pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:33:      //!   constant CERT_BAD_SIGNATURE = 6;      // A CA certificate does not have the CA basic constraint.   constant CERT_UNAUTHORIZED_CA = 7;         // Bit 0 is the first bit in the BitString.   protected enum keyUsage { -  digitalSignature = (1<<(7-0)), -  nonRepudiation = (1<<(7-1)), -  keyEncipherment = (1<<(7-2)), -  dataEncipherment = (1<<(7-3)), -  keyAgreement = (1<<(7-4)), -  keyCertSign = (1<<(7-5)), -  cRLSign = (1<<(7-6)), +  digitalSignature = 1<<0, +  nonRepudiation = 1<<1, +  keyEncipherment = 1<<2, +  dataEncipherment = 1<<3, +  keyAgreement = 1<<4, +  keyCertSign = 1<<5, +  cRLSign = 1<<6, +  encipherOnly = 1<<7, +  decipherOnly = 1<<8,   };    -  + // Generates the reverse int for keyUsage. + protected BitString build_keyUsage(keyUsage i) + { +  string v = ""; +  int pos=7, char;    -  +  while(i) +  { +  if(i&1) +  char |= 1<<pos; +  if( --pos < 0 ) +  { +  pos = 7; +  v += sprintf("%c", char); +  char = 0; +  } +  i >>= 1; +  } +  if( char ) +  v += sprintf("%c", char); +  +  BitString b = BitString(v); +  b->unused = pos==7 ? 0 : pos+1; +  return b; + } +  +    //! Unique identifier for the certificate issuer.   //!   //! X.509v2 (deprecated).   class IssuerId {    inherit BitString;    constant cls = 2;    constant tag = 1;   }      //! Unique identifier for the certificate subject.
pike.git/lib/modules/Standards.pmod/X509.pmod:878:    {    if( !o ) return 1;    if( o->type_name!="OCTET STRING" )    return 0;    ext_subjectKeyIdentifier = o->value;    return 1;    }       //! Set to the value of the KeyUsage if the certificate    //! contains the keyUsage extension. RFC3280 4.2.1.3. -  int ext_keyUsage; +  keyUsage ext_keyUsage;       protected int(0..1) parse_keyUsage(Object o)    {    if( !o ) return 1;    if( o->type_name!="BIT STRING" )    return 0; - #if 0 -  int bits, pos; +  +  int pos;    foreach(o->value;; int char)    for(int i; i<8; i++)    {    int bit = !!(char & 0x80); -  bits |= (bit << pos); +  ext_keyUsage |= (bit << pos);    pos++;    char <<= 1;    } - #endif -  int bits = o->value[0]; -  ext_keyUsage = bits; +     return 1;    }         }      //! Creates the ASN.1 TBSCertificate sequence (see RFC2459 section   //! 4.1) to be signed (TBS) by the CA. version is explicitly set to   //! v3, and @[extensions] is optionally added to the sequence.   //! issuerUniqueID and subjectUniqueID are not supported.
pike.git/lib/modules/Standards.pmod/X509.pmod:1087:   #define ADD(X,Y,Z) extensions+=({ make_extension(Identifiers.ce_ids->X,Y,Z) })       if(!extensions) extensions = ({});       // While RFC 3280 section 4.2.1.2 suggest to only hash the BIT    // STRING part of the subjectPublicKey, it is only a suggestion.    ADD(subjectKeyIdentifier,    OctetString( Crypto.SHA1.hash(c->pkcs_public_key()->get_der()) ),    0);    ADD(keyUsage, -  BitString(Gmp.mpz(keyCertSign|cRLSign|digitalSignature)->digits(256)), +  build_keyUsage(keyCertSign|cRLSign|digitalSignature),    1);    ADD(basicConstraints,    Sequence(({Boolean(1)})),    1);      #undef ADD       return sign_key(dn, c, h||Crypto.SHA256, dn, serial, ttl, extensions);   }   
pike.git/lib/modules/Standards.pmod/X509.pmod:1217:       // id-ce-keyUsage is required.    crit[.PKCS.Identifiers.ce_ids.keyUsage]=0;    if( !(tbs->ext_keyUsage & keyCertSign) )    {    DBG("verify ca: id-ce-keyUsage doesn't allow keyCertSign.\n");    return 0;    }    // FIXME: RFC 5759 also requires CRLSign set.    if( tbs->ext_keyUsage & -  (~(keyCertSign | cRLSign | digitalSignature | nonRepudiation)&255) ) +  (~(keyCertSign | cRLSign | digitalSignature | nonRepudiation)&0xffff) )    {    DBG("verify ca: illegal CA uses in id-ce-keyUsage.\n");    return 0;    }       // FIXME: In addition RFC 5759 requires policyMappings,    // policyConstraints and inhibitAnyPolicy to be processed in    // accordance with RFC 5280.       // One or more critical extensions have not been processed.