Certificate validation as described in RFC5280 and RFC6125.
abstract type of a certificate
a stack of certificates: the server certificate and a list of intermediate certificates
strict or wildcard matching of a server name
parse cstruct
is certificate option
where the cstruct
is parsed to a high-level certificate
or failure
cs_of_cert certificate
is cstruct
the binary representation of the certificate
.
asn_of_cert certificate
is asn
the ASN.1 representation of the certificate
.
#
| InvalidCertificate
| |||
#
| InvalidSignature
| |||
#
| CertificateExpired
| |||
#
| InvalidExtensions
| |||
#
| InvalidPathlen
| |||
#
| SelfSigned
| |||
#
| NoTrustAnchor
| |||
#
| InvalidInput
| |||
#
| InvalidServerExtensions
| |||
#
| InvalidServerName
| |||
#
| InvalidCA
|
possible failures while validating a certificate chain
variant of different public key types of a certificate
cert_type certificate
is key_type
, the public key type of the certificate
cert_usage certificate
is key_usage
, the key usage extensions of the certificate
cert_extended_usage certificate
is extended_key_usage
, the extended key usage extensions of the certificate
cert_hostnames certficate
is hostnames
, the list of hostnames mentioned in the certifcate
wildcard_matches hostname certificate
is result
, depending on whether the certificate contains a wildcard name which the hostname matches.
verify_chain_of_trust ?host ?time ~anchors stack
is validation_result
, where the certificate stack
is verified using the algorithm from RFC5280: The validity period of the given certificates is checked against the time
. The X509v3 extensions of the stack
are checked, then a chain of trust from some anchors
to the server certificate is validated. Also, the server certificate is checked to contain the given hostname
in its subject alternative name extension (or common name if subject alternative name is not present), either using wildcard or strict matching as described in RFC6125. The returned certificate is the trust anchor.
trust_fingerprint ?time hash fingerprints stack
is validation_result
, where the certificate stack
is verified (using same RFC5280 algorithm). Instead of trust anchors, a map from hostname to fingerprint is provided, where the certificate is checked against. Lookup in the fingerprint list is based on the provided host. If no host is provided, validation_result
is `Fail
.
valid_cas ?time certificates
is valid_certificates
which has filtered out those certificates which validity period does not contain time
. Furthermore, X509v3 extensions are checked (basic constraints must be true).
common_name_to_string certificate
is common_name
which is the extracted common name from the subject
certificate_failure_to_string failure
is failure_string
which is a string describing the failure
.