pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:1375:    add("basicConstraints", Sequence(({Boolean(1)})), 1);       return sign_key(dn, c, c, h||Crypto.SHA256, dn, serial, ttl, extensions);   }      //! Decodes a certificate and verifies that it is structually sound.   //! Returns a @[TBSCertificate] object if ok, otherwise @expr{0@}.   TBSCertificate decode_certificate(string|.PKCS.Signature.Signed cert)   {    if (stringp (cert)) -  cert = Standards.PKCS.Signature.decode_signed(cert, x509_types); +  cert = .PKCS.Signature.decode_signed(cert, x509_types);    -  if (!cert -  || (cert->tbs->type_name != "SEQUENCE") -  || (cert->algorithm->type_name != "SEQUENCE") -  || (!sizeof(cert->algorithm)) -  || (cert->algorithm[0]->type_name != "OBJECT IDENTIFIER") -  || (cert->signature->type_name != "BIT STRING") -  || cert->signature->unused) -  return NULL("Certificate has the wrong ASN.1 structure.\n"); -  +     TBSCertificate tbs = TBSCertificate()->init(cert[0]);       // FIXME: The re-encoding and algorithm checks are more appropriate    // in verify_certificate, but the full certificate doesn't reach    // there.    if (!tbs)    return NULL("Failed to generate TBSCertificate.\n");    -  if(tbs->algorithm->get_der() != cert->algorithm->get_der()) -  return NULL("Mismatching algorithm identifiers.\n"); -  +     return tbs;   }      //! Decodes a certificate, checks the signature. Returns the   //! TBSCertificate structure, or 0 if decoding or verification failes.   //! The valid time range for the certificate is not checked.   //!   //! Authorities is a mapping from (DER-encoded) names to a verifiers.   //!   //! @note   //! This function allows self-signed certificates, and it doesn't   //! check that names or extensions make sense.   TBSCertificate verify_certificate(string s,    mapping(string:Verifier|array(Verifier)) authorities)   { -  object cert = Standards.ASN1.Decode.secure_der_decode(s); +  .PKCS.Signature.Signed cert = .PKCS.Signature.decode_signed(s, x509_types);       TBSCertificate tbs = decode_certificate(cert);    if (!tbs) return 0;    -  +  if(tbs->algorithm->get_der() != cert->algorithm->get_der()) +  return NULL("Mismatching algorithm identifiers.\n"); +     array(Verifier)|Verifier verifiers;       if (tbs->issuer->get_der() == tbs->subject->get_der())    {    DBG("Self signed certificate: %O\n", tbs->public_key);    verifiers = ({ tbs->public_key });    }    else {    verifiers = authorities[tbs->issuer->get_der()];    if (objectp(verifiers)) verifiers = ({ verifiers });