diff options
| author | Jack Lloyd <[email protected]> | 2016-11-21 20:07:26 -0500 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2016-11-23 08:31:07 -0500 |
| commit | cdd2e2babc0506d0c727aff06d1fc430cedbf695 (patch) | |
| tree | 136e8ade4c31e4086245db2d87552bde1c584fe1 /src/lib/x509/ocsp.h | |
| parent | 7dbb31c5778ac1158fbf0979739f6c3c55a007f5 (diff) | |
Refactor X.509 path validation
Splits path building, path validation, CRL checks, and OCSP checks
into distinct functions in namespace PKIX. The previous path validation
APIs remain.
Fixes to OCSP to store more information and to handle modern OCSP setups
in at least some situations.
Diffstat (limited to 'src/lib/x509/ocsp.h')
| -rw-r--r-- | src/lib/x509/ocsp.h | 62 |
1 files changed, 51 insertions, 11 deletions
diff --git a/src/lib/x509/ocsp.h b/src/lib/x509/ocsp.h index fe1796984..b86b6a5e4 100644 --- a/src/lib/x509/ocsp.h +++ b/src/lib/x509/ocsp.h @@ -29,10 +29,7 @@ class BOTAN_DLL Request * @param subject_cert subject certificate */ Request(const X509_Certificate& issuer_cert, - const X509_Certificate& subject_cert) : - m_issuer(issuer_cert), - m_subject(subject_cert) - {} + const X509_Certificate& subject_cert); /** * @return BER-encoded OCSP request @@ -53,12 +50,18 @@ class BOTAN_DLL Request * @return subject certificate */ const X509_Certificate& subject() const { return m_subject; } + + const std::vector<byte>& issuer_key_hash() const + { return m_certid.issuer_key_hash(); } private: X509_Certificate m_issuer, m_subject; + CertID m_certid; }; /** -* An OCSP response. +* OCSP response. +* +* Note this class is only usable as an OCSP client */ class BOTAN_DLL Response { @@ -69,12 +72,36 @@ class BOTAN_DLL Response Response() {} /** - * Creates an OCSP response. - * @param trusted_roots trusted roots for the OCSP response + * Parses an OCSP response. + * @param request the OCSP request this is a respone to * @param response_bits response bits received */ - Response(const Certificate_Store& trusted_roots, - const std::vector<byte>& response_bits); + Response(const std::vector<byte>& response_bits); + + /* + * Check signature and return status + * The optional cert_path is the (already validated!) certificate path of + * the end entity which is being inquired about + */ + Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots, + const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const; + + /* + * Verify that issuer's key signed this response + */ + Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const; + + const X509_Time& produced_at() const { return m_produced_at; } + + /** + * @return DN of signer, if provided in response (may be empty) + */ + const X509_DN& signer_name() const { return m_signer_name; } + + /** + * @return key hash, if provided in response (may be empty) + */ + const std::vector<byte>& signer_key_hash() const { return m_key_hash; } /** * Searches the OCSP response for issuer and subject certificate. @@ -89,12 +116,23 @@ class BOTAN_DLL Response * OCSP_CERT_NOT_LISTED */ Certificate_Status_Code status_for(const X509_Certificate& issuer, - const X509_Certificate& subject) const; + const X509_Certificate& subject, + std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now()) const; private: + X509_Time m_produced_at; + X509_DN m_signer_name; + std::vector<byte> m_key_hash; + std::vector<byte> m_tbs_bits; + AlgorithmIdentifier m_sig_algo; + std::vector<byte> m_signature; + std::vector<X509_Certificate> m_certs; + std::vector<SingleResponse> m_responses; }; +#if defined(BOTAN_HAS_HTTP_UTIL) + /** * Makes an online OCSP request via HTTP and returns the OCSP response. * @param issuer issuer certificate @@ -104,7 +142,9 @@ class BOTAN_DLL Response */ BOTAN_DLL Response online_check(const X509_Certificate& issuer, const X509_Certificate& subject, - const Certificate_Store* trusted_roots); + Certificate_Store* trusted_roots); + +#endif } |