Botan
1.11.15
|
#include <x509path.h>
Public Types | |
typedef Certificate_Status_Code | Code |
Public Member Functions | |
const std::vector< std::set < Certificate_Status_Code > > & | all_statuses () const |
const std::vector < X509_Certificate > & | cert_path () const |
Path_Validation_Result (std::vector< std::set< Certificate_Status_Code >> status, std::vector< X509_Certificate > &&cert_chain) | |
Path_Validation_Result (Certificate_Status_Code status) | |
Certificate_Status_Code | result () const |
std::string | result_string () const |
bool | successful_validation () const |
const X509_Certificate & | trust_root () const |
std::set< std::string > | trusted_hashes () const |
Static Public Member Functions | |
static const char * | status_string (Certificate_Status_Code code) |
Friends | |
Path_Validation_Result BOTAN_DLL | x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &certstores) |
Represents the result of a PKIX path validation
Definition at line 75 of file x509path.h.
Definition at line 78 of file x509path.h.
Botan::Path_Validation_Result::Path_Validation_Result | ( | std::vector< std::set< Certificate_Status_Code >> | status, |
std::vector< X509_Certificate > && | cert_chain | ||
) |
Definition at line 292 of file x509path.cpp.
References Botan::OCSP_RESPONSE_GOOD.
: m_overall(Certificate_Status_Code::VERIFIED), m_all_status(status), m_cert_path(cert_chain) { // take the "worst" error as overall for(const auto& s : m_all_status) { if(!s.empty()) { auto worst = *s.rbegin(); // Leave OCSP confirmations on cert-level status only if(worst != Certificate_Status_Code::OCSP_RESPONSE_GOOD) m_overall = worst; } } }
Botan::Path_Validation_Result::Path_Validation_Result | ( | Certificate_Status_Code | status | ) | [inline] |
Definition at line 122 of file x509path.h.
: m_overall(status) {}
const std::vector<std::set<Certificate_Status_Code> >& Botan::Path_Validation_Result::all_statuses | ( | ) | const [inline] |
Return a set of status codes for each certificate in the chain
Definition at line 109 of file x509path.h.
{ return m_all_status; }
const std::vector<X509_Certificate>& Botan::Path_Validation_Result::cert_path | ( | ) | const [inline] |
Definition at line 94 of file x509path.h.
{ return m_cert_path; }
Certificate_Status_Code Botan::Path_Validation_Result::result | ( | ) | const [inline] |
Definition at line 104 of file x509path.h.
Referenced by result_string(), and successful_validation().
{ return m_overall; }
std::string Botan::Path_Validation_Result::result_string | ( | ) | const |
Definition at line 332 of file x509path.cpp.
References result(), and status_string().
{ return status_string(result()); }
const char * Botan::Path_Validation_Result::status_string | ( | Certificate_Status_Code | code | ) | [static] |
Definition at line 337 of file x509path.cpp.
References Botan::CA_CERT_NOT_FOR_CERT_ISSUER, Botan::CA_CERT_NOT_FOR_CRL_ISSUER, Botan::CANNOT_ESTABLISH_TRUST, Botan::CERT_CHAIN_TOO_LONG, Botan::CERT_HAS_EXPIRED, Botan::CERT_IS_REVOKED, Botan::CERT_ISSUER_NOT_FOUND, Botan::CERT_NOT_YET_VALID, Botan::CRL_BAD_SIGNATURE, Botan::CRL_HAS_EXPIRED, Botan::CRL_NOT_YET_VALID, Botan::INVALID_USAGE, Botan::NO_REVOCATION_DATA, Botan::OCSP_BAD_STATUS, Botan::OCSP_CERT_NOT_LISTED, Botan::OCSP_HAS_EXPIRED, Botan::OCSP_NOT_YET_VALID, Botan::OCSP_RESPONSE_GOOD, Botan::POLICY_ERROR, Botan::SIGNATURE_ERROR, Botan::SIGNATURE_METHOD_TOO_WEAK, Botan::UNTRUSTED_HASH, and Botan::VERIFIED.
Referenced by result_string().
{ switch(code) { case Certificate_Status_Code::VERIFIED: return "Verified"; case Certificate_Status_Code::OCSP_RESPONSE_GOOD: return "OCSP response good"; case Certificate_Status_Code::NO_REVOCATION_DATA: return "No revocation data"; case Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK: return "Signature method too weak"; case Certificate_Status_Code::UNTRUSTED_HASH: return "Untrusted hash"; case Certificate_Status_Code::CERT_NOT_YET_VALID: return "Certificate is not yet valid"; case Certificate_Status_Code::CERT_HAS_EXPIRED: return "Certificate has expired"; case Certificate_Status_Code::OCSP_NOT_YET_VALID: return "OCSP is not yet valid"; case Certificate_Status_Code::OCSP_HAS_EXPIRED: return "OCSP has expired"; case Certificate_Status_Code::CRL_NOT_YET_VALID: return "CRL is not yet valid"; case Certificate_Status_Code::CRL_HAS_EXPIRED: return "CRL has expired"; case Certificate_Status_Code::CERT_ISSUER_NOT_FOUND: return "Certificate issuer not found"; case Certificate_Status_Code::CANNOT_ESTABLISH_TRUST: return "Cannot establish trust"; case Certificate_Status_Code::POLICY_ERROR: return "Policy error"; case Certificate_Status_Code::INVALID_USAGE: return "Invalid usage"; case Certificate_Status_Code::CERT_CHAIN_TOO_LONG: return "Certificate chain too long"; case Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER: return "CA certificate not allowed to issue certs"; case Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER: return "CA certificate not allowed to issue CRLs"; case Certificate_Status_Code::OCSP_CERT_NOT_LISTED: return "OCSP cert not listed"; case Certificate_Status_Code::OCSP_BAD_STATUS: return "OCSP bad status"; case Certificate_Status_Code::CERT_IS_REVOKED: return "Certificate is revoked"; case Certificate_Status_Code::CRL_BAD_SIGNATURE: return "CRL bad signature"; case Certificate_Status_Code::SIGNATURE_ERROR: return "Signature error"; default: return "Unknown error"; } }
bool Botan::Path_Validation_Result::successful_validation | ( | ) | const |
Definition at line 324 of file x509path.cpp.
References Botan::OCSP_RESPONSE_GOOD, result(), and Botan::VERIFIED.
{ if(result() == Certificate_Status_Code::VERIFIED || result() == Certificate_Status_Code::OCSP_RESPONSE_GOOD) return true; return false; }
const X509_Certificate & Botan::Path_Validation_Result::trust_root | ( | ) | const |
Definition at line 311 of file x509path.cpp.
{
return m_cert_path[m_cert_path.size()-1];
}
std::set< std::string > Botan::Path_Validation_Result::trusted_hashes | ( | ) | const |
Definition at line 316 of file x509path.cpp.
{ std::set<std::string> hashes; for(size_t i = 0; i != m_cert_path.size(); ++i) hashes.insert(m_cert_path[i].hash_used_for_signature()); return hashes; }
Path_Validation_Result BOTAN_DLL x509_path_validate | ( | const std::vector< X509_Certificate > & | end_certs, |
const Path_Validation_Restrictions & | restrictions, | ||
const std::vector< Certificate_Store * > & | certstores | ||
) | [friend] |
PKIX Path Validation
Definition at line 214 of file x509path.cpp.
{ if(end_certs.empty()) throw std::invalid_argument("x509_path_validate called with no subjects"); std::vector<X509_Certificate> cert_path; cert_path.push_back(end_certs[0]); Certificate_Store_Overlay extra(end_certs); // iterate until we reach a root or cannot find the issuer while(!cert_path.back().is_self_signed()) { const X509_Certificate* cert = find_issuing_cert(cert_path.back(), extra, certstores); if(!cert) return Path_Validation_Result(Certificate_Status_Code::CERT_ISSUER_NOT_FOUND); cert_path.push_back(*cert); } return Path_Validation_Result(check_chain(cert_path, restrictions, certstores), std::move(cert_path)); }