Class: WSDL::Security::Verifier::CertificateValidator

Inherits:
Base
  • Object
Defined in:
lib/wsdl/security/verifier/certificate_validator.rb

Overview

Validates X.509 certificates for trust and validity.

This class performs two types of validation:

  • Validity period — Checks that the certificate is neither expired nor not yet valid (the evaluation time lies within not_before..not_after)
  • Chain validation — Verifies the certificate chain against a trust store

Validity period checking is enabled by default and runs first (fast, no I/O). Chain validation only runs if a trust store is provided.

Examples:

Basic validity checking (default)

validator = CertificateValidator.new(certificate)
validator.valid?  # Checks validity period only

With system CA trust store

validator = CertificateValidator.new(certificate, trust_store: :system)
validator.valid?  # Checks validity + chain against system CAs

With custom CA certificates

validator = CertificateValidator.new(
  certificate,
  trust_store: [ca_cert]
)
validator.valid?

Skip validity checking (not recommended)

validator = CertificateValidator.new(
  certificate,
  trust_store: :system,
  check_validity: false
)

Constant Summary

Constants inherited from Base

Base::SOAPNS, Base::SOAP_NAMESPACES, Base::SecurityNS, Base::SignatureNS, Base::VALID_ID_PATTERN

Instance Attribute Summary

Attributes inherited from Base

#errors

Instance Method Summary

Constructor Details

#initialize(certificate, trust_store: nil, check_validity: true, at_time: nil) ⇒ CertificateValidator

Creates a new certificate validator.

Parameters:

  • certificate (OpenSSL::X509::Certificate)

    the certificate to validate

  • trust_store (OpenSSL::X509::Store, Symbol, String, Array, nil) (defaults to: nil)

    trust store for chain validation:

    • :system — Use system default CA certificates
    • String — Path to CA bundle file or directory
    • Array<OpenSSL::X509::Certificate> — Array of trusted CA certificates
    • OpenSSL::X509::Store — Pre-configured certificate store
    • nil — Skip chain validation (default)
  • check_validity (Boolean) (defaults to: true)

    whether to check the certificate's validity period (not_before and not_after). Default: true

  • at_time (Time, nil) (defaults to: nil)

    time to use for validation. Useful for testing or verifying messages received in the past. Default: current time



# File 'lib/wsdl/security/verifier/certificate_validator.rb', line 55

def initialize(certificate, trust_store: nil, check_validity: true, at_time: nil)
  super()
  @certificate = certificate
  @trust_store = trust_store
  @check_validity = check_validity
  @at_time = at_time || Time.now
end

Instance Method Details

#valid? ⇒ Boolean

Validates the certificate.

Runs validity period checking first (if enabled), then chain validation (if a trust store is configured). Returns false on the first failure.

Returns:

  • (Boolean)

    true if all enabled checks pass



# File 'lib/wsdl/security/verifier/certificate_validator.rb', line 69

def valid?
  # Validity period first (fast, no I/O)
  return false if @check_validity && !validate_validity_period

  # Chain validation (if trust store configured)
  return false if @trust_store && !validate_chain

  true
end
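The two checks described above (validity period, then chain validation against a trust store), re-implemented as an added stand-alone example rather than the gem's own code, on a CA and leaf certificate constructed in memory. The helper names make_cert, validity_period_ok?, chain_ok? and certificate_valid? are assumptions for this demo; the at_time handling mirrors the constructor's contract.

```ruby
require "openssl"

# Constructed in memory for the demo: a self-signed CA and a leaf it signs.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, serial:, not_before:, not_after:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

NOW = Time.now
CA_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("/CN=Demo Root CA", CA_KEY, ca: true, serial: 1,
                    not_before: NOW - 7200, not_after: NOW + 86_400)
LEAF_CERT = make_cert("/CN=demo.example", LEAF_KEY, issuer: CA_CERT, issuer_key: CA_KEY,
                      serial: 2, not_before: NOW - 60, not_after: NOW + 3600)

# Check 1: validity period at the chosen evaluation time (no I/O).
def validity_period_ok?(cert, at_time)
  at_time >= cert.not_before && at_time <= cert.not_after
end

# Check 2: chain validation against an array of trusted CA certificates.
# OpenSSL evaluates every certificate's period at store.time as well, so the
# chain check still rejects a not-yet-valid or expired leaf on its own.
def chain_ok?(cert, ca_certs, at_time)
  store = OpenSSL::X509::Store.new
  ca_certs.each { |ca| store.add_cert(ca) }
  store.time = at_time
  store.verify(cert)
end

# Same contract as CertificateValidator#valid?: first failure wins.
def certificate_valid?(cert, trust_store: nil, check_validity: true, at_time: nil)
  at_time ||= Time.now
  return false if check_validity && !validity_period_ok?(cert, at_time)
  return false if trust_store && !chain_ok?(cert, trust_store, at_time)
  true
end
```

Note that an empty array is still a trust store (it is truthy), so chain validation runs and fails; only nil skips it.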