FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F13.1.0 2019-05-09T22:25:12Z 2019-05-09T22:25:12Z Simon J. Gerraty sjg@FreeBSD.org 2019-05-09T22:25:12Z urn:sha1:9bee6a6083228d0e6abfb991fdbb4edf020fd438 Avoid making hash self-tests depend on X.509 certs. Include OpenPGP keys in trust store count. Reviewed by: stevek MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D20208 2019-03-06T06:39:42Z Marcin Wojtas mw@FreeBSD.org 2019-03-06T06:39:42Z urn:sha1:13ea0450a9c8742119d36f3bf8f47accdce46e54 UEFI related headers were copied from edk2. A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow loading of trusted anchors from UEFI. Certificate revocation support is also introduced. The forbidden certificates are loaded from dbx variable. Verification fails in two cases: There is a direct match between cert in dbx and the one in the chain. The CA used to sign the chain is found in dbx. One can also insert a hash of TBS section of a certificate into dbx. In this case verifications fails only if a direct match with a certificate in chain is found. Submitted by: Kornel Duleba <mindal@semihalf.com> Reviewed by: sjg Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D19093 2019-03-04T22:04:21Z Simon J. Gerraty sjg@FreeBSD.org 2019-03-04T22:04:21Z urn:sha1:02a4bc589cb28479993057372d74f26a7c3fce84 Use SOURCE_DATE_EPOCH for BUILD_UTC if MK_REPRODUCIBLE_BUILD is yes. Default SOURCE_DATE_EPOCH to 2019-01-01 Reviewed by: emaste Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D19464 2019-02-26T06:09:10Z Simon J. Gerraty sjg@FreeBSD.org 2019-02-26T06:09:10Z urn:sha1:5fff9558a43aaac53da41dc23c250c4e84f6fb02 Used by loader and veriexec Depends on libbearssl Reviewed by: emaste Sponsored by: Juniper Networks Differential Revision: D16335