Botan
2.1.0
Crypto and TLS for C++11
|
Functions | |
Certificate_Status_Code BOTAN_DLL | build_certificate_path (std::vector< std::shared_ptr< const X509_Certificate >> &cert_path_out, const std::vector< Certificate_Store * > &trusted_certstores, const std::shared_ptr< const X509_Certificate > &end_entity, const std::vector< std::shared_ptr< const X509_Certificate >> &end_entity_extra) |
CertificatePathStatusCodes BOTAN_DLL | check_chain (const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::chrono::system_clock::time_point ref_time, const std::string &hostname, Usage_Type usage, size_t min_signature_algo_strength, const std::set< std::string > &trusted_hashes) |
CertificatePathStatusCodes BOTAN_DLL | check_crl (const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, const std::vector< std::shared_ptr< const X509_CRL >> &crls, std::chrono::system_clock::time_point ref_time) |
CertificatePathStatusCodes BOTAN_DLL | check_crl (const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, const std::vector< Certificate_Store * > &certstores, std::chrono::system_clock::time_point ref_time) |
CertificatePathStatusCodes BOTAN_DLL | check_ocsp (const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_responses, const std::vector< Certificate_Store * > &certstores, std::chrono::system_clock::time_point ref_time) |
void BOTAN_DLL | merge_revocation_status (CertificatePathStatusCodes &chain_status, const CertificatePathStatusCodes &crl_status, const CertificatePathStatusCodes &ocsp_status, bool require_rev_on_end_entity, bool require_rev_on_intermediates) |
Certificate_Status_Code BOTAN_DLL | overall_status (const CertificatePathStatusCodes &cert_status) |
namespace PKIX holds the building blocks that are called by x509_path_validate. This allows custom validation logic to be written by applications and makes for easier testing, but unless you're positive you know what you're doing you probably want to just call x509_path_validate instead.
Certificate_Status_Code Botan::PKIX::build_certificate_path | ( | std::vector< std::shared_ptr< const X509_Certificate >> & | cert_path_out, |
const std::vector< Certificate_Store * > & | trusted_certstores, | ||
const std::shared_ptr< const X509_Certificate > & | end_entity, | ||
const std::vector< std::shared_ptr< const X509_Certificate >> & | end_entity_extra | ||
) |
Build certificate path
cert_path_out | output parameter, cert_path will be appended to this vector |
trusted_certstores | list of certificate stores that contain trusted certificates |
end_entity | the cert to be validated |
end_entity_extra | optional list of additional untrusted certs for path building |
Definition at line 414 of file x509path.cpp.
References Botan::Certificate_Store_In_Memory::add_certificate(), Botan::X509_Certificate::authority_key_id(), Botan::CANNOT_ESTABLISH_TRUST, Botan::CERT_CHAIN_LOOP, Botan::CERT_ISSUER_NOT_FOUND, Botan::Certificate_Store_In_Memory::find_cert(), Botan::X509_Certificate::issuer_dn(), and Botan::OK.
Referenced by Botan::x509_path_validate().
CertificatePathStatusCodes Botan::PKIX::check_chain | ( | const std::vector< std::shared_ptr< const X509_Certificate >> & | cert_path, |
std::chrono::system_clock::time_point | ref_time, | ||
const std::string & | hostname, | ||
Usage_Type | usage, | ||
size_t | min_signature_algo_strength, | ||
const std::set< std::string > & | trusted_hashes | ||
) |
Check the certificate chain, but not any revocation data
cert_path | path built by build_certificate_path with OK result |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
hostname | the hostname |
usage | end entity usage checks |
min_signature_algo_strength | 80 or 110 typically Note 80 allows 1024 bit RSA and SHA-1. 110 allows 2048 bit RSA and SHA-2. Using 128 requires ECC (P-256) or ~3000 bit RSA keys. |
trusted_hashes | set of trusted hash functions, empty means accept any hash we have an OID for |
Definition at line 29 of file x509path.cpp.
References Botan::CA_CERT_NOT_FOR_CERT_ISSUER, Botan::CERT_CHAIN_TOO_LONG, Botan::CERT_HAS_EXPIRED, Botan::CERT_NAME_NOMATCH, Botan::CERT_NOT_YET_VALID, Botan::CERT_PUBKEY_INVALID, Botan::CHAIN_LACKS_TRUST_ROOT, Botan::CHAIN_NAME_MISMATCH, Botan::Extensions::extensions(), Botan::INVALID_USAGE, Botan::SIGNATURE_ERROR, Botan::SIGNATURE_METHOD_TOO_WEAK, Botan::UNTRUSTED_HASH, and Botan::UTC_OR_GENERALIZED_TIME.
Referenced by Botan::x509_path_validate().
CertificatePathStatusCodes Botan::PKIX::check_crl | ( | const std::vector< std::shared_ptr< const X509_Certificate >> & | cert_path, |
const std::vector< std::shared_ptr< const X509_CRL >> & | crls, | ||
std::chrono::system_clock::time_point | ref_time | ||
) |
Check CRLs for revocation infomration
cert_path | path already validated by check_chain |
crls | the list of CRLs to check, it is assumed that crls[i] (if not null) is the associated CRL for the subject in cert_path[i]. |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
Definition at line 171 of file x509path.cpp.
References Botan::CA_CERT_NOT_FOR_CRL_ISSUER, Botan::CERT_IS_REVOKED, Botan::CRL_BAD_SIGNATURE, Botan::CRL_HAS_EXPIRED, Botan::CRL_NOT_YET_VALID, Botan::CRL_SIGN, and Botan::VALID_CRL_CHECKED.
Referenced by check_crl(), and Botan::x509_path_validate().
CertificatePathStatusCodes Botan::PKIX::check_crl | ( | const std::vector< std::shared_ptr< const X509_Certificate >> & | cert_path, |
const std::vector< Certificate_Store * > & | certstores, | ||
std::chrono::system_clock::time_point | ref_time | ||
) |
Check CRLs for revocation infomration
cert_path | path already validated by check_chain |
certstores | a list of certificate stores to query for the CRL |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
Definition at line 216 of file x509path.cpp.
References BOTAN_ASSERT_NONNULL, and check_crl().
CertificatePathStatusCodes Botan::PKIX::check_ocsp | ( | const std::vector< std::shared_ptr< const X509_Certificate >> & | cert_path, |
const std::vector< std::shared_ptr< const OCSP::Response >> & | ocsp_responses, | ||
const std::vector< Certificate_Store * > & | certstores, | ||
std::chrono::system_clock::time_point | ref_time | ||
) |
Check OCSP responses for revocation information
cert_path | path already validated by check_chain |
ocsp_responses | the OCSP responses to consider |
certstores | trusted roots |
ref_time | whatever time you want to perform the validation against (normally current system clock) |
Definition at line 122 of file x509path.cpp.
References Botan::OCSP_RESPONSE_INVALID, and Botan::OCSP_SIGNATURE_OK.
Referenced by Botan::x509_path_validate().
void Botan::PKIX::merge_revocation_status | ( | CertificatePathStatusCodes & | chain_status, |
const CertificatePathStatusCodes & | crl_status, | ||
const CertificatePathStatusCodes & | ocsp_status, | ||
bool | require_rev_on_end_entity, | ||
bool | require_rev_on_intermediates | ||
) |
Merge the results from CRL and/or OCSP checks into chain_status
chain_status | the certificate status |
crl_status | results from check_crl |
ocsp_status | results from check_ocsp |
require_rev_on_end_entity | require valid CRL or OCSP on end-entity cert |
require_rev_on_intermediates | require valid CRL or OCSP on all intermediate certificates |
Definition at line 490 of file x509path.cpp.
References Botan::NO_REVOCATION_DATA, Botan::OCSP_RESPONSE_GOOD, and Botan::VALID_CRL_CHECKED.
Referenced by Botan::x509_path_validate().
Certificate_Status_Code Botan::PKIX::overall_status | ( | const CertificatePathStatusCodes & | cert_status | ) |
Find overall status (OK, error) of a validation
cert_status | result of merge_revocation_status or check_chain |
Definition at line 539 of file x509path.cpp.
References Botan::FIRST_ERROR_STATUS, and Botan::OK.