Class: OpenSSL::OCSP::Request
- Inherits:
-
Object
- Object
- OpenSSL::OCSP::Request
- Defined in:
- ext/openssl/ossl_ocsp.c
Instance Method Summary collapse
-
#add_certid(certificate_id) ⇒ Object
Adds
certificate_id
to the request. -
#add_nonce(nonce = nil) ⇒ Object
Adds a
nonce
to the OCSP request. -
#certid ⇒ Array
Returns all certificate IDs in this request.
-
#check_nonce(response) ⇒ Object
Checks the nonce validity for this request and
response
. -
#initialize(*args) ⇒ Object
constructor
Creates a new OpenSSL::OCSP::Request.
-
#sign(cert, key, certs = nil, flags = 0, digest = nil) ⇒ self
Signs this OCSP request using
cert
,key
and optionaldigest
. -
#to_der ⇒ Object
Returns this request as a DER-encoded string.
-
#verify(certificates, store, flags = 0) ⇒ Boolean
Verifies this request using the given
certificates
andstore
.
Constructor Details
#OpenSSL::OCSP::Request.new ⇒ Object #OpenSSL::OCSP::Request.new(request_der) ⇒ Object
Creates a new OpenSSL::OCSP::Request. The request may be created empty or from a request_der
string.
224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 |
# File 'ext/openssl/ossl_ocsp.c', line 224
static VALUE
ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
{
VALUE arg;
OCSP_REQUEST *req, *req_new;
const unsigned char *p;
rb_scan_args(argc, argv, "01", &arg);
if(!NIL_P(arg)){
GetOCSPReq(self, req);
arg = ossl_to_der_if_possible(arg);
StringValue(arg);
p = (unsigned char *)RSTRING_PTR(arg);
req_new = d2i_OCSP_REQUEST(NULL, &p, RSTRING_LEN(arg));
if (!req_new)
ossl_raise(eOCSPError, "d2i_OCSP_REQUEST");
SetOCSPReq(self, req_new);
OCSP_REQUEST_free(req);
}
return self;
}
|
Instance Method Details
#add_certid(certificate_id) ⇒ Object
Adds certificate_id
to the request.
320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 |
# File 'ext/openssl/ossl_ocsp.c', line 320
static VALUE
ossl_ocspreq_add_certid(VALUE self, VALUE certid)
{
OCSP_REQUEST *req;
OCSP_CERTID *id, *id_new;
GetOCSPReq(self, req);
GetOCSPCertId(certid, id);
if (!(id_new = OCSP_CERTID_dup(id)))
ossl_raise(eOCSPError, "OCSP_CERTID_dup");
if (!OCSP_request_add0_id(req, id_new)) {
OCSP_CERTID_free(id_new);
ossl_raise(eOCSPError, "OCSP_request_add0_id");
}
return self;
}
|
#add_nonce(nonce = nil) ⇒ Object
Adds a nonce
to the OCSP request. If no nonce is given a random one will be generated.
The nonce is used to prevent replay attacks but some servers do not support it.
258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 |
# File 'ext/openssl/ossl_ocsp.c', line 258
static VALUE
ossl_ocspreq_add_nonce(int argc, VALUE *argv, VALUE self)
{
OCSP_REQUEST *req;
VALUE val;
int ret;
rb_scan_args(argc, argv, "01", &val);
if(NIL_P(val)) {
GetOCSPReq(self, req);
ret = OCSP_request_add1_nonce(req, NULL, -1);
}
else{
StringValue(val);
GetOCSPReq(self, req);
ret = OCSP_request_add1_nonce(req, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
}
if(!ret) ossl_raise(eOCSPError, NULL);
return self;
}
|
#certid ⇒ Array
Returns all certificate IDs in this request.
346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 |
# File 'ext/openssl/ossl_ocsp.c', line 346
static VALUE
ossl_ocspreq_get_certid(VALUE self)
{
OCSP_REQUEST *req;
OCSP_ONEREQ *one;
OCSP_CERTID *id;
VALUE ary, tmp;
int i, count;
GetOCSPReq(self, req);
count = OCSP_request_onereq_count(req);
ary = (count > 0) ? rb_ary_new() : Qnil;
for(i = 0; i < count; i++){
one = OCSP_request_onereq_get0(req, i);
tmp = NewOCSPCertId(cOCSPCertId);
if(!(id = OCSP_CERTID_dup(OCSP_onereq_get0_id(one))))
ossl_raise(eOCSPError, NULL);
SetOCSPCertId(tmp, id);
rb_ary_push(ary, tmp);
}
return ary;
}
|
#check_nonce(response) ⇒ Object
Checks the nonce validity for this request and response
.
The return value is one of the following:
- -1
-
nonce in request only.
- 0
-
nonces both present and not equal.
- 1
-
nonces present and equal.
- 2
-
nonces both absent.
- 3
-
nonce present in response only.
For most responses, clients can check result
> 0. If a responder doesn’t handle nonces result.nonzero?
may be necessary. A result of 0
is always an error.
299 300 301 302 303 304 305 306 307 308 309 310 311 |
# File 'ext/openssl/ossl_ocsp.c', line 299
static VALUE
ossl_ocspreq_check_nonce(VALUE self, VALUE basic_resp)
{
OCSP_REQUEST *req;
OCSP_BASICRESP *bs;
int res;
GetOCSPReq(self, req);
SafeGetOCSPBasicRes(basic_resp, bs);
res = OCSP_check_nonce(req, bs);
return INT2NUM(res);
}
|
#sign(cert, key, certs = nil, flags = 0, digest = nil) ⇒ self
Signs this OCSP request using cert
, key
and optional digest
. If digest
is not specified, SHA-1 is used. certs
is an optional Array of additional certificates which are included in the request in addition to the signer certificate. Note that if certs
is nil or not given, flag OpenSSL::OCSP::NOCERTS is enabled. Pass an empty array to include only the signer certificate.
flags
can be a bitwise OR of the following constants:
- OpenSSL::OCSP::NOCERTS
-
Don’t include any certificates in the request.
certs
will be ignored.
386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 |
# File 'ext/openssl/ossl_ocsp.c', line 386
static VALUE
ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
{
VALUE signer_cert, signer_key, certs, flags, digest;
OCSP_REQUEST *req;
X509 *signer;
EVP_PKEY *key;
STACK_OF(X509) *x509s = NULL;
unsigned long flg = 0;
const EVP_MD *md;
int ret;
rb_scan_args(argc, argv, "23", &signer_cert, &signer_key, &certs, &flags, &digest);
GetOCSPReq(self, req);
signer = GetX509CertPtr(signer_cert);
key = GetPrivPKeyPtr(signer_key);
if (!NIL_P(flags))
flg = NUM2INT(flags);
if (NIL_P(digest))
md = EVP_sha1();
else
md = GetDigestPtr(digest);
if (NIL_P(certs))
flg |= OCSP_NOCERTS;
else
x509s = ossl_x509_ary2sk(certs);
ret = OCSP_request_sign(req, signer, key, md, x509s, flg);
sk_X509_pop_free(x509s, X509_free);
if (!ret) ossl_raise(eOCSPError, NULL);
return self;
}
|
#to_der ⇒ Object
Returns this request as a DER-encoded string
455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 |
# File 'ext/openssl/ossl_ocsp.c', line 455
static VALUE
ossl_ocspreq_to_der(VALUE self)
{
OCSP_REQUEST *req;
VALUE str;
unsigned char *p;
long len;
GetOCSPReq(self, req);
if((len = i2d_OCSP_REQUEST(req, NULL)) <= 0)
ossl_raise(eOCSPError, NULL);
str = rb_str_new(0, len);
p = (unsigned char *)RSTRING_PTR(str);
if(i2d_OCSP_REQUEST(req, &p) <= 0)
ossl_raise(eOCSPError, NULL);
ossl_str_adjust(str, p);
return str;
}
|
#verify(certificates, store, flags = 0) ⇒ Boolean
Verifies this request using the given certificates
and store
. certificates
is an array of OpenSSL::X509::Certificate, store
is an OpenSSL::X509::Store.
429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 |
# File 'ext/openssl/ossl_ocsp.c', line 429
static VALUE
ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
{
VALUE certs, store, flags;
OCSP_REQUEST *req;
STACK_OF(X509) *x509s;
X509_STORE *x509st;
int flg, result;
rb_scan_args(argc, argv, "21", &certs, &store, &flags);
GetOCSPReq(self, req);
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
x509s = ossl_x509_ary2sk(certs);
result = OCSP_request_verify(req, x509s, x509st, flg);
sk_X509_pop_free(x509s, X509_free);
if (result <= 0)
ossl_clear_error();
return result > 0 ? Qtrue : Qfalse;
}
|