aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2018-08-16 19:07:24 -0400
committerJack Lloyd <[email protected]>2018-08-16 19:07:24 -0400
commit5d15cbbad729cde83f35ca4e73c3afd62f0e5f7c (patch)
treea5f01f545f848e809e4b39ba7f03f507ab244f0f /src
parentabac219d8a0a48b7d03221cbd9c3f84127acaa01 (diff)
Add args for botan FFI cert verification for hostname and time
Diffstat (limited to 'src')
-rw-r--r--src/lib/ffi/ffi.h4
-rw-r--r--src/lib/ffi/ffi_cert.cpp16
-rw-r--r--src/tests/test_ffi.cpp8
3 files changed, 20 insertions, 8 deletions
diff --git a/src/lib/ffi/ffi.h b/src/lib/ffi/ffi.h
index a680a0c19..19e04ce4d 100644
--- a/src/lib/ffi/ffi.h
+++ b/src/lib/ffi/ffi.h
@@ -1420,7 +1420,9 @@ BOTAN_PUBLIC_API(2,8) int botan_x509_cert_verify(
const botan_x509_cert_t* trusted,
size_t trusted_len,
const char* trusted_path,
- size_t required_strength);
+ size_t required_strength,
+ const char* hostname,
+ uint64_t reference_time);
/**
* Returns a pointer to a static character string explaining the status code,
diff --git a/src/lib/ffi/ffi_cert.cpp b/src/lib/ffi/ffi_cert.cpp
index 1e832765c..723bea862 100644
--- a/src/lib/ffi/ffi_cert.cpp
+++ b/src/lib/ffi/ffi_cert.cpp
@@ -261,14 +261,21 @@ int botan_x509_cert_verify(int* result_code,
const botan_x509_cert_t* trusted,
size_t trusted_len,
const char* trusted_path,
- size_t required_strength)
+ size_t required_strength,
+ const char* hostname_cstr,
+ uint64_t reference_time)
{
if(required_strength == 0)
required_strength = 110;
return ffi_guard_thunk(BOTAN_CURRENT_FUNCTION, [=]() -> int {
- std::vector<Botan::X509_Certificate> end_certs;
+ const std::string hostname((hostname_cstr == nullptr) ? "" : hostname_cstr);
+ const Botan::Usage_Type usage = Botan::Usage_Type::UNSPECIFIED;
+ const auto validation_time = reference_time == 0 ?
+ std::chrono::system_clock::now() :
+ std::chrono::system_clock::from_time_t(static_cast<time_t>(reference_time));
+ std::vector<Botan::X509_Certificate> end_certs;
end_certs.push_back(safe_get(cert));
for(size_t i = 0; i != intermediates_len; ++i)
end_certs.push_back(safe_get(intermediates[i]));
@@ -297,7 +304,10 @@ int botan_x509_cert_verify(int* result_code,
auto validation_result = Botan::x509_path_validate(end_certs,
restrictions,
- trusted_roots);
+ trusted_roots,
+ hostname,
+ usage,
+ validation_time);
if(result_code)
*result_code = static_cast<int>(validation_result.result());
diff --git a/src/tests/test_ffi.cpp b/src/tests/test_ffi.cpp
index 20a531820..c0068ea66 100644
--- a/src/tests/test_ffi.cpp
+++ b/src/tests/test_ffi.cpp
@@ -279,11 +279,11 @@ class FFI_Unit_Tests final : public Test
REQUIRE_FFI_OK(botan_x509_cert_load_file, (&end2, Test::data_file("x509/nist/test02/end.crt").c_str()));
REQUIRE_FFI_OK(botan_x509_cert_load_file, (&sub2, Test::data_file("x509/nist/test02/int.crt").c_str()));
- TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end2, &sub2, 1, &root, 1, NULL, 0));
+ TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end2, &sub2, 1, &root, 1, nullptr, 0, nullptr, 0));
result.confirm("Validation failed", rc == 5002);
result.test_eq("Validation status string", botan_x509_cert_validation_status(rc), "Signature error");
- TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end2, nullptr, 0, &root, 1, NULL, 0));
+ TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end2, nullptr, 0, &root, 1, nullptr, 0, nullptr, 0));
result.confirm("Validation failed", rc == 3000);
result.test_eq("Validation status string", botan_x509_cert_validation_status(rc), "Certificate issuer not found");
@@ -293,12 +293,12 @@ class FFI_Unit_Tests final : public Test
REQUIRE_FFI_OK(botan_x509_cert_load_file, (&sub7, Test::data_file("x509/nist/test07/int.crt").c_str()));
botan_x509_cert_t subs[2] = {sub2, sub7};
- TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end7, subs, 2, &root, 1, NULL, 0));
+ TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end7, subs, 2, &root, 1, nullptr, 0, nullptr, 0));
result.confirm("Validation failed", rc == 1001);
result.test_eq("Validation status string", botan_x509_cert_validation_status(rc),
"Hash function used is considered too weak for security");
- TEST_FFI_RC(0, botan_x509_cert_verify, (&rc, end7, subs, 2, &root, 1, NULL, 80));
+ TEST_FFI_RC(0, botan_x509_cert_verify, (&rc, end7, subs, 2, &root, 1, nullptr, 80, nullptr, 0));
result.confirm("Validation passed", rc == 0);
result.test_eq("Validation status string", botan_x509_cert_validation_status(rc), "Verified");