Botan 3.4.0
Crypto and TLS for C&
Public Member Functions | List of all members
Botan::Path_Validation_Restrictions Class Referencefinal

#include <x509path.h>

Public Member Functions

bool ignore_trusted_root_time_range () const
 
std::chrono::seconds max_ocsp_age () const
 
size_t minimum_key_strength () const
 
bool ocsp_all_intermediates () const
 
 Path_Validation_Restrictions (bool require_rev, size_t minimum_key_strength, bool ocsp_all_intermediates, const std::set< std::string > &trusted_hashes, std::chrono::seconds max_ocsp_age=std::chrono::seconds::zero(), std::unique_ptr< Certificate_Store > trusted_ocsp_responders=std::make_unique< Certificate_Store_In_Memory >(), bool ignore_trusted_root_time_range=false)
 
 Path_Validation_Restrictions (bool require_rev=false, size_t minimum_key_strength=110, bool ocsp_all_intermediates=false, std::chrono::seconds max_ocsp_age=std::chrono::seconds::zero(), std::unique_ptr< Certificate_Store > trusted_ocsp_responders=std::make_unique< Certificate_Store_In_Memory >(), bool ignore_trusted_root_time_range=false)
 
bool require_revocation_information () const
 
const std::set< std::string > & trusted_hashes () const
 
const Certificate_Storetrusted_ocsp_responders () const
 

Detailed Description

Specifies restrictions on the PKIX path validation

Definition at line 34 of file x509path.h.

Constructor & Destructor Documentation

◆ Path_Validation_Restrictions() [1/2]

Botan::Path_Validation_Restrictions::Path_Validation_Restrictions ( bool require_rev = false,
size_t minimum_key_strength = 110,
bool ocsp_all_intermediates = false,
std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero(),
std::unique_ptr< Certificate_Store > trusted_ocsp_responders = std::make_unique<Certificate_Store_In_Memory>(),
bool ignore_trusted_root_time_range = false )
Parameters
require_revif true, revocation information is required
minimum_key_strengthis the minimum strength (in terms of operations, eg 80 means 2^80) of a signature. Signatures weaker than this are rejected. If more than 80, SHA-1 signatures are also rejected. If possible use at least setting 110.
80 bit strength requires 1024 bit RSA
110 bit strength requires 2k bit RSA
128 bit strength requires ~3k bit RSA or P-256
ocsp_all_intermediatesMake OCSP requests for all CAs as well as end entity (if OCSP enabled in path validation request)
max_ocsp_agemaximum age of OCSP responses w/o next_update. If zero, there is no maximum age
trusted_ocsp_responderscertificate store containing certificates of trusted OCSP responders (additionally to the CA's responders)
ignore_trusted_root_time_rangeif true, validity checks on the time range of the trusted root certificate only produce warnings

Definition at line 955 of file x509path.cpp.

960 :
961 m_require_revocation_information(require_rev),
962 m_ocsp_all_intermediates(ocsp_intermediates),
963 m_minimum_key_strength(key_strength),
964 m_max_ocsp_age(max_ocsp_age),
965 m_trusted_ocsp_responders(std::move(trusted_ocsp_responders)),
966 m_ignore_trusted_root_time_range(ignore_trusted_root_time_range) {
967 if(key_strength <= 80) {
968 m_trusted_hashes.insert("SHA-1");
969 }
970
971 m_trusted_hashes.insert("SHA-224");
972 m_trusted_hashes.insert("SHA-256");
973 m_trusted_hashes.insert("SHA-384");
974 m_trusted_hashes.insert("SHA-512");
975 m_trusted_hashes.insert("SHAKE-256(512)"); // Dilithium/ML-DSA
976 m_trusted_hashes.insert("SHAKE-256(912)"); // Ed448
977}
std::chrono::seconds max_ocsp_age() const
Definition x509path.h:122
bool ignore_trusted_root_time_range() const
Definition x509path.h:142
const Certificate_Store * trusted_ocsp_responders() const
Definition x509path.h:129

◆ Path_Validation_Restrictions() [2/2]

Botan::Path_Validation_Restrictions::Path_Validation_Restrictions ( bool require_rev,
size_t minimum_key_strength,
bool ocsp_all_intermediates,
const std::set< std::string > & trusted_hashes,
std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero(),
std::unique_ptr< Certificate_Store > trusted_ocsp_responders = std::make_unique<Certificate_Store_In_Memory>(),
bool ignore_trusted_root_time_range = false )
inline
Parameters
require_revif true, revocation information is required
minimum_key_strengthis the minimum strength (in terms of operations, eg 80 means 2^80) of a signature. Signatures weaker than this are rejected.
ocsp_all_intermediatesMake OCSP requests for all CAs as well as end entity (if OCSP enabled in path validation request)
trusted_hashesa set of trusted hashes. Any signatures created using a hash other than one of these will be rejected.
max_ocsp_agemaximum age of OCSP responses w/o next_update. If zero, there is no maximum age
trusted_ocsp_responderscertificate store containing certificates of trusted OCSP responders (additionally to the CA's responders)
ignore_trusted_root_time_rangeif true, validity checks on the time range of the trusted root certificate only produce warnings

Definition at line 81 of file x509path.h.

88 :
89 m_require_revocation_information(require_rev),
90 m_ocsp_all_intermediates(ocsp_all_intermediates),
91 m_trusted_hashes(trusted_hashes),
92 m_minimum_key_strength(minimum_key_strength),
93 m_max_ocsp_age(max_ocsp_age),
94 m_trusted_ocsp_responders(std::move(trusted_ocsp_responders)),
95 m_ignore_trusted_root_time_range(ignore_trusted_root_time_range) {}
const std::set< std::string > & trusted_hashes() const
Definition x509path.h:111

Member Function Documentation

◆ ignore_trusted_root_time_range()

bool Botan::Path_Validation_Restrictions::ignore_trusted_root_time_range ( ) const
inline

RFC 5280 does not disallow trusted anchors signing certificates with wider validity ranges than theirs. When checking a certificate chain at a specific point in time, this can lead to situations where a root certificate is expired, but the lower-chain certificates are not.

If this flag is set to true, such chains are considered valid (with warning TRUSTED_CERT_HAS_EXPIRED). Otherwise, the chain is rejected with the error code CERT_HAS_EXPIRED. The same holds for not yet valid certificates with the error code CERT_NOT_YET_VALID (or warning TRUSTED_CERT_NOT_YET_VALID).

Definition at line 142 of file x509path.h.

142{ return m_ignore_trusted_root_time_range; }

Referenced by Botan::PKIX::check_chain().

◆ max_ocsp_age()

std::chrono::seconds Botan::Path_Validation_Restrictions::max_ocsp_age ( ) const
inline
Returns
maximum age of OCSP responses w/o next_update. If zero, there is no maximum age

Definition at line 122 of file x509path.h.

122{ return m_max_ocsp_age; }

Referenced by Botan::PKIX::check_ocsp().

◆ minimum_key_strength()

size_t Botan::Path_Validation_Restrictions::minimum_key_strength ( ) const
inline
Returns
minimum required key strength

Definition at line 116 of file x509path.h.

116{ return m_minimum_key_strength; }

Referenced by Botan::PKIX::check_chain().

◆ ocsp_all_intermediates()

bool Botan::Path_Validation_Restrictions::ocsp_all_intermediates ( ) const
inline
Returns
whether all intermediate CAs should also be OCSPed. If false then only end entity OCSP is required/requested.

Definition at line 106 of file x509path.h.

106{ return m_ocsp_all_intermediates; }

Referenced by Botan::PKIX::merge_revocation_status().

◆ require_revocation_information()

bool Botan::Path_Validation_Restrictions::require_revocation_information ( ) const
inline
Returns
whether revocation information is required

Definition at line 100 of file x509path.h.

100{ return m_require_revocation_information; }

Referenced by Botan::PKIX::merge_revocation_status().

◆ trusted_hashes()

const std::set< std::string > & Botan::Path_Validation_Restrictions::trusted_hashes ( ) const
inline
Returns
trusted signature hash functions

Definition at line 111 of file x509path.h.

111{ return m_trusted_hashes; }

Referenced by Botan::PKIX::check_chain().

◆ trusted_ocsp_responders()

const Certificate_Store * Botan::Path_Validation_Restrictions::trusted_ocsp_responders ( ) const
inline

Certificates in this store are trusted to sign OCSP responses additionally to the CA's responder certificates.

Returns
certificate store containing trusted OCSP responder certs

Definition at line 129 of file x509path.h.

129{ return m_trusted_ocsp_responders.get(); }

Referenced by Botan::PKIX::check_ocsp().


The documentation for this class was generated from the following files: