Botan 3.5.0
Crypto and TLS for C&
|
Functions | |
Certificate_Status_Code | build_all_certificate_paths (std::vector< std::vector< X509_Certificate > > &cert_paths, const std::vector< Certificate_Store * > &trusted_certstores, const std::optional< X509_Certificate > &end_entity, const std::vector< X509_Certificate > &end_entity_extra) |
Certificate_Status_Code | build_certificate_path (std::vector< X509_Certificate > &cert_path_out, const std::vector< Certificate_Store * > &trusted_certstores, const X509_Certificate &end_entity, const std::vector< X509_Certificate > &end_entity_extra) |
CertificatePathStatusCodes | check_chain (const std::vector< X509_Certificate > &cert_path, std::chrono::system_clock::time_point ref_time, std::string_view hostname, Usage_Type usage, const Path_Validation_Restrictions &restrictions) |
CertificatePathStatusCodes | check_crl (const std::vector< X509_Certificate > &cert_path, const std::vector< Certificate_Store * > &certstores, std::chrono::system_clock::time_point ref_time) |
CertificatePathStatusCodes | check_crl (const std::vector< X509_Certificate > &cert_path, const std::vector< std::optional< X509_CRL > > &crls, std::chrono::system_clock::time_point ref_time) |
CertificatePathStatusCodes | check_ocsp (const std::vector< X509_Certificate > &cert_path, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &certstores, std::chrono::system_clock::time_point ref_time, const Path_Validation_Restrictions &restrictions) |
void | merge_revocation_status (CertificatePathStatusCodes &chain_status, const CertificatePathStatusCodes &crl_status, const CertificatePathStatusCodes &ocsp_status, const Path_Validation_Restrictions &restrictions) |
Certificate_Status_Code | overall_status (const CertificatePathStatusCodes &cert_status) |
namespace PKIX holds the building blocks that are called by x509_path_validate. This allows custom validation logic to be written by applications and makes for easier testing, but unless you're positive you know what you're doing you probably want to just call x509_path_validate instead.
Certificate_Status_Code Botan::PKIX::build_all_certificate_paths | ( | std::vector< std::vector< X509_Certificate > > & | cert_paths, |
const std::vector< Certificate_Store * > & | trusted_certstores, | ||
const std::optional< X509_Certificate > & | end_entity, | ||
const std::vector< X509_Certificate > & | end_entity_extra ) |
Referenced by Botan::x509_path_validate().
Certificate_Status_Code Botan::PKIX::build_certificate_path | ( | std::vector< X509_Certificate > & | cert_path_out, |
const std::vector< Certificate_Store * > & | trusted_certstores, | ||
const X509_Certificate & | end_entity, | ||
const std::vector< X509_Certificate > & | end_entity_extra ) |
Build certificate path
cert_path_out | output parameter, cert_path will be appended to this vector |
trusted_certstores | list of certificate stores that contain trusted certificates |
end_entity | the cert to be validated |
end_entity_extra | optional list of additional untrusted certs for path building |
Definition at line 601 of file x509path.cpp.
References Botan::Certificate_Store_In_Memory::add_certificate(), Botan::X509_Certificate::authority_key_id(), Botan::CANNOT_ESTABLISH_TRUST, Botan::CERT_CHAIN_LOOP, Botan::CERT_ISSUER_NOT_FOUND, Botan::Certificate_Store_In_Memory::find_cert(), Botan::X509_Certificate::fingerprint(), Botan::X509_Certificate::is_self_signed(), Botan::X509_Certificate::issuer_dn(), and Botan::OK.
CertificatePathStatusCodes Botan::PKIX::check_chain | ( | const std::vector< X509_Certificate > & | cert_path, |
std::chrono::system_clock::time_point | ref_time, | ||
std::string_view | hostname, | ||
Usage_Type | usage, | ||
const Path_Validation_Restrictions & | restrictions ) |
Check the certificate chain, but not any revocation data
cert_path | path built by build_certificate_path with OK result. The first element is the end entity certificate, the last element is the trusted root certificate. |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
hostname | the hostname |
usage | end entity usage checks |
restrictions | the relevant path validation restrictions object |
Definition at line 36 of file x509path.cpp.
References BOTAN_ASSERT_NOMSG, Botan::CA_CERT_NOT_FOR_CERT_ISSUER, Botan::CERT_CHAIN_TOO_LONG, Botan::CERT_HAS_EXPIRED, Botan::CERT_NAME_NOMATCH, Botan::CERT_NOT_YET_VALID, Botan::CERT_PUBKEY_INVALID, Botan::CERT_SERIAL_NEGATIVE, Botan::CHAIN_LACKS_TRUST_ROOT, Botan::CHAIN_NAME_MISMATCH, Botan::X509_DN::dn_info(), Botan::DN_TOO_LONG, Botan::DUPLICATE_CERT_EXTENSION, Botan::EXT_IN_V1_V2_CERT, Botan::Extensions::extensions(), Botan::Extensions::get_extension_oids(), Botan::Path_Validation_Restrictions::ignore_trusted_root_time_range(), Botan::INVALID_USAGE, Botan::X509_Certificate::is_CA_cert(), Botan::X509_Certificate::is_self_signed(), Botan::X509_Certificate::is_serial_negative(), Botan::X509_Certificate::issuer_dn(), Botan::Key_Constraints::KeyCertSign, Botan::X509_DN::lookup_ub(), Botan::Path_Validation_Restrictions::minimum_key_strength(), Botan::X509_Certificate::not_after(), Botan::X509_Certificate::not_before(), Botan::OCSP_RESPONDER, Botan::OCSP_RESPONSE_MISSING_KEYUSAGE, Botan::AlgorithmIdentifier::oid(), Botan::X509_Certificate::path_limit(), Botan::OID::registered_oid(), Botan::SIGNATURE_ALGO_UNKNOWN, Botan::X509_Object::signature_algorithm(), Botan::SIGNATURE_METHOD_TOO_WEAK, Botan::X509_Certificate::subject_dn(), Botan::X509_Certificate::subject_public_key(), Botan::TRUSTED_CERT_HAS_EXPIRED, Botan::TRUSTED_CERT_NOT_YET_VALID, Botan::Path_Validation_Restrictions::trusted_hashes(), Botan::UNTRUSTED_HASH, Botan::V2_IDENTIFIERS_IN_V1_CERT, Botan::X509_Certificate::v2_issuer_key_id(), Botan::X509_Certificate::v2_subject_key_id(), Botan::X509_Certificate::v3_extensions(), Botan::VERIFIED, Botan::X509_Object::verify_signature(), and Botan::X509_Certificate::x509_version().
Referenced by Botan::x509_path_validate().
CertificatePathStatusCodes Botan::PKIX::check_crl | ( | const std::vector< X509_Certificate > & | cert_path, |
const std::vector< Certificate_Store * > & | certstores, | ||
std::chrono::system_clock::time_point | ref_time ) |
Check CRLs for revocation information
cert_path | path already validated by check_chain |
certstores | a list of certificate stores to query for the CRL |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
Definition at line 433 of file x509path.cpp.
References check_crl().
CertificatePathStatusCodes Botan::PKIX::check_crl | ( | const std::vector< X509_Certificate > & | cert_path, |
const std::vector< std::optional< X509_CRL > > & | crls, | ||
std::chrono::system_clock::time_point | ref_time ) |
Check CRLs for revocation information
cert_path | path already validated by check_chain |
crls | the list of CRLs to check, it is assumed that crls[i] (if not null) is the associated CRL for the subject in cert_path[i]. |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
Definition at line 362 of file x509path.cpp.
References Botan::X509_Certificate::allowed_usage(), Botan::CA_CERT_NOT_FOR_CRL_ISSUER, Botan::CERT_IS_REVOKED, Botan::CRL_BAD_SIGNATURE, Botan::X509_Certificate::crl_distribution_points(), Botan::CRL_HAS_EXPIRED, Botan::CRL_NOT_YET_VALID, Botan::Key_Constraints::CrlSign, Botan::NO_MATCHING_CRLDP, Botan::X509_Certificate::subject_public_key(), and Botan::VALID_CRL_CHECKED.
Referenced by check_crl(), and Botan::x509_path_validate().
CertificatePathStatusCodes Botan::PKIX::check_ocsp | ( | const std::vector< X509_Certificate > & | cert_path, |
const std::vector< std::optional< OCSP::Response > > & | ocsp_responses, | ||
const std::vector< Certificate_Store * > & | certstores, | ||
std::chrono::system_clock::time_point | ref_time, | ||
const Path_Validation_Restrictions & | restrictions ) |
Check OCSP responses for revocation information
cert_path | path already validated by check_chain |
ocsp_responses | the OCSP responses to consider |
certstores | trusted roots |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
restrictions | the relevant path validation restrictions object |
Definition at line 307 of file x509path.cpp.
References Botan::concat(), Botan::FIRST_ERROR_STATUS, Botan::Path_Validation_Restrictions::max_ocsp_age(), Botan::OCSP_ISSUER_NOT_FOUND, Botan::OCSP_ISSUER_NOT_TRUSTED, Botan::OCSP_RESPONSE_INVALID, Botan::OCSP::Successful, and Botan::Path_Validation_Restrictions::trusted_ocsp_responders().
Referenced by Botan::x509_path_validate().
void Botan::PKIX::merge_revocation_status | ( | CertificatePathStatusCodes & | chain_status, |
const CertificatePathStatusCodes & | crl_status, | ||
const CertificatePathStatusCodes & | ocsp_status, | ||
const Path_Validation_Restrictions & | restrictions ) |
Merge the results from CRL and/or OCSP checks into chain_status
chain_status | the certificate status |
crl_status | results from check_crl |
ocsp_status | results from check_ocsp |
restrictions | the relevant path validation restrictions object |
Definition at line 820 of file x509path.cpp.
References Botan::NO_REVOCATION_DATA, Botan::Path_Validation_Restrictions::ocsp_all_intermediates(), Botan::OCSP_NO_REVOCATION_URL, Botan::OCSP_RESPONSE_GOOD, Botan::OCSP_SERVER_NOT_AVAILABLE, Botan::Path_Validation_Restrictions::require_revocation_information(), and Botan::VALID_CRL_CHECKED.
Referenced by Botan::x509_path_validate().
Certificate_Status_Code Botan::PKIX::overall_status | ( | const CertificatePathStatusCodes & | cert_status | ) |
Find overall status (OK, error) of a validation
cert_status | result of merge_revocation_status or check_chain |
Definition at line 862 of file x509path.cpp.
References Botan::FIRST_ERROR_STATUS, Botan::OK, and overall_status().
Referenced by overall_status().