authorNuno Goncalves <[email protected]>2017-02-27 18:12:28 +0100
committerNuno Goncalves <[email protected]>2017-03-04 12:20:46 +0100
commit9048a00464a1dcbcaa793fb3b76382589114d05f (patch)
tree95e5b3b7082ff67cca6fd91df7a7e28bf62d6d39 /src/lib/x509
parent6203025a02b052fbaebb4b309104497a22737187 (diff)
Allow OCSP requests without the full subject certificate
An OCSP request doesn't need the full subject certificate. This extends the API to accept, instead of the subject certificate: * OCSP::Request: the subject serial. * OCSP::online_check: the subject serial AND the OCSP responder URL. API breaking change: * removal of OCSP::Request::subject(), as OCSP::Request no longer needs to hold the certificate, only the serial. Signed-off-by: Nuno Goncalves <[email protected]>
Diffstat (limited to 'src/lib/x509')
-rw-r--r--src/lib/x509/ocsp.cpp37
-rw-r--r--src/lib/x509/ocsp.h12
-rw-r--r--src/lib/x509/ocsp_types.cpp6
-rw-r--r--src/lib/x509/ocsp_types.h2
-rw-r--r--src/lib/x509/x509path.cpp2
5 files changed, 43 insertions, 16 deletions
diff --git a/src/lib/x509/ocsp.cpp b/src/lib/x509/ocsp.cpp
index 964299f64..be8e6ed1d 100644
--- a/src/lib/x509/ocsp.cpp
+++ b/src/lib/x509/ocsp.cpp
@@ -53,13 +53,19 @@ void decode_optional_list(BER_Decoder& ber,
Request::Request(const X509_Certificate& issuer_cert,
const X509_Certificate& subject_cert) :
m_issuer(issuer_cert),
- m_subject(subject_cert),
- m_certid(m_issuer, m_subject)
+ m_certid(m_issuer, BigInt::decode(subject_cert.serial_number()))
{
if(subject_cert.issuer_dn() != issuer_cert.subject_dn())
throw Invalid_Argument("Invalid cert pair to OCSP::Request (mismatched issuer,subject args?)");
}
+Request::Request(const X509_Certificate& issuer_cert,
+ const BigInt& subject_serial) :
+ m_issuer(issuer_cert),
+ m_certid(m_issuer, subject_serial)
+ {
+ }
+
std::vector<uint8_t> Request::BER_encode() const
{
return DER_Encoder().start_cons(SEQUENCE)
@@ -275,17 +281,16 @@ Certificate_Status_Code Response::status_for(const X509_Certificate& issuer,
#if defined(BOTAN_HAS_HTTP_UTIL)
Response online_check(const X509_Certificate& issuer,
- const X509_Certificate& subject,
+ const BigInt& subject_serial,
+ const std::string& ocsp_responder,
Certificate_Store* trusted_roots)
{
- const std::string responder_url = subject.ocsp_responder();
+ if(ocsp_responder.empty())
+ throw Invalid_Argument("No OCSP responder specified");
- if(responder_url.empty())
- throw Exception("No OCSP responder specified");
+ OCSP::Request req(issuer, subject_serial);
- OCSP::Request req(issuer, subject);
-
- auto http = HTTP::POST_sync(responder_url,
+ auto http = HTTP::POST_sync(ocsp_responder,
"application/ocsp-request",
req.BER_encode());
@@ -304,6 +309,20 @@ Response online_check(const X509_Certificate& issuer,
return response;
}
+
+Response online_check(const X509_Certificate& issuer,
+ const X509_Certificate& subject,
+ Certificate_Store* trusted_roots)
+ {
+ if(subject.issuer_dn() != issuer.subject_dn())
+ throw Invalid_Argument("Invalid cert pair to OCSP::online_check (mismatched issuer,subject args?)");
+
+ return online_check(issuer,
+ BigInt::decode(subject.serial_number()),
+ subject.ocsp_responder(),
+ trusted_roots);
+ }
+
#endif
}
diff --git a/src/lib/x509/ocsp.h b/src/lib/x509/ocsp.h
index ff6a19567..881eee124 100644
--- a/src/lib/x509/ocsp.h
+++ b/src/lib/x509/ocsp.h
@@ -31,6 +31,9 @@ class BOTAN_DLL Request
Request(const X509_Certificate& issuer_cert,
const X509_Certificate& subject_cert);
+ Request(const X509_Certificate& issuer_cert,
+ const BigInt& subject_serial);
+
/**
* @return BER-encoded OCSP request
*/
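Review bot: The new `Request(issuer_cert, subject_serial)` constructor is declared without a doc comment, although the certificate-based overload directly above it is the one readers compare it against. The point worth stating is that this overload cannot perform the issuer/subject DN consistency check the certificate-based constructor does in ocsp.cpp, so the caller is responsible for passing a serial that was actually issued by issuer_cert. Proposed comment above the declaration: `/** Build a request for a certificate identified only by its serial number. @param issuer_cert the issuing certificate @param subject_serial serial of the certificate to check; must have been issued by issuer_cert, this overload cannot verify that */`.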
@@ -49,12 +52,12 @@ class BOTAN_DLL Request
/**
* @return subject certificate
*/
- const X509_Certificate& subject() const { return m_subject; }
+ const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }
const std::vector<uint8_t>& issuer_key_hash() const
{ return m_certid.issuer_key_hash(); }
private:
- X509_Certificate m_issuer, m_subject;
+ X509_Certificate m_issuer;
CertID m_certid;
};
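Review bot: `subject()` at the `+` line now unconditionally throws Not_Implemented, yet the doc comment two lines above it still says `@return subject certificate`, and the commit description says the method was removed rather than stubbed. Either drop the declaration as the description states, or keep the stub and document it, e.g. `/** @deprecated Request no longer stores the subject certificate; always throws Not_Implemented */` together with a grammatical message such as `throw Not_Implemented("Request::subject() has been removed");`. If the library's BOTAN_DEPRECATED macro is available in this version, marking the stub with it would surface the breakage to callers at compile time instead of at runtime.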
@@ -155,6 +158,11 @@ class BOTAN_DLL Response
#if defined(BOTAN_HAS_HTTP_UTIL)
+BOTAN_DLL Response online_check(const X509_Certificate& issuer,
+ const BigInt& subject_serial,
+ const std::string& ocsp_responder,
+ Certificate_Store* trusted_roots);
+
/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* @param issuer issuer certificate
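Review bot: The new `online_check(issuer, subject_serial, ocsp_responder, trusted_roots)` declaration has no doc comment, while the certificate-based overload immediately below it documents every parameter; the argument a caller is most likely to get wrong, `ocsp_responder`, is the undocumented one (the definition in ocsp.cpp throws Invalid_Argument when it is empty). Add a Doxygen block above the new declaration mirroring the one below: a brief stating it performs the HTTP OCSP query for a certificate identified by serial, `@param issuer issuer certificate`, `@param subject_serial serial number of the certificate to check`, `@param ocsp_responder URL of the OCSP responder; Invalid_Argument is thrown if empty`, and the same `@param trusted_roots` and `@return` text as the existing overload.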
diff --git a/src/lib/x509/ocsp_types.cpp b/src/lib/x509/ocsp_types.cpp
index c9d349a4b..470acffa6 100644
--- a/src/lib/x509/ocsp_types.cpp
+++ b/src/lib/x509/ocsp_types.cpp
@@ -17,7 +17,7 @@ namespace Botan {
namespace OCSP {
CertID::CertID(const X509_Certificate& issuer,
- const X509_Certificate& subject)
+ const BigInt& subject_serial)
{
/*
In practice it seems some responders, including, notably,
@@ -27,8 +27,8 @@ CertID::CertID(const X509_Certificate& issuer,
m_hash_id = AlgorithmIdentifier(hash->name(), AlgorithmIdentifier::USE_NULL_PARAM);
m_issuer_key_hash = unlock(hash->process(issuer.subject_public_key_bitstring()));
- m_issuer_dn_hash = unlock(hash->process(subject.raw_issuer_dn()));
- m_subject_serial = BigInt::decode(subject.serial_number());
+ m_issuer_dn_hash = unlock(hash->process(issuer.raw_subject_dn()));
+ m_subject_serial = subject_serial;
}
bool CertID::is_id_for(const X509_Certificate& issuer,
diff --git a/src/lib/x509/ocsp_types.h b/src/lib/x509/ocsp_types.h
index 1cbf207b8..be7ae716a 100644
--- a/src/lib/x509/ocsp_types.h
+++ b/src/lib/x509/ocsp_types.h
@@ -22,7 +22,7 @@ class BOTAN_DLL CertID final : public ASN1_Object
CertID() {}
CertID(const X509_Certificate& issuer,
- const X509_Certificate& subject);
+ const BigInt& subject_serial);
bool is_id_for(const X509_Certificate& issuer,
const X509_Certificate& subject) const;
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index c70ecae7a..eeb75b279 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -275,7 +275,7 @@ PKIX::check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate
else
{
ocsp_response_futures.emplace_back(std::async(std::launch::async, [&]() -> std::shared_ptr<const OCSP::Response> {
- OCSP::Request req(*issuer, *subject);
+ OCSP::Request req(*issuer, BigInt::decode(subject->serial_number()));
auto http = HTTP::POST_sync(subject->ocsp_responder(),
"application/ocsp-request",