doxygen/ocsp_8h_source.html

/*

* OCSP

* (C) 2012 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#ifndef BOTAN_OCSP_H_

#define BOTAN_OCSP_H_


#include <botan/asn1_obj.h>

#include <botan/bigint.h>

#include <botan/pkix_types.h>

#include <botan/x509cert.h>


#include <chrono>

#include <optional>


namespace Botan {


class Certificate_Store;


namespace OCSP {


class BOTAN_PUBLIC_API(2, 0) CertID final : public ASN1_Object {

   public:

      CertID() = default;


      CertID(const X509_Certificate& issuer, const BigInt& subject_serial);


      bool is_id_for(const X509_Certificate& issuer, const X509_Certificate& subject) const;


      void encode_into(DER_Encoder& to) const override;


      void decode_from(BER_Decoder& from) override;


      const std::vector<uint8_t>& issuer_key_hash() const { return m_issuer_key_hash; }


   private:

      AlgorithmIdentifier m_hash_id;

      std::vector<uint8_t> m_issuer_dn_hash;

      std::vector<uint8_t> m_issuer_key_hash;

      BigInt m_subject_serial;

};


class BOTAN_PUBLIC_API(2, 0) SingleResponse final : public ASN1_Object {

   public:

      const CertID& certid() const { return m_certid; }


      size_t cert_status() const { return m_cert_status; }


      X509_Time this_update() const { return m_thisupdate; }


      X509_Time next_update() const { return m_nextupdate; }


      void encode_into(DER_Encoder& to) const override;


      void decode_from(BER_Decoder& from) override;


   private:

      CertID m_certid;

      size_t m_cert_status = 2;  // unknown

      X509_Time m_thisupdate;

      X509_Time m_nextupdate;

};


/**

* An OCSP request.

*/

class BOTAN_PUBLIC_API(2, 0) Request final {

   public:

      /**

      * Create an OCSP request.

      * @param issuer_cert issuer certificate

      * @param subject_cert subject certificate

      */

      Request(const X509_Certificate& issuer_cert, const X509_Certificate& subject_cert);


      Request(const X509_Certificate& issuer_cert, const BigInt& subject_serial);


      /**

      * @return BER-encoded OCSP request

      */

      std::vector<uint8_t> BER_encode() const;


      /**

      * @return Base64-encoded OCSP request

      */

      std::string base64_encode() const;


      /**

      * @return issuer certificate

      */

      const X509_Certificate& issuer() const { return m_issuer; }


      /**

      * @return subject certificate

      */

      const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }


      const std::vector<uint8_t>& issuer_key_hash() const { return m_certid.issuer_key_hash(); }


   private:

      X509_Certificate m_issuer;

      CertID m_certid;

};


/**

* OCSP response status.

*

* see https://tools.ietf.org/html/rfc6960#section-4.2.1

*/

enum class Response_Status_Code {

   Successful = 0,

   Malformed_Request = 1,

   Internal_Error = 2,

   Try_Later = 3,

   Sig_Required = 5,

   Unauthorized = 6

};


/**

* OCSP response.

*

* Note this class is only usable as an OCSP client

*/

class BOTAN_PUBLIC_API(2, 0) Response final {

   public:

      /**

      * Create a fake OCSP response from a given status code.

      * @param status the status code the check functions will return

      */

      Response(Certificate_Status_Code status);


      /**

      * Parses an OCSP response.

      * @param response_bits response bits received

      */

      Response(const std::vector<uint8_t>& response_bits) : Response(response_bits.data(), response_bits.size()) {}


      /**

      * Parses an OCSP response.

      * @param response_bits response bits received

      * @param response_bits_len length of response in bytes

      */

      Response(const uint8_t response_bits[], size_t response_bits_len);


      /**

      * Find the certificate that signed this OCSP response from all possible

      * candidates and taking the attached certificates into account.

      *

      * @param issuer_certificate is the issuer of the certificate in question

      * @param trusted_ocsp_responders optionally, a certificate store containing

      *        additionally trusted responder certificates

      *

      * @return the certificate that signed this response or std::nullopt if not found

      */

      std::optional<X509_Certificate> find_signing_certificate(

         const X509_Certificate& issuer_certificate, const Certificate_Store* trusted_ocsp_responders = nullptr) const;


      /**

      * Check signature of the OCSP response.

      *

      * Note: It is the responsibility of the caller to verify that signing

      *       certificate is trustworthy and authorized to do so.

      *

      * @param signing_certificate the certificate that signed this response

      *                            (@sa Response::find_signing_certificate).

      *

      * @return status code indicating the validity of the signature

      */

      Certificate_Status_Code verify_signature(const X509_Certificate& signing_certificate) const;


      /**

      * @return the status of the response

      */

      Response_Status_Code status() const { return m_status; }


      /**

      * @return the time this OCSP response was supposedly produced at

      */

      const X509_Time& produced_at() const { return m_produced_at; }


      /**

      * @return DN of signer, if provided in response (may be empty)

      */

      const X509_DN& signer_name() const { return m_signer_name; }


      /**

      * @return key hash, if provided in response (may be empty)

      */

      const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }


      const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }


      /**

       * Searches the OCSP response for issuer and subject certificate.

       * @param issuer issuer certificate

       * @param subject subject certificate

       * @param ref_time the reference time

       * @param max_age the maximum age the response should be considered valid

       *                if next_update is not set

       * @return OCSP status code, possible values:

       *         CERT_IS_REVOKED,

       *         OCSP_NOT_YET_VALID,

       *         OCSP_HAS_EXPIRED,

       *         OCSP_IS_TOO_OLD,

       *         OCSP_RESPONSE_GOOD,

       *         OCSP_BAD_STATUS,

       *         OCSP_CERT_NOT_LISTED

       */

      Certificate_Status_Code status_for(

         const X509_Certificate& issuer,

         const X509_Certificate& subject,

         std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now(),

         std::chrono::seconds max_age = std::chrono::seconds::zero()) const;


      /**

       * @return the certificate chain, if provided in response

       */

      const std::vector<X509_Certificate>& certificates() const { return m_certs; }


      /**

      * @return the dummy response if this is a 'fake' OCSP response otherwise std::nullopt

      */

      std::optional<Certificate_Status_Code> dummy_status() const { return m_dummy_response_status; }


   private:

      bool is_issued_by(const X509_Certificate& candidate) const;


   private:

      Response_Status_Code m_status = Response_Status_Code::Internal_Error;

      std::vector<uint8_t> m_response_bits;

      X509_Time m_produced_at;

      X509_DN m_signer_name;

      std::vector<uint8_t> m_key_hash;

      std::vector<uint8_t> m_tbs_bits;

      AlgorithmIdentifier m_sig_algo;

      std::vector<uint8_t> m_signature;

      std::vector<X509_Certificate> m_certs;


      std::vector<SingleResponse> m_responses;


      std::optional<Certificate_Status_Code> m_dummy_response_status;

};


#if defined(BOTAN_HAS_HTTP_UTIL)


/**

* Makes an online OCSP request via HTTP and returns the (unverified) OCSP response.

* @param issuer issuer certificate

* @param subject_serial the subject's serial number

* @param ocsp_responder the OCSP responder to query

* @param timeout a timeout on the HTTP request

* @return OCSP response

*/

BOTAN_PUBLIC_API(3, 0)

Response online_check(const X509_Certificate& issuer,

                      const BigInt& subject_serial,

                      std::string_view ocsp_responder,

                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));


/**

* Makes an online OCSP request via HTTP and returns the (unverified) OCSP response.

* @param issuer issuer certificate

* @param subject subject certificate

* @param timeout a timeout on the HTTP request

* @return OCSP response

*/

BOTAN_PUBLIC_API(3, 0)

Response online_check(const X509_Certificate& issuer,

                      const X509_Certificate& subject,

                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));


#endif


}  // namespace OCSP


}  // namespace Botan


#endif

Botan::ASN1_Object
Definition: asn1_obj.h:96

Botan::ASN1_Time
Definition: asn1_obj.h:341

Botan::AlgorithmIdentifier
Definition: asn1_obj.h:440

Botan::BER_Decoder
Definition: ber_dec.h:21

Botan::BigInt
Definition: bigint.h:24

Botan::Certificate_Store
Definition: certstor.h:20

Botan::DER_Encoder
Definition: der_enc.h:22

Botan::Internal_Error
Definition: exceptn.h:321

Botan::Not_Implemented
Definition: exceptn.h:334

Botan::OCSP::CertID
Definition: ocsp.h:25

Botan::OCSP::CertID::issuer_key_hash
const std::vector< uint8_t > & issuer_key_hash() const
Definition: ocsp.h:37

Botan::OCSP::CertID::CertID
CertID()=default

Botan::OCSP::Request
Definition: ocsp.h:70

Botan::OCSP::Request::subject
const X509_Certificate & subject() const
Definition: ocsp.h:99

Botan::OCSP::Request::issuer_key_hash
const std::vector< uint8_t > & issuer_key_hash() const
Definition: ocsp.h:101

Botan::OCSP::Request::issuer
const X509_Certificate & issuer() const
Definition: ocsp.h:94

Botan::OCSP::Response
Definition: ocsp.h:127

Botan::OCSP::Response::Response
Response(const std::vector< uint8_t > &response_bits)
Definition: ocsp.h:139

Botan::OCSP::Response::status
Response_Status_Code status() const
Definition: ocsp.h:177

Botan::OCSP::Response::signer_name
const X509_DN & signer_name() const
Definition: ocsp.h:187

Botan::OCSP::Response::produced_at
const X509_Time & produced_at() const
Definition: ocsp.h:182

Botan::OCSP::Response::dummy_status
std::optional< Certificate_Status_Code > dummy_status() const
Definition: ocsp.h:226

Botan::OCSP::Response::certificates
const std::vector< X509_Certificate > & certificates() const
Definition: ocsp.h:221

Botan::OCSP::Response::raw_bits
const std::vector< uint8_t > & raw_bits() const
Definition: ocsp.h:194

Botan::OCSP::Response::signer_key_hash
const std::vector< uint8_t > & signer_key_hash() const
Definition: ocsp.h:192

Botan::OCSP::SingleResponse
Definition: ocsp.h:46

Botan::OCSP::SingleResponse::certid
const CertID & certid() const
Definition: ocsp.h:48

Botan::OCSP::SingleResponse::next_update
X509_Time next_update() const
Definition: ocsp.h:54

Botan::OCSP::SingleResponse::this_update
X509_Time this_update() const
Definition: ocsp.h:52

Botan::OCSP::SingleResponse::cert_status
size_t cert_status() const
Definition: ocsp.h:50

Botan::X509_Certificate
Definition: x509cert.h:36

Botan::X509_DN
Definition: pkix_types.h:37

final
int(* final)(unsigned char *, CTX *)
Definition: commoncrypto_hash.cpp:28

BOTAN_PUBLIC_API
#define BOTAN_PUBLIC_API(maj, min)
Definition: compiler.h:20

Botan::OCSP::Response_Status_Code
Response_Status_Code
Definition: ocsp.h:113

Botan::OCSP::Response_Status_Code::Sig_Required
@ Sig_Required

Botan::OCSP::Response_Status_Code::Successful
@ Successful

Botan::OCSP::Response_Status_Code::Malformed_Request
@ Malformed_Request

Botan::OCSP::Response_Status_Code::Try_Later
@ Try_Later

Botan::OCSP::Response_Status_Code::Unauthorized
@ Unauthorized

Botan
Definition: alg_id.cpp:13

Botan::base64_encode
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition: base64.cpp:146

Botan::Certificate_Status_Code
Certificate_Status_Code
Definition: pkix_enums.h:20

std
Definition: bigint.h:1030