Botan  1.11.15
Public Member Functions
Botan::OCSP::Response Class Reference

#include <ocsp.h>

List of all members.

Public Member Functions

 Response ()
 Response (const Certificate_Store &trusted_roots, const std::vector< byte > &response)
Certificate_Status_Code status_for (const X509_Certificate &issuer, const X509_Certificate &subject) const

Detailed Description

Definition at line 40 of file ocsp.h.


Constructor & Destructor Documentation

Definition at line 43 of file ocsp.h.

{}
Botan::OCSP::Response::Response ( const Certificate_Store trusted_roots,
const std::vector< byte > &  response 
)

Definition at line 125 of file ocsp.cpp.

References Botan::BIT_STRING, Botan::CONSTRUCTED, Botan::CONTEXT_SPECIFIC, Botan::BER_Decoder::decode(), Botan::BER_Decoder::decode_and_check(), Botan::BER_Decoder::decode_list(), Botan::BER_Decoder::decode_optional(), Botan::BER_Decoder::decode_optional_string(), Botan::BER_Decoder::end_cons(), Botan::ENUMERATED, Botan::Certificate_Store::find_cert(), Botan::BER_Decoder::get_next_octet_string(), Botan::BER_Decoder::more_items(), Botan::OCTET_STRING, Botan::BER_Decoder::push_back(), Botan::BER_Decoder::raw_bytes(), Botan::SEQUENCE, Botan::BER_Decoder::start_cons(), Botan::ASN1::to_string(), and Botan::UNIVERSAL.

   {
   BER_Decoder response_outer = BER_Decoder(response_bits).start_cons(SEQUENCE);

   size_t resp_status = 0;

   response_outer.decode(resp_status, ENUMERATED, UNIVERSAL);

   if(resp_status != 0)
      throw std::runtime_error("OCSP response status " + std::to_string(resp_status));

   if(response_outer.more_items())
      {
      BER_Decoder response_bytes =
         response_outer.start_cons(ASN1_Tag(0), CONTEXT_SPECIFIC).start_cons(SEQUENCE);

      response_bytes.decode_and_check(OID("1.3.6.1.5.5.7.48.1.1"),
                                      "Unknown response type in OCSP response");

      BER_Decoder basicresponse =
         BER_Decoder(response_bytes.get_next_octet_string()).start_cons(SEQUENCE);

      std::vector<byte> tbs_bits;
      AlgorithmIdentifier sig_algo;
      std::vector<byte> signature;
      std::vector<X509_Certificate> certs;

      basicresponse.start_cons(SEQUENCE)
           .raw_bytes(tbs_bits)
         .end_cons()
         .decode(sig_algo)
         .decode(signature, BIT_STRING);
      decode_optional_list(basicresponse, ASN1_Tag(0), certs);

      size_t responsedata_version = 0;
      X509_DN name;
      std::vector<byte> key_hash;
      X509_Time produced_at;
      Extensions extensions;

      BER_Decoder(tbs_bits)
         .decode_optional(responsedata_version, ASN1_Tag(0),
                          ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))

         .decode_optional(name, ASN1_Tag(1),
                          ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))

         .decode_optional_string(key_hash, OCTET_STRING, 2,
                                 ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC))

         .decode(produced_at)

         .decode_list(m_responses)

         .decode_optional(extensions, ASN1_Tag(1),
                          ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC));

      if(certs.empty())
         {
         if(auto cert = trusted_roots.find_cert(name, std::vector<byte>()))
            certs.push_back(*cert);
         else
            throw std::runtime_error("Could not find certificate that signed OCSP response");
         }

      check_signature(tbs_bits, sig_algo, signature, trusted_roots, certs);
      }

   response_outer.end_cons();
   }

Member Function Documentation

Definition at line 197 of file ocsp.cpp.

References Botan::CERT_IS_REVOKED, Botan::OCSP_BAD_STATUS, Botan::OCSP_CERT_NOT_LISTED, Botan::OCSP_HAS_EXPIRED, Botan::OCSP_NOT_YET_VALID, and Botan::OCSP_RESPONSE_GOOD.

   {
   for(const auto& response : m_responses)
      {
      if(response.certid().is_id_for(issuer, subject))
         {
         X509_Time current_time(std::chrono::system_clock::now());

         if(response.cert_status() == 1)
            return Certificate_Status_Code::CERT_IS_REVOKED;

         if(response.this_update() > current_time)
            return Certificate_Status_Code::OCSP_NOT_YET_VALID;

         if(response.next_update().time_is_set() && current_time > response.next_update())
            return Certificate_Status_Code::OCSP_HAS_EXPIRED;

         if(response.cert_status() == 0)
            return Certificate_Status_Code::OCSP_RESPONSE_GOOD;
         else
            return Certificate_Status_Code::OCSP_BAD_STATUS;
         }
      }

   return Certificate_Status_Code::OCSP_CERT_NOT_LISTED;
   }

The documentation for this class was generated from the following files: