/src/botan/src/lib/x509/ocsp_types.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * OCSP subtypes |
3 | | * (C) 2012 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/ocsp.h> |
9 | | #include <botan/der_enc.h> |
10 | | #include <botan/ber_dec.h> |
11 | | #include <botan/x509_ext.h> |
12 | | #include <botan/hash.h> |
13 | | |
14 | | namespace Botan { |
15 | | |
16 | | namespace OCSP { |
17 | | |
18 | | CertID::CertID(const X509_Certificate& issuer, |
19 | | const BigInt& subject_serial) |
20 | 0 | { |
21 | | /* |
22 | | In practice it seems some responders, including, notably, |
23 | | ocsp.verisign.com, will reject anything but SHA-1 here |
24 | | */ |
25 | 0 | std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw("SHA-160")); |
26 | |
|
27 | 0 | m_hash_id = AlgorithmIdentifier(hash->name(), AlgorithmIdentifier::USE_NULL_PARAM); |
28 | 0 | m_issuer_key_hash = unlock(hash->process(issuer.subject_public_key_bitstring())); |
29 | 0 | m_issuer_dn_hash = unlock(hash->process(issuer.raw_subject_dn())); |
30 | 0 | m_subject_serial = subject_serial; |
31 | 0 | } |
32 | | |
33 | | bool CertID::is_id_for(const X509_Certificate& issuer, |
34 | | const X509_Certificate& subject) const |
35 | 0 | { |
36 | 0 | try |
37 | 0 | { |
38 | 0 | if(BigInt::decode(subject.serial_number()) != m_subject_serial) |
39 | 0 | return false; |
40 | | |
41 | 0 | const std::string hash_algo = m_hash_id.get_oid().to_formatted_string(); |
42 | 0 | std::unique_ptr<HashFunction> hash = HashFunction::create_or_throw(hash_algo); |
43 | |
|
44 | 0 | if(m_issuer_dn_hash != unlock(hash->process(subject.raw_issuer_dn()))) |
45 | 0 | return false; |
46 | | |
47 | 0 | if(m_issuer_key_hash != unlock(hash->process(issuer.subject_public_key_bitstring()))) |
48 | 0 | return false; |
49 | 0 | } |
50 | 0 | catch(...) |
51 | 0 | { |
52 | 0 | return false; |
53 | 0 | } |
54 | | |
55 | 0 | return true; |
56 | 0 | } |
57 | | |
58 | | void CertID::encode_into(class DER_Encoder& to) const |
59 | 0 | { |
60 | 0 | to.start_sequence() |
61 | 0 | .encode(m_hash_id) |
62 | 0 | .encode(m_issuer_dn_hash, ASN1_Type::OctetString) |
63 | 0 | .encode(m_issuer_key_hash, ASN1_Type::OctetString) |
64 | 0 | .encode(m_subject_serial) |
65 | 0 | .end_cons(); |
66 | 0 | } |
67 | | |
68 | | void CertID::decode_from(class BER_Decoder& from) |
69 | 23 | { |
70 | 23 | from.start_sequence() |
71 | 23 | .decode(m_hash_id) |
72 | 23 | .decode(m_issuer_dn_hash, ASN1_Type::OctetString) |
73 | 23 | .decode(m_issuer_key_hash, ASN1_Type::OctetString) |
74 | 23 | .decode(m_subject_serial) |
75 | 23 | .end_cons(); |
76 | | |
77 | 23 | } |
78 | | |
79 | | void SingleResponse::encode_into(class DER_Encoder&) const |
80 | 0 | { |
81 | 0 | throw Not_Implemented("SingleResponse::encode_into"); |
82 | 0 | } |
83 | | |
84 | | void SingleResponse::decode_from(class BER_Decoder& from) |
85 | 25 | { |
86 | 25 | BER_Object cert_status; |
87 | 25 | Extensions extensions; |
88 | | |
89 | 25 | from.start_sequence() |
90 | 25 | .decode(m_certid) |
91 | 25 | .get_next(cert_status) |
92 | 25 | .decode(m_thisupdate) |
93 | 25 | .decode_optional(m_nextupdate, ASN1_Type(0), |
94 | 25 | ASN1_Class::ContextSpecific | ASN1_Class::Constructed) |
95 | 25 | .decode_optional(extensions, |
96 | 25 | ASN1_Type(1), |
97 | 25 | ASN1_Class::ContextSpecific | ASN1_Class::Constructed) |
98 | 25 | .end_cons(); |
99 | | |
100 | | /* CertStatus ::= CHOICE { |
101 | | good [0] IMPLICIT NULL, |
102 | | revoked [1] IMPLICIT RevokedInfo, |
103 | | unknown [2] IMPLICIT UnknownInfo } |
104 | | |
105 | | RevokedInfo ::= SEQUENCE { |
106 | | revocationTime GeneralizedTime, |
107 | | revocationReason [0] EXPLICIT CRLReason OPTIONAL } |
108 | | |
109 | | UnknownInfo ::= NULL |
110 | | |
111 | | We should verify the expected body and decode the RevokedInfo |
112 | | */ |
113 | 25 | m_cert_status = static_cast<uint32_t>(cert_status.type()); |
114 | 25 | } |
115 | | |
116 | | } |
117 | | |
118 | | } |