/src/botan/build/include/botan/ocsp.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * OCSP |
3 | | * (C) 2012 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #ifndef BOTAN_OCSP_H_ |
9 | | #define BOTAN_OCSP_H_ |
10 | | |
11 | | #include <botan/asn1_obj.h> |
12 | | #include <botan/pkix_types.h> |
13 | | #include <botan/x509cert.h> |
14 | | #include <botan/bigint.h> |
15 | | #include <chrono> |
16 | | |
17 | | namespace Botan { |
18 | | |
19 | | class Certificate_Store; |
20 | | |
21 | | namespace OCSP { |
22 | | |
23 | | class BOTAN_PUBLIC_API(2,0) CertID final : public ASN1_Object |
24 | | { |
25 | | public: |
26 | 34 | CertID() = default; |
27 | | |
28 | | CertID(const X509_Certificate& issuer, |
29 | | const BigInt& subject_serial); |
30 | | |
31 | | bool is_id_for(const X509_Certificate& issuer, |
32 | | const X509_Certificate& subject) const; |
33 | | |
34 | | void encode_into(class DER_Encoder& to) const override; |
35 | | |
36 | | void decode_from(class BER_Decoder& from) override; |
37 | | |
38 | 0 | const std::vector<uint8_t>& issuer_key_hash() const { return m_issuer_key_hash; } |
39 | | |
40 | | private: |
41 | | AlgorithmIdentifier m_hash_id; |
42 | | std::vector<uint8_t> m_issuer_dn_hash; |
43 | | std::vector<uint8_t> m_issuer_key_hash; |
44 | | BigInt m_subject_serial; |
45 | | }; |
46 | | |
47 | | class BOTAN_PUBLIC_API(2,0) SingleResponse final : public ASN1_Object |
48 | | { |
49 | | public: |
50 | 0 | const CertID& certid() const { return m_certid; } |
51 | | |
52 | 0 | size_t cert_status() const { return m_cert_status; } |
53 | | |
54 | 0 | X509_Time this_update() const { return m_thisupdate; } |
55 | | |
56 | 0 | X509_Time next_update() const { return m_nextupdate; } |
57 | | |
58 | | void encode_into(class DER_Encoder& to) const override; |
59 | | |
60 | | void decode_from(class BER_Decoder& from) override; |
61 | | private: |
62 | | CertID m_certid; |
63 | | size_t m_cert_status = 2; // unknown |
64 | | X509_Time m_thisupdate; |
65 | | X509_Time m_nextupdate; |
66 | | }; |
67 | | |
68 | | /** |
69 | | * An OCSP request. |
70 | | */ |
71 | | class BOTAN_PUBLIC_API(2,0) Request final |
72 | | { |
73 | | public: |
74 | | /** |
75 | | * Create an OCSP request. |
76 | | * @param issuer_cert issuer certificate |
77 | | * @param subject_cert subject certificate |
78 | | */ |
79 | | Request(const X509_Certificate& issuer_cert, |
80 | | const X509_Certificate& subject_cert); |
81 | | |
82 | | Request(const X509_Certificate& issuer_cert, |
83 | | const BigInt& subject_serial); |
84 | | |
85 | | /** |
86 | | * @return BER-encoded OCSP request |
87 | | */ |
88 | | std::vector<uint8_t> BER_encode() const; |
89 | | |
90 | | /** |
91 | | * @return Base64-encoded OCSP request |
92 | | */ |
93 | | std::string base64_encode() const; |
94 | | |
95 | | /** |
96 | | * @return issuer certificate |
97 | | */ |
98 | 0 | const X509_Certificate& issuer() const { return m_issuer; } |
99 | | |
100 | | /** |
101 | | * @return subject certificate |
102 | | */ |
103 | 0 | const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); } |
104 | | |
105 | | const std::vector<uint8_t>& issuer_key_hash() const |
106 | 0 | { return m_certid.issuer_key_hash(); } |
107 | | private: |
108 | | X509_Certificate m_issuer; |
109 | | CertID m_certid; |
110 | | }; |
111 | | |
112 | | /** |
113 | | * OCSP response status. |
114 | | * |
115 | | * see https://tools.ietf.org/html/rfc6960#section-4.2.1 |
116 | | */ |
117 | | enum class Response_Status_Code { |
118 | | Successful = 0, |
119 | | Malformed_Request = 1, |
120 | | Internal_Error = 2, |
121 | | Try_Later = 3, |
122 | | Sig_Required = 5, |
123 | | Unauthorized = 6 |
124 | | }; |
125 | | |
126 | | /** |
127 | | * OCSP response. |
128 | | * |
129 | | * Note this class is only usable as an OCSP client |
130 | | */ |
131 | | class BOTAN_PUBLIC_API(2,0) Response final |
132 | | { |
133 | | public: |
134 | | /** |
135 | | * Creates an empty OCSP response. |
136 | | */ |
137 | | Response() = default; |
138 | | |
139 | | /** |
140 | | * Create a fake OCSP response from a given status code. |
141 | | * @param status the status code the check functions will return |
142 | | */ |
143 | | Response(Certificate_Status_Code status); |
144 | | |
145 | | /** |
146 | | * Parses an OCSP response. |
147 | | * @param response_bits response bits received |
148 | | */ |
149 | | Response(const std::vector<uint8_t>& response_bits) : |
150 | | Response(response_bits.data(), response_bits.size()) |
151 | 0 | {} |
152 | | |
153 | | /** |
154 | | * Parses an OCSP response. |
155 | | * @param response_bits response bits received |
156 | | * @param response_bits_len length of response in bytes |
157 | | */ |
158 | | Response(const uint8_t response_bits[], |
159 | | size_t response_bits_len); |
160 | | |
161 | | /** |
162 | | * Check signature and return status |
163 | | * The optional cert_path is the (already validated!) certificate path of |
164 | | * the end entity which is being inquired about |
165 | | * @param trust_roots list of certstores containing trusted roots |
166 | | * @param cert_path optionally, the (already verified!) certificate path for the certificate |
167 | | * this is an OCSP response for. This is necessary to find the correct intermediate CA in |
168 | | * some cases. |
169 | | */ |
170 | | Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots, |
171 | | const std::vector<X509_Certificate>& cert_path = {}) const; |
172 | | |
173 | | /** |
174 | | * Verify that issuer's key signed this response |
175 | | * @param issuer certificate of issuer |
176 | | * @return if signature valid OCSP_SIGNATURE_OK else an error code |
177 | | */ |
178 | | Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const; |
179 | | |
180 | | /** |
181 | | * @return the status of the response |
182 | | */ |
183 | 0 | Response_Status_Code status() const { return m_status; } |
184 | | |
185 | | /** |
186 | | * @return the time this OCSP response was supposedly produced at |
187 | | */ |
188 | 0 | const X509_Time& produced_at() const { return m_produced_at; } |
189 | | |
190 | | /** |
191 | | * @return DN of signer, if provided in response (may be empty) |
192 | | */ |
193 | 0 | const X509_DN& signer_name() const { return m_signer_name; } |
194 | | |
195 | | /** |
196 | | * @return key hash, if provided in response (may be empty) |
197 | | */ |
198 | 0 | const std::vector<uint8_t>& signer_key_hash() const { return m_key_hash; } |
199 | | |
200 | 0 | const std::vector<uint8_t>& raw_bits() const { return m_response_bits; } |
201 | | |
202 | | /** |
203 | | * Searches the OCSP response for issuer and subject certificate. |
204 | | * @param issuer issuer certificate |
205 | | * @param subject subject certificate |
206 | | * @param ref_time the reference time |
207 | | * @param max_age the maximum age the response should be considered valid |
208 | | * if next_update is not set |
209 | | * @return OCSP status code, possible values: |
210 | | * CERT_IS_REVOKED, |
211 | | * OCSP_NOT_YET_VALID, |
212 | | * OCSP_HAS_EXPIRED, |
213 | | * OCSP_IS_TOO_OLD, |
214 | | * OCSP_RESPONSE_GOOD, |
215 | | * OCSP_BAD_STATUS, |
216 | | * OCSP_CERT_NOT_LISTED |
217 | | */ |
218 | | Certificate_Status_Code status_for(const X509_Certificate& issuer, |
219 | | const X509_Certificate& subject, |
220 | | std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now(), |
221 | | std::chrono::seconds max_age = std::chrono::seconds::zero()) const; |
222 | | |
223 | | /** |
224 | | * @return the certificate chain, if provided in response |
225 | | */ |
226 | 0 | const std::vector<X509_Certificate> &certificates() const { return m_certs; } |
227 | | |
228 | | private: |
229 | | Response_Status_Code m_status; |
230 | | std::vector<uint8_t> m_response_bits; |
231 | | X509_Time m_produced_at; |
232 | | X509_DN m_signer_name; |
233 | | std::vector<uint8_t> m_key_hash; |
234 | | std::vector<uint8_t> m_tbs_bits; |
235 | | AlgorithmIdentifier m_sig_algo; |
236 | | std::vector<uint8_t> m_signature; |
237 | | std::vector<X509_Certificate> m_certs; |
238 | | |
239 | | std::vector<SingleResponse> m_responses; |
240 | | |
241 | | Certificate_Status_Code m_dummy_response_status; |
242 | | }; |
243 | | |
244 | | #if defined(BOTAN_HAS_HTTP_UTIL) |
245 | | |
246 | | /** |
247 | | * Makes an online OCSP request via HTTP and returns the OCSP response. |
248 | | * @param issuer issuer certificate |
249 | | * @param subject_serial the subject's serial number |
250 | | * @param ocsp_responder the OCSP responder to query |
251 | | * @param trusted_roots trusted roots for the OCSP response |
252 | | * @param timeout a timeout on the HTTP request |
253 | | * @return OCSP response |
254 | | */ |
255 | | BOTAN_PUBLIC_API(2,1) |
256 | | Response online_check(const X509_Certificate& issuer, |
257 | | const BigInt& subject_serial, |
258 | | const std::string& ocsp_responder, |
259 | | Certificate_Store* trusted_roots, |
260 | | std::chrono::milliseconds timeout = std::chrono::milliseconds(3000)); |
261 | | |
262 | | /** |
263 | | * Makes an online OCSP request via HTTP and returns the OCSP response. |
264 | | * @param issuer issuer certificate |
265 | | * @param subject subject certificate |
266 | | * @param trusted_roots trusted roots for the OCSP response |
267 | | * @param timeout a timeout on the HTTP request |
268 | | * @return OCSP response |
269 | | */ |
270 | | BOTAN_PUBLIC_API(2,0) |
271 | | Response online_check(const X509_Certificate& issuer, |
272 | | const X509_Certificate& subject, |
273 | | Certificate_Store* trusted_roots, |
274 | | std::chrono::milliseconds timeout = std::chrono::milliseconds(3000)); |
275 | | |
276 | | #endif |
277 | | |
278 | | } |
279 | | |
280 | | } |
281 | | |
282 | | #endif |