Module: OpenSSL::OCSP
Relationships & Source Files | |
Namespace Children | |
Classes:
| |
Exceptions:
| |
Defined in: | ext/openssl/ossl_ocsp.c |
Overview
OCSP
implements Online Certificate Status Protocol requests and responses.
Creating and sending an OCSP
request requires a subject certificate that contains an OCSP
URL in an authorityInfoAccess extension and the issuer certificate for the subject certificate. First, load the issuer and subject certificates:
subject = OpenSSL::X509::Certificate.new subject_pem
issuer = OpenSSL::X509::Certificate.new issuer_pem
To create the request we need to create a certificate ID for the subject certificate so the CA knows which certificate we are asking about:
digest = OpenSSL::Digest::SHA1.new
certificate_id =
OpenSSL::OCSP::CertificateId.new subject, issuer, digest
Then create a request and add the certificate ID to it:
request = OpenSSL::OCSP::Request.new
request.add_certid certificate_id
Adding a nonce to the request protects against replay attacks but not all CA process the nonce.
request.add_nonce
To submit the request to the CA for verification we need to extract the OCSP
URI from the subject certificate:
= subject.extensions.find do |extension|
extension.oid == 'authorityInfoAccess'
end
descriptions = .value.split "\n"
ocsp = descriptions.find do |description|
description.start_with? 'OCSP'
end
require 'uri'
ocsp_uri = URI ocsp[/URI:(.*)/, 1]
To submit the request we'll POST the request to the OCSP
URI (per RFC 2560). Note that we only handle HTTP requests and don't handle any redirects in this example, so this is insufficient for serious use.
require 'net/http'
http_response =
Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http|
http.post ocsp_uri.path, request.to_der,
'content-type' => 'application/ocsp-request'
end
response = OpenSSL::OCSP::Response.new http_response.body
response_basic = response.basic
First we check if the response has a valid signature. Without a valid signature we cannot trust it. If you get a failure here you may be missing a system certificate store or may be missing the intermediate certificates.
store = OpenSSL::X509::Store.new
store.set_default_paths
unless response.verify [], store then
raise 'response is not signed by a trusted certificate'
end
The response contains the status information (success/fail). We can display the status as a string:
puts response.status_string #=> successful
Next we need to know the response details to determine if the response matches our request. First we check the nonce. Again, not all CAs support a nonce. See Request#check_nonce for the meanings of the return values.
p request.check_nonce basic_response #=> value from -1 to 3
Then extract the status information from the basic response. (You can check multiple certificates in a request, but for this example we only submitted one.)
response_certificate_id, status, reason, revocation_time,
this_update, next_update, extensions = basic_response.status
Then check the various fields.
unless response_certificate_id == certificate_id then
raise 'certificate id mismatch'
end
now = Time.now
if this_update > now then
raise 'update date is in the future'
end
if now > next_update then
raise 'next update time has passed'
end
Constant Summary
-
NOCASIGN =
(This flag is not used by ::OpenSSL 1.0.1g)
INT2NUM(OCSP_NOCASIGN)
-
NOCERTS =
Do not include certificates in the response
INT2NUM(OCSP_NOCERTS)
-
NOCHAIN =
Do not verify the certificate chain on the response
INT2NUM(OCSP_NOCHAIN)
-
NOCHECKS =
Do not make additional signing certificate checks
INT2NUM(OCSP_NOCHECKS)
-
NODELEGATED =
(This flag is not used by ::OpenSSL 1.0.1g)
INT2NUM(OCSP_NODELEGATED)
-
NOEXPLICIT =
Do not check trust
INT2NUM(OCSP_NOEXPLICIT)
-
NOINTERN =
Do not search certificates contained in the response for a signer
INT2NUM(OCSP_NOINTERN)
-
NOSIGS =
Do not check the signature on the response
INT2NUM(OCSP_NOSIGS)
-
NOTIME =
Do not include producedAt time in response
INT2NUM(OCSP_NOTIME)
-
NOVERIFY =
Do not verify the response at all
INT2NUM(OCSP_NOVERIFY)
-
RESPID_KEY =
Identify the response by signing the certificate key ID
INT2NUM(OCSP_RESPID_KEY)
-
RESPONSE_STATUS_INTERNALERROR =
Internal error in issuer
INT2NUM(OCSP_RESPONSE_STATUS_INTERNALERROR)
-
RESPONSE_STATUS_MALFORMEDREQUEST =
Illegal confirmation request
INT2NUM(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST)
-
RESPONSE_STATUS_SIGREQUIRED =
You must sign the request and resubmit
INT2NUM(OCSP_RESPONSE_STATUS_SIGREQUIRED)
-
RESPONSE_STATUS_SUCCESSFUL =
OCSP::Response has valid confirmations
INT2NUM(OCSP_RESPONSE_STATUS_SUCCESSFUL)
-
RESPONSE_STATUS_TRYLATER =
Try again later
INT2NUM(OCSP_RESPONSE_STATUS_TRYLATER)
-
RESPONSE_STATUS_UNAUTHORIZED =
Your request is unauthorized.
INT2NUM(OCSP_RESPONSE_STATUS_UNAUTHORIZED)
-
REVOKED_STATUS_AFFILIATIONCHANGED =
The certificate subject's name or other information changed
INT2NUM(OCSP_REVOKED_STATUS_AFFILIATIONCHANGED)
-
REVOKED_STATUS_CACOMPROMISE =
This CA certificate was revoked due to a key compromise
INT2NUM(OCSP_REVOKED_STATUS_CACOMPROMISE)
-
REVOKED_STATUS_CERTIFICATEHOLD =
The certificate is on hold
INT2NUM(OCSP_REVOKED_STATUS_CERTIFICATEHOLD)
-
REVOKED_STATUS_CESSATIONOFOPERATION =
The certificate is no longer needed
INT2NUM(OCSP_REVOKED_STATUS_CESSATIONOFOPERATION)
-
REVOKED_STATUS_KEYCOMPROMISE =
The certificate was revoked due to a key compromise
INT2NUM(OCSP_REVOKED_STATUS_KEYCOMPROMISE)
-
REVOKED_STATUS_NOSTATUS =
The certificate was revoked for an unknown reason
INT2NUM(OCSP_REVOKED_STATUS_NOSTATUS)
-
REVOKED_STATUS_REMOVEFROMCRL =
The certificate was previously on hold and should now be removed from the CRL
INT2NUM(OCSP_REVOKED_STATUS_REMOVEFROMCRL)
-
REVOKED_STATUS_SUPERSEDED =
The certificate was superseded by a new certificate
INT2NUM(OCSP_REVOKED_STATUS_SUPERSEDED)
-
REVOKED_STATUS_UNSPECIFIED =
The certificate was revoked for an unspecified reason
INT2NUM(OCSP_REVOKED_STATUS_UNSPECIFIED)
-
TRUSTOTHER =
Do not verify additional certificates
INT2NUM(OCSP_TRUSTOTHER)
-
V_CERTSTATUS_GOOD =
Indicates the certificate is not revoked but does not necessarily mean the certificate was issued or that this response is within the certificate's validity interval
INT2NUM(V_OCSP_CERTSTATUS_GOOD)
-
V_CERTSTATUS_REVOKED =
Indicates the certificate has been revoked either permanently or temporarily (on hold).
INT2NUM(V_OCSP_CERTSTATUS_REVOKED)
-
V_CERTSTATUS_UNKNOWN =
Indicates the responder does not know about the certificate being requested.
INT2NUM(V_OCSP_CERTSTATUS_UNKNOWN)
-
V_RESPID_KEY =
The responder ID is based on the public key.
INT2NUM(V_OCSP_RESPID_KEY)
-
V_RESPID_NAME =
The responder ID is based on the key name.
INT2NUM(V_OCSP_RESPID_NAME)