Class: Mongo::Socket::OcspVerifier Private

Inherits:

Object

• Object
• Mongo::Socket::OcspVerifier

Includes:

Loggable

Defined in:

lib/mongo/socket/ocsp_verifier.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

OCSP endpoint verifier.

After a TLS connection is established, this verifier inspects the certificate presented by the server, and if the certificate contains an OCSP URI, performs the OCSP status request to the specified URI (following up to 5 redirects) to verify the certificate status.

See Also:

• https://ruby-doc.org/stdlib/libdoc/openssl/rdoc/OpenSSL/OCSP.html

Since:

• 2.0.0

Constant Summary

Constants included from Loggable

Loggable::PREFIX

Instance Attribute Summary

• #ca_cert ⇒ Object readonly private
• #cert ⇒ Object readonly private
• #cert_store ⇒ Object readonly private
• #host_name ⇒ Object readonly private
• #options ⇒ Object readonly private

Instance Method Summary

• #cert_id ⇒ Object private
• #initialize(host_name, cert, ca_cert, cert_store, **opts) ⇒ OcspVerifier constructor private

  A new instance of OcspVerifier.

• #ocsp_uris ⇒ Array<String> private

  OCSP URIs in the specified server certificate.

• #timeout ⇒ Object private
• #verify ⇒ true | false private

  Whether the certificate was verified.

• #verify_with_cache ⇒ Object private

Methods included from Loggable

#log_debug, #log_error, #log_fatal, #log_info, #log_warn, #logger

Constructor Details

#initialize(host_name, cert, ca_cert, cert_store, **opts) ⇒ OcspVerifier

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of OcspVerifier.

Parameters:

• host_name (String) —

  The host name being verified, for diagnostic output.

• cert (OpenSSL::X509::Certificate) —

  The certificate presented by the server at host_name.

• ca_cert (OpenSSL::X509::Certificate) —

  The CA certificate presented by the server or resolved locally from the server certificate.

• cert_store (OpenSSL::X509::Store) —

  The certificate store to use for verifying OCSP response. This should be the same store as used in SSLContext used with the SSLSocket that we are verifying the certificate for. This must NOT be the CA certificate provided by the server (i.e. anything taken out of peer_cert) - otherwise the server would dictate which CA authorities the client trusts.

Since:

• 2.0.0

# File 'lib/mongo/socket/ocsp_verifier.rb', line 51

def initialize(host_name, cert, ca_cert, cert_store, **opts)
  @host_name = host_name
  @cert = cert
  @ca_cert = ca_cert
  @cert_store = cert_store
  @options = opts
end

Instance Attribute Details

#ca_cert ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

• 2.0.0

# File 'lib/mongo/socket/ocsp_verifier.rb', line 61

def ca_cert
  @ca_cert
end

#cert ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

• 2.0.0

# File 'lib/mongo/socket/ocsp_verifier.rb', line 60

def cert
  @cert
end

#cert_store ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

• 2.0.0

# File 'lib/mongo/socket/ocsp_verifier.rb', line 62

def cert_store
  @cert_store
end

#host_name ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

• 2.0.0

# File 'lib/mongo/socket/ocsp_verifier.rb', line 59

def host_name
  @host_name
end

#options ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

• 2.0.0

# File 'lib/mongo/socket/ocsp_verifier.rb', line 63

def options
  @options
end

Instance Method Details

#cert_id ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

• 2.0.0

# File 'lib/mongo/socket/ocsp_verifier.rb', line 91

def cert_id
  @cert_id ||= OpenSSL::OCSP::CertificateId.new(
    cert,
    ca_cert,
    OpenSSL::Digest::SHA1.new,
  )
end

#ocsp_uris ⇒ Array<String>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns OCSP URIs in the specified server certificate.

Returns:

• (Array<String>) —

  OCSP URIs in the specified server certificate.

Since:

• 2.0.0

# File 'lib/mongo/socket/ocsp_verifier.rb', line 70

def ocsp_uris
  @ocsp_uris ||= begin
    # https://tools.ietf.org/html/rfc3546#section-2.3
    # prohibits multiple extensions with the same oid.
    ext = cert.extensions.detect do |ext|
      ext.oid == 'authorityInfoAccess'
    end

    if ext
      # Our test certificates have multiple OCSP URIs.
      ext.value.split("\n").select do |line|
        line.start_with?('OCSP - URI:')
      end.map do |line|
        line.split(':', 2).last
      end
    else
      []
    end
  end
end

#timeout ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

• 2.0.0

# File 'lib/mongo/socket/ocsp_verifier.rb', line 65

def timeout
  options[:timeout] || 5
end

#verify ⇒ true | false

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Whether the certificate was verified.

Returns:

• (true | false) —

  Whether the certificate was verified.

Raises:

• (Error::ServerCertificateRevoked) —

  If the certificate was definitively revoked.

Since:

• 2.0.0

# File 'lib/mongo/socket/ocsp_verifier.rb', line 122

def verify
  handle_exceptions do
    return false if ocsp_uris.empty?

    resp, errors = do_verify
    return_ocsp_response(resp, errors)
  end
end

#verify_with_cache ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

• 2.0.0

# File 'lib/mongo/socket/ocsp_verifier.rb', line 99

def verify_with_cache
  handle_exceptions do
    return false if ocsp_uris.empty?

    resp = OcspCache.get(cert_id)
    if resp
      return return_ocsp_response(resp)
    end

    resp, errors = do_verify

    if resp
      OcspCache.set(cert_id, resp)
    end

    return_ocsp_response(resp, errors)
  end
end