diff options
| author | Vincent Richard <[email protected]> | 2005-10-30 15:02:39 +0000 |
|---|---|---|
| committer | Vincent Richard <[email protected]> | 2005-10-30 15:02:39 +0000 |
| commit | 4522121196f11de0200ed54ea50830c1baf017a6 (patch) | |
| tree | 10dc792a93779ac0546291acf8064fd0efa138ed /src/security/cert/defaultCertificateVerifier.cpp | |
| parent | Added flush() on 'outputStream' + added unit tests for 'charsetFilteredOutput... (diff) | |
| download | vmime-4522121196f11de0200ed54ea50830c1baf017a6.tar.gz vmime-4522121196f11de0200ed54ea50830c1baf017a6.zip | |
Moved certificate code into 'vmime::net::security::cert' namespace.
Diffstat (limited to 'src/security/cert/defaultCertificateVerifier.cpp')
| -rw-r--r-- | src/security/cert/defaultCertificateVerifier.cpp | 164 |
1 files changed, 164 insertions, 0 deletions
diff --git a/src/security/cert/defaultCertificateVerifier.cpp b/src/security/cert/defaultCertificateVerifier.cpp new file mode 100644 index 00000000..b125d3e4 --- /dev/null +++ b/src/security/cert/defaultCertificateVerifier.cpp @@ -0,0 +1,164 @@ +// +// VMime library (http://www.vmime.org) +// Copyright (C) 2002-2005 Vincent Richard <[email protected]> +// +// This program is free software; you can redistribute it and/or +// modify it under the terms of the GNU General Public License as +// published by the Free Software Foundation; either version 2 of +// the License, or (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// Linking this library statically or dynamically with other modules is making +// a combined work based on this library. Thus, the terms and conditions of +// the GNU General Public License cover the whole combination. +// + +#include "vmime/security/cert/defaultCertificateVerifier.hpp" + +#include "vmime/security/cert/X509Certificate.hpp" + +#include "vmime/exception.hpp" + + +namespace vmime { +namespace security { +namespace cert { + + +defaultCertificateVerifier::defaultCertificateVerifier() +{ +} + + +defaultCertificateVerifier::~defaultCertificateVerifier() +{ +} + + +defaultCertificateVerifier::defaultCertificateVerifier(const defaultCertificateVerifier&) + : certificateVerifier() +{ + // Not used +} + + +void defaultCertificateVerifier::verify(ref <certificateChain> chain) +{ + if (chain->getCount() == 0) + return; + + const string type = chain->getAt(0)->getType(); + + if (type == "X.509") + verifyX509(chain); + else + throw exceptions::unsupported_certificate_type(type); +} + + +void defaultCertificateVerifier::verifyX509(ref <certificateChain> chain) +{ + // For every certificate in the chain, verify that the certificate + // has been issued by the next certificate in the chain + if (chain->getCount() >= 2) + { + for (unsigned int i = 0 ; i < chain->getCount() - 1 ; ++i) + { + ref <X509Certificate> cert = + chain->getAt(i).dynamicCast <X509Certificate>(); + + ref <X509Certificate> next = + chain->getAt(i + 1).dynamicCast <X509Certificate>(); + + if (!cert->checkIssuer(next)) + { + throw exceptions::certificate_verification_exception + ("Subject/issuer verification failed."); + } + } + } + + // For every certificate in the chain, verify that the certificate + // is valid at the current time + const datetime now = datetime::now(); + + for (unsigned int i = 0 ; i < chain->getCount() ; ++i) + { + ref <X509Certificate> cert = + chain->getAt(i).dynamicCast <X509Certificate>(); + + const datetime begin = cert->getActivationDate(); + const datetime end = cert->getExpirationDate(); + + if (now < begin || now > end) + { + throw exceptions::certificate_verification_exception + ("Validity date check failed."); + } + } + + // Check whether the certificate can be trusted + + // -- First, verify that the the last certificate in the chain was + // -- issued by a third-party that we trust + ref <X509Certificate> lastCert = + chain->getAt(chain->getCount() - 1).dynamicCast <X509Certificate>(); + + bool trusted = false; + + for (unsigned int i = 0 ; !trusted && i < m_x509RootCAs.size() ; ++i) + { + ref <X509Certificate> rootCa = m_x509RootCAs[i]; + + if (lastCert->verify(rootCa)) + trusted = true; + } + + // -- Next, if the issuer certificate cannot be verified against + // -- root CAs, compare the subject's certificate against the + // -- trusted certificates + ref <X509Certificate> firstCert = + chain->getAt(0).dynamicCast <X509Certificate>(); + + for (unsigned int i = 0 ; !trusted && i < m_x509TrustedCerts.size() ; ++i) + { + ref <X509Certificate> cert = m_x509TrustedCerts[i]; + + if (firstCert->equals(cert)) + trusted = true; + } + + if (!trusted) + { + throw exceptions::certificate_verification_exception + ("Cannot verify certificate against trusted certificates."); + } +} + + +void defaultCertificateVerifier::setX509RootCAs + (const std::vector <ref <X509Certificate> >& caCerts) +{ + m_x509RootCAs = caCerts; +} + + +void defaultCertificateVerifier::setX509TrustedCerts + (const std::vector <ref <X509Certificate> >& trustedCerts) +{ + m_x509TrustedCerts = trustedCerts; +} + + +} // cert +} // security +} // vmime + |