/src/botan/build/include/botan/ocsp.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * OCSP |
3 | | * (C) 2012 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #ifndef BOTAN_OCSP_H_ |
9 | | #define BOTAN_OCSP_H_ |
10 | | |
11 | | #include <botan/cert_status.h> |
12 | | #include <botan/ocsp_types.h> |
13 | | #include <botan/x509_dn.h> |
14 | | #include <chrono> |
15 | | |
16 | | namespace Botan { |
17 | | |
18 | | class Certificate_Store; |
19 | | |
20 | | namespace OCSP { |
21 | | |
22 | | /** |
23 | | * An OCSP request. |
24 | | */ |
25 | | class BOTAN_PUBLIC_API(2,0) Request final |
26 | | { |
27 | | public: |
28 | | /** |
29 | | * Create an OCSP request. |
30 | | * @param issuer_cert issuer certificate |
31 | | * @param subject_cert subject certificate |
32 | | */ |
33 | | Request(const X509_Certificate& issuer_cert, |
34 | | const X509_Certificate& subject_cert); |
35 | | |
36 | | Request(const X509_Certificate& issuer_cert, |
37 | | const BigInt& subject_serial); |
38 | | |
39 | | /** |
40 | | * @return BER-encoded OCSP request |
41 | | */ |
42 | | std::vector<uint8_t> BER_encode() const; |
43 | | |
44 | | /** |
45 | | * @return Base64-encoded OCSP request |
46 | | */ |
47 | | std::string base64_encode() const; |
48 | | |
49 | | /** |
50 | | * @return issuer certificate |
51 | | */ |
52 | 0 | const X509_Certificate& issuer() const { return m_issuer; } |
53 | | |
54 | | /** |
55 | | * @return subject certificate |
56 | | */ |
57 | 0 | const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); } |
58 | | |
59 | | const std::vector<uint8_t>& issuer_key_hash() const |
60 | 0 | { return m_certid.issuer_key_hash(); } |
61 | | private: |
62 | | X509_Certificate m_issuer; |
63 | | CertID m_certid; |
64 | | }; |
65 | | |
66 | | /** |
67 | | * OCSP response status. |
68 | | * |
69 | | * see https://tools.ietf.org/html/rfc6960#section-4.2.1 |
70 | | */ |
71 | | enum class Response_Status_Code { |
72 | | Successful = 0, |
73 | | Malformed_Request = 1, |
74 | | Internal_Error = 2, |
75 | | Try_Later = 3, |
76 | | Sig_Required = 5, |
77 | | Unauthorized = 6 |
78 | | }; |
79 | | |
80 | | /** |
81 | | * OCSP response. |
82 | | * |
83 | | * Note this class is only usable as an OCSP client |
84 | | */ |
85 | | class BOTAN_PUBLIC_API(2,0) Response final |
86 | | { |
87 | | public: |
88 | | /** |
89 | | * Creates an empty OCSP response. |
90 | | */ |
91 | | Response() = default; |
92 | | |
93 | | /** |
94 | | * Create a fake OCSP response from a given status code. |
95 | | * @param status the status code the check functions will return |
96 | | */ |
97 | | Response(Certificate_Status_Code status); |
98 | | |
99 | | /** |
100 | | * Parses an OCSP response. |
101 | | * @param response_bits response bits received |
102 | | */ |
103 | | Response(const std::vector<uint8_t>& response_bits) : |
104 | | Response(response_bits.data(), response_bits.size()) |
105 | 0 | {} |
106 | | |
107 | | /** |
108 | | * Parses an OCSP response. |
109 | | * @param response_bits response bits received |
110 | | * @param response_bits_len length of response in bytes |
111 | | */ |
112 | | Response(const uint8_t response_bits[], |
113 | | size_t response_bits_len); |
114 | | |
115 | | /** |
116 | | * Check signature and return status |
117 | | * The optional cert_path is the (already validated!) certificate path of |
118 | | * the end entity which is being inquired about |
119 | | * @param trust_roots list of certstores containing trusted roots |
120 | | * @param cert_path optionally, the (already verified!) certificate path for the certificate |
121 | | * this is an OCSP response for. This is necessary to find the correct intermediate CA in |
122 | | * some cases. |
123 | | */ |
124 | | Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots, |
125 | | const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const; |
126 | | |
127 | | /** |
128 | | * Verify that issuer's key signed this response |
129 | | * @param issuer certificate of issuer |
130 | | * @return if signature valid OCSP_SIGNATURE_OK else an error code |
131 | | */ |
132 | | Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const; |
133 | | |
134 | | /** |
135 | | * @return the status of the response |
136 | | */ |
137 | 0 | Response_Status_Code status() const { return m_status; } |
138 | | |
139 | | /** |
140 | | * @return the time this OCSP response was supposedly produced at |
141 | | */ |
142 | 0 | const X509_Time& produced_at() const { return m_produced_at; } |
143 | | |
144 | | /** |
145 | | * @return DN of signer, if provided in response (may be empty) |
146 | | */ |
147 | 0 | const X509_DN& signer_name() const { return m_signer_name; } |
148 | | |
149 | | /** |
150 | | * @return key hash, if provided in response (may be empty) |
151 | | */ |
152 | 0 | const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; } |
153 | | |
154 | 0 | const std::vector<uint8_t>& raw_bits() const { return m_response_bits; } |
155 | | |
156 | | /** |
157 | | * Searches the OCSP response for issuer and subject certificate. |
158 | | * @param issuer issuer certificate |
159 | | * @param subject subject certificate |
160 | | * @param ref_time the reference time |
161 | | * @param max_age the maximum age the response should be considered valid |
162 | | * if next_update is not set |
163 | | * @return OCSP status code, possible values: |
164 | | * CERT_IS_REVOKED, |
165 | | * OCSP_NOT_YET_VALID, |
166 | | * OCSP_HAS_EXPIRED, |
167 | | * OCSP_IS_TOO_OLD, |
168 | | * OCSP_RESPONSE_GOOD, |
169 | | * OCSP_BAD_STATUS, |
170 | | * OCSP_CERT_NOT_LISTED |
171 | | */ |
172 | | Certificate_Status_Code status_for(const X509_Certificate& issuer, |
173 | | const X509_Certificate& subject, |
174 | | std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now(), |
175 | | std::chrono::seconds max_age = std::chrono::seconds::zero()) const; |
176 | | |
177 | | /** |
178 | | * @return the certificate chain, if provided in response |
179 | | */ |
180 | 0 | const std::vector<X509_Certificate> &certificates() const { return m_certs; } |
181 | | |
182 | | private: |
183 | | Response_Status_Code m_status; |
184 | | std::vector<uint8_t> m_response_bits; |
185 | | X509_Time m_produced_at; |
186 | | X509_DN m_signer_name; |
187 | | std::vector<uint8_t> m_key_hash; |
188 | | std::vector<uint8_t> m_tbs_bits; |
189 | | AlgorithmIdentifier m_sig_algo; |
190 | | std::vector<uint8_t> m_signature; |
191 | | std::vector<X509_Certificate> m_certs; |
192 | | |
193 | | std::vector<SingleResponse> m_responses; |
194 | | |
195 | | Certificate_Status_Code m_dummy_response_status; |
196 | | }; |
197 | | |
198 | | #if defined(BOTAN_HAS_HTTP_UTIL) |
199 | | |
200 | | /** |
201 | | * Makes an online OCSP request via HTTP and returns the OCSP response. |
202 | | * @param issuer issuer certificate |
203 | | * @param subject_serial the subject's serial number |
204 | | * @param ocsp_responder the OCSP responder to query |
205 | | * @param trusted_roots trusted roots for the OCSP response |
206 | | * @param timeout a timeout on the HTTP request |
207 | | * @return OCSP response |
208 | | */ |
209 | | BOTAN_PUBLIC_API(2,1) |
210 | | Response online_check(const X509_Certificate& issuer, |
211 | | const BigInt& subject_serial, |
212 | | const std::string& ocsp_responder, |
213 | | Certificate_Store* trusted_roots, |
214 | | std::chrono::milliseconds timeout = std::chrono::milliseconds(3000)); |
215 | | |
216 | | /** |
217 | | * Makes an online OCSP request via HTTP and returns the OCSP response. |
218 | | * @param issuer issuer certificate |
219 | | * @param subject subject certificate |
220 | | * @param trusted_roots trusted roots for the OCSP response |
221 | | * @param timeout a timeout on the HTTP request |
222 | | * @return OCSP response |
223 | | */ |
224 | | BOTAN_PUBLIC_API(2,0) |
225 | | Response online_check(const X509_Certificate& issuer, |
226 | | const X509_Certificate& subject, |
227 | | Certificate_Store* trusted_roots, |
228 | | std::chrono::milliseconds timeout = std::chrono::milliseconds(3000)); |
229 | | |
230 | | #endif |
231 | | |
232 | | } |
233 | | |
234 | | } |
235 | | |
236 | | #endif |