Portability	unknown
Stability	experimental
Maintainer	Vincent Hanquez <vincent@snarc.org>
Safe Haskell	None

Data.X509.Validation

Description

X.509 Certificate checks and validations routines

Follows RFC5280 / RFC6818

Synopsis

Documentation

data FailedReason Source

Possible reason of certificate and chain failure

Constructors

UnknownCriticalExtension	certificate contains an unknown critical extension
Expired	validity ends before checking time
InFuture	validity starts after checking time
SelfSigned	certificate is self signed
UnknownCA	unknown Certificate Authority (CA)
NotAllowedToSign	certificate is not allowed to sign
NotAnAuthority	not a CA
InvalidSignature	signature failed
NoCommonName	Certificate doesn't have any common name (CN)
InvalidName String	Invalid name in certificate
NameMismatch String	connection name and certificate do not match
InvalidWildcard	invalid wildcard in certificate
LeafKeyUsageNotAllowed	the requested key usage is not compatible with the leaf certificate's key usage
LeafNotV3	Only authorized an X509.V3 certificate as leaf certificate.
EmptyChain	empty chain of certificate

Instances

Eq FailedReason
Show FailedReason

data Parameters Source

Validation parameters

Constructors

Parameters
Fields parameterTime :: UTCTime

Instances

Eq Parameters
Show Parameters

data Checks Source

A set of checks to activate or parametrize to perform on certificates.

It's recommended to use defaultChecks to create the structure, to better cope with future changes or expansion of the structure.

Constructors

Checks

Fields

checkTimeValidity :: Bool: check time validity of every certificate in the chain. the make sure that current time is between each validity bounds in the certificate
checkStrictOrdering :: Bool: Check that no certificate is included that shouldn't be included. unfortunately despite the specification violation, a lots of real world server serves useless and usually old certificates that are not relevant to the certificate sent, in their chain.
checkCAConstraints :: Bool: Check that signing certificate got the CA basic constraint. this is absolutely not recommended to turn it off.
checkExhaustive :: Bool: Check the whole certificate chain without stopping at the first failure. Allow gathering a exhaustive list of failure reasons. if this is turn off, it's absolutely not safe to ignore a failed reason even it doesn't look serious (e.g. Expired) as other more serious checks would not have been performed.
checkLeafV3 :: Bool: Check that the leaf certificate is version 3. If disable, version 2 certificate is authorized in leaf position and key usage cannot be checked.
checkLeafKeyUsage :: [ExtKeyUsageFlag]: Check that the leaf certificate is authorized to be used for certain usage. If set to empty list no check are performed, otherwise all the flags is the list need to exists in the key usage extension
checkFQHN :: Maybe String: Check the top certificate names matching the fully qualified hostname (FQHN). it's not recommended to turn this check off, if no other name checks are performed.

Instances

Eq Checks
Show Checks

defaultChecks Source

Arguments

:: Maybe String	fully qualified host name that we need to match in the certificate
-> Checks

Default checks to perform

It's not recommended to use Nothing as FQDN, doing so will ignore an important validation parameter check.

validate :: Checks -> CertificateStore -> CertificateChain -> IO [FailedReason]Source

validate a certificate chain.

validateWith :: Parameters -> CertificateStore -> Checks -> CertificateChain -> IO [FailedReason]Source

Validate a certificate chain with explicit parameters

getFingerprint Source

Arguments

:: (Show a, Eq a, ASN1Object a)
=> SignedExact a	object to fingerprint
-> HashALG	algorithm to compute the fingerprint
-> ByteString	fingerprint in binary form

Get the fingerprint of the whole signed object using the hashing algorithm specified