ocsprf 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b574da141094b8dbcbdc3f6a5d50d7c9a378f17432e9391e857b83e5e522f320
+  data.tar.gz: e5b3ee60a8164a1788afc2c74120a7e256445d8eeb84df9c718a18f21fa047e6
+SHA512:
+  metadata.gz: e722fab4df04282da7f3a72aa6e19dccb5b32fcbb54fc42aaa1d7176aee31e6090fdbdfd9aaddf3169f5dc9e95b29cddeee73fdde5bc4ad93b7ebfedaa6ce8d8
+  data.tar.gz: 3a8e2c864d036f5b83ed0a4443947cf117bf673c007e7385911e6da0ed15b96f60d3e1ea6ed945ba46679ef6ad09874d80cb351bbb46907d3102b2c97ee3db09

data/.github/workflows/main.yml

@@ -0,0 +1,29 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.6.x', '2.7.x']
+    steps:
+      - name: Set up Ruby
+        uses: actions/setup-ruby@v1
+      - uses: actions/checkout@v1
+      - name: Install dependencies
+        run: |
+          gem --version
+          gem install bundler
+          bundle --version
+          bundle install
+      - name: Run test
+        run: |
+          bundle exec rake

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+Gemfile.lock
+.config
+.rvmrc
+/.bundle/
+/vendor/
+/lib/bundler/man/
+/pkg/
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+/coverage/
+/spec/reports/
+/tmp/
+*.rdb

data/.rubocop.yml

@@ -0,0 +1,24 @@
+AllCops:
+  TargetRubyVersion: 2.6
+
+Style/ConditionalAssignment:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/NumericLiterals:
+  Enabled: false
+
+Metrics/AbcSize:
+  Max: 30
+
+Metrics/MethodLength:
+  Max: 30
+
+Naming/MethodParameterName:
+  MinNameLength: 1
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/*.rb'

data/Gemfile

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gem 'openssl'
+gem 'rake'
+
+group :test do
+  gem 'pry'
+  gem 'pry-byebug'
+  gem 'rspec', '3.9.0'
+  gem 'rubocop', '0.78.0'
+end
+
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Tomoya Kuwayama
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,74 @@
+# ocsprf
+
+[![Gem Version](https://badge.fury.io/rb/ocsprf.svg)](https://badge.fury.io/rb/ocsprf)
+[![Actions Status](https://github.com/thekuwayama/ocsprf/workflows/CI/badge.svg)](https://github.com/thekuwayama/ocsprf/actions?workflow=CI)
+[![Maintainability](https://api.codeclimate.com/v1/badges/4d5bb71e2dca46f5a239/maintainability)](https://codeclimate.com/github/thekuwayama/ocsprf/maintainability)
+
+OCSP Response Fetch
+
+
+## Installation
+
+The gem is available at [rubygems.org](https://rubygems.org/gems/ocsprf). You can install it the following.
+
+```bash
+$ gem install ocsprf
+```
+
+
+## Usage
+
+```bash
+$ ocsprf --help
+Usage: ocsprf [options] PATH
+    -i, --issuer PATH                issuer certificate path
+    -s, --strict                     strict mode                   (default false)
+    -v, --verbose                    verbose mode                  (default false)
+```
+
+You can run it the following and print the DER-encoded OCSP Response that fetched.
+
+```bash
+$ ocsprf /path/to/subject/certificate
+$DER_BINARY
+```
+
+If you need to print OCSP Response text, you can run it the following.
+
+```bash
+$ ocsprf /path/to/subject/certificate --verbose > /dev/null
+OCSP Response Data:
+    OCSP Response Status: (0x0)
+    Responses:
+    Certificate ID:
+      Hash Algorithm: sha1
+      Issuer Name Hash: 0123456789ABCDEF0123456789ABCDEF01234567
+      Issuer Key Hash: 0123456789ABCDEF0123456789ABCDEF01234567
+      Serial Number: 0123456789ABCDEF0123456789ABCDEF01234567
+    Cert Status: good
+    This Update: 2020-01-01 12:00:00 UTC
+    Next Update: 2020-01-08 12:00:00 UTC
+```
+
+If you have the issuer certificate corresponding to the subject certificate, you can pass it using `--issuer` option.
+By default, `ocsprf` tries to get the issuer certificate using AIA extension.
+
+```bash
+$ ocsprf /path/to/subject/certificate --issuer /path/to/issuer/certificate --verbose > /dev/null
+OCSP Response Data:
+    OCSP Response Status: (0x0)
+    Responses:
+    Certificate ID:
+      Hash Algorithm: sha1
+      Issuer Name Hash: 0123456789ABCDEF0123456789ABCDEF01234567
+      Issuer Key Hash: 0123456789ABCDEF0123456789ABCDEF01234567
+      Serial Number: 0123456789ABCDEF0123456789ABCDEF01234567
+    Cert Status: good
+    This Update: 2020-01-01 12:00:00 UTC
+    Next Update: 2020-01-08 12:00:00 UTC
+```
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rubocop/rake_task'
+require 'rspec/core/rake_task'
+
+RuboCop::RakeTask.new
+RSpec::Core::RakeTask.new(:spec)
+
+task default: %i[rubocop spec]

data/exe/ocsprf

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$LOAD_PATH << __dir__ + '/../lib'
+
+require 'ocsp_response_fetch'
+
+OCSPResponseFetch::CLI.run

data/lib/ocsp_response_fetch/cli.rb

@@ -0,0 +1,158 @@
+# frozen_string_literal: true
+
+using OCSPResponseFetch::Refinements
+
+module OCSPResponseFetch
+  # rubocop: disable Metrics/ClassLength
+  class CLI
+    class << self
+      def run
+        subject, opts = parse_options
+        issuer = opts[:issuer]
+        subject_cert, issuer_cert = read_certs(subject, issuer)
+
+        fetcher = Fetcher.new(subject_cert, issuer_cert)
+        begin
+          ocsp_response = fetcher.run
+        rescue OCSPResponseFetch::Error::RevokedError
+          warn 'error: end entity certificate is revoked'
+          exit 1
+        rescue OCSPResponseFetch::Error::Error => e
+          warn e
+          exit 1 if opts[:strict]
+          exit 0
+        end
+
+        warn ocsp_response.to_text if opts[:verbose]
+        puts ocsp_response.to_der
+      end
+
+      private
+
+      # rubocop: disable Metrics/AbcSize
+      # rubocop: disable Metrics/MethodLength
+      def parse_options(argv = ARGV)
+        op = OptionParser.new
+
+        # default value
+        opts = {
+          issuer: nil,
+          strict: false,
+          verbose: false
+        }
+
+        op.on(
+          '-i PATH',
+          '--issuer PATH',
+          'issuer certificate path'
+        ) do |v|
+          opts[:issuer] = v
+        end
+
+        op.on(
+          '-s',
+          '--strict',
+          "strict mode                   (default #{opts[:strict]})"
+        ) do |v|
+          opts[:strict] = v
+        end
+
+        op.on(
+          '-v',
+          '--verbose',
+          "verbose mode                  (default #{opts[:verbose]})"
+        ) do |v|
+          opts[:verbose] = v
+        end
+
+        op.banner += ' PATH'
+        begin
+          args = op.parse(argv)
+        rescue OptionParser::InvalidOption => e
+          warn op.to_s
+          warn "error: #{e.message}"
+          exit 1
+        end
+
+        if args.size != 1
+          warn op.to_s
+          warn 'error: number of arguments is not 1'
+          exit 1
+        end
+
+        unless File.exist?(args.first)
+          warn "error: file #{args.first} is not found"
+          exit 1
+        end
+
+        if !opts[:issuer].nil? && !File.exist?(opts[:issuer])
+          warn "error: file #{opts[:issuer]} is not found"
+          exit 1
+        end
+
+        [args[0], opts]
+      end
+      # rubocop: enable Metrics/AbcSize
+      # rubocop: enable Metrics/MethodLength
+
+      # @param subject [String]
+      # @param issuer [String]
+      #
+      # @raise [OCSPResponseFetch::Error::Error]
+      #
+      # @return [Array of OpenSSL::X509::Certificate]
+      def read_certs(subject, issuer = nil)
+        subject_cert = OpenSSL::X509::Certificate.new(File.read(subject))
+        issuer_cert = nil
+        if issuer.nil? || issuer.empty?
+          ca_issuer = subject_cert.ca_issuer_uris
+                        &.find { |u| URI::DEFAULT_PARSER.make_regexp =~ u }
+          if ca_issuer.nil?
+            raise OCSPResponseFetch::Error::FetchFailedError,
+                  'The subject Certificate does not contain Issuer URL'
+          end
+
+          begin
+            issuer_cert = get_issuer_cert(ca_issuer)
+          rescue OpenSSL::X509::CertificateError, Net::OpenTimeout
+            raise OCSPResponseFetch::Error::FetchFailedEreror,
+                  'Failed to get the issuser Certificate'
+          end
+        else
+          begin
+            issuer_cert = OpenSSL::X509::Certificate.new(File.read(issuer))
+          rescue OpenSSL::X509::CertificateError
+            raise OCSPResponseFetch::Error::FetchFailedEreror,
+                  'Failed to get the issuser Certificate'
+          end
+        end
+
+        [subject_cert, issuer_cert]
+      end
+
+      # @param uri_string [String]
+      #
+      # @return [OpenSSL::X509::Certificate]
+      def get_issuer_cert(uri_string)
+        OpenSSL::X509::Certificate.new(
+          send_http_get(uri_string)
+        )
+      end
+
+      # @param uri_string [String]
+      #
+      # @return [String]
+      def send_http_get(uri_string)
+        uri = URI.parse(uri_string)
+        path = uri.path
+        path = '/' if path.nil? || path.empty?
+        http_response = Net::HTTP.start(uri.host, uri.port) do |http|
+          http.get(path)
+        end
+
+        http_response.body
+      end
+    end
+  end
+  # rubocop: enable Metrics/ClassLength
+end

data/lib/ocsp_response_fetch/error.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module OCSPResponseFetch
+  module Error
+    # Generic error
+    class Error < StandardError; end
+
+    class RevokedError < Error; end
+    class FetchFailedError < Error; end
+  end
+end

data/lib/ocsp_response_fetch/fetcher.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+using OCSPResponseFetch::Refinements
+
+module OCSPResponseFetch
+  class Fetcher
+    # @param subject_cert [OpenSSL::X509::Certificate]
+    # @param issuer_cert [OpenSSL::X509::Certificate]
+    #
+    # @raise [OCSPResponseFetch::Error::Error]
+    def initialize(subject_cert, issuer_cert)
+      @certs_chain = [subject_cert, issuer_cert]
+      @cid = OpenSSL::OCSP::CertificateId.new(subject_cert, issuer_cert)
+      @ocsp_uri = subject_cert.ocsp_uris
+                    &.find { |u| URI::DEFAULT_PARSER.make_regexp =~ u }
+      return unless @ocsp_uri.nil?
+
+      raise OCSPResponseFetch::Error::FetchFailedError,
+            'Certificate does not contain OCSP URL'
+    end
+
+    # @raise [OCSPResponseFetch::Error::Error]
+    #
+    # @return [OpenSSL::OCSP::Response]
+    def run
+      Fetcher.request_and_validate(@cid, @ocsp_uri, @certs_chain)
+    end
+
+    class << self
+      # @param cid [OpenSSL::OCSP::CertificateId]
+      # @param ocsp_uri [String]
+      # @param certs [Array of OpenSSL::X509::Certificate]
+      #
+      # @raise [OCSPResponseFetch::Error::Error]
+      #
+      # @return [OpenSSL::OCSP::Response]
+      # rubocop: disable Metrics/CyclomaticComplexity
+      # rubocop: disable Metrics/MethodLength
+      # rubocop: disable Metrics/PerceivedComplexity
+      def request_and_validate(cid, ocsp_uri, certs)
+        ocsp_request = gen_ocsp_request(cid)
+        ocsp_response = nil
+        begin
+          Timeout.timeout(2) do
+            ocsp_response = send_ocsp_request(ocsp_request, ocsp_uri)
+          end
+        rescue Timeout::Error
+          raise OCSPResponseFetch::Error::FetchFailedError,
+                'Timeout to access OCSP Responder'
+        end
+
+        if ocsp_response&.status != OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+          raise OCSPResponseFetch::Error::FetchFailedError,
+                'OCSPResponseStatus is not successful'
+        end
+
+        check_nonce = ocsp_request.check_nonce(ocsp_response.basic)
+        unless [-1, 1].include?(check_nonce)
+          raise OCSPResponseFetch::Error::FetchFailedError,
+                'OCSPResponse nonce is invalid'
+        end
+
+        store = OpenSSL::X509::Store.new
+        store.set_default_paths
+        unless ocsp_response.basic.verify(certs, store)
+          raise OCSPResponseFetch::Error::FetchFailedError,
+                'OCSPResponse signature is invalid'
+        end
+
+        status = ocsp_response.basic.find_response(cid)
+        if status.cert_status == OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
+          raise OCSPResponseFetch::Error::FetchFailedError,
+                'OCSPResponse CertStatus is unknown'
+        elsif status.cert_status == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+          raise OCSPResponseFetch::Error::RevokedError,
+                'OCSPResponse CertStatus is revoked'
+        end
+
+        ocsp_response
+      end
+      # rubocop: enable Metrics/CyclomaticComplexity
+      # rubocop: enable Metrics/MethodLength
+      # rubocop: enable Metrics/PerceivedComplexity
+
+      # @param cid [OpenSSL::OCSP::CertificateId]
+      #
+      # @return [OpenSSL::OCSP::Request]
+      def gen_ocsp_request(cid)
+        ocsp_request = OpenSSL::OCSP::Request.new
+        ocsp_request.add_certid(cid)
+        ocsp_request.add_nonce
+        ocsp_request
+      end
+
+      # @param ocsp_request [OpenSSL::OCSP::Request]
+      # @param uri_string [String]
+      #
+      # @return [OpenSSL::OCSP::Response]
+      def send_ocsp_request(ocsp_request, uri_string)
+        uri = URI.parse(uri_string)
+        path = uri.path
+        path = '/' if path.nil? || path.empty?
+        http_response = Net::HTTP.start(uri.host, uri.port) do |http|
+          http.post(
+            path,
+            ocsp_request.to_der,
+            'content-type' => 'application/ocsp-request'
+          )
+        end
+
+        OpenSSL::OCSP::Response.new(http_response.body)
+      end
+    end
+  end
+end

data/lib/ocsp_response_fetch/utils.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module OCSPResponseFetch
+  module Refinements
+    refine OpenSSL::X509::Certificate do
+      unless method_defined?(:ocsp_uris)
+        define_method(:ocsp_uris) do
+          aia = extensions.find { |ex| ex.oid == 'authorityInfoAccess' }
+          return nil if aia.nil?
+
+          ostr = OpenSSL::ASN1.decode(aia.to_der).value.last
+          ocsp = OpenSSL::ASN1.decode(ostr.value)
+                              .map(&:value)
+                              .select { |des| des.first.value == 'OCSP' }
+          ocsp&.map { |o| o[1].value }
+        end
+      end
+    end
+
+    refine OpenSSL::X509::Certificate do
+      unless method_defined?(:ca_issuer_uris)
+        define_method(:ca_issuer_uris) do
+          aia = extensions.find { |ex| ex.oid == 'authorityInfoAccess' }
+          return nil if aia.nil?
+
+          ostr = OpenSSL::ASN1.decode(aia.to_der).value.last
+          ocsp = OpenSSL::ASN1.decode(ostr.value)
+                              .map(&:value)
+                              .select { |des| des.first.value == 'caIssuers' }
+          ocsp&.map { |o| o[1].value }
+        end
+      end
+    end
+
+    refine OpenSSL::OCSP::Response do
+      # @return [String]
+      def to_text
+        cert_status = %w[good revoked unknown]
+
+        basic.responses.map do |res|
+          <<~"OCSP_RESPONSE"
+            OCSP Response Data:
+                OCSP Response Status: (#{format('0x%<status>x', status: status)})
+                Responses:
+                Certificate ID:
+                  Hash Algorithm: #{res.certid.hash_algorithm}
+                  Issuer Name Hash: #{res.certid.issuer_name_hash.upcase}
+                  Issuer Key Hash: #{res.certid.issuer_key_hash.upcase}
+                  Serial Number: #{res.certid.serial.to_s(16)}
+                Cert Status: #{cert_status[res.cert_status]}
+                This Update: #{res.this_update}
+                Next Update: #{res.next_update}
+          OCSP_RESPONSE
+        end.join
+      end
+    end
+  end
+end

data/lib/ocsp_response_fetch/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module OCSPResponseFetch
+  VERSION = '0.0.1'
+end

data/lib/ocsp_response_fetch.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'openssl'
+require 'optparse'
+require 'timeout'
+
+require 'ocsp_response_fetch/version'
+require 'ocsp_response_fetch/error'
+require 'ocsp_response_fetch/utils'
+require 'ocsp_response_fetch/fetcher'
+require 'ocsp_response_fetch/cli'

data/ocsprf.gemspec

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'ocsp_response_fetch/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'ocsprf'
+  spec.version       = OCSPResponseFetch::VERSION
+  spec.authors       = ['thekuwayama']
+  spec.email         = ['thekuwayama@gmail.com']
+  spec.summary       = 'OCSP Response Fetch'
+  spec.description   = spec.summary
+  spec.homepage      = 'https://github.com/thekuwayama/ocsprf'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = '>=2.6.0'
+
+  spec.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+  spec.bindir        = 'exe'
+  spec.executables   = ['ocsprf']
+
+  spec.add_development_dependency 'bundler'
+  spec.add_dependency             'openssl'
+end

data/spec/cli_spec.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require_relative 'spec_helper'
+
+RSpec.describe OCSPResponseFetch::CLI do
+  let(:subject) do
+    __dir__ + '/fixtures/rsa_rsassaPss.crt'
+  end
+
+  let(:issuer) do
+    __dir__ + '/fixtures/rsa_ca.crt'
+  end
+
+  context 'read_certs' do
+    it 'should return subject_cert and issuer_cert' do
+      expect(OCSPResponseFetch::CLI.send(:read_certs, subject, issuer))
+        .to eq [
+          OpenSSL::X509::Certificate.new(File.read(subject)),
+          OpenSSL::X509::Certificate.new(File.read(issuer))
+        ]
+    end
+  end
+
+  context 'read_certs (no issuer)' do
+    it 'should return subject_cert and issuer_cert' do
+      allow(OCSPResponseFetch::CLI).to receive(:send_http_get).and_return(
+        OpenSSL::X509::Certificate.new(File.read(issuer)).to_der
+      )
+
+      expect(OCSPResponseFetch::CLI.send(:read_certs, subject))
+        .to eq [
+          OpenSSL::X509::Certificate.new(File.read(subject)),
+          OpenSSL::X509::Certificate.new(File.read(issuer))
+        ]
+    end
+  end
+end

data/spec/fetcher_spec.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require_relative 'spec_helper'
+
+RSpec.describe OCSPResponseFetch::Fetcher do
+  let(:subject_cert) do
+    OpenSSL::X509::Certificate.new(
+      File.read(__dir__ + '/fixtures/rsa_rsassaPss.crt')
+    )
+  end
+
+  let(:issuer_cert) do
+    OpenSSL::X509::Certificate.new(
+      File.read(__dir__ + '/fixtures/rsa_ca.crt')
+    )
+  end
+
+  let(:cid) do
+    OpenSSL::OCSP::CertificateId.new(subject_cert, issuer_cert)
+  end
+
+  let(:nonce) do
+    'nonce'
+  end
+
+  let(:ocsp_request) do
+    ocsp_request = OpenSSL::OCSP::Request.new
+    ocsp_request.add_certid(cid)
+    ocsp_request.add_nonce(nonce)
+    ocsp_request
+  end
+
+  let(:ocsp_response) do
+    bres = OpenSSL::OCSP::BasicResponse.new
+    bres.add_status(
+      cid,
+      OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL,
+      OpenSSL::OCSP::V_CERTSTATUS_GOOD,
+      Time.now + (60 * 60 * 24 * 365 * 10),
+      Time.now,
+      Time.now + (60 * 60 * 24 * 7),
+      []
+    )
+    bres.add_nonce(nonce)
+    bres.sign(
+      issuer_cert,
+      OpenSSL::PKey.read(
+        File.read(__dir__ + '/fixtures/rsa_ca.key')
+      )
+    )
+
+    OpenSSL::OCSP::Response.create(
+      OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL,
+      bres
+    )
+  end
+
+  before do
+    ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] = __dir__ + '/fixtures/rsa_ca.crt'
+  end
+
+  context 'request_and_validate' do
+    it 'should return a valid OCSP Response' do
+      allow(OCSPResponseFetch::Fetcher).to receive(:new)
+      allow(OCSPResponseFetch::Fetcher).to receive(:gen_ocsp_request)
+        .and_return(ocsp_request)
+      allow(OCSPResponseFetch::Fetcher).to receive(:send_ocsp_request)
+        .and_return(ocsp_response)
+
+      expect(OCSPResponseFetch::Fetcher.request_and_validate(
+               cid,
+               'http://localhost/ocsp',
+               [subject_cert, issuer_cert]
+             )).to eq ocsp_response
+    end
+  end
+end

data/spec/fixtures/rsa_ca.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAe2gAwIBAgIUKd5CmRpCLwNfg6b0Ws4Ed7DLE7IwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHdGVzdC1jYTAeFw0yMDAxMTcxODQ5NDZaFw0zMDAxMTQx
+ODQ5NDZaMBIxEDAOBgNVBAMMB3Rlc3QtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDkLEwerUWX9qt43e74ZYYMoS5TJCtItdymFwJU6WeTVW+zfRP5
+KHlPQ0ZBhqhSMNGgw/KndqQKmQYOX0Bkbi6txe5ubWy5G1hgCLj54gGneLEMAYLN
+wjkUA0bF8WEHL6QjuUZR/6b05RVDwPRKDJjkhz+LfL2UeiX+ja3bOZlrV6bbzTZ5
+rdgr5plMt5OLuA5BdBpm+M6ND+PVjkniUYPXp1r9TkRBgYoveH1IXjxe4hYK4Z64
+NDLrORvq3U+RA/FM/GIXtOeTo/8YogGUF9LTDla8cjG9uR1T/shJDPybVhVWYp50
+/TsS2VTTo61L6OohADq/0AVGPwch/CSYiPinAgMBAAGjUzBRMB0GA1UdDgQWBBRn
+WhmG70QfJDGMSzyMD6pOuTpb/zAfBgNVHSMEGDAWgBRnWhmG70QfJDGMSzyMD6pO
+uTpb/zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDR/X6urm5R
+Ob18uXXStRaCTYqjcF0OfCknnuXF2gwDRgJ/vk4ODvmLy+ErqMicHVZezAIvXjQC
+1Tmws6At0TRtezGV8Hxfkry1QEKTq6x0tIMizFAFcCgNwfTukvorsqkUHCTzXwbS
+1pXz8zBJKMuONMyqzUR70MgVerKBCG8DTG4t7X5Jrla33zyfNgEKY3uK82IwFLoN
+PivqkBUsk4oqTrOklVu6rXOLIDX+Q4NXx5ouqt+o2q4rOGk5qWK1olgv5c49Mfj5
+z5fzjiLJbO0GBrOd8idqXs4W2IZGHJ+kM5qMxl/IBOL7tVv+ptTA3fSp1cGj1E37
+TDewsLQ/BeTA
+-----END CERTIFICATE-----

data/spec/fixtures/rsa_ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA5CxMHq1Fl/areN3u+GWGDKEuUyQrSLXcphcCVOlnk1Vvs30T
++Sh5T0NGQYaoUjDRoMPyp3akCpkGDl9AZG4urcXubm1suRtYYAi4+eIBp3ixDAGC
+zcI5FANGxfFhBy+kI7lGUf+m9OUVQ8D0SgyY5Ic/i3y9lHol/o2t2zmZa1em2802
+ea3YK+aZTLeTi7gOQXQaZvjOjQ/j1Y5J4lGD16da/U5EQYGKL3h9SF48XuIWCuGe
+uDQy6zkb6t1PkQPxTPxiF7Tnk6P/GKIBlBfS0w5WvHIxvbkdU/7ISQz8m1YVVmKe
+dP07EtlU06OtS+jqIQA6v9AFRj8HIfwkmIj4pwIDAQABAoIBAHcDxBCcQJirSXWa
+DXPzQKCF0iv7ybf7ZEQd7FFuDWCER+dPboOf4Oa/KH41RsbYP/+jNYa0E4yTlN0a
+QfQgpKhvfZaL7RIAeXBeHF36zPIVugORJjE9BZiyvM+yv/GHoA4iLdPHjcZfV2An
+3URinb1V7odLYXd43yiPrgeTW7ro2RWvkaSh4sUboD8hfbvdgIMRaaSNjua8Ojg6
+suxiGVeMq6hGnJbRN0v6QZhmCcAgRhOnGxqS+yhQQ4SB+zM+mhoGt1eSQ3KKdQpu
+awozclfTjsACrg2VMTg2qILM5PXMoGD87C9FAHVtWB7h/kyer7fAgJ0AG4CR9XT0
+WcDtMUECgYEA+Yg1FrrIThdd5BBzy0Abh/f1LGJmplcnPKptKiNwZ63cGbrdXcm2
+Qq9kWMm6BDCQ3h/ctDUPDFFBoTvj7mnTumltLguijFXG5m9Zced/NgZhAqrJLFA0
+YYL8gj/jtf2fv4ELwG+J7xBC2UDpSexaXE0ph3kIkj4+l4S4wp8dFdsCgYEA6hZc
+N8xo/R3zuptUpBGnN0KXdUCbmN8Dqm4iDxjjWACHtgyQYIarHwV9L1GXUo44P7yr
+TGT220S/X7ASPqpCoIHl8b0Jd4sqJSVkra9dBuCkpuY2yQkVTtuN3GbSWL+6155c
+dc32vmwMOfBabobw5T/bT4sSg58dzqQzCWLfcCUCgYEAqeESC4Rj485CrIaK3p+p
+XprvviTLr4j7/HAmW56+4sbZZmbyV+yAecvAbDYBvuJ1bdORRNougXs8TBFi7qf7
+bhhiLQvcwN+QxsadxU8OKvCS0OcGiHWeA5jSYbYvR3IAdLbdEkidRjTy3cc0S5Bu
+QBKEKGe87xsTL8I6qrz6ZysCgYBS5hJIbGpt4TKUTjf+VoYaSsnqazPvQmNA8vm6
+0PyKCL4G2ZIzrN1jAgWgQUvOn7EJ2V3skwDdDA6d63O6n38y6m2tW13D6RPGzeRG
+ogjWy61jsbmLHl1ebOBjQkKRzWx0uY9S5NrR+t+lkRnldIJRHXkkRUMMO8hJitrM
+IyivxQKBgQCJOuOG+VldtQUWDcwjSCp4WaXPSnnDGq9yiOdxl3n2fTNa3jB8thp6
+DN2h4UWo4WBcB67nuK/z+8Fj5vdT2yqT+1hX2vz/0p4zqmqWgIYHfTmIah/JXKf6
+EofzG6tRXmxJteDbHUOGrvvOBV8ZjO0626pxPY8gRyN4VmQcF8J4oA==
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/rsa_rsassaPss.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDljCCAk6gAwIBAgIJAMYRH8WIV/+pMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZI
+AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgMBIxEDAOBgNV
+BAMMB3Rlc3QtY2EwHhcNMjAwMTE3MTg0OTQ2WhcNMzAwMTE0MTg0OTQ2WjAUMRIw
+EAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC1vsbOx5jU4hZ9ppox2quxYOQVUg0YvLAsuhbb3EebuWtcPvYPzqKh7FkqNFtm
+doX1gTb0HPiyXvDbivxDkgUxrhbUte1jOMp81MAryyccdPAH2kATXuCYYH3+fIgg
+Y1P+6dP9R2ZM6zVCIr6g7oJF1OhASu45taW5IbMYM4BwdxXsz1jIFK7Z0sBB7rVo
+KenCLuFy4XFt1Tj3tn2ilMYvUeBckTwYuLIUKpR49gFNlcShw7uowIbvkvbAyjMd
+yqaSDGuAS677JiC0gInYFEe/PK//T/92fzoCa9eojxxtp3k4DWU2Fnq+hfETtjAS
+DhFWaRBTgdyzdgkid174B8IHAgMBAAGjgYwwgYkwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCAoQwFAYDVR0RBA0wC4IJbG9jYWxob3N0MFkGCCsGAQUFBwEBBE0wSzAhBggr
+BgEFBQcwAYYVaHR0cDovL2xvY2FsaG9zdC9vY3NwMCYGCCsGAQUFBzAChhpodHRw
+Oi8vbG9jYWxob3N0L2NhSXNzdWVyczA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFl
+AwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOCAQEApWVE9xV9
+M4LnQcrnoKeGIoc+8ux+5u9lmvugGlU+2PX9XBy5Y5KEWQ5q4QdKTFEXxzkkixfd
+K1goaR2zVTxAEy+Wz8iaouy4FaRYR7h62XrDgxuTCwB4QFmi1UCggjp4u67j4IMm
+yd7ajQFZW4aZZfGGxD4hrwOSX+f2jRLW14BvKuafoiBmUe4GJMdvds35HkDerS04
+fIz5TSD8oxRCJf5MKHQvBcFK0CN11I/taL2ZP+U7rpIFWC/lDLaEkDtvsmEx+/c5
+OsaDJ/N9++aMKfXzWXIQLkFVGTUic17PcpVa4VyAIqAqqqCNCDQdfd/4GbQUEzHN
+TMskxId96tZnMg==
+-----END CERTIFICATE-----

data/spec/fixtures/rsa_rsassaPss.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEAtb7GzseY1OIWfaaaMdqrsWDkFVINGLywLLoW29xHm7lrXD72
+D86ioexZKjRbZnaF9YE29Bz4sl7w24r8Q5IFMa4W1LXtYzjKfNTAK8snHHTwB9pA
+E17gmGB9/nyIIGNT/unT/UdmTOs1QiK+oO6CRdToQEruObWluSGzGDOAcHcV7M9Y
+yBSu2dLAQe61aCnpwi7hcuFxbdU497Z9opTGL1HgXJE8GLiyFCqUePYBTZXEocO7
+qMCG75L2wMozHcqmkgxrgEuu+yYgtICJ2BRHvzyv/0//dn86AmvXqI8cbad5OA1l
+NhZ6voXxE7YwEg4RVmkQU4Hcs3YJInde+AfCBwIDAQABAoIBAQC1LqkXP1gW8gUl
+4k7Z4HtFa6g1sQSpYoHnNOTQ7frdPa3P2lyHSaJL9ki1kFiF/yZwpw5XsgIkIA3R
+b+8olYtkCX9tMqijP9xtMdMaVX56GgGocmVqai1Q+vDgINm8IAl+mTDi0KkliV4g
+vm54FQ39+9BFN+3hzjqWIwhd2gnzErSQU53RVSCZkz6he+BkuA13Yup1f2zzOhjD
+Y6JkP69BvGJlwxbyEPsFPlX7CAV2yzXMZJ00wPZWUksRs9sD5FDfxtzn7BempIF5
+/jbvGCObX6SU49ygPmsn0eD5Pv+HhBi4WgUkpd+bks0ueqnOssS148v6l5KR3yhR
+/q79Co8RAoGBAO7s1AZh9alHRT7YSqn0m5GckKNpcozL+nQGyHq/rucHRqMzcxoH
+MH4zzNvZ/l7TyOZ1QegcLjX0AbARW0xa+OtTyuVjdao4DRN/fs+DVajL7PHp+Jks
+KaBsuo0QnFEv+WJG5VTDTgeTeroTOcYLr5cTT2jQ6cW4wQ7/FdCvGH4jAoGBAMK7
+1V5OkX322MyeQQ12jEJQ9A3nCd54Vvby5yu1OcHXfgmcS4cuKN2QCPqHmzMLDs+d
+aoGMgBeC73WcdwJw6cVyNsj0y2zUepwRO8877febwWfQvNLN2lTrRcj4iwqZKKVp
+H/yUb/0ccUjJPPmuXHVCfqtZO+cTdsjfWuAHtkDNAoGBAIxRSEArXdQ5yCAddNQV
+lRvSQFvIPP8VeJSVuz3jvzttWX3VZH7fxAoKMADaKPrWFIHMUZWYn0cOc8NMnjrc
+np3OSzWm0N7UJlHSKc6DSlZk1VZJ27dRaW0PDgx0uekwbJzcGClMvlHSulv3mJGI
+IWpva86aCwEU/UTqaIxzmMXTAoGBAJMCAALw508jwek+8zc5rosF2CiCqWWkjWpi
+V3gcmNyoVMLmlfIYO8t/x/dx1g1DpMvBN71TFwQo2aN9Gi7ilOh037z3aHbhNSqK
+rA83W9+YWvqHj3TI6LFA5+7fCwBWPWQaJ4ajfKOlDDR5jymiorP3He83L0yz2fGt
+BEqqJ8FlAoGBAJQpxTdpoYZqGFHR05Blo9xAINsylRS1cHtoxIeYI0citu0g4H7z
++G3Ks3fJqiS7nGXdB4uMCDcBINLzVed1MWJCGhoNb8fLNO3aYg0my7H2cYfBALj5
+MSR2pc8Q1Rl0Q2TdyYKPaqeyo6HoPGpNUqTGKLvbs5SFbyRRUJJQF/ai
+-----END RSA PRIVATE KEY-----

data/spec/spec_helper.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+RSpec.configure(&:disable_monkey_patching!)
+
+require 'ocsp_response_fetch'

data/spec/utils_spec.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require_relative 'spec_helper'
+using OCSPResponseFetch::Refinements
+
+RSpec.describe OCSPResponseFetch::Refinements do
+  context 'OpenSSL::X509::Certificate#ocsp_uris' do
+    let(:cert) do
+      OpenSSL::X509::Certificate.new(
+        File.read(__dir__ + '/fixtures/rsa_rsassaPss.crt')
+      )
+    end
+
+    it 'should return URL' do
+      expect(cert.ocsp_uris).to eq ['http://localhost/ocsp']
+    end
+  end
+
+  context 'OpenSSL::X509::Certificate#ca_issuer_uris' do
+    let(:cert) do
+      OpenSSL::X509::Certificate.new(
+        File.read(__dir__ + '/fixtures/rsa_rsassaPss.crt')
+      )
+    end
+
+    it 'should return URL' do
+      expect(cert.ca_issuer_uris).to eq ['http://localhost/caIssuers']
+    end
+  end
+
+  context 'OpenSSL::OCSP::Response#to_text' do
+    let(:subject_cert) do
+      OpenSSL::X509::Certificate.new(
+        File.read(__dir__ + '/fixtures/rsa_rsassaPss.crt')
+      )
+    end
+
+    let(:issuer_cert) do
+      OpenSSL::X509::Certificate.new(
+        File.read(__dir__ + '/fixtures/rsa_rsassaPss.crt')
+      )
+    end
+
+    let(:cid) do
+      OpenSSL::OCSP::CertificateId.new(subject_cert, issuer_cert)
+    end
+
+    let(:thisupd) do
+      Time.now
+    end
+
+    let(:nextupd) do
+      Time.now + (60 * 60 * 24 * 7)
+    end
+
+    let(:ocsp_response) do
+      bres = OpenSSL::OCSP::BasicResponse.new
+      bres.add_status(
+        cid,
+        OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL,
+        OpenSSL::OCSP::V_CERTSTATUS_GOOD,
+        Time.now + (60 * 60 * 24 * 365 * 10),
+        thisupd,
+        nextupd,
+        []
+      )
+      bres.add_nonce
+      bres.sign(
+        subject_cert,
+        OpenSSL::PKey.read(
+          File.read(__dir__ + '/fixtures/rsa_rsassaPss.key')
+        )
+      )
+
+      OpenSSL::OCSP::Response.create(
+        OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL,
+        bres
+      )
+    end
+
+    it 'should return text' do
+      expect(ocsp_response.to_text).to eq <<~"OCSP_RESPONSE"
+        OCSP Response Data:
+            OCSP Response Status: (0x0)
+            Responses:
+            Certificate ID:
+              Hash Algorithm: sha1
+              Issuer Name Hash: #{cid.issuer_name_hash.upcase}
+              Issuer Key Hash: #{cid.issuer_key_hash.upcase}
+              Serial Number: #{cid.serial.to_s(16)}
+            Cert Status: good
+            This Update: #{thisupd.utc}
+            Next Update: #{nextupd.utc}
+      OCSP_RESPONSE
+    end
+  end
+end

metadata

@@ -0,0 +1,103 @@
+--- !ruby/object:Gem::Specification
+name: ocsprf
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- thekuwayama
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-01-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: openssl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: OCSP Response Fetch
+email:
+- thekuwayama@gmail.com
+executables:
+- ocsprf
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/main.yml"
+- ".gitignore"
+- ".rubocop.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- exe/ocsprf
+- lib/ocsp_response_fetch.rb
+- lib/ocsp_response_fetch/cli.rb
+- lib/ocsp_response_fetch/error.rb
+- lib/ocsp_response_fetch/fetcher.rb
+- lib/ocsp_response_fetch/utils.rb
+- lib/ocsp_response_fetch/version.rb
+- ocsprf.gemspec
+- spec/cli_spec.rb
+- spec/fetcher_spec.rb
+- spec/fixtures/rsa_ca.crt
+- spec/fixtures/rsa_ca.key
+- spec/fixtures/rsa_rsassaPss.crt
+- spec/fixtures/rsa_rsassaPss.key
+- spec/spec_helper.rb
+- spec/utils_spec.rb
+homepage: https://github.com/thekuwayama/ocsprf
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: OCSP Response Fetch
+test_files:
+- spec/cli_spec.rb
+- spec/fetcher_spec.rb
+- spec/fixtures/rsa_ca.crt
+- spec/fixtures/rsa_ca.key
+- spec/fixtures/rsa_rsassaPss.crt
+- spec/fixtures/rsa_rsassaPss.key
+- spec/spec_helper.rb
+- spec/utils_spec.rb