Copyright | (c) Leo D 2023 |
---|---|
License | BSD-3-Clause |
Maintainer | leo@apotheca.io |
Stability | experimental |
Portability | POSIX |
Safe Haskell | Safe-Inferred |
Language | Haskell2010 |
A certificate is a binding between some identifying information (called a subject) and a public key. This binding is asserted by a signature on the certificate, which is placed there by some authority (the issuer) that at least claims that it knows the subject named in the certificate really “owns” the private key corresponding to the public key in the certificate.
The major certificate format in use today is X.509v3, used for instance in the Transport Layer Security (TLS) protocol.
Synopsis
- newtype X509Cert = MkX509Cert {
- getX509CertForeignPtr :: ForeignPtr BotanX509CertStruct
- withX509Cert :: X509Cert -> (BotanX509Cert -> IO a) -> IO a
- x509CertLoad :: ByteString -> IO X509Cert
- x509CertLoadFile :: FilePath -> IO X509Cert
- x509CertDestroy :: X509Cert -> IO ()
- x509CertDup :: X509Cert -> IO X509Cert
- x509CertGetTimeStarts :: X509Cert -> IO ByteString
- x509CertGetTimeExpires :: X509Cert -> IO ByteString
- x509CertNotBefore :: X509Cert -> IO Word64
- x509CertNotAfter :: X509Cert -> IO Word64
- x509CertGetPubKeyFingerprint :: X509Cert -> HashName -> IO ByteString
- x509CertGetSerialNumber :: X509Cert -> IO ByteString
- x509CertGetAuthorityKeyId :: X509Cert -> IO ByteString
- x509CertGetSubjectKeyId :: X509Cert -> IO ByteString
- x509CertGetPublicKeyBits :: X509Cert -> IO ByteString
- x509CertGetPublicKey :: X509Cert -> IO PubKey
- x509CertGetIssuerDN :: X509Cert -> ByteString -> Int -> IO ByteString
- x509CertGetSubjectDN :: X509Cert -> ByteString -> Int -> IO ByteString
- x509CertToString :: X509Cert -> IO ByteString
- x509CertAllowedUsage :: X509Cert -> X509KeyConstraints -> IO Bool
- x509CertHostnameMatch :: X509Cert -> ByteString -> IO Bool
- x509CertVerify :: X509Cert -> [X509Cert] -> [X509Cert] -> Maybe FilePath -> Int -> ByteString -> Word64 -> IO (Bool, Int)
- x509CertValidationStatus :: Int -> IO (Maybe ByteString)
- type X509KeyConstraints = CUInt
- pattern NoConstraints :: X509KeyConstraints
- pattern DigitalSignature :: X509KeyConstraints
- pattern NonRepudiation :: X509KeyConstraints
- pattern KeyEncipherment :: X509KeyConstraints
- pattern DataEncipherment :: X509KeyConstraints
- pattern KeyAgreement :: X509KeyConstraints
- pattern KeyCertSign :: X509KeyConstraints
- pattern CRLSign :: X509KeyConstraints
- pattern EncipherOnly :: X509KeyConstraints
- pattern DecipherOnly :: X509KeyConstraints
- newtype X509CRL = MkX509CRL {
- getX509CRLForeignPtr :: ForeignPtr BotanX509CRLStruct
- withX509CRL :: X509CRL -> (BotanX509CRL -> IO a) -> IO a
- x509CRLLoad :: ByteString -> IO X509CRL
- x509CRLLoadFile :: FilePath -> IO X509CRL
- x509CRLDestroy :: X509CRL -> IO ()
- x509IsRevoked :: X509CRL -> X509Cert -> IO Bool
- x509CertVerifyWithCLR :: X509Cert -> [X509Cert] -> [X509Cert] -> [X509CRL] -> Maybe FilePath -> Int -> ByteString -> Word64 -> IO (Bool, Int)
- type DistinguishedName = ByteString
X509 Certificates
MkX509Cert | |
|
:: ByteString | cert[] |
-> IO X509Cert | cert_obj |
x509CertDestroy :: X509Cert -> IO () Source #
Destroy an x509 cert object immediately
x509CertGetTimeStarts Source #
:: X509Cert | cert |
-> IO ByteString | out[] |
x509CertGetTimeExpires Source #
:: X509Cert | cert |
-> IO ByteString | out[] |
x509CertGetPubKeyFingerprint Source #
:: X509Cert | cert |
-> HashName | hash |
-> IO ByteString | out[] |
x509CertGetSerialNumber Source #
:: X509Cert | cert |
-> IO ByteString | out[] |
x509CertGetAuthorityKeyId Source #
:: X509Cert | cert |
-> IO ByteString | out[] |
x509CertGetSubjectKeyId Source #
:: X509Cert | cert |
-> IO ByteString | out[] |
x509CertGetPublicKeyBits Source #
:: X509Cert | cert |
-> IO ByteString | out[] |
:: X509Cert | cert |
-> ByteString | key |
-> Int | index |
-> IO ByteString | out[] |
:: X509Cert | cert |
-> ByteString | key |
-> Int | index |
-> IO ByteString | out[] |
:: X509Cert | cert |
-> IO ByteString | out[] |
:: X509Cert | cert |
-> X509KeyConstraints | key_usage |
-> IO Bool |
Warning: Unexplained function, best-guess implementation
x509CertHostnameMatch Source #
:: X509Cert | cert |
-> ByteString | hostname |
-> IO Bool |
Warning: Unexplained function, best-guess implementation
Check whether the certificate matches the specified hostname via a subject alternative name or CN match. RFC 5280 wildcards are also supported. This is a name comparison only; establishing that the certificate chains to a trusted authority is a separate step (see x509CertVerify, which also takes a hostname).
:: X509Cert | cert |
-> [X509Cert] | intermediates |
-> [X509Cert] | trusted |
-> Maybe FilePath | trusted_path |
-> Int | required_strength |
-> ByteString | hostname |
-> Word64 | reference_time |
-> IO (Bool, Int) | (valid,validation_result) |
The underlying C function returns 0 if the validation was successful, 1 if validation failed, and negative on error; a status code with details is written to *validation_result. This binding returns both values as the tuple (valid, validation_result); the status code can be turned into a description with x509CertValidationStatus.
The intermediates and trusted lists may be empty (null in the C API), and the trusted path may be Nothing (null in the C API).
x509CertValidationStatus Source #
:: Int | code |
-> IO (Maybe ByteString) |
X509 Key constraints
type X509KeyConstraints = CUInt Source #
pattern NoConstraints :: X509KeyConstraints Source #
pattern DigitalSignature :: X509KeyConstraints Source #
pattern NonRepudiation :: X509KeyConstraints Source #
pattern KeyEncipherment :: X509KeyConstraints Source #
pattern DataEncipherment :: X509KeyConstraints Source #
pattern KeyAgreement :: X509KeyConstraints Source #
pattern KeyCertSign :: X509KeyConstraints Source #
pattern CRLSign :: X509KeyConstraints Source #
pattern EncipherOnly :: X509KeyConstraints Source #
pattern DecipherOnly :: X509KeyConstraints Source #
X509 Certificate revocation list
MkX509CRL | |
|
:: ByteString | crl_bits[] |
-> IO X509CRL | crl_obj |
x509CRLDestroy :: X509CRL -> IO () Source #
Given a CRL and a certificate, check whether the certificate is listed as revoked on that particular CRL.
x509CertVerifyWithCLR Source #
:: X509Cert | cert |
-> [X509Cert] | intermediates |
-> [X509Cert] | trusted |
-> [X509CRL] | crls |
-> Maybe FilePath | trusted_path |
-> Int | required_strength |
-> ByteString | hostname |
-> Word64 | reference_time |
-> IO (Bool, Int) | (valid,validation_result) |
A different flavor of botan_x509_cert_verify that supports revocation lists. The CRLs are passed as a list (an array in the C API), the same as the intermediates and trusted CAs.
Convenience
type DistinguishedName = ByteString Source #