1 /*
2 * OCSP
3 * (C) 2012 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #ifndef BOTAN_OCSP_H_
9 #define BOTAN_OCSP_H_
10 
11 #include <botan/asn1_obj.h>
12 #include <botan/pkix_types.h>
13 #include <botan/x509cert.h>
14 #include <botan/bigint.h>
15 #include <chrono>
16 
17 namespace Botan {
18 
19 class Certificate_Store;
20 
21 namespace OCSP {
22 
24  {
25  public:
    /**
    * Creates an empty CertID; the fields are filled in by decode_from().
    */
26  CertID() = default;
27 
    /**
    * Build the CertID for the certificate with serial @p subject_serial
    * issued by @p issuer.
    * @param issuer the issuing CA certificate (presumably the source of the
    *        issuer name/key hashes stored below — confirm in ocsp.cpp)
    * @param subject_serial serial number of the certificate being asked about
    */
28  CertID(const X509_Certificate& issuer,
29  const BigInt& subject_serial);
30 
    /**
    * Check whether this CertID refers to @p subject as issued by @p issuer.
    * Being const, it can only compare against the stored hashes and serial;
    * it is not a validity check of either certificate.
    * @return true if this CertID identifies that issuer/subject pair
    */
31  bool is_id_for(const X509_Certificate& issuer,
32  const X509_Certificate& subject) const;
33 
    /// DER-encode this CertID (ASN1_Object interface)
34  void encode_into(class DER_Encoder& to) const override;
35 
    /// Decode a CertID from BER; @p from typically carries responder-supplied (untrusted) data
36  void decode_from(class BER_Decoder& from) override;
37 
    /// @return the RFC 6960 issuerKeyHash field; empty on a default-constructed CertID
38  const std::vector<uint8_t>& issuer_key_hash() const { return m_issuer_key_hash; }
39 
40  private:
41  AlgorithmIdentifier m_hash_id;          // RFC 6960 CertID.hashAlgorithm
42  std::vector<uint8_t> m_issuer_dn_hash;  // RFC 6960 issuerNameHash
43  std::vector<uint8_t> m_issuer_key_hash; // RFC 6960 issuerKeyHash
44  BigInt m_subject_serial;                // RFC 6960 serialNumber of the certificate in question
45  };
46 
48  {
49  public:
    /// @return the CertID this single response is about
50  const CertID& certid() const { return m_certid; }
51 
    /// @return the certificate status as a small integer. 2 is "unknown" (the
    /// member's default); the values are expected to follow the RFC 6960
    /// CertStatus tags (0 good, 1 revoked) — confirm against decode_from in
    /// ocsp.cpp. "unknown" must never be treated as "good".
52  size_t cert_status() const { return m_cert_status; }
53 
    /// @return thisUpdate — the time the responder asserts this status was correct (returned by value)
54  X509_Time this_update() const { return m_thisupdate; }
55 
    /// @return nextUpdate. It is optional in OCSP and may be unset; in that case
    /// Response::status_for() relies on its max_age parameter to bound staleness.
56  X509_Time next_update() const { return m_nextupdate; }
57 
    /// DER-encode this SingleResponse (ASN1_Object interface)
58  void encode_into(class DER_Encoder& to) const override;
59 
    /// Parse a SingleResponse from BER; the fields below are then responder-supplied data
60  void decode_from(class BER_Decoder& from) override;
61  private:
62  CertID m_certid;
63  size_t m_cert_status = 2; // unknown (RFC 6960 CertStatus tag 2) — the default is deliberately not "good"
64  X509_Time m_thisupdate;
65  X509_Time m_nextupdate;   // optional in the protocol; presumably left unset when absent
66  };
67 
68 /**
69 * An OCSP request.
70 */
72  {
73  public:
74  /**
75  * Create an OCSP request asking about @p subject_cert, as issued by @p issuer_cert.
76  * @param issuer_cert issuer certificate (retained; see issuer())
77  * @param subject_cert subject certificate. The request keeps only its CertID
78  *        (see the m_certid member), so the certificate itself cannot be
    *        retrieved afterwards — subject() is deprecated for that reason.
    */
79  Request(const X509_Certificate& issuer_cert,
80  const X509_Certificate& subject_cert);
81 
    /**
    * Create an OCSP request for the certificate with serial @p subject_serial
    * issued by @p issuer_cert, without needing the subject certificate itself.
    * @param issuer_cert issuer certificate
    * @param subject_serial serial number of the certificate in question
    */
82  Request(const X509_Certificate& issuer_cert,
83  const BigInt& subject_serial);
84 
85  /**
86  * @return BER-encoded OCSP request (the body sent to the responder)
87  */
88  std::vector<uint8_t> BER_encode() const;
89 
90  /**
91  * @return Base64-encoded OCSP request (the textual form RFC 6960 Appendix A uses for GET requests)
92  */
93  std::string base64_encode() const;
94 
95  /**
96  * @return the issuer certificate this request was built from
97  */
98  const X509_Certificate& issuer() const { return m_issuer; }
99 
100  /**
101  * Deprecated: always throws. The request retains only the subject's CertID
102  * (see m_certid), not the certificate, so there is nothing to return.
     * @throws Not_Implemented unconditionally
     */
103  const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }
104 
     /// @return issuerKeyHash of this request's CertID (forwards to CertID::issuer_key_hash)
105  const std::vector<uint8_t>& issuer_key_hash() const
106  { return m_certid.issuer_key_hash(); }
107  private:
108  X509_Certificate m_issuer; // copy of the issuer certificate given at construction
109  CertID m_certid;           // identifies the subject certificate (issuer hashes + serial)
110  };
111 
112 /**
113 * OCSP response status.
114 *
115 * see https://tools.ietf.org/html/rfc6960#section-4.2.1
116 */
118  Successful = 0,        // per RFC 6960 the only status under which a response body is present
119  Malformed_Request = 1,
120  Internal_Error = 2,
121  Try_Later = 3,         // responder asks the client to retry later
                            // value 4 is unassigned in RFC 6960 OCSPResponseStatus and intentionally absent here
122  Sig_Required = 5,      // responder requires signed requests
123  Unauthorized = 6       // responder will not answer for this request
124 };
125 
126 /**
127 * OCSP response.
128 *
129 * Note this class is only usable as an OCSP client
130 */
132  {
133  public:
134  /**
135  * Creates an empty OCSP response.
136  * Note that neither m_status nor m_dummy_response_status has an in-class
     * initializer, so a default-initialized Response carries indeterminate
     * values there; do not call status() on such an object, and do not rely on
     * the check functions until it has been assigned from a parsed response.
     */
137  Response() = default;
138 
139  /**
140  * Create a fake OCSP response from a given status code.
141  * @param status the status code the check functions will return
142  */
144 
145  /**
146  * Parses an OCSP response from a byte vector (delegates to the pointer/length overload).
147  * @param response_bits BER-encoded response as received from the responder.
     *        This is untrusted input: parsing establishes nothing about
     *        authenticity, so call check_signature() (or verify_signature())
     *        before trusting status_for().
148  */
149  Response(const std::vector<uint8_t>& response_bits) :
150  Response(response_bits.data(), response_bits.size())
151  {}
152 
153  /**
154  * Parses an OCSP response from a raw buffer.
155  * @param response_bits BER-encoded response bytes (untrusted input)
156  * @param response_bits_len length of response in bytes; the buffer is a byte
     *        string, not a NUL-terminated string
     * @throws an exception on malformed input (the type is not visible from this header)
157  */
158  Response(const uint8_t response_bits[],
159  size_t response_bits_len);
160 
161  /**
162  * Check the response signature against the trust roots and return the result.
163  * The optional cert_path is the (already validated!) certificate path of
164  * the end entity which is being inquired about. This function takes that
165  * validity on faith; a path that was never verified could, depending on how
166  * the signer is located from it, lead to an unauthorized certificate being
167  * accepted as the response signer — only pass a chain that has already been
168  * verified.
     * @param trust_roots list of certstores containing trusted roots
     * @param cert_path optionally, the (already verified!) certificate path for
     *        the certificate this is an OCSP response for; needed to find the
     *        correct intermediate CA in some cases
     * @return a Certificate_Status_Code describing the outcome (for a fake
     *         response built from a status code, presumably the stored
     *         m_dummy_response_status — confirm in ocsp.cpp)
169  */
170  Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,
171  const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;
172 
173  /**
174  * Verify that the public key in @p issuer signed this response.
175  * @param issuer certificate whose key is checked against the signature
176  * @return OCSP_SIGNATURE_OK if the signature verifies, else an error code
     * @note This answers only "did this key sign these bytes". Whether @p issuer
     *       is actually the CA of the certificate in question, or an authorized
     *       OCSP responder for it, is not established here as far as this
     *       declaration shows; check_signature() is the trust-aware entry point.
177  */
178  Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;
179 
180  /**
181  * @return the OCSPResponseStatus of the response. Per RFC 6960 only Successful
     * comes with a response body, so for any other value the per-certificate
     * accessors should not be relied on. Indeterminate for a default-constructed
     * Response, because m_status has no initializer.
182  */
183  Response_Status_Code status() const { return m_status; }
184 
185  /**
186  * @return producedAt — the time the responder claims to have generated this
     * response. It is responder-asserted data ("supposedly"); freshness checks in
     * status_for() are made against the caller-supplied ref_time.
187  */
188  const X509_Time& produced_at() const { return m_produced_at; }
189 
190  /**
191  * @return DN of signer (RFC 6960 ResponderID byName), if provided in response (may be empty)
192  */
193  const X509_DN& signer_name() const { return m_signer_name; }
194 
195  /**
196  * @return key hash of signer (RFC 6960 ResponderID byKey), if provided in response (may be empty)
197  */
198  const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }
199 
     /// @return the raw encoded response bytes held in m_response_bits (presumably
     /// the input the parsing constructors were given — confirm in ocsp.cpp)
200  const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }
201 
202  /**
203  * Searches the OCSP response for the single response matching issuer and
204  * subject and evaluates its status and freshness.
205  * @param issuer issuer certificate
206  * @param subject subject certificate
207  * @param ref_time the reference time for the freshness checks; the default
     *        is the current system time, evaluated at each call
208  * @param max_age the maximum age the response should be considered valid
209  *        if next_update is not set. The default of zero presumably disables
     *        this check (confirm in ocsp.cpp), in which case a response without
     *        nextUpdate is accepted however old its thisUpdate is; callers that
     *        want bounded staleness should pass an explicit value.
210  * @return OCSP status code, possible values:
211  * CERT_IS_REVOKED,
212  * OCSP_NOT_YET_VALID,
213  * OCSP_HAS_EXPIRED,
214  * OCSP_IS_TOO_OLD,
215  * OCSP_RESPONSE_GOOD,
216  * OCSP_BAD_STATUS,
217  * OCSP_CERT_NOT_LISTED
     * Only OCSP_RESPONSE_GOOD is a positive result. Nothing in this signature
     * suggests the response signature is verified here (that is what
     * check_signature() is for); call that first, or the returned status is only
     * as trustworthy as the bytes that were parsed.
218  */
219  Certificate_Status_Code status_for(const X509_Certificate& issuer,
220  const X509_Certificate& subject,
221  std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now(),
222  std::chrono::seconds max_age = std::chrono::seconds::zero()) const;
222 
223  /**
224  * @return the certificates carried in the response, if any. They come straight
     * from the responder and are not validated by this accessor.
225  */
226  const std::vector<X509_Certificate> &certificates() const { return m_certs; }
227 
228  private:
229  Response_Status_Code m_status;        // no initializer: indeterminate after Response() = default
230  std::vector<uint8_t> m_response_bits; // raw encoded response, see raw_bits()
231  X509_Time m_produced_at;
232  X509_DN m_signer_name;                // ResponderID byName, if given
233  std::vector<uint8_t> m_key_hash;      // ResponderID byKey, if given
234  std::vector<uint8_t> m_tbs_bits;      // presumably the to-be-signed bytes the signature covers — confirm in ocsp.cpp
235  AlgorithmIdentifier m_sig_algo;
236  std::vector<uint8_t> m_signature;
237  std::vector<X509_Certificate> m_certs; // certificates sent with the response; unvalidated here
238 
239  std::vector<SingleResponse> m_responses; // per-certificate results searched by status_for()
240 
241  Certificate_Status_Code m_dummy_response_status; // status of a fake response; no initializer either
242  };
243 
244 #if defined(BOTAN_HAS_HTTP_UTIL)
245 
246 /**
247 * Makes an online OCSP request via HTTP and returns the OCSP response.
248 * OCSP runs over plain HTTP: the query is visible on the network and the
249 * response's integrity rests entirely on its signature, not on the transport.
250 * Whether the returned Response has already had its signature checked against
251 * @p trusted_roots is not visible from this declaration — confirm in ocsp.cpp,
252 * and otherwise call Response::check_signature() before using status_for().
253 * Only available when Botan is built with BOTAN_HAS_HTTP_UTIL.
    * @param issuer issuer certificate
    * @param subject_serial the subject's serial number
    * @param ocsp_responder URL of the OCSP responder to contact over HTTP
    * @param trusted_roots trusted roots for the OCSP response
    * @param timeout a timeout on the HTTP request (default 3 seconds)
    * @return OCSP response
254 */
255 BOTAN_PUBLIC_API(2,1)
256 Response online_check(const X509_Certificate& issuer,
257  const BigInt& subject_serial,
258  const std::string& ocsp_responder,
259  Certificate_Store* trusted_roots,
260  std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
261 
262 /**
263 * Makes an online OCSP request via HTTP and returns the OCSP response.
264 * Unlike the serial-number overload, no responder URL is taken; it is presumably
265 * derived from @p subject — confirm in ocsp.cpp. The same caveats apply: plain
266 * HTTP transport, integrity only via the response signature, and it is not
267 * visible here whether the result has been signature-checked already.
268 * Only available when Botan is built with BOTAN_HAS_HTTP_UTIL.
    * @param issuer issuer certificate
    * @param subject subject certificate
    * @param trusted_roots trusted roots for the OCSP response
    * @param timeout a timeout on the HTTP request (default 3 seconds)
    * @return OCSP response
269 */
270 BOTAN_PUBLIC_API(2,0)
271 Response online_check(const X509_Certificate& issuer,
272  const X509_Certificate& subject,
273  Certificate_Store* trusted_roots,
274  std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
275 
276 #endif
277 
278 }
279 
280 }
281 
282 #endif