Class: OpenSSL::X509::Store

Relationships & Source Files
Inherits: Object
Defined in: ext/openssl/ossl_x509store.c

Overview

The X509 certificate store holds trusted CA certificates used to verify peer certificates.

The easiest way to create a useful certificate store is:

cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths

This will use your system's built-in certificates.

If your system does not have a default set of certificates you can obtain a set extracted from Mozilla CA certificate store by cURL maintainers here: curl.haxx.se/docs/caextract.html (You may wish to use the firefox-db2pem.sh script to extract the certificates from a local install to avoid man-in-the-middle attacks.)

After downloading or generating a cacert.pem from the above link you can create a certificate store from the pem file like this:

cert_store = OpenSSL::X509::Store.new
cert_store.add_file 'cacert.pem'

The certificate store can be used with an SSLSocket like this:

ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl_context.cert_store = cert_store

tcp_socket = TCPSocket.open 'example.com', 443

ssl_socket = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context
ssl_socket.hostname = 'example.com'          # send SNI for the intended host
ssl_socket.connect
ssl_socket.post_connection_check 'example.com'  # reject a valid cert for another name

VERIFY_PEER only checks that the peer's certificate chains to a CA in the store; it does not check that the certificate was issued for the host you meant to reach. Call #post_connection_check after #connect (or set verify_hostname = true on the SSLContext, available since Ruby's openssl 2.0) so that a correctly signed certificate for some other name is rejected rather than accepted.

Constructor Details

X509::Store.new ⇒ Store

Creates a new Store.

Instance Attribute Details

#chain (readonly)

The certificate chain constructed by the last call of #verify.

#error (readonly)

The error code set by the last call of #verify.

#error_string (readonly)

The description for the error code set by the last call of #verify.

#flags=(flag) (writeonly)

Sets the verification flags of the store. flag consists of zero or more of the OpenSSL::X509 constants named V_FLAG_* OR'ed together (for example V_FLAG_CRL_CHECK | V_FLAG_CRL_CHECK_ALL to require CRL checking for every certificate in the chain).

#purpose=(purpose) (writeonly)

Sets the store's purpose to purpose. If specified, the verifications on the store will check every untrusted certificate's extensions are consistent with the purpose. The purpose is specified by constants:

  • X509::PURPOSE_SSL_CLIENT

  • X509::PURPOSE_SSL_SERVER

  • X509::PURPOSE_NS_SSL_SERVER

  • X509::PURPOSE_SMIME_SIGN

  • X509::PURPOSE_SMIME_ENCRYPT

  • X509::PURPOSE_CRL_SIGN

  • X509::PURPOSE_ANY

  • X509::PURPOSE_OCSP_HELPER

  • X509::PURPOSE_TIMESTAMP_SIGN

#time=(time) (writeonly)

Sets the time to be used in verifications.

#trust=(trust) (writeonly)

#verify_callback (rw)

The callback for additional certificate verification. It is invoked for each untrusted certificate in the chain.

The callback is invoked with two values: a boolean that indicates whether the pre-verification by ::OpenSSL succeeded, and the StoreContext in use (its #error, #error_string, #error_depth and #current_cert describe the certificate being examined). The callback must return either true or false; returning true when the pre-verification failed overrides OpenSSL's decision and accepts the certificate, so a callback should only ever return true on its own judgement for a failure it has deliberately chosen to tolerate.

#verify_callback=(cb) (rw)

General callback for ::OpenSSL verify

Instance Method Details

#add_cert(cert)

Adds the Certificate cert to the certificate store.

#add_crl(crl) ⇒ self

Adds the CRL crl to the store.

#add_file(file) ⇒ self

Adds the certificates in file to the certificate store. The file can contain multiple PEM-encoded certificates.

#add_path(path) ⇒ self

Adds path as a hash directory to be searched by the store on demand: a directory in which each certificate is stored in a file named by the hash of its subject name followed by a numeric suffix (e.g. 0e5d3a6f.0), the layout produced by openssl rehash (c_rehash). Certificates are loaded lazily at lookup time, so a malformed or missing file is not reported by this method.

#set_default_paths

Configures the store to look up CA certificates from the system default certificate store on an as-needed basis. The location of the store can usually be determined by:

  • OpenSSL::X509::DEFAULT_CERT_FILE

  • OpenSSL::X509::DEFAULT_CERT_DIR

OpenSSL also honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables here, so the set of trusted roots can be changed by the process environment; do not rely on the defaults for a process whose environment an untrusted party controls.
#verify(cert, chain = nil) ⇒ Boolean

Performs a certificate verification on the Certificate cert.

chain can be an array of Certificate that is used to construct the certificate chain; it holds the untrusted intermediate certificates (as sent by a TLS peer), not additional trust anchors.

If a block is given, it overrides the callback set by #verify_callback=.

After finishing the verification, the error information can be retrieved by #error and #error_string, and the resulting complete certificate chain can be retrieved by #chain.
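The following is an added example, not code from the page or from Ruby's openssl extension, that exercises #verify together with #chain, #error, #time=, #purpose=, the verification block, #add_file and #add_path on a constructed PKI. The make_cert helper, the key and certificate names, and the example.com subject are all assumptions made for the example; the PKI is generated in memory at load time, so nothing external is contacted.

```ruby
require 'openssl'
require 'tmpdir'

# Helper assumed for this example (not part of OpenSSL::X509::Store):
# build and sign an X.509 v3 certificate, self-signed when no issuer is given.
def make_cert(subject, key, serial, ca:, issuer: nil, issuer_key: nil, lifetime: 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + lifetime
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false)) # server-only leaf
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed PKI: root -> intermediate -> leaf, plus a rogue self-signed
# certificate for the same name that no store trusts.
ROOT_KEY, INT_KEY, LEAF_KEY, ROGUE_KEY = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
ROOT  = make_cert('/CN=Example Root CA', ROOT_KEY, 1, ca: true, lifetime: 86_400)
INT   = make_cert('/CN=Example Issuing CA', INT_KEY, 2, ca: true, issuer: ROOT, issuer_key: ROOT_KEY, lifetime: 86_400)
LEAF  = make_cert('/CN=example.com', LEAF_KEY, 3, ca: false, issuer: INT, issuer_key: INT_KEY)
ROGUE = make_cert('/CN=example.com', ROGUE_KEY, 4, ca: false)

# Trusts only the root. The intermediate is deliberately not added: a TLS
# server sends it, and #verify receives it through the chain argument.
def root_only_store
  store = OpenSSL::X509::Store.new
  store.add_cert(ROOT)
  store
end

# With the intermediate supplied the chain leaf -> intermediate -> root is
# built and exposed by #chain; without it the leaf's issuer cannot be found.
def verify_leaf(with_intermediate)
  store = root_only_store
  ok = store.verify(LEAF, with_intermediate ? [INT] : nil)
  [ok, store.error, ok ? store.chain.map { |c| c.subject.to_s } : nil]
end

# #time= evaluates validity at a chosen instant; here after the leaf expired.
def verify_expired
  store = root_only_store
  store.time = Time.now + 7200 # leaf lives 3600s, the CAs 86400s
  [store.verify(LEAF, [INT]), store.error]
end

# #purpose= checks the chain's extensions against the intended use: the leaf
# has extendedKeyUsage=serverAuth only, so it is a TLS server certificate
# but not a TLS client certificate.
def verify_purpose(purpose)
  store = root_only_store
  store.purpose = purpose
  [store.verify(LEAF, [INT]), store.error]
end

# A block given to #verify overrides #verify_callback=. It sees OpenSSL's
# pre-verification result for each certificate and returns the final verdict;
# returning true unconditionally would accept the rogue certificate.
def verify_rogue_with_audit
  store = root_only_store
  seen = []
  ok = store.verify(ROGUE) do |preverify_ok, ctx|
    seen << [ctx.error_depth, ctx.current_cert&.subject&.to_s, ctx.error_string]
    preverify_ok
  end
  [ok, store.error, seen]
end

# #add_file takes a PEM bundle; #add_path takes a directory whose files are
# named <subject-hash>.<n>, the layout produced by openssl rehash.
def verify_from_disk
  Dir.mktmpdir do |dir|
    bundle = File.join(dir, 'cacert.pem')
    File.write(bundle, ROOT.to_pem)
    hashdir = File.join(dir, 'certs')
    Dir.mkdir(hashdir)
    File.write(File.join(hashdir, format('%08x.0', ROOT.subject.hash)), ROOT.to_pem)

    by_file = OpenSSL::X509::Store.new
    by_file.add_file(bundle)
    by_dir = OpenSSL::X509::Store.new
    by_dir.add_path(hashdir)
    [by_file.verify(LEAF, [INT]), by_dir.verify(LEAF, [INT])]
  end
end
```

Note the split of responsibilities: the store holds trust anchors only, and everything a peer supplies goes in as the untrusted chain argument. Adding a received intermediate with #add_cert instead would turn it into a trust anchor.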