/src/botan/src/lib/tls/tls_extensions_cert_status_req.cpp
1 | | /* |
2 | | * TLS Extension Certificate_Status_Request |
3 | | * (C) 2011,2012,2015,2016,2022 Jack Lloyd |
4 | | * 2016 Juraj Somorovsky |
5 | | * 2021 Elektrobit Automotive GmbH |
6 | | * 2022 Hannes Rantzsch, René Meusel, neXenio GmbH |
7 | | * |
8 | | * Botan is released under the Simplified BSD License (see license.txt) |
9 | | */ |
10 | | |
11 | | #include <botan/tls_extensions.h> |
12 | | #include <botan/tls_messages.h> |
13 | | #include <botan/internal/tls_reader.h> |
14 | | #include <botan/tls_exceptn.h> |
15 | | |
16 | | namespace Botan::TLS |
17 | | { |
18 | | |
/**
* Encode the body of the status_request extension.
*
* Only the client side carries a body: a CertificateStatusRequest with
* status_type = ocsp(1), an empty responder_id_list and empty
* request_extensions (layout per RFC 6066):
*
*    opaque ResponderID<1..2^16-1>;
*    opaque Extensions<0..2^16-1>;
*
*    CertificateStatusType status_type = ocsp(1)
*    ResponderID responder_id_list<0..2^16-1>
*    Extensions request_extensions;
*
* NOTE(review): the responder IDs and extension bytes held in
* m_ocsp_names / m_extension_bytes are not emitted here; the client
* always sends empty lists.
*
* @param whoami the side producing the extension
* @return the encoded extension body; empty when produced by the server
*/
std::vector<uint8_t> Certificate_Status_Request::serialize(Connection_Side whoami) const
   {
   // The server's reply carries no body at all
   if(whoami == Connection_Side::SERVER)
      return {};

   // status_type = ocsp(1), then a zero-length responder_id_list (2 bytes)
   // and a zero-length request_extensions (2 bytes)
   return {0x01, 0x00, 0x00, 0x00, 0x00};
   }
44 | | |
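/**
* Parse a status_request extension received from the peer.
*
* The expected layout depends on who sent it and in which handshake
* message it arrived:
*  - server, Server Hello (TLS 1.2 and below): zero-length body
*  - server, Certificate (TLS 1.3): a CertificateStatus structure (RFC 6066)
*  - client: a CertificateStatusRequest structure (RFC 6066); only
*    status_type ocsp(1) is interpreted, other types are skipped
*
* @param reader         reader positioned at the start of the extension body
* @param extension_size length of the extension body in bytes
* @param from           the side that sent the extension
* @param message_type   the handshake message carrying the extension
*
* @throws Decoding_Error if the body does not match the layout expected in
*         the given context, or if the encoded lengths of a client request
*         do not add up to extension_size
* @throws TLS_Exception (UNSUPPORTED_EXTENSION) if the server sent the
*         extension in a message where it is not expected
*/
Certificate_Status_Request::Certificate_Status_Request(TLS_Data_Reader& reader,
                                                       uint16_t extension_size,
                                                       Connection_Side from,
                                                       Handshake_Type message_type)
   {
   if(from == Connection_Side::SERVER)
      {
      // RFC 8446 4.4.2.1
      // In TLS 1.2 and below, the server replies with an empty extension
      // [in its Server Hello] [...]. In TLS 1.3, the server's OCSP information
      // is carried in an extension in the [Certificate handshake message]
      // containing the associated certificate.
      //
      // We use the `message_type` context information as an indication which
      // type of Certificate_Status_Request extension to expect.
      if(message_type == Handshake_Type::SERVER_HELLO)
         {
         // ... in a Server Hello the extension must have a zero-length body
         if(extension_size != 0)
            throw Decoding_Error("Server sent non-empty Certificate_Status_Request extension in Server Hello");
         }
      else if(message_type == Handshake_Type::CERTIFICATE)
         {
         // RFC 8446 4.4.2.1
         // In TLS 1.3, the server's OCSP information is carried in an
         // extension in the CertificateEntry [in a Certificate handshake
         // message] [...]. Specifically, the body of the "status_request"
         // extension from the server MUST be a CertificateStatus structure
         // as defined in [RFC6066] [...].
         m_response = Certificate_Status(reader.get_fixed<uint8_t>(extension_size)).response();
         }
      else
         {
         throw TLS_Exception(Alert::UNSUPPORTED_EXTENSION, "Server sent a Certificate_Status_Request extension in an unsupported context");
         }
      }
   else if(extension_size > 0)
      {
      const uint8_t type = reader.get_byte();
      if(type == 1)
         {
         // CertificateStatusRequest (RFC 6066):
         //   status_type (1) | responder_id_list length (2) | responder_id_list |
         //   request_extensions length (2) | request_extensions
         // The lengths are peer-controlled; verify they stay within the
         // advertised extension body so that we neither read into the next
         // extension nor leave unconsumed bytes behind in the shared reader.
         const size_t len_resp_id_list = reader.get_uint16_t();
         if(1 + 2 + len_resp_id_list + 2 > extension_size)
            throw Decoding_Error("Certificate_Status_Request responder_id_list exceeds extension size");
         m_ocsp_names = reader.get_fixed<uint8_t>(len_resp_id_list);

         const size_t len_requ_ext = reader.get_uint16_t();
         if(1 + 2 + len_resp_id_list + 2 + len_requ_ext != extension_size)
            throw Decoding_Error("Certificate_Status_Request request_extensions does not match extension size");
         m_extension_bytes = reader.get_fixed<uint8_t>(len_requ_ext);
         }
      else
         {
         // Unknown status_type: skip the remainder of the body so the reader
         // stays aligned with whatever follows this extension
         reader.discard_next(extension_size - 1);
         }
      }
   }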
97 | | |
/**
* Construct a client-side status_request extension.
*
* The given responder IDs and key IDs are stored in m_ocsp_names and
* m_ocsp_keys; serialize() does not emit them on the wire (it always
* sends empty lists), and m_ocsp_keys is not read anywhere in this file.
*
* @param ocsp_responder_ids encoded OCSP responder IDs to remember
* @param ocsp_key_ids       OCSP responder key IDs to remember
*/
Certificate_Status_Request::Certificate_Status_Request(const std::vector<uint8_t>& ocsp_responder_ids,
                                                       const std::vector<std::vector<uint8_t>>& ocsp_key_ids)
   : m_ocsp_names(ocsp_responder_ids)
   , m_ocsp_keys(ocsp_key_ids)
   {}
104 | | |
105 | | } |