Branch: Tag:

2016-03-04

2016-03-04 13:59:59 by Per Hedbor <ph@opera.com>

Addressed code review issues

411:    {    return low_get_sequence(2);    } -  // Attempt to create a presentable string from the issuer DER. +  +  //! Return the issuer of the certificate as a human readable string. +  //! Mainly useful for debug.    string issuer_str()    {    return dn_str(issuer);
477:    return low_get_sequence(4);    }    -  // Attempt to create a presentable string from the subject DER. +  //! Attempt to create a presentable string from the subject DER.    string subject_str()    {    return dn_str(subject);    }    -  +  //! Try to extract a readable name from @[dn]. This is one of +  //! commonName, organizationName or organizationUnitName. The first +  //! that is found is returned. Suitable for subjects and issuer +  //! sequences.    string dn_str(Sequence dn)    {    mapping ids = ([]);
1680:   //! @param require_trust   //! Require that the certificate be traced to an authority, even if   //! it is self signed. + //! @param strict + //! By default this function only requires that the certificates are + //! in order, it ignores extra certificates we didn't need to verify + //! the leaf certificate.   //! -  + //! If you specify @[strict], this will change, each certificate has + //! to be signed by the next in the chain. + //! + //! Some https-servers send extraneous intermediate certificates + //! that aren't used to validate the leaf certificate. So strict + //! mode will be incompatible with those srevers. + //!   //! See @[Standards.PKCS.Certificate.get_dn_string] for converting the   //! RDN to an X500 style string.   mapping verify_certificate_chain(array(string) cert_chain,    mapping(string:Verifier|array(Verifier)) authorities, -  int|void require_trust) +  int|void require_trust, bool|void strict)   {    mapping m = ([ ]);   
1701:    int len = sizeof(cert_chain);    array chain_obj = ({});    array chain_cert = ({}); -  // Ignore certificates that aren't issuers of the leaf certificate. -  bool ignore_extraneous = true; +        string last_issuer;    foreach(cert_chain; int idx; string c)
1713:    FATAL(CERT_INVALID);       string subject = tbs->subject->get_der(); -  if (ignore_extraneous && last_issuer && subject != last_issuer) +  if (!strict && last_issuer && subject != last_issuer)    {    // This doesn't look relevant for validating the previous (closer to    // the leaf) certificate.
1727:    chain_cert = ({ cert }) + chain_cert;    chain_obj = ({ tbs }) + chain_obj;    -  if (ignore_extraneous && has_index(authorities, last_issuer)) +  if (!strict && has_index(authorities, last_issuer))    {    // We've reached a certificate signed by a root we trust, end here.    DBG("Ending at %q - signed by root %q\n", tbs->subject_str(), tbs->issuer_str());