openssl 2.1.0 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +35 -45
- data/History.md +426 -0
- data/README.md +38 -21
- data/ext/openssl/extconf.rb +132 -72
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +62 -46
- data/ext/openssl/ossl.c +177 -252
- data/ext/openssl/ossl.h +39 -17
- data/ext/openssl/ossl_asn1.c +53 -14
- data/ext/openssl/ossl_bn.c +288 -146
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +42 -32
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +32 -63
- data/ext/openssl/ossl_engine.c +19 -28
- data/ext/openssl/ossl_hmac.c +61 -146
- data/ext/openssl/ossl_kdf.c +15 -23
- data/ext/openssl/ossl_ns_spki.c +2 -2
- data/ext/openssl/ossl_ocsp.c +17 -70
- data/ext/openssl/ossl_ocsp.h +3 -3
- data/ext/openssl/ossl_pkcs12.c +23 -4
- data/ext/openssl/ossl_pkcs7.c +49 -81
- data/ext/openssl/ossl_pkcs7.h +16 -0
- data/ext/openssl/ossl_pkey.c +1508 -195
- data/ext/openssl/ossl_pkey.h +41 -78
- data/ext/openssl/ossl_pkey_dh.c +153 -348
- data/ext/openssl/ossl_pkey_dsa.c +157 -413
- data/ext/openssl/ossl_pkey_ec.c +257 -343
- data/ext/openssl/ossl_pkey_rsa.c +166 -490
- data/ext/openssl/ossl_provider.c +211 -0
- data/ext/openssl/ossl_provider.h +5 -0
- data/ext/openssl/ossl_rand.c +2 -40
- data/ext/openssl/ossl_ssl.c +666 -456
- data/ext/openssl/ossl_ssl_session.c +29 -30
- data/ext/openssl/ossl_ts.c +1539 -0
- data/ext/openssl/ossl_ts.h +16 -0
- data/ext/openssl/ossl_x509.c +86 -1
- data/ext/openssl/ossl_x509attr.c +1 -1
- data/ext/openssl/ossl_x509cert.c +170 -14
- data/ext/openssl/ossl_x509crl.c +14 -11
- data/ext/openssl/ossl_x509ext.c +29 -9
- data/ext/openssl/ossl_x509name.c +24 -12
- data/ext/openssl/ossl_x509req.c +14 -11
- data/ext/openssl/ossl_x509revoked.c +4 -4
- data/ext/openssl/ossl_x509store.c +205 -96
- data/lib/openssl/bn.rb +1 -1
- data/lib/openssl/buffering.rb +42 -20
- data/lib/openssl/cipher.rb +1 -1
- data/lib/openssl/digest.rb +10 -16
- data/lib/openssl/hmac.rb +78 -0
- data/lib/openssl/marshal.rb +30 -0
- data/lib/openssl/pkcs5.rb +1 -1
- data/lib/openssl/pkey.rb +447 -1
- data/lib/openssl/ssl.rb +68 -24
- data/lib/openssl/version.rb +5 -0
- data/lib/openssl/x509.rb +177 -1
- data/lib/openssl.rb +24 -9
- metadata +18 -71
- data/ext/openssl/deprecation.rb +0 -23
- data/ext/openssl/ossl_version.h +0 -15
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -474
@@ -52,8 +52,15 @@ struct ossl_verify_cb_args {
|
|
52
52
|
};
|
53
53
|
|
54
54
|
static VALUE
|
55
|
-
|
55
|
+
ossl_x509stctx_new_i(VALUE arg)
|
56
56
|
{
|
57
|
+
return ossl_x509stctx_new((X509_STORE_CTX *)arg);
|
58
|
+
}
|
59
|
+
|
60
|
+
static VALUE
|
61
|
+
call_verify_cb_proc(VALUE arg)
|
62
|
+
{
|
63
|
+
struct ossl_verify_cb_args *args = (struct ossl_verify_cb_args *)arg;
|
57
64
|
return rb_funcall(args->proc, rb_intern("call"), 2,
|
58
65
|
args->preverify_ok, args->store_ctx);
|
59
66
|
}
|
@@ -69,7 +76,7 @@ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
|
|
69
76
|
return ok;
|
70
77
|
|
71
78
|
ret = Qfalse;
|
72
|
-
rctx = rb_protect(
|
79
|
+
rctx = rb_protect(ossl_x509stctx_new_i, (VALUE)ctx, &state);
|
73
80
|
if (state) {
|
74
81
|
rb_set_errinfo(Qnil);
|
75
82
|
rb_warn("StoreContext initialization failure");
|
@@ -78,7 +85,7 @@ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
|
|
78
85
|
args.proc = proc;
|
79
86
|
args.preverify_ok = ok ? Qtrue : Qfalse;
|
80
87
|
args.store_ctx = rctx;
|
81
|
-
ret = rb_protect(
|
88
|
+
ret = rb_protect(call_verify_cb_proc, (VALUE)&args, &state);
|
82
89
|
if (state) {
|
83
90
|
rb_set_errinfo(Qnil);
|
84
91
|
rb_warn("exception in verify_callback is ignored");
|
@@ -105,6 +112,16 @@ VALUE cX509Store;
|
|
105
112
|
VALUE cX509StoreContext;
|
106
113
|
VALUE eX509StoreError;
|
107
114
|
|
115
|
+
static void
|
116
|
+
ossl_x509store_mark(void *ptr)
|
117
|
+
{
|
118
|
+
X509_STORE *store = ptr;
|
119
|
+
// Note: this reference is stored as @verify_callback so we don't need to mark it.
|
120
|
+
// However we do need to ensure GC compaction won't move it, hence why
|
121
|
+
// we call rb_gc_mark here.
|
122
|
+
rb_gc_mark((VALUE)X509_STORE_get_ex_data(store, store_ex_verify_cb_idx));
|
123
|
+
}
|
124
|
+
|
108
125
|
static void
|
109
126
|
ossl_x509store_free(void *ptr)
|
110
127
|
{
|
@@ -114,9 +131,9 @@ ossl_x509store_free(void *ptr)
|
|
114
131
|
static const rb_data_type_t ossl_x509store_type = {
|
115
132
|
"OpenSSL/X509/STORE",
|
116
133
|
{
|
117
|
-
|
134
|
+
ossl_x509store_mark, ossl_x509store_free,
|
118
135
|
},
|
119
|
-
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
136
|
+
0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
|
120
137
|
};
|
121
138
|
|
122
139
|
/*
|
@@ -157,9 +174,8 @@ ossl_x509store_alloc(VALUE klass)
|
|
157
174
|
VALUE obj;
|
158
175
|
|
159
176
|
obj = NewX509Store(klass);
|
160
|
-
if((store = X509_STORE_new()) == NULL)
|
161
|
-
ossl_raise(eX509StoreError,
|
162
|
-
}
|
177
|
+
if ((store = X509_STORE_new()) == NULL)
|
178
|
+
ossl_raise(eX509StoreError, "X509_STORE_new");
|
163
179
|
SetX509Store(obj, store);
|
164
180
|
|
165
181
|
return obj;
|
@@ -174,8 +190,9 @@ ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
|
|
174
190
|
X509_STORE *store;
|
175
191
|
|
176
192
|
GetX509Store(self, store);
|
177
|
-
X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb);
|
178
193
|
rb_iv_set(self, "@verify_callback", cb);
|
194
|
+
// We don't need to trigger a write barrier because `rb_iv_set` did it.
|
195
|
+
X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb);
|
179
196
|
|
180
197
|
return cb;
|
181
198
|
}
|
@@ -192,8 +209,9 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
|
|
192
209
|
{
|
193
210
|
X509_STORE *store;
|
194
211
|
|
195
|
-
/* BUG: This method takes any number of arguments but appears to ignore them. */
|
196
212
|
GetX509Store(self, store);
|
213
|
+
if (argc != 0)
|
214
|
+
rb_warn("OpenSSL::X509::Store.new does not take any arguments");
|
197
215
|
#if !defined(HAVE_OPAQUE_OPENSSL)
|
198
216
|
/* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */
|
199
217
|
store->ex_data.sk = NULL;
|
@@ -214,8 +232,16 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
|
|
214
232
|
* call-seq:
|
215
233
|
* store.flags = flags
|
216
234
|
*
|
217
|
-
* Sets
|
218
|
-
*
|
235
|
+
* Sets the default flags used by certificate chain verification performed with
|
236
|
+
* the Store.
|
237
|
+
*
|
238
|
+
* _flags_ consists of zero or more of the constants defined in OpenSSL::X509
|
239
|
+
* with name V_FLAG_* or'ed together.
|
240
|
+
*
|
241
|
+
* OpenSSL::X509::StoreContext#flags= can be used to change the flags for a
|
242
|
+
* single verification operation.
|
243
|
+
*
|
244
|
+
* See also the man page X509_VERIFY_PARAM_set_flags(3).
|
219
245
|
*/
|
220
246
|
static VALUE
|
221
247
|
ossl_x509store_set_flags(VALUE self, VALUE flags)
|
@@ -233,9 +259,9 @@ ossl_x509store_set_flags(VALUE self, VALUE flags)
|
|
233
259
|
* call-seq:
|
234
260
|
* store.purpose = purpose
|
235
261
|
*
|
236
|
-
* Sets the store's
|
237
|
-
* the store will check every
|
238
|
-
* with the purpose. The purpose is specified by constants:
|
262
|
+
* Sets the store's default verification purpose. If specified,
|
263
|
+
* the verifications on the store will check every certificate's extensions are
|
264
|
+
* consistent with the purpose. The purpose is specified by constants:
|
239
265
|
*
|
240
266
|
* * X509::PURPOSE_SSL_CLIENT
|
241
267
|
* * X509::PURPOSE_SSL_SERVER
|
@@ -246,6 +272,11 @@ ossl_x509store_set_flags(VALUE self, VALUE flags)
|
|
246
272
|
* * X509::PURPOSE_ANY
|
247
273
|
* * X509::PURPOSE_OCSP_HELPER
|
248
274
|
* * X509::PURPOSE_TIMESTAMP_SIGN
|
275
|
+
*
|
276
|
+
* OpenSSL::X509::StoreContext#purpose= can be used to change the value for a
|
277
|
+
* single verification operation.
|
278
|
+
*
|
279
|
+
* See also the man page X509_VERIFY_PARAM_set_purpose(3).
|
249
280
|
*/
|
250
281
|
static VALUE
|
251
282
|
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
|
@@ -262,6 +293,14 @@ ossl_x509store_set_purpose(VALUE self, VALUE purpose)
|
|
262
293
|
/*
|
263
294
|
* call-seq:
|
264
295
|
* store.trust = trust
|
296
|
+
*
|
297
|
+
* Sets the default trust settings used by the certificate verification with
|
298
|
+
* the store.
|
299
|
+
*
|
300
|
+
* OpenSSL::X509::StoreContext#trust= can be used to change the value for a
|
301
|
+
* single verification operation.
|
302
|
+
*
|
303
|
+
* See also the man page X509_VERIFY_PARAM_set_trust(3).
|
265
304
|
*/
|
266
305
|
static VALUE
|
267
306
|
ossl_x509store_set_trust(VALUE self, VALUE trust)
|
@@ -279,7 +318,13 @@ ossl_x509store_set_trust(VALUE self, VALUE trust)
|
|
279
318
|
* call-seq:
|
280
319
|
* store.time = time
|
281
320
|
*
|
282
|
-
* Sets the time to be used in verifications.
|
321
|
+
* Sets the time to be used in the certificate verifications with the store.
|
322
|
+
* By default, if not specified, the current system time is used.
|
323
|
+
*
|
324
|
+
* OpenSSL::X509::StoreContext#time= can be used to change the value for a
|
325
|
+
* single verification operation.
|
326
|
+
*
|
327
|
+
* See also the man page X509_VERIFY_PARAM_set_time(3).
|
283
328
|
*/
|
284
329
|
static VALUE
|
285
330
|
ossl_x509store_set_time(VALUE self, VALUE time)
|
@@ -295,24 +340,23 @@ ossl_x509store_set_time(VALUE self, VALUE time)
|
|
295
340
|
* Adds the certificates in _file_ to the certificate store. _file_ is the path
|
296
341
|
* to the file, and the file contains one or more certificates in PEM format
|
297
342
|
* concatenated together.
|
343
|
+
*
|
344
|
+
* See also the man page X509_LOOKUP_file(3).
|
298
345
|
*/
|
299
346
|
static VALUE
|
300
347
|
ossl_x509store_add_file(VALUE self, VALUE file)
|
301
348
|
{
|
302
349
|
X509_STORE *store;
|
303
350
|
X509_LOOKUP *lookup;
|
304
|
-
char *path
|
351
|
+
const char *path;
|
305
352
|
|
306
|
-
if(file != Qnil){
|
307
|
-
rb_check_safe_obj(file);
|
308
|
-
path = StringValueCStr(file);
|
309
|
-
}
|
310
353
|
GetX509Store(self, store);
|
354
|
+
path = StringValueCStr(file);
|
311
355
|
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
|
312
|
-
if(lookup
|
313
|
-
|
314
|
-
|
315
|
-
|
356
|
+
if (!lookup)
|
357
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
|
358
|
+
if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1)
|
359
|
+
ossl_raise(eX509StoreError, "X509_LOOKUP_load_file");
|
316
360
|
#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
|
317
361
|
/*
|
318
362
|
* X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
|
@@ -331,24 +375,23 @@ ossl_x509store_add_file(VALUE self, VALUE file)
|
|
331
375
|
* store.add_path(path) -> self
|
332
376
|
*
|
333
377
|
* Adds _path_ as the hash dir to be looked up by the store.
|
378
|
+
*
|
379
|
+
* See also the man page X509_LOOKUP_hash_dir(3).
|
334
380
|
*/
|
335
381
|
static VALUE
|
336
382
|
ossl_x509store_add_path(VALUE self, VALUE dir)
|
337
383
|
{
|
338
384
|
X509_STORE *store;
|
339
385
|
X509_LOOKUP *lookup;
|
340
|
-
char *path
|
386
|
+
const char *path;
|
341
387
|
|
342
|
-
if(dir != Qnil){
|
343
|
-
rb_check_safe_obj(dir);
|
344
|
-
path = StringValueCStr(dir);
|
345
|
-
}
|
346
388
|
GetX509Store(self, store);
|
389
|
+
path = StringValueCStr(dir);
|
347
390
|
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
|
348
|
-
if(lookup
|
349
|
-
|
350
|
-
|
351
|
-
|
391
|
+
if (!lookup)
|
392
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
|
393
|
+
if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1)
|
394
|
+
ossl_raise(eX509StoreError, "X509_LOOKUP_add_dir");
|
352
395
|
|
353
396
|
return self;
|
354
397
|
}
|
@@ -363,6 +406,8 @@ ossl_x509store_add_path(VALUE self, VALUE dir)
|
|
363
406
|
*
|
364
407
|
* * OpenSSL::X509::DEFAULT_CERT_FILE
|
365
408
|
* * OpenSSL::X509::DEFAULT_CERT_DIR
|
409
|
+
*
|
410
|
+
* See also the man page X509_STORE_set_default_paths(3).
|
366
411
|
*/
|
367
412
|
static VALUE
|
368
413
|
ossl_x509store_set_default_paths(VALUE self)
|
@@ -370,18 +415,19 @@ ossl_x509store_set_default_paths(VALUE self)
|
|
370
415
|
X509_STORE *store;
|
371
416
|
|
372
417
|
GetX509Store(self, store);
|
373
|
-
if (X509_STORE_set_default_paths(store) != 1)
|
374
|
-
ossl_raise(eX509StoreError,
|
375
|
-
}
|
418
|
+
if (X509_STORE_set_default_paths(store) != 1)
|
419
|
+
ossl_raise(eX509StoreError, "X509_STORE_set_default_paths");
|
376
420
|
|
377
421
|
return Qnil;
|
378
422
|
}
|
379
423
|
|
380
424
|
/*
|
381
425
|
* call-seq:
|
382
|
-
* store.add_cert(cert)
|
426
|
+
* store.add_cert(cert) -> self
|
383
427
|
*
|
384
428
|
* Adds the OpenSSL::X509::Certificate _cert_ to the certificate store.
|
429
|
+
*
|
430
|
+
* See also the man page X509_STORE_add_cert(3).
|
385
431
|
*/
|
386
432
|
static VALUE
|
387
433
|
ossl_x509store_add_cert(VALUE self, VALUE arg)
|
@@ -391,9 +437,8 @@ ossl_x509store_add_cert(VALUE self, VALUE arg)
|
|
391
437
|
|
392
438
|
cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
|
393
439
|
GetX509Store(self, store);
|
394
|
-
if (X509_STORE_add_cert(store, cert) != 1)
|
395
|
-
ossl_raise(eX509StoreError,
|
396
|
-
}
|
440
|
+
if (X509_STORE_add_cert(store, cert) != 1)
|
441
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_cert");
|
397
442
|
|
398
443
|
return self;
|
399
444
|
}
|
@@ -403,6 +448,8 @@ ossl_x509store_add_cert(VALUE self, VALUE arg)
|
|
403
448
|
* store.add_crl(crl) -> self
|
404
449
|
*
|
405
450
|
* Adds the OpenSSL::X509::CRL _crl_ to the store.
|
451
|
+
*
|
452
|
+
* See also the man page X509_STORE_add_crl(3).
|
406
453
|
*/
|
407
454
|
static VALUE
|
408
455
|
ossl_x509store_add_crl(VALUE self, VALUE arg)
|
@@ -412,9 +459,8 @@ ossl_x509store_add_crl(VALUE self, VALUE arg)
|
|
412
459
|
|
413
460
|
crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */
|
414
461
|
GetX509Store(self, store);
|
415
|
-
if (X509_STORE_add_crl(store, crl) != 1)
|
416
|
-
ossl_raise(eX509StoreError,
|
417
|
-
}
|
462
|
+
if (X509_STORE_add_crl(store, crl) != 1)
|
463
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_crl");
|
418
464
|
|
419
465
|
return self;
|
420
466
|
}
|
@@ -458,23 +504,19 @@ ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
|
|
458
504
|
return result;
|
459
505
|
}
|
460
506
|
|
461
|
-
/*
|
462
|
-
* Public Functions
|
463
|
-
*/
|
464
|
-
static void ossl_x509stctx_free(void*);
|
465
|
-
|
466
|
-
|
467
|
-
static const rb_data_type_t ossl_x509stctx_type = {
|
468
|
-
"OpenSSL/X509/STORE_CTX",
|
469
|
-
{
|
470
|
-
0, ossl_x509stctx_free,
|
471
|
-
},
|
472
|
-
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
473
|
-
};
|
474
|
-
|
475
507
|
/*
|
476
508
|
* Private functions
|
477
509
|
*/
|
510
|
+
static void
|
511
|
+
ossl_x509stctx_mark(void *ptr)
|
512
|
+
{
|
513
|
+
X509_STORE_CTX *ctx = ptr;
|
514
|
+
// Note: this reference is stored as @verify_callback so we don't need to mark it.
|
515
|
+
// However we do need to ensure GC compaction won't move it, hence why
|
516
|
+
// we call rb_gc_mark here.
|
517
|
+
rb_gc_mark((VALUE)X509_STORE_CTX_get_ex_data(ctx, stctx_ex_verify_cb_idx));
|
518
|
+
}
|
519
|
+
|
478
520
|
static void
|
479
521
|
ossl_x509stctx_free(void *ptr)
|
480
522
|
{
|
@@ -486,6 +528,14 @@ ossl_x509stctx_free(void *ptr)
|
|
486
528
|
X509_STORE_CTX_free(ctx);
|
487
529
|
}
|
488
530
|
|
531
|
+
static const rb_data_type_t ossl_x509stctx_type = {
|
532
|
+
"OpenSSL/X509/STORE_CTX",
|
533
|
+
{
|
534
|
+
ossl_x509stctx_mark, ossl_x509stctx_free,
|
535
|
+
},
|
536
|
+
0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
|
537
|
+
};
|
538
|
+
|
489
539
|
static VALUE
|
490
540
|
ossl_x509stctx_alloc(VALUE klass)
|
491
541
|
{
|
@@ -493,9 +543,8 @@ ossl_x509stctx_alloc(VALUE klass)
|
|
493
543
|
VALUE obj;
|
494
544
|
|
495
545
|
obj = NewX509StCtx(klass);
|
496
|
-
if((ctx = X509_STORE_CTX_new()) == NULL)
|
497
|
-
ossl_raise(eX509StoreError,
|
498
|
-
}
|
546
|
+
if ((ctx = X509_STORE_CTX_new()) == NULL)
|
547
|
+
ossl_raise(eX509StoreError, "X509_STORE_CTX_new");
|
499
548
|
SetX509StCtx(obj, ctx);
|
500
549
|
|
501
550
|
return obj;
|
@@ -519,7 +568,9 @@ static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
|
|
519
568
|
|
520
569
|
/*
|
521
570
|
* call-seq:
|
522
|
-
* StoreContext.new(store, cert = nil,
|
571
|
+
* StoreContext.new(store, cert = nil, untrusted = nil)
|
572
|
+
*
|
573
|
+
* Sets up a StoreContext for a verification of the X.509 certificate _cert_.
|
523
574
|
*/
|
524
575
|
static VALUE
|
525
576
|
ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
|
@@ -529,15 +580,24 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
|
|
529
580
|
X509_STORE *x509st;
|
530
581
|
X509 *x509 = NULL;
|
531
582
|
STACK_OF(X509) *x509s = NULL;
|
583
|
+
int state;
|
532
584
|
|
533
585
|
rb_scan_args(argc, argv, "12", &store, &cert, &chain);
|
534
586
|
GetX509StCtx(self, ctx);
|
535
587
|
GetX509Store(store, x509st);
|
536
|
-
if(!NIL_P(cert))
|
537
|
-
|
538
|
-
if(
|
588
|
+
if (!NIL_P(cert))
|
589
|
+
x509 = DupX509CertPtr(cert); /* NEED TO DUP */
|
590
|
+
if (!NIL_P(chain)) {
|
591
|
+
x509s = ossl_protect_x509_ary2sk(chain, &state);
|
592
|
+
if (state) {
|
593
|
+
X509_free(x509);
|
594
|
+
rb_jump_tag(state);
|
595
|
+
}
|
596
|
+
}
|
597
|
+
if (X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
|
598
|
+
X509_free(x509);
|
539
599
|
sk_X509_pop_free(x509s, X509_free);
|
540
|
-
ossl_raise(eX509StoreError,
|
600
|
+
ossl_raise(eX509StoreError, "X509_STORE_CTX_init");
|
541
601
|
}
|
542
602
|
if (!NIL_P(t = rb_iv_get(store, "@time")))
|
543
603
|
ossl_x509stctx_set_time(self, t);
|
@@ -550,6 +610,10 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
|
|
550
610
|
/*
|
551
611
|
* call-seq:
|
552
612
|
* stctx.verify -> true | false
|
613
|
+
*
|
614
|
+
* Performs the certificate verification using the parameters set to _stctx_.
|
615
|
+
*
|
616
|
+
* See also the man page X509_verify_cert(3).
|
553
617
|
*/
|
554
618
|
static VALUE
|
555
619
|
ossl_x509stctx_verify(VALUE self)
|
@@ -557,53 +621,50 @@ ossl_x509stctx_verify(VALUE self)
|
|
557
621
|
X509_STORE_CTX *ctx;
|
558
622
|
|
559
623
|
GetX509StCtx(self, ctx);
|
560
|
-
|
561
|
-
|
624
|
+
VALUE cb = rb_iv_get(self, "@verify_callback");
|
625
|
+
X509_STORE_CTX_set_ex_data(ctx, stctx_ex_verify_cb_idx, (void *)cb);
|
562
626
|
|
563
627
|
switch (X509_verify_cert(ctx)) {
|
564
628
|
case 1:
|
565
|
-
|
629
|
+
return Qtrue;
|
566
630
|
case 0:
|
567
|
-
|
568
|
-
|
631
|
+
ossl_clear_error();
|
632
|
+
return Qfalse;
|
569
633
|
default:
|
570
|
-
|
634
|
+
ossl_raise(eX509CertError, "X509_verify_cert");
|
571
635
|
}
|
572
636
|
}
|
573
637
|
|
574
638
|
/*
|
575
639
|
* call-seq:
|
576
|
-
* stctx.chain -> Array of X509::Certificate
|
640
|
+
* stctx.chain -> nil | Array of X509::Certificate
|
641
|
+
*
|
642
|
+
* Returns the verified chain.
|
643
|
+
*
|
644
|
+
* See also the man page X509_STORE_CTX_set0_verified_chain(3).
|
577
645
|
*/
|
578
646
|
static VALUE
|
579
647
|
ossl_x509stctx_get_chain(VALUE self)
|
580
648
|
{
|
581
649
|
X509_STORE_CTX *ctx;
|
582
|
-
STACK_OF(X509) *chain;
|
583
|
-
X509 *x509;
|
584
|
-
int i, num;
|
585
|
-
VALUE ary;
|
650
|
+
const STACK_OF(X509) *chain;
|
586
651
|
|
587
652
|
GetX509StCtx(self, ctx);
|
588
|
-
|
589
|
-
|
590
|
-
|
591
|
-
|
592
|
-
OSSL_Debug("certs in chain < 0???");
|
593
|
-
return rb_ary_new();
|
594
|
-
}
|
595
|
-
ary = rb_ary_new2(num);
|
596
|
-
for(i = 0; i < num; i++) {
|
597
|
-
x509 = sk_X509_value(chain, i);
|
598
|
-
rb_ary_push(ary, ossl_x509_new(x509));
|
599
|
-
}
|
600
|
-
|
601
|
-
return ary;
|
653
|
+
chain = X509_STORE_CTX_get0_chain(ctx);
|
654
|
+
if (!chain)
|
655
|
+
return Qnil; /* Could be an empty array instead? */
|
656
|
+
return ossl_x509_sk2ary(chain);
|
602
657
|
}
|
603
658
|
|
604
659
|
/*
|
605
660
|
* call-seq:
|
606
661
|
* stctx.error -> Integer
|
662
|
+
*
|
663
|
+
* Returns the error code of _stctx_. This is typically called after #verify
|
664
|
+
* is done, or from the verification callback set to
|
665
|
+
* OpenSSL::X509::Store#verify_callback=.
|
666
|
+
*
|
667
|
+
* See also the man page X509_STORE_CTX_get_error(3).
|
607
668
|
*/
|
608
669
|
static VALUE
|
609
670
|
ossl_x509stctx_get_err(VALUE self)
|
@@ -618,6 +679,11 @@ ossl_x509stctx_get_err(VALUE self)
|
|
618
679
|
/*
|
619
680
|
* call-seq:
|
620
681
|
* stctx.error = error_code
|
682
|
+
*
|
683
|
+
* Sets the error code of _stctx_. This is used by the verification callback
|
684
|
+
* set to OpenSSL::X509::Store#verify_callback=.
|
685
|
+
*
|
686
|
+
* See also the man page X509_STORE_CTX_set_error(3).
|
621
687
|
*/
|
622
688
|
static VALUE
|
623
689
|
ossl_x509stctx_set_error(VALUE self, VALUE err)
|
@@ -634,7 +700,10 @@ ossl_x509stctx_set_error(VALUE self, VALUE err)
|
|
634
700
|
* call-seq:
|
635
701
|
* stctx.error_string -> String
|
636
702
|
*
|
637
|
-
* Returns the error string corresponding to the error code
|
703
|
+
* Returns the human readable error string corresponding to the error code
|
704
|
+
* retrieved by #error.
|
705
|
+
*
|
706
|
+
* See also the man page X509_verify_cert_error_string(3).
|
638
707
|
*/
|
639
708
|
static VALUE
|
640
709
|
ossl_x509stctx_get_err_string(VALUE self)
|
@@ -651,6 +720,10 @@ ossl_x509stctx_get_err_string(VALUE self)
|
|
651
720
|
/*
|
652
721
|
* call-seq:
|
653
722
|
* stctx.error_depth -> Integer
|
723
|
+
*
|
724
|
+
* Returns the depth of the chain. This is used in combination with #error.
|
725
|
+
*
|
726
|
+
* See also the man page X509_STORE_CTX_get_error_depth(3).
|
654
727
|
*/
|
655
728
|
static VALUE
|
656
729
|
ossl_x509stctx_get_err_depth(VALUE self)
|
@@ -665,6 +738,10 @@ ossl_x509stctx_get_err_depth(VALUE self)
|
|
665
738
|
/*
|
666
739
|
* call-seq:
|
667
740
|
* stctx.current_cert -> X509::Certificate
|
741
|
+
*
|
742
|
+
* Returns the certificate which caused the error.
|
743
|
+
*
|
744
|
+
* See also the man page X509_STORE_CTX_get_current_cert(3).
|
668
745
|
*/
|
669
746
|
static VALUE
|
670
747
|
ossl_x509stctx_get_curr_cert(VALUE self)
|
@@ -679,6 +756,10 @@ ossl_x509stctx_get_curr_cert(VALUE self)
|
|
679
756
|
/*
|
680
757
|
* call-seq:
|
681
758
|
* stctx.current_crl -> X509::CRL
|
759
|
+
*
|
760
|
+
* Returns the CRL which caused the error.
|
761
|
+
*
|
762
|
+
* See also the man page X509_STORE_CTX_get_current_crl(3).
|
682
763
|
*/
|
683
764
|
static VALUE
|
684
765
|
ossl_x509stctx_get_curr_crl(VALUE self)
|
@@ -698,7 +779,10 @@ ossl_x509stctx_get_curr_crl(VALUE self)
|
|
698
779
|
* call-seq:
|
699
780
|
* stctx.flags = flags
|
700
781
|
*
|
701
|
-
* Sets the verification flags to the context.
|
782
|
+
* Sets the verification flags to the context. This overrides the default value
|
783
|
+
* set by Store#flags=.
|
784
|
+
*
|
785
|
+
* See also the man page X509_VERIFY_PARAM_set_flags(3).
|
702
786
|
*/
|
703
787
|
static VALUE
|
704
788
|
ossl_x509stctx_set_flags(VALUE self, VALUE flags)
|
@@ -716,7 +800,10 @@ ossl_x509stctx_set_flags(VALUE self, VALUE flags)
|
|
716
800
|
* call-seq:
|
717
801
|
* stctx.purpose = purpose
|
718
802
|
*
|
719
|
-
* Sets the purpose of the context.
|
803
|
+
* Sets the purpose of the context. This overrides the default value set by
|
804
|
+
* Store#purpose=.
|
805
|
+
*
|
806
|
+
* See also the man page X509_VERIFY_PARAM_set_purpose(3).
|
720
807
|
*/
|
721
808
|
static VALUE
|
722
809
|
ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
|
@@ -733,6 +820,11 @@ ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
|
|
733
820
|
/*
|
734
821
|
* call-seq:
|
735
822
|
* stctx.trust = trust
|
823
|
+
*
|
824
|
+
* Sets the trust settings of the context. This overrides the default value set
|
825
|
+
* by Store#trust=.
|
826
|
+
*
|
827
|
+
* See also the man page X509_VERIFY_PARAM_set_trust(3).
|
736
828
|
*/
|
737
829
|
static VALUE
|
738
830
|
ossl_x509stctx_set_trust(VALUE self, VALUE trust)
|
@@ -751,6 +843,8 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust)
|
|
751
843
|
* stctx.time = time
|
752
844
|
*
|
753
845
|
* Sets the time used in the verification. If not set, the current time is used.
|
846
|
+
*
|
847
|
+
* See also the man page X509_VERIFY_PARAM_set_time(3).
|
754
848
|
*/
|
755
849
|
static VALUE
|
756
850
|
ossl_x509stctx_set_time(VALUE self, VALUE time)
|
@@ -771,6 +865,7 @@ ossl_x509stctx_set_time(VALUE self, VALUE time)
|
|
771
865
|
void
|
772
866
|
Init_ossl_x509store(void)
|
773
867
|
{
|
868
|
+
#undef rb_intern
|
774
869
|
#if 0
|
775
870
|
mOSSL = rb_define_module("OpenSSL");
|
776
871
|
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
|
@@ -825,23 +920,37 @@ Init_ossl_x509store(void)
|
|
825
920
|
cX509Store = rb_define_class_under(mX509, "Store", rb_cObject);
|
826
921
|
/*
|
827
922
|
* The callback for additional certificate verification. It is invoked for
|
828
|
-
* each
|
923
|
+
* each certificate in the chain and can be used to implement custom
|
924
|
+
* certificate verification conditions.
|
829
925
|
*
|
830
926
|
* The callback is invoked with two values, a boolean that indicates if the
|
831
927
|
* pre-verification by OpenSSL has succeeded or not, and the StoreContext in
|
832
|
-
* use.
|
928
|
+
* use.
|
929
|
+
*
|
930
|
+
* The callback can use StoreContext#error= to change the error code as
|
931
|
+
* needed. The callback must return either true or false.
|
932
|
+
*
|
933
|
+
* NOTE: any exception raised within the callback will be ignored.
|
934
|
+
*
|
935
|
+
* See also the man page X509_STORE_CTX_set_verify_cb(3).
|
833
936
|
*/
|
834
937
|
rb_attr(cX509Store, rb_intern("verify_callback"), 1, 0, Qfalse);
|
835
938
|
/*
|
836
939
|
* The error code set by the last call of #verify.
|
940
|
+
*
|
941
|
+
* See also StoreContext#error.
|
837
942
|
*/
|
838
943
|
rb_attr(cX509Store, rb_intern("error"), 1, 0, Qfalse);
|
839
944
|
/*
|
840
945
|
* The description for the error code set by the last call of #verify.
|
946
|
+
*
|
947
|
+
* See also StoreContext#error_string.
|
841
948
|
*/
|
842
949
|
rb_attr(cX509Store, rb_intern("error_string"), 1, 0, Qfalse);
|
843
950
|
/*
|
844
951
|
* The certificate chain constructed by the last call of #verify.
|
952
|
+
*
|
953
|
+
* See also StoreContext#chain.
|
845
954
|
*/
|
846
955
|
rb_attr(cX509Store, rb_intern("chain"), 1, 0, Qfalse);
|
847
956
|
rb_define_alloc_func(cX509Store, ossl_x509store_alloc);
|
data/lib/openssl/bn.rb
CHANGED