Commit 33a99836 authored by Martin Nilsson's avatar Martin Nilsson

Updated the documentation to verify_certificate_chain. Add the decoded...

Updated the documentation to verify_certificate_chain. Add the decoded certificates in the returned mapping. Don't check the keyUsage of the leaf node.
parent ab985409
...@@ -1406,9 +1406,13 @@ mapping(string:array(Verifier)) load_authorities(string|array(string)|void root_ ...@@ -1406,9 +1406,13 @@ mapping(string:array(Verifier)) load_authorities(string|array(string)|void root_
return res; return res;
} }
//! Decodes a certificate chain, checks the signatures. Verifies that the //! Decodes a certificate chain, oredered from leaf to root, and
//! chain is unbroken, and that all certificates are in effect //! checks the signatures. Verifies that the chain can be decoded
//! (time-wise.) //! correctly, is unbroken, and that all certificates are in effect
//! (time-wise.) and allowed to sign it's child certificate.
//!
//! No verifications are done on the leaf certificate to determine
//! what it can and can not be used for.
//! //!
//! Returns a mapping with the following contents, depending //! Returns a mapping with the following contents, depending
//! on the verification of the certificate chain: //! on the verification of the certificate chain:
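Review bot: The new docstring states that no checks are done on the leaf certificate, but it does not tell callers that a non-zero `verified` therefore no longer says anything about what the leaf key may be used for; add a line after `//! what it can and can not be used for.` such as `//! The caller must check the leaf certificate's key usage and extended key usage against its intended purpose.` so the responsibility that this commit moves out of the function is visible at the call site. The same paragraph has two typos on the new side, `oredered` and `it's child`, which should read `ordered` and `its child`. In the second hunk `m->certificates = chain_obj;` is assigned right after the decode loop and before the signature and validity checks, so the array is presumably also present in a mapping returned for a failed verification; the `"certificates"` member documentation should say it is populated whenever decoding succeeds, regardless of `verified`, so nobody treats its presence as a success signal. The body of verify_certificate_chain continues beyond the visible hunks.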
...@@ -1426,12 +1430,12 @@ mapping(string:array(Verifier)) load_authorities(string|array(string)|void root_ ...@@ -1426,12 +1430,12 @@ mapping(string:array(Verifier)) load_authorities(string|array(string)|void root_
//! Non-zero if the certificate is self-signed. //! Non-zero if the certificate is self-signed.
//! @member int(0..1) "verified" //! @member int(0..1) "verified"
//! Non-zero if the certificate is verified. //! Non-zero if the certificate is verified.
//! @member string "authority" //! @member Standards.ASN1.Sequence "authority"
//! @[Standards.ASN1.Sequence] of the authority RDN that verified //! The authority RDN that verified the chain.
//! the chain. //! @member Standards.ASN1.Sequence "cn"
//! @member string "cn" //! The common name RDN of the leaf certificate.
//! @[Standards.ASN1.Sequence] of the common name RDN of the leaf //! @member array(TBSCertificate) "certificates"
//! certificate. //! An array with the decoded certificates, ordered from root to leaf.
//! @endmapping //! @endmapping
//! //!
//! @param cert_chain //! @param cert_chain
...@@ -1475,6 +1479,7 @@ mapping verify_certificate_chain(array(string) cert_chain, ...@@ -1475,6 +1479,7 @@ mapping verify_certificate_chain(array(string) cert_chain,
chain_cert[idx] = cert; chain_cert[idx] = cert;
chain_obj[idx] = tbs; chain_obj[idx] = tbs;
} }
m->certificates = chain_obj;
// Chain is now reversed so root is first and leaf is last. // Chain is now reversed so root is first and leaf is last.
...@@ -1508,11 +1513,6 @@ mapping verify_certificate_chain(array(string) cert_chain, ...@@ -1508,11 +1513,6 @@ mapping verify_certificate_chain(array(string) cert_chain,
if( !(tbs->ext_keyUsage & keyCertSign) ) if( !(tbs->ext_keyUsage & keyCertSign) )
ERROR(CERT_UNAUTHORIZED_CA); ERROR(CERT_UNAUTHORIZED_CA);
} }
else // The leaf
{
if( !(tbs->ext_keyUsage & digitalSignature) )
ERROR(CERT_UNAUTHORIZED_SIGNING);
}
if(idx == 0) // The root cert if(idx == 0) // The root cert
{ {
......