Botan  2.13.0
Crypto and TLS for C++11
ocsp.h
Go to the documentation of this file.
1 /*
2 * OCSP
3 * (C) 2012 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_OCSP_H_
9 #define BOTAN_OCSP_H_
10 
11 #include <botan/cert_status.h>
12 #include <botan/ocsp_types.h>
13 #include <botan/x509_dn.h>
14 #include <chrono>
15 
16 namespace Botan {
17 
18 class Certificate_Store;
19 
20 namespace OCSP {
21 
22 /**
23 * An OCSP request.
24 */
26  {
27  public:
28  /**
29  * Create an OCSP request.
30  * @param issuer_cert issuer certificate
31  * @param subject_cert subject certificate
32  */
33  Request(const X509_Certificate& issuer_cert,
34  const X509_Certificate& subject_cert);
35 
36  Request(const X509_Certificate& issuer_cert,
37  const BigInt& subject_serial);
38 
39  /**
40  * @return BER-encoded OCSP request
41  */
42  std::vector<uint8_t> BER_encode() const;
43 
44  /**
45  * @return Base64-encoded OCSP request
46  */
47  std::string base64_encode() const;
48 
49  /**
50  * @return issuer certificate
51  */
52  const X509_Certificate& issuer() const { return m_issuer; }
53 
54  /**
55  * @return subject certificate
56  */
57  const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }
58 
59  const std::vector<uint8_t>& issuer_key_hash() const
60  { return m_certid.issuer_key_hash(); }
61  private:
62  X509_Certificate m_issuer;
63  CertID m_certid;
64  };
65 
66 /**
67 * OCSP response status.
68 *
69 * see https://tools.ietf.org/html/rfc6960#section-4.2.1
70 */
72  Successful = 0,
74  Internal_Error = 2,
75  Try_Later = 3,
76  Sig_Required = 5,
77  Unauthorized = 6
78 };
79 
80 /**
81 * OCSP response.
82 *
83 * Note this class is only usable as an OCSP client
84 */
86  {
87  public:
88  /**
89  * Creates an empty OCSP response.
90  */
91  Response() = default;
92 
93  /**
94  * Create a fake OCSP response from a given status code.
95  * @param status the status code the check functions will return
96  */
98 
99  /**
100  * Parses an OCSP response.
101  * @param response_bits response bits received
102  */
103  Response(const std::vector<uint8_t>& response_bits) :
104  Response(response_bits.data(), response_bits.size())
105  {}
106 
107  /**
108  * Parses an OCSP response.
109  * @param response_bits response bits received
110  * @param response_bits_len length of response in bytes
111  */
112  Response(const uint8_t response_bits[],
113  size_t response_bits_len);
114 
115  /**
116  * Check signature and return status
117  * The optional cert_path is the (already validated!) certificate path of
118  * the end entity which is being inquired about
119  * @param trust_roots list of certstores containing trusted roots
120  * @param cert_path optionally, the (already verified!) certificate path for the certificate
121  * this is an OCSP response for. This is necessary to find the correct intermediate CA in
122  * some cases.
123  */
124  Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,
125  const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;
126 
127  /**
128  * Verify that issuer's key signed this response
129  * @param issuer certificate of issuer
130  * @return if signature valid OCSP_SIGNATURE_OK else an error code
131  */
132  Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;
133 
134  /**
135  * @return the status of the response
136  */
137  Response_Status_Code status() const { return m_status; }
138 
139  /**
140  * @return the time this OCSP response was supposedly produced at
141  */
142  const X509_Time& produced_at() const { return m_produced_at; }
143 
144  /**
145  * @return DN of signer, if provided in response (may be empty)
146  */
147  const X509_DN& signer_name() const { return m_signer_name; }
148 
149  /**
150  * @return key hash, if provided in response (may be empty)
151  */
152  const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }
153 
154  const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }
155 
156  /**
157  * Searches the OCSP response for issuer and subject certificate.
158  * @param issuer issuer certificate
159  * @param subject subject certificate
160  * @param ref_time the reference time
161  * @param max_age the maximum age the response should be considered valid
162  * if next_update is not set
163  * @return OCSP status code, possible values:
164  * CERT_IS_REVOKED,
165  * OCSP_NOT_YET_VALID,
166  * OCSP_HAS_EXPIRED,
167  * OCSP_IS_TOO_OLD,
168  * OCSP_RESPONSE_GOOD,
169  * OCSP_BAD_STATUS,
170  * OCSP_CERT_NOT_LISTED
171  */
172  Certificate_Status_Code status_for(const X509_Certificate& issuer,
173  const X509_Certificate& subject,
174  std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now(),
175  std::chrono::seconds max_age = std::chrono::seconds::zero()) const;
176 
177  /**
178  * @return the certificate chain, if provided in response
179  */
180  const std::vector<X509_Certificate> &certificates() const { return m_certs; }
181 
182  private:
183  Response_Status_Code m_status;
184  std::vector<uint8_t> m_response_bits;
185  X509_Time m_produced_at;
186  X509_DN m_signer_name;
187  std::vector<uint8_t> m_key_hash;
188  std::vector<uint8_t> m_tbs_bits;
189  AlgorithmIdentifier m_sig_algo;
190  std::vector<uint8_t> m_signature;
191  std::vector<X509_Certificate> m_certs;
192 
193  std::vector<SingleResponse> m_responses;
194 
195  Certificate_Status_Code m_dummy_response_status;
196  };
197 
198 #if defined(BOTAN_HAS_HTTP_UTIL)
199 
200 /**
201 * Makes an online OCSP request via HTTP and returns the OCSP response.
202 * @param issuer issuer certificate
203 * @param subject_serial the subject's serial number
204 * @param ocsp_responder the OCSP responder to query
205 * @param trusted_roots trusted roots for the OCSP response
206 * @param timeout a timeout on the HTTP request
207 * @return OCSP response
208 */
209 BOTAN_PUBLIC_API(2,1)
210 Response online_check(const X509_Certificate& issuer,
211  const BigInt& subject_serial,
212  const std::string& ocsp_responder,
213  Certificate_Store* trusted_roots,
214  std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
215 
216 /**
217 * Makes an online OCSP request via HTTP and returns the OCSP response.
218 * @param issuer issuer certificate
219 * @param subject subject certificate
220 * @param trusted_roots trusted roots for the OCSP response
221 * @param timeout a timeout on the HTTP request
222 * @return OCSP response
223 */
224 BOTAN_PUBLIC_API(2,0)
225 Response online_check(const X509_Certificate& issuer,
226  const X509_Certificate& subject,
227  Certificate_Store* trusted_roots,
228  std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
229 
230 #endif
231 
232 }
233 
234 }
235 
236 #endif
Response_Status_Code status() const
Definition: ocsp.h:137
Response_Status_Code
Definition: ocsp.h:71
Response(const std::vector< uint8_t > &response_bits)
Definition: ocsp.h:103
const X509_Time & produced_at() const
Definition: ocsp.h:142
const std::vector< uint8_t > & signer_key_hash() const
Definition: ocsp.h:152
int(* final)(unsigned char *, CTX *)
#define BOTAN_PUBLIC_API(maj, min)
Definition: compiler.h:31
Definition: bigint.h:1135
const std::vector< uint8_t > & issuer_key_hash() const
Definition: ocsp.h:59
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition: base64.cpp:166
const X509_Certificate & subject() const
Definition: ocsp.h:57
const X509_Certificate & issuer() const
Definition: ocsp.h:52
Definition: alg_id.cpp:13
secure_vector< uint8_t > BER_encode(const Private_Key &key)
Definition: pkcs8.cpp:139
const std::vector< uint8_t > & raw_bits() const
Definition: ocsp.h:154
const X509_DN & signer_name() const
Definition: ocsp.h:147
Certificate_Status_Code
Definition: cert_status.h:19
const std::vector< X509_Certificate > & certificates() const
Definition: ocsp.h:180