pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:1:   #pike __REAL_VERSION__   #require constant(Crypto.Hash)   //#pragma strict_types      //! Functions to generate and validate RFC2459 style X.509 v3   //! certificates.      constant dont_dump_module = 1;      import Standards.ASN1.Types; - import Standards.PKCS; +       #ifdef X509_DEBUG   #define DBG(X ...) werror(X)   #define NULL(X ...) werror(X) && 0   #else   #define DBG(X ...)   #define NULL(X ...) 0   #endif      enum CertFailure
pike.git/lib/modules/Standards.pmod/X509.pmod:109:    int cls = 2;    int tag = 2;   }      protected {    MetaExplicit extension_sequence = MetaExplicit(2, 3);    MetaExplicit version_integer = MetaExplicit(2, 0);       mapping algorithms = ([   #if constant(Crypto.MD2) -  Identifiers.rsa_md2_id : Crypto.MD2, +  .PKCS.Identifiers.rsa_md2_id : Crypto.MD2,   #endif -  Identifiers.rsa_md5_id : Crypto.MD5, -  Identifiers.rsa_sha1_id : Crypto.SHA1, -  Identifiers.rsa_sha256_id : Crypto.SHA256, +  .PKCS.Identifiers.rsa_md5_id : Crypto.MD5, +  .PKCS.Identifiers.rsa_sha1_id : Crypto.SHA1, +  .PKCS.Identifiers.rsa_sha256_id : Crypto.SHA256,   #if constant(Crypto.SHA384) -  Identifiers.rsa_sha384_id : Crypto.SHA384, +  .PKCS.Identifiers.rsa_sha384_id : Crypto.SHA384,   #endif   #if constant(Crypto.SHA512) -  Identifiers.rsa_sha512_id : Crypto.SHA512, +  .PKCS.Identifiers.rsa_sha512_id : Crypto.SHA512,   #endif    -  Identifiers.dsa_sha_id : Crypto.SHA1, +  .PKCS.Identifiers.dsa_sha_id : Crypto.SHA1,   #if constant(Crypto.SHA224) -  Identifiers.dsa_sha224_id : Crypto.SHA224, +  .PKCS.Identifiers.dsa_sha224_id : Crypto.SHA224,   #endif -  Identifiers.dsa_sha256_id : Crypto.SHA256, +  .PKCS.Identifiers.dsa_sha256_id : Crypto.SHA256,    -  Identifiers.ecdsa_sha1_id : Crypto.SHA1, +  .PKCS.Identifiers.ecdsa_sha1_id : Crypto.SHA1,   #if constant(Crypto.SHA224) -  Identifiers.ecdsa_sha224_id : Crypto.SHA224, +  .PKCS.Identifiers.ecdsa_sha224_id : Crypto.SHA224,   #endif -  Identifiers.ecdsa_sha256_id : Crypto.SHA256, +  .PKCS.Identifiers.ecdsa_sha256_id : Crypto.SHA256,   #if constant(Crypto.SHA384) -  Identifiers.ecdsa_sha384_id : Crypto.SHA384, +  .PKCS.Identifiers.ecdsa_sha384_id : Crypto.SHA384,   #endif   #if constant(Crypto.SHA512) -  Identifiers.ecdsa_sha512_id : Crypto.SHA512, +  .PKCS.Identifiers.ecdsa_sha512_id : Crypto.SHA512,   #endif    ]);   }      class Verifier {    constant type = "none";    Crypto.Sign.State pkc;    optional __deprecated__(Crypto.RSA) rsa;    optional __deprecated__(Crypto.DSA) dsa;   
pike.git/lib/modules/Standards.pmod/X509.pmod:175:    return t=='O' && sprintf("%O(%O)", this_program, pkc);    }   }      protected class RSAVerifier   {    inherit Verifier;    constant type = "rsa";       protected void create(string key) { -  pkc = RSA.parse_public_key(key); +  pkc = .PKCS.RSA.parse_public_key(key);    }       __deprecated__ Crypto.RSA.State `rsa() {    return pkc;    }   }      protected class DSAVerifier   {    inherit Verifier;    constant type = "dsa";       protected void create(string key, Gmp.mpz p, Gmp.mpz q, Gmp.mpz g)    { -  pkc = DSA.parse_public_key(key, p, q, g); +  pkc = .PKCS.DSA.parse_public_key(key, p, q, g);    }       __deprecated__ Crypto.DSA.State `dsa() {    return pkc;    }   }      #if constant(Crypto.ECC.Curve)   protected class ECDSAVerifier   {
pike.git/lib/modules/Standards.pmod/X509.pmod:238:    || (keyinfo[0]->type_name != "SEQUENCE")    || !sizeof( [object(Sequence)]keyinfo[0] )    || (keyinfo[1]->type_name != "BIT STRING")    || keyinfo[1]->unused)    return NULL("Illegal keyinfo ASN.1\n");    Sequence seq = [object(Sequence)]keyinfo[0];    String str = [object(String)]keyinfo[1];       if(sizeof(seq)==0) return NULL("Empty keyinfo algorithm identifier.\n");    -  if (seq[0]->get_der() == Identifiers.rsa_id->get_der()) +  if (seq[0]->get_der() == .PKCS.Identifiers.rsa_id->get_der())    {    if ( (sizeof(seq) > 2) ||    // Strictly there should always be a Null parameter member    // here, but there has been a lot of confusion about 1    // element sequence vs. 2 element sequence with Null. Allow    // both for compatibility.    (sizeof(seq)==2 && seq[1]->get_der() != Null()->get_der()) )    return NULL("Illegal RSA ASN.1\n");       return RSAVerifier(str->value);    }    -  if(seq[0]->get_der() == Identifiers.dsa_id->get_der()) +  if(seq[0]->get_der() == .PKCS.Identifiers.dsa_id->get_der())    {    if( sizeof(seq)!=2 || seq[1]->type_name!="SEQUENCE" ||    sizeof(seq[1])!=3 || seq[1][0]->type_name!="INTEGER" ||    seq[1][1]->type_name!="INTEGER" || seq[1][2]->type_name!="INTEGER" )    return NULL("Illegal DSA ASN.1\n");       Sequence params = seq[1];    return DSAVerifier(str->value, params[0]->value,    params[1]->value, params[2]->value);    }      #if constant(Crypto.ECC.Curve) -  if(seq[0]->get_der() == Identifiers.ec_id->get_der()) +  if(seq[0]->get_der() == .PKCS.Identifiers.ec_id->get_der())    {    if( sizeof(seq)!=2 || seq[1]->type_name!="OBJECT IDENTIFIER" )    return NULL("Illegal ECDSA ASN.1\n");       Identifier params = seq[1];    return ECDSAVerifier(str->value, params);    }   #endif       return NULL("make_verifier: Unknown algorithm identifier: %O\n", seq[0]);
pike.git/lib/modules/Standards.pmod/X509.pmod:1304:   //! @seealso   //! @[sign_key()], @[sign_tbs()]   string make_selfsigned_certificate(Crypto.Sign.State c, int ttl,    mapping|array name,    mapping(Identifier:Sequence)|void extensions,    void|Crypto.Hash h, void|int serial)   {    if(!serial)    serial = (int)Gmp.mpz(Standards.UUID.make_version1(-1)->encode(), 256);    -  Sequence dn = Certificate.build_distinguished_name(name); +  Sequence dn = .PKCS.Certificate.build_distinguished_name(name);       void add(string name, Object data, void|int critical)    { -  Identifier id = Identifiers.ce_ids[name]; +  Identifier id = .PKCS.Identifiers.ce_ids[name];    if(!extensions[id])    extensions[id] = make_extension(id, data, critical);    };       if(!extensions) extensions = ([]);       // While RFC 3280 section 4.2.1.2 suggest to only hash the BIT    // STRING part of the subjectPublicKey, it is only a suggestion.    add("subjectKeyIdentifier",    OctetString( Crypto.SHA1.hash(c->pkcs_public_key()->get_der()) ));
pike.git/lib/modules/Standards.pmod/X509.pmod:1335:   }      string make_site_certificate(TBSCertificate ca, Crypto.Sign.State ca_key,    Crypto.Sign.State c, int ttl, mapping|array name,    mapping|void extensions,    void|Crypto.Hash h, void|int serial)   {    if(!serial)    serial = (int)Gmp.mpz(Standards.UUID.make_version1(-1)->encode(), 256);    -  Sequence dn = Certificate.build_distinguished_name(name); +  Sequence dn = .PKCS.Certificate.build_distinguished_name(name);       void add(string name, Object data, void|int critical)    { -  Identifier id = Identifiers.ce_ids[name]; +  Identifier id = .PKCS.Identifiers.ce_ids[name];    if(!extensions[id])    extensions[id] = make_extension(id, data, critical);    };       if(!extensions) extensions = ([]);    // FIXME: authorityKeyIdentifier    add("keyUsage", build_keyUsage(make_key_usage_flags(c)), 1);       add("basicConstraints", Sequence(({})), 1);    return sign_key(ca->subject, c, ca_key, h||Crypto.SHA256, dn, serial, ttl, extensions);   }      string make_root_certificate(Crypto.Sign.State c, int ttl, mapping|array name,    mapping(Identifier:Sequence)|void extensions,    void|Crypto.Hash h, void|int serial)   {    if(!serial)    serial = (int)Gmp.mpz(Standards.UUID.make_version1(-1)->encode(), 256);    -  Sequence dn = Certificate.build_distinguished_name(name); +  Sequence dn = .PKCS.Certificate.build_distinguished_name(name);       void add(string name, Object data, void|int critical)    { -  Identifier id = Identifiers.ce_ids[name]; +  Identifier id = .PKCS.Identifiers.ce_ids[name];    if(!extensions[id])    extensions[id] = make_extension(id, data, critical);    };       if(!extensions) extensions = ([]);       // While RFC 3280 section 4.2.1.2 suggest to only hash the BIT    // STRING part of the subjectPublicKey, it is only a suggestion.    // FIXME: authorityKeyIdentifier    add("subjectKeyIdentifier",