x509-validation-1.4.2

Modules: Data.X509.Validation, Data.X509.Validation.Fingerprint, Data.X509.Validation.Signature

Stability: experimental. Portability: unknown. Maintainer: Vincent Hanquez <vincent@snarc.org>


Data.X509.Validation.Fingerprint

getFingerprint
    Get the fingerprint of the whole signed object using the hashing algorithm specified.
    Arguments: the object to fingerprint; the algorithm used to compute the fingerprint.
    Result: the fingerprint in binary form.

toDescr
    Convert a hash algorithm into a Hash Description.


Data.X509.Validation.Signature

SignatureVerification
    A set of possible return values from signature verification.
    Only SignaturePass should be accepted as success.
    The other values are only useful to differentiate the failure reason, but are all equivalent to failure.

    SignatureUnimplemented    unimplemented signature algorithm
    SignaturePubkeyMismatch   algorithm and public key mismatch, cannot proceed
    SignatureFailed           verification failed
    SignaturePass             verification succeeded

verifySignedSignature
    Verify a Signed object against a specified public key.

verifySignature
    Verify a signature using the given parameters.
    Arguments: the signature algorithm used; the public key to use for verification; the certificate data that needs to be verified; the signature to verify.


Data.X509.Validation

Parameters
    Validation parameters.

Checks
    A set of checks to activate or parametrize to perform on certificates.
    It's recommended to use  to create the structure, to better cope with future changes or expansion of the structure.

    checkTimeValidity
        Check the time validity of every certificate in the chain. This makes sure that the current time is between the validity bounds of each certificate.

    checkStrictOrdering
        Check that no certificate is included that shouldn't be included. Unfortunately, despite the specification violation, a lot of real-world servers serve useless and usually old certificates in their chain that are not relevant to the certificate sent.

    checkCAConstraints
        Check that the signing certificate has the CA basic constraint. It is absolutely not recommended to turn this off.

    checkExhaustive
        Check the whole certificate chain without stopping at the first failure. This allows gathering an exhaustive list of failure reasons. If this is turned off, it's absolutely not safe to ignore a failed reason even if it doesn't look serious (e.g. Expired), as other more serious checks would not have been performed.

    checkFQHN
        Check that the top certificate names match the fully qualified hostname (FQHN). It's not recommended to turn this check off if no other name checks are performed.

FailedReason
    Possible reasons for certificate and chain failure.

    EmptyChain                 empty chain of certificates
    InvalidWildcard            invalid wildcard in certificate
    NameMismatch               connection name and certificate do not match
    InvalidName                invalid name in certificate
    NoCommonName               certificate doesn't have any common name (CN)
    InvalidSignature           signature failed
    NotAnAuthority             not a CA
    NotAllowedToSign           certificate is not allowed to sign
    UnknownCA                  unknown Certificate Authority (CA)
    SelfSigned                 certificate is self-signed
    InFuture                   validity starts after checking time
    Expired                    validity ends before checking time
    UnknownCriticalExtension   certificate contains an unknown critical extension

defaultChecks
    Default checks to perform.

validate
    Validate a certificate chain.

validateWith
    Validate a certificate chain with explicit parameters.

validateTime
    Validate that the current time is between the validity bounds.

validateCertificateName
    Validate that the FQHN is matched by at least one name in the certificate.
    The name can be either the common name or one of the alternative names if the SubjectAltName extension is present.

matchSI
    Return true if the subject certificate's issuer matches the issuer certificate's subject.

Argument: the fully qualified host name that we need to match in the certificate.

Other names: parameterTime, getNames, exhaustive, exhaustiveList