authorlloyd <[email protected]>2012-11-13 19:25:35 +0000
committerlloyd <[email protected]>2012-11-13 19:25:35 +0000
commitcf8f87c832273ea2d70ed00be7130e36884e370c (patch)
tree7d8a9f493c74882a83c35b1993e8992ca221412a /src/credentials
parent58461a900aea49e5230b7b748fc481114d31904a (diff)
Change Credentials_Manager::trusted_certificate_authorities to return
a list of Certificate_Stores instead of a list of actual certs, allowing for instance the ability to reference a DB cert store without actually pulling all the certs into memory. Add Certificate_Store::all_subjects which returns the DNs of all contained certificates.
Diffstat (limited to 'src/credentials')
-rw-r--r--src/credentials/credentials_manager.cpp30
-rw-r--r--src/credentials/credentials_manager.h3
2 files changed, 22 insertions, 11 deletions
diff --git a/src/credentials/credentials_manager.cpp b/src/credentials/credentials_manager.cpp
index 95a54d1ae..1077edf61 100644
--- a/src/credentials/credentials_manager.cpp
+++ b/src/credentials/credentials_manager.cpp
@@ -85,14 +85,27 @@ Private_Key* Credentials_Manager::private_key_for(const X509_Certificate&,
return nullptr;
}
-std::vector<X509_Certificate>
+std::vector<Certificate_Store*>
Credentials_Manager::trusted_certificate_authorities(
const std::string&,
const std::string&)
{
- return std::vector<X509_Certificate>();
+ return std::vector<Certificate_Store*>();
+ }
+
+namespace {
+
+bool cert_in_some_store(const std::vector<Certificate_Store*>& trusted_CAs,
+ const X509_Certificate& trust_root)
+ {
+ for(auto CAs : trusted_CAs)
+ if(CAs->certificate_known(trust_root))
+ return true;
+ return false;
}
+}
+
void Credentials_Manager::verify_certificate_chain(
const std::string& type,
const std::string& purported_hostname,
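Review bot: `cert_in_some_store` dereferences every element of `trusted_CAs` without a null check, so a `trusted_certificate_authorities` override that returns a null entry would crash the trust-root check instead of failing validation cleanly. The condition could read `if(CAs && CAs->certificate_known(trust_root))`; whether `x509_path_validate` itself tolerates null entries is not visible in this diff. As a smaller style point, the loop variable `CAs` names a single store, so `store` would read more clearly.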
@@ -103,19 +116,16 @@ void Credentials_Manager::verify_certificate_chain(
auto trusted_CAs = trusted_certificate_authorities(type, purported_hostname);
- Certificate_Store_In_Memory CAs;
- for(auto cert : trusted_CAs)
- CAs.add_certificate(cert);
+ Path_Validation_Restrictions restrictions;
- Path_Validation_Result result =
- x509_path_validate(cert_chain,
- Path_Validation_Restrictions(),
- CAs);
+ auto result = x509_path_validate(cert_chain,
+ restrictions,
+ trusted_CAs);
if(!result.successful_validation())
throw std::runtime_error("Certificate validation failure: " + result.result_string());
- if(!CAs.certificate_known(result.trust_root()))
+ if(!cert_in_some_store(trusted_CAs, result.trust_root()))
throw std::runtime_error("Certificate chain roots in unknown/untrusted CA");
if(purported_hostname != "" && !cert_chain[0].matches_dns_name(purported_hostname))
diff --git a/src/credentials/credentials_manager.h b/src/credentials/credentials_manager.h
index 8493ccd92..85db078e3 100644
--- a/src/credentials/credentials_manager.h
+++ b/src/credentials/credentials_manager.h
@@ -9,6 +9,7 @@
#define BOTAN_CREDENTIALS_MANAGER_H__
#include <botan/x509cert.h>
+#include <botan/certstor.h>
#include <botan/symkey.h>
#include <string>
@@ -38,7 +39,7 @@ class BOTAN_DLL Credentials_Manager
* @param context specifies a context relative to type. For instance
* for type "tls-client", context specifies the servers name.
*/
- virtual std::vector<X509_Certificate> trusted_certificate_authorities(
+ virtual std::vector<Certificate_Store*> trusted_certificate_authorities(
const std::string& type,
const std::string& context);
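Review bot: The doc comment for `trusted_certificate_authorities` should state the ownership and lifetime of the returned `Certificate_Store*` values, now that the function hands out raw pointers instead of certificate copies. The comment starts outside this hunk, so its return description is not visible and may still describe a list of certificates. A line such as `* @return non-owning pointers to the trusted stores; entries must be non-null and stay valid while the caller uses them` would fit, assuming that is the intended contract. It matters because `verify_certificate_chain` uses the same pointers for both path validation and the later trust-root check.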