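--- a/lib/modules/SSL.pmod/Connection.pike
+++ b/lib/modules/SSL.pmod/Connection.pike
@@ -270,37 +270,37 @@
   if((context->auth_level < AUTHLEVEL_require) && !sizeof(certs)) return ({});
   // A lack of certificates when we reqiure and must verify the
   // certificates is probably a failure.
   if(!sizeof(certs)) return 0;
   // See if the issuer of the certificate is acceptable. This means
   // the issuer of the certificate must be one of the authorities.
+  // NOTE: This code is only relevant when acting as a server dealing
+  // with client certificates.
   if(sizeof(context->authorities_cache))
   {
     string r=Standards.X509.decode_certificate(certs[-1])->issuer ->get_der();
     int issuer_known = 0;
     foreach(context->authorities_cache, string c)
     {
       if(r == c) // we have a trusted issuer
       {
         issuer_known = 1;
         break;
       }
     }
     if(issuer_known==0)
     {
       return 0;
     }
   }
-  // ok, so we have a certificate chain whose client certificate is
-  // issued by an authority known to us.
-
-  // next we must verify the chain to see if the chain is unbroken
-
-  mapping result =
-    Standards.X509.verify_certificate_chain(certs,
+  // Decode the chain, verify each certificate and verify that the
+  // chain is unbroken.
+  mapping result = ([]);
+  catch {
+    result = Standards.X509.verify_certificate_chain(certs,
                                             context->trusted_issuers_cache, context->require_trust);
-
+  };
   // This data isn't actually used internally.
   session->cert_data = result;
   if(result->verified) return [array(Standards.X509.TBSCertificate)]result->certificates;
   return 0;
 }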
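Review bot: The `catch { ... }` wrapped around `Standards.X509.verify_certificate_chain` discards the thrown error, so a client chain that fails to decode becomes indistinguishable from one that simply does not verify, and a bug inside the verifier would likewise surface only as a silent rejection. The outcome is still fail-closed — `result` keeps its `([])` initialiser, `result->verified` is therefore zero and the function returns 0 below — but that reliance deserves a comment next to the `catch`, e.g. `// On any error result stays ([]) and the chain is treated as unverified.`. Consider keeping the error, `mixed err = catch { ... };`, and recording it under whatever debug facility this module uses (not visible in the hunk) so operators can tell a malformed client certificate from a policy rejection. The enclosing function starts outside the hunk.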