API Reference | developer.brewmp.com

CERTDATATRUSTOVERRIDE

Brew Release
Brew MP 1.0.2
See Also
ICertChain_Verify
Description
Structure to specify that certain trust checks be skipped.
Members
  • uCertID:             Comes from the CertDataBasic data structure. If uCertID
                            is zero, the override applies to every cert in the
                            chain, root included. This is somewhat dangerous,
                            though necessary in some cases. When using certs
                            outside SSL, say for verifying digital signatures,
                            there is no target host to compare against, so
                            verifying the hostname and checking dates are
                            unnecessary. The way to turn off this checking is to
                            override those two checks on all certs in the chain
                            with a single record whose uCertID is zero.
    
  • uOverrideBits:       A bit map of CERTDATA_* values (listed under Comments)
                            indicating which trust failures to override.
Definition
  •    typedef struct CertDataTrustOverride
       {
          uint32  uCertID;
          uint32  uOverrideBits;
       } CertDataTrustOverride;
    
Comments
One of these structures represents a set of trust overrides for a particular certificate. It is used by adding an option with this structure as the value and CERTDATAOPT_OVERRIDE as the ID. The option may be added to the ICertChain instance, or passed in the arguments to ICertChain_Verify(). Trust override records are suitable for storing trust overrides for the short or long term: this binary format will not change from release to release.

The same macros/constants are used for indicating trust errors and for overrides. The following explains how each bit behaves when used as a trust override; in general each one disables some part of the trust checking.

  • CERTDATA_OVERRIDE_ALL:         Override all trust processing. This is dangerous.
  • CERTDATA_CERT_TRUST:           Trust this certificate as a root during the chaining operation.
  • CERTDATA_LONG_CHAIN:           Does not work as an override. Use CERTDATAOPT_MAX_CHAIN instead.
  • CERTDATA_CERT_EXPIRED:         Do not check the dates on the cert (but still try to parse them).
  • CERTDATA_BAD_DATE:             Turn off all attempts to examine dates in the cert.
  • CERTDATA_HOST_MISMATCH:        Do not try to compare the names.
  • CERTDATA_NO_TARGET_HOST:       Same as CERTDATA_HOST_MISMATCH. Do not try to check the hostname.
  • CERTDATA_NO_HOST_IN_CERT:      Same as CERTDATA_HOST_MISMATCH. Do not try to check the hostname.
  • CERTDATA_BAD_SIGNATURE:        Do not attempt to verify the signature on this cert; no heavy crypto.
  • CERTDATA_CERT_HASH_UNKNOWN:    Same as CERTDATA_SEVER_CERT_SIG_BAD.
  • CERTDATA_CERT_HASH_UNSUPP:     Same as CERTDATA_SEVER_CERT_SIG_BAD.
  • CERTDATA_SIGNER_KEY_BAD:       Stops signature verification on certs *signed* by this cert.
  • CERTDATA_CRITICAL_EXTENSION:   Still checks the extensions that are understood, but silently ignores the ones that are not.
  • CERTDATA_BASIC_CONST:          Do not check the basic constraints.
  • CERTDATA_EXT_KEY_USE:          The extended key usage extension is ignored if it is not critical.
  • CERTDATA_CRIT_EXT_KEY_USE:     Extended key usage is completely ignored.
  • CERTDATA_KEY_USE:              Disables all key usage processing.
  • CERTDATA_NON_LEAF_EXT_KEY_USE: When set, extended key usage is checked on the root and intermediate certs. If not set, checking is only done on the leaf cert. This is really just a flag, not a trust override, and it is never returned as an error.

Note that the signature-related overrides (CERTDATA_BAD_SIGNATURE, CERTDATA_SIGNER_KEY_BAD and the hash variants) remove the cryptographic binding between certs in the chain; applied with a zero uCertID they leave nothing in the chain actually verified, which is why CERTDATA_OVERRIDE_ALL is marked dangerous.
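The following is a worked model of how override records combine with per-certificate trust failures, added here as an illustration; it is not code from the Brew MP SDK. The CERTDATA_* bit values, the CertResult type and the apply/gate functions are assumptions: the real constants and the verifier's internals live in the Brew MP headers and inside ICertChain_Verify(). The model shows the three behaviours the page describes (a zero uCertID applies to every cert in the chain, a non-zero uCertID applies only to that cert, and CERTDATA_LONG_CHAIN has no effect as an override) and adds the check a practitioner would run before passing records to ICertChain_Verify(): overrides_are_dangerous() rejects CERTDATA_OVERRIDE_ALL and any chain-wide record that disables signature verification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* ASSUMED bit values: the real CERTDATA_* constants come from the Brew MP
 * headers. These placeholders exist only so the model compiles offline. */
#define CERTDATA_CERT_EXPIRED    (1u << 0)
#define CERTDATA_BAD_DATE        (1u << 1)
#define CERTDATA_HOST_MISMATCH   (1u << 2)
#define CERTDATA_NO_TARGET_HOST  (1u << 3)
#define CERTDATA_NO_HOST_IN_CERT (1u << 4)
#define CERTDATA_BAD_SIGNATURE   (1u << 5)
#define CERTDATA_LONG_CHAIN      (1u << 6)
#define CERTDATA_OVERRIDE_ALL    0xFFFFFFFFu

/* Same layout as the structure documented on this page. */
typedef struct CertDataTrustOverride {
    uint32_t uCertID;        /* 0 = applies to every cert in the chain */
    uint32_t uOverrideBits;  /* CERTDATA_* failures to ignore */
} CertDataTrustOverride;

/* Constructed stand-in for a per-cert verify result (not the real CertDataBasic). */
typedef struct {
    uint32_t uCertID;        /* non-zero; 0 is the wildcard in override records */
    uint32_t uTrustErrors;   /* CERTDATA_* failure bits raised for this cert */
} CertResult;

/* Failure bits left on one cert after applying every record whose uCertID is 0
 * or matches it. CERTDATA_LONG_CHAIN is never an override, so it is never masked. */
static uint32_t apply_overrides(uint32_t certID, uint32_t errors,
                                const CertDataTrustOverride *ov, size_t nOv)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < nOv; i++)
        if (ov[i].uCertID == 0 || ov[i].uCertID == certID)
            mask |= ov[i].uOverrideBits;
    mask &= ~CERTDATA_LONG_CHAIN;
    return errors & ~mask;
}

/* Applies overrides to a chain in place; returns how many certs still fail. */
static size_t chain_remaining_failures(CertResult *chain, size_t nChain,
                                       const CertDataTrustOverride *ov, size_t nOv)
{
    size_t failing = 0;
    for (size_t i = 0; i < nChain; i++) {
        chain[i].uTrustErrors = apply_overrides(chain[i].uCertID, chain[i].uTrustErrors, ov, nOv);
        if (chain[i].uTrustErrors != 0)
            failing++;
    }
    return failing;
}

/* Gate to run before handing records to ICertChain_Verify: reject
 * CERTDATA_OVERRIDE_ALL and any chain-wide (uCertID == 0) record that disables
 * signature checking, since either leaves the chain cryptographically unverified. */
int overrides_are_dangerous(const CertDataTrustOverride *ov, size_t nOv)
{
    for (size_t i = 0; i < nOv; i++)
        if (ov[i].uOverrideBits == CERTDATA_OVERRIDE_ALL ||
            (ov[i].uCertID == 0 && (ov[i].uOverrideBits & CERTDATA_BAD_SIGNATURE)))
            return 1;
    return 0;
}

/* Constructed override sets for the gate above. */
const CertDataTrustOverride kWildcardNoSig[1] = { { 0, CERTDATA_BAD_SIGNATURE } };
const CertDataTrustOverride kWildcardDates[1] = { { 0, CERTDATA_CERT_EXPIRED | CERTDATA_BAD_DATE } };

/* Scenario from the page: a detached signature with no SSL session, so every cert
 * reports "no target host" and two report expired dates. One wildcard record clears both. */
size_t demo_offline_signature(void)
{
    CertResult chain[3] = {
        { 1, CERTDATA_NO_TARGET_HOST | CERTDATA_CERT_EXPIRED },  /* leaf */
        { 2, CERTDATA_NO_TARGET_HOST },                          /* intermediate */
        { 3, CERTDATA_NO_TARGET_HOST | CERTDATA_CERT_EXPIRED },  /* root */
    };
    const CertDataTrustOverride ov[1] = { { 0, CERTDATA_HOST_MISMATCH | CERTDATA_NO_TARGET_HOST |
        CERTDATA_NO_HOST_IN_CERT | CERTDATA_CERT_EXPIRED | CERTDATA_BAD_DATE } };
    return chain_remaining_failures(chain, 3, ov, 1);  /* 0 */
}

/* A record scoped to cert 1 leaves cert 2's failures in place, and its
 * CERTDATA_LONG_CHAIN bit is ignored as an override. */
size_t demo_per_cert_override(void)
{
    CertResult chain[2] = {
        { 1, CERTDATA_CERT_EXPIRED },
        { 2, CERTDATA_CERT_EXPIRED | CERTDATA_LONG_CHAIN },
    };
    const CertDataTrustOverride ov[1] = { { 1, CERTDATA_CERT_EXPIRED | CERTDATA_LONG_CHAIN } };
    return chain_remaining_failures(chain, 2, ov, 1);  /* 1 */
}

int main(void)
{
    printf("offline signature: %zu cert(s) still failing\n", demo_offline_signature());
    printf("per-cert override: %zu cert(s) still failing\n", demo_per_cert_override());
    printf("wildcard no-signature rejected: %d\n", overrides_are_dangerous(kWildcardNoSig, 1));
    return 0;
}
```

In the real API the records are not applied by the caller: they go into an option with ID CERTDATAOPT_OVERRIDE, set on the ICertChain instance or passed in the ICertChain_Verify() arguments, and the verifier applies them. The model only shows how the bits compose, and why a gate like overrides_are_dangerous() belongs in front of any code path that stores override records long-term.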