pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:301:    ::_decode(x);    init(this);    }       protected string internal_der;       //!    void `der=(string asn1)    {    internal_der = UNDEFINED; -  if (init(Standards.ASN1.Decode.simple_der_decode(asn1, x509_types))) { +  if (init(Standards.ASN1.Decode.secure_der_decode(asn1, x509_types))) {    internal_der = asn1;    }    }    string `der()    {    if (internal_der) return internal_der;    return internal_der = der_encode();    }       //!
pike.git/lib/modules/Standards.pmod/X509.pmod:648:    DBG("TBSCertificate: extension: %O\n", ext[0]);    Identifier id = ext[0];       if( extensions[id] )    {    DBG("TBSCertificate: extension %O sent twice.\n");    return 0;    }       extensions[ id ] = -  Standards.ASN1.Decode.simple_der_decode(ext->elements[-1]->value, +  Standards.ASN1.Decode.secure_der_decode(ext->elements[-1]->value,    extension_types[id]);    if(sizeof(ext)==3)    {    if( ext[1]->type_name != "BOOLEAN" ) return 0;    if( ext[1]->value ) critical[id]=1;    }    }       if (!extensions_pos) {    if (version < 3) version = 3;
pike.git/lib/modules/Standards.pmod/X509.pmod:1392:    add("basicConstraints", Sequence(({Boolean(1)})), 1);       return sign_key(dn, c, c, h||Crypto.SHA256, dn, serial, ttl, extensions);   }      //! Decodes a certificate and verifies that it is structually sound.   //! Returns a @[TBSCertificate] object if ok, otherwise @expr{0@}.   TBSCertificate decode_certificate(string|object cert)   {    if (stringp (cert)) { -  cert = Standards.ASN1.Decode.simple_der_decode(cert, x509_types); +  cert = Standards.ASN1.Decode.secure_der_decode(cert, x509_types);    }       if (!cert    || (cert->type_name != "SEQUENCE")    || (sizeof(cert) != 3)    || (cert[0]->type_name != "SEQUENCE")    || (cert[1]->type_name != "SEQUENCE")    || (!sizeof(cert[1]))    || (cert[1][0]->type_name != "OBJECT IDENTIFIER")    || (cert[2]->type_name != "BIT STRING")
pike.git/lib/modules/Standards.pmod/X509.pmod:1432:   //! The valid time range for the certificate is not checked.   //!   //! Authorities is a mapping from (DER-encoded) names to a verifiers.   //!   //! @note   //! This function allows self-signed certificates, and it doesn't   //! check that names or extensions make sense.   TBSCertificate verify_certificate(string s,    mapping(string:Verifier|array(Verifier)) authorities)   { -  object cert = Standards.ASN1.Decode.simple_der_decode(s); +  object cert = Standards.ASN1.Decode.secure_der_decode(s);       TBSCertificate tbs = decode_certificate(cert);    if (!tbs) return 0;       array(Verifier)|Verifier verifiers;       if (tbs->issuer->get_der() == tbs->subject->get_der())    {    DBG("Self signed certificate: %O\n", tbs->public_key);    verifiers = ({ tbs->public_key });
pike.git/lib/modules/Standards.pmod/X509.pmod:1717:       // Decode all certificates in the chain. Leaf is first and root is    // last.       int len = sizeof(cert_chain);    array chain_obj = allocate(len);    array chain_cert = allocate(len);       foreach(cert_chain; int idx; string c)    { -  object cert = Standards.ASN1.Decode.simple_der_decode(c); +  object cert = Standards.ASN1.Decode.secure_der_decode(c);    TBSCertificate tbs = decode_certificate(cert);    if(!tbs)    FATAL(CERT_INVALID);       int idx = len-idx-1;    chain_cert[idx] = cert;    chain_obj[idx] = tbs;    }    m->certificates = chain_obj;   
pike.git/lib/modules/Standards.pmod/X509.pmod:1856: Inside #if constant(Nettle.ECC_Curve)
   case 4:    return Standards.PKCS.ECDSA.parse_private_key(seq);   #endif    }    return UNDEFINED;   }      //! DWIM-parse the DER-sequence for a private key.   variant Crypto.Sign.State parse_private_key(string private_key)   { -  Object seq = Standards.ASN1.Decode.simple_der_decode(private_key); +  Object seq = Standards.ASN1.Decode.secure_der_decode(private_key);    if (!seq || (seq->type_name != "SEQUENCE")) return UNDEFINED;    return parse_private_key([object(Sequence)]seq);   }