1/*
2* OCSP
3* (C) 2012 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#ifndef BOTAN_OCSP_H_
9#define BOTAN_OCSP_H_
10
11#include <botan/asn1_obj.h>
12#include <botan/pkix_types.h>
13#include <botan/x509cert.h>
14#include <botan/bigint.h>
15#include <chrono>
16
17namespace Botan {
18
19class Certificate_Store;
20
21namespace OCSP {
22
{
   public:
      /**
      * Creates an empty CertID (all hashes empty, serial zero). Fill it in with
      * decode_from() or use the issuer/serial constructor.
      */
      CertID() = default;

      /**
      * Build the CertID that names one certificate by issuer and serial number.
      * @param issuer the issuing CA certificate; its DN and public key are
      *        what the stored issuer hashes are computed over
      * @param subject_serial serial number of the certificate being asked about
      */
      CertID(const X509_Certificate& issuer,
             const BigInt& subject_serial);

      /**
      * Checks whether this CertID refers to subject as issued by issuer. This is
      * how a SingleResponse inside an OCSP response is matched to the
      * certificate whose status the caller wants.
      * @param issuer the issuing CA certificate
      * @param subject the certificate whose status is being queried
      * @return true if this CertID identifies that issuer/subject pair
      */
      bool is_id_for(const X509_Certificate& issuer,
                     const X509_Certificate& subject) const;

      /// DER-encodes this CertID (ASN1_Object interface, see asn1_obj.h)
      void encode_into(class DER_Encoder& to) const override;

      /// Populates this CertID from its BER encoding (ASN1_Object interface)
      void decode_from(class BER_Decoder& from) override;

      /**
      * @return the issuerKeyHash field of this CertID (a hash of the issuer's
      * public key). Empty for a default-constructed CertID.
      */
      const std::vector<uint8_t>& issuer_key_hash() const { return m_issuer_key_hash; }

   private:
      AlgorithmIdentifier m_hash_id;           // hash algorithm the two issuer hashes were computed with
      std::vector<uint8_t> m_issuer_dn_hash;   // issuerNameHash: hash of the issuer's DN
      std::vector<uint8_t> m_issuer_key_hash;  // issuerKeyHash: hash of the issuer's public key
      BigInt m_subject_serial;                 // serialNumber of the certificate in question
};
46
{
   public:
      /// @return the CertID naming the certificate this single response is about
      const CertID& certid() const { return m_certid; }

      /**
      * @return the CertStatus choice tag of this single response, as defined
      * in RFC 6960: 0 = good, 1 = revoked, 2 = unknown. A SingleResponse that
      * has not been decoded reports 2 (unknown), i.e. it fails closed.
      */
      size_t cert_status() const { return m_cert_status; }

      /// @return thisUpdate: the most recent time the reported status is known to be correct
      X509_Time this_update() const { return m_thisupdate; }

      /**
      * @return nextUpdate: the time by which newer status information is
      * expected. nextUpdate is optional in OCSP, so the returned X509_Time may
      * be unset; Response::status_for() then relies on its max_age argument.
      */
      X509_Time next_update() const { return m_nextupdate; }

      /// DER-encodes this SingleResponse (ASN1_Object interface)
      void encode_into(class DER_Encoder& to) const override;

      /// Populates this SingleResponse from its BER encoding (ASN1_Object interface)
      void decode_from(class BER_Decoder& from) override;
   private:
      CertID m_certid;
      size_t m_cert_status = 2; // unknown
      X509_Time m_thisupdate;
      X509_Time m_nextupdate;
};
67
68/**
69* An OCSP request.
70*/
{
   public:
      /**
      * Create an OCSP request.
      * @param issuer_cert issuer certificate
      * @param subject_cert subject certificate
      */
      Request(const X509_Certificate& issuer_cert,
              const X509_Certificate& subject_cert);

      /**
      * Create an OCSP request for a certificate known only by its serial number.
      * @param issuer_cert issuer certificate
      * @param subject_serial serial number of the certificate to ask about
      */
      Request(const X509_Certificate& issuer_cert,
              const BigInt& subject_serial);

      /**
      * @return BER-encoded OCSP request
      */
      std::vector<uint8_t> BER_encode() const;

      /**
      * @return Base64-encoded OCSP request (the form used when the request is
      * sent in an HTTP GET URL, see RFC 6960 appendix A)
      */
      std::string base64_encode() const;

      /**
      * @return issuer certificate
      */
      const X509_Certificate& issuer() const { return m_issuer; }

      /**
      * Deprecated. The request only retains the CertID, not the subject
      * certificate, so this accessor cannot be implemented and always throws.
      * Callers that need the queried certificate must keep their own copy.
      * @throws Not_Implemented unconditionally
      */
      const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }

      /**
      * @return the issuerKeyHash from this request's CertID (see CertID::issuer_key_hash)
      */
      const std::vector<uint8_t>& issuer_key_hash() const
         { return m_certid.issuer_key_hash(); }
   private:
      X509_Certificate m_issuer;
      CertID m_certid;
};
111
112/**
113* OCSP response status.
114*
115* see https://tools.ietf.org/html/rfc6960#section-4.2.1
116*/
// Values are the OCSPResponseStatus integers from RFC 6960 section 4.2.1.
// Only Successful carries a signed BasicOCSPResponse; every other value means
// no certificate status information is available from this response.
Successful = 0,      // request processed, response body present
Internal_Error = 2,  // responder hit an internal error
Try_Later = 3,       // responder asks the client to retry later
Sig_Required = 5,    // responder requires the request to be signed
Unauthorized = 6     // request not authorized (e.g. responder not authoritative for the certificate)
};
125
126/**
127* OCSP response.
128*
129* Note this class is only usable as an OCSP client
130*/
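{
   public:
      /**
      * Creates an empty OCSP response. It contains no single responses and no
      * signature; status() reports Internal_Error so that an empty response can
      * never be mistaken for a successful one.
      */
      Response() = default;

      /**
      * Create a fake OCSP response from a given status code.
      * @param status the status code the check functions will return
      */
      Response(Certificate_Status_Code status);

      /**
      * Parses an OCSP response.
      * @param response_bits response bits received
      */
      Response(const std::vector<uint8_t>& response_bits) :
         Response(response_bits.data(), response_bits.size())
         {}

      /**
      * Parses an OCSP response. Parsing does not establish trust: the
      * signature is only checked by check_signature() or verify_signature(),
      * and status_for() results should not be relied on before one of those
      * has returned OCSP_SIGNATURE_OK.
      * @param response_bits response bits received
      * @param response_bits_len length of response in bytes
      */
      Response(const uint8_t response_bits[],
               size_t response_bits_len);

      /**
      * Check signature and return status
      * The optional cert_path is the (already validated!) certificate path of
      * the end entity which is being inquired about; this function does not
      * validate cert_path itself.
      * @param trust_roots list of certstores containing trusted roots
      * @param cert_path optionally, the (already verified!) certificate path for the certificate
      * this is an OCSP response for. This is necessary to find the correct intermediate CA in
      * some cases.
      * @return OCSP_SIGNATURE_OK if the response is signed by an acceptable key,
      * otherwise an error code
      */
      Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,
                                             const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;

      /**
      * Verify that issuer's key signed this response
      * @param issuer certificate of issuer
      * @return if signature valid OCSP_SIGNATURE_OK else an error code
      */
      Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;

      /**
      * @return the status of the response (Internal_Error for a
      * default-constructed Response)
      */
      Response_Status_Code status() const { return m_status; }

      /**
      * @return the time this OCSP response was supposedly produced at
      */
      const X509_Time& produced_at() const { return m_produced_at; }

      /**
      * @return DN of signer, if provided in response (may be empty)
      */
      const X509_DN& signer_name() const { return m_signer_name; }

      /**
      * @return key hash, if provided in response (may be empty)
      */
      const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }

      /**
      * @return the encoded response bytes this object was built from, so they
      * can be stored or forwarded (e.g. stapled); expected to be empty for a
      * default-constructed or fake response
      */
      const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }

      /**
      * Searches the OCSP response for issuer and subject certificate.
      * This only interprets the response contents; it does not check the
      * signature, so call check_signature() or verify_signature() first.
      * @param issuer issuer certificate
      * @param subject subject certificate
      * @param ref_time the reference time (defaults to the current time; pass
      * an explicit value for reproducible validation)
      * @param max_age the maximum age the response should be considered valid
      * if next_update is not set
      * @return OCSP status code, possible values:
      * CERT_IS_REVOKED,
      * OCSP_NOT_YET_VALID,
      * OCSP_HAS_EXPIRED,
      * OCSP_IS_TOO_OLD,
      * OCSP_RESPONSE_GOOD,
      * OCSP_BAD_STATUS,
      * OCSP_CERT_NOT_LISTED
      */
      Certificate_Status_Code status_for(const X509_Certificate& issuer,
                                         const X509_Certificate& subject,
                                         std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now(),
                                         std::chrono::seconds max_age = std::chrono::seconds::zero()) const;

      /**
      * @return the certificate chain, if provided in response
      */
      const std::vector<X509_Certificate> &certificates() const { return m_certs; }

   private:
      // Fail-closed default: Response() = default previously left this enum
      // indeterminate, so status() on an empty Response read an uninitialized
      // value. The parsing constructor overwrites it.
      Response_Status_Code m_status = Response_Status_Code::Internal_Error;
      std::vector<uint8_t> m_response_bits;
      X509_Time m_produced_at;
      X509_DN m_signer_name;
      std::vector<uint8_t> m_key_hash;
      std::vector<uint8_t> m_tbs_bits;         // presumably the signed tbsResponseData bytes; verify against ocsp.cpp
      AlgorithmIdentifier m_sig_algo;
      std::vector<uint8_t> m_signature;
      std::vector<X509_Certificate> m_certs;

      std::vector<SingleResponse> m_responses;

      // Status reported by the check functions of a fake (status-only) response;
      // initialized so an empty Response never yields an indeterminate status.
      Certificate_Status_Code m_dummy_response_status = Certificate_Status_Code::OCSP_RESPONSE_INVALID;
};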
243
244#if defined(BOTAN_HAS_HTTP_UTIL)
245
/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* The transport is plain HTTP; integrity of the result rests on the OCSP
* signature, not on the connection. The call blocks the current thread for
* up to timeout.
* @param issuer issuer certificate
* @param subject_serial the subject's serial number
* @param ocsp_responder the OCSP responder to query (URL)
* @param trusted_roots trusted roots for the OCSP response; a raw pointer,
* so presumably may be null, in which case no trust check can be performed
* here — confirm in ocsp.cpp
* @param timeout a timeout on the HTTP request
* @return OCSP response. This signature has no way to report the outcome of a
* signature check, so callers should still run check_signature() and
* status_for() on the returned Response before acting on it.
*/
Response online_check(const X509_Certificate& issuer,
                      const BigInt& subject_serial,
                      const std::string& ocsp_responder,
                      Certificate_Store* trusted_roots,
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
261
/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* Unlike the serial-number overload no responder URL is given; it is
* presumably taken from the subject certificate (AIA extension) — confirm in
* ocsp.cpp. The call blocks the current thread for up to timeout.
* @param issuer issuer certificate
* @param subject subject certificate
* @param trusted_roots trusted roots for the OCSP response (raw pointer, see
* the serial-number overload)
* @param timeout a timeout on the HTTP request
* @return OCSP response; callers should still run check_signature() and
* status_for() on it, as this signature cannot report a failed signature check
*/
Response online_check(const X509_Certificate& issuer,
                      const X509_Certificate& subject,
                      Certificate_Store* trusted_roots,
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
275
276#endif
277
278}
279
280}
281
282#endif