
pike.git/lib/modules/SSL.pmod/Connection.pike:270:
   if((context->auth_level < AUTHLEVEL_require) && !sizeof(certs))
   return ({});

   // A lack of certificates when we reqiure and must verify the
   // certificates is probably a failure.
   if(!sizeof(certs))
   return 0;

   // See if the issuer of the certificate is acceptable. This means
   // the issuer of the certificate must be one of the authorities.
+  // NOTE: This code is only relevant when acting as a server dealing
+  // with client certificates.
   if(sizeof(context->authorities_cache))
   {
   string r=Standards.X509.decode_certificate(certs[-1])->issuer
   ->get_der();
   int issuer_known = 0;
   foreach(context->authorities_cache, string c)
   {
   if(r == c) // we have a trusted issuer
   {
   issuer_known = 1;
   break;
   }
   }

   if(issuer_known==0)
   {
   return 0;
   }
   }

-  // ok, so we have a certificate chain whose client certificate is
-  // issued by an authority known to us.
-
-  // next we must verify the chain to see if the chain is unbroken
-
-  mapping result =
-  Standards.X509.verify_certificate_chain(certs,
+  // Decode the chain, verify each certificate and verify that the
+  // chain is unbroken.
+  mapping result = ([]);
+  catch {
+  result = Standards.X509.verify_certificate_chain(certs,
   context->trusted_issuers_cache,
   context->require_trust);
-
+  };

   // This data isn't actually used internally.
   session->cert_data = result;

   if(result->verified)
   return [array(Standards.X509.TBSCertificate)]result->certificates;

   return 0;
  }
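Review bot: The issuer check in the `if(sizeof(context->authorities_cache))` branch still calls `Standards.X509.decode_certificate(certs[-1])->issuer` outside the new `catch`, so a peer certificate that fails to decode would presumably throw there before the guarded `verify_certificate_chain` call is reached. Guarding it keeps the failure on the same fail-closed path: `object tbs = Standards.X509.decode_certificate(certs[-1]);` followed by `if(!tbs) return 0;`, then `tbs->issuer->get_der()`. Separately, the bare `catch { ... };` discards the error, so `session->cert_data` ends up as an empty mapping and a decode error is indistinguishable from an untrusted chain. Assigning it with `mixed err = catch { ... };` and reporting `err` through the module's debug output would keep the rejection but leave a trace for diagnosis. The enclosing function starts above the hunk, so earlier handling of `certs` is not visible here.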