From ea3cb1e12822bbdbe99938ef47ac739f9c891ff4 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Mon, 28 Nov 2016 05:30:29 -0500 Subject: Add TLS::Policy::require_cert_revocation_info --- src/lib/tls/tls_callbacks.cpp | 3 ++- src/lib/tls/tls_policy.cpp | 5 +++++ src/lib/tls/tls_policy.h | 7 +++++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/lib/tls/tls_callbacks.cpp b/src/lib/tls/tls_callbacks.cpp index 7afb3f17f..f25f392b3 100644 --- a/src/lib/tls/tls_callbacks.cpp +++ b/src/lib/tls/tls_callbacks.cpp @@ -36,7 +36,8 @@ void TLS::Callbacks::tls_verify_cert_chain( if(cert_chain.empty()) throw Invalid_Argument("Certificate chain was empty"); - Path_Validation_Restrictions restrictions(true, policy.minimum_signature_strength()); + Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(), + policy.minimum_signature_strength()); Path_Validation_Result result = x509_path_validate(cert_chain, diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index e9caa8bb3..84ba5e4bf 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -161,6 +161,11 @@ size_t Policy::minimum_signature_strength() const return 110; } +bool Policy::require_cert_revocation_info() const + { + return true; + } + size_t Policy::minimum_rsa_bits() const { /* Default assumption is all end-entity certificates should diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index f992949fe..b577eb265 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -66,6 +66,13 @@ class BOTAN_DLL Policy */ virtual size_t minimum_signature_strength() const; + /** + * Return if cert revocation info (CRL/OCSP) is required + * If true, validation will fail unless a valid CRL or OCSP response + * was examined. + */ + virtual bool require_cert_revocation_info() const; + bool allowed_signature_method(const std::string& sig_method) const; /** -- cgit v1.2.3