pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:43:    //! The certificate is not allowed by it's key usage to sign data.    CERT_UNAUTHORIZED_SIGNING = 1<<7,       //! The certificate chain is longer than allowed by a certificate in    //! the chain.    CERT_EXCEEDED_PATH_LENGTH = 1<<8,   }         // Bit 0 is the first bit in the BitString. - protected enum keyUsage { -  digitalSignature = 1<<0, -  nonRepudiation = 1<<1, -  keyEncipherment = 1<<2, -  dataEncipherment = 1<<3, -  keyAgreement = 1<<4, -  keyCertSign = 1<<5, -  cRLSign = 1<<6, -  encipherOnly = 1<<7, -  decipherOnly = 1<<8, -  last_keyUsage = 1<<9, // end marker + enum keyUsage { +  KU_digitalSignature = 1<<0, +  KU_nonRepudiation = 1<<1, +  KU_keyEncipherment = 1<<2, +  KU_dataEncipherment = 1<<3, +  KU_keyAgreement = 1<<4, +  KU_keyCertSign = 1<<5, +  KU_cRLSign = 1<<6, +  KU_encipherOnly = 1<<7, +  KU_decipherOnly = 1<<8, +  KU_last_keyUsage = 1<<9, // end marker   };      // Generates the reverse int for keyUsage.   protected BitString build_keyUsage(keyUsage i)   {    string v = "";    int pos=7, char;       while(i)    {
pike.git/lib/modules/Standards.pmod/X509.pmod:1251:   #define ADD(X,Y,Z) extensions+=({ make_extension(Identifiers.ce_ids->X,Y,Z) })       if(!extensions) extensions = ({});       // While RFC 3280 section 4.2.1.2 suggest to only hash the BIT    // STRING part of the subjectPublicKey, it is only a suggestion.    ADD(subjectKeyIdentifier,    OctetString( Crypto.SHA1.hash(c->pkcs_public_key()->get_der()) ),    0);    ADD(keyUsage, -  build_keyUsage(keyCertSign|cRLSign|digitalSignature), +  build_keyUsage(KU_keyCertSign|KU_cRLSign|KU_digitalSignature),    1);    ADD(basicConstraints,    Sequence(({Boolean(1)})),    1);      #undef ADD       return sign_key(dn, c, h||Crypto.SHA256, dn, serial, ttl, extensions);   }   
pike.git/lib/modules/Standards.pmod/X509.pmod:1374:    // recommended.    crit[.PKCS.Identifiers.ce_ids.authorityKeyIdentifier]=0;    if( !tbs->ext_authorityKeyIdentifier && !self_signed )    {    DBG("verify ca: Missing id-ce-authorityKeyIdentifier.\n");    return 0;    }       // id-ce-keyUsage is required.    crit[.PKCS.Identifiers.ce_ids.keyUsage]=0; -  if( !(tbs->ext_keyUsage & keyCertSign) ) +  if( !(tbs->ext_keyUsage & KU_keyCertSign) )    {    DBG("verify ca: id-ce-keyUsage doesn't allow keyCertSign.\n");    return 0;    }    // FIXME: RFC 5759 also requires CRLSign set.    if( tbs->ext_keyUsage & -  (~(keyCertSign | cRLSign | digitalSignature | -  nonRepudiation)&(last_keyUsage-1)) ) +  (~(KU_keyCertSign | KU_cRLSign | KU_digitalSignature | +  KU_nonRepudiation)&(KU_last_keyUsage-1)) )    {    DBG("verify ca: illegal CA uses in id-ce-keyUsage.\n");    return 0;    }       // FIXME: In addition RFC 5759 requires policyMappings,    // policyConstraints and inhibitAnyPolicy to be processed in    // accordance with RFC 5280.       // One or more critical extensions have not been processed.
pike.git/lib/modules/Standards.pmod/X509.pmod:1628:    {    // len-1-idx is the number of following certificates.    if( len-1-idx > tbs->ext_basicConstraints_pathLenConstraint )    {    // The error was later in the chain though, so maybe a    // different error should be sent.    ERROR(CERT_EXCEEDED_PATH_LENGTH);    }    }    -  if( !(tbs->ext_keyUsage & keyCertSign) ) +  if( !(tbs->ext_keyUsage & KU_keyCertSign) )    ERROR(CERT_UNAUTHORIZED_CA);    }       if(idx == 0) // The root cert    {    verifiers = authorities[tbs->issuer->get_der()];       // if we don't know the issuer of the root certificate, and we    // require trust, we're done.    if(!verifiers && require_trust)