Method Standards.X509.verify_certificate_chain()
- Method
verify_certificate_chain
mapping verify_certificate_chain(array(string|.PKCS.Signature.Signed) cert_chain, mapping(string:Verifier|array(Verifier)) authorities, int|void require_trust, mapping(string:mixed)|bool|void options)
- Description
Decodes a certificate chain, ordered from leaf to root, and checks the signatures. Verifies that the chain can be decoded correctly, is unbroken, that all certificates are currently valid (time-wise), and that each certificate is allowed to sign its child certificate.
No verification is done on the leaf certificate to determine what it can and cannot be used for. The caller is responsible for checking the leaf's subject name, key usage and similar constraints against the intended use.
Returns a mapping with the following contents, depending on the outcome of the chain verification:
"error_code": int
  Error describing the type of verification failure, if verification failed. May be one of the following, OR:ed together: CERT_TOO_NEW, CERT_TOO_OLD, CERT_ROOT_UNTRUSTED, CERT_BAD_SIGNATURE, CERT_INVALID, CERT_CHAIN_BROKEN, CERT_UNAUTHORIZED_CA or CERT_EXCEEDED_PATH_LENGTH.
"error_cert": int
  Index number of the certificate that caused the verification failure.
"self_signed": bool
  Non-zero if the certificate is self-signed.
"verified": bool
  Non-zero if the certificate is verified.
"authority": Standards.ASN1.Sequence
  The authority RDN that verified the chain.
"cn": Standards.ASN1.Sequence
  The common name RDN of the leaf certificate.
"certificates": array(TBSCertificate)
  An array with the decoded certificates, ordered from root to leaf (note that this is the reverse of the order of cert_chain).
- Parameter
cert_chain An array of certificates, with the relative-root last. Each certificate should be a DER-encoded certificate, or decoded as a Standards.PKCS.Signature.Signed object.
- Parameter
authorities A mapping from (DER-encoded) names to verifiers.
- Parameter
require_trust Require that the certificate be traced to an authority, even if it is self signed.
- Parameter
strict By default this function only requires that the certificates are in order; it ignores extra certificates that were not needed to verify the leaf certificate.
If strict is specified (as a bool in the fourth argument, or as the "strict" entry of the options mapping), this changes: each certificate has to be signed by the next one in the chain. Some HTTPS servers send extraneous intermediate certificates that are not used to validate the leaf certificate, so strict mode is incompatible with such servers.
- Parameter
options
"verifier_algorithms": mapping(Standards.ASN1.Types.Identifier:Crypto.Hash)
  A mapping from verifier algorithm identifier to hash algorithm implementation.
"strict": int
  See strict above.
- See also
See Standards.PKCS.Certificate.get_dn_string for converting the RDN to an X500 style string.
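The following is an added example of calling this method; it is not part of the Pike reference manual or the Pike source. It reads a PEM bundle ordered leaf first, verifies it against the system trust anchors, decodes the OR:ed error_code bits into names, and prints the subjects of the decoded chain. It assumes Pike 8.0's Standards.PEM.Messages (with its parts mapping and Message->body), Standards.X509.load_authorities(), and that TBSCertificate exposes a subject member; the path chain.pem is a placeholder.

```pike
// Added example (not from the Pike manual). Assumptions: Pike 8.0 APIs
// Standards.PEM.Messages, Standards.X509.load_authorities() and
// TBSCertificate->subject; "chain.pem" is a placeholder input file.

// Names for the error_code bits, so a rejected chain can be logged usefully.
mapping(int:string) error_names = ([
  Standards.X509.CERT_TOO_NEW:              "CERT_TOO_NEW",
  Standards.X509.CERT_TOO_OLD:              "CERT_TOO_OLD",
  Standards.X509.CERT_ROOT_UNTRUSTED:       "CERT_ROOT_UNTRUSTED",
  Standards.X509.CERT_BAD_SIGNATURE:        "CERT_BAD_SIGNATURE",
  Standards.X509.CERT_INVALID:              "CERT_INVALID",
  Standards.X509.CERT_CHAIN_BROKEN:         "CERT_CHAIN_BROKEN",
  Standards.X509.CERT_UNAUTHORIZED_CA:      "CERT_UNAUTHORIZED_CA",
  Standards.X509.CERT_EXCEEDED_PATH_LENGTH: "CERT_EXCEEDED_PATH_LENGTH",
]);

// error_code may have several bits set; return all of them as "A|B".
string describe_error(int code)
{
  array(string) names = ({});
  foreach (error_names; int bit; string name)
    if (code & bit) names += ({ name });
  return sizeof(names) ? names * "|" : "OK";
}

// Read all CERTIFICATE blocks from a PEM file as DER strings, preserving
// file order. The file must list the leaf first and the root (or the
// last intermediate) last, which is the order verify_certificate_chain wants.
array(string) read_chain(string path)
{
  mixed certs = Standards.PEM.Messages(Stdio.read_file(path))->parts["CERTIFICATE"];
  if (!certs) error("No CERTIFICATE blocks in %s\n", path);
  if (!arrayp(certs)) certs = ({ certs });
  return certs->body;   // DER-encoded certificates (automap over the Message objects)
}

int main(int argc, array(string) argv)
{
  if (argc < 2) {
    werror("usage: %s chain.pem [strict]\n", argv[0]);
    return 1;
  }

  array(string) chain = read_chain(argv[1]);

  // Trust anchors from the system CA store, keyed by DER-encoded subject name.
  mapping(string:array(Standards.X509.Verifier)) authorities =
    Standards.X509.load_authorities();

  // require_trust = 1: a self-signed chain end is not enough, it must be an
  // anchor in authorities. strict is set from the optional second argument.
  mapping res = Standards.X509.verify_certificate_chain(
    chain, authorities, 1, ([ "strict": argc > 2 ]));

  if (!res->verified) {
    werror("Chain rejected: %s (certificate #%d)\n",
           describe_error(res->error_code), res->error_cert);
    return 2;
  }

  write("Leaf CN:     %s\n", Standards.PKCS.Certificate.get_dn_string(res->cn));
  write("Trusted via: %s\n", Standards.PKCS.Certificate.get_dn_string(res->authority));

  // res->certificates is root first, i.e. reversed relative to the input.
  write("Decoded chain (root to leaf):\n");
  foreach (res->certificates, object tbs)
    write("  %s\n", Standards.PKCS.Certificate.get_dn_string(tbs->subject));

  // The method does not check what the leaf may be used for: hostname,
  // key usage and extended key usage still have to be checked by the caller.
  return 0;
}
```

Run it as `pike verify.pike chain.pem` for the default (lenient) ordering check, or `pike verify.pike chain.pem strict` to require that every certificate is signed by the one following it; the second form will reject bundles from servers that include unrelated intermediates, as the strict parameter description notes.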