Method Standards.X509.verify_certificate_chain()
- Method verify_certificate_chain
mapping verify_certificate_chain(array(string) cert_chain, mapping(string:Verifier|array(Verifier)) authorities, int|void require_trust)
- Description
Decodes a certificate chain, oredered from leaf to root, and checks the signatures. Verifies that the chain can be decoded correctly, is unbroken, and that all certificates are in effect (time-wise.) and allowed to sign it's child certificate.
No verifications are done on the leaf certificate to determine what it can and can not be used for.
Returns a mapping with the following contents, depending on the verification of the certificate chain:
"error_code" : int Error describing type of verification failurew, if verification failed. May be one of the following, OR:ed together: CERT_TOO_NEW, CERT_TOO_OLD, CERT_ROOT_UNTRUSTED, CERT_BAD_SIGNATURE, CERT_INVALID or CERT_CHAIN_BROKEN.
"error_cert" : int Index number of the certificate that caused the verification failure.
"self_signed" : bool Non-zero if the certificate is self-signed.
"verified" : bool Non-zero if the certificate is verified.
"authority" : Standards.ASN1.Sequence The authority RDN that verified the chain.
"cn" : Standards.ASN1.Sequence The common name RDN of the leaf certificate.
"certificates" : array(TBSCertificate) An array with the decoded certificates, ordered from root to leaf.
- Parameter cert_chain
An array of certificates, with the relative-root last. Each certificate should be a DER-encoded certificate.
- Parameter authorities
A mapping from (DER-encoded) names to verifiers.
- Parameter require_trust
Require that the certificate be traced to an authority, even if it is self signed.
See Standards.PKCS.Certificate.get_dn_string for converting the RDN to an X500 style string.