Class: OpenSSL::X509::Store

Inherits:
Object
  • Object
show all
Defined in:
ext/openssl/ossl_x509store.c,
ext/openssl/ossl_x509store.c

Overview

The X509 certificate store holds trusted CA certificates used to verify peer certificates.

The easiest way to create a useful certificate store is:

cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths

This will use your system’s built-in certificates.

If your system does not have a default set of certificates you can obtain a set extracted from Mozilla CA certificate store by cURL maintainers here: curl.haxx.se/docs/caextract.html (You may wish to use the firefox-db2pem.sh script to extract the certificates from a local install to avoid man-in-the-middle attacks.)

After downloading or generating a cacert.pem from the above link you can create a certificate store from the pem file like this:

cert_store = OpenSSL::X509::Store.new
cert_store.add_file 'cacert.pem'

The certificate store can be used with an SSLSocket like this:

ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl_context.cert_store = cert_store

tcp_socket = TCPSocket.open 'example.com', 443

ssl_socket = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context

Instance Method Summary collapse

Constructor Details

#X509::Store.newObject

Creates a new X509::Store.



220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
# File 'ext/openssl/ossl_x509store.c', line 220

static VALUE
ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
{
    X509_STORE *store;

/* BUG: This method takes any number of arguments but appears to ignore them. */
    GetX509Store(self, store);
#if !defined(HAVE_OPAQUE_OPENSSL)
    /* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */
    store->ex_data.sk = NULL;
#endif
    X509_STORE_set_verify_cb(store, x509store_verify_cb);
    ossl_x509store_set_vfy_cb(self, Qnil);

    /* last verification status */
    rb_iv_set(self, "@error", Qnil);
    rb_iv_set(self, "@error_string", Qnil);
    rb_iv_set(self, "@chain", Qnil);
    rb_iv_set(self, "@time", Qnil);

    return self;
}

Instance Method Details

#add_cert(cert) ⇒ Object

Adds the OpenSSL::X509::Certificate cert to the certificate store.



406
407
408
409
410
411
412
413
414
415
416
417
418
419
# File 'ext/openssl/ossl_x509store.c', line 406

static VALUE
ossl_x509store_add_cert(VALUE self, VALUE arg)
{
    X509_STORE *store;
    X509 *cert;

    cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
    GetX509Store(self, store);
    if (X509_STORE_add_cert(store, cert) != 1){
        ossl_raise(eX509StoreError, NULL);
    }

    return self;
}

#add_crl(crl) ⇒ self

Adds the OpenSSL::X509::CRL crl to the store.

Returns:

  • (self)


427
428
429
430
431
432
433
434
435
436
437
438
439
440
# File 'ext/openssl/ossl_x509store.c', line 427

static VALUE
ossl_x509store_add_crl(VALUE self, VALUE arg)
{
    X509_STORE *store;
    X509_CRL *crl;

    crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */
    GetX509Store(self, store);
    if (X509_STORE_add_crl(store, crl) != 1){
        ossl_raise(eX509StoreError, NULL);
    }

    return self;
}

#add_file(file) ⇒ self

Adds the certificates in file to the certificate store. The file can contain multiple PEM-encoded certificates.

Returns:

  • (self)


328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
# File 'ext/openssl/ossl_x509store.c', line 328

static VALUE
ossl_x509store_add_file(VALUE self, VALUE file)
{
    X509_STORE *store;
    X509_LOOKUP *lookup;
    char *path = NULL;

    if(file != Qnil){
	rb_check_safe_obj(file);
	path = StringValueCStr(file);
    }
    GetX509Store(self, store);
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
    if(lookup == NULL) ossl_raise(eX509StoreError, NULL);
    if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){
        ossl_raise(eX509StoreError, NULL);
    }

    return self;
}

#add_path(path) ⇒ self

Adds path as the hash dir to be looked up by the store.

Returns:

  • (self)


355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
# File 'ext/openssl/ossl_x509store.c', line 355

static VALUE
ossl_x509store_add_path(VALUE self, VALUE dir)
{
    X509_STORE *store;
    X509_LOOKUP *lookup;
    char *path = NULL;

    if(dir != Qnil){
	rb_check_safe_obj(dir);
	path = StringValueCStr(dir);
    }
    GetX509Store(self, store);
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
    if(lookup == NULL) ossl_raise(eX509StoreError, NULL);
    if(X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1){
        ossl_raise(eX509StoreError, NULL);
    }

    return self;
}

#flags=(flag) ⇒ Object

Sets flag to the Store. flag consists of zero or more of the constants defined in with name V_FLAG_* or’ed together.



250
251
252
253
254
255
256
257
258
259
260
# File 'ext/openssl/ossl_x509store.c', line 250

static VALUE
ossl_x509store_set_flags(VALUE self, VALUE flags)
{
    X509_STORE *store;
    long f = NUM2LONG(flags);

    GetX509Store(self, store);
    X509_STORE_set_flags(store, f);

    return flags;
}

#purpose=(purpose) ⇒ Object

Sets the store’s purpose to purpose. If specified, the verifications on the store will check every untrusted certificate’s extensions are consistent with the purpose. The purpose is specified by constants:

  • X509::PURPOSE_SSL_CLIENT

  • X509::PURPOSE_SSL_SERVER

  • X509::PURPOSE_NS_SSL_SERVER

  • X509::PURPOSE_SMIME_SIGN

  • X509::PURPOSE_SMIME_ENCRYPT

  • X509::PURPOSE_CRL_SIGN

  • X509::PURPOSE_ANY

  • X509::PURPOSE_OCSP_HELPER

  • X509::PURPOSE_TIMESTAMP_SIGN



280
281
282
283
284
285
286
287
288
289
290
# File 'ext/openssl/ossl_x509store.c', line 280

static VALUE
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
{
    X509_STORE *store;
    int p = NUM2INT(purpose);

    GetX509Store(self, store);
    X509_STORE_set_purpose(store, p);

    return purpose;
}

#set_default_pathsObject

Configures store to look up CA certificates from the system default certificate store as needed basis. The location of the store can usually be determined by:

  • OpenSSL::X509::DEFAULT_CERT_FILE

  • OpenSSL::X509::DEFAULT_CERT_DIR



387
388
389
390
391
392
393
394
395
396
397
398
# File 'ext/openssl/ossl_x509store.c', line 387

static VALUE
ossl_x509store_set_default_paths(VALUE self)
{
    X509_STORE *store;

    GetX509Store(self, store);
    if (X509_STORE_set_default_paths(store) != 1){
        ossl_raise(eX509StoreError, NULL);
    }

    return Qnil;
}

#time=(time) ⇒ Object

Sets the time to be used in verifications.



314
315
316
317
318
319
# File 'ext/openssl/ossl_x509store.c', line 314

static VALUE
ossl_x509store_set_time(VALUE self, VALUE time)
{
    rb_iv_set(self, "@time", time);
    return time;
}

#trust=(trust) ⇒ Object



296
297
298
299
300
301
302
303
304
305
306
# File 'ext/openssl/ossl_x509store.c', line 296

static VALUE
ossl_x509store_set_trust(VALUE self, VALUE trust)
{
    X509_STORE *store;
    int t = NUM2INT(trust);

    GetX509Store(self, store);
    X509_STORE_set_trust(store, t);

    return trust;
}

#verify(cert, chain = nil) ⇒ Object

Performs a certificate verification on the OpenSSL::X509::Certificate cert.

chain can be an array of OpenSSL::X509::Certificate that is used to construct the certificate chain.

If a block is given, it overrides the callback set by #verify_callback=.

After finishing the verification, the error information can be retrieved by #error, #error_string, and the resuting complete certificate chain can be retrieved by #chain.



461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
# File 'ext/openssl/ossl_x509store.c', line 461

static VALUE
ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
{
    VALUE cert, chain;
    VALUE ctx, proc, result;

    rb_scan_args(argc, argv, "11", &cert, &chain);
    ctx = rb_funcall(cX509StoreContext, rb_intern("new"), 3, self, cert, chain);
    proc = rb_block_given_p() ?  rb_block_proc() :
	   rb_iv_get(self, "@verify_callback");
    rb_iv_set(ctx, "@verify_callback", proc);
    result = rb_funcall(ctx, rb_intern("verify"), 0);

    rb_iv_set(self, "@error", ossl_x509stctx_get_err(ctx));
    rb_iv_set(self, "@error_string", ossl_x509stctx_get_err_string(ctx));
    rb_iv_set(self, "@chain", ossl_x509stctx_get_chain(ctx));

    return result;
}

#verify_callback=(cb) ⇒ Object

General callback for OpenSSL verify



201
202
203
204
205
206
207
208
209
210
211
# File 'ext/openssl/ossl_x509store.c', line 201

static VALUE
ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
{
    X509_STORE *store;

    GetX509Store(self, store);
    X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb);
    rb_iv_set(self, "@verify_callback", cb);

    return cb;
}