-rw-r--r-- | src/asn1/x509_dn.cpp | 2 | ||||
-rw-r--r-- | src/cert/certstore/info.txt | 6 | ||||
-rw-r--r-- | src/cert/pkcs10/info.txt | 6 | ||||
-rw-r--r-- | src/cert/x509/certstor.cpp (renamed from src/cert/certstore/certstor.cpp) | 9 | ||||
-rw-r--r-- | src/cert/x509/certstor.h (renamed from src/cert/certstore/certstor.h) | 2 | ||||
-rw-r--r-- | src/cert/x509/crl_ent.cpp (renamed from src/cert/x509crl/crl_ent.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/crl_ent.h (renamed from src/cert/x509crl/crl_ent.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/info.txt (renamed from src/cert/x509cert/info.txt) | 1 | ||||
-rw-r--r-- | src/cert/x509/pkcs10.cpp (renamed from src/cert/pkcs10/pkcs10.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/pkcs10.h (renamed from src/cert/pkcs10/pkcs10.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_ca.cpp (renamed from src/cert/x509ca/x509_ca.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_ca.h (renamed from src/cert/x509ca/x509_ca.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_crl.cpp (renamed from src/cert/x509crl/x509_crl.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_crl.h (renamed from src/cert/x509crl/x509_crl.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_ext.cpp (renamed from src/cert/x509cert/x509_ext.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_ext.h (renamed from src/cert/x509cert/x509_ext.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_obj.cpp (renamed from src/cert/x509cert/x509_obj.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509_obj.h (renamed from src/cert/x509cert/x509_obj.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509cert.cpp (renamed from src/cert/x509cert/x509cert.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509cert.h (renamed from src/cert/x509cert/x509cert.h) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509opt.cpp (renamed from src/cert/x509self/x509opt.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509path.cpp (renamed from src/cert/x509path/x509path.cpp) | 54 | ||||
-rw-r--r-- | src/cert/x509/x509path.h (renamed from src/cert/x509path/x509path.h) | 50 | ||||
-rw-r--r-- | src/cert/x509/x509self.cpp (renamed from src/cert/x509self/x509self.cpp) | 0 | ||||
-rw-r--r-- | src/cert/x509/x509self.h (renamed from src/cert/x509self/x509self.h) | 0 | ||||
-rw-r--r-- | src/cert/x509ca/info.txt | 6 | ||||
-rw-r--r-- | src/cert/x509crl/info.txt | 6 | ||||
-rw-r--r-- | src/cert/x509path/info.txt | 5 | ||||
-rw-r--r-- | src/cert/x509self/info.txt | 6 | ||||
-rw-r--r-- | src/cms/info.txt | 2 | ||||
-rw-r--r-- | src/ssl/info.txt | 2 |
31 files changed, 75 insertions, 82 deletions
diff --git a/src/asn1/x509_dn.cpp b/src/asn1/x509_dn.cpp index 37eecc6a3..ceb12cee6 100644 --- a/src/asn1/x509_dn.cpp +++ b/src/asn1/x509_dn.cpp @@ -177,7 +177,7 @@ bool operator!=(const X509_DN& dn1, const X509_DN& dn2) } /* -* Compare two X509_DNs +* Induce an arbitrary ordering on DNs */ bool operator<(const X509_DN& dn1, const X509_DN& dn2) { diff --git a/src/cert/certstore/info.txt b/src/cert/certstore/info.txt deleted file mode 100644 index a5de1baff..000000000 --- a/src/cert/certstore/info.txt +++ /dev/null @@ -1,6 +0,0 @@ -define CERTIFICATE_STORE - -<requires> -x509cert -x509crl -</requires> diff --git a/src/cert/pkcs10/info.txt b/src/cert/pkcs10/info.txt deleted file mode 100644 index bf53a562a..000000000 --- a/src/cert/pkcs10/info.txt +++ /dev/null @@ -1,6 +0,0 @@ -define PKCS10_REQUESTS - -<requires> -asn1 -x509cert -</requires> diff --git a/src/cert/certstore/certstor.cpp b/src/cert/x509/certstor.cpp index 7aa528d04..de27361ed 100644 --- a/src/cert/certstore/certstor.cpp +++ b/src/cert/x509/certstor.cpp @@ -9,6 +9,15 @@ namespace Botan { +bool Certificate_Store::certificate_known(const X509_Certificate& cert) const + { + std::vector<X509_Certificate> found = + find_cert_by_subject_and_key_id(cert.subject_dn(), + cert.subject_key_id()); + + return (found.size() > 0); + } + void Certificate_Store_In_Memory::add_certificate(const X509_Certificate& cert) { for(size_t i = 0; i != certs.size(); ++i) diff --git a/src/cert/certstore/certstor.h b/src/cert/x509/certstor.h index 604541d52..e2727c569 100644 --- a/src/cert/certstore/certstor.h +++ b/src/cert/x509/certstor.h @@ -31,6 +31,8 @@ class BOTAN_DLL Certificate_Store */ virtual void add_crl(const X509_CRL& crl) = 0; + bool certificate_known(const X509_Certificate& cert) const; + /** * Subject DN and (optionally) key identifier */ diff --git a/src/cert/x509crl/crl_ent.cpp b/src/cert/x509/crl_ent.cpp index d566637f6..d566637f6 100644 --- a/src/cert/x509crl/crl_ent.cpp +++ b/src/cert/x509/crl_ent.cpp 
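Review bot: `Certificate_Store::certificate_known()` in certstor.cpp reports a match on subject DN and subject key identifier only; it never compares the certificate passed in with what the store returned. The header comment on the lookup calls the key identifier optional, so for a certificate without that extension the answer presumably rests on the DN alone, and a different certificate carrying the same name would be reported as known. If callers are meant to use this as a trust decision, compare the certificates themselves, e.g. `for(size_t i = 0; i != found.size(); ++i) if(found[i] == cert) return true;` followed by `return false;`. The declaration added to certstor.h has no doc comment, unlike its neighbours; `/** @return true if the store holds a certificate with this subject DN and key id */` would at least state the contract.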
diff --git a/src/cert/x509crl/crl_ent.h b/src/cert/x509/crl_ent.h
index ae9535484..ae9535484 100644
--- a/src/cert/x509crl/crl_ent.h
+++ b/src/cert/x509/crl_ent.h
diff --git a/src/cert/x509cert/info.txt b/src/cert/x509/info.txt
index 5e3715e7a..c994dab8f 100644
--- a/src/cert/x509cert/info.txt
+++ b/src/cert/x509/info.txt
@@ -1,6 +1,5 @@
 define X509_CERTIFICATES
 <requires>
-certstore
 datastor
 </requires>
diff --git a/src/cert/pkcs10/pkcs10.cpp b/src/cert/x509/pkcs10.cpp
index 784318d3d..784318d3d 100644
--- a/src/cert/pkcs10/pkcs10.cpp
+++ b/src/cert/x509/pkcs10.cpp
diff --git a/src/cert/pkcs10/pkcs10.h b/src/cert/x509/pkcs10.h
index bd01fb6b5..bd01fb6b5 100644
--- a/src/cert/pkcs10/pkcs10.h
+++ b/src/cert/x509/pkcs10.h
diff --git a/src/cert/x509ca/x509_ca.cpp b/src/cert/x509/x509_ca.cpp
index 40f2e3b3a..40f2e3b3a 100644
--- a/src/cert/x509ca/x509_ca.cpp
+++ b/src/cert/x509/x509_ca.cpp
diff --git a/src/cert/x509ca/x509_ca.h b/src/cert/x509/x509_ca.h
index 97be6a415..97be6a415 100644
--- a/src/cert/x509ca/x509_ca.h
+++ b/src/cert/x509/x509_ca.h
diff --git a/src/cert/x509crl/x509_crl.cpp b/src/cert/x509/x509_crl.cpp
index 9c6b891c7..9c6b891c7 100644
--- a/src/cert/x509crl/x509_crl.cpp
+++ b/src/cert/x509/x509_crl.cpp
diff --git a/src/cert/x509crl/x509_crl.h b/src/cert/x509/x509_crl.h
index 55eb8424b..55eb8424b 100644
--- a/src/cert/x509crl/x509_crl.h
+++ b/src/cert/x509/x509_crl.h
diff --git a/src/cert/x509cert/x509_ext.cpp b/src/cert/x509/x509_ext.cpp
index 6e0befaf3..6e0befaf3 100644
--- a/src/cert/x509cert/x509_ext.cpp
+++ b/src/cert/x509/x509_ext.cpp
diff --git a/src/cert/x509cert/x509_ext.h b/src/cert/x509/x509_ext.h
index 714e29562..714e29562 100644
--- a/src/cert/x509cert/x509_ext.h
+++ b/src/cert/x509/x509_ext.h
diff --git a/src/cert/x509cert/x509_obj.cpp b/src/cert/x509/x509_obj.cpp
index c58081225..c58081225 100644
--- a/src/cert/x509cert/x509_obj.cpp
+++ b/src/cert/x509/x509_obj.cpp
diff --git a/src/cert/x509cert/x509_obj.h b/src/cert/x509/x509_obj.h index 570b00f51..570b00f51 100644 --- a/src/cert/x509cert/x509_obj.h +++ b/src/cert/x509/x509_obj.h diff --git a/src/cert/x509cert/x509cert.cpp b/src/cert/x509/x509cert.cpp index 52115a1a8..52115a1a8 100644 --- a/src/cert/x509cert/x509cert.cpp +++ b/src/cert/x509/x509cert.cpp diff --git a/src/cert/x509cert/x509cert.h b/src/cert/x509/x509cert.h index d25b97694..d25b97694 100644 --- a/src/cert/x509cert/x509cert.h +++ b/src/cert/x509/x509cert.h diff --git a/src/cert/x509self/x509opt.cpp b/src/cert/x509/x509opt.cpp index 345df1fe0..345df1fe0 100644 --- a/src/cert/x509self/x509opt.cpp +++ b/src/cert/x509/x509opt.cpp diff --git a/src/cert/x509path/x509path.cpp b/src/cert/x509/x509path.cpp index e18c3b2f8..a9b8150ae 100644 --- a/src/cert/x509path/x509path.cpp +++ b/src/cert/x509/x509path.cpp @@ -71,11 +71,16 @@ std::vector<X509_CRL> find_crls_from(const X509_Certificate& cert, } +const X509_Certificate& Path_Validation_Result::trust_root() const + { + return m_cert_path[m_cert_path.size()-1]; + } + std::set<std::string> Path_Validation_Result::trusted_hashes() const { std::set<std::string> hashes; - for(size_t i = 0; i != cert_path.size(); ++i) - hashes.insert(cert_path[i].hash_used_for_signature()); + for(size_t i = 0; i != m_cert_path.size(); ++i) + hashes.insert(m_cert_path[i].hash_used_for_signature()); return hashes; } 
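Review bot: `Path_Validation_Result::trust_root()` indexes `m_cert_path[m_cert_path.size()-1]` with no emptiness check, so on a default-constructed result (or one built from an empty `end_certs`) the index wraps around and the read is out of bounds. It also returns the last certificate of the path whatever the outcome: when the issuer lookup failed, that certificate is only the last one that could be found, not a trust anchor, and a caller who skips the result check would treat it as one. I would guard the accessor, e.g. `if(m_cert_path.empty() || m_result != VERIFIED) throw Invalid_State("trust_root: validation did not succeed");`, or at minimum document that it is only meaningful after `successful_validation()` returns true.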
@@ -117,30 +122,27 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs, { Path_Validation_Result r; - r.cert_path = end_certs; + r.m_cert_path = end_certs; + + std::vector<X509_Certificate>& cert_path = r.m_cert_path; try { // iterate until we reach a root or cannot find the issuer - - while(!r.cert_path.back().is_self_signed()) + while(!cert_path.back().is_self_signed()) { - X509_Certificate cert = find_issuing_cert(r.cert_path.back(), - certstores); - - r.cert_path.push_back(cert); + cert_path.push_back( + find_issuing_cert(cert_path.back(), certstores) + ); } - /* - for(size_t i = 0; i != r.cert_path.size(); ++i) - std::cout << "Cert " << i << " = " << r.cert_path[i].subject_dn() << "\n"; - */ + const bool self_signed_ee_cert = (cert_path.size() == 1); X509_Time current_time(system_time()); - for(size_t i = 0; i != r.cert_path.size(); ++i) + for(size_t i = 0; i != cert_path.size(); ++i) { - const X509_Certificate& subject = r.cert_path[i]; + const X509_Certificate& subject = cert_path[i]; // Check all certs for valid time range if(current_time < X509_Time(subject.start_time())) @@ -149,13 +151,15 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs, if(current_time > X509_Time(subject.end_time())) throw PKIX_Validation_Failure(CERT_HAS_EXPIRED); - const bool at_self_signed_root = (i == r.cert_path.size() - 1); + const bool at_self_signed_root = (i == cert_path.size() - 1); const X509_Certificate& issuer = - r.cert_path[at_self_signed_root ? (i) : (i + 1)]; + cert_path[at_self_signed_root ? (i) : (i + 1)]; // Check issuer constraints - if(!issuer.is_CA_cert()) // require this for self-signed end-entity? + + // Don't require CA bit set on self-signed end entity cert + if(!issuer.is_CA_cert() && !self_signed_ee_cert) throw PKIX_Validation_Failure(CA_CERT_NOT_FOR_CERT_ISSUER); if(issuer.path_limit() < i) 
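Review bot: The chain-building loop stops at the first self-signed certificate in `cert_path`, and `cert_path` starts as a copy of the caller's `end_certs`, so a self-signed certificate that arrived in `end_certs` ends the loop without ever being looked up in `certstores`. The new `self_signed_ee_cert` flag covers only the one-element case; with two or more supplied certificates, nothing in the visible lines ties the final root to a configured store before the result becomes `VERIFIED` (the body of x509_path_validate continues outside this hunk, so a check may exist there). The `certificate_known()` helper added in this commit looks like the intended tool: after the loop, require that some store knows `cert_path.back()` and fail with `CANNOT_ESTABLISH_TRUST` otherwise. An empty `end_certs` also reaches `cert_path.back()` and should be rejected before the loop.

```cpp
// … unchanged: while loop that appends issuers until a self-signed cert …

const bool self_signed_ee_cert = (cert_path.size() == 1);

// A self-signed root is a trust anchor only if a configured store knows it
bool root_in_store = false;
for(size_t i = 0; i != certstores.size(); ++i)
   {
   if(certstores[i]->certificate_known(cert_path.back()))
      root_in_store = true;
   }

if(!root_in_store && !self_signed_ee_cert)
   throw PKIX_Validation_Failure(CANNOT_ESTABLISH_TRUST);

// … unchanged: validity-period, CA-bit, path-limit and signature checks …
```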
@@ -165,17 +169,16 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs, throw PKIX_Validation_Failure(SIGNATURE_ERROR); } - r.validation_result = VERIFIED; - - for(size_t i = 1; i != r.cert_path.size(); ++i) + for(size_t i = 1; i != cert_path.size(); ++i) { - const X509_Certificate& subject = r.cert_path[i-1]; - const X509_Certificate& ca = r.cert_path[i]; + const X509_Certificate& subject = cert_path[i-1]; + const X509_Certificate& ca = cert_path[i]; std::vector<X509_CRL> crls = find_crls_from(ca, certstores); if(crls.empty()) - throw PKIX_Validation_Failure(CRL_NOT_FOUND); + //throw PKIX_Validation_Failure(CRL_NOT_FOUND); + continue; const X509_CRL& crl = crls[0]; @@ -195,10 +198,11 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs, throw PKIX_Validation_Failure(CERT_IS_REVOKED); } + r.set_result(self_signed_ee_cert ? CANNOT_ESTABLISH_TRUST : VERIFIED); } catch(PKIX_Validation_Failure& e) { - r.validation_result = e.code(); + r.set_result(e.code()); } return r; diff --git a/src/cert/x509path/x509path.h b/src/cert/x509/x509path.h index b32a69162..c389431d8 100644 --- a/src/cert/x509path/x509path.h +++ b/src/cert/x509/x509path.h 
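Review bot: The missing-CRL branch now reads `if(crls.empty())`, a commented-out `throw`, then `continue;`, which turns an absent CRL from a validation failure into a silent pass: the result can be `VERIFIED` with no revocation check performed for that link, and the caller has no way to tell. The dead `//throw PKIX_Validation_Failure(CRL_NOT_FOUND);` sitting between the `if` and its statement is also easy to misread as the body. If soft-fail is the intended policy, drop the dead line and say so, e.g. `if(crls.empty()) continue; // no CRL available: revocation not checked for this link`; better still, make it a caller-visible choice or record it in the result. The loop belongs to x509_path_validate, whose body starts outside this hunk.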
@@ -45,34 +45,48 @@ enum X509_Path_Validation_Code { CA_CERT_NOT_FOR_CRL_ISSUER }; - enum Usage_Restrictions { - NO_RESTRICTIONS = 0x00, - TLS_SERVER = 0x01, - TLS_CLIENT = 0x02, - CODE_SIGNING = 0x04, - EMAIL_PROTECTION = 0x08, - TIME_STAMPING = 0x10, - CRL_SIGNING = 0x20 - }; - -class Path_Validation_Result +enum Usage_Restrictions { + NO_RESTRICTIONS = 0x00, + TLS_SERVER = 0x01, + TLS_CLIENT = 0x02, + CODE_SIGNING = 0x04, + EMAIL_PROTECTION = 0x08, + TIME_STAMPING = 0x10, + CRL_SIGNING = 0x20 +}; + +class BOTAN_DLL Path_Validation_Result { public: Path_Validation_Result() : - validation_result(UNKNOWN_X509_ERROR), - allowed_usages(NO_RESTRICTIONS) + m_result(UNKNOWN_X509_ERROR), + m_usages(NO_RESTRICTIONS) {} - X509_Path_Validation_Code validation_result; - Usage_Restrictions allowed_usages; - - std::vector<X509_Certificate> cert_path; - /** * Returns the set of hash functions you are implicitly * trusting by trusting this result. */ std::set<std::string> trusted_hashes() const; + + const X509_Certificate& trust_root() const; + + const std::vector<X509_Certificate>& cert_path() const { return m_cert_path; } + + bool successful_validation() const { return result() == VERIFIED; } + + X509_Path_Validation_Code result() const { return m_result; } + private: + friend Path_Validation_Result x509_path_validate( + const std::vector<X509_Certificate>& end_certs, + const std::vector<Certificate_Store*>& certstores); + + void set_result(X509_Path_Validation_Code result) { m_result = result; } + + X509_Path_Validation_Code m_result; + Usage_Restrictions m_usages; + + std::vector<X509_Certificate> m_cert_path; }; Path_Validation_Result BOTAN_DLL x509_path_validate( diff --git a/src/cert/x509self/x509self.cpp b/src/cert/x509/x509self.cpp index a2f89159f..a2f89159f 100644 --- a/src/cert/x509self/x509self.cpp +++ b/src/cert/x509/x509self.cpp diff --git a/src/cert/x509self/x509self.h b/src/cert/x509/x509self.h index 2850096c8..2850096c8 100644 --- a/src/cert/x509self/x509self.h 
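Review bot: The new public accessors `trust_root()`, `cert_path()`, `successful_validation()` and `result()` carry no doc comments, while `trusted_hashes()` beside them does, and for a validation result the contract matters. I would add `/** @return the last certificate of the path; only a trust anchor if successful_validation() is true */` on `trust_root()`, `/** @return the path as built, including on failure */` on `cert_path()`, and `/** @return true iff result() == VERIFIED */` on `successful_validation()`. Separately, `m_usages` is still initialised in the constructor but has no accessor now that `allowed_usages` is no longer public, so the field appears unreachable; either expose it or remove it.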
+++ b/src/cert/x509/x509self.h
diff --git a/src/cert/x509ca/info.txt b/src/cert/x509ca/info.txt
deleted file mode 100644
index d412c3070..000000000
--- a/src/cert/x509ca/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define X509_CA
-
-<requires>
-pkcs10
-x509cert
-</requires>
diff --git a/src/cert/x509crl/info.txt b/src/cert/x509crl/info.txt
deleted file mode 100644
index 77de46074..000000000
--- a/src/cert/x509crl/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define X509_CRL
-
-<requires>
-x509cert
-</requires>
-
diff --git a/src/cert/x509path/info.txt b/src/cert/x509path/info.txt
deleted file mode 100644
index b24b03a02..000000000
--- a/src/cert/x509path/info.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-define X509_STORE
-
-<requires>
-x509cert
-</requires>
diff --git a/src/cert/x509self/info.txt b/src/cert/x509self/info.txt
deleted file mode 100644
index bb02c4f74..000000000
--- a/src/cert/x509self/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define X509_SELF_SIGNED
-
-<requires>
-x509cert
-</requires>
-
diff --git a/src/cms/info.txt b/src/cms/info.txt
index 79c16e200..0e74caa49 100644
--- a/src/cms/info.txt
+++ b/src/cms/info.txt
@@ -14,5 +14,5 @@ pem
 pubkey
 sha1
 algo_base
-x509cert
+x509
 </requires>
diff --git a/src/ssl/info.txt b/src/ssl/info.txt
index 169b76115..fd2c255fc 100644
--- a/src/ssl/info.txt
+++ b/src/ssl/info.txt
@@ -67,5 +67,5 @@ rng
 rsa
 sha1
 ssl3mac
-x509cert
+x509
 </requires> |