Class: OpenSSL::OCSP::Request

Inherits:

Object

Object
OpenSSL::OCSP::Request

show all

Defined in:: ossl_ocsp.c

Instance Method Summary collapse

#add_certid(certificate_id) ⇒ Object

Adds certificate_id to the request.
#add_nonce(nonce = nil) ⇒ Object

Adds a nonce to the OCSP request.
#certid ⇒ Array

Returns all certificate IDs in this request.
#check_nonce(response) ⇒ Object

Checks the nonce validity for this request and response.
#initialize(*args) ⇒ Object constructor

Creates a new OpenSSL::OCSP::Request.
#sign(*args) ⇒ Object

Signs this OCSP request using signer_cert and signer_key.
#to_der ⇒ Object

Returns this request as a DER-encoded string.
#verify(*args) ⇒ Object

Verifies this request using the given certificates and X509 store.

Constructor Details

#OpenSSL::OCSP::Request.new ⇒ `Object` #OpenSSL::OCSP::Request.new(request_der) ⇒ `Object`

Creates a new OpenSSL::OCSP::Request. The request may be created empty or from a request_der string.

# File 'ossl_ocsp.c', line 175

static VALUE
ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
{
    VALUE arg;
    const unsigned char *p;

    rb_scan_args(argc, argv, "01", &arg);
    if(!NIL_P(arg)){
	OCSP_REQUEST *req = DATA_PTR(self), *x;
	arg = ossl_to_der_if_possible(arg);
	StringValue(arg);
	p = (unsigned char*)RSTRING_PTR(arg);
	x = d2i_OCSP_REQUEST(&req, &p, RSTRING_LEN(arg));
	DATA_PTR(self) = req;
	if(!x){
	    ossl_raise(eOCSPError, "cannot load DER encoded request");
	}
    }

    return self;
}

Instance Method Details

#add_certid(certificate_id) ⇒ `Object`

Adds certificate_id to the request.

# File 'ossl_ocsp.c', line 270

static VALUE
ossl_ocspreq_add_certid(VALUE self, VALUE certid)
{
    OCSP_REQUEST *req;
    OCSP_CERTID *id;

    GetOCSPReq(self, req);
    GetOCSPCertId(certid, id);
    if(!OCSP_request_add0_id(req, OCSP_CERTID_dup(id)))
	ossl_raise(eOCSPError, NULL);

    return self;
}

#add_nonce(nonce = nil) ⇒ `Object`

Adds a nonce to the OCSP request. If no nonce is given a random one will be generated.

The nonce is used to prevent replay attacks but some servers do not support it.

# File 'ossl_ocsp.c', line 208

static VALUE
ossl_ocspreq_add_nonce(int argc, VALUE *argv, VALUE self)
{
    OCSP_REQUEST *req;
    VALUE val;
    int ret;

    rb_scan_args(argc, argv, "01", &val);
    if(NIL_P(val)) {
	GetOCSPReq(self, req);
	ret = OCSP_request_add1_nonce(req, NULL, -1);
    }
    else{
	StringValue(val);
	GetOCSPReq(self, req);
	ret = OCSP_request_add1_nonce(req, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
    }
    if(!ret) ossl_raise(eOCSPError, NULL);

    return self;
}

#certid ⇒ `Array`

Returns all certificate IDs in this request.

Returns:

(Array)

# File 'ossl_ocsp.c', line 291

static VALUE
ossl_ocspreq_get_certid(VALUE self)
{
    OCSP_REQUEST *req;
    OCSP_ONEREQ *one;
    OCSP_CERTID *id;
    VALUE ary, tmp;
    int i, count;

    GetOCSPReq(self, req);
    count = OCSP_request_onereq_count(req);
    ary = (count > 0) ? rb_ary_new() : Qnil;
    for(i = 0; i < count; i++){
	one = OCSP_request_onereq_get0(req, i);
	tmp = NewOCSPCertId(cOCSPCertId);
	if(!(id = OCSP_CERTID_dup(OCSP_onereq_get0_id(one))))
	    ossl_raise(eOCSPError, NULL);
	SetOCSPCertId(tmp, id);
	rb_ary_push(ary, tmp);
    }

    return ary;
}

#check_nonce(response) ⇒ `Object`

Checks the nonce validity for this request and response.

The return value is one of the following:

-1: nonce in request only.
0: nonces both present and not equal.
1: nonces present and equal.
2: nonces both absent.
3: nonce present in response only.

For most responses, clients can check result > 0. If a responder doesn’t handle nonces result.nonzero? may be necessary. A result of 0 is always an error.

# File 'ossl_ocsp.c', line 249

static VALUE
ossl_ocspreq_check_nonce(VALUE self, VALUE basic_resp)
{
    OCSP_REQUEST *req;
    OCSP_BASICRESP *bs;
    int res;

    GetOCSPReq(self, req);
    SafeGetOCSPBasicRes(basic_resp, bs);
    res = OCSP_check_nonce(req, bs);

    return INT2NUM(res);
}

#sign(signer_cert, signer_key) ⇒ `self` #sign(signer_cert, signer_key, certificates) ⇒ `self` #sign(signer_cert, signer_key, certificates, flags) ⇒ `self`

Signs this OCSP request using signer_cert and signer_key. certificates is an optional Array of certificates that may be included in the request.

Overloads:

#sign(signer_cert, signer_key) ⇒ self
Returns:
- (self)
#sign(signer_cert, signer_key, certificates) ⇒ self
Returns:
- (self)
#sign(signer_cert, signer_key, certificates, flags) ⇒ self
Returns:
- (self)

# File 'ossl_ocsp.c', line 326

static VALUE
ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
{
    VALUE signer_cert, signer_key, certs, flags;
    OCSP_REQUEST *req;
    X509 *signer;
    EVP_PKEY *key;
    STACK_OF(X509) *x509s;
    unsigned long flg;
    int ret;

    rb_scan_args(argc, argv, "22", &signer_cert, &signer_key, &certs, &flags);
    signer = GetX509CertPtr(signer_cert);
    key = GetPrivPKeyPtr(signer_key);
    flg = NIL_P(flags) ? 0 : NUM2INT(flags);
    if(NIL_P(certs)){
	x509s = sk_X509_new_null();
	flags |= OCSP_NOCERTS;
    }
    else x509s = ossl_x509_ary2sk(certs);
    GetOCSPReq(self, req);
    ret = OCSP_request_sign(req, signer, key, EVP_sha1(), x509s, flg);
    sk_X509_pop_free(x509s, X509_free);
    if(!ret) ossl_raise(eOCSPError, NULL);

    return self;
}

#to_der ⇒ `Object`

Returns this request as a DER-encoded string

# File 'ossl_ocsp.c', line 387

static VALUE
ossl_ocspreq_to_der(VALUE self)
{
    OCSP_REQUEST *req;
    VALUE str;
    unsigned char *p;
    long len;

    GetOCSPReq(self, req);
    if((len = i2d_OCSP_REQUEST(req, NULL)) <= 0)
	ossl_raise(eOCSPError, NULL);
    str = rb_str_new(0, len);
    p = (unsigned char *)RSTRING_PTR(str);
    if(i2d_OCSP_REQUEST(req, &p) <= 0)
	ossl_raise(eOCSPError, NULL);
    ossl_str_adjust(str, p);

    return str;
}

#verify(certificates, store) ⇒ `Boolean` #verify(certificates, store, flags) ⇒ `Boolean`

Verifies this request using the given certificates and X509 store.

Overloads:

#verify(certificates, store) ⇒ Boolean
Returns:
- (Boolean)
#verify(certificates, store, flags) ⇒ Boolean
Returns:
- (Boolean)

# File 'ossl_ocsp.c', line 362

static VALUE
ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
{
    VALUE certs, store, flags;
    OCSP_REQUEST *req;
    STACK_OF(X509) *x509s;
    X509_STORE *x509st;
    int flg, result;

    rb_scan_args(argc, argv, "21", &certs, &store, &flags);
    x509st = GetX509StorePtr(store);
    flg = NIL_P(flags) ? 0 : NUM2INT(flags);
    x509s = ossl_x509_ary2sk(certs);
    GetOCSPReq(self, req);
    result = OCSP_request_verify(req, x509s, x509st, flg);
    sk_X509_pop_free(x509s, X509_free);
    if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));

    return result ? Qtrue : Qfalse;
}

Class: OpenSSL::OCSP::Request

Instance Method Summary collapse

Constructor Details

#OpenSSL::OCSP::Request.new ⇒ Object #OpenSSL::OCSP::Request.new(request_der) ⇒ Object

Instance Method Details

#add_certid(certificate_id) ⇒ Object

#add_nonce(nonce = nil) ⇒ Object

#certid ⇒ Array

#check_nonce(response) ⇒ Object

#sign(signer_cert, signer_key) ⇒ self #sign(signer_cert, signer_key, certificates) ⇒ self #sign(signer_cert, signer_key, certificates, flags) ⇒ self

#to_der ⇒ Object

#verify(certificates, store) ⇒ Boolean #verify(certificates, store, flags) ⇒ Boolean