pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:33:   constant CERT_ROOT_UNTRUSTED = 5;      //!   constant CERT_BAD_SIGNATURE = 6;      #if 0   // A CA certificate does not have the CA basic constraint.   constant CERT_UNAUTHORIZED_CA = 7;   #endif    + //! Unique identifier for the certificate issuer. + //! + //! X.509v2 (deprecated). + class IssuerId { +  inherit BitString; +  constant cls = 2; +  constant tag = 1; + } +  + //! Unique identifier for the certificate subject. + //! + //! X.509v2 (deprecated). + class SubjectId { +  inherit BitString; +  constant cls = 2; +  constant tag = 2; + } +    protected {    MetaExplicit extension_sequence = MetaExplicit(2, 3);    MetaExplicit version_integer = MetaExplicit(2, 0);       mapping algorithms = ([   #if constant(Crypto.MD2)    Identifiers.rsa_md2_id->get_der() : Crypto.MD2,   #endif    Identifiers.rsa_md5_id->get_der() : Crypto.MD5,    Identifiers.rsa_sha1_id->get_der() : Crypto.SHA1,
pike.git/lib/modules/Standards.pmod/X509.pmod:194: Inside #if constant(Crypto.ECC.Curve)
   return 0;       Sequence params = seq[1];    return ECDSAVerifier(str->value, params->get_der());    }   #endif       DBG("make_verifier: Unknown algorithm identifier: %O\n", seq[0]);   }    + protected mapping(int:program(Object)) x509_types = ([ +  make_combined_tag(2, 1):IssuerId, +  make_combined_tag(2, 2):SubjectId, +  ]); +    //! Represents a TBSCertificate.   //!   //! @note   //! Was not compatible with @[Standards.ASN1.Types.Sequence]   //! Prior to Pike 8.0.   class TBSCertificate   {    inherit Sequence;       protected string internal_der;       //!    void `der=(string asn1)    {    internal_der = UNDEFINED; -  if (init(Standards.ASN1.Decode.simple_der_decode(asn1))) { +  if (init(Standards.ASN1.Decode.simple_der_decode(asn1, x509_types))) {    internal_der = asn1;    }    }    string `der()    {    if (internal_der) return internal_der;    return internal_der = der_encode();    }       //!
pike.git/lib/modules/Standards.pmod/X509.pmod:381:    }       /* Optional */       protected int issuer_pos;    protected int subject_pos;    protected int extensions_pos;       //! @note    //! optional -  void `issuer_id=(BitString i) +  void `issuer_id=(IssuerId|BitString i)    {    internal_der = UNDEFINED;    if (!i) {    if (!issuer_pos) return;    elements = elements[..6] + elements[8..];    issuer_pos = 0;    if (subject_pos) subject_pos--;    if (extensions_pos) extensions_pos--;    return;    } -  TaggedType1 tti = TaggedType1(i); +  if (i->cls != 2) { +  // Convert BitString to IssuerId. +  i = IssuerId(i->value); +  } else if (i->raw) { +  // Convert Primitive to IssuerId. +  (i = IssuerId())->decode_primitive(a[i]->raw); +  }    if (!issuer_pos) {    if (version < 2) version = 2;    issuer_pos = 7; -  elements = elements[..6] + ({ tti }) + elements[7..]; +  elements = elements[..6] + ({ i }) + elements[7..];    if (subject_pos) subject_pos++;    if (extensions_pos) extensions_pos++;    return;    } -  elements[issuer_pos] = tti; +  elements[issuer_pos] = i;    } -  BitString `issuer_id() +  IssuerId `issuer_id()    { -  if (issuer_pos) return elements[issuer_pos][0]; +  if (issuer_pos) return elements[issuer_pos];    return UNDEFINED;    }       //! @note    //! optional -  void `subject_id=(BitString s) +  void `subject_id=(SubjectId|BitString s)    {    internal_der = UNDEFINED;    if (!s) {    if (!subject_pos) return;    elements = elements[..subject_pos -1] + elements[subject_pos+1..];    subject_pos = 0;    if (extensions_pos) extensions_pos--;    return;    } -  TaggedType2 tts = TaggedType2(s); +  if (s->cls != 2) { +  // Convert BitString to SubjectId. +  s = SubjectId()->decode_primitive(s->raw); +  } else if (i->raw) { +  // Convert Primitive to SubjectId. +  (s = SubjectId())->decode_primitive(a[i]->raw); +  }    if (!subject_pos) {    if (version < 2) version = 2;    subject_pos = (issuer_pos || 6) + 1; -  elements = elements[..subject_pos-1] + ({ tts }) + +  elements = elements[..subject_pos-1] + ({ s }) +    elements[subject_pos..];    if (extensions_pos) extensions_pos++;    return;    } -  elements[subject_pos] = tts; +  elements[subject_pos] = s;    } -  BitString `subject_id() +  SubjectId `subject_id()    { -  if (subject_pos) return elements[subject_pos][0]; +  if (subject_pos) return elements[subject_pos];    return UNDEFINED;    }       //! The raw ASN.1 objects from which @[extensions] and @[critical]    //! have been generated.    //!    //! @note    //! optional    void `raw_extensions=(Sequence r)    {
pike.git/lib/modules/Standards.pmod/X509.pmod:696:    return 0;       DBG("TBSCertificate: parsed public key. type = %s\n",    public_key->type);       int i = 6;       if (version >= 2)    {    if ((i < sizeof(a)) && !a[i]->constructed && -  (a[i]->combined_tag == make_combined_tag(2, 1))) +  (a[i]->get_combined_tag() == make_combined_tag(2, 1)))    { -  issuer_id = BitString()->decode_primitive(a[i]->raw); +  if (a[i]->raw) { +  (issuer_id = IssuerId())->decode_primitive(a[i]->raw); +  } else { +  issuer_id = a[i]; +  }    DBG("TBSCertificate: issuer_id = %O\n", issuer_id);    i++;    }    if ((i < sizeof(a)) && !a[i]->constructed && -  (a[i]->combined_tag == make_combined_tag(2, 2))) +  (a[i]->get_combined_tag() == make_combined_tag(2, 2)))    { -  subject_id = BitString()->decode_primitive(a[i]->raw); +  if (a[i]->raw) { +  (subject_id = SubjectId())->decode_primitive(a[i]->raw); +  } else { +  subject_id = a[i]; +  }    DBG("TBSCertificate: subject_id = %O\n", subject_id);    i++;    }    }    if (version >= 3) {    if ((i < sizeof(a)) && a[i]->constructed &&    (a[i]->combined_tag == make_combined_tag(2, 3)) &&    sizeof(a[i])==1 &&    a[i][0]->type_name == "SEQUENCE") {    raw_extensions = a[i][0];
pike.git/lib/modules/Standards.pmod/X509.pmod:889:    if(!serial)    serial = (int)Gmp.mpz(Standards.UUID.make_version1(-1)->encode(), 256);    Sequence dn = Certificate.build_distinguished_name(name);    return sign_key(dn, c, h||Crypto.SHA256, dn, serial, ttl, extensions);   }      //! Decodes a certificate and verifies that it is structually sound.   //! Returns a @[TBSCertificate] object if ok, otherwise @expr{0@}.   TBSCertificate decode_certificate(string|object cert)   { -  if (stringp (cert)) cert = Standards.ASN1.Decode.simple_der_decode(cert); +  if (stringp (cert)) { +  cert = Standards.ASN1.Decode.simple_der_decode(cert, x509_types); +  }       if (!cert    || (cert->type_name != "SEQUENCE")    || (sizeof(cert) != 3)    || (cert[0]->type_name != "SEQUENCE")    || (cert[1]->type_name != "SEQUENCE")    || (!sizeof(cert[1]))    || (cert[1][0]->type_name != "OBJECT IDENTIFIER")    || (cert[2]->type_name != "BIT STRING")    || cert[2]->unused)