Class: OpenSSL::X509::Store
Relationships & Source Files | |
Inherits: | Object |
Defined in: | ext/openssl/ossl_x509store.c |
Overview
The X509 certificate store holds trusted CA certificates used to verify peer certificates.
The easiest way to create a useful certificate store is:
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths
This will use your system’s built-in certificates.
If your system does not have a default set of certificates, you can obtain a set extracted from the Mozilla CA certificate store by the cURL maintainers here: curl.haxx.se/docs/caextract.html (You may wish to use the firefox-db2pem.sh script to extract the certificates from a local install instead, which avoids a man-in-the-middle attack on the download.)
After downloading or generating a cacert.pem from the above link you can create a certificate store from the pem file like this:
cert_store = OpenSSL::X509::Store.new
cert_store.add_file 'cacert.pem'
The certificate store can be used with an SSLSocket like this:
ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl_context.cert_store = cert_store
tcp_socket = TCPSocket.open 'example.com', 443
ssl_socket = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context
Class Method Summary
-
X509::Store.new ⇒ Store
constructor
Creates a new Store.
Instance Attribute Summary
-
#flags=(flags)
writeonly
Sets flags to the
Store
. -
#purpose=(purpose)
writeonly
Sets the store’s purpose to purpose.
-
#time=(time)
writeonly
Sets the time to be used in verifications.
- #trust=(trust) writeonly
-
#verify_callback=(cb)
writeonly
General callback for OpenSSL verify.
Instance Method Summary
-
#add_cert(cert)
Adds the
Certificate
cert to the certificate store. -
#add_crl(crl) ⇒ self
Adds the
CRL
crl to the store. -
#add_file(file) ⇒ self
Adds the certificates in file to the certificate store.
-
#add_path(path) ⇒ self
Adds path as the hash dir to be looked up by the store.
-
#set_default_paths
Configures store to look up CA certificates from the system default certificate store on an as-needed basis.
-
#verify(cert, chain = nil) ⇒ Boolean
Performs a certificate verification on the
Certificate
cert.
Constructor Details
X509::Store.new ⇒ Store
Creates a new Store
.
# File 'ext/openssl/ossl_x509store.c', line 197
/*
 * call-seq:
 *    X509::Store.new => store
 *
 * Creates a new Store.
 *
 * Installs the C-level verify hook on the underlying X509_STORE, resets the
 * Ruby-level verify callback to nil and clears the instance variables that
 * record the result of the most recent #verify call (plus @time, which
 * #time= fills in).
 *
 * Returns self.
 */
static VALUE
ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
{
    /* ivars cleared on construction: last verification status and the
     * verification time set via #time= */
    static const char *const reset_ivars[] = {
        "@error", "@error_string", "@chain", "@time",
    };
    X509_STORE *store;
    size_t i;

    /* BUG: This method takes any number of arguments but appears to ignore them. */
    GetX509Store(self, store);
#if !defined(HAVE_OPAQUE_OPENSSL)
    /* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */
    store->ex_data.sk = NULL;
#endif
    /* x509store_verify_cb is the C hook that dispatches to the Ruby proc
     * stored via #verify_callback=; start with no Ruby callback. */
    X509_STORE_set_verify_cb(store, x509store_verify_cb);
    ossl_x509store_set_vfy_cb(self, Qnil);

    for (i = 0; i < sizeof(reset_ivars) / sizeof(reset_ivars[0]); i++)
        rb_iv_set(self, reset_ivars[i], Qnil);

    return self;
}
Instance Attribute Details
#flags=(flags) (writeonly)
Sets flags to the Store
. flags consists of zero or more of the constants named V_FLAG_* or'ed together.
# File 'ext/openssl/ossl_x509store.c', line 227
/*
 * call-seq:
 *    store.flags = flags
 *
 * Sets _flags_ to the Store. _flags_ consists of zero or more of the
 * V_FLAG_* constants or'ed together. Returns _flags_.
 *
 * Note that OpenSSL OR-s the given bits into the store's current flags
 * rather than replacing them, so assigning 0 does not clear previously
 * set flags.
 */
static VALUE
ossl_x509store_set_flags(VALUE self, VALUE flags)
{
    /* Convert before fetching the store so a non-Integer argument is
     * rejected by NUM2LONG first, as in the other setters. */
    long mask = NUM2LONG(flags);
    X509_STORE *store;

    GetX509Store(self, store);
    X509_STORE_set_flags(store, mask);

    return flags;
}
#purpose=(purpose) (writeonly)
Sets the store’s purpose to purpose. If specified, verifications on the store will check that every untrusted certificate’s extensions are consistent with the purpose. The purpose is specified by one of the constants:
-
X509::PURPOSE_SSL_CLIENT
-
X509::PURPOSE_SSL_SERVER
-
X509::PURPOSE_NS_SSL_SERVER
-
X509::PURPOSE_SMIME_SIGN
-
X509::PURPOSE_SMIME_ENCRYPT
-
X509::PURPOSE_CRL_SIGN
-
X509::PURPOSE_ANY
-
X509::PURPOSE_OCSP_HELPER
-
X509::PURPOSE_TIMESTAMP_SIGN
# File 'ext/openssl/ossl_x509store.c', line 257
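/*
 * call-seq:
 *    store.purpose = purpose
 *
 * Sets the store's purpose to _purpose_, one of the X509::PURPOSE_*
 * constants. Verifications on the store will then check that every
 * untrusted certificate's extensions are consistent with that purpose.
 *
 * Returns _purpose_. Raises X509::StoreError if OpenSSL does not recognise
 * the purpose id, so that a typo cannot silently leave the store verifying
 * against a different purpose than the caller intended.
 */
static VALUE
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
{
    X509_STORE *store;
    int p = NUM2INT(purpose); /* evaluated first: rejects a non-Integer argument */

    GetX509Store(self, store);
    /* X509_STORE_set_purpose() returns 1 on success and 0 for an unknown
     * purpose id (error left on the OpenSSL error queue for ossl_raise). */
    if (X509_STORE_set_purpose(store, p) != 1)
        ossl_raise(eX509StoreError, NULL);

    return purpose;
}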
#time=(time) (writeonly)
Sets the time to be used in verifications.
# File 'ext/openssl/ossl_x509store.c', line 291
/*
 * call-seq:
 *    store.time = time
 *
 * Sets the time to be used in verifications, in place of the current time.
 * Returns _time_.
 *
 * The value is only recorded in @time here; it is not applied to the
 * X509_STORE directly (presumably picked up when a StoreContext is built
 * for #verify — confirm against ossl_x509stctx).
 */
static VALUE
ossl_x509store_set_time(VALUE self, VALUE time)
{
    /* rb_iv_set() returns the value it stored, which is what we return. */
    return rb_iv_set(self, "@time", time);
}
#trust=(trust) (writeonly)
# File 'ext/openssl/ossl_x509store.c', line 273
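/*
 * call-seq:
 *    store.trust = trust
 *
 * Sets the store's trust setting to _trust_, a trust id (one of the
 * X509::TRUST_* constants).
 *
 * Returns _trust_. Raises X509::StoreError if OpenSSL does not recognise
 * the trust id; previously an invalid value was ignored without notice,
 * leaving the old trust setting in effect.
 */
static VALUE
ossl_x509store_set_trust(VALUE self, VALUE trust)
{
    X509_STORE *store;
    int t = NUM2INT(trust); /* evaluated first: rejects a non-Integer argument */

    GetX509Store(self, store);
    /* X509_STORE_set_trust() returns 1 on success and 0 for an unknown
     * trust id (error left on the OpenSSL error queue for ossl_raise). */
    if (X509_STORE_set_trust(store, t) != 1)
        ossl_raise(eX509StoreError, NULL);

    return trust;
}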
#verify_callback=(cb) (writeonly)
General callback for OpenSSL verify.
# File 'ext/openssl/ossl_x509store.c', line 178
/*
 * call-seq:
 *    store.verify_callback = proc
 *
 * General callback for OpenSSL verify. _cb_ is stored both in the
 * X509_STORE's ex_data (where the C-level hook x509store_verify_cb looks it
 * up) and in @verify_callback, which keeps the proc reachable for the GC —
 * the ex_data slot alone is not marked. Returns _cb_.
 *
 * NOTE(review): the return value of X509_STORE_set_ex_data() is not checked,
 * so an allocation failure there would go unnoticed.
 */
static VALUE
ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
{
    X509_STORE *store;

    GetX509Store(self, store);
    X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb);

    /* rb_iv_set() returns the stored value, i.e. cb. */
    return rb_iv_set(self, "@verify_callback", cb);
}
Instance Method Details
#add_cert(cert)
Adds the Certificate
cert to the certificate store.
# File 'ext/openssl/ossl_x509store.c', line 391
/*
 * call-seq:
 *    store.add_cert(cert)
 *
 * Adds the Certificate _cert_ to the certificate store. Certificates in the
 * store are treated as trusted (see the class overview), so only add CA
 * certificates you actually trust.
 *
 * Returns self. Raises X509::StoreError if OpenSSL refuses the certificate
 * (on older OpenSSL a duplicate was such an error; see the comment in
 * #add_file).
 */
static VALUE
ossl_x509store_add_cert(VALUE self, VALUE arg)
{
    X509 *cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
    X509_STORE *store;

    GetX509Store(self, store);
    /* OpenSSL returns 1 on success; anything else is an error. */
    if (X509_STORE_add_cert(store, cert) != 1)
        ossl_raise(eX509StoreError, NULL);

    return self;
}
#add_crl(crl) ⇒ self
Adds the CRL
crl to the store.
# File 'ext/openssl/ossl_x509store.c', line 412
/*
 * call-seq:
 *    store.add_crl(crl) -> self
 *
 * Adds the CRL _crl_ to the store. Adding a CRL does not by itself enable
 * revocation checking; the corresponding V_FLAG_* flag must be set via
 * #flags= for it to be consulted.
 *
 * Returns self. Raises X509::StoreError if OpenSSL refuses the CRL.
 */
static VALUE
ossl_x509store_add_crl(VALUE self, VALUE arg)
{
    X509_CRL *crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */
    X509_STORE *store;

    GetX509Store(self, store);
    /* OpenSSL returns 1 on success; anything else is an error. */
    if (X509_STORE_add_crl(store, crl) != 1)
        ossl_raise(eX509StoreError, NULL);

    return self;
}
#add_file(file) ⇒ self
Adds the certificates in file to the certificate store. file is the path to the file, and the file contains one or more certificates in PEM format concatenated together.
# File 'ext/openssl/ossl_x509store.c', line 306
/*
 * call-seq:
 *    store.add_file(file) -> self
 *
 * Adds the certificates in _file_ to the certificate store. _file_ is the
 * path to a file containing one or more PEM certificates concatenated
 * together; the underlying lookup (X509_load_cert_crl_file) also picks up
 * any CRLs in the file.
 *
 * Returns self. Raises X509::StoreError if the lookup cannot be created or
 * the file cannot be loaded.
 */
static VALUE
ossl_x509store_add_file(VALUE self, VALUE file)
{
    X509_STORE *store;
    X509_LOOKUP *lookup;
    /* StringValueCStr rejects non-Strings and strings with embedded NULs,
     * so a crafted path cannot be silently truncated. nil is handed to
     * OpenSSL as a NULL path and left for it to reject. */
    char *path = file == Qnil ? NULL : StringValueCStr(file);

    GetX509Store(self, store);
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
    if (!lookup)
        ossl_raise(eX509StoreError, NULL);
    if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1)
        ossl_raise(eX509StoreError, NULL);
#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
    /*
     * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
     * did not check the return value of X509_STORE_add_{cert,crl}(), leaking
     * "cert already in hash table" errors on the error queue, if duplicate
     * certificates are found. This will be fixed by OpenSSL 1.1.1.
     */
    ossl_clear_error();
#endif

    return self;
}
#add_path(path) ⇒ self
Adds path as the hash dir to be looked up by the store.
# File 'ext/openssl/ossl_x509store.c', line 341
/*
 * call-seq:
 *    store.add_path(path) -> self
 *
 * Adds _path_ as the hash dir to be looked up by the store. Certificates in
 * the directory are loaded lazily as verification needs them, so the
 * directory's contents matter at verification time, not only now.
 *
 * Returns self. Raises X509::StoreError if the lookup cannot be created or
 * the directory cannot be registered.
 */
static VALUE
ossl_x509store_add_path(VALUE self, VALUE dir)
{
    X509_STORE *store;
    X509_LOOKUP *lookup;
    /* StringValueCStr rejects non-Strings and embedded NULs; nil becomes a
     * NULL path that OpenSSL is left to reject. */
    char *path = dir == Qnil ? NULL : StringValueCStr(dir);

    GetX509Store(self, store);
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
    if (!lookup)
        ossl_raise(eX509StoreError, NULL);
    if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1)
        ossl_raise(eX509StoreError, NULL);

    return self;
}
#set_default_paths
Configures store to look up CA certificates from the system default certificate store on an as-needed basis. The location of the store can usually be determined by:
-
OpenSSL::X509::DEFAULT_CERT_FILE
-
OpenSSL::X509::DEFAULT_CERT_DIR
# File 'ext/openssl/ossl_x509store.c', line 372
/*
 * call-seq:
 *    store.set_default_paths
 *
 * Configures the store to look up CA certificates from the system default
 * certificate store on an as-needed basis (see X509::DEFAULT_CERT_FILE and
 * X509::DEFAULT_CERT_DIR). Note that OpenSSL also honours the SSL_CERT_FILE
 * and SSL_CERT_DIR environment variables here, so the process environment
 * can redirect which trust store is used.
 *
 * Returns nil (unlike the add_* methods, which return self). Raises
 * X509::StoreError on failure.
 */
static VALUE
ossl_x509store_set_default_paths(VALUE self)
{
    X509_STORE *store;
    int ok;

    GetX509Store(self, store);
    ok = X509_STORE_set_default_paths(store);
    if (ok != 1)
        ossl_raise(eX509StoreError, NULL);

    return Qnil;
}
#verify(cert, chain = nil) ⇒ Boolean
Performs a certificate verification on the Certificate
cert.
chain can be an array of Certificate objects that is used to construct the certificate chain.
If a block is given, it overrides the callback set by #verify_callback=.
After finishing the verification, the error information can be retrieved by #error and #error_string, and the resulting complete certificate chain can be retrieved by #chain.
# File 'ext/openssl/ossl_x509store.c', line 446
/*
 * call-seq:
 *    store.verify(cert, chain = nil) -> true | false
 *
 * Performs a certificate verification on the Certificate _cert_. _chain_
 * may be an array of Certificate objects used to construct the chain; it
 * is nil when omitted. A block, if given, overrides the callback set by
 * #verify_callback= for this call only.
 *
 * Returns whatever StoreContext#verify returns. @error, @error_string and
 * @chain on the store are refreshed only when that call returns normally;
 * if it raises, they still hold the previous verification's values. Because
 * those results live on the store object, concurrent #verify calls on one
 * store overwrite each other's status.
 */
static VALUE
ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
{
    VALUE cert, chain, store_ctx, callback, result;

    rb_scan_args(argc, argv, "11", &cert, &chain);
    store_ctx = rb_funcall(cX509StoreContext, rb_intern("new"), 3, self, cert, chain);

    /* A block takes precedence over the store-wide callback. */
    if (rb_block_given_p())
        callback = rb_block_proc();
    else
        callback = rb_iv_get(self, "@verify_callback");
    rb_iv_set(store_ctx, "@verify_callback", callback);

    result = rb_funcall(store_ctx, rb_intern("verify"), 0);

    /* Copy the context's outcome back onto the store for #error etc. */
    rb_iv_set(self, "@error", ossl_x509stctx_get_err(store_ctx));
    rb_iv_set(self, "@error_string", ossl_x509stctx_get_err_string(store_ctx));
    rb_iv_set(self, "@chain", ossl_x509stctx_get_chain(store_ctx));

    return result;
}