Request::Request(const X509_Certificate& issuer_cert, const X509_Certificate& subject_cert) : m_issuer(issuer_cert), m_certid(m_issuer, BigInt::decode(subject_cert.serial_number())) { if(subject_cert.issuer_dn() != issuer_cert.subject_dn()) throw Invalid_Argument("Invalid cert pair to OCSP::Request (mismatched issuer,subject args?)"); }
std::shared_ptr<const X509_CRL> Certificate_Store_In_SQL::find_crl_for(const X509_Certificate& subject) const { auto all_crls = generate_crls(); for(auto crl: all_crls) { if(!crl.get_revoked().empty() && crl.issuer_dn() == subject.issuer_dn()) return std::shared_ptr<X509_CRL>(new X509_CRL(crl)); } return std::shared_ptr<X509_CRL>(); }
Response online_check(const X509_Certificate& issuer, const X509_Certificate& subject, Certificate_Store* trusted_roots, std::chrono::milliseconds timeout) { if(subject.issuer_dn() != issuer.subject_dn()) throw Invalid_Argument("Invalid cert pair to OCSP::online_check (mismatched issuer,subject args?)"); return online_check(issuer, BigInt::decode(subject.serial_number()), subject.ocsp_responder(), trusted_roots, timeout); }
std::shared_ptr<const X509_CRL> Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const { const std::vector<uint8_t>& key_id = subject.authority_key_id(); for(const auto& c : m_crls) { // Only compare key ids if set in both call and in the CRL if(key_id.size()) { std::vector<uint8_t> akid = c->authority_key_id(); if(akid.size() && akid != key_id) // no match continue; } if(c->issuer_dn() == subject.issuer_dn()) return c; } return {}; }
/** * Check if this particular certificate is listed in the CRL */ bool X509_CRL::is_revoked(const X509_Certificate& cert) const { /* If the cert wasn't issued by the CRL issuer, it's possible the cert is revoked, but not by this CRL. Maybe throw an exception instead? */ if(cert.issuer_dn() != issuer_dn()) return false; std::vector<uint8_t> crl_akid = authority_key_id(); std::vector<uint8_t> cert_akid = cert.authority_key_id(); if(!crl_akid.empty() && !cert_akid.empty()) { if(crl_akid != cert_akid) return false; } std::vector<uint8_t> cert_serial = cert.serial_number(); bool is_revoked = false; // FIXME would be nice to avoid a linear scan here - maybe sort the entries? for(const CRL_Entry& entry : get_revoked()) { if(cert_serial == entry.serial_number()) { if(entry.reason_code() == REMOVE_FROM_CRL) is_revoked = false; else is_revoked = true; } } return is_revoked; }
/* * Match by issuer and serial number */ bool IandS_Match::match(const X509_Certificate& cert) const { if(cert.serial_number() != serial) return false; return (cert.issuer_dn() == issuer); }