pike.git / lib / modules / Standards.pmod / X509.pmod


pike.git/lib/modules/Standards.pmod/X509.pmod:919:
  
   protected int(0..1) parse_basicConstraints(Object o)
   {
   // FIXME: This extension must be critical if certificate contains
   // public keys use usage is to validate signatures on
   // certificates.
  
   if( o->type_name!="SEQUENCE" )
   return 0;
   Sequence s = [object(Sequence)]o;
-  if( sizeof(s)<1 || sizeof(s)>2 || s[0]->type_name!="BOOLEAN" )
+  if( sizeof(s)==0 )
+  {
+  ext_basicConstraints = 1;
+  ext_basicConstraints_cA = 0;
+  return 1;
+  }
+  if( sizeof(s)>2 || s[0]->type_name!="BOOLEAN" )
   return 0;
- 
+ 
   if( sizeof(s)==2 )
   {
   if( s[1]->type_name!="INTEGER" || s[0]->value==0 || s[1]->value<0 )
   return 0;
   ext_basicConstraints_pathLenConstraint = s[1]->value + 1;
   // FIXME: pathLenConstraint is not permitted if keyCertSign
   // isn't set in key usage. We need to check that at a higher
   // level though.
   }
- 
+  else
+  ext_basicConstraints_pathLenConstraint = 0;
+ 
   ext_basicConstraints = 1;
   ext_basicConstraints_cA = s[0]->value;
   return 1;
   }
  
   //! Set if the certificate contains a valid authorityKeyIdentifier
   //! extension. RFC3280 4.2.1.1.
   int(0..1) ext_authorityKeyIdentifier;
  
   //! Set to the KeyIdentifier, if set in the extension.
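Review bot: The new early return for an empty SEQUENCE in parse_basicConstraints sets `ext_basicConstraints` and `ext_basicConstraints_cA` but leaves `ext_basicConstraints_pathLenConstraint` untouched, while the one-element path now resets it through the added `else`. Whether that field can still hold a value from an earlier parse is not visible here, so I would add `ext_basicConstraints_pathLenConstraint = 0;` to the empty-sequence branch so all three fields are consistent on every accepting path. Separately, a one-element sequence holding an explicit BOOLEAN FALSE is still accepted although DER omits DEFAULT values; if that leniency is deliberate, a comment such as `// Explicit cA=FALSE is not valid DER, but is tolerated on input.` would record the decision.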
pike.git/lib/modules/Standards.pmod/X509.pmod:1277:
   extensions[id] = make_extension(id, data, critical);
   };
  
   if(!extensions) extensions = ([]);
  
   // While RFC 3280 section 4.2.1.2 suggest to only hash the BIT
   // STRING part of the subjectPublicKey, it is only a suggestion.
   add("subjectKeyIdentifier",
   OctetString( Crypto.SHA1.hash(c->pkcs_public_key()->get_der()) ));
   add("keyUsage", build_keyUsage(KU_digitalSignature|KU_keyEncipherment), 1);
-  add("basicConstraints", Sequence(({Boolean(0)})), 1);
+  add("basicConstraints", Sequence(({})), 1);
  
   return sign_key(dn, c, c, h||Crypto.SHA256, dn, serial, ttl, extensions);
  }
  
  string make_site_certificate(TBSCertificate ca, Crypto.Sign ca_key,
   Crypto.Sign c, int ttl, mapping|array name,
   mapping|void extensions,
   void|Crypto.Hash h, void|int serial)
  {
   if(!serial)
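Review bot: The empty `Sequence(({}))` is added with the critical flag set, so a verifier that cannot parse the empty form will presumably reject the whole certificate rather than ignore the extension. The parser before this commit returned 0 for `sizeof(s)<1`, so certificates generated here may fail on peers still running the older module; that compatibility break deserves a line in the commit message or changelog. I would also add a comment above the call, e.g. `// Empty SEQUENCE: cA defaults to FALSE and is omitted in DER.`, so the value is not changed back later. The same applies to the identical change in the 1302 hunk; both enclosing functions start outside their hunks.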
pike.git/lib/modules/Standards.pmod/X509.pmod:1302:
   void add(string name, Object data, void|int critical)
   {
   Identifier id = Identifiers.ce_ids[name];
   if(!extensions[id])
   extensions[id] = make_extension(id, data, critical);
   };
  
   if(!extensions) extensions = ([]);
   // FIXME: authorityKeyIdentifier
   add("keyUsage", build_keyUsage(KU_digitalSignature|KU_keyEncipherment), 1);
-  add("basicConstraints", Sequence(({Boolean(0)})), 1);
+  add("basicConstraints", Sequence(({})), 1);
   return sign_key(ca->subject, c, ca_key, h||Crypto.SHA256, dn, serial, ttl, extensions);
  }
  
  string make_root_certificate(Crypto.Sign c, int ttl,
   mapping|array name,
   mapping(Identifier:Sequence)|void extensions,
   void|Crypto.Hash h, void|int serial)
  {
   if(!serial)
   serial = (int)Gmp.mpz(Standards.UUID.make_version1(-1)->encode(), 256);