Branch: Tag:

2013-08-16

2013-08-16 01:21:45 by Martin Nilsson <nilsson@opera.com>

Documentation update

1:   #pike __REAL_VERSION__   //#pragma strict_types    - /* -  * Some random functions for creating RFC-2459 style X.509 certificates. -  * -  */ + //! Functions to generate and validate RFC2459 style X.509 v3 + //! certificates.      constant dont_dump_module = 1;    - #if constant(Standards.ASN1.Types.Sequence) && constant(Crypto.Hash) + #if constant(Crypto.Hash)      import Standards.ASN1.Types;   import Standards.PKCS;    - // Note: Redump this module if you change X509_DEBUG +    #ifdef X509_DEBUG - #define X509_WERR werror + #define DBG(X ...) werror(X)   #else - #define X509_WERR + #define DBG(X ...)   #endif      //!
59:    second->second_no()));   }    - //! Returns a mapping similar to that returned by gmtime + //! Returns a mapping similar to that returned by gmtime. Returns + //! @expr{0@} on invalid dates. + //!   //! @returns   //! @mapping   //! @member int "year"
79:    if ( (sizeof(s) != 12) && (c != 'Z') )    return 0;    -  /* NOTE: This relies on pike-0.7 not interpreting leading zeros as -  * an octal prefix. */ +     mapping(string:int) m = mkmapping( ({ "year", "mon", "mday",    "hour", "min", "sec" }),    (array(int)) (s/2));
135:      Sequence dsa_sha1_algorithm = Sequence( ({ Identifiers.dsa_sha_id }) );    - //! - Sequence make_tbs(object issuer, object algorithm, -  object subject, object keyinfo, -  object serial, int ttl, + //! Creates the ASN.1 TBSCertificate sequence (see RFC2459 section + //! 4.1) to be signed (TBS) by the CA. version is explicitly set to + //! v3, validity is calculated based on time and @[ttl], and + //! @[extensions] is optionally added to the sequence. issuerUniqueID + //! and subjectUniqueID are not supported. + Sequence make_tbs(Sequence issuer, Sequence algorithm, +  Sequence subject, Sequence keyinfo, +  Integer serial, int ttl,    array extensions)   {    int now = time();
380:    }   }    - //! + //! Represents a TBSCertificate.   class TBSCertificate   {    //!
424:    //! optional    object extensions;    -  //! +  //! Populates the object from a certificate decoded into an ASN.1 +  //! Object. Returns the object on success, otherwise @expr{0@}. You +  //! probably want to call @[decode_certificate] or even +  //! @[verify_certificate].    this_program init(Object asn1)    {    der = asn1->get_der();
432:    return 0;       array(Object) a = ([object(Sequence)]asn1)->elements; -  X509_WERR("TBSCertificate: sizeof(a) = %d\n", sizeof(a)); +  DBG("TBSCertificate: sizeof(a) = %d\n", sizeof(a));       if (sizeof(a) < 6)    return 0;
453:    } else    version = 1;    -  X509_WERR("TBSCertificate: version = %d\n", version); +  DBG("TBSCertificate: version = %d\n", version);    if (a[0]->type_name != "INTEGER")    return 0;    serial = a[0]->value;    -  X509_WERR("TBSCertificate: serial = %s\n", (string) serial); +  DBG("TBSCertificate: serial = %s\n", (string) serial);       if ((a[1]->type_name != "SEQUENCE")    || !sizeof(a[1]->elements )
467:       algorithm = a[1];    -  X509_WERR("TBSCertificate: algorithm = %s\n", algorithm->debug_string()); +  DBG("TBSCertificate: algorithm = %s\n", algorithm->debug_string());       if (a[2]->type_name != "SEQUENCE")    return 0;    issuer = a[2];    -  X509_WERR("TBSCertificate: issuer = %s\n", issuer->debug_string()); +  DBG("TBSCertificate: issuer = %s\n", issuer->debug_string());       if ((a[3]->type_name != "SEQUENCE")    || (sizeof(a[3]->elements) != 2))
485:    if (!not_before)    return 0;    -  X509_WERR("TBSCertificate: not_before = %O\n", not_before); +  DBG("TBSCertificate: not_before = %O\n", not_before);       not_after = parse_time(validity[1]);    if (!not_after)    return 0;    -  X509_WERR("TBSCertificate: not_after = %O\n", not_after); +  DBG("TBSCertificate: not_after = %O\n", not_after);       if (a[4]->type_name != "SEQUENCE")    return 0;    subject = a[4];    -  X509_WERR("TBSCertificate: keyinfo = %s\n", a[5]->debug_string()); +  DBG("TBSCertificate: keyinfo = %s\n", a[5]->debug_string());       public_key = make_verifier(a[5]);       if (!public_key)    return 0;    -  X509_WERR("TBSCertificate: parsed public key. type = %s\n", +  DBG("TBSCertificate: parsed public key. type = %s\n",    public_key->type);       int i = 6;
543:    }   }    - //! + //! Decodes a certificate and verifies that it is structually sound. + //! Returns a @[TBSCertificate] object if ok, otherwise @expr{0@}.   TBSCertificate decode_certificate(string|object cert)   {    if (stringp (cert)) cert = Standards.ASN1.Decode.simple_der_decode(cert);
587:    if (tbs->issuer->get_der() == tbs->subject->get_der())    {    /* A self signed certificate */ -  X509_WERR("Self signed certificate\n"); +  DBG("Self signed certificate\n");    v = tbs->public_key;    }    else
699: Inside #if 0
      if(! caok)    { -  X509_WERR("a CA certificate does not have the CA basic constraint.\n"); +  DBG("a CA certificate does not have the CA basic constraint.\n");    m->error_code = CERT_UNAUTHORIZED_CA;    m->error_cert = idx;    return m;
715:    // require trust, we're done.    if(!v && require_trust)    { -  X509_WERR("we require trust, but haven't got it.\n"); +  DBG("we require trust, but haven't got it.\n");    m->error_code = CERT_ROOT_UNTRUSTED;    m->error_cert = idx;    return m;
726:    {    /* A self signed certificate */    m->self_signed = 1; -  X509_WERR("Self signed certificate\n"); +  DBG("Self signed certificate\n");       // always trust our own authority first, even if it is self signed.    if(!v)
761:    // (more rootward) certificate?    if(tbs->issuer->get_der() != chain_obj[idx-1]->subject->get_der())    { -  X509_WERR("issuer chain is broken!\n"); +  DBG("issuer chain is broken!\n");    m->verified = 0;    m->error_code = CERT_CHAIN_BROKEN;    m->error_cert = idx;
779:    chain_cert[idx]->elements[2]->value)    && tbs)    { -  X509_WERR("signature is verified..\n"); +  DBG("signature is verified..\n");    m->verified = 1;       // if we're the root of the chain and we've verified, this is
791:    }    else    { -  X509_WERR("signature _not_ verified...\n"); +  DBG("signature _not_ verified...\n");    m->error_code = CERT_BAD_SIGNATURE;    m->error_cert = idx;    m->verified = 0;