This library provides support for X.509 certificates, specifically the profiles and interpretations defined by [PKIX] and the CA/Browser Forum’s Baseline Requirements.
The following example shows how to configure a certificate store with trusted root certificates, load a PEM file to create a certificate chain, and check whether the chain is suitable for identifying a TLS server.
First, let’s use openssl s_client to connect to https://www.racket-lang.org and save the certificates that the server sends in the TLS handshake:
openssl s_client -connect www.racket-lang.org:443 -showcerts \
< /dev/null > racket.pem
In general, the saved file will contain one or more PEM-encapsulated CERTIFICATE blocks: one for the server, and zero or more intermediate CA certificates necessary for building a certificate chain anchored by a trusted root CA.
pem-file->chain: failed to build complete chain
end certificate: #<certificate: C=US/ST=California/L=San
Francisco/O=Cloudflare, Inc./CN=sni.cloudflaressl.com>
#<certificate: C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./CN=sni.cloudflaressl.com>
'(#<certificate: C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./CN=sni.cloudflaressl.com>
#<certificate: C=US/O=Cloudflare, Inc./CN=Cloudflare Inc ECC CA-3>
#<certificate: C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root>)
#t
#f
A certificate represents an assertion that a cryptographic public key is tied to an identity, to be used for a particular purpose. The assertion is cryptographically signed by another party, the issuer.
For example, a secure web site (serving HTTP over TLS) would present a certificate with their public key, their identity in the form of their DNS name, and the purpose of identifying a TLS server. That certificate’s issuer would own a certificate for the purpose of acting as a certificate authority (CA), and its public key should verify the signature on the TLS server’s certificate.
One does not decide whether to trust a certificate in isolation; it depends on whether the issuer is trusted, and that often involves obtaining a certificate for the issuer and deciding whether to trust it, and so on. In general, trust is evaluated for a certificate chain; chains are built and evaluated using a certificate store.
procedure
( certificate? v)→boolean?
v:any/c
interface
> racket-cert#<certificate: C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./CN=sni.cloudflaressl.com>
method
(send a-certificate get-subject )→any/c
Returns the Name of the certificate’s subject.The result is a X.509 Name value represented according to the rules of the asn1 library. See [PKIX] for the definition of Name.
'(rdnSequence
((#hasheq((type . (2 5 4 6)) (value . "US")))
(#hasheq((type . (2 5 4 8)) (value . (printableString "California"))))
(#hasheq((type . (2 5 4 7)) (value . (printableString "San Francisco"))))
(#hasheq((type . (2 5 4 10))
(value . (printableString "Cloudflare, Inc."))))
(#hasheq((type . (2 5 4 3))
(value . (printableString "sni.cloudflaressl.com"))))))
method
(send a-certificate get-issuer )→any/c
Returns the Name of the certificate’s issuer.'(rdnSequence
((#hasheq((type . (2 5 4 6)) (value . "US")))
(#hasheq((type . (2 5 4 10))
(value . (printableString "Cloudflare, Inc."))))
(#hasheq((type . (2 5 4 3))
(value . (printableString "Cloudflare Inc ECC CA-3"))))))
method
(send a-certificate get-subject-common-names )
Returns a list of Common Names (CN) occuring in the certificate’s subject. A typical certificate has at most one Common Name.'("sni.cloudflaressl.com")
method
(send a-certificate get-subject-alt-names [kind])
Returns a list of the certificate’s Subject Alternative Names (SAN).If kind is a symbol, only subject alternative names of the given kind are returned, and they are returned untagged. If kind is #f, then all SAN entries are returned, and each entry is tagged with a kind symbol (see x509-general-name-tag/c ).
'((dNSName "sni.cloudflaressl.com")
(dNSName "racket-lang.org")
(dNSName "*.racket-lang.org"))
'("sni.cloudflaressl.com" "racket-lang.org" "*.racket-lang.org")
method
(send a-certificate get-subject-name-string )→string?
Returns a string summarizing the subject name of the certificate.Warning: The format of the result may change in future versions of this library.
Example:"C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./CN=sni.cloudflaressl.com"
method
(send a-certificate get-issuer-name-string )→string?
Like get-subject-name-string , but returns a string representing the issuer.Example:"C=US/O=Cloudflare, Inc./CN=Cloudflare Inc ECC CA-3"
method
(send a-certificate get-validity-seconds )
Returns the validity period of the certificate (from notBefore to notAfter) in seconds (see current-seconds , seconds->date , etc).'(1623448800 1654984799)
Gets the DER encoding of the certificate’s SubjectPublicKeyInfo (SPKI).This can be converted to a public key with datum->pk-key , but it is usually better to validate the certificate first and then call the chain’s get-public-key method.
method
(send a-certificate get-key-usages )
Gets the value of the KeyUsage extension, if present; if the extension is absent, returns null . See also ok-key-usage? in certificate-chain<%> .'(digitalSignature)
method
(send a-certificate get-extended-key-usages )
Gets the value of the ExtendedKeyUsage extension, if present; if the extension is absent, returns null . See also ok-extended-key-usage? in certificate-chain<%> .'((1 3 6 1 5 5 7 3 1) (1 3 6 1 5 5 7 3 2))
Gets the DER encoding of the certificate.
procedure
bs:bytes?
procedure
( read-pem-certificates in[#:countcount])→(listof certificate? )
in:input-port?
Certificates are delimited by "----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Data outside of the delimiters is ignored and discarded, so certificates may be interleaved with other text. For example, the openssl s_client -showcerts command logs certificates intermixed with other diagnostic messages during TLS handshaking.
procedure
pem-file:path-string?
value
'keyAgreement'keyCertSign'cRLSign'encipherOnly'decipherOnly)
value
'ediPartyName'uniformResourceIdentifier'iPAddress'registeredID)
Each certificate is the issuer of the next—that is, the subject name of each certificate “matches” [PKIX] the issuer name of the next certificate.
Each certificate that acts as an issuer (that is, every certificate in the chain except for the end certificate) is suitable as a CA certificate.
Each certificate’s public key verifies the signature of the next certificate in the chain. (Note that the anchor certificate’s signature is not checked; its trust is determined by the certificate store.)
The validity period of the chain is non-empty. The validity period of the chain is the intersection of the validity periods of all of the certificates in the chain. The certificates are not required to have strictly nested validity periods.
A chain does not necessarily start with a trusted root CA.
A chain is not necessarily valid at the current time.
A chain’s end certificate is not necessarily valid for a given purpose (for example, for identifying particular a TLS server and creating a TLS connection).
Note: [PKIX] uses the term “certification path” instead of “certificate chain”.
procedure
v:any/c
interface
method
(send a-certificate-chain get-certificate )→certificate?
Returns the chain’s end certificate — that is, the certificate that the chain certifies.method
(send a-certificate-chain get-certificates )
Returns all of the certificates in a-certificate-chain, in “reversed” order: that is, the end certificate is the first element of the resulting list and the anchor is last.method
(send a-certificate-chain get-issuer-chain )
Returns the prefix of the certificate chain corresponding to this certificate’s issuer, or #f if the current chain is an anchor.method
(send a-certificate-chain get-anchor )→certificate-chain?
Returns the certificate chain’s anchor.method
(send a-certificate-chain is-anchor? )→boolean?
Returns #t if a-certificate-chain is an anchor, #f otherwise. An anchor is a chain that has no issuer chain.method
(send a-certificate-chain get-subject )→any/c
Equivalent to(send (send a-certificate-chainget-certificate )get-subject )
method
(send a-certificate-chain get-subject-alt-names [kind])
Equivalent tomethod
(send a-certificate-chain get-public-key [factories])
Creates a public key from the end certificate’s SubjectPublicKeyInfo using an implementation from factories.Verifies that the signature sig is valid for the data msg using the end certificate’s public key and the signature algorithm specified by algid (an AlgorithmIdentifier, either DER-encoded as a byte string or the parsed representation).The result is one of the following:
The result is (ok #t) if the signature is valid.
The result is (bad faults) if verification failed, where faults is a list of symbols describing the failure. The symbol 'signature:bad indicates a bad signature; other symbols indicate situations like problems interpreting algid and mismatches between the public key and the algorithm specified by algid.
method
(send a-certificate-chain get-security-level )
Returns the security level of the chain. Equivalent to(security-strength->level (send a-certificate-chainget-security-strength ))
Example:2
method
(send a-certificate-chain get-security-strength )
Returns the security strength of the chain, which is the minimum of the strengths of each public key and signature in the chain, except for the signature within the anchor.Example:112
method
(send a-certificate-chain get-public-key-security-strength )
Returns the security strength of the end certificate’s public key. Equivalent to(pk-security-strength (send a-certificate-chainget-public-key ))
Example:128
method
store[ from-timeto-time#:security-levelsecurity-level])store:certificate-store?Returns #t if the chain’s anchor certificate is trusted according to store, the validity of the chain includes the period from from-time to to-time, and the security level of all public keys and signatures in the chain is at least security-level; otherwise, returns #f.Equivalent to#:security-levelsecurity-level))method
store[ from-timeto-time#:security-levelsecurity-level])store:certificate-store?Similar to trusted? , but the result is one of the following:
The result is (ok #t) if the chain’s anchor certificate is trusted by store, the validity of the chain includes the period from from-time to to-time, and the security level of all public keys and signatures in the chain is at least security-level.
The result is (bad (list (cons cert-indexfault)... )) otherwise, where each cert-index is the index of the certificate where the problem occurred (starting with 0 for the anchor) and fault is a value (usually a symbol) describing the problem.
Examples:'#s(ok #t)
'#s(bad ((0 . anchor:not-trusted) (0 . security-level:weak-public-key)))
method
(send a-certificate-chain get-validity-seconds )
Gets the validity period of the chain, which is the intersection of the validity periods of all certificates in the chain.Example:'(1623448800 1654984799)
method
usage:key-usage/cReturns #t if the end certificate has the KeyUsage extension and the extension’s value contains the key usage named by usage. If the extension is present but does not contain usage, returns #f. If the end certificate does not have a KeyUsage extension, returns default.Examples:#t
#f
#t
method
(send a-certificate-chain ok-extended-key-usage? eku)
eku:asn1-oid?Returns #t if the extended key usage identified by eku (an OBJECT IDENTIFIER) is allowed for the end certificate of a-certificate-chain; returns #f otherwise.The extended key usage eku is allowed if all of the following are true:
The end certificate contains an ExtendedKeyUsage extension and the extension’s value contains eku.
In every preceding certificate in the chain (that is, the anchor and intermediate CA certificates), if the ExtendedKeyUsage extension is present, then its value contains eku.
Note: this method does not treat anyExtendedKeyUsage specially.Examples:#t
#f
method
(send a-certificate-chain suitable-for-CA? )→boolean?
Returns #t if the chain ends with a certificate that is suitable for a certificate authority — specifically, for signing other certificates. Returns #f otherwise.Examples:#f
#t
method
(send a-certificate-chain suitable-for-tls-server? host)
Returns #t if the chain ends with a certificate that is suitable for identifying a TLS server, and if the certificate has a subject alternative name (SAN) that matches the given host DNS name; otherwise, returns #f. If host is #f, the DNS name check is omitted.Examples:#t
#f
#t
method
(send a-certificate-chain suitable-for-tls-client? name)
name:any/cReturns #t if the chain’s certificate is suitable for identifying a client to a TLS server, and if the certificate has a subject name or subject alternative name (SAN) that matches the given name; otherwise, returns #f. If name is #f, then the name check is omitted.
A certificate store determines which certificates are trusted a priori—usually, these trusted certificates correspond to root CAs, which are typically self-issued and self-signed. In this context, “trusted” means that the assertion that the certificate represents (binding a public key to identities and purposes) is accepted at face value; it does not mean that the certificate is automatically accepted as suitable for every purpose.
The store may also contain certificates that are not directly trusted, but may be used in the construction of chains.
procedure
v:any/c
procedure
( empty-store [#:security-levelsecurity-level])
procedure
( default-store [#:security-levelsecurity-level])
interface
Creates a new certificate store like a-certificate-store but where
The trusted-certs and untrusted-certs are available for building certificate chains.
The trusted-certs are considered trusted.
Note: trust is monotonic. That is, if a certificate is already trusted, then adding it again as an untrusted certificate does not make it untrusted.method
(send a-certificate-store add-trusted-from-pem-file pem-file)
pem-file:path-string?Creates a new certificate store like a-certificate-store, but trusting the certificates contained in PEM format in pem-file.method
(send a-certificate-store add-trusted-from-openssl-directory dir)
dir:path-string?Creates a new certificate store like a-certificate-store, but trusting the certificates in dir, which uses OpenSSL-style hashing.method
[ other-untrusted-certsvalid-time])end-cert:certificate?Builds a certificate chain starting with some trusted certificate and ending with end-cert. The chain may be built from intermediate certificates from other-untrusted-certs in addition to the certificates already in the store. The result chain is chain-valid; it is valid for a period including valid-time; and its anchor is trusted by a-certificate-store.If no such chain can be constructed, an exception is raised. If multiple chains can be constructed, one is selected, but there are no guarantees about how it is selected.
method
[ other-untrusted-certsvalid-time#:empty-ok?empty-ok?])end-cert:certificate?Like build-chain , but returns all chains that could be constructed. If no such chains can be constructed, an exception is raised, unless empty-ok? is true, in which case null is returned.method
[ valid-time])pem-file:path-string?Returns a certificate chain for the first certificate in PEM format in pem-file, using any remaining certificates in the file as other untrusted certificates. The result chain is chain-valid; it is valid for a period including valid-time; and its anchor is trusted by a-certificate-store.
There are two main certificate revocation mechanisms: CRLs (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol).
'#s(ok #t)
'#s(bad unknown)
procedure
[ #:trust-db?trust-db?#:fetch-ocsp?fetch-ocsp?#:fetch-crl?fetch-crl?])
The db-file is a SQLite3 database file used to cache OCSP and CRL responses. These responses carry signatures, so they can be cached even if the cache is untrusted. (When the cache contains a response, the response is re-verified, and if verification fails then the cached response is discarded and a new response is retrieved.)
If trust-db? is #t, then status information about individual certificates is also cached. This saves parsing and signature verification time, but these individual status records do not carry signatures, so they cannot be re-verified later. If trust-db? is #f, then only the re-verifiable parts of the cache are used.
If fetch-ocsp? is #t, then if the cache does not contain a trusted, unexpired OCSP response, a response is fetched from the OCSP responder URL (or URLs) in the certificate being checked. If fetch-ocsp? is #f, no new response is fetched; if a suitable response is not in the cache, the certificate’s status is unknown. Likewise, the fetch-crl? option controls requests for CRLs.
interface
method
(send a-revocation-checker check-ocsp chain)
chain:certificate-chain?Returns one of the following:
(ok #t) — Some OCSP response indicated that the end certificate is good.
(bad 'revoked) — Some OCSP response indicated that the end certificate is revoked.
(bad 'unknown) — No responder produced a valid response, or the response indicated that the responder does not know the certificate’s status.
(bad 'no-sources) — The certificate has no usable OCSP responder URLs. This library uses only URLs with the scheme "http" or "https".
chain:certificate-chain?Returns one of the following:
(ok #t) — All usable CRLs were checked and the end certificate of chain was absent from all of the revocation lists.
(bad 'revoked) — Some CRL indicated that the certificate is revoked.
(bad 'unknown) — Some CRL source was unavailable or contained an invalid CRL, either because retrieving it failed (perhaps due to a network failure or server problem), or the retrieved CRL had a bad signature, or a-revocation-checker was configured not to fetch CRLs and it was not in the cache.
(bad 'no-sources) — The certificate has no usable CRL sources. This library uses only URLs with the scheme "http" or "https".