/src/botan/src/lib/x509/ocsp_types.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * OCSP subtypes |
3 | | * (C) 2012 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/ocsp.h> |
9 | | #include <botan/der_enc.h> |
10 | | #include <botan/ber_dec.h> |
11 | | #include <botan/x509_ext.h> |
12 | | #include <botan/hash.h> |
13 | | |
14 | | namespace Botan::OCSP { |
15 | | |
16 | | CertID::CertID(const X509_Certificate& issuer, |
17 | | const BigInt& subject_serial) |
18 | 0 | { |
19 | | /* |
20 | | In practice it seems some responders, including, notably, |
21 | | ocsp.verisign.com, will reject anything but SHA-1 here |
22 | | */ |
23 | 0 | std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw("SHA-160")); |
24 | |
|
25 | 0 | m_hash_id = AlgorithmIdentifier(hash->name(), AlgorithmIdentifier::USE_NULL_PARAM); |
26 | 0 | m_issuer_key_hash = unlock(hash->process(issuer.subject_public_key_bitstring())); |
27 | 0 | m_issuer_dn_hash = unlock(hash->process(issuer.raw_subject_dn())); |
28 | 0 | m_subject_serial = subject_serial; |
29 | 0 | } |
30 | | |
31 | | bool CertID::is_id_for(const X509_Certificate& issuer, |
32 | | const X509_Certificate& subject) const |
33 | 0 | { |
34 | 0 | try |
35 | 0 | { |
36 | 0 | if(BigInt::decode(subject.serial_number()) != m_subject_serial) |
37 | 0 | return false; |
38 | | |
39 | 0 | const std::string hash_algo = m_hash_id.get_oid().to_formatted_string(); |
40 | 0 | std::unique_ptr<HashFunction> hash = HashFunction::create_or_throw(hash_algo); |
41 | |
|
42 | 0 | if(m_issuer_dn_hash != unlock(hash->process(subject.raw_issuer_dn()))) |
43 | 0 | return false; |
44 | | |
45 | 0 | if(m_issuer_key_hash != unlock(hash->process(issuer.subject_public_key_bitstring()))) |
46 | 0 | return false; |
47 | 0 | } |
48 | 0 | catch(...) |
49 | 0 | { |
50 | 0 | return false; |
51 | 0 | } |
52 | | |
53 | 0 | return true; |
54 | 0 | } |
55 | | |
56 | | void CertID::encode_into(DER_Encoder& to) const |
57 | 0 | { |
58 | 0 | to.start_sequence() |
59 | 0 | .encode(m_hash_id) |
60 | 0 | .encode(m_issuer_dn_hash, ASN1_Type::OctetString) |
61 | 0 | .encode(m_issuer_key_hash, ASN1_Type::OctetString) |
62 | 0 | .encode(m_subject_serial) |
63 | 0 | .end_cons(); |
64 | 0 | } |
65 | | |
66 | | void CertID::decode_from(BER_Decoder& from) |
67 | 18 | { |
68 | 18 | from.start_sequence() |
69 | 18 | .decode(m_hash_id) |
70 | 18 | .decode(m_issuer_dn_hash, ASN1_Type::OctetString) |
71 | 18 | .decode(m_issuer_key_hash, ASN1_Type::OctetString) |
72 | 18 | .decode(m_subject_serial) |
73 | 18 | .end_cons(); |
74 | | |
75 | 18 | } |
76 | | |
77 | | void SingleResponse::encode_into(DER_Encoder& /*to*/) const |
78 | 0 | { |
79 | 0 | throw Not_Implemented("SingleResponse::encode_into"); |
80 | 0 | } |
81 | | |
82 | | void SingleResponse::decode_from(BER_Decoder& from) |
83 | 19 | { |
84 | 19 | BER_Object cert_status; |
85 | 19 | Extensions extensions; |
86 | | |
87 | 19 | from.start_sequence() |
88 | 19 | .decode(m_certid) |
89 | 19 | .get_next(cert_status) |
90 | 19 | .decode(m_thisupdate) |
91 | 19 | .decode_optional(m_nextupdate, ASN1_Type(0), |
92 | 19 | ASN1_Class::ContextSpecific | ASN1_Class::Constructed) |
93 | 19 | .decode_optional(extensions, |
94 | 19 | ASN1_Type(1), |
95 | 19 | ASN1_Class::ContextSpecific | ASN1_Class::Constructed) |
96 | 19 | .end_cons(); |
97 | | |
98 | | /* CertStatus ::= CHOICE { |
99 | | good [0] IMPLICIT NULL, |
100 | | revoked [1] IMPLICIT RevokedInfo, |
101 | | unknown [2] IMPLICIT UnknownInfo } |
102 | | |
103 | | RevokedInfo ::= SEQUENCE { |
104 | | revocationTime GeneralizedTime, |
105 | | revocationReason [0] EXPLICIT CRLReason OPTIONAL } |
106 | | |
107 | | UnknownInfo ::= NULL |
108 | | |
109 | | We should verify the expected body and decode the RevokedInfo |
110 | | */ |
111 | 19 | m_cert_status = static_cast<uint32_t>(cert_status.type()); |
112 | 19 | } |
113 | | |
114 | | } |