Check the signature and return the status. The optional cert_path is the (already validated!) certificate path of the end entity that is being inquired about.
190 {
191 if (m_responses.empty())
192 return m_dummy_response_status;
193
194 std::shared_ptr<const X509_Certificate> signing_cert;
195
196 for(size_t i = 0; i != trusted_roots.size(); ++i)
197 {
198 if(m_signer_name.
empty() && m_key_hash.empty())
200
201 if(!m_signer_name.
empty())
202 {
203 signing_cert = trusted_roots[i]->find_cert(m_signer_name, std::vector<uint8_t>());
204 if(signing_cert)
205 {
206 break;
207 }
208 }
209
210 if(m_key_hash.size() > 0)
211 {
212 signing_cert = trusted_roots[i]->find_cert_by_pubkey_sha1(m_key_hash);
213 if(signing_cert)
214 {
215 break;
216 }
217 }
218 }
219
220 if(!signing_cert && ee_cert_path.size() > 1)
221 {
222
223 for(size_t i = 1; i < ee_cert_path.size(); ++i)
224 {
225
226 if(!m_signer_name.
empty() && ee_cert_path[i]->subject_dn() == m_signer_name)
227 {
228 signing_cert = ee_cert_path[i];
229 break;
230 }
231
232 if(m_key_hash.size() > 0 && ee_cert_path[i]->subject_public_key_bitstring_sha1() == m_key_hash)
233 {
234 signing_cert = ee_cert_path[i];
235 break;
236 }
237 }
238 }
239
240 if(!signing_cert && m_certs.size() > 0)
241 {
242 for(size_t i = 0; i < m_certs.size(); ++i)
243 {
244 if(!m_signer_name.
empty() && m_certs[i].subject_dn() == m_signer_name)
245 {
246 signing_cert = std::make_shared<const X509_Certificate>(m_certs[i]);
247 break;
248 }
249
250 if(m_key_hash.size() > 0 && m_certs[i].subject_public_key_bitstring_sha1() == m_key_hash)
251 {
252 signing_cert = std::make_shared<const X509_Certificate>(m_certs[i]);
253 break;
254 }
255 }
277 if(signing_cert)
278 {
279 const auto issuer =
280 Certificate_Store_In_Memory(ee_cert_path)
281 .find_cert(signing_cert->issuer_dn(), signing_cert->authority_key_id());
282
283
284 if(!issuer)
285 {
287 }
288
289 if(!issuer->is_CA_cert())
290 {
292 }
293
294
295
296
297
298
299
300
301
302
303 try
304 {
305 const auto issuer_pubkey = issuer->load_subject_public_key();
306 const auto sig = signing_cert->verify_signature(*issuer_pubkey);
307
309 {
311 }
312
314 {
316 }
317 }
318 catch(const Exception& ex)
319 {
321 }
322 }
323 }
324
325 if(!signing_cert)
327
328 if(!signing_cert->allowed_usage(
CRL_SIGN) &&
329 !signing_cert->allowed_extended_usage("PKIX.OCSPSigning"))
330 {
332 }
333
335 }