Functions
Certificate_Status_Code	build_all_certificate_paths (std::vector< std::vector< std::shared_ptr< const X509_Certificate >>> &cert_paths, const std::vector< Certificate_Store *> &trusted_certstores, const std::shared_ptr< const X509_Certificate > &end_entity, const std::vector< std::shared_ptr< const X509_Certificate >> &end_entity_extra)

Certificate_Status_Code	build_certificate_path (std::vector< std::shared_ptr< const X509_Certificate >> &cert_path_out, const std::vector< Certificate_Store *> &trusted_certstores, const std::shared_ptr< const X509_Certificate > &end_entity, const std::vector< std::shared_ptr< const X509_Certificate >> &end_entity_extra)

CertificatePathStatusCodes	check_chain (const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::chrono::system_clock::time_point ref_time, const std::string &hostname, Usage_Type usage, size_t min_signature_algo_strength, const std::set< std::string > &trusted_hashes)

CertificatePathStatusCodes	check_crl (const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, const std::vector< std::shared_ptr< const X509_CRL >> &crls, std::chrono::system_clock::time_point ref_time)

CertificatePathStatusCodes	check_crl (const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, const std::vector< Certificate_Store *> &certstores, std::chrono::system_clock::time_point ref_time)

CertificatePathStatusCodes	check_ocsp (const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_responses, const std::vector< Certificate_Store *> &certstores, std::chrono::system_clock::time_point ref_time, std::chrono::seconds max_ocsp_age=std::chrono::seconds::zero())

void	merge_revocation_status (CertificatePathStatusCodes &chain_status, const CertificatePathStatusCodes &crl_status, const CertificatePathStatusCodes &ocsp_status, bool require_rev_on_end_entity, bool require_rev_on_intermediates)

Certificate_Status_Code	overall_status (const CertificatePathStatusCodes &cert_status)

Detailed Description

namespace PKIX holds the building blocks that are called by x509_path_validate. This allows custom validation logic to be written by applications and makes for easier testing, but unless you're positive you know what you're doing you probably want to just call x509_path_validate instead.

Function Documentation

◆ build_all_certificate_paths()

Certificate_Status_Code Botan::PKIX::build_all_certificate_paths	(	std::vector< std::vector< std::shared_ptr< const X509_Certificate >>> &	cert_paths_out,
		const std::vector< Certificate_Store *> &	trusted_certstores,
		const std::shared_ptr< const X509_Certificate > &	end_entity,
		const std::vector< std::shared_ptr< const X509_Certificate >> &	end_entity_extra
	)

Build all possible certificate paths from the end certificate to self-signed trusted roots.

All potentially valid paths are put into the cert_paths vector. If no potentially valid paths are found, one of the encountered errors is returned arbitrarily.

todo add a path building function that returns detailed information on errors encountered while building the potentially numerous path candidates.

Basically, a DFS is performed starting from the end certificate. A stack (vector) serves to control the DFS. At the beginning of each iteration, a pair is popped from the stack that contains (1) the next certificate to add to the path (2) a bool that indicates if the certificate is part of a trusted certstore. Ideally, we follow the unique issuer of the current certificate until a trusted root is reached. However, the issuer DN + authority key id need not be unique among the certificates used for building the path. In such a case, we consider all the matching issuers by pushing <IssuerCert, trusted?> on the stack for each of them.

Definition at line 629 of file x509path.cpp.

References Botan::Certificate_Store_In_Memory::add_certificate(), Botan::CANNOT_ESTABLISH_TRUST, Botan::CERT_CHAIN_LOOP, Botan::CERT_ISSUER_NOT_FOUND, Botan::Certificate_Store_In_Memory::find_all_certs(), and Botan::OK.

Referenced by Botan::x509_path_validate().

    {
    if(!cert_paths_out.empty())
       {
       throw Invalid_Argument("PKIX::build_all_certificate_paths: cert_paths_out must be empty");
       }
 
    if(end_entity->is_self_signed())
       {
       return Certificate_Status_Code::CANNOT_ESTABLISH_TRUST;
       }
 
    /*
     * Pile up error messages
     */
    std::vector<Certificate_Status_Code> stats;
 
    Certificate_Store_In_Memory ee_extras;
    for(size_t i = 0; i != end_entity_extra.size(); ++i)
       {
       ee_extras.add_certificate(end_entity_extra[i]);
       }
 
    /*
    * This is an inelegant but functional way of preventing path loops
    * (where C1 -> C2 -> C3 -> C1). We store a set of all the certificate
    * fingerprints in the path. If there is a duplicate, we error out.
    * TODO: save fingerprints in result struct? Maybe useful for blacklists, etc.
    */
    std::set<std::string> certs_seen;
 
    // new certs are added and removed from the path during the DFS
    // it is copied into cert_paths_out when we encounter a trusted root
    std::vector<std::shared_ptr<const X509_Certificate>> path_so_far;
 
    // todo can we assume that the end certificate is not trusted?
    std::vector<cert_maybe_trusted> stack = { {end_entity, false} };
 
    while(!stack.empty())
       {
       // found a deletion marker that guides the DFS, backtracing
       if(stack.back().first == nullptr)
          {
          stack.pop_back();
          std::string fprint = path_so_far.back()->fingerprint("SHA-256");
          certs_seen.erase(fprint);
          path_so_far.pop_back();
          }
       // process next cert on the path
       else
          {
          std::shared_ptr<const X509_Certificate> last = stack.back().first;
          bool trusted = stack.back().second;
          stack.pop_back();
 
          // certificate already seen?
          const std::string fprint = last->fingerprint("SHA-256");
          if(certs_seen.count(fprint) == 1)
             {
             stats.push_back(Certificate_Status_Code::CERT_CHAIN_LOOP);
             // the current path ended in a loop
             continue;
             }
 
          // the current path ends here
          if(last->is_self_signed())
             {
             // found a trust anchor
             if(trusted)
                {
                cert_paths_out.push_back(path_so_far);
                cert_paths_out.back().push_back(last);
 
                continue;
                }
             // found an untrustworthy root
             else
                {
                stats.push_back(Certificate_Status_Code::CANNOT_ESTABLISH_TRUST);
                continue;
                }
             }
 
          const X509_DN issuer_dn = last->issuer_dn();
          const std::vector<uint8_t> auth_key_id = last->authority_key_id();
 
          // search for trusted issuers
          std::vector<std::shared_ptr<const X509_Certificate>> trusted_issuers;
          for(Certificate_Store* store : trusted_certstores)
             {
             auto new_issuers = store->find_all_certs(issuer_dn, auth_key_id);
             trusted_issuers.insert(trusted_issuers.end(), new_issuers.begin(), new_issuers.end());
             }
 
          // search the supplemental certs
          std::vector<std::shared_ptr<const X509_Certificate>> misc_issuers =
             ee_extras.find_all_certs(issuer_dn, auth_key_id);
 
          // if we could not find any issuers, the current path ends here
          if(trusted_issuers.size() + misc_issuers.size() == 0)
             {
             stats.push_back(Certificate_Status_Code::CERT_ISSUER_NOT_FOUND);
             continue;
             }
 
          // push the latest certificate onto the path_so_far
          path_so_far.push_back(last);
          certs_seen.emplace(fprint);
 
          // push a deletion marker on the stack for backtracing later
          stack.push_back({std::shared_ptr<const X509_Certificate>(nullptr),false});
 
          for(const auto& trusted_cert : trusted_issuers)
             {
             stack.push_back({trusted_cert,true});
             }
 
          for(const auto& misc : misc_issuers)
             {
             stack.push_back({misc,false});
             }
          }
       }
 
    // could not construct any potentially valid path
    if(cert_paths_out.empty())
       {
       if(stats.empty())
          throw Internal_Error("X509 path building failed for unknown reasons");
       else
          // arbitrarily return the first error
          return stats[0];
       }
    else
       {
       return Certificate_Status_Code::OK;
       }
    }

◆ build_certificate_path()

Certificate_Status_Code Botan::PKIX::build_certificate_path	(	std::vector< std::shared_ptr< const X509_Certificate >> &	cert_path_out,
		const std::vector< Certificate_Store *> &	trusted_certstores,
		const std::shared_ptr< const X509_Certificate > &	end_entity,
		const std::vector< std::shared_ptr< const X509_Certificate >> &	end_entity_extra
	)

Build certificate path

Parameters

cert_path_out	output parameter, cert_path will be appended to this vector
trusted_certstores	list of certificate stores that contain trusted certificates
end_entity	the cert to be validated
end_entity_extra	optional list of additional untrusted certs for path building

Returns: result of the path building operation (OK or error)

Definition at line 524 of file x509path.cpp.

References Botan::Certificate_Store_In_Memory::add_certificate(), Botan::X509_Certificate::authority_key_id(), Botan::CANNOT_ESTABLISH_TRUST, Botan::CERT_CHAIN_LOOP, Botan::CERT_ISSUER_NOT_FOUND, Botan::Certificate_Store_In_Memory::find_cert(), Botan::X509_Certificate::issuer_dn(), and Botan::OK.

    {
    if(end_entity->is_self_signed())
       {
       return Certificate_Status_Code::CANNOT_ESTABLISH_TRUST;
       }
 
    /*
    * This is an inelegant but functional way of preventing path loops
    * (where C1 -> C2 -> C3 -> C1). We store a set of all the certificate
    * fingerprints in the path. If there is a duplicate, we error out.
    * TODO: save fingerprints in result struct? Maybe useful for blacklists, etc.
    */
    std::set<std::string> certs_seen;
 
    cert_path.push_back(end_entity);
    certs_seen.insert(end_entity->fingerprint("SHA-256"));
 
    Certificate_Store_In_Memory ee_extras;
    for(size_t i = 0; i != end_entity_extra.size(); ++i)
       ee_extras.add_certificate(end_entity_extra[i]);
 
    // iterate until we reach a root or cannot find the issuer
    for(;;)
       {
       const X509_Certificate& last = *cert_path.back();
       const X509_DN issuer_dn = last.issuer_dn();
       const std::vector<uint8_t> auth_key_id = last.authority_key_id();
 
       std::shared_ptr<const X509_Certificate> issuer;
       bool trusted_issuer = false;
 
       for(Certificate_Store* store : trusted_certstores)
          {
          issuer = store->find_cert(issuer_dn, auth_key_id);
          if(issuer)
             {
             trusted_issuer = true;
             break;
             }
          }
 
       if(!issuer)
          {
          // fall back to searching supplemental certs
          issuer = ee_extras.find_cert(issuer_dn, auth_key_id);
          }
 
       if(!issuer)
          return Certificate_Status_Code::CERT_ISSUER_NOT_FOUND;
 
       const std::string fprint = issuer->fingerprint("SHA-256");
 
       if(certs_seen.count(fprint) > 0) // already seen?
          {
          return Certificate_Status_Code::CERT_CHAIN_LOOP;
          }
 
       certs_seen.insert(fprint);
       cert_path.push_back(issuer);
 
       if(issuer->is_self_signed())
          {
          if(trusted_issuer)
             {
             return Certificate_Status_Code::OK;
             }
          else
             {
             return Certificate_Status_Code::CANNOT_ESTABLISH_TRUST;
             }
          }
       }
    }

◆ check_chain()

CertificatePathStatusCodes Botan::PKIX::check_chain	(	const std::vector< std::shared_ptr< const X509_Certificate >> &	cert_path,
		std::chrono::system_clock::time_point	ref_time,
		const std::string &	hostname,
		Usage_Type	usage,
		size_t	min_signature_algo_strength,
		const std::set< std::string > &	trusted_hashes
	)

Check the certificate chain, but not any revocation data

Parameters

cert_path	path built by build_certificate_path with OK result
ref_time	whatever time you want to perform the validation against (normally current system clock)
hostname	the hostname
usage	end entity usage checks
min_signature_algo_strength	80 or 110 typically Note 80 allows 1024 bit RSA and SHA-1. 110 allows 2048 bit RSA and SHA-2. Using 128 requires ECC (P-256) or ~3000 bit RSA keys.
trusted_hashes	set of trusted hash functions, empty means accept any hash we have an OID for

Returns: vector of results on per certificate in the path, each containing a set of results. If all codes in the set are < Certificate_Status_Code::FIRST_ERROR_STATUS, then the result for that certificate is successful. If all results are

Definition at line 32 of file x509path.cpp.

References Botan::CA_CERT_NOT_FOR_CERT_ISSUER, Botan::CERT_CHAIN_TOO_LONG, Botan::CERT_HAS_EXPIRED, Botan::CERT_NAME_NOMATCH, Botan::CERT_NOT_YET_VALID, Botan::CERT_PUBKEY_INVALID, Botan::CERT_SERIAL_NEGATIVE, Botan::CHAIN_LACKS_TRUST_ROOT, Botan::CHAIN_NAME_MISMATCH, Botan::DN_TOO_LONG, Botan::DUPLICATE_CERT_EXTENSION, Botan::EXT_IN_V1_V2_CERT, Botan::Extensions::extensions(), Botan::Extensions::get_extension_oids(), Botan::INVALID_USAGE, Botan::KEY_CERT_SIGN, Botan::X509_DN::lookup_ub(), Botan::OIDS::oid2str_or_empty(), Botan::SIGNATURE_ALGO_UNKNOWN, Botan::SIGNATURE_METHOD_TOO_WEAK, Botan::UNTRUSTED_HASH, Botan::V2_IDENTIFIERS_IN_V1_CERT, and Botan::VERIFIED.

Referenced by Botan::x509_path_validate().

    {
    if(cert_path.empty())
       throw Invalid_Argument("PKIX::check_chain cert_path empty");
 
    const bool self_signed_ee_cert = (cert_path.size() == 1);
 
    X509_Time validation_time(ref_time);
 
    CertificatePathStatusCodes cert_status(cert_path.size());
 
    if(!hostname.empty() && !cert_path[0]->matches_dns_name(hostname))
       cert_status[0].insert(Certificate_Status_Code::CERT_NAME_NOMATCH);
 
    if(!cert_path[0]->allowed_usage(usage))
       cert_status[0].insert(Certificate_Status_Code::INVALID_USAGE);
 
    if(cert_path[0]->is_CA_cert() == false &&
       cert_path[0]->has_constraints(KEY_CERT_SIGN))
       {
       /*
       "If the keyCertSign bit is asserted, then the cA bit in the
       basic constraints extension (Section 4.2.1.9) MUST also be
       asserted." - RFC 5280
 
       We don't bother doing this check on the rest of the path since they
       must have the cA bit asserted or the validation will fail anyway.
       */
       cert_status[0].insert(Certificate_Status_Code::INVALID_USAGE);
       }
 
    for(size_t i = 0; i != cert_path.size(); ++i)
       {
       std::set<Certificate_Status_Code>& status = cert_status.at(i);
 
       const bool at_self_signed_root = (i == cert_path.size() - 1);
 
       const std::shared_ptr<const X509_Certificate>& subject = cert_path[i];
 
       const std::shared_ptr<const X509_Certificate>& issuer = cert_path[at_self_signed_root ? (i) : (i + 1)];
 
       if(at_self_signed_root && (issuer->is_self_signed() == false))
          {
          status.insert(Certificate_Status_Code::CHAIN_LACKS_TRUST_ROOT);
          }
 
       if(subject->issuer_dn() != issuer->subject_dn())
          {
          status.insert(Certificate_Status_Code::CHAIN_NAME_MISMATCH);
          }
 
       // Check the serial number
       if(subject->is_serial_negative())
          {
          status.insert(Certificate_Status_Code::CERT_SERIAL_NEGATIVE);
          }
 
       // Check the subject's DN components' length
 
       for(const auto& dn_pair : subject->subject_dn().dn_info())
          {
          const size_t dn_ub = X509_DN::lookup_ub(dn_pair.first);
          // dn_pair = <OID,str>
          if(dn_ub > 0 && dn_pair.second.size() > dn_ub)
             {
             status.insert(Certificate_Status_Code::DN_TOO_LONG);
             }
          }
 
       // Check all certs for valid time range
       if(validation_time < subject->not_before())
          status.insert(Certificate_Status_Code::CERT_NOT_YET_VALID);
 
       if(validation_time > subject->not_after())
          status.insert(Certificate_Status_Code::CERT_HAS_EXPIRED);
 
       // Check issuer constraints
       if(!issuer->is_CA_cert() && !self_signed_ee_cert)
          status.insert(Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER);
 
       std::unique_ptr<Public_Key> issuer_key(issuer->subject_public_key());
 
       // Check the signature algorithm is known
       if(OIDS::oid2str_or_empty(subject->signature_algorithm().get_oid()).empty())
          {
          status.insert(Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN);
          }
       else
          {
          // only perform the following checks if the signature algorithm is known
          if(!issuer_key)
             {
             status.insert(Certificate_Status_Code::CERT_PUBKEY_INVALID);
             }
          else
             {
             const Certificate_Status_Code sig_status = subject->verify_signature(*issuer_key);
 
             if(sig_status != Certificate_Status_Code::VERIFIED)
                status.insert(sig_status);
 
             if(issuer_key->estimated_strength() < min_signature_algo_strength)
                status.insert(Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK);
             }
 
          // Ignore untrusted hashes on self-signed roots
          if(trusted_hashes.size() > 0 && !at_self_signed_root)
             {
             if(trusted_hashes.count(subject->hash_used_for_signature()) == 0)
                status.insert(Certificate_Status_Code::UNTRUSTED_HASH);
             }
          }
 
       // Check cert extensions
 
       if(subject->x509_version() == 1)
          {
          if(subject->v2_issuer_key_id().empty() == false ||
             subject->v2_subject_key_id().empty() == false)
             {
             status.insert(Certificate_Status_Code::V2_IDENTIFIERS_IN_V1_CERT);
             }
          }
 
       Extensions extensions = subject->v3_extensions();
       const auto& extensions_vec = extensions.extensions();
       if(subject->x509_version() < 3 && !extensions_vec.empty())
          {
          status.insert(Certificate_Status_Code::EXT_IN_V1_V2_CERT);
          }
       for(auto& extension : extensions_vec)
          {
          extension.first->validate(*subject, *issuer, cert_path, cert_status, i);
          }
       if(extensions.extensions().size() != extensions.get_extension_oids().size())
          {
          status.insert(Certificate_Status_Code::DUPLICATE_CERT_EXTENSION);
          }
       }
 
    // path len check
    size_t max_path_length = cert_path.size();
    for(size_t i = cert_path.size() - 1; i > 0 ; --i)
       {
       std::set<Certificate_Status_Code>& status = cert_status.at(i);
       const std::shared_ptr<const X509_Certificate>& subject = cert_path[i];
 
       /*
       * If the certificate was not self-issued, verify that max_path_length is
       * greater than zero and decrement max_path_length by 1.
       */
       if(subject->subject_dn() != subject->issuer_dn())
          {
          if(max_path_length > 0)
             {
             --max_path_length;
             }
          else
             {
             status.insert(Certificate_Status_Code::CERT_CHAIN_TOO_LONG);
             }
          }
 
       /*
       * If pathLenConstraint is present in the certificate and is less than max_path_length,
       * set max_path_length to the value of pathLenConstraint.
       */
       if(subject->path_limit() != Cert_Extension::NO_CERT_PATH_LIMIT && subject->path_limit() < max_path_length)
          {
          max_path_length = subject->path_limit();
          }
       }
 
    return cert_status;
    }

◆ check_crl() [1/2]

CertificatePathStatusCodes Botan::PKIX::check_crl	(	const std::vector< std::shared_ptr< const X509_Certificate >> &	cert_path,
		const std::vector< std::shared_ptr< const X509_CRL >> &	crls,
		std::chrono::system_clock::time_point	ref_time
	)

Check CRLs for revocation information

Parameters

cert_path	path already validated by check_chain
crls	the list of CRLs to check, it is assumed that crls[i] (if not null) is the associated CRL for the subject in cert_path[i].
ref_time	whatever time you want to perform the validation against (normally current system clock)

Returns: revocation status

Definition at line 265 of file x509path.cpp.

References Botan::CA_CERT_NOT_FOR_CRL_ISSUER, Botan::CERT_IS_REVOKED, Botan::CRL_BAD_SIGNATURE, Botan::CRL_HAS_EXPIRED, Botan::CRL_NOT_YET_VALID, Botan::CRL_SIGN, Botan::NO_MATCHING_CRLDP, Botan::OIDS::oid2str_or_empty(), and Botan::VALID_CRL_CHECKED.

Referenced by check_crl(), and Botan::x509_path_validate().

    {
    if(cert_path.empty())
       throw Invalid_Argument("PKIX::check_crl cert_path empty");
 
    CertificatePathStatusCodes cert_status(cert_path.size());
    const X509_Time validation_time(ref_time);
 
    for(size_t i = 0; i != cert_path.size() - 1; ++i)
       {
       std::set<Certificate_Status_Code>& status = cert_status.at(i);
 
       if(i < crls.size() && crls.at(i))
          {
          std::shared_ptr<const X509_Certificate> subject = cert_path.at(i);
          std::shared_ptr<const X509_Certificate> ca = cert_path.at(i+1);
 
          if(!ca->allowed_usage(CRL_SIGN))
             status.insert(Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER);
 
          if(validation_time < crls[i]->this_update())
             status.insert(Certificate_Status_Code::CRL_NOT_YET_VALID);
 
          if(validation_time > crls[i]->next_update())
             status.insert(Certificate_Status_Code::CRL_HAS_EXPIRED);
 
          if(crls[i]->check_signature(ca->subject_public_key()) == false)
             status.insert(Certificate_Status_Code::CRL_BAD_SIGNATURE);
 
          status.insert(Certificate_Status_Code::VALID_CRL_CHECKED);
 
          if(crls[i]->is_revoked(*subject))
             status.insert(Certificate_Status_Code::CERT_IS_REVOKED);
 
          std::string dp = subject->crl_distribution_point();
          if(!dp.empty())
             {
             if(dp != crls[i]->crl_issuing_distribution_point())
                {
                status.insert(Certificate_Status_Code::NO_MATCHING_CRLDP);
                }
             }
 
          for(const auto& extension : crls[i]->extensions().extensions())
             {
             // XXX this is wrong - the OID might be defined but the extention not full parsed
             // for example see #1652
 
             // is the extension critical and unknown?
             if(extension.second && OIDS::oid2str_or_empty(extension.first->oid_of()) == "")
                {
                /* NIST Certificate Path Valiadation Testing document: "When an implementation does not recognize a critical extension in the
                 * crlExtensions field, it shall assume that identified certificates have been revoked and are no longer valid"
                 */
                status.insert(Certificate_Status_Code::CERT_IS_REVOKED);
                }
             }
 
          }
       }
 
    while(cert_status.size() > 0 && cert_status.back().empty())
       cert_status.pop_back();
 
    return cert_status;
    }

◆ check_crl() [2/2]

CertificatePathStatusCodes Botan::PKIX::check_crl	(	const std::vector< std::shared_ptr< const X509_Certificate >> &	cert_path,
		const std::vector< Certificate_Store *> &	certstores,
		std::chrono::system_clock::time_point	ref_time
	)

Check CRLs for revocation information

Parameters

cert_path	path already validated by check_chain
certstores	a list of certificate stores to query for the CRL
ref_time	whatever time you want to perform the validation against (normally current system clock)

Returns: revocation status

Definition at line 335 of file x509path.cpp.

References BOTAN_ASSERT_NONNULL, and check_crl().

    {
    if(cert_path.empty())
       throw Invalid_Argument("PKIX::check_crl cert_path empty");
 
    if(certstores.empty())
       throw Invalid_Argument("PKIX::check_crl certstores empty");
 
    std::vector<std::shared_ptr<const X509_CRL>> crls(cert_path.size());
 
    for(size_t i = 0; i != cert_path.size(); ++i)
       {
       BOTAN_ASSERT_NONNULL(cert_path[i]);
       for(size_t c = 0; c != certstores.size(); ++c)
          {
          crls[i] = certstores[c]->find_crl_for(*cert_path[i]);
          if(crls[i])
             break;
          }
       }
 
    return PKIX::check_crl(cert_path, crls, ref_time);
    }

◆ check_ocsp()

CertificatePathStatusCodes Botan::PKIX::check_ocsp	(	const std::vector< std::shared_ptr< const X509_Certificate >> &	cert_path,
		const std::vector< std::shared_ptr< const OCSP::Response >> &	ocsp_responses,
		const std::vector< Certificate_Store *> &	certstores,
		std::chrono::system_clock::time_point	ref_time,
		std::chrono::seconds	max_ocsp_age = `std::chrono::seconds::zero()`
	)

Check OCSP responses for revocation information

Parameters

cert_path	path already validated by check_chain
ocsp_responses	the OCSP responses to consider
certstores	trusted roots
ref_time	whatever time you want to perform the validation against (normally current system clock)
max_ocsp_age	maximum age of OCSP responses w/o next_update. If zero, there is no maximum age

Returns: revocation status

Definition at line 214 of file x509path.cpp.

References Botan::OCSP_RESPONSE_INVALID, Botan::OCSP_SIGNATURE_OK, and Botan::OCSP::Successful.

Referenced by Botan::x509_path_validate().

    {
    if(cert_path.empty())
       throw Invalid_Argument("PKIX::check_ocsp cert_path empty");
 
    CertificatePathStatusCodes cert_status(cert_path.size() - 1);
 
    for(size_t i = 0; i != cert_path.size() - 1; ++i)
       {
       std::set<Certificate_Status_Code>& status = cert_status.at(i);
 
       std::shared_ptr<const X509_Certificate> subject = cert_path.at(i);
       std::shared_ptr<const X509_Certificate> ca = cert_path.at(i+1);
 
       if(i < ocsp_responses.size() && (ocsp_responses.at(i) != nullptr)
             && (ocsp_responses.at(i)->status() == OCSP::Response_Status_Code::Successful))
          {
          try
             {
             Certificate_Status_Code ocsp_signature_status = ocsp_responses.at(i)->check_signature(trusted_certstores, cert_path);
 
             if(ocsp_signature_status == Certificate_Status_Code::OCSP_SIGNATURE_OK)
                {
                // Signature ok, so check the claimed status
                Certificate_Status_Code ocsp_status = ocsp_responses.at(i)->status_for(*ca, *subject, ref_time, max_ocsp_age);
                status.insert(ocsp_status);
                }
             else
                {
                // Some signature problem
                status.insert(ocsp_signature_status);
                }
             }
          catch(Exception&)
             {
             status.insert(Certificate_Status_Code::OCSP_RESPONSE_INVALID);
             }
          }
       }
 
    while(cert_status.size() > 0 && cert_status.back().empty())
       cert_status.pop_back();
 
    return cert_status;
    }

◆ merge_revocation_status()

void Botan::PKIX::merge_revocation_status	(	CertificatePathStatusCodes &	chain_status,
		const CertificatePathStatusCodes &	crl_status,
		const CertificatePathStatusCodes &	ocsp_status,
		bool	require_rev_on_end_entity,
		bool	require_rev_on_intermediates
	)

Merge the results from CRL and/or OCSP checks into chain_status

Parameters

chain_status	the certificate status
crl_status	results from check_crl
ocsp_status	results from check_ocsp
require_rev_on_end_entity	require valid CRL or OCSP on end-entity cert
require_rev_on_intermediates	require valid CRL or OCSP on all intermediate certificates

Definition at line 772 of file x509path.cpp.

References Botan::NO_REVOCATION_DATA, Botan::OCSP_NO_REVOCATION_URL, Botan::OCSP_RESPONSE_GOOD, Botan::OCSP_SERVER_NOT_AVAILABLE, and Botan::VALID_CRL_CHECKED.

Referenced by Botan::x509_path_validate().

    {
    if(chain_status.empty())
       throw Invalid_Argument("PKIX::merge_revocation_status chain_status was empty");
 
    for(size_t i = 0; i != chain_status.size() - 1; ++i)
       {
       bool had_crl = false, had_ocsp = false;
 
       if(i < crl.size() && crl[i].size() > 0)
          {
          for(auto&& code : crl[i])
             {
             if(code == Certificate_Status_Code::VALID_CRL_CHECKED)
                {
                had_crl = true;
                }
             chain_status[i].insert(code);
             }
          }
 
       if(i < ocsp.size() && ocsp[i].size() > 0)
          {
          for(auto&& code : ocsp[i])
             {
             if(code == Certificate_Status_Code::OCSP_RESPONSE_GOOD ||
                code == Certificate_Status_Code::OCSP_NO_REVOCATION_URL ||  // softfail
                code == Certificate_Status_Code::OCSP_SERVER_NOT_AVAILABLE) // softfail
                {
                had_ocsp = true;
                }
 
             chain_status[i].insert(code);
             }
          }
 
       if(had_crl == false && had_ocsp == false)
          {
          if((require_rev_on_end_entity && i == 0) ||
             (require_rev_on_intermediates && i > 0))
             {
             chain_status[i].insert(Certificate_Status_Code::NO_REVOCATION_DATA);
             }
          }
       }
    }

◆ overall_status()

Certificate_Status_Code Botan::PKIX::overall_status ( const CertificatePathStatusCodes & cert_status )

Find overall status (OK, error) of a validation

Parameters

cert_status result of merge_revocation_status or check_chain

Definition at line 823 of file x509path.cpp.

References Botan::FIRST_ERROR_STATUS, and Botan::OK.

    {
    if(cert_status.empty())
       throw Invalid_Argument("PKIX::overall_status empty cert status");
 
    Certificate_Status_Code overall_status = Certificate_Status_Code::OK;
 
    // take the "worst" error as overall
    for(const std::set<Certificate_Status_Code>& s : cert_status)
       {
       if(!s.empty())
          {
          auto worst = *s.rbegin();
          // Leave informative OCSP/CRL confirmations on cert-level status only
          if(worst >= Certificate_Status_Code::FIRST_ERROR_STATUS && worst > overall_status)
             {
             overall_status = worst;
             }
          }
       }
    return overall_status;
    }

Functions

Detailed Description

Function Documentation

◆ build_all_certificate_paths()

◆ build_certificate_path()

◆ check_chain()

◆ check_crl() [1/2]

◆ check_crl() [2/2]

◆ check_ocsp()

◆ merge_revocation_status()

◆ overall_status()