Botan
1.11.15
|
#include <ocsp.h>
Public Member Functions | |
Response () | |
Response (const Certificate_Store &trusted_roots, const std::vector< byte > &response) | |
Certificate_Status_Code | status_for (const X509_Certificate &issuer, const X509_Certificate &subject) const |
Botan::OCSP::Response::Response | ( | ) | [inline] |
Botan::OCSP::Response::Response | ( | const Certificate_Store & | trusted_roots, |
const std::vector< byte > & | response | ||
) |
Definition at line 125 of file ocsp.cpp.
References Botan::BIT_STRING, Botan::CONSTRUCTED, Botan::CONTEXT_SPECIFIC, Botan::BER_Decoder::decode(), Botan::BER_Decoder::decode_and_check(), Botan::BER_Decoder::decode_list(), Botan::BER_Decoder::decode_optional(), Botan::BER_Decoder::decode_optional_string(), Botan::BER_Decoder::end_cons(), Botan::ENUMERATED, Botan::Certificate_Store::find_cert(), Botan::BER_Decoder::get_next_octet_string(), Botan::BER_Decoder::more_items(), Botan::OCTET_STRING, Botan::BER_Decoder::push_back(), Botan::BER_Decoder::raw_bytes(), Botan::SEQUENCE, Botan::BER_Decoder::start_cons(), Botan::ASN1::to_string(), and Botan::UNIVERSAL.
{ BER_Decoder response_outer = BER_Decoder(response_bits).start_cons(SEQUENCE); size_t resp_status = 0; response_outer.decode(resp_status, ENUMERATED, UNIVERSAL); if(resp_status != 0) throw std::runtime_error("OCSP response status " + std::to_string(resp_status)); if(response_outer.more_items()) { BER_Decoder response_bytes = response_outer.start_cons(ASN1_Tag(0), CONTEXT_SPECIFIC).start_cons(SEQUENCE); response_bytes.decode_and_check(OID("1.3.6.1.5.5.7.48.1.1"), "Unknown response type in OCSP response"); BER_Decoder basicresponse = BER_Decoder(response_bytes.get_next_octet_string()).start_cons(SEQUENCE); std::vector<byte> tbs_bits; AlgorithmIdentifier sig_algo; std::vector<byte> signature; std::vector<X509_Certificate> certs; basicresponse.start_cons(SEQUENCE) .raw_bytes(tbs_bits) .end_cons() .decode(sig_algo) .decode(signature, BIT_STRING); decode_optional_list(basicresponse, ASN1_Tag(0), certs); size_t responsedata_version = 0; X509_DN name; std::vector<byte> key_hash; X509_Time produced_at; Extensions extensions; BER_Decoder(tbs_bits) .decode_optional(responsedata_version, ASN1_Tag(0), ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)) .decode_optional(name, ASN1_Tag(1), ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)) .decode_optional_string(key_hash, OCTET_STRING, 2, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)) .decode(produced_at) .decode_list(m_responses) .decode_optional(extensions, ASN1_Tag(1), ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)); if(certs.empty()) { if(auto cert = trusted_roots.find_cert(name, std::vector<byte>())) certs.push_back(*cert); else throw std::runtime_error("Could not find certificate that signed OCSP response"); } check_signature(tbs_bits, sig_algo, signature, trusted_roots, certs); } response_outer.end_cons(); }
Certificate_Status_Code Botan::OCSP::Response::status_for | ( | const X509_Certificate & | issuer, |
const X509_Certificate & | subject | ||
) | const |
Definition at line 197 of file ocsp.cpp.
References Botan::CERT_IS_REVOKED, Botan::OCSP_BAD_STATUS, Botan::OCSP_CERT_NOT_LISTED, Botan::OCSP_HAS_EXPIRED, Botan::OCSP_NOT_YET_VALID, and Botan::OCSP_RESPONSE_GOOD.
{ for(const auto& response : m_responses) { if(response.certid().is_id_for(issuer, subject)) { X509_Time current_time(std::chrono::system_clock::now()); if(response.cert_status() == 1) return Certificate_Status_Code::CERT_IS_REVOKED; if(response.this_update() > current_time) return Certificate_Status_Code::OCSP_NOT_YET_VALID; if(response.next_update().time_is_set() && current_time > response.next_update()) return Certificate_Status_Code::OCSP_HAS_EXPIRED; if(response.cert_status() == 0) return Certificate_Status_Code::OCSP_RESPONSE_GOOD; else return Certificate_Status_Code::OCSP_BAD_STATUS; } } return Certificate_Status_Code::OCSP_CERT_NOT_LISTED; }