Class: Mongo::Socket::OcspVerifier Private

Inherits:

Object

Object
Mongo::Socket::OcspVerifier

show all

Includes:: Loggable

Defined in:: lib/mongo/socket/ocsp_verifier.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

OCSP endpoint verifier.

After a TLS connection is established, this verifier inspects the certificate presented by the server, and if the certificate contains an OCSP URI, performs the OCSP status request to the specified URI (following up to 5 redirects) to verify the certificate status.

Constant Summary

Constants included from Loggable

Loggable::PREFIX

Instance Attribute Summary collapse

#ca_cert ⇒ Object readonly private
#cert ⇒ Object readonly private
#cert_store ⇒ Object readonly private
#host_name ⇒ Object readonly private
#options ⇒ Object readonly private

Instance Method Summary collapse

#cert_id ⇒ Object private
#initialize(host_name, cert, ca_cert, cert_store, **opts) ⇒ OcspVerifier constructor private

A new instance of OcspVerifier.
#ocsp_uris ⇒ Array<String> private

OCSP URIs in the specified server certificate.
#timeout ⇒ Object private
#verify ⇒ true | false private

Whether the certificate was verified.
#verify_with_cache ⇒ Object private

Methods included from Loggable

#log_debug, #log_error, #log_fatal, #log_info, #log_warn, #logger

Constructor Details

#initialize(host_name, cert, ca_cert, cert_store, **opts) ⇒ `OcspVerifier`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of OcspVerifier.

Parameters:

The host name being verified, for diagnostic output.
The certificate presented by the server at host_name.
The CA certificate presented by the server or resolved locally from the server certificate.
The certificate store to use for verifying OCSP response. This should be the same store as used in SSLContext used with the SSLSocket that we are verifying the certificate for. This must NOT be the CA certificate provided by the server (i.e. anything taken out of peer_cert) - otherwise the server would dictate which CA authorities the client trusts.

Since:

2.0.0

API:

private

# File 'lib/mongo/socket/ocsp_verifier.rb', line 51

def initialize(host_name, cert, ca_cert, cert_store, **opts)
  @host_name = host_name
  @cert = cert
  @ca_cert = ca_cert
  @cert_store = cert_store
  @options = opts
end

Instance Attribute Details

#ca_cert ⇒ `Object` (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

2.0.0

API:

private



61
62
63

# File 'lib/mongo/socket/ocsp_verifier.rb', line 61

def ca_cert
  @ca_cert
end

#cert ⇒ `Object` (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

2.0.0

API:

private



60
61
62

# File 'lib/mongo/socket/ocsp_verifier.rb', line 60

def cert
  @cert
end

#cert_store ⇒ `Object` (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

2.0.0

API:

private



62
63
64

# File 'lib/mongo/socket/ocsp_verifier.rb', line 62

def cert_store
  @cert_store
end

#host_name ⇒ `Object` (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

2.0.0

API:

private



59
60
61

# File 'lib/mongo/socket/ocsp_verifier.rb', line 59

def host_name
  @host_name
end

#options ⇒ `Object` (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

2.0.0

API:

private



63
64
65

# File 'lib/mongo/socket/ocsp_verifier.rb', line 63

def options
  @options
end

Instance Method Details

#cert_id ⇒ `Object`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

2.0.0

API:

private

# File 'lib/mongo/socket/ocsp_verifier.rb', line 91

def cert_id
  @cert_id ||= OpenSSL::OCSP::CertificateId.new(
    cert,
    ca_cert,
    OpenSSL::Digest::SHA1.new,
  )
end

#ocsp_uris ⇒ `Array<String>`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns OCSP URIs in the specified server certificate.

Returns:

OCSP URIs in the specified server certificate.

Since:

2.0.0

API:

private

# File 'lib/mongo/socket/ocsp_verifier.rb', line 70

def ocsp_uris
  @ocsp_uris ||= begin
    # https://tools.ietf.org/html/rfc3546#section-2.3
    # prohibits multiple extensions with the same oid.
    ext = cert.extensions.detect do |ext|
      ext.oid == 'authorityInfoAccess'
    end

    if ext
      # Our test certificates have multiple OCSP URIs.
      ext.value.split("\n").select do |line|
        line.start_with?('OCSP - URI:')
      end.map do |line|
        line.split(':', 2).last
      end
    else
      []
    end
  end
end

#timeout ⇒ `Object`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

2.0.0

API:

private



65
66
67

# File 'lib/mongo/socket/ocsp_verifier.rb', line 65

def timeout
  options[:timeout] || 5
end

#verify ⇒ `true | false`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Whether the certificate was verified.

Returns:

Whether the certificate was verified.

Raises:

If the certificate was definitively revoked.

Since:

2.0.0

API:

private

# File 'lib/mongo/socket/ocsp_verifier.rb', line 122

def verify
  handle_exceptions do
    return false if ocsp_uris.empty?

    resp, errors = do_verify
    return_ocsp_response(resp, errors)
  end
end

#verify_with_cache ⇒ `Object`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

2.0.0

API:

private

# File 'lib/mongo/socket/ocsp_verifier.rb', line 99

def verify_with_cache
  handle_exceptions do
    return false if ocsp_uris.empty?

    resp = OcspCache.get(cert_id)
    if resp
      return return_ocsp_response(resp)
    end

    resp, errors = do_verify

    if resp
      OcspCache.set(cert_id, resp)
    end

    return_ocsp_response(resp, errors)
  end
end

Class: Mongo::Socket::OcspVerifier Private

Overview

Constant Summary

Constants included from Loggable

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods included from Loggable

Constructor Details

#initialize(host_name, cert, ca_cert, cert_store, **opts) ⇒ OcspVerifier

Instance Attribute Details

#ca_cert ⇒ Object (readonly)

#cert ⇒ Object (readonly)

#cert_store ⇒ Object (readonly)

#host_name ⇒ Object (readonly)

#options ⇒ Object (readonly)

Instance Method Details

#cert_id ⇒ Object

#ocsp_uris ⇒ Array<String>

#timeout ⇒ Object

#verify ⇒ true | false

#verify_with_cache ⇒ Object

#initialize(host_name, cert, ca_cert, cert_store, **opts) ⇒ `OcspVerifier`

#ca_cert ⇒ `Object` (readonly)

#cert ⇒ `Object` (readonly)

#cert_store ⇒ `Object` (readonly)

#host_name ⇒ `Object` (readonly)

#options ⇒ `Object` (readonly)

#cert_id ⇒ `Object`

#ocsp_uris ⇒ `Array<String>`

#timeout ⇒ `Object`

#verify ⇒ `true | false`

#verify_with_cache ⇒ `Object`