QuasarApp/qca
4
0
Fork 0
mirror of https://github.com/QuasarApp/qca.git synced 2025-05-11 02:09:33 +00:00
Code Issues Projects Releases Wiki Activity

completion result, validateflags

Browse Source 
svn path=/trunk/kdesupport/qca/; revision=681370
This commit is contained in:
Justin Karneges 2007-06-28 18:53:41 +00:00
parent 2b8e201018
commit ea6d9e5dab
4 changed files with 61 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
include/QtCrypto/qca_cert.h
View File

@ -452,7 +452,18 @@ enum Validity
ErrorPathLengthExceeded, ///< The path length from the root CA to this certificate is too long ErrorPathLengthExceeded, ///< The path length from the root CA to this certificate is too long
ErrorExpired, ///< The certificate has expired, or is not yet valid (e.g. current time is earlier than notBefore time) ErrorExpired, ///< The certificate has expired, or is not yet valid (e.g. current time is earlier than notBefore time)
ErrorExpiredCA, ///< The Certificate Authority has expired ErrorExpiredCA, ///< The Certificate Authority has expired
ErrorValidityUnknown ///< Validity is unknown ErrorValidityUnknown = 64 ///< Validity is unknown
};
/**
The conditions to validate for a certificate
*/
enum ValidateFlags
{
ValidateAll = 0x00, // Verify all conditions
ValidateRevoked = 0x01, // Verify the certificate was not revoked
ValidateExpired = 0x02, // Verify the certificate has not expired
ValidatePolicy = 0x04 // Verify the certificate can be used for a specified purpose
}; };
/** /**
@ -987,8 +998,11 @@ CertificateInfoOrdered info = cert.subjectInfoOrdered();
\param untrusted a collection of additional certificates, not \param untrusted a collection of additional certificates, not
necessarily trusted necessarily trusted
\param u the use required for the certificate \param u the use required for the certificate
\param vf the conditions to validate
\note This function may block
*/ */
Validity validate(const CertificateCollection &trusted, const CertificateCollection &untrusted, UsageMode u = UsageAny) const; Validity validate(const CertificateCollection &trusted, const CertificateCollection &untrusted, UsageMode u = UsageAny, ValidateFlags vf = ValidateAll) const;
/** /**
Export the Certificate into a DER format Export the Certificate into a DER format
@ -1090,8 +1104,8 @@ private:
QSharedDataPointer<Private> d; QSharedDataPointer<Private> d;
friend class CertificateChain; friend class CertificateChain;
Validity chain_validate(const CertificateChain &chain, const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u) const; Validity chain_validate(const CertificateChain &chain, const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u, ValidateFlags vf) const;
CertificateChain chain_complete(const CertificateChain &chain, const QList<Certificate> &issuers) const; CertificateChain chain_complete(const CertificateChain &chain, const QList<Certificate> &issuers, Validity *result) const;
}; };
/** /**
@ -1142,10 +1156,13 @@ public:
\param untrusted_crls a list of additional CRLs, not necessarily \param untrusted_crls a list of additional CRLs, not necessarily
trusted trusted
\param u the use required for the primary certificate \param u the use required for the primary certificate
\param vf the conditions to validate
\note This function may block
\sa Certificate::validate() \sa Certificate::validate()
*/ */
inline Validity validate(const CertificateCollection &trusted, const QList<CRL> &untrusted_crls = QList<CRL>(), UsageMode u = UsageAny) const; inline Validity validate(const CertificateCollection &trusted, const QList<CRL> &untrusted_crls = QList<CRL>(), UsageMode u = UsageAny, ValidateFlags vf = ValidateAll) const;
/** /**
Complete a certificate chain for the primary certificate, using the Complete a certificate chain for the primary certificate, using the
@ -1153,8 +1170,10 @@ public:
\a issuers, as possible issuers in the chain. If there are issuers \a issuers, as possible issuers in the chain. If there are issuers
missing, then the chain might be incomplete (at the worst case, if missing, then the chain might be incomplete (at the worst case, if
no issuers exist for the primary certificate, then the resulting no issuers exist for the primary certificate, then the resulting
chain will consist of just the primary certificate). To ensure a chain will consist of just the primary certificate). Use the
CertificateChain is fully complete, you must use validate(). \a result argument to find out if there was a problem during
completion. A result of ValidityGood means the chain was completed
successfully.
The newly constructed CertificateChain is returned. The newly constructed CertificateChain is returned.
@ -1162,24 +1181,27 @@ public:
CertificateChain object. CertificateChain object.
\param issuers a pool of issuers to draw from as necessary \param issuers a pool of issuers to draw from as necessary
\param result the result of the completion operation
\note This function may block
\sa validate \sa validate
*/ */
inline CertificateChain complete(const QList<Certificate> &issuers) const; inline CertificateChain complete(const QList<Certificate> &issuers = QList<Certificate>(), Validity *result = 0) const;
}; };
inline Validity CertificateChain::validate(const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u) const inline Validity CertificateChain::validate(const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u, ValidateFlags vf) const
{ {
if(isEmpty()) if(isEmpty())
return ErrorValidityUnknown; return ErrorValidityUnknown;
return first().chain_validate(*this, trusted, untrusted_crls, u); return first().chain_validate(*this, trusted, untrusted_crls, u, vf);
} }
inline CertificateChain CertificateChain::complete(const QList<Certificate> &issuers) const inline CertificateChain CertificateChain::complete(const QList<Certificate> &issuers, Validity *result) const
{ {
if(isEmpty()) if(isEmpty())
return CertificateChain(); return CertificateChain();
return first().chain_complete(*this, issuers); return first().chain_complete(*this, issuers, result);
} }
/** /**

4
include/QtCrypto/qcaprovider.h
View File

@ -278,8 +278,8 @@ public:
virtual bool isIssuerOf(const CertContext *other) const = 0; virtual bool isIssuerOf(const CertContext *other) const = 0;
// ownership of items IS NOT passed // ownership of items IS NOT passed
virtual Validity validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext*> &crls, UsageMode u) const = 0; virtual Validity validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext*> &crls, UsageMode u, ValidateFlags vf) const = 0;
virtual Validity validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext*> &crls, UsageMode u) const = 0; virtual Validity validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext*> &crls, UsageMode u, ValidateFlags vf) const = 0;
}; };
class QCA_EXPORT CSRContext : public CertBase class QCA_EXPORT CSRContext : public CertBase

14
plugins/qca-openssl/qca-openssl.cpp
View File

@ -3251,9 +3251,9 @@ public:
} }
// implemented later because it depends on MyCRLContext // implemented later because it depends on MyCRLContext
virtual Validity validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext *> &crls, UsageMode u) const; virtual Validity validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext *> &crls, UsageMode u, ValidateFlags vf) const;
virtual Validity validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext *> &crls, UsageMode u) const; virtual Validity validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext *> &crls, UsageMode u, ValidateFlags vf) const;
void make_props() void make_props()
{ {
@ -4010,8 +4010,11 @@ static bool usage_check(const MyCertContext &cc, UsageMode u)
} }
} }
Validity MyCertContext::validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext*> &crls, UsageMode u) const Validity MyCertContext::validate(const QList<CertContext*> &trusted, const QList<CertContext*> &untrusted, const QList<CRLContext*> &crls, UsageMode u, ValidateFlags vf) const
{ {
// TODO
Q_UNUSED(vf);
STACK_OF(X509) *trusted_list = sk_X509_new_null(); STACK_OF(X509) *trusted_list = sk_X509_new_null();
STACK_OF(X509) *untrusted_list = sk_X509_new_null(); STACK_OF(X509) *untrusted_list = sk_X509_new_null();
QList<X509_CRL*> crl_list; QList<X509_CRL*> crl_list;
@ -4080,8 +4083,11 @@ Validity MyCertContext::validate(const QList<CertContext*> &trusted, const QList
return ValidityGood; return ValidityGood;
} }
Validity MyCertContext::validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext*> &crls, UsageMode u) const Validity MyCertContext::validate_chain(const QList<CertContext*> &chain, const QList<CertContext*> &trusted, const QList<CRLContext*> &crls, UsageMode u, ValidateFlags vf) const
{ {
// TODO
Q_UNUSED(vf);
STACK_OF(X509) *trusted_list = sk_X509_new_null(); STACK_OF(X509) *trusted_list = sk_X509_new_null();
STACK_OF(X509) *untrusted_list = sk_X509_new_null(); STACK_OF(X509) *untrusted_list = sk_X509_new_null();
QList<X509_CRL*> crl_list; QList<X509_CRL*> crl_list;

48
src/qca_cert.cpp
View File

@ -1573,40 +1573,16 @@ QByteArray Certificate::issuerKeyId() const
return static_cast<const CertContext *>(context())->props()->issuerId; return static_cast<const CertContext *>(context())->props()->issuerId;
} }
Validity Certificate::validate(const CertificateCollection &trusted, const CertificateCollection &untrusted, UsageMode u) const Validity Certificate::validate(const CertificateCollection &trusted, const CertificateCollection &untrusted, UsageMode u, ValidateFlags vf) const
{ {
QList<Certificate> issuers = trusted.certificates() + untrusted.certificates(); QList<Certificate> issuers = trusted.certificates() + untrusted.certificates();
CertificateChain chain; CertificateChain chain;
chain += *this; chain += *this;
chain = chain.complete(issuers); Validity result;
return chain.validate(trusted, untrusted.crls(), u); chain = chain.complete(issuers, &result);
if(result != ValidityGood)
/*QList<CertContext*> trusted_list; return result;
QList<CertContext*> untrusted_list; return chain.validate(trusted, untrusted.crls(), u, vf);
QList<CRLContext*> crl_list;
QList<Certificate> trusted_certs = trusted.certificates();
QList<Certificate> untrusted_certs = untrusted.certificates();
QList<CRL> crls = trusted.crls() + untrusted.crls();
int n;
for(n = 0; n < trusted_certs.count(); ++n)
{
CertContext *c = static_cast<CertContext *>(trusted_certs[n].context());
trusted_list += c;
}
for(n = 0; n < untrusted_certs.count(); ++n)
{
CertContext *c = static_cast<CertContext *>(untrusted_certs[n].context());
untrusted_list += c;
}
for(n = 0; n < crls.count(); ++n)
{
CRLContext *c = static_cast<CRLContext *>(crls[n].context());
crl_list += c;
}
return static_cast<const CertContext *>(context())->validate(trusted_list, untrusted_list, crl_list, u);*/
} }
QByteArray Certificate::toDER() const QByteArray Certificate::toDER() const
@ -1752,7 +1728,7 @@ void Certificate::change(CertContext *c)
d->update(static_cast<CertContext *>(context())); d->update(static_cast<CertContext *>(context()));
} }
Validity Certificate::chain_validate(const CertificateChain &chain, const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u) const Validity Certificate::chain_validate(const CertificateChain &chain, const CertificateCollection &trusted, const QList<CRL> &untrusted_crls, UsageMode u, ValidateFlags vf) const
{ {
QList<CertContext*> chain_list; QList<CertContext*> chain_list;
QList<CertContext*> trusted_list; QList<CertContext*> trusted_list;
@ -1778,14 +1754,16 @@ Validity Certificate::chain_validate(const CertificateChain &chain, const Certif
crl_list += c; crl_list += c;
} }
return static_cast<const CertContext *>(context())->validate_chain(chain_list, trusted_list, crl_list, u); return static_cast<const CertContext *>(context())->validate_chain(chain_list, trusted_list, crl_list, u, vf);
} }
CertificateChain Certificate::chain_complete(const CertificateChain &chain, const QList<Certificate> &issuers) const CertificateChain Certificate::chain_complete(const CertificateChain &chain, const QList<Certificate> &issuers, Validity *result) const
{ {
CertificateChain out; CertificateChain out;
QList<Certificate> pool = issuers + chain.mid(1); QList<Certificate> pool = issuers + chain.mid(1);
out += chain.first(); out += chain.first();
if(result)
*result = ValidityGood;
while(!out.last().isSelfSigned()) while(!out.last().isSelfSigned())
{ {
// try to get next in chain // try to get next in chain
@ -1802,7 +1780,11 @@ CertificateChain Certificate::chain_complete(const CertificateChain &chain, cons
//printf("%s no\n", qPrintable(str)); //printf("%s no\n", qPrintable(str));
} }
if(at == -1) if(at == -1)
{
if(result)
*result = ErrorValidityUnknown;
break; break;
}
// take it out of the pool // take it out of the pool
Certificate next = pool.takeAt(at); Certificate next = pool.takeAt(at);