Botan
1.11.15
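/*
* X.509 Cert Path Validation
* (C) 2010-2011 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#ifndef BOTAN_X509_CERT_PATH_VALIDATION_H__
#define BOTAN_X509_CERT_PATH_VALIDATION_H__

#include <botan/cert_status.h>
#include <botan/x509cert.h>
#include <botan/certstor.h>
#include <set>
#include <string>
#include <vector>

namespace Botan {

/**
* Specifies restrictions on the PKIX path validation
*
* Security note: with the default arguments revocation information is
* not required (require_rev = false) and the minimum strength is 80.
* Per the note on minimum_key_strength below, SHA-1 signatures are only
* rejected when the strength is set above 80. Callers validating
* certificates received from an untrusted peer should choose these
* values deliberately rather than rely on the defaults.
*/
class BOTAN_DLL Path_Validation_Restrictions
   {
   public:
      /**
      * @param require_rev if true, revocation information is required
      * @param minimum_key_strength is the minimum strength (in terms of
      *        operations, eg 80 means 2^80) of a signature. Signatures
      *        weaker than this are rejected. If more than 80, SHA-1
      *        signatures are also rejected.
      * @param ocsp_all_intermediates stored and returned unchanged by
      *        ocsp_all_intermediates(). NOTE(review): presumably asks
      *        for OCSP checks on intermediate certificates as well as
      *        the end entity; the code that consumes it is not in this
      *        header, confirm against the implementation.
      */
      Path_Validation_Restrictions(bool require_rev = false,
                                   size_t minimum_key_strength = 80,
                                   bool ocsp_all_intermediates = false);

      /**
      * @param require_rev if true, revocation information is required
      * @param minimum_key_strength is the minimum strength (in terms of
      *        operations, eg 80 means 2^80) of a signature. Signatures
      *        weaker than this are rejected.
      * @param ocsp_all_intermediates stored and returned unchanged by
      *        ocsp_all_intermediates(). NOTE(review): presumably asks
      *        for OCSP checks on intermediate certificates as well as
      *        the end entity; confirm against the implementation.
      * @param trusted_hashes a set of trusted hashes. Any signatures
      *        created using a hash other than one of these will be
      *        rejected. NOTE(review): how an empty set is treated is
      *        decided by the validation code, which is not visible
      *        here; confirm before passing one.
      */
      Path_Validation_Restrictions(bool require_rev,
                                   size_t minimum_key_strength,
                                   bool ocsp_all_intermediates,
                                   const std::set<std::string>& trusted_hashes) :
         m_require_revocation_information(require_rev),
         m_ocsp_all_intermediates(ocsp_all_intermediates),
         m_trusted_hashes(trusted_hashes),
         m_minimum_key_strength(minimum_key_strength) {}

      /**
      * @return the require_rev value given at construction
      */
      bool require_revocation_information() const
         { return m_require_revocation_information; }

      /**
      * @return the ocsp_all_intermediates value given at construction
      */
      bool ocsp_all_intermediates() const
         { return m_ocsp_all_intermediates; }

      /**
      * @return the set of hash names whose signatures are accepted
      */
      const std::set<std::string>& trusted_hashes() const
         { return m_trusted_hashes; }

      /**
      * @return the minimum signature strength, as a power of two
      */
      size_t minimum_key_strength() const
         { return m_minimum_key_strength; }

   private:
      bool m_require_revocation_information;
      bool m_ocsp_all_intermediates;
      std::set<std::string> m_trusted_hashes;
      size_t m_minimum_key_strength;
   };

/**
* Represents the result of a PKIX path validation
*
* Check successful_validation() (or result()) before relying on
* trust_root() or cert_path(): a result built from a bare status code
* carries an empty certificate path.
*/
class BOTAN_DLL Path_Validation_Result
   {
   public:
      typedef Certificate_Status_Code Code;

      /**
      * @return the set of hash functions you are implicitly
      * trusting by trusting this result.
      */
      std::set<std::string> trusted_hashes() const;

      /**
      * @return the trust root of the validation
      *
      * NOTE(review): behaviour when the validation did not succeed is
      * defined in the implementation, not in this header; call only
      * after successful_validation() has returned true.
      */
      const X509_Certificate& trust_root() const;

      /**
      * @return the full path from subject to trust root
      */
      const std::vector<X509_Certificate>& cert_path() const { return m_cert_path; }

      /**
      * @return true iff the validation was successful
      */
      bool successful_validation() const;

      /**
      * @return overall validation result code
      */
      Certificate_Status_Code result() const { return m_overall; }

      /**
      * Return a set of status codes for each certificate in the chain
      */
      const std::vector<std::set<Certificate_Status_Code>>& all_statuses() const
         { return m_all_status; }

      /**
      * @return string representation of the validation result
      */
      std::string result_string() const;

      /**
      * @param code a certificate status code
      * @return a C string for the given code. NOTE(review): the
      * lifetime of the returned pointer is not stated in this header
      * (presumably a string literal); confirm before storing it.
      */
      static const char* status_string(Certificate_Status_Code code);

      /**
      * Build a result from per-certificate status sets and the chain
      * they belong to. How the overall code is derived from them is
      * defined in the implementation.
      * @param status one set of status codes per certificate
      * @param cert_chain the certificate chain; taken by rvalue
      *        reference, so the caller's vector is moved from
      */
      Path_Validation_Result(std::vector<std::set<Certificate_Status_Code>> status,
                             std::vector<X509_Certificate>&& cert_chain);

      /**
      * Build a result that carries only an overall status code; the
      * per-certificate statuses and the certificate path stay empty.
      * Not marked explicit, so a Certificate_Status_Code converts
      * implicitly to a Path_Validation_Result.
      * @param status the overall status code
      */
      Path_Validation_Result(Certificate_Status_Code status) : m_overall(status) {}

   private:
      // The vector-of-end-certs overload of x509_path_validate is granted
      // access to the private members below.
      friend Path_Validation_Result BOTAN_DLL x509_path_validate(
         const std::vector<X509_Certificate>& end_certs,
         const Path_Validation_Restrictions& restrictions,
         const std::vector<Certificate_Store*>& certstores);

      Certificate_Status_Code m_overall;
      std::vector<std::set<Certificate_Status_Code>> m_all_status;
      std::vector<X509_Certificate> m_cert_path;
   };

/**
* PKIX Path Validation
* @param end_certs certificate(s) to validate. NOTE(review): presumably
*        the first entry is the end entity and any further entries are
*        untrusted intermediates supplied with it; confirm against the
*        implementation.
* @param restrictions path validation restrictions
* @param certstores list of certificate stores that contain trusted
*        certificates. Raw pointers: ownership is not expressed in the
*        signature, so presumably non-owning and expected to be
*        non-null and to outlive the call.
* @return result of the path validation
*/
Path_Validation_Result BOTAN_DLL x509_path_validate(
   const std::vector<X509_Certificate>& end_certs,
   const Path_Validation_Restrictions& restrictions,
   const std::vector<Certificate_Store*>& certstores);

/**
* PKIX Path Validation
* @param end_cert certificate to validate
* @param restrictions path validation restrictions
* @param certstores list of certificate stores that contain trusted
*        certificates. Raw pointers: presumably non-owning and expected
*        to be non-null and to outlive the call.
* @return result of the path validation
*/
Path_Validation_Result BOTAN_DLL x509_path_validate(
   const X509_Certificate& end_cert,
   const Path_Validation_Restrictions& restrictions,
   const std::vector<Certificate_Store*>& certstores);

/**
* PKIX Path Validation
* @param end_cert certificate to validate
* @param restrictions path validation restrictions
* @param store store that contains trusted certificates
* @return result of the path validation
*/
Path_Validation_Result BOTAN_DLL x509_path_validate(
   const X509_Certificate& end_cert,
   const Path_Validation_Restrictions& restrictions,
   const Certificate_Store& store);

/**
* PKIX Path Validation
* @param end_certs certificate(s) to validate. NOTE(review): presumably
*        the first entry is the end entity and any further entries are
*        untrusted intermediates supplied with it; confirm against the
*        implementation.
* @param restrictions path validation restrictions
* @param store store that contains trusted certificates
* @return result of the path validation
*/
Path_Validation_Result BOTAN_DLL x509_path_validate(
   const std::vector<X509_Certificate>& end_certs,
   const Path_Validation_Restrictions& restrictions,
   const Certificate_Store& store);

}

#endif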