pike.git / lib / modules / Standards.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Standards.pmod/X509.pmod:1:   #pike __REAL_VERSION__ + #require constant(Crypto.Hash)   //#pragma strict_types      //! Functions to generate and validate RFC2459 style X.509 v3   //! certificates.      constant dont_dump_module = 1;    - #if constant(Crypto.Hash) -  +    import Standards.ASN1.Types;   import Standards.PKCS;      #ifdef X509_DEBUG   #define DBG(X ...) werror(X)   #else   #define DBG(X ...)   #endif      //!
pike.git/lib/modules/Standards.pmod/X509.pmod:28:      //!   constant CERT_CHAIN_BROKEN = 4;      //!   constant CERT_ROOT_UNTRUSTED = 5;      //!   constant CERT_BAD_SIGNATURE = 6;    - #if 0 +    // A CA certificate does not have the CA basic constraint.   constant CERT_UNAUTHORIZED_CA = 7; - #endif +     -  +    // Bit 0 is the first bit in the BitString.   protected enum keyUsage {    digitalSignature = (1<<(7-0)),    nonRepudiation = (1<<(7-1)),    keyEncipherment = (1<<(7-2)),    dataEncipherment = (1<<(7-3)),    keyAgreement = (1<<(7-4)),    keyCertSign = (1<<(7-5)),    cRLSign = (1<<(7-6)),   };
pike.git/lib/modules/Standards.pmod/X509.pmod:1105:    return 0;    }       // id-ce-keyUsage is required. RFC 3280 4.2.1.3    c = lookup("keyUsage");    if( !c || c->type_name!="BIT STRING" )    {    DBG("verify root: Missing id-ce-keyUsage.\n");    return 0;    } -  keyUsage usage = (int)c; +  keyUsage usage = c->value[0]; // Arguably API violation.    if( !( usage & digitalSignature ) )    {    DBG("verify root: id-ce-keyUsage doesn't allow digitalSignature.\n");    return 0;    }    if( !( usage & keyCertSign ) ) // RFC 5759    {    return 0;    }   
pike.git/lib/modules/Standards.pmod/X509.pmod:1323:    chain_cert[idx] = cert;    chain_obj[idx] = tbs;    }       // Chain is now reversed so root is first and leaf is last.       foreach(chain_obj; int idx; TBSCertificate tbs)    {    array(Verifier)|Verifier verifiers;    +  if(idx != len-1) // Not the leaf +  { +  Object o = tbs->extensions[ Identifiers.ce_ids["basicConstraints"]->get_der() ]; +  +  // id-ce-basicConstraints is required for certificates with +  // public key used to validate certificate signatures. RFC 3280, +  // 4.2.1.10. +  if( !o || o->type_name!="SEQUENCE" ) +  ERROR(CERT_INVALID); +  Sequence s = [object(Sequence)]o; +  if( sizeof(o)<1 || sizeof(o)>2 || +  s[0]->type_name!="BOOLEAN" ) +  ERROR(CERT_INVALID); +  +  if( !s[0]->value ) +  ERROR(CERT_UNAUTHORIZED_CA); +  +  if( sizeof(s)==2 ) +  { +  if( s[1]->type_name!="INTEGER" || s[1]->value<0 ) +  ERROR(CERT_INVALID); +  +  // pathLenConstraint is the maximum number of intermediate +  // certificates. len-1-idx is the number of following +  // certificates. Subtract one more to not count the leaf +  // certificate. +  if( len-1-idx-1 > s[1]->value ) +  { +  // The error was later in the chain though, so maybe a +  // different error should be sent. +  ERROR(CERT_UNAUTHORIZED_CA); +  } +  } +  } +     if(idx == 0) // The root cert    {    verifiers = authorities[tbs->issuer->get_der()];       // if we don't know the issuer of the root certificate, and we    // require trust, we're done.    if(!verifiers && require_trust)    ERROR(CERT_ROOT_UNTRUSTED);       // Is the root self signed?
pike.git/lib/modules/Standards.pmod/X509.pmod:1395:    break;    }    }    if (!verified)    ERROR(CERT_BAD_SIGNATURE);    }    return m;      #undef ERROR   } -  - #endif +