Botan  1.11.15
src/lib/cert/x509/x509path.h
00001 /*
00002 * X.509 Cert Path Validation
00003 * (C) 2010-2011 Jack Lloyd
00004 *
00005 * Botan is released under the Simplified BSD License (see license.txt)
00006 */
00007 
00008 #ifndef BOTAN_X509_CERT_PATH_VALIDATION_H__
00009 #define BOTAN_X509_CERT_PATH_VALIDATION_H__
00010 
00011 #include <botan/cert_status.h>
00012 #include <botan/x509cert.h>
00013 #include <botan/certstor.h>
00014 #include <set>
00015 
00016 namespace Botan {
00017 
/**
* Specifies restrictions on the PKIX path validation. An instance is
* passed by const reference to each x509_path_validate() overload.
*
* Security note: the defaults are permissive. A default-constructed
* object does not require revocation information and uses a minimum
* strength of 80; per the constructor documentation, SHA-1 signatures
* are only rejected when the minimum is more than 80. Callers that need
* a stricter policy should pass explicit values.
*/
class BOTAN_DLL Path_Validation_Restrictions
   {
   public:
      /**
      * Defined out of line; this header does not show how the trusted
      * hash set is populated.
      *
      * @param require_rev if true, revocation information is required
      * @param minimum_key_strength is the minimum strength (in terms of
      *        operations, eg 80 means 2^80) of a signature. Signatures
      *        weaker than this are rejected. If more than 80, SHA-1
      *        signatures are also rejected.
      * @param ocsp_all_intermediates exposed via ocsp_all_intermediates().
      *        NOTE(review): presumably asks for OCSP checks on every
      *        intermediate rather than only the end-entity certificate;
      *        confirm against the validator.
      */
      Path_Validation_Restrictions(bool require_rev = false,
                                   size_t minimum_key_strength = 80,
                                   bool ocsp_all_intermediates = false);

      /**
      * Variant with an explicit hash allow-list. No argument has a
      * default, and the set is copied into the object.
      *
      * @param require_rev if true, revocation information is required
      * @param minimum_key_strength is the minimum strength (in terms of
      *        operations, eg 80 means 2^80) of a signature. Signatures
      *        weaker than this are rejected.
      * @param ocsp_all_intermediates exposed via ocsp_all_intermediates().
      *        NOTE(review): presumably asks for OCSP checks on every
      *        intermediate; confirm against the validator.
      * @param trusted_hashes a set of trusted hashes. Any signatures
      *        created using a hash other than one of these will be
      *        rejected. NOTE(review): an empty set is stored as given;
      *        how the validator treats an empty set is not visible
      *        here, so verify before relying on it.
      */
      Path_Validation_Restrictions(bool require_rev,
                                   size_t minimum_key_strength,
                                   bool ocsp_all_intermediates,
                                   const std::set<std::string>& trusted_hashes)
         : m_require_revocation_information(require_rev),
           m_ocsp_all_intermediates(ocsp_all_intermediates),
           m_trusted_hashes(trusted_hashes),
           m_minimum_key_strength(minimum_key_strength)
         {
         }

      /**
      * @return the require_rev value given at construction
      */
      bool require_revocation_information() const
         {
         return m_require_revocation_information;
         }

      /**
      * @return the ocsp_all_intermediates value given at construction
      */
      bool ocsp_all_intermediates() const
         {
         return m_ocsp_all_intermediates;
         }

      /**
      * @return the stored set of trusted hash names, by const reference
      */
      const std::set<std::string>& trusted_hashes() const
         {
         return m_trusted_hashes;
         }

      /**
      * @return the stored minimum strength (eg 80 means 2^80 operations)
      */
      size_t minimum_key_strength() const
         {
         return m_minimum_key_strength;
         }

   private:
      // Declaration order is also the initialization order used by the
      // inline constructor's member-initializer list.
      bool m_require_revocation_information;
      bool m_ocsp_all_intermediates;
      std::set<std::string> m_trusted_hashes;
      size_t m_minimum_key_strength;
   };
00071 
/**
* Represents the result of a PKIX path validation.
*
* Callers should inspect successful_validation() or result() before
* acting on cert_path() or trust_root(): an instance can be built from
* a bare status code, in which case no path is stored.
*/
class BOTAN_DLL Path_Validation_Result
   {
   public:
      using Code = Certificate_Status_Code;

      /**
      * @return the set of hash functions you are implicitly
      * trusting by trusting this result.
      */
      std::set<std::string> trusted_hashes() const;

      /**
      * NOTE(review): defined out of line. A result built from a bare
      * status code has an empty certificate path; confirm how the
      * definition behaves in that case before calling this on a
      * failed validation.
      *
      * @return the trust root of the validation
      */
      const X509_Certificate& trust_root() const;

      /**
      * @return the full path from subject to trust root
      */
      const std::vector<X509_Certificate>& cert_path() const
         {
         return m_cert_path;
         }

      /**
      * @return true iff the validation was successful
      */
      bool successful_validation() const;

      /**
      * @return overall validation result code
      */
      Certificate_Status_Code result() const
         {
         return m_overall;
         }

      /**
      * Return a set of status codes for each certificate in the chain
      */
      const std::vector<std::set<Certificate_Status_Code>>& all_statuses() const
         {
         return m_all_status;
         }

      /**
      * @return string representation of the validation result
      */
      std::string result_string() const;

      /**
      * NOTE(review): undocumented upstream; presumably maps a status
      * code to a human-readable string. Lifetime of the returned
      * pointer is not visible here.
      */
      static const char* status_string(Certificate_Status_Code code);

      /**
      * Defined out of line. The status sets are taken by value and the
      * certificate chain by rvalue reference.
      */
      Path_Validation_Result(std::vector<std::set<Certificate_Status_Code>> status,
                             std::vector<X509_Certificate>&& cert_chain);

      /**
      * Builds a result that carries only an overall status; the
      * per-certificate statuses and the path stay empty. The
      * constructor is not explicit, so a Certificate_Status_Code
      * converts implicitly to a Path_Validation_Result.
      */
      Path_Validation_Result(Certificate_Status_Code status)
         : m_overall(status)
         {
         }

   private:
      // Only this overload of x509_path_validate is granted access to
      // the private members.
      friend Path_Validation_Result BOTAN_DLL x509_path_validate(
         const std::vector<X509_Certificate>& end_certs,
         const Path_Validation_Restrictions& restrictions,
         const std::vector<Certificate_Store*>& certstores);

      Certificate_Status_Code m_overall;                            // returned by result()
      std::vector<std::set<Certificate_Status_Code>> m_all_status;  // returned by all_statuses()
      std::vector<X509_Certificate> m_cert_path;                    // returned by cert_path()
   };
00134 
/**
* PKIX Path Validation of a list of certificates against several stores.
*
* @param end_certs certificates to validate. NOTE(review): presumably
*        the end-entity certificate followed by any untrusted
*        intermediates; confirm against the implementation.
* @param restrictions policy applied to the validation
* @param certstores certificate stores made available to the validator.
*        Passed as raw pointers, so presumably non-owning; callers
*        should keep them valid and non-null for the call (confirm).
* @return the validation outcome. Check successful_validation() or
*         result() on it; do not treat a returned object as success.
*/
Path_Validation_Result BOTAN_DLL
x509_path_validate(const std::vector<X509_Certificate>& end_certs,
                   const Path_Validation_Restrictions& restrictions,
                   const std::vector<Certificate_Store*>& certstores);
00142 
/**
* PKIX Path Validation of a single certificate against several stores.
*
* @param end_cert the certificate to validate
* @param restrictions policy applied to the validation
* @param certstores certificate stores made available to the validator.
*        Passed as raw pointers, so presumably non-owning; callers
*        should keep them valid and non-null for the call (confirm).
* @return the validation outcome. Check successful_validation() or
*         result() on it; do not treat a returned object as success.
*/
Path_Validation_Result BOTAN_DLL
x509_path_validate(const X509_Certificate& end_cert,
                   const Path_Validation_Restrictions& restrictions,
                   const std::vector<Certificate_Store*>& certstores);
00150 
/**
* PKIX Path Validation of a single certificate against one store.
*
* @param end_cert the certificate to validate
* @param restrictions policy applied to the validation
* @param store the certificate store made available to the validator
* @return the validation outcome. Check successful_validation() or
*         result() on it; do not treat a returned object as success.
*/
Path_Validation_Result BOTAN_DLL
x509_path_validate(const X509_Certificate& end_cert,
                   const Path_Validation_Restrictions& restrictions,
                   const Certificate_Store& store);
00158 
/**
* PKIX Path Validation of a list of certificates against one store.
*
* @param end_certs certificates to validate. NOTE(review): presumably
*        the end-entity certificate followed by any untrusted
*        intermediates; confirm against the implementation.
* @param restrictions policy applied to the validation
* @param store the certificate store made available to the validator
* @return the validation outcome. Check successful_validation() or
*         result() on it; do not treat a returned object as success.
*/
Path_Validation_Result BOTAN_DLL
x509_path_validate(const std::vector<X509_Certificate>& end_certs,
                   const Path_Validation_Restrictions& restrictions,
                   const Certificate_Store& store);
00166 
00167 }
00168 
00169 #endif