x509-validation 1.4.5 → 1.4.6
raw patch · 2 files changed
+37/−7 lines, 2 files
Files
- Data/X509/Validation.hs +36/−6
- x509-validation.cabal +1/−1
Data/X509/Validation.hs view
@@ -43,6 +43,8 @@ | InvalidName String -- ^ Invalid name in certificate | NameMismatch String -- ^ connection name and certificate do not match | InvalidWildcard -- ^ invalid wildcard in certificate+ | LeafKeyUsageNotAllowed -- ^ the requested key usage is not compatible with the leaf certificate's key usage+ | LeafNotV3 -- ^ Only authorized an X509.V3 certificate as leaf certificate. | EmptyChain -- ^ empty chain of certificate deriving (Show,Eq) @@ -69,6 +71,13 @@ -- turn off, it's absolutely not safe to ignore a failed reason even it doesn't look serious -- (e.g. Expired) as other more serious checks would not have been performed. , checkExhaustive :: Bool+ -- | Check that the leaf certificate is version 3. If disable, version 2 certificate+ -- is authorized in leaf position and key usage cannot be checked.+ , checkLeafV3 :: Bool+ -- | Check that the leaf certificate is authorized to be used for certain usage.+ -- If set to empty list no check are performed, otherwise all the flags is the list+ -- need to exists in the key usage extension+ , checkLeafKeyUsage :: [ExtKeyUsageFlag] -- | Check the top certificate names matching the fully qualified hostname (FQHN). -- it's not recommended to turn this check off, if no other name checks are performed. , checkFQHN :: Maybe String@@ -80,6 +89,9 @@ } deriving (Show,Eq) -- | Default checks to perform+--+-- It's not recommended to use Nothing as FQDN, doing so+-- will ignore an important validation parameter check. defaultChecks :: Maybe String -- ^ fully qualified host name that we need to match in the certificate -> Checks defaultChecks fqhn = Checks@@ -87,6 +99,8 @@ , checkStrictOrdering = False , checkCAConstraints = True , checkExhaustive = False+ , checkLeafV3 = True+ , checkLeafKeyUsage = [KeyUsage_keyEncipherment] , checkFQHN = fqhn } @@ -101,10 +115,13 @@ validateWith :: Parameters -> CertificateStore -> Checks -> CertificateChain -> IO [FailedReason] validateWith _ _ _ (CertificateChain []) = return [EmptyChain] validateWith params store checks (CertificateChain (top:rchain)) =- doNameCheck (checkFQHN checks) top |> doCheckChain 0 top rchain+ doLeafChecks |> doCheckChain 0 top rchain where isExhaustive = checkExhaustive checks a |> b = exhaustive isExhaustive a b + doLeafChecks = doNameCheck (checkFQHN checks) top |> doV3Check topCert |> doKeyUsageCheck topCert+ where topCert = getCertificate top+ doCheckChain :: Int -> SignedCertificate -> [SignedCertificate] -> IO [FailedReason] doCheckChain level current chain = do r <- doCheckCertificate (getCertificate current)@@ -140,9 +157,9 @@ checkCA :: Certificate -> [FailedReason] checkCA cert | allowedSign && allowedCA = []- | otherwise = if allowedSign then [] else [NotAllowedToSign]- ++ if allowedCA then [] else [NotAnAuthority]- where extensions = (certExtensions cert)+ | otherwise = (if allowedSign then [] else [NotAllowedToSign])+ ++ (if allowedCA then [] else [NotAnAuthority])+ where extensions = certExtensions cert allowedSign = case extensionGet extensions of Just (ExtKeyUsage flags) -> KeyUsage_keyCertSign `elem` flags Nothing -> True@@ -151,8 +168,21 @@ _ -> False doNameCheck Nothing _ = return []- doNameCheck (Just fqhn) cert =- return (validateCertificateName fqhn (getCertificate cert))+ doNameCheck (Just fqhn) cert = return (validateCertificateName fqhn (getCertificate cert))++ doV3Check cert+ | checkLeafV3 checks = case certVersion cert of+ 2 {- confusingly it means X509.V3 -} -> return []+ _ -> return [LeafNotV3]+ | otherwise = return []++ doKeyUsageCheck cert = return $+ case (certVersion cert, checkLeafKeyUsage checks) of+ (2, usage) -> if intersect usage flags == usage then [] else [LeafKeyUsageNotAllowed]+ _ -> []+ where flags = case extensionGet $ certExtensions cert of+ Just (ExtKeyUsage keyflags) -> keyflags+ Nothing -> [] doCheckCertificate cert = exhaustiveList (checkExhaustive checks)
x509-validation.cabal view
@@ -1,5 +1,5 @@ Name: x509-validation-Version: 1.4.5+Version: 1.4.6 Description: X.509 Certificate and CRL validation License: BSD3 License-file: LICENSE