rubysl-openssl 2.2.1 → 2.3.0
- checksums.yaml +4 -4
- data/.travis.yml +4 -4
- data/MRI_LICENSE +56 -0
- data/ext/rubysl/openssl/openssl_missing.c +1 -1
- data/ext/rubysl/openssl/openssl_missing.h +1 -1
- data/ext/rubysl/openssl/ossl.c +17 -16
- data/ext/rubysl/openssl/ossl.h +7 -7
- data/ext/rubysl/openssl/ossl_asn1.c +5 -5
- data/ext/rubysl/openssl/ossl_asn1.h +1 -1
- data/ext/rubysl/openssl/ossl_bio.c +2 -2
- data/ext/rubysl/openssl/ossl_bio.h +1 -1
- data/ext/rubysl/openssl/ossl_bn.c +37 -13
- data/ext/rubysl/openssl/ossl_bn.h +1 -1
- data/ext/rubysl/openssl/ossl_cipher.c +64 -17
- data/ext/rubysl/openssl/ossl_cipher.h +1 -1
- data/ext/rubysl/openssl/ossl_config.c +3 -3
- data/ext/rubysl/openssl/ossl_config.h +1 -1
- data/ext/rubysl/openssl/ossl_digest.c +19 -7
- data/ext/rubysl/openssl/ossl_digest.h +1 -1
- data/ext/rubysl/openssl/ossl_engine.c +24 -17
- data/ext/rubysl/openssl/ossl_engine.h +1 -1
- data/ext/rubysl/openssl/ossl_hmac.c +15 -7
- data/ext/rubysl/openssl/ossl_hmac.h +1 -1
- data/ext/rubysl/openssl/ossl_ns_spki.c +19 -4
- data/ext/rubysl/openssl/ossl_ns_spki.h +1 -1
- data/ext/rubysl/openssl/ossl_ocsp.c +518 -60
- data/ext/rubysl/openssl/ossl_ocsp.h +1 -1
- data/ext/rubysl/openssl/ossl_pkcs12.c +18 -4
- data/ext/rubysl/openssl/ossl_pkcs12.h +1 -1
- data/ext/rubysl/openssl/ossl_pkcs5.c +1 -1
- data/ext/rubysl/openssl/ossl_pkcs7.c +59 -15
- data/ext/rubysl/openssl/ossl_pkcs7.h +1 -1
- data/ext/rubysl/openssl/ossl_pkey.c +16 -2
- data/ext/rubysl/openssl/ossl_pkey.h +4 -3
- data/ext/rubysl/openssl/ossl_pkey_dh.c +3 -3
- data/ext/rubysl/openssl/ossl_pkey_dsa.c +3 -3
- data/ext/rubysl/openssl/ossl_pkey_ec.c +32 -12
- data/ext/rubysl/openssl/ossl_pkey_rsa.c +3 -3
- data/ext/rubysl/openssl/ossl_rand.c +58 -34
- data/ext/rubysl/openssl/ossl_rand.h +1 -1
- data/ext/rubysl/openssl/ossl_ssl.c +75 -46
- data/ext/rubysl/openssl/ossl_ssl.h +8 -2
- data/ext/rubysl/openssl/ossl_ssl_session.c +16 -15
- data/ext/rubysl/openssl/ossl_version.h +1 -1
- data/ext/rubysl/openssl/ossl_x509.c +2 -2
- data/ext/rubysl/openssl/ossl_x509.h +1 -1
- data/ext/rubysl/openssl/ossl_x509attr.c +18 -4
- data/ext/rubysl/openssl/ossl_x509cert.c +27 -33
- data/ext/rubysl/openssl/ossl_x509crl.c +18 -4
- data/ext/rubysl/openssl/ossl_x509ext.c +29 -7
- data/ext/rubysl/openssl/ossl_x509name.c +22 -7
- data/ext/rubysl/openssl/ossl_x509req.c +18 -4
- data/ext/rubysl/openssl/ossl_x509revoked.c +18 -4
- data/ext/rubysl/openssl/ossl_x509store.c +33 -8
- data/ext/rubysl/openssl/ruby_missing.h +1 -1
- data/lib/openssl/bn.rb +8 -1
- data/lib/openssl/buffering.rb +1 -1
- data/lib/openssl/cipher.rb +1 -1
- data/lib/openssl/digest.rb +1 -1
- data/lib/openssl/ssl.rb +65 -7
- data/lib/openssl/x509.rb +22 -2
- data/lib/rubysl/openssl.rb +1 -1
- data/lib/rubysl/openssl/version.rb +1 -1
- metadata +4 -3
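--- a/data/ext/rubysl/openssl/ossl_config.c
+++ b/data/ext/rubysl/openssl/ossl_config.c
@@ -1,5 +1,5 @@
 /*
-* $Id$
+* $Id: ossl_config.c 47744 2014-09-30 05:25:32Z nobu $
 * 'OpenSSL for Ruby' project
 * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
 * All rights reserved.
@@ -17,7 +17,7 @@
 VALUE cConfig;
 /* Document-class: OpenSSL::ConfigError
 *
-* General error for openssl library configuration files. Including
+* General error for openssl library configuration files. Including formatting,
 * parsing errors, etc.
 */
 VALUE eConfigError;
@@ -69,7 +69,7 @@ GetConfigPtr(VALUE obj)
 * INIT
 */
 void
-Init_ossl_config()
+Init_ossl_config(void)
 {
 char *default_config_file;
 eConfigError = rb_define_class_under(mOSSL, "ConfigError", eOSSLError);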
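--- a/data/ext/rubysl/openssl/ossl_digest.c
+++ b/data/ext/rubysl/openssl/ossl_digest.c
@@ -1,5 +1,5 @@
 /*
-* $Id$
+* $Id: ossl_digest.c 48791 2014-12-12 21:57:44Z nobu $
 * 'OpenSSL for Ruby' project
 * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
 * All rights reserved.
@@ -11,7 +11,7 @@
 #include "ossl.h"
 
 #define GetDigest(obj, ctx) do { \
-
+TypedData_Get_Struct((obj), EVP_MD_CTX, &ossl_digest_type, (ctx)); \
 if (!(ctx)) { \
 ossl_raise(rb_eRuntimeError, "Digest CTX wasn't initialized!"); \
 } \
@@ -29,6 +29,20 @@ VALUE eDigestError;
 
 static VALUE ossl_digest_alloc(VALUE klass);
 
+static void
+ossl_digest_free(void *ctx)
+{
+EVP_MD_CTX_destroy(ctx);
+}
+
+static const rb_data_type_t ossl_digest_type = {
+"OpenSSL/Digest",
+{
+0, ossl_digest_free,
+},
+0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 /*
 * Public
 */
@@ -38,7 +52,7 @@ GetDigestPtr(VALUE obj)
 const EVP_MD *md;
 ASN1_OBJECT *oid = NULL;
 
-if (
+if (RB_TYPE_P(obj, T_STRING)) {
 const char *name = StringValueCStr(obj);
 
 md = EVP_get_digestbyname(name);
@@ -87,7 +101,7 @@ ossl_digest_alloc(VALUE klass)
 ctx = EVP_MD_CTX_create();
 if (ctx == NULL)
 ossl_raise(rb_eRuntimeError, "EVP_MD_CTX_create() failed");
-obj =
+obj = TypedData_Wrap_Struct(klass, &ossl_digest_type, ctx);
 
 return obj;
 }
@@ -294,10 +308,8 @@ ossl_digest_block_length(VALUE self)
 * INIT
 */
 void
-Init_ossl_digest()
+Init_ossl_digest(void)
 {
-rb_require("digest");
-
 #if 0
 mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
 #endif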
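Review bot: The new `ossl_digest_type` descriptor sets RUBY_TYPED_FREE_IMMEDIATELY without a comment saying why that flag is safe here, and the same applies to the descriptors this commit adds in ossl_engine.c, ossl_hmac.c and ossl_ns_spki.c. The justification is visible in the free functions themselves, which only call the OpenSSL release routine and never call back into Ruby-level code, so a comment above each descriptor such as `/* free never calls back into Ruby, so the GC may release the ctx immediately */` would keep a future maintainer from adding a Ruby call there. All four descriptors also leave the dsize slot at 0, so GC memory accounting does not see the native allocation; that is not a regression from the old Data_Wrap_Struct path, but it is worth a comment for the HMAC_CTX case where `MakeHMAC` now has Ruby allocate the struct. Separately, `Init_ossl_digest` no longer calls `rb_require("digest")`; the function body continues past the hunk, so confirm nothing later in it still relies on that library having been loaded by this extension (the diffstat shows data/lib/openssl/digest.rb changed by one line, presumably the moved require).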
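--- a/data/ext/rubysl/openssl/ossl_engine.c
+++ b/data/ext/rubysl/openssl/ossl_engine.c
@@ -1,5 +1,5 @@
 /*
-* $Id$
+* $Id: ossl_engine.c 48792 2014-12-12 21:57:49Z nobu $
 * 'OpenSSL for Ruby' project
 * Copyright (C) 2003 GOTOU Yuuzou <gotoyuzo@notwork.org>
 * All rights reserved.
@@ -16,10 +16,10 @@
 if (!(engine)) { \
 ossl_raise(rb_eRuntimeError, "ENGINE wasn't initialized."); \
 } \
-(obj) =
+(obj) = TypedData_Wrap_Struct((klass), &ossl_engine_type, (engine)); \
 } while(0)
 #define GetEngine(obj, engine) do { \
-
+TypedData_Get_Struct((obj), ENGINE, &ossl_engine_type, (engine)); \
 if (!(engine)) { \
 ossl_raise(rb_eRuntimeError, "ENGINE wasn't initialized."); \
 } \
@@ -57,6 +57,20 @@ do{\
 }\
 }while(0)
 
+static void
+ossl_engine_free(void *engine)
+{
+ENGINE_free(engine);
+}
+
+static const rb_data_type_t ossl_engine_type = {
+"OpenSSL/Engine",
+{
+0, ossl_engine_free,
+},
+0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 /* Document-method: OpenSSL::Engine.load
 *
 * call-seq:
@@ -523,24 +537,17 @@ ossl_engine_get_cmds(VALUE self)
 static VALUE
 ossl_engine_inspect(VALUE self)
 {
-
-
-
-
-
-rb_str_cat2(str, " id=\"");
-rb_str_append(str, ossl_engine_get_id(self));
-rb_str_cat2(str, "\" name=\"");
-rb_str_append(str, ossl_engine_get_name(self));
-rb_str_cat2(str, "\">");
-
-return str;
+ENGINE *e;
+
+GetEngine(self, e);
+return rb_sprintf("#<%"PRIsVALUE" id=\"%s\" name=\"%s\">",
+rb_obj_class(self), ENGINE_get_id(e), ENGINE_get_name(e));
 }
 
 #define DefEngineConst(x) rb_define_const(cEngine, #x, INT2NUM(ENGINE_##x))
 
 void
-Init_ossl_engine()
+Init_ossl_engine(void)
 {
 cEngine = rb_define_class_under(mOSSL, "Engine", rb_cObject);
 eEngineError = rb_define_class_under(cEngine, "EngineError", eOSSLError);
@@ -585,7 +592,7 @@ Init_ossl_engine()
 }
 #else
 void
-Init_ossl_engine()
+Init_ossl_engine(void)
 {
 }
 #endif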
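--- a/data/ext/rubysl/openssl/ossl_hmac.c
+++ b/data/ext/rubysl/openssl/ossl_hmac.c
@@ -1,5 +1,5 @@
 /*
-* $Id$
+* $Id: ossl_hmac.c 48793 2014-12-12 21:57:56Z nobu $
 * 'OpenSSL for Ruby' project
 * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
 * All rights reserved.
@@ -13,9 +13,9 @@
 #include "ossl.h"
 
 #define MakeHMAC(obj, klass, ctx) \
-(obj) =
+(obj) = TypedData_Make_Struct((klass), HMAC_CTX, &ossl_hmac_type, (ctx))
 #define GetHMAC(obj, ctx) do { \
-
+TypedData_Get_Struct((obj), HMAC_CTX, &ossl_hmac_type, (ctx)); \
 if (!(ctx)) { \
 ossl_raise(rb_eRuntimeError, "HMAC wasn't initialized"); \
 } \
@@ -39,12 +39,20 @@ VALUE eHMACError;
 * Private
 */
 static void
-ossl_hmac_free(
+ossl_hmac_free(void *ctx)
 {
 HMAC_CTX_cleanup(ctx);
 ruby_xfree(ctx);
 }
 
+static const rb_data_type_t ossl_hmac_type = {
+"OpenSSL/HMAC",
+{
+0, ossl_hmac_free,
+},
+0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 static VALUE
 ossl_hmac_alloc(VALUE klass)
 {
@@ -327,7 +335,7 @@ ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data)
 * INIT
 */
 void
-Init_ossl_hmac()
+Init_ossl_hmac(void)
 {
 #if 0
 /* :nodoc: */
@@ -357,8 +365,8 @@ Init_ossl_hmac()
 #else /* NO_HMAC */
 # warning >>> OpenSSL is compiled without HMAC support <<<
 void
-Init_ossl_hmac()
+Init_ossl_hmac(void)
 {
-rb_warning("HMAC
+rb_warning("HMAC is not available: OpenSSL is compiled without HMAC.");
 }
 #endif /* NO_HMAC */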
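Review bot: `ossl_hmac_free` gains the `void *ctx` signature but still carries no comment on why its two calls must stay in this order, and the order now matters more because the new `MakeHMAC` macro has `TypedData_Make_Struct` allocate the HMAC_CTX on the Ruby heap. On the OpenSSL 1.0 API this file targets, `HMAC_CTX_cleanup` is the call that releases and clears the keyed inner/outer digest state held inside the context, and `ruby_xfree` is the matching release for a `TypedData_Make_Struct` allocation, so a comment such as `/* clear the keyed digest state, then release the Ruby-allocated ctx */` above `HMAC_CTX_cleanup(ctx);` would record both facts. Whether `ossl_hmac_alloc` initialises the zero-filled ctx before any path can reach `ossl_hmac_free` cannot be seen here, as its body lies outside the hunk.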
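--- a/data/ext/rubysl/openssl/ossl_ns_spki.c
+++ b/data/ext/rubysl/openssl/ossl_ns_spki.c
@@ -1,5 +1,5 @@
 /*
-* $Id$
+* $Id: ossl_ns_spki.c 48794 2014-12-12 21:58:03Z nobu $
 * 'OpenSSL for Ruby' project
 * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
 * All rights reserved.
@@ -14,10 +14,10 @@
 if (!(spki)) { \
 ossl_raise(rb_eRuntimeError, "SPKI wasn't initialized!"); \
 } \
-(obj) =
+(obj) = TypedData_Wrap_Struct((klass), &ossl_netscape_spki_type, (spki)); \
 } while (0)
 #define GetSPKI(obj, spki) do { \
-
+TypedData_Get_Struct((obj), NETSCAPE_SPKI, &ossl_netscape_spki_type, (spki)); \
 if (!(spki)) { \
 ossl_raise(rb_eRuntimeError, "SPKI wasn't initialized!"); \
 } \
@@ -37,6 +37,21 @@ VALUE eSPKIError;
 /*
 * Private functions
 */
+
+static void
+ossl_netscape_spki_free(void *spki)
+{
+NETSCAPE_SPKI_free(spki);
+}
+
+static const rb_data_type_t ossl_netscape_spki_type = {
+"OpenSSL/NETSCAPE_SPKI",
+{
+0, ossl_netscape_spki_free,
+},
+0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 static VALUE
 ossl_spki_alloc(VALUE klass)
 {
@@ -360,7 +375,7 @@ ossl_spki_verify(VALUE self, VALUE key)
 */
 
 void
-Init_ossl_ns_spki()
+Init_ossl_ns_spki(void)
 {
 #if 0
 mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */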
@@ -1,5 +1,5 @@
|
|
1
1
|
/*
|
2
|
-
* $Id$
|
2
|
+
* $Id: ossl_ocsp.c 48798 2014-12-12 21:58:22Z nobu $
|
3
3
|
* 'OpenSSL for Ruby' project
|
4
4
|
* Copyright (C) 2003 Michal Rokos <m.rokos@sh.cvut.cz>
|
5
5
|
* Copyright (C) 2003 GOTOU Yuuzou <gotoyuzo@notwork.org>
|
@@ -15,10 +15,10 @@
|
|
15
15
|
|
16
16
|
#define WrapOCSPReq(klass, obj, req) do { \
|
17
17
|
if(!(req)) ossl_raise(rb_eRuntimeError, "Request wasn't initialized!"); \
|
18
|
-
(obj) =
|
18
|
+
(obj) = TypedData_Wrap_Struct((klass), &ossl_ocsp_request_type, (req)); \
|
19
19
|
} while (0)
|
20
20
|
#define GetOCSPReq(obj, req) do { \
|
21
|
-
|
21
|
+
TypedData_Get_Struct((obj), OCSP_REQUEST, &ossl_ocsp_request_type, (req)); \
|
22
22
|
if(!(req)) ossl_raise(rb_eRuntimeError, "Request wasn't initialized!"); \
|
23
23
|
} while (0)
|
24
24
|
#define SafeGetOCSPReq(obj, req) do { \
|
@@ -28,10 +28,10 @@
|
|
28
28
|
|
29
29
|
#define WrapOCSPRes(klass, obj, res) do { \
|
30
30
|
if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
|
31
|
-
(obj) =
|
31
|
+
(obj) = TypedData_Wrap_Struct((klass), &ossl_ocsp_response_type, (res)); \
|
32
32
|
} while (0)
|
33
33
|
#define GetOCSPRes(obj, res) do { \
|
34
|
-
|
34
|
+
TypedData_Get_Struct((obj), OCSP_RESPONSE, &ossl_ocsp_response_type, (res)); \
|
35
35
|
if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
|
36
36
|
} while (0)
|
37
37
|
#define SafeGetOCSPRes(obj, res) do { \
|
@@ -41,10 +41,10 @@
|
|
41
41
|
|
42
42
|
#define WrapOCSPBasicRes(klass, obj, res) do { \
|
43
43
|
if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
|
44
|
-
(obj) =
|
44
|
+
(obj) = TypedData_Wrap_Struct((klass), &ossl_ocsp_basicresp_type, (res)); \
|
45
45
|
} while (0)
|
46
46
|
#define GetOCSPBasicRes(obj, res) do { \
|
47
|
-
|
47
|
+
TypedData_Get_Struct((obj), OCSP_BASICRESP, &ossl_ocsp_basicresp_type, (res)); \
|
48
48
|
if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
|
49
49
|
} while (0)
|
50
50
|
#define SafeGetOCSPBasicRes(obj, res) do { \
|
@@ -54,10 +54,10 @@
|
|
54
54
|
|
55
55
|
#define WrapOCSPCertId(klass, obj, cid) do { \
|
56
56
|
if(!(cid)) ossl_raise(rb_eRuntimeError, "Cert ID wasn't initialized!"); \
|
57
|
-
(obj) =
|
57
|
+
(obj) = TypedData_Wrap_Struct((klass), &ossl_ocsp_certid_type, (cid)); \
|
58
58
|
} while (0)
|
59
59
|
#define GetOCSPCertId(obj, cid) do { \
|
60
|
-
|
60
|
+
TypedData_Get_Struct((obj), OCSP_CERTID, &ossl_ocsp_certid_type, (cid)); \
|
61
61
|
if(!(cid)) ossl_raise(rb_eRuntimeError, "Cert ID wasn't initialized!"); \
|
62
62
|
} while (0)
|
63
63
|
#define SafeGetOCSPCertId(obj, cid) do { \
|
@@ -72,6 +72,62 @@ VALUE cOCSPRes;
|
|
72
72
|
VALUE cOCSPBasicRes;
|
73
73
|
VALUE cOCSPCertId;
|
74
74
|
|
75
|
+
static void
|
76
|
+
ossl_ocsp_request_free(void *ptr)
|
77
|
+
{
|
78
|
+
OCSP_REQUEST_free(ptr);
|
79
|
+
}
|
80
|
+
|
81
|
+
static const rb_data_type_t ossl_ocsp_request_type = {
|
82
|
+
"OpenSSL/OCSP/REQUEST",
|
83
|
+
{
|
84
|
+
0, ossl_ocsp_request_free,
|
85
|
+
},
|
86
|
+
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
87
|
+
};
|
88
|
+
|
89
|
+
static void
|
90
|
+
ossl_ocsp_response_free(void *ptr)
|
91
|
+
{
|
92
|
+
OCSP_RESPONSE_free(ptr);
|
93
|
+
}
|
94
|
+
|
95
|
+
static const rb_data_type_t ossl_ocsp_response_type = {
|
96
|
+
"OpenSSL/OCSP/RESPONSE",
|
97
|
+
{
|
98
|
+
0, ossl_ocsp_response_free,
|
99
|
+
},
|
100
|
+
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
101
|
+
};
|
102
|
+
|
103
|
+
static void
|
104
|
+
ossl_ocsp_basicresp_free(void *ptr)
|
105
|
+
{
|
106
|
+
OCSP_BASICRESP_free(ptr);
|
107
|
+
}
|
108
|
+
|
109
|
+
static const rb_data_type_t ossl_ocsp_basicresp_type = {
|
110
|
+
"OpenSSL/OCSP/BASICRESP",
|
111
|
+
{
|
112
|
+
0, ossl_ocsp_basicresp_free,
|
113
|
+
},
|
114
|
+
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
115
|
+
};
|
116
|
+
|
117
|
+
static void
|
118
|
+
ossl_ocsp_certid_free(void *ptr)
|
119
|
+
{
|
120
|
+
OCSP_CERTID_free(ptr);
|
121
|
+
}
|
122
|
+
|
123
|
+
static const rb_data_type_t ossl_ocsp_certid_type = {
|
124
|
+
"OpenSSL/OCSP/CERTID",
|
125
|
+
{
|
126
|
+
0, ossl_ocsp_certid_free,
|
127
|
+
},
|
128
|
+
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
129
|
+
};
|
130
|
+
|
75
131
|
/*
|
76
132
|
* Public
|
77
133
|
*/
|
@@ -99,6 +155,15 @@ ossl_ocspreq_alloc(VALUE klass)
|
|
99
155
|
return obj;
|
100
156
|
}
|
101
157
|
|
158
|
+
/*
|
159
|
+
* call-seq:
|
160
|
+
* OpenSSL::OCSP::Request.new -> request
|
161
|
+
* OpenSSL::OCSP::Request.new(request_der) -> request
|
162
|
+
*
|
163
|
+
* Creates a new OpenSSL::OCSP::Request. The request may be created empty or
|
164
|
+
* from a +request_der+ string.
|
165
|
+
*/
|
166
|
+
|
102
167
|
static VALUE
|
103
168
|
ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
|
104
169
|
{
|
@@ -121,6 +186,17 @@ ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
|
|
121
186
|
return self;
|
122
187
|
}
|
123
188
|
|
189
|
+
/*
|
190
|
+
* call-seq:
|
191
|
+
* request.add_nonce(nonce = nil) -> request
|
192
|
+
*
|
193
|
+
* Adds a +nonce+ to the OCSP request. If no nonce is given a random one will
|
194
|
+
* be generated.
|
195
|
+
*
|
196
|
+
* The nonce is used to prevent replay attacks but some servers do not support
|
197
|
+
* it.
|
198
|
+
*/
|
199
|
+
|
124
200
|
static VALUE
|
125
201
|
ossl_ocspreq_add_nonce(int argc, VALUE *argv, VALUE self)
|
126
202
|
{
|
@@ -143,18 +219,25 @@ ossl_ocspreq_add_nonce(int argc, VALUE *argv, VALUE self)
|
|
143
219
|
return self;
|
144
220
|
}
|
145
221
|
|
146
|
-
/*
|
147
|
-
*
|
148
|
-
*
|
149
|
-
*
|
150
|
-
*
|
151
|
-
*
|
152
|
-
*
|
222
|
+
/*
|
223
|
+
* call-seq:
|
224
|
+
* request.check_nonce(response) -> result
|
225
|
+
*
|
226
|
+
* Checks the nonce validity for this request and +response+.
|
227
|
+
*
|
228
|
+
* The return value is one of the following:
|
153
229
|
*
|
154
|
-
*
|
155
|
-
*
|
156
|
-
*
|
230
|
+
* -1 :: nonce in request only.
|
231
|
+
* 0 :: nonces both present and not equal.
|
232
|
+
* 1 :: nonces present and equal.
|
233
|
+
* 2 :: nonces both absent.
|
234
|
+
* 3 :: nonce present in response only.
|
235
|
+
*
|
236
|
+
* For most responses, clients can check +result+ > 0. If a responder doesn't
|
237
|
+
* handle nonces <code>result.nonzero?</code> may be necessary. A result of
|
238
|
+
* <code>0</code> is always an error.
|
157
239
|
*/
|
240
|
+
|
158
241
|
static VALUE
|
159
242
|
ossl_ocspreq_check_nonce(VALUE self, VALUE basic_resp)
|
160
243
|
{
|
@@ -169,6 +252,13 @@ ossl_ocspreq_check_nonce(VALUE self, VALUE basic_resp)
|
|
169
252
|
return INT2NUM(res);
|
170
253
|
}
|
171
254
|
|
255
|
+
/*
|
256
|
+
* call-seq:
|
257
|
+
* request.add_certid(certificate_id) -> request
|
258
|
+
*
|
259
|
+
* Adds +certificate_id+ to the request.
|
260
|
+
*/
|
261
|
+
|
172
262
|
static VALUE
|
173
263
|
ossl_ocspreq_add_certid(VALUE self, VALUE certid)
|
174
264
|
{
|
@@ -183,6 +273,13 @@ ossl_ocspreq_add_certid(VALUE self, VALUE certid)
|
|
183
273
|
return self;
|
184
274
|
}
|
185
275
|
|
276
|
+
/*
|
277
|
+
* call-seq:
|
278
|
+
* request.certid -> [certificate_id, ...]
|
279
|
+
*
|
280
|
+
* Returns all certificate IDs in this request.
|
281
|
+
*/
|
282
|
+
|
186
283
|
static VALUE
|
187
284
|
ossl_ocspreq_get_certid(VALUE self)
|
188
285
|
{
|
@@ -206,6 +303,17 @@ ossl_ocspreq_get_certid(VALUE self)
|
|
206
303
|
return ary;
|
207
304
|
}
|
208
305
|
|
306
|
+
/*
|
307
|
+
* call-seq:
|
308
|
+
* request.sign(signer_cert, signer_key) -> self
|
309
|
+
* request.sign(signer_cert, signer_key, certificates) -> self
|
310
|
+
* request.sign(signer_cert, signer_key, certificates, flags) -> self
|
311
|
+
*
|
312
|
+
* Signs this OCSP request using +signer_cert+ and +signer_key+.
|
313
|
+
* +certificates+ is an optional Array of certificates that may be included in
|
314
|
+
* the request.
|
315
|
+
*/
|
316
|
+
|
209
317
|
static VALUE
|
210
318
|
ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
|
211
319
|
{
|
@@ -234,6 +342,14 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
|
|
234
342
|
return self;
|
235
343
|
}
|
236
344
|
|
345
|
+
/*
|
346
|
+
* call-seq:
|
347
|
+
* request.verify(certificates, store) -> true or false
|
348
|
+
* request.verify(certificates, store, flags) -> true or false
|
349
|
+
*
|
350
|
+
* Verifies this request using the given +certificates+ and X509 +store+.
|
351
|
+
*/
|
352
|
+
|
237
353
|
static VALUE
|
238
354
|
ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
|
239
355
|
{
|
@@ -255,6 +371,10 @@ ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
|
|
255
371
|
return result ? Qtrue : Qfalse;
|
256
372
|
}
|
257
373
|
|
374
|
+
/*
|
375
|
+
* Returns this request as a DER-encoded string
|
376
|
+
*/
|
377
|
+
|
258
378
|
static VALUE
|
259
379
|
ossl_ocspreq_to_der(VALUE self)
|
260
380
|
{
|
@@ -278,6 +398,13 @@ ossl_ocspreq_to_der(VALUE self)
|
|
278
398
|
/*
|
279
399
|
* OCSP::Response
|
280
400
|
*/
|
401
|
+
|
402
|
+
/* call-seq:
|
403
|
+
* OpenSSL::OCSP::Response.create(status, basic_response = nil) -> response
|
404
|
+
*
|
405
|
+
* Creates an OpenSSL::OCSP::Response from +status+ and +basic_response+.
|
406
|
+
*/
|
407
|
+
|
281
408
|
static VALUE
|
282
409
|
ossl_ocspres_s_create(VALUE klass, VALUE status, VALUE basic_resp)
|
283
410
|
{
|
@@ -308,6 +435,15 @@ ossl_ocspres_alloc(VALUE klass)
|
|
308
435
|
return obj;
|
309
436
|
}
|
310
437
|
|
438
|
+
/*
|
439
|
+
* call-seq:
|
440
|
+
* OpenSSL::OCSP::Response.new -> response
|
441
|
+
* OpenSSL::OCSP::Response.new(response_der) -> response
|
442
|
+
*
|
443
|
+
* Creates a new OpenSSL::OCSP::Response. The response may be created empty or
|
444
|
+
* from a +response_der+ string.
|
445
|
+
*/
|
446
|
+
|
311
447
|
static VALUE
|
312
448
|
ossl_ocspres_initialize(int argc, VALUE *argv, VALUE self)
|
313
449
|
{
|
@@ -330,6 +466,13 @@ ossl_ocspres_initialize(int argc, VALUE *argv, VALUE self)
|
|
330
466
|
return self;
|
331
467
|
}
|
332
468
|
|
469
|
+
/*
|
470
|
+
* call-seq:
|
471
|
+
* response.status -> Integer
|
472
|
+
*
|
473
|
+
* Returns the status of the response.
|
474
|
+
*/
|
475
|
+
|
333
476
|
static VALUE
|
334
477
|
ossl_ocspres_status(VALUE self)
|
335
478
|
{
|
@@ -342,6 +485,13 @@ ossl_ocspres_status(VALUE self)
|
|
342
485
|
return INT2NUM(st);
|
343
486
|
}
|
344
487
|
|
488
|
+
/*
|
489
|
+
* call-seq:
|
490
|
+
* response.status_string -> String
|
491
|
+
*
|
492
|
+
* Returns a status string for the response.
|
493
|
+
*/
|
494
|
+
|
345
495
|
static VALUE
|
346
496
|
ossl_ocspres_status_string(VALUE self)
|
347
497
|
{
|
@@ -354,6 +504,13 @@ ossl_ocspres_status_string(VALUE self)
|
|
354
504
|
return rb_str_new2(OCSP_response_status_str(st));
|
355
505
|
}
|
356
506
|
|
507
|
+
/*
|
508
|
+
* call-seq:
|
509
|
+
* response.basic
|
510
|
+
*
|
511
|
+
* Returns a BasicResponse for this response
|
512
|
+
*/
|
513
|
+
|
357
514
|
static VALUE
|
358
515
|
ossl_ocspres_get_basic(VALUE self)
|
359
516
|
{
|
@@ -369,6 +526,13 @@ ossl_ocspres_get_basic(VALUE self)
|
|
369
526
|
return ret;
|
370
527
|
}
|
371
528
|
|
529
|
+
/*
|
530
|
+
* call-seq:
|
531
|
+
* response.to_der -> String
|
532
|
+
*
|
533
|
+
* Returns this response as a DER-encoded string.
|
534
|
+
*/
|
535
|
+
|
372
536
|
static VALUE
|
373
537
|
ossl_ocspres_to_der(VALUE self)
|
374
538
|
{
|
@@ -405,12 +569,27 @@ ossl_ocspbres_alloc(VALUE klass)
|
|
405
569
|
return obj;
|
406
570
|
}
|
407
571
|
|
572
|
+
/*
|
573
|
+
* call-seq:
|
574
|
+
* OpenSSL::OCSP::BasicResponse.new(*) -> basic_response
|
575
|
+
*
|
576
|
+
* Creates a new BasicResponse and ignores all arguments.
|
577
|
+
*/
|
578
|
+
|
408
579
|
static VALUE
|
409
580
|
ossl_ocspbres_initialize(int argc, VALUE *argv, VALUE self)
|
410
581
|
{
|
411
582
|
return self;
|
412
583
|
}
|
413
584
|
|
585
|
+
/*
|
586
|
+
* call-seq:
|
587
|
+
* basic_response.copy_nonce(request) -> Integer
|
588
|
+
*
|
589
|
+
* Copies the nonce from +request+ into this response. Returns 1 on success
|
590
|
+
* and 0 on failure.
|
591
|
+
*/
|
592
|
+
|
414
593
|
static VALUE
|
415
594
|
ossl_ocspbres_copy_nonce(VALUE self, VALUE request)
|
416
595
|
{
|
@@ -425,6 +604,14 @@ ossl_ocspbres_copy_nonce(VALUE self, VALUE request)
|
|
425
604
|
return INT2NUM(ret);
|
426
605
|
}
|
427
606
|
|
607
|
+
/*
|
608
|
+
* call-seq:
|
609
|
+
* basic_response.add_nonce(nonce = nil)
|
610
|
+
*
|
611
|
+
* Adds +nonce+ to this response. If no nonce was provided a random nonce
|
612
|
+
* will be added.
|
613
|
+
*/
|
614
|
+
|
428
615
|
static VALUE
|
429
616
|
ossl_ocspbres_add_nonce(int argc, VALUE *argv, VALUE self)
|
430
617
|
{
|
@@ -447,6 +634,22 @@ ossl_ocspbres_add_nonce(int argc, VALUE *argv, VALUE self)
|
|
447
634
|
return self;
|
448
635
|
}
|
449
636
|
|
637
|
+
/*
|
638
|
+
* call-seq:
|
639
|
+
* basic_response.add_status(certificate_id, status, reason, revocation_time, this_update, next_update, extensions) -> basic_response
|
640
|
+
*
|
641
|
+
* Adds a validation +status+ (0 for revoked, 1 for success) to this
|
642
|
+
* response for +certificate_id+. +reason+ describes the reason for the
|
643
|
+
* revocation, if any.
|
644
|
+
*
|
645
|
+
* The +revocation_time+, +this_update+ and +next_update+ are times for the
|
646
|
+
* certificate's revocation time, the time of this status and the next update
|
647
|
+
* time for a new status, respectively.
|
648
|
+
*
|
649
|
+
* +extensions+ may be an Array of OpenSSL::X509::Extension that will
|
650
|
+
* be added to this response or nil.
|
651
|
+
*/
|
652
|
+
|
450
653
|
static VALUE
|
451
654
|
ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
|
452
655
|
VALUE reason, VALUE revtime,
|
@@ -515,6 +718,16 @@ ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
|
|
515
718
|
return self;
|
516
719
|
}
|
517
720
|
|
721
|
+
/*
|
722
|
+
* call-seq:
|
723
|
+
* basic_response.status -> statuses
|
724
|
+
*
|
725
|
+
* Returns an Array of statuses for this response. Each status contains a
|
726
|
+
* CertificateId, the status (0 for success, 1 for revoked), the reason for
|
727
|
+
* the status, the revocation time, the time of this update, the time for the
|
728
|
+
* next update and a list of OpenSSL::X509::Extensions.
|
729
|
+
*/
|
730
|
+
|
518
731
|
static VALUE
|
519
732
|
ossl_ocspbres_get_status(VALUE self)
|
520
733
|
{
|
@@ -560,6 +773,16 @@ ossl_ocspbres_get_status(VALUE self)
|
|
560
773
|
return ret;
|
561
774
|
}
|
562
775
|
|
776
|
+
/*
|
777
|
+
* call-seq:
|
778
|
+
* basic_response.sign(signer_cert, signer_key) -> self
|
779
|
+
* basic_response.sign(signer_cert, signer_key, certificates) -> self
|
780
|
+
* basic_response.sign(signer_cert, signer_key, certificates, flags) -> self
|
781
|
+
*
|
782
|
+
* Signs this response using the +signer_cert+ and +signer_key+. Additional
|
783
|
+
* +certificates+ may be added to the signature along with a set of +flags+.
|
784
|
+
*/
|
785
|
+
|
563
786
|
static VALUE
|
564
787
|
ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
|
565
788
|
{
|
@@ -590,6 +813,14 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
|
|
590
813
|
return self;
|
591
814
|
}
|
592
815
|
|
816
|
+
/*
|
817
|
+
* call-seq:
|
818
|
+
* basic_response.verify(certificates, store) -> true or false
|
819
|
+
* basic_response.verify(certificates, store, flags) -> true or false
|
820
|
+
*
|
821
|
+
* Verifies the signature of the response using the given +certificates+,
|
822
|
+
* +store+ and +flags+.
|
823
|
+
*/
|
593
824
|
static VALUE
|
594
825
|
ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
|
595
826
|
{
|
@@ -627,6 +858,15 @@ ossl_ocspcid_alloc(VALUE klass)
|
|
627
858
|
return obj;
|
628
859
|
}
|
629
860
|
|
861
|
+
/*
|
862
|
+
* call-seq:
|
863
|
+
* OpenSSL::OCSP::CertificateId.new(subject, issuer, digest = nil) -> certificate_id
|
864
|
+
*
|
865
|
+
* Creates a new OpenSSL::OCSP::CertificateId for the given +subject+ and
|
866
|
+
* +issuer+ X509 certificates. The +digest+ is used to compute the
|
867
|
+
* certificate ID and must be an OpenSSL::Digest instance.
|
868
|
+
*/
|
869
|
+
|
630
870
|
static VALUE
|
631
871
|
ossl_ocspcid_initialize(int argc, VALUE *argv, VALUE self)
|
632
872
|
{
|
@@ -657,6 +897,13 @@ ossl_ocspcid_initialize(int argc, VALUE *argv, VALUE self)
|
|
657
897
|
return self;
|
658
898
|
}
|
659
899
|
|
900
|
+
/*
|
901
|
+
* call-seq:
|
902
|
+
* certificate_id.cmp(other) -> true or false
|
903
|
+
*
|
904
|
+
* Compares this certificate id with +other+ and returns true if they are the
|
905
|
+
* same.
|
906
|
+
*/
|
660
907
|
static VALUE
|
661
908
|
ossl_ocspcid_cmp(VALUE self, VALUE other)
|
662
909
|
{
|
@@ -670,6 +917,14 @@ ossl_ocspcid_cmp(VALUE self, VALUE other)
|
|
670
917
|
return (result == 0) ? Qtrue : Qfalse;
|
671
918
|
}
|
672
919
|
|
920
|
+
/*
|
921
|
+
* call-seq:
|
922
|
+
* certificate_id.cmp_issuer(other) -> true or false
|
923
|
+
*
|
924
|
+
* Compares this certificate id's issuer with +other+ and returns true if
|
925
|
+
* they are the same.
|
926
|
+
*/
|
927
|
+
|
673
928
|
static VALUE
|
674
929
|
ossl_ocspcid_cmp_issuer(VALUE self, VALUE other)
|
675
930
|
{
|
@@ -683,6 +938,13 @@ ossl_ocspcid_cmp_issuer(VALUE self, VALUE other)
|
|
683
938
|
return (result == 0) ? Qtrue : Qfalse;
|
684
939
|
}
|
685
940
|
|
941
|
+
/*
|
942
|
+
* call-seq:
|
943
|
+
* certificate_id.get_serial -> Integer
|
944
|
+
*
|
945
|
+
* Returns the serial number of the issuing certificate.
|
946
|
+
*/
|
947
|
+
|
686
948
|
static VALUE
|
687
949
|
ossl_ocspcid_get_serial(VALUE self)
|
688
950
|
{
|
@@ -694,12 +956,132 @@ ossl_ocspcid_get_serial(VALUE self)
|
|
694
956
|
}
|
695
957
|
|
696
958
|
void
|
697
|
-
Init_ossl_ocsp()
|
959
|
+
Init_ossl_ocsp(void)
|
698
960
|
{
|
961
|
+
/*
|
962
|
+
* OpenSSL::OCSP implements Online Certificate Status Protocol requests
|
963
|
+
* and responses.
|
964
|
+
*
|
965
|
+
* Creating and sending an OCSP request requires a subject certificate
|
966
|
+
* that contains an OCSP URL in an authorityInfoAccess extension and the
|
967
|
+
* issuer certificate for the subject certificate. First, load the issuer
|
968
|
+
* and subject certificates:
|
969
|
+
*
|
970
|
+
* subject = OpenSSL::X509::Certificate.new subject_pem
|
971
|
+
* issuer = OpenSSL::X509::Certificate.new issuer_pem
|
972
|
+
*
|
973
|
+
* To create the request we need to create a certificate ID for the
|
974
|
+
* subject certificate so the CA knows which certificate we are asking
|
975
|
+
* about:
|
976
|
+
*
|
977
|
+
* digest = OpenSSL::Digest::SHA1.new
|
978
|
+
* certificate_id =
|
979
|
+
* OpenSSL::OCSP::CertificateId.new subject, issuer, digest
|
980
|
+
*
|
981
|
+
* Then create a request and add the certificate ID to it:
|
982
|
+
*
|
983
|
+
* request = OpenSSL::OCSP::Request.new
|
984
|
+
* request.add_certid certificate_id
|
985
|
+
*
|
986
|
+
* Adding a nonce to the request protects against replay attacks but not
|
987
|
+
* all CA process the nonce.
|
988
|
+
*
|
989
|
+
* request.add_nonce
|
990
|
+
*
|
991
|
+
* To submit the request to the CA for verification we need to extract the
|
992
|
+
* OCSP URI from the subject certificate:
|
993
|
+
*
|
994
|
+
* authority_info_access = subject.extensions.find do |extension|
|
995
|
+
* extension.oid == 'authorityInfoAccess'
|
996
|
+
* end
|
997
|
+
*
|
998
|
+
* descriptions = authority_info_access.value.split "\n"
|
999
|
+
* ocsp = descriptions.find do |description|
|
1000
|
+
* description.start_with? 'OCSP'
|
1001
|
+
* end
|
1002
|
+
*
|
1003
|
+
* require 'uri'
|
1004
|
+
*
|
1005
|
+
* ocsp_uri = URI ocsp[/URI:(.*)/, 1]
|
1006
|
+
*
|
1007
|
+
* To submit the request we'll POST the request to the OCSP URI (per RFC
|
1008
|
+
* 2560). Note that we only handle HTTP requests and don't handle any
|
1009
|
+
* redirects in this example, so this is insufficient for serious use.
|
1010
|
+
*
|
1011
|
+
* require 'net/http'
|
1012
|
+
*
|
1013
|
+
* http_response =
|
1014
|
+
* Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http|
|
1015
|
+
* http.post ocsp_uri.path, request.to_der,
|
1016
|
+
* 'content-type' => 'application/ocsp-request'
|
1017
|
+
* end
|
1018
|
+
*
|
1019
|
+
* response = OpenSSL::OCSP::Response.new http_response.body
|
1020
|
+
* response_basic = response.basic
|
1021
|
+
*
|
1022
|
+
* First we check if the response has a valid signature. Without a valid
|
1023
|
+
* signature we cannot trust it. If you get a failure here you may be
|
1024
|
+
* missing a system certificate store or may be missing the intermediate
|
1025
|
+
* certificates.
|
1026
|
+
*
|
1027
|
+
* store = OpenSSL::X509::Store.new
|
1028
|
+
* store.set_default_paths
|
1029
|
+
*
|
1030
|
+
* unless response.verify [], store then
|
1031
|
+
* raise 'response is not signed by a trusted certificate'
|
1032
|
+
* end
|
1033
|
+
*
|
1034
|
+
* The response contains the status information (success/fail). We can
|
1035
|
+
* display the status as a string:
|
1036
|
+
*
|
1037
|
+
* puts response.status_string #=> successful
|
1038
|
+
*
|
1039
|
+
* Next we need to know the response details to determine if the response
|
1040
|
+
* matches our request. First we check the nonce. Again, not all CAs
|
1041
|
+
* support a nonce. See Request#check_nonce for the meanings of the
|
1042
|
+
* return values.
|
1043
|
+
*
|
1044
|
+
* p request.check_nonce basic_response #=> value from -1 to 3
|
1045
|
+
*
|
1046
|
+
* Then extract the status information from the basic response. (You can
|
1047
|
+
* check multiple certificates in a request, but for this example we only
|
1048
|
+
* submitted one.)
|
1049
|
+
*
|
1050
|
+
* response_certificate_id, status, reason, revocation_time,
|
1051
|
+
* this_update, next_update, extensions = basic_response.status
|
1052
|
+
*
|
1053
|
+
* Then check the various fields.
|
1054
|
+
*
|
1055
|
+
* unless response_certificate_id == certificate_id then
|
1056
|
+
* raise 'certificate id mismatch'
|
1057
|
+
* end
|
1058
|
+
*
|
1059
|
+
* now = Time.now
|
1060
|
+
*
|
1061
|
+
* if this_update > now then
|
1062
|
+
* raise 'update date is in the future'
|
1063
|
+
* end
|
1064
|
+
*
|
1065
|
+
* if now > next_update then
|
1066
|
+
* raise 'next update time has passed'
|
1067
|
+
* end
|
1068
|
+
*/
|
1069
|
+
|
699
1070
|
mOCSP = rb_define_module_under(mOSSL, "OCSP");
|
700
1071
|
|
1072
|
+
/*
|
1073
|
+
* OCSP error class.
|
1074
|
+
*/
|
1075
|
+
|
701
1076
|
eOCSPError = rb_define_class_under(mOCSP, "OCSPError", eOSSLError);
|
702
1077
|
|
1078
|
+
/*
|
1079
|
+
* An OpenSSL::OCSP::Request contains the certificate information for
|
1080
|
+
* determining if a certificate has been revoked or not. A Request can be
|
1081
|
+
* created for a certificate or from a DER-encoded request created
|
1082
|
+
* elsewhere.
|
1083
|
+
*/
|
1084
|
+
|
703
1085
|
cOCSPReq = rb_define_class_under(mOCSP, "Request", rb_cObject);
|
704
1086
|
rb_define_alloc_func(cOCSPReq, ossl_ocspreq_alloc);
|
705
1087
|
rb_define_method(cOCSPReq, "initialize", ossl_ocspreq_initialize, -1);
|
@@ -711,6 +1093,11 @@ Init_ossl_ocsp()
|
|
711
1093
|
rb_define_method(cOCSPReq, "verify", ossl_ocspreq_verify, -1);
|
712
1094
|
rb_define_method(cOCSPReq, "to_der", ossl_ocspreq_to_der, 0);
|
713
1095
|
|
1096
|
+
/*
|
1097
|
+
* An OpenSSL::OCSP::Response contains the status of a certificate check
|
1098
|
+
* which is created from an OpenSSL::OCSP::Request.
|
1099
|
+
*/
|
1100
|
+
|
714
1101
|
cOCSPRes = rb_define_class_under(mOCSP, "Response", rb_cObject);
|
715
1102
|
rb_define_singleton_method(cOCSPRes, "create", ossl_ocspres_s_create, 2);
|
716
1103
|
rb_define_alloc_func(cOCSPRes, ossl_ocspres_alloc);
|
@@ -720,6 +1107,12 @@ Init_ossl_ocsp()
|
|
720
1107
|
rb_define_method(cOCSPRes, "basic", ossl_ocspres_get_basic, 0);
|
721
1108
|
rb_define_method(cOCSPRes, "to_der", ossl_ocspres_to_der, 0);
|
722
1109
|
|
1110
|
+
/*
|
1111
|
+
* An OpenSSL::OCSP::BasicResponse contains the status of a certificate
|
1112
|
+
* check which is created from an OpenSSL::OCSP::Request. A
|
1113
|
+
* BasicResponse is more detailed than a Response.
|
1114
|
+
*/
|
1115
|
+
|
723
1116
|
cOCSPBasicRes = rb_define_class_under(mOCSP, "BasicResponse", rb_cObject);
|
724
1117
|
rb_define_alloc_func(cOCSPBasicRes, ossl_ocspbres_alloc);
|
725
1118
|
rb_define_method(cOCSPBasicRes, "initialize", ossl_ocspbres_initialize, -1);
|
@@ -730,6 +1123,11 @@ Init_ossl_ocsp()
|
|
730
1123
|
rb_define_method(cOCSPBasicRes, "sign", ossl_ocspbres_sign, -1);
|
731
1124
|
rb_define_method(cOCSPBasicRes, "verify", ossl_ocspbres_verify, -1);
|
732
1125
|
|
1126
|
+
/*
|
1127
|
+
* An OpenSSL::OCSP::CertificateId identifies a certificate to the CA so
|
1128
|
+
* that a status check can be performed.
|
1129
|
+
*/
|
1130
|
+
|
733
1131
|
cOCSPCertId = rb_define_class_under(mOCSP, "CertificateId", rb_cObject);
|
734
1132
|
rb_define_alloc_func(cOCSPCertId, ossl_ocspcid_alloc);
|
735
1133
|
rb_define_method(cOCSPCertId, "initialize", ossl_ocspcid_initialize, -1);
|
@@ -737,50 +1135,110 @@ Init_ossl_ocsp()
|
|
737
1135
|
rb_define_method(cOCSPCertId, "cmp_issuer", ossl_ocspcid_cmp_issuer, 1);
|
738
1136
|
rb_define_method(cOCSPCertId, "serial", ossl_ocspcid_get_serial, 0);
|
739
1137
|
|
740
|
-
|
741
|
-
|
742
|
-
|
743
|
-
|
744
|
-
|
745
|
-
|
746
|
-
|
747
|
-
|
748
|
-
|
749
|
-
|
750
|
-
|
751
|
-
|
752
|
-
|
753
|
-
|
754
|
-
|
755
|
-
|
756
|
-
|
757
|
-
|
758
|
-
|
759
|
-
|
760
|
-
|
761
|
-
|
762
|
-
|
763
|
-
|
764
|
-
|
765
|
-
|
766
|
-
|
767
|
-
|
768
|
-
|
769
|
-
|
770
|
-
|
771
|
-
|
772
|
-
|
773
|
-
|
774
|
-
|
775
|
-
|
776
|
-
|
777
|
-
|
778
|
-
|
1138
|
+
/* Internal error in issuer */
|
1139
|
+
rb_define_const(mOCSP, "RESPONSE_STATUS_INTERNALERROR", INT2NUM(OCSP_RESPONSE_STATUS_INTERNALERROR));
|
1140
|
+
|
1141
|
+
/* Illegal confirmation request */
|
1142
|
+
rb_define_const(mOCSP, "RESPONSE_STATUS_MALFORMEDREQUEST", INT2NUM(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST));
|
1143
|
+
|
1144
|
+
/* The certificate was revoked for an unknown reason */
|
1145
|
+
rb_define_const(mOCSP, "REVOKED_STATUS_NOSTATUS", INT2NUM(OCSP_REVOKED_STATUS_NOSTATUS));
|
1146
|
+
|
1147
|
+
/* You must sign the request and resubmit */
|
1148
|
+
rb_define_const(mOCSP, "RESPONSE_STATUS_SIGREQUIRED", INT2NUM(OCSP_RESPONSE_STATUS_SIGREQUIRED));
|
1149
|
+
|
1150
|
+
/* Response has valid confirmations */
|
1151
|
+
rb_define_const(mOCSP, "RESPONSE_STATUS_SUCCESSFUL", INT2NUM(OCSP_RESPONSE_STATUS_SUCCESSFUL));
|
1152
|
+
|
1153
|
+
/* Try again later */
|
1154
|
+
rb_define_const(mOCSP, "RESPONSE_STATUS_TRYLATER", INT2NUM(OCSP_RESPONSE_STATUS_TRYLATER));
|
1155
|
+
|
1156
|
+
/* The certificate subject's name or other information changed */
|
1157
|
+
rb_define_const(mOCSP, "REVOKED_STATUS_AFFILIATIONCHANGED", INT2NUM(OCSP_REVOKED_STATUS_AFFILIATIONCHANGED));
|
1158
|
+
|
1159
|
+
/* This CA certificate was revoked due to a key compromise */
|
1160
|
+
rb_define_const(mOCSP, "REVOKED_STATUS_CACOMPROMISE", INT2NUM(OCSP_REVOKED_STATUS_CACOMPROMISE));
|
1161
|
+
|
1162
|
+
/* The certificate is on hold */
|
1163
|
+
rb_define_const(mOCSP, "REVOKED_STATUS_CERTIFICATEHOLD", INT2NUM(OCSP_REVOKED_STATUS_CERTIFICATEHOLD));
|
1164
|
+
|
1165
|
+
/* The certificate is no longer needed */
|
1166
|
+
rb_define_const(mOCSP, "REVOKED_STATUS_CESSATIONOFOPERATION", INT2NUM(OCSP_REVOKED_STATUS_CESSATIONOFOPERATION));
|
1167
|
+
|
1168
|
+
/* The certificate was revoked due to a key compromise */
|
1169
|
+
rb_define_const(mOCSP, "REVOKED_STATUS_KEYCOMPROMISE", INT2NUM(OCSP_REVOKED_STATUS_KEYCOMPROMISE));
|
1170
|
+
|
1171
|
+
/* The certificate was previously on hold and should now be removed from
|
1172
|
+
* the CRL */
|
1173
|
+
rb_define_const(mOCSP, "REVOKED_STATUS_REMOVEFROMCRL", INT2NUM(OCSP_REVOKED_STATUS_REMOVEFROMCRL));
|
1174
|
+
|
1175
|
+
/* The certificate was superseded by a new certificate */
|
1176
|
+
rb_define_const(mOCSP, "REVOKED_STATUS_SUPERSEDED", INT2NUM(OCSP_REVOKED_STATUS_SUPERSEDED));
|
1177
|
+
|
1178
|
+
/* Your request is unauthorized. */
|
1179
|
+
rb_define_const(mOCSP, "RESPONSE_STATUS_UNAUTHORIZED", INT2NUM(OCSP_RESPONSE_STATUS_UNAUTHORIZED));
|
1180
|
+
|
1181
|
+
/* The certificate was revoked for an unspecified reason */
|
1182
|
+
rb_define_const(mOCSP, "REVOKED_STATUS_UNSPECIFIED", INT2NUM(OCSP_REVOKED_STATUS_UNSPECIFIED));
|
1183
|
+
|
1184
|
+
/* Do not include certificates in the response */
|
1185
|
+
rb_define_const(mOCSP, "NOCERTS", INT2NUM(OCSP_NOCERTS));
|
1186
|
+
|
1187
|
+
/* Do not search certificates contained in the response for a signer */
|
1188
|
+
rb_define_const(mOCSP, "NOINTERN", INT2NUM(OCSP_NOINTERN));
|
1189
|
+
|
1190
|
+
/* Do not check the signature on the response */
|
1191
|
+
rb_define_const(mOCSP, "NOSIGS", INT2NUM(OCSP_NOSIGS));
|
1192
|
+
|
1193
|
+
/* Do not verify the certificate chain on the response */
|
1194
|
+
rb_define_const(mOCSP, "NOCHAIN", INT2NUM(OCSP_NOCHAIN));
|
1195
|
+
|
1196
|
+
/* Do not verify the response at all */
|
1197
|
+
rb_define_const(mOCSP, "NOVERIFY", INT2NUM(OCSP_NOVERIFY));
|
1198
|
+
|
1199
|
+
/* Do not check trust */
|
1200
|
+
rb_define_const(mOCSP, "NOEXPLICIT", INT2NUM(OCSP_NOEXPLICIT));
|
1201
|
+
|
1202
|
+
/* (This flag is not used by OpenSSL 1.0.1g) */
|
1203
|
+
rb_define_const(mOCSP, "NOCASIGN", INT2NUM(OCSP_NOCASIGN));
|
1204
|
+
|
1205
|
+
/* (This flag is not used by OpenSSL 1.0.1g) */
|
1206
|
+
rb_define_const(mOCSP, "NODELEGATED", INT2NUM(OCSP_NODELEGATED));
|
1207
|
+
|
1208
|
+
/* Do not make additional signing certificate checks */
|
1209
|
+
rb_define_const(mOCSP, "NOCHECKS", INT2NUM(OCSP_NOCHECKS));
|
1210
|
+
|
1211
|
+
/* Do not verify additional certificates */
|
1212
|
+
rb_define_const(mOCSP, "TRUSTOTHER", INT2NUM(OCSP_TRUSTOTHER));
|
1213
|
+
|
1214
|
+
/* Identify the response by signing the certificate key ID */
|
1215
|
+
rb_define_const(mOCSP, "RESPID_KEY", INT2NUM(OCSP_RESPID_KEY));
|
1216
|
+
|
1217
|
+
/* Do not include producedAt time in response */
|
1218
|
+
rb_define_const(mOCSP, "NOTIME", INT2NUM(OCSP_NOTIME));
|
1219
|
+
|
1220
|
+
/* Indicates the certificate is not revoked but does not necessarily mean
|
1221
|
+
* the certificate was issued or that this response is within the
|
1222
|
+
* certificate's validity interval */
|
1223
|
+
rb_define_const(mOCSP, "V_CERTSTATUS_GOOD", INT2NUM(V_OCSP_CERTSTATUS_GOOD));
|
1224
|
+
/* Indicates the certificate has been revoked either permanently or
|
1225
|
+
* temporarily (on hold). */
|
1226
|
+
rb_define_const(mOCSP, "V_CERTSTATUS_REVOKED", INT2NUM(V_OCSP_CERTSTATUS_REVOKED));
|
1227
|
+
|
1228
|
+
/* Indicates the responder does not know about the certificate being
|
1229
|
+
* requested. */
|
1230
|
+
rb_define_const(mOCSP, "V_CERTSTATUS_UNKNOWN", INT2NUM(V_OCSP_CERTSTATUS_UNKNOWN));
|
1231
|
+
|
1232
|
+
/* The responder ID is based on the key name. */
|
1233
|
+
rb_define_const(mOCSP, "V_RESPID_NAME", INT2NUM(V_OCSP_RESPID_NAME));
|
1234
|
+
|
1235
|
+
/* The responder ID is based on the public key. */
|
1236
|
+
rb_define_const(mOCSP, "V_RESPID_KEY", INT2NUM(V_OCSP_RESPID_KEY));
|
779
1237
|
}
|
780
1238
|
|
781
1239
|
#else /* ! OSSL_OCSP_ENABLED */
|
782
1240
|
void
|
783
|
-
Init_ossl_ocsp()
|
1241
|
+
Init_ossl_ocsp(void)
|
784
1242
|
{
|
785
1243
|
}
|
786
1244
|
#endif
|