pike.git / lib / modules / Standards.pmod / X509.pmod


pike.git/lib/modules/Standards.pmod/X509.pmod:141:    Identifiers.ecdsa_sha384_id : Crypto.SHA384,   #endif   #if constant(Crypto.SHA512)    Identifiers.ecdsa_sha512_id : Crypto.SHA512,   #endif    ]);   }      class Verifier {    constant type = "none"; -  Crypto.Sign pkc; +  Crypto.Sign.State pkc;    optional __deprecated__(Crypto.RSA) rsa;    optional __deprecated__(Crypto.DSA) dsa;       //! Verifies the @[signature] of the certificate @[msg] using the    //! indicated hash @[algorithm].    int(0..1) verify(Sequence algorithm, string(8bit) msg, string(8bit) signature)    {    DBG("Verify hash %O\n", algorithm[0]);    Crypto.Hash hash = algorithms[algorithm[0]];    if (!hash) return 0;
pike.git/lib/modules/Standards.pmod/X509.pmod:176:      protected class RSAVerifier   {    inherit Verifier;    constant type = "rsa";       protected void create(string key) {    pkc = RSA.parse_public_key(key);    }    -  __deprecated__ Crypto.RSA `rsa() { return [object(Crypto.RSA)]pkc; } +  __deprecated__ Crypto.RSA.State `rsa() { +  return [object(Crypto.RSA.State)]pkc;    } -  + }      protected class DSAVerifier   {    inherit Verifier;    constant type = "dsa";       protected void create(string key, Gmp.mpz p, Gmp.mpz q, Gmp.mpz g)    {    pkc = DSA.parse_public_key(key, p, q, g);    }    -  __deprecated__ Crypto.DSA `dsa() { return [object(Crypto.DSA)]pkc; } +  __deprecated__ Crypto.DSA.State `dsa() { +  return [object(Crypto.DSA.State)]pkc;    } -  + }      #if constant(Crypto.ECC.Curve)   protected class ECDSAVerifier   {    inherit Verifier;    constant type = "ecdsa";       protected void create(string(8bit) key, Identifier curve_id)    {    Crypto.ECC.Curve curve;
pike.git/lib/modules/Standards.pmod/X509.pmod:1143:   //! See @[Crypto.RSA], @[Crypto.DSA] and @[Crypto.ECC.Curve.ECDSA].   //! Must be initialized with the private key.   //!   //! @param hash   //! The hash function to use for the certificate. Must be one of the   //! standardized PKCS hashes to be used with the given Crypto.   //!   //! @seealso   //! @[decode_certificate()], @[make_tbs()]   Sequence sign_tbs(TBSCertificate tbs, -  Crypto.Sign sign, Crypto.Hash hash) +  Crypto.Sign.State sign, Crypto.Hash hash)   {    return Sequence(({ [object(Sequence)]tbs,    sign->pkcs_signature_algorithm_id(hash),    BitString(sign->pkcs_sign(tbs->get_der(), hash)),    }));   }      //! Low-level function for creating a signed certificate.   //!   //! @param issuer
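Review bot: sign_tbs uses the result of `sign->pkcs_signature_algorithm_id(hash)` unchecked, whereas sign_key (hunk at :1193) treats a zero return as "this hash cannot be used with this key" and raises an error. With an unsupported hash/key pairing the Sequence here would presumably be built with 0 in place of the AlgorithmIdentifier, so the failure surfaces later or yields a malformed certificate. I would apply the same guard before the return: `Sequence id = sign->pkcs_signature_algorithm_id(hash);` followed by `if (!id) error("Can't use %O for %O.\n", hash, sign);`, and then put `id` into the Sequence.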
pike.git/lib/modules/Standards.pmod/X509.pmod:1193:   //! Validity time in seconds for this signature to be valid.   //!   //! @param extensions   //! Set of extensions.   //!   //! @returns   //! Returns a DER-encoded certificate.   //!   //! @seealso   //! @[make_selfsigned_certificate()], @[make_tbs()], @[sign_tbs()] - string sign_key(Sequence issuer, Crypto.Sign c, Crypto.Sign ca, Crypto.Hash h, -  Sequence subject, int serial, int ttl, array|mapping|void extensions) + string sign_key(Sequence issuer, Crypto.Sign.State c, Crypto.Sign.State ca, +  Crypto.Hash h, Sequence subject, int serial, int ttl, +  array|mapping|void extensions)   {    Sequence algorithm_id = c->pkcs_signature_algorithm_id(h);    if(!algorithm_id) error("Can't use %O for %O.\n", h, c);    if(serial<=0) error("Conforming CA serial number needs to be >0.\n");    if(serial>1<<142) error("Serial needs to be less than 20 bytes encoded.\n");       if( mappingp(extensions) )    {    mapping(Identifier:Sequence) m = [mapping]extensions;    array(Sequence) a = ({});
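Review bot: The bound in `if(serial>1<<142)` does not match its own message, "Serial needs to be less than 20 bytes encoded". A positive DER INTEGER fits in 20 content octets up to 2^159 - 1, while 2^142 already needs only 18, so the check rejects serials that the message says are acceptable. If the intent is the 20-octet limit for serialNumber, I would write it as `if(serial >= (1<<159)) error(...)` with explicit parentheses; if 142 is deliberate, a comment should say why. sign_key's body continues past the end of this hunk.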
pike.git/lib/modules/Standards.pmod/X509.pmod:1263:   //! default @[Crypto.SHA256] is selected for both RSA and DSA.   //!   //! @param serial   //! Serial number of the certificate. Defaults to generating a UUID   //! version1 value with random node. Some browsers will refuse   //! different certificates from the same signer with the same serial   //! number.   //!   //! @seealso   //! @[sign_key()], @[sign_tbs()] - string make_selfsigned_certificate(Crypto.Sign c, int ttl, + string make_selfsigned_certificate(Crypto.Sign.State c, int ttl,    mapping|array name,    mapping(Identifier:Sequence)|void extensions,    void|Crypto.Hash h, void|int serial)   {    if(!serial)    serial = (int)Gmp.mpz(Standards.UUID.make_version1(-1)->encode(), 256);       Sequence dn = Certificate.build_distinguished_name(name);       void add(string name, Object data, void|int critical)
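Review bot: The default serial, `(int)Gmp.mpz(Standards.UUID.make_version1(-1)->encode(), 256)`, is a version 1 UUID, so most of its bits are timestamp-derived and only the node part is described as random. That is adequate for uniqueness, but common CA practice expects serials to carry a substantial amount of unpredictable data. The same default is repeated in make_site_certificate and make_root_certificate (hunks at :1292 and :1316), where it is used for CA-issued certificates. At minimum I would document it next to `@param serial`, e.g. `//! @note The default serial is time-based and predictable; pass a randomly generated @[serial] when issuing from a CA.` The function body continues outside this hunk.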
pike.git/lib/modules/Standards.pmod/X509.pmod:1292:    // While RFC 3280 section 4.2.1.2 suggest to only hash the BIT    // STRING part of the subjectPublicKey, it is only a suggestion.    add("subjectKeyIdentifier",    OctetString( Crypto.SHA1.hash(c->pkcs_public_key()->get_der()) ));    add("keyUsage", build_keyUsage(KU_digitalSignature|KU_keyEncipherment), 1);    add("basicConstraints", Sequence(({})), 1);       return sign_key(dn, c, c, h||Crypto.SHA256, dn, serial, ttl, extensions);   }    - string make_site_certificate(TBSCertificate ca, Crypto.Sign ca_key, -  Crypto.Sign c, int ttl, mapping|array name, + string make_site_certificate(TBSCertificate ca, Crypto.Sign.State ca_key, +  Crypto.Sign.State c, int ttl, mapping|array name,    mapping|void extensions,    void|Crypto.Hash h, void|int serial)   {    if(!serial)    serial = (int)Gmp.mpz(Standards.UUID.make_version1(-1)->encode(), 256);       Sequence dn = Certificate.build_distinguished_name(name);       void add(string name, Object data, void|int critical)    {
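Review bot: make_site_certificate has no `//!` documentation block in front of its signature, unlike make_selfsigned_certificate directly above it; make_root_certificate in the hunk at :1316 is missing one too. Since the signature is being touched anyway, I would add a block explaining that `ca` is the issuer's TBSCertificate, `ca_key` the issuer's private key used for signing, and `c` the key being certified. It should also state that the result gets keyUsage digitalSignature|keyEncipherment and an empty basicConstraints marked critical, and that `h` defaults to Crypto.SHA256. The function body continues outside this hunk.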
pike.git/lib/modules/Standards.pmod/X509.pmod:1316:    extensions[id] = make_extension(id, data, critical);    };       if(!extensions) extensions = ([]);    // FIXME: authorityKeyIdentifier    add("keyUsage", build_keyUsage(KU_digitalSignature|KU_keyEncipherment), 1);    add("basicConstraints", Sequence(({})), 1);    return sign_key(ca->subject, c, ca_key, h||Crypto.SHA256, dn, serial, ttl, extensions);   }    - string make_root_certificate(Crypto.Sign c, int ttl, -  mapping|array name, + string make_root_certificate(Crypto.Sign.State c, int ttl, mapping|array name,    mapping(Identifier:Sequence)|void extensions,    void|Crypto.Hash h, void|int serial)   {    if(!serial)    serial = (int)Gmp.mpz(Standards.UUID.make_version1(-1)->encode(), 256);       Sequence dn = Certificate.build_distinguished_name(name);       void add(string name, Object data, void|int critical)    {
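Review bot: Nothing visible in make_site_certificate checks that `ca_key` is the key certified in `ca` before calling `sign_key(ca->subject, c, ca_key, ...)`; the first lines of the function are in the hunk at :1292 and a few lines in between are not shown, so this is inferred. A mismatched pair would produce a certificate whose issuer name points at `ca` but whose signature cannot be verified against it, and the error would only show up at validation time on the relying side. I would compare `ca_key->pkcs_public_key()->get_der()` with the public key info carried in `ca` and raise an error on mismatch. The `// FIXME: authorityKeyIdentifier` is related: without that extension, chain building has only the issuer name to go on.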
pike.git/lib/modules/Standards.pmod/X509.pmod:1793:    if (!verified)    ERROR(CERT_BAD_SIGNATURE);    }    return m;      #undef ERROR   #undef FATAL   }      //! DWIM-parse the ASN.1-sequence for a private key. - Crypto.Sign parse_private_key(Sequence seq) + Crypto.Sign.State parse_private_key(Sequence seq)   {    switch(sizeof(seq)) {    case 5:    return Standards.PKCS.DSA.parse_private_key(seq);    case 9:    return Standards.PKCS.RSA.parse_private_key(seq);   #if constant(Nettle.ECC_Curve)    case 2:    // ECDSA, implicit curve. Not supported yet.    return UNDEFINED;    case 3:    case 4:    return Standards.PKCS.ECDSA.parse_private_key(seq);   #endif    }    return UNDEFINED;   }      //! DWIM-parse the DER-sequence for a private key. - variant Crypto.Sign parse_private_key(string private_key) + variant Crypto.Sign.State parse_private_key(string private_key)   {    Object seq = Standards.ASN1.Decode.simple_der_decode(private_key);    if (!seq || (seq->type_name != "SEQUENCE")) return UNDEFINED;    return parse_private_key([object(Sequence)]seq);   }
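Review bot: Both parse_private_key variants can return UNDEFINED, but their `//!` comments do not say so and the declared return type is now plain `Crypto.Sign.State`. The cases are an unrecognised element count, the 2-element implicit-curve ECDSA case, and input that does not decode to a SEQUENCE. A caller that loads a key and skips the zero check only fails later when it tries to sign, so I would document the contract: `//! @returns` followed by `//!   The key object, or @expr{UNDEFINED@} if the structure is not recognised.` Separately, the ECDSA cases here are guarded by `#if constant(Nettle.ECC_Curve)` while ECDSAVerifier (hunk at :176) uses `#if constant(Crypto.ECC.Curve)`; using one guard throughout would avoid builds where only half of the ECDSA support is compiled in.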