Extracted from Pike v7.8 release 866 at 2016-11-06.
pike.ida.liu.se

Method Tools.X509.verify_certificate_chain()


Method verify_certificate_chain

mapping verify_certificate_chain(array(string) cert_chain, mapping authorities, int|void require_trust)

Description

Decodes a certificate chain and checks the signatures. Verifies that the chain is unbroken and that all certificates are in effect (time-wise).

Returns a mapping with the following contents, depending on the verification of the certificate chain:

"error_code" : int

Error describing the type of verification failure, if verification failed. May be one of the following: CERT_TOO_NEW, CERT_TOO_OLD, CERT_ROOT_UNTRUSTED, CERT_BAD_SIGNATURE, CERT_INVALID, CERT_UNAUTHORIZED_CA or CERT_CHAIN_BROKEN.

"error_cert" : int

Index number of the certificate that caused the verification failure.

"self_signed" : int(0..1)

Non-zero if the certificate is self-signed.

"verified" : int(0..1)

Non-zero if the certificate is verified.

"authority" : string

Standards.ASN1.Sequence of the authority RDN that verified the chain.

"cn" : string

Standards.ASN1.Sequence of the common name RDN of the leaf certificate.


Parameter cert_chain

An array of certificates, with the relative-root last. Each certificate should be a DER-encoded certificate.

Parameter authorities

A mapping from (DER-encoded) names to verifiers.

Parameter require_trust

Require that the certificate be traced to an authority, even if it is self-signed.

See Standards.PKCS.Certificate.get_dn_string for converting the RDN to an X500 style string.
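
Example (added here, not part of the Pike documentation): a fail-closed caller that passes require_trust, accepts the chain only on a non-zero "verified", and logs the documented error fields. error_name() and check_chain() are hypothetical helpers. It is an assumption that the CERT_* constants are reachable as Tools.X509.CERT_*, and that a verifier is the public_key of a certificate decoded with Tools.X509.decode_certificate(), keyed by its subject's get_der().

```pike
// Added example; error_name() and check_chain() are hypothetical helpers.

// Map the documented error codes to readable names for logging.
string error_name(int code)
{
  mapping(int:string) names = ([
    Tools.X509.CERT_TOO_NEW:         "CERT_TOO_NEW",
    Tools.X509.CERT_TOO_OLD:         "CERT_TOO_OLD",
    Tools.X509.CERT_ROOT_UNTRUSTED:  "CERT_ROOT_UNTRUSTED",
    Tools.X509.CERT_BAD_SIGNATURE:   "CERT_BAD_SIGNATURE",
    Tools.X509.CERT_INVALID:         "CERT_INVALID",
    Tools.X509.CERT_UNAUTHORIZED_CA: "CERT_UNAUTHORIZED_CA",
    Tools.X509.CERT_CHAIN_BROKEN:    "CERT_CHAIN_BROKEN",
  ]);
  return names[code] || sprintf("unknown error code %d", code);
}

// Returns 1 only when the chain verifies against the given authorities.
int(0..1) check_chain(array(string) cert_chain, mapping authorities)
{
  // require_trust = 1: a self-signed root must still trace to an authority.
  mapping res =
    Tools.X509.verify_certificate_chain(cert_chain, authorities, 1);
  // Fail closed: accept only an explicit non-zero "verified".
  if (res && res->verified) return 1;
  if (!res) werror("Chain rejected: no result\n");
  else werror("Chain rejected: %s (error_cert %d, self_signed %d)\n",
              error_name(res->error_code), res->error_cert, res->self_signed);
  return 0;
}

int main(int argc, array(string) argv)
{
  if (argc < 3) {
    werror("Usage: %s root.der leaf.der [intermediate.der ...]\n", argv[0]);
    return 2;
  }
  array(string) files = map(argv[1..], Stdio.read_file);
  if (has_value(files, 0)) { werror("Unreadable input file\n"); return 2; }
  // Assumption: a verifier is the public_key of a decoded certificate,
  // keyed by the DER encoding of its subject name.
  object root = Tools.X509.decode_certificate(files[0]);
  if (!root) { werror("Cannot decode %s\n", argv[1]); return 2; }
  mapping authorities = ([ root->subject->get_der(): root->public_key ]);
  // cert_chain keeps the page's order: leaf first, relative-root last.
  return check_chain(files[1..], authorities) ? 0 : 1;
}
```

The input files are DER-encoded certificates supplied by the caller; the exit status is 0 only for a verified chain.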