Class: OpenSSL::OCSP::Request

Inherits:
Object
  • Object
show all
Defined in:
ext/openssl/ossl_ocsp.c

Instance Method Summary collapse

Constructor Details

#OpenSSL::OCSP::Request.newObject #OpenSSL::OCSP::Request.new(request_der) ⇒ Object

Creates a new OpenSSL::OCSP::Request. The request may be created empty or from a request_der string.



224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
# File 'ext/openssl/ossl_ocsp.c', line 224

static VALUE
ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
{
    VALUE arg;
    OCSP_REQUEST *req, *req_new;
    const unsigned char *p;

    rb_scan_args(argc, argv, "01", &arg);
    if(!NIL_P(arg)){
	GetOCSPReq(self, req);
	arg = ossl_to_der_if_possible(arg);
	StringValue(arg);
	p = (unsigned char *)RSTRING_PTR(arg);
	req_new = d2i_OCSP_REQUEST(NULL, &p, RSTRING_LEN(arg));
	if (!req_new)
	    ossl_raise(eOCSPError, "d2i_OCSP_REQUEST");
	SetOCSPReq(self, req_new);
	OCSP_REQUEST_free(req);
    }

    return self;
}

Instance Method Details

#add_certid(certificate_id) ⇒ Object

Adds certificate_id to the request.



320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
# File 'ext/openssl/ossl_ocsp.c', line 320

static VALUE
ossl_ocspreq_add_certid(VALUE self, VALUE certid)
{
    OCSP_REQUEST *req;
    OCSP_CERTID *id, *id_new;

    GetOCSPReq(self, req);
    GetOCSPCertId(certid, id);

    if (!(id_new = OCSP_CERTID_dup(id)))
	ossl_raise(eOCSPError, "OCSP_CERTID_dup");
    if (!OCSP_request_add0_id(req, id_new)) {
	OCSP_CERTID_free(id_new);
	ossl_raise(eOCSPError, "OCSP_request_add0_id");
    }

    return self;
}

#add_nonce(nonce = nil) ⇒ Object

Adds a nonce to the OCSP request. If no nonce is given a random one will be generated.

The nonce is used to prevent replay attacks but some servers do not support it.



258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
# File 'ext/openssl/ossl_ocsp.c', line 258

static VALUE
ossl_ocspreq_add_nonce(int argc, VALUE *argv, VALUE self)
{
    OCSP_REQUEST *req;
    VALUE val;
    int ret;

    rb_scan_args(argc, argv, "01", &val);
    if(NIL_P(val)) {
	GetOCSPReq(self, req);
	ret = OCSP_request_add1_nonce(req, NULL, -1);
    }
    else{
	StringValue(val);
	GetOCSPReq(self, req);
	ret = OCSP_request_add1_nonce(req, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
    }
    if(!ret) ossl_raise(eOCSPError, NULL);

    return self;
}

#certidArray

Returns all certificate IDs in this request.

Returns:

  • (Array)


346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
# File 'ext/openssl/ossl_ocsp.c', line 346

static VALUE
ossl_ocspreq_get_certid(VALUE self)
{
    OCSP_REQUEST *req;
    OCSP_ONEREQ *one;
    OCSP_CERTID *id;
    VALUE ary, tmp;
    int i, count;

    GetOCSPReq(self, req);
    count = OCSP_request_onereq_count(req);
    ary = (count > 0) ? rb_ary_new() : Qnil;
    for(i = 0; i < count; i++){
	one = OCSP_request_onereq_get0(req, i);
	tmp = NewOCSPCertId(cOCSPCertId);
	if(!(id = OCSP_CERTID_dup(OCSP_onereq_get0_id(one))))
	    ossl_raise(eOCSPError, NULL);
	SetOCSPCertId(tmp, id);
	rb_ary_push(ary, tmp);
    }

    return ary;
}

#check_nonce(response) ⇒ Object

Checks the nonce validity for this request and response.

The return value is one of the following:

-1

nonce in request only.

0

nonces both present and not equal.

1

nonces present and equal.

2

nonces both absent.

3

nonce present in response only.

For most responses, clients can check result > 0. If a responder doesn’t handle nonces result.nonzero? may be necessary. A result of 0 is always an error.



299
300
301
302
303
304
305
306
307
308
309
310
311
# File 'ext/openssl/ossl_ocsp.c', line 299

static VALUE
ossl_ocspreq_check_nonce(VALUE self, VALUE basic_resp)
{
    OCSP_REQUEST *req;
    OCSP_BASICRESP *bs;
    int res;

    GetOCSPReq(self, req);
    SafeGetOCSPBasicRes(basic_resp, bs);
    res = OCSP_check_nonce(req, bs);

    return INT2NUM(res);
}

#sign(cert, key, certs = nil, flags = 0, digest = nil) ⇒ self

Signs this OCSP request using cert, key and optional digest. If digest is not specified, SHA-1 is used. certs is an optional Array of additional certificates which are included in the request in addition to the signer certificate. Note that if certs is nil or not given, flag OpenSSL::OCSP::NOCERTS is enabled. Pass an empty array to include only the signer certificate.

flags can be a bitwise OR of the following constants:

OpenSSL::OCSP::NOCERTS

Don’t include any certificates in the request. certs will be ignored.

Returns:

  • (self)


386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
# File 'ext/openssl/ossl_ocsp.c', line 386

static VALUE
ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
{
    VALUE signer_cert, signer_key, certs, flags, digest;
    OCSP_REQUEST *req;
    X509 *signer;
    EVP_PKEY *key;
    STACK_OF(X509) *x509s = NULL;
    unsigned long flg = 0;
    const EVP_MD *md;
    int ret;

    rb_scan_args(argc, argv, "23", &signer_cert, &signer_key, &certs, &flags, &digest);
    GetOCSPReq(self, req);
    signer = GetX509CertPtr(signer_cert);
    key = GetPrivPKeyPtr(signer_key);
    if (!NIL_P(flags))
	flg = NUM2INT(flags);
    if (NIL_P(digest))
	md = EVP_sha1();
    else
	md = GetDigestPtr(digest);
    if (NIL_P(certs))
	flg |= OCSP_NOCERTS;
    else
	x509s = ossl_x509_ary2sk(certs);

    ret = OCSP_request_sign(req, signer, key, md, x509s, flg);
    sk_X509_pop_free(x509s, X509_free);
    if (!ret) ossl_raise(eOCSPError, NULL);

    return self;
}

#to_derObject

Returns this request as a DER-encoded string



455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
# File 'ext/openssl/ossl_ocsp.c', line 455

static VALUE
ossl_ocspreq_to_der(VALUE self)
{
    OCSP_REQUEST *req;
    VALUE str;
    unsigned char *p;
    long len;

    GetOCSPReq(self, req);
    if((len = i2d_OCSP_REQUEST(req, NULL)) <= 0)
	ossl_raise(eOCSPError, NULL);
    str = rb_str_new(0, len);
    p = (unsigned char *)RSTRING_PTR(str);
    if(i2d_OCSP_REQUEST(req, &p) <= 0)
	ossl_raise(eOCSPError, NULL);
    ossl_str_adjust(str, p);

    return str;
}

#verify(certificates, store, flags = 0) ⇒ Boolean

Verifies this request using the given certificates and store. certificates is an array of OpenSSL::X509::Certificate, store is an OpenSSL::X509::Store.

Returns:

  • (Boolean)


429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
# File 'ext/openssl/ossl_ocsp.c', line 429

static VALUE
ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
{
    VALUE certs, store, flags;
    OCSP_REQUEST *req;
    STACK_OF(X509) *x509s;
    X509_STORE *x509st;
    int flg, result;

    rb_scan_args(argc, argv, "21", &certs, &store, &flags);
    GetOCSPReq(self, req);
    x509st = GetX509StorePtr(store);
    flg = NIL_P(flags) ? 0 : NUM2INT(flags);
    x509s = ossl_x509_ary2sk(certs);
    result = OCSP_request_verify(req, x509s, x509st, flg);
    sk_X509_pop_free(x509s, X509_free);
    if (result <= 0)
	ossl_clear_error();

    return result > 0 ? Qtrue : Qfalse;
}