diff options
author | lloyd <[email protected]> | 2012-02-06 19:30:38 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-02-06 19:30:38 +0000 |
commit | f1a2b5a7b5f35322927446d1b9a381f05cc677df (patch) | |
tree | 905b125d9173a32c4a3b758ae124ded0d045d635 /src/cert | |
parent | cd58927000ef86eacc9de5b80f361d4d05e71731 (diff) |
All of the X509 modules were actually mutually dependent. Ideally this
would be fixed but it's quite hard to do, makes more sense for now to
merge then back into one big x509 blog.
Diffstat (limited to 'src/cert')
-rw-r--r-- | src/cert/certstore/info.txt | 6 | ||||
-rw-r--r-- | src/cert/pkcs10/info.txt | 6 | ||||
-rw-r--r-- | src/cert/x509/certstor.cpp (renamed from src/cert/certstore/certstor.cpp) | 9 | ||||
-rw-r--r-- | src/cert/x509/certstor.h (renamed from src/cert/certstore/certstor.h) | 2 | ||||
-rw-r--r-- | src/cert/x509/crl_ent.cpp (renamed from src/cert/x509crl/crl_ent.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/crl_ent.h (renamed from src/cert/x509crl/crl_ent.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/info.txt (renamed from src/cert/x509cert/info.txt) | 1 | ||||
-rw-r--r-- | src/cert/x509/pkcs10.cpp (renamed from src/cert/pkcs10/pkcs10.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/pkcs10.h (renamed from src/cert/pkcs10/pkcs10.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_ca.cpp (renamed from src/cert/x509ca/x509_ca.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_ca.h (renamed from src/cert/x509ca/x509_ca.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_crl.cpp (renamed from src/cert/x509crl/x509_crl.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_crl.h (renamed from src/cert/x509crl/x509_crl.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_ext.cpp (renamed from src/cert/x509cert/x509_ext.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_ext.h (renamed from src/cert/x509cert/x509_ext.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_obj.cpp (renamed from src/cert/x509cert/x509_obj.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_obj.h (renamed from src/cert/x509cert/x509_obj.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509cert.cpp (renamed from src/cert/x509cert/x509cert.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509cert.h (renamed from src/cert/x509cert/x509cert.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509opt.cpp (renamed from src/cert/x509self/x509opt.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509path.cpp (renamed from src/cert/x509path/x509path.cpp) | 54 | ||||
-rw-r--r-- | src/cert/x509/x509path.h (renamed from src/cert/x509path/x509path.h) | 50 | ||||
-rw-r--r-- | src/cert/x509/x509self.cpp (renamed from src/cert/x509self/x509self.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509self.h (renamed from src/cert/x509self/x509self.h) | 0 | ||||
-rw-r--r-- | src/cert/x509ca/info.txt | 6 | ||||
-rw-r--r-- | src/cert/x509crl/info.txt | 6 | ||||
-rw-r--r-- | src/cert/x509path/info.txt | 5 | ||||
-rw-r--r-- | src/cert/x509self/info.txt | 6 |
28 files changed, 72 insertions, 79 deletions
diff --git a/src/cert/certstore/info.txt b/src/cert/certstore/info.txt deleted file mode 100644 index a5de1baff..000000000 --- a/src/cert/certstore/info.txt +++ /dev/null @@ -1,6 +0,0 @@ -define CERTIFICATE_STORE - -<requires> -x509cert -x509crl -</requires> diff --git a/src/cert/pkcs10/info.txt b/src/cert/pkcs10/info.txt deleted file mode 100644 index bf53a562a..000000000 --- a/src/cert/pkcs10/info.txt +++ /dev/null @@ -1,6 +0,0 @@ -define PKCS10_REQUESTS - -<requires> -asn1 -x509cert -</requires> diff --git a/src/cert/certstore/certstor.cpp b/src/cert/x509/certstor.cpp index 7aa528d04..de27361ed 100644 --- a/src/cert/certstore/certstor.cpp +++ b/src/cert/x509/certstor.cpp @@ -9,6 +9,15 @@ namespace Botan { +bool Certificate_Store::certificate_known(const X509_Certificate& cert) const + { + std::vector<X509_Certificate> found = + find_cert_by_subject_and_key_id(cert.subject_dn(), + cert.subject_key_id()); + + return (found.size() > 0); + } + void Certificate_Store_In_Memory::add_certificate(const X509_Certificate& cert) { for(size_t i = 0; i != certs.size(); ++i) diff --git a/src/cert/certstore/certstor.h b/src/cert/x509/certstor.h index 604541d52..e2727c569 100644 --- a/src/cert/certstore/certstor.h +++ b/src/cert/x509/certstor.h @@ -31,6 +31,8 @@ class BOTAN_DLL Certificate_Store */ virtual void add_crl(const X509_CRL& crl) = 0; + bool certificate_known(const X509_Certificate& cert) const; + /** * Subject DN and (optionally) key identifier */ diff --git a/src/cert/x509crl/crl_ent.cpp b/src/cert/x509/crl_ent.cpp index d566637f6..d566637f6 100644 --- a/src/cert/x509crl/crl_ent.cpp +++ b/src/cert/x509/crl_ent.cpp diff --git a/src/cert/x509crl/crl_ent.h b/src/cert/x509/crl_ent.h index ae9535484..ae9535484 100644 --- a/src/cert/x509crl/crl_ent.h +++ b/src/cert/x509/crl_ent.h diff --git a/src/cert/x509cert/info.txt b/src/cert/x509/info.txt index 5e3715e7a..c994dab8f 100644 --- a/src/cert/x509cert/info.txt +++ b/src/cert/x509/info.txt @@ -1,6 +1,5 @@ define X509_CERTIFICATES <requires> -certstore datastor </requires> diff --git a/src/cert/pkcs10/pkcs10.cpp b/src/cert/x509/pkcs10.cpp index 784318d3d..784318d3d 100644 --- a/src/cert/pkcs10/pkcs10.cpp +++ b/src/cert/x509/pkcs10.cpp diff --git a/src/cert/pkcs10/pkcs10.h b/src/cert/x509/pkcs10.h index bd01fb6b5..bd01fb6b5 100644 --- a/src/cert/pkcs10/pkcs10.h +++ b/src/cert/x509/pkcs10.h diff --git a/src/cert/x509ca/x509_ca.cpp b/src/cert/x509/x509_ca.cpp index 40f2e3b3a..40f2e3b3a 100644 --- a/src/cert/x509ca/x509_ca.cpp +++ b/src/cert/x509/x509_ca.cpp diff --git a/src/cert/x509ca/x509_ca.h b/src/cert/x509/x509_ca.h index 97be6a415..97be6a415 100644 --- a/src/cert/x509ca/x509_ca.h +++ b/src/cert/x509/x509_ca.h diff --git a/src/cert/x509crl/x509_crl.cpp b/src/cert/x509/x509_crl.cpp index 9c6b891c7..9c6b891c7 100644 --- a/src/cert/x509crl/x509_crl.cpp +++ b/src/cert/x509/x509_crl.cpp diff --git a/src/cert/x509crl/x509_crl.h b/src/cert/x509/x509_crl.h index 55eb8424b..55eb8424b 100644 --- a/src/cert/x509crl/x509_crl.h +++ b/src/cert/x509/x509_crl.h diff --git a/src/cert/x509cert/x509_ext.cpp b/src/cert/x509/x509_ext.cpp index 6e0befaf3..6e0befaf3 100644 --- a/src/cert/x509cert/x509_ext.cpp +++ b/src/cert/x509/x509_ext.cpp diff --git a/src/cert/x509cert/x509_ext.h b/src/cert/x509/x509_ext.h index 714e29562..714e29562 100644 --- a/src/cert/x509cert/x509_ext.h +++ b/src/cert/x509/x509_ext.h diff --git a/src/cert/x509cert/x509_obj.cpp b/src/cert/x509/x509_obj.cpp index c58081225..c58081225 100644 --- a/src/cert/x509cert/x509_obj.cpp +++ b/src/cert/x509/x509_obj.cpp diff --git a/src/cert/x509cert/x509_obj.h b/src/cert/x509/x509_obj.h index 570b00f51..570b00f51 100644 --- a/src/cert/x509cert/x509_obj.h +++ b/src/cert/x509/x509_obj.h diff --git a/src/cert/x509cert/x509cert.cpp b/src/cert/x509/x509cert.cpp index 52115a1a8..52115a1a8 100644 --- a/src/cert/x509cert/x509cert.cpp +++ b/src/cert/x509/x509cert.cpp diff --git a/src/cert/x509cert/x509cert.h b/src/cert/x509/x509cert.h index d25b97694..d25b97694 100644 --- a/src/cert/x509cert/x509cert.h +++ b/src/cert/x509/x509cert.h diff --git a/src/cert/x509self/x509opt.cpp b/src/cert/x509/x509opt.cpp index 345df1fe0..345df1fe0 100644 --- a/src/cert/x509self/x509opt.cpp +++ b/src/cert/x509/x509opt.cpp diff --git a/src/cert/x509path/x509path.cpp b/src/cert/x509/x509path.cpp index e18c3b2f8..a9b8150ae 100644 --- a/src/cert/x509path/x509path.cpp +++ b/src/cert/x509/x509path.cpp @@ -71,11 +71,16 @@ std::vector<X509_CRL> find_crls_from(const X509_Certificate& cert, } +const X509_Certificate& Path_Validation_Result::trust_root() const + { + return m_cert_path[m_cert_path.size()-1]; + } + std::set<std::string> Path_Validation_Result::trusted_hashes() const { std::set<std::string> hashes; - for(size_t i = 0; i != cert_path.size(); ++i) - hashes.insert(cert_path[i].hash_used_for_signature()); + for(size_t i = 0; i != m_cert_path.size(); ++i) + hashes.insert(m_cert_path[i].hash_used_for_signature()); return hashes; } @@ -117,30 +122,27 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs, { Path_Validation_Result r; - r.cert_path = end_certs; + r.m_cert_path = end_certs; + + std::vector<X509_Certificate>& cert_path = r.m_cert_path; try { // iterate until we reach a root or cannot find the issuer - - while(!r.cert_path.back().is_self_signed()) + while(!cert_path.back().is_self_signed()) { - X509_Certificate cert = find_issuing_cert(r.cert_path.back(), - certstores); - - r.cert_path.push_back(cert); + cert_path.push_back( + find_issuing_cert(cert_path.back(), certstores) + ); } - /* - for(size_t i = 0; i != r.cert_path.size(); ++i) - std::cout << "Cert " << i << " = " << r.cert_path[i].subject_dn() << "\n"; - */ + const bool self_signed_ee_cert = (cert_path.size() == 1); X509_Time current_time(system_time()); - for(size_t i = 0; i != r.cert_path.size(); ++i) + for(size_t i = 0; i != cert_path.size(); ++i) { - const X509_Certificate& subject = r.cert_path[i]; + const X509_Certificate& subject = cert_path[i]; // Check all certs for valid time range if(current_time < X509_Time(subject.start_time())) @@ -149,13 +151,15 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs, if(current_time > X509_Time(subject.end_time())) throw PKIX_Validation_Failure(CERT_HAS_EXPIRED); - const bool at_self_signed_root = (i == r.cert_path.size() - 1); + const bool at_self_signed_root = (i == cert_path.size() - 1); const X509_Certificate& issuer = - r.cert_path[at_self_signed_root ? (i) : (i + 1)]; + cert_path[at_self_signed_root ? (i) : (i + 1)]; // Check issuer constraints - if(!issuer.is_CA_cert()) // require this for self-signed end-entity? + + // Don't require CA bit set on self-signed end entity cert + if(!issuer.is_CA_cert() && !self_signed_ee_cert) throw PKIX_Validation_Failure(CA_CERT_NOT_FOR_CERT_ISSUER); if(issuer.path_limit() < i) @@ -165,17 +169,16 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs, throw PKIX_Validation_Failure(SIGNATURE_ERROR); } - r.validation_result = VERIFIED; - - for(size_t i = 1; i != r.cert_path.size(); ++i) + for(size_t i = 1; i != cert_path.size(); ++i) { - const X509_Certificate& subject = r.cert_path[i-1]; - const X509_Certificate& ca = r.cert_path[i]; + const X509_Certificate& subject = cert_path[i-1]; + const X509_Certificate& ca = cert_path[i]; std::vector<X509_CRL> crls = find_crls_from(ca, certstores); if(crls.empty()) - throw PKIX_Validation_Failure(CRL_NOT_FOUND); + //throw PKIX_Validation_Failure(CRL_NOT_FOUND); + continue; const X509_CRL& crl = crls[0]; @@ -195,10 +198,11 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs, throw PKIX_Validation_Failure(CERT_IS_REVOKED); } + r.set_result(self_signed_ee_cert ? CANNOT_ESTABLISH_TRUST : VERIFIED); } catch(PKIX_Validation_Failure& e) { - r.validation_result = e.code(); + r.set_result(e.code()); } return r; diff --git a/src/cert/x509path/x509path.h b/src/cert/x509/x509path.h index b32a69162..c389431d8 100644 --- a/src/cert/x509path/x509path.h +++ b/src/cert/x509/x509path.h @@ -45,34 +45,48 @@ enum X509_Path_Validation_Code { CA_CERT_NOT_FOR_CRL_ISSUER }; - enum Usage_Restrictions { - NO_RESTRICTIONS = 0x00, - TLS_SERVER = 0x01, - TLS_CLIENT = 0x02, - CODE_SIGNING = 0x04, - EMAIL_PROTECTION = 0x08, - TIME_STAMPING = 0x10, - CRL_SIGNING = 0x20 - }; - -class Path_Validation_Result +enum Usage_Restrictions { + NO_RESTRICTIONS = 0x00, + TLS_SERVER = 0x01, + TLS_CLIENT = 0x02, + CODE_SIGNING = 0x04, + EMAIL_PROTECTION = 0x08, + TIME_STAMPING = 0x10, + CRL_SIGNING = 0x20 +}; + +class BOTAN_DLL Path_Validation_Result { public: Path_Validation_Result() : - validation_result(UNKNOWN_X509_ERROR), - allowed_usages(NO_RESTRICTIONS) + m_result(UNKNOWN_X509_ERROR), + m_usages(NO_RESTRICTIONS) {} - X509_Path_Validation_Code validation_result; - Usage_Restrictions allowed_usages; - - std::vector<X509_Certificate> cert_path; - /** * Returns the set of hash functions you are implicitly * trusting by trusting this result. */ std::set<std::string> trusted_hashes() const; + + const X509_Certificate& trust_root() const; + + const std::vector<X509_Certificate>& cert_path() const { return m_cert_path; } + + bool successful_validation() const { return result() == VERIFIED; } + + X509_Path_Validation_Code result() const { return m_result; } + private: + friend Path_Validation_Result x509_path_validate( + const std::vector<X509_Certificate>& end_certs, + const std::vector<Certificate_Store*>& certstores); + + void set_result(X509_Path_Validation_Code result) { m_result = result; } + + X509_Path_Validation_Code m_result; + Usage_Restrictions m_usages; + + std::vector<X509_Certificate> m_cert_path; }; Path_Validation_Result BOTAN_DLL x509_path_validate( diff --git a/src/cert/x509self/x509self.cpp b/src/cert/x509/x509self.cpp index a2f89159f..a2f89159f 100644 --- a/src/cert/x509self/x509self.cpp +++ b/src/cert/x509/x509self.cpp diff --git a/src/cert/x509self/x509self.h b/src/cert/x509/x509self.h index 2850096c8..2850096c8 100644 --- a/src/cert/x509self/x509self.h +++ b/src/cert/x509/x509self.h diff --git a/src/cert/x509ca/info.txt b/src/cert/x509ca/info.txt deleted file mode 100644 index d412c3070..000000000 --- a/src/cert/x509ca/info.txt +++ /dev/null @@ -1,6 +0,0 @@ -define X509_CA - -<requires> -pkcs10 -x509cert -</requires> diff --git a/src/cert/x509crl/info.txt b/src/cert/x509crl/info.txt deleted file mode 100644 index 77de46074..000000000 --- a/src/cert/x509crl/info.txt +++ /dev/null @@ -1,6 +0,0 @@ -define X509_CRL - -<requires> -x509cert -</requires> - diff --git a/src/cert/x509path/info.txt b/src/cert/x509path/info.txt deleted file mode 100644 index b24b03a02..000000000 --- a/src/cert/x509path/info.txt +++ /dev/null @@ -1,5 +0,0 @@ -define X509_STORE - -<requires> -x509cert -</requires> diff --git a/src/cert/x509self/info.txt b/src/cert/x509self/info.txt deleted file mode 100644 index bb02c4f74..000000000 --- a/src/cert/x509self/info.txt +++ /dev/null @@ -1,6 +0,0 @@ -define X509_SELF_SIGNED - -<requires> -x509cert -</requires> - |