authorlloyd <[email protected]>2012-03-28 23:24:38 +0000
committerlloyd <[email protected]>2012-03-28 23:24:38 +0000
commit0da08c29d55ddea710767267af3ec690e91a77a6 (patch)
treeedcf93c880c2f83fb91964f554637b77c94810f5 /src/cert/x509/x509path.h
parentd4050e6b838acfd9552b4ab137fbf0717ff1e0ca (diff)
Pass a class to the validation function that represents any
restrictions on the validation process. Currently these are whether revocation information (CRL or hypothetically OCSP) is required, and what hashes to trust. Default trusted hashes are SHA-1 and SHA-2. This will also be used for policy restrictions, likely other things. The result enum is now a member of Path_Validation_Result. Remove the usage restrictions enum. It is easier, for applications that actually care about one of these, to just check the extended constraint attribute on the final result, if everything else validates.
Diffstat (limited to 'src/cert/x509/x509path.h')
-rw-r--r--src/cert/x509/x509path.h110
1 files changed, 62 insertions, 48 deletions
diff --git a/src/cert/x509/x509path.h b/src/cert/x509/x509path.h
index c389431d8..18129a236 100644
--- a/src/cert/x509/x509path.h
+++ b/src/cert/x509/x509path.h
@@ -14,54 +14,59 @@
namespace Botan {
-/**
-* X.509 Certificate Validation Result
-*/
-enum X509_Path_Validation_Code {
- VERIFIED,
- UNKNOWN_X509_ERROR,
- CANNOT_ESTABLISH_TRUST,
- CERT_CHAIN_TOO_LONG,
- SIGNATURE_ERROR,
- POLICY_ERROR,
- INVALID_USAGE,
-
- CERT_MULTIPLE_ISSUERS_FOUND,
-
- CERT_FORMAT_ERROR,
- CERT_ISSUER_NOT_FOUND,
- CERT_NOT_YET_VALID,
- CERT_HAS_EXPIRED,
- CERT_IS_REVOKED,
-
- CRL_NOT_FOUND,
- CRL_FORMAT_ERROR,
- CRL_ISSUER_NOT_FOUND,
- CRL_NOT_YET_VALID,
- CRL_HAS_EXPIRED,
-
- CA_CERT_CANNOT_SIGN,
- CA_CERT_NOT_FOR_CERT_ISSUER,
- CA_CERT_NOT_FOR_CRL_ISSUER
-};
-
-enum Usage_Restrictions {
- NO_RESTRICTIONS = 0x00,
- TLS_SERVER = 0x01,
- TLS_CLIENT = 0x02,
- CODE_SIGNING = 0x04,
- EMAIL_PROTECTION = 0x08,
- TIME_STAMPING = 0x10,
- CRL_SIGNING = 0x20
-};
+class BOTAN_DLL Path_Validation_Restrictions
+ {
+ public:
+ Path_Validation_Restrictions(bool require_rev = false);
+
+ Path_Validation_Restrictions(bool require_rev,
+ const std::set<std::string>& trusted_hashes) :
+ m_require_revocation_information(require_rev),
+ m_trusted_hashes(trusted_hashes) {}
+
+ bool require_revocation_information() const
+ { return m_require_revocation_information; }
+
+ const std::set<std::string>& trusted_hashes() const
+ { return m_trusted_hashes; }
+ private:
+ bool m_require_revocation_information;
+ std::set<std::string> m_trusted_hashes;
+ };
class BOTAN_DLL Path_Validation_Result
{
public:
- Path_Validation_Result() :
- m_result(UNKNOWN_X509_ERROR),
- m_usages(NO_RESTRICTIONS)
- {}
+ /**
+ * X.509 Certificate Validation Result
+ */
+ enum Code {
+ VERIFIED,
+ UNKNOWN_X509_ERROR,
+ CANNOT_ESTABLISH_TRUST,
+ CERT_CHAIN_TOO_LONG,
+ SIGNATURE_ERROR,
+ POLICY_ERROR,
+ INVALID_USAGE,
+ UNTRUSTED_HASH,
+
+ CERT_MULTIPLE_ISSUERS_FOUND,
+
+ CERT_FORMAT_ERROR,
+ CERT_ISSUER_NOT_FOUND,
+ CERT_NOT_YET_VALID,
+ CERT_HAS_EXPIRED,
+ CERT_IS_REVOKED,
+
+ CRL_NOT_FOUND,
+ CRL_FORMAT_ERROR,
+ CRL_NOT_YET_VALID,
+ CRL_HAS_EXPIRED,
+
+ CA_CERT_CANNOT_SIGN,
+ CA_CERT_NOT_FOR_CERT_ISSUER,
+ CA_CERT_NOT_FOR_CRL_ISSUER
+ };
/**
* Returns the set of hash functions you are implicitly
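Review bot: The single-argument constructor `Path_Validation_Restrictions(bool require_rev = false);` is not `explicit`, so a bare `bool` (or anything that converts to one) is implicitly accepted wherever the new `restrictions` parameter of `x509_path_validate` is expected. Declaring it `explicit Path_Validation_Restrictions(bool require_rev = false);` keeps the policy choice visible at each call site. The class also has no doc comment; it should state that the default does not require revocation information and which hashes the one-argument form trusts, since the commit message names SHA-1 and SHA-2 but the header does not. How an empty `trusted_hashes` set passed to the two-argument constructor is treated is not visible here and should be documented as well.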
@@ -75,34 +80,43 @@ class BOTAN_DLL Path_Validation_Result
bool successful_validation() const { return result() == VERIFIED; }
- X509_Path_Validation_Code result() const { return m_result; }
+ Code result() const { return m_result; }
+
+ std::string result_string() const;
+
private:
+ Path_Validation_Result() : m_result(UNKNOWN_X509_ERROR) {}
+
friend Path_Validation_Result x509_path_validate(
const std::vector<X509_Certificate>& end_certs,
+ const Path_Validation_Restrictions& restrictions,
const std::vector<Certificate_Store*>& certstores);
- void set_result(X509_Path_Validation_Code result) { m_result = result; }
+ void set_result(Code result) { m_result = result; }
- X509_Path_Validation_Code m_result;
- Usage_Restrictions m_usages;
+ Code m_result;
std::vector<X509_Certificate> m_cert_path;
};
Path_Validation_Result BOTAN_DLL x509_path_validate(
const std::vector<X509_Certificate>& end_certs,
+ const Path_Validation_Restrictions& restrictions,
const std::vector<Certificate_Store*>& certstores);
Path_Validation_Result BOTAN_DLL x509_path_validate(
const X509_Certificate& end_cert,
+ const Path_Validation_Restrictions& restrictions,
const std::vector<Certificate_Store*>& certstores);
Path_Validation_Result BOTAN_DLL x509_path_validate(
const X509_Certificate& end_cert,
+ const Path_Validation_Restrictions& restrictions,
Certificate_Store& store);
Path_Validation_Result BOTAN_DLL x509_path_validate(
const std::vector<X509_Certificate>& end_certs,
+ const Path_Validation_Restrictions& restrictions,
Certificate_Store& store);
}
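Review bot: With `m_usages` removed, nothing in this interface says whether `successful_validation()` still covers the certificate's intended purpose; the commit message leaves that check to the application. A doc comment on `successful_validation()` and on the `x509_path_validate` overloads should say so, for example `/** True if the path validated; key usage / extended key usage is not checked here, callers must check it themselves */`. `INVALID_USAGE` remains in `Code`, so whether the validator can still return it is unclear from the header and worth confirming. `result_string()` is also added without a comment. The body of `Path_Validation_Result` begins outside this hunk.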