aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-05-27 14:56:48 +0000
committerlloyd <[email protected]>2012-05-27 14:56:48 +0000
commit446d572d4984fa1f62001a0db7ac65b1201cbf45 (patch)
tree9f137c1498507466aa919bb0a0307ca5ef284bc5
parenta674eec6aac733ef2cf10d3cf4840c2ec9d9ebc1 (diff)
Initial ability to check the results.
-rw-r--r--src/cert/ocsp/ocsp.cpp47
-rw-r--r--src/cert/ocsp/ocsp.h9
-rw-r--r--src/cert/ocsp/ocsp_types.cpp4
3 files changed, 34 insertions, 26 deletions
diff --git a/src/cert/ocsp/ocsp.cpp b/src/cert/ocsp/ocsp.cpp
index 35490876c..c08f09efb 100644
--- a/src/cert/ocsp/ocsp.cpp
+++ b/src/cert/ocsp/ocsp.cpp
@@ -48,20 +48,18 @@ std::vector<byte> Request::BER_encode() const
{
CertID certid(m_issuer, m_subject);
- DER_Encoder der;
-
- der.start_cons(SEQUENCE)
- .start_cons(SEQUENCE)
- .start_explicit(0)
- .encode(static_cast<size_t>(0)) // version #
- .end_explicit()
- .start_cons(SEQUENCE);
-
- der.start_cons(SEQUENCE).encode(certid).end_cons();
-
- der.end_cons().end_cons().end_cons();
-
- return der.get_contents_unlocked();
+ return DER_Encoder().start_cons(SEQUENCE)
+ .start_cons(SEQUENCE)
+ .start_explicit(0)
+ .encode(static_cast<size_t>(0)) // version #
+ .end_explicit()
+ .start_cons(SEQUENCE)
+ .start_cons(SEQUENCE)
+ .encode(certid)
+ .end_cons()
+ .end_cons()
+ .end_cons()
+ .end_cons().get_contents_unlocked();
}
std::string Request::base64_encode() const
@@ -78,7 +76,6 @@ Response::Response(const std::vector<byte>& response_bits)
size_t resp_status = 0;
response_outer.decode(resp_status, ENUMERATED, UNIVERSAL);
- std::cout << resp_status << "\n";
if(response_outer.more_items())
{
@@ -94,7 +91,6 @@ Response::Response(const std::vector<byte>& response_bits)
BER_Decoder basicresponse_x(response_vec);
BER_Decoder basicresponse = basicresponse_x.start_cons(SEQUENCE);
-
BER_Decoder tbs_response = basicresponse.start_cons(SEQUENCE);
AlgorithmIdentifier sig_algo;
@@ -106,9 +102,6 @@ Response::Response(const std::vector<byte>& response_bits)
std::vector<X509_Certificate> certs;
decode_optional_list(basicresponse, ASN1_Tag(0), certs);
- for(auto c : certs)
- std::cout << c.to_string() << "\n";
-
size_t responsedata_version = 0;
X509_DN name;
std::vector<byte> key_hash;
@@ -127,13 +120,7 @@ Response::Response(const std::vector<byte>& response_bits)
tbs_response.decode(produced_at);
- std::cout << responsedata_version << "\n";
- std::cout << "Name = " << name << "\n";
- std::cout << "Key hash = " << hex_encode(key_hash) << "\n";
- std::cout << produced_at.readable_string() << "\n";
-
- std::vector<SingleResponse> sr;
- tbs_response.decode_list(sr);
+ tbs_response.decode_list(m_responses);
Extensions extensions;
tbs_response.decode_optional(extensions, ASN1_Tag(1),
@@ -144,6 +131,14 @@ Response::Response(const std::vector<byte>& response_bits)
}
+bool Response::affirmative_response_for(const Request& req)
+ {
+ for(auto response : m_responses)
+ if(response.affirmative_response_for(req.issuer(), req.subject()))
+ return true;
+
+ return false;
+ }
}
diff --git a/src/cert/ocsp/ocsp.h b/src/cert/ocsp/ocsp.h
index a93b77f5a..f576ba41e 100644
--- a/src/cert/ocsp/ocsp.h
+++ b/src/cert/ocsp/ocsp.h
@@ -26,6 +26,10 @@ class BOTAN_DLL Request
std::vector<byte> BER_encode() const;
std::string base64_encode() const;
+
+ const X509_Certificate& issuer() const { return m_issuer; }
+
+ const X509_Certificate& subject() const { return m_subject; }
private:
X509_Certificate m_issuer, m_subject;
};
@@ -34,6 +38,11 @@ class BOTAN_DLL Response
{
public:
Response(const std::vector<byte>& response);
+
+ bool affirmative_response_for(const Request&);
+
+ private:
+ std::vector<SingleResponse> m_responses;
};
}
diff --git a/src/cert/ocsp/ocsp_types.cpp b/src/cert/ocsp/ocsp_types.cpp
index 188c7661c..bead099ab 100644
--- a/src/cert/ocsp/ocsp_types.cpp
+++ b/src/cert/ocsp/ocsp_types.cpp
@@ -23,6 +23,10 @@ namespace OCSP {
CertID::CertID(const X509_Certificate& issuer,
const X509_Certificate& subject)
{
+ /*
+ In practice it seems some responders, including, notably,
+ ocsp.verisign.com, will reject anything but SHA-1 here
+ */
std::unique_ptr<HashFunction> hash(get_hash("SHA-160"));
m_hash_id = AlgorithmIdentifier(hash->name(), AlgorithmIdentifier::USE_NULL_PARAM);