aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/x509/ocsp.h
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/x509/ocsp.h')
-rw-r--r--src/lib/x509/ocsp.h62
1 files changed, 51 insertions, 11 deletions
diff --git a/src/lib/x509/ocsp.h b/src/lib/x509/ocsp.h
index fe1796984..b86b6a5e4 100644
--- a/src/lib/x509/ocsp.h
+++ b/src/lib/x509/ocsp.h
@@ -29,10 +29,7 @@ class BOTAN_DLL Request
* @param subject_cert subject certificate
*/
Request(const X509_Certificate& issuer_cert,
- const X509_Certificate& subject_cert) :
- m_issuer(issuer_cert),
- m_subject(subject_cert)
- {}
+ const X509_Certificate& subject_cert);
/**
* @return BER-encoded OCSP request
@@ -53,12 +50,18 @@ class BOTAN_DLL Request
* @return subject certificate
*/
const X509_Certificate& subject() const { return m_subject; }
+
+ const std::vector<byte>& issuer_key_hash() const
+ { return m_certid.issuer_key_hash(); }
private:
X509_Certificate m_issuer, m_subject;
+ CertID m_certid;
};
/**
-* An OCSP response.
+* OCSP response.
+*
+* Note this class is only usable as an OCSP client
*/
class BOTAN_DLL Response
{
@@ -69,12 +72,36 @@ class BOTAN_DLL Response
Response() {}
/**
- * Creates an OCSP response.
- * @param trusted_roots trusted roots for the OCSP response
+ * Parses an OCSP response.
+ * @param request the OCSP request this is a respone to
* @param response_bits response bits received
*/
- Response(const Certificate_Store& trusted_roots,
- const std::vector<byte>& response_bits);
+ Response(const std::vector<byte>& response_bits);
+
+ /*
+ * Check signature and return status
+ * The optional cert_path is the (already validated!) certificate path of
+ * the end entity which is being inquired about
+ */
+ Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots,
+ const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const;
+
+ /*
+ * Verify that issuer's key signed this response
+ */
+ Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const;
+
+ const X509_Time& produced_at() const { return m_produced_at; }
+
+ /**
+ * @return DN of signer, if provided in response (may be empty)
+ */
+ const X509_DN& signer_name() const { return m_signer_name; }
+
+ /**
+ * @return key hash, if provided in response (may be empty)
+ */
+ const std::vector<byte>& signer_key_hash() const { return m_key_hash; }
/**
* Searches the OCSP response for issuer and subject certificate.
@@ -89,12 +116,23 @@ class BOTAN_DLL Response
* OCSP_CERT_NOT_LISTED
*/
Certificate_Status_Code status_for(const X509_Certificate& issuer,
- const X509_Certificate& subject) const;
+ const X509_Certificate& subject,
+ std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now()) const;
private:
+ X509_Time m_produced_at;
+ X509_DN m_signer_name;
+ std::vector<byte> m_key_hash;
+ std::vector<byte> m_tbs_bits;
+ AlgorithmIdentifier m_sig_algo;
+ std::vector<byte> m_signature;
+ std::vector<X509_Certificate> m_certs;
+
std::vector<SingleResponse> m_responses;
};
+#if defined(BOTAN_HAS_HTTP_UTIL)
+
/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* @param issuer issuer certificate
@@ -104,7 +142,9 @@ class BOTAN_DLL Response
*/
BOTAN_DLL Response online_check(const X509_Certificate& issuer,
const X509_Certificate& subject,
- const Certificate_Store* trusted_roots);
+ Certificate_Store* trusted_roots);
+
+#endif
}