aboutsummaryrefslogtreecommitdiffstats
path: root/src/credentials/credentials_manager.cpp
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-02-01 17:55:03 +0000
committerlloyd <[email protected]>2012-02-01 17:55:03 +0000
commit863a5420e3ad5efcfc7a175eed0d1a0b641c83c0 (patch)
treead82580eca85f784b2965ec61a1d1bb25fac1695 /src/credentials/credentials_manager.cpp
parente2e9105071f2d0a1360603f06c2acf68865ff072 (diff)
Actually check CA signatures in Credentials_Manager. This area needs a
lot more work before this can be deployed.
Diffstat (limited to 'src/credentials/credentials_manager.cpp')
-rw-r--r--src/credentials/credentials_manager.cpp28
1 files changed, 15 insertions, 13 deletions
diff --git a/src/credentials/credentials_manager.cpp b/src/credentials/credentials_manager.cpp
index 7ca6ac657..ef5d44819 100644
--- a/src/credentials/credentials_manager.cpp
+++ b/src/credentials/credentials_manager.cpp
@@ -6,6 +6,7 @@
*/
#include <botan/credentials_manager.h>
+#include <botan/x509stor.h>
namespace Botan {
@@ -88,31 +89,32 @@ Credentials_Manager::trusted_certificate_authorities(
}
void Credentials_Manager::verify_certificate_chain(
- const std::vector<X509_Certificate>& cert_chain,
- const std::string& purported_hostname)
+ const std::string& type,
+ const std::string& purported_hostname,
+ const std::vector<X509_Certificate>& cert_chain)
{
if(cert_chain.empty())
throw std::invalid_argument("Certificate chain was empty");
-#if 0
- X509_Store store;
+ if(!cert_chain[0].matches_dns_name(purported_hostname))
+ throw std::runtime_error("Certificate did not match hostname");
+
+ std::vector<X509_Certificate> CAs = trusted_certificate_authorities(type, purported_hostname);
- std::vector<X509_Certificate> CAs = trusted_certificate_authorities();
+ X509_Store store;
- for(size_t i = 1; i != CAs.size(); ++i)
+ for(size_t i = 0; i != CAs.size(); ++i)
store.add_cert(CAs[i], true);
- for(size_t i = 1; i != cert_chain.size(); ++i)
+ for(size_t i = 0; i != cert_chain.size(); ++i)
store.add_cert(cert_chain[i]);
- X509_Code result = store.validate_cert(cert_chain[0], TLS_SERVER);
+ X509_Code result = store.validate_cert(cert_chain[0], X509_Store::TLS_SERVER);
+
+ if(CAs.empty() && result == CERT_ISSUER_NOT_FOUND)
+ return;
if(result != VERIFIED)
throw std::runtime_error("Certificate did not validate");
-
- if(!cert_chain[0].matches_dns_name(purported_hostname))
- throw std::runtime_error("Certificate did not match hostname");
-
-#endif
}
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-21 18:49:30 +0000