class OpenSSL::OCSP::SingleResponse
An OpenSSL::OCSP::SingleResponse represents an OCSP SingleResponse structure, which contains the basic information of the status of the certificate.
Public Class Methods
static VALUE
ossl_ocspsres_initialize(VALUE self, VALUE arg)
{
OCSP_SINGLERESP *res, *res_new;
const unsigned char *p;
arg = ossl_to_der_if_possible(arg);
StringValue(arg);
GetOCSPSingleRes(self, res);
p = (unsigned char*)RSTRING_PTR(arg);
res_new = d2i_OCSP_SINGLERESP(NULL, &p, RSTRING_LEN(arg));
if (!res_new)
ossl_raise(eOCSPError, "d2i_OCSP_SINGLERESP");
SetOCSPSingleRes(self, res_new);
OCSP_SINGLERESP_free(res);
return self;
} Creates a new SingleResponse from der_string.
Public Instance Methods
static VALUE
ossl_ocspsres_get_cert_status(VALUE self)
{
OCSP_SINGLERESP *sres;
int status;
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, NULL, NULL, NULL, NULL);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
return INT2NUM(status);
} Returns the status of the certificate identified by the certid. The return value may be one of these constant:
-
V_CERTSTATUS_GOOD
-
V_CERTSTATUS_REVOKED
-
V_CERTSTATUS_UNKNOWN
When the status is V_CERTSTATUS_REVOKED, the time at which the certificate was revoked can be retrieved by revocation_time.
static VALUE
ossl_ocspsres_get_certid(VALUE self)
{
OCSP_SINGLERESP *sres;
OCSP_CERTID *id;
GetOCSPSingleRes(self, sres);
id = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sres)); /* FIXME */
return ossl_ocspcertid_new(id);
} Returns the CertificateId for which this SingleResponse is.
static VALUE
ossl_ocspsres_check_validity(int argc, VALUE *argv, VALUE self)
{
OCSP_SINGLERESP *sres;
ASN1_GENERALIZEDTIME *this_update, *next_update;
VALUE nsec_v, maxsec_v;
int nsec, maxsec, status, ret;
rb_scan_args(argc, argv, "02", &nsec_v, &maxsec_v);
nsec = NIL_P(nsec_v) ? 0 : NUM2INT(nsec_v);
maxsec = NIL_P(maxsec_v) ? -1 : NUM2INT(maxsec_v);
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, NULL, NULL, &this_update, &next_update);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
ret = OCSP_check_validity(this_update, next_update, nsec, maxsec);
if (ret)
return Qtrue;
else {
ossl_clear_error();
return Qfalse;
}
} Checks the validity of thisUpdate and nextUpdate fields of this SingleResponse. This checks the current time is within the range thisUpdate to nextUpdate.
It is possible that the OCSP request takes a few seconds or the time is not accurate. To avoid rejecting a valid response, this method allows the times to be within nsec of the current time.
Some responders don't set the nextUpdate field. This may cause a very old response to be considered valid. The maxsec parameter can be used to limit the age of responses.
static VALUE
ossl_ocspsres_get_extensions(VALUE self)
{
OCSP_SINGLERESP *sres;
X509_EXTENSION *ext;
int count, i;
VALUE ary;
GetOCSPSingleRes(self, sres);
count = OCSP_SINGLERESP_get_ext_count(sres);
ary = rb_ary_new2(count);
for (i = 0; i < count; i++) {
ext = OCSP_SINGLERESP_get_ext(sres, i);
rb_ary_push(ary, ossl_x509ext_new(ext)); /* will dup */
}
return ary;
} static VALUE
ossl_ocspsres_get_next_update(VALUE self)
{
OCSP_SINGLERESP *sres;
int status;
ASN1_GENERALIZEDTIME *time;
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, NULL, NULL, NULL, &time);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
return asn1time_to_time(time);
} static VALUE
ossl_ocspsres_get_revocation_reason(VALUE self)
{
OCSP_SINGLERESP *sres;
int status, reason;
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, &reason, NULL, NULL, NULL);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
if (status != V_OCSP_CERTSTATUS_REVOKED)
ossl_raise(eOCSPError, "certificate is not revoked");
return INT2NUM(reason);
} static VALUE
ossl_ocspsres_get_revocation_time(VALUE self)
{
OCSP_SINGLERESP *sres;
int status;
ASN1_GENERALIZEDTIME *time;
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, NULL, &time, NULL, NULL);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
if (status != V_OCSP_CERTSTATUS_REVOKED)
ossl_raise(eOCSPError, "certificate is not revoked");
return asn1time_to_time(time);
} static VALUE
ossl_ocspsres_get_this_update(VALUE self)
{
OCSP_SINGLERESP *sres;
int status;
ASN1_GENERALIZEDTIME *time;
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, NULL, NULL, &time, NULL);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
return asn1time_to_time(time); /* will handle NULL */
} static VALUE
ossl_ocspsres_to_der(VALUE self)
{
OCSP_SINGLERESP *sres;
VALUE str;
long len;
unsigned char *p;
GetOCSPSingleRes(self, sres);
if ((len = i2d_OCSP_SINGLERESP(sres, NULL)) <= 0)
ossl_raise(eOCSPError, NULL);
str = rb_str_new(0, len);
p = (unsigned char *)RSTRING_PTR(str);
if (i2d_OCSP_SINGLERESP(sres, &p) <= 0)
ossl_raise(eOCSPError, NULL);
ossl_str_adjust(str, p);
return str;
} Encodes this SingleResponse into a DER-encoded string.
Ruby Core © 1993–2017 Yukihiro Matsumoto
Licensed under the Ruby License.
Ruby Standard Library © contributors
Licensed under their own licenses.