

pike.git/lib/modules/Standards.pmod/X509.pmod:347:   }   #endif      protected Verifier make_verifier(Object _keyinfo)   {    if( _keyinfo->type_name != "SEQUENCE" )    return 0;    Sequence keyinfo = [object(Sequence)]_keyinfo;       if ( (keyinfo->type_name != "SEQUENCE") -  || (sizeof(keyinfo->elements) != 2) -  || (keyinfo->elements[0]->type_name != "SEQUENCE") -  || !sizeof(([object(Sequence)]keyinfo->elements[0])->elements) -  || (keyinfo->elements[1]->type_name != "BIT STRING") -  || keyinfo->elements[1]->unused) +  || (sizeof(keyinfo) != 2) +  || (keyinfo[0]->type_name != "SEQUENCE") +  || !sizeof( [object(Sequence)]keyinfo[0] ) +  || (keyinfo[1]->type_name != "BIT STRING") +  || keyinfo[1]->unused)    return 0; -  Sequence seq = [object(Sequence)]keyinfo->elements[0]; -  String str = [object(String)]keyinfo->elements[1]; +  Sequence seq = [object(Sequence)]keyinfo[0]; +  String str = [object(String)]keyinfo[1];    -  if (seq->elements[0]->get_der() == Identifiers.rsa_id->get_der()) +  if (seq[0]->get_der() == Identifiers.rsa_id->get_der())    { -  if ( (sizeof(seq->elements) != 2) -  || (seq->elements[1]->get_der() != Null()->get_der()) ) +  if ( (sizeof(seq) != 2) +  || (seq[1]->get_der() != Null()->get_der()) )    return 0;       return rsa_verifier()->init(str->value);    }    -  if(seq->elements[0]->get_der() == Identifiers.dsa_sha_id->get_der()) +  if(seq[0]->get_der() == Identifiers.dsa_sha_id->get_der())    {    /* FIXME: Not implemented */    return 0;    }   }      //! Represents a TBSCertificate.   class TBSCertificate   {    //!
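Review bot: The rewritten guard in make_verifier still begins with `keyinfo->type_name != "SEQUENCE"` even though the same condition was already tested on `_keyinfo` two lines earlier and returned 0, so the first clause of the new condition is dead and the check reads as a shape test only from its second clause on. The function also falls off the end for any algorithm OID other than rsa_id and dsa_sha_id, leaning on Pike's implicit zero return; an explicit `return 0; // unsupported public key algorithm` after the DSA branch would make the reject path visible to anyone auditing which key types are accepted. The `keyinfo[1]->unused` clause deserves a why-comment as well, e.g. `// subjectPublicKey must be a whole number of octets`, since it is the only line explaining why a BIT STRING with trailing unused bits is rejected before `str->value` is handed to the verifier.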
pike.git/lib/modules/Standards.pmod/X509.pmod:437:    DBG("TBSCertificate: sizeof(a) = %d\n", sizeof(a));       if (sizeof(a) < 6)    return 0;       if (sizeof(a) > 6)    {    /* The optional version field must be present */    if (!a[0]->constructed    || (a[0]->get_combined_tag() != make_combined_tag(2, 0)) -  || (sizeof(a[0]->elements) != 1) -  || (a[0]->elements[0]->type_name != "INTEGER")) +  || (sizeof(a[0]) != 1) +  || (a[0][0]->type_name != "INTEGER"))    return 0;    -  version = (int) a[0]->elements[0]->value + 1; +  version = (int) a[0][0]->value + 1;    if ( (version < 2) || (version > 3))    return 0;    a = a[1..];    } else    version = 1;    DBG("TBSCertificate: version = %d\n", version);       if (a[0]->type_name != "INTEGER")    return 0;    serial = a[0]->value;    DBG("TBSCertificate: serial = %s\n", (string) serial);       if ((a[1]->type_name != "SEQUENCE") -  || !sizeof(a[1]->elements ) -  || (a[1]->elements[0]->type_name != "OBJECT IDENTIFIER")) +  || !sizeof(a[1]) +  || (a[1][0]->type_name != "OBJECT IDENTIFIER"))    return 0;       algorithm = a[1];    DBG("TBSCertificate: algorithm = %O\n", algorithm);       if (a[2]->type_name != "SEQUENCE")    return 0;    issuer = a[2];    DBG("TBSCertificate: issuer = %O\n", issuer);       if ((a[3]->type_name != "SEQUENCE") -  || (sizeof(a[3]->elements) != 2)) +  || (sizeof(a[3]) != 2))    return 0;    array validity = a[3]->elements;       not_before = parse_time(validity[0]);    if (!not_before)    return 0;    DBG("TBSCertificate: not_before = %O\n", not_before);       not_after = parse_time(validity[1]);    if (!not_after)
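Review bot: `array validity = a[3]->elements;` still reaches into `->elements` directly while the shape check two lines above it was rewritten to `sizeof(a[3]) != 2`, so the hunk mixes the two access styles for the same object; either leave the check as `sizeof(a[3]->elements)` or take the two fields through the index operator, `not_before = parse_time(a[3][0]);` and `not_after = parse_time(a[3][1]);`, so the intermediate array is not needed. The version branch casts `a[0][0]->value` to int and then range-checks `version < 2 || version > 3`, which is sound because the INTEGER type_name was verified first, but the bare numbers would read better with `// explicit version field means v2 or v3 (RFC 5280 4.1.2.1)`. The enclosing init() starts and ends outside this hunk.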
pike.git/lib/modules/Standards.pmod/X509.pmod:539:   }      //! Decodes a certificate and verifies that it is structually sound.   //! Returns a @[TBSCertificate] object if ok, otherwise @expr{0@}.   TBSCertificate decode_certificate(string|object cert)   {    if (stringp (cert)) cert = Standards.ASN1.Decode.simple_der_decode(cert);       if (!cert    || (cert->type_name != "SEQUENCE") -  || (sizeof(cert->elements) != 3) -  || (cert->elements[0]->type_name != "SEQUENCE") -  || (cert->elements[1]->type_name != "SEQUENCE") -  || (!sizeof(cert->elements[1]->elements)) -  || (cert->elements[1]->elements[0]->type_name != "OBJECT IDENTIFIER") -  || (cert->elements[2]->type_name != "BIT STRING") -  || cert->elements[2]->unused) +  || (sizeof(cert) != 3) +  || (cert[0]->type_name != "SEQUENCE") +  || (cert[1]->type_name != "SEQUENCE") +  || (!sizeof(cert[1])) +  || (cert[1][0]->type_name != "OBJECT IDENTIFIER") +  || (cert[2]->type_name != "BIT STRING") +  || cert[2]->unused)    return 0;    -  TBSCertificate tbs = TBSCertificate()->init(cert->elements[0]); +  TBSCertificate tbs = TBSCertificate()->init(cert[0]);    -  if (!tbs || (cert->elements[1]->get_der() != tbs->algorithm->get_der())) +  if (!tbs || (cert[1]->get_der() != tbs->algorithm->get_der()))    return 0;       return tbs;   }      //! Decodes a certificate, checks the signature. Returns the   //! TBSCertificate structure, or 0 if decoding or verification failes.   //!   //! Authorities is a mapping from (DER-encoded) names to a verifiers.   //!
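Review bot: The comparison `cert[1]->get_der() != tbs->algorithm->get_der()` is the check that the outer signatureAlgorithm agrees with the signature field inside the TBSCertificate, and the rewritten line gives no hint of why the two must match; a comment such as `// RFC 5280 4.1.1.2: signatureAlgorithm must equal tbsCertificate.signature` would keep a later cleanup from treating it as redundant. The docstring promises `0` otherwise, but that presumably does not hold when `Standards.ASN1.Decode.simple_der_decode` raises on malformed input rather than returning 0 — worth confirming, and if so the docstring should say that decoding errors propagate to the caller. The docstring also reads `structually` where `structurally` is meant.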
pike.git/lib/modules/Standards.pmod/X509.pmod:582:       if (tbs->issuer->get_der() == tbs->subject->get_der())    {    /* A self signed certificate */    DBG("Self signed certificate\n");    v = tbs->public_key;    }    else    v = authorities[tbs->issuer->get_der()];    -  return v && v->verify(cert->elements[1], -  cert->elements[0]->get_der(), -  cert->elements[2]->value) +  return v && v->verify(cert[1], +  cert[0]->get_der(), +  cert[2]->value)    && tbs;   }      //! Decodes a certificate chain, checks the signatures. Verifies that the   //! chain is unbroken, and that all certificates are in effect   //! (time-wise.)   //!   //! Returns a mapping with the following contents, depending   //! on the verification of the certificate chain:   //!
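Review bot: The `v` fed into the rewritten `v->verify(cert[1], cert[0]->get_der(), cert[2]->value)` call is the certificate's own `public_key` whenever the issuer and subject DER are equal, so a self-signed certificate that is absent from `authorities` is still returned as verified, and nothing in the return value tells the caller which of the two paths applied. The function's docstring (outside the hunk) describes the authorities mapping but, as far as the visible text shows, not this self-signed acceptance; a sentence such as `Self-signed certificates are checked against their own key and are returned even when their issuer is not in @[authorities]; callers must apply their own trust decision.` would make the contract explicit. The head of the function is outside this hunk.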
pike.git/lib/modules/Standards.pmod/X509.pmod:670: Inside #if 0
   // make sure the CA constraint is set.    //    // should we be considering self signed certificates?    if(idx != (sizeof(chain_obj)-1))    {    int caok = 0;       if(tbs->extensions && sizeof(tbs->extensions))    {    werror("have extensions.\n"); -  foreach(tbs->extensions->elements[0]->elements, Sequence c) +  foreach(tbs->extensions[0]->elements, Sequence c)    {    werror("checking each element...\n"); -  if(c->elements[0] == Identifiers.ce_id->append(19)) +  if(c[0] == Identifiers.ce_id->append(19))    {    werror("have a basic constraints element.\n");    foreach(c->elements[1..], Sequence v)    {    werror("checking for boolean: " + v->type_name + " " + v->value + "\n");    if(v->type_name == "BOOLEAN" && v->value == 1)    caok = 1;    }    }    }
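Review bot: `if(c[0] == Identifiers.ce_id->append(19))` compares two ASN.1 objects with `==`, which for Pike objects is identity unless the class overloads the operator; if Identifier does not, the freshly built `append(19)` object can never be equal to the decoded one, the basic-constraints extension is never recognised, and `caok` stays 0. The rest of the file compares identifiers by encoding, so `if(c[0]->get_der() == Identifiers.ce_id->append(19)->get_der())` would match the established pattern. The same hunk switches `c->elements[0]` to `c[0]` but keeps `tbs->extensions[0]->elements` and `c->elements[1..]`, so the indexing style is mixed within one loop. This block sits inside `#if 0`, so neither point changes the built module, but the dead code will mislead if it is re-enabled.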
pike.git/lib/modules/Standards.pmod/X509.pmod:763:    m->error_cert = idx;    return m;    }    // the verifier for this certificate should be the public key of    // the previous certificate in the chain.    v = chain_obj[idx-1]->public_key;    }       if (v)    { -  if( v->verify(chain_cert[idx]->elements[1], -  chain_cert[idx]->elements[0]->get_der(), -  chain_cert[idx]->elements[2]->value) +  if( v->verify(chain_cert[idx][1], +  chain_cert[idx][0]->get_der(), +  chain_cert[idx][2]->value)    && tbs)    {    DBG("signature is verified..\n");    m->verified = 1;       // if we're the root of the chain and we've verified, this is    // the authority.    if(idx == 0)    m->authority = tbs->issuer;
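Review bot: The rewritten `v->verify(chain_cert[idx][1], chain_cert[idx][0]->get_der(), chain_cert[idx][2]->value)` is the third copy of the same positional unpacking of a Certificate sequence (verify_certificate holds the second), so the meaning of fields 0, 1 and 2 lives in three places; a small helper such as `protected int check_signature(Verifier v, Sequence cert) { return v->verify(cert[1], cert[0]->get_der(), cert[2]->value); }` would keep the field positions and their order in one spot. The trailing `&& tbs` turns the verify result into the TBSCertificate object or 0, which is not obvious on first read and would benefit from a short comment on the `if` line. The enclosing function starts and ends outside this hunk.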