pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:32:       //!    CERT_ROOT_UNTRUSTED = 1<<4,       //!    CERT_BAD_SIGNATURE = 1<<5,       //! A CA certificate is not allowed by basic constraints to sign    //! another certificate.    CERT_UNAUTHORIZED_CA = 1<<6, +  +  //! The certificate is not allowed by it's key usage to sign data. +  CERT_UNAUTHORIZED_SIGNING = 1<<7, +  +  //! The certificate chain is longer than allowed by a certificate in +  //! the chain. +  CERT_EXCEEDED_PATH_LENGTH = 1<<8,   }         // Bit 0 is the first bit in the BitString.   protected enum keyUsage {    digitalSignature = 1<<0,    nonRepudiation = 1<<1,    keyEncipherment = 1<<2,    dataEncipherment = 1<<3,    keyAgreement = 1<<4,
pike.git/lib/modules/Standards.pmod/X509.pmod:823:    }    }    if (version >= 3) {    if ((i < sizeof(a)) && a[i]->constructed &&    (a[i]->combined_tag == make_combined_tag(2, 3)) &&    sizeof(a[i])==1 &&    a[i][0]->type_name == "SEQUENCE") {    raw_extensions = a[i][0];    i++;    - #define EXT(X) if(!parse_##X(internal_extensions[ \ -  .PKCS.Identifiers.ce_ids.##X])) { \ -  werror("TBSCertificate: Failed to parse extension %O.\n", #X); } + #define EXT(X) do { \ +  Object o = internal_extensions[.PKCS.Identifiers.ce_ids.##X]; \ +  if(o && !parse_##X(o)) \ +  DBG("TBSCertificate: Failed to parse extension %O.\n", #X); \ +  } while (0)    EXT(basicConstraints);    EXT(authorityKeyIdentifier);    EXT(subjectKeyIdentifier);    EXT(keyUsage);   #undef EXT    }    }    internal_der = asn1->get_der();    if (i == sizeof(a))    return this;
pike.git/lib/modules/Standards.pmod/X509.pmod:863:    //! this certificate in a certificate chain. @exp{-1@} in case no    //! limit is imposed.    int ext_basicConstraints_pathLenConstraint = -1;       protected int(0..1) parse_basicConstraints(Object o)    {    // FIXME: This extension must be critical if certificate contains    // public keys use usage is to validate signatures on    // certificates.    -  if( !o || o->type_name!="SEQUENCE" ) +  if( o->type_name!="SEQUENCE" )    return 0;    Sequence s = [object(Sequence)]o;    if( sizeof(s)<1 || sizeof(s)>2 || s[0]->type_name!="BOOLEAN" )    return 0;    if( sizeof(s)==2 )    {    if( s[1]->type_name!="INTEGER" || s[0]->value==0 || s[1]->value<0 )    return 0;    ext_basicConstraints_pathLenConstraint = s[1]->value;    // FIXME: pathLenConstraint is not permitted if keyCertSign
pike.git/lib/modules/Standards.pmod/X509.pmod:887:    ext_basicConstraints_cA = s[0]->value;    return 1;    }       //! Set if the certificate contains a valid authorityKeyIdentifier    //! extension. RFC3280 4.2.1.1.    int(0..1) ext_authorityKeyIdentifier;       protected int(0..1) parse_authorityKeyIdentifier(Object o)    { -  if( !o ) return 1; +     if( o->type_name!="SEQUENCE" )    return 0;       // FIXME: Actually parse this.    ext_authorityKeyIdentifier = 1;    return 1;    }       //! Set to the value of the SubjectKeyIdentifier if the certificate    //! contains the subjectKeyIdentifier extension. RFC3280 4.2.1.2.    string ext_subjectKeyIdentifier;       protected int(0..1) parse_subjectKeyIdentifier(Object o)    { -  if( !o ) return 1; +     if( o->type_name!="OCTET STRING" )    return 0;    ext_subjectKeyIdentifier = o->value;    return 1;    }       //! Set to the value of the KeyUsage if the certificate    //! contains the keyUsage extension. RFC3280 4.2.1.3.    keyUsage ext_keyUsage;       protected int(0..1) parse_keyUsage(Object o)    { -  if( !o ) return 1; +     if( o->type_name!="BIT STRING" )    return 0;       int pos;    foreach(o->value;; int char)    for(int i; i<8; i++)    {    int bit = !!(char & 0x80);    ext_keyUsage |= (bit << pos);    pos++;    char <<= 1;    }       return 1;    }    -  +    }      //! Creates the ASN.1 TBSCertificate sequence (see RFC2459 section   //! 4.1) to be signed (TBS) by the CA. version is explicitly set to   //! v3, and @[extensions] is optionally added to the sequence.   //! issuerUniqueID and subjectUniqueID are not supported.   TBSCertificate make_tbs(Sequence issuer, Sequence algorithm,    Sequence subject, Sequence keyinfo,    Integer serial, Sequence validity,    array|int(0..0)|void extensions)
pike.git/lib/modules/Standards.pmod/X509.pmod:1489:    if( tbs->ext_basicConstraints_pathLenConstraint!=-1 )    {    // pathLenConstraint is the maximum number of intermediate    // certificates. len-1-idx is the number of following    // certificates. Subtract one more to not count the leaf    // certificate.    if( len-1-idx-1 > tbs->ext_basicConstraints_pathLenConstraint )    {    // The error was later in the chain though, so maybe a    // different error should be sent. -  ERROR(CERT_UNAUTHORIZED_CA); +  ERROR(CERT_EXCEEDED_PATH_LENGTH);    }    } -  +  +  if( !(tbs->ext_keyUsage & keyCertSign) ) +  ERROR(CERT_UNAUTHORIZED_CA);    } -  +  else // The leaf +  { +  if( !(tbs->ext_keyUsage & digitalSignature) ) +  ERROR(CERT_UNAUTHORIZED_SIGNING); +  }       if(idx == 0) // The root cert    {    verifiers = authorities[tbs->issuer->get_der()];       // if we don't know the issuer of the root certificate, and we    // require trust, we're done.    if(!verifiers && require_trust)    ERROR(CERT_ROOT_UNTRUSTED);