x509-validation-1.4.5: X.509 Certificate and CRL validation

Portabilityunknown
Stabilityexperimental
MaintainerVincent Hanquez <vincent@snarc.org>
Safe HaskellNone

Data.X509.Validation

Description

X.509 Certificate checks and validations routines

Follows RFC5280 / RFC6818

Synopsis

Documentation

data FailedReason Source

Possible reason of certificate and chain failure

Constructors

UnknownCriticalExtension

certificate contains an unknown critical extension

Expired

validity ends before checking time

InFuture

validity starts after checking time

SelfSigned

certificate is self signed

UnknownCA

unknown Certificate Authority (CA)

NotAllowedToSign

certificate is not allowed to sign

NotAnAuthority

not a CA

InvalidSignature

signature failed

NoCommonName

Certificate doesn't have any common name (CN)

InvalidName String

Invalid name in certificate

NameMismatch String

connection name and certificate do not match

InvalidWildcard

invalid wildcard in certificate

EmptyChain

empty chain of certificate

Instances

data Parameters Source

Validation parameters

Constructors

Parameters 

Fields

parameterTime :: UTCTime
 

Instances

data Checks Source

A set of checks to activate or parametrize to perform on certificates.

It's recommended to use defaultChecks to create the structure, to better cope with future changes or expansion of the structure.

Constructors

Checks 

Fields

checkTimeValidity :: Bool

check time validity of every certificate in the chain. the make sure that current time is between each validity bounds in the certificate

checkStrictOrdering :: Bool

Check that no certificate is included that shouldn't be included. unfortunately despite the specification violation, a lots of real world server serves useless and usually old certificates that are not relevant to the certificate sent, in their chain.

checkCAConstraints :: Bool

Check that signing certificate got the CA basic constraint. this is absolutely not recommended to turn it off.

checkExhaustive :: Bool

Check the whole certificate chain without stopping at the first failure. Allow gathering a exhaustive list of failure reasons. if this is turn off, it's absolutely not safe to ignore a failed reason even it doesn't look serious (e.g. Expired) as other more serious checks would not have been performed.

checkFQHN :: Maybe String

Check the top certificate names matching the fully qualified hostname (FQHN). it's not recommended to turn this check off, if no other name checks are performed.

Instances

defaultChecksSource

Arguments

:: Maybe String

fully qualified host name that we need to match in the certificate

-> Checks 

Default checks to perform

validate :: Checks -> CertificateStore -> CertificateChain -> IO [FailedReason]Source

validate a certificate chain.

validateWith :: Parameters -> CertificateStore -> Checks -> CertificateChain -> IO [FailedReason]Source

Validate a certificate chain with explicit parameters

getFingerprintSource

Arguments

:: (Show a, Eq a, ASN1Object a) 
=> SignedExact a

object to fingerprint

-> HashALG

algorithm to compute the fingerprint

-> ByteString

fingerprint in binary form

Get the fingerprint of the whole signed object using the hashing algorithm specified