r509-ocsp-responder 0.3.1 → 0.3.2

data/README.md

@@ -3,15 +3,112 @@ r509-ocsp-responder is an OCSP responder written using [r509](https://github.com
 
 ##Requirements
 
-r509-ocsp-responder depends on [r509](https://github.com/reaperhulk/r509), [redis](http://redis.io), [r509-validity-redis](https://github.com/sirsean/r509-validity-redis) (or another library that implements R509::Validity), [sinatra](http://sinatrarb.com), [r509-ocsp-stats](https://github.com/sirsean/r509-ocsp-stats), and [dependo](https://github.com/sirsean/dependo). These must be installed as gems.
+r509-ocsp-responder depends on [r509](https://github.com/reaperhulk/r509), [redis](http://redis.io), [r509-validity-redis](https://github.com/sirsean/r509-validity-redis) (or another library that implements R509::Validity), [sinatra](http://sinatrarb.com), and [dependo](https://github.com/sirsean/dependo). Optionally, you can install [r509-ocsp-stats](https://github.com/sirsean/r509-ocsp-stats) for stats collection. These must be installed as gems.
 
 ##Basic Usage
 
-1. Build the gem. If you have cloned the repo you can build the gem with ```rake gem:build```. You will need
-2. Install the gem. ```rake gem:install```
-3. Set up your config.ru and config.yaml. At this time you'll need to copy the config.ru from the gem install to another dir with your config.yaml. You should also copy (and modify) the config.yaml.example file from the gem. You'll need to alter the config.ru's require line from ```require './lib/r509/ocsp/responder/server'``` to ```require 'r509/ocsp/responder/server'``` if you have it installed as a gem.
+###Build/Install
+If you have cloned the repo you can build the gem with ```rake gem:build``` and install with ```rake gem:install``` . Alternately you can use a prebuilt gem by typing ```gem install r509-ocsp-responder``` .
 
-Once you've done that you can set up your rack server. The example below is an example yaml config for thin. You will want to have as many servers as you have cores.
+###Set Up config.ru
+Save the below into a config.ru (or rackup) file
+
+```ruby
+require "r509"
+require "dependo"
+require 'r509/ocsp/responder/server'
+
+Dependo::Registry[:log] = Logger.new(STDOUT)
+
+require "r509/validity/redis"
+require 'redis'
+begin
+  gem "hiredis"
+  Dependo::Registry[:log].warn "Loading redis with hiredis driver"
+  redis = Redis.new(:driver => :hiredis)
+rescue Gem::LoadError
+  Dependo::Registry[:log].warn "Loading redis with standard ruby driver"
+  redis = Redis.new
+end
+Dependo::Registry[:validity_checker] = R509::Validity::Redis::Checker.new(redis)
+
+
+R509::OCSP::Responder::OCSPConfig.load_config
+
+R509::OCSP::Responder::OCSPConfig.print_config
+
+# Uncomment the next two lines if you want to collect stats via r509-ocsp-stats
+# require "r509/ocsp/stats/redis"
+# Dependo::Registry[:stats] = R509::OCSP::Stats::Redis.new
+
+responder = R509::OCSP::Responder::Server
+run responder
+```
+
+
+###Configure config.yaml
+The config.yaml contains certificate authority nodes as well as options like copy_nonce (documented below). Each CA node has an arbitrary name like test_ca and contains a ca_cert and (optional) ocsp_cert node. If you want to sign OCSP responses directly from your root you'll set your config up like this:
+
+```yaml
+copy_nonce: true
+cache_headers: true
+max_cache_age: 60
+certificate_authorities: {
+  second_ca: {
+    ca_cert: {
+      cert: "spec/fixtures/second_ca.cer",
+      key: "spec/fixtures/second_ca.key"
+    }
+  }
+}
+```
+
+If you want to use an OCSP delegate
+
+```yaml
+copy_nonce: true
+cache_headers: true
+max_cache_age: 60
+certificate_authorities: {
+  test_ca: {
+    ca_cert: {
+      cert: "spec/fixtures/test_ca.cer"
+    },
+    ocsp_cert: {
+      cert: "spec/fixtures/test_ca_ocsp.cer",
+      key: "spec/fixtures/test_ca_ocsp.key"
+    }
+  }
+}
+```
+
+Finally, if you're responding for multiple roots you specify them like so:
+
+```yaml
+copy_nonce: true
+cache_headers: true
+max_cache_age: 60
+certificate_authorities: {
+  test_ca: {
+    ca_cert: {
+      cert: "spec/fixtures/test_ca.cer"
+    },
+    ocsp_cert: {
+      cert: "spec/fixtures/test_ca_ocsp.cer",
+      key: "spec/fixtures/test_ca_ocsp.key"
+    }
+  },
+  second_ca: {
+    ca_cert: {
+      cert: "spec/fixtures/second_ca.cer",
+      key: "spec/fixtures/second_ca.key"
+    }
+  }
+}
+```
+
+###Configure Thin & nginx
+The example below is an example yaml config for thin. You will want to have as many servers as you have cores.
 
 ```yaml
 chdir: /var/www/r509-ocsp-responder
@@ -30,18 +127,18 @@ proxy_cache_path  /var/www/cache levels=1:2 keys_zone=ocsp:8m max_size=16m inact
 proxy_temp_path /var/www/cache/tmp;
 
 upstream thin_ocsp_responder{
-    server unix:/var/run/r509-ocsp-responder.0.sock fail_timeout=0;
-    server unix:/var/run/r509-ocsp-responder.1.sock fail_timeout=0;
+  server unix:/var/run/r509-ocsp-responder.0.sock fail_timeout=0;
+  server unix:/var/run/r509-ocsp-responder.1.sock fail_timeout=0;
 }
 server {
-    listen       80;
-    server_name  ocsp.r509.org;
-
-    location / {
-        proxy_pass http://thin_ocsp_responder;
-        proxy_cache ocsp;
-        proxy_cache_use_stale updating;
-    }
+  listen     80;
+  server_name  ocsp.r509.org;
+
+  location / {
+    proxy_pass http://thin_ocsp_responder;
+    proxy_cache ocsp;
+    proxy_cache_use_stale updating;
+  }
 }
 ```
 
@@ -65,8 +162,6 @@ This OCSP responder supports several optional flags (in addition to supporting a
 
 * __max\_cache\_age__ - (integer) Sets the maximum age in __seconds__ a response can be cached. At this time r509-ocsp-responder does not support cache invalidation so it is recommended to set this to a low value to reduce the time you may serve stale responses in the event of a revocation.
 
-See the config.yaml.example for an example configuration.
-
 ##Signals
 You can send a kill -USR2 signal to any running r509-ocsp-responder process to cause it to reload and print its config to the logs (provided your app server isn't trapping USR2 first).
 

data/doc/R509.html

@@ -6,13 +6,13 @@
 <title>
   Module: R509
   
-    &mdash; Documentation by YARD 0.8.2.1
+    &mdash; Documentation by YARD 0.8.6.1
   
 </title>
 
-  <link rel="stylesheet" href="css/style.css" type="text/css" media="screen" charset="utf-8" />
+  <link rel="stylesheet" href="css/style.css" type="text/css" charset="utf-8" />
 
-  <link rel="stylesheet" href="css/common.css" type="text/css" media="screen" charset="utf-8" />
+  <link rel="stylesheet" href="css/common.css" type="text/css" charset="utf-8" />
 
 <script type="text/javascript" charset="utf-8">
   hasFrames = window.top.frames.main ? true : false;
@@ -88,7 +88,7 @@
 <p class="children">
   
     
-      <strong class="modules">Modules:</strong> <span class='object_link'><a href="R509/Ocsp.html" title="R509::Ocsp (module)">Ocsp</a></span>
+      <strong class="modules">Modules:</strong> <span class='object_link'><a href="R509/OCSP.html" title="R509::OCSP (module)">OCSP</a></span>
     
   
     
@@ -106,9 +106,9 @@
 </div>
 
     <div id="footer">
-  Generated on Thu Nov  8 14:33:52 2012 by
+  Generated on Tue Apr 16 13:57:16 2013 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
-  0.8.2.1 (ruby-1.9.3).
+  0.8.6.1 (ruby-1.9.3).
 </div>
 
   </body>

data/doc/R509/Ocsp.html

@@ -4,15 +4,15 @@
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <title>
-  Module: R509::Ocsp
+  Module: R509::OCSP
   
-    &mdash; Documentation by YARD 0.8.2.1
+    &mdash; Documentation by YARD 0.8.6.1
   
 </title>
 
-  <link rel="stylesheet" href="../css/style.css" type="text/css" media="screen" charset="utf-8" />
+  <link rel="stylesheet" href="../css/style.css" type="text/css" charset="utf-8" />
 
-  <link rel="stylesheet" href="../css/common.css" type="text/css" media="screen" charset="utf-8" />
+  <link rel="stylesheet" href="../css/common.css" type="text/css" charset="utf-8" />
 
 <script type="text/javascript" charset="utf-8">
   hasFrames = window.top.frames.main ? true : false;
@@ -34,7 +34,7 @@
     <a href="../_index.html">Index (O)</a> &raquo;
     <span class='title'><span class='object_link'><a href="../R509.html" title="R509 (module)">R509</a></span></span>
      &raquo; 
-    <span class="title">Ocsp</span>
+    <span class="title">OCSP</span>
   
 
   <div class="noframes"><span class="title">(</span><a href="." target="_top">no frames</a><span class="title">)</span></div>
@@ -63,7 +63,7 @@
 
     <iframe id="search_frame"></iframe>
 
-    <div id="content"><h1>Module: R509::Ocsp
+    <div id="content"><h1>Module: R509::OCSP
   
   
   
@@ -101,11 +101,11 @@
 <p class="children">
   
     
-      <strong class="modules">Modules:</strong> <span class='object_link'><a href="Ocsp/Helper.html" title="R509::Ocsp::Helper (module)">Helper</a></span>, <span class='object_link'><a href="Ocsp/Responder.html" title="R509::Ocsp::Responder (module)">Responder</a></span>
+      <strong class="modules">Modules:</strong> <span class='object_link'><a href="OCSP/Helper.html" title="R509::OCSP::Helper (module)">Helper</a></span>, <span class='object_link'><a href="OCSP/Responder.html" title="R509::OCSP::Responder (module)">Responder</a></span>
     
   
     
-      <strong class="classes">Classes:</strong> <span class='object_link'><a href="Ocsp/Signer.html" title="R509::Ocsp::Signer (class)">Signer</a></span>
+      <strong class="classes">Classes:</strong> <span class='object_link'><a href="OCSP/Signer.html" title="R509::OCSP::Signer (class)">Signer</a></span>
     
   
 </p>
@@ -121,9 +121,9 @@
 </div>
 
     <div id="footer">
-  Generated on Thu Nov  8 14:33:52 2012 by
+  Generated on Tue Apr 16 13:57:16 2013 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
-  0.8.2.1 (ruby-1.9.3).
+  0.8.6.1 (ruby-1.9.3).
 </div>
 
   </body>

data/doc/R509/Ocsp/Helper.html

@@ -4,15 +4,15 @@
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <title>
-  Module: R509::Ocsp::Helper
+  Module: R509::OCSP::Helper
   
-    &mdash; Documentation by YARD 0.8.2.1
+    &mdash; Documentation by YARD 0.8.6.1
   
 </title>
 
-  <link rel="stylesheet" href="../../css/style.css" type="text/css" media="screen" charset="utf-8" />
+  <link rel="stylesheet" href="../../css/style.css" type="text/css" charset="utf-8" />
 
-  <link rel="stylesheet" href="../../css/common.css" type="text/css" media="screen" charset="utf-8" />
+  <link rel="stylesheet" href="../../css/common.css" type="text/css" charset="utf-8" />
 
 <script type="text/javascript" charset="utf-8">
   hasFrames = window.top.frames.main ? true : false;
@@ -32,7 +32,7 @@
       <div id="menu">
   
     <a href="../../_index.html">Index (H)</a> &raquo;
-    <span class='title'><span class='object_link'><a href="../../R509.html" title="R509 (module)">R509</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Ocsp.html" title="R509::Ocsp (module)">Ocsp</a></span></span>
+    <span class='title'><span class='object_link'><a href="../../R509.html" title="R509 (module)">R509</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../OCSP.html" title="R509::OCSP (module)">OCSP</a></span></span>
      &raquo; 
     <span class="title">Helper</span>
   
@@ -63,7 +63,7 @@
 
     <iframe id="search_frame"></iframe>
 
-    <div id="content"><h1>Module: R509::Ocsp::Helper
+    <div id="content"><h1>Module: R509::OCSP::Helper
   
   
   
@@ -101,7 +101,7 @@
     
   
     
-      <strong class="classes">Classes:</strong> <span class='object_link'><a href="Helper/RequestChecker.html" title="R509::Ocsp::Helper::RequestChecker (class)">RequestChecker</a></span>, <span class='object_link'><a href="Helper/ResponseSigner.html" title="R509::Ocsp::Helper::ResponseSigner (class)">ResponseSigner</a></span>
+      <strong class="classes">Classes:</strong> <span class='object_link'><a href="Helper/RequestChecker.html" title="R509::OCSP::Helper::RequestChecker (class)">RequestChecker</a></span>, <span class='object_link'><a href="Helper/ResponseSigner.html" title="R509::OCSP::Helper::ResponseSigner (class)">ResponseSigner</a></span>
     
   
 </p>
@@ -117,9 +117,9 @@
 </div>
 
     <div id="footer">
-  Generated on Thu Nov  8 14:33:52 2012 by
+  Generated on Tue Apr 16 13:57:16 2013 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
-  0.8.2.1 (ruby-1.9.3).
+  0.8.6.1 (ruby-1.9.3).
 </div>
 
   </body>

data/doc/R509/Ocsp/Helper/RequestChecker.html

@@ -4,15 +4,15 @@
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <title>
-  Class: R509::Ocsp::Helper::RequestChecker
+  Class: R509::OCSP::Helper::RequestChecker
   
-    &mdash; Documentation by YARD 0.8.2.1
+    &mdash; Documentation by YARD 0.8.6.1
   
 </title>
 
-  <link rel="stylesheet" href="../../../css/style.css" type="text/css" media="screen" charset="utf-8" />
+  <link rel="stylesheet" href="../../../css/style.css" type="text/css" charset="utf-8" />
 
-  <link rel="stylesheet" href="../../../css/common.css" type="text/css" media="screen" charset="utf-8" />
+  <link rel="stylesheet" href="../../../css/common.css" type="text/css" charset="utf-8" />
 
 <script type="text/javascript" charset="utf-8">
   hasFrames = window.top.frames.main ? true : false;
@@ -32,7 +32,7 @@
       <div id="menu">
   
     <a href="../../../_index.html">Index (R)</a> &raquo;
-    <span class='title'><span class='object_link'><a href="../../../R509.html" title="R509 (module)">R509</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../../Ocsp.html" title="R509::Ocsp (module)">Ocsp</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Helper.html" title="R509::Ocsp::Helper (module)">Helper</a></span></span>
+    <span class='title'><span class='object_link'><a href="../../../R509.html" title="R509 (module)">R509</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../../OCSP.html" title="R509::OCSP (module)">OCSP</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Helper.html" title="R509::OCSP::Helper (module)">Helper</a></span></span>
      &raquo; 
     <span class="title">RequestChecker</span>
   
@@ -63,7 +63,7 @@
 
     <iframe id="search_frame"></iframe>
 
-    <div id="content"><h1>Class: R509::Ocsp::Helper::RequestChecker
+    <div id="content"><h1>Class: R509::OCSP::Helper::RequestChecker
   
   
   
@@ -78,7 +78,7 @@
         <ul class="fullTree">
           <li>Object</li>
           
-            <li class="next">R509::Ocsp::Helper::RequestChecker</li>
+            <li class="next">R509::OCSP::Helper::RequestChecker</li>
           
         </ul>
         <a href="#" class="inheritanceTree">show all</a>
@@ -276,7 +276,7 @@
     <div class="method_details first">
   <h3 class="signature first" id="initialize-instance_method">
   
-    - (<tt><span class='object_link'><a href="" title="R509::Ocsp::Helper::RequestChecker (class)">RequestChecker</a></span></tt>) <strong>initialize</strong>(configs, validity_checker) 
+    - (<tt><span class='object_link'><a href="" title="R509::OCSP::Helper::RequestChecker (class)">RequestChecker</a></span></tt>) <strong>initialize</strong>(configs, validity_checker) 
   
 
   
@@ -299,13 +299,13 @@
         <span class='name'>configs</span>
       
       
-        <span class='type'>(<tt>R509::Config::CaConfigPool</tt>)</span>
+        <span class='type'>(<tt>R509::Config::CAConfigPool</tt>)</span>
       
       
       
         &mdash;
         <div class='inline'>
-<p>CaConfigPool object</p>
+<p>CAConfigPool object</p>
 </div>
       
     </li>
@@ -370,34 +370,34 @@
       <pre class="code"><span class="info file"># File 'lib/r509/ocsp/signer.rb', line 62</span>
 
 <span class='kw'>def</span> <span class='id identifier rubyid_initialize'>initialize</span><span class='lparen'>(</span><span class='id identifier rubyid_configs'>configs</span><span class='comma'>,</span> <span class='id identifier rubyid_validity_checker'>validity_checker</span><span class='rparen'>)</span>
-    <span class='kw'>unless</span> <span class='id identifier rubyid_configs'>configs</span><span class='period'>.</span><span class='id identifier rubyid_kind_of?'>kind_of?</span><span class='lparen'>(</span><span class='const'>R509</span><span class='op'>::</span><span class='const'>Config</span><span class='op'>::</span><span class='const'>CaConfigPool</span><span class='rparen'>)</span>
-        <span class='id identifier rubyid_raise'>raise</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>R509Error</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Must pass R509::Config::CaConfigPool object</span><span class='tstring_end'>&quot;</span></span>
-    <span class='kw'>end</span>
-    <span class='kw'>if</span> <span class='id identifier rubyid_configs'>configs</span><span class='period'>.</span><span class='id identifier rubyid_all'>all</span><span class='period'>.</span><span class='id identifier rubyid_empty?'>empty?</span>
-        <span class='id identifier rubyid_raise'>raise</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>R509Error</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Must be at least one R509::Config object</span><span class='tstring_end'>&quot;</span></span>
-    <span class='kw'>end</span>
-    <span class='ivar'>@configs</span> <span class='op'>=</span> <span class='id identifier rubyid_configs'>configs</span><span class='period'>.</span><span class='id identifier rubyid_all'>all</span>
-    <span class='id identifier rubyid_test_cid'>test_cid</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>CertificateId</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>Certificate</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='comma'>,</span><span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>Certificate</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='rparen'>)</span>
-    <span class='kw'>if</span> <span class='id identifier rubyid_test_cid'>test_cid</span><span class='period'>.</span><span class='id identifier rubyid_respond_to?'>respond_to?</span><span class='lparen'>(</span><span class='symbol'>:issuer_key_hash</span><span class='rparen'>)</span>
-        <span class='ivar'>@configs_hash</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span>
-        <span class='ivar'>@configs</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_config'>config</span><span class='op'>|</span>
-            <span class='id identifier rubyid_ee_cert'>ee_cert</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>Certificate</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
-            <span class='id identifier rubyid_ee_cert'>ee_cert</span><span class='period'>.</span><span class='id identifier rubyid_issuer'>issuer</span> <span class='op'>=</span> <span class='id identifier rubyid_config'>config</span><span class='period'>.</span><span class='id identifier rubyid_ca_cert'>ca_cert</span><span class='period'>.</span><span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_subject'>subject</span>
-            <span class='comment'># per RFC 5019
-</span>            <span class='comment'># Clients MUST use SHA1 as the hashing algorithm for the
-</span>            <span class='comment'># CertID.issuerNameHash and the CertID.issuerKeyHash values.
-</span>            <span class='comment'># so we can safely assume that our inbound hashes will be SHA1
-</span>            <span class='id identifier rubyid_issuer_certid'>issuer_certid</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>CertificateId</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_ee_cert'>ee_cert</span><span class='comma'>,</span><span class='id identifier rubyid_config'>config</span><span class='period'>.</span><span class='id identifier rubyid_ca_cert'>ca_cert</span><span class='period'>.</span><span class='id identifier rubyid_cert'>cert</span><span class='comma'>,</span><span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>Digest</span><span class='op'>::</span><span class='const'>SHA1</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='rparen'>)</span>
-            <span class='ivar'>@configs_hash</span><span class='lbracket'>[</span><span class='id identifier rubyid_issuer_certid'>issuer_certid</span><span class='period'>.</span><span class='id identifier rubyid_issuer_key_hash'>issuer_key_hash</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='id identifier rubyid_config'>config</span>
-        <span class='kw'>end</span>
-    <span class='kw'>end</span>
-    <span class='ivar'>@validity_checker</span> <span class='op'>=</span> <span class='id identifier rubyid_validity_checker'>validity_checker</span>
-    <span class='kw'>if</span> <span class='ivar'>@validity_checker</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
-        <span class='id identifier rubyid_raise'>raise</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>R509Error</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Must supply a R509::Validity::Checker</span><span class='tstring_end'>&quot;</span></span>
-    <span class='kw'>end</span>
-    <span class='kw'>if</span> <span class='kw'>not</span> <span class='ivar'>@validity_checker</span><span class='period'>.</span><span class='id identifier rubyid_respond_to?'>respond_to?</span><span class='lparen'>(</span><span class='symbol'>:check</span><span class='rparen'>)</span>
-        <span class='id identifier rubyid_raise'>raise</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>R509Error</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>The validity checker must have a check method</span><span class='tstring_end'>&quot;</span></span>
+  <span class='kw'>unless</span> <span class='id identifier rubyid_configs'>configs</span><span class='period'>.</span><span class='id identifier rubyid_kind_of?'>kind_of?</span><span class='lparen'>(</span><span class='const'>R509</span><span class='op'>::</span><span class='const'>Config</span><span class='op'>::</span><span class='const'>CAConfigPool</span><span class='rparen'>)</span>
+    <span class='id identifier rubyid_raise'>raise</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>R509Error</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Must pass R509::Config::CAConfigPool object</span><span class='tstring_end'>&quot;</span></span>
+  <span class='kw'>end</span>
+  <span class='kw'>if</span> <span class='id identifier rubyid_configs'>configs</span><span class='period'>.</span><span class='id identifier rubyid_all'>all</span><span class='period'>.</span><span class='id identifier rubyid_empty?'>empty?</span>
+    <span class='id identifier rubyid_raise'>raise</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>R509Error</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Must be at least one R509::Config object</span><span class='tstring_end'>&quot;</span></span>
+  <span class='kw'>end</span>
+  <span class='ivar'>@configs</span> <span class='op'>=</span> <span class='id identifier rubyid_configs'>configs</span><span class='period'>.</span><span class='id identifier rubyid_all'>all</span>
+  <span class='id identifier rubyid_test_cid'>test_cid</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>CertificateId</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>Certificate</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='comma'>,</span><span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>Certificate</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='rparen'>)</span>
+  <span class='kw'>if</span> <span class='id identifier rubyid_test_cid'>test_cid</span><span class='period'>.</span><span class='id identifier rubyid_respond_to?'>respond_to?</span><span class='lparen'>(</span><span class='symbol'>:issuer_key_hash</span><span class='rparen'>)</span>
+    <span class='ivar'>@configs_hash</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span>
+    <span class='ivar'>@configs</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_config'>config</span><span class='op'>|</span>
+      <span class='id identifier rubyid_ee_cert'>ee_cert</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>Certificate</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
+      <span class='id identifier rubyid_ee_cert'>ee_cert</span><span class='period'>.</span><span class='id identifier rubyid_issuer'>issuer</span> <span class='op'>=</span> <span class='id identifier rubyid_config'>config</span><span class='period'>.</span><span class='id identifier rubyid_ca_cert'>ca_cert</span><span class='period'>.</span><span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_subject'>subject</span><span class='period'>.</span><span class='id identifier rubyid_name'>name</span>
+      <span class='comment'># per RFC 5019
+</span>      <span class='comment'># Clients MUST use SHA1 as the hashing algorithm for the
+</span>      <span class='comment'># CertID.issuerNameHash and the CertID.issuerKeyHash values.
+</span>      <span class='comment'># so we can safely assume that our inbound hashes will be SHA1
+</span>      <span class='id identifier rubyid_issuer_certid'>issuer_certid</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>CertificateId</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_ee_cert'>ee_cert</span><span class='comma'>,</span><span class='id identifier rubyid_config'>config</span><span class='period'>.</span><span class='id identifier rubyid_ca_cert'>ca_cert</span><span class='period'>.</span><span class='id identifier rubyid_cert'>cert</span><span class='comma'>,</span><span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>Digest</span><span class='op'>::</span><span class='const'>SHA1</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='rparen'>)</span>
+      <span class='ivar'>@configs_hash</span><span class='lbracket'>[</span><span class='id identifier rubyid_issuer_certid'>issuer_certid</span><span class='period'>.</span><span class='id identifier rubyid_issuer_key_hash'>issuer_key_hash</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='id identifier rubyid_config'>config</span>
     <span class='kw'>end</span>
+  <span class='kw'>end</span>
+  <span class='ivar'>@validity_checker</span> <span class='op'>=</span> <span class='id identifier rubyid_validity_checker'>validity_checker</span>
+  <span class='kw'>if</span> <span class='ivar'>@validity_checker</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
+    <span class='id identifier rubyid_raise'>raise</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>R509Error</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Must supply a R509::Validity::Checker</span><span class='tstring_end'>&quot;</span></span>
+  <span class='kw'>end</span>
+  <span class='kw'>if</span> <span class='kw'>not</span> <span class='ivar'>@validity_checker</span><span class='period'>.</span><span class='id identifier rubyid_respond_to?'>respond_to?</span><span class='lparen'>(</span><span class='symbol'>:check</span><span class='rparen'>)</span>
+    <span class='id identifier rubyid_raise'>raise</span> <span class='const'>R509</span><span class='op'>::</span><span class='const'>R509Error</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>The validity checker must have a check method</span><span class='tstring_end'>&quot;</span></span>
+  <span class='kw'>end</span>
 <span class='kw'>end</span></pre>
     </td>
   </tr>
@@ -593,26 +593,26 @@
       <pre class="code"><span class="info file"># File 'lib/r509/ocsp/signer.rb', line 97</span>
 
 <span class='kw'>def</span> <span class='id identifier rubyid_check_statuses'>check_statuses</span><span class='lparen'>(</span><span class='id identifier rubyid_request'>request</span><span class='rparen'>)</span>
-    <span class='id identifier rubyid_request'>request</span><span class='period'>.</span><span class='id identifier rubyid_certid'>certid</span><span class='period'>.</span><span class='id identifier rubyid_map'>map</span> <span class='lbrace'>{</span> <span class='op'>|</span><span class='id identifier rubyid_certid'>certid</span><span class='op'>|</span>
-        <span class='kw'>if</span> <span class='id identifier rubyid_certid'>certid</span><span class='period'>.</span><span class='id identifier rubyid_respond_to?'>respond_to?</span><span class='lparen'>(</span><span class='symbol'>:issuer_key_hash</span><span class='rparen'>)</span>
-            <span class='id identifier rubyid_validated_config'>validated_config</span> <span class='op'>=</span> <span class='ivar'>@configs_hash</span><span class='lbracket'>[</span><span class='id identifier rubyid_certid'>certid</span><span class='period'>.</span><span class='id identifier rubyid_issuer_key_hash'>issuer_key_hash</span><span class='rbracket'>]</span>
-        <span class='kw'>else</span>
-            <span class='id identifier rubyid_validated_config'>validated_config</span> <span class='op'>=</span> <span class='ivar'>@configs</span><span class='period'>.</span><span class='id identifier rubyid_find'>find</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_config'>config</span><span class='op'>|</span>
-                <span class='comment'>#we need to create an OCSP::CertificateId object that has the right
-</span>                <span class='comment'>#issuer so we can pass it to #cmp_issuer. This is annoying because
-</span>                <span class='comment'>#CertificateId wants a cert and its issuer, but we don't want to
-</span>                <span class='comment'>#force users to provide an end entity cert just to make this comparison
-</span>                <span class='comment'>#work. So, we create a fake new cert and pass it in.
-</span>                <span class='id identifier rubyid_ee_cert'>ee_cert</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>Certificate</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
-                <span class='id identifier rubyid_ee_cert'>ee_cert</span><span class='period'>.</span><span class='id identifier rubyid_issuer'>issuer</span> <span class='op'>=</span> <span class='id identifier rubyid_config'>config</span><span class='period'>.</span><span class='id identifier rubyid_ca_cert'>ca_cert</span><span class='period'>.</span><span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_subject'>subject</span>
-                <span class='id identifier rubyid_issuer_certid'>issuer_certid</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>CertificateId</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_ee_cert'>ee_cert</span><span class='comma'>,</span><span class='id identifier rubyid_config'>config</span><span class='period'>.</span><span class='id identifier rubyid_ca_cert'>ca_cert</span><span class='period'>.</span><span class='id identifier rubyid_cert'>cert</span><span class='rparen'>)</span>
-                <span class='id identifier rubyid_certid'>certid</span><span class='period'>.</span><span class='id identifier rubyid_cmp_issuer'>cmp_issuer</span><span class='lparen'>(</span><span class='id identifier rubyid_issuer_certid'>issuer_certid</span><span class='rparen'>)</span>
-            <span class='kw'>end</span>
-        <span class='kw'>end</span>
-
-        <span class='id identifier rubyid_log'>log</span><span class='period'>.</span><span class='id identifier rubyid_info'>info</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_validated_config'>validated_config</span><span class='period'>.</span><span class='id identifier rubyid_ca_cert'>ca_cert</span><span class='period'>.</span><span class='id identifier rubyid_subject'>subject</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='rbrace'>}</span><span class='tstring_content'> found for issuer</span><span class='tstring_end'>&quot;</span></span> <span class='kw'>if</span> <span class='id identifier rubyid_validated_config'>validated_config</span>
-        <span class='id identifier rubyid_check_status'>check_status</span><span class='lparen'>(</span><span class='id identifier rubyid_certid'>certid</span><span class='comma'>,</span> <span class='id identifier rubyid_validated_config'>validated_config</span><span class='rparen'>)</span>
-    <span class='rbrace'>}</span>
+  <span class='id identifier rubyid_request'>request</span><span class='period'>.</span><span class='id identifier rubyid_certid'>certid</span><span class='period'>.</span><span class='id identifier rubyid_map'>map</span> <span class='lbrace'>{</span> <span class='op'>|</span><span class='id identifier rubyid_certid'>certid</span><span class='op'>|</span>
+    <span class='kw'>if</span> <span class='id identifier rubyid_certid'>certid</span><span class='period'>.</span><span class='id identifier rubyid_respond_to?'>respond_to?</span><span class='lparen'>(</span><span class='symbol'>:issuer_key_hash</span><span class='rparen'>)</span>
+      <span class='id identifier rubyid_validated_config'>validated_config</span> <span class='op'>=</span> <span class='ivar'>@configs_hash</span><span class='lbracket'>[</span><span class='id identifier rubyid_certid'>certid</span><span class='period'>.</span><span class='id identifier rubyid_issuer_key_hash'>issuer_key_hash</span><span class='rbracket'>]</span>
+    <span class='kw'>else</span>
+      <span class='id identifier rubyid_validated_config'>validated_config</span> <span class='op'>=</span> <span class='ivar'>@configs</span><span class='period'>.</span><span class='id identifier rubyid_find'>find</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_config'>config</span><span class='op'>|</span>
+        <span class='comment'>#we need to create an OCSP::CertificateId object that has the right
+</span>        <span class='comment'>#issuer so we can pass it to #cmp_issuer. This is annoying because
+</span>        <span class='comment'>#CertificateId wants a cert and its issuer, but we don't want to
+</span>        <span class='comment'>#force users to provide an end entity cert just to make this comparison
+</span>        <span class='comment'>#work. So, we create a fake new cert and pass it in.
+</span>        <span class='id identifier rubyid_ee_cert'>ee_cert</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>X509</span><span class='op'>::</span><span class='const'>Certificate</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
+        <span class='id identifier rubyid_ee_cert'>ee_cert</span><span class='period'>.</span><span class='id identifier rubyid_issuer'>issuer</span> <span class='op'>=</span> <span class='id identifier rubyid_config'>config</span><span class='period'>.</span><span class='id identifier rubyid_ca_cert'>ca_cert</span><span class='period'>.</span><span class='id identifier rubyid_cert'>cert</span><span class='period'>.</span><span class='id identifier rubyid_subject'>subject</span>
+        <span class='id identifier rubyid_issuer_certid'>issuer_certid</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>OCSP</span><span class='op'>::</span><span class='const'>CertificateId</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_ee_cert'>ee_cert</span><span class='comma'>,</span><span class='id identifier rubyid_config'>config</span><span class='period'>.</span><span class='id identifier rubyid_ca_cert'>ca_cert</span><span class='period'>.</span><span class='id identifier rubyid_cert'>cert</span><span class='rparen'>)</span>
+        <span class='id identifier rubyid_certid'>certid</span><span class='period'>.</span><span class='id identifier rubyid_cmp_issuer'>cmp_issuer</span><span class='lparen'>(</span><span class='id identifier rubyid_issuer_certid'>issuer_certid</span><span class='rparen'>)</span>
+      <span class='kw'>end</span>
+    <span class='kw'>end</span>
+
+    <span class='id identifier rubyid_log'>log</span><span class='period'>.</span><span class='id identifier rubyid_info'>info</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_validated_config'>validated_config</span><span class='period'>.</span><span class='id identifier rubyid_ca_cert'>ca_cert</span><span class='period'>.</span><span class='id identifier rubyid_subject'>subject</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='rbrace'>}</span><span class='tstring_content'> found for issuer</span><span class='tstring_end'>&quot;</span></span> <span class='kw'>if</span> <span class='id identifier rubyid_validated_config'>validated_config</span>
+    <span class='id identifier rubyid_check_status'>check_status</span><span class='lparen'>(</span><span class='id identifier rubyid_certid'>certid</span><span class='comma'>,</span> <span class='id identifier rubyid_validated_config'>validated_config</span><span class='rparen'>)</span>
+  <span class='rbrace'>}</span>
 <span class='kw'>end</span></pre>
     </td>
   </tr>
@@ -703,22 +703,22 @@ requests from two different CAs in there. Both are invalid.</p>
       <pre class="code"><span class="info file"># File 'lib/r509/ocsp/signer.rb', line 126</span>
 
 <span class='kw'>def</span> <span class='id identifier rubyid_validate_statuses'>validate_statuses</span><span class='lparen'>(</span><span class='id identifier rubyid_statuses'>statuses</span><span class='rparen'>)</span>
-    <span class='id identifier rubyid_validity'>validity</span> <span class='op'>=</span> <span class='kw'>true</span>
-    <span class='id identifier rubyid_config'>config</span> <span class='op'>=</span> <span class='kw'>nil</span>
-
-    <span class='id identifier rubyid_statuses'>statuses</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_status'>status</span><span class='op'>|</span>
-        <span class='kw'>if</span> <span class='id identifier rubyid_status'>status</span><span class='lbracket'>[</span><span class='symbol'>:config</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
-            <span class='id identifier rubyid_validity'>validity</span> <span class='op'>=</span> <span class='kw'>false</span>
-        <span class='kw'>end</span>
-        <span class='kw'>if</span> <span class='id identifier rubyid_config'>config</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
-            <span class='id identifier rubyid_config'>config</span> <span class='op'>=</span> <span class='id identifier rubyid_status'>status</span><span class='lbracket'>[</span><span class='symbol'>:config</span><span class='rbracket'>]</span>
-        <span class='kw'>end</span>
-        <span class='kw'>if</span> <span class='id identifier rubyid_config'>config</span> <span class='op'>!=</span> <span class='id identifier rubyid_status'>status</span><span class='lbracket'>[</span><span class='symbol'>:config</span><span class='rbracket'>]</span>
-            <span class='id identifier rubyid_validity'>validity</span> <span class='op'>=</span> <span class='kw'>false</span>
-        <span class='kw'>end</span>
+  <span class='id identifier rubyid_validity'>validity</span> <span class='op'>=</span> <span class='kw'>true</span>
+  <span class='id identifier rubyid_config'>config</span> <span class='op'>=</span> <span class='kw'>nil</span>
+
+  <span class='id identifier rubyid_statuses'>statuses</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_status'>status</span><span class='op'>|</span>
+    <span class='kw'>if</span> <span class='id identifier rubyid_status'>status</span><span class='lbracket'>[</span><span class='symbol'>:config</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
+      <span class='id identifier rubyid_validity'>validity</span> <span class='op'>=</span> <span class='kw'>false</span>
+    <span class='kw'>end</span>
+    <span class='kw'>if</span> <span class='id identifier rubyid_config'>config</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
+      <span class='id identifier rubyid_config'>config</span> <span class='op'>=</span> <span class='id identifier rubyid_status'>status</span><span class='lbracket'>[</span><span class='symbol'>:config</span><span class='rbracket'>]</span>
+    <span class='kw'>end</span>
+    <span class='kw'>if</span> <span class='id identifier rubyid_config'>config</span> <span class='op'>!=</span> <span class='id identifier rubyid_status'>status</span><span class='lbracket'>[</span><span class='symbol'>:config</span><span class='rbracket'>]</span>
+      <span class='id identifier rubyid_validity'>validity</span> <span class='op'>=</span> <span class='kw'>false</span>
     <span class='kw'>end</span>
+  <span class='kw'>end</span>
 
-    <span class='id identifier rubyid_validity'>validity</span>
+  <span class='id identifier rubyid_validity'>validity</span>
 <span class='kw'>end</span></pre>
     </td>
   </tr>
@@ -730,9 +730,9 @@ requests from two different CAs in there. Both are invalid.</p>
 </div>
 
     <div id="footer">
-  Generated on Thu Nov  8 14:33:52 2012 by
+  Generated on Tue Apr 16 13:57:17 2013 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
-  0.8.2.1 (ruby-1.9.3).
+  0.8.6.1 (ruby-1.9.3).
 </div>
 
   </body>