authorlloyd <[email protected]>2012-02-06 19:30:38 +0000
committerlloyd <[email protected]>2012-02-06 19:30:38 +0000
commitf1a2b5a7b5f35322927446d1b9a381f05cc677df (patch)
tree905b125d9173a32c4a3b758ae124ded0d045d635
parentcd58927000ef86eacc9de5b80f361d4d05e71731 (diff)
All of the X509 modules were actually mutually dependent. Ideally this
would be fixed but it's quite hard to do, makes more sense for now to merge them back into one big x509 blob.
-rw-r--r--src/asn1/x509_dn.cpp2
-rw-r--r--src/cert/certstore/info.txt6
-rw-r--r--src/cert/pkcs10/info.txt6
-rw-r--r--src/cert/x509/certstor.cpp (renamed from src/cert/certstore/certstor.cpp)9
-rw-r--r--src/cert/x509/certstor.h (renamed from src/cert/certstore/certstor.h)2
-rw-r--r--src/cert/x509/crl_ent.cpp (renamed from src/cert/x509crl/crl_ent.cpp)0
-rw-r--r--src/cert/x509/crl_ent.h (renamed from src/cert/x509crl/crl_ent.h)0
-rw-r--r--src/cert/x509/info.txt (renamed from src/cert/x509cert/info.txt)1
-rw-r--r--src/cert/x509/pkcs10.cpp (renamed from src/cert/pkcs10/pkcs10.cpp)0
-rw-r--r--src/cert/x509/pkcs10.h (renamed from src/cert/pkcs10/pkcs10.h)0
-rw-r--r--src/cert/x509/x509_ca.cpp (renamed from src/cert/x509ca/x509_ca.cpp)0
-rw-r--r--src/cert/x509/x509_ca.h (renamed from src/cert/x509ca/x509_ca.h)0
-rw-r--r--src/cert/x509/x509_crl.cpp (renamed from src/cert/x509crl/x509_crl.cpp)0
-rw-r--r--src/cert/x509/x509_crl.h (renamed from src/cert/x509crl/x509_crl.h)0
-rw-r--r--src/cert/x509/x509_ext.cpp (renamed from src/cert/x509cert/x509_ext.cpp)0
-rw-r--r--src/cert/x509/x509_ext.h (renamed from src/cert/x509cert/x509_ext.h)0
-rw-r--r--src/cert/x509/x509_obj.cpp (renamed from src/cert/x509cert/x509_obj.cpp)0
-rw-r--r--src/cert/x509/x509_obj.h (renamed from src/cert/x509cert/x509_obj.h)0
-rw-r--r--src/cert/x509/x509cert.cpp (renamed from src/cert/x509cert/x509cert.cpp)0
-rw-r--r--src/cert/x509/x509cert.h (renamed from src/cert/x509cert/x509cert.h)0
-rw-r--r--src/cert/x509/x509opt.cpp (renamed from src/cert/x509self/x509opt.cpp)0
-rw-r--r--src/cert/x509/x509path.cpp (renamed from src/cert/x509path/x509path.cpp)54
-rw-r--r--src/cert/x509/x509path.h (renamed from src/cert/x509path/x509path.h)50
-rw-r--r--src/cert/x509/x509self.cpp (renamed from src/cert/x509self/x509self.cpp)0
-rw-r--r--src/cert/x509/x509self.h (renamed from src/cert/x509self/x509self.h)0
-rw-r--r--src/cert/x509ca/info.txt6
-rw-r--r--src/cert/x509crl/info.txt6
-rw-r--r--src/cert/x509path/info.txt5
-rw-r--r--src/cert/x509self/info.txt6
-rw-r--r--src/cms/info.txt2
-rw-r--r--src/ssl/info.txt2
31 files changed, 75 insertions, 82 deletions
diff --git a/src/asn1/x509_dn.cpp b/src/asn1/x509_dn.cpp
index 37eecc6a3..ceb12cee6 100644
--- a/src/asn1/x509_dn.cpp
+++ b/src/asn1/x509_dn.cpp
@@ -177,7 +177,7 @@ bool operator!=(const X509_DN& dn1, const X509_DN& dn2)
}
/*
-* Compare two X509_DNs
+* Induce an arbitrary ordering on DNs
*/
bool operator<(const X509_DN& dn1, const X509_DN& dn2)
{
diff --git a/src/cert/certstore/info.txt b/src/cert/certstore/info.txt
deleted file mode 100644
index a5de1baff..000000000
--- a/src/cert/certstore/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define CERTIFICATE_STORE
-
-<requires>
-x509cert
-x509crl
-</requires>
diff --git a/src/cert/pkcs10/info.txt b/src/cert/pkcs10/info.txt
deleted file mode 100644
index bf53a562a..000000000
--- a/src/cert/pkcs10/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define PKCS10_REQUESTS
-
-<requires>
-asn1
-x509cert
-</requires>
diff --git a/src/cert/certstore/certstor.cpp b/src/cert/x509/certstor.cpp
index 7aa528d04..de27361ed 100644
--- a/src/cert/certstore/certstor.cpp
+++ b/src/cert/x509/certstor.cpp
@@ -9,6 +9,15 @@
namespace Botan {
+bool Certificate_Store::certificate_known(const X509_Certificate& cert) const
+ {
+ std::vector<X509_Certificate> found =
+ find_cert_by_subject_and_key_id(cert.subject_dn(),
+ cert.subject_key_id());
+
+ return (found.size() > 0);
+ }
+
void Certificate_Store_In_Memory::add_certificate(const X509_Certificate& cert)
{
for(size_t i = 0; i != certs.size(); ++i)
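Review bot: `certificate_known` reports a match on subject DN and subject key identifier alone, and both are fields set by whoever created the certificate, so a different certificate that copies them from a stored one is reported as known. If callers are meant to rely on this as a trust check, compare the returned entries with `cert` itself, e.g. `for(size_t i = 0; i != found.size(); ++i) if(found[i] == cert) return true;` followed by `return false;` (this assumes X509_Certificate has an equality operator, which is not visible here). If the loose match is intended, return `!found.empty()` and say so on the declaration in certstor.h, which is added without a doc comment: `/** @return true if some certificate in this store has the same subject DN and key id as cert (not a full comparison) */`.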
diff --git a/src/cert/certstore/certstor.h b/src/cert/x509/certstor.h
index 604541d52..e2727c569 100644
--- a/src/cert/certstore/certstor.h
+++ b/src/cert/x509/certstor.h
@@ -31,6 +31,8 @@ class BOTAN_DLL Certificate_Store
*/
virtual void add_crl(const X509_CRL& crl) = 0;
+ bool certificate_known(const X509_Certificate& cert) const;
+
/**
* Subject DN and (optionally) key identifier
*/
diff --git a/src/cert/x509crl/crl_ent.cpp b/src/cert/x509/crl_ent.cpp
index d566637f6..d566637f6 100644
--- a/src/cert/x509crl/crl_ent.cpp
+++ b/src/cert/x509/crl_ent.cpp
diff --git a/src/cert/x509crl/crl_ent.h b/src/cert/x509/crl_ent.h
index ae9535484..ae9535484 100644
--- a/src/cert/x509crl/crl_ent.h
+++ b/src/cert/x509/crl_ent.h
diff --git a/src/cert/x509cert/info.txt b/src/cert/x509/info.txt
index 5e3715e7a..c994dab8f 100644
--- a/src/cert/x509cert/info.txt
+++ b/src/cert/x509/info.txt
@@ -1,6 +1,5 @@
define X509_CERTIFICATES
<requires>
-certstore
datastor
</requires>
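Review bot: The merged module still defines only `X509_CERTIFICATES`, while the info.txt files deleted elsewhere in this commit defined `CERTIFICATE_STORE`, `PKCS10_REQUESTS`, `X509_CA`, `X509_CRL`, `X509_STORE` and `X509_SELF_SIGNED`. If any code outside this diff is compiled conditionally on the feature macros derived from those names, it would presumably be left out of the build with no error. Either carry the defines over into this file, if the module format allows more than one, or confirm that nothing tests them.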
diff --git a/src/cert/pkcs10/pkcs10.cpp b/src/cert/x509/pkcs10.cpp
index 784318d3d..784318d3d 100644
--- a/src/cert/pkcs10/pkcs10.cpp
+++ b/src/cert/x509/pkcs10.cpp
diff --git a/src/cert/pkcs10/pkcs10.h b/src/cert/x509/pkcs10.h
index bd01fb6b5..bd01fb6b5 100644
--- a/src/cert/pkcs10/pkcs10.h
+++ b/src/cert/x509/pkcs10.h
diff --git a/src/cert/x509ca/x509_ca.cpp b/src/cert/x509/x509_ca.cpp
index 40f2e3b3a..40f2e3b3a 100644
--- a/src/cert/x509ca/x509_ca.cpp
+++ b/src/cert/x509/x509_ca.cpp
diff --git a/src/cert/x509ca/x509_ca.h b/src/cert/x509/x509_ca.h
index 97be6a415..97be6a415 100644
--- a/src/cert/x509ca/x509_ca.h
+++ b/src/cert/x509/x509_ca.h
diff --git a/src/cert/x509crl/x509_crl.cpp b/src/cert/x509/x509_crl.cpp
index 9c6b891c7..9c6b891c7 100644
--- a/src/cert/x509crl/x509_crl.cpp
+++ b/src/cert/x509/x509_crl.cpp
diff --git a/src/cert/x509crl/x509_crl.h b/src/cert/x509/x509_crl.h
index 55eb8424b..55eb8424b 100644
--- a/src/cert/x509crl/x509_crl.h
+++ b/src/cert/x509/x509_crl.h
diff --git a/src/cert/x509cert/x509_ext.cpp b/src/cert/x509/x509_ext.cpp
index 6e0befaf3..6e0befaf3 100644
--- a/src/cert/x509cert/x509_ext.cpp
+++ b/src/cert/x509/x509_ext.cpp
diff --git a/src/cert/x509cert/x509_ext.h b/src/cert/x509/x509_ext.h
index 714e29562..714e29562 100644
--- a/src/cert/x509cert/x509_ext.h
+++ b/src/cert/x509/x509_ext.h
diff --git a/src/cert/x509cert/x509_obj.cpp b/src/cert/x509/x509_obj.cpp
index c58081225..c58081225 100644
--- a/src/cert/x509cert/x509_obj.cpp
+++ b/src/cert/x509/x509_obj.cpp
diff --git a/src/cert/x509cert/x509_obj.h b/src/cert/x509/x509_obj.h
index 570b00f51..570b00f51 100644
--- a/src/cert/x509cert/x509_obj.h
+++ b/src/cert/x509/x509_obj.h
diff --git a/src/cert/x509cert/x509cert.cpp b/src/cert/x509/x509cert.cpp
index 52115a1a8..52115a1a8 100644
--- a/src/cert/x509cert/x509cert.cpp
+++ b/src/cert/x509/x509cert.cpp
diff --git a/src/cert/x509cert/x509cert.h b/src/cert/x509/x509cert.h
index d25b97694..d25b97694 100644
--- a/src/cert/x509cert/x509cert.h
+++ b/src/cert/x509/x509cert.h
diff --git a/src/cert/x509self/x509opt.cpp b/src/cert/x509/x509opt.cpp
index 345df1fe0..345df1fe0 100644
--- a/src/cert/x509self/x509opt.cpp
+++ b/src/cert/x509/x509opt.cpp
diff --git a/src/cert/x509path/x509path.cpp b/src/cert/x509/x509path.cpp
index e18c3b2f8..a9b8150ae 100644
--- a/src/cert/x509path/x509path.cpp
+++ b/src/cert/x509/x509path.cpp
@@ -71,11 +71,16 @@ std::vector<X509_CRL> find_crls_from(const X509_Certificate& cert,
}
+const X509_Certificate& Path_Validation_Result::trust_root() const
+ {
+ return m_cert_path[m_cert_path.size()-1];
+ }
+
std::set<std::string> Path_Validation_Result::trusted_hashes() const
{
std::set<std::string> hashes;
- for(size_t i = 0; i != cert_path.size(); ++i)
- hashes.insert(cert_path[i].hash_used_for_signature());
+ for(size_t i = 0; i != m_cert_path.size(); ++i)
+ hashes.insert(m_cert_path[i].hash_used_for_signature());
return hashes;
}
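Review bot: `trust_root()` indexes `m_cert_path[m_cert_path.size()-1]` with no emptiness check, so on a default-constructed result or one built from an empty `end_certs` the index wraps around and the read is out of bounds. It also returns the last certificate of the path when validation failed part-way, in which case that certificate is not a root at all. Guard it with `if(m_cert_path.empty()) throw Invalid_State("Path_Validation_Result::trust_root has no path");` (assuming Botan's Invalid_State is in scope in this file) and document that the value is meaningful only when `result() == VERIFIED`.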
@@ -117,30 +122,27 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs,
{
Path_Validation_Result r;
- r.cert_path = end_certs;
+ r.m_cert_path = end_certs;
+
+ std::vector<X509_Certificate>& cert_path = r.m_cert_path;
try
{
// iterate until we reach a root or cannot find the issuer
-
- while(!r.cert_path.back().is_self_signed())
+ while(!cert_path.back().is_self_signed())
{
- X509_Certificate cert = find_issuing_cert(r.cert_path.back(),
- certstores);
-
- r.cert_path.push_back(cert);
+ cert_path.push_back(
+ find_issuing_cert(cert_path.back(), certstores)
+ );
}
- /*
- for(size_t i = 0; i != r.cert_path.size(); ++i)
- std::cout << "Cert " << i << " = " << r.cert_path[i].subject_dn() << "\n";
- */
+ const bool self_signed_ee_cert = (cert_path.size() == 1);
X509_Time current_time(system_time());
- for(size_t i = 0; i != r.cert_path.size(); ++i)
+ for(size_t i = 0; i != cert_path.size(); ++i)
{
- const X509_Certificate& subject = r.cert_path[i];
+ const X509_Certificate& subject = cert_path[i];
// Check all certs for valid time range
if(current_time < X509_Time(subject.start_time()))
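Review bot: `cert_path.back()` in the `while` condition is undefined behaviour when `end_certs` is empty, because `r.m_cert_path` is copied from it unchecked; the old code had the same gap and the rewrite keeps it. Return early right after `Path_Validation_Result r;` with `if(end_certs.empty()) return r;`, which leaves the constructor's default `UNKNOWN_X509_ERROR` in place. The function body starts before and continues after this hunk.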
@@ -149,13 +151,15 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs,
if(current_time > X509_Time(subject.end_time()))
throw PKIX_Validation_Failure(CERT_HAS_EXPIRED);
- const bool at_self_signed_root = (i == r.cert_path.size() - 1);
+ const bool at_self_signed_root = (i == cert_path.size() - 1);
const X509_Certificate& issuer =
- r.cert_path[at_self_signed_root ? (i) : (i + 1)];
+ cert_path[at_self_signed_root ? (i) : (i + 1)];
// Check issuer constraints
- if(!issuer.is_CA_cert()) // require this for self-signed end-entity?
+
+ // Don't require CA bit set on self-signed end entity cert
+ if(!issuer.is_CA_cert() && !self_signed_ee_cert)
throw PKIX_Validation_Failure(CA_CERT_NOT_FOR_CERT_ISSUER);
if(issuer.path_limit() < i)
@@ -165,17 +169,16 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs,
throw PKIX_Validation_Failure(SIGNATURE_ERROR);
}
- r.validation_result = VERIFIED;
-
- for(size_t i = 1; i != r.cert_path.size(); ++i)
+ for(size_t i = 1; i != cert_path.size(); ++i)
{
- const X509_Certificate& subject = r.cert_path[i-1];
- const X509_Certificate& ca = r.cert_path[i];
+ const X509_Certificate& subject = cert_path[i-1];
+ const X509_Certificate& ca = cert_path[i];
std::vector<X509_CRL> crls = find_crls_from(ca, certstores);
if(crls.empty())
- throw PKIX_Validation_Failure(CRL_NOT_FOUND);
+ //throw PKIX_Validation_Failure(CRL_NOT_FOUND);
+ continue;
const X509_CRL& crl = crls[0];
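Review bot: Replacing the `CRL_NOT_FOUND` throw with `continue` makes revocation checking fail open: a CA for which no store holds a CRL is skipped silently, and the caller cannot tell a path that was checked against CRLs from one that was not. If soft-fail is the intended policy, delete the commented-out throw and state it, e.g. `// No CRL available for this CA: revocation status unknown, treated as not revoked`, and consider recording that in the result so strict callers can refuse it. The `if` body is now a comment followed by an unbraced `continue`, which is easy to break if the throw is restored; put braces around it. The loop continues past the end of this hunk.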
@@ -195,10 +198,11 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs,
throw PKIX_Validation_Failure(CERT_IS_REVOKED);
}
+ r.set_result(self_signed_ee_cert ? CANNOT_ESTABLISH_TRUST : VERIFIED);
}
catch(PKIX_Validation_Failure& e)
{
- r.validation_result = e.code();
+ r.set_result(e.code());
}
return r;
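Review bot: `set_result(... VERIFIED)` is reached for any path longer than one certificate, and nothing visible in these hunks checks that the self-signed certificate ending the path comes from `certstores`. When `end_certs` already ends in a self-signed certificate the `while` loop never calls `find_issuing_cert`, so a chain supplied entirely by the peer would validate against its own root. Before reporting VERIFIED, require the last certificate to be present in one of the stores, for instance through the `certificate_known` helper added in this commit (provided it ends up comparing the whole certificate), and report `CANNOT_ESTABLISH_TRUST` otherwise. Some lines of the function lie between the hunks and are not shown, so confirm no such check already exists there.

```cpp
// … unchanged: time range, issuer, signature and CRL checks …

bool root_is_trusted = false;
for(size_t i = 0; i != certstores.size(); ++i)
   {
   if(certstores[i]->certificate_known(cert_path.back()))
      root_is_trusted = true;
   }

if(self_signed_ee_cert || !root_is_trusted)
   r.set_result(CANNOT_ESTABLISH_TRUST);
else
   r.set_result(VERIFIED);
```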
diff --git a/src/cert/x509path/x509path.h b/src/cert/x509/x509path.h
index b32a69162..c389431d8 100644
--- a/src/cert/x509path/x509path.h
+++ b/src/cert/x509/x509path.h
@@ -45,34 +45,48 @@ enum X509_Path_Validation_Code {
CA_CERT_NOT_FOR_CRL_ISSUER
};
- enum Usage_Restrictions {
- NO_RESTRICTIONS = 0x00,
- TLS_SERVER = 0x01,
- TLS_CLIENT = 0x02,
- CODE_SIGNING = 0x04,
- EMAIL_PROTECTION = 0x08,
- TIME_STAMPING = 0x10,
- CRL_SIGNING = 0x20
- };
-
-class Path_Validation_Result
+enum Usage_Restrictions {
+ NO_RESTRICTIONS = 0x00,
+ TLS_SERVER = 0x01,
+ TLS_CLIENT = 0x02,
+ CODE_SIGNING = 0x04,
+ EMAIL_PROTECTION = 0x08,
+ TIME_STAMPING = 0x10,
+ CRL_SIGNING = 0x20
+};
+
+class BOTAN_DLL Path_Validation_Result
{
public:
Path_Validation_Result() :
- validation_result(UNKNOWN_X509_ERROR),
- allowed_usages(NO_RESTRICTIONS)
+ m_result(UNKNOWN_X509_ERROR),
+ m_usages(NO_RESTRICTIONS)
{}
- X509_Path_Validation_Code validation_result;
- Usage_Restrictions allowed_usages;
-
- std::vector<X509_Certificate> cert_path;
-
/**
* Returns the set of hash functions you are implicitly
* trusting by trusting this result.
*/
std::set<std::string> trusted_hashes() const;
+
+ const X509_Certificate& trust_root() const;
+
+ const std::vector<X509_Certificate>& cert_path() const { return m_cert_path; }
+
+ bool successful_validation() const { return result() == VERIFIED; }
+
+ X509_Path_Validation_Code result() const { return m_result; }
+ private:
+ friend Path_Validation_Result x509_path_validate(
+ const std::vector<X509_Certificate>& end_certs,
+ const std::vector<Certificate_Store*>& certstores);
+
+ void set_result(X509_Path_Validation_Code result) { m_result = result; }
+
+ X509_Path_Validation_Code m_result;
+ Usage_Restrictions m_usages;
+
+ std::vector<X509_Certificate> m_cert_path;
};
Path_Validation_Result BOTAN_DLL x509_path_validate(
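Review bot: The new accessors `trust_root()`, `cert_path()`, `successful_validation()` and `result()` are added without doc comments although `trusted_hashes()` just above has one, and the first two return data even when validation failed. Document them, e.g. `/** @return the certificate ending the path; a trust root only if successful_validation() is true */` on `trust_root()` and `/** @return true iff result() == VERIFIED */` on `successful_validation()`. `m_usages` is now private with no accessor or setter visible in this hunk, so nothing can read it; drop it or add `Usage_Restrictions allowed_usages() const { return m_usages; }`. The declaration of `x509_path_validate` on the last line continues outside the hunk.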
diff --git a/src/cert/x509self/x509self.cpp b/src/cert/x509/x509self.cpp
index a2f89159f..a2f89159f 100644
--- a/src/cert/x509self/x509self.cpp
+++ b/src/cert/x509/x509self.cpp
diff --git a/src/cert/x509self/x509self.h b/src/cert/x509/x509self.h
index 2850096c8..2850096c8 100644
--- a/src/cert/x509self/x509self.h
+++ b/src/cert/x509/x509self.h
diff --git a/src/cert/x509ca/info.txt b/src/cert/x509ca/info.txt
deleted file mode 100644
index d412c3070..000000000
--- a/src/cert/x509ca/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define X509_CA
-
-<requires>
-pkcs10
-x509cert
-</requires>
diff --git a/src/cert/x509crl/info.txt b/src/cert/x509crl/info.txt
deleted file mode 100644
index 77de46074..000000000
--- a/src/cert/x509crl/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define X509_CRL
-
-<requires>
-x509cert
-</requires>
-
diff --git a/src/cert/x509path/info.txt b/src/cert/x509path/info.txt
deleted file mode 100644
index b24b03a02..000000000
--- a/src/cert/x509path/info.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-define X509_STORE
-
-<requires>
-x509cert
-</requires>
diff --git a/src/cert/x509self/info.txt b/src/cert/x509self/info.txt
deleted file mode 100644
index bb02c4f74..000000000
--- a/src/cert/x509self/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define X509_SELF_SIGNED
-
-<requires>
-x509cert
-</requires>
-
diff --git a/src/cms/info.txt b/src/cms/info.txt
index 79c16e200..0e74caa49 100644
--- a/src/cms/info.txt
+++ b/src/cms/info.txt
@@ -14,5 +14,5 @@ pem
pubkey
sha1
algo_base
-x509cert
+x509
</requires>
diff --git a/src/ssl/info.txt b/src/ssl/info.txt
index 169b76115..fd2c255fc 100644
--- a/src/ssl/info.txt
+++ b/src/ssl/info.txt
@@ -67,5 +67,5 @@ rng
rsa
sha1
ssl3mac
-x509cert
+x509
</requires>