Pike v8.0 release 1738

Method Standards.X509.verify_certificate_chain()


Method verify_certificate_chain

mapping verify_certificate_chain(array(string) cert_chain, mapping(string:Verifier|array(Verifier)) authorities, int|void require_trust, bool|void strict)
mapping verify_certificate_chain(array(string) cert_chain, mapping(string:Verifier|array(Verifier)) authorities, int|void require_trust, mapping(string:mixed) options)

Description

Decodes a certificate chain, ordered from leaf to root, and checks the signatures. Verifies that the chain can be decoded correctly, is unbroken, that all certificates are in effect (time-wise) and that each certificate is allowed to sign its child certificate.

No verifications are done on the leaf certificate to determine what it can and can not be used for.

Returns a mapping with the following contents, depending on the verification of the certificate chain:

"error_code" : int

Error describing the type of verification failure, if verification failed. May be one of the following, OR:ed together: CERT_TOO_NEW, CERT_TOO_OLD, CERT_ROOT_UNTRUSTED, CERT_BAD_SIGNATURE, CERT_INVALID or CERT_CHAIN_BROKEN.

"error_cert" : int

Index number of the certificate that caused the verification failure.

"self_signed" : bool

Non-zero if the certificate is self-signed.

"verified" : bool

Non-zero if the certificate is verified.

"authority" : Standards.ASN1.Sequence

The authority RDN that verified the chain.

"cn" : Standards.ASN1.Sequence

The common name RDN of the leaf certificate.

"certificates" : array(TBSCertificate)

An array with the decoded certificates, ordered from root to leaf.

Parameter cert_chain

An array of certificates, with the relative-root last. Each certificate should be a DER-encoded certificate.

Parameter authorities

A mapping from (DER-encoded) names to verifiers.

Parameter require_trust

Require that the certificate be traced to an authority, even if it is self signed.

Parameter strict

By default this function only requires that the certificates are in order; it ignores extra certificates that were not needed to verify the leaf certificate.

If you specify strict, this changes: each certificate has to be signed by the next one in the chain.

Some https servers send extraneous intermediate certificates that aren't used to validate the leaf certificate, so strict mode is incompatible with such servers.

Parameter options

"verifier_algorithm" : mapping(Standards.ASN1.Types.Identifier:Crypto.Hash)

A mapping of verifier algorithm identifier to hash algorithm implementation.

"strict" : int

See strict above.
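The following is an added usage example, not code from the Pike manual. It shows the description above in practice: a chain is read from PEM files (leaf first, relative-root last), verified against the trust store with require_trust set and strict left off, and the returned mapping is inspected so that a failure is reported by certificate index and by the names of the OR:ed error codes. It assumes Standards.PEM.simple_decode() for PEM-to-DER conversion and Standards.X509.load_authorities() for loading the system's root certificates; the file paths are placeholders.

```pike
// Added example (not part of the Pike manual): verify a leaf->root chain
// read from PEM files and print the result of verify_certificate_chain().
// Assumptions: Standards.PEM.simple_decode() decodes one PEM message to DER,
// Standards.X509.load_authorities() returns the system trust store as the
// "authorities" mapping expected by verify_certificate_chain().

// Map each error bit to its name so an OR:ed error_code can be explained.
mapping(int:string) error_names = ([
  Standards.X509.CERT_TOO_NEW        : "CERT_TOO_NEW",
  Standards.X509.CERT_TOO_OLD        : "CERT_TOO_OLD",
  Standards.X509.CERT_ROOT_UNTRUSTED : "CERT_ROOT_UNTRUSTED",
  Standards.X509.CERT_BAD_SIGNATURE  : "CERT_BAD_SIGNATURE",
  Standards.X509.CERT_INVALID        : "CERT_INVALID",
  Standards.X509.CERT_CHAIN_BROKEN   : "CERT_CHAIN_BROKEN",
]);

// Turn an OR:ed error_code into "NAME|NAME|..." for logging.
string describe_error(int code)
{
  array(string) names = ({});
  foreach(error_names; int bit; string name)
    if (code & bit) names += ({ name });
  return sizeof(names) ? names * "|" : sprintf("unknown(%d)", code);
}

int main(int argc, array(string) argv)
{
  if (argc < 2) {
    werror("usage: %s leaf.pem [intermediate.pem ...]\n", argv[0]);
    return 1;
  }

  // cert_chain: leaf first, relative-root last, each entry DER-encoded.
  array(string) chain = map(argv[1..], lambda(string path) {
    return Standards.PEM.simple_decode(Stdio.read_file(path));
  });

  // Trusted authorities keyed by DER-encoded name (assumed helper).
  mapping authorities = Standards.X509.load_authorities();

  // require_trust = 1: even a self-signed leaf must trace to an authority.
  // strict = 0: tolerate extra intermediates a server may have sent.
  mapping result =
    Standards.X509.verify_certificate_chain(chain, authorities, 1, 0);

  if (!result->verified) {
    // error_cert is the index in the chain of the offending certificate.
    werror("Verification failed at certificate %d: %s\n",
           result->error_cert, describe_error(result->error_code));
    return 1;
  }

  // cn and authority are RDN sequences; get_dn_string() renders them.
  write("Verified leaf %s\n  chained to authority %s\n  self_signed=%d\n",
        Standards.PKCS.Certificate.get_dn_string(result->cn),
        Standards.PKCS.Certificate.get_dn_string(result->authority),
        result->self_signed);

  // As the manual notes, nothing above checks what the leaf may be used
  // for (key usage, host name); that is the caller's responsibility.
  return 0;
}
```

Because error_code is a bit mask, a single failing certificate can carry several bits at once (for example an expired intermediate whose signature is also bad), which is why describe_error() joins all set bits rather than matching one value.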

See also

get_algorithms()

See Standards.PKCS.Certificate.get_dn_string for converting the RDN to an X.500-style string.