Method Standards.X509.verify_certificate_chain()
- Method verify_certificate_chain
mapping
verify_certificate_chain(array
(string
)cert_chain
,mapping
(string
:Verifier
|array
(Verifier
))authorities
,int
|void
require_trust
,
|bool
void
strict
)
mapping
verify_certificate_chain(array
(string
)cert_chain
,mapping
(string
:Verifier
|array
(Verifier
))authorities
,int
|void
require_trust
,mapping
(string
:mixed
)options
)- Description
Decodes a certificate chain, ordered from leaf to root, and checks the signatures. Verifies that the chain can be decoded correctly, is unbroken, and that all certificates are in effect (time-wise.) and allowed to sign its child certificate.
No verifications are done on the leaf certificate to determine what it can and can not be used for.
Returns a mapping with the following contents, depending on the verification of the certificate chain:
"error_code"
:int
Error describing type of verification failurew, if verification failed. May be one of the following, OR:ed together:
CERT_TOO_NEW
,CERT_TOO_OLD
,CERT_ROOT_UNTRUSTED
,CERT_BAD_SIGNATURE
,CERT_INVALID
orCERT_CHAIN_BROKEN
."error_cert"
:int
Index number of the certificate that caused the verification failure.
"self_signed"
:bool
Non-zero if the certificate is self-signed.
"verified"
:bool
Non-zero if the certificate is verified.
"authority"
:Standards.ASN1.Sequence
The authority RDN that verified the chain.
"cn"
:Standards.ASN1.Sequence
The common name RDN of the leaf certificate.
"certificates"
:array
(TBSCertificate
)An array with the decoded certificates, ordered from root to leaf.
- Parameter
cert_chain
An array of certificates, with the relative-root last. Each certificate should be a DER-encoded certificate.
- Parameter
authorities
A mapping from (DER-encoded) names to verifiers.
- Parameter
require_trust
Require that the certificate be traced to an authority, even if it is self signed.
- Parameter
strict
By default this function only requires that the certificates are in order, it ignores extra certificates we didn't need to verify the leaf certificate.
If you specify
strict
, this will change, each certificate has to be signed by the next in the chain.Some https-servers send extraneous intermediate certificates that aren't used to validate the leaf certificate. So strict mode will be incompatible with such servers.
- Parameter
options
"verifier_algorithm"
:mapping
(Standards.ASN1.Types.Identifier
:Crypto.Hash
)A mapping of verifier algorithm identifier to hash algorithm implementation.
"strict"
:int
See
strict
above.- See also
-
See Standards.PKCS.Certificate.get_dn_string for converting the RDN to an X500 style string.