Coverage Report

Created: 2020-05-23 13:54

/src/botan/build/include/botan/ocsp.h
Line
Count
Source (jump to first uncovered line)
1
/*
2
* OCSP
3
* (C) 2012 Jack Lloyd
4
*
5
* Botan is released under the Simplified BSD License (see license.txt)
6
*/
7
8
#ifndef BOTAN_OCSP_H_
9
#define BOTAN_OCSP_H_
10
11
#include <botan/cert_status.h>
12
#include <botan/ocsp_types.h>
13
#include <botan/x509_dn.h>
14
#include <chrono>
15
16
namespace Botan {
17
18
class Certificate_Store;
19
20
namespace OCSP {
21
22
/**
23
* An OCSP request.
24
*/
25
class BOTAN_PUBLIC_API(2,0) Request final
26
   {
27
   public:
28
      /**
29
      * Create an OCSP request.
30
      * @param issuer_cert issuer certificate
31
      * @param subject_cert subject certificate
32
      */
33
      Request(const X509_Certificate& issuer_cert,
34
              const X509_Certificate& subject_cert);
35
36
      Request(const X509_Certificate& issuer_cert,
37
              const BigInt& subject_serial);
38
39
      /**
40
      * @return BER-encoded OCSP request
41
      */
42
      std::vector<uint8_t> BER_encode() const;
43
44
      /**
45
      * @return Base64-encoded OCSP request
46
      */
47
      std::string base64_encode() const;
48
49
      /**
50
      * @return issuer certificate
51
      */
52
0
      const X509_Certificate& issuer() const { return m_issuer; }
53
54
      /**
55
      * @return subject certificate
56
      */
57
0
      const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }
58
59
      const std::vector<uint8_t>& issuer_key_hash() const
60
0
         { return m_certid.issuer_key_hash(); }
61
   private:
62
      X509_Certificate m_issuer;
63
      CertID m_certid;
64
   };
65
66
/**
67
* OCSP response status.
68
*
69
* see https://tools.ietf.org/html/rfc6960#section-4.2.1
70
*/
71
enum class Response_Status_Code {
72
   Successful = 0,
73
   Malformed_Request = 1,
74
   Internal_Error = 2,
75
   Try_Later = 3,
76
   Sig_Required = 5,
77
   Unauthorized = 6
78
};
79
80
/**
81
* OCSP response.
82
*
83
* Note this class is only usable as an OCSP client
84
*/
85
class BOTAN_PUBLIC_API(2,0) Response final
86
   {
87
   public:
88
      /**
89
      * Creates an empty OCSP response.
90
      */
91
      Response() = default;
92
93
      /**
94
      * Create a fake OCSP response from a given status code.
95
      * @param status the status code the check functions will return
96
      */
97
      Response(Certificate_Status_Code status);
98
99
      /**
100
      * Parses an OCSP response.
101
      * @param response_bits response bits received
102
      */
103
      Response(const std::vector<uint8_t>& response_bits) :
104
         Response(response_bits.data(), response_bits.size())
105
0
         {}
106
107
      /**
108
      * Parses an OCSP response.
109
      * @param response_bits response bits received
110
      * @param response_bits_len length of response in bytes
111
      */
112
      Response(const uint8_t response_bits[],
113
               size_t response_bits_len);
114
115
      /**
116
      * Check signature and return status
117
      * The optional cert_path is the (already validated!) certificate path of
118
      * the end entity which is being inquired about
119
      * @param trust_roots list of certstores containing trusted roots
120
      * @param cert_path optionally, the (already verified!) certificate path for the certificate
121
      * this is an OCSP response for. This is necessary to find the correct intermediate CA in
122
      * some cases.
123
      */
124
      Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,
125
                                              const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;
126
127
      /**
128
      * Verify that issuer's key signed this response
129
      * @param issuer certificate of issuer
130
      * @return if signature valid OCSP_SIGNATURE_OK else an error code
131
      */
132
      Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;
133
134
      /**
135
      * @return the status of the response
136
      */
137
0
      Response_Status_Code status() const { return m_status; }
138
139
      /**
140
      * @return the time this OCSP response was supposedly produced at
141
      */
142
0
      const X509_Time& produced_at() const { return m_produced_at; }
143
144
      /**
145
      * @return DN of signer, if provided in response (may be empty)
146
      */
147
0
      const X509_DN& signer_name() const { return m_signer_name; }
148
149
      /**
150
      * @return key hash, if provided in response (may be empty)
151
      */
152
0
      const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; }
153
154
0
      const std::vector<uint8_t>& raw_bits() const { return m_response_bits; }
155
156
      /**
157
       * Searches the OCSP response for issuer and subject certificate.
158
       * @param issuer issuer certificate
159
       * @param subject subject certificate
160
       * @param ref_time the reference time
161
       * @param max_age the maximum age the response should be considered valid
162
       *                if next_update is not set
163
       * @return OCSP status code, possible values:
164
       *         CERT_IS_REVOKED,
165
       *         OCSP_NOT_YET_VALID,
166
       *         OCSP_HAS_EXPIRED,
167
       *         OCSP_IS_TOO_OLD,
168
       *         OCSP_RESPONSE_GOOD,
169
       *         OCSP_BAD_STATUS,
170
       *         OCSP_CERT_NOT_LISTED
171
       */
172
      Certificate_Status_Code status_for(const X509_Certificate& issuer,
173
                                         const X509_Certificate& subject,
174
                                         std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now(),
175
                                         std::chrono::seconds max_age = std::chrono::seconds::zero()) const;
176
177
      /**
178
       * @return the certificate chain, if provided in response
179
       */
180
0
      const std::vector<X509_Certificate> &certificates() const { return  m_certs; }
181
182
   private:
183
      Response_Status_Code m_status;
184
      std::vector<uint8_t> m_response_bits;
185
      X509_Time m_produced_at;
186
      X509_DN m_signer_name;
187
      std::vector<uint8_t> m_key_hash;
188
      std::vector<uint8_t> m_tbs_bits;
189
      AlgorithmIdentifier m_sig_algo;
190
      std::vector<uint8_t> m_signature;
191
      std::vector<X509_Certificate> m_certs;
192
193
      std::vector<SingleResponse> m_responses;
194
195
      Certificate_Status_Code m_dummy_response_status;
196
   };
197
198
#if defined(BOTAN_HAS_HTTP_UTIL)
199
200
/**
201
* Makes an online OCSP request via HTTP and returns the OCSP response.
202
* @param issuer issuer certificate
203
* @param subject_serial the subject's serial number
204
* @param ocsp_responder the OCSP responder to query
205
* @param trusted_roots trusted roots for the OCSP response
206
* @param timeout a timeout on the HTTP request
207
* @return OCSP response
208
*/
209
BOTAN_PUBLIC_API(2,1)
210
Response online_check(const X509_Certificate& issuer,
211
                      const BigInt& subject_serial,
212
                      const std::string& ocsp_responder,
213
                      Certificate_Store* trusted_roots,
214
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
215
216
/**
217
* Makes an online OCSP request via HTTP and returns the OCSP response.
218
* @param issuer issuer certificate
219
* @param subject subject certificate
220
* @param trusted_roots trusted roots for the OCSP response
221
* @param timeout a timeout on the HTTP request
222
* @return OCSP response
223
*/
224
BOTAN_PUBLIC_API(2,0)
225
Response online_check(const X509_Certificate& issuer,
226
                      const X509_Certificate& subject,
227
                      Certificate_Store* trusted_roots,
228
                      std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
229
230
#endif
231
232
}
233
234
}
235
236
#endif