Botan  1.11.15
Public Types | Public Member Functions | Static Public Member Functions | Friends
Botan::Path_Validation_Result Class Reference

#include <x509path.h>

List of all members.

Public Types

typedef Certificate_Status_Code Code

Public Member Functions

const std::vector< std::set
< Certificate_Status_Code > > & 
all_statuses () const
const std::vector
< X509_Certificate > & 
cert_path () const
 Path_Validation_Result (std::vector< std::set< Certificate_Status_Code >> status, std::vector< X509_Certificate > &&cert_chain)
 Path_Validation_Result (Certificate_Status_Code status)
Certificate_Status_Code result () const
std::string result_string () const
bool successful_validation () const
const X509_Certificatetrust_root () const
std::set< std::string > trusted_hashes () const

Static Public Member Functions

static const char * status_string (Certificate_Status_Code code)

Friends

Path_Validation_Result BOTAN_DLL x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &certstores)

Detailed Description

Represents the result of a PKIX path validation

Definition at line 75 of file x509path.h.


Member Typedef Documentation

Definition at line 78 of file x509path.h.


Constructor & Destructor Documentation

Botan::Path_Validation_Result::Path_Validation_Result ( std::vector< std::set< Certificate_Status_Code >>  status,
std::vector< X509_Certificate > &&  cert_chain 
)

Definition at line 292 of file x509path.cpp.

References Botan::OCSP_RESPONSE_GOOD.

                                                                                         :
   m_overall(Certificate_Status_Code::VERIFIED),
   m_all_status(status),
   m_cert_path(cert_chain)
   {
   // take the "worst" error as overall
   for(const auto& s : m_all_status)
      {
      if(!s.empty())
         {
         auto worst = *s.rbegin();
         // Leave OCSP confirmations on cert-level status only
         if(worst != Certificate_Status_Code::OCSP_RESPONSE_GOOD)
            m_overall = worst;
         }
      }
   }

Definition at line 122 of file x509path.h.

: m_overall(status) {}

Member Function Documentation

const std::vector<std::set<Certificate_Status_Code> >& Botan::Path_Validation_Result::all_statuses ( ) const [inline]

Return a set of status codes for each certificate in the chain

Definition at line 109 of file x509path.h.

         { return m_all_status; }
const std::vector<X509_Certificate>& Botan::Path_Validation_Result::cert_path ( ) const [inline]
Returns:
the full path from subject to trust root

Definition at line 94 of file x509path.h.

{ return m_cert_path; }
Returns:
overall validation result code

Definition at line 104 of file x509path.h.

Referenced by result_string(), and successful_validation().

{ return m_overall; }
Returns:
string representation of the validation result

Definition at line 332 of file x509path.cpp.

References result(), and status_string().

   {
   return status_string(result());
   }

Definition at line 337 of file x509path.cpp.

References Botan::CA_CERT_NOT_FOR_CERT_ISSUER, Botan::CA_CERT_NOT_FOR_CRL_ISSUER, Botan::CANNOT_ESTABLISH_TRUST, Botan::CERT_CHAIN_TOO_LONG, Botan::CERT_HAS_EXPIRED, Botan::CERT_IS_REVOKED, Botan::CERT_ISSUER_NOT_FOUND, Botan::CERT_NOT_YET_VALID, Botan::CRL_BAD_SIGNATURE, Botan::CRL_HAS_EXPIRED, Botan::CRL_NOT_YET_VALID, Botan::INVALID_USAGE, Botan::NO_REVOCATION_DATA, Botan::OCSP_BAD_STATUS, Botan::OCSP_CERT_NOT_LISTED, Botan::OCSP_HAS_EXPIRED, Botan::OCSP_NOT_YET_VALID, Botan::OCSP_RESPONSE_GOOD, Botan::POLICY_ERROR, Botan::SIGNATURE_ERROR, Botan::SIGNATURE_METHOD_TOO_WEAK, Botan::UNTRUSTED_HASH, and Botan::VERIFIED.

Referenced by result_string().

   {
   switch(code)
      {
      case Certificate_Status_Code::VERIFIED:
         return "Verified";
      case Certificate_Status_Code::OCSP_RESPONSE_GOOD:
         return "OCSP response good";
      case Certificate_Status_Code::NO_REVOCATION_DATA:
         return "No revocation data";
      case Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK:
         return "Signature method too weak";
      case Certificate_Status_Code::UNTRUSTED_HASH:
         return "Untrusted hash";

      case Certificate_Status_Code::CERT_NOT_YET_VALID:
         return "Certificate is not yet valid";
      case Certificate_Status_Code::CERT_HAS_EXPIRED:
         return "Certificate has expired";
      case Certificate_Status_Code::OCSP_NOT_YET_VALID:
         return "OCSP is not yet valid";
      case Certificate_Status_Code::OCSP_HAS_EXPIRED:
         return "OCSP has expired";
      case Certificate_Status_Code::CRL_NOT_YET_VALID:
         return "CRL is not yet valid";
      case Certificate_Status_Code::CRL_HAS_EXPIRED:
         return "CRL has expired";

      case Certificate_Status_Code::CERT_ISSUER_NOT_FOUND:
         return "Certificate issuer not found";
      case Certificate_Status_Code::CANNOT_ESTABLISH_TRUST:
         return "Cannot establish trust";

      case Certificate_Status_Code::POLICY_ERROR:
         return "Policy error";
      case Certificate_Status_Code::INVALID_USAGE:
         return "Invalid usage";
      case Certificate_Status_Code::CERT_CHAIN_TOO_LONG:
         return "Certificate chain too long";
      case Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER:
         return "CA certificate not allowed to issue certs";
      case Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER:
         return "CA certificate not allowed to issue CRLs";
      case Certificate_Status_Code::OCSP_CERT_NOT_LISTED:
         return "OCSP cert not listed";
      case Certificate_Status_Code::OCSP_BAD_STATUS:
         return "OCSP bad status";

      case Certificate_Status_Code::CERT_IS_REVOKED:
         return "Certificate is revoked";
      case Certificate_Status_Code::CRL_BAD_SIGNATURE:
         return "CRL bad signature";
      case Certificate_Status_Code::SIGNATURE_ERROR:
         return "Signature error";
      default:
         return "Unknown error";
      }
   }
Returns:
true iff the validation was succesful

Definition at line 324 of file x509path.cpp.

References Botan::OCSP_RESPONSE_GOOD, result(), and Botan::VERIFIED.

Returns:
the trust root of the validation

Definition at line 311 of file x509path.cpp.

   {
   return m_cert_path[m_cert_path.size()-1];
   }
std::set< std::string > Botan::Path_Validation_Result::trusted_hashes ( ) const
Returns:
the set of hash functions you are implicitly trusting by trusting this result.

Definition at line 316 of file x509path.cpp.

   {
   std::set<std::string> hashes;
   for(size_t i = 0; i != m_cert_path.size(); ++i)
      hashes.insert(m_cert_path[i].hash_used_for_signature());
   return hashes;
   }

Friends And Related Function Documentation

Path_Validation_Result BOTAN_DLL x509_path_validate ( const std::vector< X509_Certificate > &  end_certs,
const Path_Validation_Restrictions restrictions,
const std::vector< Certificate_Store * > &  certstores 
) [friend]

PKIX Path Validation

Definition at line 214 of file x509path.cpp.

   {
   if(end_certs.empty())
      throw std::invalid_argument("x509_path_validate called with no subjects");

   std::vector<X509_Certificate> cert_path;
   cert_path.push_back(end_certs[0]);

   Certificate_Store_Overlay extra(end_certs);

   // iterate until we reach a root or cannot find the issuer
   while(!cert_path.back().is_self_signed())
      {
      const X509_Certificate* cert = find_issuing_cert(cert_path.back(), extra, certstores);
      if(!cert)
         return Path_Validation_Result(Certificate_Status_Code::CERT_ISSUER_NOT_FOUND);

      cert_path.push_back(*cert);
      }

   return Path_Validation_Result(check_chain(cert_path, restrictions, certstores),
                                 std::move(cert_path));
   }

The documentation for this class was generated from the following files: