Class: OpenSSL::OCSP::BasicResponse
- Inherits:
-
Object
- Object
- OpenSSL::OCSP::BasicResponse
- Defined in:
- ext/openssl/ossl_ocsp.c
Instance Method Summary collapse
-
#add_nonce(nonce = nil) ⇒ Object
Adds nonce to this response.
-
#add_status(certificate_id, status, reason, revocation_time, this_update, next_update, extensions) ⇒ Object
Adds a certificate status for certificate_id.
-
#copy_nonce(request) ⇒ Integer
Copies the nonce from request into this response.
-
#find_response(certificate_id) ⇒ SingleResponse | nil
Returns a SingleResponse whose CertId matches with certificate_id, or
nil
if this BasicResponse does not contain it. -
#OpenSSL::OCSP::BasicResponse.new(der_string = nil) ⇒ Object
constructor
Creates a new BasicResponse.
- #initialize_copy(other) ⇒ Object
-
#responses ⇒ Array of SingleResponse
Returns an Array of SingleResponse for this BasicResponse.
-
#sign(cert, key, certs = nil, flags = 0, digest = nil) ⇒ self
Signs this OCSP response using the cert, key and optional digest.
-
#status ⇒ Object
Returns an Array of statuses for this response.
-
#to_der ⇒ String
Encodes this basic response into a DER-encoded string.
-
#verify(certificates, store, flags = 0) ⇒ Boolean
Verifies the signature of the response using the given certificates and store.
Constructor Details
#OpenSSL::OCSP::BasicResponse.new(der_string = nil) ⇒ Object
Creates a new BasicResponse. If der_string is given, decodes der_string as DER.
699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 |
# File 'ext/openssl/ossl_ocsp.c', line 699
static VALUE
ossl_ocspbres_initialize(int argc, VALUE *argv, VALUE self)
{
VALUE arg;
OCSP_BASICRESP *res, *res_new;
const unsigned char *p;
rb_scan_args(argc, argv, "01", &arg);
if (!NIL_P(arg)) {
GetOCSPBasicRes(self, res);
arg = ossl_to_der_if_possible(arg);
StringValue(arg);
p = (unsigned char *)RSTRING_PTR(arg);
res_new = d2i_OCSP_BASICRESP(NULL, &p, RSTRING_LEN(arg));
if (!res_new)
ossl_raise(eOCSPError, "d2i_OCSP_BASICRESP");
SetOCSPBasicRes(self, res_new);
OCSP_BASICRESP_free(res);
}
return self;
}
|
Instance Method Details
#add_nonce(nonce = nil) ⇒ Object
Adds nonce to this response. If no nonce was provided a random nonce will be added.
752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 |
# File 'ext/openssl/ossl_ocsp.c', line 752
static VALUE
ossl_ocspbres_add_nonce(int argc, VALUE *argv, VALUE self)
{
OCSP_BASICRESP *bs;
VALUE val;
int ret;
rb_scan_args(argc, argv, "01", &val);
if(NIL_P(val)) {
GetOCSPBasicRes(self, bs);
ret = OCSP_basic_add1_nonce(bs, NULL, -1);
}
else{
StringValue(val);
GetOCSPBasicRes(self, bs);
ret = OCSP_basic_add1_nonce(bs, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
}
if(!ret) ossl_raise(eOCSPError, NULL);
return self;
}
|
#add_status(certificate_id, status, reason, revocation_time, this_update, next_update, extensions) ⇒ Object
Adds a certificate status for certificate_id. status is the status, and must be one of these:
-
OpenSSL::OCSP::V_CERTSTATUS_GOOD
-
OpenSSL::OCSP::V_CERTSTATUS_REVOKED
-
OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
reason and revocation_time can be given only when status is OpenSSL::OCSP::V_CERTSTATUS_REVOKED. reason describes the reason for the revocation, and must be one of OpenSSL::OCSP::REVOKED_STATUS_* constants. revocation_time is the time when the certificate is revoked.
this_update and next_update indicate the time at which ths status is verified to be correct and the time at or before which newer information will be available, respectively. next_update is optional.
extensions is an Array of OpenSSL::X509::Extension to be included in the SingleResponse. This is also optional.
Note that the times, revocation_time, this_update and next_update can be specified in either of Integer or Time object. If they are Integer, it is treated as the relative seconds from the current time.
817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 |
# File 'ext/openssl/ossl_ocsp.c', line 817
static VALUE
ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
VALUE reason, VALUE revtime,
VALUE thisupd, VALUE nextupd, VALUE ext)
{
OCSP_BASICRESP *bs;
OCSP_SINGLERESP *single;
OCSP_CERTID *id;
ASN1_TIME *ths = NULL, *nxt = NULL, *rev = NULL;
int st, rsn = 0, error = 0, rstatus = 0;
long i;
VALUE tmp;
GetOCSPBasicRes(self, bs);
GetOCSPCertId(cid, id);
st = NUM2INT(status);
if (!NIL_P(ext)) { /* All ext's members must be X509::Extension */
ext = rb_check_array_type(ext);
for (i = 0; i < RARRAY_LEN(ext); i++)
OSSL_Check_Kind(RARRAY_AREF(ext, i), cX509Ext);
}
if (st == V_OCSP_CERTSTATUS_REVOKED) {
rsn = NUM2INT(reason);
tmp = rb_protect(add_status_convert_time, revtime, &rstatus);
if (rstatus) goto err;
rev = (ASN1_TIME *)tmp;
}
tmp = rb_protect(add_status_convert_time, thisupd, &rstatus);
if (rstatus) goto err;
ths = (ASN1_TIME *)tmp;
if (!NIL_P(nextupd)) {
tmp = rb_protect(add_status_convert_time, nextupd, &rstatus);
if (rstatus) goto err;
nxt = (ASN1_TIME *)tmp;
}
if(!(single = OCSP_basic_add1_status(bs, id, st, rsn, rev, ths, nxt))){
error = 1;
goto err;
}
if(!NIL_P(ext)){
X509_EXTENSION *x509ext;
for(i = 0; i < RARRAY_LEN(ext); i++){
x509ext = GetX509ExtPtr(RARRAY_AREF(ext, i));
if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)){
error = 1;
goto err;
}
}
}
err:
ASN1_TIME_free(ths);
ASN1_TIME_free(nxt);
ASN1_TIME_free(rev);
if(error) ossl_raise(eOCSPError, NULL);
if(rstatus) rb_jump_tag(rstatus);
return self;
}
|
#copy_nonce(request) ⇒ Integer
Copies the nonce from request into this response. Returns 1 on success and 0 on failure.
730 731 732 733 734 735 736 737 738 739 740 741 742 |
# File 'ext/openssl/ossl_ocsp.c', line 730
static VALUE
ossl_ocspbres_copy_nonce(VALUE self, VALUE request)
{
OCSP_BASICRESP *bs;
OCSP_REQUEST *req;
int ret;
GetOCSPBasicRes(self, bs);
GetOCSPReq(request, req);
ret = OCSP_copy_nonce(bs, req);
return INT2NUM(ret);
}
|
#find_response(certificate_id) ⇒ SingleResponse | nil
Returns a SingleResponse whose CertId matches with certificate_id, or nil
if this BasicResponse does not contain it.
982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 |
# File 'ext/openssl/ossl_ocsp.c', line 982
static VALUE
ossl_ocspbres_find_response(VALUE self, VALUE target)
{
OCSP_BASICRESP *bs;
OCSP_SINGLERESP *sres, *sres_new;
OCSP_CERTID *id;
int n;
GetOCSPCertId(target, id);
GetOCSPBasicRes(self, bs);
if ((n = OCSP_resp_find(bs, id, -1)) == -1)
return Qnil;
sres = OCSP_resp_get0(bs, n);
sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres);
if (!sres_new)
ossl_raise(eOCSPError, "ASN1_item_dup");
return ossl_ocspsres_new(sres_new);
}
|
#initialize_copy(other) ⇒ Object
672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 |
# File 'ext/openssl/ossl_ocsp.c', line 672
static VALUE
ossl_ocspbres_initialize_copy(VALUE self, VALUE other)
{
OCSP_BASICRESP *bs, *bs_old, *bs_new;
rb_check_frozen(self);
GetOCSPBasicRes(self, bs_old);
GetOCSPBasicRes(other, bs);
bs_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
if (!bs_new)
ossl_raise(eOCSPError, "ASN1_item_dup");
SetOCSPBasicRes(self, bs_new);
OCSP_BASICRESP_free(bs_old);
return self;
}
|
#responses ⇒ Array of SingleResponse
Returns an Array of SingleResponse for this BasicResponse.
949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 |
# File 'ext/openssl/ossl_ocsp.c', line 949
static VALUE
ossl_ocspbres_get_responses(VALUE self)
{
OCSP_BASICRESP *bs;
VALUE ret;
int count, i;
GetOCSPBasicRes(self, bs);
count = OCSP_resp_count(bs);
ret = rb_ary_new2(count);
for (i = 0; i < count; i++) {
OCSP_SINGLERESP *sres, *sres_new;
sres = OCSP_resp_get0(bs, i);
sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres);
if (!sres_new)
ossl_raise(eOCSPError, "ASN1_item_dup");
rb_ary_push(ret, ossl_ocspsres_new(sres_new));
}
return ret;
}
|
#sign(cert, key, certs = nil, flags = 0, digest = nil) ⇒ self
Signs this OCSP response using the cert, key and optional digest. This behaves in the similar way as OpenSSL::OCSP::Request#sign.
flags can include:
- OpenSSL::OCSP::NOCERTS
-
don’t include certificates
- OpenSSL::OCSP::NOTIME
-
don’t set producedAt
- OpenSSL::OCSP::RESPID_KEY
-
use signer’s public key hash as responderID
1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 |
# File 'ext/openssl/ossl_ocsp.c', line 1017
static VALUE
ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
{
VALUE signer_cert, signer_key, certs, flags, digest;
OCSP_BASICRESP *bs;
X509 *signer;
EVP_PKEY *key;
STACK_OF(X509) *x509s = NULL;
unsigned long flg = 0;
const EVP_MD *md;
int ret;
rb_scan_args(argc, argv, "23", &signer_cert, &signer_key, &certs, &flags, &digest);
GetOCSPBasicRes(self, bs);
signer = GetX509CertPtr(signer_cert);
key = GetPrivPKeyPtr(signer_key);
if (!NIL_P(flags))
flg = NUM2INT(flags);
if (NIL_P(digest))
md = EVP_sha1();
else
md = ossl_evp_get_digestbyname(digest);
if (NIL_P(certs))
flg |= OCSP_NOCERTS;
else
x509s = ossl_x509_ary2sk(certs);
ret = OCSP_basic_sign(bs, signer, key, md, x509s, flg);
sk_X509_pop_free(x509s, X509_free);
if (!ret) ossl_raise(eOCSPError, NULL);
return self;
}
|
#status ⇒ Object
Returns an Array of statuses for this response. Each status contains a CertificateId, the status (0 for good, 1 for revoked, 2 for unknown), the reason for the status, the revocation time, the time of this update, the time for the next update and a list of OpenSSL::X509::Extension.
This should be superseded by BasicResponse#responses and #find_response that return SingleResponse.
895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 |
# File 'ext/openssl/ossl_ocsp.c', line 895
static VALUE
ossl_ocspbres_get_status(VALUE self)
{
OCSP_BASICRESP *bs;
OCSP_SINGLERESP *single;
OCSP_CERTID *cid;
ASN1_TIME *revtime, *thisupd, *nextupd;
int status, reason;
X509_EXTENSION *x509ext;
VALUE ret, ary, ext;
int count, ext_count, i, j;
GetOCSPBasicRes(self, bs);
ret = rb_ary_new();
count = OCSP_resp_count(bs);
for(i = 0; i < count; i++){
single = OCSP_resp_get0(bs, i);
if(!single) continue;
revtime = thisupd = nextupd = NULL;
status = OCSP_single_get0_status(single, &reason, &revtime,
&thisupd, &nextupd);
if(status < 0) continue;
if(!(cid = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(single)))) /* FIXME */
ossl_raise(eOCSPError, NULL);
ary = rb_ary_new();
rb_ary_push(ary, ossl_ocspcertid_new(cid));
rb_ary_push(ary, INT2NUM(status));
rb_ary_push(ary, INT2NUM(reason));
rb_ary_push(ary, revtime ? asn1time_to_time(revtime) : Qnil);
rb_ary_push(ary, thisupd ? asn1time_to_time(thisupd) : Qnil);
rb_ary_push(ary, nextupd ? asn1time_to_time(nextupd) : Qnil);
ext = rb_ary_new();
ext_count = OCSP_SINGLERESP_get_ext_count(single);
for(j = 0; j < ext_count; j++){
x509ext = OCSP_SINGLERESP_get_ext(single, j);
rb_ary_push(ext, ossl_x509ext_new(x509ext));
}
rb_ary_push(ary, ext);
rb_ary_push(ret, ary);
}
return ret;
}
|
#to_der ⇒ String
Encodes this basic response into a DER-encoded string.
1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 |
# File 'ext/openssl/ossl_ocsp.c', line 1135
static VALUE
ossl_ocspbres_to_der(VALUE self)
{
OCSP_BASICRESP *res;
VALUE str;
long len;
unsigned char *p;
GetOCSPBasicRes(self, res);
if ((len = i2d_OCSP_BASICRESP(res, NULL)) <= 0)
ossl_raise(eOCSPError, NULL);
str = rb_str_new(0, len);
p = (unsigned char *)RSTRING_PTR(str);
if (i2d_OCSP_BASICRESP(res, &p) <= 0)
ossl_raise(eOCSPError, NULL);
ossl_str_adjust(str, p);
return str;
}
|
#verify(certificates, store, flags = 0) ⇒ Boolean
Verifies the signature of the response using the given certificates and store. This works in the similar way as OpenSSL::OCSP::Request#verify.
1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 |
# File 'ext/openssl/ossl_ocsp.c', line 1058
static VALUE
ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
{
VALUE certs, store, flags;
OCSP_BASICRESP *bs;
STACK_OF(X509) *x509s;
X509_STORE *x509st;
int flg, result;
rb_scan_args(argc, argv, "21", &certs, &store, &flags);
GetOCSPBasicRes(self, bs);
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
x509s = ossl_x509_ary2sk(certs);
#if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || \
defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x30500000
/*
* OpenSSL had a bug that it doesn't use the certificates in x509s for
* verifying the chain. This can be a problem when the response is signed by
* a certificate issued by an intermediate CA.
*
* root_ca
* |
* intermediate_ca
* |-------------|
* end_entity ocsp_signer
*
* When the certificate hierarchy is like this, and the response contains
* only ocsp_signer certificate, the following code wrongly fails.
*
* store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
* basic_response.verify([intermediate_ca], store)
*
* So add the certificates in x509s to the embedded certificates list first.
*
* This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still
* exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1.
*/
if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) &&
sk_X509_num(x509s) && sk_X509_num(bs->certs)) {
int i;
bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
if (!bs) {
sk_X509_pop_free(x509s, X509_free);
ossl_raise(eOCSPError, "ASN1_item_dup");
}
for (i = 0; i < sk_X509_num(x509s); i++) {
if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) {
sk_X509_pop_free(x509s, X509_free);
OCSP_BASICRESP_free(bs);
ossl_raise(eOCSPError, "OCSP_basic_add1_cert");
}
}
result = OCSP_basic_verify(bs, x509s, x509st, flg);
OCSP_BASICRESP_free(bs);
}
else {
result = OCSP_basic_verify(bs, x509s, x509st, flg);
}
#else
result = OCSP_basic_verify(bs, x509s, x509st, flg);
#endif
sk_X509_pop_free(x509s, X509_free);
if (result <= 0)
ossl_clear_error();
return result > 0 ? Qtrue : Qfalse;
}
|