Copyright	(c) Leo D 2023
License	BSD-3-Clause
Maintainer	leo@apotheca.io
Stability	experimental
Portability	POSIX
Safe Haskell	Safe-Inferred
Language	Haskell2010

Botan.Low.X509

Contents

X509 Certificates
X509 Key constraints
X509 Certificate revocation list
Convenience

Description

A certificate is a binding between some identifying information (called a subject) and a public key. This binding is asserted by a signature on the certificate, which is placed there by some authority (the issuer) that at least claims that it knows the subject named in the certificate really “owns” the private key corresponding to the public key in the certificate.

The major certificate format in use today is X.509v3, used for instance in the Transport Layer Security (TLS) protocol.

Synopsis

newtype X509Cert = MkX509Cert {
- getX509CertForeignPtr :: ForeignPtr BotanX509CertStruct
}
withX509Cert :: X509Cert -> (BotanX509Cert -> IO a) -> IO a
x509CertLoad :: ByteString -> IO X509Cert
x509CertLoadFile :: FilePath -> IO X509Cert
x509CertDestroy :: X509Cert -> IO ()
x509CertDup :: X509Cert -> IO X509Cert
x509CertGetTimeStarts :: X509Cert -> IO ByteString
x509CertGetTimeExpires :: X509Cert -> IO ByteString
x509CertNotBefore :: X509Cert -> IO Word64
x509CertNotAfter :: X509Cert -> IO Word64
x509CertGetPubKeyFingerprint :: X509Cert -> HashName -> IO ByteString
x509CertGetSerialNumber :: X509Cert -> IO ByteString
x509CertGetAuthorityKeyId :: X509Cert -> IO ByteString
x509CertGetSubjectKeyId :: X509Cert -> IO ByteString
x509CertGetPublicKeyBits :: X509Cert -> IO ByteString
x509CertGetPublicKey :: X509Cert -> IO PubKey
x509CertGetIssuerDN :: X509Cert -> ByteString -> Int -> IO ByteString
x509CertGetSubjectDN :: X509Cert -> ByteString -> Int -> IO ByteString
x509CertToString :: X509Cert -> IO ByteString
x509CertAllowedUsage :: X509Cert -> X509KeyConstraints -> IO Bool
x509CertHostnameMatch :: X509Cert -> ByteString -> IO Bool
x509CertVerify :: X509Cert -> [X509Cert] -> [X509Cert] -> Maybe FilePath -> Int -> ByteString -> Word64 -> IO (Bool, Int)
x509CertValidationStatus :: Int -> IO (Maybe ByteString)
type X509KeyConstraints = CUInt
pattern NoConstraints :: X509KeyConstraints
pattern DigitalSignature :: X509KeyConstraints
pattern NonRepudiation :: X509KeyConstraints
pattern KeyEncipherment :: X509KeyConstraints
pattern DataEncipherment :: X509KeyConstraints
pattern KeyAgreement :: X509KeyConstraints
pattern KeyCertSign :: X509KeyConstraints
pattern CRLSign :: X509KeyConstraints
pattern EncipherOnly :: X509KeyConstraints
pattern DecipherOnly :: X509KeyConstraints
newtype X509CRL = MkX509CRL {
- getX509CRLForeignPtr :: ForeignPtr BotanX509CRLStruct
}
withX509CRL :: X509CRL -> (BotanX509CRL -> IO a) -> IO a
x509CRLLoad :: ByteString -> IO X509CRL
x509CRLLoadFile :: FilePath -> IO X509CRL
x509CRLDestroy :: X509CRL -> IO ()
x509IsRevoked :: X509CRL -> X509Cert -> IO Bool
x509CertVerifyWithCLR :: X509Cert -> [X509Cert] -> [X509Cert] -> [X509CRL] -> Maybe FilePath -> Int -> ByteString -> Word64 -> IO (Bool, Int)
type DistinguishedName = ByteString

X509 Certificates

newtype X509Cert Source #

Constructors

MkX509Cert
Fields getX509CertForeignPtr :: ForeignPtr BotanX509CertStruct

withX509Cert :: X509Cert -> (BotanX509Cert -> IO a) -> IO a Source #

x509CertLoad Source #

Arguments

:: ByteString	cert[]
-> IO X509Cert	cert_obj

x509CertLoadFile Source #

Arguments

:: FilePath	filename
-> IO X509Cert	cert_obj

x509CertDestroy :: X509Cert -> IO () Source #

Destroy an x509 cert object immediately

x509CertDup Source #

Arguments

:: X509Cert	new_cert
-> IO X509Cert	cert

x509CertGetTimeStarts Source #

Arguments

:: X509Cert	cert
-> IO ByteString	out[]

x509CertGetTimeExpires Source #

Arguments

:: X509Cert	cert
-> IO ByteString	out[]

x509CertNotBefore Source #

Arguments

:: X509Cert	cert
-> IO Word64	time_since_epoch

x509CertNotAfter Source #

Arguments

:: X509Cert	cert
-> IO Word64	time_since_epoch

x509CertGetPubKeyFingerprint Source #

Arguments

:: X509Cert	cert
-> HashName	hash
-> IO ByteString	out[]

x509CertGetSerialNumber Source #

Arguments

:: X509Cert	cert
-> IO ByteString	out[]

x509CertGetAuthorityKeyId Source #

Arguments

:: X509Cert	cert
-> IO ByteString	out[]

x509CertGetSubjectKeyId Source #

Arguments

:: X509Cert	cert
-> IO ByteString	out[]

x509CertGetPublicKeyBits Source #

Arguments

:: X509Cert	cert
-> IO ByteString	out[]

x509CertGetPublicKey Source #

Arguments

:: X509Cert	cert
-> IO PubKey	key

x509CertGetIssuerDN Source #

Arguments

:: X509Cert	cert
-> ByteString	key
-> Int	index
-> IO ByteString	out[]

x509CertGetSubjectDN Source #

Arguments

:: X509Cert	cert
-> ByteString	key
-> Int	index
-> IO ByteString	out[]

x509CertToString Source #

Arguments

:: X509Cert	cert
-> IO ByteString	out[]

x509CertAllowedUsage Source #

Arguments

:: X509Cert	cert
-> X509KeyConstraints	key_usage
-> IO Bool

Warning: Unexplained function, best-guess implementation

x509CertHostnameMatch Source #

Arguments

:: X509Cert	cert
-> ByteString	hostname
-> IO Bool

Warning: Unexplained function, best-guess implementation

Check if the certificate matches the specified hostname via alternative name or CN match. RFC 5280 wildcards also supported.

x509CertVerify Source #

Arguments

:: X509Cert	cert
-> [X509Cert]	intermediates
-> [X509Cert]	trusted
-> Maybe FilePath	trusted_path
-> Int	required_strength
-> ByteString	hostname
-> Word64	reference_time
-> IO (Bool, Int)	(valid,validation_result)

Returns 0 if the validation was successful, 1 if validation failed, and negative on error. A status code with details is written to *validation_result

Intermediates or trusted lists can be null Trusted path can be null

x509CertValidationStatus Source #

Arguments

:: Int	code
-> IO (Maybe ByteString)

X509 Key constraints

type X509KeyConstraints = CUInt Source #

pattern NoConstraints :: X509KeyConstraints Source #

pattern DigitalSignature :: X509KeyConstraints Source #

pattern NonRepudiation :: X509KeyConstraints Source #

pattern KeyEncipherment :: X509KeyConstraints Source #

pattern DataEncipherment :: X509KeyConstraints Source #

pattern KeyAgreement :: X509KeyConstraints Source #

pattern KeyCertSign :: X509KeyConstraints Source #

pattern CRLSign :: X509KeyConstraints Source #

pattern EncipherOnly :: X509KeyConstraints Source #

pattern DecipherOnly :: X509KeyConstraints Source #

X509 Certificate revocation list

newtype X509CRL Source #

Constructors

MkX509CRL
Fields getX509CRLForeignPtr :: ForeignPtr BotanX509CRLStruct

withX509CRL :: X509CRL -> (BotanX509CRL -> IO a) -> IO a Source #

x509CRLLoad Source #

Arguments

:: ByteString	crl_bits[]
-> IO X509CRL	crl_obj

x509CRLLoadFile Source #

Arguments

:: FilePath	crl_path
-> IO X509CRL	crl_obj

x509CRLDestroy :: X509CRL -> IO () Source #

x509IsRevoked Source #

Arguments

:: X509CRL	crl
-> X509Cert	cert
-> IO Bool

Given a CRL and a certificate, check if the certificate is revoked on that particular CRL

x509CertVerifyWithCLR Source #

Arguments

:: X509Cert	cert
-> [X509Cert]	intermediates
-> [X509Cert]	trusted
-> [X509CRL]	crls
-> Maybe FilePath	trusted_path
-> Int	required_strength
-> ByteString	hostname
-> Word64	reference_time
-> IO (Bool, Int)	(valid,validation_result)

Different flavor of botan_x509_cert_verify, supports revocation lists. CRLs are passed as an array, same as intermediates and trusted CAs

Convenience

type DistinguishedName = ByteString Source #