Class: OpenSSL::OCSP::Request

Inherits:

Object

Object
OpenSSL::OCSP::Request

show all

Defined in:: ext/rubysl/openssl/ossl_ocsp.c

Instance Method Summary collapse

#add_certid(certificate_id) ⇒ Object

Adds certificate_id to the request.
#add_nonce(nonce = nil) ⇒ Object

Adds a nonce to the OCSP request.
#certid ⇒ Array

Returns all certificate IDs in this request.
#check_nonce(response) ⇒ Object

Checks the nonce validity for this request and response.
#initialize(*args) ⇒ Object constructor

Creates a new OpenSSL::OCSP::Request.
#sign(cert, key, certs = nil, flags = 0, digest = nil) ⇒ self

Signs this OCSP request using cert, key and optional digest.
#to_der ⇒ Object

Returns this request as a DER-encoded string.
#verify(certificates, store, flags = 0) ⇒ Boolean

Verifies this request using the given certificates and store.

Constructor Details

#OpenSSL::OCSP::Request.new ⇒ `Object` #OpenSSL::OCSP::Request.new(request_der) ⇒ `Object`

Creates a new OpenSSL::OCSP::Request. The request may be created empty or from a request_der string.

# File 'ext/rubysl/openssl/ossl_ocsp.c', line 224

static VALUE
ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
{
    VALUE arg;
    OCSP_REQUEST *req, *req_new;
    const unsigned char *p;

    rb_scan_args(argc, argv, "01", &arg);
    if(!NIL_P(arg)){
	GetOCSPReq(self, req);
	arg = ossl_to_der_if_possible(arg);
	StringValue(arg);
	p = (unsigned char *)RSTRING_PTR(arg);
	req_new = d2i_OCSP_REQUEST(NULL, &p, RSTRING_LEN(arg));
	if (!req_new)
	    ossl_raise(eOCSPError, "d2i_OCSP_REQUEST");
	SetOCSPReq(self, req_new);
	OCSP_REQUEST_free(req);
    }

    return self;
}

Instance Method Details

#add_certid(certificate_id) ⇒ `Object`

Adds certificate_id to the request.

# File 'ext/rubysl/openssl/ossl_ocsp.c', line 320

static VALUE
ossl_ocspreq_add_certid(VALUE self, VALUE certid)
{
    OCSP_REQUEST *req;
    OCSP_CERTID *id, *id_new;

    GetOCSPReq(self, req);
    GetOCSPCertId(certid, id);

    if (!(id_new = OCSP_CERTID_dup(id)))
	ossl_raise(eOCSPError, "OCSP_CERTID_dup");
    if (!OCSP_request_add0_id(req, id_new)) {
	OCSP_CERTID_free(id_new);
	ossl_raise(eOCSPError, "OCSP_request_add0_id");
    }

    return self;
}

#add_nonce(nonce = nil) ⇒ `Object`

Adds a nonce to the OCSP request. If no nonce is given a random one will be generated.

The nonce is used to prevent replay attacks but some servers do not support it.

# File 'ext/rubysl/openssl/ossl_ocsp.c', line 258

static VALUE
ossl_ocspreq_add_nonce(int argc, VALUE *argv, VALUE self)
{
    OCSP_REQUEST *req;
    VALUE val;
    int ret;

    rb_scan_args(argc, argv, "01", &val);
    if(NIL_P(val)) {
	GetOCSPReq(self, req);
	ret = OCSP_request_add1_nonce(req, NULL, -1);
    }
    else{
	StringValue(val);
	GetOCSPReq(self, req);
	ret = OCSP_request_add1_nonce(req, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
    }
    if(!ret) ossl_raise(eOCSPError, NULL);

    return self;
}

#certid ⇒ `Array`

Returns all certificate IDs in this request.

Returns:

(Array)

# File 'ext/rubysl/openssl/ossl_ocsp.c', line 346

static VALUE
ossl_ocspreq_get_certid(VALUE self)
{
    OCSP_REQUEST *req;
    OCSP_ONEREQ *one;
    OCSP_CERTID *id;
    VALUE ary, tmp;
    int i, count;

    GetOCSPReq(self, req);
    count = OCSP_request_onereq_count(req);
    ary = (count > 0) ? rb_ary_new() : Qnil;
    for(i = 0; i < count; i++){
	one = OCSP_request_onereq_get0(req, i);
	tmp = NewOCSPCertId(cOCSPCertId);
	if(!(id = OCSP_CERTID_dup(OCSP_onereq_get0_id(one))))
	    ossl_raise(eOCSPError, NULL);
	SetOCSPCertId(tmp, id);
	rb_ary_push(ary, tmp);
    }

    return ary;
}

#check_nonce(response) ⇒ `Object`

Checks the nonce validity for this request and response.

The return value is one of the following:

-1: nonce in request only.
0: nonces both present and not equal.
1: nonces present and equal.
2: nonces both absent.
3: nonce present in response only.

For most responses, clients can check result > 0. If a responder doesn’t handle nonces result.nonzero? may be necessary. A result of 0 is always an error.

# File 'ext/rubysl/openssl/ossl_ocsp.c', line 299

static VALUE
ossl_ocspreq_check_nonce(VALUE self, VALUE basic_resp)
{
    OCSP_REQUEST *req;
    OCSP_BASICRESP *bs;
    int res;

    GetOCSPReq(self, req);
    SafeGetOCSPBasicRes(basic_resp, bs);
    res = OCSP_check_nonce(req, bs);

    return INT2NUM(res);
}

#sign(cert, key, certs = nil, flags = 0, digest = nil) ⇒ `self`

Signs this OCSP request using cert, key and optional digest. If digest is not specified, SHA-1 is used. certs is an optional Array of additional certificates which are included in the request in addition to the signer certificate. Note that if certs is nil or not given, flag OpenSSL::OCSP::NOCERTS is enabled. Pass an empty array to include only the signer certificate.

flags can be a bitwise OR of the following constants:

OpenSSL::OCSP::NOCERTS: Don’t include any certificates in the request. certs will be ignored.

Returns:

(self)

# File 'ext/rubysl/openssl/ossl_ocsp.c', line 386

static VALUE
ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
{
    VALUE signer_cert, signer_key, certs, flags, digest;
    OCSP_REQUEST *req;
    X509 *signer;
    EVP_PKEY *key;
    STACK_OF(X509) *x509s = NULL;
    unsigned long flg = 0;
    const EVP_MD *md;
    int ret;

    rb_scan_args(argc, argv, "23", &signer_cert, &signer_key, &certs, &flags, &digest);
    GetOCSPReq(self, req);
    signer = GetX509CertPtr(signer_cert);
    key = GetPrivPKeyPtr(signer_key);
    if (!NIL_P(flags))
	flg = NUM2INT(flags);
    if (NIL_P(digest))
	md = EVP_sha1();
    else
	md = GetDigestPtr(digest);
    if (NIL_P(certs))
	flg |= OCSP_NOCERTS;
    else
	x509s = ossl_x509_ary2sk(certs);

    ret = OCSP_request_sign(req, signer, key, md, x509s, flg);
    sk_X509_pop_free(x509s, X509_free);
    if (!ret) ossl_raise(eOCSPError, NULL);

    return self;
}

#to_der ⇒ `Object`

Returns this request as a DER-encoded string

# File 'ext/rubysl/openssl/ossl_ocsp.c', line 455

static VALUE
ossl_ocspreq_to_der(VALUE self)
{
    OCSP_REQUEST *req;
    VALUE str;
    unsigned char *p;
    long len;

    GetOCSPReq(self, req);
    if((len = i2d_OCSP_REQUEST(req, NULL)) <= 0)
	ossl_raise(eOCSPError, NULL);
    str = rb_str_new(0, len);
    p = (unsigned char *)RSTRING_PTR(str);
    if(i2d_OCSP_REQUEST(req, &p) <= 0)
	ossl_raise(eOCSPError, NULL);
    ossl_str_adjust(str, p);

    return str;
}

#verify(certificates, store, flags = 0) ⇒ `Boolean`

Verifies this request using the given certificates and store. certificates is an array of OpenSSL::X509::Certificate, store is an OpenSSL::X509::Store.

Returns:

(Boolean)

# File 'ext/rubysl/openssl/ossl_ocsp.c', line 429

static VALUE
ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
{
    VALUE certs, store, flags;
    OCSP_REQUEST *req;
    STACK_OF(X509) *x509s;
    X509_STORE *x509st;
    int flg, result;

    rb_scan_args(argc, argv, "21", &certs, &store, &flags);
    GetOCSPReq(self, req);
    x509st = GetX509StorePtr(store);
    flg = NIL_P(flags) ? 0 : NUM2INT(flags);
    x509s = ossl_x509_ary2sk(certs);
    result = OCSP_request_verify(req, x509s, x509st, flg);
    sk_X509_pop_free(x509s, X509_free);
    if (result <= 0)
	ossl_clear_error();

    return result > 0 ? Qtrue : Qfalse;
}

Class: OpenSSL::OCSP::Request

Instance Method Summary collapse

Constructor Details

#OpenSSL::OCSP::Request.new ⇒ Object #OpenSSL::OCSP::Request.new(request_der) ⇒ Object

Instance Method Details

#add_certid(certificate_id) ⇒ Object

#add_nonce(nonce = nil) ⇒ Object

#certid ⇒ Array

#check_nonce(response) ⇒ Object

#sign(cert, key, certs = nil, flags = 0, digest = nil) ⇒ self

#to_der ⇒ Object

#verify(certificates, store, flags = 0) ⇒ Boolean

#OpenSSL::OCSP::Request.new ⇒ `Object` #OpenSSL::OCSP::Request.new(request_der) ⇒ `Object`

#add_certid(certificate_id) ⇒ `Object`

#add_nonce(nonce = nil) ⇒ `Object`

#certid ⇒ `Array`

#check_nonce(response) ⇒ `Object`

#sign(cert, key, certs = nil, flags = 0, digest = nil) ⇒ `self`

#to_der ⇒ `Object`

#verify(certificates, store, flags = 0) ⇒ `Boolean`