-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | X.509 Certificate and CRL validation
--   
--   X.509 Certificate and CRL validation
@package x509-validation
@version 1.4.6


-- | X.509 Certificate checks and validations routines
--   
--   Follows RFC5280 / RFC6818
module Data.X509.Validation

-- | Possible reasons for a certificate or chain failure
data FailedReason

-- | certificate contains an unknown critical extension
UnknownCriticalExtension :: FailedReason

-- | validity period ends before the checking time
Expired :: FailedReason

-- | validity period starts after the checking time
InFuture :: FailedReason

-- | certificate is self-signed
SelfSigned :: FailedReason

-- | unknown Certificate Authority (CA)
UnknownCA :: FailedReason

-- | certificate is not allowed to sign
NotAllowedToSign :: FailedReason

-- | not a CA
NotAnAuthority :: FailedReason

-- | signature verification failed
InvalidSignature :: FailedReason

-- | Certificate doesn't have any common name (CN)
NoCommonName :: FailedReason

-- | Invalid name in certificate
InvalidName :: String -> FailedReason

-- | connection name and certificate do not match
NameMismatch :: String -> FailedReason

-- | invalid wildcard in certificate
InvalidWildcard :: FailedReason

-- | the requested key usage is not compatible with the leaf certificate's
--   key usage
LeafKeyUsageNotAllowed :: FailedReason

-- | Only an X509.V3 certificate is authorized as the leaf certificate.
LeafNotV3 :: FailedReason

-- | empty certificate chain
EmptyChain :: FailedReason

-- | Validation parameters
data Parameters
Parameters :: UTCTime -> Parameters
parameterTime :: Parameters -> UTCTime

-- | A set of checks to activate or parametrize to perform on certificates.
--   
--   It's recommended to use <a>defaultChecks</a> to create the structure,
--   to better cope with future changes or expansion of the structure.
data Checks
Checks :: Bool -> Bool -> Bool -> Bool -> Bool -> [ExtKeyUsageFlag] -> Maybe String -> Checks

-- | Check the time validity of every certificate in the chain, i.e. make
--   sure that the current time lies within the validity bounds of each
--   certificate.
checkTimeValidity :: Checks -> Bool

-- | Check that no certificate is included that shouldn't be included.
--   Unfortunately, despite this being a specification violation, a lot of
--   real-world servers include useless and usually old certificates in
--   their chain that are not relevant to the certificate sent.
checkStrictOrdering :: Checks -> Bool

-- | Check that each signing certificate has the CA basic constraint.
--   Turning this off is absolutely not recommended.
checkCAConstraints :: Checks -> Bool

-- | Check the whole certificate chain without stopping at the first
--   failure. This allows gathering an exhaustive list of failure reasons.
--   If this is turned off, it is absolutely not safe to ignore a failed
--   reason even if it doesn't look serious (e.g. Expired), as other more
--   serious checks would not have been performed.
checkExhaustive :: Checks -> Bool

-- | Check that the leaf certificate is version 3. If disabled, a version 2
--   certificate is authorized in the leaf position and key usage cannot be
--   checked.
checkLeafV3 :: Checks -> Bool

-- | Check that the leaf certificate is authorized for certain usages. If
--   set to the empty list no check is performed; otherwise all the flags in
--   the list need to exist in the key usage extension.
checkLeafKeyUsage :: Checks -> [ExtKeyUsageFlag]

-- | Check that the top certificate's names match the fully qualified
--   hostname (FQHN). It's not recommended to turn this check off if no
--   other name checks are performed.
checkFQHN :: Checks -> Maybe String

-- | Default checks to perform
--   
--   It's not recommended to use Nothing as the FQDN; doing so will skip an
--   important validation check.
defaultChecks :: Maybe String -> Checks

-- | Validate a certificate chain.
validate :: Checks -> CertificateStore -> CertificateChain -> IO [FailedReason]

-- | Validate a certificate chain with explicit parameters
validateWith :: Parameters -> CertificateStore -> Checks -> CertificateChain -> IO [FailedReason]

-- | Get the fingerprint of the whole signed object using the hashing
--   algorithm specified
getFingerprint :: (Show a, Eq a, ASN1Object a) => SignedExact a -> HashALG -> ByteString
instance Show FailedReason
instance Eq FailedReason
instance Show Checks
instance Eq Checks
instance Show Parameters
instance Eq Parameters
