Allow OCSP requests without the full subject certificate

A OCSP request doesn't need the full subject certificate. This extends the API to require instead of the subject certificate: * OCSP::Request: subject serial. * OCSP::online_check: subject serial AND ocsp responder url. API breaking change: * removal of OCSP::Request::subject() as OCSP::Request doesn't need to hold the certificate, but only the serial. Signed-off-by: Nuno Goncalves <[email protected]>
author: Nuno Goncalves <[email protected]> 2017-02-27 18:12:28 +0100
committer: Nuno Goncalves <[email protected]> 2017-03-04 12:20:46 +0100
commit: 9048a00464a1dcbcaa793fb3b76382589114d05f (patch)
tree: 95e5b3b7082ff67cca6fd91df7a7e28bf62d6d39 /src/lib
parent: 6203025a02b052fbaebb4b309104497a22737187 (diff)
5 files changed, 43 insertions, 16 deletions
diff --git a/src/lib/x509/ocsp.cpp b/src/lib/x509/ocsp.cpp
index 964299f64..be8e6ed1d 100644
--- a/src/lib/x509/ocsp.cpp
+++ b/src/lib/x509/ocsp.cpp
@@ -53,13 +53,19 @@ void decode_optional_list(BER_Decoder& ber,
 Request::Request(const X509_Certificate& issuer_cert,
                  const X509_Certificate& subject_cert) :
    m_issuer(issuer_cert),
-   m_subject(subject_cert),
-   m_certid(m_issuer, m_subject)
+   m_certid(m_issuer, BigInt::decode(subject_cert.serial_number()))
    {
    if(subject_cert.issuer_dn() != issuer_cert.subject_dn())
       throw Invalid_Argument("Invalid cert pair to OCSP::Request (mismatched issuer,subject args?)");
    }
 
+Request::Request(const X509_Certificate& issuer_cert,
+                 const BigInt& subject_serial) :
+   m_issuer(issuer_cert),
+   m_certid(m_issuer, subject_serial)
+   {
+   }
+
 std::vector<uint8_t> Request::BER_encode() const
    {
    return DER_Encoder().start_cons(SEQUENCE)
@@ -275,17 +281,16 @@ Certificate_Status_Code Response::status_for(const X509_Certificate& issuer,
 #if defined(BOTAN_HAS_HTTP_UTIL)
 
 Response online_check(const X509_Certificate& issuer,
-                      const X509_Certificate& subject,
+                      const BigInt& subject_serial,
+                      const std::string& ocsp_responder,
                       Certificate_Store* trusted_roots)
    {
-   const std::string responder_url = subject.ocsp_responder();
+   if(ocsp_responder.empty())
+      throw Invalid_Argument("No OCSP responder specified");
 
-   if(responder_url.empty())
-      throw Exception("No OCSP responder specified");
+   OCSP::Request req(issuer, subject_serial);
 
-   OCSP::Request req(issuer, subject);
-
-   auto http = HTTP::POST_sync(responder_url,
+   auto http = HTTP::POST_sync(ocsp_responder,
                                "application/ocsp-request",
                                req.BER_encode());
 
@@ -304,6 +309,20 @@ Response online_check(const X509_Certificate& issuer,
    return response;
    }
 
+
+Response online_check(const X509_Certificate& issuer,
+                      const X509_Certificate& subject,
+                      Certificate_Store* trusted_roots)
+   {
+   if(subject.issuer_dn() != issuer.subject_dn())
+      throw Invalid_Argument("Invalid cert pair to OCSP::online_check (mismatched issuer,subject args?)");
+
+   return online_check(issuer,
+                       BigInt::decode(subject.serial_number()),
+                       subject.ocsp_responder(),
+                       trusted_roots);
+   }
+
 #endif
 
 }
diff --git a/src/lib/x509/ocsp.h b/src/lib/x509/ocsp.h
index ff6a19567..881eee124 100644
--- a/src/lib/x509/ocsp.h
+++ b/src/lib/x509/ocsp.h
@@ -31,6 +31,9 @@ class BOTAN_DLL Request
       Request(const X509_Certificate& issuer_cert,
               const X509_Certificate& subject_cert);
 
+      Request(const X509_Certificate& issuer_cert,
+              const BigInt& subject_serial);
+
       /**
       * @return BER-encoded OCSP request
       */
@@ -49,12 +52,12 @@ class BOTAN_DLL Request
       /**
       * @return subject certificate
       */
-      const X509_Certificate& subject() const { return m_subject; }
+      const X509_Certificate& subject() const { throw Not_Implemented("Method have been deprecated"); }
 
       const std::vector<uint8_t>& issuer_key_hash() const
          { return m_certid.issuer_key_hash(); }
    private:
-      X509_Certificate m_issuer, m_subject;
+      X509_Certificate m_issuer;
       CertID m_certid;
    };
 
@@ -155,6 +158,11 @@ class BOTAN_DLL Response
 
 #if defined(BOTAN_HAS_HTTP_UTIL)
 
+BOTAN_DLL Response online_check(const X509_Certificate& issuer,
+                                const BigInt& subject_serial,
+                                const std::string& ocsp_responder,
+                                Certificate_Store* trusted_roots);
+
 /**
 * Makes an online OCSP request via HTTP and returns the OCSP response.
 * @param issuer issuer certificate
diff --git a/src/lib/x509/ocsp_types.cpp b/src/lib/x509/ocsp_types.cpp
index c9d349a4b..470acffa6 100644
--- a/src/lib/x509/ocsp_types.cpp
+++ b/src/lib/x509/ocsp_types.cpp
@@ -17,7 +17,7 @@ namespace Botan {
 namespace OCSP {
 
 CertID::CertID(const X509_Certificate& issuer,
-               const X509_Certificate& subject)
+               const BigInt& subject_serial)
    {
    /*
    In practice it seems some responders, including, notably,
@@ -27,8 +27,8 @@ CertID::CertID(const X509_Certificate& issuer,
 
    m_hash_id = AlgorithmIdentifier(hash->name(), AlgorithmIdentifier::USE_NULL_PARAM);
    m_issuer_key_hash = unlock(hash->process(issuer.subject_public_key_bitstring()));
-   m_issuer_dn_hash = unlock(hash->process(subject.raw_issuer_dn()));
-   m_subject_serial = BigInt::decode(subject.serial_number());
+   m_issuer_dn_hash = unlock(hash->process(issuer.raw_subject_dn()));
+   m_subject_serial = subject_serial;
    }
 
 bool CertID::is_id_for(const X509_Certificate& issuer,
diff --git a/src/lib/x509/ocsp_types.h b/src/lib/x509/ocsp_types.h
index 1cbf207b8..be7ae716a 100644
--- a/src/lib/x509/ocsp_types.h
+++ b/src/lib/x509/ocsp_types.h
@@ -22,7 +22,7 @@ class BOTAN_DLL CertID final : public ASN1_Object
       CertID() {}
 
       CertID(const X509_Certificate& issuer,
-             const X509_Certificate& subject);
+             const BigInt& subject_serial);
 
       bool is_id_for(const X509_Certificate& issuer,
                      const X509_Certificate& subject) const;
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index c70ecae7a..eeb75b279 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -275,7 +275,7 @@ PKIX::check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate
          else
             {
             ocsp_response_futures.emplace_back(std::async(std::launch::async, [&]() -> std::shared_ptr<const OCSP::Response> {
-                  OCSP::Request req(*issuer, *subject);
+                  OCSP::Request req(*issuer, BigInt::decode(subject->serial_number()));
 
                   auto http = HTTP::POST_sync(subject->ocsp_responder(),
                                               "application/ocsp-request",
author	Nuno Goncalves <[email protected]>	2017-02-27 18:12:28 +0100
committer	Nuno Goncalves <[email protected]>	2017-03-04 12:20:46 +0100
commit	9048a00464a1dcbcaa793fb3b76382589114d05f (patch)
tree	95e5b3b7082ff67cca6fd91df7a7e28bf62d6d39 /src/lib
parent	6203025a02b052fbaebb4b309104497a22737187 (diff)