RubyGems - r509-ocsp-responder - Versions diffs - 0.3.1 → 0.3.2 - Mend

r509-ocsp-responder 0.3.1 → 0.3.2

Files changed (32) hide show

data/README.md +112 -17
data/doc/R509.html +6 -6
data/doc/R509/Ocsp.html +10 -10
data/doc/R509/Ocsp/Helper.html +9 -9
data/doc/R509/Ocsp/Helper/RequestChecker.html +73 -73
data/doc/R509/Ocsp/Helper/ResponseSigner.html +59 -59
data/doc/R509/Ocsp/Responder.html +10 -10
data/doc/R509/Ocsp/Responder/OcspConfig.html +31 -31
data/doc/R509/Ocsp/Responder/Server.html +9 -9
data/doc/R509/Ocsp/Responder/StatusError.html +9 -9
data/doc/R509/Ocsp/Signer.html +36 -44
data/doc/_index.html +23 -23
data/doc/class_list.html +2 -2
data/doc/css/style.css +10 -0
data/doc/file.README.html +120 -28
data/doc/file_list.html +1 -1
data/doc/frames.html +1 -1
data/doc/index.html +120 -28
data/doc/js/full_list.js +6 -1
data/doc/method_list.html +28 -56
data/doc/top-level-namespace.html +5 -5
data/lib/r509/ocsp/responder/ocsp-config.rb +27 -27
data/lib/r509/ocsp/responder/server.rb +129 -131
data/lib/r509/ocsp/responder/version.rb +4 -4
data/lib/r509/ocsp/signer.rb +219 -219
data/spec/fixtures.rb +145 -190
data/spec/fixtures/test_ca_ec.cer +14 -0
data/spec/fixtures/test_ca_ec.key +6 -0
data/spec/server_spec.rb +405 -397
data/spec/signer_spec.rb +262 -249
data/spec/spec_helper.rb +2 -2
metadata +10 -8

data/lib/r509/ocsp/responder/server.rb CHANGED Viewed

@@ -1,8 +1,6 @@
-require 'rubygems' if RUBY_VERSION < "1.9"
 require 'sinatra/base'
 require 'r509'
 require 'r509/ocsp/signer'
-require 'r509/validity/redis'
 require 'base64'
 require 'dependo'
 require 'logger'
@@ -13,157 +11,157 @@ require File.dirname(__FILE__)+'/ocsp-config.rb'
 # I'd rather use HUP, but daemons like thin already capture that
 # so we can't use it.
 Signal.trap("USR2") do
-    R509::Ocsp::Responder::OcspConfig.load_config
-    R509::Ocsp::Responder::OcspConfig.print_config
+  R509::OCSP::Responder::OCSPConfig.load_config
+  R509::OCSP::Responder::OCSPConfig.print_config
 end
-module R509::Ocsp::Responder
-    #error for status checking
-    class StatusError < StandardError
-    end
-    class Server < Sinatra::Base
-        include Dependo::Mixin
+module R509::OCSP::Responder
+  #error for status checking
+  class StatusError < StandardError
+  end
-        configure do
-            mime_type :ocsp, 'application/ocsp-response'
-            disable :protection #disable Rack::Protection (for speed)
-            disable :logging
-            set :environment, :production
-        end
+  class Server < Sinatra::Base
+    include Dependo::Mixin
-        error do
-            log.error env["sinatra.error"].inspect
-            log.error env["sinatra.error"].backtrace.join("\n")
-            "Something is amiss with our OCSP responder. You should ... wait?"
-        end
+    configure do
+      mime_type :ocsp, 'application/ocsp-response'
+      disable :protection #disable Rack::Protection (for speed)
+      disable :logging
+      set :environment, :production
+    end
-        error OpenSSL::OCSP::OCSPError do
-            "Invalid request"
-        end
+    error do
+      log.error env["sinatra.error"].inspect
+      log.error env["sinatra.error"].backtrace.join("\n")
+      "Something is amiss with our OCSP responder. You should ... wait?"
+    end
-        error R509::Ocsp::Responder::StatusError do
-            "Down"
-        end
+    error OpenSSL::OCSP::OCSPError do
+      "Invalid request"
+    end
-        get '/favicon.ico' do
-            log.debug "go away. no children."
-            "go away. no children"
-        end
+    error R509::OCSP::Responder::StatusError do
+      "Down"
+    end
-        get '/status/?' do
-            begin
-                if Dependo::Registry[:ocsp_signer].validity_checker.is_available?
-                    "OK"
-                else
-                    raise R509::Ocsp::Responder::StatusError
-                end
-            rescue
-                raise R509::Ocsp::Responder::StatusError
-            end
-        end
+    get '/favicon.ico' do
+      log.debug "go away. no children."
+      "go away. no children"
+    end
-        get '/*' do
-            raw_request = params[:splat].join("/")
-            #remove any leading slashes (looking at you MS Crypto API)
-            raw_request.sub!(/^\/+/,"")
-            log.info { "GET Request: "+raw_request }
-            der = Base64.decode64(raw_request)
-            request_response = handle_ocsp_request(der, "GET")
-            build_headers(request_response)
-            request_response[:response].to_der
+    get '/status/?' do
+      begin
+        if Dependo::Registry[:ocsp_signer].validity_checker.is_available?
+          "OK"
+        else
+          raise R509::OCSP::Responder::StatusError
         end
+      rescue
+        raise R509::OCSP::Responder::StatusError
+      end
+    end
-        post '/' do
-            if request.media_type == 'application/ocsp-request'
-                der = request.env["rack.input"].read
-                log.info { "POST Request: "+Base64.encode64(der).gsub!(/\n/,"") }
-                request_response = handle_ocsp_request(der, "POST")
-                request_response[:response].to_der
-            end
-        end
+    get '/*' do
+      raw_request = params[:splat].join("/")
+      #remove any leading slashes (looking at you MS Crypto API)
+      raw_request.sub!(/^\/+/,"")
+      log.info { "GET Request: "+raw_request }
+      der = Base64.decode64(raw_request)
+      request_response = handle_ocsp_request(der, "GET")
+      build_headers(request_response)
+      request_response[:response].to_der
+    end
-        private
+    post '/' do
+      if request.media_type == 'application/ocsp-request'
+        der = request.env["rack.input"].read
+        log.info { "POST Request: "+Base64.encode64(der).gsub!(/\n/,"") }
+        request_response = handle_ocsp_request(der, "POST")
+        request_response[:response].to_der
+      end
+    end
-        def handle_ocsp_request(der, method)
-            begin
-                request_response = ocsp_signer.handle_request(der)
+    private
-                log_ocsp_response(request_response[:response],method)
+    def handle_ocsp_request(der, method)
+      begin
+        request_response = ocsp_signer.handle_request(der)
-                content_type :ocsp
-                request_response
-            rescue StandardError => e
-                log.error "unexpected error #{e}"
-                raise e
-            end
-        end
+        log_ocsp_response(request_response[:response],method)
-        def log_ocsp_response(ocsp_response, method="?")
-            if response.nil?
-                log.error "Something went horribly wrong"
-                return
-            end
+        content_type :ocsp
+        request_response
+      rescue StandardError => e
+        log.error "unexpected error #{e}"
+        raise e
+      end
+    end
-            case ocsp_response.status
-            when OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
-                serial_data = ocsp_response.basic.status.map do |status|
-                    friendly_status = case status[1]
-                    when 0
-                        "VALID"
-                    when 1
-                        "REVOKED"
-                    when 2
-                        "UNKNOWN"
-                    end
-                    if ocsp_response.basic.status[0][0].respond_to?(:issuer_key_hash)
-                        config_used = ocsp_signer.request_checker.configs_hash[ocsp_response.basic.status[0][0].issuer_key_hash]
-                    else
-                        config_used = ocsp_signer.request_checker.configs.find do |config|
-                            #we need to create an OCSP::CertificateId object that has the right
-                            #issuer so we can pass it to #cmp_issuer. This is annoying because
-                            #CertificateId wants a cert and its issuer, but we don't want to
-                            #force users to provide an end entity cert just to make this comparison
-                            #work. So, we create a fake new cert and pass it in.
-                            ee_cert = OpenSSL::X509::Certificate.new
-                            ee_cert.issuer = config.ca_cert.cert.subject
-                            issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert,config.ca_cert.cert)
-                            ocsp_response.basic.status[0][0].cmp_issuer(issuer_certid)
-                        end
-                    end
-                    stats.record(config_used.ca_cert.subject.to_s, status[0].serial.to_s, friendly_status) if Dependo::Registry.has_key?(:stats)
-                    status[0].serial.to_s+" Status: #{friendly_status}"
-                end
-                log.info { "#{method} Request For Serial(s): #{serial_data.join(",")} UserAgent: #{env["HTTP_USER_AGENT"]}" }
-            when OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
-                log.info { "#{method} Request For Unauthorized CA. UserAgent: #{env["HTTP_USER_AGENT"]}" }
-            when OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST
-                log.info { "#{method} Malformed Request. UserAgent: #{env["HTTP_USER_AGENT"]}" }
+    def log_ocsp_response(ocsp_response, method="?")
+      if response.nil?
+        log.error "Something went horribly wrong"
+        return
+      end
+      case ocsp_response.status
+      when OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+        serial_data = ocsp_response.basic.status.map do |status|
+          friendly_status = case status[1]
+          when 0
+            "VALID"
+          when 1
+            "REVOKED"
+          when 2
+            "UNKNOWN"
+          end
+          if ocsp_response.basic.status[0][0].respond_to?(:issuer_key_hash)
+            config_used = ocsp_signer.request_checker.configs_hash[ocsp_response.basic.status[0][0].issuer_key_hash]
+          else
+            config_used = ocsp_signer.request_checker.configs.find do |config|
+              #we need to create an OCSP::CertificateId object that has the right
+              #issuer so we can pass it to #cmp_issuer. This is annoying because
+              #CertificateId wants a cert and its issuer, but we don't want to
+              #force users to provide an end entity cert just to make this comparison
+              #work. So, we create a fake new cert and pass it in.
+              ee_cert = OpenSSL::X509::Certificate.new
+              ee_cert.issuer = config.ca_cert.cert.subject
+              issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert,config.ca_cert.cert)
+              ocsp_response.basic.status[0][0].cmp_issuer(issuer_certid)
             end
+          end
+          stats.record(config_used.ca_cert.subject.to_s, status[0].serial.to_s, friendly_status) if Dependo::Registry.has_key?(:stats)
+          status[0].serial.to_s+" Status: #{friendly_status}"
         end
+        log.info { "#{method} Request For Serial(s): #{serial_data.join(",")} UserAgent: #{env["HTTP_USER_AGENT"]}" }
+      when OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
+        log.info { "#{method} Request For Unauthorized CA. UserAgent: #{env["HTTP_USER_AGENT"]}" }
+      when OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST
+        log.info { "#{method} Malformed Request. UserAgent: #{env["HTTP_USER_AGENT"]}" }
+      end
+    end
-        def build_headers(request_response)
-            ocsp_response = request_response[:response]
-            ocsp_request = request_response[:request]
-            # cache_headers is injected via config.ru
-            # we only cache if it's a RESPONSE_STATUS_SUCCESSFUL response and there's no nonce.
-            if cache_headers and not ocsp_response.basic.nil? and ocsp_response.check_nonce(ocsp_request) == R509::Ocsp::Request::Nonce::BOTH_ABSENT
-                calculated_max_age =  ocsp_response.basic.status[0][5] - Time.now
-                #same with max_cache_age
-                if not max_cache_age or ( max_cache_age > calculated_max_age )
-                    max_age = calculated_max_age
-                else
-                    max_age = max_cache_age
-                end
-                response["Last-Modified"] = Time.now.httpdate
-                response["ETag"] = OpenSSL::Digest::SHA1.new(ocsp_response.to_der).to_s
-                response["Expires"] = ocsp_response.basic.status[0][5].httpdate
-                response["Cache-Control"] = "max-age=#{max_age.to_i}, public, no-transform, must-revalidate"
-            end
+    def build_headers(request_response)
+      ocsp_response = request_response[:response]
+      ocsp_request = request_response[:request]
+      # cache_headers is injected via config.ru
+      # we only cache if it's a RESPONSE_STATUS_SUCCESSFUL response and there's no nonce.
+      if cache_headers and not ocsp_response.basic.nil? and ocsp_response.check_nonce(ocsp_request) == R509::OCSP::Request::Nonce::BOTH_ABSENT
+        calculated_max_age =  ocsp_response.basic.status[0][5] - Time.now
+        #same with max_cache_age
+        if not max_cache_age or ( max_cache_age > calculated_max_age )
+          max_age = calculated_max_age
+        else
+          max_age = max_cache_age
         end
+        response["Last-Modified"] = Time.now.httpdate
+        response["ETag"] = OpenSSL::Digest::SHA1.new(ocsp_response.to_der).to_s
+        response["Expires"] = ocsp_response.basic.status[0][5].httpdate
+        response["Cache-Control"] = "max-age=#{max_age.to_i}, public, no-transform, must-revalidate"
+      end
     end
+  end
 end

data/lib/r509/ocsp/responder/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module R509
-    module Ocsp
-        module Responder
-            VERSION="0.3.1"
-        end
+  module OCSP
+    module Responder
+      VERSION="0.3.2"
     end
+  end
 end

data/lib/r509/ocsp/signer.rb CHANGED Viewed

@@ -4,241 +4,241 @@ require 'r509/config'
 require 'dependo'
 # OCSP related classes (signing, response, request)
-module R509::Ocsp
-    # A class for signing OCSP responses
-    class Signer
-        attr_reader :validity_checker,:request_checker
-        # @option options [Boolean] :copy_nonce copy nonce from request to response?
-        # @option options [R509::Config::CaConfigPool] :configs CaConfigPool object
-        # possible OCSP issuance roots that we want to issue OCSP responses for
-        def initialize(options)
-            if options.has_key?(:validity_checker)
-                @validity_checker = options[:validity_checker]
-            else
-                @validity_checker = R509::Validity::DefaultChecker.new
-            end
-            @request_checker = Helper::RequestChecker.new(options[:configs], @validity_checker)
-            @response_signer = Helper::ResponseSigner.new(options)
-        end
+module R509::OCSP
+  # A class for signing OCSP responses
+  class Signer
+    attr_reader :validity_checker,:request_checker
+    # @option options [Boolean] :copy_nonce copy nonce from request to response?
+    # @option options [R509::Config::CAConfigPool] :configs CAConfigPool object
+    # possible OCSP issuance roots that we want to issue OCSP responses for
+    def initialize(options)
+      if options.has_key?(:validity_checker)
+        @validity_checker = options[:validity_checker]
+      else
+        @validity_checker = R509::Validity::DefaultChecker.new
+      end
+      @request_checker = Helper::RequestChecker.new(options[:configs], @validity_checker)
+      @response_signer = Helper::ResponseSigner.new(options)
+    end
-        # @param request [String,OpenSSL::OCSP::Request] OCSP request (string or parsed object)
-        # @return [Hash]
-        #   * :request [OpenSSL::OCSP::Request] parsed request object
-        #   * :response [OpenSSL::OCSP::Response] full response object
-        def handle_request(request)
-            begin
-                parsed_request = OpenSSL::OCSP::Request.new request
-            rescue
-                return {:response => @response_signer.create_response(OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST), :request => nil}
-            end
-            statuses = @request_checker.check_statuses(parsed_request)
-            if not @request_checker.validate_statuses(statuses)
-                return {:response => @response_signer.create_response(OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED), :request => nil}
-            end
-            basic_response = @response_signer.create_basic_response(parsed_request,statuses)
-            {:response => @response_signer.create_response(
-                OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL,
-                basic_response
-            ), :request => parsed_request}
-        end
+    # @param request [String,OpenSSL::OCSP::Request] OCSP request (string or parsed object)
+    # @return [Hash]
+    # * :request [OpenSSL::OCSP::Request] parsed request object
+    # * :response [OpenSSL::OCSP::Response] full response object
+    def handle_request(request)
+      begin
+        parsed_request = OpenSSL::OCSP::Request.new request
+      rescue
+        return {:response => @response_signer.create_response(OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST), :request => nil}
+      end
+      statuses = @request_checker.check_statuses(parsed_request)
+      if not @request_checker.validate_statuses(statuses)
+        return {:response => @response_signer.create_response(OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED), :request => nil}
+      end
+      basic_response = @response_signer.create_basic_response(parsed_request,statuses)
+      {:response => @response_signer.create_response(
+        OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL,
+        basic_response
+      ), :request => parsed_request}
     end
+  end
 end
 #Helper module for OCSP handling
-module R509::Ocsp::Helper
-    # checks requests for validity against a set of configs
-    class RequestChecker
-        include Dependo::Mixin
-        attr_reader :configs,:configs_hash
-        # @param [R509::Config::CaConfigPool] configs CaConfigPool object
-        # @param [R509::Validity::Checker] validity_checker an implementation of the R509::Validity::Checker class
-        def initialize(configs, validity_checker)
-            unless configs.kind_of?(R509::Config::CaConfigPool)
-                raise R509::R509Error, "Must pass R509::Config::CaConfigPool object"
-            end
-            if configs.all.empty?
-                raise R509::R509Error, "Must be at least one R509::Config object"
-            end
-            @configs = configs.all
-            test_cid = OpenSSL::OCSP::CertificateId.new(OpenSSL::X509::Certificate.new,OpenSSL::X509::Certificate.new)
-            if test_cid.respond_to?(:issuer_key_hash)
-                @configs_hash = {}
-                @configs.each do |config|
-                    ee_cert = OpenSSL::X509::Certificate.new
-                    ee_cert.issuer = config.ca_cert.cert.subject
-                    # per RFC 5019
-                    # Clients MUST use SHA1 as the hashing algorithm for the
-                    # CertID.issuerNameHash and the CertID.issuerKeyHash values.
-                    # so we can safely assume that our inbound hashes will be SHA1
-                    issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert,config.ca_cert.cert,OpenSSL::Digest::SHA1.new)
-                    @configs_hash[issuer_certid.issuer_key_hash] = config
-                end
-            end
-            @validity_checker = validity_checker
-            if @validity_checker.nil?
-                raise R509::R509Error, "Must supply a R509::Validity::Checker"
-            end
-            if not @validity_checker.respond_to?(:check)
-                raise R509::R509Error, "The validity checker must have a check method"
-            end
+module R509::OCSP::Helper
+  # checks requests for validity against a set of configs
+  class RequestChecker
+    include Dependo::Mixin
+    attr_reader :configs,:configs_hash
+    # @param [R509::Config::CAConfigPool] configs CAConfigPool object
+    # @param [R509::Validity::Checker] validity_checker an implementation of the R509::Validity::Checker class
+    def initialize(configs, validity_checker)
+      unless configs.kind_of?(R509::Config::CAConfigPool)
+        raise R509::R509Error, "Must pass R509::Config::CAConfigPool object"
+      end
+      if configs.all.empty?
+        raise R509::R509Error, "Must be at least one R509::Config object"
+      end
+      @configs = configs.all
+      test_cid = OpenSSL::OCSP::CertificateId.new(OpenSSL::X509::Certificate.new,OpenSSL::X509::Certificate.new)
+      if test_cid.respond_to?(:issuer_key_hash)
+        @configs_hash = {}
+        @configs.each do |config|
+          ee_cert = OpenSSL::X509::Certificate.new
+          ee_cert.issuer = config.ca_cert.cert.subject.name
+          # per RFC 5019
+          # Clients MUST use SHA1 as the hashing algorithm for the
+          # CertID.issuerNameHash and the CertID.issuerKeyHash values.
+          # so we can safely assume that our inbound hashes will be SHA1
+          issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert,config.ca_cert.cert,OpenSSL::Digest::SHA1.new)
+          @configs_hash[issuer_certid.issuer_key_hash] = config
         end
+      end
+      @validity_checker = validity_checker
+      if @validity_checker.nil?
+        raise R509::R509Error, "Must supply a R509::Validity::Checker"
+      end
+      if not @validity_checker.respond_to?(:check)
+        raise R509::R509Error, "The validity checker must have a check method"
+      end
+    end
-        # Loads and checks a raw OCSP request
-        #
-        # @param request [OpenSSL::OCSP::Request] OpenSSL OCSP Request object
-        # @return [Hash] hash from the check_status method
-        def check_statuses(request)
-            request.certid.map { |certid|
-                if certid.respond_to?(:issuer_key_hash)
-                    validated_config = @configs_hash[certid.issuer_key_hash]
-                else
-                    validated_config = @configs.find do |config|
-                        #we need to create an OCSP::CertificateId object that has the right
-                        #issuer so we can pass it to #cmp_issuer. This is annoying because
-                        #CertificateId wants a cert and its issuer, but we don't want to
-                        #force users to provide an end entity cert just to make this comparison
-                        #work. So, we create a fake new cert and pass it in.
-                        ee_cert = OpenSSL::X509::Certificate.new
-                        ee_cert.issuer = config.ca_cert.cert.subject
-                        issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert,config.ca_cert.cert)
-                        certid.cmp_issuer(issuer_certid)
-                    end
-                end
-                log.info "#{validated_config.ca_cert.subject.to_s} found for issuer" if validated_config
-                check_status(certid, validated_config)
-            }
+    # Loads and checks a raw OCSP request
+    #
+    # @param request [OpenSSL::OCSP::Request] OpenSSL OCSP Request object
+    # @return [Hash] hash from the check_status method
+    def check_statuses(request)
+      request.certid.map { |certid|
+        if certid.respond_to?(:issuer_key_hash)
+          validated_config = @configs_hash[certid.issuer_key_hash]
+        else
+          validated_config = @configs.find do |config|
+            #we need to create an OCSP::CertificateId object that has the right
+            #issuer so we can pass it to #cmp_issuer. This is annoying because
+            #CertificateId wants a cert and its issuer, but we don't want to
+            #force users to provide an end entity cert just to make this comparison
+            #work. So, we create a fake new cert and pass it in.
+            ee_cert = OpenSSL::X509::Certificate.new
+            ee_cert.issuer = config.ca_cert.cert.subject
+            issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert,config.ca_cert.cert)
+            certid.cmp_issuer(issuer_certid)
+          end
         end
-        # Determines whether the statuses constitute a request that is compliant.
-        # No config means we don't know the CA, different configs means there are
-        # requests from two different CAs in there. Both are invalid.
-        #
-        # @param statuses [Array<Hash>] array of hashes from check_statuses
-        # @return [Boolean]
-        def validate_statuses(statuses)
-            validity = true
-            config = nil
-            statuses.each do |status|
-                if status[:config].nil?
-                    validity = false
-                end
-                if config.nil?
-                    config = status[:config]
-                end
-                if config != status[:config]
-                    validity = false
-                end
-            end
-            validity
-        end
+        log.info "#{validated_config.ca_cert.subject.to_s} found for issuer" if validated_config
+        check_status(certid, validated_config)
+      }
+    end
-        private
-        # Checks the status of a certificate with the corresponding CA
-        # @param certid [OpenSSL::OCSP::CertificateId] The certId object from check_statuses
-        # @param validated_config [R509::Config]
-        def check_status(certid, validated_config)
-            if(validated_config == nil) then
-                return {
-                    :certid => certid,
-                    :config => nil
-                }
-            else
-                validity_status = @validity_checker.check(validated_config.ca_cert.subject.to_s,certid.serial)
-                return {
-                    :certid => certid,
-                    :status => validity_status.ocsp_status,
-                    :revocation_reason => validity_status.revocation_reason,
-                    :revocation_time => validity_status.revocation_time,
-                    :config => validated_config
-                }
-            end
+    # Determines whether the statuses constitute a request that is compliant.
+    # No config means we don't know the CA, different configs means there are
+    # requests from two different CAs in there. Both are invalid.
+    #
+    # @param statuses [Array<Hash>] array of hashes from check_statuses
+    # @return [Boolean]
+    def validate_statuses(statuses)
+      validity = true
+      config = nil
+      statuses.each do |status|
+        if status[:config].nil?
+          validity = false
         end
+        if config.nil?
+          config = status[:config]
+        end
+        if config != status[:config]
+          validity = false
+        end
+      end
+      validity
     end
-    #signs OCSP responses
-    class ResponseSigner
-        # @option options [Boolean] :copy_nonce
-        def initialize(options)
-            if options.has_key?(:copy_nonce)
-                @copy_nonce = options[:copy_nonce]
-            else
-                @copy_nonce = false
-            end
-        end
+    private
+    # Checks the status of a certificate with the corresponding CA
+    # @param certid [OpenSSL::OCSP::CertificateId] The certId object from check_statuses
+    # @param validated_config [R509::Config]
+    def check_status(certid, validated_config)
+      if(validated_config == nil) then
+        return {
+          :certid => certid,
+          :config => nil
+        }
+      else
+        validity_status = @validity_checker.check(validated_config.ca_cert.subject.to_s,certid.serial)
+        return {
+          :certid => certid,
+          :status => validity_status.ocsp_status,
+          :revocation_reason => validity_status.revocation_reason,
+          :revocation_time => validity_status.revocation_time,
+          :config => validated_config
+        }
+      end
+    end
+  end
+  #signs OCSP responses
+  class ResponseSigner
+    # @option options [Boolean] :copy_nonce
+    def initialize(options)
+      if options.has_key?(:copy_nonce)
+        @copy_nonce = options[:copy_nonce]
+      else
+        @copy_nonce = false
+      end
+    end
-        # It is UNWISE to call this method directly because it assumes that the request is
-        # validated. You probably want to take a look at R509::Ocsp::Signer#handle_request
-        #
-        # @param request [OpenSSL::OCSP::Request]
-        # @param statuses [Hash] hash from R509::Ocsp::Helper::RequestChecker#check_statuses
-        # @return [OpenSSL::OCSP::BasicResponse]
-        def create_basic_response(request,statuses)
-            basic_response = OpenSSL::OCSP::BasicResponse.new
-            basic_response.copy_nonce(request) if @copy_nonce
-            statuses.each do |status|
-                #revocation time is retarded and is relative to now, so
-                #let's figure out what that is.
-                if status[:status] == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
-                    revocation_time = status[:revocation_time].to_i - Time.now.to_i
-                end
-                basic_response.add_status(status[:certid],
-                                        status[:status],
-                                        status[:revocation_reason],
-                                        revocation_time,
-                                        -1*status[:config].ocsp_start_skew_seconds,
-                                        status[:config].ocsp_validity_hours*3600,
-                                        [] #array of OpenSSL::X509::Extensions
-                                        )
-            end
-            #this method assumes the request data is validated by validate_request so all configs will be the same and
-            #we can choose to use the first one safely
-            config = statuses[0][:config]
-            #confusing, but R509::Cert contains R509::PrivateKey under #key. PrivateKey#key gives the OpenSSL object
-            #turns out BasicResponse#sign can take up to 4 params
-            #cert, key, array of OpenSSL::X509::Certificates, flags (not sure what the enumeration of those are)
-            basic_response.sign(config.ocsp_cert.cert,config.ocsp_cert.key.key,config.ocsp_chain)
+    # It is UNWISE to call this method directly because it assumes that the request is
+    # validated. You probably want to take a look at R509::OCSP::Signer#handle_request
+    #
+    # @param request [OpenSSL::OCSP::Request]
+    # @param statuses [Hash] hash from R509::OCSP::Helper::RequestChecker#check_statuses
+    # @return [OpenSSL::OCSP::BasicResponse]
+    def create_basic_response(request,statuses)
+      basic_response = OpenSSL::OCSP::BasicResponse.new
+      basic_response.copy_nonce(request) if @copy_nonce
+      statuses.each do |status|
+        #revocation time is retarded and is relative to now, so
+        #let's figure out what that is.
+        if status[:status] == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+          revocation_time = status[:revocation_time].to_i - Time.now.to_i
         end
+        basic_response.add_status(status[:certid],
+                    status[:status],
+                    status[:revocation_reason],
+                    revocation_time,
+                    -1*status[:config].ocsp_start_skew_seconds,
+                    status[:config].ocsp_validity_hours*3600,
+                    [] #array of OpenSSL::X509::Extensions
+                    )
+      end
+      #this method assumes the request data is validated by validate_request so all configs will be the same and
+      #we can choose to use the first one safely
+      config = statuses[0][:config]
+      #confusing, but R509::Cert contains R509::PrivateKey under #key. PrivateKey#key gives the OpenSSL object
+      #turns out BasicResponse#sign can take up to 4 params
+      #cert, key, array of OpenSSL::X509::Certificates, flags (not sure what the enumeration of those are)
+      basic_response.sign(config.ocsp_cert.cert,config.ocsp_cert.key.key,config.ocsp_chain)
+    end
-        # Builds final response.
-        #
-        # @param response_status [OpenSSL::OCSP::RESPONSE_STATUS_*] the primary response status
-        # @param basic_response [OpenSSL::OCSP::BasicResponse] an optional basic response object
-        # generated by create_basic_response
-        # @return [OpenSSL::OCSP::OCSPResponse]
-        def create_response(response_status,basic_response=nil)
-            # first arg is the response status code, comes from this list
-            # these can also be enumerated via OpenSSL::OCSP::RESPONSE_STATUS_*
-            #OCSPResponseStatus ::= ENUMERATED {
-            #    successful            (0),      --Response has valid confirmations
-            #    malformedRequest      (1),      --Illegal confirmation request
-            #    internalError         (2),      --Internal error in issuer
-            #    tryLater              (3),      --Try again later
-            #                       --(4) is not used
-            #    sigRequired           (5),      --Must sign the request
-            #    unauthorized          (6)       --Request unauthorized
-            #}
-            #
-            R509::Ocsp::Response.new(
-                OpenSSL::OCSP::Response.create(
-                    response_status, basic_response
-                )
-            )
-        end
+    # Builds final response.
+    #
+    # @param response_status [OpenSSL::OCSP::RESPONSE_STATUS_*] the primary response status
+    # @param basic_response [OpenSSL::OCSP::BasicResponse] an optional basic response object
+    # generated by create_basic_response
+    # @return [OpenSSL::OCSP::OCSPResponse]
+    def create_response(response_status,basic_response=nil)
+      # first arg is the response status code, comes from this list
+      # these can also be enumerated via OpenSSL::OCSP::RESPONSE_STATUS_*
+      #OCSPResponseStatus ::= ENUMERATED {
+      #  successful        (0),    --Response has valid confirmations
+      #  malformedRequest    (1),    --Illegal confirmation request
+      #  internalError       (2),    --Internal error in issuer
+      #  tryLater        (3),    --Try again later
+      #           --(4) is not used
+      #  sigRequired       (5),    --Must sign the request
+      #  unauthorized      (6)     --Request unauthorized
+      #}
+      #
+      R509::OCSP::Response.new(
+        OpenSSL::OCSP::Response.create(
+          response_status, basic_response
+        )
+      )
     end
+  end
 end