10#include <botan/base64.h>
11#include <botan/ber_dec.h>
12#include <botan/certstor.h>
13#include <botan/der_enc.h>
14#include <botan/pubkey.h>
15#include <botan/x509_ext.h>
16#include <botan/internal/parsing.h>
20#if defined(BOTAN_HAS_HTTP_UTIL)
21 #include <botan/internal/http_util.h>
29void decode_optional_list(BER_Decoder& ber,
ASN1_Type tag, std::vector<X509_Certificate>& output) {
30 BER_Object obj = ber.get_next_object();
37 BER_Decoder list(obj);
38 auto seq = list.start_sequence();
39 while(seq.more_items()) {
40 output.push_back([&] {
41 X509_Certificate cert;
42 cert.decode_from(seq);
52 m_issuer(issuer_cert), m_certid(m_issuer,
BigInt::from_bytes(subject_cert.serial_number())) {
54 throw Invalid_Argument(
"Invalid cert pair to OCSP::Request (mismatched issuer,subject args?)");
59 m_issuer(issuer_cert), m_certid(m_issuer, subject_serial) {}
62 std::vector<uint8_t> output;
67 .
encode(
static_cast<size_t>(0))
88 m_response_bits(response_bits, response_bits + response_bits_len) {
91 size_t resp_status = 0;
104 response_bytes.
decode_and_check(
OID(
"1.3.6.1.5.5.7.48.1.1"),
"Unknown response type in OCSP response");
113 decode_optional_list(basicresponse,
ASN1_Type(0), m_certs);
115 size_t responsedata_version = 0;
132 const bool has_signer = !m_signer_name.
empty();
133 const bool has_key_hash = !m_key_hash.empty();
135 if(has_signer && has_key_hash) {
136 throw Decoding_Error(
"OCSP response includes both byName and byKey in responderID field");
138 if(!has_signer && !has_key_hash) {
139 throw Decoding_Error(
"OCSP response contains neither byName nor byKey in responderID field");
147 if(!m_signer_name.
empty()) {
148 return (candidate.
subject_dn() == m_signer_name);
151 if(!m_key_hash.empty()) {
159 if(m_dummy_response_status) {
160 return m_dummy_response_status.value();
163 if(m_signer_name.
empty() && m_key_hash.empty()) {
167 if(!is_issued_by(issuer)) {
188 using namespace std::placeholders;
191 if(is_issued_by(issuer_certificate)) {
192 return issuer_certificate;
196 auto match = std::find_if(m_certs.begin(), m_certs.end(), std::bind(&Response::is_issued_by,
this, _1));
197 if(match != m_certs.end()) {
202 if(trusted_ocsp_responders) {
203 if(!m_key_hash.empty()) {
210 if(!m_signer_name.
empty()) {
211 auto signing_cert = trusted_ocsp_responders->
find_cert(m_signer_name, {});
223 std::chrono::system_clock::time_point ref_time,
224 std::chrono::seconds max_age)
const {
225 if(m_dummy_response_status) {
226 return m_dummy_response_status.value();
229 for(
const auto& response : m_responses) {
230 if(response.certid().is_id_for(issuer, subject)) {
233 if(response.cert_status() == 1) {
237 if(response.this_update() > x509_ref_time) {
241 if(response.next_update().time_is_set()) {
242 if(x509_ref_time > response.next_update()) {
245 }
else if(max_age > std::chrono::seconds::zero() &&
246 ref_time - response.this_update().to_std_timepoint() > max_age) {
250 if(response.cert_status() == 0) {
261#if defined(BOTAN_HAS_HTTP_UTIL)
264 const BigInt& subject_serial,
265 std::string_view ocsp_responder,
266 std::chrono::milliseconds timeout) {
267 if(ocsp_responder.empty()) {
273 auto http =
HTTP::POST_sync(ocsp_responder,
"application/ocsp-request", req.BER_encode(), 1, timeout);
275 http.throw_unless_ok();
282Response online_check(
const X509_Certificate& issuer,
283 const X509_Certificate& subject,
284 std::chrono::milliseconds timeout) {
285 if(subject.issuer_dn() != issuer.subject_dn()) {
286 throw Invalid_Argument(
"Invalid cert pair to OCSP::online_check (mismatched issuer,subject args?)");
289 return online_check(issuer,
BigInt::from_bytes(subject.serial_number()), subject.ocsp_responder(), timeout);
BER_Decoder & decode(bool &out)
BER_Decoder & raw_bytes(std::vector< uint8_t, Alloc > &out)
std::vector< uint8_t > get_next_octet_string()
BER_Decoder & decode_list(std::vector< T > &out, ASN1_Type type_tag=ASN1_Type::Sequence, ASN1_Class class_tag=ASN1_Class::Universal)
BER_Decoder start_sequence()
BER_Decoder start_context_specific(uint32_t tag)
BER_Decoder & decode_optional(T &out, ASN1_Type type_tag, ASN1_Class class_tag, const T &default_value=T())
BER_Decoder & decode_and_check(const T &expected, std::string_view error_msg)
BER_Decoder & decode_optional_string(std::vector< uint8_t, Alloc > &out, ASN1_Type real_type, uint32_t expected_tag, ASN1_Class class_tag=ASN1_Class::ContextSpecific)
static BigInt from_bytes(std::span< const uint8_t > bytes)
virtual std::optional< X509_Certificate > find_cert_by_pubkey_sha1(const std::vector< uint8_t > &key_hash) const =0
virtual std::optional< X509_Certificate > find_cert(const X509_DN &subject_dn, const std::vector< uint8_t > &key_id) const
DER_Encoder & end_explicit()
DER_Encoder & start_explicit(uint16_t type_tag)
DER_Encoder & start_sequence()
DER_Encoder & encode(bool b)
std::string base64_encode() const
Request(const X509_Certificate &issuer_cert, const X509_Certificate &subject_cert)
std::vector< uint8_t > BER_encode() const
Response(Certificate_Status_Code status)
Certificate_Status_Code status_for(const X509_Certificate &issuer, const X509_Certificate &subject, std::chrono::system_clock::time_point ref_time=std::chrono::system_clock::now(), std::chrono::seconds max_age=std::chrono::seconds::zero()) const
std::optional< X509_Certificate > find_signing_certificate(const X509_Certificate &issuer_certificate, const Certificate_Store *trusted_ocsp_responders=nullptr) const
Certificate_Status_Code verify_signature(const X509_Certificate &signing_certificate) const
bool verify_message(const uint8_t msg[], size_t msg_length, const uint8_t sig[], size_t sig_length)
const X509_DN & subject_dn() const
const std::vector< uint8_t > & subject_public_key_bitstring_sha1() const
const X509_DN & issuer_dn() const
std::unique_ptr< Public_Key > subject_public_key() const
std::vector< uint8_t > put_in_sequence(const std::vector< uint8_t > &contents)
Response POST_sync(std::string_view url, std::string_view content_type, const std::vector< uint8_t > &body, size_t allowable_redirects, std::chrono::milliseconds timeout)
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)