Class: R509::OCSP::Helper::RequestChecker
- Inherits: Object
- Includes: Dependo::Mixin
- Defined in: lib/r509/ocsp/signer.rb
Overview
Checks OCSP requests for validity against a set of CA configs.
Instance Attribute Summary
- #configs ⇒ Object (readonly): Returns the value of attribute configs.
- #configs_hash ⇒ Object (readonly): Returns the value of attribute configs_hash.
Instance Method Summary
- #check_statuses(request) ⇒ Hash: Loads and checks a raw OCSP request.
- #initialize(configs, validity_checker) ⇒ RequestChecker (constructor): A new instance of RequestChecker.
- #validate_statuses(statuses) ⇒ Boolean: Determines whether the statuses constitute a request that is compliant.
Constructor Details
#initialize(configs, validity_checker) ⇒ RequestChecker
Returns a new instance of RequestChecker.
# File 'lib/r509/ocsp/signer.rb', line 62

def initialize(configs, validity_checker)
  unless configs.kind_of?(R509::Config::CAConfigPool)
    raise R509::R509Error, "Must pass R509::Config::CAConfigPool object"
  end
  if configs.all.empty?
    raise R509::R509Error, "Must be at least one R509::Config object"
  end
  @configs = configs.all

  # Feature-detect CertificateId#issuer_key_hash (not present in older Ruby
  # OpenSSL bindings); when available, pre-build a hash -> config lookup table.
  test_cid = OpenSSL::OCSP::CertificateId.new(OpenSSL::X509::Certificate.new, OpenSSL::X509::Certificate.new)
  if test_cid.respond_to?(:issuer_key_hash)
    @configs_hash = {}
    @configs.each do |config|
      ee_cert = OpenSSL::X509::Certificate.new
      ee_cert.issuer = config.ca_cert.cert.subject.name
      # per RFC 5019
      # Clients MUST use SHA1 as the hashing algorithm for the
      # CertID.issuerNameHash and the CertID.issuerKeyHash values.
      # so we can safely assume that our inbound hashes will be SHA1
      issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert, config.ca_cert.cert, OpenSSL::Digest::SHA1.new)
      @configs_hash[issuer_certid.issuer_key_hash] = config
    end
  end

  @validity_checker = validity_checker
  if @validity_checker.nil?
    raise R509::R509Error, "Must supply a R509::Validity::Checker"
  end
  if not @validity_checker.respond_to?(:check)
    raise R509::R509Error, "The validity checker must have a check method"
  end
end
Instance Attribute Details
#configs ⇒ Object (readonly)
Returns the value of attribute configs.
# File 'lib/r509/ocsp/signer.rb', line 58

def configs
  @configs
end
#configs_hash ⇒ Object (readonly)
Returns the value of attribute configs_hash.
# File 'lib/r509/ocsp/signer.rb', line 58

def configs_hash
  @configs_hash
end
Instance Method Details
#check_statuses(request) ⇒ Hash
Loads and checks a raw OCSP request.

# File 'lib/r509/ocsp/signer.rb', line 97

def check_statuses(request)
  request.certid.map { |certid|
    if certid.respond_to?(:issuer_key_hash)
      # Fast path: direct lookup by the SHA1 issuer key hash built in #initialize
      validated_config = @configs_hash[certid.issuer_key_hash]
    else
      validated_config = @configs.find do |config|
        # we need to create an OCSP::CertificateId object that has the right
        # issuer so we can pass it to #cmp_issuer. This is annoying because
        # CertificateId wants a cert and its issuer, but we don't want to
        # force users to provide an end entity cert just to make this comparison
        # work. So, we create a fake new cert and pass it in.
        ee_cert = OpenSSL::X509::Certificate.new
        ee_cert.issuer = config.ca_cert.cert.subject
        issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert, config.ca_cert.cert)
        certid.cmp_issuer(issuer_certid)
      end
    end
    log.info "#{validated_config.ca_cert.subject.to_s} found for issuer" if validated_config
    check_status(certid, validated_config)
  }
end
#validate_statuses(statuses) ⇒ Boolean
Determines whether the statuses constitute a request that is compliant. No config means we don’t know the CA, different configs means there are requests from two different CAs in there. Both are invalid.
# File 'lib/r509/ocsp/signer.rb', line 126

def validate_statuses(statuses)
  validity = true
  config = nil
  statuses.each do |status|
    # no config: the issuer was not one of our CAs
    if status[:config].nil?
      validity = false
    end
    if config.nil?
      config = status[:config]
    end
    # a different config than the first one: CertIDs from two CAs in one request
    if config != status[:config]
      validity = false
    end
  end
  validity
end