Commit 33a99836 authored by Martin Nilsson's avatar Martin Nilsson

Updated the documentation to verify_certificate_chain. Add the decoded...

Updated the documentation to verify_certificate_chain. Add the decoded certificates in the returned mapping. Don't check the keyUsage of the leaf node.
parent ab985409
...@@ -1406,9 +1406,13 @@ mapping(string:array(Verifier)) load_authorities(string|array(string)|void root_ ...@@ -1406,9 +1406,13 @@ mapping(string:array(Verifier)) load_authorities(string|array(string)|void root_
return res; return res;
} }
//! Decodes a certificate chain, checks the signatures. Verifies that the //! Decodes a certificate chain, oredered from leaf to root, and
//! chain is unbroken, and that all certificates are in effect //! checks the signatures. Verifies that the chain can be decoded
//! (time-wise.) //! correctly, is unbroken, and that all certificates are in effect
//! (time-wise.) and allowed to sign it's child certificate.
//!
//! No verifications are done on the leaf certificate to determine
//! what it can and can not be used for.
//! //!
//! Returns a mapping with the following contents, depending //! Returns a mapping with the following contents, depending
//! on the verification of the certificate chain: //! on the verification of the certificate chain:
...@@ -1426,12 +1430,12 @@ mapping(string:array(Verifier)) load_authorities(string|array(string)|void root_ ...@@ -1426,12 +1430,12 @@ mapping(string:array(Verifier)) load_authorities(string|array(string)|void root_
//! Non-zero if the certificate is self-signed. //! Non-zero if the certificate is self-signed.
//! @member int(0..1) "verified" //! @member int(0..1) "verified"
//! Non-zero if the certificate is verified. //! Non-zero if the certificate is verified.
//! @member string "authority" //! @member Standards.ASN1.Sequence "authority"
//! @[Standards.ASN1.Sequence] of the authority RDN that verified //! The authority RDN that verified the chain.
//! the chain. //! @member Standards.ASN1.Sequence "cn"
//! @member string "cn" //! The common name RDN of the leaf certificate.
//! @[Standards.ASN1.Sequence] of the common name RDN of the leaf //! @member array(TBSCertificate) "certificates"
//! certificate. //! An array with the decoded certificates, ordered from root to leaf.
//! @endmapping //! @endmapping
//! //!
//! @param cert_chain //! @param cert_chain
...@@ -1475,6 +1479,7 @@ mapping verify_certificate_chain(array(string) cert_chain, ...@@ -1475,6 +1479,7 @@ mapping verify_certificate_chain(array(string) cert_chain,
chain_cert[idx] = cert; chain_cert[idx] = cert;
chain_obj[idx] = tbs; chain_obj[idx] = tbs;
} }
m->certificates = chain_obj;
// Chain is now reversed so root is first and leaf is last. // Chain is now reversed so root is first and leaf is last.
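Review bot: `m->certificates = chain_obj;` is stored immediately after the decode loop, before the key-usage and other checks that follow it, so if ERROR hands back the partially filled mapping (not visible in this hunk) a caller gets a complete `certificates` array even for a chain that did not verify. The new `@member array(TBSCertificate) "certificates"` entry in the documentation hunk does not say this; I would append `//! Present whenever all certificates decoded, whether or not the chain verified; check "verified" before relying on them.` The same doc hunk has two typos worth fixing while here: `oredered` should be `ordered` and `it's child certificate` should be `its child certificate`. verify_certificate_chain begins and ends outside this hunk.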
...@@ -1508,11 +1513,6 @@ mapping verify_certificate_chain(array(string) cert_chain, ...@@ -1508,11 +1513,6 @@ mapping verify_certificate_chain(array(string) cert_chain,
if( !(tbs->ext_keyUsage & keyCertSign) ) if( !(tbs->ext_keyUsage & keyCertSign) )
ERROR(CERT_UNAUTHORIZED_CA); ERROR(CERT_UNAUTHORIZED_CA);
} }
else // The leaf
{
if( !(tbs->ext_keyUsage & digitalSignature) )
ERROR(CERT_UNAUTHORIZED_SIGNING);
}
if(idx == 0) // The root cert if(idx == 0) // The root cert
{ {
......