Class: R509::Ocsp::Helper::RequestChecker

Inherits:

Object

• Object
• R509::Ocsp::Helper::RequestChecker

Includes:

Dependo::Mixin

Defined in:

lib/r509/ocsp/signer.rb

Overview

checks requests for validity against a set of configs

Instance Attribute Summary

• #configs ⇒ Object readonly

  Returns the value of attribute configs.

• #configs_hash ⇒ Object readonly

  Returns the value of attribute configs_hash.

Instance Method Summary

• #check_statuses(request) ⇒ Hash

  Loads and checks a raw OCSP request.

• #initialize(configs, validity_checker) ⇒ RequestChecker constructor

  A new instance of RequestChecker.

• #validate_statuses(statuses) ⇒ Boolean

  Determines whether the statuses constitute a request that is compliant.

Constructor Details

#initialize(configs, validity_checker) ⇒ RequestChecker

Returns a new instance of RequestChecker.

Parameters:

• configs (R509::Config::CaConfigPool) —

  CaConfigPool object

• validity_checker (R509::Validity::Checker) —

  an implementation of the R509::Validity::Checker class

# File 'lib/r509/ocsp/signer.rb', line 62

def initialize(configs, validity_checker)
    unless configs.kind_of?(R509::Config::CaConfigPool)
        raise R509::R509Error, "Must pass R509::Config::CaConfigPool object"
    end
    if configs.all.empty?
        raise R509::R509Error, "Must be at least one R509::Config object"
    end
    @configs = configs.all
    test_cid = OpenSSL::OCSP::CertificateId.new(OpenSSL::X509::Certificate.new,OpenSSL::X509::Certificate.new)
    if test_cid.respond_to?(:issuer_key_hash)
        @configs_hash = {}
        @configs.each do |config|
            ee_cert = OpenSSL::X509::Certificate.new
            ee_cert.issuer = config.ca_cert.cert.subject
            # per RFC 5019
            # Clients MUST use SHA1 as the hashing algorithm for the
            # CertID.issuerNameHash and the CertID.issuerKeyHash values.
            # so we can safely assume that our inbound hashes will be SHA1
            issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert,config.ca_cert.cert,OpenSSL::Digest::SHA1.new)
            @configs_hash[issuer_certid.issuer_key_hash] = config
        end
    end
    @validity_checker = validity_checker
    if @validity_checker.nil?
        raise R509::R509Error, "Must supply a R509::Validity::Checker"
    end
    if not @validity_checker.respond_to?(:check)
        raise R509::R509Error, "The validity checker must have a check method"
    end
end

Instance Attribute Details

#configs ⇒ Object (readonly)

Returns the value of attribute configs.

# File 'lib/r509/ocsp/signer.rb', line 58

def configs
  @configs
end

#configs_hash ⇒ Object (readonly)

Returns the value of attribute configs_hash.

# File 'lib/r509/ocsp/signer.rb', line 58

def configs_hash
  @configs_hash
end

Instance Method Details

#check_statuses(request) ⇒ Hash

Loads and checks a raw OCSP request

Parameters:

• request (OpenSSL::OCSP::Request) —

  OpenSSL OCSP Request object

Returns:

• (Hash) —

  hash from the check_status method

# File 'lib/r509/ocsp/signer.rb', line 97

def check_statuses(request)
    request.certid.map { |certid|
        if certid.respond_to?(:issuer_key_hash)
            validated_config = @configs_hash[certid.issuer_key_hash]
        else
            validated_config = @configs.find do |config|
                #we need to create an OCSP::CertificateId object that has the right
                #issuer so we can pass it to #cmp_issuer. This is annoying because
                #CertificateId wants a cert and its issuer, but we don't want to
                #force users to provide an end entity cert just to make this comparison
                #work. So, we create a fake new cert and pass it in.
                ee_cert = OpenSSL::X509::Certificate.new
                ee_cert.issuer = config.ca_cert.cert.subject
                issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert,config.ca_cert.cert)
                certid.cmp_issuer(issuer_certid)
            end
        end

        log.info "#{validated_config.ca_cert.subject.to_s} found for issuer" if validated_config
        check_status(certid, validated_config)
    }
end

#validate_statuses(statuses) ⇒ Boolean

Determines whether the statuses constitute a request that is compliant. No config means we don’t know the CA, different configs means there are requests from two different CAs in there. Both are invalid.

Parameters:

• statuses (Array<Hash>) —

  array of hashes from check_statuses

Returns:

• (Boolean)

# File 'lib/r509/ocsp/signer.rb', line 126

def validate_statuses(statuses)
    validity = true
    config = nil

    statuses.each do |status|
        if status[:config].nil?
            validity = false
        end
        if config.nil?
            config = status[:config]
        end
        if config != status[:config]
            validity = false
        end
    end

    validity
end