diff options
Diffstat (limited to 'src/lib/x509/ocsp.h')
-rw-r--r-- | src/lib/x509/ocsp.h | 62 |
1 files changed, 51 insertions, 11 deletions
diff --git a/src/lib/x509/ocsp.h b/src/lib/x509/ocsp.h index fe1796984..b86b6a5e4 100644 --- a/src/lib/x509/ocsp.h +++ b/src/lib/x509/ocsp.h @@ -29,10 +29,7 @@ class BOTAN_DLL Request * @param subject_cert subject certificate */ Request(const X509_Certificate& issuer_cert, - const X509_Certificate& subject_cert) : - m_issuer(issuer_cert), - m_subject(subject_cert) - {} + const X509_Certificate& subject_cert); /** * @return BER-encoded OCSP request @@ -53,12 +50,18 @@ class BOTAN_DLL Request * @return subject certificate */ const X509_Certificate& subject() const { return m_subject; } + + const std::vector<byte>& issuer_key_hash() const + { return m_certid.issuer_key_hash(); } private: X509_Certificate m_issuer, m_subject; + CertID m_certid; }; /** -* An OCSP response. +* OCSP response. +* +* Note this class is only usable as an OCSP client */ class BOTAN_DLL Response { @@ -69,12 +72,36 @@ class BOTAN_DLL Response Response() {} /** - * Creates an OCSP response. - * @param trusted_roots trusted roots for the OCSP response + * Parses an OCSP response. + * @param request the OCSP request this is a respone to * @param response_bits response bits received */ - Response(const Certificate_Store& trusted_roots, - const std::vector<byte>& response_bits); + Response(const std::vector<byte>& response_bits); + + /* + * Check signature and return status + * The optional cert_path is the (already validated!) certificate path of + * the end entity which is being inquired about + */ + Certificate_Status_Code check_signature(const std::vector<Certificate_Store*>& trust_roots, + const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path = {}) const; + + /* + * Verify that issuer's key signed this response + */ + Certificate_Status_Code verify_signature(const X509_Certificate& issuer) const; + + const X509_Time& produced_at() const { return m_produced_at; } + + /** + * @return DN of signer, if provided in response (may be empty) + */ + const X509_DN& signer_name() const { return m_signer_name; } + + /** + * @return key hash, if provided in response (may be empty) + */ + const std::vector<byte>& signer_key_hash() const { return m_key_hash; } /** * Searches the OCSP response for issuer and subject certificate. @@ -89,12 +116,23 @@ class BOTAN_DLL Response * OCSP_CERT_NOT_LISTED */ Certificate_Status_Code status_for(const X509_Certificate& issuer, - const X509_Certificate& subject) const; + const X509_Certificate& subject, + std::chrono::system_clock::time_point ref_time = std::chrono::system_clock::now()) const; private: + X509_Time m_produced_at; + X509_DN m_signer_name; + std::vector<byte> m_key_hash; + std::vector<byte> m_tbs_bits; + AlgorithmIdentifier m_sig_algo; + std::vector<byte> m_signature; + std::vector<X509_Certificate> m_certs; + std::vector<SingleResponse> m_responses; }; +#if defined(BOTAN_HAS_HTTP_UTIL) + /** * Makes an online OCSP request via HTTP and returns the OCSP response. * @param issuer issuer certificate @@ -104,7 +142,9 @@ class BOTAN_DLL Response */ BOTAN_DLL Response online_check(const X509_Certificate& issuer, const X509_Certificate& subject, - const Certificate_Store* trusted_roots); + Certificate_Store* trusted_roots); + +#endif } |