/src/botan/build/include/botan/ocsp.h

Source (jump to first uncovered line)
/*
* OCSP
* (C) 2012 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#ifndef BOTAN_OCSP_H_
#define BOTAN_OCSP_H_

#include <botan/cert_status.h>
#include <botan/ocsp_types.h>
#include <botan/x509_dn.h>
#include <chrono>

namespace Botan {

class Certificate_Store;

namespace OCSP {

/**
* An OCSP request.
*/
class BOTAN_PUBLIC_API(2,0) Request final
   {
   public:
      /**
      * Create an OCSP request.
      * @param issuer_cert issuer certificate
      * @param subject_cert subject certificate
      */
      Request(const X509_Certificate& issuer_cert,
              const X509_Certificate& subject_cert);

      Request(const X509_Certificate& issuer_cert,
              const BigInt& subject_serial);

      /**
      * @return BER-encoded OCSP request
      */
      std::vector<uint8_t> BER_encode() const;

      /**
      * @return Base64-encoded OCSP request
      */
      std::string base64_encode() const;

      /**
      * @return issuer certificate
      */
      const X509_Certificate& issuer() const { return m_issuer; }

      /**
      * @return subject certificate
      */
      const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }

      const std::vector<uint8_t>& issuer_key_hash() const
         { return m_certid.issuer_key_hash(); }
   private:
      X509_Certificate m_issuer;
      CertID m_certid;
   };

/**
* OCSP response status.
*
* see https://tools.ietf.org/html/rfc6960#section-4.2.1
*/
enum class Response_Status_Code {
   Successful = 0,
   Malformed_Request = 1,
   Internal_Error = 2,
   Try_Later = 3,
   Sig_Required = 5,
   Unauthorized = 6
};

/**
* OCSP response.
*
* Note this class is only usable as an OCSP client
*/
class BOTAN_PUBLIC_API(2,0) Response final
   {
   public:
      /**
      * Creates an empty OCSP response.
      */
      Response() = default;

      /**
      * Create a fake OCSP response from a given status code.
      * @param status the status code the check functions will return
      */
      Response(Certificate_Status_Code status);

      /**
      * Parses an OCSP response.
      * @param response_bits response bits received
      */
      Response(const std::vector<uint8_t>& response_bits) :
         Response(response_bits.data(), response_bits.size())
         {}

      /**
      * Parses an OCSP response.
      * @param response_bits response bits received
      * @param response_bits_len length of response in bytes
      */
      Response(const uint8_t response_bits[],
               size_t response_bits_len);

      /**
      * Check signature and return status
      * The optional cert_path is the (already validated!) certificate path of
      * the end entity which is being inquired about
      * @param trust_roots list of certstores containing trusted roots
      * @param cert_path optionally, the (already verified!) certificate path for the certificate
      * this is an OCSP response for. This is necessary to find the correct intermediate CA in
      * some cases.
      */
      Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,
                                              const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;

      /**
      * Verify that issuer's key signed this response
      * @param issuer certificate of issuer
      * @return if signature valid OCSP_SIGNATURE_OK else an error code
      */
      Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;

      /**
      * @return the status of the response
      */
      Response_Status_Code status() const { return m_status; }

      /**
      * @return the time this OCSP response was supposedly produced at
      */
      const X509_Time& produced_at() const { return m_produced_at; }

      /**
      * @return DN of signer, if provided in response (may be empty)
      */
      const X509_DN& signer_name() const { return m_signer_name; }

      /**
      * @return key hash, if provided in response (may be empty)
      */
      const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }

      const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }

      /**
       * Searches the OCSP response for issuer and subject certificate.
       * @param issuer issuer certificate
       * @param subject subject certificate
       * @param ref_time the reference time
       * @param max_age the maximum age the response should be considered valid
       *                if next_update is not set
       * @return OCSP status code, possible values:
       *         CERT_IS_REVOKED,
       *         OCSP_NOT_YET_VALID,
       *         OCSP_HAS_EXPIRED,
       *         OCSP_IS_TOO_OLD,
       *         OCSP_RESPONSE_GOOD,
       *         OCSP_BAD_STATUS,
       *         OCSP_CERT_NOT_LISTED
       */
      Certificate_Status_Code status_for(const X509_Certificate& issuer,
                                         const X509_Certificate& subject,
                                         std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now(),
                                         std::chrono::seconds max_age = std::chrono::seconds::zero()) const;

      /**
       * @return the certificate chain, if provided in response
       */
      const std::vector<X509_Certificate> &certificates() const { return  m_certs; }

   private:
      Response_Status_Code m_status;
      std::vector<uint8_t> m_response_bits;
      X509_Time m_produced_at;
      X509_DN m_signer_name;
      std::vector<uint8_t> m_key_hash;
      std::vector<uint8_t> m_tbs_bits;
      AlgorithmIdentifier m_sig_algo;
      std::vector<uint8_t> m_signature;
      std::vector<X509_Certificate> m_certs;

      std::vector<SingleResponse> m_responses;

      Certificate_Status_Code m_dummy_response_status;
   };

#if defined(BOTAN_HAS_HTTP_UTIL)

/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* @param issuer issuer certificate
* @param subject_serial the subject's serial number
* @param ocsp_responder the OCSP responder to query
* @param trusted_roots trusted roots for the OCSP response
* @param timeout a timeout on the HTTP request
* @return OCSP response
*/
BOTAN_PUBLIC_API(2,1)
Response online_check(const X509_Certificate& issuer,
                      const BigInt& subject_serial,
                      const std::string& ocsp_responder,
                      Certificate_Store* trusted_roots,
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));

/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* @param issuer issuer certificate
* @param subject subject certificate
* @param trusted_roots trusted roots for the OCSP response
* @param timeout a timeout on the HTTP request
* @return OCSP response
*/
BOTAN_PUBLIC_API(2,0)
Response online_check(const X509_Certificate& issuer,
                      const X509_Certificate& subject,
                      Certificate_Store* trusted_roots,
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));

#endif

}

}

#endif

Coverage Report

Created: 2020-02-14 15:38

Line	Count	Source (jump to first uncovered line)
1		/*
2		* OCSP
3		* (C) 2012 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#ifndef BOTAN_OCSP_H_
9		#define BOTAN_OCSP_H_
10
11		#include <botan/cert_status.h>
12		#include <botan/ocsp_types.h>
13		#include <botan/x509_dn.h>
14		#include <chrono>
15
16		namespace Botan {
17
18		class Certificate_Store;
19
20		namespace OCSP {
21
22		/**
23		* An OCSP request.
24		*/
25		class BOTAN_PUBLIC_API(2,0) Request final
26		{
27		public:
28		/**
29		* Create an OCSP request.
30		* @param issuer_cert issuer certificate
31		* @param subject_cert subject certificate
32		*/
33		Request(const X509_Certificate& issuer_cert,
34		const X509_Certificate& subject_cert);
35
36		Request(const X509_Certificate& issuer_cert,
37		const BigInt& subject_serial);
38
39		/**
40		* @return BER-encoded OCSP request
41		*/
42		std::vector<uint8_t> BER_encode() const;
43
44		/**
45		* @return Base64-encoded OCSP request
46		*/
47		std::string base64_encode() const;
48
49		/**
50		* @return issuer certificate
51		*/
52	0	const X509_Certificate& issuer() const { return m_issuer; }
53
54		/**
55		* @return subject certificate
56		*/
57	0	const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }
58
59		const std::vector<uint8_t>& issuer_key_hash() const
60	0	{ return m_certid.issuer_key_hash(); }
61		private:
62		X509_Certificate m_issuer;
63		CertID m_certid;
64		};
65
66		/**
67		* OCSP response status.
68		*
69		* see https://tools.ietf.org/html/rfc6960#section-4.2.1
70		*/
71		enum class Response_Status_Code {
72		Successful = 0,
73		Malformed_Request = 1,
74		Internal_Error = 2,
75		Try_Later = 3,
76		Sig_Required = 5,
77		Unauthorized = 6
78		};
79
80		/**
81		* OCSP response.
82		*
83		* Note this class is only usable as an OCSP client
84		*/
85		class BOTAN_PUBLIC_API(2,0) Response final
86		{
87		public:
88		/**
89		* Creates an empty OCSP response.
90		*/
91		Response() = default;
92
93		/**
94		* Create a fake OCSP response from a given status code.
95		* @param status the status code the check functions will return
96		*/
97		Response(Certificate_Status_Code status);
98
99		/**
100		* Parses an OCSP response.
101		* @param response_bits response bits received
102		*/
103		Response(const std::vector<uint8_t>& response_bits) :
104		Response(response_bits.data(), response_bits.size())
105	0	{}
106
107		/**
108		* Parses an OCSP response.
109		* @param response_bits response bits received
110		* @param response_bits_len length of response in bytes
111		*/
112		Response(const uint8_t response_bits[],
113		size_t response_bits_len);
114
115		/**
116		* Check signature and return status
117		* The optional cert_path is the (already validated!) certificate path of
118		* the end entity which is being inquired about
119		* @param trust_roots list of certstores containing trusted roots
120		* @param cert_path optionally, the (already verified!) certificate path for the certificate
121		* this is an OCSP response for. This is necessary to find the correct intermediate CA in
122		* some cases.
123		*/
124		Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,
125		const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;
126
127		/**
128		* Verify that issuer's key signed this response
129		* @param issuer certificate of issuer
130		* @return if signature valid OCSP_SIGNATURE_OK else an error code
131		*/
132		Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;
133
134		/**
135		* @return the status of the response
136		*/
137	0	Response_Status_Code status() const { return m_status; }
138
139		/**
140		* @return the time this OCSP response was supposedly produced at
141		*/
142	0	const X509_Time& produced_at() const { return m_produced_at; }
143
144		/**
145		* @return DN of signer, if provided in response (may be empty)
146		*/
147	0	const X509_DN& signer_name() const { return m_signer_name; }
148
149		/**
150		* @return key hash, if provided in response (may be empty)
151		*/
152	0	const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }
153
154	0	const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }
155
156		/**
157		* Searches the OCSP response for issuer and subject certificate.
158		* @param issuer issuer certificate
159		* @param subject subject certificate
160		* @param ref_time the reference time
161		* @param max_age the maximum age the response should be considered valid
162		* if next_update is not set
163		* @return OCSP status code, possible values:
164		* CERT_IS_REVOKED,
165		* OCSP_NOT_YET_VALID,
166		* OCSP_HAS_EXPIRED,
167		* OCSP_IS_TOO_OLD,
168		* OCSP_RESPONSE_GOOD,
169		* OCSP_BAD_STATUS,
170		* OCSP_CERT_NOT_LISTED
171		*/
172		Certificate_Status_Code status_for(const X509_Certificate& issuer,
173		const X509_Certificate& subject,
174		std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now(),
175		std::chrono::seconds max_age = std::chrono::seconds::zero()) const;
176
177		/**
178		* @return the certificate chain, if provided in response
179		*/
180	0	const std::vector<X509_Certificate> &certificates() const { return m_certs; }
181
182		private:
183		Response_Status_Code m_status;
184		std::vector<uint8_t> m_response_bits;
185		X509_Time m_produced_at;
186		X509_DN m_signer_name;
187		std::vector<uint8_t> m_key_hash;
188		std::vector<uint8_t> m_tbs_bits;
189		AlgorithmIdentifier m_sig_algo;
190		std::vector<uint8_t> m_signature;
191		std::vector<X509_Certificate> m_certs;
192
193		std::vector<SingleResponse> m_responses;
194
195		Certificate_Status_Code m_dummy_response_status;
196		};
197
198		#if defined(BOTAN_HAS_HTTP_UTIL)
199
200		/**
201		* Makes an online OCSP request via HTTP and returns the OCSP response.
202		* @param issuer issuer certificate
203		* @param subject_serial the subject's serial number
204		* @param ocsp_responder the OCSP responder to query
205		* @param trusted_roots trusted roots for the OCSP response
206		* @param timeout a timeout on the HTTP request
207		* @return OCSP response
208		*/
209		BOTAN_PUBLIC_API(2,1)
210		Response online_check(const X509_Certificate& issuer,
211		const BigInt& subject_serial,
212		const std::string& ocsp_responder,
213		Certificate_Store* trusted_roots,
214		std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
215
216		/**
217		* Makes an online OCSP request via HTTP and returns the OCSP response.
218		* @param issuer issuer certificate
219		* @param subject subject certificate
220		* @param trusted_roots trusted roots for the OCSP response
221		* @param timeout a timeout on the HTTP request
222		* @return OCSP response
223		*/
224		BOTAN_PUBLIC_API(2,0)
225		Response online_check(const X509_Certificate& issuer,
226		const X509_Certificate& subject,
227		Certificate_Store* trusted_roots,
228		std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
229
230		#endif
231
232		}
233
234		}
235
236		#endif