pike.git / lib / modules / Tools.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Tools.pmod/X509.pmod:1:   #pike __REAL_VERSION__   //#pragma strict_types      /* -  * $Id: X509.pmod,v 1.33 2004/03/19 22:39:30 nilsson Exp $ +  * $Id: X509.pmod,v 1.34 2004/03/22 22:22:18 bill Exp $    *    * Some random functions for creating RFC-2459 style X.509 certificates.    *    */      constant dont_dump_module = 1;      #if constant(Standards.ASN1.Types.Sequence) && constant(Crypto.Hash)      import Standards.ASN1.Types;
pike.git/lib/modules/Tools.pmod/X509.pmod:33:      //!   constant CERT_CHAIN_BROKEN = 4;      //!   constant CERT_ROOT_UNTRUSTED = 5;      //!   constant CERT_BAD_SIGNATURE = 6;    + //! + constant CERT_UNAUTHORIZED_CA = 7; +    //! Creates a @[Standards.ASN1.Types.UTC] object from the posix   //! time @[t].   UTC make_time(int t)   {    Calendar.Second second = Calendar.Second(t)->set_timezone("UTC");       if (second->year_no() >= 2050)    error( "Times later than 2049 not supported yet\n" );       return UTC(sprintf("%02d%02d%02d%02d%02d%02dZ",
pike.git/lib/modules/Tools.pmod/X509.pmod:319:    == Identifiers.dsa_sha_id->get_der())    {    /* FIXME: Not implemented */    return 0;    }   }      //!   class TBSCertificate   { +  //!    string der;    -  +  //!    int version; -  +  +  //!    Gmp.mpz serial; -  +  +  //!    Sequence algorithm; /* Algorithm Identifier */ -  +  +  //!    Sequence issuer; -  +  +  //!    mapping not_after; -  +  +  //!    mapping not_before;    -  +  //!    Sequence subject; -  +  +  //!    Verifier public_key;       /* Optional */ -  +  +  //! @note +  //! optional    BitString issuer_id; -  +  +  //! @note +  //! optional    BitString subject_id; -  +  +  //! @note +  //! optional    object extensions;    -  +  //!    this_program init(Object asn1)    {    der = asn1->get_der();    if (asn1->type_name != "SEQUENCE")    return 0;       array(Object) a = ([object(Sequence)]asn1)->elements;    X509_WERR("TBSCertificate: sizeof(a) = %d\n", sizeof(a));       if (sizeof(a) < 6)
pike.git/lib/modules/Tools.pmod/X509.pmod:521:   //! chain is unbroken, and that all certificates are in effect   //! (time-wise.)   //!   //! Returns a mapping with the following contents, depending   //! on the verification of the certificate chain:   //!   //! @mapping   //! @member int "error_code"   //! Error describing type of verification failure, if verification failed.   //! May be one of the following: @[CERT_TOO_NEW], @[CERT_TOO_OLD], - //! @[CERT_ROOT_UNTRUSTED], @[CERT_BAD_SIGNATURE], @[CERT_INVALID] - //! or @[CERT_CHAIN_BROKEN] + //! @[CERT_ROOT_UNTRUSTED], @[CERT_BAD_SIGNATURE], @[CERT_INVALID], + //! @[CERT_UNAUTHORIZED_CA] or @[CERT_CHAIN_BROKEN]   //! @member int "error_cert"   //! Index number of the certificate that caused the verification failure.   //! @member int(0..1) "self_signed"   //! Non-zero if the certificate is self-signed.   //! @member int(0..1) "verified"   //! Non-zero if the certificate is verified.   //! @member string "authority"   //! @[Standards.ASN1.Sequence] of the authority RDN that verified   //! the chain.   //! @member string "cn"   //! @[Standards.ASN1.Sequence] of the common name RDN of the leaf   //! certificate.   //! @endmapping   //!   //! @param cert_chain - //! An array of certificates, with the relative-root last. + //! An array of certificates, with the relative-root last. Each certificate should + //! be a DER-encoded certificate.   //! @param authorities   //! A mapping from (DER-encoded) names to verifiers. - //! @param forbid_selfsigned + //! @param require_trust   //! Require that the certificate be traced to an authority, even if   //! it is self signed.   //!   //! See @[Standards.PKCS.Certificate.get_dn_string] for converting the   //! RDN to an X500 style string.   mapping verify_certificate_chain(array(string) cert_chain,    mapping authorities, int|void require_trust)   {       mapping m = ([ ]);
pike.git/lib/modules/Tools.pmod/X509.pmod:574:    return m;    }    chain_cert += ({cert});    chain_obj += ({tbs});    }       foreach(chain_obj; int idx; TBSCertificate tbs)    {    object v;    +  // if we are a CA certificate (we don't care about the end cert) +  // make sure the CA constraint is set. +  // +  // should we be considering self signed certificates? +  if(idx != (sizeof(chain_obj)-1)) +  { +  int caok = 0; +  +  if(tbs->extensions && sizeof(tbs->extensions)) +  { +  foreach(tbs->extensions->elements[0]->elements, Sequence c) +  { +  if(c->elements[0] == Identifiers.ce_id->append(19)) +  { +  foreach(c->elements[1..], Sequence v) +  { +  werror("checking for boolean: " + v->type_name + " " + v->value + "\n"); +  if(v->type_name == "BOOLEAN" && v->value == 1) +  caok = 1; +  } +  } +  } +  } +  +  if(! caok) +  { +  X509_WERR("a CA certificate does not have the CA basic constraint.\n"); +  m->error_code = CERT_UNAUTHORIZED_CA; +  m->error_cert = idx; +  return m; +  } +  } +     if(idx == 0) // The root cert    {    v = authorities[tbs->issuer->get_der()];       // if we don't know the issuer of the root certificate, and we    // require trust, we're done.    if(!v && require_trust)    {    X509_WERR("we require trust, but haven't got it.\n");    m->error_code = CERT_ROOT_UNTRUSTED;