pike.git / lib / modules / Standards.pmod / X509.pmod


pike.git/lib/modules/Standards.pmod/X509.pmod:1013:       multiset crit = tbs->critical + (<>);       Object lookup(int num)    {    string id = Identifiers.ce_id->append(num)->get_der();    crit[id]=0;    return tbs->extensions[id];    };    +  // FIXME: Move extension parsing into tbs. +     // id-ce-basicConstraints is required for certificates with public    // key used to validate certificate signatures. RFC 3280, 4.2.1.10.    Object c = lookup(19);    if( !c || c->type_name!="SEQUENCE" || sizeof(c)<1 || sizeof(c)>2 ||    c[0]->type_name!="BOOLEAN" ||    !c[0]->value )    {    DBG("verify root: Bad or missing id-ce-basicConstraints.\n");    return 0;    } -  +  // FIXME: Verify pathLenConstraint       // id-ce-authorityKeyIdentifier is required, unless self signed. RFC    // 3280 4.2.1.1    if( !lookup(35) && tbs->issuer->get_der() != tbs->subject->get_der() )    {    DBG("verify root: Missing id-ce-authorityKeyIdentifier.\n");    return 0;    }       // id-ce-subjectKeyIdentifier is required. RFC 3280 4.2.1.2    if( !lookup(14) )    {    DBG("verify root: Missing id-ce-subjectKeyIdentifier.\n");    return 0;    }       // id-ce-keyUsage is required. RFC 3280 4.2.1.3 -  if( !lookup(15) ) // FIXME: Look at usage bits +  c = lookup(15); +  if( !c ) // FIXME: Look at usage bits    {    DBG("verify root: Missing id-ce-keyUsage.\n");    return 0;    }       // One or more critical extensions have not been processed.    if( sizeof(crit) )    {    DBG("verify root: Critical unknown extensions %O.\n", crit);    return 0;    }       return tbs;   }    - //! Convenience function for loading known root ceritificates. + //! Convenience function for loading known root certificates.   //!   //! @param root_cert_dirs   //! Directory/directories containing the PEM-encoded root certificates   //! to load. Defaults to a rather long list of directories, including   //! @expr{"/etc/ssl/certs"@}, @expr{"/etc/pki/tls/certs"@} and   //! 
@expr{"/System/Library/OpenSSL/certs"@}, which seem to be the most   //! common locations.   //!   //! @returns   //! Returns a mapping from DER-encoded issuer to @[Verifier]s
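Review bot: The keyUsage value fetched by `c = lookup(15);` is still only tested for presence, and `lookup()` has already cleared the extension from `crit`, so a critical keyUsage without keyCertSign counts as processed and the certificate is accepted as a signer. Until the usage bits are parsed, reject a malformed value in the same style as the basicConstraints check, e.g. `if( !c || c->type_name!="BIT STRING" )`, and extend the FIXME to state that keyCertSign (RFC 3280 4.2.1.3) must be set before `return tbs;`. The new `// FIXME: Verify pathLenConstraint` marks a similar gap: the optional second element of the basicConstraints SEQUENCE is accepted without its type or value being checked, so a path length limit set by the issuer is not enforced here. The enclosing function starts before the visible context, so callers that may compensate for either gap are not shown.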