pike.git / lib / modules / Tools.pmod / X509.pmod

version» Context lines:

pike.git/lib/modules/Tools.pmod/X509.pmod:214:    signature);    else    return 0;    }    }   }      #if 0   /* FIXME: This is a little more difficult, as the dsa-parameters are    * sometimes taken from the CA, and not present in the keyinfo. */ - class dsa_verifyer + class dsa_verifier   {    object dsa;       constant type = "dsa";       object init(string key)    {    }   }   #endif
pike.git/lib/modules/Tools.pmod/X509.pmod:280:    object subject_id;    object extensions;       object init(object asn1)    {    der = asn1->get_der();    if (asn1->type_name != "SEQUENCE")    return 0;       array a = asn1->elements; -  werror("TBSCertificate: sizeof(a) = %d\n", sizeof(a)); +  //werror("TBSCertificate: sizeof(a) = %d\n", sizeof(a));       if (sizeof(a) < 6)    return 0;       if (sizeof(a) > 6)    {    /* The optional version field must be present */    if (!a[0]->constructed    || (a[0]->get_combinded_tag() != make_combined_tag(2, 0))    || (sizeof(a[0]->elements) != 1)    || (a[0]->elements[0]->type_name != "INTEGER"))    return 0;       version = (int) a[0]->elements[0]->value + 1;    if ( (version < 2) || (version > 3))    return 0;    a = a[1..];    } else    version = 1;    -  werror("TBSCertificate: version = %d\n", version); +  //werror("TBSCertificate: version = %d\n", version);    if (a[0]->type_name != "INTEGER")    return 0;    serial = a[0]->value;    -  werror("TBSCertificate: serial = %s\n", (string) serial); +  //werror("TBSCertificate: serial = %s\n", (string) serial);       if ((a[1]->type_name != "SEQUENCE")    || !sizeof(a[1]->elements )    || (a[1]->elements[0]->type_name != "OBJECT IDENTIFIER"))    return 0;       algorithm = a[1];    -  werror("TBSCertificate: algorithm = %s\n", algorithm->debug_string()); +  //werror("TBSCertificate: algorithm = %s\n", algorithm->debug_string());       if (a[2]->type_name != "SEQUENCE")    return 0;    issuer = a[2];    -  werror("TBSCertificate: issuer = %s\n", issuer->debug_string()); +  //werror("TBSCertificate: issuer = %s\n", issuer->debug_string());       if ((a[3]->type_name != "SEQUENCE")    || (sizeof(a[3]->elements) != 2))    return 0;       array validity = a[3]->elements;       not_before = parse_time(validity[0]);    if (!not_before)    return 0;    -  werror("TBSCertificate: not_before = %O\n", not_before); +  //werror("TBSCertificate: not_before = %O\n", not_before);       not_after = parse_time(validity[0]);    if (!not_after)    return 0;    -  werror("TBSCertificate: not_after = %O\n", not_after); +  //werror("TBSCertificate: not_after = %O\n", not_after);       if (a[4]->type_name != "SEQUENCE")    return 0;    subject = a[4];    -  werror("TBSCertificate: keyinfo = %s\n", a[5]->debug_string()); +  //werror("TBSCertificate: keyinfo = %s\n", a[5]->debug_string());       public_key = make_verifier(a[5]);       if (!public_key)    return 0;    -  werror("TBSCertificate: parsed public key. type = %s\n", -  public_key->type); +  //werror("TBSCertificate: parsed public key. type = %s\n", +  // public_key->type);       int i = 6;    if (i == sizeof(a))    return this_object();       if (version < 2)    return 0;       if (! a[i]->constructed    && (a[i]->combined_tag == make_combined_tag(2, 1)))
pike.git/lib/modules/Tools.pmod/X509.pmod:391:    extensions = a[i];    i++;    if (i == sizeof(a))    return this_object();    }    /* Too many fields */    return 0;    }   }    - /* Decodes a certificate, checks the signature. Returns the -  * TBSCertificate structure, or 0 if decoding or verification failes. -  * -  * Authorities is a mapping from (DER-encoded) names to a verifiers. */ -  - /* NOTE: This function allows self-signed certificates, and it doesn't -  * check that names or extensions make sense. */ -  - object verify_certificate(string s, mapping authorities) + object decode_certificate(string|object cert)   { -  object cert = Standards.ASN1.Decode.simple_der_decode(s); +  if (stringp (cert)) cert = Standards.ASN1.Decode.simple_der_decode(cert);       if (!cert    || (cert->type_name != "SEQUENCE")    || (sizeof(cert->elements) != 3)    || (cert->elements[0]->type_name != "SEQUENCE")    || (cert->elements[1]->type_name != "SEQUENCE")    || (!sizeof(cert->elements[1]->elements))    || (cert->elements[1]->elements[0]->type_name != "OBJECT IDENTIFIER")    || (cert->elements[2]->type_name != "BIT STRING")    || cert->elements[2]->unused)    return 0;       object(TBSCertificate) tbs = TBSCertificate()->init(cert->elements[0]);       if (!tbs || (cert->elements[1]->get_der() != tbs->algorithm->get_der()))    return 0;    -  +  return tbs; + } +  + /* Decodes a certificate, checks the signature. Returns the +  * TBSCertificate structure, or 0 if decoding or verification failes. +  * +  * Authorities is a mapping from (DER-encoded) names to a verifiers. */ +  + /* NOTE: This function allows self-signed certificates, and it doesn't +  * check that names or extensions make sense. */ +  + object verify_certificate(string s, mapping authorities) + { +  object cert = Standards.ASN1.Decode.simple_der_decode(s); +  +  object(TBSCertificate) tbs = decode_certificate(cert); +  if (!tbs) return 0; +     object v;       if (tbs->issuer->get_der() == tbs->subject->get_der())    {    /* A self signed certificate */ -  werror("Self signed certificate\n"); +  //werror("Self signed certificate\n");    v = tbs->public_key;    }    else    v = authorities[tbs->issuer->get_der()];       return v && v->verify(cert->elements[1],    cert->elements[0]->get_der(),    cert->elements[2]->value)    && tbs;   }