openssl 2.2.0 → 3.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +33 -45
- data/History.md +260 -0
- data/ext/openssl/extconf.rb +85 -72
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +26 -45
- data/ext/openssl/ossl.c +67 -47
- data/ext/openssl/ossl.h +26 -6
- data/ext/openssl/ossl_asn1.c +26 -13
- data/ext/openssl/ossl_bn.c +278 -142
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +12 -13
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +15 -11
- data/ext/openssl/ossl_engine.c +16 -15
- data/ext/openssl/ossl_hmac.c +56 -135
- data/ext/openssl/ossl_kdf.c +11 -3
- data/ext/openssl/ossl_ocsp.c +5 -53
- data/ext/openssl/ossl_pkcs12.c +21 -3
- data/ext/openssl/ossl_pkcs7.c +42 -59
- data/ext/openssl/ossl_pkey.c +1142 -191
- data/ext/openssl/ossl_pkey.h +36 -73
- data/ext/openssl/ossl_pkey_dh.c +130 -340
- data/ext/openssl/ossl_pkey_dsa.c +100 -405
- data/ext/openssl/ossl_pkey_ec.c +163 -335
- data/ext/openssl/ossl_pkey_rsa.c +106 -493
- data/ext/openssl/ossl_ssl.c +529 -421
- data/ext/openssl/ossl_ssl_session.c +28 -29
- data/ext/openssl/ossl_ts.c +64 -39
- data/ext/openssl/ossl_x509.c +0 -6
- data/ext/openssl/ossl_x509cert.c +167 -11
- data/ext/openssl/ossl_x509crl.c +13 -10
- data/ext/openssl/ossl_x509ext.c +1 -2
- data/ext/openssl/ossl_x509name.c +9 -2
- data/ext/openssl/ossl_x509req.c +13 -10
- data/ext/openssl/ossl_x509revoked.c +3 -3
- data/ext/openssl/ossl_x509store.c +193 -90
- data/lib/openssl/buffering.rb +10 -1
- data/lib/openssl/hmac.rb +65 -0
- data/lib/openssl/pkey.rb +429 -0
- data/lib/openssl/ssl.rb +13 -8
- data/lib/openssl/version.rb +1 -1
- data/lib/openssl/x509.rb +22 -0
- data/lib/openssl.rb +0 -1
- metadata +8 -66
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -501
data/ext/openssl/ossl_x509name.c
CHANGED
@@ -291,7 +291,14 @@ x509name_print(VALUE self, unsigned long iflag)
|
|
291
291
|
* * OpenSSL::X509::Name::MULTILINE
|
292
292
|
*
|
293
293
|
* If _format_ is omitted, the largely broken and traditional OpenSSL format
|
294
|
-
* is
|
294
|
+
* (<tt>X509_NAME_oneline()</tt> format) is chosen.
|
295
|
+
*
|
296
|
+
* <b>Use of this method is discouraged.</b> None of the formats other than
|
297
|
+
* OpenSSL::X509::Name::RFC2253 is standardized and may show an inconsistent
|
298
|
+
* behavior through \OpenSSL versions.
|
299
|
+
*
|
300
|
+
* It is recommended to use #to_utf8 instead, which is equivalent to calling
|
301
|
+
* <tt>name.to_s(OpenSSL::X509::Name::RFC2253).force_encoding("UTF-8")</tt>.
|
295
302
|
*/
|
296
303
|
static VALUE
|
297
304
|
ossl_x509name_to_s(int argc, VALUE *argv, VALUE self)
|
@@ -498,7 +505,7 @@ ossl_x509name_to_der(VALUE self)
|
|
498
505
|
* You can create a Name by parsing a distinguished name String or by
|
499
506
|
* supplying the distinguished name as an Array.
|
500
507
|
*
|
501
|
-
* name = OpenSSL::X509::Name.
|
508
|
+
* name = OpenSSL::X509::Name.parse_rfc2253 'DC=example,CN=nobody'
|
502
509
|
*
|
503
510
|
* name = OpenSSL::X509::Name.new [['CN', 'nobody'], ['DC', 'example']]
|
504
511
|
*/
|
data/ext/openssl/ossl_x509req.c
CHANGED
@@ -79,23 +79,26 @@ static VALUE
|
|
79
79
|
ossl_x509req_initialize(int argc, VALUE *argv, VALUE self)
|
80
80
|
{
|
81
81
|
BIO *in;
|
82
|
-
X509_REQ *req, *
|
82
|
+
X509_REQ *req, *req_orig = RTYPEDDATA_DATA(self);
|
83
83
|
VALUE arg;
|
84
84
|
|
85
|
+
rb_check_frozen(self);
|
85
86
|
if (rb_scan_args(argc, argv, "01", &arg) == 0) {
|
86
87
|
return self;
|
87
88
|
}
|
88
89
|
arg = ossl_to_der_if_possible(arg);
|
89
90
|
in = ossl_obj2bio(&arg);
|
90
|
-
req =
|
91
|
-
DATA_PTR(self) = x;
|
91
|
+
req = d2i_X509_REQ_bio(in, NULL);
|
92
92
|
if (!req) {
|
93
|
-
|
94
|
-
|
95
|
-
DATA_PTR(self) = x;
|
93
|
+
OSSL_BIO_reset(in);
|
94
|
+
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
|
96
95
|
}
|
97
96
|
BIO_free(in);
|
98
|
-
if (!req)
|
97
|
+
if (!req)
|
98
|
+
ossl_raise(eX509ReqError, "PEM_read_bio_X509_REQ");
|
99
|
+
|
100
|
+
RTYPEDDATA_DATA(self) = req;
|
101
|
+
X509_REQ_free(req_orig);
|
99
102
|
|
100
103
|
return self;
|
101
104
|
}
|
@@ -377,13 +380,13 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary)
|
|
377
380
|
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Attr);
|
378
381
|
}
|
379
382
|
GetX509Req(self, req);
|
380
|
-
|
381
|
-
|
383
|
+
for (i = X509_REQ_get_attr_count(req); i > 0; i--)
|
384
|
+
X509_ATTRIBUTE_free(X509_REQ_delete_attr(req, 0));
|
382
385
|
for (i=0;i<RARRAY_LEN(ary); i++) {
|
383
386
|
item = RARRAY_AREF(ary, i);
|
384
387
|
attr = GetX509AttrPtr(item);
|
385
388
|
if (!X509_REQ_add1_attr(req, attr)) {
|
386
|
-
ossl_raise(eX509ReqError,
|
389
|
+
ossl_raise(eX509ReqError, "X509_REQ_add1_attr");
|
387
390
|
}
|
388
391
|
}
|
389
392
|
return ary;
|
@@ -223,13 +223,13 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary)
|
|
223
223
|
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
|
224
224
|
}
|
225
225
|
GetX509Rev(self, rev);
|
226
|
-
|
227
|
-
|
226
|
+
for (i = X509_REVOKED_get_ext_count(rev); i > 0; i--)
|
227
|
+
X509_EXTENSION_free(X509_REVOKED_delete_ext(rev, 0));
|
228
228
|
for (i=0; i<RARRAY_LEN(ary); i++) {
|
229
229
|
item = RARRAY_AREF(ary, i);
|
230
230
|
ext = GetX509ExtPtr(item);
|
231
231
|
if(!X509_REVOKED_add_ext(rev, ext, -1)) {
|
232
|
-
ossl_raise(eX509RevError,
|
232
|
+
ossl_raise(eX509RevError, "X509_REVOKED_add_ext");
|
233
233
|
}
|
234
234
|
}
|
235
235
|
|
@@ -52,8 +52,15 @@ struct ossl_verify_cb_args {
|
|
52
52
|
};
|
53
53
|
|
54
54
|
static VALUE
|
55
|
-
|
55
|
+
ossl_x509stctx_new_i(VALUE arg)
|
56
56
|
{
|
57
|
+
return ossl_x509stctx_new((X509_STORE_CTX *)arg);
|
58
|
+
}
|
59
|
+
|
60
|
+
static VALUE
|
61
|
+
call_verify_cb_proc(VALUE arg)
|
62
|
+
{
|
63
|
+
struct ossl_verify_cb_args *args = (struct ossl_verify_cb_args *)arg;
|
57
64
|
return rb_funcall(args->proc, rb_intern("call"), 2,
|
58
65
|
args->preverify_ok, args->store_ctx);
|
59
66
|
}
|
@@ -69,7 +76,7 @@ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
|
|
69
76
|
return ok;
|
70
77
|
|
71
78
|
ret = Qfalse;
|
72
|
-
rctx = rb_protect(
|
79
|
+
rctx = rb_protect(ossl_x509stctx_new_i, (VALUE)ctx, &state);
|
73
80
|
if (state) {
|
74
81
|
rb_set_errinfo(Qnil);
|
75
82
|
rb_warn("StoreContext initialization failure");
|
@@ -78,7 +85,7 @@ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
|
|
78
85
|
args.proc = proc;
|
79
86
|
args.preverify_ok = ok ? Qtrue : Qfalse;
|
80
87
|
args.store_ctx = rctx;
|
81
|
-
ret = rb_protect(
|
88
|
+
ret = rb_protect(call_verify_cb_proc, (VALUE)&args, &state);
|
82
89
|
if (state) {
|
83
90
|
rb_set_errinfo(Qnil);
|
84
91
|
rb_warn("exception in verify_callback is ignored");
|
@@ -105,6 +112,13 @@ VALUE cX509Store;
|
|
105
112
|
VALUE cX509StoreContext;
|
106
113
|
VALUE eX509StoreError;
|
107
114
|
|
115
|
+
static void
|
116
|
+
ossl_x509store_mark(void *ptr)
|
117
|
+
{
|
118
|
+
X509_STORE *store = ptr;
|
119
|
+
rb_gc_mark((VALUE)X509_STORE_get_ex_data(store, store_ex_verify_cb_idx));
|
120
|
+
}
|
121
|
+
|
108
122
|
static void
|
109
123
|
ossl_x509store_free(void *ptr)
|
110
124
|
{
|
@@ -114,7 +128,7 @@ ossl_x509store_free(void *ptr)
|
|
114
128
|
static const rb_data_type_t ossl_x509store_type = {
|
115
129
|
"OpenSSL/X509/STORE",
|
116
130
|
{
|
117
|
-
|
131
|
+
ossl_x509store_mark, ossl_x509store_free,
|
118
132
|
},
|
119
133
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
120
134
|
};
|
@@ -157,9 +171,8 @@ ossl_x509store_alloc(VALUE klass)
|
|
157
171
|
VALUE obj;
|
158
172
|
|
159
173
|
obj = NewX509Store(klass);
|
160
|
-
if((store = X509_STORE_new()) == NULL)
|
161
|
-
ossl_raise(eX509StoreError,
|
162
|
-
}
|
174
|
+
if ((store = X509_STORE_new()) == NULL)
|
175
|
+
ossl_raise(eX509StoreError, "X509_STORE_new");
|
163
176
|
SetX509Store(obj, store);
|
164
177
|
|
165
178
|
return obj;
|
@@ -192,8 +205,9 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
|
|
192
205
|
{
|
193
206
|
X509_STORE *store;
|
194
207
|
|
195
|
-
/* BUG: This method takes any number of arguments but appears to ignore them. */
|
196
208
|
GetX509Store(self, store);
|
209
|
+
if (argc != 0)
|
210
|
+
rb_warn("OpenSSL::X509::Store.new does not take any arguments");
|
197
211
|
#if !defined(HAVE_OPAQUE_OPENSSL)
|
198
212
|
/* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */
|
199
213
|
store->ex_data.sk = NULL;
|
@@ -214,8 +228,16 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
|
|
214
228
|
* call-seq:
|
215
229
|
* store.flags = flags
|
216
230
|
*
|
217
|
-
* Sets
|
218
|
-
*
|
231
|
+
* Sets the default flags used by certificate chain verification performed with
|
232
|
+
* the Store.
|
233
|
+
*
|
234
|
+
* _flags_ consists of zero or more of the constants defined in OpenSSL::X509
|
235
|
+
* with name V_FLAG_* or'ed together.
|
236
|
+
*
|
237
|
+
* OpenSSL::X509::StoreContext#flags= can be used to change the flags for a
|
238
|
+
* single verification operation.
|
239
|
+
*
|
240
|
+
* See also the man page X509_VERIFY_PARAM_set_flags(3).
|
219
241
|
*/
|
220
242
|
static VALUE
|
221
243
|
ossl_x509store_set_flags(VALUE self, VALUE flags)
|
@@ -233,9 +255,9 @@ ossl_x509store_set_flags(VALUE self, VALUE flags)
|
|
233
255
|
* call-seq:
|
234
256
|
* store.purpose = purpose
|
235
257
|
*
|
236
|
-
* Sets the store's
|
237
|
-
* the store will check every
|
238
|
-
* with the purpose. The purpose is specified by constants:
|
258
|
+
* Sets the store's default verification purpose. If specified,
|
259
|
+
* the verifications on the store will check every certificate's extensions are
|
260
|
+
* consistent with the purpose. The purpose is specified by constants:
|
239
261
|
*
|
240
262
|
* * X509::PURPOSE_SSL_CLIENT
|
241
263
|
* * X509::PURPOSE_SSL_SERVER
|
@@ -246,6 +268,11 @@ ossl_x509store_set_flags(VALUE self, VALUE flags)
|
|
246
268
|
* * X509::PURPOSE_ANY
|
247
269
|
* * X509::PURPOSE_OCSP_HELPER
|
248
270
|
* * X509::PURPOSE_TIMESTAMP_SIGN
|
271
|
+
*
|
272
|
+
* OpenSSL::X509::StoreContext#purpose= can be used to change the value for a
|
273
|
+
* single verification operation.
|
274
|
+
*
|
275
|
+
* See also the man page X509_VERIFY_PARAM_set_purpose(3).
|
249
276
|
*/
|
250
277
|
static VALUE
|
251
278
|
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
|
@@ -262,6 +289,14 @@ ossl_x509store_set_purpose(VALUE self, VALUE purpose)
|
|
262
289
|
/*
|
263
290
|
* call-seq:
|
264
291
|
* store.trust = trust
|
292
|
+
*
|
293
|
+
* Sets the default trust settings used by the certificate verification with
|
294
|
+
* the store.
|
295
|
+
*
|
296
|
+
* OpenSSL::X509::StoreContext#trust= can be used to change the value for a
|
297
|
+
* single verification operation.
|
298
|
+
*
|
299
|
+
* See also the man page X509_VERIFY_PARAM_set_trust(3).
|
265
300
|
*/
|
266
301
|
static VALUE
|
267
302
|
ossl_x509store_set_trust(VALUE self, VALUE trust)
|
@@ -279,7 +314,13 @@ ossl_x509store_set_trust(VALUE self, VALUE trust)
|
|
279
314
|
* call-seq:
|
280
315
|
* store.time = time
|
281
316
|
*
|
282
|
-
* Sets the time to be used in verifications.
|
317
|
+
* Sets the time to be used in the certificate verifications with the store.
|
318
|
+
* By default, if not specified, the current system time is used.
|
319
|
+
*
|
320
|
+
* OpenSSL::X509::StoreContext#time= can be used to change the value for a
|
321
|
+
* single verification operation.
|
322
|
+
*
|
323
|
+
* See also the man page X509_VERIFY_PARAM_set_time(3).
|
283
324
|
*/
|
284
325
|
static VALUE
|
285
326
|
ossl_x509store_set_time(VALUE self, VALUE time)
|
@@ -295,23 +336,23 @@ ossl_x509store_set_time(VALUE self, VALUE time)
|
|
295
336
|
* Adds the certificates in _file_ to the certificate store. _file_ is the path
|
296
337
|
* to the file, and the file contains one or more certificates in PEM format
|
297
338
|
* concatenated together.
|
339
|
+
*
|
340
|
+
* See also the man page X509_LOOKUP_file(3).
|
298
341
|
*/
|
299
342
|
static VALUE
|
300
343
|
ossl_x509store_add_file(VALUE self, VALUE file)
|
301
344
|
{
|
302
345
|
X509_STORE *store;
|
303
346
|
X509_LOOKUP *lookup;
|
304
|
-
char *path
|
347
|
+
const char *path;
|
305
348
|
|
306
|
-
if(file != Qnil){
|
307
|
-
path = StringValueCStr(file);
|
308
|
-
}
|
309
349
|
GetX509Store(self, store);
|
350
|
+
path = StringValueCStr(file);
|
310
351
|
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
|
311
|
-
if(lookup
|
312
|
-
|
313
|
-
|
314
|
-
|
352
|
+
if (!lookup)
|
353
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
|
354
|
+
if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1)
|
355
|
+
ossl_raise(eX509StoreError, "X509_LOOKUP_load_file");
|
315
356
|
#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
|
316
357
|
/*
|
317
358
|
* X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
|
@@ -330,23 +371,23 @@ ossl_x509store_add_file(VALUE self, VALUE file)
|
|
330
371
|
* store.add_path(path) -> self
|
331
372
|
*
|
332
373
|
* Adds _path_ as the hash dir to be looked up by the store.
|
374
|
+
*
|
375
|
+
* See also the man page X509_LOOKUP_hash_dir(3).
|
333
376
|
*/
|
334
377
|
static VALUE
|
335
378
|
ossl_x509store_add_path(VALUE self, VALUE dir)
|
336
379
|
{
|
337
380
|
X509_STORE *store;
|
338
381
|
X509_LOOKUP *lookup;
|
339
|
-
char *path
|
382
|
+
const char *path;
|
340
383
|
|
341
|
-
if(dir != Qnil){
|
342
|
-
path = StringValueCStr(dir);
|
343
|
-
}
|
344
384
|
GetX509Store(self, store);
|
385
|
+
path = StringValueCStr(dir);
|
345
386
|
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
|
346
|
-
if(lookup
|
347
|
-
|
348
|
-
|
349
|
-
|
387
|
+
if (!lookup)
|
388
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
|
389
|
+
if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1)
|
390
|
+
ossl_raise(eX509StoreError, "X509_LOOKUP_add_dir");
|
350
391
|
|
351
392
|
return self;
|
352
393
|
}
|
@@ -361,6 +402,8 @@ ossl_x509store_add_path(VALUE self, VALUE dir)
|
|
361
402
|
*
|
362
403
|
* * OpenSSL::X509::DEFAULT_CERT_FILE
|
363
404
|
* * OpenSSL::X509::DEFAULT_CERT_DIR
|
405
|
+
*
|
406
|
+
* See also the man page X509_STORE_set_default_paths(3).
|
364
407
|
*/
|
365
408
|
static VALUE
|
366
409
|
ossl_x509store_set_default_paths(VALUE self)
|
@@ -368,18 +411,19 @@ ossl_x509store_set_default_paths(VALUE self)
|
|
368
411
|
X509_STORE *store;
|
369
412
|
|
370
413
|
GetX509Store(self, store);
|
371
|
-
if (X509_STORE_set_default_paths(store) != 1)
|
372
|
-
ossl_raise(eX509StoreError,
|
373
|
-
}
|
414
|
+
if (X509_STORE_set_default_paths(store) != 1)
|
415
|
+
ossl_raise(eX509StoreError, "X509_STORE_set_default_paths");
|
374
416
|
|
375
417
|
return Qnil;
|
376
418
|
}
|
377
419
|
|
378
420
|
/*
|
379
421
|
* call-seq:
|
380
|
-
* store.add_cert(cert)
|
422
|
+
* store.add_cert(cert) -> self
|
381
423
|
*
|
382
424
|
* Adds the OpenSSL::X509::Certificate _cert_ to the certificate store.
|
425
|
+
*
|
426
|
+
* See also the man page X509_STORE_add_cert(3).
|
383
427
|
*/
|
384
428
|
static VALUE
|
385
429
|
ossl_x509store_add_cert(VALUE self, VALUE arg)
|
@@ -389,9 +433,8 @@ ossl_x509store_add_cert(VALUE self, VALUE arg)
|
|
389
433
|
|
390
434
|
cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
|
391
435
|
GetX509Store(self, store);
|
392
|
-
if (X509_STORE_add_cert(store, cert) != 1)
|
393
|
-
ossl_raise(eX509StoreError,
|
394
|
-
}
|
436
|
+
if (X509_STORE_add_cert(store, cert) != 1)
|
437
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_cert");
|
395
438
|
|
396
439
|
return self;
|
397
440
|
}
|
@@ -401,6 +444,8 @@ ossl_x509store_add_cert(VALUE self, VALUE arg)
|
|
401
444
|
* store.add_crl(crl) -> self
|
402
445
|
*
|
403
446
|
* Adds the OpenSSL::X509::CRL _crl_ to the store.
|
447
|
+
*
|
448
|
+
* See also the man page X509_STORE_add_crl(3).
|
404
449
|
*/
|
405
450
|
static VALUE
|
406
451
|
ossl_x509store_add_crl(VALUE self, VALUE arg)
|
@@ -410,9 +455,8 @@ ossl_x509store_add_crl(VALUE self, VALUE arg)
|
|
410
455
|
|
411
456
|
crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */
|
412
457
|
GetX509Store(self, store);
|
413
|
-
if (X509_STORE_add_crl(store, crl) != 1)
|
414
|
-
ossl_raise(eX509StoreError,
|
415
|
-
}
|
458
|
+
if (X509_STORE_add_crl(store, crl) != 1)
|
459
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_crl");
|
416
460
|
|
417
461
|
return self;
|
418
462
|
}
|
@@ -456,23 +500,16 @@ ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
|
|
456
500
|
return result;
|
457
501
|
}
|
458
502
|
|
459
|
-
/*
|
460
|
-
* Public Functions
|
461
|
-
*/
|
462
|
-
static void ossl_x509stctx_free(void*);
|
463
|
-
|
464
|
-
|
465
|
-
static const rb_data_type_t ossl_x509stctx_type = {
|
466
|
-
"OpenSSL/X509/STORE_CTX",
|
467
|
-
{
|
468
|
-
0, ossl_x509stctx_free,
|
469
|
-
},
|
470
|
-
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
471
|
-
};
|
472
|
-
|
473
503
|
/*
|
474
504
|
* Private functions
|
475
505
|
*/
|
506
|
+
static void
|
507
|
+
ossl_x509stctx_mark(void *ptr)
|
508
|
+
{
|
509
|
+
X509_STORE_CTX *ctx = ptr;
|
510
|
+
rb_gc_mark((VALUE)X509_STORE_CTX_get_ex_data(ctx, stctx_ex_verify_cb_idx));
|
511
|
+
}
|
512
|
+
|
476
513
|
static void
|
477
514
|
ossl_x509stctx_free(void *ptr)
|
478
515
|
{
|
@@ -484,6 +521,14 @@ ossl_x509stctx_free(void *ptr)
|
|
484
521
|
X509_STORE_CTX_free(ctx);
|
485
522
|
}
|
486
523
|
|
524
|
+
static const rb_data_type_t ossl_x509stctx_type = {
|
525
|
+
"OpenSSL/X509/STORE_CTX",
|
526
|
+
{
|
527
|
+
ossl_x509stctx_mark, ossl_x509stctx_free,
|
528
|
+
},
|
529
|
+
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
530
|
+
};
|
531
|
+
|
487
532
|
static VALUE
|
488
533
|
ossl_x509stctx_alloc(VALUE klass)
|
489
534
|
{
|
@@ -491,9 +536,8 @@ ossl_x509stctx_alloc(VALUE klass)
|
|
491
536
|
VALUE obj;
|
492
537
|
|
493
538
|
obj = NewX509StCtx(klass);
|
494
|
-
if((ctx = X509_STORE_CTX_new()) == NULL)
|
495
|
-
ossl_raise(eX509StoreError,
|
496
|
-
}
|
539
|
+
if ((ctx = X509_STORE_CTX_new()) == NULL)
|
540
|
+
ossl_raise(eX509StoreError, "X509_STORE_CTX_new");
|
497
541
|
SetX509StCtx(obj, ctx);
|
498
542
|
|
499
543
|
return obj;
|
@@ -517,7 +561,9 @@ static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
|
|
517
561
|
|
518
562
|
/*
|
519
563
|
* call-seq:
|
520
|
-
* StoreContext.new(store, cert = nil,
|
564
|
+
* StoreContext.new(store, cert = nil, untrusted = nil)
|
565
|
+
*
|
566
|
+
* Sets up a StoreContext for a verification of the X.509 certificate _cert_.
|
521
567
|
*/
|
522
568
|
static VALUE
|
523
569
|
ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
|
@@ -527,15 +573,24 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
|
|
527
573
|
X509_STORE *x509st;
|
528
574
|
X509 *x509 = NULL;
|
529
575
|
STACK_OF(X509) *x509s = NULL;
|
576
|
+
int state;
|
530
577
|
|
531
578
|
rb_scan_args(argc, argv, "12", &store, &cert, &chain);
|
532
579
|
GetX509StCtx(self, ctx);
|
533
580
|
GetX509Store(store, x509st);
|
534
|
-
if(!NIL_P(cert))
|
535
|
-
|
536
|
-
if(
|
581
|
+
if (!NIL_P(cert))
|
582
|
+
x509 = DupX509CertPtr(cert); /* NEED TO DUP */
|
583
|
+
if (!NIL_P(chain)) {
|
584
|
+
x509s = ossl_protect_x509_ary2sk(chain, &state);
|
585
|
+
if (state) {
|
586
|
+
X509_free(x509);
|
587
|
+
rb_jump_tag(state);
|
588
|
+
}
|
589
|
+
}
|
590
|
+
if (X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
|
591
|
+
X509_free(x509);
|
537
592
|
sk_X509_pop_free(x509s, X509_free);
|
538
|
-
ossl_raise(eX509StoreError,
|
593
|
+
ossl_raise(eX509StoreError, "X509_STORE_CTX_init");
|
539
594
|
}
|
540
595
|
if (!NIL_P(t = rb_iv_get(store, "@time")))
|
541
596
|
ossl_x509stctx_set_time(self, t);
|
@@ -548,6 +603,10 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
|
|
548
603
|
/*
|
549
604
|
* call-seq:
|
550
605
|
* stctx.verify -> true | false
|
606
|
+
*
|
607
|
+
* Performs the certificate verification using the parameters set to _stctx_.
|
608
|
+
*
|
609
|
+
* See also the man page X509_verify_cert(3).
|
551
610
|
*/
|
552
611
|
static VALUE
|
553
612
|
ossl_x509stctx_verify(VALUE self)
|
@@ -560,48 +619,45 @@ ossl_x509stctx_verify(VALUE self)
|
|
560
619
|
|
561
620
|
switch (X509_verify_cert(ctx)) {
|
562
621
|
case 1:
|
563
|
-
|
622
|
+
return Qtrue;
|
564
623
|
case 0:
|
565
|
-
|
566
|
-
|
624
|
+
ossl_clear_error();
|
625
|
+
return Qfalse;
|
567
626
|
default:
|
568
|
-
|
627
|
+
ossl_raise(eX509CertError, "X509_verify_cert");
|
569
628
|
}
|
570
629
|
}
|
571
630
|
|
572
631
|
/*
|
573
632
|
* call-seq:
|
574
|
-
* stctx.chain -> Array of X509::Certificate
|
633
|
+
* stctx.chain -> nil | Array of X509::Certificate
|
634
|
+
*
|
635
|
+
* Returns the verified chain.
|
636
|
+
*
|
637
|
+
* See also the man page X509_STORE_CTX_set0_verified_chain(3).
|
575
638
|
*/
|
576
639
|
static VALUE
|
577
640
|
ossl_x509stctx_get_chain(VALUE self)
|
578
641
|
{
|
579
642
|
X509_STORE_CTX *ctx;
|
580
|
-
STACK_OF(X509) *chain;
|
581
|
-
X509 *x509;
|
582
|
-
int i, num;
|
583
|
-
VALUE ary;
|
643
|
+
const STACK_OF(X509) *chain;
|
584
644
|
|
585
645
|
GetX509StCtx(self, ctx);
|
586
|
-
|
587
|
-
|
588
|
-
|
589
|
-
|
590
|
-
OSSL_Debug("certs in chain < 0???");
|
591
|
-
return rb_ary_new();
|
592
|
-
}
|
593
|
-
ary = rb_ary_new2(num);
|
594
|
-
for(i = 0; i < num; i++) {
|
595
|
-
x509 = sk_X509_value(chain, i);
|
596
|
-
rb_ary_push(ary, ossl_x509_new(x509));
|
597
|
-
}
|
598
|
-
|
599
|
-
return ary;
|
646
|
+
chain = X509_STORE_CTX_get0_chain(ctx);
|
647
|
+
if (!chain)
|
648
|
+
return Qnil; /* Could be an empty array instead? */
|
649
|
+
return ossl_x509_sk2ary(chain);
|
600
650
|
}
|
601
651
|
|
602
652
|
/*
|
603
653
|
* call-seq:
|
604
654
|
* stctx.error -> Integer
|
655
|
+
*
|
656
|
+
* Returns the error code of _stctx_. This is typically called after #verify
|
657
|
+
* is done, or from the verification callback set to
|
658
|
+
* OpenSSL::X509::Store#verify_callback=.
|
659
|
+
*
|
660
|
+
* See also the man page X509_STORE_CTX_get_error(3).
|
605
661
|
*/
|
606
662
|
static VALUE
|
607
663
|
ossl_x509stctx_get_err(VALUE self)
|
@@ -616,6 +672,11 @@ ossl_x509stctx_get_err(VALUE self)
|
|
616
672
|
/*
|
617
673
|
* call-seq:
|
618
674
|
* stctx.error = error_code
|
675
|
+
*
|
676
|
+
* Sets the error code of _stctx_. This is used by the verification callback
|
677
|
+
* set to OpenSSL::X509::Store#verify_callback=.
|
678
|
+
*
|
679
|
+
* See also the man page X509_STORE_CTX_set_error(3).
|
619
680
|
*/
|
620
681
|
static VALUE
|
621
682
|
ossl_x509stctx_set_error(VALUE self, VALUE err)
|
@@ -632,7 +693,10 @@ ossl_x509stctx_set_error(VALUE self, VALUE err)
|
|
632
693
|
* call-seq:
|
633
694
|
* stctx.error_string -> String
|
634
695
|
*
|
635
|
-
* Returns the error string corresponding to the error code
|
696
|
+
* Returns the human readable error string corresponding to the error code
|
697
|
+
* retrieved by #error.
|
698
|
+
*
|
699
|
+
* See also the man page X509_verify_cert_error_string(3).
|
636
700
|
*/
|
637
701
|
static VALUE
|
638
702
|
ossl_x509stctx_get_err_string(VALUE self)
|
@@ -649,6 +713,10 @@ ossl_x509stctx_get_err_string(VALUE self)
|
|
649
713
|
/*
|
650
714
|
* call-seq:
|
651
715
|
* stctx.error_depth -> Integer
|
716
|
+
*
|
717
|
+
* Returns the depth of the chain. This is used in combination with #error.
|
718
|
+
*
|
719
|
+
* See also the man page X509_STORE_CTX_get_error_depth(3).
|
652
720
|
*/
|
653
721
|
static VALUE
|
654
722
|
ossl_x509stctx_get_err_depth(VALUE self)
|
@@ -663,6 +731,10 @@ ossl_x509stctx_get_err_depth(VALUE self)
|
|
663
731
|
/*
|
664
732
|
* call-seq:
|
665
733
|
* stctx.current_cert -> X509::Certificate
|
734
|
+
*
|
735
|
+
* Returns the certificate which caused the error.
|
736
|
+
*
|
737
|
+
* See also the man page X509_STORE_CTX_get_current_cert(3).
|
666
738
|
*/
|
667
739
|
static VALUE
|
668
740
|
ossl_x509stctx_get_curr_cert(VALUE self)
|
@@ -677,6 +749,10 @@ ossl_x509stctx_get_curr_cert(VALUE self)
|
|
677
749
|
/*
|
678
750
|
* call-seq:
|
679
751
|
* stctx.current_crl -> X509::CRL
|
752
|
+
*
|
753
|
+
* Returns the CRL which caused the error.
|
754
|
+
*
|
755
|
+
* See also the man page X509_STORE_CTX_get_current_crl(3).
|
680
756
|
*/
|
681
757
|
static VALUE
|
682
758
|
ossl_x509stctx_get_curr_crl(VALUE self)
|
@@ -696,7 +772,10 @@ ossl_x509stctx_get_curr_crl(VALUE self)
|
|
696
772
|
* call-seq:
|
697
773
|
* stctx.flags = flags
|
698
774
|
*
|
699
|
-
* Sets the verification flags to the context.
|
775
|
+
* Sets the verification flags to the context. This overrides the default value
|
776
|
+
* set by Store#flags=.
|
777
|
+
*
|
778
|
+
* See also the man page X509_VERIFY_PARAM_set_flags(3).
|
700
779
|
*/
|
701
780
|
static VALUE
|
702
781
|
ossl_x509stctx_set_flags(VALUE self, VALUE flags)
|
@@ -714,7 +793,10 @@ ossl_x509stctx_set_flags(VALUE self, VALUE flags)
|
|
714
793
|
* call-seq:
|
715
794
|
* stctx.purpose = purpose
|
716
795
|
*
|
717
|
-
* Sets the purpose of the context.
|
796
|
+
* Sets the purpose of the context. This overrides the default value set by
|
797
|
+
* Store#purpose=.
|
798
|
+
*
|
799
|
+
* See also the man page X509_VERIFY_PARAM_set_purpose(3).
|
718
800
|
*/
|
719
801
|
static VALUE
|
720
802
|
ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
|
@@ -731,6 +813,11 @@ ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
|
|
731
813
|
/*
|
732
814
|
* call-seq:
|
733
815
|
* stctx.trust = trust
|
816
|
+
*
|
817
|
+
* Sets the trust settings of the context. This overrides the default value set
|
818
|
+
* by Store#trust=.
|
819
|
+
*
|
820
|
+
* See also the man page X509_VERIFY_PARAM_set_trust(3).
|
734
821
|
*/
|
735
822
|
static VALUE
|
736
823
|
ossl_x509stctx_set_trust(VALUE self, VALUE trust)
|
@@ -749,6 +836,8 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust)
|
|
749
836
|
* stctx.time = time
|
750
837
|
*
|
751
838
|
* Sets the time used in the verification. If not set, the current time is used.
|
839
|
+
*
|
840
|
+
* See also the man page X509_VERIFY_PARAM_set_time(3).
|
752
841
|
*/
|
753
842
|
static VALUE
|
754
843
|
ossl_x509stctx_set_time(VALUE self, VALUE time)
|
@@ -824,23 +913,37 @@ Init_ossl_x509store(void)
|
|
824
913
|
cX509Store = rb_define_class_under(mX509, "Store", rb_cObject);
|
825
914
|
/*
|
826
915
|
* The callback for additional certificate verification. It is invoked for
|
827
|
-
* each
|
916
|
+
* each certificate in the chain and can be used to implement custom
|
917
|
+
* certificate verification conditions.
|
828
918
|
*
|
829
919
|
* The callback is invoked with two values, a boolean that indicates if the
|
830
920
|
* pre-verification by OpenSSL has succeeded or not, and the StoreContext in
|
831
|
-
* use.
|
921
|
+
* use.
|
922
|
+
*
|
923
|
+
* The callback can use StoreContext#error= to change the error code as
|
924
|
+
* needed. The callback must return either true or false.
|
925
|
+
*
|
926
|
+
* NOTE: any exception raised within the callback will be ignored.
|
927
|
+
*
|
928
|
+
* See also the man page X509_STORE_CTX_set_verify_cb(3).
|
832
929
|
*/
|
833
930
|
rb_attr(cX509Store, rb_intern("verify_callback"), 1, 0, Qfalse);
|
834
931
|
/*
|
835
932
|
* The error code set by the last call of #verify.
|
933
|
+
*
|
934
|
+
* See also StoreContext#error.
|
836
935
|
*/
|
837
936
|
rb_attr(cX509Store, rb_intern("error"), 1, 0, Qfalse);
|
838
937
|
/*
|
839
938
|
* The description for the error code set by the last call of #verify.
|
939
|
+
*
|
940
|
+
* See also StoreContext#error_string.
|
840
941
|
*/
|
841
942
|
rb_attr(cX509Store, rb_intern("error_string"), 1, 0, Qfalse);
|
842
943
|
/*
|
843
944
|
* The certificate chain constructed by the last call of #verify.
|
945
|
+
*
|
946
|
+
* See also StoreContext#chain.
|
844
947
|
*/
|
845
948
|
rb_attr(cX509Store, rb_intern("chain"), 1, 0, Qfalse);
|
846
949
|
rb_define_alloc_func(cX509Store, ossl_x509store_alloc);
|