pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:67:    constant cls = 2;    constant tag = 2;   }      protected {    MetaExplicit extension_sequence = MetaExplicit(2, 3);    MetaExplicit version_integer = MetaExplicit(2, 0);       mapping algorithms = ([   #if constant(Crypto.MD2) -  Identifiers.rsa_md2_id->get_der() : Crypto.MD2, +  Identifiers.rsa_md2_id : Crypto.MD2,   #endif -  Identifiers.rsa_md5_id->get_der() : Crypto.MD5, -  Identifiers.rsa_sha1_id->get_der() : Crypto.SHA1, -  Identifiers.rsa_sha256_id->get_der() : Crypto.SHA256, +  Identifiers.rsa_md5_id : Crypto.MD5, +  Identifiers.rsa_sha1_id : Crypto.SHA1, +  Identifiers.rsa_sha256_id : Crypto.SHA256,   #if constant(Crypto.SHA384) -  Identifiers.rsa_sha384_id->get_der() : Crypto.SHA384, +  Identifiers.rsa_sha384_id : Crypto.SHA384,   #endif   #if constant(Crypto.SHA512) -  Identifiers.rsa_sha512_id->get_der() : Crypto.SHA512, +  Identifiers.rsa_sha512_id : Crypto.SHA512,   #endif    -  Identifiers.dsa_sha_id->get_der() : Crypto.SHA1, +  Identifiers.dsa_sha_id : Crypto.SHA1,   #if constant(Crypto.SHA224) -  Identifiers.dsa_sha224_id->get_der() : Crypto.SHA224, +  Identifiers.dsa_sha224_id : Crypto.SHA224,   #endif -  Identifiers.dsa_sha256_id->get_der() : Crypto.SHA256, +  Identifiers.dsa_sha256_id : Crypto.SHA256,    -  Identifiers.ecdsa_sha1_id->get_der() : Crypto.SHA1, +  Identifiers.ecdsa_sha1_id : Crypto.SHA1,   #if constant(Crypto.SHA224) -  Identifiers.ecdsa_sha224_id->get_der() : Crypto.SHA224, +  Identifiers.ecdsa_sha224_id : Crypto.SHA224,   #endif -  Identifiers.ecdsa_sha256_id->get_der() : Crypto.SHA256, +  Identifiers.ecdsa_sha256_id : Crypto.SHA256,   #if constant(Crypto.SHA384) -  Identifiers.ecdsa_sha384_id->get_der() : Crypto.SHA384, +  Identifiers.ecdsa_sha384_id : Crypto.SHA384,   #endif   #if constant(Crypto.SHA512) -  Identifiers.ecdsa_sha512_id->get_der() : Crypto.SHA512, +  Identifiers.ecdsa_sha512_id : Crypto.SHA512,   #endif    ]);   }      class Verifier {    constant type = "none";    Crypto.Sign pkc;    optional __deprecated__(Crypto.RSA) rsa;    optional __deprecated__(Crypto.DSA) dsa;       //! Verifies the @[signature] of the certificate @[msg] using the    //! indicated hash @[algorithm].    int(0..1) verify(Sequence algorithm, string msg, string signature)    {    DBG("Verify hash %O\n", algorithm[0]); -  Crypto.Hash hash = algorithms[algorithm[0]->get_der()]; +  Crypto.Hash hash = algorithms[algorithm[0]];    if (!hash) return 0;    return pkc && pkc->pkcs_verify(msg, hash, signature);    }       protected string _sprintf(int t)    {    return t=='O' && sprintf("%O(%O)", this_program, pkc);    }   }   
pike.git/lib/modules/Standards.pmod/X509.pmod:152:       __deprecated__ Crypto.DSA `dsa() { return [object(Crypto.DSA)]pkc; }   }      #if constant(Crypto.ECC.Curve)   protected class ECDSAVerifier   {    inherit Verifier;    constant type = "ecdsa";    -  protected void create(string(8bit) key, string(8bit) curve_der) +  protected void create(string(8bit) key, Identifier curve_id)    {    Crypto.ECC.Curve curve;    foreach(values(Crypto.ECC), mixed c) {    if (objectp(c) && c->pkcs_named_curve_id && -  (c->pkcs_named_curve_id()->get_der() == curve_der)) { +  (c->pkcs_named_curve_id() == curve_id)) {    curve = [object(Crypto.ECC.Curve)]c;    break;    }    } -  DBG("ECC Curve: %O (DER: %O)\n", curve, curve_der); +  DBG("ECC Curve: %O (%O)\n", curve, curve_id);    pkc = curve->ECDSA()->set_public_key(key);    }   }   #endif      protected Verifier make_verifier(Object _keyinfo)   {    if( _keyinfo->type_name != "SEQUENCE" )    return 0;    Sequence keyinfo = [object(Sequence)]_keyinfo;
pike.git/lib/modules/Standards.pmod/X509.pmod:213:    return DSAVerifier(str->value, params[0]->value,    params[1]->value, params[2]->value);    }      #if constant(Crypto.ECC.Curve)    if(seq[0]->get_der() == Identifiers.ec_id->get_der())    {    if( sizeof(seq)!=2 || seq[1]->type_name!="OBJECT IDENTIFIER" )    return 0;    -  Sequence params = seq[1]; -  return ECDSAVerifier(str->value, params->get_der()); +  Identifier params = seq[1]; +  return ECDSAVerifier(str->value, params);    }   #endif       DBG("make_verifier: Unknown algorithm identifier: %O\n", seq[0]);   }      protected mapping(int:program(Object)) x509_types = ([    make_combined_tag(2, 1):IssuerId,    make_combined_tag(2, 2):SubjectId,    ]);
pike.git/lib/modules/Standards.pmod/X509.pmod:393:    {    Sequence subj = low_get(4);    mapping ids = ([]);    foreach(subj->elements, Compound pair)    {    if(pair->type_name!="SET" || !sizeof(pair)) continue;    pair = pair[0];    if(pair->type_name!="SEQUENCE" || sizeof(pair)!=2)    continue;    if(pair[0]->type_name=="OBJECT IDENTIFIER" && -  pair[1]->value && !ids[pair[0]->get_der()]) -  ids[pair[0]->get_der()] = pair[1]->value; +  pair[1]->value && !ids[pair[0]]) +  ids[pair[0]] = pair[1]->value;    }    -  string res = ids[.PKCS.Identifiers.at_ids->commonName->get_der()] || -  ids[.PKCS.Identifiers.at_ids->organizationName->get_der()] || -  ids[.PKCS.Identifiers.at_ids->organizationUnitName->get_der()]; +  string res = ids[.PKCS.Identifiers.at_ids.commonName] || +  ids[.PKCS.Identifiers.at_ids.organizationName] || +  ids[.PKCS.Identifiers.at_ids.organizationUnitName];       return res;    }       protected Verifier internal_public_key;       //!    void `keyinfo=(Sequence ki)    {    internal_public_key = make_verifier(ki);
pike.git/lib/modules/Standards.pmod/X509.pmod:515:    //! The raw ASN.1 objects from which @[extensions] and @[critical]    //! have been generated.    //!    //! @note    //! optional    void `raw_extensions=(Sequence r)    {    internal_der = UNDEFINED;    internal_extensions = ([]);    internal_critical = (<>); -  mapping(string:Object) extensions = ([]); +  mapping(Identifier:Object) extensions = ([]);    multiset critical = (<>);       if (!r) {    if (!extensions_pos) return;    elements = elements[..extensions_pos-1];    extensions_pos = 0;    return;    }       foreach(r->elements, Object _ext)
pike.git/lib/modules/Standards.pmod/X509.pmod:541:    return 0;    }    Sequence ext = [object(Sequence)]_ext;    if( ext[0]->type_name != "OBJECT IDENTIFIER" ||    ext[-1]->type_name != "OCTET STRING" )    {    DBG("TBSCertificate: Bad extensions structure.\n");    return 0;    }    DBG("TBSCertificate: extension: %O\n", ext[0]); -  string id = ext[0]->get_der(); +  Identifier id = ext[0];       if( extensions[id] )    {    DBG("TBSCertificate: extension %O sent twice.\n");    return 0;    }       extensions[ id ] =    Standards.ASN1.Decode.simple_der_decode(ext->elements[-1]->value);    if(sizeof(ext)==3)
pike.git/lib/modules/Standards.pmod/X509.pmod:577:    internal_critical = critical;    }    Sequence `raw_extensions()    {    if (extensions_pos) return elements[extensions_pos][0];    return UNDEFINED;    }       //! @note    //! optional -  protected mapping(string:Object) internal_extensions = ([]); -  mapping(string:Object) `extensions() +  protected mapping(Identifier:Object) internal_extensions = ([]); +  mapping(Identifier:Object) `extensions()    {    return internal_extensions;    }       //! @note    //! optional    protected multiset internal_critical = (<>);    multiset `critical()    {    return internal_critical;
pike.git/lib/modules/Standards.pmod/X509.pmod:1074:    return 0;   }      //! Verifies that all extensions mandated for certificate signing   //! certificates are present and valid.   TBSCertificate verify_ca_certificate(string|TBSCertificate tbs)   {    if(stringp(tbs)) tbs = decode_certificate(tbs);    if(!tbs) return 0;    -  multiset crit = tbs->critical + (<>); +  array crit = indices(tbs->critical);    int self_signed = (tbs->issuer->get_der() == tbs->subject->get_der());    -  Object lookup(string id) +  Object lookup(Identifier id)    { -  id = Identifiers.ce_ids[id]->get_der(); -  crit[id]=0; +  crit -= ({id});    return tbs->extensions[id];    };       // FIXME: Move extension parsing into tbs.       // id-ce-basicConstraints is required for certificates with public    // key used to validate certificate signatures. RFC 3280, 4.2.1.10. -  Object c = lookup("basicConstraints"); +  Object c = lookup(.PKCS.Identifiers.ce_ids.basicConstraints);    if( !c || c->type_name!="SEQUENCE" || sizeof(c)<1 || sizeof(c)>2 ||    c[0]->type_name!="BOOLEAN" ||    !c[0]->value )    {    DBG("verify ca: Bad or missing id-ce-basicConstraints.\n");    return 0;    }    Sequence s = [object(Sequence)]c;    if( sizeof(s)==2 && s[1]->type_name!="INTEGER" )    {    DBG("verify ca: id-ce-basicConstraints has incorrect pathLenConstraint.\n");    return 0;    }       // id-ce-authorityKeyIdentifier is required by RFC 5759, unless self    // signed. Defined in RFC 3280 4.2.1.1, but there only as    // recommended. -  if( !lookup("authorityKeyIdentifier") && !self_signed ) +  if( !lookup(.PKCS.Identifiers.ce_ids.authorityKeyIdentifier) && !self_signed )    {    DBG("verify ca: Missing id-ce-authorityKeyIdentifier.\n");    return 0;    }       // id-ce-keyUsage is required. RFC 3280 4.2.1.3 -  c = lookup("keyUsage"); +  c = lookup(.PKCS.Identifiers.ce_ids.keyUsage);    if( !c || c->type_name!="BIT STRING" )    {    DBG("verify ca: Missing id-ce-keyUsage.\n");    return 0;    }    keyUsage usage = c->value[0]; // Arguably API violation.    if( !( usage & keyCertSign ) ) // RFC 5759    {    DBG("verify ca: id-ce-keyUsage doesn't allow keyCertSign.\n");    return 0;
pike.git/lib/modules/Standards.pmod/X509.pmod:1139:    return 0;    }       // FIXME: In addition RFC 5759 requires policyMappings,    // policyConstraints and inhibitAnyPolicy to be processed in    // accordance with RFC 5280.       // One or more critical extensions have not been processed.    if( sizeof(crit) )    { - #ifdef X509_DEBUG -  foreach(.PKCS.Identifiers.ce_ids; string n; Object o) -  if( crit[o->get_der()] ) -  { -  crit[o->get_der()]=0; -  crit[n] = 1; -  } - #endif +     DBG("verify ca: Critical unknown extensions %O.\n", crit);    return 0;    }       return tbs;   }      //! Convenience function for loading known root certificates.   //!   //! @param root_cert_dirs
pike.git/lib/modules/Standards.pmod/X509.pmod:1353:       // Chain is now reversed so root is first and leaf is last.       int my_time = time();    foreach(chain_obj; int idx; TBSCertificate tbs)    {    array(Verifier)|Verifier verifiers;       if(idx != len-1) // Not the leaf    { -  Object o = tbs->extensions[ Identifiers.ce_ids["basicConstraints"]->get_der() ]; +  Object o = tbs->extensions[ Identifiers.ce_ids.basicConstraints ];       // id-ce-basicConstraints is required for certificates with    // public key used to validate certificate signatures. RFC 3280,    // 4.2.1.10.    if( !o || o->type_name!="SEQUENCE" )    ERROR(CERT_INVALID);    Sequence s = [object(Sequence)]o;    if( sizeof(o)<1 || sizeof(o)>2 ||    s[0]->type_name!="BOOLEAN" )    ERROR(CERT_INVALID);