pike.git / lib / modules / Tools.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Tools.pmod/X509.pmod:620:   //! Non-zero if the certificate is verified.   //! @member string "authority"   //! @[Standards.ASN1.Sequence] of the authority RDN that verified   //! the chain.   //! @member string "cn"   //! @[Standards.ASN1.Sequence] of the common name RDN of the leaf   //! certificate.   //! @endmapping   //!   //! @param cert_chain - //! An array of certificates, with the relative-root last. Each certificate should - //! be a DER-encoded certificate. + //! An array of certificates, with the relative-root last. Each + //! certificate should be a DER-encoded certificate.   //! @param authorities   //! A mapping from (DER-encoded) names to verifiers.   //! @param require_trust   //! Require that the certificate be traced to an authority, even if   //! it is self signed.   //!   //! See @[Standards.PKCS.Certificate.get_dn_string] for converting the   //! RDN to an X500 style string.   mapping verify_certificate_chain(array(string) cert_chain,    mapping authorities, int|void require_trust)   {       mapping m = ([ ]);    -  array chain_obj = ({}); -  array chain_cert = ({}); +  int len = sizeof(cert_chain); +  array chain_obj = allocate(len); +  array chain_cert = allocate(len);       foreach(cert_chain; int idx; string c)    {    object cert = Standards.ASN1.Decode.simple_der_decode(c);    TBSCertificate tbs = decode_certificate(cert);    if(!tbs)    {    m->error_code = CERT_INVALID;    m->error_cert = idx;    return m;    } -  chain_cert += ({cert}); -  chain_obj += ({tbs}); +  +  int idx = len-idx-1; +  chain_cert[idx] = cert; +  chain_obj[idx] = tbs;    }       foreach(chain_obj; int idx; TBSCertificate tbs)    {    object v;      #if 0    // NOTE: disabled due to unreliable presence of cA constraint.    //    // if we are a CA certificate (we don't care about the end cert)
pike.git/lib/modules/Tools.pmod/X509.pmod:762:    m->verified = 0;    m->error_code = CERT_CHAIN_BROKEN;    m->error_cert = idx;    return m;    }    // the verifier for this certificate should be the public key of    // the previous certificate in the chain.    v = chain_obj[idx-1]->public_key;    }    -  if (v && v->verify(chain_cert[idx]->elements[1], +  if (v) +  { +  if( v->verify(chain_cert[idx]->elements[1],    chain_cert[idx]->elements[0]->get_der(),    chain_cert[idx]->elements[2]->value)    && tbs)    {    X509_WERR("signature is verified..\n");    m->verified = 1;       // if we're the root of the chain and we've verified, this is    // the authority.    if(idx == 0)
pike.git/lib/modules/Tools.pmod/X509.pmod:786:    }    else    {    X509_WERR("signature _not_ verified...\n");    m->error_code = CERT_BAD_SIGNATURE;    m->error_cert = idx;    m->verified = 0;    return m;    }    } +  }    return m;   }      #endif