completion result, validateflags

svn path=/trunk/kdesupport/qca/; revision=681370
2025-05-09 09:19:33 +00:00 · 2007-06-28 18:53:41 +00:00 · 2007-06-28 18:53:41 +00:00 · ea6d9e5dab
commit ea6d9e5dab
parent 2b8e201018
4 changed files with 61 additions and 51 deletions
--- a/include/QtCrypto/qca_cert.h
+++ b/include/QtCrypto/qca_cert.h
@ -452,7 +452,18 @@ enum Validity
 	ErrorPathLengthExceeded, ///< The path length from the root CA to this certificate is too long
 	ErrorExpired,            ///< The certificate has expired, or is not yet valid (e.g. current time is earlier than notBefore time)
 	ErrorExpiredCA,          ///< The Certificate Authority has expired
-	ErrorValidityUnknown     ///< Validity is unknown
+	ErrorValidityUnknown = 64  ///< Validity is unknown
+};
+
+/**
+   The conditions to validate for a certificate
+*/
+enum ValidateFlags
+{
+	ValidateAll     = 0x00,  // Verify all conditions
+	ValidateRevoked = 0x01,  // Verify the certificate was not revoked
+	ValidateExpired = 0x02,  // Verify the certificate has not expired
+	ValidatePolicy  = 0x04   // Verify the certificate can be used for a specified purpose
 };

 /**
@ -987,8 +998,11 @@ CertificateInfoOrdered info = cert.subjectInfoOrdered();
 	   \param untrusted a collection of additional certificates, not
 	   necessarily trusted
 	   \param u the use required for the certificate
+	   \param vf the conditions to validate
+
+	   \note This function may block
 	*/
-	Validity validate(const CertificateCollection &trusted, const CertificateCollection &untrusted, UsageMode u = UsageAny) const;
+	Validity validate(const CertificateCollection &trusted, const CertificateCollection &untrusted, UsageMode u = UsageAny, ValidateFlags vf = ValidateAll) const;

 	/**
 	   Export the Certificate into a DER format
@ -1090,8 +1104,8 @@ private:
 	QSharedDataPointer<Private> d;

 	friend class CertificateChain;
-	Validity chain_validate(const CertificateChain &chain, const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u) const;
-	CertificateChain chain_complete(const CertificateChain &chain, const QList<Certificate> &issuers) const;
+	Validity chain_validate(const CertificateChain &chain, const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u, ValidateFlags vf) const;
+	CertificateChain chain_complete(const CertificateChain &chain, const QList<Certificate> &issuers, Validity *result) const;
 };

 /**
@ -1142,10 +1156,13 @@ public:
 	   \param untrusted_crls a list of additional CRLs, not necessarily
 	   trusted
 	   \param u the use required for the primary certificate
+	   \param vf the conditions to validate
+
+	   \note This function may block

 	   \sa Certificate::validate()
 	*/
-	inline Validity validate(const CertificateCollection &trusted, const QList<CRL> &untrusted_crls = QList<CRL>(), UsageMode u = UsageAny) const;
+	inline Validity validate(const CertificateCollection &trusted, const QList<CRL> &untrusted_crls = QList<CRL>(), UsageMode u = UsageAny, ValidateFlags vf = ValidateAll) const;

 	/**
 	   Complete a certificate chain for the primary certificate, using the
@ -1153,8 +1170,10 @@ public:
 	   \a issuers, as possible issuers in the chain.  If there are issuers
 	   missing, then the chain might be incomplete (at the worst case, if
 	   no issuers exist for the primary certificate, then the resulting
-	   chain will consist of just the primary certificate).  To ensure a
-	   CertificateChain is fully complete, you must use validate().
+	   chain will consist of just the primary certificate).  Use the
+	   \a result argument to find out if there was a problem during
+	   completion.  A result of ValidityGood means the chain was completed
+	   successfully.

 	   The newly constructed CertificateChain is returned.

@ -1162,24 +1181,27 @@ public:
 	   CertificateChain object.

 	   \param issuers a pool of issuers to draw from as necessary
+	   \param result the result of the completion operation
+
+	   \note This function may block

 	   \sa validate
 	*/
-	inline CertificateChain complete(const QList<Certificate> &issuers) const;
+	inline CertificateChain complete(const QList<Certificate> &issuers = QList<Certificate>(), Validity *result = 0) const;
 };

-inline Validity CertificateChain::validate(const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u) const
+inline Validity CertificateChain::validate(const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u, ValidateFlags vf) const
 {
 	if(isEmpty())
 		return ErrorValidityUnknown;
-	return first().chain_validate(*this, trusted, untrusted_crls, u);
+	return first().chain_validate(*this, trusted, untrusted_crls, u, vf);
 }

-inline CertificateChain CertificateChain::complete(const QList<Certificate> &issuers) const
+inline CertificateChain CertificateChain::complete(const QList<Certificate> &issuers, Validity *result) const
 {
 	if(isEmpty())
 		return CertificateChain();
-	return first().chain_complete(*this, issuers);
+	return first().chain_complete(*this, issuers, result);
 }

 /**
--- a/include/QtCrypto/qcaprovider.h
+++ b/include/QtCrypto/qcaprovider.h
@ -278,8 +278,8 @@ public:
 	virtual bool isIssuerOf(const CertContext *other) const = 0;

 	// ownership of items IS NOT passed
-	virtual Validity validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext*> &crls, UsageMode u) const = 0;
-	virtual Validity validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext*> &crls, UsageMode u) const = 0;
+	virtual Validity validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext*> &crls, UsageMode u, ValidateFlags vf) const = 0;
+	virtual Validity validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext*> &crls, UsageMode u, ValidateFlags vf) const = 0;
 };

 class QCA_EXPORT CSRContext : public CertBase
--- a/plugins/qca-openssl/qca-openssl.cpp
+++ b/plugins/qca-openssl/qca-openssl.cpp
@ -3251,9 +3251,9 @@ public:
 	}

 	// implemented later because it depends on MyCRLContext
-	virtual Validity validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext *> &crls, UsageMode u) const;
+	virtual Validity validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext *> &crls, UsageMode u, ValidateFlags vf) const;

-	virtual Validity validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext *> &crls, UsageMode u) const;
+	virtual Validity validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext *> &crls, UsageMode u, ValidateFlags vf) const;

 	void make_props()
 	{
@ -4010,8 +4010,11 @@ static bool usage_check(const MyCertContext &cc, UsageMode u)
 	}
 }

-Validity MyCertContext::validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext*> &crls, UsageMode u) const
+Validity MyCertContext::validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext*> &crls, UsageMode u, ValidateFlags vf) const
 {
+	// TODO
+	Q_UNUSED(vf);
+
 	STACK_OF(X509) *trusted_list = sk_X509_new_null();
 	STACK_OF(X509) *untrusted_list = sk_X509_new_null();
 	QList<X509_CRL*> crl_list;
@ -4080,8 +4083,11 @@ Validity MyCertContext::validate(const QList<CertContext*> &trusted, const QList
 	return ValidityGood;
 }

-Validity MyCertContext::validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext*> &crls, UsageMode u) const
+Validity MyCertContext::validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext*> &crls, UsageMode u, ValidateFlags vf) const
 {
+	// TODO
+	Q_UNUSED(vf);
+
 	STACK_OF(X509) *trusted_list = sk_X509_new_null();
 	STACK_OF(X509) *untrusted_list = sk_X509_new_null();
 	QList<X509_CRL*> crl_list;
--- a/src/qca_cert.cpp
+++ b/src/qca_cert.cpp
@ -1573,40 +1573,16 @@ QByteArray Certificate::issuerKeyId() const
 	return static_cast<const CertContext *>(context())->props()->issuerId;
 }

-Validity Certificate::validate(const CertificateCollection &trusted, const CertificateCollection &untrusted, UsageMode u) const
+Validity Certificate::validate(const CertificateCollection &trusted, const CertificateCollection &untrusted, UsageMode u, ValidateFlags vf) const
 {
 	QList<Certificate> issuers = trusted.certificates() + untrusted.certificates();
 	CertificateChain chain;
 	chain += *this;
-	chain = chain.complete(issuers);
-	return chain.validate(trusted, untrusted.crls(), u);
-
-	/*QList<CertContext*> trusted_list;
-	QList<CertContext*> untrusted_list;
-	QList<CRLContext*> crl_list;
-
-	QList<Certificate> trusted_certs = trusted.certificates();
-	QList<Certificate> untrusted_certs = untrusted.certificates();
-	QList<CRL> crls = trusted.crls() + untrusted.crls();
-
-	int n;
-	for(n = 0; n < trusted_certs.count(); ++n)
-	{
-		CertContext *c = static_cast<CertContext *>(trusted_certs[n].context());
-		trusted_list += c;
-	}
-	for(n = 0; n < untrusted_certs.count(); ++n)
-	{
-		CertContext *c = static_cast<CertContext *>(untrusted_certs[n].context());
-		untrusted_list += c;
-	}
-	for(n = 0; n < crls.count(); ++n)
-	{
-		CRLContext *c = static_cast<CRLContext *>(crls[n].context());
-		crl_list += c;
-	}
-
-	return static_cast<const CertContext *>(context())->validate(trusted_list, untrusted_list, crl_list, u);*/
+	Validity result;
+	chain = chain.complete(issuers, &result);
+	if(result != ValidityGood)
+		return result;
+	return chain.validate(trusted, untrusted.crls(), u, vf);
 }

 QByteArray Certificate::toDER() const
@ -1752,7 +1728,7 @@ void Certificate::change(CertContext *c)
 	d->update(static_cast<CertContext *>(context()));
 }

-Validity Certificate::chain_validate(const CertificateChain &chain, const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u) const
+Validity Certificate::chain_validate(const CertificateChain &chain, const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u, ValidateFlags vf) const
 {
 	QList<CertContext*> chain_list;
 	QList<CertContext*> trusted_list;
@ -1778,14 +1754,16 @@ Validity Certificate::chain_validate(const CertificateChain &chain, const Certif
 		crl_list += c;
 	}

-	return static_cast<const CertContext *>(context())->validate_chain(chain_list, trusted_list, crl_list, u);
+	return static_cast<const CertContext *>(context())->validate_chain(chain_list, trusted_list, crl_list, u, vf);
 }

-CertificateChain Certificate::chain_complete(const CertificateChain &chain, const QList<Certificate> &issuers) const
+CertificateChain Certificate::chain_complete(const CertificateChain &chain, const QList<Certificate> &issuers, Validity *result) const
 {
 	CertificateChain out;
 	QList<Certificate> pool = issuers + chain.mid(1);
 	out += chain.first();
+	if(result)
+		*result = ValidityGood;
 	while(!out.last().isSelfSigned())
 	{
 		// try to get next in chain
@ -1802,7 +1780,11 @@ CertificateChain Certificate::chain_complete(const CertificateChain &chain, cons
 			//printf("%s  no\n", qPrintable(str));
 		}
 		if(at == -1)
+		{
+			if(result)
+				*result = ErrorValidityUnknown;
 			break;
+		}

 		// take it out of the pool
 		Certificate next = pool.takeAt(at);