TlsUtility: Add IsCa() function to verify that a given certificate is a CA certificate

This commit is contained in:
Michael Friedrich 2020-02-13 16:03:43 +01:00
parent be2178b993
commit a7436394cd
2 changed files with 18 additions and 0 deletions


@ -809,6 +809,23 @@ bool VerifyCertificate(const std::shared_ptr<X509>& caCertificate, const std::sh
return rc == 1;
}
bool IsCa(const std::shared_ptr<X509>& cacert)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
/* OpenSSL 1.1.x provides https://www.openssl.org/docs/man1.1.0/man3/X509_check_ca.html
*
* 0 if it is not CA certificate,
* 1 if it is proper X509v3 CA certificate with basicConstraints extension CA:TRUE,
* 3 if it is self-signed X509 v1 certificate
* 4 if it is certificate with keyUsage extension with bit keyCertSign set, but without basicConstraints,
* 5 if it has outdated Netscape Certificate Type extension telling that it is CA certificate.
*/
return (X509_check_ca(cacert.get()) == 1);
#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
BOOST_THROW_EXCEPTION(std::invalid_argument("Not supported on this platform, OpenSSL version too old."));
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
}
std::string to_string(const errinfo_openssl_error& e)
{
std::ostringstream tmp;
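Review bot: X509_check_ca(cacert.get()) in the new IsCa body dereferences a null pointer when the caller passes an empty shared_ptr, and nothing in the function guards against it; add `if (!cacert) return false;` (or throw, whichever matches how VerifyCertificate treats its arguments, whose body starts outside this hunk) before the call. The #else branch throws std::invalid_argument for a build-configuration problem rather than a bad argument, so `std::runtime_error` describes it better, and since there is no `return` after the macro some compilers may warn about a missing return value depending on whether this Boost version marks throw_exception noreturn. It is also worth stating next to the return that accepting only 1 is deliberate and what that excludes: `/* Only X509v3 CA:TRUE counts; v1 self-signed (3), keyCertSign-only (4) and Netscape (5) are rejected, and nothing here checks the signature or the trust chain. */`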


@ -47,6 +47,7 @@ String SHA256(const String& s);
String RandomString(int length);
bool VerifyCertificate(const std::shared_ptr<X509>& caCertificate, const std::shared_ptr<X509>& certificate);
bool IsCa(const std::shared_ptr<X509>& cacert);
class openssl_error : virtual public std::exception, virtual public boost::exception { };
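Review bot: The new IsCa declaration has no comment, while its contract is narrower than the name suggests: the implementation returns true only when X509_check_ca() yields 1, i.e. an X509v3 certificate with basicConstraints CA:TRUE, and it performs no signature or chain validation. Add above the declaration `/* True only for X509v3 certs with basicConstraints CA:TRUE; no signature/trust check is done. Throws on OpenSSL < 1.1.0. */` so callers do not mistake it for a trust decision.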