aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/x509/x509path.cpp21
-rw-r--r--src/lib/x509/x509path.h46
2 files changed, 45 insertions, 22 deletions
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index a889aa4d4..d0604e1c6 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -205,7 +205,7 @@ PKIX::check_ocsp(const std::vector<std::shared_ptr<const X509_Certificate>>& cer
const std::vector<std::shared_ptr<const OCSP::Response>>& ocsp_responses,
const std::vector<Certificate_Store*>& trusted_certstores,
std::chrono::system_clock::time_point ref_time,
- std::chrono::seconds max_age)
+ std::chrono::seconds max_ocsp_age)
{
if(cert_path.empty())
throw Invalid_Argument("PKIX::check_ocsp cert_path empty");
@@ -228,7 +228,7 @@ PKIX::check_ocsp(const std::vector<std::shared_ptr<const X509_Certificate>>& cer
if(ocsp_signature_status == Certificate_Status_Code::OCSP_SIGNATURE_OK)
{
// Signature ok, so check the claimed status
- Certificate_Status_Code ocsp_status = ocsp_responses.at(i)->status_for(*ca, *subject, ref_time, max_age);
+ Certificate_Status_Code ocsp_status = ocsp_responses.at(i)->status_for(*ca, *subject, ref_time, max_ocsp_age);
status.insert(ocsp_status);
}
else
@@ -351,7 +351,8 @@ PKIX::check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate
const std::vector<Certificate_Store*>& trusted_certstores,
std::chrono::system_clock::time_point ref_time,
std::chrono::milliseconds timeout,
- bool ocsp_check_intermediate_CAs)
+ bool ocsp_check_intermediate_CAs,
+ std::chrono::seconds max_ocsp_age)
{
if(cert_path.empty())
throw Invalid_Argument("PKIX::check_ocsp_online cert_path empty");
@@ -410,7 +411,7 @@ PKIX::check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate
ocsp_responses.push_back(ocsp_response_futures[i].get());
}
- return PKIX::check_ocsp(cert_path, ocsp_responses, trusted_certstores, ref_time);
+ return PKIX::check_ocsp(cert_path, ocsp_responses, trusted_certstores, ref_time, max_ocsp_age);
}
CertificatePathStatusCodes
@@ -876,7 +877,7 @@ Path_Validation_Result x509_path_validate(
if(ocsp_resp.size() > 0)
{
- ocsp_status = PKIX::check_ocsp(cert_path, ocsp_resp, trusted_roots, ref_time);
+ ocsp_status = PKIX::check_ocsp(cert_path, ocsp_resp, trusted_roots, ref_time, restrictions.max_ocsp_age());
}
if(ocsp_status.empty() && ocsp_timeout != std::chrono::milliseconds(0))
@@ -958,14 +959,16 @@ Path_Validation_Result x509_path_validate(
}
Path_Validation_Restrictions::Path_Validation_Restrictions(bool require_rev,
- size_t key_strength,
- bool ocsp_intermediates) :
+ size_t key_strength,
+ bool ocsp_intermediates,
+ std::chrono::seconds max_ocsp_age) :
m_require_revocation_information(require_rev),
m_ocsp_all_intermediates(ocsp_intermediates),
- m_minimum_key_strength(key_strength)
+ m_minimum_key_strength(key_strength),
+ m_max_ocsp_age(max_ocsp_age)
{
if(key_strength <= 80)
- m_trusted_hashes.insert("SHA-160");
+ { m_trusted_hashes.insert("SHA-160"); }
m_trusted_hashes.insert("SHA-224");
m_trusted_hashes.insert("SHA-256");
diff --git a/src/lib/x509/x509path.h b/src/lib/x509/x509path.h
index 3e457b970..ed2cbd592 100644
--- a/src/lib/x509/x509path.h
+++ b/src/lib/x509/x509path.h
@@ -47,10 +47,13 @@ class BOTAN_PUBLIC_API(2,0) Path_Validation_Restrictions final
* 128 bit strength requires ~3k bit RSA or P-256
* @param ocsp_all_intermediates Make OCSP requests for all CAs as
* well as end entity (if OCSP enabled in path validation request)
+ * @param max_ocsp_age maximum age of OCSP responses w/o next_update.
+ * If zero, there is no maximum age
*/
Path_Validation_Restrictions(bool require_rev = false,
size_t minimum_key_strength = 110,
- bool ocsp_all_intermediates = false);
+ bool ocsp_all_intermediates = false,
+ std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero());
/**
* @param require_rev if true, revocation information is required
@@ -62,15 +65,19 @@ class BOTAN_PUBLIC_API(2,0) Path_Validation_Restrictions final
* @param trusted_hashes a set of trusted hashes. Any signatures
* created using a hash other than one of these will be
* rejected.
+ * @param max_ocsp_age maximum age of OCSP responses w/o next_update.
+ * If zero, there is no maximum age
*/
Path_Validation_Restrictions(bool require_rev,
size_t minimum_key_strength,
bool ocsp_all_intermediates,
- const std::set<std::string>& trusted_hashes) :
+ const std::set<std::string>& trusted_hashes,
+ std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero()) :
m_require_revocation_information(require_rev),
m_ocsp_all_intermediates(ocsp_all_intermediates),
m_trusted_hashes(trusted_hashes),
- m_minimum_key_strength(minimum_key_strength) {}
+ m_minimum_key_strength(minimum_key_strength),
+ m_max_ocsp_age(max_ocsp_age) {}
/**
* @return whether revocation information is required
@@ -97,11 +104,19 @@ class BOTAN_PUBLIC_API(2,0) Path_Validation_Restrictions final
size_t minimum_key_strength() const
{ return m_minimum_key_strength; }
+ /**
+ * @return maximum age of OCSP responses w/o next_update.
+ * If zero, there is no maximum age
+ */
+ std::chrono::seconds max_ocsp_age() const
+ { return m_max_ocsp_age; }
+
private:
bool m_require_revocation_information;
bool m_ocsp_all_intermediates;
std::set<std::string> m_trusted_hashes;
size_t m_minimum_key_strength;
+ std::chrono::seconds m_max_ocsp_age;
};
/**
@@ -346,14 +361,16 @@ BOTAN_PUBLIC_API(2,0) check_chain(const std::vector<std::shared_ptr<const X509_C
* @param certstores trusted roots
* @param ref_time whatever time you want to perform the validation against
* (normally current system clock)
+* @param max_ocsp_age maximum age of OCSP responses w/o next_update. If zero,
+* there is no maximum age
* @return revocation status
*/
CertificatePathStatusCodes
-BOTAN_PUBLIC_API(2,0) check_ocsp(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
- const std::vector<std::shared_ptr<const OCSP::Response>>& ocsp_responses,
- const std::vector<Certificate_Store*>& certstores,
- std::chrono::system_clock::time_point ref_time,
- std::chrono::seconds max_age = std::chrono::seconds::zero());
+BOTAN_PUBLIC_API(2, 0) check_ocsp(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
+ const std::vector<std::shared_ptr<const OCSP::Response>>& ocsp_responses,
+ const std::vector<Certificate_Store*>& certstores,
+ std::chrono::system_clock::time_point ref_time,
+ std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero());
/**
* Check CRLs for revocation information
@@ -396,14 +413,17 @@ BOTAN_PUBLIC_API(2,0) check_crl(const std::vector<std::shared_ptr<const X509_Cer
* may block for up to timeout*cert_path.size()*C for some small C.
* @param ocsp_check_intermediate_CAs if true also performs OCSP on any intermediate
* CA certificates. If false, only does OCSP on the end entity cert.
+* @param max_ocsp_age maximum age of OCSP responses w/o next_update. If zero,
+* there is no maximum age
* @return revocation status
*/
CertificatePathStatusCodes
-BOTAN_PUBLIC_API(2,0) check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
- const std::vector<Certificate_Store*>& trusted_certstores,
- std::chrono::system_clock::time_point ref_time,
- std::chrono::milliseconds timeout,
- bool ocsp_check_intermediate_CAs);
+BOTAN_PUBLIC_API(2, 0) check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
+ const std::vector<Certificate_Store*>& trusted_certstores,
+ std::chrono::system_clock::time_point ref_time,
+ std::chrono::milliseconds timeout,
+ bool ocsp_check_intermediate_CAs,
+ std::chrono::seconds max_ocsp_age = std::chrono::seconds::zero());
/**
* Check CRL using online (HTTP) access. Current version creates a thread and