Portability | unknown |
---|---|
Stability | experimental |
Maintainer | Vincent Hanquez <vincent@snarc.org> |
Safe Haskell | None |
X.509 Certificate checks and validations routines
Follows RFC5280 / RFC6818
- type FQHN = String
- data FailedReason
- = UnknownCriticalExtension
- | Expired
- | InFuture
- | SelfSigned
- | UnknownCA
- | NotAllowedToSign
- | NotAnAuthority
- | AuthorityTooDeep
- | NoCommonName
- | InvalidName String
- | NameMismatch String
- | InvalidWildcard
- | LeafKeyUsageNotAllowed
- | LeafKeyPurposeNotAllowed
- | LeafNotV3
- | EmptyChain
- | InvalidSignature SignatureFailure
- data SignatureFailure
- data Parameters = Parameters {}
- data Checks = Checks {}
- data Hooks = Hooks {
- hookMatchSubjectIssuer :: DistinguishedName -> Certificate -> Bool
- hookValidateTime :: UTCTime -> Certificate -> [FailedReason]
- hookValidateName :: FQHN -> Certificate -> [FailedReason]
- defaultChecks :: Checks
- defaultHooks :: Hooks
- validate :: Hooks -> Checks -> CertificateStore -> FQHN -> CertificateChain -> IO [FailedReason]
- validateWith :: Parameters -> Hooks -> Checks -> CertificateStore -> CertificateChain -> IO [FailedReason]
- getFingerprint :: (Show a, Eq a, ASN1Object a) => SignedExact a -> HashALG -> ByteString
Documentation
data FailedReason Source
Possible reason of certificate and chain failure
UnknownCriticalExtension | certificate contains an unknown critical extension |
Expired | validity ends before checking time |
InFuture | validity starts after checking time |
SelfSigned | certificate is self signed |
UnknownCA | unknown Certificate Authority (CA) |
NotAllowedToSign | certificate is not allowed to sign |
NotAnAuthority | not a CA |
AuthorityTooDeep | Violation of the optional Basic constraint's path length |
NoCommonName | Certificate doesn't have any common name (CN) |
InvalidName String | Invalid name in certificate |
NameMismatch String | connection name and certificate do not match |
InvalidWildcard | invalid wildcard in certificate |
LeafKeyUsageNotAllowed | the requested key usage is not compatible with the leaf certificate's key usage |
LeafKeyPurposeNotAllowed | the requested key purpose is not compatible with the leaf certificate's extended key usage |
LeafNotV3 | Only authorized an X509.V3 certificate as leaf certificate. |
EmptyChain | empty chain of certificate |
InvalidSignature SignatureFailure | signature failed |
data SignatureFailure Source
Various failure possible during signature checking
SignatureInvalid | signature doesn't verify |
SignaturePubkeyMismatch | algorithm and public key mismatch, cannot proceed |
SignatureUnimplemented | unimplemented signature algorithm |
data Parameters Source
Validation parameters. List all the conditions where/when we want the certificate checks to happen.
Parameters | |
|
A set of checks to activate or parametrize to perform on certificates.
It's recommended to use defaultChecks
to create the structure,
to better cope with future changes or expansion of the structure.
Checks | |
|
A set of hooks to manipulate the way the verification works.
BEWARE, it's easy to change behavior leading to compromised security.
Hooks | |
|
Default checks to perform
The default checks are: * Each certificate time is valid * CA constraints is enforced for signing certificate * Leaf certificate is X.509 v3 * Check that the FQHN match
Default hooks in the validation process
validate :: Hooks -> Checks -> CertificateStore -> FQHN -> CertificateChain -> IO [FailedReason]Source
validate a certificate chain.
validateWith :: Parameters -> Hooks -> Checks -> CertificateStore -> CertificateChain -> IO [FailedReason]Source
Validate a certificate chain with explicit parameters
:: (Show a, Eq a, ASN1Object a) | |
=> SignedExact a | object to fingerprint |
-> HashALG | algorithm to compute the fingerprint |
-> ByteString | fingerprint in binary form |
Get the fingerprint of the whole signed object using the hashing algorithm specified