Class: OpenSSL::X509::Store

Inherits:
Object
  • Object
show all
Defined in:
ossl_x509store.c,
ossl_x509store.c

Overview

The X509 certificate store holds trusted CA certificates used to verify peer certificates.

The easiest way to create a useful certificate store is:

cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths

This will use your system’s built-in certificates.

If your system does not have a default set of certificates you can obtain a set from Mozilla here: curl.haxx.se/docs/caextract.html (Note that this set does not have an HTTPS download option so you may wish to use the firefox-db2pem.sh script to extract the certificates from a local install to avoid man-in-the-middle attacks.)

After downloading or generating a cacert.pem from the above link you can create a certificate store from the pem file like this:

cert_store = OpenSSL::X509::Store.new
cert_store.add_file 'cacert.pem'

The certificate store can be used with an SSLSocket like this:

ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.cert_store = cert_store

tcp_socket = TCPSocket.open 'example.com', 443

ssl_socket = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context

Instance Method Summary collapse

Constructor Details

#X509::Store.newObject



145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
# File 'ossl_x509store.c', line 145

static VALUE
ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
{
    X509_STORE *store;

/* BUG: This method takes any number of arguments but appears to ignore them. */
    GetX509Store(self, store);
    store->ex_data.sk = NULL;
    X509_STORE_set_verify_cb_func(store, ossl_verify_cb);
    ossl_x509store_set_vfy_cb(self, Qnil);

#if (OPENSSL_VERSION_NUMBER < 0x00907000L)
    rb_iv_set(self, "@flags", INT2FIX(0));
    rb_iv_set(self, "@purpose", INT2FIX(0));
    rb_iv_set(self, "@trust", INT2FIX(0));
#endif

    /* last verification status */
    rb_iv_set(self, "@error", Qnil);
    rb_iv_set(self, "@error_string", Qnil);
    rb_iv_set(self, "@chain", Qnil);
    rb_iv_set(self, "@time", Qnil);

    return self;
}

Instance Method Details

#add_cert(cert) ⇒ Object

Adds the OpenSSL::X509::Certificate cert to the certificate store.



307
308
309
310
311
312
313
314
315
316
317
318
319
320
# File 'ossl_x509store.c', line 307

static VALUE
ossl_x509store_add_cert(VALUE self, VALUE arg)
{
    X509_STORE *store;
    X509 *cert;

    cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
    GetX509Store(self, store);
    if (X509_STORE_add_cert(store, cert) != 1){
        ossl_raise(eX509StoreError, NULL);
    }

    return self;
}

#add_crl(arg) ⇒ Object



322
323
324
325
326
327
328
329
330
331
332
333
334
335
# File 'ossl_x509store.c', line 322

static VALUE
ossl_x509store_add_crl(VALUE self, VALUE arg)
{
    X509_STORE *store;
    X509_CRL *crl;

    crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */
    GetX509Store(self, store);
    if (X509_STORE_add_crl(store, crl) != 1){
        ossl_raise(eX509StoreError, NULL);
    }

    return self;
}

#add_file(file) ⇒ Object

Adds the certificates in file to the certificate store. The file can contain multiple PEM-encoded certificates.



235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
# File 'ossl_x509store.c', line 235

static VALUE
ossl_x509store_add_file(VALUE self, VALUE file)
{
    X509_STORE *store;
    X509_LOOKUP *lookup;
    char *path = NULL;

    if(file != Qnil){
        SafeStringValue(file);
	path = RSTRING_PTR(file);
    }
    GetX509Store(self, store);
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
    if(lookup == NULL) ossl_raise(eX509StoreError, NULL);
    if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){
        ossl_raise(eX509StoreError, NULL);
    }

    return self;
}

#add_path(dir) ⇒ Object



256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
# File 'ossl_x509store.c', line 256

static VALUE
ossl_x509store_add_path(VALUE self, VALUE dir)
{
    X509_STORE *store;
    X509_LOOKUP *lookup;
    char *path = NULL;

    if(dir != Qnil){
        SafeStringValue(dir);
	path = RSTRING_PTR(dir);
    }
    GetX509Store(self, store);
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
    if(lookup == NULL) ossl_raise(eX509StoreError, NULL);
    if(X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1){
        ossl_raise(eX509StoreError, NULL);
    }

    return self;
}

#flags=(flags) ⇒ Object



171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
# File 'ossl_x509store.c', line 171

static VALUE
ossl_x509store_set_flags(VALUE self, VALUE flags)
{
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
    X509_STORE *store;
    long f = NUM2LONG(flags);

    GetX509Store(self, store);
    X509_STORE_set_flags(store, f);
#else
    rb_iv_set(self, "@flags", flags);
#endif

    return flags;
}

#purpose=(purpose) ⇒ Object



187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
# File 'ossl_x509store.c', line 187

static VALUE
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
{
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
    X509_STORE *store;
    int p = NUM2INT(purpose);

    GetX509Store(self, store);
    X509_STORE_set_purpose(store, p);
#else
    rb_iv_set(self, "@purpose", purpose);
#endif

    return purpose;
}

#set_default_pathsObject

Adds the default certificates to the certificate store. These certificates are loaded from the default configuration directory which can usually be determined by:

File.dirname OpenSSL::Config::DEFAULT_CONFIG_FILE


287
288
289
290
291
292
293
294
295
296
297
298
# File 'ossl_x509store.c', line 287

static VALUE
ossl_x509store_set_default_paths(VALUE self)
{
    X509_STORE *store;

    GetX509Store(self, store);
    if (X509_STORE_set_default_paths(store) != 1){
        ossl_raise(eX509StoreError, NULL);
    }

    return Qnil;
}

#time=(time) ⇒ Object



219
220
221
222
223
224
# File 'ossl_x509store.c', line 219

static VALUE
ossl_x509store_set_time(VALUE self, VALUE time)
{
    rb_iv_set(self, "@time", time);
    return time;
}

#trust=(trust) ⇒ Object



203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
# File 'ossl_x509store.c', line 203

static VALUE
ossl_x509store_set_trust(VALUE self, VALUE trust)
{
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
    X509_STORE *store;
    int t = NUM2INT(trust);

    GetX509Store(self, store);
    X509_STORE_set_trust(store, t);
#else
    rb_iv_set(self, "@trust", trust);
#endif

    return trust;
}

#verify(*args) ⇒ Object



341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
# File 'ossl_x509store.c', line 341

static VALUE
ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
{
    VALUE cert, chain;
    VALUE ctx, proc, result;

    rb_scan_args(argc, argv, "11", &cert, &chain);
    ctx = rb_funcall(cX509StoreContext, rb_intern("new"), 3, self, cert, chain);
    proc = rb_block_given_p() ?  rb_block_proc() :
	   rb_iv_get(self, "@verify_callback");
    rb_iv_set(ctx, "@verify_callback", proc);
    result = rb_funcall(ctx, rb_intern("verify"), 0);

    rb_iv_set(self, "@error", ossl_x509stctx_get_err(ctx));
    rb_iv_set(self, "@error_string", ossl_x509stctx_get_err_string(ctx));
    rb_iv_set(self, "@chain", ossl_x509stctx_get_chain(ctx));

    return result;
}

#verify_callback=(cb) ⇒ Object

General callback for OpenSSL verify



127
128
129
130
131
132
133
134
135
136
137
# File 'ossl_x509store.c', line 127

static VALUE
ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
{
    X509_STORE *store;

    GetX509Store(self, store);
    X509_STORE_set_ex_data(store, ossl_verify_cb_idx, (void*)cb);
    rb_iv_set(self, "@verify_callback", cb);

    return cb;
}