Botan 3.11.0
Crypto and TLS for C++
Botan::Path_Validation_Restrictions Class Reference (final)

#include <x509path.h>

Public Member Functions

bool ignore_trusted_root_time_range () const
std::chrono::seconds max_ocsp_age () const
size_t minimum_key_strength () const
bool ocsp_all_intermediates () const
 Path_Validation_Restrictions (bool require_rev, size_t minimum_key_strength, bool ocsp_all_intermediates, const std::set< std::string > &trusted_hashes, std::chrono::seconds max_ocsp_age=std::chrono::seconds::zero(), std::unique_ptr< Certificate_Store > trusted_ocsp_responders=std::make_unique< Certificate_Store_In_Memory >(), bool ignore_trusted_root_time_range=false, bool require_self_signed_trust_anchors=true)
BOTAN_FUTURE_EXPLICIT Path_Validation_Restrictions (bool require_rev=false, size_t minimum_key_strength=110, bool ocsp_all_intermediates=false, std::chrono::seconds max_ocsp_age=std::chrono::seconds::zero(), std::unique_ptr< Certificate_Store > trusted_ocsp_responders=std::make_unique< Certificate_Store_In_Memory >(), bool ignore_trusted_root_time_range=false, bool require_self_signed_trust_anchors=true)
bool require_revocation_information () const
bool require_self_signed_trust_anchors () const
const std::set< std::string > & trusted_hashes () const
const Certificate_Store * trusted_ocsp_responders () const

Detailed Description

Specifies restrictions on the PKIX path validation

Definition at line 33 of file x509path.h.

Constructor & Destructor Documentation

◆ Path_Validation_Restrictions() [1/2]

Botan::Path_Validation_Restrictions::Path_Validation_Restrictions ( bool require_rev = false,
size_t minimum_key_strength = 110,
bool ocsp_all_intermediates = false,
std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero(),
std::unique_ptr< Certificate_Store > trusted_ocsp_responders = std::make_unique<Certificate_Store_In_Memory>(),
bool ignore_trusted_root_time_range = false,
bool require_self_signed_trust_anchors = true )
Parameters
require_rev: if true, revocation information is required
minimum_key_strength: the minimum strength, in bits of work (80 means roughly 2^80 operations), of the key that produced a signature in the chain. Signatures made with weaker keys are rejected. A value above 80 also leaves SHA-1 out of the trusted hash set, so SHA-1 signatures are rejected as well. Use at least 110 where possible.
80 bit strength requires 1024 bit RSA
110 bit strength requires 2k bit RSA
128 bit strength requires ~3k bit RSA or P-256
ocsp_all_intermediates: make OCSP requests for all CAs as well as the end entity (if OCSP is enabled in the path validation request)
max_ocsp_age: maximum age of OCSP responses that carry no nextUpdate. If zero, there is no maximum age
trusted_ocsp_responders: certificate store containing certificates of trusted OCSP responders (in addition to the CAs' own responders)
ignore_trusted_root_time_range: if true, validity checks on the time range of the trusted root certificate only produce warnings
require_self_signed_trust_anchors: if true, only self-signed certificates are allowed as trust anchors; intermediate and leaf certificates present in the trust store are not accepted as anchors

Definition at line 985 of file x509path.cpp.

Path_Validation_Restrictions::Path_Validation_Restrictions(bool require_rev,
                                                           size_t key_strength,
                                                           bool ocsp_intermediates,
                                                           std::chrono::seconds max_ocsp_age,
                                                           std::unique_ptr<Certificate_Store> trusted_ocsp_responders,
                                                           bool ignore_trusted_root_time_range,
                                                           bool require_self_signed_trust_anchors) :
      m_require_revocation_information(require_rev),
      m_ocsp_all_intermediates(ocsp_intermediates),
      m_minimum_key_strength(key_strength),
      m_max_ocsp_age(max_ocsp_age),
      m_trusted_ocsp_responders(std::move(trusted_ocsp_responders)),
      m_ignore_trusted_root_time_range(ignore_trusted_root_time_range),
      m_require_self_signed_trust_anchors(require_self_signed_trust_anchors) {
   // SHA-1 is only trusted when the caller accepts 80-bit security or less
   if(key_strength <= 80) {
      m_trusted_hashes.insert("SHA-1");
   }

   m_trusted_hashes.insert("SHA-224");
   m_trusted_hashes.insert("SHA-256");
   m_trusted_hashes.insert("SHA-384");
   m_trusted_hashes.insert("SHA-512");
   m_trusted_hashes.insert("SHAKE-256(512)");  // Dilithium/ML-DSA
   m_trusted_hashes.insert("SHAKE-256(912)");  // Ed448
}

References ignore_trusted_root_time_range(), max_ocsp_age(), require_self_signed_trust_anchors(), and trusted_ocsp_responders().

◆ Path_Validation_Restrictions() [2/2]

Botan::Path_Validation_Restrictions::Path_Validation_Restrictions ( bool require_rev,
size_t minimum_key_strength,
bool ocsp_all_intermediates,
const std::set< std::string > & trusted_hashes,
std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero(),
std::unique_ptr< Certificate_Store > trusted_ocsp_responders = std::make_unique<Certificate_Store_In_Memory>(),
bool ignore_trusted_root_time_range = false,
bool require_self_signed_trust_anchors = true )
inline
Parameters
require_rev: if true, revocation information is required
minimum_key_strength: the minimum strength, in bits of work (80 means roughly 2^80 operations), of the key that produced a signature in the chain. Signatures made with weaker keys are rejected.
ocsp_all_intermediates: make OCSP requests for all CAs as well as the end entity (if OCSP is enabled in the path validation request)
trusted_hashes: a set of trusted hashes. Any signature created using a hash other than one of these will be rejected. Unlike the other constructor, no hash is added automatically, so the caller decides whether SHA-1 (and SHA-224 or the SHAKE variants used by Ed448 and ML-DSA) is acceptable.
max_ocsp_age: maximum age of OCSP responses that carry no nextUpdate. If zero, there is no maximum age
trusted_ocsp_responders: certificate store containing certificates of trusted OCSP responders (in addition to the CAs' own responders)
ignore_trusted_root_time_range: if true, validity checks on the time range of the trusted root certificate only produce warnings
require_self_signed_trust_anchors: if true, only self-signed certificates are allowed as trust anchors; intermediate and leaf certificates present in the trust store are not accepted as anchors

Definition at line 87 of file x509path.h.

Path_Validation_Restrictions(bool require_rev,
                             size_t minimum_key_strength,
                             bool ocsp_all_intermediates,
                             const std::set<std::string>& trusted_hashes,
                             std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero(),
                             std::unique_ptr<Certificate_Store> trusted_ocsp_responders =
                                std::make_unique<Certificate_Store_In_Memory>(),
                             bool ignore_trusted_root_time_range = false,
                             bool require_self_signed_trust_anchors = true) :
      m_require_revocation_information(require_rev),
      m_ocsp_all_intermediates(ocsp_all_intermediates),
      m_trusted_hashes(trusted_hashes),
      m_minimum_key_strength(minimum_key_strength),
      m_max_ocsp_age(max_ocsp_age),
      m_trusted_ocsp_responders(std::move(trusted_ocsp_responders)),
      m_ignore_trusted_root_time_range(ignore_trusted_root_time_range),
      m_require_self_signed_trust_anchors(require_self_signed_trust_anchors) {}

References ignore_trusted_root_time_range(), max_ocsp_age(), minimum_key_strength(), ocsp_all_intermediates(), require_self_signed_trust_anchors(), trusted_hashes(), and trusted_ocsp_responders().

Member Function Documentation

◆ ignore_trusted_root_time_range()

bool Botan::Path_Validation_Restrictions::ignore_trusted_root_time_range ( ) const
inline

RFC 5280 does not forbid a trust anchor from issuing certificates whose validity period extends beyond its own. When a chain is checked at a particular point in time, this can mean that the root certificate has expired while the certificates below it have not.

If this flag is set to true, such chains are considered valid and the warning TRUSTED_CERT_HAS_EXPIRED is reported. Otherwise, the chain is rejected with the error code CERT_HAS_EXPIRED. The same holds for a root that is not yet valid: the error code CERT_NOT_YET_VALID, or the warning TRUSTED_CERT_NOT_YET_VALID when the flag is set.

Definition at line 150 of file x509path.h.

{ return m_ignore_trusted_root_time_range; }

Referenced by Botan::PKIX::check_chain(), Path_Validation_Restrictions(), and Path_Validation_Restrictions().

◆ max_ocsp_age()

std::chrono::seconds Botan::Path_Validation_Restrictions::max_ocsp_age ( ) const
inline
Returns
maximum age of OCSP responses w/o next_update. If zero, there is no maximum age

Definition at line 130 of file x509path.h.

{ return m_max_ocsp_age; }

Referenced by Path_Validation_Restrictions(), and Path_Validation_Restrictions().

◆ minimum_key_strength()

size_t Botan::Path_Validation_Restrictions::minimum_key_strength ( ) const
inline
Returns
minimum required key strength

Definition at line 124 of file x509path.h.

{ return m_minimum_key_strength; }

Referenced by Botan::PKIX::check_chain(), and Path_Validation_Restrictions().

◆ ocsp_all_intermediates()

bool Botan::Path_Validation_Restrictions::ocsp_all_intermediates ( ) const
inline
Returns
whether all intermediate CAs should also be checked via OCSP. If false, only the end entity certificate is OCSP checked (required or requested).

Definition at line 114 of file x509path.h.

{ return m_ocsp_all_intermediates; }

Referenced by Botan::PKIX::merge_revocation_status(), and Path_Validation_Restrictions().

◆ require_revocation_information()

bool Botan::Path_Validation_Restrictions::require_revocation_information ( ) const
inline
Returns
whether revocation information is required

Definition at line 108 of file x509path.h.

{ return m_require_revocation_information; }

Referenced by Botan::PKIX::merge_revocation_status().

◆ require_self_signed_trust_anchors()

bool Botan::Path_Validation_Restrictions::require_self_signed_trust_anchors ( ) const
inline

By default Botan requires trust anchors to be self-signed. This prevents using intermediate CA certificates and leaf certificates as trust anchors, even if they are included in the Certificate Store. This restriction can be removed by setting require_self_signed_trust_anchors=false in the constructor.

Definition at line 159 of file x509path.h.

{ return m_require_self_signed_trust_anchors; }

Referenced by Botan::PKIX::check_chain(), Path_Validation_Restrictions(), Path_Validation_Restrictions(), and Botan::x509_path_validate().
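The three policy rules documented on this page (a minimum key strength above 80 drops SHA-1 from the trusted hash set and rejects weak signing keys; ignore_trusted_root_time_range() demotes an expired anchor from CERT_HAS_EXPIRED to the warning TRUSTED_CERT_HAS_EXPIRED; require_self_signed_trust_anchors() refuses a non-self-signed anchor), exercised on a constructed chain. This is an added example written for this page, not Botan's own check_chain(): it is a stand-alone model of those rules with no Botan dependency. ModelCert, PolicyCode, Verdict and the sample certificates (validity dates as days since the Unix epoch, a 1024-bit RSA root estimated at 80 bits, a 2048-bit intermediate at 112) are invented for the illustration, and the model's decision to run the hash and key-strength checks on the anchor's self-signature like any other link is its own choice, not a statement about the library.

```cpp
// Added example, not Botan's own code: a stand-alone model of three rules that
// Path_Validation_Restrictions expresses (minimum key strength and the trusted
// hash set, ignore_trusted_root_time_range, require_self_signed_trust_anchors),
// so they can be exercised offline. ModelCert, PolicyCode, Verdict and the
// sample chain are constructed for this illustration only.
#include <chrono>
#include <cstddef>
#include <set>
#include <string>
#include <vector>

using Clock = std::chrono::system_clock;

struct ModelRestrictions {
   std::size_t minimum_key_strength;
   std::set<std::string> trusted_hashes;
   bool ignore_trusted_root_time_range;
   bool require_self_signed_trust_anchors;
};

// Same rule as the documented constructor: SHA-2 is always trusted and SHA-1
// is added only when the required strength is 80 bits or less.
ModelRestrictions make_restrictions(std::size_t key_strength, bool ignore_root_time = false,
                                    bool require_self_signed = true) {
   ModelRestrictions r{key_strength, {"SHA-256", "SHA-384", "SHA-512"},
                       ignore_root_time, require_self_signed};
   if(key_strength <= 80) r.trusted_hashes.insert("SHA-1");
   return r;
}

struct ModelCert {
   std::string subject;
   std::string issuer;
   std::string sig_hash;             // hash under the signature on this cert
   std::size_t signer_key_strength;  // estimated strength (bits) of the signing key
   Clock::time_point not_before;
   Clock::time_point not_after;
};

enum class PolicyCode {
   TRUSTED_ROOT_NOT_SELF_SIGNED, UNTRUSTED_HASH, SIGNATURE_TOO_WEAK,
   CERT_HAS_EXPIRED, CERT_NOT_YET_VALID,
   TRUSTED_CERT_HAS_EXPIRED, TRUSTED_CERT_NOT_YET_VALID  // warnings only
};

struct Verdict {
   bool accepted = true;
   std::vector<PolicyCode> errors;
   std::vector<PolicyCode> warnings;
};

// chain[0] is the end entity, chain.back() the trust anchor. Every link, the
// anchor's self-signature included, gets the hash and key-strength checks (a
// choice of this model); only the anchor's time range can become a warning.
Verdict check_chain(const std::vector<ModelCert>& chain, const ModelRestrictions& r,
                    Clock::time_point now) {
   Verdict v;
   auto fail = [&v](PolicyCode c) { v.accepted = false; v.errors.push_back(c); };
   for(std::size_t i = 0; i < chain.size(); ++i) {
      const ModelCert& c = chain[i];
      const bool is_anchor = (i + 1 == chain.size());
      if(is_anchor && r.require_self_signed_trust_anchors && c.subject != c.issuer) {
         fail(PolicyCode::TRUSTED_ROOT_NOT_SELF_SIGNED);
      }
      // Time range: for the anchor alone, the flag turns an error into a warning.
      const bool soften = is_anchor && r.ignore_trusted_root_time_range;
      if(now > c.not_after) {
         if(soften) v.warnings.push_back(PolicyCode::TRUSTED_CERT_HAS_EXPIRED);
         else fail(PolicyCode::CERT_HAS_EXPIRED);
      } else if(now < c.not_before) {
         if(soften) v.warnings.push_back(PolicyCode::TRUSTED_CERT_NOT_YET_VALID);
         else fail(PolicyCode::CERT_NOT_YET_VALID);
      }
      if(r.trusted_hashes.count(c.sig_hash) == 0) fail(PolicyCode::UNTRUSTED_HASH);
      if(c.signer_key_strength < r.minimum_key_strength) fail(PolicyCode::SIGNATURE_TOO_WEAK);
   }
   return v;
}

// Constructed sample dates, expressed as days since the Unix epoch.
Clock::time_point day(long d) { return Clock::time_point(std::chrono::hours(24 * d)); }

// Leaf signed with SHA-256 by a 2048-bit RSA intermediate (strength ~112); the
// intermediate signed with SHA-1 by a 1024-bit RSA root (strength 80); the root
// self-signed and expired on 2024-06-01 while its subordinates run to 2026/2030.
std::vector<ModelCert> sample_chain() {
   return {
      {"CN=leaf.example", "CN=Example Intermediate", "SHA-256", 112, day(19723), day(20454)},
      {"CN=Example Intermediate", "CN=Example Root", "SHA-1", 80, day(16436), day(21915)},
      {"CN=Example Root", "CN=Example Root", "SHA-256", 80, day(14610), day(19875)},
   };
}

// The same chain anchored on the (not self-signed) intermediate instead.
std::vector<ModelCert> intermediate_anchored_chain() {
   std::vector<ModelCert> chain = sample_chain();
   chain.pop_back();
   return chain;
}

const Clock::time_point NOW = day(20148);  // 2025-03-01
```

With make_restrictions(110) the sample chain fails on the intermediate (UNTRUSTED_HASH for SHA-1, SIGNATURE_TOO_WEAK for the 1024-bit signer) and on the root (CERT_HAS_EXPIRED, SIGNATURE_TOO_WEAK); with make_restrictions(80, true) it passes with the single warning TRUSTED_CERT_HAS_EXPIRED. Anchoring on the intermediate is accepted only once require_self_signed is false, which is the trade-off the require_self_signed_trust_anchors() note above describes.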

◆ trusted_hashes()

const std::set< std::string > & Botan::Path_Validation_Restrictions::trusted_hashes ( ) const
inline
Returns
trusted signature hash functions

Definition at line 119 of file x509path.h.

{ return m_trusted_hashes; }

Referenced by Botan::PKIX::check_chain(), and Path_Validation_Restrictions().

◆ trusted_ocsp_responders()

const Certificate_Store * Botan::Path_Validation_Restrictions::trusted_ocsp_responders ( ) const
inline

Certificates in this store are trusted to sign OCSP responses in addition to the CAs' own responder certificates.

Returns
certificate store containing trusted OCSP responder certs

Definition at line 137 of file x509path.h.

{ return m_trusted_ocsp_responders.get(); }

Referenced by Path_Validation_Restrictions(), and Path_Validation_Restrictions().


The documentation for this class was generated from the following files: