pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:680:    return 0;    a = a[1..];    }    DBG("TBSCertificate: version = %d\n", version);       this_program::version = version;       if (a[0]->type_name != "INTEGER")    return 0;    serial = a[0]->value; +  if(serial<0) +  return 0;    DBG("TBSCertificate: serial = %s\n", (string) serial);       if ((a[1]->type_name != "SEQUENCE")    || !sizeof(a[1])    || (a[1][0]->type_name != "OBJECT IDENTIFIER"))    return 0;       algorithm = a[1];    DBG("TBSCertificate: algorithm = %O\n", algorithm);   
pike.git/lib/modules/Standards.pmod/X509.pmod:878:   //! @returns   //! Returns a DER-encoded certificate.   //!   //! @seealso   //! @[make_selfsigned_certificate()], @[make_tbs()], @[sign_tbs()]   string sign_key(Sequence issuer, Crypto.Sign c, Crypto.Hash h,    Sequence subject, int serial, int ttl, array|void extensions)   {    Sequence algorithm_id = c->pkcs_signature_algorithm_id(h);    if(!algorithm_id) error("Can't use %O for %O.\n", h, c); +  if(serial<0) error("Serial number needs to be >=0.\n");    return sign_tbs(make_tbs(issuer, algorithm_id,    subject, c->pkcs_public_key(),    Integer(serial), ttl, extensions),    c, h)->get_der();   }      //! Creates a selfsigned certificate, i.e. where issuer and subject   //! are the same entity. This entity is derived from the list of pairs   //! in @[name], which is encoded into an distinguished_name by   //! @[Standards.PKCS.Certificate.build_distinguished_name].
pike.git/lib/modules/Standards.pmod/X509.pmod:996:    if (objectp(verifiers)) verifiers = ({ verifiers });    }       foreach(verifiers || ({}), Verifier v) {    if (v->verify(cert[1], cert[0]->get_der(), cert[2]->value))    return tbs;    }    return 0;   }    - //! Decodes a root certificate using @[decode_certificate] and - //! verifies that all extensions mandated for root certificates are - //! present and valid. - TBSCertificate verify_root_certificate(string s) +  + //! Verifies that all extensions mandated for certificate signing + //! certificates are present and valid. + TBSCertificate verify_root_certificate(TBSCertificate tbs)   { -  TBSCertificate tbs = decode_certificate(s); +     if(!tbs) return 0;       multiset crit = tbs->critical + (<>);       Object lookup(int num)    {    string id = Identifiers.ce_id->append(num)->get_der();    crit[id]=0;    return tbs->extensions[id];    };
pike.git/lib/modules/Standards.pmod/X509.pmod:1231:    mapping(string:Verifier|array(Verifier)) authorities,    int|void require_trust)   {    mapping m = ([ ]);   #define ERROR(X) do { \    DBG("Error " #X "\n"); \    m->verified=0; m->error_code=(X); m->error_cert=idx; \    return m; \    } while(0)    +  // Decode all certificates in the chain. Leaf is first and root is +  // last. +     int len = sizeof(cert_chain);    array chain_obj = allocate(len);    array chain_cert = allocate(len);       foreach(cert_chain; int idx; string c)    {    object cert = Standards.ASN1.Decode.simple_der_decode(c);    TBSCertificate tbs = decode_certificate(cert);    if(!tbs)    ERROR(CERT_INVALID);       int idx = len-idx-1;    chain_cert[idx] = cert;    chain_obj[idx] = tbs;    }    -  +  // Chain is now reversed so root is first and leaf is last. +     foreach(chain_obj; int idx; TBSCertificate tbs)    {    array(Verifier)|Verifier verifiers;       if(idx == 0) // The root cert    {    verifiers = authorities[tbs->issuer->get_der()];       // if we don't know the issuer of the root certificate, and we    // require trust, we're done.