1 /*
2 * OCSP
3 * (C) 2012 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_OCSP_H_
9 #define BOTAN_OCSP_H_
10 
11 #include <botan/cert_status.h>
12 #include <botan/ocsp_types.h>
13 #include <botan/x509_dn.h>
14 #include <chrono>
15 
16 namespace Botan {
17 
18 class Certificate_Store;
19 
20 namespace OCSP {
21 
22 /**
23 * An OCSP request.
24 */
25 class BOTAN_PUBLIC_API(2,0) Request final
26  {
27  public:
28  /**
29  * Create an OCSP request.
30  * @param issuer_cert issuer certificate
31  * @param subject_cert subject certificate
32  */
33  Request(const X509_Certificate& issuer_cert,
34  const X509_Certificate& subject_cert);
35 
36  Request(const X509_Certificate& issuer_cert,
37  const BigInt& subject_serial);
38 
39  /**
40  * @return BER-encoded OCSP request
41  */
42  std::vector<uint8_t> BER_encode() const;
43 
44  /**
45  * @return Base64-encoded OCSP request
46  */
47  std::string base64_encode() const;
48 
49  /**
50  * @return issuer certificate
51  */
52  const X509_Certificate& issuer() const { return m_issuer; }
53 
54  /**
55  * @return subject certificate
56  */
57  const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }
58 
59  const std::vector<uint8_t>& issuer_key_hash() const
60  { return m_certid.issuer_key_hash(); }
61  private:
62  X509_Certificate m_issuer;
63  CertID m_certid;
64  };
65 
66 /**
67 * OCSP response.
68 *
69 * Note this class is only usable as an OCSP client
70 */
71 class BOTAN_PUBLIC_API(2,0) Response final
72  {
73  public:
74  /**
75  * Creates an empty OCSP response.
76  */
77  Response() = default;
78 
79  /**
80  * Create a fake OCSP response from a given status code.
81  * @param status the status code the check functions will return
82  */
84 
85  /**
86  * Parses an OCSP response.
87  * @param response_bits response bits received
88  */
89  Response(const std::vector<uint8_t>& response_bits) :
90  Response(response_bits.data(), response_bits.size())
91  {}
92 
93  /**
94  * Parses an OCSP response.
95  * @param response_bits response bits received
96  * @param response_bits_len length of response in bytes
97  */
98  Response(const uint8_t response_bits[],
99  size_t response_bits_len);
100 
101  /**
102  * Check signature and return status
103  * The optional cert_path is the (already validated!) certificate path of
104  * the end entity which is being inquired about
105  * @param trust_roots list of certstores containing trusted roots
106  * @param cert_path optionally, the (already verified!) certificate path for the certificate
107  * this is an OCSP response for. This is necessary to find the correct intermediate CA in
108  * some cases.
109  */
110  Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,
111  const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;
112 
113  /**
114  * Verify that issuer's key signed this response
115  * @param issuer certificate of issuer
116  * @return if signature valid OCSP_SIGNATURE_OK else an error code
117  */
118  Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;
119 
120  /**
121  * @return the time this OCSP response was supposedly produced at
122  */
123  const X509_Time& produced_at() const { return m_produced_at; }
124 
125  /**
126  * @return DN of signer, if provided in response (may be empty)
127  */
128  const X509_DN& signer_name() const { return m_signer_name; }
129 
130  /**
131  * @return key hash, if provided in response (may be empty)
132  */
133  const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }
134 
135  const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }
136 
137  /**
138  * Searches the OCSP response for issuer and subject certificate.
139  * @param issuer issuer certificate
140  * @param subject subject certificate
141  * @param ref_time the reference time
142  * @return OCSP status code, possible values:
143  * CERT_IS_REVOKED,
144  * OCSP_NOT_YET_VALID,
145  * OCSP_HAS_EXPIRED,
146  * OCSP_RESPONSE_GOOD,
147  * OCSP_BAD_STATUS,
148  * OCSP_CERT_NOT_LISTED
149  */
150  Certificate_Status_Code status_for(const X509_Certificate& issuer,
151  const X509_Certificate& subject,
152  std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now()) const;
153 
154  /**
155  * @return the certificate chain, if provided in response
156  */
157  const std::vector<X509_Certificate> &certificates() const { return m_certs; }
158 
159  private:
160  std::vector<uint8_t> m_response_bits;
161  X509_Time m_produced_at;
162  X509_DN m_signer_name;
163  std::vector<uint8_t> m_key_hash;
164  std::vector<uint8_t> m_tbs_bits;
165  AlgorithmIdentifier m_sig_algo;
166  std::vector<uint8_t> m_signature;
167  std::vector<X509_Certificate> m_certs;
168 
169  std::vector<SingleResponse> m_responses;
170 
171  Certificate_Status_Code m_dummy_response_status;
172  };
173 
#if defined(BOTAN_HAS_HTTP_UTIL)

/**
* Query an OCSP responder over HTTP for the status of the certificate with
* the given serial number and return the parsed response.
* @param issuer issuer certificate
* @param subject_serial the subject's serial number
* @param ocsp_responder the OCSP responder URL to query
* @param trusted_roots trusted roots for the OCSP response (non-owning
*        pointer; must outlive the call)
* @param timeout a timeout on the HTTP request (3 seconds by default)
* @return OCSP response. NOTE(review): from this header alone it is not
*         visible whether a failed signature check is surfaced by this call;
*         callers should run check_signature() on the returned Response
*         themselves before trusting status_for().
*/
BOTAN_PUBLIC_API(2,1)
Response online_check(const X509_Certificate& issuer,
                      const BigInt& subject_serial,
                      const std::string& ocsp_responder,
                      Certificate_Store* trusted_roots,
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));

/**
* Query an OCSP responder over HTTP for the status of the given subject
* certificate and return the parsed response.
* @param issuer issuer certificate
* @param subject subject certificate
* @param trusted_roots trusted roots for the OCSP response (non-owning
*        pointer; must outlive the call)
* @param timeout a timeout on the HTTP request (3 seconds by default)
* @return OCSP response. NOTE(review): as with the serial-number overload,
*         verify the returned Response with check_signature() before
*         relying on status_for().
*/
BOTAN_PUBLIC_API(2,0)
Response online_check(const X509_Certificate& issuer,
                      const X509_Certificate& subject,
                      Certificate_Store* trusted_roots,
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));

#endif
207 
208 }
209 
210 }
211 
212 #endif