Class: OpenSSL::X509::Store
- Inherits:
-
Object
- Object
- OpenSSL::X509::Store
- Defined in:
- ext/openssl/ossl_x509store.c,
ext/openssl/ossl_x509store.c
Overview
The X509 certificate store holds trusted CA certificates used to verify peer certificates.
The easiest way to create a useful certificate store is:
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths
This will use your system’s built-in certificates.
If your system does not have a default set of certificates you can obtain a set extracted from Mozilla CA certificate store by cURL maintainers here: curl.haxx.se/docs/caextract.html (You may wish to use the firefox-db2pem.sh script to extract the certificates from a local install to avoid man-in-the-middle attacks.)
After downloading or generating a cacert.pem from the above link you can create a certificate store from the pem file like this:
cert_store = OpenSSL::X509::Store.new
cert_store.add_file 'cacert.pem'
The certificate store can be used with an SSLSocket like this:
ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl_context.cert_store = cert_store
tcp_socket = TCPSocket.open 'example.com', 443
ssl_socket = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context
Instance Method Summary collapse
-
#add_cert(cert) ⇒ self
Adds the OpenSSL::X509::Certificate cert to the certificate store.
-
#add_crl(crl) ⇒ self
Adds the OpenSSL::X509::CRL crl to the store.
-
#add_file(file) ⇒ self
Adds the certificates in file to the certificate store.
-
#add_path(path) ⇒ self
Adds path as the hash dir to be looked up by the store.
-
#flags=(flags) ⇒ Object
Sets the default flags used by certificate chain verification performed with the Store.
-
#X509::Store.new ⇒ Object
constructor
Creates a new X509::Store.
-
#purpose=(purpose) ⇒ Object
Sets the store’s default verification purpose.
-
#set_default_paths ⇒ Object
Configures store to look up CA certificates from the system default certificate store as needed basis.
-
#time=(time) ⇒ Object
Sets the time to be used in the certificate verifications with the store.
-
#trust=(trust) ⇒ Object
Sets the default trust settings used by the certificate verification with the store.
-
#verify(cert, chain = nil) ⇒ Object
Performs a certificate verification on the OpenSSL::X509::Certificate cert.
-
#verify_callback=(cb) ⇒ Object
General callback for OpenSSL verify.
Constructor Details
#X509::Store.new ⇒ Object
Creates a new X509::Store.
203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 |
# File 'ext/openssl/ossl_x509store.c', line 203
static VALUE
ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
{
X509_STORE *store;
GetX509Store(self, store);
if (argc != 0)
rb_warn("OpenSSL::X509::Store.new does not take any arguments");
#if !defined(HAVE_OPAQUE_OPENSSL)
/* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */
store->ex_data.sk = NULL;
#endif
X509_STORE_set_verify_cb(store, x509store_verify_cb);
ossl_x509store_set_vfy_cb(self, Qnil);
/* last verification status */
rb_iv_set(self, "@error", Qnil);
rb_iv_set(self, "@error_string", Qnil);
rb_iv_set(self, "@chain", Qnil);
rb_iv_set(self, "@time", Qnil);
return self;
}
|
Instance Method Details
#add_cert(cert) ⇒ self
Adds the OpenSSL::X509::Certificate cert to the certificate store.
See also the man page X509_STORE_add_cert(3).
428 429 430 431 432 433 434 435 436 437 438 439 440 |
# File 'ext/openssl/ossl_x509store.c', line 428
static VALUE
ossl_x509store_add_cert(VALUE self, VALUE arg)
{
X509_STORE *store;
X509 *cert;
cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
GetX509Store(self, store);
if (X509_STORE_add_cert(store, cert) != 1)
ossl_raise(eX509StoreError, "X509_STORE_add_cert");
return self;
}
|
#add_crl(crl) ⇒ self
Adds the OpenSSL::X509::CRL crl to the store.
See also the man page X509_STORE_add_crl(3).
450 451 452 453 454 455 456 457 458 459 460 461 462 |
# File 'ext/openssl/ossl_x509store.c', line 450
static VALUE
ossl_x509store_add_crl(VALUE self, VALUE arg)
{
X509_STORE *store;
X509_CRL *crl;
crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */
GetX509Store(self, store);
if (X509_STORE_add_crl(store, crl) != 1)
ossl_raise(eX509StoreError, "X509_STORE_add_crl");
return self;
}
|
#add_file(file) ⇒ self
Adds the certificates in file to the certificate store. file is the path to the file, and the file contains one or more certificates in PEM format concatenated together.
See also the man page X509_LOOKUP_file(3).
342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 |
# File 'ext/openssl/ossl_x509store.c', line 342
static VALUE
ossl_x509store_add_file(VALUE self, VALUE file)
{
X509_STORE *store;
X509_LOOKUP *lookup;
const char *path;
GetX509Store(self, store);
path = StringValueCStr(file);
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (!lookup)
ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1)
ossl_raise(eX509StoreError, "X509_LOOKUP_load_file");
#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
/*
* X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
* did not check the return value of X509_STORE_add_{cert,crl}(), leaking
* "cert already in hash table" errors on the error queue, if duplicate
* certificates are found. This will be fixed by OpenSSL 1.1.1.
*/
ossl_clear_error();
#endif
return self;
}
|
#add_path(path) ⇒ self
Adds path as the hash dir to be looked up by the store.
See also the man page X509_LOOKUP_hash_dir(3).
377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 |
# File 'ext/openssl/ossl_x509store.c', line 377
static VALUE
ossl_x509store_add_path(VALUE self, VALUE dir)
{
X509_STORE *store;
X509_LOOKUP *lookup;
const char *path;
GetX509Store(self, store);
path = StringValueCStr(dir);
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
if (!lookup)
ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1)
ossl_raise(eX509StoreError, "X509_LOOKUP_add_dir");
return self;
}
|
#flags=(flags) ⇒ Object
Sets the default flags used by certificate chain verification performed with the Store.
flags consists of zero or more of the constants defined in OpenSSL::X509 with name V_FLAG_* or’ed together.
OpenSSL::X509::StoreContext#flags= can be used to change the flags for a single verification operation.
See also the man page X509_VERIFY_PARAM_set_flags(3).
242 243 244 245 246 247 248 249 250 251 252 |
# File 'ext/openssl/ossl_x509store.c', line 242
static VALUE
ossl_x509store_set_flags(VALUE self, VALUE flags)
{
X509_STORE *store;
long f = NUM2LONG(flags);
GetX509Store(self, store);
X509_STORE_set_flags(store, f);
return flags;
}
|
#purpose=(purpose) ⇒ Object
Sets the store’s default verification purpose. If specified, the verifications on the store will check every certificate’s extensions are consistent with the purpose. The purpose is specified by constants:
-
X509::PURPOSE_SSL_CLIENT
-
X509::PURPOSE_SSL_SERVER
-
X509::PURPOSE_NS_SSL_SERVER
-
X509::PURPOSE_SMIME_SIGN
-
X509::PURPOSE_SMIME_ENCRYPT
-
X509::PURPOSE_CRL_SIGN
-
X509::PURPOSE_ANY
-
X509::PURPOSE_OCSP_HELPER
-
X509::PURPOSE_TIMESTAMP_SIGN
OpenSSL::X509::StoreContext#purpose= can be used to change the value for a single verification operation.
See also the man page X509_VERIFY_PARAM_set_purpose(3).
277 278 279 280 281 282 283 284 285 286 287 |
# File 'ext/openssl/ossl_x509store.c', line 277
static VALUE
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
{
X509_STORE *store;
int p = NUM2INT(purpose);
GetX509Store(self, store);
X509_STORE_set_purpose(store, p);
return purpose;
}
|
#set_default_paths ⇒ Object
Configures store to look up CA certificates from the system default certificate store as needed basis. The location of the store can usually be determined by:
-
OpenSSL::X509::DEFAULT_CERT_FILE
-
OpenSSL::X509::DEFAULT_CERT_DIR
See also the man page X509_STORE_set_default_paths(3).
408 409 410 411 412 413 414 415 416 417 418 |
# File 'ext/openssl/ossl_x509store.c', line 408
static VALUE
ossl_x509store_set_default_paths(VALUE self)
{
X509_STORE *store;
GetX509Store(self, store);
if (X509_STORE_set_default_paths(store) != 1)
ossl_raise(eX509StoreError, "X509_STORE_set_default_paths");
return Qnil;
}
|
#time=(time) ⇒ Object
Sets the time to be used in the certificate verifications with the store. By default, if not specified, the current system time is used.
OpenSSL::X509::StoreContext#time= can be used to change the value for a single verification operation.
See also the man page X509_VERIFY_PARAM_set_time(3).
325 326 327 328 329 330 |
# File 'ext/openssl/ossl_x509store.c', line 325
static VALUE
ossl_x509store_set_time(VALUE self, VALUE time)
{
rb_iv_set(self, "@time", time);
return time;
}
|
#trust=(trust) ⇒ Object
Sets the default trust settings used by the certificate verification with the store.
OpenSSL::X509::StoreContext#trust= can be used to change the value for a single verification operation.
See also the man page X509_VERIFY_PARAM_set_trust(3).
301 302 303 304 305 306 307 308 309 310 311 |
# File 'ext/openssl/ossl_x509store.c', line 301
static VALUE
ossl_x509store_set_trust(VALUE self, VALUE trust)
{
X509_STORE *store;
int t = NUM2INT(trust);
GetX509Store(self, store);
X509_STORE_set_trust(store, t);
return trust;
}
|
#verify(cert, chain = nil) ⇒ Object
Performs a certificate verification on the OpenSSL::X509::Certificate cert.
chain can be an array of OpenSSL::X509::Certificate that is used to construct the certificate chain.
If a block is given, it overrides the callback set by #verify_callback=.
After finishing the verification, the error information can be retrieved by #error, #error_string, and the resulting complete certificate chain can be retrieved by #chain.
483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 |
# File 'ext/openssl/ossl_x509store.c', line 483
static VALUE
ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
{
VALUE cert, chain;
VALUE ctx, proc, result;
rb_scan_args(argc, argv, "11", &cert, &chain);
ctx = rb_funcall(cX509StoreContext, rb_intern("new"), 3, self, cert, chain);
proc = rb_block_given_p() ? rb_block_proc() :
rb_iv_get(self, "@verify_callback");
rb_iv_set(ctx, "@verify_callback", proc);
result = rb_funcall(ctx, rb_intern("verify"), 0);
rb_iv_set(self, "@error", ossl_x509stctx_get_err(ctx));
rb_iv_set(self, "@error_string", ossl_x509stctx_get_err_string(ctx));
rb_iv_set(self, "@chain", ossl_x509stctx_get_chain(ctx));
return result;
}
|
#verify_callback=(cb) ⇒ Object
General callback for OpenSSL verify
184 185 186 187 188 189 190 191 192 193 194 |
# File 'ext/openssl/ossl_x509store.c', line 184
static VALUE
ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
{
X509_STORE *store;
GetX509Store(self, store);
X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb);
rb_iv_set(self, "@verify_callback", cb);
return cb;
}
|