x509-validation-1.4.8: X.509 Certificate and CRL validation

MaintainerVincent Hanquez <vincent@snarc.org>
Safe HaskellNone



X.509 Certificate checks and validations routines

Follows RFC5280 / RFC6818



type FQHN = StringSource

a Fully Qualified Host Name, e.g. www.example.com

data FailedReason Source

Possible reason of certificate and chain failure



certificate contains an unknown critical extension


validity ends before checking time


validity starts after checking time


certificate is self signed


unknown Certificate Authority (CA)


certificate is not allowed to sign


not a CA


Violation of the optional Basic constraint's path length


Certificate doesn't have any common name (CN)

InvalidName String

Invalid name in certificate

NameMismatch String

connection name and certificate do not match


invalid wildcard in certificate


the requested key usage is not compatible with the leaf certificate's key usage


the requested key purpose is not compatible with the leaf certificate's extended key usage


Only authorized an X509.V3 certificate as leaf certificate.


empty chain of certificate

InvalidSignature SignatureFailure

signature failed

data SignatureFailure Source

Various failure possible during signature checking



signature doesn't verify


algorithm and public key mismatch, cannot proceed


unimplemented signature algorithm

data Parameters Source

Validation parameters. List all the conditions where/when we want the certificate checks to happen.




parameterTime :: UTCTime

the time when we want the certificate check to happen. usually should be the time as of now.

parameterFQHN :: FQHN

fqhn to match

data Checks Source

A set of checks to activate or parametrize to perform on certificates.

It's recommended to use defaultChecks to create the structure, to better cope with future changes or expansion of the structure.




checkTimeValidity :: Bool

check time validity of every certificate in the chain. the make sure that current time is between each validity bounds in the certificate

checkStrictOrdering :: Bool

Check that no certificate is included that shouldn't be included. unfortunately despite the specification violation, a lots of real world server serves useless and usually old certificates that are not relevant to the certificate sent, in their chain.

checkCAConstraints :: Bool

Check that signing certificate got the CA basic constraint. this is absolutely not recommended to turn it off.

checkExhaustive :: Bool

Check the whole certificate chain without stopping at the first failure. Allow gathering a exhaustive list of failure reasons. if this is turn off, it's absolutely not safe to ignore a failed reason even it doesn't look serious (e.g. Expired) as other more serious checks would not have been performed.

checkLeafV3 :: Bool

Check that the leaf certificate is version 3. If disable, version 2 certificate is authorized in leaf position and key usage cannot be checked.

checkLeafKeyUsage :: [ExtKeyUsageFlag]

Check that the leaf certificate is authorized to be used for certain usage. If set to empty list no check are performed, otherwise all the flags is the list need to exists in the key usage extension. If the extension is not present, the check will pass and behave as if the certificate key is not restricted to any specific usage.

checkLeafKeyPurpose :: [ExtKeyUsagePurpose]

Check that the leaf certificate is authorized to be used for certain purpose. If set to empty list no check are performed, otherwise all the flags is the list need to exists in the extended key usage extension if present. If the extension is not present, then the check will pass and behave as if the certificate is not restricted to any specific purpose.

checkFQHN :: Bool

Check the top certificate names matching the fully qualified hostname (FQHN). it's not recommended to turn this check off, if no other name checks are performed.


data Hooks Source

A set of hooks to manipulate the way the verification works.

BEWARE, it's easy to change behavior leading to compromised security.




hookMatchSubjectIssuer :: DistinguishedName -> Certificate -> Bool

check the the issuer DistinguishedName match the subject DistinguishedName of a certificate.

hookValidateTime :: UTCTime -> Certificate -> [FailedReason]

validate that the parametrized time valide with the certificate in argument

hookValidateName :: FQHN -> Certificate -> [FailedReason]

validate the certificate leaf name with the DNS named used to connect

defaultChecks :: ChecksSource

Default checks to perform

The default checks are: * Each certificate time is valid * CA constraints is enforced for signing certificate * Leaf certificate is X.509 v3 * Check that the FQHN match

defaultHooks :: HooksSource

Default hooks in the validation process

validate :: Hooks -> Checks -> CertificateStore -> FQHN -> CertificateChain -> IO [FailedReason]Source

validate a certificate chain.

validateWith :: Parameters -> Hooks -> Checks -> CertificateStore -> CertificateChain -> IO [FailedReason]Source

Validate a certificate chain with explicit parameters



:: (Show a, Eq a, ASN1Object a) 
=> SignedExact a

object to fingerprint

-> HashALG

algorithm to compute the fingerprint

-> ByteString

fingerprint in binary form

Get the fingerprint of the whole signed object using the hashing algorithm specified