
2014-04-27

2014-04-27 15:32:51 by Martin Nilsson <nilsson@opera.com>

Added certificate check failure modes CERT_EXCEEDED_PATH_LENGTH and CERT_UNAUTHORIZED_SIGNING. Improved the extensions code somewhat and removed some debug left on.

39:    //! A CA certificate is not allowed by basic constraints to sign    //! another certificate.    CERT_UNAUTHORIZED_CA = 1<<6, +  +  //! The certificate is not allowed by it's key usage to sign data. +  CERT_UNAUTHORIZED_SIGNING = 1<<7, +  +  //! The certificate chain is longer than allowed by a certificate in +  //! the chain. +  CERT_EXCEEDED_PATH_LENGTH = 1<<8,   }      
830:    raw_extensions = a[i][0];    i++;    - #define EXT(X) if(!parse_##X(internal_extensions[ \ -  .PKCS.Identifiers.ce_ids.##X])) { \ -  werror("TBSCertificate: Failed to parse extension %O.\n", #X); } + #define EXT(X) do { \ +  Object o = internal_extensions[.PKCS.Identifiers.ce_ids.##X]; \ +  if(o && !parse_##X(o)) \ +  DBG("TBSCertificate: Failed to parse extension %O.\n", #X); \ +  } while (0)    EXT(basicConstraints);    EXT(authorityKeyIdentifier);    EXT(subjectKeyIdentifier);
870:    // public keys use usage is to validate signatures on    // certificates.    -  if( !o || o->type_name!="SEQUENCE" ) +  if( o->type_name!="SEQUENCE" )    return 0;    Sequence s = [object(Sequence)]o;    if( sizeof(s)<1 || sizeof(s)>2 || s[0]->type_name!="BOOLEAN" )
894:       protected int(0..1) parse_authorityKeyIdentifier(Object o)    { -  if( !o ) return 1; +     if( o->type_name!="SEQUENCE" )    return 0;   
909:       protected int(0..1) parse_subjectKeyIdentifier(Object o)    { -  if( !o ) return 1; +     if( o->type_name!="OCTET STRING" )    return 0;    ext_subjectKeyIdentifier = o->value;
922:       protected int(0..1) parse_keyUsage(Object o)    { -  if( !o ) return 1; +     if( o->type_name!="BIT STRING" )    return 0;   
939:    return 1;    }    -  +    }      //! Creates the ASN.1 TBSCertificate sequence (see RFC2459 section
1496:    {    // The error was later in the chain though, so maybe a    // different error should be sent. -  ERROR(CERT_UNAUTHORIZED_CA); +  ERROR(CERT_EXCEEDED_PATH_LENGTH);    }    } -  +  +  if( !(tbs->ext_keyUsage & keyCertSign) ) +  ERROR(CERT_UNAUTHORIZED_CA);    } -  +  else // The leaf +  { +  if( !(tbs->ext_keyUsage & digitalSignature) ) +  ERROR(CERT_UNAUTHORIZED_SIGNING); +  }       if(idx == 0) // The root cert    {
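Review bot: The keyUsage checks added at the end of this hunk treat an absent keyUsage extension the same as one with no bits set. The `if( !o ) return 1;` guard is removed from parse_keyUsage (hunk 922) and the EXT macro (hunk 830) now skips the parser entirely when the extension is missing, so tbs->ext_keyUsage keeps its initial value, presumably 0, and `!(tbs->ext_keyUsage & keyCertSign)` then rejects every CA certificate that omits keyUsage with CERT_UNAUTHORIZED_CA, while the leaf branch rejects every end-entity certificate that omits it with CERT_UNAUTHORIZED_SIGNING. RFC 5280 §4.2.1.3 makes keyUsage optional and places no restriction when it is absent, so the checks should be conditioned on the extension being present, e.g. `if( tbs->ext_keyUsage && !(tbs->ext_keyUsage & keyCertSign) )`, or better a separate presence flag set in parse_keyUsage so that a present-but-empty bit string is not conflated with a missing extension. The leaf requirement of digitalSignature also deserves a comment, since certificates used only for key encipherment legitimately carry keyEncipherment without digitalSignature. The enclosing verification loop starts and ends outside the hunk.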