doxygen/ocsp_8h_source.html

/*

* OCSP

* (C) 2012 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#ifndef BOTAN_OCSP_H_

#define BOTAN_OCSP_H_


#include <botan/asn1_obj.h>

#include <botan/pkix_types.h>

#include <botan/x509cert.h>

#include <botan/bigint.h>

#include <chrono>


namespace Botan {


class Certificate_Store;


namespace OCSP {


class BOTAN_PUBLIC_API(2,0) CertID final : public ASN1_Object

   {

   public:

      CertID() = default;


      CertID(const X509_Certificate& issuer,

             const BigInt& subject_serial);


      bool is_id_for(const X509_Certificate& issuer,

                     const X509_Certificate& subject) const;


      void encode_into(class DER_Encoder& to) const override;


      void decode_from(class BER_Decoder& from) override;


      const std::vector<uint8_t>& issuer_key_hash() const { return m_issuer_key_hash; }


   private:

      AlgorithmIdentifier m_hash_id;

      std::vector<uint8_t> m_issuer_dn_hash;

      std::vector<uint8_t> m_issuer_key_hash;

      BigInt m_subject_serial;

   };


class BOTAN_PUBLIC_API(2,0) SingleResponse final : public ASN1_Object

   {

   public:

      const CertID& certid() const { return m_certid; }


      size_t cert_status() const { return m_cert_status; }


      X509_Time this_update() const { return m_thisupdate; }


      X509_Time next_update() const { return m_nextupdate; }


      void encode_into(class DER_Encoder& to) const override;


      void decode_from(class BER_Decoder& from) override;

   private:

      CertID m_certid;

      size_t m_cert_status = 2; // unknown

      X509_Time m_thisupdate;

      X509_Time m_nextupdate;

   };


/**

* An OCSP request.

*/

class BOTAN_PUBLIC_API(2,0) Request final

   {

   public:

      /**

      * Create an OCSP request.

      * @param issuer_cert issuer certificate

      * @param subject_cert subject certificate

      */

      Request(const X509_Certificate& issuer_cert,

              const X509_Certificate& subject_cert);


      Request(const X509_Certificate& issuer_cert,

              const BigInt& subject_serial);


      /**

      * @return BER-encoded OCSP request

      */

      std::vector<uint8_t> BER_encode() const;


      /**

      * @return Base64-encoded OCSP request

      */

      std::string base64_encode() const;


      /**

      * @return issuer certificate

      */

      const X509_Certificate& issuer() const { return m_issuer; }


      /**

      * @return subject certificate

      */

      const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }


      const std::vector<uint8_t>& issuer_key_hash() const

         { return m_certid.issuer_key_hash(); }

   private:

      X509_Certificate m_issuer;

      CertID m_certid;

   };


/**

* OCSP response status.

*

* see https://tools.ietf.org/html/rfc6960#section-4.2.1

*/

enum class Response_Status_Code {

   Successful = 0,

   Malformed_Request = 1,

   Internal_Error = 2,

   Try_Later = 3,

   Sig_Required = 5,

   Unauthorized = 6

};


/**

* OCSP response.

*

* Note this class is only usable as an OCSP client

*/

class BOTAN_PUBLIC_API(2,0) Response final

   {

   public:

      /**

      * Creates an empty OCSP response.

      */

      Response() = default;


      /**

      * Create a fake OCSP response from a given status code.

      * @param status the status code the check functions will return

      */

      Response(Certificate_Status_Code status);


      /**

      * Parses an OCSP response.

      * @param response_bits response bits received

      */

      Response(const std::vector<uint8_t>& response_bits) :

         Response(response_bits.data(), response_bits.size())

         {}


      /**

      * Parses an OCSP response.

      * @param response_bits response bits received

      * @param response_bits_len length of response in bytes

      */

      Response(const uint8_t response_bits[],

               size_t response_bits_len);


      /**

      * Check signature and return status

      * The optional cert_path is the (already validated!) certificate path of

      * the end entity which is being inquired about

      * @param trust_roots list of certstores containing trusted roots

      * @param cert_path optionally, the (already verified!) certificate path for the certificate

      * this is an OCSP response for. This is necessary to find the correct intermediate CA in

      * some cases.

      */

      Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,

                                              const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;


      /**

      * Verify that issuer's key signed this response

      * @param issuer certificate of issuer

      * @return if signature valid OCSP_SIGNATURE_OK else an error code

      */

      Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;


      /**

      * @return the status of the response

      */

      Response_Status_Code status() const { return m_status; }


      /**

      * @return the time this OCSP response was supposedly produced at

      */

      const X509_Time& produced_at() const { return m_produced_at; }


      /**

      * @return DN of signer, if provided in response (may be empty)

      */

      const X509_DN& signer_name() const { return m_signer_name; }


      /**

      * @return key hash, if provided in response (may be empty)

      */

      const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }


      const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }


      /**

       * Searches the OCSP response for issuer and subject certificate.

       * @param issuer issuer certificate

       * @param subject subject certificate

       * @param ref_time the reference time

       * @param max_age the maximum age the response should be considered valid

       *                if next_update is not set

       * @return OCSP status code, possible values:

       *         CERT_IS_REVOKED,

       *         OCSP_NOT_YET_VALID,

       *         OCSP_HAS_EXPIRED,

       *         OCSP_IS_TOO_OLD,

       *         OCSP_RESPONSE_GOOD,

       *         OCSP_BAD_STATUS,

       *         OCSP_CERT_NOT_LISTED

       */

      Certificate_Status_Code status_for(const X509_Certificate& issuer,

                                         const X509_Certificate& subject,

                                         std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now(),

                                         std::chrono::seconds max_age = std::chrono::seconds::zero()) const;


      /**

       * @return the certificate chain, if provided in response

       */

      const std::vector<X509_Certificate> &certificates() const { return  m_certs; }


   private:

      Response_Status_Code m_status;

      std::vector<uint8_t> m_response_bits;

      X509_Time m_produced_at;

      X509_DN m_signer_name;

      std::vector<uint8_t> m_key_hash;

      std::vector<uint8_t> m_tbs_bits;

      AlgorithmIdentifier m_sig_algo;

      std::vector<uint8_t> m_signature;

      std::vector<X509_Certificate> m_certs;


      std::vector<SingleResponse> m_responses;


      Certificate_Status_Code m_dummy_response_status;

   };


#if defined(BOTAN_HAS_HTTP_UTIL)


/**

* Makes an online OCSP request via HTTP and returns the OCSP response.

* @param issuer issuer certificate

* @param subject_serial the subject's serial number

* @param ocsp_responder the OCSP responder to query

* @param trusted_roots trusted roots for the OCSP response

* @param timeout a timeout on the HTTP request

* @return OCSP response

*/

BOTAN_PUBLIC_API(2,1)

Response online_check(const X509_Certificate& issuer,

                      const BigInt& subject_serial,

                      const std::string& ocsp_responder,

                      Certificate_Store* trusted_roots,

                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));


/**

* Makes an online OCSP request via HTTP and returns the OCSP response.

* @param issuer issuer certificate

* @param subject subject certificate

* @param trusted_roots trusted roots for the OCSP response

* @param timeout a timeout on the HTTP request

* @return OCSP response

*/

BOTAN_PUBLIC_API(2,0)

Response online_check(const X509_Certificate& issuer,

                      const X509_Certificate& subject,

                      Certificate_Store* trusted_roots,

                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));


#endif


}


}


#endif

Botan::ASN1_Object
Definition: asn1_obj.h:69

Botan::ASN1_Time
Definition: asn1_obj.h:328

Botan::AlgorithmIdentifier
Definition: asn1_obj.h:430

Botan::BER_Decoder
Definition: ber_dec.h:22

Botan::BigInt
Definition: bigint.h:25

Botan::Certificate_Store
Definition: certstor.h:20

Botan::DER_Encoder
Definition: der_enc.h:23

Botan::Internal_Error
Definition: exceptn.h:342

Botan::Not_Implemented
Definition: exceptn.h:356

Botan::OCSP::CertID
Definition: ocsp.h:24

Botan::OCSP::CertID::issuer_key_hash
const std::vector< uint8_t > & issuer_key_hash() const
Definition: ocsp.h:38

Botan::OCSP::CertID::CertID
CertID()=default

Botan::OCSP::Request
Definition: ocsp.h:72

Botan::OCSP::Request::subject
const X509_Certificate & subject() const
Definition: ocsp.h:103

Botan::OCSP::Request::issuer_key_hash
const std::vector< uint8_t > & issuer_key_hash() const
Definition: ocsp.h:105

Botan::OCSP::Request::issuer
const X509_Certificate & issuer() const
Definition: ocsp.h:98

Botan::OCSP::Response
Definition: ocsp.h:132

Botan::OCSP::Response::Response
Response(const std::vector< uint8_t > &response_bits)
Definition: ocsp.h:149

Botan::OCSP::Response::status
Response_Status_Code status() const
Definition: ocsp.h:183

Botan::OCSP::Response::signer_name
const X509_DN & signer_name() const
Definition: ocsp.h:193

Botan::OCSP::Response::produced_at
const X509_Time & produced_at() const
Definition: ocsp.h:188

Botan::OCSP::Response::certificates
const std::vector< X509_Certificate > & certificates() const
Definition: ocsp.h:226

Botan::OCSP::Response::raw_bits
const std::vector< uint8_t > & raw_bits() const
Definition: ocsp.h:200

Botan::OCSP::Response::Response
Response()=default

Botan::OCSP::Response::signer_key_hash
const std::vector< uint8_t > & signer_key_hash() const
Definition: ocsp.h:198

Botan::OCSP::SingleResponse
Definition: ocsp.h:48

Botan::OCSP::SingleResponse::certid
const CertID & certid() const
Definition: ocsp.h:50

Botan::OCSP::SingleResponse::next_update
X509_Time next_update() const
Definition: ocsp.h:56

Botan::OCSP::SingleResponse::this_update
X509_Time this_update() const
Definition: ocsp.h:54

Botan::OCSP::SingleResponse::cert_status
size_t cert_status() const
Definition: ocsp.h:52

Botan::X509_Certificate
Definition: x509cert.h:38

Botan::X509_DN
Definition: pkix_types.h:43

final
int(* final)(unsigned char *, CTX *)
Definition: commoncrypto_hash.cpp:29

BOTAN_PUBLIC_API
#define BOTAN_PUBLIC_API(maj, min)
Definition: compiler.h:31

Botan::OCSP::Response_Status_Code
Response_Status_Code
Definition: ocsp.h:117

Botan::OCSP::Response_Status_Code::Sig_Required
@ Sig_Required

Botan::OCSP::Response_Status_Code::Successful
@ Successful

Botan::OCSP::Response_Status_Code::Malformed_Request
@ Malformed_Request

Botan::OCSP::Response_Status_Code::Try_Later
@ Try_Later

Botan::OCSP::Response_Status_Code::Unauthorized
@ Unauthorized

Botan::PKCS8::BER_encode
secure_vector< uint8_t > BER_encode(const Private_Key &key)
Definition: pkcs8.cpp:139

Botan
Definition: alg_id.cpp:13

Botan::base64_encode
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition: base64.cpp:185

Botan::Certificate_Status_Code
Certificate_Status_Code
Definition: pkix_enums.h:17

std
Definition: bigint.h:1143