123456789_123456789_123456789_123456789_123456789_

Class: OpenSSL::OCSP::SingleResponse

Relationships & Source Files
Inherits: Object
Defined in: ext/openssl/ossl_ocsp.c

Overview

An SingleResponse represents an ::OpenSSL::OCSP SingleResponse structure, which contains the basic information of the status of the certificate.

Class Method Summary

Instance Method Summary

Constructor Details

.new(der_string) ⇒ SingleResponse

Creates a new SingleResponse from der_string.

[ GitHub ]

  
# File 'ext/openssl/ossl_ocsp.c', line 1140

static VALUE
ossl_ocspsres_initialize(VALUE self, VALUE arg)
{
    OCSP_SINGLERESP *res, *res_new;
    const unsigned char *p;

    arg = ossl_to_der_if_possible(arg);
    StringValue(arg);
    GetOCSPSingleRes(self, res);

    p = (unsigned char*)RSTRING_PTR(arg);
    res_new = d2i_OCSP_SINGLERESP(NULL, &p, RSTRING_LEN(arg));
    if (!res_new)
	ossl_raise(eOCSPError, "d2i_OCSP_SINGLERESP");
    SetOCSPSingleRes(self, res_new);
    OCSP_SINGLERESP_free(res);

    return self;
}

Instance Method Details

#cert_statusInteger

Returns the status of the certificate identified by the certid. The return value may be one of these constant:

When the status is V_CERTSTATUS_REVOKED, the time at which the certificate was revoked can be retrieved by #revocation_time.

[ GitHub ]

  
# File 'ext/openssl/ossl_ocsp.c', line 1254

static VALUE
ossl_ocspsres_get_cert_status(VALUE self)
{
    OCSP_SINGLERESP *sres;
    int status;

    GetOCSPSingleRes(self, sres);
    status = OCSP_single_get0_status(sres, NULL, NULL, NULL, NULL);
    if (status < 0)
	ossl_raise(eOCSPError, "OCSP_single_get0_status");

    return INT2NUM(status);
}

#certidCertificateId

Returns the CertificateId for which this SingleResponse is.

[ GitHub ]

  
# File 'ext/openssl/ossl_ocsp.c', line 1228

static VALUE
ossl_ocspsres_get_certid(VALUE self)
{
    OCSP_SINGLERESP *sres;
    OCSP_CERTID *id;

    GetOCSPSingleRes(self, sres);
    id = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sres)); /* FIXME */

    return ossl_ocspcertid_new(id);
}

#check_validity(nsec = 0, maxsec = -1) ⇒ Boolean

Checks the validity of thisUpdate and nextUpdate fields of this SingleResponse. This checks the current time is within the range thisUpdate to nextUpdate.

It is possible that the ::OpenSSL::OCSP request takes a few seconds or the time is not accurate. To avoid rejecting a valid response, this method allows the times to be within nsec seconds of the current time.

Some responders don’t set the nextUpdate field. This may cause a very old response to be considered valid. The maxsec parameter can be used to limit the age of responses.

[ GitHub ]

  
# File 'ext/openssl/ossl_ocsp.c', line 1195

static VALUE
ossl_ocspsres_check_validity(int argc, VALUE *argv, VALUE self)
{
    OCSP_SINGLERESP *sres;
    ASN1_GENERALIZEDTIME *this_update, *next_update;
    VALUE nsec_v, maxsec_v;
    int nsec, maxsec, status, ret;

    rb_scan_args(argc, argv, "02", &nsec_v, &maxsec_v);
    nsec = NIL_P(nsec_v) ? 0 : NUM2INT(nsec_v);
    maxsec = NIL_P(maxsec_v) ? -1 : NUM2INT(maxsec_v);

    GetOCSPSingleRes(self, sres);
    status = OCSP_single_get0_status(sres, NULL, NULL, &this_update, &next_update);
    if (status < 0)
	ossl_raise(eOCSPError, "OCSP_single_get0_status");

    ret = OCSP_check_validity(this_update, next_update, nsec, maxsec);

    if (ret)
	return Qtrue;
    else {
	ossl_clear_error();
	return Qfalse;
    }
}

#extensionsArray of X509::Extension

[ GitHub ]

  
# File 'ext/openssl/ossl_ocsp.c', line 1357

static VALUE
ossl_ocspsres_get_extensions(VALUE self)
{
    OCSP_SINGLERESP *sres;
    X509_EXTENSION *ext;
    int count, i;
    VALUE ary;

    GetOCSPSingleRes(self, sres);

    count = OCSP_SINGLERESP_get_ext_count(sres);
    ary = rb_ary_new2(count);
    for (i = 0; i < count; i++) {
	ext = OCSP_SINGLERESP_get_ext(sres, i);
	rb_ary_push(ary, ossl_x509ext_new(ext)); /* will dup */
    }

    return ary;
}

#initialize_copy(other)

[ GitHub ]

  
# File 'ext/openssl/ossl_ocsp.c', line 1160

static VALUE
ossl_ocspsres_initialize_copy(VALUE self, VALUE other)
{
    OCSP_SINGLERESP *sres, *sres_old, *sres_new;

    rb_check_frozen(self);
    GetOCSPSingleRes(self, sres_old);
    GetOCSPSingleRes(other, sres);

    sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres);
    if (!sres_new)
	ossl_raise(eOCSPError, "ASN1_item_dup");

    SetOCSPSingleRes(self, sres_new);
    OCSP_SINGLERESP_free(sres_old);

    return self;
}

#next_updateTime | nil

[ GitHub ]

  
# File 'ext/openssl/ossl_ocsp.c', line 1293

static VALUE
ossl_ocspsres_get_next_update(VALUE self)
{
    OCSP_SINGLERESP *sres;
    int status;
    ASN1_GENERALIZEDTIME *time;

    GetOCSPSingleRes(self, sres);
    status = OCSP_single_get0_status(sres, NULL, NULL, NULL, &time);
    if (status < 0)
	ossl_raise(eOCSPError, "OCSP_single_get0_status");
    if (!time)
	return Qnil;

    return asn1time_to_time(time);
}

#revocation_reasonInteger | nil

[ GitHub ]

  
# File 'ext/openssl/ossl_ocsp.c', line 1337

static VALUE
ossl_ocspsres_get_revocation_reason(VALUE self)
{
    OCSP_SINGLERESP *sres;
    int status, reason;

    GetOCSPSingleRes(self, sres);
    status = OCSP_single_get0_status(sres, &reason, NULL, NULL, NULL);
    if (status < 0)
	ossl_raise(eOCSPError, "OCSP_single_get0_status");
    if (status != V_OCSP_CERTSTATUS_REVOKED)
	ossl_raise(eOCSPError, "certificate is not revoked");

    return INT2NUM(reason);
}

#revocation_timeTime | nil

[ GitHub ]

  
# File 'ext/openssl/ossl_ocsp.c', line 1314

static VALUE
ossl_ocspsres_get_revocation_time(VALUE self)
{
    OCSP_SINGLERESP *sres;
    int status;
    ASN1_GENERALIZEDTIME *time;

    GetOCSPSingleRes(self, sres);
    status = OCSP_single_get0_status(sres, NULL, &time, NULL, NULL);
    if (status < 0)
	ossl_raise(eOCSPError, "OCSP_single_get0_status");
    if (status != V_OCSP_CERTSTATUS_REVOKED)
	ossl_raise(eOCSPError, "certificate is not revoked");
    if (!time)
	return Qnil;

    return asn1time_to_time(time);
}

#this_updateTime

[ GitHub ]

  
# File 'ext/openssl/ossl_ocsp.c', line 1272

static VALUE
ossl_ocspsres_get_this_update(VALUE self)
{
    OCSP_SINGLERESP *sres;
    int status;
    ASN1_GENERALIZEDTIME *time;

    GetOCSPSingleRes(self, sres);
    status = OCSP_single_get0_status(sres, NULL, NULL, &time, NULL);
    if (status < 0)
	ossl_raise(eOCSPError, "OCSP_single_get0_status");
    if (!time)
	return Qnil;

    return asn1time_to_time(time);
}

#to_derString

Encodes this SingleResponse into a DER-encoded string.

[ GitHub ]

  
# File 'ext/openssl/ossl_ocsp.c', line 1383

static VALUE
ossl_ocspsres_to_der(VALUE self)
{
    OCSP_SINGLERESP *sres;
    VALUE str;
    long len;
    unsigned char *p;

    GetOCSPSingleRes(self, sres);
    if ((len = i2d_OCSP_SINGLERESP(sres, NULL)) <= 0)
	ossl_raise(eOCSPError, NULL);
    str = rb_str_new(0, len);
    p = (unsigned char *)RSTRING_PTR(str);
    if (i2d_OCSP_SINGLERESP(sres, &p) <= 0)
	ossl_raise(eOCSPError, NULL);
    ossl_str_adjust(str, p);

    return str;
}