Ruby 2.7.6p219 (2022-04-12 revision c9c2245c0a25176072e02db9254f0e0c84c805cd)
ossl_ocsp.c
Go to the documentation of this file.
1/*
2 * 'OpenSSL for Ruby' project
3 * Copyright (C) 2003 Michal Rokos <m.rokos@sh.cvut.cz>
4 * Copyright (C) 2003 GOTOU Yuuzou <gotoyuzo@notwork.org>
5 * All rights reserved.
6 */
7/*
8 * This program is licensed under the same licence as Ruby.
9 * (See the file 'LICENCE'.)
10 */
11#include "ossl.h"
12
13#if !defined(OPENSSL_NO_OCSP)
14
15#define NewOCSPReq(klass) \
16 TypedData_Wrap_Struct((klass), &ossl_ocsp_request_type, 0)
17#define SetOCSPReq(obj, req) do { \
18 if(!(req)) ossl_raise(rb_eRuntimeError, "Request wasn't initialized!"); \
19 RTYPEDDATA_DATA(obj) = (req); \
20} while (0)
21#define GetOCSPReq(obj, req) do { \
22 TypedData_Get_Struct((obj), OCSP_REQUEST, &ossl_ocsp_request_type, (req)); \
23 if(!(req)) ossl_raise(rb_eRuntimeError, "Request wasn't initialized!"); \
24} while (0)
25
26#define NewOCSPRes(klass) \
27 TypedData_Wrap_Struct((klass), &ossl_ocsp_response_type, 0)
28#define SetOCSPRes(obj, res) do { \
29 if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
30 RTYPEDDATA_DATA(obj) = (res); \
31} while (0)
32#define GetOCSPRes(obj, res) do { \
33 TypedData_Get_Struct((obj), OCSP_RESPONSE, &ossl_ocsp_response_type, (res)); \
34 if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
35} while (0)
36
37#define NewOCSPBasicRes(klass) \
38 TypedData_Wrap_Struct((klass), &ossl_ocsp_basicresp_type, 0)
39#define SetOCSPBasicRes(obj, res) do { \
40 if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
41 RTYPEDDATA_DATA(obj) = (res); \
42} while (0)
43#define GetOCSPBasicRes(obj, res) do { \
44 TypedData_Get_Struct((obj), OCSP_BASICRESP, &ossl_ocsp_basicresp_type, (res)); \
45 if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
46} while (0)
47
48#define NewOCSPSingleRes(klass) \
49 TypedData_Wrap_Struct((klass), &ossl_ocsp_singleresp_type, 0)
50#define SetOCSPSingleRes(obj, res) do { \
51 if(!(res)) ossl_raise(rb_eRuntimeError, "SingleResponse wasn't initialized!"); \
52 RTYPEDDATA_DATA(obj) = (res); \
53} while (0)
54#define GetOCSPSingleRes(obj, res) do { \
55 TypedData_Get_Struct((obj), OCSP_SINGLERESP, &ossl_ocsp_singleresp_type, (res)); \
56 if(!(res)) ossl_raise(rb_eRuntimeError, "SingleResponse wasn't initialized!"); \
57} while (0)
58
59#define NewOCSPCertId(klass) \
60 TypedData_Wrap_Struct((klass), &ossl_ocsp_certid_type, 0)
61#define SetOCSPCertId(obj, cid) do { \
62 if(!(cid)) ossl_raise(rb_eRuntimeError, "Cert ID wasn't initialized!"); \
63 RTYPEDDATA_DATA(obj) = (cid); \
64} while (0)
65#define GetOCSPCertId(obj, cid) do { \
66 TypedData_Get_Struct((obj), OCSP_CERTID, &ossl_ocsp_certid_type, (cid)); \
67 if(!(cid)) ossl_raise(rb_eRuntimeError, "Cert ID wasn't initialized!"); \
68} while (0)
69
77
78static void
79ossl_ocsp_request_free(void *ptr)
80{
81 OCSP_REQUEST_free(ptr);
82}
83
84static const rb_data_type_t ossl_ocsp_request_type = {
85 "OpenSSL/OCSP/REQUEST",
86 {
87 0, ossl_ocsp_request_free,
88 },
90};
91
92static void
93ossl_ocsp_response_free(void *ptr)
94{
95 OCSP_RESPONSE_free(ptr);
96}
97
98static const rb_data_type_t ossl_ocsp_response_type = {
99 "OpenSSL/OCSP/RESPONSE",
100 {
101 0, ossl_ocsp_response_free,
102 },
104};
105
106static void
107ossl_ocsp_basicresp_free(void *ptr)
108{
109 OCSP_BASICRESP_free(ptr);
110}
111
112static const rb_data_type_t ossl_ocsp_basicresp_type = {
113 "OpenSSL/OCSP/BASICRESP",
114 {
115 0, ossl_ocsp_basicresp_free,
116 },
118};
119
120static void
121ossl_ocsp_singleresp_free(void *ptr)
122{
123 OCSP_SINGLERESP_free(ptr);
124}
125
126static const rb_data_type_t ossl_ocsp_singleresp_type = {
127 "OpenSSL/OCSP/SINGLERESP",
128 {
129 0, ossl_ocsp_singleresp_free,
130 },
132};
133
134static void
135ossl_ocsp_certid_free(void *ptr)
136{
137 OCSP_CERTID_free(ptr);
138}
139
140static const rb_data_type_t ossl_ocsp_certid_type = {
141 "OpenSSL/OCSP/CERTID",
142 {
143 0, ossl_ocsp_certid_free,
144 },
146};
147
148/*
149 * Public
150 */
151static VALUE
152ossl_ocspcertid_new(OCSP_CERTID *cid)
153{
155 SetOCSPCertId(obj, cid);
156 return obj;
157}
158
159/*
160 * OCSP::Resquest
161 */
162static VALUE
163ossl_ocspreq_alloc(VALUE klass)
164{
165 OCSP_REQUEST *req;
166 VALUE obj;
167
169 if (!(req = OCSP_REQUEST_new()))
171 SetOCSPReq(obj, req);
172
173 return obj;
174}
175
176static VALUE
177ossl_ocspreq_initialize_copy(VALUE self, VALUE other)
178{
179 OCSP_REQUEST *req, *req_old, *req_new;
180
181 rb_check_frozen(self);
182 GetOCSPReq(self, req_old);
183 GetOCSPReq(other, req);
184
185 req_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_REQUEST), req);
186 if (!req_new)
187 ossl_raise(eOCSPError, "ASN1_item_dup");
188
189 SetOCSPReq(self, req_new);
190 OCSP_REQUEST_free(req_old);
191
192 return self;
193}
194
195/*
196 * call-seq:
197 * OpenSSL::OCSP::Request.new -> request
198 * OpenSSL::OCSP::Request.new(request_der) -> request
199 *
200 * Creates a new OpenSSL::OCSP::Request. The request may be created empty or
201 * from a _request_der_ string.
202 */
203
204static VALUE
205ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
206{
207 VALUE arg;
208 OCSP_REQUEST *req, *req_new;
209 const unsigned char *p;
210
211 rb_scan_args(argc, argv, "01", &arg);
212 if(!NIL_P(arg)){
213 GetOCSPReq(self, req);
216 p = (unsigned char *)RSTRING_PTR(arg);
217 req_new = d2i_OCSP_REQUEST(NULL, &p, RSTRING_LEN(arg));
218 if (!req_new)
219 ossl_raise(eOCSPError, "d2i_OCSP_REQUEST");
220 SetOCSPReq(self, req_new);
221 OCSP_REQUEST_free(req);
222 }
223
224 return self;
225}
226
227/*
228 * call-seq:
229 * request.add_nonce(nonce = nil) -> request
230 *
231 * Adds a _nonce_ to the OCSP request. If no nonce is given a random one will
232 * be generated.
233 *
234 * The nonce is used to prevent replay attacks but some servers do not support
235 * it.
236 */
237
238static VALUE
239ossl_ocspreq_add_nonce(int argc, VALUE *argv, VALUE self)
240{
241 OCSP_REQUEST *req;
242 VALUE val;
243 int ret;
244
245 rb_scan_args(argc, argv, "01", &val);
246 if(NIL_P(val)) {
247 GetOCSPReq(self, req);
248 ret = OCSP_request_add1_nonce(req, NULL, -1);
249 }
250 else{
251 StringValue(val);
252 GetOCSPReq(self, req);
253 ret = OCSP_request_add1_nonce(req, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
254 }
255 if(!ret) ossl_raise(eOCSPError, NULL);
256
257 return self;
258}
259
260/*
261 * call-seq:
262 * request.check_nonce(response) -> result
263 *
264 * Checks the nonce validity for this request and _response_.
265 *
266 * The return value is one of the following:
267 *
268 * -1 :: nonce in request only.
269 * 0 :: nonces both present and not equal.
270 * 1 :: nonces present and equal.
271 * 2 :: nonces both absent.
272 * 3 :: nonce present in response only.
273 *
274 * For most responses, clients can check _result_ > 0. If a responder doesn't
275 * handle nonces <code>result.nonzero?</code> may be necessary. A result of
276 * <code>0</code> is always an error.
277 */
278
279static VALUE
280ossl_ocspreq_check_nonce(VALUE self, VALUE basic_resp)
281{
282 OCSP_REQUEST *req;
283 OCSP_BASICRESP *bs;
284 int res;
285
286 GetOCSPReq(self, req);
287 GetOCSPBasicRes(basic_resp, bs);
288 res = OCSP_check_nonce(req, bs);
289
290 return INT2NUM(res);
291}
292
293/*
294 * call-seq:
295 * request.add_certid(certificate_id) -> request
296 *
297 * Adds _certificate_id_ to the request.
298 */
299
300static VALUE
301ossl_ocspreq_add_certid(VALUE self, VALUE certid)
302{
303 OCSP_REQUEST *req;
304 OCSP_CERTID *id, *id_new;
305
306 GetOCSPReq(self, req);
307 GetOCSPCertId(certid, id);
308
309 if (!(id_new = OCSP_CERTID_dup(id)))
310 ossl_raise(eOCSPError, "OCSP_CERTID_dup");
311 if (!OCSP_request_add0_id(req, id_new)) {
312 OCSP_CERTID_free(id_new);
313 ossl_raise(eOCSPError, "OCSP_request_add0_id");
314 }
315
316 return self;
317}
318
319/*
320 * call-seq:
321 * request.certid -> [certificate_id, ...]
322 *
323 * Returns all certificate IDs in this request.
324 */
325
326static VALUE
327ossl_ocspreq_get_certid(VALUE self)
328{
329 OCSP_REQUEST *req;
330 OCSP_ONEREQ *one;
331 OCSP_CERTID *id;
332 VALUE ary, tmp;
333 int i, count;
334
335 GetOCSPReq(self, req);
336 count = OCSP_request_onereq_count(req);
337 ary = (count > 0) ? rb_ary_new() : Qnil;
338 for(i = 0; i < count; i++){
339 one = OCSP_request_onereq_get0(req, i);
341 if(!(id = OCSP_CERTID_dup(OCSP_onereq_get0_id(one))))
343 SetOCSPCertId(tmp, id);
344 rb_ary_push(ary, tmp);
345 }
346
347 return ary;
348}
349
350/*
351 * call-seq:
352 * request.sign(cert, key, certs = nil, flags = 0, digest = nil) -> self
353 *
354 * Signs this OCSP request using _cert_, _key_ and optional _digest_. If
355 * _digest_ is not specified, SHA-1 is used. _certs_ is an optional Array of
356 * additional certificates which are included in the request in addition to
357 * the signer certificate. Note that if _certs_ is +nil+ or not given, flag
358 * OpenSSL::OCSP::NOCERTS is enabled. Pass an empty array to include only the
359 * signer certificate.
360 *
361 * _flags_ is a bitwise OR of the following constants:
362 *
363 * OpenSSL::OCSP::NOCERTS::
364 * Don't include any certificates in the request. _certs_ will be ignored.
365 */
366static VALUE
367ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
368{
369 VALUE signer_cert, signer_key, certs, flags, digest;
370 OCSP_REQUEST *req;
371 X509 *signer;
372 EVP_PKEY *key;
373 STACK_OF(X509) *x509s = NULL;
374 unsigned long flg = 0;
375 const EVP_MD *md;
376 int ret;
377
378 rb_scan_args(argc, argv, "23", &signer_cert, &signer_key, &certs, &flags, &digest);
379 GetOCSPReq(self, req);
380 signer = GetX509CertPtr(signer_cert);
381 key = GetPrivPKeyPtr(signer_key);
382 if (!NIL_P(flags))
383 flg = NUM2INT(flags);
384 if (NIL_P(digest))
385 md = EVP_sha1();
386 else
387 md = ossl_evp_get_digestbyname(digest);
388 if (NIL_P(certs))
389 flg |= OCSP_NOCERTS;
390 else
391 x509s = ossl_x509_ary2sk(certs);
392
393 ret = OCSP_request_sign(req, signer, key, md, x509s, flg);
394 sk_X509_pop_free(x509s, X509_free);
395 if (!ret) ossl_raise(eOCSPError, NULL);
396
397 return self;
398}
399
400/*
401 * call-seq:
402 * request.verify(certificates, store, flags = 0) -> true or false
403 *
404 * Verifies this request using the given _certificates_ and _store_.
405 * _certificates_ is an array of OpenSSL::X509::Certificate, _store_ is an
406 * OpenSSL::X509::Store.
407 *
408 * Note that +false+ is returned if the request does not have a signature.
409 * Use #signed? to check whether the request is signed or not.
410 */
411
412static VALUE
413ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
414{
415 VALUE certs, store, flags;
416 OCSP_REQUEST *req;
417 STACK_OF(X509) *x509s;
418 X509_STORE *x509st;
419 int flg, result;
420
421 rb_scan_args(argc, argv, "21", &certs, &store, &flags);
422 GetOCSPReq(self, req);
423 x509st = GetX509StorePtr(store);
424 flg = NIL_P(flags) ? 0 : NUM2INT(flags);
425 x509s = ossl_x509_ary2sk(certs);
426 result = OCSP_request_verify(req, x509s, x509st, flg);
427 sk_X509_pop_free(x509s, X509_free);
428 if (result <= 0)
430
431 return result > 0 ? Qtrue : Qfalse;
432}
433
434/*
435 * Returns this request as a DER-encoded string
436 */
437
438static VALUE
439ossl_ocspreq_to_der(VALUE self)
440{
441 OCSP_REQUEST *req;
442 VALUE str;
443 unsigned char *p;
444 long len;
445
446 GetOCSPReq(self, req);
447 if((len = i2d_OCSP_REQUEST(req, NULL)) <= 0)
449 str = rb_str_new(0, len);
450 p = (unsigned char *)RSTRING_PTR(str);
451 if(i2d_OCSP_REQUEST(req, &p) <= 0)
454
455 return str;
456}
457
458/*
459 * call-seq:
460 * request.signed? -> true or false
461 *
462 * Returns +true+ if the request is signed, +false+ otherwise. Note that the
463 * validity of the signature is *not* checked. Use #verify to verify that.
464 */
465static VALUE
466ossl_ocspreq_signed_p(VALUE self)
467{
468 OCSP_REQUEST *req;
469
470 GetOCSPReq(self, req);
471 return OCSP_request_is_signed(req) ? Qtrue : Qfalse;
472}
473
474/*
475 * OCSP::Response
476 */
477
478/* call-seq:
479 * OpenSSL::OCSP::Response.create(status, basic_response = nil) -> response
480 *
481 * Creates an OpenSSL::OCSP::Response from _status_ and _basic_response_.
482 */
483
484static VALUE
485ossl_ocspres_s_create(VALUE klass, VALUE status, VALUE basic_resp)
486{
487 OCSP_BASICRESP *bs;
488 OCSP_RESPONSE *res;
489 VALUE obj;
490 int st = NUM2INT(status);
491
492 if(NIL_P(basic_resp)) bs = NULL;
493 else GetOCSPBasicRes(basic_resp, bs); /* NO NEED TO DUP */
495 if(!(res = OCSP_response_create(st, bs)))
497 SetOCSPRes(obj, res);
498
499 return obj;
500}
501
502static VALUE
503ossl_ocspres_alloc(VALUE klass)
504{
505 OCSP_RESPONSE *res;
506 VALUE obj;
507
509 if(!(res = OCSP_RESPONSE_new()))
511 SetOCSPRes(obj, res);
512
513 return obj;
514}
515
516static VALUE
517ossl_ocspres_initialize_copy(VALUE self, VALUE other)
518{
519 OCSP_RESPONSE *res, *res_old, *res_new;
520
521 rb_check_frozen(self);
522 GetOCSPRes(self, res_old);
523 GetOCSPRes(other, res);
524
525 res_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_RESPONSE), res);
526 if (!res_new)
527 ossl_raise(eOCSPError, "ASN1_item_dup");
528
529 SetOCSPRes(self, res_new);
530 OCSP_RESPONSE_free(res_old);
531
532 return self;
533}
534
535/*
536 * call-seq:
537 * OpenSSL::OCSP::Response.new -> response
538 * OpenSSL::OCSP::Response.new(response_der) -> response
539 *
540 * Creates a new OpenSSL::OCSP::Response. The response may be created empty or
541 * from a _response_der_ string.
542 */
543
544static VALUE
545ossl_ocspres_initialize(int argc, VALUE *argv, VALUE self)
546{
547 VALUE arg;
548 OCSP_RESPONSE *res, *res_new;
549 const unsigned char *p;
550
551 rb_scan_args(argc, argv, "01", &arg);
552 if(!NIL_P(arg)){
553 GetOCSPRes(self, res);
556 p = (unsigned char *)RSTRING_PTR(arg);
557 res_new = d2i_OCSP_RESPONSE(NULL, &p, RSTRING_LEN(arg));
558 if (!res_new)
559 ossl_raise(eOCSPError, "d2i_OCSP_RESPONSE");
560 SetOCSPRes(self, res_new);
561 OCSP_RESPONSE_free(res);
562 }
563
564 return self;
565}
566
567/*
568 * call-seq:
569 * response.status -> Integer
570 *
571 * Returns the status of the response.
572 */
573
574static VALUE
575ossl_ocspres_status(VALUE self)
576{
577 OCSP_RESPONSE *res;
578 int st;
579
580 GetOCSPRes(self, res);
581 st = OCSP_response_status(res);
582
583 return INT2NUM(st);
584}
585
586/*
587 * call-seq:
588 * response.status_string -> String
589 *
590 * Returns a status string for the response.
591 */
592
593static VALUE
594ossl_ocspres_status_string(VALUE self)
595{
596 OCSP_RESPONSE *res;
597 int st;
598
599 GetOCSPRes(self, res);
600 st = OCSP_response_status(res);
601
602 return rb_str_new2(OCSP_response_status_str(st));
603}
604
605/*
606 * call-seq:
607 * response.basic
608 *
609 * Returns a BasicResponse for this response
610 */
611
612static VALUE
613ossl_ocspres_get_basic(VALUE self)
614{
615 OCSP_RESPONSE *res;
616 OCSP_BASICRESP *bs;
617 VALUE ret;
618
619 GetOCSPRes(self, res);
621 if(!(bs = OCSP_response_get1_basic(res)))
622 return Qnil;
623 SetOCSPBasicRes(ret, bs);
624
625 return ret;
626}
627
628/*
629 * call-seq:
630 * response.to_der -> String
631 *
632 * Returns this response as a DER-encoded string.
633 */
634
635static VALUE
636ossl_ocspres_to_der(VALUE self)
637{
638 OCSP_RESPONSE *res;
639 VALUE str;
640 long len;
641 unsigned char *p;
642
643 GetOCSPRes(self, res);
644 if((len = i2d_OCSP_RESPONSE(res, NULL)) <= 0)
646 str = rb_str_new(0, len);
647 p = (unsigned char *)RSTRING_PTR(str);
648 if(i2d_OCSP_RESPONSE(res, &p) <= 0)
651
652 return str;
653}
654
655/*
656 * OCSP::BasicResponse
657 */
658static VALUE
659ossl_ocspbres_alloc(VALUE klass)
660{
661 OCSP_BASICRESP *bs;
662 VALUE obj;
663
665 if(!(bs = OCSP_BASICRESP_new()))
667 SetOCSPBasicRes(obj, bs);
668
669 return obj;
670}
671
672static VALUE
673ossl_ocspbres_initialize_copy(VALUE self, VALUE other)
674{
675 OCSP_BASICRESP *bs, *bs_old, *bs_new;
676
677 rb_check_frozen(self);
678 GetOCSPBasicRes(self, bs_old);
679 GetOCSPBasicRes(other, bs);
680
681 bs_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
682 if (!bs_new)
683 ossl_raise(eOCSPError, "ASN1_item_dup");
684
685 SetOCSPBasicRes(self, bs_new);
686 OCSP_BASICRESP_free(bs_old);
687
688 return self;
689}
690
691/*
692 * call-seq:
693 * OpenSSL::OCSP::BasicResponse.new(der_string = nil) -> basic_response
694 *
695 * Creates a new BasicResponse. If _der_string_ is given, decodes _der_string_
696 * as DER.
697 */
698
699static VALUE
700ossl_ocspbres_initialize(int argc, VALUE *argv, VALUE self)
701{
702 VALUE arg;
703 OCSP_BASICRESP *res, *res_new;
704 const unsigned char *p;
705
706 rb_scan_args(argc, argv, "01", &arg);
707 if (!NIL_P(arg)) {
708 GetOCSPBasicRes(self, res);
711 p = (unsigned char *)RSTRING_PTR(arg);
712 res_new = d2i_OCSP_BASICRESP(NULL, &p, RSTRING_LEN(arg));
713 if (!res_new)
714 ossl_raise(eOCSPError, "d2i_OCSP_BASICRESP");
715 SetOCSPBasicRes(self, res_new);
716 OCSP_BASICRESP_free(res);
717 }
718
719 return self;
720}
721
722/*
723 * call-seq:
724 * basic_response.copy_nonce(request) -> Integer
725 *
726 * Copies the nonce from _request_ into this response. Returns 1 on success
727 * and 0 on failure.
728 */
729
730static VALUE
731ossl_ocspbres_copy_nonce(VALUE self, VALUE request)
732{
733 OCSP_BASICRESP *bs;
734 OCSP_REQUEST *req;
735 int ret;
736
737 GetOCSPBasicRes(self, bs);
738 GetOCSPReq(request, req);
739 ret = OCSP_copy_nonce(bs, req);
740
741 return INT2NUM(ret);
742}
743
744/*
745 * call-seq:
746 * basic_response.add_nonce(nonce = nil)
747 *
748 * Adds _nonce_ to this response. If no nonce was provided a random nonce
749 * will be added.
750 */
751
752static VALUE
753ossl_ocspbres_add_nonce(int argc, VALUE *argv, VALUE self)
754{
755 OCSP_BASICRESP *bs;
756 VALUE val;
757 int ret;
758
759 rb_scan_args(argc, argv, "01", &val);
760 if(NIL_P(val)) {
761 GetOCSPBasicRes(self, bs);
762 ret = OCSP_basic_add1_nonce(bs, NULL, -1);
763 }
764 else{
765 StringValue(val);
766 GetOCSPBasicRes(self, bs);
767 ret = OCSP_basic_add1_nonce(bs, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
768 }
769 if(!ret) ossl_raise(eOCSPError, NULL);
770
771 return self;
772}
773
774static VALUE
775add_status_convert_time(VALUE obj)
776{
777 ASN1_TIME *time;
778
780 time = X509_gmtime_adj(NULL, NUM2INT(obj));
781 else
783
784 if (!time)
786
787 return (VALUE)time;
788}
789
790/*
791 * call-seq:
792 * basic_response.add_status(certificate_id, status, reason, revocation_time, this_update, next_update, extensions) -> basic_response
793 *
794 * Adds a certificate status for _certificate_id_. _status_ is the status, and
795 * must be one of these:
796 *
797 * - OpenSSL::OCSP::V_CERTSTATUS_GOOD
798 * - OpenSSL::OCSP::V_CERTSTATUS_REVOKED
799 * - OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
800 *
801 * _reason_ and _revocation_time_ can be given only when _status_ is
802 * OpenSSL::OCSP::V_CERTSTATUS_REVOKED. _reason_ describes the reason for the
803 * revocation, and must be one of OpenSSL::OCSP::REVOKED_STATUS_* constants.
804 * _revocation_time_ is the time when the certificate is revoked.
805 *
806 * _this_update_ and _next_update_ indicate the time at which ths status is
807 * verified to be correct and the time at or before which newer information
808 * will be available, respectively. _next_update_ is optional.
809 *
810 * _extensions_ is an Array of OpenSSL::X509::Extension to be included in the
811 * SingleResponse. This is also optional.
812 *
813 * Note that the times, _revocation_time_, _this_update_ and _next_update_
814 * can be specified in either of Integer or Time object. If they are Integer, it
815 * is treated as the relative seconds from the current time.
816 */
817static VALUE
818ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
819 VALUE reason, VALUE revtime,
820 VALUE thisupd, VALUE nextupd, VALUE ext)
821{
822 OCSP_BASICRESP *bs;
823 OCSP_SINGLERESP *single;
824 OCSP_CERTID *id;
825 ASN1_TIME *ths = NULL, *nxt = NULL, *rev = NULL;
826 int st, rsn = 0, error = 0, rstatus = 0;
827 long i;
828 VALUE tmp;
829
830 GetOCSPBasicRes(self, bs);
831 GetOCSPCertId(cid, id);
832 st = NUM2INT(status);
833 if (!NIL_P(ext)) { /* All ext's members must be X509::Extension */
834 ext = rb_check_array_type(ext);
835 for (i = 0; i < RARRAY_LEN(ext); i++)
837 }
838
839 if (st == V_OCSP_CERTSTATUS_REVOKED) {
840 rsn = NUM2INT(reason);
841 tmp = rb_protect(add_status_convert_time, revtime, &rstatus);
842 if (rstatus) goto err;
843 rev = (ASN1_TIME *)tmp;
844 }
845
846 tmp = rb_protect(add_status_convert_time, thisupd, &rstatus);
847 if (rstatus) goto err;
848 ths = (ASN1_TIME *)tmp;
849
850 if (!NIL_P(nextupd)) {
851 tmp = rb_protect(add_status_convert_time, nextupd, &rstatus);
852 if (rstatus) goto err;
853 nxt = (ASN1_TIME *)tmp;
854 }
855
856 if(!(single = OCSP_basic_add1_status(bs, id, st, rsn, rev, ths, nxt))){
857 error = 1;
858 goto err;
859 }
860
861 if(!NIL_P(ext)){
862 X509_EXTENSION *x509ext;
863
864 for(i = 0; i < RARRAY_LEN(ext); i++){
865 x509ext = GetX509ExtPtr(RARRAY_AREF(ext, i));
866 if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)){
867 error = 1;
868 goto err;
869 }
870 }
871 }
872
873 err:
874 ASN1_TIME_free(ths);
875 ASN1_TIME_free(nxt);
876 ASN1_TIME_free(rev);
878 if(rstatus) rb_jump_tag(rstatus);
879
880 return self;
881}
882
883/*
884 * call-seq:
885 * basic_response.status -> statuses
886 *
887 * Returns an Array of statuses for this response. Each status contains a
888 * CertificateId, the status (0 for good, 1 for revoked, 2 for unknown), the
889 * reason for the status, the revocation time, the time of this update, the time
890 * for the next update and a list of OpenSSL::X509::Extension.
891 *
892 * This should be superseded by BasicResponse#responses and #find_response that
893 * return SingleResponse.
894 */
895static VALUE
896ossl_ocspbres_get_status(VALUE self)
897{
898 OCSP_BASICRESP *bs;
899 OCSP_SINGLERESP *single;
900 OCSP_CERTID *cid;
901 ASN1_TIME *revtime, *thisupd, *nextupd;
902 int status, reason;
903 X509_EXTENSION *x509ext;
904 VALUE ret, ary, ext;
905 int count, ext_count, i, j;
906
907 GetOCSPBasicRes(self, bs);
908 ret = rb_ary_new();
909 count = OCSP_resp_count(bs);
910 for(i = 0; i < count; i++){
911 single = OCSP_resp_get0(bs, i);
912 if(!single) continue;
913
914 revtime = thisupd = nextupd = NULL;
915 status = OCSP_single_get0_status(single, &reason, &revtime,
916 &thisupd, &nextupd);
917 if(status < 0) continue;
918 if(!(cid = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(single)))) /* FIXME */
920 ary = rb_ary_new();
921 rb_ary_push(ary, ossl_ocspcertid_new(cid));
922 rb_ary_push(ary, INT2NUM(status));
923 rb_ary_push(ary, INT2NUM(reason));
924 rb_ary_push(ary, revtime ? asn1time_to_time(revtime) : Qnil);
925 rb_ary_push(ary, thisupd ? asn1time_to_time(thisupd) : Qnil);
926 rb_ary_push(ary, nextupd ? asn1time_to_time(nextupd) : Qnil);
927 ext = rb_ary_new();
928 ext_count = OCSP_SINGLERESP_get_ext_count(single);
929 for(j = 0; j < ext_count; j++){
930 x509ext = OCSP_SINGLERESP_get_ext(single, j);
931 rb_ary_push(ext, ossl_x509ext_new(x509ext));
932 }
933 rb_ary_push(ary, ext);
934 rb_ary_push(ret, ary);
935 }
936
937 return ret;
938}
939
940static VALUE ossl_ocspsres_new(OCSP_SINGLERESP *);
941
942/*
943 * call-seq:
944 * basic_response.responses -> Array of SingleResponse
945 *
946 * Returns an Array of SingleResponse for this BasicResponse.
947 */
948
949static VALUE
950ossl_ocspbres_get_responses(VALUE self)
951{
952 OCSP_BASICRESP *bs;
953 VALUE ret;
954 int count, i;
955
956 GetOCSPBasicRes(self, bs);
957 count = OCSP_resp_count(bs);
958 ret = rb_ary_new2(count);
959
960 for (i = 0; i < count; i++) {
961 OCSP_SINGLERESP *sres, *sres_new;
962
963 sres = OCSP_resp_get0(bs, i);
964 sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres);
965 if (!sres_new)
966 ossl_raise(eOCSPError, "ASN1_item_dup");
967
968 rb_ary_push(ret, ossl_ocspsres_new(sres_new));
969 }
970
971 return ret;
972}
973
974
975/*
976 * call-seq:
977 * basic_response.find_response(certificate_id) -> SingleResponse | nil
978 *
979 * Returns a SingleResponse whose CertId matches with _certificate_id_, or +nil+
980 * if this BasicResponse does not contain it.
981 */
982static VALUE
983ossl_ocspbres_find_response(VALUE self, VALUE target)
984{
985 OCSP_BASICRESP *bs;
986 OCSP_SINGLERESP *sres, *sres_new;
987 OCSP_CERTID *id;
988 int n;
989
990 GetOCSPCertId(target, id);
991 GetOCSPBasicRes(self, bs);
992
993 if ((n = OCSP_resp_find(bs, id, -1)) == -1)
994 return Qnil;
995
996 sres = OCSP_resp_get0(bs, n);
997 sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres);
998 if (!sres_new)
999 ossl_raise(eOCSPError, "ASN1_item_dup");
1000
1001 return ossl_ocspsres_new(sres_new);
1002}
1003
1004/*
1005 * call-seq:
1006 * basic_response.sign(cert, key, certs = nil, flags = 0, digest = nil) -> self
1007 *
1008 * Signs this OCSP response using the _cert_, _key_ and optional _digest_. This
1009 * behaves in the similar way as OpenSSL::OCSP::Request#sign.
1010 *
1011 * _flags_ can include:
1012 * OpenSSL::OCSP::NOCERTS:: don't include certificates
1013 * OpenSSL::OCSP::NOTIME:: don't set producedAt
1014 * OpenSSL::OCSP::RESPID_KEY:: use signer's public key hash as responderID
1015 */
1016
1017static VALUE
1018ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
1019{
1020 VALUE signer_cert, signer_key, certs, flags, digest;
1021 OCSP_BASICRESP *bs;
1022 X509 *signer;
1023 EVP_PKEY *key;
1024 STACK_OF(X509) *x509s = NULL;
1025 unsigned long flg = 0;
1026 const EVP_MD *md;
1027 int ret;
1028
1029 rb_scan_args(argc, argv, "23", &signer_cert, &signer_key, &certs, &flags, &digest);
1030 GetOCSPBasicRes(self, bs);
1031 signer = GetX509CertPtr(signer_cert);
1032 key = GetPrivPKeyPtr(signer_key);
1033 if (!NIL_P(flags))
1034 flg = NUM2INT(flags);
1035 if (NIL_P(digest))
1036 md = EVP_sha1();
1037 else
1038 md = ossl_evp_get_digestbyname(digest);
1039 if (NIL_P(certs))
1040 flg |= OCSP_NOCERTS;
1041 else
1042 x509s = ossl_x509_ary2sk(certs);
1043
1044 ret = OCSP_basic_sign(bs, signer, key, md, x509s, flg);
1045 sk_X509_pop_free(x509s, X509_free);
1046 if (!ret) ossl_raise(eOCSPError, NULL);
1047
1048 return self;
1049}
1050
1051/*
1052 * call-seq:
1053 * basic_response.verify(certificates, store, flags = 0) -> true or false
1054 *
1055 * Verifies the signature of the response using the given _certificates_ and
1056 * _store_. This works in the similar way as OpenSSL::OCSP::Request#verify.
1057 */
1058static VALUE
1059ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
1060{
1061 VALUE certs, store, flags;
1062 OCSP_BASICRESP *bs;
1063 STACK_OF(X509) *x509s;
1064 X509_STORE *x509st;
1065 int flg, result;
1066
1067 rb_scan_args(argc, argv, "21", &certs, &store, &flags);
1068 GetOCSPBasicRes(self, bs);
1069 x509st = GetX509StorePtr(store);
1070 flg = NIL_P(flags) ? 0 : NUM2INT(flags);
1071 x509s = ossl_x509_ary2sk(certs);
1072#if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER)
1073 /*
1074 * OpenSSL had a bug that it doesn't use the certificates in x509s for
1075 * verifying the chain. This can be a problem when the response is signed by
1076 * a certificate issued by an intermediate CA.
1077 *
1078 * root_ca
1079 * |
1080 * intermediate_ca
1081 * |-------------|
1082 * end_entity ocsp_signer
1083 *
1084 * When the certificate hierarchy is like this, and the response contains
1085 * only ocsp_signer certificate, the following code wrongly fails.
1086 *
1087 * store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
1088 * basic_response.verify([intermediate_ca], store)
1089 *
1090 * So add the certificates in x509s to the embedded certificates list first.
1091 *
1092 * This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still
1093 * exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1.
1094 */
1095 if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) &&
1096 sk_X509_num(x509s) && sk_X509_num(bs->certs)) {
1097 int i;
1098
1099 bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
1100 if (!bs) {
1101 sk_X509_pop_free(x509s, X509_free);
1102 ossl_raise(eOCSPError, "ASN1_item_dup");
1103 }
1104
1105 for (i = 0; i < sk_X509_num(x509s); i++) {
1106 if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) {
1107 sk_X509_pop_free(x509s, X509_free);
1108 OCSP_BASICRESP_free(bs);
1109 ossl_raise(eOCSPError, "OCSP_basic_add1_cert");
1110 }
1111 }
1112 result = OCSP_basic_verify(bs, x509s, x509st, flg);
1113 OCSP_BASICRESP_free(bs);
1114 }
1115 else {
1116 result = OCSP_basic_verify(bs, x509s, x509st, flg);
1117 }
1118#else
1119 result = OCSP_basic_verify(bs, x509s, x509st, flg);
1120#endif
1121 sk_X509_pop_free(x509s, X509_free);
1122 if (result <= 0)
1124
1125 return result > 0 ? Qtrue : Qfalse;
1126}
1127
1128/*
1129 * call-seq:
1130 * basic_response.to_der -> String
1131 *
1132 * Encodes this basic response into a DER-encoded string.
1133 */
1134static VALUE
1135ossl_ocspbres_to_der(VALUE self)
1136{
1137 OCSP_BASICRESP *res;
1138 VALUE str;
1139 long len;
1140 unsigned char *p;
1141
1142 GetOCSPBasicRes(self, res);
1143 if ((len = i2d_OCSP_BASICRESP(res, NULL)) <= 0)
1145 str = rb_str_new(0, len);
1146 p = (unsigned char *)RSTRING_PTR(str);
1147 if (i2d_OCSP_BASICRESP(res, &p) <= 0)
1149 ossl_str_adjust(str, p);
1150
1151 return str;
1152}
1153
1154/*
1155 * OCSP::SingleResponse
1156 */
1157static VALUE
1158ossl_ocspsres_new(OCSP_SINGLERESP *sres)
1159{
1160 VALUE obj;
1161
1163 SetOCSPSingleRes(obj, sres);
1164
1165 return obj;
1166}
1167
1168static VALUE
1169ossl_ocspsres_alloc(VALUE klass)
1170{
1171 OCSP_SINGLERESP *sres;
1172 VALUE obj;
1173
1175 if (!(sres = OCSP_SINGLERESP_new()))
1177 SetOCSPSingleRes(obj, sres);
1178
1179 return obj;
1180}
1181
1182/*
1183 * call-seq:
1184 * OpenSSL::OCSP::SingleResponse.new(der_string) -> SingleResponse
1185 *
1186 * Creates a new SingleResponse from _der_string_.
1187 */
1188static VALUE
1189ossl_ocspsres_initialize(VALUE self, VALUE arg)
1190{
1191 OCSP_SINGLERESP *res, *res_new;
1192 const unsigned char *p;
1193
1196 GetOCSPSingleRes(self, res);
1197
1198 p = (unsigned char*)RSTRING_PTR(arg);
1199 res_new = d2i_OCSP_SINGLERESP(NULL, &p, RSTRING_LEN(arg));
1200 if (!res_new)
1201 ossl_raise(eOCSPError, "d2i_OCSP_SINGLERESP");
1202 SetOCSPSingleRes(self, res_new);
1203 OCSP_SINGLERESP_free(res);
1204
1205 return self;
1206}
1207
1208static VALUE
1209ossl_ocspsres_initialize_copy(VALUE self, VALUE other)
1210{
1211 OCSP_SINGLERESP *sres, *sres_old, *sres_new;
1212
1213 rb_check_frozen(self);
1214 GetOCSPSingleRes(self, sres_old);
1215 GetOCSPSingleRes(other, sres);
1216
1217 sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres);
1218 if (!sres_new)
1219 ossl_raise(eOCSPError, "ASN1_item_dup");
1220
1221 SetOCSPSingleRes(self, sres_new);
1222 OCSP_SINGLERESP_free(sres_old);
1223
1224 return self;
1225}
1226
1227/*
1228 * call-seq:
1229 * single_response.check_validity(nsec = 0, maxsec = -1) -> true | false
1230 *
1231 * Checks the validity of thisUpdate and nextUpdate fields of this
1232 * SingleResponse. This checks the current time is within the range thisUpdate
1233 * to nextUpdate.
1234 *
1235 * It is possible that the OCSP request takes a few seconds or the time is not
1236 * accurate. To avoid rejecting a valid response, this method allows the times
1237 * to be within _nsec_ seconds of the current time.
1238 *
1239 * Some responders don't set the nextUpdate field. This may cause a very old
1240 * response to be considered valid. The _maxsec_ parameter can be used to limit
1241 * the age of responses.
1242 */
1243static VALUE
1244ossl_ocspsres_check_validity(int argc, VALUE *argv, VALUE self)
1245{
1246 OCSP_SINGLERESP *sres;
1247 ASN1_GENERALIZEDTIME *this_update, *next_update;
1248 VALUE nsec_v, maxsec_v;
1249 int nsec, maxsec, status, ret;
1250
1251 rb_scan_args(argc, argv, "02", &nsec_v, &maxsec_v);
1252 nsec = NIL_P(nsec_v) ? 0 : NUM2INT(nsec_v);
1253 maxsec = NIL_P(maxsec_v) ? -1 : NUM2INT(maxsec_v);
1254
1255 GetOCSPSingleRes(self, sres);
1256 status = OCSP_single_get0_status(sres, NULL, NULL, &this_update, &next_update);
1257 if (status < 0)
1258 ossl_raise(eOCSPError, "OCSP_single_get0_status");
1259
1260 ret = OCSP_check_validity(this_update, next_update, nsec, maxsec);
1261
1262 if (ret)
1263 return Qtrue;
1264 else {
1266 return Qfalse;
1267 }
1268}
1269
1270/*
1271 * call-seq:
1272 * single_response.certid -> CertificateId
1273 *
1274 * Returns the CertificateId for which this SingleResponse is.
1275 */
1276static VALUE
1277ossl_ocspsres_get_certid(VALUE self)
1278{
1279 OCSP_SINGLERESP *sres;
1280 OCSP_CERTID *id;
1281
1282 GetOCSPSingleRes(self, sres);
1283 id = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sres)); /* FIXME */
1284
1285 return ossl_ocspcertid_new(id);
1286}
1287
1288/*
1289 * call-seq:
1290 * single_response.cert_status -> Integer
1291 *
1292 * Returns the status of the certificate identified by the certid.
1293 * The return value may be one of these constant:
1294 *
1295 * - V_CERTSTATUS_GOOD
1296 * - V_CERTSTATUS_REVOKED
1297 * - V_CERTSTATUS_UNKNOWN
1298 *
1299 * When the status is V_CERTSTATUS_REVOKED, the time at which the certificate
1300 * was revoked can be retrieved by #revocation_time.
1301 */
1302static VALUE
1303ossl_ocspsres_get_cert_status(VALUE self)
1304{
1305 OCSP_SINGLERESP *sres;
1306 int status;
1307
1308 GetOCSPSingleRes(self, sres);
1309 status = OCSP_single_get0_status(sres, NULL, NULL, NULL, NULL);
1310 if (status < 0)
1311 ossl_raise(eOCSPError, "OCSP_single_get0_status");
1312
1313 return INT2NUM(status);
1314}
1315
1316/*
1317 * call-seq:
1318 * single_response.this_update -> Time
1319 */
1320static VALUE
1321ossl_ocspsres_get_this_update(VALUE self)
1322{
1323 OCSP_SINGLERESP *sres;
1324 int status;
1325 ASN1_GENERALIZEDTIME *time;
1326
1327 GetOCSPSingleRes(self, sres);
1328 status = OCSP_single_get0_status(sres, NULL, NULL, &time, NULL);
1329 if (status < 0)
1330 ossl_raise(eOCSPError, "OCSP_single_get0_status");
1331 if (!time)
1332 return Qnil;
1333
1334 return asn1time_to_time(time);
1335}
1336
1337/*
1338 * call-seq:
1339 * single_response.next_update -> Time | nil
1340 */
1341static VALUE
1342ossl_ocspsres_get_next_update(VALUE self)
1343{
1344 OCSP_SINGLERESP *sres;
1345 int status;
1346 ASN1_GENERALIZEDTIME *time;
1347
1348 GetOCSPSingleRes(self, sres);
1349 status = OCSP_single_get0_status(sres, NULL, NULL, NULL, &time);
1350 if (status < 0)
1351 ossl_raise(eOCSPError, "OCSP_single_get0_status");
1352 if (!time)
1353 return Qnil;
1354
1355 return asn1time_to_time(time);
1356}
1357
1358/*
1359 * call-seq:
1360 * single_response.revocation_time -> Time | nil
1361 */
1362static VALUE
1363ossl_ocspsres_get_revocation_time(VALUE self)
1364{
1365 OCSP_SINGLERESP *sres;
1366 int status;
1367 ASN1_GENERALIZEDTIME *time;
1368
1369 GetOCSPSingleRes(self, sres);
1370 status = OCSP_single_get0_status(sres, NULL, &time, NULL, NULL);
1371 if (status < 0)
1372 ossl_raise(eOCSPError, "OCSP_single_get0_status");
1373 if (status != V_OCSP_CERTSTATUS_REVOKED)
1374 ossl_raise(eOCSPError, "certificate is not revoked");
1375 if (!time)
1376 return Qnil;
1377
1378 return asn1time_to_time(time);
1379}
1380
1381/*
1382 * call-seq:
1383 * single_response.revocation_reason -> Integer | nil
1384 */
1385static VALUE
1386ossl_ocspsres_get_revocation_reason(VALUE self)
1387{
1388 OCSP_SINGLERESP *sres;
1389 int status, reason;
1390
1391 GetOCSPSingleRes(self, sres);
1392 status = OCSP_single_get0_status(sres, &reason, NULL, NULL, NULL);
1393 if (status < 0)
1394 ossl_raise(eOCSPError, "OCSP_single_get0_status");
1395 if (status != V_OCSP_CERTSTATUS_REVOKED)
1396 ossl_raise(eOCSPError, "certificate is not revoked");
1397
1398 return INT2NUM(reason);
1399}
1400
1401/*
1402 * call-seq:
1403 * single_response.extensions -> Array of X509::Extension
1404 */
1405static VALUE
1406ossl_ocspsres_get_extensions(VALUE self)
1407{
1408 OCSP_SINGLERESP *sres;
1409 X509_EXTENSION *ext;
1410 int count, i;
1411 VALUE ary;
1412
1413 GetOCSPSingleRes(self, sres);
1414
1415 count = OCSP_SINGLERESP_get_ext_count(sres);
1416 ary = rb_ary_new2(count);
1417 for (i = 0; i < count; i++) {
1418 ext = OCSP_SINGLERESP_get_ext(sres, i);
1419 rb_ary_push(ary, ossl_x509ext_new(ext)); /* will dup */
1420 }
1421
1422 return ary;
1423}
1424
1425/*
1426 * call-seq:
1427 * single_response.to_der -> String
1428 *
1429 * Encodes this SingleResponse into a DER-encoded string.
1430 */
1431static VALUE
1432ossl_ocspsres_to_der(VALUE self)
1433{
1434 OCSP_SINGLERESP *sres;
1435 VALUE str;
1436 long len;
1437 unsigned char *p;
1438
1439 GetOCSPSingleRes(self, sres);
1440 if ((len = i2d_OCSP_SINGLERESP(sres, NULL)) <= 0)
1442 str = rb_str_new(0, len);
1443 p = (unsigned char *)RSTRING_PTR(str);
1444 if (i2d_OCSP_SINGLERESP(sres, &p) <= 0)
1446 ossl_str_adjust(str, p);
1447
1448 return str;
1449}
1450
1451
1452/*
1453 * OCSP::CertificateId
1454 */
1455static VALUE
1456ossl_ocspcid_alloc(VALUE klass)
1457{
1458 OCSP_CERTID *id;
1459 VALUE obj;
1460
1462 if(!(id = OCSP_CERTID_new()))
1464 SetOCSPCertId(obj, id);
1465
1466 return obj;
1467}
1468
1469static VALUE
1470ossl_ocspcid_initialize_copy(VALUE self, VALUE other)
1471{
1472 OCSP_CERTID *cid, *cid_old, *cid_new;
1473
1474 rb_check_frozen(self);
1475 GetOCSPCertId(self, cid_old);
1476 GetOCSPCertId(other, cid);
1477
1478 cid_new = OCSP_CERTID_dup(cid);
1479 if (!cid_new)
1480 ossl_raise(eOCSPError, "OCSP_CERTID_dup");
1481
1482 SetOCSPCertId(self, cid_new);
1483 OCSP_CERTID_free(cid_old);
1484
1485 return self;
1486}
1487
1488/*
1489 * call-seq:
1490 * OpenSSL::OCSP::CertificateId.new(subject, issuer, digest = nil) -> certificate_id
1491 * OpenSSL::OCSP::CertificateId.new(der_string) -> certificate_id
1492 *
1493 * Creates a new OpenSSL::OCSP::CertificateId for the given _subject_ and
1494 * _issuer_ X509 certificates. The _digest_ is a digest algorithm that is used
1495 * to compute the hash values. This defaults to SHA-1.
1496 *
1497 * If only one argument is given, decodes it as DER representation of a
1498 * certificate ID.
1499 */
1500static VALUE
1501ossl_ocspcid_initialize(int argc, VALUE *argv, VALUE self)
1502{
1503 OCSP_CERTID *id, *newid;
1504 VALUE subject, issuer, digest;
1505
1506 GetOCSPCertId(self, id);
1507 if (rb_scan_args(argc, argv, "12", &subject, &issuer, &digest) == 1) {
1508 VALUE arg;
1509 const unsigned char *p;
1510
1511 arg = ossl_to_der_if_possible(subject);
1513 p = (unsigned char *)RSTRING_PTR(arg);
1514 newid = d2i_OCSP_CERTID(NULL, &p, RSTRING_LEN(arg));
1515 if (!newid)
1516 ossl_raise(eOCSPError, "d2i_OCSP_CERTID");
1517 }
1518 else {
1519 X509 *x509s, *x509i;
1520 const EVP_MD *md;
1521
1522 x509s = GetX509CertPtr(subject); /* NO NEED TO DUP */
1523 x509i = GetX509CertPtr(issuer); /* NO NEED TO DUP */
1524 md = !NIL_P(digest) ? ossl_evp_get_digestbyname(digest) : NULL;
1525
1526 newid = OCSP_cert_to_id(md, x509s, x509i);
1527 if (!newid)
1528 ossl_raise(eOCSPError, "OCSP_cert_to_id");
1529 }
1530
1531 SetOCSPCertId(self, newid);
1532 OCSP_CERTID_free(id);
1533
1534 return self;
1535}
1536
1537/*
1538 * call-seq:
1539 * certificate_id.cmp(other) -> true or false
1540 *
1541 * Compares this certificate id with _other_ and returns +true+ if they are the
1542 * same.
1543 */
1544static VALUE
1545ossl_ocspcid_cmp(VALUE self, VALUE other)
1546{
1547 OCSP_CERTID *id, *id2;
1548 int result;
1549
1550 GetOCSPCertId(self, id);
1551 GetOCSPCertId(other, id2);
1552 result = OCSP_id_cmp(id, id2);
1553
1554 return (result == 0) ? Qtrue : Qfalse;
1555}
1556
1557/*
1558 * call-seq:
1559 * certificate_id.cmp_issuer(other) -> true or false
1560 *
1561 * Compares this certificate id's issuer with _other_ and returns +true+ if
1562 * they are the same.
1563 */
1564
1565static VALUE
1566ossl_ocspcid_cmp_issuer(VALUE self, VALUE other)
1567{
1568 OCSP_CERTID *id, *id2;
1569 int result;
1570
1571 GetOCSPCertId(self, id);
1572 GetOCSPCertId(other, id2);
1573 result = OCSP_id_issuer_cmp(id, id2);
1574
1575 return (result == 0) ? Qtrue : Qfalse;
1576}
1577
1578/*
1579 * call-seq:
1580 * certificate_id.serial -> Integer
1581 *
1582 * Returns the serial number of the certificate for which status is being
1583 * requested.
1584 */
1585static VALUE
1586ossl_ocspcid_get_serial(VALUE self)
1587{
1588 OCSP_CERTID *id;
1589 ASN1_INTEGER *serial;
1590
1591 GetOCSPCertId(self, id);
1592 OCSP_id_get0_info(NULL, NULL, NULL, &serial, id);
1593
1594 return asn1integer_to_num(serial);
1595}
1596
1597/*
1598 * call-seq:
1599 * certificate_id.issuer_name_hash -> String
1600 *
1601 * Returns the issuerNameHash of this certificate ID, the hash of the
1602 * issuer's distinguished name calculated with the hashAlgorithm.
1603 */
1604static VALUE
1605ossl_ocspcid_get_issuer_name_hash(VALUE self)
1606{
1607 OCSP_CERTID *id;
1608 ASN1_OCTET_STRING *name_hash;
1609 VALUE ret;
1610
1611 GetOCSPCertId(self, id);
1612 OCSP_id_get0_info(&name_hash, NULL, NULL, NULL, id);
1613
1614 ret = rb_str_new(NULL, name_hash->length * 2);
1615 ossl_bin2hex(name_hash->data, RSTRING_PTR(ret), name_hash->length);
1616
1617 return ret;
1618}
1619
1620/*
1621 * call-seq:
1622 * certificate_id.issuer_key_hash -> String
1623 *
1624 * Returns the issuerKeyHash of this certificate ID, the hash of the issuer's
1625 * public key.
1626 */
1627static VALUE
1628ossl_ocspcid_get_issuer_key_hash(VALUE self)
1629{
1630 OCSP_CERTID *id;
1631 ASN1_OCTET_STRING *key_hash;
1632 VALUE ret;
1633
1634 GetOCSPCertId(self, id);
1635 OCSP_id_get0_info(NULL, NULL, &key_hash, NULL, id);
1636
1637 ret = rb_str_new(NULL, key_hash->length * 2);
1638 ossl_bin2hex(key_hash->data, RSTRING_PTR(ret), key_hash->length);
1639
1640 return ret;
1641}
1642
1643/*
1644 * call-seq:
1645 * certificate_id.hash_algorithm -> String
1646 *
1647 * Returns the ln (long name) of the hash algorithm used to generate
1648 * the issuerNameHash and the issuerKeyHash values.
1649 */
1650static VALUE
1651ossl_ocspcid_get_hash_algorithm(VALUE self)
1652{
1653 OCSP_CERTID *id;
1654 ASN1_OBJECT *oid;
1655 BIO *out;
1656
1657 GetOCSPCertId(self, id);
1658 OCSP_id_get0_info(NULL, &oid, NULL, NULL, id);
1659
1660 if (!(out = BIO_new(BIO_s_mem())))
1661 ossl_raise(eOCSPError, "BIO_new");
1662
1663 if (!i2a_ASN1_OBJECT(out, oid)) {
1664 BIO_free(out);
1665 ossl_raise(eOCSPError, "i2a_ASN1_OBJECT");
1666 }
1667 return ossl_membio2str(out);
1668}
1669
1670/*
1671 * call-seq:
1672 * certificate_id.to_der -> String
1673 *
1674 * Encodes this certificate identifier into a DER-encoded string.
1675 */
1676static VALUE
1677ossl_ocspcid_to_der(VALUE self)
1678{
1679 OCSP_CERTID *id;
1680 VALUE str;
1681 long len;
1682 unsigned char *p;
1683
1684 GetOCSPCertId(self, id);
1685 if ((len = i2d_OCSP_CERTID(id, NULL)) <= 0)
1687 str = rb_str_new(0, len);
1688 p = (unsigned char *)RSTRING_PTR(str);
1689 if (i2d_OCSP_CERTID(id, &p) <= 0)
1691 ossl_str_adjust(str, p);
1692
1693 return str;
1694}
1695
1696void
1698{
1699#if 0
1700 mOSSL = rb_define_module("OpenSSL");
1702#endif
1703
1704 /*
1705 * OpenSSL::OCSP implements Online Certificate Status Protocol requests
1706 * and responses.
1707 *
1708 * Creating and sending an OCSP request requires a subject certificate
1709 * that contains an OCSP URL in an authorityInfoAccess extension and the
1710 * issuer certificate for the subject certificate. First, load the issuer
1711 * and subject certificates:
1712 *
1713 * subject = OpenSSL::X509::Certificate.new subject_pem
1714 * issuer = OpenSSL::X509::Certificate.new issuer_pem
1715 *
1716 * To create the request we need to create a certificate ID for the
1717 * subject certificate so the CA knows which certificate we are asking
1718 * about:
1719 *
1720 * digest = OpenSSL::Digest::SHA1.new
1721 * certificate_id =
1722 * OpenSSL::OCSP::CertificateId.new subject, issuer, digest
1723 *
1724 * Then create a request and add the certificate ID to it:
1725 *
1726 * request = OpenSSL::OCSP::Request.new
1727 * request.add_certid certificate_id
1728 *
1729 * Adding a nonce to the request protects against replay attacks but not
1730 * all CA process the nonce.
1731 *
1732 * request.add_nonce
1733 *
1734 * To submit the request to the CA for verification we need to extract the
1735 * OCSP URI from the subject certificate:
1736 *
1737 * authority_info_access = subject.extensions.find do |extension|
1738 * extension.oid == 'authorityInfoAccess'
1739 * end
1740 *
1741 * descriptions = authority_info_access.value.split "\n"
1742 * ocsp = descriptions.find do |description|
1743 * description.start_with? 'OCSP'
1744 * end
1745 *
1746 * require 'uri'
1747 *
1748 * ocsp_uri = URI ocsp[/URI:(.*)/, 1]
1749 *
1750 * To submit the request we'll POST the request to the OCSP URI (per RFC
1751 * 2560). Note that we only handle HTTP requests and don't handle any
1752 * redirects in this example, so this is insufficient for serious use.
1753 *
1754 * require 'net/http'
1755 *
1756 * http_response =
1757 * Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http|
1758 * http.post ocsp_uri.path, request.to_der,
1759 * 'content-type' => 'application/ocsp-request'
1760 * end
1761 *
1762 * response = OpenSSL::OCSP::Response.new http_response.body
1763 * response_basic = response.basic
1764 *
1765 * First we check if the response has a valid signature. Without a valid
1766 * signature we cannot trust it. If you get a failure here you may be
1767 * missing a system certificate store or may be missing the intermediate
1768 * certificates.
1769 *
1770 * store = OpenSSL::X509::Store.new
1771 * store.set_default_paths
1772 *
1773 * unless response_basic.verify [], store then
1774 * raise 'response is not signed by a trusted certificate'
1775 * end
1776 *
1777 * The response contains the status information (success/fail). We can
1778 * display the status as a string:
1779 *
1780 * puts response.status_string #=> successful
1781 *
1782 * Next we need to know the response details to determine if the response
1783 * matches our request. First we check the nonce. Again, not all CAs
1784 * support a nonce. See Request#check_nonce for the meanings of the
1785 * return values.
1786 *
1787 * p request.check_nonce basic_response #=> value from -1 to 3
1788 *
1789 * Then extract the status information for the certificate from the basic
1790 * response.
1791 *
1792 * single_response = basic_response.find_response(certificate_id)
1793 *
1794 * unless single_response
1795 * raise 'basic_response does not have the status for the certificiate'
1796 * end
1797 *
1798 * Then check the validity. A status issued in the future must be rejected.
1799 *
1800 * unless single_response.check_validity
1801 * raise 'this_update is in the future or next_update time has passed'
1802 * end
1803 *
1804 * case single_response.cert_status
1805 * when OpenSSL::OCSP::V_CERTSTATUS_GOOD
1806 * puts 'certificate is still valid'
1807 * when OpenSSL::OCSP::V_CERTSTATUS_REVOKED
1808 * puts "certificate has been revoked at #{single_response.revocation_time}"
1809 * when OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
1810 * puts 'responder doesn't know about the certificate'
1811 * end
1812 */
1813
1815
1816 /*
1817 * OCSP error class.
1818 */
1819
1821
1822 /*
1823 * An OpenSSL::OCSP::Request contains the certificate information for
1824 * determining if a certificate has been revoked or not. A Request can be
1825 * created for a certificate or from a DER-encoded request created
1826 * elsewhere.
1827 */
1828
1830 rb_define_alloc_func(cOCSPReq, ossl_ocspreq_alloc);
1831 rb_define_method(cOCSPReq, "initialize_copy", ossl_ocspreq_initialize_copy, 1);
1832 rb_define_method(cOCSPReq, "initialize", ossl_ocspreq_initialize, -1);
1833 rb_define_method(cOCSPReq, "add_nonce", ossl_ocspreq_add_nonce, -1);
1834 rb_define_method(cOCSPReq, "check_nonce", ossl_ocspreq_check_nonce, 1);
1835 rb_define_method(cOCSPReq, "add_certid", ossl_ocspreq_add_certid, 1);
1836 rb_define_method(cOCSPReq, "certid", ossl_ocspreq_get_certid, 0);
1837 rb_define_method(cOCSPReq, "signed?", ossl_ocspreq_signed_p, 0);
1838 rb_define_method(cOCSPReq, "sign", ossl_ocspreq_sign, -1);
1839 rb_define_method(cOCSPReq, "verify", ossl_ocspreq_verify, -1);
1840 rb_define_method(cOCSPReq, "to_der", ossl_ocspreq_to_der, 0);
1841
1842 /*
1843 * An OpenSSL::OCSP::Response contains the status of a certificate check
1844 * which is created from an OpenSSL::OCSP::Request.
1845 */
1846
1848 rb_define_singleton_method(cOCSPRes, "create", ossl_ocspres_s_create, 2);
1849 rb_define_alloc_func(cOCSPRes, ossl_ocspres_alloc);
1850 rb_define_method(cOCSPRes, "initialize_copy", ossl_ocspres_initialize_copy, 1);
1851 rb_define_method(cOCSPRes, "initialize", ossl_ocspres_initialize, -1);
1852 rb_define_method(cOCSPRes, "status", ossl_ocspres_status, 0);
1853 rb_define_method(cOCSPRes, "status_string", ossl_ocspres_status_string, 0);
1854 rb_define_method(cOCSPRes, "basic", ossl_ocspres_get_basic, 0);
1855 rb_define_method(cOCSPRes, "to_der", ossl_ocspres_to_der, 0);
1856
1857 /*
1858 * An OpenSSL::OCSP::BasicResponse contains the status of a certificate
1859 * check which is created from an OpenSSL::OCSP::Request. A
1860 * BasicResponse is more detailed than a Response.
1861 */
1862
1864 rb_define_alloc_func(cOCSPBasicRes, ossl_ocspbres_alloc);
1865 rb_define_method(cOCSPBasicRes, "initialize_copy", ossl_ocspbres_initialize_copy, 1);
1866 rb_define_method(cOCSPBasicRes, "initialize", ossl_ocspbres_initialize, -1);
1867 rb_define_method(cOCSPBasicRes, "copy_nonce", ossl_ocspbres_copy_nonce, 1);
1868 rb_define_method(cOCSPBasicRes, "add_nonce", ossl_ocspbres_add_nonce, -1);
1869 rb_define_method(cOCSPBasicRes, "add_status", ossl_ocspbres_add_status, 7);
1870 rb_define_method(cOCSPBasicRes, "status", ossl_ocspbres_get_status, 0);
1871 rb_define_method(cOCSPBasicRes, "responses", ossl_ocspbres_get_responses, 0);
1872 rb_define_method(cOCSPBasicRes, "find_response", ossl_ocspbres_find_response, 1);
1873 rb_define_method(cOCSPBasicRes, "sign", ossl_ocspbres_sign, -1);
1874 rb_define_method(cOCSPBasicRes, "verify", ossl_ocspbres_verify, -1);
1875 rb_define_method(cOCSPBasicRes, "to_der", ossl_ocspbres_to_der, 0);
1876
1877 /*
1878 * An OpenSSL::OCSP::SingleResponse represents an OCSP SingleResponse
1879 * structure, which contains the basic information of the status of the
1880 * certificate.
1881 */
1883 rb_define_alloc_func(cOCSPSingleRes, ossl_ocspsres_alloc);
1884 rb_define_method(cOCSPSingleRes, "initialize_copy", ossl_ocspsres_initialize_copy, 1);
1885 rb_define_method(cOCSPSingleRes, "initialize", ossl_ocspsres_initialize, 1);
1886 rb_define_method(cOCSPSingleRes, "check_validity", ossl_ocspsres_check_validity, -1);
1887 rb_define_method(cOCSPSingleRes, "certid", ossl_ocspsres_get_certid, 0);
1888 rb_define_method(cOCSPSingleRes, "cert_status", ossl_ocspsres_get_cert_status, 0);
1889 rb_define_method(cOCSPSingleRes, "this_update", ossl_ocspsres_get_this_update, 0);
1890 rb_define_method(cOCSPSingleRes, "next_update", ossl_ocspsres_get_next_update, 0);
1891 rb_define_method(cOCSPSingleRes, "revocation_time", ossl_ocspsres_get_revocation_time, 0);
1892 rb_define_method(cOCSPSingleRes, "revocation_reason", ossl_ocspsres_get_revocation_reason, 0);
1893 rb_define_method(cOCSPSingleRes, "extensions", ossl_ocspsres_get_extensions, 0);
1894 rb_define_method(cOCSPSingleRes, "to_der", ossl_ocspsres_to_der, 0);
1895
1896 /*
1897 * An OpenSSL::OCSP::CertificateId identifies a certificate to the CA so
1898 * that a status check can be performed.
1899 */
1900
1902 rb_define_alloc_func(cOCSPCertId, ossl_ocspcid_alloc);
1903 rb_define_method(cOCSPCertId, "initialize_copy", ossl_ocspcid_initialize_copy, 1);
1904 rb_define_method(cOCSPCertId, "initialize", ossl_ocspcid_initialize, -1);
1905 rb_define_method(cOCSPCertId, "cmp", ossl_ocspcid_cmp, 1);
1906 rb_define_method(cOCSPCertId, "cmp_issuer", ossl_ocspcid_cmp_issuer, 1);
1907 rb_define_method(cOCSPCertId, "serial", ossl_ocspcid_get_serial, 0);
1908 rb_define_method(cOCSPCertId, "issuer_name_hash", ossl_ocspcid_get_issuer_name_hash, 0);
1909 rb_define_method(cOCSPCertId, "issuer_key_hash", ossl_ocspcid_get_issuer_key_hash, 0);
1910 rb_define_method(cOCSPCertId, "hash_algorithm", ossl_ocspcid_get_hash_algorithm, 0);
1911 rb_define_method(cOCSPCertId, "to_der", ossl_ocspcid_to_der, 0);
1912
1913 /* Internal error in issuer */
1914 rb_define_const(mOCSP, "RESPONSE_STATUS_INTERNALERROR", INT2NUM(OCSP_RESPONSE_STATUS_INTERNALERROR));
1915
1916 /* Illegal confirmation request */
1917 rb_define_const(mOCSP, "RESPONSE_STATUS_MALFORMEDREQUEST", INT2NUM(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST));
1918
1919 /* The certificate was revoked for an unknown reason */
1920 rb_define_const(mOCSP, "REVOKED_STATUS_NOSTATUS", INT2NUM(OCSP_REVOKED_STATUS_NOSTATUS));
1921
1922 /* You must sign the request and resubmit */
1923 rb_define_const(mOCSP, "RESPONSE_STATUS_SIGREQUIRED", INT2NUM(OCSP_RESPONSE_STATUS_SIGREQUIRED));
1924
1925 /* Response has valid confirmations */
1926 rb_define_const(mOCSP, "RESPONSE_STATUS_SUCCESSFUL", INT2NUM(OCSP_RESPONSE_STATUS_SUCCESSFUL));
1927
1928 /* Try again later */
1929 rb_define_const(mOCSP, "RESPONSE_STATUS_TRYLATER", INT2NUM(OCSP_RESPONSE_STATUS_TRYLATER));
1930
1931 /* The certificate subject's name or other information changed */
1932 rb_define_const(mOCSP, "REVOKED_STATUS_AFFILIATIONCHANGED", INT2NUM(OCSP_REVOKED_STATUS_AFFILIATIONCHANGED));
1933
1934 /* This CA certificate was revoked due to a key compromise */
1935 rb_define_const(mOCSP, "REVOKED_STATUS_CACOMPROMISE", INT2NUM(OCSP_REVOKED_STATUS_CACOMPROMISE));
1936
1937 /* The certificate is on hold */
1938 rb_define_const(mOCSP, "REVOKED_STATUS_CERTIFICATEHOLD", INT2NUM(OCSP_REVOKED_STATUS_CERTIFICATEHOLD));
1939
1940 /* The certificate is no longer needed */
1941 rb_define_const(mOCSP, "REVOKED_STATUS_CESSATIONOFOPERATION", INT2NUM(OCSP_REVOKED_STATUS_CESSATIONOFOPERATION));
1942
1943 /* The certificate was revoked due to a key compromise */
1944 rb_define_const(mOCSP, "REVOKED_STATUS_KEYCOMPROMISE", INT2NUM(OCSP_REVOKED_STATUS_KEYCOMPROMISE));
1945
1946 /* The certificate was previously on hold and should now be removed from
1947 * the CRL */
1948 rb_define_const(mOCSP, "REVOKED_STATUS_REMOVEFROMCRL", INT2NUM(OCSP_REVOKED_STATUS_REMOVEFROMCRL));
1949
1950 /* The certificate was superseded by a new certificate */
1951 rb_define_const(mOCSP, "REVOKED_STATUS_SUPERSEDED", INT2NUM(OCSP_REVOKED_STATUS_SUPERSEDED));
1952
1953 /* Your request is unauthorized. */
1954 rb_define_const(mOCSP, "RESPONSE_STATUS_UNAUTHORIZED", INT2NUM(OCSP_RESPONSE_STATUS_UNAUTHORIZED));
1955
1956 /* The certificate was revoked for an unspecified reason */
1957 rb_define_const(mOCSP, "REVOKED_STATUS_UNSPECIFIED", INT2NUM(OCSP_REVOKED_STATUS_UNSPECIFIED));
1958
1959 /* Do not include certificates in the response */
1960 rb_define_const(mOCSP, "NOCERTS", INT2NUM(OCSP_NOCERTS));
1961
1962 /* Do not search certificates contained in the response for a signer */
1963 rb_define_const(mOCSP, "NOINTERN", INT2NUM(OCSP_NOINTERN));
1964
1965 /* Do not check the signature on the response */
1966 rb_define_const(mOCSP, "NOSIGS", INT2NUM(OCSP_NOSIGS));
1967
1968 /* Do not verify the certificate chain on the response */
1969 rb_define_const(mOCSP, "NOCHAIN", INT2NUM(OCSP_NOCHAIN));
1970
1971 /* Do not verify the response at all */
1972 rb_define_const(mOCSP, "NOVERIFY", INT2NUM(OCSP_NOVERIFY));
1973
1974 /* Do not check trust */
1975 rb_define_const(mOCSP, "NOEXPLICIT", INT2NUM(OCSP_NOEXPLICIT));
1976
1977 /* (This flag is not used by OpenSSL 1.0.1g) */
1978 rb_define_const(mOCSP, "NOCASIGN", INT2NUM(OCSP_NOCASIGN));
1979
1980 /* (This flag is not used by OpenSSL 1.0.1g) */
1981 rb_define_const(mOCSP, "NODELEGATED", INT2NUM(OCSP_NODELEGATED));
1982
1983 /* Do not make additional signing certificate checks */
1984 rb_define_const(mOCSP, "NOCHECKS", INT2NUM(OCSP_NOCHECKS));
1985
1986 /* Do not verify additional certificates */
1987 rb_define_const(mOCSP, "TRUSTOTHER", INT2NUM(OCSP_TRUSTOTHER));
1988
1989 /* Identify the response by signing the certificate key ID */
1990 rb_define_const(mOCSP, "RESPID_KEY", INT2NUM(OCSP_RESPID_KEY));
1991
1992 /* Do not include producedAt time in response */
1993 rb_define_const(mOCSP, "NOTIME", INT2NUM(OCSP_NOTIME));
1994
1995 /* Indicates the certificate is not revoked but does not necessarily mean
1996 * the certificate was issued or that this response is within the
1997 * certificate's validity interval */
1998 rb_define_const(mOCSP, "V_CERTSTATUS_GOOD", INT2NUM(V_OCSP_CERTSTATUS_GOOD));
1999 /* Indicates the certificate has been revoked either permanently or
2000 * temporarily (on hold). */
2001 rb_define_const(mOCSP, "V_CERTSTATUS_REVOKED", INT2NUM(V_OCSP_CERTSTATUS_REVOKED));
2002
2003 /* Indicates the responder does not know about the certificate being
2004 * requested. */
2005 rb_define_const(mOCSP, "V_CERTSTATUS_UNKNOWN", INT2NUM(V_OCSP_CERTSTATUS_UNKNOWN));
2006
2007 /* The responder ID is based on the key name. */
2008 rb_define_const(mOCSP, "V_RESPID_NAME", INT2NUM(V_OCSP_RESPID_NAME));
2009
2010 /* The responder ID is based on the public key. */
2011 rb_define_const(mOCSP, "V_RESPID_KEY", INT2NUM(V_OCSP_RESPID_KEY));
2012}
2013#else
2014void
2015Init_ossl_ocsp(void)
2016{
2017}
2018#endif
struct RIMemo * ptr
Definition: debug.c:65
int count
Definition: encoding.c:57
char str[HTML_ESCAPE_MAX_LEN+1]
Definition: escape.c:18
VALUE rb_define_class_under(VALUE, const char *, VALUE)
Defines a class under the namespace of outer.
Definition: class.c:711
VALUE rb_define_module(const char *)
Definition: class.c:785
VALUE rb_define_module_under(VALUE, const char *)
Definition: class.c:810
VALUE rb_cObject
Object class.
Definition: ruby.h:2012
VALUE rb_eStandardError
Definition: error.c:921
VALUE rb_protect(VALUE(*)(VALUE), VALUE, int *)
Protects a function call from potential global escapes from the function.
Definition: eval.c:1072
void rb_jump_tag(int tag)
Continues the exception caught by rb_protect() and rb_eval_string_protect().
Definition: eval.c:884
#define OCSP_SINGLERESP_get0_id(s)
void ossl_bin2hex(unsigned char *in, char *out, size_t inlen)
Definition: ossl.c:133
VALUE mOSSL
Definition: ossl.c:231
VALUE ossl_to_der_if_possible(VALUE obj)
Definition: ossl.c:255
void ossl_raise(VALUE exc, const char *fmt,...)
Definition: ossl.c:293
VALUE eOSSLError
Definition: ossl.c:236
void ossl_clear_error(void)
Definition: ossl.c:304
#define ossl_str_adjust(str, p)
Definition: ossl.h:87
#define OSSL_Check_Kind(obj, klass)
Definition: ossl.h:57
STACK_OF(X509) *ossl_x509_ary2sk(VALUE)
VALUE asn1integer_to_num(const ASN1_INTEGER *ai)
Definition: ossl_asn1.c:101
VALUE asn1time_to_time(const ASN1_TIME *time)
Definition: ossl_asn1.c:20
VALUE ossl_membio2str(BIO *bio)
Definition: ossl_bio.c:29
const EVP_MD * ossl_evp_get_digestbyname(VALUE obj)
Definition: ossl_digest.c:45
#define NewOCSPCertId(klass)
Definition: ossl_ocsp.c:59
#define NewOCSPRes(klass)
Definition: ossl_ocsp.c:26
VALUE eOCSPError
Definition: ossl_ocsp.c:71
#define SetOCSPCertId(obj, cid)
Definition: ossl_ocsp.c:61
VALUE cOCSPBasicRes
Definition: ossl_ocsp.c:74
#define NewOCSPReq(klass)
Definition: ossl_ocsp.c:15
#define GetOCSPRes(obj, res)
Definition: ossl_ocsp.c:32
#define GetOCSPCertId(obj, cid)
Definition: ossl_ocsp.c:65
#define SetOCSPSingleRes(obj, res)
Definition: ossl_ocsp.c:50
#define SetOCSPRes(obj, res)
Definition: ossl_ocsp.c:28
#define SetOCSPReq(obj, req)
Definition: ossl_ocsp.c:17
void Init_ossl_ocsp(void)
Definition: ossl_ocsp.c:1697
#define GetOCSPSingleRes(obj, res)
Definition: ossl_ocsp.c:54
VALUE cOCSPCertId
Definition: ossl_ocsp.c:76
#define NewOCSPSingleRes(klass)
Definition: ossl_ocsp.c:48
VALUE cOCSPRes
Definition: ossl_ocsp.c:73
#define GetOCSPBasicRes(obj, res)
Definition: ossl_ocsp.c:43
VALUE cOCSPSingleRes
Definition: ossl_ocsp.c:75
VALUE cOCSPReq
Definition: ossl_ocsp.c:72
#define GetOCSPReq(obj, req)
Definition: ossl_ocsp.c:21
#define NewOCSPBasicRes(klass)
Definition: ossl_ocsp.c:37
VALUE mOCSP
Definition: ossl_ocsp.c:70
#define SetOCSPBasicRes(obj, res)
Definition: ossl_ocsp.c:39
EVP_PKEY * GetPrivPKeyPtr(VALUE obj)
Definition: ossl_pkey.c:239
ASN1_TIME * ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
Definition: ossl_x509.c:19
X509_STORE * GetX509StorePtr(VALUE)
VALUE cX509Ext
Definition: ossl_x509ext.c:43
VALUE ossl_x509ext_new(X509_EXTENSION *)
Definition: ossl_x509ext.c:65
X509 * GetX509CertPtr(VALUE)
Definition: ossl_x509cert.c:71
X509_EXTENSION * GetX509ExtPtr(VALUE)
Definition: ossl_x509ext.c:85
#define RARRAY_LEN(a)
#define rb_str_new2
#define NULL
use StringValue() instead")))
#define RSTRING_LEN(str)
enum ruby_tag_type st
time_t time(time_t *_timer)
const VALUE VALUE obj
#define rb_check_frozen(obj)
#define RSTRING_PTR(str)
const rb_iseq_t const char * error
#define rb_str_new(str, len)
#define NIL_P(v)
#define RSTRING_LENINT(str)
const char size_t n
unsigned long VALUE
VALUE rb_ary_push(VALUE, VALUE)
Definition: array.c:1195
void rb_define_alloc_func(VALUE, rb_alloc_func_t)
uint32_t i
__inline__ const void *__restrict__ size_t len
#define INT2NUM(x)
void rb_define_const(VALUE, const char *, VALUE)
Definition: variable.c:2891
#define NUM2INT(x)
void rb_define_singleton_method(VALUE, const char *, VALUE(*)(), int)
#define RUBY_TYPED_FREE_IMMEDIATELY
VALUE rb_ary_new(void)
Definition: array.c:723
#define rb_scan_args(argc, argvp, fmt,...)
#define Qtrue
#define Qnil
#define Qfalse
VALUE rb_check_array_type(VALUE)
Definition: array.c:909
const VALUE * argv
#define RB_INTEGER_TYPE_P(obj)
VALUE ID id
void rb_define_method(VALUE, const char *, VALUE(*)(), int)
#define rb_ary_new2
#define RARRAY_AREF(a, i)