void Credentials_Manager::verify_certificate_chain( const std::string& type, const std::string& purported_hostname, const std::vector<X509_Certificate>& cert_chain) { if(cert_chain.empty()) throw std::invalid_argument("Certificate chain was empty"); auto trusted_CAs = trusted_certificate_authorities(type, purported_hostname); Path_Validation_Restrictions restrictions; auto result = x509_path_validate(cert_chain, restrictions, trusted_CAs); if(!result.successful_validation()) throw std::runtime_error("Certificate validation failure: " + result.result_string()); if(!cert_in_some_store(trusted_CAs, result.trust_root())) throw std::runtime_error("Certificate chain roots in unknown/untrusted CA"); if(purported_hostname != "" && !cert_chain[0].matches_dns_name(purported_hostname)) throw std::runtime_error("Certificate did not match hostname"); }
void TLS::Callbacks::tls_verify_cert_chain( const std::vector<X509_Certificate>& cert_chain, const std::vector<std::shared_ptr<const OCSP::Response>>& ocsp_responses, const std::vector<Certificate_Store*>& trusted_roots, Usage_Type usage, const std::string& hostname, const TLS::Policy& policy) { if(cert_chain.empty()) throw Invalid_Argument("Certificate chain was empty"); Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(), policy.minimum_signature_strength()); Path_Validation_Result result = x509_path_validate(cert_chain, restrictions, trusted_roots, (usage == Usage_Type::TLS_SERVER_AUTH ? hostname : ""), usage, std::chrono::system_clock::now(), tls_verify_cert_chain_ocsp_timeout(), ocsp_responses); if(!result.successful_validation()) { throw TLS_Exception(Alert::BAD_CERTIFICATE, "Certificate validation failure: " + result.result_string()); } }
Path_Validation_Result x509_path_validate( const X509_Certificate& end_cert, const Path_Validation_Restrictions& restrictions, const std::vector<Certificate_Store*>& certstores, const std::string& hostname, Usage_Type usage) { std::vector<X509_Certificate> certs; certs.push_back(end_cert); return x509_path_validate(certs, restrictions, certstores, hostname, usage); }
Path_Validation_Result x509_path_validate( const std::vector<X509_Certificate>& end_certs, const Path_Validation_Restrictions& restrictions, const Certificate_Store& store, const std::string& hostname, Usage_Type usage) { std::vector<Certificate_Store*> certstores; certstores.push_back(const_cast<Certificate_Store*>(&store)); return x509_path_validate(end_certs, restrictions, certstores, hostname, usage); }