#include <ocsp.h>

Public Member Functions
const std::vector< X509_Certificate > &	certificates () const

std::optional< Certificate_Status_Code >	dummy_status () const

std::optional< X509_Certificate >	find_signing_certificate (const X509_Certificate &issuer_certificate, const Certificate_Store *trusted_ocsp_responders=nullptr) const

const X509_Time &	produced_at () const

const std::vector< uint8_t > &	raw_bits () const

	Response (Certificate_Status_Code status)

	Response (const std::vector< uint8_t > &response_bits)

	Response (const uint8_t response_bits[], size_t response_bits_len)

const std::vector< uint8_t > &	signer_key_hash () const

const X509_DN &	signer_name () const

Response_Status_Code	status () const

Certificate_Status_Code	status_for (const X509_Certificate &issuer, const X509_Certificate &subject, std::chrono::system_clock::time_point ref_time=std::chrono::system_clock::now(), std::chrono::seconds max_age=std::chrono::seconds::zero()) const

Certificate_Status_Code	verify_signature (const X509_Certificate &signing_certificate) const

Detailed Description

OCSP response.

Note this class is only usable as an OCSP client

Definition at line 127 of file ocsp.h.

Constructor & Destructor Documentation

◆ Response() [1/3]

Botan::OCSP::Response::Response ( Certificate_Status_Code status )

Create a fake OCSP response from a given status code.

Parameters

status the status code the check functions will return

Definition at line 81 of file ocsp.cpp.

81 :

82 m_status(Response_Status_Code::Successful), m_dummy_response_status(status) {}

Botan::OCSP::Response::status

Response_Status_Code status() const

Definition ocsp.h:177

Botan::OCSP::Response_Status_Code::Successful

@ Successful

◆ Response() [2/3]

Botan::OCSP::Response::Response ( const std::vector< uint8_t > & response_bits )

inline

Parses an OCSP response.

Parameters

response_bits response bits received

Definition at line 139 of file ocsp.h.

139: Response(response_bits.data(), response_bits.size()) {}

Botan::OCSP::Response::Response

Response(Certificate_Status_Code status)

Definition ocsp.cpp:81

◆ Response() [3/3]

Botan::OCSP::Response::Response	(	const uint8_t	response_bits[],
		size_t	response_bits_len )

Parses an OCSP response.

Parameters

response_bits	response bits received
response_bits_len	length of response in bytes

Definition at line 84 of file ocsp.cpp.

                                                                          :
      m_response_bits(response_bits, response_bits + response_bits_len) {
   BER_Decoder response_outer = BER_Decoder(m_response_bits).start_sequence();
 
   size_t resp_status = 0;
 
   response_outer.decode(resp_status, ASN1_Type::Enumerated, ASN1_Class::Universal);
 
   m_status = static_cast<Response_Status_Code>(resp_status);
 
   if(m_status != Response_Status_Code::Successful) {
      return;
   }
 
   if(response_outer.more_items()) {
      BER_Decoder response_bytes = response_outer.start_context_specific(0).start_sequence();
 
      response_bytes.decode_and_check(OID("1.3.6.1.5.5.7.48.1.1"), "Unknown response type in OCSP response");
 
      BER_Decoder basicresponse = BER_Decoder(response_bytes.get_next_octet_string()).start_sequence();
 
      basicresponse.start_sequence()
         .raw_bytes(m_tbs_bits)
         .end_cons()
         .decode(m_sig_algo)
         .decode(m_signature, ASN1_Type::BitString);
      decode_optional_list(basicresponse, ASN1_Type(0), m_certs);
 
      size_t responsedata_version = 0;
      Extensions extensions;
 
      BER_Decoder(m_tbs_bits)
         .decode_optional(responsedata_version, ASN1_Type(0), ASN1_Class::ContextSpecific | ASN1_Class::Constructed)
 
         .decode_optional(m_signer_name, ASN1_Type(1), ASN1_Class::ContextSpecific | ASN1_Class::Constructed)
 
         .decode_optional_string(
            m_key_hash, ASN1_Type::OctetString, 2, ASN1_Class::ContextSpecific | ASN1_Class::Constructed)
 
         .decode(m_produced_at)
 
         .decode_list(m_responses)
 
         .decode_optional(extensions, ASN1_Type(1), ASN1_Class::ContextSpecific | ASN1_Class::Constructed);
 
      const bool has_signer = !m_signer_name.empty();
      const bool has_key_hash = !m_key_hash.empty();
 
      if(has_signer && has_key_hash) {
         throw Decoding_Error("OCSP response includes both byName and byKey in responderID field");
      }
      if(!has_signer && !has_key_hash) {
         throw Decoding_Error("OCSP response contains neither byName nor byKey in responderID field");
      }
   }
 
   response_outer.end_cons();
}

Member Function Documentation

◆ certificates()

const std::vector< X509_Certificate > & Botan::OCSP::Response::certificates ( ) const

inline

Returns: the certificate chain, if provided in response

Definition at line 221 of file ocsp.h.

221{ return m_certs; }

◆ dummy_status()

std::optional< Certificate_Status_Code > Botan::OCSP::Response::dummy_status ( ) const

inline

Returns: the dummy response if this is a 'fake' OCSP response otherwise std::nullopt

Definition at line 226 of file ocsp.h.

226{ return m_dummy_response_status; }

◆ find_signing_certificate()

std::optional< X509_Certificate > Botan::OCSP::Response::find_signing_certificate	(	const X509_Certificate &	issuer_certificate,
		const Certificate_Store *	trusted_ocsp_responders = nullptr ) const

Find the certificate that signed this OCSP response from all possible candidates and taking the attached certificates into account.

Parameters

issuer_certificate	is the issuer of the certificate in question
trusted_ocsp_responders	optionally, a certificate store containing additionally trusted responder certificates

Returns: the certificate that signed this response or std::nullopt if not found

Definition at line 183 of file ocsp.cpp.

                                                                                                       {
   using namespace std::placeholders;
 
   // Check whether the CA issuing the certificate in question also signed this
   if(is_issued_by(issuer_certificate)) {
      return issuer_certificate;
   }
 
   // Then try to find a delegated responder certificate in the stapled certs
   auto match = std::find_if(m_certs.begin(), m_certs.end(), std::bind(&Response::is_issued_by, this, _1));
   if(match != m_certs.end()) {
      return *match;
   }
 
   // Last resort: check the additionally provides trusted OCSP responders
   if(trusted_ocsp_responders) {
      if(!m_key_hash.empty()) {
         auto signing_cert = trusted_ocsp_responders->find_cert_by_pubkey_sha1(m_key_hash);
         if(signing_cert) {
            return signing_cert;
         }
      }
 
      if(!m_signer_name.empty()) {
         auto signing_cert = trusted_ocsp_responders->find_cert(m_signer_name, {});
         if(signing_cert) {
            return signing_cert;
         }
      }
   }
 
   return std::nullopt;
}

References Botan::X509_DN::empty(), Botan::Certificate_Store::find_cert(), and Botan::Certificate_Store::find_cert_by_pubkey_sha1().

◆ produced_at()

const X509_Time & Botan::OCSP::Response::produced_at ( ) const

inline

Returns: the time this OCSP response was supposedly produced at

Definition at line 182 of file ocsp.h.

182{ return m_produced_at; }

◆ raw_bits()

const std::vector< uint8_t > & Botan::OCSP::Response::raw_bits ( ) const

inline

Definition at line 194 of file ocsp.h.

194{ return m_response_bits; }

◆ signer_key_hash()

const std::vector< uint8_t > & Botan::OCSP::Response::signer_key_hash ( ) const

inline

Returns: key hash, if provided in response (may be empty)

Definition at line 192 of file ocsp.h.

192{ return m_key_hash; }

◆ signer_name()

const X509_DN & Botan::OCSP::Response::signer_name ( ) const

inline

Returns: DN of signer, if provided in response (may be empty)

Definition at line 187 of file ocsp.h.

187{ return m_signer_name; }

◆ status()

Response_Status_Code Botan::OCSP::Response::status ( ) const

inline

Returns: the status of the response

Definition at line 177 of file ocsp.h.

177{ return m_status; }

◆ status_for()

Certificate_Status_Code Botan::OCSP::Response::status_for	(	const X509_Certificate &	issuer,
		const X509_Certificate &	subject,
		std::chrono::system_clock::time_point	ref_time = std::chrono::system_clock::now(),
		std::chrono::seconds	max_age = std::chrono::seconds::zero() ) const

Searches the OCSP response for issuer and subject certificate.

Parameters

issuer	issuer certificate
subject	subject certificate
ref_time	the reference time
max_age	the maximum age the response should be considered valid if next_update is not set

Returns: OCSP status code, possible values: CERT_IS_REVOKED, OCSP_NOT_YET_VALID, OCSP_HAS_EXPIRED, OCSP_IS_TOO_OLD, OCSP_RESPONSE_GOOD, OCSP_BAD_STATUS, OCSP_CERT_NOT_LISTED

Definition at line 218 of file ocsp.cpp.

                                                                             {
   if(m_dummy_response_status) {
      return m_dummy_response_status.value();
   }
 
   for(const auto& response : m_responses) {
      if(response.certid().is_id_for(issuer, subject)) {
         X509_Time x509_ref_time(ref_time);
 
         if(response.cert_status() == 1) {
            return Certificate_Status_Code::CERT_IS_REVOKED;
         }
 
         if(response.this_update() > x509_ref_time) {
            return Certificate_Status_Code::OCSP_NOT_YET_VALID;
         }
 
         if(response.next_update().time_is_set()) {
            if(x509_ref_time > response.next_update()) {
               return Certificate_Status_Code::OCSP_HAS_EXPIRED;
            }
         } else if(max_age > std::chrono::seconds::zero() &&
                   ref_time - response.this_update().to_std_timepoint() > max_age) {
            return Certificate_Status_Code::OCSP_IS_TOO_OLD;
         }
 
         if(response.cert_status() == 0) {
            return Certificate_Status_Code::OCSP_RESPONSE_GOOD;
         } else {
            return Certificate_Status_Code::OCSP_BAD_STATUS;
         }
      }
   }
 
   return Certificate_Status_Code::OCSP_CERT_NOT_LISTED;
}

References Botan::CERT_IS_REVOKED, Botan::OCSP_BAD_STATUS, Botan::OCSP_CERT_NOT_LISTED, Botan::OCSP_HAS_EXPIRED, Botan::OCSP_IS_TOO_OLD, Botan::OCSP_NOT_YET_VALID, and Botan::OCSP_RESPONSE_GOOD.

◆ verify_signature()

Certificate_Status_Code Botan::OCSP::Response::verify_signature ( const X509_Certificate & signing_certificate ) const

Check signature of the OCSP response.

Note: It is the responsibility of the caller to verify that signing certificate is trustworthy and authorized to do so.

Parameters

signing_certificate the certificate that signed this response (

See also: Response::find_signing_certificate).

Returns: status code indicating the validity of the signature

Definition at line 155 of file ocsp.cpp.

                                                                                       {
   if(m_dummy_response_status) {
      return m_dummy_response_status.value();
   }
 
   if(m_signer_name.empty() && m_key_hash.empty()) {
      return Certificate_Status_Code::OCSP_RESPONSE_INVALID;
   }
 
   if(!is_issued_by(issuer)) {
      return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND;
   }
 
   try {
      auto pub_key = issuer.subject_public_key();
 
      PK_Verifier verifier(*pub_key, m_sig_algo);
 
      if(verifier.verify_message(ASN1::put_in_sequence(m_tbs_bits), m_signature)) {
         return Certificate_Status_Code::OCSP_SIGNATURE_OK;
      } else {
         return Certificate_Status_Code::OCSP_SIGNATURE_ERROR;
      }
   } catch(Exception&) {
      return Certificate_Status_Code::OCSP_SIGNATURE_ERROR;
   }
}

References Botan::X509_DN::empty(), Botan::OCSP_ISSUER_NOT_FOUND, Botan::OCSP_RESPONSE_INVALID, Botan::OCSP_SIGNATURE_ERROR, Botan::OCSP_SIGNATURE_OK, Botan::ASN1::put_in_sequence(), Botan::X509_Certificate::subject_public_key(), and Botan::PK_Verifier::verify_message().

The documentation for this class was generated from the following files:

src/lib/x509/ocsp.h
src/lib/x509/ocsp.cpp

Public Member Functions

Detailed Description

Constructor & Destructor Documentation

◆ Response() [1/3]

◆ Response() [2/3]

◆ Response() [3/3]

Member Function Documentation

◆ certificates()

◆ dummy_status()

◆ find_signing_certificate()

◆ produced_at()

◆ raw_bits()

◆ signer_key_hash()

◆ signer_name()

◆ status()

◆ status_for()

◆ verify_signature()