/usr/include/botan-2/botan/x509path.h is in libbotan-2-dev 2.4.0-5ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 | /*
* X.509 Cert Path Validation
* (C) 2010-2011 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#ifndef BOTAN_X509_CERT_PATH_VALIDATION_H_
#define BOTAN_X509_CERT_PATH_VALIDATION_H_
#include <botan/cert_status.h>
#include <botan/x509cert.h>
#include <botan/certstor.h>
#include <botan/ocsp.h>
#include <functional>
#include <set>
#include <chrono>
#if defined(BOTAN_TARGET_OS_HAS_THREADS) && defined(BOTAN_HAS_HTTP_UTIL)
#define BOTAN_HAS_ONLINE_REVOCATION_CHECKS
#endif
namespace Botan {
/**
* This type represents the validation status of an entire certificate path.
* There is one set of status codes for each certificate in the path.
*/
typedef std::vector<std::set<Certificate_Status_Code>> CertificatePathStatusCodes;
/**
* Specifies restrictions on the PKIX path validation
*/
class BOTAN_PUBLIC_API(2,0) Path_Validation_Restrictions final
{
public:
/**
* @param require_rev if true, revocation information is required
* @param minimum_key_strength is the minimum strength (in terms of
* operations, eg 80 means 2^80) of a signature. Signatures weaker than
* this are rejected. If more than 80, SHA-1 signatures are also
* rejected. If possible use at least setting 110.
*
* 80 bit strength requires 1024 bit RSA
* 110 bit strength requires 2k bit RSA
* 128 bit strength requires ~3k bit RSA or P-256
* @param ocsp_all_intermediates Make OCSP requests for all CAs as
* well as end entity (if OCSP enabled in path validation request)
*/
Path_Validation_Restrictions(bool require_rev = false,
size_t minimum_key_strength = 110,
bool ocsp_all_intermediates = false);
/**
* @param require_rev if true, revocation information is required
* @param minimum_key_strength is the minimum strength (in terms of
* operations, eg 80 means 2^80) of a signature. Signatures
* weaker than this are rejected.
* @param ocsp_all_intermediates Make OCSP requests for all CAs as
* well as end entity (if OCSP enabled in path validation request)
* @param trusted_hashes a set of trusted hashes. Any signatures
* created using a hash other than one of these will be
* rejected.
*/
Path_Validation_Restrictions(bool require_rev,
size_t minimum_key_strength,
bool ocsp_all_intermediates,
const std::set<std::string>& trusted_hashes) :
m_require_revocation_information(require_rev),
m_ocsp_all_intermediates(ocsp_all_intermediates),
m_trusted_hashes(trusted_hashes),
m_minimum_key_strength(minimum_key_strength) {}
/**
* @return whether revocation information is required
*/
bool require_revocation_information() const
{ return m_require_revocation_information; }
/**
* @return whether all intermediate CAs should also be OCSPed. If false
* then only end entity OCSP is required/requested.
*/
bool ocsp_all_intermediates() const
{ return m_ocsp_all_intermediates; }
/**
* @return trusted signature hash functions
*/
const std::set<std::string>& trusted_hashes() const
{ return m_trusted_hashes; }
/**
* @return minimum required key strength
*/
size_t minimum_key_strength() const
{ return m_minimum_key_strength; }
private:
bool m_require_revocation_information;
bool m_ocsp_all_intermediates;
std::set<std::string> m_trusted_hashes;
size_t m_minimum_key_strength;
};
/**
* Represents the result of a PKIX path validation
*/
class BOTAN_PUBLIC_API(2,0) Path_Validation_Result final
{
public:
typedef Certificate_Status_Code Code;
/**
* @return the set of hash functions you are implicitly
* trusting by trusting this result.
*/
std::set<std::string> trusted_hashes() const;
/**
* @return the trust root of the validation if successful
* throws an exception if the validation failed
*/
const X509_Certificate& trust_root() const;
/**
* @return the full path from subject to trust root
* This path may be empty
*/
const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path() const { return m_cert_path; }
/**
* @return true iff the validation was successful
*/
bool successful_validation() const;
/**
* @return true iff no warnings occured during validation
*/
bool no_warnings() const;
/**
* @return overall validation result code
*/
Certificate_Status_Code result() const { return m_overall; }
/**
* @return a set of status codes for each certificate in the chain
*/
const CertificatePathStatusCodes& all_statuses() const
{ return m_all_status; }
/**
* @return the subset of status codes that are warnings
*/
CertificatePathStatusCodes warnings() const;
/**
* @return string representation of the validation result
*/
std::string result_string() const;
/**
* @param code validation status code
* @return corresponding validation status message
*/
static const char* status_string(Certificate_Status_Code code);
/**
* Create a Path_Validation_Result
* @param status list of validation status codes
* @param cert_chain the certificate chain that was validated
*/
Path_Validation_Result(CertificatePathStatusCodes status,
std::vector<std::shared_ptr<const X509_Certificate>>&& cert_chain);
/**
* Create a Path_Validation_Result
* @param status validation status code
*/
explicit Path_Validation_Result(Certificate_Status_Code status) : m_overall(status) {}
private:
CertificatePathStatusCodes m_all_status;
CertificatePathStatusCodes m_warnings;
std::vector<std::shared_ptr<const X509_Certificate>> m_cert_path;
Certificate_Status_Code m_overall;
};
/**
* PKIX Path Validation
* @param end_certs certificate chain to validate (with end entity certificate in end_certs[0])
* @param restrictions path validation restrictions
* @param trusted_roots list of certificate stores that contain trusted certificates
* @param hostname if not empty, compared against the DNS name in end_certs[0]
* @param usage if not set to UNSPECIFIED, compared against the key usage in end_certs[0]
* @param validation_time what reference time to use for validation
* @param ocsp_timeout timeout for OCSP operations, 0 disables OCSP check
* @param ocsp_resp additional OCSP responses to consider (eg from peer)
* @return result of the path validation
*/
Path_Validation_Result BOTAN_PUBLIC_API(2,0) x509_path_validate(
const std::vector<X509_Certificate>& end_certs,
const Path_Validation_Restrictions& restrictions,
const std::vector<Certificate_Store*>& trusted_roots,
const std::string& hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector<std::shared_ptr<const OCSP::Response>>& ocsp_resp = {});
/**
* PKIX Path Validation
* @param end_cert certificate to validate
* @param restrictions path validation restrictions
* @param trusted_roots list of stores that contain trusted certificates
* @param hostname if not empty, compared against the DNS name in end_cert
* @param usage if not set to UNSPECIFIED, compared against the key usage in end_cert
* @param validation_time what reference time to use for validation
* @param ocsp_timeout timeout for OCSP operations, 0 disables OCSP check
* @param ocsp_resp additional OCSP responses to consider (eg from peer)
* @return result of the path validation
*/
Path_Validation_Result BOTAN_PUBLIC_API(2,0) x509_path_validate(
const X509_Certificate& end_cert,
const Path_Validation_Restrictions& restrictions,
const std::vector<Certificate_Store*>& trusted_roots,
const std::string& hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector<std::shared_ptr<const OCSP::Response>>& ocsp_resp = {});
/**
* PKIX Path Validation
* @param end_cert certificate to validate
* @param restrictions path validation restrictions
* @param store store that contains trusted certificates
* @param hostname if not empty, compared against the DNS name in end_cert
* @param usage if not set to UNSPECIFIED, compared against the key usage in end_cert
* @param validation_time what reference time to use for validation
* @param ocsp_timeout timeout for OCSP operations, 0 disables OCSP check
* @param ocsp_resp additional OCSP responses to consider (eg from peer)
* @return result of the path validation
*/
Path_Validation_Result BOTAN_PUBLIC_API(2,0) x509_path_validate(
const X509_Certificate& end_cert,
const Path_Validation_Restrictions& restrictions,
const Certificate_Store& store,
const std::string& hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector<std::shared_ptr<const OCSP::Response>>& ocsp_resp = {});
/**
* PKIX Path Validation
* @param end_certs certificate chain to validate
* @param restrictions path validation restrictions
* @param store store that contains trusted certificates
* @param hostname if not empty, compared against the DNS name in end_certs[0]
* @param usage if not set to UNSPECIFIED, compared against the key usage in end_certs[0]
* @param validation_time what reference time to use for validation
* @param ocsp_timeout timeout for OCSP operations, 0 disables OCSP check
* @param ocsp_resp additional OCSP responses to consider (eg from peer)
* @return result of the path validation
*/
Path_Validation_Result BOTAN_PUBLIC_API(2,0) x509_path_validate(
const std::vector<X509_Certificate>& end_certs,
const Path_Validation_Restrictions& restrictions,
const Certificate_Store& store,
const std::string& hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector<std::shared_ptr<const OCSP::Response>>& ocsp_resp = {});
/**
* namespace PKIX holds the building blocks that are called by x509_path_validate.
* This allows custom validation logic to be written by applications and makes
* for easier testing, but unless you're positive you know what you're doing you
* probably want to just call x509_path_validate instead.
*/
namespace PKIX {
Certificate_Status_Code
build_all_certificate_paths(std::vector<std::vector<std::shared_ptr<const X509_Certificate>>>& cert_paths,
const std::vector<Certificate_Store*>& trusted_certstores,
const std::shared_ptr<const X509_Certificate>& end_entity,
const std::vector<std::shared_ptr<const X509_Certificate>>& end_entity_extra);
/**
* Build certificate path
* @param cert_path_out output parameter, cert_path will be appended to this vector
* @param trusted_certstores list of certificate stores that contain trusted certificates
* @param end_entity the cert to be validated
* @param end_entity_extra optional list of additional untrusted certs for path building
* @return result of the path building operation (OK or error)
*/
Certificate_Status_Code
BOTAN_PUBLIC_API(2,0) build_certificate_path(std::vector<std::shared_ptr<const X509_Certificate>>& cert_path_out,
const std::vector<Certificate_Store*>& trusted_certstores,
const std::shared_ptr<const X509_Certificate>& end_entity,
const std::vector<std::shared_ptr<const X509_Certificate>>& end_entity_extra);
/**
* Check the certificate chain, but not any revocation data
*
* @param cert_path path built by build_certificate_path with OK result
* @param ref_time whatever time you want to perform the validation
* against (normally current system clock)
* @param hostname the hostname
* @param usage end entity usage checks
* @param min_signature_algo_strength 80 or 110 typically
* Note 80 allows 1024 bit RSA and SHA-1. 110 allows 2048 bit RSA and SHA-2.
* Using 128 requires ECC (P-256) or ~3000 bit RSA keys.
* @param trusted_hashes set of trusted hash functions, empty means accept any
* hash we have an OID for
* @return vector of results on per certificate in the path, each containing a set of
* results. If all codes in the set are < Certificate_Status_Code::FIRST_ERROR_STATUS,
* then the result for that certificate is successful. If all results are
*/
CertificatePathStatusCodes
BOTAN_PUBLIC_API(2,0) check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
std::chrono::system_clock::time_point ref_time,
const std::string& hostname,
Usage_Type usage,
size_t min_signature_algo_strength,
const std::set<std::string>& trusted_hashes);
/**
* Check OCSP responses for revocation information
* @param cert_path path already validated by check_chain
* @param ocsp_responses the OCSP responses to consider
* @param certstores trusted roots
* @param ref_time whatever time you want to perform the validation against
* (normally current system clock)
* @return revocation status
*/
CertificatePathStatusCodes
BOTAN_PUBLIC_API(2,0) check_ocsp(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
const std::vector<std::shared_ptr<const OCSP::Response>>& ocsp_responses,
const std::vector<Certificate_Store*>& certstores,
std::chrono::system_clock::time_point ref_time);
/**
* Check CRLs for revocation information
* @param cert_path path already validated by check_chain
* @param crls the list of CRLs to check, it is assumed that crls[i] (if not null)
* is the associated CRL for the subject in cert_path[i].
* @param ref_time whatever time you want to perform the validation against
* (normally current system clock)
* @return revocation status
*/
CertificatePathStatusCodes
BOTAN_PUBLIC_API(2,0) check_crl(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
const std::vector<std::shared_ptr<const X509_CRL>>& crls,
std::chrono::system_clock::time_point ref_time);
/**
* Check CRLs for revocation information
* @param cert_path path already validated by check_chain
* @param certstores a list of certificate stores to query for the CRL
* @param ref_time whatever time you want to perform the validation against
* (normally current system clock)
* @return revocation status
*/
CertificatePathStatusCodes
BOTAN_PUBLIC_API(2,0) check_crl(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
const std::vector<Certificate_Store*>& certstores,
std::chrono::system_clock::time_point ref_time);
#if defined(BOTAN_HAS_ONLINE_REVOCATION_CHECKS)
/**
* Check OCSP using online (HTTP) access. Current version creates a thread and
* network connection per OCSP request made.
*
* @param cert_path path already validated by check_chain
* @param trusted_certstores a list of certstores with trusted certs
* @param ref_time whatever time you want to perform the validation against
* (normally current system clock)
* @param timeout for timing out the responses, though actually this function
* may block for up to timeout*cert_path.size()*C for some small C.
* @param ocsp_check_intermediate_CAs if true also performs OCSP on any intermediate
* CA certificates. If false, only does OCSP on the end entity cert.
* @return revocation status
*/
CertificatePathStatusCodes
BOTAN_PUBLIC_API(2,0) check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
const std::vector<Certificate_Store*>& trusted_certstores,
std::chrono::system_clock::time_point ref_time,
std::chrono::milliseconds timeout,
bool ocsp_check_intermediate_CAs);
/**
* Check CRL using online (HTTP) access. Current version creates a thread and
* network connection per CRL access.
* @param cert_path path already validated by check_chain
* @param trusted_certstores a list of certstores with trusted certs
* @param certstore_to_recv_crls optional (nullptr to disable), all CRLs
* retreived will be saved to this cert store.
* @param ref_time whatever time you want to perform the validation against
* (normally current system clock)
* @param timeout for timing out the responses, though actually this function
* may block for up to timeout*cert_path.size()*C for some small C.
* @return revocation status
*/
CertificatePathStatusCodes
BOTAN_PUBLIC_API(2,0) check_crl_online(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
const std::vector<Certificate_Store*>& trusted_certstores,
Certificate_Store_In_Memory* certstore_to_recv_crls,
std::chrono::system_clock::time_point ref_time,
std::chrono::milliseconds timeout);
#endif
/**
* Find overall status (OK, error) of a validation
* @param cert_status result of merge_revocation_status or check_chain
*/
Certificate_Status_Code BOTAN_PUBLIC_API(2,0) overall_status(const CertificatePathStatusCodes& cert_status);
/**
* Merge the results from CRL and/or OCSP checks into chain_status
* @param chain_status the certificate status
* @param crl_status results from check_crl
* @param ocsp_status results from check_ocsp
* @param require_rev_on_end_entity require valid CRL or OCSP on end-entity cert
* @param require_rev_on_intermediates require valid CRL or OCSP on all intermediate certificates
*/
void BOTAN_PUBLIC_API(2,0) merge_revocation_status(CertificatePathStatusCodes& chain_status,
const CertificatePathStatusCodes& crl_status,
const CertificatePathStatusCodes& ocsp_status,
bool require_rev_on_end_entity,
bool require_rev_on_intermediates);
}
}
#endif
|