

pike.git/lib/modules/SSL.pmod/Context.pike:554: Inside #if constant(Crypto.ECC.Curve) && constant(Crypto.AES.GCM) && constant(Crypto.SHA384)
   }   }      #endif /* Crypto.ECC.Curve && Crypto.AES.GCM && Crypto.SHA384 */         //   // --- Certificates and authentication   //    + // Unless connecting in anonymous mode the server has to have a set of + // CertificatePair certificate chains to sign its handshake with. + // These are stored in the cert_chains_domain mapping, where they are + // retrieved based on domain the client is connecting to. + // + // If the server sends a certificate request the client has to respond + // with a certificate matching the requested issuer der. These are + // stored in the cert_chains_issuer mapping. + // + // The client/server potentially has a set of trusted issuers + // certificate (root certificates) that are used to validate the + // server/client sent certificate. These are stored in a cache from + // subject der to Verifier object. FIXME: Should use key identifier. +    //! Policy for client authentication. One of   //! @[SSL.Constants.AUTHLEVEL_none], @[SSL.Constants.AUTHLEVEL_ask]   //! and @[SSL.Constants.AUTHLEVEL_require].   int auth_level;      //! Array of authorities that are accepted for client certificates.   //! The server will only accept connections from clients whose   //! certificate is signed by one of these authorities. The string is a   //! DER-encoded certificate, which typically must be decoded using   //! @[MIME.decode_base64] or @[Standards.PEM.Messages] first.
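Review bot: The added comment says trusted issuer certificates are cached from subject DER to Verifier object, and the trailing "FIXME: Should use key identifier" understates why that matters: two distinct roots that share a subject name (for example a CA whose key was rolled over while keeping its DN) collide under a subject-DER key, so one of them shadows the other and chains signed by the shadowed key fail or succeed for the wrong reason. The cache itself is not in this hunk, so whether a collision replaces or ignores the later entry cannot be told from here. Suggest making the comment say what the better key is: `// FIXME: Should key on the Subject Key Identifier (or a hash of the SubjectPublicKeyInfo) rather than subject DER, since distinct roots may share a subject name.` The "retrieved based on domain" sentence would also be clearer as "retrieved by the server name (SNI) the client asks for, matched against the chains' globs", which is what the add_cert code later in the file does.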
pike.git/lib/modules/SSL.pmod/Context.pike:734:   variant void add_cert(CertificatePair cp)   {    void add(string what, mapping(string:array(CertificatePair)) to)    {    if( !to[what] )    to[what] = ({cp});    else    to[what] = sort( to[what]+({cp}) );    };    +  // FIXME: Look at leaf flags to determine which mapping to store the +  // chains in. +     // Insert cp in cert_chains both under all DN/SNI names/globs and    // under issuer DER. Keep lists sorted by strength.    foreach( cp->globs, string id )    add(id, cert_chains_domain);       add(cp->issuers[0], cert_chains_issuer);   }      // update the cached decoded authorities list   private void update_authorities()