1 /*
2 * OCSP
3 * (C) 2012 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_OCSP_H_
9 #define BOTAN_OCSP_H_
10 
11 #include <botan/cert_status.h>
12 #include <botan/ocsp_types.h>
13 #include <botan/x509_dn.h>
14 #include <chrono>
15 
16 namespace Botan {
17 
18 class Certificate_Store;
19 
20 namespace OCSP {
21 
/**
* An OCSP request.
*
* Identifies one certificate (by a CertID built for it) whose revocation
* status is to be asked of an OCSP responder, and encodes that query.
*/
class BOTAN_PUBLIC_API(2,0) Request final
   {
   public:
      /**
      * Create an OCSP request.
      * @param issuer_cert issuer certificate
      * @param subject_cert subject certificate
      */
      Request(const X509_Certificate& issuer_cert,
              const X509_Certificate& subject_cert);

      /**
      * Create an OCSP request for a certificate identified by its serial number.
      * @param issuer_cert issuer certificate
      * @param subject_serial serial number of the certificate whose status is requested
      */
      Request(const X509_Certificate& issuer_cert,
              const BigInt& subject_serial);

      /**
      * @return BER-encoded OCSP request
      */
      std::vector<uint8_t> BER_encode() const;

      /**
      * @return Base64-encoded OCSP request
      */
      std::string base64_encode() const;

      /**
      * @return issuer certificate
      */
      const X509_Certificate& issuer() const { return m_issuer; }

      /**
      * Deprecated: the request keeps only the issuer certificate and a
      * CertID (see the private members), not the subject certificate, so
      * there is nothing this accessor could return.
      * @throws Not_Implemented unconditionally
      */
      const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }

      /**
      * @return the issuer key hash stored in this request's CertID
      */
      const std::vector<uint8_t>& issuer_key_hash() const
         { return m_certid.issuer_key_hash(); }
   private:
      X509_Certificate m_issuer;   // returned by issuer()
      CertID m_certid;             // identifies the certificate being queried; source of issuer_key_hash()
      };
65 
/**
* OCSP response.
*
* Note this class is only usable as an OCSP client: it parses and checks
* responses, it does not produce them.
*/
class BOTAN_PUBLIC_API(2,0) Response final
   {
   public:
      /**
      * Creates an empty OCSP response.
      *
      * @note The defaulted constructor gives m_dummy_response_status no
      * value (the member has no in-class initializer); see the note on
      * that member below.
      */
      Response() = default;

      /**
      * Create a fake OCSP response from a given status code.
      * @param status the status code the check functions will return
      * @note This constructor is not explicit, so a Certificate_Status_Code
      * converts implicitly to a Response; keep that in mind when a function
      * taking a Response is called with a status code by mistake.
      */
      Response(Certificate_Status_Code status);

      /**
      * Parses an OCSP response.
      * Delegates to the pointer/length constructor below.
      * @param response_bits response bits received
      */
      Response(const std::vector<uint8_t>& response_bits) :
         Response(response_bits.data(), response_bits.size())
         {}

      /**
      * Parses an OCSP response.
      * @param response_bits response bits received
      * @param response_bits_len length of response in bytes
      */
      Response(const uint8_t response_bits[],
               size_t response_bits_len);

      /**
      * Check signature and return status
      * The optional cert_path is the (already validated!) certificate path of
      * the end entity which is being inquired about
      * @param trust_roots list of certstores containing trusted roots
      * @param cert_path optionally, the (already verified!) certificate path for the certificate
      * this is an OCSP response for. This is necessary to find the correct intermediate CA in
      * some cases. Entries in cert_path are taken on trust here, so only pass a
      * chain that path validation has already accepted.
      * @return a Certificate_Status_Code describing the outcome of the check
      */
      Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,
                                              const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;

      /**
      * Verify that issuer's key signed this response
      * @param issuer certificate of issuer
      * @return if signature valid OCSP_SIGNATURE_OK else an error code
      */
      Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;

      /**
      * @return the time this OCSP response was supposedly produced at
      * (taken from the response itself, so only as trustworthy as its signature)
      */
      const X509_Time& produced_at() const { return m_produced_at; }

      /**
      * @return DN of signer, if provided in response (may be empty)
      */
      const X509_DN& signer_name() const { return m_signer_name; }

      /**
      * @return key hash, if provided in response (may be empty)
      */
      const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }

      /**
      * @return the encoded response bytes held by this object (presumably
      * the bytes handed to the parsing constructor; confirm in ocsp.cpp)
      */
      const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }

      /**
      * Searches the OCSP response for issuer and subject certificate.
      * @param issuer issuer certificate
      * @param subject subject certificate
      * @param ref_time the reference time (the default is evaluated at each
      * call, i.e. the current time)
      * @param max_age the maximum age the response should be considered valid
      * if next_update is not set. The default is zero; presumably zero means
      * no age limit is applied to responses lacking next_update — confirm in
      * ocsp.cpp before relying on the default for freshness.
      * @return OCSP status code, possible values:
      * CERT_IS_REVOKED,
      * OCSP_NOT_YET_VALID,
      * OCSP_HAS_EXPIRED,
      * OCSP_IS_TOO_OLD,
      * OCSP_RESPONSE_GOOD,
      * OCSP_BAD_STATUS,
      * OCSP_CERT_NOT_LISTED
      */
      Certificate_Status_Code status_for(const X509_Certificate& issuer,
                                         const X509_Certificate& subject,
                                         std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now(),
                                         std::chrono::seconds max_age = std::chrono::seconds::zero()) const;

      /**
      * @return the certificate chain, if provided in response
      * (these come from the response and are not validated by this accessor)
      */
      const std::vector<X509_Certificate> &certificates() const { return m_certs; }

   private:
      std::vector<uint8_t> m_response_bits;     // exposed by raw_bits()
      X509_Time m_produced_at;                  // exposed by produced_at()
      X509_DN m_signer_name;                    // signer DN, may be empty; exposed by signer_name()
      std::vector<uint8_t> m_key_hash;          // signer key hash, may be empty; exposed by signer_key_hash()
      std::vector<uint8_t> m_tbs_bits;          // presumably the to-be-signed portion that m_signature covers
      AlgorithmIdentifier m_sig_algo;           // signature algorithm carried by the response
      std::vector<uint8_t> m_signature;         // signature carried by the response
      std::vector<X509_Certificate> m_certs;    // exposed by certificates()

      std::vector<SingleResponse> m_responses;  // per-certificate entries, presumably what status_for() searches

      // NOTE(review): no in-class initializer, so a default-constructed
      // Response leaves this indeterminate; presumably the status-code
      // constructor sets it. Confirm in ocsp.cpp whether any check can read
      // it on an empty response before it has been assigned.
      Certificate_Status_Code m_dummy_response_status;
      };
177 
#if defined(BOTAN_HAS_HTTP_UTIL)

/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* Only declared when Botan is built with its HTTP utilities (BOTAN_HAS_HTTP_UTIL).
* @param issuer issuer certificate
* @param subject_serial the subject's serial number
* @param ocsp_responder the OCSP responder to query (presumably its URL)
* @param trusted_roots trusted roots for the OCSP response
* @param timeout a timeout on the HTTP request (default 3000 ms)
* @return OCSP response
*
* NOTE(review): this header does not show whether the returned Response has
* already had its signature checked against trusted_roots, nor whether a
* null trusted_roots is accepted; unless ocsp.cpp confirms otherwise, run
* check_signature() and status_for() on the result before acting on it.
*/
BOTAN_PUBLIC_API(2,1)
Response online_check(const X509_Certificate& issuer,
                      const BigInt& subject_serial,
                      const std::string& ocsp_responder,
                      Certificate_Store* trusted_roots,
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));

/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* No responder address is taken here; presumably it is derived from the
* subject certificate — confirm in ocsp.cpp.
* @param issuer issuer certificate
* @param subject subject certificate
* @param trusted_roots trusted roots for the OCSP response
* @param timeout a timeout on the HTTP request (default 3000 ms)
* @return OCSP response
*
* NOTE(review): same caveat as the overload above — verify the result with
* check_signature() and status_for() unless ocsp.cpp shows this is done here.
*/
BOTAN_PUBLIC_API(2,0)
Response online_check(const X509_Certificate& issuer,
                      const X509_Certificate& subject,
                      Certificate_Store* trusted_roots,
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));

#endif
211 
212 }
213 
214 }
215 
216 #endif