pike.git / lib / modules / SSL.pmod / Context.pike

version» Context lines:

pike.git/lib/modules/SSL.pmod/Context.pike:760:   //   // If the server sends a certificate request the client has to respond   // with a certificate matching the requested issuer der. These are   // stored in the cert_chains_issuer mapping.   //   // FIXME: Currently only one client certificate per der issuer is   // supported. If multiple are added a random one will be selected,   // which later may fail when verified against supported certificate   // types, hash/signature algorithms.   // + // FIXME: There is no need to allow the same context object to be used + // both for client and server side, so we could join + // cert_chains_domain and cert_chains_issuer into one system. + //   // The client/server potentially has a set of trusted issuers   // certificates (root certificates) that are used to validate the   // server/client sent certificate. These are stored in trusted_issuers   // and in a cache from subject der to Verifier object. FIXME: Should   // use key identifier.      //! Policy for client authentication. One of   //! @[SSL.Constants.AUTHLEVEL_none],   //! @[SSL.Constants.AUTHLEVEL_verify], @[SSL.Constants.AUTHLEVEL_ask]   //! and @[SSL.Constants.AUTHLEVEL_require].
pike.git/lib/modules/SSL.pmod/Context.pike:815:   //! An array of certificate chains whose root is self signed (ie a   //! root issuer), and whose final certificate is an issuer that we   //! trust. The root of the certificate should be first certificate in   //! the chain. The string is a DER-encoded certificate, which   //! typically must be decoded using @[MIME.decode_base64] or   //! @[Standards.PEM.Messages] first.   //!   //! If this array is left empty, and the context is set to verify   //! certificates, a certificate chain must have a root that is self   //! signed. - void set_trusted_issuers(array(array(string)) issuers) + void set_trusted_issuers(array(array(string(8bit))) issuers)   {    trusted_issuers = issuers;    update_trusted_issuers();   }      //! Get the list of trusted issuers. See @[set_trusted_issuers]. - array(array(string)) get_trusted_issuers() + array(array(string(8bit))) get_trusted_issuers()   {    return trusted_issuers;   }    - protected array(array(string)) trusted_issuers = ({}); + protected array(array(string(8bit))) trusted_issuers = ({});      //! Mapping from DER-encoded issuer to @[Standards.X509.Verifier]s   //! compatible with eg @[Standards.X509.verify_certificate()] and   //! @[Standards.X509.load_authorities()].   //!   //! @seealso   //! @[get_trusted_issuers()], @[set_trusted_issuers()] - mapping(string:array(Standards.X509.Verifier)) trusted_issuers_cache = ([]); + mapping(string(8bit):array(Standards.X509.Verifier)) trusted_issuers_cache = ([]);      //! For client authentication. Used only if auth_level is AUTH_ask or   //! AUTH_require.   array(int) preferred_auth_methods =   ({ AUTH_rsa_sign });      // Lookup from issuer DER to an array of suitable @[CertificatePair]s,   // sorted in order of strength.   protected mapping(string(8bit):array(CertificatePair)) cert_chains_issuer = ([]);      // Lookup from DN/SNI domain name/glob to an array of suitable   // @[CertificatePair]s, sorted in order of strength.   protected mapping(string(8bit):array(CertificatePair)) cert_chains_domain = ([]);      //! Look up a suitable set of certificates for the specified issuer. - //! @[UNDEFIEND] if no certificate was found. + //! @[UNDEFIEND] if no certificate was found. Called only by the + //! ClientConnection as a response to a certificate request.   array(CertificatePair) find_cert_issuer(array(string) ders)   {    // Return the first matching issuer. FIXME: Should we merge if    // several matching issuers are found?    foreach(ders, string der)    if(cert_chains_issuer[der])    return cert_chains_issuer[der];       // We MAY return any certificate here. Let's not reveal any    // certificates not specifically requested.    return UNDEFINED;   }      //! Look up a suitable set of certificates for the specified domain. - //! @[UNDEFINED] if no certificate was found. + //! @[UNDEFINED] if no certificate was found. Called only by the + //! Server.   array(CertificatePair) find_cert_domain(string(8bit) domain)   {    if( domain )    {    if( cert_chains_domain[domain] )    return cert_chains_domain[domain];       // Return first matching chain that isn't a fallback certificate.    foreach(cert_chains_domain; string g; array(CertificatePair) chains)    if( (g != "*") && glob(g, domain) )