pike.git / lib / modules / SSL.pmod / Context.pike


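--- a/lib/modules/SSL.pmod/Context.pike
+++ b/lib/modules/SSL.pmod/Context.pike
@@ -841,24 +841,24 @@
 protected array(array(string(8bit))) trusted_issuers = ({});
 
 //! Mapping from DER-encoded issuer to @[Standards.X509.Verifier]s
 //! compatible with eg @[Standards.X509.verify_certificate()] and
 //! @[Standards.X509.load_authorities()].
 //!
 //! @seealso
 //! @[get_trusted_issuers()], @[set_trusted_issuers()]
 mapping(string(8bit):array(Standards.X509.Verifier)) trusted_issuers_cache = ([]);
 
-//! For client authentication. Used only if auth_level is AUTH_ask or
-//! AUTH_require.
-array(int) preferred_auth_methods =
-({ AUTH_rsa_sign });
+//! The possible client authentication methods. Used only if
+//! auth_level is AUTH_ask or AUTH_require. Generated by
+//! @[set_authorities].
+array(int) client_auth_methods = ({});
 
 // Lookup from issuer DER to an array of suitable @[CertificatePair]s,
 // sorted in order of strength.
 protected mapping(string(8bit):array(CertificatePair)) cert_chains_issuer = ([]);
 
 // Lookup from DN/SNI domain name/glob to an array of suitable
 // @[CertificatePair]s, sorted in order of strength.
 protected mapping(string(8bit):array(CertificatePair)) cert_chains_domain = ([]);
 
 //! Look up a suitable set of certificates for the specified issuer.
@@ -987,24 +987,42 @@
   foreach( cp->globs, string id )
     add(id, cert_chains_domain);
 
   add(cp->issuers[0], cert_chains_issuer);
 }
 
 // update the cached decoded authorities list
 private void update_authorities()
 {
   authorities_cache = ({});
+  mapping(int:int) cert_types = ([]);
   foreach(authorities, string a)
-    authorities_cache += ({ Standards.X509.decode_certificate(a)->
-                            subject->get_der() });
+  {
+    Standards.X509.TBSCertificate tbs = Standards.X509.decode_certificate(a);
+    Standards.ASN1.Types.Identifier id = [object(Standards.ASN1.Types.Identifier)]tbs->algorithm[0];
+
+    // --- START Duplicated code from CertificatePair
+    array(HashAlgorithm|SignatureAlgorithm) sign_alg;
+    sign_alg = [array(HashAlgorithm|SignatureAlgorithm)]pkcs_der_to_sign_alg[id->get_der()];
+    if (!sign_alg) error("Unknown signature algorithm.\n");
+
+    int cert_type = ([
+      SIGNATURE_rsa: AUTH_rsa_sign,
+      SIGNATURE_dsa: AUTH_dss_sign,
+      SIGNATURE_ecdsa: AUTH_ecdsa_sign,
+    ])[sign_alg[1]];
+    // --- END Duplicated code from CertificatePair
+
+    cert_types[cert_type]++;
+    authorities_cache += ({ tbs->subject->get_der() });
   }
-
+  client_auth_methods = indices(cert_types);
+}
 
 // update the cached decoded issuers list
 private void update_trusted_issuers()
 {
   trusted_issuers_cache=([]);
   foreach(trusted_issuers, array(string) i)
   {
     // make sure the chain is valid and intact.
     mapping result = Standards.X509.verify_certificate_chain(i, ([]), 0);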
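Review bot: In update_authorities the lookup `int cert_type = ([ ... ])[sign_alg[1]];` yields 0 for any signature algorithm that pkcs_der_to_sign_alg knows but the three-entry mapping does not, so `cert_types[cert_type]++` records key 0 and indices(cert_types) then places a 0 in client_auth_methods, a value that corresponds to no defined client authentication method. Guarding the increment, `if (cert_type) cert_types[cert_type]++;`, keeps such an authority in authorities_cache without advertising an invalid type. The value also appears to be derived from tbs->algorithm, i.e. the algorithm the authority certificate was itself signed with rather than the type of the authority's own key; these coincide for a self-signed root but can differ for an intermediate, which deserves a comment or a check if that is not the intent. The region marked "Duplicated code from CertificatePair" would be better as one shared helper returning the cert type, and since indices() on a mapping has no defined order, client_auth_methods no longer carries the preference ordering the old preferred_auth_methods name implied.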