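/*
* X.509 Certificate Store
* (C) 1999-2007 Jack Lloyd
*
* Distributed under the terms of the Botan license
*/

#ifndef BOTAN_X509_CERT_STORE_H__
#define BOTAN_X509_CERT_STORE_H__

#include <botan/x509cert.h>
#include <botan/x509_crl.h>
#include <botan/certstor.h>

namespace Botan {

/**
* X.509 Certificate Validation Result
*
* Returned by X509_Store::validate_cert and X509_Store::add_crl.
* VERIFIED is the only value that does not name an error; callers
* should treat every other value as a failure (there is no separate
* "warning" state in this enumeration).
*/
enum X509_Code {
   VERIFIED,
   UNKNOWN_X509_ERROR,
   CANNOT_ESTABLISH_TRUST,
   CERT_CHAIN_TOO_LONG,
   SIGNATURE_ERROR,
   POLICY_ERROR,
   INVALID_USAGE,

   CERT_FORMAT_ERROR,
   CERT_ISSUER_NOT_FOUND,
   CERT_NOT_YET_VALID,
   CERT_HAS_EXPIRED,
   CERT_IS_REVOKED,

   CRL_FORMAT_ERROR,
   CRL_ISSUER_NOT_FOUND,
   CRL_NOT_YET_VALID,
   CRL_HAS_EXPIRED,

   CA_CERT_CANNOT_SIGN,
   CA_CERT_NOT_FOR_CERT_ISSUER,
   CA_CERT_NOT_FOR_CRL_ISSUER
};

/**
* X.509 Certificate Store
*
* Holds certificates (each flagged trusted or not, see Cert_Info),
* revocation data derived from added CRLs (CRL_Data), and any number
* of attached Certificate_Store back-ends, and validates certificates
* against them.
*
* Validation results are cached per certificate (Cert_Info keeps a
* mutable result and timestamp); the constructor's time_slack and
* cache_results arguments tune validity-period tolerance and cache
* lifetime. No synchronization of any kind is visible in this class,
* so sharing one X509_Store between threads should be assumed unsafe.
*/
class BOTAN_DLL X509_Store
   {
   public:
      /**
      * Intended usage a certificate is validated for (validate_cert
      * can answer INVALID_USAGE). The values are bit flags, but
      * validate_cert takes a single Cert_Usage, so combining flags
      * requires casting the OR'd value back to the enum.
      */
      enum Cert_Usage {
         ANY              = 0x00,
         TLS_SERVER       = 0x01,
         TLS_CLIENT       = 0x02,
         CODE_SIGNING     = 0x04,
         EMAIL_PROTECTION = 0x08,
         TIME_STAMPING    = 0x10,
         CRL_SIGNING      = 0x20
      };

      /**
      * Validate a certificate against this store for the given usage
      * (ANY = no usage restriction). Returns VERIFIED on success and
      * otherwise an X509_Code naming the failure.
      *
      * A cached result is reused for up to cache_results seconds
      * (see Cert_Info::is_verified). Whether a CRL added via add_crl
      * after a VERIFIED result was cached invalidates that entry is
      * not visible from this header -- confirm in the implementation
      * before relying on prompt revocation.
      */
      X509_Code validate_cert(const X509_Certificate&, Cert_Usage = ANY);

      /**
      * Return the certificate chain this store can construct for the
      * given certificate (built via construct_cert_chain /
      * find_parent_of).
      */
      std::vector<X509_Certificate> get_cert_chain(const X509_Certificate&);

      /** PEM encoding of the certificates held directly in this store. */
      std::string PEM_encode() const;

      /**
      * Add a CRL. Returns VERIFIED if the CRL was accepted, otherwise
      * an X509_Code (presumably one of the CRL_* codes or
      * CA_CERT_NOT_FOR_CRL_ISSUER) explaining the rejection. A
      * non-VERIFIED return means no revocation information was
      * recorded, so callers must not ignore it.
      */
      X509_Code add_crl(const X509_CRL&);

      /**
      * Add a single certificate. The bool appears to mirror
      * Cert_Info's trusted flag: false (the default) adds the
      * certificate without trusting it, true makes it a trust anchor.
      */
      void add_cert(const X509_Certificate&, bool = false);

      /** Add every certificate in the source (presumably untrusted). */
      void add_certs(DataSource&);

      /**
      * Add every certificate in the source as a trust anchor. Because
      * each one becomes a root of trust, only feed this a source you
      * have vetted.
      */
      void add_trusted_certs(DataSource&);

      /**
      * Attach an external certificate store consulted in addition to
      * the certificates held directly. The pointer is kept in
      * `stores`; whether ~X509_Store deletes it is not visible here --
      * confirm ownership before passing anything but a heap object.
      */
      void add_new_certstore(Certificate_Store*);

      /**
      * @param time_slack presumably a tolerance, in seconds, applied
      *        to validity-period checks (default 24 hours). Larger
      *        values let recently expired or not-yet-valid
      *        certificates pass.
      * @param cache_results how long, in seconds, a validation result
      *        is reused before the certificate is re-checked
      *        (default 30 minutes).
      */
      X509_Store(u32bit time_slack = 24*60*60,
                 u32bit cache_results = 30*60);

      X509_Store(const X509_Store&);
      ~X509_Store();
   private:
      /*
      * Assignment is intentionally unsupported. It is declared but
      * never defined, so any use (even from inside the class) fails
      * at link time instead of silently doing nothing.
      */
      X509_Store& operator=(const X509_Store&);

      /**
      * Identity of a revoked certificate as learned from a CRL:
      * issuer name, serial number and authority key identifier.
      */
      class BOTAN_DLL CRL_Data
         {
         public:
            X509_DN issuer;
            MemoryVector<byte> serial, auth_key_id;
            bool operator==(const CRL_Data&) const;
            bool operator!=(const CRL_Data&) const;
            bool operator<(const CRL_Data&) const;
         };

      /**
      * A stored certificate plus its trust flag and a cached
      * validation result. The cache fields are mutable so that
      * set_result can update them through a const reference; no
      * locking protects them.
      */
      class BOTAN_DLL Cert_Info
         {
         public:
            /* True if a cached result exists and is younger than timeout seconds. */
            bool is_verified(u32bit timeout) const;
            bool is_trusted() const;
            X509_Code verify_result() const;
            void set_result(X509_Code) const;
            Cert_Info(const X509_Certificate&, bool = false);

            X509_Certificate cert;
            bool trusted;
         private:
            mutable bool checked;
            mutable X509_Code result;
            mutable u64bit last_checked;
         };

      /* Check the signature on an X.509 object with the given key. */
      static X509_Code check_sig(const X509_Object&, Public_Key*);

      /* Index of the certificate matching the DN and key id, or NO_CERT_FOUND. */
      size_t find_cert(const X509_DN&, const MemoryRegion<byte>&) const;
      X509_Code check_sig(const Cert_Info&, const Cert_Info&) const;
      /* Rebuilds `revoked` lazily; guarded by revoked_info_valid. */
      void recompute_revoked_info() const;

      void do_add_certs(DataSource&, bool);
      X509_Code construct_cert_chain(const X509_Certificate&,
                                     std::vector<size_t>&, bool = false);

      size_t find_parent_of(const X509_Certificate&);
      bool is_revoked(const X509_Certificate&) const;

      /*
      * Sentinel index. Note this is not SIZE_MAX on 64-bit targets,
      * so compare only against this symbol, never against a literal.
      */
      static const size_t NO_CERT_FOUND = 0xFFFFFFFF;
      std::vector<Cert_Info> certs;
      std::vector<CRL_Data> revoked;
      std::vector<Certificate_Store*> stores;
      u32bit time_slack, validation_cache_timeout;
      mutable bool revoked_info_valid;
   };

}

#endif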