pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:1399:    string cert = Standards.PEM.simple_decode(pem);    if (!cert) continue;    TBSCertificate tbs = verify_ca_certificate(cert);    if (!tbs) continue;    res[tbs->subject->get_der()] += ({ tbs->public_key });    }    }    return res;   }    - //! Decodes a certificate chain, checks the signatures. Verifies that the - //! chain is unbroken, and that all certificates are in effect - //! (time-wise.) + //! Decodes a certificate chain, oredered from leaf to root, and + //! checks the signatures. Verifies that the chain can be decoded + //! correctly, is unbroken, and that all certificates are in effect + //! (time-wise.) and allowed to sign it's child certificate.   //! -  + //! No verifications are done on the leaf certificate to determine + //! what it can and can not be used for. + //!   //! Returns a mapping with the following contents, depending   //! on the verification of the certificate chain:   //!   //! @mapping   //! @member int "error_code"   //! Error describing type of verification failurew, if   //! verification failed. May be one of the following, OR:ed   //! together: @[CERT_TOO_NEW], @[CERT_TOO_OLD],   //! @[CERT_ROOT_UNTRUSTED], @[CERT_BAD_SIGNATURE], @[CERT_INVALID]   //! or @[CERT_CHAIN_BROKEN].   //! @member int "error_cert"   //! Index number of the certificate that caused the verification failure.   //! @member int(0..1) "self_signed"   //! Non-zero if the certificate is self-signed.   //! @member int(0..1) "verified"   //! Non-zero if the certificate is verified. - //! @member string "authority" - //! @[Standards.ASN1.Sequence] of the authority RDN that verified - //! the chain. - //! @member string "cn" - //! @[Standards.ASN1.Sequence] of the common name RDN of the leaf - //! certificate. + //! @member Standards.ASN1.Sequence "authority" + //! The authority RDN that verified the chain. + //! @member Standards.ASN1.Sequence "cn" + //! The common name RDN of the leaf certificate. + //! @member array(TBSCertificate) "certificates" + //! An array with the decoded certificates, ordered from root to leaf.   //! @endmapping   //!   //! @param cert_chain   //! An array of certificates, with the relative-root last. Each   //! certificate should be a DER-encoded certificate.   //! @param authorities   //! A mapping from (DER-encoded) names to verifiers.   //! @param require_trust   //! Require that the certificate be traced to an authority, even if   //! it is self signed.
pike.git/lib/modules/Standards.pmod/X509.pmod:1468:    {    object cert = Standards.ASN1.Decode.simple_der_decode(c);    TBSCertificate tbs = decode_certificate(cert);    if(!tbs)    FATAL(CERT_INVALID);       int idx = len-idx-1;    chain_cert[idx] = cert;    chain_obj[idx] = tbs;    } +  m->certificates = chain_obj;       // Chain is now reversed so root is first and leaf is last.       int my_time = time();    foreach(chain_obj; int idx; TBSCertificate tbs)    {    array(Verifier)|Verifier verifiers;       if(idx != len-1) // Not the leaf    {
pike.git/lib/modules/Standards.pmod/X509.pmod:1501:    {    // The error was later in the chain though, so maybe a    // different error should be sent.    ERROR(CERT_EXCEEDED_PATH_LENGTH);    }    }       if( !(tbs->ext_keyUsage & keyCertSign) )    ERROR(CERT_UNAUTHORIZED_CA);    } -  else // The leaf -  { -  if( !(tbs->ext_keyUsage & digitalSignature) ) -  ERROR(CERT_UNAUTHORIZED_SIGNING); -  } +        if(idx == 0) // The root cert    {    verifiers = authorities[tbs->issuer->get_der()];       // if we don't know the issuer of the root certificate, and we    // require trust, we're done.    if(!verifiers && require_trust)    ERROR(CERT_ROOT_UNTRUSTED);