diff options
| author | Vincent Richard <[email protected]> | 2005-10-30 15:02:39 +0000 |
|---|---|---|
| committer | Vincent Richard <[email protected]> | 2005-10-30 15:02:39 +0000 |
| commit | 4522121196f11de0200ed54ea50830c1baf017a6 (patch) | |
| tree | 10dc792a93779ac0546291acf8064fd0efa138ed /src/net/tls/defaultCertificateVerifier.cpp | |
| parent | Added flush() on 'outputStream' + added unit tests for 'charsetFilteredOutput... (diff) | |
| download | vmime-4522121196f11de0200ed54ea50830c1baf017a6.tar.gz vmime-4522121196f11de0200ed54ea50830c1baf017a6.zip | |
Moved certificate code into 'vmime::net::security::cert' namespace.
Diffstat (limited to 'src/net/tls/defaultCertificateVerifier.cpp')
| -rw-r--r-- | src/net/tls/defaultCertificateVerifier.cpp | 164 |
1 files changed, 0 insertions, 164 deletions
diff --git a/src/net/tls/defaultCertificateVerifier.cpp b/src/net/tls/defaultCertificateVerifier.cpp deleted file mode 100644 index de0c6e45..00000000 --- a/src/net/tls/defaultCertificateVerifier.cpp +++ /dev/null @@ -1,164 +0,0 @@ -// -// VMime library (http://www.vmime.org) -// Copyright (C) 2002-2005 Vincent Richard <[email protected]> -// -// This program is free software; you can redistribute it and/or -// modify it under the terms of the GNU General Public License as -// published by the Free Software Foundation; either version 2 of -// the License, or (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// Linking this library statically or dynamically with other modules is making -// a combined work based on this library. Thus, the terms and conditions of -// the GNU General Public License cover the whole combination. -// - -#include "vmime/net/tls/defaultCertificateVerifier.hpp" - -#include "vmime/net/tls/X509Certificate.hpp" - -#include "vmime/exception.hpp" - - -namespace vmime { -namespace net { -namespace tls { - - -defaultCertificateVerifier::defaultCertificateVerifier() -{ -} - - -defaultCertificateVerifier::~defaultCertificateVerifier() -{ -} - - -defaultCertificateVerifier::defaultCertificateVerifier(const defaultCertificateVerifier&) - : certificateVerifier() -{ - // Not used -} - - -void defaultCertificateVerifier::verify(ref <certificateChain> chain) -{ - if (chain->getCount() == 0) - return; - - const string type = chain->getAt(0)->getType(); - - if (type == "X.509") - verifyX509(chain); - else - throw exceptions::unsupported_certificate_type(type); -} - - -void defaultCertificateVerifier::verifyX509(ref <certificateChain> chain) -{ - // For every certificate in the chain, verify that the certificate - // has been issued by the next certificate in the chain - if (chain->getCount() >= 2) - { - for (unsigned int i = 0 ; i < chain->getCount() - 1 ; ++i) - { - ref <X509Certificate> cert = - chain->getAt(i).dynamicCast <X509Certificate>(); - - ref <X509Certificate> next = - chain->getAt(i + 1).dynamicCast <X509Certificate>(); - - if (!cert->checkIssuer(next)) - { - throw exceptions::certificate_verification_exception - ("Subject/issuer verification failed."); - } - } - } - - // For every certificate in the chain, verify that the certificate - // is valid at the current time - const datetime now = datetime::now(); - - for (unsigned int i = 0 ; i < chain->getCount() ; ++i) - { - ref <X509Certificate> cert = - chain->getAt(i).dynamicCast <X509Certificate>(); - - const datetime begin = cert->getActivationDate(); - const datetime end = cert->getExpirationDate(); - - if (now < begin || now > end) - { - throw exceptions::certificate_verification_exception - ("Validity date check failed."); - } - } - - // Check whether the certificate can be trusted - - // -- First, verify that the the last certificate in the chain was - // -- issued by a third-party that we trust - ref <X509Certificate> lastCert = - chain->getAt(chain->getCount() - 1).dynamicCast <X509Certificate>(); - - bool trusted = false; - - for (unsigned int i = 0 ; !trusted && i < m_x509RootCAs.size() ; ++i) - { - ref <X509Certificate> rootCa = m_x509RootCAs[i]; - - if (lastCert->verify(rootCa)) - trusted = true; - } - - // -- Next, if the issuer certificate cannot be verified against - // -- root CAs, compare the subject's certificate against the - // -- trusted certificates - ref <X509Certificate> firstCert = - chain->getAt(0).dynamicCast <X509Certificate>(); - - for (unsigned int i = 0 ; !trusted && i < m_x509TrustedCerts.size() ; ++i) - { - ref <X509Certificate> cert = m_x509TrustedCerts[i]; - - if (firstCert->equals(cert)) - trusted = true; - } - - if (!trusted) - { - throw exceptions::certificate_verification_exception - ("Cannot verify certificate against trusted certificates."); - } -} - - -void defaultCertificateVerifier::setX509RootCAs - (const std::vector <ref <X509Certificate> >& caCerts) -{ - m_x509RootCAs = caCerts; -} - - -void defaultCertificateVerifier::setX509TrustedCerts - (const std::vector <ref <X509Certificate> >& trustedCerts) -{ - m_x509TrustedCerts = trustedCerts; -} - - -} // tls -} // net -} // vmime - |