libdigidocpp
digidoc::OCSP Class Reference

#include <OCSP.h>


Public Types

enum  CertStatus { GOOD, REVOKED, UNKNOWN }

Public Member Functions

 OCSP ()
 ~OCSP ()
void setUrl (const std::string &url) throw (IOException)
void setOCSPCerts (STACK_OF(X509)*ocspCerts)
void setCertStore (X509_STORE *certStore)
void setSignCert (X509 *signCert, EVP_PKEY *signKey)
void setSkew (long skew)
void setMaxAge (long maxAge)
CertStatus checkCert (X509 *cert, X509 *issuer, const std::vector< unsigned char > &nonce) throw (IOException, OCSPException)
CertStatus checkCert (X509 *cert, X509 *issuer, const std::vector< unsigned char > &nonce, std::vector< unsigned char > &ocspResponseDER, tm &producedAt) throw (IOException, OCSPException)
void verifyResponse (const std::vector< unsigned char > &ocspResponseDER) const throw (IOException)
std::vector< unsigned char > getNonce (const std::vector< unsigned char > &ocspResponseDER) const
tm getProducedAt (const std::vector< unsigned char > &ocspResponseDER) const

Private Member Functions

CertStatus checkCert (X509 *cert, X509 *issuer, const std::vector< unsigned char > &nonce, OCSP_REQUEST **req, OCSP_RESPONSE **resp) throw (IOException, OCSPException)
void connect () throw (IOException)
void connectNoSSL () throw (IOException)
void connectSSL () throw (IOException)
OCSP_REQUEST * createRequest (X509 *cert, X509 *issuer, const std::vector< unsigned char > &nonce) throw (IOException)
OCSP_RESPONSE * sendRequest (OCSP_REQUEST *req) throw (IOException)
CertStatus validateResponse (OCSP_REQUEST *req, OCSP_RESPONSE *resp, X509 *cert, X509 *issuer) throw (OCSPException)
tm convert (ASN1_GENERALIZEDTIME *time) const throw (IOException)
 STACK_OF (X509)*ocspCerts

Private Attributes

std::string url
std::string host
std::string connhost
std::string connport
bool ssl
long skew
long maxAge
BIO * connection
SSL_CTX * ctx
X509 * ocspCert
X509_STORE * certStore
X509 * signCert
EVP_PKEY * signKey

Detailed Description

Implements an OCSP request to an OCSP server. This class can be used to check whether a certificate is valid or not.

If certStore and/or ocspCerts is set, the OCSP response certificate is checked to confirm that it comes from the correct OCSP server.

If signCert and signKey are set, the OCSP request is signed with the certificate provided.

Author
Janari Põld

Definition at line 49 of file OCSP.h.

Member Enumeration Documentation

Enumerator:
GOOD 
REVOKED 
UNKNOWN 

Definition at line 53 of file OCSP.h.

Constructor & Destructor Documentation

digidoc::OCSP::OCSP ( )

Initialize OCSP certificate validator.

Definition at line 59 of file OCSP.cpp.

digidoc::OCSP::~OCSP ( )

Release acquired private memory.

Definition at line 74 of file OCSP.cpp.

Member Function Documentation

digidoc::OCSP::CertStatus digidoc::OCSP::checkCert ( X509 *  cert,
X509 *  issuer,
const std::vector< unsigned char > &  nonce 
) throw (IOException, OCSPException)

Checks the validity of the certificate cert against the OCSP server. If the OCSP server certificate should be validated, set certStore and/or ocspCerts with the corresponding OCSP server certificates.

Parameters
cert: certificate whose validity is checked in the OCSP server.
issuer: issuer certificate of cert (the issuer certificate chain).
nonce: value of the NONCE field in the OCSP request.
Returns
the certificate status reported by the OCSP server.
Exceptions
IOException: thrown if communication with the OCSP server failed (e.g. incorrect OCSP URL, host does not exist, in the case of an HTTPS connection the certificate is incorrect or missing, the OCSP request could not be created, etc.), or if the X.509 certificate or issuer is NULL.
OCSPException: thrown if the server responded with an invalid response or with an unsuccessful status code (e.g. 0x01: malformedRequest or 0x03: tryLater, etc.).
See Also
checkCert(X509* cert, X509* issuer, OCSP_REQUEST** req, OCSP_RESPONSE** resp)
validateResponse(OCSP_REQUEST* req, OCSP_RESPONSE* resp, X509* cert, X509* issuer)

Definition at line 190 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::notarize(), testOCSP(), and digidoc::SignatureBES::validateOnline().


digidoc::OCSP::CertStatus digidoc::OCSP::checkCert ( X509 *  cert,
X509 *  issuer,
const std::vector< unsigned char > &  nonce,
std::vector< unsigned char > &  ocspResponseDER,
tm &  producedAt 
) throw (IOException, OCSPException)

Checks the validity of the certificate cert against the OCSP server. If the OCSP server certificate should be validated, set certStore and/or ocspCerts with the corresponding OCSP server certificates. Converts the OCSP response to DER encoding and returns it in the output parameter ocspResponseDER.

Parameters
cert: certificate whose validity is checked in the OCSP server.
issuer: issuer certificate of cert (the issuer certificate chain).
nonce: value of the NONCE field in the OCSP request.
ocspResponseDER: output parameter; the OCSP response is stored here in DER format.
producedAt: response production time (the producedAt field of the response).
Returns
the certificate status reported by the OCSP server.
Exceptions
IOException: thrown if communication with the OCSP server failed (e.g. incorrect OCSP URL, host does not exist, in the case of an HTTPS connection the certificate is incorrect or missing, the OCSP request could not be created, etc.), or if the X.509 certificate or issuer is NULL.
OCSPException: thrown if the server responded with an invalid response or with an unsuccessful status code (e.g. 0x01: malformedRequest or 0x03: tryLater, etc.).
See Also
checkCert(X509* cert, X509* issuer, OCSP_REQUEST** req, OCSP_RESPONSE** resp)
validateResponse(OCSP_REQUEST* req, OCSP_RESPONSE* resp, X509* cert, X509* issuer)

Definition at line 220 of file OCSP.cpp.

References THROW_IOEXCEPTION.

digidoc::OCSP::CertStatus digidoc::OCSP::checkCert ( X509 *  cert,
X509 *  issuer,
const std::vector< unsigned char > &  nonce,
OCSP_REQUEST **  req,
OCSP_RESPONSE **  resp 
) throw (IOException, OCSPException)
private

Checks the validity of the certificate cert against the OCSP server. If the OCSP server certificate should be validated, set certStore and/or ocspCerts with the corresponding OCSP server certificates.

Parameters
cert: certificate whose validity is checked in the OCSP server.
issuer: issuer certificate of cert (the issuer certificate chain).
nonce: value of the NONCE field in the OCSP request.
req: output parameter; the created OCSP request is stored here.
resp: output parameter; the received OCSP response is stored here.
Returns
the certificate status reported by the OCSP server.
Exceptions
IOException: thrown if communication with the OCSP server failed (e.g. incorrect OCSP URL, host does not exist, in the case of an HTTPS connection the certificate is incorrect or missing, the OCSP request could not be created, etc.), or if the X.509 certificate or issuer is NULL.
OCSPException: thrown if the server responded with an invalid response or with an unsuccessful status code (e.g. 0x01: malformedRequest or 0x03: tryLater, etc.).
See Also
validateResponse(OCSP_REQUEST* req, OCSP_RESPONSE* resp, X509* cert, X509* issuer)

Definition at line 271 of file OCSP.cpp.

References digidoc::Conf::getInstance(), digidoc::Conf::getPKCS12Cert(), digidoc::Conf::getPKCS12Disable(), digidoc::Conf::getPKCS12Pass(), and THROW_IOEXCEPTION.


void digidoc::OCSP::connect ( ) throw (IOException)
private

Creates a connection to the OCSP server based on the URL provided.

Exceptions
IOException: thrown if the connection could not be created.

Definition at line 366 of file OCSP.cpp.

References THROW_IOEXCEPTION.

void digidoc::OCSP::connectNoSSL ( ) throw (IOException)
private

Creates a plain-text (unencrypted) connection to the OCSP server.

Exceptions
IOException: thrown if the connection could not be created.

Definition at line 398 of file OCSP.cpp.

void digidoc::OCSP::connectSSL ( ) throw (IOException)
private

Creates an SSL connection to the OCSP server.

Exceptions
IOException: thrown if the connection could not be created.

Definition at line 407 of file OCSP.cpp.

References THROW_IOEXCEPTION.

tm digidoc::OCSP::convert ( ASN1_GENERALIZEDTIME *  asn1Time) const throw (IOException)
private

Extracts the date-time value from an ASN1_GENERALIZEDTIME struct.

Parameters
asn1Time: ASN.1 generalized time struct.
Returns
the extracted time.
Exceptions
IOException: thrown if the time is in an incorrect format.

Definition at line 737 of file OCSP.cpp.

References i, and THROW_IOEXCEPTION.

OCSP_REQUEST * digidoc::OCSP::createRequest ( X509 *  cert,
X509 *  issuer,
const std::vector< unsigned char > &  nonce 
) throw (IOException)
private

Creates an OCSP request to check the validity of the certificate cert.

Parameters
cert: certificate whose validity will be checked.
issuer: issuer of the certificate.
nonce: value of the NONCE field in the OCSP request.
Returns
the created OCSP request.
Exceptions
IOException: thrown if the request creation failed.

Definition at line 428 of file OCSP.cpp.

References THROW_IOEXCEPTION.

std::vector< unsigned char > digidoc::OCSP::getNonce ( const std::vector< unsigned char > &  ocspResponseDER) const

Extracts the nonce field from ocspResponseDER.

Parameters
ocspResponseDER: DER encoded OCSP response bytes.
Returns
the nonce bytes without any encoding.

Definition at line 685 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::getNonce(), digidoc::SignatureDDOC::getNonce(), and digidoc::SignatureTM::validateOffline().


tm digidoc::OCSP::getProducedAt ( const std::vector< unsigned char > &  ocspResponseDER) const

Extracts the producedAt field from ocspResponseDER.

Parameters
ocspResponseDER: DER encoded OCSP response bytes.
Returns
the producedAt date-time of the response.

Definition at line 722 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::getProducedAt().


OCSP_RESPONSE * digidoc::OCSP::sendRequest ( OCSP_REQUEST *  req) throw (IOException)
private

Sends the OCSP request to the server and returns the response received from the server.

Parameters
req: OCSP request to be sent to the OCSP server.
Returns
the OCSP response.
Exceptions
IOException: thrown if the server failed to accept the request or returned an incorrectly formatted OCSP response.

Definition at line 476 of file OCSP.cpp.

References digidoc::appInfo(), digidoc::Conf::getInstance(), digidoc::Conf::getProxyPass(), digidoc::Conf::getProxyUser(), THROW_IOEXCEPTION, and VER_STR.


void digidoc::OCSP::setCertStore ( X509_STORE *  certStore)

Sets the certificate store, which is used to validate the OCSP responder and in the HTTPS connection. The default value is NULL, which means the certificate store is not used to validate the OCSP responder. In the case of an HTTPS connection the certificate store is mandatory and cannot be set to NULL.

Parameters
certStore: certificate store used to validate the OCSP responder and in the HTTPS connection.

Definition at line 137 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::validateOffline().


void digidoc::OCSP::setMaxAge ( long  maxAge)

Parameters
maxAge: how old precomputed OCSP responses may be, in seconds. Default is 1 minute. The value is checked against the producedAt field of the OCSP response.

Definition at line 168 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::notarize(), and testOCSP().


void digidoc::OCSP::setOCSPCerts ( STACK_OF(X509)*  ocspCerts)

Sets the certificate stack, which is used to validate the OCSP responder. The default value is NULL, which means the certificate stack is not used to validate the OCSP responder.

Parameters
ocspCerts: certificate stack used to validate the OCSP responder.

Definition at line 123 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::notarize(), digidoc::SignatureTM::validateOffline(), and digidoc::SignatureBES::validateOnline().


void digidoc::OCSP::setSignCert ( X509 *  signCert,
EVP_PKEY *  signKey 
)

Sets the OCSP request signing certificate. If this certificate is not set, the OCSP request is not signed.

Parameters
signCert: OCSP request signing certificate.
signKey: private key of the OCSP request signing certificate.

Definition at line 149 of file OCSP.cpp.

void digidoc::OCSP::setSkew ( long  skew)

Parameters
skew: maximum allowed time difference between the OCSP server and the host computer, in seconds. Default is 5 minutes.

Definition at line 159 of file OCSP.cpp.

Referenced by digidoc::SignatureTM::notarize(), and digidoc::SignatureBES::validateOnline().


void digidoc::OCSP::setUrl ( const std::string &  _url) throw (IOException)

Sets the OCSP connection URL.

Parameters
url: full OCSP URL (e.g. http://www.openxades.org/cgi-bin/ocsp.cgi).
Exceptions
IOException: thrown if the provided OCSP URL is in an incorrect format.

Definition at line 88 of file OCSP.cpp.

References digidoc::Conf::getInstance(), digidoc::Conf::getProxyHost(), digidoc::Conf::getProxyPort(), and THROW_IOEXCEPTION.

Referenced by digidoc::SignatureTM::notarize(), and digidoc::SignatureBES::validateOnline().


digidoc::OCSP::STACK_OF ( X509  )
private
digidoc::OCSP::CertStatus digidoc::OCSP::validateResponse ( OCSP_REQUEST *  req,
OCSP_RESPONSE *  resp,
X509 *  cert,
X509 *  issuer 
) throw (OCSPException)
private

Validates the OCSP response. Checks the status code and the other fields to confirm that they match the OCSP request that was sent. Also parses and returns the certificate status code.

Parameters
req: OCSP request that was sent to the OCSP server.
resp: OCSP response that was received from the OCSP server.
cert: certificate whose validity was checked.
issuer: issuer of the certificate.
Returns
the certificate status code.
Exceptions
OCSPException: thrown if the server responded with an invalid response or with an unsuccessful status code (e.g. 0x01: malformedRequest or 0x03: tryLater, etc.). Also checks that the response corresponds to the request sent.

Definition at line 546 of file OCSP.cpp.

References e, digidoc::Exception::OCSPRequestUnauthorized, digidoc::Exception::OCSPTimeSlot, digidoc::Exception::setCode(), THROW_OCSPEXCEPTION, and digidoc::OCSPException::toResponseStatusMessage().

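The two freshness checks described for setSkew()/setMaxAge() (the producedAt time slot) and for validateResponse() (the response must correspond to the request, i.e. the nonce must match), written out as an added, self-contained example. This is not libdigidocpp's own code: the acceptance window now - maxAge - skew <= producedAt <= now + skew is an assumed interpretation of how skew and maxAge combine, and the sample nonce and times are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <ctime>
#include <vector>

// Assumed reconstruction (not libdigidocpp code) of the two checks the page
// documents: the producedAt time slot governed by setSkew()/setMaxAge(), and
// the nonce binding between request and response (cf. getNonce()).
enum class TimeSlot { Ok, TooOld, FromFuture };

// Defaults stated on the page: skew 5 minutes, maxAge 1 minute.
const long kDefaultSkew   = 5 * 60;
const long kDefaultMaxAge = 60;

// producedAt and now are UTC epoch seconds (e.g. the tm from getProducedAt()
// converted with timegm()). Assumed acceptance window:
//   now - maxAge - skew <= producedAt <= now + skew
TimeSlot checkTimeSlot(std::time_t producedAt, std::time_t now,
                       long skew = kDefaultSkew, long maxAge = kDefaultMaxAge)
{
    if (producedAt > now + skew)          return TimeSlot::FromFuture; // responder clock ahead
    if (producedAt + maxAge + skew < now) return TimeSlot::TooOld;     // stale or replayed
    return TimeSlot::Ok;
}

// The nonce echoed in the response must equal the one sent in the request.
// An empty nonce cannot bind the response to this request, so it is rejected.
bool nonceMatches(const std::vector<unsigned char>& sent,
                  const std::vector<unsigned char>& received)
{
    if (sent.empty() || sent.size() != received.size()) return false;
    unsigned char diff = 0;                      // compare without early exit
    for (std::size_t i = 0; i < sent.size(); ++i) diff |= sent[i] ^ received[i];
    return diff == 0;
}

int main()
{
    // Constructed sample: a response produced 2 minutes ago passes with the
    // default 1 minute maxAge because of the 5 minute skew allowance; one
    // produced 7 minutes ago does not.
    std::time_t now = std::time(nullptr);
    std::vector<unsigned char> sent = {0xde, 0xad, 0xbe, 0xef};
    std::printf("2 min old: %s\n", checkTimeSlot(now - 120, now) == TimeSlot::Ok ? "ok" : "rejected");
    std::printf("7 min old: %s\n", checkTimeSlot(now - 420, now) == TimeSlot::Ok ? "ok" : "rejected");
    std::printf("nonce:     %s\n", nonceMatches(sent, sent) ? "match" : "mismatch");
    return 0;
}
```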

void digidoc::OCSP::verifyResponse ( const std::vector< unsigned char > &  ocspResponseDER) const throw (IOException)

Checks that the response was signed with a trusted OCSP certificate.

Parameters
ocspResponseDER: DER encoded OCSP response bytes.

Definition at line 628 of file OCSP.cpp.

References ERR, i, and THROW_IOEXCEPTION.

Referenced by digidoc::SignatureTM::validateOffline().


Member Data Documentation

X509_STORE* digidoc::OCSP::certStore
private

Definition at line 93 of file OCSP.h.

BIO* digidoc::OCSP::connection
private

Definition at line 89 of file OCSP.h.

std::string digidoc::OCSP::connhost
private

Definition at line 83 of file OCSP.h.

std::string digidoc::OCSP::connport
private

Definition at line 83 of file OCSP.h.

SSL_CTX* digidoc::OCSP::ctx
private

Definition at line 90 of file OCSP.h.

std::string digidoc::OCSP::host
private

Definition at line 83 of file OCSP.h.

long digidoc::OCSP::maxAge
private

Definition at line 87 of file OCSP.h.

X509* digidoc::OCSP::ocspCert
private

Definition at line 91 of file OCSP.h.

X509* digidoc::OCSP::signCert
private

Definition at line 94 of file OCSP.h.

EVP_PKEY* digidoc::OCSP::signKey
private

Definition at line 95 of file OCSP.h.

long digidoc::OCSP::skew
private

Definition at line 86 of file OCSP.h.

bool digidoc::OCSP::ssl
private

Definition at line 84 of file OCSP.h.

std::string digidoc::OCSP::url
private

Definition at line 83 of file OCSP.h.


The documentation for this class was generated from the following files: