pike.git / lib / modules / Standards.pmod / X509.pmod


pike.git/lib/modules/Standards.pmod/X509.pmod:1567:    // Ubuntu Precise (12.04), OpenSSL 1.0.1       "/etc/pki/tls/certs",    // Redhat Enterprise 6, OpenSSL 1.0.0    // Redhat Fedora Core 4, OpenSSL 0.9.7    // Redhat Fedora Core 5 / 6, OpenSSL 0.9.8       "/System/Library/OpenSSL/certs",    // Mac OS X 10.1.2, OpenSSL 0.9.6b    +  "/Library/Keychains", +  // Mac OS X. +  +  "/System/Library/Keychains", +  // Mac OS X 11.4.2 +     "/etc/openssl/certs",    // NetBSD, OpenSSL 0.9.x       // From this point on the operation systems start getting    // a bit old.       "/usr/share/ssl/certs",    // Centos 3 / 4, OpenSSL 0.9.7    // Redhat 6.2 / 7.x / 8.0 / 9, OpenSSL 0.9.6    // Redhat Enterprise 3 / 4, OpenSSL 0.9.7
pike.git/lib/modules/Standards.pmod/X509.pmod:1605:       "/opt/local/ssl/certs",    // Common alternative to /usr/local/.    });    if (!arrayp(root_cert_dirs)) {    root_cert_dirs = ({ root_cert_dirs });    }    mapping(string:array(Verifier)) res = ([]);       foreach(root_cert_dirs, string dir) { +  if (!Stdio.is_dir(dir)) continue; +  +  // Try the merged certificate file first.    string pem = Stdio.read_bytes(combine_path(dir, "ca-certificates.crt"));    if (pem) {    Standards.PEM.Messages messages = Standards.PEM.Messages(pem);    foreach(messages->fragments, string|Standards.PEM.Message m) {    if (!objectp(m) || m->pre!="CERTIFICATE" || !m->body) continue;    TBSCertificate tbs = verify_ca_certificate(m->body);    if (!tbs) continue;    string subj = tbs->subject->get_der();    if( !res[subj] || !has_value(res[subj], tbs->public_key ) )    res[subj] += ({ tbs->public_key });    }    continue;    } -  +  +  // Then try the Apple KeyChain files. +  int found; +  foreach(({ "X509Anchors", "X509Certificates" }), string fname) { +  string keychain = Stdio.read_bytes(combine_path(dir, fname)); +  if (keychain) { +  Apple.Keychain chain = Apple.Keychain(keychain); +  foreach(chain->certs, TBSCertificate tbs) { +  string subj = tbs->subject->get_der(); +  if( !res[subj] || !has_value(res[subj], tbs->public_key ) ) +  res[subj] += ({ tbs->public_key }); +  } +  found = 1; +  } +  } +  if (found) continue; +  +  // Fall back to trying every file.    foreach(get_dir(dir) || ({}), string fname) {    if (has_suffix(fname, ".0")) {    // Skip OpenSSL hash files for now (as they are duplicates).    continue;    }    fname = combine_path(dir, fname);    if (!Stdio.is_file(fname)) continue;    pem = Stdio.read_bytes(fname);    if (!pem) continue;    string cert = Standards.PEM.simple_decode(pem);
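Review bot: The new keychain branch adds every entry of `chain->certs` to `res` as a trust anchor without the `verify_ca_certificate()` check that the `ca-certificates.crt` branch applies to each PEM body, so unless `Apple.Keychain` already performs that check (not visible in this hunk), any certificate stored in those files becomes a root. This matters most for `X509Certificates`, which on Mac OS X traditionally holds intermediate certificates rather than anchors (worth confirming). I would either load only `X509Anchors` or pass each entry through the same CA check before `res[subj] += ({ tbs->public_key });`. A comment above the loop such as `// Keychain entries are trusted as roots; they must pass the same CA check as PEM roots.` would document the intent. The enclosing function starts and ends outside the hunk.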