diff options
author | Jack Lloyd <[email protected]> | 2018-08-16 19:07:24 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-08-16 19:07:24 -0400 |
commit | 5d15cbbad729cde83f35ca4e73c3afd62f0e5f7c (patch) | |
tree | a5f01f545f848e809e4b39ba7f03f507ab244f0f | |
parent | abac219d8a0a48b7d03221cbd9c3f84127acaa01 (diff) |
Add args for botan FFI cert verification for hostname and time
-rw-r--r-- | src/lib/ffi/ffi.h | 4 | ||||
-rw-r--r-- | src/lib/ffi/ffi_cert.cpp | 16 | ||||
-rw-r--r-- | src/tests/test_ffi.cpp | 8 |
3 files changed, 20 insertions, 8 deletions
diff --git a/src/lib/ffi/ffi.h b/src/lib/ffi/ffi.h index a680a0c19..19e04ce4d 100644 --- a/src/lib/ffi/ffi.h +++ b/src/lib/ffi/ffi.h @@ -1420,7 +1420,9 @@ BOTAN_PUBLIC_API(2,8) int botan_x509_cert_verify( const botan_x509_cert_t* trusted, size_t trusted_len, const char* trusted_path, - size_t required_strength); + size_t required_strength, + const char* hostname, + uint64_t reference_time); /** * Returns a pointer to a static character string explaining the status code, diff --git a/src/lib/ffi/ffi_cert.cpp b/src/lib/ffi/ffi_cert.cpp index 1e832765c..723bea862 100644 --- a/src/lib/ffi/ffi_cert.cpp +++ b/src/lib/ffi/ffi_cert.cpp @@ -261,14 +261,21 @@ int botan_x509_cert_verify(int* result_code, const botan_x509_cert_t* trusted, size_t trusted_len, const char* trusted_path, - size_t required_strength) + size_t required_strength, + const char* hostname_cstr, + uint64_t reference_time) { if(required_strength == 0) required_strength = 110; return ffi_guard_thunk(BOTAN_CURRENT_FUNCTION, [=]() -> int { - std::vector<Botan::X509_Certificate> end_certs; + const std::string hostname((hostname_cstr == nullptr) ? "" : hostname_cstr); + const Botan::Usage_Type usage = Botan::Usage_Type::UNSPECIFIED; + const auto validation_time = reference_time == 0 ? + std::chrono::system_clock::now() : + std::chrono::system_clock::from_time_t(static_cast<time_t>(reference_time)); + std::vector<Botan::X509_Certificate> end_certs; end_certs.push_back(safe_get(cert)); for(size_t i = 0; i != intermediates_len; ++i) end_certs.push_back(safe_get(intermediates[i])); @@ -297,7 +304,10 @@ int botan_x509_cert_verify(int* result_code, auto validation_result = Botan::x509_path_validate(end_certs, restrictions, - trusted_roots); + trusted_roots, + hostname, + usage, + validation_time); if(result_code) *result_code = static_cast<int>(validation_result.result()); diff --git a/src/tests/test_ffi.cpp b/src/tests/test_ffi.cpp index 20a531820..c0068ea66 100644 --- a/src/tests/test_ffi.cpp +++ b/src/tests/test_ffi.cpp @@ -279,11 +279,11 @@ class FFI_Unit_Tests final : public Test REQUIRE_FFI_OK(botan_x509_cert_load_file, (&end2, Test::data_file("x509/nist/test02/end.crt").c_str())); REQUIRE_FFI_OK(botan_x509_cert_load_file, (&sub2, Test::data_file("x509/nist/test02/int.crt").c_str())); - TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end2, &sub2, 1, &root, 1, NULL, 0)); + TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end2, &sub2, 1, &root, 1, nullptr, 0, nullptr, 0)); result.confirm("Validation failed", rc == 5002); result.test_eq("Validation status string", botan_x509_cert_validation_status(rc), "Signature error"); - TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end2, nullptr, 0, &root, 1, NULL, 0)); + TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end2, nullptr, 0, &root, 1, nullptr, 0, nullptr, 0)); result.confirm("Validation failed", rc == 3000); result.test_eq("Validation status string", botan_x509_cert_validation_status(rc), "Certificate issuer not found"); @@ -293,12 +293,12 @@ class FFI_Unit_Tests final : public Test REQUIRE_FFI_OK(botan_x509_cert_load_file, (&sub7, Test::data_file("x509/nist/test07/int.crt").c_str())); botan_x509_cert_t subs[2] = {sub2, sub7}; - TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end7, subs, 2, &root, 1, NULL, 0)); + TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end7, subs, 2, &root, 1, nullptr, 0, nullptr, 0)); result.confirm("Validation failed", rc == 1001); result.test_eq("Validation status string", botan_x509_cert_validation_status(rc), "Hash function used is considered too weak for security"); - TEST_FFI_RC(0, botan_x509_cert_verify, (&rc, end7, subs, 2, &root, 1, NULL, 80)); + TEST_FFI_RC(0, botan_x509_cert_verify, (&rc, end7, subs, 2, &root, 1, nullptr, 80, nullptr, 0)); result.confirm("Validation passed", rc == 0); result.test_eq("Validation status string", botan_x509_cert_validation_status(rc), "Verified"); |