
2012-05-20

2012-05-20 19:50:33 by Martin Nilsson <nilsson@opera.com>

Certificate chains were processed in the wrong direction, so reverse the processing order. Previously, if no root certificates were provided, the root element would always fail; this is no longer the case.

627:   //! @endmapping   //!   //! @param cert_chain - //! An array of certificates, with the relative-root last. Each certificate should - //! be a DER-encoded certificate. + //! An array of certificates, with the relative-root last. Each + //! certificate should be a DER-encoded certificate.   //! @param authorities   //! A mapping from (DER-encoded) names to verifiers.   //! @param require_trust
643:       mapping m = ([ ]);    -  array chain_obj = ({}); -  array chain_cert = ({}); +  int len = sizeof(cert_chain); +  array chain_obj = allocate(len); +  array chain_cert = allocate(len);       foreach(cert_chain; int idx; string c)    {
656:    m->error_cert = idx;    return m;    } -  chain_cert += ({cert}); -  chain_obj += ({tbs}); +  +  int idx = len-idx-1; +  chain_cert[idx] = cert; +  chain_obj[idx] = tbs;    }       foreach(chain_obj; int idx; TBSCertificate tbs)
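Review bot: The added `int idx = len-idx-1;` declares a local with the same name as the `foreach` index and reads `idx` in its own initializer, so which `idx` is used depends on Pike's scoping rules. A distinct name removes the doubt: `int rev = len-idx-1; chain_cert[rev] = cert; chain_obj[rev] = tbs;`. Also, `m->error_cert = idx` just above reports a position in the caller's order, while the following `foreach(chain_obj; ...)` loop walks the reversed arrays. If that loop also stores its index in `error_cert` (not visible in this hunk), the two would disagree about which certificate failed, so the `@mapping` documentation should state which order the index uses. The loop body starts outside the hunk.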
769:    v = chain_obj[idx-1]->public_key;    }    -  if (v && v->verify(chain_cert[idx]->elements[1], +  if (v) +  { +  if( v->verify(chain_cert[idx]->elements[1],    chain_cert[idx]->elements[0]->get_der(),    chain_cert[idx]->elements[2]->value)    && tbs)
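Review bot: Splitting the condition into `if (v) { if( v->verify(...) && tbs)` means a certificate with no verifier `v` now skips the signature check, and nothing in the visible lines records that. The commit message says this is intended for a root with no authorities supplied, but it makes the unverified path silent, so the outcome depends on `require_trust` and on what the rest of the function stores in `m` (outside this hunk). I would document it where it happens, for example `// v is 0 when no issuer key is known: the signature is NOT checked here, so callers must pass require_trust or inspect the returned mapping.` The `require_trust` doc comment should also say that an empty `authorities` mapping leaves the root unverified. The block opened here closes in the next hunk.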
793:    return m;    }    } +  }    return m;   }      #endif