Move TLS cert verification callback from Credentials_Manager to TLS::Callbacks

It is the only function in C_M which is called on to process session-specific
(and adversarially provided) inputs, rather than passively returning some credential
which is typically not session specific.

2 files changed, 26 insertions, 18 deletions

diff --git a/src/cli/credentials.h b/src/cli/credentials.h
index 95bbd5aa4..71acdc83d 100644
--- a/src/cli/credentials.h
+++ b/src/cli/credentials.h
@@ -92,24 +92,6 @@ class Basic_Credentials_Manager : public Botan::Credentials_Manager
          return v;
          }
 
-      void verify_certificate_chain(
-         const std::string& type,
-         const std::string& purported_hostname,
-         const std::vector<Botan::X509_Certificate>& cert_chain) override
-         {
-         try
-            {
-            Credentials_Manager::verify_certificate_chain(type,
-                                                          purported_hostname,
-                                                          cert_chain);
-            }
-         catch(std::exception& e)
-            {
-            std::cout << e.what() << std::endl;
-            //throw;
-            }
-         }
-
       std::vector<Botan::X509_Certificate> cert_chain(
          const std::vector<std::string>& algos,
          const std::string& type,
diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp
index 0d96f3348..fdbc21ec9 100644
--- a/src/cli/tls_client.cpp
+++ b/src/cli/tls_client.cpp
@@ -10,6 +10,7 @@
 #if defined(BOTAN_HAS_TLS) && defined(BOTAN_TARGET_OS_HAS_SOCKETS)
 
 #include <botan/tls_client.h>
+#include <botan/x509path.h>
 #include <botan/hex.h>
 
 #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
@@ -250,6 +251,31 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks
          return fd;
          }
 
+      void tls_verify_cert_chain(
+         const std::vector<Botan::X509_Certificate>& cert_chain,
+         const std::vector<Botan::Certificate_Store*>& trusted_roots,
+         Botan::Usage_Type usage,
+         const std::string& hostname) override
+         {
+         if(cert_chain.empty())
+            throw std::invalid_argument("Certificate chain was empty");
+
+         Botan::Path_Validation_Restrictions restrictions(true, 80);
+
+         auto ocsp_timeout = std::chrono::milliseconds(300);
+
+         Botan::Path_Validation_Result result =
+            Botan::x509_path_validate(cert_chain,
+                                      restrictions,
+                                      trusted_roots,
+                                      hostname,
+                                      usage,
+                                      std::chrono::system_clock::now(),
+                                      ocsp_timeout);
+
+         std::cout << "Certificate validation status: " << result.result_string() << "\n";
+         }
+
       bool tls_session_established(const Botan::TLS::Session& session) override
          {
          output() << "Handshake complete, " << session.version().to_string()