8#ifndef BOTAN_X509_CERT_PATH_VALIDATION_H_
9#define BOTAN_X509_CERT_PATH_VALIDATION_H_
11#include <botan/pkix_enums.h>
12#include <botan/x509cert.h>
13#include <botan/certstor.h>
14#include <botan/ocsp.h>
19#if defined(BOTAN_TARGET_OS_HAS_THREADS) && defined(BOTAN_HAS_HTTP_UTIL)
20 #define BOTAN_HAS_ONLINE_REVOCATION_CHECKS
54 size_t minimum_key_strength = 110,
55 bool ocsp_all_intermediates =
false,
56 std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero());
72 size_t minimum_key_strength,
73 bool ocsp_all_intermediates,
74 const std::set<std::string>& trusted_hashes,
75 std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero()) :
76 m_require_revocation_information(require_rev),
77 m_ocsp_all_intermediates(ocsp_all_intermediates),
78 m_trusted_hashes(trusted_hashes),
79 m_minimum_key_strength(minimum_key_strength),
80 m_max_ocsp_age(max_ocsp_age) {}
86 {
return m_require_revocation_information; }
93 {
return m_ocsp_all_intermediates; }
99 {
return m_trusted_hashes; }
105 {
return m_minimum_key_strength; }
112 {
return m_max_ocsp_age; }
115 bool m_require_revocation_information;
116 bool m_ocsp_all_intermediates;
117 std::set<std::string> m_trusted_hashes;
118 size_t m_minimum_key_strength;
119 std::chrono::seconds m_max_ocsp_age;
134 std::set<std::string> trusted_hashes()
const;
146 const std::vector<std::shared_ptr<const X509_Certificate>>&
cert_path()
const {
return m_cert_path; }
151 bool successful_validation()
const;
156 bool no_warnings()
const;
167 {
return m_all_status; }
177 std::string result_string()
const;
182 std::string warnings_string()
const;
196 std::vector<std::shared_ptr<const X509_Certificate>>&& cert_chain);
207 std::vector<std::shared_ptr<const X509_Certificate>> m_cert_path;
227 const
std::vector<X509_Certificate>& end_certs,
228 const Path_Validation_Restrictions& restrictions,
229 const
std::vector<Certificate_Store*>& trusted_roots,
230 const
std::
string& hostname = "",
232 std::chrono::system_clock::time_point validation_time =
std::chrono::system_clock::now(),
233 std::chrono::milliseconds ocsp_timeout =
std::chrono::milliseconds(0),
234 const
std::vector<
std::shared_ptr<const OCSP::Response>>& ocsp_resp = {});
249 const X509_Certificate& end_cert,
250 const Path_Validation_Restrictions& restrictions,
251 const
std::vector<Certificate_Store*>& trusted_roots,
252 const
std::
string& hostname = "",
254 std::chrono::system_clock::time_point validation_time =
std::chrono::system_clock::now(),
255 std::chrono::milliseconds ocsp_timeout =
std::chrono::milliseconds(0),
256 const
std::vector<
std::shared_ptr<const OCSP::Response>>& ocsp_resp = {});
271 const X509_Certificate& end_cert,
272 const Path_Validation_Restrictions& restrictions,
273 const Certificate_Store& store,
274 const
std::
string& hostname = "",
276 std::chrono::system_clock::time_point validation_time =
std::chrono::system_clock::now(),
277 std::chrono::milliseconds ocsp_timeout =
std::chrono::milliseconds(0),
278 const
std::vector<
std::shared_ptr<const OCSP::Response>>& ocsp_resp = {});
293 const
std::vector<X509_Certificate>& end_certs,
294 const Path_Validation_Restrictions& restrictions,
295 const Certificate_Store& store,
296 const
std::
string& hostname = "",
298 std::chrono::system_clock::time_point validation_time =
std::chrono::system_clock::now(),
299 std::chrono::milliseconds ocsp_timeout =
std::chrono::milliseconds(0),
300 const
std::vector<
std::shared_ptr<const OCSP::Response>>& ocsp_resp = {});
312build_all_certificate_paths(std::vector<std::vector<std::shared_ptr<const X509_Certificate>>>& cert_paths,
313 const std::vector<Certificate_Store*>& trusted_certstores,
314 const std::shared_ptr<const X509_Certificate>& end_entity,
315 const std::vector<std::shared_ptr<const X509_Certificate>>& end_entity_extra);
327BOTAN_PUBLIC_API(2,0) build_certificate_path(std::vector<std::shared_ptr<const X509_Certificate>>& cert_path_out,
328 const std::vector<Certificate_Store*>& trusted_certstores,
329 const std::shared_ptr<const X509_Certificate>& end_entity,
330 const std::vector<std::shared_ptr<const X509_Certificate>>& end_entity_extra);
350BOTAN_PUBLIC_API(2,0) check_chain(
const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
351 std::chrono::system_clock::time_point ref_time,
352 const std::string& hostname,
354 size_t min_signature_algo_strength,
355 const std::set<std::string>& trusted_hashes);
369BOTAN_PUBLIC_API(2, 0) check_ocsp(
const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
370 const std::vector<std::shared_ptr<const OCSP::Response>>& ocsp_responses,
371 const std::vector<Certificate_Store*>& certstores,
372 std::chrono::system_clock::time_point ref_time,
373 std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero());
385BOTAN_PUBLIC_API(2,0) check_crl(
const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
386 const std::vector<std::shared_ptr<const X509_CRL>>& crls,
387 std::chrono::system_clock::time_point ref_time);
398BOTAN_PUBLIC_API(2,0) check_crl(
const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
399 const std::vector<Certificate_Store*>& certstores,
400 std::chrono::system_clock::time_point ref_time);
402#if defined(BOTAN_HAS_ONLINE_REVOCATION_CHECKS)
421BOTAN_PUBLIC_API(2, 0) check_ocsp_online(
const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
422 const std::vector<Certificate_Store*>& trusted_certstores,
423 std::chrono::system_clock::time_point ref_time,
424 std::chrono::milliseconds timeout,
425 bool ocsp_check_intermediate_CAs,
426 std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero());
443BOTAN_PUBLIC_API(2,0) check_crl_online(
const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
444 const std::vector<Certificate_Store*>& trusted_certstores,
446 std::chrono::system_clock::time_point ref_time,
447 std::chrono::milliseconds timeout);
468 bool require_rev_on_end_entity,
469 bool require_rev_on_intermediates);
bool require_revocation_information() const
bool ocsp_all_intermediates() const
const std::set< std::string > & trusted_hashes() const
std::chrono::seconds max_ocsp_age() const
size_t minimum_key_strength() const
Path_Validation_Restrictions(bool require_rev, size_t minimum_key_strength, bool ocsp_all_intermediates, const std::set< std::string > &trusted_hashes, std::chrono::seconds max_ocsp_age=std::chrono::seconds::zero())
Certificate_Status_Code result() const
Certificate_Status_Code Code
Path_Validation_Result(Certificate_Status_Code status)
const std::vector< std::shared_ptr< const X509_Certificate > > & cert_path() const
const CertificatePathStatusCodes & all_statuses() const
int(* final)(unsigned char *, CTX *)
#define BOTAN_PUBLIC_API(maj, min)
std::vector< std::set< Certificate_Status_Code > > CertificatePathStatusCodes
Path_Validation_Result x509_path_validate(const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, const std::string &hostname, Usage_Type usage, std::chrono::system_clock::time_point ref_time, std::chrono::milliseconds ocsp_timeout, const std::vector< std::shared_ptr< const OCSP::Response > > &ocsp_resp)