Botan 3.5.0
Crypto and TLS for C++
Botan::Path_Validation_Restrictions Class Reference (final)

#include <x509path.h>

Public Member Functions

bool ignore_trusted_root_time_range () const
 
std::chrono::seconds max_ocsp_age () const
 
size_t minimum_key_strength () const
 
bool ocsp_all_intermediates () const
 
 Path_Validation_Restrictions (bool require_rev, size_t minimum_key_strength, bool ocsp_all_intermediates, const std::set< std::string > &trusted_hashes, std::chrono::seconds max_ocsp_age=std::chrono::seconds::zero(), std::unique_ptr< Certificate_Store > trusted_ocsp_responders=std::make_unique< Certificate_Store_In_Memory >(), bool ignore_trusted_root_time_range=false)
 
 Path_Validation_Restrictions (bool require_rev=false, size_t minimum_key_strength=110, bool ocsp_all_intermediates=false, std::chrono::seconds max_ocsp_age=std::chrono::seconds::zero(), std::unique_ptr< Certificate_Store > trusted_ocsp_responders=std::make_unique< Certificate_Store_In_Memory >(), bool ignore_trusted_root_time_range=false)
 
bool require_revocation_information () const
 
const std::set< std::string > & trusted_hashes () const
 
const Certificate_Store * trusted_ocsp_responders () const
 

Detailed Description

Specifies restrictions on the PKIX path validation

Definition at line 34 of file x509path.h.

Constructor & Destructor Documentation

◆ Path_Validation_Restrictions() [1/2]

Botan::Path_Validation_Restrictions::Path_Validation_Restrictions ( bool require_rev = false,
size_t minimum_key_strength = 110,
bool ocsp_all_intermediates = false,
std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero(),
std::unique_ptr< Certificate_Store > trusted_ocsp_responders = std::make_unique<Certificate_Store_In_Memory>(),
bool ignore_trusted_root_time_range = false )
Parameters
require_rev: if true, revocation information is required
minimum_key_strength: the minimum strength (in terms of operations, e.g. 80 means 2^80) of a signature. Signatures weaker than this are rejected. If more than 80, SHA-1 signatures are also rejected. If possible, use a setting of at least 110.
    80 bit strength requires 1024 bit RSA
    110 bit strength requires 2k bit RSA
    128 bit strength requires ~3k bit RSA or P-256
ocsp_all_intermediates: make OCSP requests for all CAs as well as the end entity (if OCSP is enabled in the path validation request)
max_ocsp_age: maximum age of OCSP responses without next_update. If zero, there is no maximum age
trusted_ocsp_responders: certificate store containing certificates of trusted OCSP responders (in addition to the CA's responders)
ignore_trusted_root_time_range: if true, validity checks on the time range of the trusted root certificate only produce warnings

Definition at line 987 of file x509path.cpp.

// Signature as declared above; the .cpp definition carries no default arguments
Path_Validation_Restrictions::Path_Validation_Restrictions(bool require_rev,
                                                           size_t key_strength,
                                                           bool ocsp_intermediates,
                                                           std::chrono::seconds max_ocsp_age,
                                                           std::unique_ptr<Certificate_Store> trusted_ocsp_responders,
                                                           bool ignore_trusted_root_time_range) :
      m_require_revocation_information(require_rev),
      m_ocsp_all_intermediates(ocsp_intermediates),
      m_minimum_key_strength(key_strength),
      m_max_ocsp_age(max_ocsp_age),
      m_trusted_ocsp_responders(std::move(trusted_ocsp_responders)),
      m_ignore_trusted_root_time_range(ignore_trusted_root_time_range) {
   // SHA-1 is only admitted when the caller accepts 80-bit (or weaker) security
   if(key_strength <= 80) {
      m_trusted_hashes.insert("SHA-1");
   }

   m_trusted_hashes.insert("SHA-224");
   m_trusted_hashes.insert("SHA-256");
   m_trusted_hashes.insert("SHA-384");
   m_trusted_hashes.insert("SHA-512");
   m_trusted_hashes.insert("SHAKE-256(512)");  // Dilithium/ML-DSA
   m_trusted_hashes.insert("SHAKE-256(912)");  // Ed448
}

◆ Path_Validation_Restrictions() [2/2]

Botan::Path_Validation_Restrictions::Path_Validation_Restrictions ( bool require_rev,
size_t minimum_key_strength,
bool ocsp_all_intermediates,
const std::set< std::string > & trusted_hashes,
std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero(),
std::unique_ptr< Certificate_Store > trusted_ocsp_responders = std::make_unique<Certificate_Store_In_Memory>(),
bool ignore_trusted_root_time_range = false )
inline
Parameters
require_rev: if true, revocation information is required
minimum_key_strength: the minimum strength (in terms of operations, e.g. 80 means 2^80) of a signature. Signatures weaker than this are rejected.
ocsp_all_intermediates: make OCSP requests for all CAs as well as the end entity (if OCSP is enabled in the path validation request)
trusted_hashes: a set of trusted hashes. Any signature created using a hash other than one of these will be rejected.
max_ocsp_age: maximum age of OCSP responses without next_update. If zero, there is no maximum age
trusted_ocsp_responders: certificate store containing certificates of trusted OCSP responders (in addition to the CA's responders)
ignore_trusted_root_time_range: if true, validity checks on the time range of the trusted root certificate only produce warnings

Definition at line 81 of file x509path.h.

// In-class definition; signature as declared above, so the defaults appear here
Path_Validation_Restrictions(bool require_rev,
                             size_t minimum_key_strength,
                             bool ocsp_all_intermediates,
                             const std::set<std::string>& trusted_hashes,
                             std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero(),
                             std::unique_ptr<Certificate_Store> trusted_ocsp_responders =
                                std::make_unique<Certificate_Store_In_Memory>(),
                             bool ignore_trusted_root_time_range = false) :
      m_require_revocation_information(require_rev),
      m_ocsp_all_intermediates(ocsp_all_intermediates),
      m_trusted_hashes(trusted_hashes),  // caller-supplied set used as-is; no SHA-1 rule applied here
      m_minimum_key_strength(minimum_key_strength),
      m_max_ocsp_age(max_ocsp_age),
      m_trusted_ocsp_responders(std::move(trusted_ocsp_responders)),
      m_ignore_trusted_root_time_range(ignore_trusted_root_time_range) {}

Member Function Documentation

◆ ignore_trusted_root_time_range()

bool Botan::Path_Validation_Restrictions::ignore_trusted_root_time_range ( ) const
inline

RFC 5280 does not disallow trusted anchors signing certificates with wider validity ranges than theirs. When checking a certificate chain at a specific point in time, this can lead to situations where a root certificate is expired, but the lower-chain certificates are not.

If this flag is set to true, such chains are considered valid (with warning TRUSTED_CERT_HAS_EXPIRED). Otherwise, the chain is rejected with the error code CERT_HAS_EXPIRED. The same holds for not yet valid certificates with the error code CERT_NOT_YET_VALID (or warning TRUSTED_CERT_NOT_YET_VALID).

Definition at line 142 of file x509path.h.

{ return m_ignore_trusted_root_time_range; }

Referenced by Botan::PKIX::check_chain().
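The following is an added, stand-alone model (not Botan's code) of how the restrictions set up by constructor [1/2] above and the ignore_trusted_root_time_range flag documented here are applied to a chain: a trusted root outside its validity window yields TRUSTED_CERT_HAS_EXPIRED / TRUSTED_CERT_NOT_YET_VALID as a warning when the flag is set, and CERT_HAS_EXPIRED / CERT_NOT_YET_VALID as an error otherwise, while signatures below minimum_key_strength or using a hash outside trusted_hashes are rejected. The names Restrictions, CertInfo, make_restrictions and evaluate_chain are hypothetical, the status labels are borrowed from Botan's Certificate_Status_Code, and the chain data is constructed; the real logic lives in Botan::PKIX::check_chain.

```cpp
#include <cstddef>
#include <set>
#include <string>
#include <vector>

// Status labels reuse Botan's Certificate_Status_Code names; the enum itself belongs to this model.
enum class Status { OK, CERT_HAS_EXPIRED, CERT_NOT_YET_VALID, TRUSTED_CERT_HAS_EXPIRED,
                    TRUSTED_CERT_NOT_YET_VALID, SIGNATURE_METHOD_TOO_WEAK, UNTRUSTED_HASH };

struct Restrictions {   // the three Path_Validation_Restrictions fields this model uses
   size_t minimum_key_strength;
   std::set<std::string> trusted_hashes;
   bool ignore_trusted_root_time_range;
};

// Same rule as constructor [1/2] above: SHA-1 enters the trusted set only at strength <= 80.
Restrictions make_restrictions(size_t key_strength, bool ignore_root_time) {
   Restrictions r{key_strength, {}, ignore_root_time};
   if(key_strength <= 80) { r.trusted_hashes.insert("SHA-1"); }
   for(const char* h : {"SHA-224", "SHA-256", "SHA-384", "SHA-512", "SHAKE-256(512)", "SHAKE-256(912)"}) {
      r.trusted_hashes.insert(h);
   }
   return r;
}

struct CertInfo {            // constructed stand-in for what check_chain reads off each certificate
   std::string sig_hash;     // hash algorithm used in the certificate's signature
   size_t sig_strength;      // estimated signature strength in bits (80 ~ RSA-1024, 110 ~ RSA-2048)
   long not_before, not_after;  // validity window, in constructed day counts
   bool trusted_root;        // true for the trust anchor at the end of the chain
};

// Walks the chain leaf-to-root, returns the first error (or OK) and collects warnings on the way.
Status evaluate_chain(const std::vector<CertInfo>& chain, const Restrictions& r, long now,
                      std::vector<Status>& warnings) {
   for(const CertInfo& c : chain) {
      // An out-of-range trusted root is downgraded to a warning only when the flag is set.
      const bool soften = c.trusted_root && r.ignore_trusted_root_time_range;
      if(now > c.not_after) {
         if(!soften) { return Status::CERT_HAS_EXPIRED; }
         warnings.push_back(Status::TRUSTED_CERT_HAS_EXPIRED);
      } else if(now < c.not_before) {
         if(!soften) { return Status::CERT_NOT_YET_VALID; }
         warnings.push_back(Status::TRUSTED_CERT_NOT_YET_VALID);
      }
      // Signature policy (simplified: applied to every certificate in the chain, root included).
      if(c.sig_strength < r.minimum_key_strength) { return Status::SIGNATURE_METHOD_TOO_WEAK; }
      if(r.trusted_hashes.count(c.sig_hash) == 0) { return Status::UNTRUSTED_HASH; }
   }
   return Status::OK;
}
```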

◆ max_ocsp_age()

std::chrono::seconds Botan::Path_Validation_Restrictions::max_ocsp_age ( ) const
inline
Returns
maximum age of OCSP responses without next_update. If zero, there is no maximum age

Definition at line 122 of file x509path.h.

{ return m_max_ocsp_age; }

Referenced by Botan::PKIX::check_ocsp().

◆ minimum_key_strength()

size_t Botan::Path_Validation_Restrictions::minimum_key_strength ( ) const
inline
Returns
minimum required key strength

Definition at line 116 of file x509path.h.

{ return m_minimum_key_strength; }

Referenced by Botan::PKIX::check_chain().

◆ ocsp_all_intermediates()

bool Botan::Path_Validation_Restrictions::ocsp_all_intermediates ( ) const
inline
Returns
whether all intermediate CAs should also be checked via OCSP. If false, then only end entity OCSP is required/requested.

Definition at line 106 of file x509path.h.

{ return m_ocsp_all_intermediates; }

Referenced by Botan::PKIX::merge_revocation_status().

◆ require_revocation_information()

bool Botan::Path_Validation_Restrictions::require_revocation_information ( ) const
inline
Returns
whether revocation information is required

Definition at line 100 of file x509path.h.

{ return m_require_revocation_information; }

Referenced by Botan::PKIX::merge_revocation_status().

◆ trusted_hashes()

const std::set< std::string > & Botan::Path_Validation_Restrictions::trusted_hashes ( ) const
inline
Returns
trusted signature hash functions

Definition at line 111 of file x509path.h.

{ return m_trusted_hashes; }

Referenced by Botan::PKIX::check_chain().

◆ trusted_ocsp_responders()

const Certificate_Store * Botan::Path_Validation_Restrictions::trusted_ocsp_responders ( ) const
inline

Certificates in this store are trusted to sign OCSP responses, in addition to the CA's responder certificates.

Returns
certificate store containing trusted OCSP responder certs

Definition at line 129 of file x509path.h.

{ return m_trusted_ocsp_responders.get(); }

Referenced by Botan::PKIX::check_ocsp().
