Class: OpenSSL::OCSP::Request
- Inherits:
-
Object
- Object
- OpenSSL::OCSP::Request
- Defined in:
- ext/rubysl/openssl/ossl_ocsp.c
Instance Method Summary collapse
-
#add_certid(certificate_id) ⇒ Object
Adds
certificate_id
to the request. -
#add_nonce(nonce = nil) ⇒ Object
Adds a
nonce
to the OCSP request. -
#certid ⇒ Array
Returns all certificate IDs in this request.
-
#check_nonce(response) ⇒ Object
Checks the nonce validity for this request and
response
. -
#initialize(*args) ⇒ Object
constructor
Creates a new OpenSSL::OCSP::Request.
-
#sign(*args) ⇒ Object
Signs this OCSP request using
signer_cert
andsigner_key
. -
#to_der ⇒ Object
Returns this request as a DER-encoded string.
-
#verify(*args) ⇒ Object
Verifies this request using the given
certificates
and X509store
.
Constructor Details
#OpenSSL::OCSP::Request.new ⇒ Object #OpenSSL::OCSP::Request.new(request_der) ⇒ Object
Creates a new OpenSSL::OCSP::Request. The request may be created empty or from a request_der
string.
175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 |
# File 'ext/rubysl/openssl/ossl_ocsp.c', line 175
static VALUE
ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
{
VALUE arg;
const unsigned char *p;
rb_scan_args(argc, argv, "01", &arg);
if(!NIL_P(arg)){
OCSP_REQUEST *req = DATA_PTR(self), *x;
arg = ossl_to_der_if_possible(arg);
StringValue(arg);
p = (unsigned char*)RSTRING_PTR(arg);
x = d2i_OCSP_REQUEST(&req, &p, RSTRING_LEN(arg));
DATA_PTR(self) = req;
if(!x){
ossl_raise(eOCSPError, "cannot load DER encoded request");
}
}
return self;
}
|
Instance Method Details
#add_certid(certificate_id) ⇒ Object
Adds certificate_id
to the request.
270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 |
# File 'ext/rubysl/openssl/ossl_ocsp.c', line 270
static VALUE
ossl_ocspreq_add_certid(VALUE self, VALUE certid)
{
OCSP_REQUEST *req;
OCSP_CERTID *id, *id_new;
GetOCSPReq(self, req);
GetOCSPCertId(certid, id);
if (!(id_new = OCSP_CERTID_dup(id)))
ossl_raise(eOCSPError, "OCSP_CERTID_dup");
if (!OCSP_request_add0_id(req, id_new)) {
OCSP_CERTID_free(id_new);
ossl_raise(eOCSPError, "OCSP_request_add0_id");
}
return self;
}
|
#add_nonce(nonce = nil) ⇒ Object
Adds a nonce
to the OCSP request. If no nonce is given a random one will be generated.
The nonce is used to prevent replay attacks but some servers do not support it.
208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 |
# File 'ext/rubysl/openssl/ossl_ocsp.c', line 208
static VALUE
ossl_ocspreq_add_nonce(int argc, VALUE *argv, VALUE self)
{
OCSP_REQUEST *req;
VALUE val;
int ret;
rb_scan_args(argc, argv, "01", &val);
if(NIL_P(val)) {
GetOCSPReq(self, req);
ret = OCSP_request_add1_nonce(req, NULL, -1);
}
else{
StringValue(val);
GetOCSPReq(self, req);
ret = OCSP_request_add1_nonce(req, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
}
if(!ret) ossl_raise(eOCSPError, NULL);
return self;
}
|
#certid ⇒ Array
Returns all certificate IDs in this request.
296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 |
# File 'ext/rubysl/openssl/ossl_ocsp.c', line 296
static VALUE
ossl_ocspreq_get_certid(VALUE self)
{
OCSP_REQUEST *req;
OCSP_ONEREQ *one;
OCSP_CERTID *id;
VALUE ary, tmp;
int i, count;
GetOCSPReq(self, req);
count = OCSP_request_onereq_count(req);
ary = (count > 0) ? rb_ary_new() : Qnil;
for(i = 0; i < count; i++){
one = OCSP_request_onereq_get0(req, i);
tmp = NewOCSPCertId(cOCSPCertId);
if(!(id = OCSP_CERTID_dup(OCSP_onereq_get0_id(one))))
ossl_raise(eOCSPError, NULL);
SetOCSPCertId(tmp, id);
rb_ary_push(ary, tmp);
}
return ary;
}
|
#check_nonce(response) ⇒ Object
Checks the nonce validity for this request and response
.
The return value is one of the following:
- -1
-
nonce in request only.
- 0
-
nonces both present and not equal.
- 1
-
nonces present and equal.
- 2
-
nonces both absent.
- 3
-
nonce present in response only.
For most responses, clients can check result
> 0. If a responder doesn’t handle nonces result.nonzero?
may be necessary. A result of 0
is always an error.
249 250 251 252 253 254 255 256 257 258 259 260 261 |
# File 'ext/rubysl/openssl/ossl_ocsp.c', line 249
static VALUE
ossl_ocspreq_check_nonce(VALUE self, VALUE basic_resp)
{
OCSP_REQUEST *req;
OCSP_BASICRESP *bs;
int res;
GetOCSPReq(self, req);
SafeGetOCSPBasicRes(basic_resp, bs);
res = OCSP_check_nonce(req, bs);
return INT2NUM(res);
}
|
#sign(signer_cert, signer_key) ⇒ self #sign(signer_cert, signer_key, certificates) ⇒ self #sign(signer_cert, signer_key, certificates, flags) ⇒ self
Signs this OCSP request using signer_cert
and signer_key
. certificates
is an optional Array of certificates that may be included in the request.
331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 |
# File 'ext/rubysl/openssl/ossl_ocsp.c', line 331
static VALUE
ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
{
VALUE signer_cert, signer_key, certs, flags;
OCSP_REQUEST *req;
X509 *signer;
EVP_PKEY *key;
STACK_OF(X509) *x509s;
unsigned long flg;
int ret;
rb_scan_args(argc, argv, "22", &signer_cert, &signer_key, &certs, &flags);
signer = GetX509CertPtr(signer_cert);
key = GetPrivPKeyPtr(signer_key);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
if(NIL_P(certs)){
x509s = sk_X509_new_null();
flags |= OCSP_NOCERTS;
}
else x509s = ossl_x509_ary2sk(certs);
GetOCSPReq(self, req);
ret = OCSP_request_sign(req, signer, key, EVP_sha1(), x509s, flg);
sk_X509_pop_free(x509s, X509_free);
if(!ret) ossl_raise(eOCSPError, NULL);
return self;
}
|
#to_der ⇒ Object
Returns this request as a DER-encoded string
392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 |
# File 'ext/rubysl/openssl/ossl_ocsp.c', line 392
static VALUE
ossl_ocspreq_to_der(VALUE self)
{
OCSP_REQUEST *req;
VALUE str;
unsigned char *p;
long len;
GetOCSPReq(self, req);
if((len = i2d_OCSP_REQUEST(req, NULL)) <= 0)
ossl_raise(eOCSPError, NULL);
str = rb_str_new(0, len);
p = (unsigned char *)RSTRING_PTR(str);
if(i2d_OCSP_REQUEST(req, &p) <= 0)
ossl_raise(eOCSPError, NULL);
ossl_str_adjust(str, p);
return str;
}
|
#verify(certificates, store) ⇒ Boolean #verify(certificates, store, flags) ⇒ Boolean
Verifies this request using the given certificates
and X509 store
.
367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 |
# File 'ext/rubysl/openssl/ossl_ocsp.c', line 367
static VALUE
ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
{
VALUE certs, store, flags;
OCSP_REQUEST *req;
STACK_OF(X509) *x509s;
X509_STORE *x509st;
int flg, result;
rb_scan_args(argc, argv, "21", &certs, &store, &flags);
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
x509s = ossl_x509_ary2sk(certs);
GetOCSPReq(self, req);
result = OCSP_request_verify(req, x509s, x509st, flg);
sk_X509_pop_free(x509s, X509_free);
if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
return result ? Qtrue : Qfalse;
}
|