Class: OpenSSL::OCSP::Request

Inherits:
Object
  • Object
show all
Defined in:
ossl_ocsp.c

Instance Method Summary collapse

Constructor Details

#OpenSSL::OCSP::Request.newObject #OpenSSL::OCSP::Request.new(request_der) ⇒ Object

Creates a new OpenSSL::OCSP::Request. The request may be created empty or from a request_der string.


175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
# File 'ossl_ocsp.c', line 175

static VALUE
ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
{
    VALUE arg;
    const unsigned char *p;

    rb_scan_args(argc, argv, "01", &arg);
    if(!NIL_P(arg)){
	OCSP_REQUEST *req = DATA_PTR(self), *x;
	arg = ossl_to_der_if_possible(arg);
	StringValue(arg);
	p = (unsigned char*)RSTRING_PTR(arg);
	x = d2i_OCSP_REQUEST(&req, &p, RSTRING_LEN(arg));
	DATA_PTR(self) = req;
	if(!x){
	    ossl_raise(eOCSPError, "cannot load DER encoded request");
	}
    }

    return self;
}

Instance Method Details

#add_certid(certificate_id) ⇒ Object

Adds certificate_id to the request.


270
271
272
273
274
275
276
277
278
279
280
281
282
# File 'ossl_ocsp.c', line 270

static VALUE
ossl_ocspreq_add_certid(VALUE self, VALUE certid)
{
    OCSP_REQUEST *req;
    OCSP_CERTID *id;

    GetOCSPReq(self, req);
    GetOCSPCertId(certid, id);
    if(!OCSP_request_add0_id(req, OCSP_CERTID_dup(id)))
	ossl_raise(eOCSPError, NULL);

    return self;
}

#add_nonce(nonce = nil) ⇒ Object

Adds a nonce to the OCSP request. If no nonce is given a random one will be generated.

The nonce is used to prevent replay attacks but some servers do not support it.


208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
# File 'ossl_ocsp.c', line 208

static VALUE
ossl_ocspreq_add_nonce(int argc, VALUE *argv, VALUE self)
{
    OCSP_REQUEST *req;
    VALUE val;
    int ret;

    rb_scan_args(argc, argv, "01", &val);
    if(NIL_P(val)) {
	GetOCSPReq(self, req);
	ret = OCSP_request_add1_nonce(req, NULL, -1);
    }
    else{
	StringValue(val);
	GetOCSPReq(self, req);
	ret = OCSP_request_add1_nonce(req, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
    }
    if(!ret) ossl_raise(eOCSPError, NULL);

    return self;
}

#certidArray

Returns all certificate IDs in this request.

Returns:

  • (Array)

291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
# File 'ossl_ocsp.c', line 291

static VALUE
ossl_ocspreq_get_certid(VALUE self)
{
    OCSP_REQUEST *req;
    OCSP_ONEREQ *one;
    OCSP_CERTID *id;
    VALUE ary, tmp;
    int i, count;

    GetOCSPReq(self, req);
    count = OCSP_request_onereq_count(req);
    ary = (count > 0) ? rb_ary_new() : Qnil;
    for(i = 0; i < count; i++){
	one = OCSP_request_onereq_get0(req, i);
	tmp = NewOCSPCertId(cOCSPCertId);
	if(!(id = OCSP_CERTID_dup(OCSP_onereq_get0_id(one))))
	    ossl_raise(eOCSPError, NULL);
	SetOCSPCertId(tmp, id);
	rb_ary_push(ary, tmp);
    }

    return ary;
}

#check_nonce(response) ⇒ Object

Checks the nonce validity for this request and response.

The return value is one of the following:

-1

nonce in request only.

0

nonces both present and not equal.

1

nonces present and equal.

2

nonces both absent.

3

nonce present in response only.

For most responses, clients can check result > 0. If a responder doesn't handle nonces result.nonzero? may be necessary. A result of 0 is always an error.


249
250
251
252
253
254
255
256
257
258
259
260
261
# File 'ossl_ocsp.c', line 249

static VALUE
ossl_ocspreq_check_nonce(VALUE self, VALUE basic_resp)
{
    OCSP_REQUEST *req;
    OCSP_BASICRESP *bs;
    int res;

    GetOCSPReq(self, req);
    SafeGetOCSPBasicRes(basic_resp, bs);
    res = OCSP_check_nonce(req, bs);

    return INT2NUM(res);
}

#sign(signer_cert, signer_key) ⇒ self #sign(signer_cert, signer_key, certificates) ⇒ self #sign(signer_cert, signer_key, certificates, flags) ⇒ self

Signs this OCSP request using signer_cert and signer_key. certificates is an optional Array of certificates that may be included in the request.

Overloads:

  • #sign(signer_cert, signer_key) ⇒ self

    Returns:

    • (self)
  • #sign(signer_cert, signer_key, certificates) ⇒ self

    Returns:

    • (self)
  • #sign(signer_cert, signer_key, certificates, flags) ⇒ self

    Returns:

    • (self)

326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
# File 'ossl_ocsp.c', line 326

static VALUE
ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
{
    VALUE signer_cert, signer_key, certs, flags;
    OCSP_REQUEST *req;
    X509 *signer;
    EVP_PKEY *key;
    STACK_OF(X509) *x509s;
    unsigned long flg;
    int ret;

    rb_scan_args(argc, argv, "22", &signer_cert, &signer_key, &certs, &flags);
    signer = GetX509CertPtr(signer_cert);
    key = GetPrivPKeyPtr(signer_key);
    flg = NIL_P(flags) ? 0 : NUM2INT(flags);
    if(NIL_P(certs)){
	x509s = sk_X509_new_null();
	flags |= OCSP_NOCERTS;
    }
    else x509s = ossl_x509_ary2sk(certs);
    GetOCSPReq(self, req);
    ret = OCSP_request_sign(req, signer, key, EVP_sha1(), x509s, flg);
    sk_X509_pop_free(x509s, X509_free);
    if(!ret) ossl_raise(eOCSPError, NULL);

    return self;
}

#to_derObject

Returns this request as a DER-encoded string


387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
# File 'ossl_ocsp.c', line 387

static VALUE
ossl_ocspreq_to_der(VALUE self)
{
    OCSP_REQUEST *req;
    VALUE str;
    unsigned char *p;
    long len;

    GetOCSPReq(self, req);
    if((len = i2d_OCSP_REQUEST(req, NULL)) <= 0)
	ossl_raise(eOCSPError, NULL);
    str = rb_str_new(0, len);
    p = (unsigned char *)RSTRING_PTR(str);
    if(i2d_OCSP_REQUEST(req, &p) <= 0)
	ossl_raise(eOCSPError, NULL);
    ossl_str_adjust(str, p);

    return str;
}

#verify(certificates, store) ⇒ Boolean #verify(certificates, store, flags) ⇒ Boolean

Verifies this request using the given certificates and X509 store.

Overloads:

  • #verify(certificates, store) ⇒ Boolean

    Returns:

    • (Boolean)
  • #verify(certificates, store, flags) ⇒ Boolean

    Returns:

    • (Boolean)

362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
# File 'ossl_ocsp.c', line 362

static VALUE
ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
{
    VALUE certs, store, flags;
    OCSP_REQUEST *req;
    STACK_OF(X509) *x509s;
    X509_STORE *x509st;
    int flg, result;

    rb_scan_args(argc, argv, "21", &certs, &store, &flags);
    x509st = GetX509StorePtr(store);
    flg = NIL_P(flags) ? 0 : NUM2INT(flags);
    x509s = ossl_x509_ary2sk(certs);
    GetOCSPReq(self, req);
    result = OCSP_request_verify(req, x509s, x509st, flg);
    sk_X509_pop_free(x509s, X509_free);
    if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));

    return result ? Qtrue : Qfalse;
}