#include <x509path.h>
Public Types | |
| typedef Certificate_Status_Code | Code |
Public Member Functions | |
| const std::vector< std::set < Certificate_Status_Code > > & | all_statuses () const |
| const std::vector < X509_Certificate > & | cert_path () const |
| Path_Validation_Result (std::vector< std::set< Certificate_Status_Code >> status, std::vector< X509_Certificate > &&cert_chain) | |
| Path_Validation_Result (Certificate_Status_Code status) | |
| Certificate_Status_Code | result () const |
| std::string | result_string () const |
| bool | successful_validation () const |
| const X509_Certificate & | trust_root () const |
| std::set< std::string > | trusted_hashes () const |
Static Public Member Functions | |
| static const char * | status_string (Certificate_Status_Code code) |
Friends | |
| Path_Validation_Result BOTAN_DLL | x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &certstores) |
Represents the result of a PKIX path validation
Definition at line 75 of file x509path.h.
Definition at line 78 of file x509path.h.
| Botan::Path_Validation_Result::Path_Validation_Result | ( | std::vector< std::set< Certificate_Status_Code >> | status, |
| std::vector< X509_Certificate > && | cert_chain | ||
| ) |
Definition at line 292 of file x509path.cpp.
References Botan::OCSP_RESPONSE_GOOD.
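/*
* Build a validation result from the per-certificate status sets produced
* by check_chain() and the certificate path they describe.
*
* @param status one std::set<Certificate_Status_Code> per certificate of
*        cert_chain, in the same order (end-entity first)
* @param cert_chain the certificate path, end-entity first; taken by
*        rvalue reference and moved into the result
*/
Path_Validation_Result::Path_Validation_Result(std::vector<std::set<Certificate_Status_Code>> status,
                                               std::vector<X509_Certificate>&& cert_chain) :
   m_overall(Certificate_Status_Code::VERIFIED),
   m_all_status(std::move(status)),
   m_cert_path(std::move(cert_chain))
   {
   /*
   * Take the "worst" status over the whole chain as the overall result.
   * std::set orders the codes by enum value and *s.rbegin() is therefore
   * the highest (most serious) code recorded for one certificate.
   *
   * The overall value is only ever raised, never lowered: assigning it
   * unconditionally would let a later certificate with a milder status
   * overwrite a hard failure (e.g. SIGNATURE_ERROR) found on an earlier
   * one, so the reported reason - and potentially the verdict - would
   * depend on which certificate happened to be processed last.
   */
   for(const auto& s : m_all_status)
      {
      if(s.empty())
         continue;

      const Certificate_Status_Code worst = *s.rbegin();

      // A positive OCSP confirmation is informative only; keep it on the
      // cert-level status and never let it become the overall result.
      if(worst == Certificate_Status_Code::OCSP_RESPONSE_GOOD)
         continue;

      if(worst > m_overall)
         m_overall = worst;
      }
   }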
| Botan::Path_Validation_Result::Path_Validation_Result | ( | Certificate_Status_Code | status | ) | [inline] |
Definition at line 122 of file x509path.h.
/**
* Build a result that carries only an overall status code and no
* certificate path, for failures that occur before a path could be
* built (x509_path_validate uses this for CERT_ISSUER_NOT_FOUND).
* cert_path() and all_statuses() are empty on such a result.
*/
Path_Validation_Result(Certificate_Status_Code status) :
   m_overall(status)
   {}
| const std::vector<std::set<Certificate_Status_Code> >& Botan::Path_Validation_Result::all_statuses | ( | ) | const [inline] |
Return one set of status codes per certificate in the chain, in the same order as cert_path() (end-entity first); empty for a result built from a bare status code.
Definition at line 109 of file x509path.h.
/**
* Per-certificate status sets, one per entry of cert_path() and in the
* same order. An empty set contributes nothing to result(); a positive
* OCSP confirmation appears only here, never as the overall result.
* Empty for a result built from a bare status code.
*/
const std::vector<std::set<Certificate_Status_Code>>& all_statuses() const
   {
   return m_all_status;
   }
| const std::vector<X509_Certificate>& Botan::Path_Validation_Result::cert_path | ( | ) | const [inline] |
Definition at line 94 of file x509path.h.
/**
* The certificate path this result was computed for, end-entity first
* and (when built by x509_path_validate) a self-signed certificate last.
* Empty for a result built from a bare status code.
*/
const std::vector<X509_Certificate>& cert_path() const
   {
   return m_cert_path;
   }
| Certificate_Status_Code Botan::Path_Validation_Result::result | ( | ) | const [inline] |
Definition at line 104 of file x509path.h.
Referenced by result_string(), and successful_validation().
/**
* The overall status code of the validation. Use successful_validation()
* to test it and result_string() for a human-readable form.
*/
Certificate_Status_Code result() const
   {
   return m_overall;
   }
| std::string Botan::Path_Validation_Result::result_string | ( | ) | const |
Definition at line 332 of file x509path.cpp.
References result(), and status_string().
/*
* Human-readable form of result(), via status_string().
*
* @return the fixed description for the overall status code
*/
std::string Path_Validation_Result::result_string() const
   {
   const Certificate_Status_Code overall = result();
   return std::string(status_string(overall));
   }
| const char * Botan::Path_Validation_Result::status_string | ( | Certificate_Status_Code | code | ) | [static] |
Definition at line 337 of file x509path.cpp.
References Botan::CA_CERT_NOT_FOR_CERT_ISSUER, Botan::CA_CERT_NOT_FOR_CRL_ISSUER, Botan::CANNOT_ESTABLISH_TRUST, Botan::CERT_CHAIN_TOO_LONG, Botan::CERT_HAS_EXPIRED, Botan::CERT_IS_REVOKED, Botan::CERT_ISSUER_NOT_FOUND, Botan::CERT_NOT_YET_VALID, Botan::CRL_BAD_SIGNATURE, Botan::CRL_HAS_EXPIRED, Botan::CRL_NOT_YET_VALID, Botan::INVALID_USAGE, Botan::NO_REVOCATION_DATA, Botan::OCSP_BAD_STATUS, Botan::OCSP_CERT_NOT_LISTED, Botan::OCSP_HAS_EXPIRED, Botan::OCSP_NOT_YET_VALID, Botan::OCSP_RESPONSE_GOOD, Botan::POLICY_ERROR, Botan::SIGNATURE_ERROR, Botan::SIGNATURE_METHOD_TOO_WEAK, Botan::UNTRUSTED_HASH, and Botan::VERIFIED.
Referenced by result_string().
/*
* Map a status code to a short, fixed English description.
*
* @param code any Certificate_Status_Code
* @return a pointer to a string literal; a code not listed here yields
*         "Unknown error", so a value added to the enum but not to this
*         table is reported without a message rather than failing to
*         compile - keep the two in sync when adding codes.
*/
const char* Path_Validation_Result::status_string(Certificate_Status_Code code)
   {
   // Code is the class-level typedef for Certificate_Status_Code.
   switch(code)
      {
      // success and informative results
      case Code::VERIFIED:
         return "Verified";
      case Code::OCSP_RESPONSE_GOOD:
         return "OCSP response good";
      case Code::NO_REVOCATION_DATA:
         return "No revocation data";

      // local policy restrictions on algorithms
      case Code::SIGNATURE_METHOD_TOO_WEAK:
         return "Signature method too weak";
      case Code::UNTRUSTED_HASH:
         return "Untrusted hash";

      // validity periods of certificates, OCSP responses and CRLs
      case Code::CERT_NOT_YET_VALID:
         return "Certificate is not yet valid";
      case Code::CERT_HAS_EXPIRED:
         return "Certificate has expired";
      case Code::OCSP_NOT_YET_VALID:
         return "OCSP is not yet valid";
      case Code::OCSP_HAS_EXPIRED:
         return "OCSP has expired";
      case Code::CRL_NOT_YET_VALID:
         return "CRL is not yet valid";
      case Code::CRL_HAS_EXPIRED:
         return "CRL has expired";

      // path building and trust anchoring
      case Code::CERT_ISSUER_NOT_FOUND:
         return "Certificate issuer not found";
      case Code::CANNOT_ESTABLISH_TRUST:
         return "Cannot establish trust";
      case Code::CERT_CHAIN_TOO_LONG:
         return "Certificate chain too long";

      // certificate policy and usage
      case Code::POLICY_ERROR:
         return "Policy error";
      case Code::INVALID_USAGE:
         return "Invalid usage";
      case Code::CA_CERT_NOT_FOR_CERT_ISSUER:
         return "CA certificate not allowed to issue certs";
      case Code::CA_CERT_NOT_FOR_CRL_ISSUER:
         return "CA certificate not allowed to issue CRLs";

      // revocation checking
      case Code::OCSP_CERT_NOT_LISTED:
         return "OCSP cert not listed";
      case Code::OCSP_BAD_STATUS:
         return "OCSP bad status";
      case Code::CERT_IS_REVOKED:
         return "Certificate is revoked";
      case Code::CRL_BAD_SIGNATURE:
         return "CRL bad signature";

      // signature verification
      case Code::SIGNATURE_ERROR:
         return "Signature error";

      default:
         return "Unknown error";
      }
   }
| bool Botan::Path_Validation_Result::successful_validation | ( | ) | const |
Definition at line 324 of file x509path.cpp.
References Botan::OCSP_RESPONSE_GOOD, result(), and Botan::VERIFIED.
/*
* Whether the chain validated.
*
* Only VERIFIED and OCSP_RESPONSE_GOOD count as success; every other code,
* including informative ones such as NO_REVOCATION_DATA, is a failure.
* (The two-argument constructor never promotes OCSP_RESPONSE_GOOD to the
* overall status, so that branch is reachable only for a result built
* directly from that code.)
*
* @return true if result() is one of the two success codes
*/
bool Path_Validation_Result::successful_validation() const
   {
   const Certificate_Status_Code overall = result();
   return overall == Certificate_Status_Code::VERIFIED ||
          overall == Certificate_Status_Code::OCSP_RESPONSE_GOOD;
   }
| const X509_Certificate & Botan::Path_Validation_Result::trust_root | ( | ) | const |
Definition at line 311 of file x509path.cpp.
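/*
* The last certificate on the path - the self-signed certificate the
* path was built up to when it came from x509_path_validate.
*
* @throws std::logic_error if this result carries no certificate path,
*         which is the case for results built from a bare status code
*         (e.g. CERT_ISSUER_NOT_FOUND). Previously the unchecked
*         m_cert_path[m_cert_path.size()-1] wrapped the index to SIZE_MAX
*         on an empty path and read out of bounds; callers holding a
*         possibly-failed result should test successful_validation() or
*         cert_path().empty() first.
*/
const X509_Certificate& Path_Validation_Result::trust_root() const
   {
   if(m_cert_path.empty())
      throw std::logic_error("Path_Validation_Result::trust_root: no certificate path");
   return m_cert_path.back();
   }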
| std::set< std::string > Botan::Path_Validation_Result::trusted_hashes | ( | ) | const |
Definition at line 316 of file x509path.cpp.
/*
* The set of hash function names used in the signatures of every
* certificate on the path, including the last (root) one.
*
* @return the distinct hash names, empty if the path is empty
*/
std::set<std::string> Path_Validation_Result::trusted_hashes() const
   {
   std::set<std::string> used;
   for(const X509_Certificate& cert : m_cert_path)
      used.insert(cert.hash_used_for_signature());
   return used;
   }
| Path_Validation_Result BOTAN_DLL x509_path_validate | ( | const std::vector< X509_Certificate > & | end_certs, |
| const Path_Validation_Restrictions & | restrictions, | ||
| const std::vector< Certificate_Store * > & | certstores | ||
| ) | [friend] |
PKIX Path Validation
Definition at line 214 of file x509path.cpp.
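/*
* PKIX Path Validation
*
* Builds a certificate path from end_certs[0] up to a self-signed
* certificate, using the remaining end_certs and the certificate stores
* as the source of issuer certificates, then hands the path to
* check_chain() for the actual checks.
*
* @param end_certs the certificate to validate, followed by any
*        intermediates the peer supplied; must not be empty
* @param restrictions policy restrictions passed through to check_chain()
* @param certstores stores consulted for issuer certificates
* @return the validation result; result() is CERT_ISSUER_NOT_FOUND if the
*         path could not be completed and CERT_CHAIN_TOO_LONG if the
*         issuer search returned a certificate already on the path
* @throws std::invalid_argument if end_certs is empty
*/
Path_Validation_Result x509_path_validate(
   const std::vector<X509_Certificate>& end_certs,
   const Path_Validation_Restrictions& restrictions,
   const std::vector<Certificate_Store*>& certstores)
   {
   if(end_certs.empty())
      throw std::invalid_argument("x509_path_validate called with no subjects");

   std::vector<X509_Certificate> cert_path;
   cert_path.push_back(end_certs[0]);

   // The peer-supplied certificates are only a source of issuer
   // candidates here; whether the path is trusted is decided by
   // check_chain() against the certificate stores.
   Certificate_Store_Overlay extra(end_certs);

   // iterate until we reach a root or cannot find the issuer
   while(!cert_path.back().is_self_signed())
      {
      const X509_Certificate* cert = find_issuing_cert(cert_path.back(), extra, certstores);
      if(!cert)
         return Path_Validation_Result(Certificate_Status_Code::CERT_ISSUER_NOT_FOUND);

      /*
      * find_issuing_cert() only sees the current tail of the path, so it
      * cannot know that a candidate is already on it. Without this check
      * two cross-signed, non-self-signed certificates (for example both
      * supplied by the peer in end_certs, which the overlay above makes
      * available as issuers) would keep the loop running and cert_path
      * growing without bound, and check_chain()'s length limit would
      * never be reached. A path that revisits a certificate is reported
      * as too long.
      */
      for(const X509_Certificate& on_path : cert_path)
         {
         if(on_path == *cert)
            return Path_Validation_Result(Certificate_Status_Code::CERT_CHAIN_TOO_LONG);
         }

      cert_path.push_back(*cert);
      }

   return Path_Validation_Result(check_chain(cert_path, restrictions, certstores),
                                 std::move(cert_path));
   }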