类 OpenSSL::OCSP::BasicResponse

一个 OpenSSL::OCSP::BasicResponse 包含从 OpenSSL::OCSP::Request 创建的证书检查状态。一个 BasicResponseResponse 更详细。

公共类方法

OpenSSL::OCSP::BasicResponse.new(der_string = nil) → basic_response 点击切换源代码

创建一个新的 BasicResponse。如果提供了 der_string,则将其作为 DER 解码。

static VALUE
ossl_ocspbres_initialize(int argc, VALUE *argv, VALUE self)
{
    VALUE arg;
    OCSP_BASICRESP *res, *res_new;
    const unsigned char *p;

    rb_scan_args(argc, argv, "01", &arg);
    if (!NIL_P(arg)) {
        GetOCSPBasicRes(self, res);
        arg = ossl_to_der_if_possible(arg);
        StringValue(arg);
        p = (unsigned char *)RSTRING_PTR(arg);
        res_new = d2i_OCSP_BASICRESP(NULL, &p, RSTRING_LEN(arg));
        if (!res_new)
            ossl_raise(eOCSPError, "d2i_OCSP_BASICRESP");
        SetOCSPBasicRes(self, res_new);
        OCSP_BASICRESP_free(res);
    }

    return self;
}

公共实例方法

add_nonce(nonce = nil) 点击切换源代码

nonce 添加到此响应中。如果没有提供 nonce,将添加一个随机 nonce。

static VALUE
ossl_ocspbres_add_nonce(int argc, VALUE *argv, VALUE self)
{
    OCSP_BASICRESP *bs;
    VALUE val;
    int ret;

    rb_scan_args(argc, argv, "01", &val);
    if(NIL_P(val)) {
        GetOCSPBasicRes(self, bs);
        ret = OCSP_basic_add1_nonce(bs, NULL, -1);
    }
    else{
        StringValue(val);
        GetOCSPBasicRes(self, bs);
        ret = OCSP_basic_add1_nonce(bs, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
    }
    if(!ret) ossl_raise(eOCSPError, NULL);

    return self;
}
add_status(certificate_id, status, reason, revocation_time, this_update, next_update, extensions) → basic_response 点击切换源代码

certificate_id 添加证书状态。status 是状态,必须是以下之一:

  • OpenSSL::OCSP::V_CERTSTATUS_GOOD

  • OpenSSL::OCSP::V_CERTSTATUS_REVOKED

  • OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN

只有当 status 为 OpenSSL::OCSP::V_CERTSTATUS_REVOKED 时,才能提供 reasonrevocation_timereason 描述撤销的原因,必须是 OpenSSL::OCSP::REVOKED_STATUS_* 常量之一。revocation_time 是证书被撤销的时间。

this_updatenext_update 分别指示验证状态正确的时间和可以获得更新信息的时间。next_update 是可选的。

extensions 是一个 OpenSSL::X509::Extension 数组,将被包含在 SingleResponse 中。这也是可选的。

请注意,时间 revocation_timethis_updatenext_update 可以用 Integer 或 Time 对象指定。如果它们是 Integer,则将其视为相对于当前时间的秒数。

static VALUE
ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
                         VALUE reason, VALUE revtime,
                         VALUE thisupd, VALUE nextupd, VALUE ext)
{
    OCSP_BASICRESP *bs;
    OCSP_SINGLERESP *single;
    OCSP_CERTID *id;
    ASN1_TIME *ths = NULL, *nxt = NULL, *rev = NULL;
    int st, rsn = 0, error = 0, rstatus = 0;
    long i;
    VALUE tmp;

    GetOCSPBasicRes(self, bs);
    GetOCSPCertId(cid, id);
    st = NUM2INT(status);
    if (!NIL_P(ext)) { /* All ext's members must be X509::Extension */
        ext = rb_check_array_type(ext);
        for (i = 0; i < RARRAY_LEN(ext); i++)
            OSSL_Check_Kind(RARRAY_AREF(ext, i), cX509Ext);
    }

    if (st == V_OCSP_CERTSTATUS_REVOKED) {
        rsn = NUM2INT(reason);
        tmp = rb_protect(add_status_convert_time, revtime, &rstatus);
        if (rstatus) goto err;
        rev = (ASN1_TIME *)tmp;
    }

    tmp = rb_protect(add_status_convert_time, thisupd, &rstatus);
    if (rstatus) goto err;
    ths = (ASN1_TIME *)tmp;

    if (!NIL_P(nextupd)) {
        tmp = rb_protect(add_status_convert_time, nextupd, &rstatus);
        if (rstatus) goto err;
        nxt = (ASN1_TIME *)tmp;
    }

    if(!(single = OCSP_basic_add1_status(bs, id, st, rsn, rev, ths, nxt))){
        error = 1;
        goto err;
    }

    if(!NIL_P(ext)){
        X509_EXTENSION *x509ext;

        for(i = 0; i < RARRAY_LEN(ext); i++){
            x509ext = GetX509ExtPtr(RARRAY_AREF(ext, i));
            if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)){
                error = 1;
                goto err;
            }
        }
    }

 err:
    ASN1_TIME_free(ths);
    ASN1_TIME_free(nxt);
    ASN1_TIME_free(rev);
    if(error) ossl_raise(eOCSPError, NULL);
    if(rstatus) rb_jump_tag(rstatus);

    return self;
}
copy_nonce(request) → Integer 点击切换源代码

request中的nonce复制到此响应中。成功返回1,失败返回0。

static VALUE
ossl_ocspbres_copy_nonce(VALUE self, VALUE request)
{
    OCSP_BASICRESP *bs;
    OCSP_REQUEST *req;
    int ret;

    GetOCSPBasicRes(self, bs);
    GetOCSPReq(request, req);
    ret = OCSP_copy_nonce(bs, req);

    return INT2NUM(ret);
}
find_response(certificate_id) → SingleResponse | nil 点击切换源代码

返回一个SingleResponse,其CertId与certificate_id匹配,如果此BasicResponse不包含它,则返回nil

static VALUE
ossl_ocspbres_find_response(VALUE self, VALUE target)
{
    OCSP_BASICRESP *bs;
    OCSP_SINGLERESP *sres, *sres_new;
    OCSP_CERTID *id;
    int n;

    GetOCSPCertId(target, id);
    GetOCSPBasicRes(self, bs);

    if ((n = OCSP_resp_find(bs, id, -1)) == -1)
        return Qnil;

    sres = OCSP_resp_get0(bs, n);
    sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres);
    if (!sres_new)
        ossl_raise(eOCSPError, "ASN1_item_dup");

    return ossl_ocspsres_new(sres_new);
}
initialize_copy(p1) 点击切换源代码
static VALUE
ossl_ocspbres_initialize_copy(VALUE self, VALUE other)
{
    OCSP_BASICRESP *bs, *bs_old, *bs_new;

    rb_check_frozen(self);
    GetOCSPBasicRes(self, bs_old);
    GetOCSPBasicRes(other, bs);

    bs_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
    if (!bs_new)
        ossl_raise(eOCSPError, "ASN1_item_dup");

    SetOCSPBasicRes(self, bs_new);
    OCSP_BASICRESP_free(bs_old);

    return self;
}
responses → Array of SingleResponse 点击切换源代码

返回此BasicResponseSingleResponse数组。

static VALUE
ossl_ocspbres_get_responses(VALUE self)
{
    OCSP_BASICRESP *bs;
    VALUE ret;
    int count, i;

    GetOCSPBasicRes(self, bs);
    count = OCSP_resp_count(bs);
    ret = rb_ary_new2(count);

    for (i = 0; i < count; i++) {
        OCSP_SINGLERESP *sres, *sres_new;

        sres = OCSP_resp_get0(bs, i);
        sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres);
        if (!sres_new)
            ossl_raise(eOCSPError, "ASN1_item_dup");

        rb_ary_push(ret, ossl_ocspsres_new(sres_new));
    }

    return ret;
}
sign(cert, key, certs = nil, flags = 0, digest = nil) → self 点击切换源代码

使用certkey和可选的digest对这个OCSP响应进行签名。这与OpenSSL::OCSP::Request#sign的行为类似。

flags可以包含

OpenSSL::OCSP::NOCERTS

不包含证书

OpenSSL::OCSP::NOTIME

不设置producedAt

OpenSSL::OCSP::RESPID_KEY

使用签名者的公钥哈希作为responderID

static VALUE
ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
{
    VALUE signer_cert, signer_key, certs, flags, digest;
    OCSP_BASICRESP *bs;
    X509 *signer;
    EVP_PKEY *key;
    STACK_OF(X509) *x509s = NULL;
    unsigned long flg = 0;
    const EVP_MD *md;
    int ret;

    rb_scan_args(argc, argv, "23", &signer_cert, &signer_key, &certs, &flags, &digest);
    GetOCSPBasicRes(self, bs);
    signer = GetX509CertPtr(signer_cert);
    key = GetPrivPKeyPtr(signer_key);
    if (!NIL_P(flags))
        flg = NUM2INT(flags);
    if (NIL_P(digest))
        md = NULL;
    else
        md = ossl_evp_get_digestbyname(digest);
    if (NIL_P(certs))
        flg |= OCSP_NOCERTS;
    else
        x509s = ossl_x509_ary2sk(certs);

    ret = OCSP_basic_sign(bs, signer, key, md, x509s, flg);
    sk_X509_pop_free(x509s, X509_free);
    if (!ret) ossl_raise(eOCSPError, NULL);

    return self;
}
status → statuses 点击切换源代码

返回此响应的状态数组。每个状态包含一个CertificateId、状态(0表示良好,1表示已吊销,2表示未知)、状态原因、吊销时间、更新时间、下次更新时间以及OpenSSL::X509::Extension列表。

这应该由BasicResponse#responsesfind_response取代,它们返回SingleResponse

static VALUE
ossl_ocspbres_get_status(VALUE self)
{
    OCSP_BASICRESP *bs;
    OCSP_SINGLERESP *single;
    OCSP_CERTID *cid;
    ASN1_TIME *revtime, *thisupd, *nextupd;
    int status, reason;
    X509_EXTENSION *x509ext;
    VALUE ret, ary, ext;
    int count, ext_count, i, j;

    GetOCSPBasicRes(self, bs);
    ret = rb_ary_new();
    count = OCSP_resp_count(bs);
    for(i = 0; i < count; i++){
        single = OCSP_resp_get0(bs, i);
        if(!single) continue;

        revtime = thisupd = nextupd = NULL;
        status = OCSP_single_get0_status(single, &reason, &revtime,
                                         &thisupd, &nextupd);
        if(status < 0) continue;
        if(!(cid = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(single)))) /* FIXME */
            ossl_raise(eOCSPError, NULL);
        ary = rb_ary_new();
        rb_ary_push(ary, ossl_ocspcertid_new(cid));
        rb_ary_push(ary, INT2NUM(status));
        rb_ary_push(ary, INT2NUM(reason));
        rb_ary_push(ary, revtime ? asn1time_to_time(revtime) : Qnil);
        rb_ary_push(ary, thisupd ? asn1time_to_time(thisupd) : Qnil);
        rb_ary_push(ary, nextupd ? asn1time_to_time(nextupd) : Qnil);
        ext = rb_ary_new();
        ext_count = OCSP_SINGLERESP_get_ext_count(single);
        for(j = 0; j < ext_count; j++){
            x509ext = OCSP_SINGLERESP_get_ext(single, j);
            rb_ary_push(ext, ossl_x509ext_new(x509ext));
        }
        rb_ary_push(ary, ext);
        rb_ary_push(ret, ary);
    }

    return ret;
}
to_der → String 点击切换源代码

将此基本响应编码为DER编码的字符串。

static VALUE
ossl_ocspbres_to_der(VALUE self)
{
    OCSP_BASICRESP *res;
    VALUE str;
    long len;
    unsigned char *p;

    GetOCSPBasicRes(self, res);
    if ((len = i2d_OCSP_BASICRESP(res, NULL)) <= 0)
        ossl_raise(eOCSPError, NULL);
    str = rb_str_new(0, len);
    p = (unsigned char *)RSTRING_PTR(str);
    if (i2d_OCSP_BASICRESP(res, &p) <= 0)
        ossl_raise(eOCSPError, NULL);
    ossl_str_adjust(str, p);

    return str;
}
verify(certificates, store, flags = 0) → true or false 点击切换源代码

使用给定的证书存储验证响应的签名。这与OpenSSL::OCSP::Request#verify的工作方式类似。

static VALUE
ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
{
    VALUE certs, store, flags;
    OCSP_BASICRESP *bs;
    STACK_OF(X509) *x509s;
    X509_STORE *x509st;
    int flg, result;

    rb_scan_args(argc, argv, "21", &certs, &store, &flags);
    GetOCSPBasicRes(self, bs);
    x509st = GetX509StorePtr(store);
    flg = NIL_P(flags) ? 0 : NUM2INT(flags);
    x509s = ossl_x509_ary2sk(certs);
    result = OCSP_basic_verify(bs, x509s, x509st, flg);
    sk_X509_pop_free(x509s, X509_free);
    if (result <= 0)
        ossl_clear_error();

    return result > 0 ? Qtrue : Qfalse;
}