class OpenSSL::OCSP::SingleResponse

Parent:
Object

An OpenSSL::OCSP::SingleResponse represents an OCSP SingleResponse structure, which contains the basic information about the status of a single certificate.

Public Class Methods

OpenSSL::OCSP::SingleResponse.new(der_string) → SingleResponse Show source
/*
 * call-seq:
 *   OpenSSL::OCSP::SingleResponse.new(der_string) -> SingleResponse
 *
 * Creates a new SingleResponse from der_string. Any object that can be
 * converted with #to_der is accepted; otherwise a String is required.
 * Raises OCSPError if the DER cannot be parsed.
 */
static VALUE
ossl_ocspsres_initialize(VALUE self, VALUE arg)
{
    OCSP_SINGLERESP *previous, *parsed;
    const unsigned char *der;

    /* Coerce via #to_der when possible, then insist on a String. */
    arg = ossl_to_der_if_possible(arg);
    StringValue(arg);
    GetOCSPSingleRes(self, previous);

    der = (const unsigned char *)RSTRING_PTR(arg);
    parsed = d2i_OCSP_SINGLERESP(NULL, &der, RSTRING_LEN(arg));
    if (parsed == NULL)
        ossl_raise(eOCSPError, "d2i_OCSP_SINGLERESP");

    /* Install the parsed structure first, then release the one it replaces. */
    SetOCSPSingleRes(self, parsed);
    OCSP_SINGLERESP_free(previous);

    return self;
}

Creates a new SingleResponse from der_string.

Public Instance Methods

cert_status → Integer Show source
/*
 * call-seq:
 *   single_response.cert_status -> Integer
 *
 * Returns the certificate status (one of the V_CERTSTATUS_* constants).
 * Raises OCSPError if OpenSSL reports a failure.
 */
static VALUE
ossl_ocspsres_get_cert_status(VALUE self)
{
    OCSP_SINGLERESP *sres;
    int cert_status;

    GetOCSPSingleRes(self, sres);
    /* Only the status itself is wanted; the reason and time outputs are skipped. */
    cert_status = OCSP_single_get0_status(sres, NULL, NULL, NULL, NULL);
    if (cert_status < 0)
        ossl_raise(eOCSPError, "OCSP_single_get0_status");

    return INT2NUM(cert_status);
}

Returns the status of the certificate identified by the certid. The return value is one of these constants:

  • V_CERTSTATUS_GOOD

  • V_CERTSTATUS_REVOKED

  • V_CERTSTATUS_UNKNOWN

When the status is V_CERTSTATUS_REVOKED, the time at which the certificate was revoked can be retrieved by revocation_time.

certid → CertificateId Show source
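/*
 * call-seq:
 *   single_response.certid -> CertificateId
 *
 * Returns the CertificateId that this SingleResponse is for.
 * Raises OCSPError if the identifier cannot be duplicated.
 */
static VALUE
ossl_ocspsres_get_certid(VALUE self)
{
    OCSP_SINGLERESP *sres;
    OCSP_CERTID *id;

    GetOCSPSingleRes(self, sres);
    /* The get0 accessor presumably hands back a pointer still owned by sres, so a
     * private copy is made for the Ruby object. FIXME: the cast discards the const
     * qualifier of the get0 return value. */
    id = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sres));
    /* OCSP_CERTID_dup() allocates and returns NULL on failure; do not hand a
     * NULL identifier to the wrapper. */
    if (!id)
        ossl_raise(eOCSPError, "OCSP_CERTID_dup");

    return ossl_ocspcertid_new(id);
}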

Returns the CertificateId that this SingleResponse is for.

check_validity(nsec = 0, maxsec = -1) → true | false Show source
/*
 * call-seq:
 *   single_response.check_validity(nsec = 0, maxsec = -1) -> true | false
 *
 * Checks the thisUpdate/nextUpdate window of this SingleResponse against the
 * current time, allowing nsec seconds of clock skew and rejecting responses
 * older than maxsec seconds (-1 disables the age limit).
 * Raises OCSPError if the status fields cannot be read.
 */
static VALUE
ossl_ocspsres_check_validity(int argc, VALUE *argv, VALUE self)
{
    OCSP_SINGLERESP *sres;
    ASN1_GENERALIZEDTIME *this_upd, *next_upd;
    VALUE nsec_arg, maxsec_arg;
    int nsec = 0, maxsec = -1;
    int status;

    rb_scan_args(argc, argv, "02", &nsec_arg, &maxsec_arg);
    if (!NIL_P(nsec_arg))
        nsec = NUM2INT(nsec_arg);
    if (!NIL_P(maxsec_arg))
        maxsec = NUM2INT(maxsec_arg);

    GetOCSPSingleRes(self, sres);
    status = OCSP_single_get0_status(sres, NULL, NULL, &this_upd, &next_upd);
    if (status < 0)
        ossl_raise(eOCSPError, "OCSP_single_get0_status");

    if (OCSP_check_validity(this_upd, next_upd, nsec, maxsec))
        return Qtrue;

    /* A failed check leaves diagnostics on the OpenSSL error queue; discard
     * them so they do not surface in a later, unrelated error. */
    ossl_clear_error();
    return Qfalse;
}

Checks the validity of the thisUpdate and nextUpdate fields of this SingleResponse. This checks that the current time is within the range thisUpdate to nextUpdate.

It is possible that the OCSP request takes a few seconds or that the clock is not accurate. To avoid rejecting a valid response, this method allows the times to be within nsec seconds of the current time.

Some responders don't set the nextUpdate field. This may cause a very old response to be considered valid. The maxsec parameter can be used to limit the age of responses.

extensions → Array of X509::Extension Show source
/*
 * call-seq:
 *   single_response.extensions -> Array of X509::Extension
 *
 * Returns the singleExtensions of this SingleResponse as an Array of
 * OpenSSL::X509::Extension objects, in the order they appear.
 */
static VALUE
ossl_ocspsres_get_extensions(VALUE self)
{
    OCSP_SINGLERESP *sres;
    int n_exts, idx;
    VALUE result;

    GetOCSPSingleRes(self, sres);

    n_exts = OCSP_SINGLERESP_get_ext_count(sres);
    result = rb_ary_new2(n_exts);
    for (idx = 0; idx < n_exts; idx++) {
        X509_EXTENSION *ext = OCSP_SINGLERESP_get_ext(sres, idx);
        /* ossl_x509ext_new() duplicates ext, so sres retains ownership. */
        rb_ary_push(result, ossl_x509ext_new(ext));
    }

    return result;
}
next_update → Time | nil Show source
/*
 * call-seq:
 *   single_response.next_update -> Time | nil
 *
 * Returns the nextUpdate field as a Time, or nil when the responder did not
 * set it. Raises OCSPError if the status fields cannot be read.
 */
static VALUE
ossl_ocspsres_get_next_update(VALUE self)
{
    OCSP_SINGLERESP *sres;
    ASN1_GENERALIZEDTIME *next_upd;
    int status;

    GetOCSPSingleRes(self, sres);
    /* Only the nextUpdate output is requested. */
    status = OCSP_single_get0_status(sres, NULL, NULL, NULL, &next_upd);
    if (status < 0)
        ossl_raise(eOCSPError, "OCSP_single_get0_status");

    /* asn1time_to_time() maps a NULL time to nil. */
    return asn1time_to_time(next_upd);
}
revocation_reason → Integer | nil Show source
/*
 * call-seq:
 *   single_response.revocation_reason -> Integer | nil
 *
 * Returns the revocation reason code. Raises OCSPError if the status cannot
 * be read or if the certificate status is not revoked.
 */
static VALUE
ossl_ocspsres_get_revocation_reason(VALUE self)
{
    OCSP_SINGLERESP *sres;
    int cert_status, reason_code;

    GetOCSPSingleRes(self, sres);
    cert_status = OCSP_single_get0_status(sres, &reason_code, NULL, NULL, NULL);
    if (cert_status < 0)
        ossl_raise(eOCSPError, "OCSP_single_get0_status");
    /* The reason is only meaningful for a revoked certificate. */
    if (cert_status != V_OCSP_CERTSTATUS_REVOKED)
        ossl_raise(eOCSPError, "certificate is not revoked");

    return INT2NUM(reason_code);
}
revocation_time → Time | nil Show source
/*
 * call-seq:
 *   single_response.revocation_time -> Time | nil
 *
 * Returns the time at which the certificate was revoked. Raises OCSPError if
 * the status cannot be read or if the certificate status is not revoked.
 */
static VALUE
ossl_ocspsres_get_revocation_time(VALUE self)
{
    OCSP_SINGLERESP *sres;
    ASN1_GENERALIZEDTIME *revoked_at;
    int cert_status;

    GetOCSPSingleRes(self, sres);
    cert_status = OCSP_single_get0_status(sres, NULL, &revoked_at, NULL, NULL);
    if (cert_status < 0)
        ossl_raise(eOCSPError, "OCSP_single_get0_status");
    /* A revocation time only exists for a revoked certificate. */
    if (cert_status != V_OCSP_CERTSTATUS_REVOKED)
        ossl_raise(eOCSPError, "certificate is not revoked");

    return asn1time_to_time(revoked_at);
}
this_update → Time Show source
/*
 * call-seq:
 *   single_response.this_update -> Time
 *
 * Returns the thisUpdate field as a Time. Raises OCSPError if the status
 * fields cannot be read.
 */
static VALUE
ossl_ocspsres_get_this_update(VALUE self)
{
    OCSP_SINGLERESP *sres;
    ASN1_GENERALIZEDTIME *this_upd;
    int status;

    GetOCSPSingleRes(self, sres);
    /* Only the thisUpdate output is requested. */
    status = OCSP_single_get0_status(sres, NULL, NULL, &this_upd, NULL);
    if (status < 0)
        ossl_raise(eOCSPError, "OCSP_single_get0_status");

    /* asn1time_to_time() handles a NULL pointer itself. */
    return asn1time_to_time(this_upd);
}
to_der → String Show source
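/*
 * call-seq:
 *   single_response.to_der -> String
 *
 * Encodes this SingleResponse into a DER-encoded string.
 * Raises OCSPError if either encoding pass fails; the failing OpenSSL call is
 * named in the message, matching the other accessors in this file.
 */
static VALUE
ossl_ocspsres_to_der(VALUE self)
{
    OCSP_SINGLERESP *sres;
    VALUE str;
    long len;
    unsigned char *p;

    GetOCSPSingleRes(self, sres);
    /* First pass with a NULL output pointer only computes the encoded length. */
    if ((len = i2d_OCSP_SINGLERESP(sres, NULL)) <= 0)
        ossl_raise(eOCSPError, "i2d_OCSP_SINGLERESP");
    str = rb_str_new(0, len);
    p = (unsigned char *)RSTRING_PTR(str);
    /* Second pass writes into the String; i2d advances p past the last byte. */
    if (i2d_OCSP_SINGLERESP(sres, &p) <= 0)
        ossl_raise(eOCSPError, "i2d_OCSP_SINGLERESP");
    /* Presumably trims the String to the bytes actually written (up to p). */
    ossl_str_adjust(str, p);

    return str;
}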

Encodes this SingleResponse into a DER-encoded string.

Ruby Core © 1993–2017 Yukihiro Matsumoto
Licensed under the Ruby License.
Ruby Standard Library © contributors
Licensed under their own licenses.