pike.git / lib / modules / Standards.pmod / X509.pmod


pike.git/lib/modules/Standards.pmod/X509.pmod:1684:    }    m->certificates = chain_obj;       // Chain is now reversed so root is first and leaf is last.       int my_time = time();    foreach(chain_obj; int idx; TBSCertificate tbs)    {    array(Verifier)|Verifier verifiers;    +  // Check not_before. We want the current time to be later. +  if(my_time < tbs->not_before) +  ERROR(CERT_TOO_NEW); +  +  // Check not_after. We want the current time to be earlier. +  if(my_time > tbs->not_after) +  ERROR(CERT_TOO_OLD); +     if(idx != len-1) // Not the leaf    {    // id-ce-basicConstraints is required for certificates with    // public key used to validate certificate signatures.       if( !tbs->ext_basicConstraints )    ERROR(CERT_INVALID);       if( !tbs->ext_basicConstraints_cA )    ERROR(CERT_UNAUTHORIZED_CA);
pike.git/lib/modules/Standards.pmod/X509.pmod:1736:    if(!verifiers)    verifiers = ({ tbs->public_key });    }       if (objectp(verifiers))    verifiers = ({ verifiers });    }       else // otherwise, we make sure the chain is unbroken.    { -  // Check not_before. We want the current time to be later. -  if(my_time < tbs->not_before) -  ERROR(CERT_TOO_NEW); -  -  // Check not_after. We want the current time to be earlier. -  if(my_time > tbs->not_after) -  ERROR(CERT_TOO_OLD); -  +     // is the issuer of this certificate the subject of the previous    // (more rootward) certificate?    if(tbs->issuer->get_der() != chain_obj[idx-1]->subject->get_der())    ERROR(CERT_CHAIN_BROKEN);       // the verifier for this certificate should be the public key of    // the previous certificate in the chain.    verifiers = ({ chain_obj[idx-1]->public_key });    }
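Review bot: Nothing at the hoisted check (hunk at 1684) records that not_before/not_after are now enforced for the first certificate (idx 0) as well as the rest of the chain; the two comments it carries were moved unchanged from the non-root branch. A line such as `// Validity period applies to every certificate in the chain, root included.` above the not_before test would state the intent. The check now runs before the basicConstraints and issuer tests, so if ERROR returns immediately (the macro is outside the hunk, so this is inferred) a certificate that is both expired and otherwise invalid is reported only by its time error; that precedence is worth noting where the error codes are documented. Only the TBSCertificate objects in chain_obj are covered, so when the first certificate's verifiers come from somewhere other than `tbs->public_key`, the validity period of that trusted issuer does not appear to be checked here. The loop body starts and ends outside both hunks.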