Class: OpenSSL::X509::Store

Inherits:
Object
  • Object
show all
Defined in:
ext/openssl/ossl_x509store.c,
ext/openssl/ossl_x509store.c

Overview

The X509 certificate store holds trusted CA certificates used to verify peer certificates.

The easiest way to create a useful certificate store is:

cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths

This will use your system’s built-in certificates.

If your system does not have a default set of certificates you can obtain a set extracted from Mozilla CA certificate store by cURL maintainers here: curl.haxx.se/docs/caextract.html (You may wish to use the firefox-db2pem.sh script to extract the certificates from a local install to avoid man-in-the-middle attacks.)

After downloading or generating a cacert.pem from the above link you can create a certificate store from the pem file like this:

cert_store = OpenSSL::X509::Store.new
cert_store.add_file 'cacert.pem'

The certificate store can be used with an SSLSocket like this:

ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl_context.cert_store = cert_store

tcp_socket = TCPSocket.open 'example.com', 443

ssl_socket = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context

Instance Method Summary collapse

Constructor Details

#X509::Store.newObject

Creates a new X509::Store.



207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
# File 'ext/openssl/ossl_x509store.c', line 207

static VALUE
ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
{
    X509_STORE *store;

    GetX509Store(self, store);
    if (argc != 0)
        rb_warn("OpenSSL::X509::Store.new does not take any arguments");
#if !defined(HAVE_OPAQUE_OPENSSL)
    /* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */
    store->ex_data.sk = NULL;
#endif
    X509_STORE_set_verify_cb(store, x509store_verify_cb);
    ossl_x509store_set_vfy_cb(self, Qnil);

    /* last verification status */
    rb_iv_set(self, "@error", Qnil);
    rb_iv_set(self, "@error_string", Qnil);
    rb_iv_set(self, "@chain", Qnil);
    rb_iv_set(self, "@time", Qnil);

    return self;
}

Instance Method Details

#add_cert(cert) ⇒ self

Adds the OpenSSL::X509::Certificate cert to the certificate store.

See also the man page X509_STORE_add_cert(3).

Returns:

  • (self)


432
433
434
435
436
437
438
439
440
441
442
443
444
# File 'ext/openssl/ossl_x509store.c', line 432

static VALUE
ossl_x509store_add_cert(VALUE self, VALUE arg)
{
    X509_STORE *store;
    X509 *cert;

    cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
    GetX509Store(self, store);
    if (X509_STORE_add_cert(store, cert) != 1)
        ossl_raise(eX509StoreError, "X509_STORE_add_cert");

    return self;
}

#add_crl(crl) ⇒ self

Adds the OpenSSL::X509::CRL crl to the store.

See also the man page X509_STORE_add_crl(3).

Returns:

  • (self)


454
455
456
457
458
459
460
461
462
463
464
465
466
# File 'ext/openssl/ossl_x509store.c', line 454

static VALUE
ossl_x509store_add_crl(VALUE self, VALUE arg)
{
    X509_STORE *store;
    X509_CRL *crl;

    crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */
    GetX509Store(self, store);
    if (X509_STORE_add_crl(store, crl) != 1)
        ossl_raise(eX509StoreError, "X509_STORE_add_crl");

    return self;
}

#add_file(file) ⇒ self

Adds the certificates in file to the certificate store. file is the path to the file, and the file contains one or more certificates in PEM format concatenated together.

See also the man page X509_LOOKUP_file(3).

Returns:

  • (self)


346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
# File 'ext/openssl/ossl_x509store.c', line 346

static VALUE
ossl_x509store_add_file(VALUE self, VALUE file)
{
    X509_STORE *store;
    X509_LOOKUP *lookup;
    const char *path;

    GetX509Store(self, store);
    path = StringValueCStr(file);
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
    if (!lookup)
        ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
    if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1)
        ossl_raise(eX509StoreError, "X509_LOOKUP_load_file");
#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
    /*
     * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
     * did not check the return value of X509_STORE_add_{cert,crl}(), leaking
     * "cert already in hash table" errors on the error queue, if duplicate
     * certificates are found. This will be fixed by OpenSSL 1.1.1.
     */
    ossl_clear_error();
#endif

    return self;
}

#add_path(path) ⇒ self

Adds path as the hash dir to be looked up by the store.

See also the man page X509_LOOKUP_hash_dir(3).

Returns:

  • (self)


381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
# File 'ext/openssl/ossl_x509store.c', line 381

static VALUE
ossl_x509store_add_path(VALUE self, VALUE dir)
{
    X509_STORE *store;
    X509_LOOKUP *lookup;
    const char *path;

    GetX509Store(self, store);
    path = StringValueCStr(dir);
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
    if (!lookup)
        ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
    if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1)
        ossl_raise(eX509StoreError, "X509_LOOKUP_add_dir");

    return self;
}

#flags=(flags) ⇒ Object

Sets the default flags used by certificate chain verification performed with the Store.

flags consists of zero or more of the constants defined in OpenSSL::X509 with name V_FLAG_* or’ed together.

OpenSSL::X509::StoreContext#flags= can be used to change the flags for a single verification operation.

See also the man page X509_VERIFY_PARAM_set_flags(3).



246
247
248
249
250
251
252
253
254
255
256
# File 'ext/openssl/ossl_x509store.c', line 246

static VALUE
ossl_x509store_set_flags(VALUE self, VALUE flags)
{
    X509_STORE *store;
    long f = NUM2LONG(flags);

    GetX509Store(self, store);
    X509_STORE_set_flags(store, f);

    return flags;
}

#purpose=(purpose) ⇒ Object

Sets the store’s default verification purpose. If specified, the verifications on the store will check every certificate’s extensions are consistent with the purpose. The purpose is specified by constants:

  • X509::PURPOSE_SSL_CLIENT

  • X509::PURPOSE_SSL_SERVER

  • X509::PURPOSE_NS_SSL_SERVER

  • X509::PURPOSE_SMIME_SIGN

  • X509::PURPOSE_SMIME_ENCRYPT

  • X509::PURPOSE_CRL_SIGN

  • X509::PURPOSE_ANY

  • X509::PURPOSE_OCSP_HELPER

  • X509::PURPOSE_TIMESTAMP_SIGN

OpenSSL::X509::StoreContext#purpose= can be used to change the value for a single verification operation.

See also the man page X509_VERIFY_PARAM_set_purpose(3).



281
282
283
284
285
286
287
288
289
290
291
# File 'ext/openssl/ossl_x509store.c', line 281

static VALUE
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
{
    X509_STORE *store;
    int p = NUM2INT(purpose);

    GetX509Store(self, store);
    X509_STORE_set_purpose(store, p);

    return purpose;
}

#set_default_pathsObject

Configures store to look up CA certificates from the system default certificate store as needed basis. The location of the store can usually be determined by:

  • OpenSSL::X509::DEFAULT_CERT_FILE

  • OpenSSL::X509::DEFAULT_CERT_DIR

See also the man page X509_STORE_set_default_paths(3).



412
413
414
415
416
417
418
419
420
421
422
# File 'ext/openssl/ossl_x509store.c', line 412

static VALUE
ossl_x509store_set_default_paths(VALUE self)
{
    X509_STORE *store;

    GetX509Store(self, store);
    if (X509_STORE_set_default_paths(store) != 1)
        ossl_raise(eX509StoreError, "X509_STORE_set_default_paths");

    return Qnil;
}

#time=(time) ⇒ Object

Sets the time to be used in the certificate verifications with the store. By default, if not specified, the current system time is used.

OpenSSL::X509::StoreContext#time= can be used to change the value for a single verification operation.

See also the man page X509_VERIFY_PARAM_set_time(3).



329
330
331
332
333
334
# File 'ext/openssl/ossl_x509store.c', line 329

static VALUE
ossl_x509store_set_time(VALUE self, VALUE time)
{
    rb_iv_set(self, "@time", time);
    return time;
}

#trust=(trust) ⇒ Object

Sets the default trust settings used by the certificate verification with the store.

OpenSSL::X509::StoreContext#trust= can be used to change the value for a single verification operation.

See also the man page X509_VERIFY_PARAM_set_trust(3).



305
306
307
308
309
310
311
312
313
314
315
# File 'ext/openssl/ossl_x509store.c', line 305

static VALUE
ossl_x509store_set_trust(VALUE self, VALUE trust)
{
    X509_STORE *store;
    int t = NUM2INT(trust);

    GetX509Store(self, store);
    X509_STORE_set_trust(store, t);

    return trust;
}

#verify(cert, chain = nil) ⇒ Object

Performs a certificate verification on the OpenSSL::X509::Certificate cert.

chain can be an array of OpenSSL::X509::Certificate that is used to construct the certificate chain.

If a block is given, it overrides the callback set by #verify_callback=.

After finishing the verification, the error information can be retrieved by #error, #error_string, and the resulting complete certificate chain can be retrieved by #chain.



487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
# File 'ext/openssl/ossl_x509store.c', line 487

static VALUE
ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
{
    VALUE cert, chain;
    VALUE ctx, proc, result;

    rb_scan_args(argc, argv, "11", &cert, &chain);
    ctx = rb_funcall(cX509StoreContext, rb_intern("new"), 3, self, cert, chain);
    proc = rb_block_given_p() ?  rb_block_proc() :
	   rb_iv_get(self, "@verify_callback");
    rb_iv_set(ctx, "@verify_callback", proc);
    result = rb_funcall(ctx, rb_intern("verify"), 0);

    rb_iv_set(self, "@error", ossl_x509stctx_get_err(ctx));
    rb_iv_set(self, "@error_string", ossl_x509stctx_get_err_string(ctx));
    rb_iv_set(self, "@chain", ossl_x509stctx_get_chain(ctx));

    return result;
}

#verify_callback=(cb) ⇒ Object

General callback for OpenSSL verify



187
188
189
190
191
192
193
194
195
196
197
198
# File 'ext/openssl/ossl_x509store.c', line 187

static VALUE
ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
{
    X509_STORE *store;

    GetX509Store(self, store);
    rb_iv_set(self, "@verify_callback", cb);
    // We don't need to trigger a write barrier because `rb_iv_set` did it.
    X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb);

    return cb;
}