class OpenSSL::OCSP::SingleResponse
An OpenSSL::OCSP::SingleResponse represents an OCSP SingleResponse structure, which contains the basic information of the status of the certificate.
Public Class Methods
Creates a new SingleResponse from der_string.
static VALUE ossl_ocspsres_initialize(VALUE self, VALUE arg) { OCSP_SINGLERESP *res, *res_new; const unsigned char *p; arg = ossl_to_der_if_possible(arg); StringValue(arg); GetOCSPSingleRes(self, res); p = (unsigned char*)RSTRING_PTR(arg); res_new = d2i_OCSP_SINGLERESP(NULL, &p, RSTRING_LEN(arg)); if (!res_new) ossl_raise(eOCSPError, "d2i_OCSP_SINGLERESP"); SetOCSPSingleRes(self, res_new); OCSP_SINGLERESP_free(res); return self; }
Public Instance Methods
Returns the status of the certificate identified by the certid. The return value may be one of these constant:
-
V_CERTSTATUS_GOOD
-
V_CERTSTATUS_REVOKED
-
V_CERTSTATUS_UNKNOWN
When the status is V_CERTSTATUS_REVOKED, the time at which the certificate was revoked can be retrieved by revocation_time.
static VALUE ossl_ocspsres_get_cert_status(VALUE self) { OCSP_SINGLERESP *sres; int status; GetOCSPSingleRes(self, sres); status = OCSP_single_get0_status(sres, NULL, NULL, NULL, NULL); if (status < 0) ossl_raise(eOCSPError, "OCSP_single_get0_status"); return INT2NUM(status); }
Returns the CertificateId for which this SingleResponse is.
static VALUE ossl_ocspsres_get_certid(VALUE self) { OCSP_SINGLERESP *sres; OCSP_CERTID *id; GetOCSPSingleRes(self, sres); id = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sres)); /* FIXME */ return ossl_ocspcertid_new(id); }
Checks the validity of thisUpdate and nextUpdate fields of this SingleResponse. This checks the current time is within the range thisUpdate to nextUpdate.
It is possible that the OCSP request takes a few seconds or the time is not accurate. To avoid rejecting a valid response, this method allows the times to be within nsec seconds of the current time.
Some responders don't set the nextUpdate field. This may cause a very old response to be considered valid. The maxsec parameter can be used to limit the age of responses.
static VALUE ossl_ocspsres_check_validity(int argc, VALUE *argv, VALUE self) { OCSP_SINGLERESP *sres; ASN1_GENERALIZEDTIME *this_update, *next_update; VALUE nsec_v, maxsec_v; int nsec, maxsec, status, ret; rb_scan_args(argc, argv, "02", &nsec_v, &maxsec_v); nsec = NIL_P(nsec_v) ? 0 : NUM2INT(nsec_v); maxsec = NIL_P(maxsec_v) ? -1 : NUM2INT(maxsec_v); GetOCSPSingleRes(self, sres); status = OCSP_single_get0_status(sres, NULL, NULL, &this_update, &next_update); if (status < 0) ossl_raise(eOCSPError, "OCSP_single_get0_status"); ret = OCSP_check_validity(this_update, next_update, nsec, maxsec); if (ret) return Qtrue; else { ossl_clear_error(); return Qfalse; } }
static VALUE ossl_ocspsres_get_extensions(VALUE self) { OCSP_SINGLERESP *sres; X509_EXTENSION *ext; int count, i; VALUE ary; GetOCSPSingleRes(self, sres); count = OCSP_SINGLERESP_get_ext_count(sres); ary = rb_ary_new2(count); for (i = 0; i < count; i++) { ext = OCSP_SINGLERESP_get_ext(sres, i); rb_ary_push(ary, ossl_x509ext_new(ext)); /* will dup */ } return ary; }
static VALUE ossl_ocspsres_initialize_copy(VALUE self, VALUE other) { OCSP_SINGLERESP *sres, *sres_old, *sres_new; rb_check_frozen(self); GetOCSPSingleRes(self, sres_old); GetOCSPSingleRes(other, sres); sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres); if (!sres_new) ossl_raise(eOCSPError, "ASN1_item_dup"); SetOCSPSingleRes(self, sres_new); OCSP_SINGLERESP_free(sres_old); return self; }
static VALUE ossl_ocspsres_get_next_update(VALUE self) { OCSP_SINGLERESP *sres; int status; ASN1_GENERALIZEDTIME *time; GetOCSPSingleRes(self, sres); status = OCSP_single_get0_status(sres, NULL, NULL, NULL, &time); if (status < 0) ossl_raise(eOCSPError, "OCSP_single_get0_status"); if (!time) return Qnil; return asn1time_to_time(time); }
static VALUE ossl_ocspsres_get_revocation_reason(VALUE self) { OCSP_SINGLERESP *sres; int status, reason; GetOCSPSingleRes(self, sres); status = OCSP_single_get0_status(sres, &reason, NULL, NULL, NULL); if (status < 0) ossl_raise(eOCSPError, "OCSP_single_get0_status"); if (status != V_OCSP_CERTSTATUS_REVOKED) ossl_raise(eOCSPError, "certificate is not revoked"); return INT2NUM(reason); }
static VALUE ossl_ocspsres_get_revocation_time(VALUE self) { OCSP_SINGLERESP *sres; int status; ASN1_GENERALIZEDTIME *time; GetOCSPSingleRes(self, sres); status = OCSP_single_get0_status(sres, NULL, &time, NULL, NULL); if (status < 0) ossl_raise(eOCSPError, "OCSP_single_get0_status"); if (status != V_OCSP_CERTSTATUS_REVOKED) ossl_raise(eOCSPError, "certificate is not revoked"); if (!time) return Qnil; return asn1time_to_time(time); }
static VALUE ossl_ocspsres_get_this_update(VALUE self) { OCSP_SINGLERESP *sres; int status; ASN1_GENERALIZEDTIME *time; GetOCSPSingleRes(self, sres); status = OCSP_single_get0_status(sres, NULL, NULL, &time, NULL); if (status < 0) ossl_raise(eOCSPError, "OCSP_single_get0_status"); if (!time) return Qnil; return asn1time_to_time(time); }
Encodes this SingleResponse into a DER-encoded string.
static VALUE ossl_ocspsres_to_der(VALUE self) { OCSP_SINGLERESP *sres; VALUE str; long len; unsigned char *p; GetOCSPSingleRes(self, sres); if ((len = i2d_OCSP_SINGLERESP(sres, NULL)) <= 0) ossl_raise(eOCSPError, NULL); str = rb_str_new(0, len); p = (unsigned char *)RSTRING_PTR(str); if (i2d_OCSP_SINGLERESP(sres, &p) <= 0) ossl_raise(eOCSPError, NULL); ossl_str_adjust(str, p); return str; }