

pike.git/lib/modules/Standards.pmod/X509.pmod:1377:    return sign_key(dn, c, c, h||Crypto.SHA256, dn, serial, ttl, extensions);   }      //! Decodes a certificate and verifies that it is structually sound.   //! Returns a @[TBSCertificate] object if ok, otherwise @expr{0@}.   TBSCertificate decode_certificate(string|.PKCS.Signature.Signed cert)   {    if (stringp (cert))    cert = .PKCS.Signature.decode_signed(cert, x509_types);    -  TBSCertificate tbs = TBSCertificate()->init(cert[0]); +  TBSCertificate tbs=TBSCertificate([object(.PKCS.Signature.Signed)]cert->tbs);       // FIXME: The re-encoding and algorithm checks are more appropriate    // in verify_certificate, but the full certificate doesn't reach    // there.    if (!tbs)    return NULL("Failed to generate TBSCertificate.\n");       return tbs;   }   
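Review bot: The new `TBSCertificate(...cert->tbs)` line dereferences `cert` without checking it, so if `.PKCS.Signature.decode_signed` yields 0 for a string that does not parse (its failure contract is not visible here) a malformed certificate would throw instead of producing the documented `0` return. A guard such as `if (!cert) return NULL("Failed to decode certificate.\n");` before the construction keeps that contract for callers like verify_certificate_chain, which map a `0` result to `CERT_INVALID`. Also, a constructor call yields an object unless `create` throws, so the `if (!tbs)` check below looks unreachable now, unlike the old `TBSCertificate()->init(...)` form that could return 0; if the constructor signals a bad TBS by throwing, catching that here would keep decode failures on the error path rather than an exception. The `return sign_key(...)` at the top of the hunk belongs to the preceding function, which starts outside it.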
pike.git/lib/modules/Standards.pmod/X509.pmod:1640:   //! @member Standards.ASN1.Sequence "authority"   //! The authority RDN that verified the chain.   //! @member Standards.ASN1.Sequence "cn"   //! The common name RDN of the leaf certificate.   //! @member array(TBSCertificate) "certificates"   //! An array with the decoded certificates, ordered from root to leaf.   //! @endmapping   //!   //! @param cert_chain   //! An array of certificates, with the relative-root last. Each - //! certificate should be a DER-encoded certificate. + //! certificate should be a DER-encoded certificate, or decoded as a + //! @[Standards.PKCS.Signature.Signed] object.   //! @param authorities   //! A mapping from (DER-encoded) names to verifiers.   //! @param require_trust   //! Require that the certificate be traced to an authority, even if   //! it is self signed.   //!   //! See @[Standards.PKCS.Certificate.get_dn_string] for converting the   //! RDN to an X500 style string. - mapping verify_certificate_chain(array(string) cert_chain, + mapping verify_certificate_chain(array(string|.PKCS.Signature.Signed) cert_chain,    mapping(string:Verifier|array(Verifier)) authorities,    int|void require_trust)   {    mapping m = ([ ]);      #define ERROR(X) do { \    DBG("Error " #X "\n"); \    m->verified=0; m->error_code|=(X); m->error_cert=idx; \    } while(0)   #define FATAL(X) do { ERROR(X); return m; } while(0)       // Decode all certificates in the chain. Leaf is first and root is    // last.       
int len = sizeof(cert_chain);    array chain_obj = allocate(len);    array chain_cert = allocate(len);    -  foreach(cert_chain; int idx; string c) +  foreach(cert_chain; int idx; string|.PKCS.Signature.Signed c)    { -  object cert = Standards.PKCS.Signature.decode_signed(c); -  TBSCertificate tbs = decode_certificate(cert); +  .PKCS.Signature.Signed cert; +  if( stringp(c) ) +  cert = .PKCS.Signature.decode_signed(c); +  TBSCertificate tbs = decode_certificate(c);    if(!tbs)    FATAL(CERT_INVALID);       int idx = len-idx-1;    chain_cert[idx] = cert;    chain_obj[idx] = tbs;    }    m->certificates = chain_obj;       // Chain is now reversed so root is first and leaf is last.
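Review bot: `cert` is assigned only in the `stringp(c)` branch, so for a chain element passed in already decoded as a `.PKCS.Signature.Signed` object `chain_cert[idx]` receives the zero-initialised `cert` rather than the object; if chain_cert feeds the signature checks later in verify_certificate_chain (outside this hunk), pre-decoded chains would presumably fail or be skipped there. The string case is also decoded twice, once here without `x509_types` and again inside `decode_certificate(c)` with them, so the two decodings may not even agree. Collapse both into `.PKCS.Signature.Signed cert = stringp(c) ? .PKCS.Signature.decode_signed(c, x509_types) : c;` followed by `TBSCertificate tbs = decode_certificate(cert);`, which decodes once and records the object for every element. verify_certificate_chain starts before this hunk and continues past its end.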