2 files changed, 56 insertions, 1 deletions

diff --git a/src/credentials/credentials_manager.cpp b/src/credentials/credentials_manager.cpp
index e7886d307..82da8a75d 100644
--- a/src/credentials/credentials_manager.cpp
+++ b/src/credentials/credentials_manager.cpp
@@ -49,4 +49,34 @@ Private_Key* Credentials_Manager::private_key_for(const X509_Certificate&,
    return 0;
    }
 
+std::vector<X509_Certificate>
+Credentials_Manager::trusted_certificate_authorities(
+   const std::string&,
+   const std::string&)
+   {
+   return std::vector<X509_Certificate>();
+   }
+
+void Credentials_Manager::verify_certificate_chain(
+   const std::vector<X509_Certificate>& cert_chain,
+   const std::string& purported_hostname)
+   {
+   if(cert_chain.empty())
+      throw std::invalid_argument("Certificate chain was empty");
+
+#if 0
+   if(!cert_chain[0].matches_dns_name(purported_hostname))
+      return false;
+
+   X509_Store store;
+
+   std::vector<X509_Certificate> CAs = trusted_certificate_authorities();
+
+   for(size_t i = 1; i != CAs.size(); ++i)
+      store.add_cert(CAs[i], true);
+   for(size_t i = 1; i != cert_chain.size(); ++i)
+      store.add_cert(cert_chain[i]);
+#endif
+   }
+
 }
diff --git a/src/credentials/credentials_manager.h b/src/credentials/credentials_manager.h
index 43bccec69..fdcfa74da 100644
--- a/src/credentials/credentials_manager.h
+++ b/src/credentials/credentials_manager.h
@@ -62,6 +62,10 @@ class BOTAN_DLL Credentials_Manager
                                 bool generate_fake_on_unknown);
 
       /**
+      * Return a cert chain we can use, ordered from leaf to root.
+      * Assumed that we can get the private key of the leaf with
+      * private_key_for
+      *
       * @param cert_key_type is a string representing the key type
       * ("rsa", "dsa", "ecdsa", etc) or empty if no preference.
       */
@@ -71,8 +75,29 @@ class BOTAN_DLL Credentials_Manager
          const std::string& context);
 
       /**
+      * Return a list of the certificates of CAs that we trust in this
+      * type/context.
+      */
+      virtual std::vector<X509_Certificate> trusted_certificate_authorities(
+         const std::string& type,
+         const std::string& context);
+
+      /**
+      * Check the certificate chain is valid up to a trusted root, and
+      * optionally (if hostname != "") that the hostname given is
+      * consistent with the leaf certificate.
+      *
+      * This function should throw an exception derived from
+      * std::exception with an informative what() result if the
+      * certificate chain cannot be verified.
+      */
+      virtual void verify_certificate_chain(
+         const std::vector<X509_Certificate>& cert_chain,
+         const std::string& hostname = "");
+
+      /**
       * @return private key associated with this certificate if we should
-      *         use it with this context
+      *         use it with this context. cert was returned by cert_chain
       */
       virtual Private_Key* private_key_for(const X509_Certificate& cert,
                                            const std::string& type,