Botan 2.19.1
Crypto and TLS for C++11
Functions
Certificate_Status_Code | build_all_certificate_paths (std::vector< std::vector< std::shared_ptr< const X509_Certificate > > > &cert_paths, const std::vector< Certificate_Store * > &trusted_certstores, const std::shared_ptr< const X509_Certificate > &end_entity, const std::vector< std::shared_ptr< const X509_Certificate > > &end_entity_extra) |
Certificate_Status_Code | build_certificate_path (std::vector< std::shared_ptr< const X509_Certificate > > &cert_path_out, const std::vector< Certificate_Store * > &trusted_certstores, const std::shared_ptr< const X509_Certificate > &end_entity, const std::vector< std::shared_ptr< const X509_Certificate > > &end_entity_extra) |
CertificatePathStatusCodes | check_chain (const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, std::chrono::system_clock::time_point ref_time, const std::string &hostname, Usage_Type usage, size_t min_signature_algo_strength, const std::set< std::string > &trusted_hashes) |
CertificatePathStatusCodes | check_crl (const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, const std::vector< Certificate_Store * > &certstores, std::chrono::system_clock::time_point ref_time) |
CertificatePathStatusCodes | check_crl (const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, const std::vector< std::shared_ptr< const X509_CRL > > &crls, std::chrono::system_clock::time_point ref_time) |
CertificatePathStatusCodes | check_ocsp (const std::vector< std::shared_ptr< const X509_Certificate > > &cert_path, const std::vector< std::shared_ptr< const OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &certstores, std::chrono::system_clock::time_point ref_time, std::chrono::seconds max_ocsp_age=std::chrono::seconds::zero()) |
void | merge_revocation_status (CertificatePathStatusCodes &chain_status, const CertificatePathStatusCodes &crl_status, const CertificatePathStatusCodes &ocsp_status, bool require_rev_on_end_entity, bool require_rev_on_intermediates) |
Certificate_Status_Code | overall_status (const CertificatePathStatusCodes &cert_status) |
namespace PKIX holds the building blocks that are called by x509_path_validate. This allows custom validation logic to be written by applications and makes for easier testing, but unless you're positive you know what you're doing you probably want to just call x509_path_validate instead.
Certificate_Status_Code Botan::PKIX::build_all_certificate_paths(
    std::vector< std::vector< std::shared_ptr< const X509_Certificate > > > & cert_paths_out,
    const std::vector< Certificate_Store * > & trusted_certstores,
    const std::shared_ptr< const X509_Certificate > & end_entity,
    const std::vector< std::shared_ptr< const X509_Certificate > > & end_entity_extra
)
Build all possible certificate paths from the end certificate to self-signed trusted roots.
All potentially valid paths are put into the cert_paths vector. If no potentially valid paths are found, one of the encountered errors is returned arbitrarily.
Todo: add a path-building function that returns detailed information on errors encountered while building the potentially numerous path candidates.
Basically, a depth-first search (DFS) is performed starting from the end certificate. A stack (vector) controls the DFS. At the beginning of each iteration, a pair is popped from the stack that contains (1) the next certificate to add to the path and (2) a bool that indicates whether the certificate is part of a trusted certstore. Ideally, we follow the unique issuer of the current certificate until a trusted root is reached. However, the issuer DN + authority key id need not be unique among the certificates used for building the path. In such a case, we consider all the matching issuers by pushing <IssuerCert, trusted?> on the stack for each of them.
Definition at line 629 of file x509path.cpp.
References Botan::Certificate_Store_In_Memory::add_certificate(), Botan::CANNOT_ESTABLISH_TRUST, Botan::CERT_CHAIN_LOOP, Botan::CERT_ISSUER_NOT_FOUND, Botan::Certificate_Store_In_Memory::find_all_certs(), and Botan::OK.
Referenced by Botan::x509_path_validate().
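The stack-driven search described above, modelled as an added example (not Botan's code): `ToyCert`, `build_all_paths` and `demo_path_count` are hypothetical names. As a simplifying assumption, issuers are matched by name only, with no authority key id or signature check.

```cpp
#include <set>
#include <string>
#include <utility>
#include <vector>

struct ToyCert {  // hypothetical stand-in for a certificate, not a Botan type
    std::string id, subject, issuer;  // id plays the role of the fingerprint
};
using Path = std::vector<const ToyCert*>;
using Item = std::pair<const ToyCert*, bool>;  // <cert, trusted?>
// Every path from `leaf` to a self-signed certificate held in `trusted`.
std::vector<Path> build_all_paths(const ToyCert& leaf, const std::vector<ToyCert>& trusted,
                                  const std::vector<ToyCert>& extra) {
    std::vector<Path> paths;
    Path path;                   // certificates on the branch being explored
    std::set<std::string> seen;  // their ids, for loop detection
    std::vector<Item> stack(1, Item(&leaf, false));
    while (!stack.empty()) {
        const Item top = stack.back();
        stack.pop_back();
        if (top.first == nullptr) {  // backtrack marker: leave this branch
            seen.erase(path.back()->id);
            path.pop_back();
            continue;
        }
        const ToyCert& cert = *top.first;
        if (seen.count(cert.id)) continue;  // chain loop: abandon the branch
        if (cert.subject == cert.issuer) {  // self-signed: the branch ends here
            if (top.second) { paths.push_back(path); paths.back().push_back(&cert); }
            continue;                       // an untrusted root completes nothing
        }
        path.push_back(&cert);
        seen.insert(cert.id);
        stack.push_back(Item(nullptr, false));
        // The issuer name need not be unique: push every matching candidate.
        for (const ToyCert& c : trusted)
            if (c.subject == cert.issuer) stack.push_back(Item(&c, true));
        for (const ToyCert& c : extra)
            if (c.subject == cert.issuer) stack.push_back(Item(&c, false));
    }
    return paths;
}

// Constructed sample: "CA" exists twice (cross-signed); only RootA is trusted.
std::size_t demo_path_count() {
    static const std::vector<ToyCert> trusted{{"rootA", "RootA", "RootA"}},
        extra{{"ca-a", "CA", "RootA"}, {"ca-b", "CA", "RootB"}, {"rootB", "RootB", "RootB"}};
    return build_all_paths(ToyCert{"leaf", "example.test", "CA"}, trusted, extra).size();
}
```

In the sample, the branch through `ca-b` ends at a self-signed certificate that is not in the trusted set, so only the `ca-a` branch yields a path.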
Certificate_Status_Code Botan::PKIX::build_certificate_path(
    std::vector< std::shared_ptr< const X509_Certificate > > & cert_path_out,
    const std::vector< Certificate_Store * > & trusted_certstores,
    const std::shared_ptr< const X509_Certificate > & end_entity,
    const std::vector< std::shared_ptr< const X509_Certificate > > & end_entity_extra
)
Build certificate path
cert_path_out | output parameter, cert_path will be appended to this vector |
trusted_certstores | list of certificate stores that contain trusted certificates |
end_entity | the cert to be validated |
end_entity_extra | optional list of additional untrusted certs for path building |
Definition at line 524 of file x509path.cpp.
References Botan::Certificate_Store_In_Memory::add_certificate(), Botan::X509_Certificate::authority_key_id(), Botan::CANNOT_ESTABLISH_TRUST, Botan::CERT_CHAIN_LOOP, Botan::CERT_ISSUER_NOT_FOUND, Botan::Certificate_Store_In_Memory::find_cert(), Botan::X509_Certificate::issuer_dn(), and Botan::OK.
CertificatePathStatusCodes Botan::PKIX::check_chain(
    const std::vector< std::shared_ptr< const X509_Certificate > > & cert_path,
    std::chrono::system_clock::time_point ref_time,
    const std::string & hostname,
    Usage_Type usage,
    size_t min_signature_algo_strength,
    const std::set< std::string > & trusted_hashes
)
Check the certificate chain, but not any revocation data
cert_path | path built by build_certificate_path with OK result |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
hostname | the hostname |
usage | end entity usage checks |
min_signature_algo_strength | 80 or 110 typically. Note: 80 allows 1024-bit RSA and SHA-1; 110 allows 2048-bit RSA and SHA-2. Using 128 requires ECC (P-256) or ~3000-bit RSA keys. |
trusted_hashes | set of trusted hash functions, empty means accept any hash we have an OID for |
Definition at line 32 of file x509path.cpp.
References Botan::CA_CERT_NOT_FOR_CERT_ISSUER, Botan::CERT_CHAIN_TOO_LONG, Botan::CERT_HAS_EXPIRED, Botan::CERT_NAME_NOMATCH, Botan::CERT_NOT_YET_VALID, Botan::CERT_PUBKEY_INVALID, Botan::CERT_SERIAL_NEGATIVE, Botan::CHAIN_LACKS_TRUST_ROOT, Botan::CHAIN_NAME_MISMATCH, Botan::DN_TOO_LONG, Botan::DUPLICATE_CERT_EXTENSION, Botan::EXT_IN_V1_V2_CERT, Botan::Extensions::extensions(), Botan::Extensions::get_extension_oids(), Botan::INVALID_USAGE, Botan::KEY_CERT_SIGN, Botan::X509_DN::lookup_ub(), Botan::OIDS::oid2str_or_empty(), Botan::SIGNATURE_ALGO_UNKNOWN, Botan::SIGNATURE_METHOD_TOO_WEAK, Botan::UNTRUSTED_HASH, Botan::V2_IDENTIFIERS_IN_V1_CERT, and Botan::VERIFIED.
Referenced by Botan::x509_path_validate().
CertificatePathStatusCodes Botan::PKIX::check_crl(
    const std::vector< std::shared_ptr< const X509_Certificate > > & cert_path,
    const std::vector< Certificate_Store * > & certstores,
    std::chrono::system_clock::time_point ref_time
)
Check CRLs for revocation information
cert_path | path already validated by check_chain |
certstores | a list of certificate stores to query for the CRL |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
Definition at line 335 of file x509path.cpp.
References BOTAN_ASSERT_NONNULL, and check_crl().
CertificatePathStatusCodes Botan::PKIX::check_crl(
    const std::vector< std::shared_ptr< const X509_Certificate > > & cert_path,
    const std::vector< std::shared_ptr< const X509_CRL > > & crls,
    std::chrono::system_clock::time_point ref_time
)
Check CRLs for revocation information
cert_path | path already validated by check_chain |
crls | the list of CRLs to check, it is assumed that crls[i] (if not null) is the associated CRL for the subject in cert_path[i]. |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
Definition at line 265 of file x509path.cpp.
References Botan::CA_CERT_NOT_FOR_CRL_ISSUER, Botan::CERT_IS_REVOKED, Botan::CRL_BAD_SIGNATURE, Botan::CRL_HAS_EXPIRED, Botan::CRL_NOT_YET_VALID, Botan::CRL_SIGN, Botan::NO_MATCHING_CRLDP, Botan::OIDS::oid2str_or_empty(), and Botan::VALID_CRL_CHECKED.
Referenced by check_crl(), and Botan::x509_path_validate().
CertificatePathStatusCodes Botan::PKIX::check_ocsp(
    const std::vector< std::shared_ptr< const X509_Certificate > > & cert_path,
    const std::vector< std::shared_ptr< const OCSP::Response > > & ocsp_responses,
    const std::vector< Certificate_Store * > & certstores,
    std::chrono::system_clock::time_point ref_time,
    std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero()
)
Check OCSP responses for revocation information
cert_path | path already validated by check_chain |
ocsp_responses | the OCSP responses to consider |
certstores | trusted roots |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
max_ocsp_age | maximum age of OCSP responses without next_update. If zero, there is no maximum age |
Definition at line 214 of file x509path.cpp.
References Botan::OCSP_RESPONSE_INVALID, Botan::OCSP_SIGNATURE_OK, and Botan::OCSP::Successful.
Referenced by Botan::x509_path_validate().
void Botan::PKIX::merge_revocation_status(
    CertificatePathStatusCodes & chain_status,
    const CertificatePathStatusCodes & crl_status,
    const CertificatePathStatusCodes & ocsp_status,
    bool require_rev_on_end_entity,
    bool require_rev_on_intermediates
)
Merge the results from CRL and/or OCSP checks into chain_status
chain_status | the certificate status |
crl_status | results from check_crl |
ocsp_status | results from check_ocsp |
require_rev_on_end_entity | require valid CRL or OCSP on end-entity cert |
require_rev_on_intermediates | require valid CRL or OCSP on all intermediate certificates |
Definition at line 772 of file x509path.cpp.
References Botan::NO_REVOCATION_DATA, Botan::OCSP_NO_REVOCATION_URL, Botan::OCSP_RESPONSE_GOOD, Botan::OCSP_SERVER_NOT_AVAILABLE, and Botan::VALID_CRL_CHECKED.
Referenced by Botan::x509_path_validate().
Certificate_Status_Code Botan::PKIX::overall_status(const CertificatePathStatusCodes & cert_status)
Find overall status (OK, error) of a validation
cert_status | result of merge_revocation_status or check_chain |
Definition at line 823 of file x509path.cpp.
References Botan::FIRST_ERROR_STATUS, Botan::OK, and overall_status().
Referenced by overall_status().