1 /*
2 * X.509 Certificate Store
3 * (C) 1999-2007 Jack Lloyd
4 *
5 * Distributed under the terms of the Botan license
6 */
7 
8 #ifndef BOTAN_X509_CERT_STORE_H__
9 #define BOTAN_X509_CERT_STORE_H__
10 
11 #include <botan/x509cert.h>
12 #include <botan/x509_crl.h>
13 #include <botan/certstor.h>
14 
15 namespace Botan {
16 
17 /**
18 * X.509 Certificate Validation Result
19 */
/**
* X.509 Certificate Validation Result
*
* Returned by X509_Store::validate_cert and X509_Store::add_crl. Only
* VERIFIED denotes success; every other value is a failure and callers
* must treat it as such (do not test for a single error code). The
* values are grouped by what failed: general chain/signature/policy
* checks, the end-entity certificate, the CRL, and the issuing CA cert.
*/
enum X509_Code {
   VERIFIED,                   // validation succeeded
   UNKNOWN_X509_ERROR,         // failure not covered by a more specific code
   CANNOT_ESTABLISH_TRUST,     // no path to a trusted certificate
   CERT_CHAIN_TOO_LONG,        // chain exceeds the permitted length
   SIGNATURE_ERROR,            // a signature in the chain did not verify
   POLICY_ERROR,               // policy/constraint check failed
   INVALID_USAGE,              // cert not permitted for the requested Cert_Usage

   // End-entity / subject certificate problems
   CERT_FORMAT_ERROR,
   CERT_ISSUER_NOT_FOUND,
   CERT_NOT_YET_VALID,
   CERT_HAS_EXPIRED,
   CERT_IS_REVOKED,

   // CRL problems (an expired or missing CRL is an error, not a pass)
   CRL_FORMAT_ERROR,
   CRL_ISSUER_NOT_FOUND,
   CRL_NOT_YET_VALID,
   CRL_HAS_EXPIRED,

   // Issuing CA certificate problems
   CA_CERT_CANNOT_SIGN,
   CA_CERT_NOT_FOR_CERT_ISSUER,
   CA_CERT_NOT_FOR_CRL_ISSUER
};
44 
45 /**
46 * X.509 Certificate Store
47 */
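/**
* X.509 Certificate Store
*
* Holds a set of certificates (some marked trusted), the revocation data
* taken from added CRLs, and optional external Certificate_Store backends,
* and validates certificates against them. Validation results are cached
* per certificate (see Cert_Info) for validation_cache_timeout seconds,
* so a revocation learned via add_crl may not be reflected for a cached
* certificate until its cache entry ages out -- presumably; confirm
* against the is_verified()/set_result() logic in the implementation.
*
* Copy construction is allowed; copy assignment is deliberately not.
*/
class BOTAN_DLL X509_Store
   {
   public:
      /**
      * Usage the certificate is being validated for. Values are bit
      * flags; ANY places no usage restriction on the check.
      */
      enum Cert_Usage {
         ANY              = 0x00,
         TLS_SERVER       = 0x01,
         TLS_CLIENT       = 0x02,
         CODE_SIGNING     = 0x04,
         EMAIL_PROTECTION = 0x08,
         TIME_STAMPING    = 0x10,
         CRL_SIGNING      = 0x20
      };

      /**
      * Validate a certificate against this store.
      * @param cert the certificate to validate
      * @param usage the usage the certificate must be valid for (ANY = no check)
      * @return VERIFIED on success, any other X509_Code on failure
      */
      X509_Code validate_cert(const X509_Certificate&, Cert_Usage = ANY);

      /**
      * @return the certificate chain built for the given certificate
      */
      std::vector<X509_Certificate> get_cert_chain(const X509_Certificate&);

      /**
      * @return the certificates in this store, PEM encoded
      */
      std::string PEM_encode() const;

      /**
      * Add a CRL; its revocation entries become part of this store.
      * @return VERIFIED if the CRL was accepted, else the error code
      */
      X509_Code add_crl(const X509_CRL&);

      /**
      * Add a single certificate.
      * @param cert the certificate to add
      * @param trusted whether the certificate is a trust anchor
      *        (default false); presumably forwarded to Cert_Info's
      *        second constructor argument -- confirm
      */
      void add_cert(const X509_Certificate&, bool = false);

      /**
      * Add all certificates read from a source as untrusted.
      */
      void add_certs(DataSource&);

      /**
      * Add all certificates read from a source as trust anchors.
      * Only feed this a source whose contents you actually trust.
      */
      void add_trusted_certs(DataSource&);

      /**
      * Register an external certificate store backend.
      * NOTE(review): ownership of the pointer is not expressed by the
      * signature; the destructor exists and `stores` is a raw-pointer
      * vector, so the store presumably takes ownership -- confirm before
      * passing a store you also own elsewhere.
      */
      void add_new_certstore(Certificate_Store*);

      /**
      * @param time_slack tolerance in seconds applied to validity-period
      *        checks (default 24 hours); a larger value widens the window
      *        in which an expired or not-yet-valid certificate is accepted
      *        -- exact application is in the implementation, confirm
      * @param cache_results how long (seconds) a validation result is
      *        cached per certificate (default 30 minutes)
      */
      X509_Store(u32bit time_slack = 24*60*60,
                 u32bit cache_results = 30*60);

      X509_Store(const X509_Store&);
      ~X509_Store();
   private:
      /*
      * Copy assignment is disabled: declared private and never defined,
      * so any (accidental) use fails to link instead of silently doing
      * nothing, which is what the previous empty `{ return *this; }`
      * body did.
      */
      X509_Store& operator=(const X509_Store&);

      /**
      * One revocation entry taken from a CRL: the issuing DN plus the
      * revoked serial and the authority key id. Ordered (operator<) so
      * `revoked` can be kept sorted -- presumably for searching; confirm.
      */
      class BOTAN_DLL CRL_Data
         {
         public:
            X509_DN issuer;
            MemoryVector<byte> serial, auth_key_id;
            bool operator==(const CRL_Data&) const;
            bool operator!=(const CRL_Data&) const;
            bool operator<(const CRL_Data&) const;
         };

      /**
      * A stored certificate together with its trust flag and a cached
      * validation result. The cache fields are mutable so set_result()
      * can be const; is_verified(timeout) presumably reports whether the
      * cached result is still fresh -- confirm.
      */
      class BOTAN_DLL Cert_Info
         {
         public:
            bool is_verified(u32bit timeout) const;
            bool is_trusted() const;
            X509_Code verify_result() const;
            void set_result(X509_Code) const;
            Cert_Info(const X509_Certificate&, bool = false);

            X509_Certificate cert;
            bool trusted;
         private:
            // validation cache: whether a result exists, what it was,
            // and when it was recorded
            mutable bool checked;
            mutable X509_Code result;
            mutable u64bit last_checked;
         };

      // Verify the signature on an X.509 object with the given key
      static X509_Code check_sig(const X509_Object&, Public_Key*);

      // Index into `certs` matching the DN and key id, or NO_CERT_FOUND
      size_t find_cert(const X509_DN&, const MemoryRegion<byte>&) const;
      // Verify that the first cert is signed by the second
      X509_Code check_sig(const Cert_Info&, const Cert_Info&) const;
      // Rebuild the derived revocation state (const: touches only mutable state)
      void recompute_revoked_info() const;

      // Shared implementation of add_certs / add_trusted_certs; the bool is the trusted flag
      void do_add_certs(DataSource&, bool);
      // Build the chain as indices into `certs`
      X509_Code construct_cert_chain(const X509_Certificate&,
                                     std::vector<size_t>&, bool = false);

      size_t find_parent_of(const X509_Certificate&);
      bool is_revoked(const X509_Certificate&) const;

      /*
      * Sentinel returned by the index-returning lookups. Note it is
      * 0xFFFFFFFF rather than size_t(-1): on 64-bit targets it is a
      * representable index, which is harmless only while `certs` stays
      * far below 2^32 entries.
      */
      static const size_t NO_CERT_FOUND = 0xFFFFFFFF;
      std::vector<Cert_Info> certs;
      std::vector<CRL_Data> revoked;
      std::vector<Certificate_Store*> stores;
      u32bit time_slack, validation_cache_timeout;
      // dirty flag for the revocation data; cleared by recompute_revoked_info()
      mutable bool revoked_info_valid;
   };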
128 
129 }
130 
131 #endif
132