pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:45:       //! The certificate chain is longer than allowed by a certificate in    //! the chain.    CERT_EXCEEDED_PATH_LENGTH = 1<<8,   }         // Bit 0 is the first bit in the BitString.   enum keyUsage {    KU_digitalSignature = 1<<0, -  KU_nonRepudiation = 1<<1, +  KU_nonRepudiation = 1<<1, // contentCommitment    KU_keyEncipherment = 1<<2,    KU_dataEncipherment = 1<<3,    KU_keyAgreement = 1<<4,    KU_keyCertSign = 1<<5,    KU_cRLSign = 1<<6,    KU_encipherOnly = 1<<7,    KU_decipherOnly = 1<<8,    KU_last_keyUsage = 1<<9, // end marker   };   
pike.git/lib/modules/Standards.pmod/X509.pmod:1236:   //! @[ext] as the extension payload. If the @[critical] flag is set   //! the extension will be marked as critical.   Sequence make_extension(Identifier id, Object ext, void|int critical)   {    array seq = ({ id });    if( critical )    seq += ({ Boolean(1) });    return Sequence( seq+({ OctetString(ext->get_der()) }) );   }    + int make_key_usage_flags(Crypto.Sign.State c) + { +  int flags = KU_digitalSignature|KU_keyEncipherment; +  +  // ECDSA certificates can be used for ECDH exchanges, which requires +  // keyAgreement. Potentially we should make a nicer API than name +  // prefix. +  if( has_prefix(c->name(), "ECDSA") ) +  flags |= KU_keyAgreement; +  +  return flags; + } +    //! Creates a selfsigned certificate, i.e. where issuer and subject   //! are the same entity. This entity is derived from the list of pairs   //! in @[name], which is encoded into an distinguished_name by   //! @[Standards.PKCS.Certificate.build_distinguished_name].   //!   //! @param c   //! The public key cipher used for the certificate, @[Crypto.RSA],   //! @[Crypto.DSA] or @[Crypto.ECC.Curve.ECDSA]. The object should be   //! initialized with both public and private keys.   //!
pike.git/lib/modules/Standards.pmod/X509.pmod:1295:    if(!extensions[id])    extensions[id] = make_extension(id, data, critical);    };       if(!extensions) extensions = ([]);       // While RFC 3280 section 4.2.1.2 suggest to only hash the BIT    // STRING part of the subjectPublicKey, it is only a suggestion.    add("subjectKeyIdentifier",    OctetString( Crypto.SHA1.hash(c->pkcs_public_key()->get_der()) )); -  add("keyUsage", build_keyUsage(KU_digitalSignature|KU_keyEncipherment), 1); +  +  add("keyUsage", build_keyUsage(make_key_usage_flags(c)), 1); +     add("basicConstraints", Sequence(({})), 1);       return sign_key(dn, c, c, h||Crypto.SHA256, dn, serial, ttl, extensions);   }      string make_site_certificate(TBSCertificate ca, Crypto.Sign.State ca_key,    Crypto.Sign.State c, int ttl, mapping|array name,    mapping|void extensions,    void|Crypto.Hash h, void|int serial)   {
pike.git/lib/modules/Standards.pmod/X509.pmod:1320:       void add(string name, Object data, void|int critical)    {    Identifier id = Identifiers.ce_ids[name];    if(!extensions[id])    extensions[id] = make_extension(id, data, critical);    };       if(!extensions) extensions = ([]);    // FIXME: authorityKeyIdentifier -  add("keyUsage", build_keyUsage(KU_digitalSignature|KU_keyEncipherment), 1); +  add("keyUsage", build_keyUsage(make_key_usage_flags(c)), 1); +     add("basicConstraints", Sequence(({})), 1);    return sign_key(ca->subject, c, ca_key, h||Crypto.SHA256, dn, serial, ttl, extensions);   }      string make_root_certificate(Crypto.Sign.State c, int ttl, mapping|array name,    mapping(Identifier:Sequence)|void extensions,    void|Crypto.Hash h, void|int serial)   {    if(!serial)    serial = (int)Gmp.mpz(Standards.UUID.make_version1(-1)->encode(), 256);