1 /*
2 * OCSP
3 * (C) 2012 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_OCSP_H__
9 #define BOTAN_OCSP_H__
10 
11 #include <botan/cert_status.h>
12 #include <botan/ocsp_types.h>
13 
14 namespace Botan {
15 
16 class Certificate_Store;
17 
18 namespace OCSP {
19 
20 /**
21 * An OCSP request.
22 */
/**
* An OCSP request for a single certificate.
*
* The certificate is identified by its issuer plus either the subject
* certificate or the subject's serial number; from these a CertID is
* built (m_certid) and that, not the subject certificate, is what the
* request carries. Only the issuer certificate is retained as a whole.
*/
class BOTAN_DLL Request
   {
   public:
      /**
      * Create an OCSP request.
      * @param issuer_cert issuer certificate
      * @param subject_cert subject certificate
      */
      Request(const X509_Certificate& issuer_cert,
              const X509_Certificate& subject_cert);

      /**
      * Create an OCSP request for a certificate that is only known by
      * its serial number.
      * @param issuer_cert issuer certificate
      * @param subject_serial serial number of the certificate to query;
      * it is interpreted relative to issuer_cert, so issuer_cert must be
      * the CA that actually issued the certificate in question
      */
      Request(const X509_Certificate& issuer_cert,
              const BigInt& subject_serial);

      /**
      * @return BER-encoded OCSP request
      */
      std::vector<uint8_t> BER_encode() const;

      /**
      * @return Base64-encoded OCSP request
      */
      std::string base64_encode() const;

      /**
      * @return issuer certificate this request was built with
      */
      const X509_Certificate& issuer() const { return m_issuer; }

      /**
      * Deprecated. The request no longer stores the subject certificate
      * (only m_issuer and m_certid are kept), so there is nothing to
      * return here.
      * @throws Not_Implemented unconditionally
      */
      const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }

      /**
      * @return hash of the issuer's public key as carried in this
      * request's CertID
      */
      const std::vector<uint8_t>& issuer_key_hash() const
         { return m_certid.issuer_key_hash(); }
   private:
      X509_Certificate m_issuer; // kept only for issuer()
      CertID m_certid;           // identifies the certificate being queried
   };
63 
64 /**
65 * OCSP response.
66 *
67 * Note this class is only usable as an OCSP client
68 */
/**
* OCSP response.
*
* Note this class is only usable as an OCSP client: it parses and
* verifies responses, it does not create them.
*
* Parsing (the constructors) and signature verification
* (check_signature / verify_signature) are separate steps. The
* accessors below and status_for() report what the response *claims*:
* status_for() takes no trust anchors and none of its documented return
* codes is a signature result, and the object keeps no flag recording a
* successful verification. A response must therefore not be acted on
* until check_signature() or verify_signature() has returned
* OCSP_SIGNATURE_OK for it.
*/
class BOTAN_DLL Response
   {
   public:
      /**
      * Creates an empty OCSP response.
      * NOTE(review): what the other members return for a
      * default-constructed response is not visible here — do not treat
      * an empty response as meaning anything in particular.
      */
      Response() = default;

      /**
      * Parses an OCSP response.
      * @param response_bits response bits received (untrusted input;
      * nothing is verified by parsing alone)
      */
      Response(const std::vector<uint8_t>& response_bits) :
         Response(response_bits.data(), response_bits.size())
         {}

      /**
      * Parses an OCSP response.
      * @param response_bits response bits received (untrusted input;
      * nothing is verified by parsing alone)
      * @param response_bits_len length of response in bytes
      */
      Response(const uint8_t response_bits[],
               size_t response_bits_len);

      /**
      * Check signature and return status
      * The optional cert_path is the (already validated!) certificate path of
      * the end entity which is being inquired about
      * @param trust_roots list of certstores containing trusted roots
      * @param cert_path optionally, the (already verified!) certificate path for the certificate
      * this is an OCSP response for. This is necessary to find the correct intermediate CA in
      * some cases.
      * @return OCSP_SIGNATURE_OK if the signature verified, otherwise an
      * error code. The result must be examined by the caller: the method
      * is const and the object does not remember the outcome, so a
      * later status_for() succeeds regardless of what was returned here.
      */
      Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,
                                              const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;

      /**
      * Verify that issuer's key signed this response
      * @param issuer certificate of issuer
      * @return if signature valid OCSP_SIGNATURE_OK else an error code
      *
      * NOTE(review): this checks against the given issuer's key only. A
      * response signed by a delegated responder certificate rather than
      * the CA itself presumably needs check_signature() with trust roots
      * and a cert_path instead — confirm against the implementation.
      */
      Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;

      /**
      * @return the time this OCSP response was supposedly produced at;
      * taken from the response itself, so it is attacker-controlled
      * until the signature has been verified
      */
      const X509_Time& produced_at() const { return m_produced_at; }

      /**
      * @return DN of signer, if provided in response (may be empty);
      * a response identifies its signer either by name or by key hash,
      * so this and signer_key_hash() are not both expected to be set
      */
      const X509_DN& signer_name() const { return m_signer_name; }

      /**
      * @return key hash, if provided in response (may be empty); see
      * signer_name() for the relationship between the two
      */
      const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }

      /**
      * @return the encoded response bytes this object was constructed
      * from (m_response_bits); presumably unchanged, e.g. for caching or
      * stapling
      */
      const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }

      /**
      * Searches the OCSP response for issuer and subject certificate.
      * This only reads the parsed single responses (m_responses); it
      * does not verify the signature — see the class comment.
      * @param issuer issuer certificate
      * @param subject subject certificate
      * @param ref_time the reference time; presumably compared against
      * the thisUpdate/nextUpdate window of the matching single response
      * (hence OCSP_NOT_YET_VALID / OCSP_HAS_EXPIRED below). Defaults to
      * the current wall-clock time.
      * @return OCSP status code, possible values:
      * CERT_IS_REVOKED,
      * OCSP_NOT_YET_VALID,
      * OCSP_HAS_EXPIRED,
      * OCSP_RESPONSE_GOOD,
      * OCSP_BAD_STATUS,
      * OCSP_CERT_NOT_LISTED
      * Anything other than OCSP_RESPONSE_GOOD should be treated as
      * "not known good".
      */
      Certificate_Status_Code status_for(const X509_Certificate& issuer,
                                         const X509_Certificate& subject,
                                         std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now()) const;

   private:
      std::vector<uint8_t> m_response_bits;  // encoded response as received
      X509_Time m_produced_at;               // producedAt field of the response
      X509_DN m_signer_name;                 // responder identified by name (may be empty)
      std::vector<uint8_t> m_key_hash;       // responder identified by key hash (may be empty)
      std::vector<uint8_t> m_tbs_bits;       // to-be-signed portion, input to signature verification
      AlgorithmIdentifier m_sig_algo;        // signature algorithm claimed by the response
      std::vector<uint8_t> m_signature;      // signature over m_tbs_bits
      std::vector<X509_Certificate> m_certs; // certificates carried in the response (presumably responder certs)

      std::vector<SingleResponse> m_responses; // per-certificate status entries consulted by status_for()
   };
158 
159 #if defined(BOTAN_HAS_HTTP_UTIL)
160 
/**
* Makes an online OCSP request via HTTP and returns the OCSP response,
* for a certificate known by issuer and serial number.
* @param issuer issuer certificate
* @param subject_serial serial number of the certificate to query, as
* issued by issuer
* @param ocsp_responder address of the OCSP responder to contact
* (presumably an HTTP URL, e.g. the one from the certificate's AIA
* extension — confirm against the implementation)
* @param trusted_roots trusted roots for the OCSP response; non-owning
* pointer, whether nullptr is accepted is not visible here
* @return OCSP response
*
* NOTE(review): the transport is plain HTTP, so the only integrity
* guarantee for the result is the response signature. Whether this
* function already verifies it against trusted_roots cannot be seen
* from this header; unless that is confirmed, call
* Response::check_signature() on the returned object before using
* Response::status_for().
*/
BOTAN_DLL Response online_check(const X509_Certificate& issuer,
                                const BigInt& subject_serial,
                                const std::string& ocsp_responder,
                                Certificate_Store* trusted_roots);

/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* @param issuer issuer certificate
* @param subject subject certificate (the responder address is
* presumably taken from it — confirm against the implementation)
* @param trusted_roots trusted roots for the OCSP response; non-owning
* pointer, whether nullptr is accepted is not visible here
* @return OCSP response; see the overload above for the caveat on
* verifying its signature before trusting its status
*/
BOTAN_DLL Response online_check(const X509_Certificate& issuer,
                                const X509_Certificate& subject,
                                Certificate_Store* trusted_roots);
176 
177 #endif
178 
179 }
180 
181 }
182 
183 #endif