pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:861:    //       //! Set if the certificate contains a valid basicConstraints    //! extension. RFC3280 4.2.1.10.    int(0..1) ext_basicConstraints;       //! If set, the certificate may be used as a CA certificate, i.e.    //! sign other certificates.    int(0..1) ext_basicConstraints_cA;    -  //! The maximum number of intermediate certificates that may follow -  //! this certificate in a certificate chain. @exp{-1@} in case no -  //! limit is imposed. -  int ext_basicConstraints_pathLenConstraint = -1; +  //! The maximum number of certificates that may follow this +  //! certificate in a certificate chain. @exp{0@} in case no limit is +  //! imposed. Note that this variable is off by one compared to the +  //! RFC 3280 definition, which only counts intermediate certificates +  //! (i.e. 0 intermediates means this variable would be 1, as in one +  //! following certificate). +  int ext_basicConstraints_pathLenConstraint;       protected int(0..1) parse_basicConstraints(Object o)    {    // FIXME: This extension must be critical if certificate contains    // public keys use usage is to validate signatures on    // certificates.       if( o->type_name!="SEQUENCE" )    return 0;    Sequence s = [object(Sequence)]o;    if( sizeof(s)<1 || sizeof(s)>2 || s[0]->type_name!="BOOLEAN" )    return 0;    if( sizeof(s)==2 )    {    if( s[1]->type_name!="INTEGER" || s[0]->value==0 || s[1]->value<0 )    return 0; -  ext_basicConstraints_pathLenConstraint = s[1]->value; +  ext_basicConstraints_pathLenConstraint = s[1]->value + 1;    // FIXME: pathLenConstraint is not permitted if keyCertSign    // isn't set in key usage.    }    ext_basicConstraints = 1;    ext_basicConstraints_cA = s[0]->value;    return 1;    }       //! Set if the certificate contains a valid authorityKeyIdentifier    //! extension. RFC3280 4.2.1.1.
pike.git/lib/modules/Standards.pmod/X509.pmod:1484:    {    // id-ce-basicConstraints is required for certificates with    // public key used to validate certificate signatures.       if( !tbs->ext_basicConstraints )    ERROR(CERT_INVALID);       if( !tbs->ext_basicConstraints_cA )    ERROR(CERT_UNAUTHORIZED_CA);    -  if( tbs->ext_basicConstraints_pathLenConstraint!=-1 ) +  if( tbs->ext_basicConstraints_pathLenConstraint )    { -  // pathLenConstraint is the maximum number of intermediate -  // certificates. len-1-idx is the number of following -  // certificates. Subtract one more to not count the leaf -  // certificate. -  if( len-1-idx-1 > tbs->ext_basicConstraints_pathLenConstraint ) +  // len-1-idx is the number of following certificates. +  if( len-1-idx > tbs->ext_basicConstraints_pathLenConstraint )    {    // The error was later in the chain though, so maybe a    // different error should be sent.    ERROR(CERT_EXCEEDED_PATH_LENGTH);    }    }       if( !(tbs->ext_keyUsage & keyCertSign) )    ERROR(CERT_UNAUTHORIZED_CA);    }