An OpenSSL::OCSP::SingleResponse
represents an OCSP
SingleResponse
structure, which contains the basic information of the status of the certificate.
static VALUE
ossl_ocspsres_initialize(VALUE self, VALUE arg)
{
OCSP_SINGLERESP *res, *res_new;
const unsigned char *p;
arg = ossl_to_der_if_possible(arg);
StringValue(arg);
GetOCSPSingleRes(self, res);
p = (unsigned char*)RSTRING_PTR(arg);
res_new = d2i_OCSP_SINGLERESP(NULL, &p, RSTRING_LEN(arg));
if (!res_new)
ossl_raise(eOCSPError, "d2i_OCSP_SINGLERESP");
SetOCSPSingleRes(self, res_new);
OCSP_SINGLERESP_free(res);
return self;
}
Creates a new SingleResponse
from der_string
.
static VALUE
ossl_ocspsres_get_cert_status(VALUE self)
{
OCSP_SINGLERESP *sres;
int status;
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, NULL, NULL, NULL, NULL);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
return INT2NUM(status);
}
Returns the status of the certificate identified by the certid. The return value may be one of these constant:
-
V_CERTSTATUS_GOOD
-
V_CERTSTATUS_REVOKED
-
V_CERTSTATUS_UNKNOWN
When the status is V_CERTSTATUS_REVOKED, the time at which the certificate was revoked can be retrieved by revocation_time
.
static VALUE
ossl_ocspsres_get_certid(VALUE self)
{
OCSP_SINGLERESP *sres;
OCSP_CERTID *id;
GetOCSPSingleRes(self, sres);
id = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sres)); /* FIXME */
return ossl_ocspcertid_new(id);
}
Returns the CertificateId
for which this SingleResponse
is.
static VALUE
ossl_ocspsres_check_validity(int argc, VALUE *argv, VALUE self)
{
OCSP_SINGLERESP *sres;
ASN1_GENERALIZEDTIME *this_update, *next_update;
VALUE nsec_v, maxsec_v;
int nsec, maxsec, status, ret;
rb_scan_args(argc, argv, "02", &nsec_v, &maxsec_v);
nsec = NIL_P(nsec_v) ? 0 : NUM2INT(nsec_v);
maxsec = NIL_P(maxsec_v) ? -1 : NUM2INT(maxsec_v);
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, NULL, NULL, &this_update, &next_update);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
ret = OCSP_check_validity(this_update, next_update, nsec, maxsec);
if (ret)
return Qtrue;
else {
ossl_clear_error();
return Qfalse;
}
}
Checks the validity of thisUpdate and nextUpdate fields of this SingleResponse
. This checks the current time is within the range thisUpdate to nextUpdate.
It is possible that the OCSP
request takes a few seconds or the time is not accurate. To avoid rejecting a valid response, this method allows the times to be within nsec
of the current time.
Some responders don’t set the nextUpdate field. This may cause a very old response to be considered valid. The maxsec
parameter can be used to limit the age of responses.
static VALUE
ossl_ocspsres_get_extensions(VALUE self)
{
OCSP_SINGLERESP *sres;
X509_EXTENSION *ext;
int count, i;
VALUE ary;
GetOCSPSingleRes(self, sres);
count = OCSP_SINGLERESP_get_ext_count(sres);
ary = rb_ary_new2(count);
for (i = 0; i < count; i++) {
ext = OCSP_SINGLERESP_get_ext(sres, i);
rb_ary_push(ary, ossl_x509ext_new(ext)); /* will dup */
}
return ary;
}
static VALUE
ossl_ocspsres_get_next_update(VALUE self)
{
OCSP_SINGLERESP *sres;
int status;
ASN1_GENERALIZEDTIME *time;
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, NULL, NULL, NULL, &time);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
return asn1time_to_time(time);
}
static VALUE
ossl_ocspsres_get_revocation_reason(VALUE self)
{
OCSP_SINGLERESP *sres;
int status, reason;
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, &reason, NULL, NULL, NULL);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
if (status != V_OCSP_CERTSTATUS_REVOKED)
ossl_raise(eOCSPError, "certificate is not revoked");
return INT2NUM(reason);
}
static VALUE
ossl_ocspsres_get_revocation_time(VALUE self)
{
OCSP_SINGLERESP *sres;
int status;
ASN1_GENERALIZEDTIME *time;
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, NULL, &time, NULL, NULL);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
if (status != V_OCSP_CERTSTATUS_REVOKED)
ossl_raise(eOCSPError, "certificate is not revoked");
return asn1time_to_time(time);
}
static VALUE
ossl_ocspsres_get_this_update(VALUE self)
{
OCSP_SINGLERESP *sres;
int status;
ASN1_GENERALIZEDTIME *time;
GetOCSPSingleRes(self, sres);
status = OCSP_single_get0_status(sres, NULL, NULL, &time, NULL);
if (status < 0)
ossl_raise(eOCSPError, "OCSP_single_get0_status");
return asn1time_to_time(time); /* will handle NULL */
}
static VALUE
ossl_ocspsres_to_der(VALUE self)
{
OCSP_SINGLERESP *sres;
VALUE str;
long len;
unsigned char *p;
GetOCSPSingleRes(self, sres);
if ((len = i2d_OCSP_SINGLERESP(sres, NULL)) <= 0)
ossl_raise(eOCSPError, NULL);
str = rb_str_new(0, len);
p = (unsigned char *)RSTRING_PTR(str);
if (i2d_OCSP_SINGLERESP(sres, &p) <= 0)
ossl_raise(eOCSPError, NULL);
ossl_str_adjust(str, p);
return str;
}
Encodes this SingleResponse
into a DER-encoded string.