diff options
Diffstat (limited to 'src/cert/x509/x509path.cpp')
-rw-r--r-- | src/cert/x509/x509path.cpp | 170 |
1 files changed, 91 insertions, 79 deletions
diff --git a/src/cert/x509/x509path.cpp b/src/cert/x509/x509path.cpp index c8266c129..3ed57206d 100644 --- a/src/cert/x509/x509path.cpp +++ b/src/cert/x509/x509path.cpp @@ -59,118 +59,125 @@ const X509_CRL* find_crls_from(const X509_Certificate& cert, return nullptr; } -} - -Path_Validation_Result x509_path_validate( - const std::vector<X509_Certificate>& end_certs, - const Path_Validation_Restrictions& restrictions, - const std::vector<Certificate_Store*>& certstores) +Certificate_Status_Code check_chain(const std::vector<X509_Certificate>& cert_path, + const Path_Validation_Restrictions& restrictions, + const std::vector<Certificate_Store*>& certstores) { - if(end_certs.empty()) - throw std::invalid_argument("x509_path_validate called with no subjects"); - - Path_Validation_Result r; - - r.m_cert_path = end_certs; + const std::set<std::string>& trusted_hashes = restrictions.trusted_hashes(); - std::vector<X509_Certificate>& cert_path = r.m_cert_path; + const bool self_signed_ee_cert = (cert_path.size() == 1); - const std::set<std::string>& trusted_hashes = restrictions.trusted_hashes(); + X509_Time current_time(std::chrono::system_clock::now()); - try + for(size_t i = 0; i != cert_path.size(); ++i) { - // iterate until we reach a root or cannot find the issuer - while(!cert_path.back().is_self_signed()) - { - cert_path.push_back( - find_issuing_cert(cert_path.back(), certstores) - ); - } + const X509_Certificate& subject = cert_path[i]; - const bool self_signed_ee_cert = (cert_path.size() == 1); + // Check all certs for valid time range + if(current_time < X509_Time(subject.start_time())) + return Certificate_Status_Code::CERT_NOT_YET_VALID; - X509_Time current_time(std::chrono::system_clock::now()); + if(current_time > X509_Time(subject.end_time())) + return Certificate_Status_Code::CERT_HAS_EXPIRED; - for(size_t i = 0; i != cert_path.size(); ++i) - { - const X509_Certificate& subject = cert_path[i]; + const bool at_self_signed_root = (i == cert_path.size() - 1); - // Check all certs for valid time range - if(current_time < X509_Time(subject.start_time())) - throw PKIX_Validation_Failure(Certificate_Status_Code::CERT_NOT_YET_VALID); + const X509_Certificate& issuer = + cert_path[at_self_signed_root ? (i) : (i + 1)]; - if(current_time > X509_Time(subject.end_time())) - throw PKIX_Validation_Failure(Certificate_Status_Code::CERT_HAS_EXPIRED); + // Check issuer constraints - const bool at_self_signed_root = (i == cert_path.size() - 1); + // Don't require CA bit set on self-signed end entity cert + if(!issuer.is_CA_cert() && !self_signed_ee_cert) + return Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER; - const X509_Certificate& issuer = - cert_path[at_self_signed_root ? (i) : (i + 1)]; + if(issuer.path_limit() < i) + return Certificate_Status_Code::CERT_CHAIN_TOO_LONG; - // Check issuer constraints + std::unique_ptr<Public_Key> issuer_key(issuer.subject_public_key()); - // Don't require CA bit set on self-signed end entity cert - if(!issuer.is_CA_cert() && !self_signed_ee_cert) - throw PKIX_Validation_Failure(Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER); + if(subject.check_signature(*issuer_key) == false) + return Certificate_Status_Code::SIGNATURE_ERROR; - if(issuer.path_limit() < i) - throw PKIX_Validation_Failure(Certificate_Status_Code::CERT_CHAIN_TOO_LONG); + if(issuer_key->estimated_strength() < restrictions.minimum_key_strength()) + return Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK; - std::unique_ptr<Public_Key> issuer_key(issuer.subject_public_key()); + if(!trusted_hashes.empty() && !at_self_signed_root) + if(!trusted_hashes.count(subject.hash_used_for_signature())) + return Certificate_Status_Code::UNTRUSTED_HASH; + } - if(subject.check_signature(*issuer_key) == false) - throw PKIX_Validation_Failure(Certificate_Status_Code::SIGNATURE_ERROR); + for(size_t i = 1; i != cert_path.size(); ++i) + { + const X509_Certificate& subject = cert_path[i-1]; + const X509_Certificate& ca = cert_path[i]; - if(issuer_key->estimated_strength() < restrictions.minimum_key_strength()) - throw PKIX_Validation_Failure(Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK); + const X509_CRL* crl_p = find_crls_from(ca, certstores); - if(!trusted_hashes.empty() && !at_self_signed_root) - if(!trusted_hashes.count(subject.hash_used_for_signature())) - throw PKIX_Validation_Failure(Certificate_Status_Code::UNTRUSTED_HASH); + if(!crl_p) + { + if(restrictions.require_revocation_information()) + return Certificate_Status_Code::CRL_NOT_FOUND; + continue; } - for(size_t i = 1; i != cert_path.size(); ++i) - { - const X509_Certificate& subject = cert_path[i-1]; - const X509_Certificate& ca = cert_path[i]; + const X509_CRL& crl = *crl_p; - const X509_CRL* crl_p = find_crls_from(ca, certstores); + if(!ca.allowed_usage(CRL_SIGN)) + return Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER; - if(!crl_p) - { - if(restrictions.require_revocation_information()) - throw PKIX_Validation_Failure(Certificate_Status_Code::CRL_NOT_FOUND); - continue; - } + if(current_time < X509_Time(crl.this_update())) + return Certificate_Status_Code::CRL_NOT_YET_VALID; - const X509_CRL& crl = *crl_p; + if(current_time > X509_Time(crl.next_update())) + return Certificate_Status_Code::CRL_HAS_EXPIRED; - if(!ca.allowed_usage(CRL_SIGN)) - throw PKIX_Validation_Failure(Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER); + if(crl.check_signature(ca.subject_public_key()) == false) + return Certificate_Status_Code::SIGNATURE_ERROR; - if(current_time < X509_Time(crl.this_update())) - throw PKIX_Validation_Failure(Certificate_Status_Code::CRL_NOT_YET_VALID); + if(crl.is_revoked(subject)) + return Certificate_Status_Code::CERT_IS_REVOKED; + } - if(current_time > X509_Time(crl.next_update())) - throw PKIX_Validation_Failure(Certificate_Status_Code::CRL_HAS_EXPIRED); + if(self_signed_ee_cert) + return Certificate_Status_Code::CANNOT_ESTABLISH_TRUST; - if(crl.check_signature(ca.subject_public_key()) == false) - throw PKIX_Validation_Failure(Certificate_Status_Code::SIGNATURE_ERROR); + return Certificate_Status_Code::VERIFIED; + } + +} + + +Path_Validation_Result x509_path_validate( + const std::vector<X509_Certificate>& end_certs, + const Path_Validation_Restrictions& restrictions, + const std::vector<Certificate_Store*>& certstores) + { + if(end_certs.empty()) + throw std::invalid_argument("x509_path_validate called with no subjects"); + + std::vector<X509_Certificate> cert_path = end_certs; - if(crl.is_revoked(subject)) - throw PKIX_Validation_Failure(Certificate_Status_Code::CERT_IS_REVOKED); + try + { + // iterate until we reach a root or cannot find the issuer + while(!cert_path.back().is_self_signed()) + { + cert_path.push_back( + find_issuing_cert(cert_path.back(), certstores) + ); } - r.set_result(self_signed_ee_cert ? - Certificate_Status_Code::CANNOT_ESTABLISH_TRUST : - Certificate_Status_Code::VERIFIED); + Certificate_Status_Code res = check_chain(cert_path, restrictions, certstores); + + return Path_Validation_Result(res, std::move(cert_path)); } catch(PKIX_Validation_Failure& e) { - r.set_result(e.code()); + return Path_Validation_Result(e.code()); } - return r; + return Path_Validation_Result(Certificate_Status_Code::UNKNOWN_X509_ERROR); } Path_Validation_Result x509_path_validate( @@ -235,9 +242,14 @@ std::set<std::string> Path_Validation_Result::trusted_hashes() const return hashes; } -std::string Path_Validation_Result::result_string() const +std::string Path_Validation_Result::result_string() constmtn + { + return status_string(m_status); + } + +std::string Path_Validation_Result::status_string(Certificate_Status_Code code) { - switch(m_result) + switch(code) { case VERIFIED: return "verified"; @@ -299,7 +311,7 @@ std::string Path_Validation_Result::result_string() const } // default case - return "Unknown code " + std::to_string(m_result); + return "Unknown code " + std::to_string(code); } } |