pike.git / lib / modules / Tools.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Tools.pmod/X509.pmod:1:   #pike __REAL_VERSION__   //#pragma strict_types      /* -  * $Id: X509.pmod,v 1.28 2004/02/05 19:22:17 nilsson Exp $ +  * $Id: X509.pmod,v 1.29 2004/02/05 19:47:27 nilsson Exp $    *    * Some random functions for creating RFC-2459 style X.509 certificates.    *    */      #if constant(Standards.ASN1.Types.Sequence)      import Standards.ASN1.Types;   import Standards.PKCS;   
pike.git/lib/modules/Tools.pmod/X509.pmod:217:    Sequence dn = Certificate.build_distinguished_name(@name);       Sequence tbs = make_tbs(dn, rsa_sha1_algorithm,    dn, keyinfo,    serial, ttl, extensions);       return Sequence(    ({ tbs,    rsa_sha1_algorithm,    BitString(rsa_sign_digest(rsa, Identifiers.sha1_id, - #if constant(Crypto.SHA1.name) +     Crypto.SHA1.hash(tbs->get_der()) - #else -  Crypto.sha()->update(tbs->get_der())->digest() - #endif +     )) }) )->get_der();   }      class Verifier {    constant type = "none";    int(0..1) verify(object,string,string);    this_program init(string key);       optional Crypto.RSA rsa; // Ugly   }
pike.git/lib/modules/Tools.pmod/X509.pmod:252:    this_program init(string key) {    rsa = RSA.parse_public_key(key);    return rsa && this;    }       //!    int(0..1) verify(Sequence algorithm, string msg, string signature)    {    if (algorithm->get_der() == rsa_md5_algorithm->get_der())    return rsa_verify_digest(rsa, Identifiers.md5_id, - #if constant(Crypto.MD5.name) +     Crypto.MD5.hash(msg), - #else -  Crypto.md5()->update(msg)->digest(), - #endif +     signature);    if (algorithm->get_der() == rsa_sha1_algorithm->get_der())    return rsa_verify_digest(rsa, Identifiers.sha1_id, - #if constant(Crypto.SHA1.name) +     Crypto.SHA1.hash(msg), - #else -  Crypto.sha()->update(msg)->digest(), - #endif +     signature);    if (algorithm->get_der() == rsa_md2_algorithm->get_der())    return rsa_verify_digest(rsa, Identifiers.md2_id, - #if constant(Crypto.MD2.name) +     Crypto.MD2.hash(msg), - #else -  Crypto.md2()->update(msg)->digest(), - #endif +     signature);    return 0;    }   }      #if 0   /* FIXME: This is a little more difficult, as the dsa-parameters are    * sometimes taken from the CA, and not present in the keyinfo. */   class dsa_verifier   {
pike.git/lib/modules/Tools.pmod/X509.pmod:542:   //! May be one of the following: @[CERT_TOO_NEW], @[CERT_TOO_OLD],   //! @[CERT_ROOT_UNTRUSTED], @[CERT_BAD_SIGNATURE], @[CERT_INVALID]   //! or @[CERT_CHAIN_BROKEN]   //! @member int "error_cert"   //! Index number of the certificate that caused the verification failure.   //! @member int(0..1) "self_signed"   //! Non-zero if the certificate is self-signed.   //! @member int(0..1) "verified"   //! Non-zero if the certificate is verified.   //! @member string "authority" - //! @[Standards.ASN1.Sequence] of the authority RDN that verified the chain. + //! @[Standards.ASN1.Sequence] of the authority RDN that verified + //! the chain.   //! @member string "cn" - //! @[Standards.ASN1.Sequence] of the common name RDN of the leaf certificate. + //! @[Standards.ASN1.Sequence] of the common name RDN of the leaf + //! certificate.   //! @endmapping   //!   //! @param cert_chain   //! An array of certificates, with the relative-root last.   //! @param authorities   //! A mapping from (DER-encoded) names to verifiers.   //! @param forbid_selfsigned - //! Require that the certificate be traced to an authority, even if it is self signed. + //! Require that the certificate be traced to an authority, even if + //! it is self signed.   //! - //! See @[Standards.PKCS.Certificate.get_dn_string] for converting the RDN to an X500 style string. - mapping verify_certificate_chain(array(string) cert_chain, mapping authorities, int|void require_trust) + //! See @[Standards.PKCS.Certificate.get_dn_string] for converting the + //! RDN to an X500 style string. + mapping verify_certificate_chain(array(string) cert_chain, +  mapping authorities, int|void require_trust)   {       mapping m = ([ ]);       array chain_obj = ({});    array chain_cert = ({});       foreach(cert_chain; int idx; string c)    {    object cert = Standards.ASN1.Decode.simple_der_decode(c);
pike.git/lib/modules/Tools.pmod/X509.pmod:585:    }       foreach(chain_obj; int idx; TBSCertificate tbs)    {    object v;       if(idx == 0) // The root cert    {    v = authorities[tbs->issuer->get_der()];    -  // if we don't know the issuer of the root certificate, and we require trust, we're done. +  // if we don't know the issuer of the root certificate, and we +  // require trust, we're done.    if(!v && require_trust)    {    X509_WERR("we require trust, but haven't got it.\n");    m->error_code = CERT_ROOT_UNTRUSTED;    m->error_cert = idx;    return m;    }       // is the root self signed?    if (tbs->issuer->get_der() == tbs->subject->get_der())
pike.git/lib/modules/Tools.pmod/X509.pmod:630:       // first check not_after. we want the current time to be earlier.    if(my_time > mktime(tbs->not_after))    {    m->verified = 0;    m->error_code = CERT_TOO_OLD;    m->error_cert = idx;    return m;    }    -  // is the issuer of this certificate the subject of the previous (more rootward) certificate? +  // is the issuer of this certificate the subject of the previous +  // (more rootward) certificate?    if(tbs->issuer->get_der() != chain_obj[idx-1]->subject->get_der())    {    X509_WERR("issuer chain is broken!\n");    m->verified = 0;    m->error_code = CERT_CHAIN_BROKEN;    m->error_cert = idx;    return m;    } -  // the verifier for this certificate should be the public key of the previous certificate in the chain. +  // the verifier for this certificate should be the public key of +  // the previous certificate in the chain.    v = chain_obj[idx-1]->public_key;    }       if (v && v->verify(chain_cert[idx]->elements[1],    chain_cert[idx]->elements[0]->get_der(),    chain_cert[idx]->elements[2]->value)    && tbs)    {    X509_WERR("signature is verified..\n");    m->verified = 1;    -  if(idx == 0) // if we're the root of the chain and we've verified, this is the authority. +  // if we're the root of the chain and we've verified, this is +  // the authority. +  if(idx == 0)    m->authority = tbs->issuer;       if(idx == sizeof(chain_cert)-1) m->cn = tbs->subject;    }    else    {    X509_WERR("signature _not_ verified...\n");    m->error_code = CERT_BAD_SIGNATURE;    m->error_cert = idx;    m->verified = 0;    return m;    }    }    return m;   }      #endif