From 4ef234d711e1dd40f1cd7ec328e9933fb19dc5ee Mon Sep 17 00:00:00 2001 From: lloyd Date: Fri, 17 Sep 2010 14:13:48 +0000 Subject: Split up src/cert/x509 into a set of modules, though mostly mutually dependent right now. --- src/cert/x509store/x509stor.h | 142 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 src/cert/x509store/x509stor.h (limited to 'src/cert/x509store/x509stor.h') diff --git a/src/cert/x509store/x509stor.h b/src/cert/x509store/x509stor.h new file mode 100644 index 000000000..7c3895635 --- /dev/null +++ b/src/cert/x509store/x509stor.h @@ -0,0 +1,142 @@ +/* +* X.509 Certificate Store +* (C) 1999-2007 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_X509_CERT_STORE_H__ +#define BOTAN_X509_CERT_STORE_H__ + +#include +#include +#include + +namespace Botan { + +/** +* X.509 Certificate Validation Result +*/ +enum X509_Code { + VERIFIED, + UNKNOWN_X509_ERROR, + CANNOT_ESTABLISH_TRUST, + CERT_CHAIN_TOO_LONG, + SIGNATURE_ERROR, + POLICY_ERROR, + INVALID_USAGE, + + CERT_FORMAT_ERROR, + CERT_ISSUER_NOT_FOUND, + CERT_NOT_YET_VALID, + CERT_HAS_EXPIRED, + CERT_IS_REVOKED, + + CRL_FORMAT_ERROR, + CRL_ISSUER_NOT_FOUND, + CRL_NOT_YET_VALID, + CRL_HAS_EXPIRED, + + CA_CERT_CANNOT_SIGN, + CA_CERT_NOT_FOR_CERT_ISSUER, + CA_CERT_NOT_FOR_CRL_ISSUER +}; + +/** +* X.509 Certificate Store +*/ +class BOTAN_DLL X509_Store + { + public: + /** + * A callback for searching the store + */ + class BOTAN_DLL Search_Func + { + public: + virtual bool match(const X509_Certificate&) const = 0; + virtual ~Search_Func() {} + }; + + enum Cert_Usage { + ANY = 0x00, + TLS_SERVER = 0x01, + TLS_CLIENT = 0x02, + CODE_SIGNING = 0x04, + EMAIL_PROTECTION = 0x08, + TIME_STAMPING = 0x10, + CRL_SIGNING = 0x20 + }; + + X509_Code validate_cert(const X509_Certificate&, Cert_Usage = ANY); + + std::vector get_certs(const Search_Func&) const; + std::vector get_cert_chain(const X509_Certificate&); + std::string PEM_encode() const; + + X509_Code add_crl(const X509_CRL&); + void add_cert(const X509_Certificate&, bool = false); + void add_certs(DataSource&); + void add_trusted_certs(DataSource&); + + void add_new_certstore(Certificate_Store*); + + static X509_Code check_sig(const X509_Object&, Public_Key*); + + X509_Store(u32bit time_slack = 24*60*60, + u32bit cache_results = 30*60); + + X509_Store(const X509_Store&); + ~X509_Store(); + private: + X509_Store& operator=(const X509_Store&) { return (*this); } + + class BOTAN_DLL CRL_Data + { + public: + X509_DN issuer; + MemoryVector serial, auth_key_id; + bool operator==(const CRL_Data&) const; + bool operator!=(const CRL_Data&) const; + bool operator<(const CRL_Data&) const; + }; + + class BOTAN_DLL Cert_Info + { + public: + bool is_verified(u32bit timeout) const; + bool is_trusted() const; + X509_Code verify_result() const; + void set_result(X509_Code) const; + Cert_Info(const X509_Certificate&, bool = false); + + X509_Certificate cert; + bool trusted; + private: + mutable bool checked; + mutable X509_Code result; + mutable u64bit last_checked; + }; + + u32bit find_cert(const X509_DN&, const MemoryRegion&) const; + X509_Code check_sig(const Cert_Info&, const Cert_Info&) const; + void recompute_revoked_info() const; + + void do_add_certs(DataSource&, bool); + X509_Code construct_cert_chain(const X509_Certificate&, + std::vector&, bool = false); + + u32bit find_parent_of(const X509_Certificate&); + bool is_revoked(const X509_Certificate&) const; + + static const u32bit NO_CERT_FOUND = 0xFFFFFFFF; + std::vector certs; + std::vector revoked; + std::vector stores; + u32bit time_slack, validation_cache_timeout; + mutable bool revoked_info_valid; + }; + +} + +#endif -- cgit v1.2.3