pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:9:      import Standards.ASN1.Types;   import Standards.PKCS;      #ifdef X509_DEBUG   #define DBG(X ...) werror(X)   #else   #define DBG(X ...)   #endif    + enum CertFailure + {    //! - constant CERT_TOO_OLD = 1; +  CERT_TOO_OLD = 1<<0,       //! - constant CERT_TOO_NEW = 2; +  CERT_TOO_NEW = 1<<1,       //! - constant CERT_INVALID = 3; +  CERT_INVALID = 1<<2,       //! - constant CERT_CHAIN_BROKEN = 4; +  CERT_CHAIN_BROKEN = 1<<3,       //! - constant CERT_ROOT_UNTRUSTED = 5; +  CERT_ROOT_UNTRUSTED = 1<<4,       //! - constant CERT_BAD_SIGNATURE = 6; +  CERT_BAD_SIGNATURE = 1<<5,    - // A CA certificate does not have the CA basic constraint. - constant CERT_UNAUTHORIZED_CA = 7; +  //! A CA certificate is not allowed by basic constraints to sign +  //! another certificate. +  CERT_UNAUTHORIZED_CA = 1<<6, + }         // Bit 0 is the first bit in the BitString.   protected enum keyUsage {    digitalSignature = 1<<0,    nonRepudiation = 1<<1,    keyEncipherment = 1<<2,    dataEncipherment = 1<<3,    keyAgreement = 1<<4,    keyCertSign = 1<<5,
pike.git/lib/modules/Standards.pmod/X509.pmod:1396:      //! Decodes a certificate chain, checks the signatures. Verifies that the   //! chain is unbroken, and that all certificates are in effect   //! (time-wise.)   //!   //! Returns a mapping with the following contents, depending   //! on the verification of the certificate chain:   //!   //! @mapping   //! @member int "error_code" - //! Error describing type of verification failure, if verification failed. - //! May be one of the following: @[CERT_TOO_NEW], @[CERT_TOO_OLD], - //! @[CERT_ROOT_UNTRUSTED], @[CERT_BAD_SIGNATURE], @[CERT_INVALID] - //! or @[CERT_CHAIN_BROKEN] + //! Error describing type of verification failurew, if + //! verification failed. May be one of the following, OR:ed + //! together: @[CERT_TOO_NEW], @[CERT_TOO_OLD], + //! @[CERT_ROOT_UNTRUSTED], @[CERT_BAD_SIGNATURE], @[CERT_INVALID] + //! or @[CERT_CHAIN_BROKEN].   //! @member int "error_cert"   //! Index number of the certificate that caused the verification failure.   //! @member int(0..1) "self_signed"   //! Non-zero if the certificate is self-signed.   //! @member int(0..1) "verified"   //! Non-zero if the certificate is verified.   //! @member string "authority"   //! @[Standards.ASN1.Sequence] of the authority RDN that verified   //! the chain.   //! @member string "cn"
pike.git/lib/modules/Standards.pmod/X509.pmod:1430:   //! Require that the certificate be traced to an authority, even if   //! it is self signed.   //!   //! See @[Standards.PKCS.Certificate.get_dn_string] for converting the   //! RDN to an X500 style string.   mapping verify_certificate_chain(array(string) cert_chain,    mapping(string:Verifier|array(Verifier)) authorities,    int|void require_trust)   {    mapping m = ([ ]); +    #define ERROR(X) do { \    DBG("Error " #X "\n"); \ -  m->verified=0; m->error_code=(X); m->error_cert=idx; \ -  return m; \ +  m->verified=0; m->error_code|=(X); m->error_cert=idx; \    } while(0) -  + #define FATAL(X) do { ERROR(X); return m; } while(0)       // Decode all certificates in the chain. Leaf is first and root is    // last.       int len = sizeof(cert_chain);    array chain_obj = allocate(len);    array chain_cert = allocate(len);       foreach(cert_chain; int idx; string c)    {    object cert = Standards.ASN1.Decode.simple_der_decode(c);    TBSCertificate tbs = decode_certificate(cert);    if(!tbs) -  ERROR(CERT_INVALID); +  FATAL(CERT_INVALID);       int idx = len-idx-1;    chain_cert[idx] = cert;    chain_obj[idx] = tbs;    }       // Chain is now reversed so root is first and leaf is last.       int my_time = time();    foreach(chain_obj; int idx; TBSCertificate tbs)
pike.git/lib/modules/Standards.pmod/X509.pmod:1556:    if(idx == sizeof(chain_cert)-1) m->cn = tbs->subject;    break;    }    }    if (!verified)    ERROR(CERT_BAD_SIGNATURE);    }    return m;      #undef ERROR + #undef FATAL   }