1 /*
2 * OCSP
3 * (C) 2012 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_OCSP_H_
9 #define BOTAN_OCSP_H_
10 
11 #include <botan/cert_status.h>
12 #include <botan/ocsp_types.h>
13 #include <botan/x509_dn.h>
14 #include <chrono>
15 
16 namespace Botan {
17 
18 class Certificate_Store;
19 
20 namespace OCSP {
21 
22 /**
23 * An OCSP request.
24 */
class BOTAN_PUBLIC_API(2,0) Request final
   {
   public:
      /**
      * Create an OCSP request for a subject certificate.
      * The request keeps the issuer certificate and a CertID for the subject;
      * the subject certificate itself is not retained (see subject()).
      * @param issuer_cert issuer certificate
      * @param subject_cert subject certificate
      */
      Request(const X509_Certificate& issuer_cert,
              const X509_Certificate& subject_cert);

      /**
      * Create an OCSP request for a subject identified by serial number only.
      * The CertID is presumably derived from issuer_cert and subject_serial —
      * confirm against the definition in ocsp.cpp.
      * @param issuer_cert issuer certificate
      * @param subject_serial serial number of the subject certificate
      */
      Request(const X509_Certificate& issuer_cert,
              const BigInt& subject_serial);

      /**
      * @return BER-encoded OCSP request
      */
      std::vector<uint8_t> BER_encode() const;

      /**
      * @return Base64-encoded OCSP request
      */
      std::string base64_encode() const;

      /**
      * @return issuer certificate this request was created with
      */
      const X509_Certificate& issuer() const { return m_issuer; }

      /**
      * Deprecated and not implemented: the request stores only the issuer
      * certificate and the CertID, so the subject certificate is unavailable.
      * @throws Not_Implemented unconditionally
      */
      const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }

      /**
      * @return the issuer key hash carried in this request's CertID
      */
      const std::vector<uint8_t>& issuer_key_hash() const
         { return m_certid.issuer_key_hash(); }
   private:
      X509_Certificate m_issuer; // issuer of the certificate being queried
      CertID m_certid;           // identifies the certificate being queried
   };
65 
66 /**
67 * OCSP response.
68 *
69 * Note this class is only usable as an OCSP client
70 */
class BOTAN_PUBLIC_API(2,0) Response final
   {
   public:
      /**
      * Creates an empty OCSP response.
      */
      Response() = default;

      /**
      * Parses an OCSP response.
      * Construction only decodes the response; no trust roots are available
      * here, so the signature is not checked. Call check_signature() or
      * verify_signature() before relying on any of the accessors below.
      * @param response_bits response bits received
      */
      Response(const std::vector<uint8_t>& response_bits) :
         Response(response_bits.data(), response_bits.size())
         {}

      /**
      * Parses an OCSP response (same trust caveat as the vector overload:
      * parsing does not verify the signature).
      * @param response_bits response bits received
      * @param response_bits_len length of response in bytes
      */
      Response(const uint8_t response_bits[],
               size_t response_bits_len);

      /**
      * Check signature and return status
      * The optional cert_path is the (already validated!) certificate path of
      * the end entity which is being inquired about. This function relies on
      * the caller having validated cert_path; it does not re-check the path
      * itself, only uses it to locate the signer.
      * @param trust_roots list of certstores containing trusted roots
      * @param cert_path optionally, the (already verified!) certificate path for the certificate
      * this is an OCSP response for. This is necessary to find the correct intermediate CA in
      * some cases.
      * @return status of the signature check, as a Certificate_Status_Code
      */
      Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,
                                              const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;

      /**
      * Verify that issuer's key signed this response
      * Only the given issuer's key is tried; deciding that this issuer is the
      * appropriate signer for the response is the caller's responsibility.
      * @param issuer certificate of issuer
      * @return if signature valid OCSP_SIGNATURE_OK else an error code
      */
      Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;

      /**
      * @return the time this OCSP response was supposedly produced at
      * (as asserted by the responder; meaningful only once the signature
      * has been verified)
      */
      const X509_Time& produced_at() const { return m_produced_at; }

      /**
      * @return DN of signer, if provided in response (may be empty)
      */
      const X509_DN& signer_name() const { return m_signer_name; }

      /**
      * @return key hash, if provided in response (may be empty)
      */
      const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }

      /**
      * @return the encoded response bytes this object holds (presumably the
      * bytes passed to the parsing constructor — confirm in ocsp.cpp)
      */
      const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }

      /**
      * Searches the OCSP response for issuer and subject certificate.
      * The returned status concerns the certificate only and says nothing
      * about whether this response's signature was checked; call
      * check_signature() first.
      * @param issuer issuer certificate
      * @param subject subject certificate
      * @param ref_time the reference time (defaults to now). The
      * OCSP_NOT_YET_VALID / OCSP_HAS_EXPIRED results are presumably judged
      * against this time, so a caller-supplied value changes the outcome.
      * @return OCSP status code, possible values:
      * CERT_IS_REVOKED,
      * OCSP_NOT_YET_VALID,
      * OCSP_HAS_EXPIRED,
      * OCSP_RESPONSE_GOOD,
      * OCSP_BAD_STATUS,
      * OCSP_CERT_NOT_LISTED
      */
      Certificate_Status_Code status_for(const X509_Certificate& issuer,
                                         const X509_Certificate& subject,
                                         std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now()) const;

      /**
      * @return the certificate chain, if provided in response. These are
      * parsed from the response as received and are not validated by the
      * constructor.
      */
      const std::vector<X509_Certificate> &certificates() const { return m_certs; }

   private:
      std::vector<uint8_t> m_response_bits;     // returned by raw_bits()
      X509_Time m_produced_at;                  // returned by produced_at()
      X509_DN m_signer_name;                    // returned by signer_name()
      std::vector<uint8_t> m_key_hash;          // returned by signer_key_hash()
      std::vector<uint8_t> m_tbs_bits;          // presumably the signed portion used by the signature checks
      AlgorithmIdentifier m_sig_algo;           // presumably the response signature algorithm
      std::vector<uint8_t> m_signature;         // presumably the response signature
      std::vector<X509_Certificate> m_certs;    // returned by certificates()

      std::vector<SingleResponse> m_responses;  // per-certificate entries; presumably searched by status_for()
   };
165 
166 #if defined(BOTAN_HAS_HTTP_UTIL)
167 
/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* This performs network I/O; it is expected to block for up to timeout.
* The transport is plain HTTP, so any trust in the result must come from
* verifying the response's signature, not from the connection.
* @param issuer issuer certificate
* @param subject_serial the subject's serial number
* @param ocsp_responder the OCSP responder to query
* @param trusted_roots trusted roots for the OCSP response (non-owning
* pointer; presumably used to check the response's signature — confirm
* in ocsp.cpp, and check the returned status accordingly)
* @param timeout a timeout on the HTTP request
* @return OCSP response
*/
BOTAN_PUBLIC_API(2,1)
Response online_check(const X509_Certificate& issuer,
                      const BigInt& subject_serial,
                      const std::string& ocsp_responder,
                      Certificate_Store* trusted_roots,
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));

/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* Same caveats as the serial-number overload above: blocking network I/O
* over plain HTTP, with trust resting on the signature check.
* @param issuer issuer certificate
* @param subject subject certificate
* @param trusted_roots trusted roots for the OCSP response (non-owning
* pointer)
* @param timeout a timeout on the HTTP request
* @return OCSP response
*/
BOTAN_PUBLIC_API(2,0)
Response online_check(const X509_Certificate& issuer,
                      const X509_Certificate& subject,
                      Certificate_Store* trusted_roots,
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
197 
198 #endif
199 
200 }
201 
202 }
203 
204 #endif