#include <ocsp.h>
Public Member Functions | |
| Response () | |
| Response (const Certificate_Store &trusted_roots, const std::vector< byte > &response) | |
| Certificate_Status_Code | status_for (const X509_Certificate &issuer, const X509_Certificate &subject) const |
| Botan::OCSP::Response::Response | ( | ) | [inline] |
| Botan::OCSP::Response::Response | ( | const Certificate_Store & | trusted_roots, |
| const std::vector< byte > & | response | ||
| ) |
Definition at line 125 of file ocsp.cpp.
References Botan::BIT_STRING, Botan::CONSTRUCTED, Botan::CONTEXT_SPECIFIC, Botan::BER_Decoder::decode(), Botan::BER_Decoder::decode_and_check(), Botan::BER_Decoder::decode_list(), Botan::BER_Decoder::decode_optional(), Botan::BER_Decoder::decode_optional_string(), Botan::BER_Decoder::end_cons(), Botan::ENUMERATED, Botan::Certificate_Store::find_cert(), Botan::BER_Decoder::get_next_octet_string(), Botan::BER_Decoder::more_items(), Botan::OCTET_STRING, Botan::BER_Decoder::push_back(), Botan::BER_Decoder::raw_bytes(), Botan::SEQUENCE, Botan::BER_Decoder::start_cons(), Botan::ASN1::to_string(), and Botan::UNIVERSAL.
{
   // OCSPResponse (RFC 6960): a responseStatus ENUMERATED followed by an
   // optional [0] EXPLICIT responseBytes. Everything parsed below comes from
   // bytes the responder (or anyone on the path) controls; nothing in this
   // body is trusted until check_signature() at the end has run.
   BER_Decoder response_outer = BER_Decoder(response_bits).start_cons(SEQUENCE);

   size_t resp_status = 0;
   response_outer.decode(resp_status, ENUMERATED, UNIVERSAL);

   // Only responseStatus 0 (successful) is accepted; any other value aborts
   // construction, so a "tryLater"/"unauthorized" style reply never yields
   // a usable Response object.
   if(resp_status != 0)
      throw std::runtime_error("OCSP response status " + std::to_string(resp_status));

   // A successful status with no responseBytes leaves m_responses empty;
   // status_for() then reports OCSP_CERT_NOT_LISTED for every certificate.
   if(response_outer.more_items())
      {
      BER_Decoder response_bytes =
         response_outer.start_cons(ASN1_Tag(0), CONTEXT_SPECIFIC).start_cons(SEQUENCE);

      // Only id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1) is understood; any
      // other responseType is rejected here.
      response_bytes.decode_and_check(OID("1.3.6.1.5.5.7.48.1.1"),
                                      "Unknown response type in OCSP response");

      BER_Decoder basicresponse =
         BER_Decoder(response_bytes.get_next_octet_string()).start_cons(SEQUENCE);

      std::vector<byte> tbs_bits;
      AlgorithmIdentifier sig_algo;
      std::vector<byte> signature;
      std::vector<X509_Certificate> certs;

      // Capture the encoded ResponseData verbatim via raw_bytes() so that the
      // signature is later verified over the exact bytes received rather than
      // over a re-encoding of the parsed fields.
      basicresponse.start_cons(SEQUENCE)
         .raw_bytes(tbs_bits)
         .end_cons()
         .decode(sig_algo)
         .decode(signature, BIT_STRING);

      // Optional [0] certs carried inside the response. These are supplied by
      // the responder and are untrusted input; they only become meaningful if
      // check_signature() chains them to trusted_roots.
      decode_optional_list(basicresponse, ASN1_Tag(0), certs);

      size_t responsedata_version = 0;
      X509_DN name;
      std::vector<byte> key_hash;
      X509_Time produced_at;
      Extensions extensions;

      // ResponseData: [0] version, responderID (byName [1] / byKey [2]),
      // producedAt, the SingleResponse list, and [1] responseExtensions.
      // NOTE(review): responsedata_version, produced_at and extensions are
      // decoded but never examined in this block (no version or nonce check
      // happens here).
      BER_Decoder(tbs_bits)
         .decode_optional(responsedata_version, ASN1_Tag(0),
                          ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))
         .decode_optional(name, ASN1_Tag(1),
                          ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))
         .decode_optional_string(key_hash, OCTET_STRING, 2,
                                 ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))
         .decode(produced_at)
         .decode_list(m_responses)
         .decode_optional(extensions, ASN1_Tag(1),
                          ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));

      // When the response carries no certificates the signer is looked up in
      // trusted_roots by name only (the key id argument is empty); key_hash is
      // decoded but not used for this lookup, so a byKey responderID without
      // embedded certs will presumably fail here and throw.
      if(certs.empty())
         {
         if(auto cert = trusted_roots.find_cert(name, std::vector<byte>()))
            certs.push_back(*cert);
         else
            throw std::runtime_error("Could not find certificate that signed OCSP response");
         }

      // check_signature (presumably defined elsewhere in ocsp.cpp) is the only
      // trust decision for this object: it must verify `signature` over
      // tbs_bits with sig_algo and tie `certs` back to trusted_roots — confirm
      // its chain validation when reviewing that function.
      check_signature(tbs_bits, sig_algo, signature, trusted_roots, certs);
      }

   response_outer.end_cons();
}
| Certificate_Status_Code Botan::OCSP::Response::status_for | ( | const X509_Certificate & | issuer, |
| const X509_Certificate & | subject | ||
| ) | const |
Definition at line 197 of file ocsp.cpp.
References Botan::CERT_IS_REVOKED, Botan::OCSP_BAD_STATUS, Botan::OCSP_CERT_NOT_LISTED, Botan::OCSP_HAS_EXPIRED, Botan::OCSP_NOT_YET_VALID, and Botan::OCSP_RESPONSE_GOOD.
{
   // Walk the SingleResponse list and report on the first entry whose CertID
   // matches the (issuer, subject) pair; later matches are never consulted.
   for(const auto& single : m_responses)
      {
      if(!single.certid().is_id_for(issuer, subject))
         continue;

      // Freshness is judged against the system clock at call time using only
      // thisUpdate/nextUpdate; no other freshness signal is examined here.
      X509_Time now(std::chrono::system_clock::now());

      // certStatus 1 (revoked) wins even if the validity window is off,
      // which errs on the side of rejecting the certificate.
      if(single.cert_status() == 1)
         return Certificate_Status_Code::CERT_IS_REVOKED;

      if(single.this_update() > now)
         return Certificate_Status_Code::OCSP_NOT_YET_VALID;

      // nextUpdate is optional; when absent the response never expires here.
      const bool has_next_update = single.next_update().time_is_set();
      if(has_next_update && now > single.next_update())
         return Certificate_Status_Code::OCSP_HAS_EXPIRED;

      // certStatus 0 is "good"; any other value (e.g. unknown) is a bad status.
      return (single.cert_status() == 0)
                ? Certificate_Status_Code::OCSP_RESPONSE_GOOD
                : Certificate_Status_Code::OCSP_BAD_STATUS;
      }

   // No SingleResponse covered this certificate at all.
   return Certificate_Status_Code::OCSP_CERT_NOT_LISTED;
}