aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/asn1/x509_dn.cpp2
-rw-r--r--src/cert/certstore/info.txt6
-rw-r--r--src/cert/pkcs10/info.txt6
-rw-r--r--src/cert/x509/certstor.cpp (renamed from src/cert/certstore/certstor.cpp)9
-rw-r--r--src/cert/x509/certstor.h (renamed from src/cert/certstore/certstor.h)2
-rw-r--r--src/cert/x509/crl_ent.cpp (renamed from src/cert/x509crl/crl_ent.cpp)0
-rw-r--r--src/cert/x509/crl_ent.h (renamed from src/cert/x509crl/crl_ent.h)0
-rw-r--r--src/cert/x509/info.txt (renamed from src/cert/x509cert/info.txt)1
-rw-r--r--src/cert/x509/pkcs10.cpp (renamed from src/cert/pkcs10/pkcs10.cpp)0
-rw-r--r--src/cert/x509/pkcs10.h (renamed from src/cert/pkcs10/pkcs10.h)0
-rw-r--r--src/cert/x509/x509_ca.cpp (renamed from src/cert/x509ca/x509_ca.cpp)0
-rw-r--r--src/cert/x509/x509_ca.h (renamed from src/cert/x509ca/x509_ca.h)0
-rw-r--r--src/cert/x509/x509_crl.cpp (renamed from src/cert/x509crl/x509_crl.cpp)0
-rw-r--r--src/cert/x509/x509_crl.h (renamed from src/cert/x509crl/x509_crl.h)0
-rw-r--r--src/cert/x509/x509_ext.cpp (renamed from src/cert/x509cert/x509_ext.cpp)0
-rw-r--r--src/cert/x509/x509_ext.h (renamed from src/cert/x509cert/x509_ext.h)0
-rw-r--r--src/cert/x509/x509_obj.cpp (renamed from src/cert/x509cert/x509_obj.cpp)0
-rw-r--r--src/cert/x509/x509_obj.h (renamed from src/cert/x509cert/x509_obj.h)0
-rw-r--r--src/cert/x509/x509cert.cpp (renamed from src/cert/x509cert/x509cert.cpp)0
-rw-r--r--src/cert/x509/x509cert.h (renamed from src/cert/x509cert/x509cert.h)0
-rw-r--r--src/cert/x509/x509opt.cpp (renamed from src/cert/x509self/x509opt.cpp)0
-rw-r--r--src/cert/x509/x509path.cpp (renamed from src/cert/x509path/x509path.cpp)54
-rw-r--r--src/cert/x509/x509path.h (renamed from src/cert/x509path/x509path.h)50
-rw-r--r--src/cert/x509/x509self.cpp (renamed from src/cert/x509self/x509self.cpp)0
-rw-r--r--src/cert/x509/x509self.h (renamed from src/cert/x509self/x509self.h)0
-rw-r--r--src/cert/x509ca/info.txt6
-rw-r--r--src/cert/x509crl/info.txt6
-rw-r--r--src/cert/x509path/info.txt5
-rw-r--r--src/cert/x509self/info.txt6
-rw-r--r--src/cms/info.txt2
-rw-r--r--src/ssl/info.txt2
31 files changed, 75 insertions, 82 deletions
diff --git a/src/asn1/x509_dn.cpp b/src/asn1/x509_dn.cpp
index 37eecc6a3..ceb12cee6 100644
--- a/src/asn1/x509_dn.cpp
+++ b/src/asn1/x509_dn.cpp
@@ -177,7 +177,7 @@ bool operator!=(const X509_DN& dn1, const X509_DN& dn2)
}
/*
-* Compare two X509_DNs
+* Induce an arbitrary ordering on DNs
*/
bool operator<(const X509_DN& dn1, const X509_DN& dn2)
{
diff --git a/src/cert/certstore/info.txt b/src/cert/certstore/info.txt
deleted file mode 100644
index a5de1baff..000000000
--- a/src/cert/certstore/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define CERTIFICATE_STORE
-
-<requires>
-x509cert
-x509crl
-</requires>
diff --git a/src/cert/pkcs10/info.txt b/src/cert/pkcs10/info.txt
deleted file mode 100644
index bf53a562a..000000000
--- a/src/cert/pkcs10/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define PKCS10_REQUESTS
-
-<requires>
-asn1
-x509cert
-</requires>
diff --git a/src/cert/certstore/certstor.cpp b/src/cert/x509/certstor.cpp
index 7aa528d04..de27361ed 100644
--- a/src/cert/certstore/certstor.cpp
+++ b/src/cert/x509/certstor.cpp
@@ -9,6 +9,15 @@
namespace Botan {
+bool Certificate_Store::certificate_known(const X509_Certificate& cert) const
+ {
+ std::vector<X509_Certificate> found =
+ find_cert_by_subject_and_key_id(cert.subject_dn(),
+ cert.subject_key_id());
+
+ return (found.size() > 0);
+ }
+
void Certificate_Store_In_Memory::add_certificate(const X509_Certificate& cert)
{
for(size_t i = 0; i != certs.size(); ++i)
diff --git a/src/cert/certstore/certstor.h b/src/cert/x509/certstor.h
index 604541d52..e2727c569 100644
--- a/src/cert/certstore/certstor.h
+++ b/src/cert/x509/certstor.h
@@ -31,6 +31,8 @@ class BOTAN_DLL Certificate_Store
*/
virtual void add_crl(const X509_CRL& crl) = 0;
+ bool certificate_known(const X509_Certificate& cert) const;
+
/**
* Subject DN and (optionally) key identifier
*/
diff --git a/src/cert/x509crl/crl_ent.cpp b/src/cert/x509/crl_ent.cpp
index d566637f6..d566637f6 100644
--- a/src/cert/x509crl/crl_ent.cpp
+++ b/src/cert/x509/crl_ent.cpp
diff --git a/src/cert/x509crl/crl_ent.h b/src/cert/x509/crl_ent.h
index ae9535484..ae9535484 100644
--- a/src/cert/x509crl/crl_ent.h
+++ b/src/cert/x509/crl_ent.h
diff --git a/src/cert/x509cert/info.txt b/src/cert/x509/info.txt
index 5e3715e7a..c994dab8f 100644
--- a/src/cert/x509cert/info.txt
+++ b/src/cert/x509/info.txt
@@ -1,6 +1,5 @@
define X509_CERTIFICATES
<requires>
-certstore
datastor
</requires>
diff --git a/src/cert/pkcs10/pkcs10.cpp b/src/cert/x509/pkcs10.cpp
index 784318d3d..784318d3d 100644
--- a/src/cert/pkcs10/pkcs10.cpp
+++ b/src/cert/x509/pkcs10.cpp
diff --git a/src/cert/pkcs10/pkcs10.h b/src/cert/x509/pkcs10.h
index bd01fb6b5..bd01fb6b5 100644
--- a/src/cert/pkcs10/pkcs10.h
+++ b/src/cert/x509/pkcs10.h
diff --git a/src/cert/x509ca/x509_ca.cpp b/src/cert/x509/x509_ca.cpp
index 40f2e3b3a..40f2e3b3a 100644
--- a/src/cert/x509ca/x509_ca.cpp
+++ b/src/cert/x509/x509_ca.cpp
diff --git a/src/cert/x509ca/x509_ca.h b/src/cert/x509/x509_ca.h
index 97be6a415..97be6a415 100644
--- a/src/cert/x509ca/x509_ca.h
+++ b/src/cert/x509/x509_ca.h
diff --git a/src/cert/x509crl/x509_crl.cpp b/src/cert/x509/x509_crl.cpp
index 9c6b891c7..9c6b891c7 100644
--- a/src/cert/x509crl/x509_crl.cpp
+++ b/src/cert/x509/x509_crl.cpp
diff --git a/src/cert/x509crl/x509_crl.h b/src/cert/x509/x509_crl.h
index 55eb8424b..55eb8424b 100644
--- a/src/cert/x509crl/x509_crl.h
+++ b/src/cert/x509/x509_crl.h
diff --git a/src/cert/x509cert/x509_ext.cpp b/src/cert/x509/x509_ext.cpp
index 6e0befaf3..6e0befaf3 100644
--- a/src/cert/x509cert/x509_ext.cpp
+++ b/src/cert/x509/x509_ext.cpp
diff --git a/src/cert/x509cert/x509_ext.h b/src/cert/x509/x509_ext.h
index 714e29562..714e29562 100644
--- a/src/cert/x509cert/x509_ext.h
+++ b/src/cert/x509/x509_ext.h
diff --git a/src/cert/x509cert/x509_obj.cpp b/src/cert/x509/x509_obj.cpp
index c58081225..c58081225 100644
--- a/src/cert/x509cert/x509_obj.cpp
+++ b/src/cert/x509/x509_obj.cpp
diff --git a/src/cert/x509cert/x509_obj.h b/src/cert/x509/x509_obj.h
index 570b00f51..570b00f51 100644
--- a/src/cert/x509cert/x509_obj.h
+++ b/src/cert/x509/x509_obj.h
diff --git a/src/cert/x509cert/x509cert.cpp b/src/cert/x509/x509cert.cpp
index 52115a1a8..52115a1a8 100644
--- a/src/cert/x509cert/x509cert.cpp
+++ b/src/cert/x509/x509cert.cpp
diff --git a/src/cert/x509cert/x509cert.h b/src/cert/x509/x509cert.h
index d25b97694..d25b97694 100644
--- a/src/cert/x509cert/x509cert.h
+++ b/src/cert/x509/x509cert.h
diff --git a/src/cert/x509self/x509opt.cpp b/src/cert/x509/x509opt.cpp
index 345df1fe0..345df1fe0 100644
--- a/src/cert/x509self/x509opt.cpp
+++ b/src/cert/x509/x509opt.cpp
diff --git a/src/cert/x509path/x509path.cpp b/src/cert/x509/x509path.cpp
index e18c3b2f8..a9b8150ae 100644
--- a/src/cert/x509path/x509path.cpp
+++ b/src/cert/x509/x509path.cpp
@@ -71,11 +71,16 @@ std::vector<X509_CRL> find_crls_from(const X509_Certificate& cert,
}
+const X509_Certificate& Path_Validation_Result::trust_root() const
+ {
+ return m_cert_path[m_cert_path.size()-1];
+ }
+
std::set<std::string> Path_Validation_Result::trusted_hashes() const
{
std::set<std::string> hashes;
- for(size_t i = 0; i != cert_path.size(); ++i)
- hashes.insert(cert_path[i].hash_used_for_signature());
+ for(size_t i = 0; i != m_cert_path.size(); ++i)
+ hashes.insert(m_cert_path[i].hash_used_for_signature());
return hashes;
}
@@ -117,30 +122,27 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs,
{
Path_Validation_Result r;
- r.cert_path = end_certs;
+ r.m_cert_path = end_certs;
+
+ std::vector<X509_Certificate>& cert_path = r.m_cert_path;
try
{
// iterate until we reach a root or cannot find the issuer
-
- while(!r.cert_path.back().is_self_signed())
+ while(!cert_path.back().is_self_signed())
{
- X509_Certificate cert = find_issuing_cert(r.cert_path.back(),
- certstores);
-
- r.cert_path.push_back(cert);
+ cert_path.push_back(
+ find_issuing_cert(cert_path.back(), certstores)
+ );
}
- /*
- for(size_t i = 0; i != r.cert_path.size(); ++i)
- std::cout << "Cert " << i << " = " << r.cert_path[i].subject_dn() << "\n";
- */
+ const bool self_signed_ee_cert = (cert_path.size() == 1);
X509_Time current_time(system_time());
- for(size_t i = 0; i != r.cert_path.size(); ++i)
+ for(size_t i = 0; i != cert_path.size(); ++i)
{
- const X509_Certificate& subject = r.cert_path[i];
+ const X509_Certificate& subject = cert_path[i];
// Check all certs for valid time range
if(current_time < X509_Time(subject.start_time()))
@@ -149,13 +151,15 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs,
if(current_time > X509_Time(subject.end_time()))
throw PKIX_Validation_Failure(CERT_HAS_EXPIRED);
- const bool at_self_signed_root = (i == r.cert_path.size() - 1);
+ const bool at_self_signed_root = (i == cert_path.size() - 1);
const X509_Certificate& issuer =
- r.cert_path[at_self_signed_root ? (i) : (i + 1)];
+ cert_path[at_self_signed_root ? (i) : (i + 1)];
// Check issuer constraints
- if(!issuer.is_CA_cert()) // require this for self-signed end-entity?
+
+ // Don't require CA bit set on self-signed end entity cert
+ if(!issuer.is_CA_cert() && !self_signed_ee_cert)
throw PKIX_Validation_Failure(CA_CERT_NOT_FOR_CERT_ISSUER);
if(issuer.path_limit() < i)
@@ -165,17 +169,16 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs,
throw PKIX_Validation_Failure(SIGNATURE_ERROR);
}
- r.validation_result = VERIFIED;
-
- for(size_t i = 1; i != r.cert_path.size(); ++i)
+ for(size_t i = 1; i != cert_path.size(); ++i)
{
- const X509_Certificate& subject = r.cert_path[i-1];
- const X509_Certificate& ca = r.cert_path[i];
+ const X509_Certificate& subject = cert_path[i-1];
+ const X509_Certificate& ca = cert_path[i];
std::vector<X509_CRL> crls = find_crls_from(ca, certstores);
if(crls.empty())
- throw PKIX_Validation_Failure(CRL_NOT_FOUND);
+ //throw PKIX_Validation_Failure(CRL_NOT_FOUND);
+ continue;
const X509_CRL& crl = crls[0];
@@ -195,10 +198,11 @@ x509_path_validate(const std::vector<X509_Certificate>& end_certs,
throw PKIX_Validation_Failure(CERT_IS_REVOKED);
}
+ r.set_result(self_signed_ee_cert ? CANNOT_ESTABLISH_TRUST : VERIFIED);
}
catch(PKIX_Validation_Failure& e)
{
- r.validation_result = e.code();
+ r.set_result(e.code());
}
return r;
diff --git a/src/cert/x509path/x509path.h b/src/cert/x509/x509path.h
index b32a69162..c389431d8 100644
--- a/src/cert/x509path/x509path.h
+++ b/src/cert/x509/x509path.h
@@ -45,34 +45,48 @@ enum X509_Path_Validation_Code {
CA_CERT_NOT_FOR_CRL_ISSUER
};
- enum Usage_Restrictions {
- NO_RESTRICTIONS = 0x00,
- TLS_SERVER = 0x01,
- TLS_CLIENT = 0x02,
- CODE_SIGNING = 0x04,
- EMAIL_PROTECTION = 0x08,
- TIME_STAMPING = 0x10,
- CRL_SIGNING = 0x20
- };
-
-class Path_Validation_Result
+enum Usage_Restrictions {
+ NO_RESTRICTIONS = 0x00,
+ TLS_SERVER = 0x01,
+ TLS_CLIENT = 0x02,
+ CODE_SIGNING = 0x04,
+ EMAIL_PROTECTION = 0x08,
+ TIME_STAMPING = 0x10,
+ CRL_SIGNING = 0x20
+};
+
+class BOTAN_DLL Path_Validation_Result
{
public:
Path_Validation_Result() :
- validation_result(UNKNOWN_X509_ERROR),
- allowed_usages(NO_RESTRICTIONS)
+ m_result(UNKNOWN_X509_ERROR),
+ m_usages(NO_RESTRICTIONS)
{}
- X509_Path_Validation_Code validation_result;
- Usage_Restrictions allowed_usages;
-
- std::vector<X509_Certificate> cert_path;
-
/**
* Returns the set of hash functions you are implicitly
* trusting by trusting this result.
*/
std::set<std::string> trusted_hashes() const;
+
+ const X509_Certificate& trust_root() const;
+
+ const std::vector<X509_Certificate>& cert_path() const { return m_cert_path; }
+
+ bool successful_validation() const { return result() == VERIFIED; }
+
+ X509_Path_Validation_Code result() const { return m_result; }
+ private:
+ friend Path_Validation_Result x509_path_validate(
+ const std::vector<X509_Certificate>& end_certs,
+ const std::vector<Certificate_Store*>& certstores);
+
+ void set_result(X509_Path_Validation_Code result) { m_result = result; }
+
+ X509_Path_Validation_Code m_result;
+ Usage_Restrictions m_usages;
+
+ std::vector<X509_Certificate> m_cert_path;
};
Path_Validation_Result BOTAN_DLL x509_path_validate(
diff --git a/src/cert/x509self/x509self.cpp b/src/cert/x509/x509self.cpp
index a2f89159f..a2f89159f 100644
--- a/src/cert/x509self/x509self.cpp
+++ b/src/cert/x509/x509self.cpp
diff --git a/src/cert/x509self/x509self.h b/src/cert/x509/x509self.h
index 2850096c8..2850096c8 100644
--- a/src/cert/x509self/x509self.h
+++ b/src/cert/x509/x509self.h
diff --git a/src/cert/x509ca/info.txt b/src/cert/x509ca/info.txt
deleted file mode 100644
index d412c3070..000000000
--- a/src/cert/x509ca/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define X509_CA
-
-<requires>
-pkcs10
-x509cert
-</requires>
diff --git a/src/cert/x509crl/info.txt b/src/cert/x509crl/info.txt
deleted file mode 100644
index 77de46074..000000000
--- a/src/cert/x509crl/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define X509_CRL
-
-<requires>
-x509cert
-</requires>
-
diff --git a/src/cert/x509path/info.txt b/src/cert/x509path/info.txt
deleted file mode 100644
index b24b03a02..000000000
--- a/src/cert/x509path/info.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-define X509_STORE
-
-<requires>
-x509cert
-</requires>
diff --git a/src/cert/x509self/info.txt b/src/cert/x509self/info.txt
deleted file mode 100644
index bb02c4f74..000000000
--- a/src/cert/x509self/info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-define X509_SELF_SIGNED
-
-<requires>
-x509cert
-</requires>
-
diff --git a/src/cms/info.txt b/src/cms/info.txt
index 79c16e200..0e74caa49 100644
--- a/src/cms/info.txt
+++ b/src/cms/info.txt
@@ -14,5 +14,5 @@ pem
pubkey
sha1
algo_base
-x509cert
+x509
</requires>
diff --git a/src/ssl/info.txt b/src/ssl/info.txt
index 169b76115..fd2c255fc 100644
--- a/src/ssl/info.txt
+++ b/src/ssl/info.txt
@@ -67,5 +67,5 @@ rng
rsa
sha1
ssl3mac
-x509cert
+x509
</requires>