This Gem::StreamUI subclass records input and output to StringIO for retrieval during tests.
Raised by Timeout#timeout when the block times out.
Raised by Timeout#timeout when the block times out.
Base class for all URI exceptions.
Not a URI.
Not a URI component.
URI is valid, bad usage is not.
RefError is raised when a referenced object has been recycled by the garbage collector
An HTTP request. This is consumed by service and do_* methods in WEBrick servlets
An HTTP response. This is filled in by the service or do_* methods of a WEBrick HTTP Servlet.
Server error exception
Raised when a mathematical function is evaluated outside of its domain of definition.
For example, since cos returns values in the range -1..1, its inverse function acos is only defined on that interval:
Math.acos(42)
produces:
Math::DomainError: Numerical argument is out of domain - "acos"
Raised by Encoding and String methods when a transcoding operation fails.
Raised by Encoding and String methods when the string being transcoded contains a byte invalid for the either the source or target encoding.
Raised by transcoding methods when a named encoding does not correspond with a known converter.
Raised by Timeout#timeout when the block times out.
OpenSSL::OCSP implements Online Certificate Status Protocol requests and responses.
Creating and sending an OCSP request requires a subject certificate that contains an OCSP URL in an authorityInfoAccess extension and the issuer certificate for the subject certificate. First, load the issuer and subject certificates:
subject = OpenSSL::X509::Certificate.new subject_pem issuer = OpenSSL::X509::Certificate.new issuer_pem
To create the request we need to create a certificate ID for the subject certificate so the CA knows which certificate we are asking about:
digest = OpenSSL::Digest::SHA1.new certificate_id = OpenSSL::OCSP::CertificateId.new subject, issuer, digest
Then create a request and add the certificate ID to it:
request = OpenSSL::OCSP::Request.new request.add_certid certificate_id
Adding a nonce to the request protects against replay attacks but not all CA process the nonce.
request.add_nonce
To submit the request to the CA for verification we need to extract the OCSP URI from the subject certificate:
authority_info_access = subject.extensions.find do |extension| extension.oid == 'authorityInfoAccess' end descriptions = authority_info_access.value.split "\n" ocsp = descriptions.find do |description| description.start_with? 'OCSP' end require 'uri' ocsp_uri = URI ocsp[/URI:(.*)/, 1]
To submit the request we’ll POST the request to the OCSP URI (per RFC 2560). Note that we only handle HTTP requests and don’t handle any redirects in this example, so this is insufficient for serious use.
require 'net/http' http_response = Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http| http.post ocsp_uri.path, request.to_der, 'content-type' => 'application/ocsp-request' end response = OpenSSL::OCSP::Response.new http_response.body response_basic = response.basic
First we check if the response has a valid signature. Without a valid signature we cannot trust it. If you get a failure here you may be missing a system certificate store or may be missing the intermediate certificates.
store = OpenSSL::X509::Store.new store.set_default_paths unless response.verify [], store then raise 'response is not signed by a trusted certificate' end
The response contains the status information (success/fail). We can display the status as a string:
puts response.status_string #=> successful
Next we need to know the response details to determine if the response matches our request. First we check the nonce. Again, not all CAs support a nonce. See Request#check_nonce for the meanings of the return values.
p request.check_nonce basic_response #=> value from -1 to 3
Then extract the status information from the basic response. (You can check multiple certificates in a request, but for this example we only submitted one.)
response_certificate_id, status, reason, revocation_time, this_update, next_update, extensions = basic_response.status
Then check the various fields.
unless response_certificate_id == certificate_id then raise 'certificate id mismatch' end now = Time.now if this_update > now then raise 'update date is in the future' end if now > next_update then raise 'next update time has passed' end
Provides a single method deprecate to be used to declare when something is going away.
class Legacy def self.klass_method # ... end def instance_method # ... end extend Gem::Deprecate deprecate :instance_method, "X.z", 2011, 4 class << self extend Gem::Deprecate deprecate :klass_method, :none, 2011, 4 end end
Mixin methods for local and remote Gem::Command options.