openssl 2.0.0.beta.1

data/ext/openssl/ossl_engine.h

@@ -0,0 +1,19 @@
+/*
+ * 'OpenSSL for Ruby' project
+ * Copyright (C) 2003  Michal Rokos <m.rokos@sh.cvut.cz>
+ * Copyright (C) 2003  GOTOU Yuuzou <gotoyuzo@notwork.org>
+ * All rights reserved.
+ */
+/*
+ * This program is licensed under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+#if !defined(OSSL_ENGINE_H)
+#define OSSL_ENGINE_H
+
+extern VALUE cEngine;
+extern VALUE eEngineError;
+
+void Init_ossl_engine(void);
+
+#endif /* OSSL_ENGINE_H */

data/ext/openssl/ossl_hmac.c

@@ -0,0 +1,398 @@
+/*
+ * 'OpenSSL for Ruby' project
+ * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
+ * All rights reserved.
+ */
+/*
+ * This program is licensed under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+#if !defined(OPENSSL_NO_HMAC)
+
+#include "ossl.h"
+
+#define NewHMAC(klass) \
+    TypedData_Wrap_Struct((klass), &ossl_hmac_type, 0)
+#define GetHMAC(obj, ctx) do { \
+    TypedData_Get_Struct((obj), HMAC_CTX, &ossl_hmac_type, (ctx)); \
+    if (!(ctx)) { \
+	ossl_raise(rb_eRuntimeError, "HMAC wasn't initialized"); \
+    } \
+} while (0)
+#define SafeGetHMAC(obj, ctx) do { \
+    OSSL_Check_Kind((obj), cHMAC); \
+    GetHMAC((obj), (ctx)); \
+} while (0)
+
+/*
+ * Classes
+ */
+VALUE cHMAC;
+VALUE eHMACError;
+
+/*
+ * Public
+ */
+
+/*
+ * Private
+ */
+static void
+ossl_hmac_free(void *ctx)
+{
+    HMAC_CTX_free(ctx);
+}
+
+static const rb_data_type_t ossl_hmac_type = {
+    "OpenSSL/HMAC",
+    {
+	0, ossl_hmac_free,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
+static VALUE
+ossl_hmac_alloc(VALUE klass)
+{
+    VALUE obj;
+    HMAC_CTX *ctx;
+
+    obj = NewHMAC(klass);
+    ctx = HMAC_CTX_new();
+    if (!ctx)
+	ossl_raise(eHMACError, NULL);
+    RTYPEDDATA_DATA(obj) = ctx;
+
+    return obj;
+}
+
+
+/*
+ *  call-seq:
+ *     HMAC.new(key, digest) -> hmac
+ *
+ * Returns an instance of OpenSSL::HMAC set with the key and digest
+ * algorithm to be used. The instance represents the initial state of
+ * the message authentication code before any data has been processed.
+ * To process data with it, use the instance method #update with your
+ * data as an argument.
+ *
+ * === Example
+ *
+ *	key = 'key'
+ * 	digest = OpenSSL::Digest.new('sha1')
+ * 	instance = OpenSSL::HMAC.new(key, digest)
+ * 	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f
+ * 	instance.class
+ * 	#=> OpenSSL::HMAC
+ *
+ * === A note about comparisons
+ *
+ * Two instances won't be equal when they're compared, even if they have the
+ * same value. Use #to_s or #hexdigest to return the authentication code that
+ * the instance represents. For example:
+ *
+ *	other_instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
+ *  	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f
+ *  	instance
+ *  	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f
+ *  	instance == other_instance
+ *  	#=> false
+ *  	instance.to_s == other_instance.to_s
+ *  	#=> true
+ *
+ */
+static VALUE
+ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
+{
+    HMAC_CTX *ctx;
+
+    StringValue(key);
+    GetHMAC(self, ctx);
+    HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key),
+		 GetDigestPtr(digest), NULL);
+
+    return self;
+}
+
+static VALUE
+ossl_hmac_copy(VALUE self, VALUE other)
+{
+    HMAC_CTX *ctx1, *ctx2;
+
+    rb_check_frozen(self);
+    if (self == other) return self;
+
+    GetHMAC(self, ctx1);
+    SafeGetHMAC(other, ctx2);
+
+    if (!HMAC_CTX_copy(ctx1, ctx2))
+	ossl_raise(eHMACError, "HMAC_CTX_copy");
+    return self;
+}
+
+/*
+ *  call-seq:
+ *     hmac.update(string) -> self
+ *
+ * Returns +self+ updated with the message to be authenticated.
+ * Can be called repeatedly with chunks of the message.
+ *
+ * === Example
+ *
+ *	first_chunk = 'The quick brown fox jumps '
+ * 	second_chunk = 'over the lazy dog'
+ *
+ * 	instance.update(first_chunk)
+ * 	#=> 5b9a8038a65d571076d97fe783989e52278a492a
+ * 	instance.update(second_chunk)
+ * 	#=> de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
+ *
+ */
+static VALUE
+ossl_hmac_update(VALUE self, VALUE data)
+{
+    HMAC_CTX *ctx;
+
+    StringValue(data);
+    GetHMAC(self, ctx);
+    HMAC_Update(ctx, (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data));
+
+    return self;
+}
+
+static void
+hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
+{
+    HMAC_CTX *final;
+
+    final = HMAC_CTX_new();
+    if (!final)
+	ossl_raise(eHMACError, "HMAC_CTX_new");
+
+    if (!HMAC_CTX_copy(final, ctx)) {
+	HMAC_CTX_free(final);
+	ossl_raise(eHMACError, "HMAC_CTX_copy");
+    }
+
+    HMAC_Final(final, buf, buf_len);
+    HMAC_CTX_free(final);
+}
+
+/*
+ *  call-seq:
+ *     hmac.digest -> string
+ *
+ * Returns the authentication code an instance represents as a binary string.
+ *
+ * === Example
+ *  instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
+ *  #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
+ *  instance.digest
+ *  #=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"
+ */
+static VALUE
+ossl_hmac_digest(VALUE self)
+{
+    HMAC_CTX *ctx;
+    unsigned int buf_len;
+    VALUE ret;
+
+    GetHMAC(self, ctx);
+    ret = rb_str_new(NULL, EVP_MAX_MD_SIZE);
+    hmac_final(ctx, (unsigned char *)RSTRING_PTR(ret), &buf_len);
+    assert(buf_len <= EVP_MAX_MD_SIZE);
+    rb_str_set_len(ret, buf_len);
+
+    return ret;
+}
+
+/*
+ *  call-seq:
+ *     hmac.hexdigest -> string
+ *
+ * Returns the authentication code an instance represents as a hex-encoded
+ * string.
+ */
+static VALUE
+ossl_hmac_hexdigest(VALUE self)
+{
+    HMAC_CTX *ctx;
+    unsigned char buf[EVP_MAX_MD_SIZE];
+    unsigned int buf_len;
+    VALUE ret;
+
+    GetHMAC(self, ctx);
+    hmac_final(ctx, buf, &buf_len);
+    ret = rb_str_new(NULL, buf_len * 2);
+    ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
+
+    return ret;
+}
+
+/*
+ *  call-seq:
+ *     hmac.reset -> self
+ *
+ * Returns +self+ as it was when it was first initialized, with all processed
+ * data cleared from it.
+ *
+ * === Example
+ *
+ *	data = "The quick brown fox jumps over the lazy dog"
+ * 	instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
+ * 	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f
+ *
+ * 	instance.update(data)
+ * 	#=> de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
+ * 	instance.reset
+ * 	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f
+ *
+ */
+static VALUE
+ossl_hmac_reset(VALUE self)
+{
+    HMAC_CTX *ctx;
+
+    GetHMAC(self, ctx);
+    HMAC_Init_ex(ctx, NULL, 0, NULL, NULL);
+
+    return self;
+}
+
+/*
+ *  call-seq:
+ *     HMAC.digest(digest, key, data) -> aString
+ *
+ * Returns the authentication code as a binary string. The +digest+ parameter
+ * must be an instance of OpenSSL::Digest.
+ *
+ * === Example
+ *
+ *	key = 'key'
+ * 	data = 'The quick brown fox jumps over the lazy dog'
+ * 	digest = OpenSSL::Digest.new('sha1')
+ *
+ * 	hmac = OpenSSL::HMAC.digest(digest, key, data)
+ * 	#=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"
+ *
+ */
+static VALUE
+ossl_hmac_s_digest(VALUE klass, VALUE digest, VALUE key, VALUE data)
+{
+    unsigned char *buf;
+    unsigned int buf_len;
+
+    StringValue(key);
+    StringValue(data);
+    buf = HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LENINT(key),
+	       (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data), NULL, &buf_len);
+
+    return rb_str_new((const char *)buf, buf_len);
+}
+
+/*
+ *  call-seq:
+ *     HMAC.hexdigest(digest, key, data) -> aString
+ *
+ * Returns the authentication code as a hex-encoded string. The +digest+
+ * parameter must be an instance of OpenSSL::Digest.
+ *
+ * === Example
+ *
+ *	key = 'key'
+ * 	data = 'The quick brown fox jumps over the lazy dog'
+ * 	digest = OpenSSL::Digest.new('sha1')
+ *
+ * 	hmac = OpenSSL::HMAC.hexdigest(digest, key, data)
+ * 	#=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
+ *
+ */
+static VALUE
+ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data)
+{
+    unsigned char buf[EVP_MAX_MD_SIZE];
+    unsigned int buf_len;
+    VALUE ret;
+
+    StringValue(key);
+    StringValue(data);
+
+    if (!HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LENINT(key),
+	      (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data),
+	      buf, &buf_len))
+	ossl_raise(eHMACError, "HMAC");
+
+    ret = rb_str_new(NULL, buf_len * 2);
+    ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
+
+    return ret;
+}
+
+/*
+ * INIT
+ */
+void
+Init_ossl_hmac(void)
+{
+#if 0
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
+
+    /*
+     * Document-class: OpenSSL::HMAC
+     *
+     * OpenSSL::HMAC allows computing Hash-based Message Authentication Code
+     * (HMAC). It is a type of message authentication code (MAC) involving a
+     * hash function in combination with a key. HMAC can be used to verify the
+     * integrity of a message as well as the authenticity.
+     *
+     * OpenSSL::HMAC has a similar interface to OpenSSL::Digest.
+     *
+     * === HMAC-SHA256 using one-shot interface
+     *
+     *   key = "key"
+     *   data = "message-to-be-authenticated"
+     *   mac = OpenSSL::HMAC.hexdigest("SHA256", key, data)
+     *   #=> "cddb0db23f469c8bf072b21fd837149bd6ace9ab771cceef14c9e517cc93282e"
+     *
+     * === HMAC-SHA256 using incremental interface
+     *
+     *   data1 = File.read("file1")
+     *   data2 = File.read("file2")
+     *   key = "key"
+     *   digest = OpenSSL::Digest::SHA256.new
+     *   hmac = OpenSSL::HMAC.new(key, digest)
+     *   hmac << data1
+     *   hmac << data2
+     *   mac = hmac.digest
+     */
+    eHMACError = rb_define_class_under(mOSSL, "HMACError", eOSSLError);
+
+    cHMAC = rb_define_class_under(mOSSL, "HMAC", rb_cObject);
+
+    rb_define_alloc_func(cHMAC, ossl_hmac_alloc);
+    rb_define_singleton_method(cHMAC, "digest", ossl_hmac_s_digest, 3);
+    rb_define_singleton_method(cHMAC, "hexdigest", ossl_hmac_s_hexdigest, 3);
+
+    rb_define_method(cHMAC, "initialize", ossl_hmac_initialize, 2);
+    rb_define_copy_func(cHMAC, ossl_hmac_copy);
+
+    rb_define_method(cHMAC, "reset", ossl_hmac_reset, 0);
+    rb_define_method(cHMAC, "update", ossl_hmac_update, 1);
+    rb_define_alias(cHMAC, "<<", "update");
+    rb_define_method(cHMAC, "digest", ossl_hmac_digest, 0);
+    rb_define_method(cHMAC, "hexdigest", ossl_hmac_hexdigest, 0);
+    rb_define_alias(cHMAC, "inspect", "hexdigest");
+    rb_define_alias(cHMAC, "to_s", "hexdigest");
+}
+
+#else /* NO_HMAC */
+#  warning >>> OpenSSL is compiled without HMAC support <<<
+void
+Init_ossl_hmac(void)
+{
+    rb_warning("HMAC is not available: OpenSSL is compiled without HMAC.");
+}
+#endif /* NO_HMAC */

data/ext/openssl/ossl_hmac.h

@@ -0,0 +1,18 @@
+/*
+ * 'OpenSSL for Ruby' project
+ * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
+ * All rights reserved.
+ */
+/*
+ * This program is licensed under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+#if !defined(_OSSL_HMAC_H_)
+#define _OSSL_HMAC_H_
+
+extern VALUE cHMAC;
+extern VALUE eHMACError;
+
+void Init_ossl_hmac(void);
+
+#endif /* _OSSL_HMAC_H_ */

data/ext/openssl/ossl_ns_spki.c

@@ -0,0 +1,406 @@
+/*
+ * 'OpenSSL for Ruby' project
+ * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
+ * All rights reserved.
+ */
+/*
+ * This program is licensed under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+#include "ossl.h"
+
+#define NewSPKI(klass) \
+    TypedData_Wrap_Struct((klass), &ossl_netscape_spki_type, 0)
+#define SetSPKI(obj, spki) do { \
+    if (!(spki)) { \
+	ossl_raise(rb_eRuntimeError, "SPKI wasn't initialized!"); \
+    } \
+    RTYPEDDATA_DATA(obj) = (spki); \
+} while (0)
+#define GetSPKI(obj, spki) do { \
+    TypedData_Get_Struct((obj), NETSCAPE_SPKI, &ossl_netscape_spki_type, (spki)); \
+    if (!(spki)) { \
+	ossl_raise(rb_eRuntimeError, "SPKI wasn't initialized!"); \
+    } \
+} while (0)
+
+/*
+ * Classes
+ */
+VALUE mNetscape;
+VALUE cSPKI;
+VALUE eSPKIError;
+
+/*
+ * Public functions
+ */
+
+/*
+ * Private functions
+ */
+
+static void
+ossl_netscape_spki_free(void *spki)
+{
+    NETSCAPE_SPKI_free(spki);
+}
+
+static const rb_data_type_t ossl_netscape_spki_type = {
+    "OpenSSL/NETSCAPE_SPKI",
+    {
+	0, ossl_netscape_spki_free,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
+static VALUE
+ossl_spki_alloc(VALUE klass)
+{
+    NETSCAPE_SPKI *spki;
+    VALUE obj;
+
+    obj = NewSPKI(klass);
+    if (!(spki = NETSCAPE_SPKI_new())) {
+	ossl_raise(eSPKIError, NULL);
+    }
+    SetSPKI(obj, spki);
+
+    return obj;
+}
+
+/*
+ * call-seq:
+ *    SPKI.new([request]) => spki
+ *
+ * === Parameters
+ * * +request+ - optional raw request, either in PEM or DER format.
+ */
+static VALUE
+ossl_spki_initialize(int argc, VALUE *argv, VALUE self)
+{
+    NETSCAPE_SPKI *spki;
+    VALUE buffer;
+    const unsigned char *p;
+
+    if (rb_scan_args(argc, argv, "01", &buffer) == 0) {
+	return self;
+    }
+    StringValue(buffer);
+    if (!(spki = NETSCAPE_SPKI_b64_decode(RSTRING_PTR(buffer), RSTRING_LENINT(buffer)))) {
+	ossl_clear_error();
+	p = (unsigned char *)RSTRING_PTR(buffer);
+	if (!(spki = d2i_NETSCAPE_SPKI(NULL, &p, RSTRING_LEN(buffer)))) {
+	    ossl_raise(eSPKIError, NULL);
+	}
+    }
+    NETSCAPE_SPKI_free(DATA_PTR(self));
+    SetSPKI(self, spki);
+
+    return self;
+}
+
+/*
+ * call-seq:
+ *    spki.to_der => DER-encoded string
+ *
+ * Returns the DER encoding of this SPKI.
+ */
+static VALUE
+ossl_spki_to_der(VALUE self)
+{
+    NETSCAPE_SPKI *spki;
+    VALUE str;
+    long len;
+    unsigned char *p;
+
+    GetSPKI(self, spki);
+    if ((len = i2d_NETSCAPE_SPKI(spki, NULL)) <= 0)
+        ossl_raise(eX509CertError, NULL);
+    str = rb_str_new(0, len);
+    p = (unsigned char *)RSTRING_PTR(str);
+    if (i2d_NETSCAPE_SPKI(spki, &p) <= 0)
+        ossl_raise(eX509CertError, NULL);
+    ossl_str_adjust(str, p);
+
+    return str;
+}
+
+/*
+ * call-seq:
+ *    spki.to_pem => PEM-encoded string
+ *
+ * Returns the PEM encoding of this SPKI.
+ */
+static VALUE
+ossl_spki_to_pem(VALUE self)
+{
+    NETSCAPE_SPKI *spki;
+    char *data;
+    VALUE str;
+
+    GetSPKI(self, spki);
+    if (!(data = NETSCAPE_SPKI_b64_encode(spki))) {
+	ossl_raise(eSPKIError, NULL);
+    }
+    str = ossl_buf2str(data, rb_long2int(strlen(data)));
+
+    return str;
+}
+
+/*
+ * call-seq:
+ *    spki.to_text => string
+ *
+ * Returns a textual representation of this SPKI, useful for debugging
+ * purposes.
+ */
+static VALUE
+ossl_spki_print(VALUE self)
+{
+    NETSCAPE_SPKI *spki;
+    BIO *out;
+    BUF_MEM *buf;
+    VALUE str;
+
+    GetSPKI(self, spki);
+    if (!(out = BIO_new(BIO_s_mem()))) {
+	ossl_raise(eSPKIError, NULL);
+    }
+    if (!NETSCAPE_SPKI_print(out, spki)) {
+	BIO_free(out);
+	ossl_raise(eSPKIError, NULL);
+    }
+    BIO_get_mem_ptr(out, &buf);
+    str = rb_str_new(buf->data, buf->length);
+    BIO_free(out);
+
+    return str;
+}
+
+/*
+ * call-seq:
+ *    spki.public_key => pkey
+ *
+ * Returns the public key associated with the SPKI, an instance of
+ * OpenSSL::PKey.
+ */
+static VALUE
+ossl_spki_get_public_key(VALUE self)
+{
+    NETSCAPE_SPKI *spki;
+    EVP_PKEY *pkey;
+
+    GetSPKI(self, spki);
+    if (!(pkey = NETSCAPE_SPKI_get_pubkey(spki))) { /* adds an reference */
+	ossl_raise(eSPKIError, NULL);
+    }
+
+    return ossl_pkey_new(pkey); /* NO DUP - OK */
+}
+
+/*
+ * call-seq:
+ *    spki.public_key = pub => pkey
+ *
+ * === Parameters
+ * * +pub+ - the public key to be set for this instance
+ *
+ * Sets the public key to be associated with the SPKI, an instance of
+ * OpenSSL::PKey. This should be the public key corresponding to the
+ * private key used for signing the SPKI.
+ */
+static VALUE
+ossl_spki_set_public_key(VALUE self, VALUE key)
+{
+    NETSCAPE_SPKI *spki;
+
+    GetSPKI(self, spki);
+    if (!NETSCAPE_SPKI_set_pubkey(spki, GetPKeyPtr(key))) { /* NO NEED TO DUP */
+	ossl_raise(eSPKIError, NULL);
+    }
+
+    return key;
+}
+
+/*
+ * call-seq:
+ *    spki.challenge => string
+ *
+ * Returns the challenge string associated with this SPKI.
+ */
+static VALUE
+ossl_spki_get_challenge(VALUE self)
+{
+    NETSCAPE_SPKI *spki;
+
+    GetSPKI(self, spki);
+    if (spki->spkac->challenge->length <= 0) {
+	OSSL_Debug("Challenge.length <= 0?");
+	return rb_str_new(0, 0);
+    }
+
+    return rb_str_new((const char *)spki->spkac->challenge->data,
+		      spki->spkac->challenge->length);
+}
+
+/*
+ * call-seq:
+ *    spki.challenge = str => string
+ *
+ * === Parameters
+ * * +str+ - the challenge string to be set for this instance
+ *
+ * Sets the challenge to be associated with the SPKI. May be used by the
+ * server, e.g. to prevent replay.
+ */
+static VALUE
+ossl_spki_set_challenge(VALUE self, VALUE str)
+{
+    NETSCAPE_SPKI *spki;
+
+    StringValue(str);
+    GetSPKI(self, spki);
+    if (!ASN1_STRING_set(spki->spkac->challenge, RSTRING_PTR(str),
+			 RSTRING_LENINT(str))) {
+	ossl_raise(eSPKIError, NULL);
+    }
+
+    return str;
+}
+
+/*
+ * call-seq:
+ *    spki.sign(key, digest) => spki
+ *
+ * === Parameters
+ * * +key+ - the private key to be used for signing this instance
+ * * +digest+ - the digest to be used for signing this instance
+ *
+ * To sign an SPKI, the private key corresponding to the public key set
+ * for this instance should be used, in addition to a digest algorithm in
+ * the form of an OpenSSL::Digest. The private key should be an instance of
+ * OpenSSL::PKey.
+ */
+static VALUE
+ossl_spki_sign(VALUE self, VALUE key, VALUE digest)
+{
+    NETSCAPE_SPKI *spki;
+    EVP_PKEY *pkey;
+    const EVP_MD *md;
+
+    pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
+    md = GetDigestPtr(digest);
+    GetSPKI(self, spki);
+    if (!NETSCAPE_SPKI_sign(spki, pkey, md)) {
+	ossl_raise(eSPKIError, NULL);
+    }
+
+    return self;
+}
+
+/*
+ * call-seq:
+ *    spki.verify(key) => boolean
+ *
+ * === Parameters
+ * * +key+ - the public key to be used for verifying the SPKI signature
+ *
+ * Returns +true+ if the signature is valid, +false+ otherwise. To verify an
+ * SPKI, the public key contained within the SPKI should be used.
+ */
+static VALUE
+ossl_spki_verify(VALUE self, VALUE key)
+{
+    NETSCAPE_SPKI *spki;
+
+    GetSPKI(self, spki);
+    switch (NETSCAPE_SPKI_verify(spki, GetPKeyPtr(key))) { /* NO NEED TO DUP */
+    case 0:
+	return Qfalse;
+    case 1:
+	return Qtrue;
+    default:
+	ossl_raise(eSPKIError, NULL);
+    }
+    return Qnil; /* dummy */
+}
+
+/* Document-class: OpenSSL::Netscape::SPKI
+ *
+ * A Simple Public Key Infrastructure implementation (pronounced "spookey").
+ * The structure is defined as
+ *   PublicKeyAndChallenge ::= SEQUENCE {
+ *     spki SubjectPublicKeyInfo,
+ *     challenge IA5STRING
+ *   }
+ *
+ *   SignedPublicKeyAndChallenge ::= SEQUENCE {
+ *     publicKeyAndChallenge PublicKeyAndChallenge,
+ *     signatureAlgorithm AlgorithmIdentifier,
+ *     signature BIT STRING
+ *   }
+ * where the definitions of SubjectPublicKeyInfo and AlgorithmIdentifier can
+ * be found in RFC5280. SPKI is typically used in browsers for generating
+ * a public/private key pair and a subsequent certificate request, using
+ * the HTML <keygen> element.
+ *
+ * == Examples
+ *
+ * === Creating an SPKI
+ *   key = OpenSSL::PKey::RSA.new 2048
+ *   spki = OpenSSL::Netscape::SPKI.new
+ *   spki.challenge = "RandomChallenge"
+ *   spki.public_key = key.public_key
+ *   spki.sign(key, OpenSSL::Digest::SHA256.new)
+ *   #send a request containing this to a server generating a certificate
+ * === Verifiying an SPKI request
+ *   request = #...
+ *   spki = OpenSSL::Netscape::SPKI.new request
+ *   unless spki.verify(spki.public_key)
+ *     # signature is invalid
+ *   end
+ *   #proceed
+ */
+
+/* Document-module: OpenSSL::Netscape
+ *
+ * OpenSSL::Netscape is a namespace for SPKI (Simple Public Key
+ * Infrastructure) which implements Signed Public Key and Challenge.
+ * See {RFC 2692}[http://tools.ietf.org/html/rfc2692] and {RFC
+ * 2693}[http://tools.ietf.org/html/rfc2692] for details.
+ */
+
+/* Document-class: OpenSSL::Netscape::SPKIError
+ *
+ * Generic Exception class that is raised if an error occurs during an
+ * operation on an instance of OpenSSL::Netscape::SPKI.
+ */
+
+void
+Init_ossl_ns_spki(void)
+{
+#if 0
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
+
+    mNetscape = rb_define_module_under(mOSSL, "Netscape");
+
+    eSPKIError = rb_define_class_under(mNetscape, "SPKIError", eOSSLError);
+
+    cSPKI = rb_define_class_under(mNetscape, "SPKI", rb_cObject);
+
+    rb_define_alloc_func(cSPKI, ossl_spki_alloc);
+    rb_define_method(cSPKI, "initialize", ossl_spki_initialize, -1);
+
+    rb_define_method(cSPKI, "to_der", ossl_spki_to_der, 0);
+    rb_define_method(cSPKI, "to_pem", ossl_spki_to_pem, 0);
+    rb_define_alias(cSPKI, "to_s", "to_pem");
+    rb_define_method(cSPKI, "to_text", ossl_spki_print, 0);
+    rb_define_method(cSPKI, "public_key", ossl_spki_get_public_key, 0);
+    rb_define_method(cSPKI, "public_key=", ossl_spki_set_public_key, 1);
+    rb_define_method(cSPKI, "sign", ossl_spki_sign, 2);
+    rb_define_method(cSPKI, "verify", ossl_spki_verify, 1);
+    rb_define_method(cSPKI, "challenge", ossl_spki_get_challenge, 0);
+    rb_define_method(cSPKI, "challenge=", ossl_spki_set_challenge, 1);
+}