Ruby  2.4.2p198(2017-09-14revision59899)
ossl_ocsp.c
Go to the documentation of this file.
1 /*
2  * 'OpenSSL for Ruby' project
3  * Copyright (C) 2003 Michal Rokos <m.rokos@sh.cvut.cz>
4  * Copyright (C) 2003 GOTOU Yuuzou <gotoyuzo@notwork.org>
5  * All rights reserved.
6  */
7 /*
8  * This program is licensed under the same licence as Ruby.
9  * (See the file 'LICENCE'.)
10  */
11 #include "ossl.h"
12 
13 #if !defined(OPENSSL_NO_OCSP)
14 
15 #define NewOCSPReq(klass) \
16  TypedData_Wrap_Struct((klass), &ossl_ocsp_request_type, 0)
17 #define SetOCSPReq(obj, req) do { \
18  if(!(req)) ossl_raise(rb_eRuntimeError, "Request wasn't initialized!"); \
19  RTYPEDDATA_DATA(obj) = (req); \
20 } while (0)
21 #define GetOCSPReq(obj, req) do { \
22  TypedData_Get_Struct((obj), OCSP_REQUEST, &ossl_ocsp_request_type, (req)); \
23  if(!(req)) ossl_raise(rb_eRuntimeError, "Request wasn't initialized!"); \
24 } while (0)
25 #define SafeGetOCSPReq(obj, req) do { \
26  OSSL_Check_Kind((obj), cOCSPReq); \
27  GetOCSPReq((obj), (req)); \
28 } while (0)
29 
30 #define NewOCSPRes(klass) \
31  TypedData_Wrap_Struct((klass), &ossl_ocsp_response_type, 0)
32 #define SetOCSPRes(obj, res) do { \
33  if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
34  RTYPEDDATA_DATA(obj) = (res); \
35 } while (0)
36 #define GetOCSPRes(obj, res) do { \
37  TypedData_Get_Struct((obj), OCSP_RESPONSE, &ossl_ocsp_response_type, (res)); \
38  if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
39 } while (0)
40 #define SafeGetOCSPRes(obj, res) do { \
41  OSSL_Check_Kind((obj), cOCSPRes); \
42  GetOCSPRes((obj), (res)); \
43 } while (0)
44 
45 #define NewOCSPBasicRes(klass) \
46  TypedData_Wrap_Struct((klass), &ossl_ocsp_basicresp_type, 0)
47 #define SetOCSPBasicRes(obj, res) do { \
48  if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
49  RTYPEDDATA_DATA(obj) = (res); \
50 } while (0)
51 #define GetOCSPBasicRes(obj, res) do { \
52  TypedData_Get_Struct((obj), OCSP_BASICRESP, &ossl_ocsp_basicresp_type, (res)); \
53  if(!(res)) ossl_raise(rb_eRuntimeError, "Response wasn't initialized!"); \
54 } while (0)
55 #define SafeGetOCSPBasicRes(obj, res) do { \
56  OSSL_Check_Kind((obj), cOCSPBasicRes); \
57  GetOCSPBasicRes((obj), (res)); \
58 } while (0)
59 
60 #define NewOCSPSingleRes(klass) \
61  TypedData_Wrap_Struct((klass), &ossl_ocsp_singleresp_type, 0)
62 #define SetOCSPSingleRes(obj, res) do { \
63  if(!(res)) ossl_raise(rb_eRuntimeError, "SingleResponse wasn't initialized!"); \
64  RTYPEDDATA_DATA(obj) = (res); \
65 } while (0)
66 #define GetOCSPSingleRes(obj, res) do { \
67  TypedData_Get_Struct((obj), OCSP_SINGLERESP, &ossl_ocsp_singleresp_type, (res)); \
68  if(!(res)) ossl_raise(rb_eRuntimeError, "SingleResponse wasn't initialized!"); \
69 } while (0)
70 #define SafeGetOCSPSingleRes(obj, res) do { \
71  OSSL_Check_Kind((obj), cOCSPSingleRes); \
72  GetOCSPSingleRes((obj), (res)); \
73 } while (0)
74 
75 #define NewOCSPCertId(klass) \
76  TypedData_Wrap_Struct((klass), &ossl_ocsp_certid_type, 0)
77 #define SetOCSPCertId(obj, cid) do { \
78  if(!(cid)) ossl_raise(rb_eRuntimeError, "Cert ID wasn't initialized!"); \
79  RTYPEDDATA_DATA(obj) = (cid); \
80 } while (0)
81 #define GetOCSPCertId(obj, cid) do { \
82  TypedData_Get_Struct((obj), OCSP_CERTID, &ossl_ocsp_certid_type, (cid)); \
83  if(!(cid)) ossl_raise(rb_eRuntimeError, "Cert ID wasn't initialized!"); \
84 } while (0)
85 #define SafeGetOCSPCertId(obj, cid) do { \
86  OSSL_Check_Kind((obj), cOCSPCertId); \
87  GetOCSPCertId((obj), (cid)); \
88 } while (0)
89 
97 
98 static void
100 {
101  OCSP_REQUEST_free(ptr);
102 }
103 
105  "OpenSSL/OCSP/REQUEST",
106  {
108  },
110 };
111 
112 static void
114 {
115  OCSP_RESPONSE_free(ptr);
116 }
117 
119  "OpenSSL/OCSP/RESPONSE",
120  {
122  },
124 };
125 
126 static void
128 {
129  OCSP_BASICRESP_free(ptr);
130 }
131 
133  "OpenSSL/OCSP/BASICRESP",
134  {
136  },
138 };
139 
140 static void
142 {
143  OCSP_SINGLERESP_free(ptr);
144 }
145 
147  "OpenSSL/OCSP/SINGLERESP",
148  {
150  },
152 };
153 
154 static void
156 {
157  OCSP_CERTID_free(ptr);
158 }
159 
161  "OpenSSL/OCSP/CERTID",
162  {
164  },
166 };
167 
168 /*
169  * Public
170  */
171 static VALUE
172 ossl_ocspcertid_new(OCSP_CERTID *cid)
173 {
175  SetOCSPCertId(obj, cid);
176  return obj;
177 }
178 
179 /*
180  * OCSP::Resquest
181  */
182 static VALUE
184 {
185  OCSP_REQUEST *req;
186  VALUE obj;
187 
188  obj = NewOCSPReq(klass);
189  if (!(req = OCSP_REQUEST_new()))
191  SetOCSPReq(obj, req);
192 
193  return obj;
194 }
195 
196 static VALUE
198 {
199  OCSP_REQUEST *req, *req_old, *req_new;
200 
201  rb_check_frozen(self);
202  GetOCSPReq(self, req_old);
203  SafeGetOCSPReq(other, req);
204 
205  req_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_REQUEST), req);
206  if (!req_new)
207  ossl_raise(eOCSPError, "ASN1_item_dup");
208 
209  SetOCSPReq(self, req_new);
210  OCSP_REQUEST_free(req_old);
211 
212  return self;
213 }
214 
215 /*
216  * call-seq:
217  * OpenSSL::OCSP::Request.new -> request
218  * OpenSSL::OCSP::Request.new(request_der) -> request
219  *
220  * Creates a new OpenSSL::OCSP::Request. The request may be created empty or
221  * from a +request_der+ string.
222  */
223 
224 static VALUE
226 {
227  VALUE arg;
228  OCSP_REQUEST *req, *req_new;
229  const unsigned char *p;
230 
231  rb_scan_args(argc, argv, "01", &arg);
232  if(!NIL_P(arg)){
233  GetOCSPReq(self, req);
234  arg = ossl_to_der_if_possible(arg);
235  StringValue(arg);
236  p = (unsigned char *)RSTRING_PTR(arg);
237  req_new = d2i_OCSP_REQUEST(NULL, &p, RSTRING_LEN(arg));
238  if (!req_new)
239  ossl_raise(eOCSPError, "d2i_OCSP_REQUEST");
240  SetOCSPReq(self, req_new);
241  OCSP_REQUEST_free(req);
242  }
243 
244  return self;
245 }
246 
247 /*
248  * call-seq:
249  * request.add_nonce(nonce = nil) -> request
250  *
251  * Adds a +nonce+ to the OCSP request. If no nonce is given a random one will
252  * be generated.
253  *
254  * The nonce is used to prevent replay attacks but some servers do not support
255  * it.
256  */
257 
258 static VALUE
260 {
261  OCSP_REQUEST *req;
262  VALUE val;
263  int ret;
264 
265  rb_scan_args(argc, argv, "01", &val);
266  if(NIL_P(val)) {
267  GetOCSPReq(self, req);
268  ret = OCSP_request_add1_nonce(req, NULL, -1);
269  }
270  else{
271  StringValue(val);
272  GetOCSPReq(self, req);
273  ret = OCSP_request_add1_nonce(req, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
274  }
275  if(!ret) ossl_raise(eOCSPError, NULL);
276 
277  return self;
278 }
279 
280 /*
281  * call-seq:
282  * request.check_nonce(response) -> result
283  *
284  * Checks the nonce validity for this request and +response+.
285  *
286  * The return value is one of the following:
287  *
288  * -1 :: nonce in request only.
289  * 0 :: nonces both present and not equal.
290  * 1 :: nonces present and equal.
291  * 2 :: nonces both absent.
292  * 3 :: nonce present in response only.
293  *
294  * For most responses, clients can check +result+ > 0. If a responder doesn't
295  * handle nonces <code>result.nonzero?</code> may be necessary. A result of
296  * <code>0</code> is always an error.
297  */
298 
299 static VALUE
301 {
302  OCSP_REQUEST *req;
303  OCSP_BASICRESP *bs;
304  int res;
305 
306  GetOCSPReq(self, req);
307  SafeGetOCSPBasicRes(basic_resp, bs);
308  res = OCSP_check_nonce(req, bs);
309 
310  return INT2NUM(res);
311 }
312 
313 /*
314  * call-seq:
315  * request.add_certid(certificate_id) -> request
316  *
317  * Adds +certificate_id+ to the request.
318  */
319 
320 static VALUE
322 {
323  OCSP_REQUEST *req;
324  OCSP_CERTID *id, *id_new;
325 
326  GetOCSPReq(self, req);
327  GetOCSPCertId(certid, id);
328 
329  if (!(id_new = OCSP_CERTID_dup(id)))
330  ossl_raise(eOCSPError, "OCSP_CERTID_dup");
331  if (!OCSP_request_add0_id(req, id_new)) {
332  OCSP_CERTID_free(id_new);
333  ossl_raise(eOCSPError, "OCSP_request_add0_id");
334  }
335 
336  return self;
337 }
338 
339 /*
340  * call-seq:
341  * request.certid -> [certificate_id, ...]
342  *
343  * Returns all certificate IDs in this request.
344  */
345 
346 static VALUE
348 {
349  OCSP_REQUEST *req;
350  OCSP_ONEREQ *one;
351  OCSP_CERTID *id;
352  VALUE ary, tmp;
353  int i, count;
354 
355  GetOCSPReq(self, req);
356  count = OCSP_request_onereq_count(req);
357  ary = (count > 0) ? rb_ary_new() : Qnil;
358  for(i = 0; i < count; i++){
359  one = OCSP_request_onereq_get0(req, i);
360  tmp = NewOCSPCertId(cOCSPCertId);
361  if(!(id = OCSP_CERTID_dup(OCSP_onereq_get0_id(one))))
363  SetOCSPCertId(tmp, id);
364  rb_ary_push(ary, tmp);
365  }
366 
367  return ary;
368 }
369 
370 /*
371  * call-seq:
372  * request.sign(cert, key, certs = nil, flags = 0, digest = nil) -> self
373  *
374  * Signs this OCSP request using +cert+, +key+ and optional +digest+. If
375  * +digest+ is not specified, SHA-1 is used. +certs+ is an optional Array of
376  * additional certificates which are included in the request in addition to
377  * the signer certificate. Note that if +certs+ is nil or not given, flag
378  * OpenSSL::OCSP::NOCERTS is enabled. Pass an empty array to include only the
379  * signer certificate.
380  *
381  * +flags+ can be a bitwise OR of the following constants:
382  *
383  * OpenSSL::OCSP::NOCERTS::
384  * Don't include any certificates in the request. +certs+ will be ignored.
385  */
386 static VALUE
388 {
389  VALUE signer_cert, signer_key, certs, flags, digest;
390  OCSP_REQUEST *req;
391  X509 *signer;
392  EVP_PKEY *key;
393  STACK_OF(X509) *x509s = NULL;
394  unsigned long flg = 0;
395  const EVP_MD *md;
396  int ret;
397 
398  rb_scan_args(argc, argv, "23", &signer_cert, &signer_key, &certs, &flags, &digest);
399  GetOCSPReq(self, req);
400  signer = GetX509CertPtr(signer_cert);
401  key = GetPrivPKeyPtr(signer_key);
402  if (!NIL_P(flags))
403  flg = NUM2INT(flags);
404  if (NIL_P(digest))
405  md = EVP_sha1();
406  else
407  md = GetDigestPtr(digest);
408  if (NIL_P(certs))
409  flg |= OCSP_NOCERTS;
410  else
411  x509s = ossl_x509_ary2sk(certs);
412 
413  ret = OCSP_request_sign(req, signer, key, md, x509s, flg);
414  sk_X509_pop_free(x509s, X509_free);
415  if (!ret) ossl_raise(eOCSPError, NULL);
416 
417  return self;
418 }
419 
420 /*
421  * call-seq:
422  * request.verify(certificates, store, flags = 0) -> true or false
423  *
424  * Verifies this request using the given +certificates+ and +store+.
425  * +certificates+ is an array of OpenSSL::X509::Certificate, +store+ is an
426  * OpenSSL::X509::Store.
427  */
428 
429 static VALUE
431 {
432  VALUE certs, store, flags;
433  OCSP_REQUEST *req;
434  STACK_OF(X509) *x509s;
435  X509_STORE *x509st;
436  int flg, result;
437 
438  rb_scan_args(argc, argv, "21", &certs, &store, &flags);
439  GetOCSPReq(self, req);
440  x509st = GetX509StorePtr(store);
441  flg = NIL_P(flags) ? 0 : NUM2INT(flags);
442  x509s = ossl_x509_ary2sk(certs);
443  result = OCSP_request_verify(req, x509s, x509st, flg);
444  sk_X509_pop_free(x509s, X509_free);
445  if (result <= 0)
447 
448  return result > 0 ? Qtrue : Qfalse;
449 }
450 
451 /*
452  * Returns this request as a DER-encoded string
453  */
454 
455 static VALUE
457 {
458  OCSP_REQUEST *req;
459  VALUE str;
460  unsigned char *p;
461  long len;
462 
463  GetOCSPReq(self, req);
464  if((len = i2d_OCSP_REQUEST(req, NULL)) <= 0)
466  str = rb_str_new(0, len);
467  p = (unsigned char *)RSTRING_PTR(str);
468  if(i2d_OCSP_REQUEST(req, &p) <= 0)
470  ossl_str_adjust(str, p);
471 
472  return str;
473 }
474 
475 /*
476  * OCSP::Response
477  */
478 
479 /* call-seq:
480  * OpenSSL::OCSP::Response.create(status, basic_response = nil) -> response
481  *
482  * Creates an OpenSSL::OCSP::Response from +status+ and +basic_response+.
483  */
484 
485 static VALUE
486 ossl_ocspres_s_create(VALUE klass, VALUE status, VALUE basic_resp)
487 {
488  OCSP_BASICRESP *bs;
489  OCSP_RESPONSE *res;
490  VALUE obj;
491  int st = NUM2INT(status);
492 
493  if(NIL_P(basic_resp)) bs = NULL;
494  else GetOCSPBasicRes(basic_resp, bs); /* NO NEED TO DUP */
495  obj = NewOCSPRes(klass);
496  if(!(res = OCSP_response_create(st, bs)))
498  SetOCSPRes(obj, res);
499 
500  return obj;
501 }
502 
503 static VALUE
505 {
506  OCSP_RESPONSE *res;
507  VALUE obj;
508 
509  obj = NewOCSPRes(klass);
510  if(!(res = OCSP_RESPONSE_new()))
512  SetOCSPRes(obj, res);
513 
514  return obj;
515 }
516 
517 static VALUE
519 {
520  OCSP_RESPONSE *res, *res_old, *res_new;
521 
522  rb_check_frozen(self);
523  GetOCSPRes(self, res_old);
524  SafeGetOCSPRes(other, res);
525 
526  res_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_RESPONSE), res);
527  if (!res_new)
528  ossl_raise(eOCSPError, "ASN1_item_dup");
529 
530  SetOCSPRes(self, res_new);
531  OCSP_RESPONSE_free(res_old);
532 
533  return self;
534 }
535 
536 /*
537  * call-seq:
538  * OpenSSL::OCSP::Response.new -> response
539  * OpenSSL::OCSP::Response.new(response_der) -> response
540  *
541  * Creates a new OpenSSL::OCSP::Response. The response may be created empty or
542  * from a +response_der+ string.
543  */
544 
545 static VALUE
547 {
548  VALUE arg;
549  OCSP_RESPONSE *res, *res_new;
550  const unsigned char *p;
551 
552  rb_scan_args(argc, argv, "01", &arg);
553  if(!NIL_P(arg)){
554  GetOCSPRes(self, res);
555  arg = ossl_to_der_if_possible(arg);
556  StringValue(arg);
557  p = (unsigned char *)RSTRING_PTR(arg);
558  res_new = d2i_OCSP_RESPONSE(NULL, &p, RSTRING_LEN(arg));
559  if (!res_new)
560  ossl_raise(eOCSPError, "d2i_OCSP_RESPONSE");
561  SetOCSPRes(self, res_new);
562  OCSP_RESPONSE_free(res);
563  }
564 
565  return self;
566 }
567 
568 /*
569  * call-seq:
570  * response.status -> Integer
571  *
572  * Returns the status of the response.
573  */
574 
575 static VALUE
577 {
578  OCSP_RESPONSE *res;
579  int st;
580 
581  GetOCSPRes(self, res);
582  st = OCSP_response_status(res);
583 
584  return INT2NUM(st);
585 }
586 
587 /*
588  * call-seq:
589  * response.status_string -> String
590  *
591  * Returns a status string for the response.
592  */
593 
594 static VALUE
596 {
597  OCSP_RESPONSE *res;
598  int st;
599 
600  GetOCSPRes(self, res);
601  st = OCSP_response_status(res);
602 
603  return rb_str_new2(OCSP_response_status_str(st));
604 }
605 
606 /*
607  * call-seq:
608  * response.basic
609  *
610  * Returns a BasicResponse for this response
611  */
612 
613 static VALUE
615 {
616  OCSP_RESPONSE *res;
617  OCSP_BASICRESP *bs;
618  VALUE ret;
619 
620  GetOCSPRes(self, res);
622  if(!(bs = OCSP_response_get1_basic(res)))
623  return Qnil;
624  SetOCSPBasicRes(ret, bs);
625 
626  return ret;
627 }
628 
629 /*
630  * call-seq:
631  * response.to_der -> String
632  *
633  * Returns this response as a DER-encoded string.
634  */
635 
636 static VALUE
638 {
639  OCSP_RESPONSE *res;
640  VALUE str;
641  long len;
642  unsigned char *p;
643 
644  GetOCSPRes(self, res);
645  if((len = i2d_OCSP_RESPONSE(res, NULL)) <= 0)
647  str = rb_str_new(0, len);
648  p = (unsigned char *)RSTRING_PTR(str);
649  if(i2d_OCSP_RESPONSE(res, &p) <= 0)
651  ossl_str_adjust(str, p);
652 
653  return str;
654 }
655 
656 /*
657  * OCSP::BasicResponse
658  */
659 static VALUE
661 {
662  OCSP_BASICRESP *bs;
663  VALUE obj;
664 
665  obj = NewOCSPBasicRes(klass);
666  if(!(bs = OCSP_BASICRESP_new()))
668  SetOCSPBasicRes(obj, bs);
669 
670  return obj;
671 }
672 
673 static VALUE
675 {
676  OCSP_BASICRESP *bs, *bs_old, *bs_new;
677 
678  rb_check_frozen(self);
679  GetOCSPBasicRes(self, bs_old);
680  SafeGetOCSPBasicRes(other, bs);
681 
682  bs_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
683  if (!bs_new)
684  ossl_raise(eOCSPError, "ASN1_item_dup");
685 
686  SetOCSPBasicRes(self, bs_new);
687  OCSP_BASICRESP_free(bs_old);
688 
689  return self;
690 }
691 
692 /*
693  * call-seq:
694  * OpenSSL::OCSP::BasicResponse.new(der_string = nil) -> basic_response
695  *
696  * Creates a new BasicResponse. If +der_string+ is given, decodes +der_string+
697  * as DER.
698  */
699 
700 static VALUE
702 {
703  VALUE arg;
704  OCSP_BASICRESP *res, *res_new;
705  const unsigned char *p;
706 
707  rb_scan_args(argc, argv, "01", &arg);
708  if (!NIL_P(arg)) {
709  GetOCSPBasicRes(self, res);
710  arg = ossl_to_der_if_possible(arg);
711  StringValue(arg);
712  p = (unsigned char *)RSTRING_PTR(arg);
713  res_new = d2i_OCSP_BASICRESP(NULL, &p, RSTRING_LEN(arg));
714  if (!res_new)
715  ossl_raise(eOCSPError, "d2i_OCSP_BASICRESP");
716  SetOCSPBasicRes(self, res_new);
717  OCSP_BASICRESP_free(res);
718  }
719 
720  return self;
721 }
722 
723 /*
724  * call-seq:
725  * basic_response.copy_nonce(request) -> Integer
726  *
727  * Copies the nonce from +request+ into this response. Returns 1 on success
728  * and 0 on failure.
729  */
730 
731 static VALUE
733 {
734  OCSP_BASICRESP *bs;
735  OCSP_REQUEST *req;
736  int ret;
737 
738  GetOCSPBasicRes(self, bs);
739  SafeGetOCSPReq(request, req);
740  ret = OCSP_copy_nonce(bs, req);
741 
742  return INT2NUM(ret);
743 }
744 
745 /*
746  * call-seq:
747  * basic_response.add_nonce(nonce = nil)
748  *
749  * Adds +nonce+ to this response. If no nonce was provided a random nonce
750  * will be added.
751  */
752 
753 static VALUE
755 {
756  OCSP_BASICRESP *bs;
757  VALUE val;
758  int ret;
759 
760  rb_scan_args(argc, argv, "01", &val);
761  if(NIL_P(val)) {
762  GetOCSPBasicRes(self, bs);
763  ret = OCSP_basic_add1_nonce(bs, NULL, -1);
764  }
765  else{
766  StringValue(val);
767  GetOCSPBasicRes(self, bs);
768  ret = OCSP_basic_add1_nonce(bs, (unsigned char *)RSTRING_PTR(val), RSTRING_LENINT(val));
769  }
770  if(!ret) ossl_raise(eOCSPError, NULL);
771 
772  return self;
773 }
774 
775 static VALUE
777 {
778  ASN1_TIME *time;
779 
780  if (RB_INTEGER_TYPE_P(obj))
781  time = X509_gmtime_adj(NULL, NUM2INT(obj));
782  else
783  time = ossl_x509_time_adjust(NULL, obj);
784 
785  if (!time)
787 
788  return (VALUE)time;
789 }
790 
791 /*
792  * call-seq:
793  * basic_response.add_status(certificate_id, status, reason, revocation_time, this_update, next_update, extensions) -> basic_response
794  *
795  * Adds a certificate status for +certificate_id+. +status+ is the status, and
796  * must be one of these:
797  *
798  * - OpenSSL::OCSP::V_CERTSTATUS_GOOD
799  * - OpenSSL::OCSP::V_CERTSTATUS_REVOKED
800  * - OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
801  *
802  * +reason+ and +revocation_time+ can be given only when +status+ is
803  * OpenSSL::OCSP::V_CERTSTATUS_REVOKED. +reason+ describes the reason for the
804  * revocation, and must be one of OpenSSL::OCSP::REVOKED_STATUS_* constants.
805  * +revocation_time+ is the time when the certificate is revoked.
806  *
807  * +this_update+ and +next_update+ indicate the time at which ths status is
808  * verified to be correct and the time at or before which newer information
809  * will be available, respectively. +next_update+ is optional.
810  *
811  * +extensions+ is an Array of OpenSSL::X509::Extension to be included in the
812  * SingleResponse. This is also optional.
813  *
814  * Note that the times, +revocation_time+, +this_update+ and +next_update+
815  * can be specified in either of Integer or Time object. If they are Integer, it
816  * is treated as the relative seconds from the current time.
817  */
818 static VALUE
820  VALUE reason, VALUE revtime,
821  VALUE thisupd, VALUE nextupd, VALUE ext)
822 {
823  OCSP_BASICRESP *bs;
824  OCSP_SINGLERESP *single;
825  OCSP_CERTID *id;
826  ASN1_TIME *ths = NULL, *nxt = NULL, *rev = NULL;
827  int st, rsn = 0, error = 0, rstatus = 0;
828  long i;
829  VALUE tmp;
830 
831  GetOCSPBasicRes(self, bs);
832  SafeGetOCSPCertId(cid, id);
833  st = NUM2INT(status);
834  if (!NIL_P(ext)) { /* All ext's members must be X509::Extension */
835  ext = rb_check_array_type(ext);
836  for (i = 0; i < RARRAY_LEN(ext); i++)
838  }
839 
840  if (st == V_OCSP_CERTSTATUS_REVOKED) {
841  rsn = NUM2INT(reason);
842  tmp = rb_protect(add_status_convert_time, revtime, &rstatus);
843  if (rstatus) goto err;
844  rev = (ASN1_TIME *)tmp;
845  }
846 
847  tmp = rb_protect(add_status_convert_time, thisupd, &rstatus);
848  if (rstatus) goto err;
849  ths = (ASN1_TIME *)tmp;
850 
851  if (!NIL_P(nextupd)) {
852  tmp = rb_protect(add_status_convert_time, nextupd, &rstatus);
853  if (rstatus) goto err;
854  nxt = (ASN1_TIME *)tmp;
855  }
856 
857  if(!(single = OCSP_basic_add1_status(bs, id, st, rsn, rev, ths, nxt))){
858  error = 1;
859  goto err;
860  }
861 
862  if(!NIL_P(ext)){
863  X509_EXTENSION *x509ext;
864 
865  for(i = 0; i < RARRAY_LEN(ext); i++){
866  x509ext = GetX509ExtPtr(RARRAY_AREF(ext, i));
867  if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)){
868  error = 1;
869  goto err;
870  }
871  }
872  }
873 
874  err:
875  ASN1_TIME_free(ths);
876  ASN1_TIME_free(nxt);
877  ASN1_TIME_free(rev);
878  if(error) ossl_raise(eOCSPError, NULL);
879  if(rstatus) rb_jump_tag(rstatus);
880 
881  return self;
882 }
883 
884 /*
885  * call-seq:
886  * basic_response.status -> statuses
887  *
888  * Returns an Array of statuses for this response. Each status contains a
889  * CertificateId, the status (0 for good, 1 for revoked, 2 for unknown), the
890  * reason for the status, the revocation time, the time of this update, the time
891  * for the next update and a list of OpenSSL::X509::Extensions.
892  *
893  * This should be superseded by BasicResponse#responses and #find_response that
894  * return SingleResponse.
895  */
896 static VALUE
898 {
899  OCSP_BASICRESP *bs;
900  OCSP_SINGLERESP *single;
901  OCSP_CERTID *cid;
902  ASN1_TIME *revtime, *thisupd, *nextupd;
903  int status, reason;
904  X509_EXTENSION *x509ext;
905  VALUE ret, ary, ext;
906  int count, ext_count, i, j;
907 
908  GetOCSPBasicRes(self, bs);
909  ret = rb_ary_new();
910  count = OCSP_resp_count(bs);
911  for(i = 0; i < count; i++){
912  single = OCSP_resp_get0(bs, i);
913  if(!single) continue;
914 
915  revtime = thisupd = nextupd = NULL;
916  status = OCSP_single_get0_status(single, &reason, &revtime,
917  &thisupd, &nextupd);
918  if(status < 0) continue;
919  if(!(cid = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(single)))) /* FIXME */
921  ary = rb_ary_new();
922  rb_ary_push(ary, ossl_ocspcertid_new(cid));
923  rb_ary_push(ary, INT2NUM(status));
924  rb_ary_push(ary, INT2NUM(reason));
925  rb_ary_push(ary, revtime ? asn1time_to_time(revtime) : Qnil);
926  rb_ary_push(ary, thisupd ? asn1time_to_time(thisupd) : Qnil);
927  rb_ary_push(ary, nextupd ? asn1time_to_time(nextupd) : Qnil);
928  ext = rb_ary_new();
929  ext_count = OCSP_SINGLERESP_get_ext_count(single);
930  for(j = 0; j < ext_count; j++){
931  x509ext = OCSP_SINGLERESP_get_ext(single, j);
932  rb_ary_push(ext, ossl_x509ext_new(x509ext));
933  }
934  rb_ary_push(ary, ext);
935  rb_ary_push(ret, ary);
936  }
937 
938  return ret;
939 }
940 
941 static VALUE ossl_ocspsres_new(OCSP_SINGLERESP *);
942 
943 /*
944  * call-seq:
945  * basic_response.responses -> Array of SingleResponse
946  *
947  * Returns an Array of SingleResponse for this BasicResponse.
948  */
949 
950 static VALUE
952 {
953  OCSP_BASICRESP *bs;
954  VALUE ret;
955  int count, i;
956 
957  GetOCSPBasicRes(self, bs);
958  count = OCSP_resp_count(bs);
959  ret = rb_ary_new2(count);
960 
961  for (i = 0; i < count; i++) {
962  OCSP_SINGLERESP *sres, *sres_new;
963 
964  sres = OCSP_resp_get0(bs, i);
965  sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres);
966  if (!sres_new)
967  ossl_raise(eOCSPError, "ASN1_item_dup");
968 
969  rb_ary_push(ret, ossl_ocspsres_new(sres_new));
970  }
971 
972  return ret;
973 }
974 
975 
976 /*
977  * call-seq:
978  * basic_response.find_response(certificate_id) -> SingleResponse | nil
979  *
980  * Returns a SingleResponse whose CertId matches with +certificate_id+, or nil
981  * if this BasicResponse does not contain it.
982  */
983 static VALUE
985 {
986  OCSP_BASICRESP *bs;
987  OCSP_SINGLERESP *sres, *sres_new;
988  OCSP_CERTID *id;
989  int n;
990 
991  SafeGetOCSPCertId(target, id);
992  GetOCSPBasicRes(self, bs);
993 
994  if ((n = OCSP_resp_find(bs, id, -1)) == -1)
995  return Qnil;
996 
997  sres = OCSP_resp_get0(bs, n);
998  sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres);
999  if (!sres_new)
1000  ossl_raise(eOCSPError, "ASN1_item_dup");
1001 
1002  return ossl_ocspsres_new(sres_new);
1003 }
1004 
1005 /*
1006  * call-seq:
1007  * basic_response.sign(cert, key, certs = nil, flags = 0, digest = nil) -> self
1008  *
1009  * Signs this OCSP response using the +cert+, +key+ and optional +digest+. This
1010  * behaves in the similar way as OpenSSL::OCSP::Request#sign.
1011  *
1012  * +flags+ can include:
1013  * OpenSSL::OCSP::NOCERTS:: don't include certificates
1014  * OpenSSL::OCSP::NOTIME:: don't set producedAt
1015  * OpenSSL::OCSP::RESPID_KEY:: use signer's public key hash as responderID
1016  */
1017 
1018 static VALUE
1020 {
1021  VALUE signer_cert, signer_key, certs, flags, digest;
1022  OCSP_BASICRESP *bs;
1023  X509 *signer;
1024  EVP_PKEY *key;
1025  STACK_OF(X509) *x509s = NULL;
1026  unsigned long flg = 0;
1027  const EVP_MD *md;
1028  int ret;
1029 
1030  rb_scan_args(argc, argv, "23", &signer_cert, &signer_key, &certs, &flags, &digest);
1031  GetOCSPBasicRes(self, bs);
1032  signer = GetX509CertPtr(signer_cert);
1033  key = GetPrivPKeyPtr(signer_key);
1034  if (!NIL_P(flags))
1035  flg = NUM2INT(flags);
1036  if (NIL_P(digest))
1037  md = EVP_sha1();
1038  else
1039  md = GetDigestPtr(digest);
1040  if (NIL_P(certs))
1041  flg |= OCSP_NOCERTS;
1042  else
1043  x509s = ossl_x509_ary2sk(certs);
1044 
1045  ret = OCSP_basic_sign(bs, signer, key, md, x509s, flg);
1046  sk_X509_pop_free(x509s, X509_free);
1047  if (!ret) ossl_raise(eOCSPError, NULL);
1048 
1049  return self;
1050 }
1051 
1052 /*
1053  * call-seq:
1054  * basic_response.verify(certificates, store, flags = 0) -> true or false
1055  *
1056  * Verifies the signature of the response using the given +certificates+ and
1057  * +store+. This works in the similar way as OpenSSL::OCSP::Request#verify.
1058  */
1059 static VALUE
1061 {
1062  VALUE certs, store, flags;
1063  OCSP_BASICRESP *bs;
1064  STACK_OF(X509) *x509s;
1065  X509_STORE *x509st;
1066  int flg, result;
1067 
1068  rb_scan_args(argc, argv, "21", &certs, &store, &flags);
1069  GetOCSPBasicRes(self, bs);
1070  x509st = GetX509StorePtr(store);
1071  flg = NIL_P(flags) ? 0 : NUM2INT(flags);
1072  x509s = ossl_x509_ary2sk(certs);
1073 #if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER)
1074  /*
1075  * OpenSSL had a bug that it doesn't use the certificates in x509s for
1076  * verifying the chain. This can be a problem when the response is signed by
1077  * a certificate issued by an intermediate CA.
1078  *
1079  * root_ca
1080  * |
1081  * intermediate_ca
1082  * |-------------|
1083  * end_entity ocsp_signer
1084  *
1085  * When the certificate hierarchy is like this, and the response contains
1086  * only ocsp_signer certificate, the following code wrongly fails.
1087  *
1088  * store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
1089  * basic_response.verify([intermediate_ca], store)
1090  *
1091  * So add the certificates in x509s to the embedded certificates list first.
1092  *
1093  * This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still
1094  * exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1.
1095  */
1096  if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) &&
1097  sk_X509_num(x509s) && sk_X509_num(bs->certs)) {
1098  int i;
1099 
1100  bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
1101  if (!bs) {
1102  sk_X509_pop_free(x509s, X509_free);
1103  ossl_raise(eOCSPError, "ASN1_item_dup");
1104  }
1105 
1106  for (i = 0; i < sk_X509_num(x509s); i++) {
1107  if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) {
1108  sk_X509_pop_free(x509s, X509_free);
1109  OCSP_BASICRESP_free(bs);
1110  ossl_raise(eOCSPError, "OCSP_basic_add1_cert");
1111  }
1112  }
1113  result = OCSP_basic_verify(bs, x509s, x509st, flg);
1114  OCSP_BASICRESP_free(bs);
1115  }
1116  else {
1117  result = OCSP_basic_verify(bs, x509s, x509st, flg);
1118  }
1119 #else
1120  result = OCSP_basic_verify(bs, x509s, x509st, flg);
1121 #endif
1122  sk_X509_pop_free(x509s, X509_free);
1123  if (result <= 0)
1124  ossl_clear_error();
1125 
1126  return result > 0 ? Qtrue : Qfalse;
1127 }
1128 
1129 /*
1130  * call-seq:
1131  * basic_response.to_der -> String
1132  *
1133  * Encodes this basic response into a DER-encoded string.
1134  */
1135 static VALUE
1137 {
1138  OCSP_BASICRESP *res;
1139  VALUE str;
1140  long len;
1141  unsigned char *p;
1142 
1143  GetOCSPBasicRes(self, res);
1144  if ((len = i2d_OCSP_BASICRESP(res, NULL)) <= 0)
1146  str = rb_str_new(0, len);
1147  p = (unsigned char *)RSTRING_PTR(str);
1148  if (i2d_OCSP_BASICRESP(res, &p) <= 0)
1150  ossl_str_adjust(str, p);
1151 
1152  return str;
1153 }
1154 
1155 /*
1156  * OCSP::SingleResponse
1157  */
1158 static VALUE
1159 ossl_ocspsres_new(OCSP_SINGLERESP *sres)
1160 {
1161  VALUE obj;
1162 
1164  SetOCSPSingleRes(obj, sres);
1165 
1166  return obj;
1167 }
1168 
1169 static VALUE
1171 {
1172  OCSP_SINGLERESP *sres;
1173  VALUE obj;
1174 
1175  obj = NewOCSPSingleRes(klass);
1176  if (!(sres = OCSP_SINGLERESP_new()))
1178  SetOCSPSingleRes(obj, sres);
1179 
1180  return obj;
1181 }
1182 
1183 /*
1184  * call-seq:
1185  * OpenSSL::OCSP::SingleResponse.new(der_string) -> SingleResponse
1186  *
1187  * Creates a new SingleResponse from +der_string+.
1188  */
1189 static VALUE
1191 {
1192  OCSP_SINGLERESP *res, *res_new;
1193  const unsigned char *p;
1194 
1195  arg = ossl_to_der_if_possible(arg);
1196  StringValue(arg);
1197  GetOCSPSingleRes(self, res);
1198 
1199  p = (unsigned char*)RSTRING_PTR(arg);
1200  res_new = d2i_OCSP_SINGLERESP(NULL, &p, RSTRING_LEN(arg));
1201  if (!res_new)
1202  ossl_raise(eOCSPError, "d2i_OCSP_SINGLERESP");
1203  SetOCSPSingleRes(self, res_new);
1204  OCSP_SINGLERESP_free(res);
1205 
1206  return self;
1207 }
1208 
1209 static VALUE
1211 {
1212  OCSP_SINGLERESP *sres, *sres_old, *sres_new;
1213 
1214  rb_check_frozen(self);
1215  GetOCSPSingleRes(self, sres_old);
1216  SafeGetOCSPSingleRes(other, sres);
1217 
1218  sres_new = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), sres);
1219  if (!sres_new)
1220  ossl_raise(eOCSPError, "ASN1_item_dup");
1221 
1222  SetOCSPSingleRes(self, sres_new);
1223  OCSP_SINGLERESP_free(sres_old);
1224 
1225  return self;
1226 }
1227 
1228 /*
1229  * call-seq:
1230  * single_response.check_validity(nsec = 0, maxsec = -1) -> true | false
1231  *
1232  * Checks the validity of thisUpdate and nextUpdate fields of this
1233  * SingleResponse. This checks the current time is within the range thisUpdate
1234  * to nextUpdate.
1235  *
1236  * It is possible that the OCSP request takes a few seconds or the time is not
1237  * accurate. To avoid rejecting a valid response, this method allows the times
1238  * to be within +nsec+ of the current time.
1239  *
1240  * Some responders don't set the nextUpdate field. This may cause a very old
1241  * response to be considered valid. The +maxsec+ parameter can be used to limit
1242  * the age of responses.
1243  */
1244 static VALUE
1246 {
1247  OCSP_SINGLERESP *sres;
1248  ASN1_GENERALIZEDTIME *this_update, *next_update;
1249  VALUE nsec_v, maxsec_v;
1250  int nsec, maxsec, status, ret;
1251 
1252  rb_scan_args(argc, argv, "02", &nsec_v, &maxsec_v);
1253  nsec = NIL_P(nsec_v) ? 0 : NUM2INT(nsec_v);
1254  maxsec = NIL_P(maxsec_v) ? -1 : NUM2INT(maxsec_v);
1255 
1256  GetOCSPSingleRes(self, sres);
1257  status = OCSP_single_get0_status(sres, NULL, NULL, &this_update, &next_update);
1258  if (status < 0)
1259  ossl_raise(eOCSPError, "OCSP_single_get0_status");
1260 
1261  ret = OCSP_check_validity(this_update, next_update, nsec, maxsec);
1262 
1263  if (ret)
1264  return Qtrue;
1265  else {
1266  ossl_clear_error();
1267  return Qfalse;
1268  }
1269 }
1270 
1271 /*
1272  * call-seq:
1273  * single_response.certid -> CertificateId
1274  *
1275  * Returns the CertificateId for which this SingleResponse is.
1276  */
1277 static VALUE
1279 {
1280  OCSP_SINGLERESP *sres;
1281  OCSP_CERTID *id;
1282 
1283  GetOCSPSingleRes(self, sres);
1284  id = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sres)); /* FIXME */
1285 
1286  return ossl_ocspcertid_new(id);
1287 }
1288 
1289 /*
1290  * call-seq:
1291  * single_response.cert_status -> Integer
1292  *
1293  * Returns the status of the certificate identified by the certid.
1294  * The return value may be one of these constant:
1295  *
1296  * - V_CERTSTATUS_GOOD
1297  * - V_CERTSTATUS_REVOKED
1298  * - V_CERTSTATUS_UNKNOWN
1299  *
1300  * When the status is V_CERTSTATUS_REVOKED, the time at which the certificate
1301  * was revoked can be retrieved by #revocation_time.
1302  */
1303 static VALUE
1305 {
1306  OCSP_SINGLERESP *sres;
1307  int status;
1308 
1309  GetOCSPSingleRes(self, sres);
1310  status = OCSP_single_get0_status(sres, NULL, NULL, NULL, NULL);
1311  if (status < 0)
1312  ossl_raise(eOCSPError, "OCSP_single_get0_status");
1313 
1314  return INT2NUM(status);
1315 }
1316 
1317 /*
1318  * call-seq:
1319  * single_response.this_update -> Time
1320  */
1321 static VALUE
1323 {
1324  OCSP_SINGLERESP *sres;
1325  int status;
1326  ASN1_GENERALIZEDTIME *time;
1327 
1328  GetOCSPSingleRes(self, sres);
1329  status = OCSP_single_get0_status(sres, NULL, NULL, &time, NULL);
1330  if (status < 0)
1331  ossl_raise(eOCSPError, "OCSP_single_get0_status");
1332 
1333  return asn1time_to_time(time); /* will handle NULL */
1334 }
1335 
1336 /*
1337  * call-seq:
1338  * single_response.next_update -> Time | nil
1339  */
1340 static VALUE
1342 {
1343  OCSP_SINGLERESP *sres;
1344  int status;
1345  ASN1_GENERALIZEDTIME *time;
1346 
1347  GetOCSPSingleRes(self, sres);
1348  status = OCSP_single_get0_status(sres, NULL, NULL, NULL, &time);
1349  if (status < 0)
1350  ossl_raise(eOCSPError, "OCSP_single_get0_status");
1351 
1352  return asn1time_to_time(time);
1353 }
1354 
1355 /*
1356  * call-seq:
1357  * single_response.revocation_time -> Time | nil
1358  */
1359 static VALUE
1361 {
1362  OCSP_SINGLERESP *sres;
1363  int status;
1364  ASN1_GENERALIZEDTIME *time;
1365 
1366  GetOCSPSingleRes(self, sres);
1367  status = OCSP_single_get0_status(sres, NULL, &time, NULL, NULL);
1368  if (status < 0)
1369  ossl_raise(eOCSPError, "OCSP_single_get0_status");
1370  if (status != V_OCSP_CERTSTATUS_REVOKED)
1371  ossl_raise(eOCSPError, "certificate is not revoked");
1372 
1373  return asn1time_to_time(time);
1374 }
1375 
1376 /*
1377  * call-seq:
1378  * single_response.revocation_reason -> Integer | nil
1379  */
1380 static VALUE
1382 {
1383  OCSP_SINGLERESP *sres;
1384  int status, reason;
1385 
1386  GetOCSPSingleRes(self, sres);
1387  status = OCSP_single_get0_status(sres, &reason, NULL, NULL, NULL);
1388  if (status < 0)
1389  ossl_raise(eOCSPError, "OCSP_single_get0_status");
1390  if (status != V_OCSP_CERTSTATUS_REVOKED)
1391  ossl_raise(eOCSPError, "certificate is not revoked");
1392 
1393  return INT2NUM(reason);
1394 }
1395 
1396 /*
1397  * call-seq:
1398  * single_response.extensions -> Array of X509::Extension
1399  */
1400 static VALUE
1402 {
1403  OCSP_SINGLERESP *sres;
1404  X509_EXTENSION *ext;
1405  int count, i;
1406  VALUE ary;
1407 
1408  GetOCSPSingleRes(self, sres);
1409 
1410  count = OCSP_SINGLERESP_get_ext_count(sres);
1411  ary = rb_ary_new2(count);
1412  for (i = 0; i < count; i++) {
1413  ext = OCSP_SINGLERESP_get_ext(sres, i);
1414  rb_ary_push(ary, ossl_x509ext_new(ext)); /* will dup */
1415  }
1416 
1417  return ary;
1418 }
1419 
1420 /*
1421  * call-seq:
1422  * single_response.to_der -> String
1423  *
1424  * Encodes this SingleResponse into a DER-encoded string.
1425  */
1426 static VALUE
1428 {
1429  OCSP_SINGLERESP *sres;
1430  VALUE str;
1431  long len;
1432  unsigned char *p;
1433 
1434  GetOCSPSingleRes(self, sres);
1435  if ((len = i2d_OCSP_SINGLERESP(sres, NULL)) <= 0)
1437  str = rb_str_new(0, len);
1438  p = (unsigned char *)RSTRING_PTR(str);
1439  if (i2d_OCSP_SINGLERESP(sres, &p) <= 0)
1441  ossl_str_adjust(str, p);
1442 
1443  return str;
1444 }
1445 
1446 
1447 /*
1448  * OCSP::CertificateId
1449  */
1450 static VALUE
1452 {
1453  OCSP_CERTID *id;
1454  VALUE obj;
1455 
1456  obj = NewOCSPCertId(klass);
1457  if(!(id = OCSP_CERTID_new()))
1459  SetOCSPCertId(obj, id);
1460 
1461  return obj;
1462 }
1463 
1464 static VALUE
1466 {
1467  OCSP_CERTID *cid, *cid_old, *cid_new;
1468 
1469  rb_check_frozen(self);
1470  GetOCSPCertId(self, cid_old);
1471  SafeGetOCSPCertId(other, cid);
1472 
1473  cid_new = OCSP_CERTID_dup(cid);
1474  if (!cid_new)
1475  ossl_raise(eOCSPError, "OCSP_CERTID_dup");
1476 
1477  SetOCSPCertId(self, cid_new);
1478  OCSP_CERTID_free(cid_old);
1479 
1480  return self;
1481 }
1482 
1483 /*
1484  * call-seq:
1485  * OpenSSL::OCSP::CertificateId.new(subject, issuer, digest = nil) -> certificate_id
1486  * OpenSSL::OCSP::CertificateId.new(der_string) -> certificate_id
1487  *
1488  * Creates a new OpenSSL::OCSP::CertificateId for the given +subject+ and
1489  * +issuer+ X509 certificates. The +digest+ is used to compute the
1490  * certificate ID and must be an OpenSSL::Digest instance.
1491  *
1492  * If only one argument is given, decodes it as DER representation of a
1493  * certificate ID.
1494  */
1495 
1496 static VALUE
1498 {
1499  OCSP_CERTID *id, *newid;
1500  VALUE subject, issuer, digest;
1501 
1502  GetOCSPCertId(self, id);
1503  if (rb_scan_args(argc, argv, "12", &subject, &issuer, &digest) == 1) {
1504  VALUE arg;
1505  const unsigned char *p;
1506 
1507  arg = ossl_to_der_if_possible(subject);
1508  StringValue(arg);
1509  p = (unsigned char *)RSTRING_PTR(arg);
1510  newid = d2i_OCSP_CERTID(NULL, &p, RSTRING_LEN(arg));
1511  if (!newid)
1512  ossl_raise(eOCSPError, "d2i_OCSP_CERTID");
1513  }
1514  else {
1515  X509 *x509s, *x509i;
1516  const EVP_MD *md;
1517 
1518  x509s = GetX509CertPtr(subject); /* NO NEED TO DUP */
1519  x509i = GetX509CertPtr(issuer); /* NO NEED TO DUP */
1520  md = !NIL_P(digest) ? GetDigestPtr(digest) : NULL;
1521 
1522  newid = OCSP_cert_to_id(md, x509s, x509i);
1523  if (!newid)
1524  ossl_raise(eOCSPError, "OCSP_cert_to_id");
1525  }
1526 
1527  SetOCSPCertId(self, newid);
1528  OCSP_CERTID_free(id);
1529 
1530  return self;
1531 }
1532 
1533 /*
1534  * call-seq:
1535  * certificate_id.cmp(other) -> true or false
1536  *
1537  * Compares this certificate id with +other+ and returns true if they are the
1538  * same.
1539  */
1540 static VALUE
1542 {
1543  OCSP_CERTID *id, *id2;
1544  int result;
1545 
1546  GetOCSPCertId(self, id);
1547  SafeGetOCSPCertId(other, id2);
1548  result = OCSP_id_cmp(id, id2);
1549 
1550  return (result == 0) ? Qtrue : Qfalse;
1551 }
1552 
1553 /*
1554  * call-seq:
1555  * certificate_id.cmp_issuer(other) -> true or false
1556  *
1557  * Compares this certificate id's issuer with +other+ and returns true if
1558  * they are the same.
1559  */
1560 
1561 static VALUE
1563 {
1564  OCSP_CERTID *id, *id2;
1565  int result;
1566 
1567  GetOCSPCertId(self, id);
1568  SafeGetOCSPCertId(other, id2);
1569  result = OCSP_id_issuer_cmp(id, id2);
1570 
1571  return (result == 0) ? Qtrue : Qfalse;
1572 }
1573 
1574 /*
1575  * call-seq:
1576  * certificate_id.serial -> Integer
1577  *
1578  * Returns the serial number of the certificate for which status is being
1579  * requested.
1580  */
1581 static VALUE
1583 {
1584  OCSP_CERTID *id;
1585  ASN1_INTEGER *serial;
1586 
1587  GetOCSPCertId(self, id);
1588  OCSP_id_get0_info(NULL, NULL, NULL, &serial, id);
1589 
1590  return asn1integer_to_num(serial);
1591 }
1592 
1593 /*
1594  * call-seq:
1595  * certificate_id.issuer_name_hash -> String
1596  *
1597  * Returns the issuerNameHash of this certificate ID, the hash of the
1598  * issuer's distinguished name calculated with the hashAlgorithm.
1599  */
1600 static VALUE
1602 {
1603  OCSP_CERTID *id;
1604  ASN1_OCTET_STRING *name_hash;
1605  VALUE ret;
1606 
1607  GetOCSPCertId(self, id);
1608  OCSP_id_get0_info(&name_hash, NULL, NULL, NULL, id);
1609 
1610  ret = rb_str_new(NULL, name_hash->length * 2);
1611  ossl_bin2hex(name_hash->data, RSTRING_PTR(ret), name_hash->length);
1612 
1613  return ret;
1614 }
1615 
1616 /*
1617  * call-seq:
1618  * certificate_id.issuer_key_hash -> String
1619  *
1620  * Returns the issuerKeyHash of this certificate ID, the hash of the issuer's
1621  * public key.
1622  */
1623 static VALUE
1625 {
1626  OCSP_CERTID *id;
1627  ASN1_OCTET_STRING *key_hash;
1628  VALUE ret;
1629 
1630  GetOCSPCertId(self, id);
1631  OCSP_id_get0_info(NULL, NULL, &key_hash, NULL, id);
1632 
1633  ret = rb_str_new(NULL, key_hash->length * 2);
1634  ossl_bin2hex(key_hash->data, RSTRING_PTR(ret), key_hash->length);
1635 
1636  return ret;
1637 }
1638 
1639 /*
1640  * call-seq:
1641  * certificate_id.hash_algorithm -> String
1642  *
1643  * Returns the ln (long name) of the hash algorithm used to generate
1644  * the issuerNameHash and the issuerKeyHash values.
1645  */
1646 static VALUE
1648 {
1649  OCSP_CERTID *id;
1650  ASN1_OBJECT *oid;
1651  BIO *out;
1652 
1653  GetOCSPCertId(self, id);
1654  OCSP_id_get0_info(NULL, &oid, NULL, NULL, id);
1655 
1656  if (!(out = BIO_new(BIO_s_mem())))
1657  ossl_raise(eOCSPError, "BIO_new");
1658 
1659  if (!i2a_ASN1_OBJECT(out, oid)) {
1660  BIO_free(out);
1661  ossl_raise(eOCSPError, "i2a_ASN1_OBJECT");
1662  }
1663  return ossl_membio2str(out);
1664 }
1665 
1666 /*
1667  * call-seq:
1668  * certificate_id.to_der -> String
1669  *
1670  * Encodes this certificate identifier into a DER-encoded string.
1671  */
1672 static VALUE
1674 {
1675  OCSP_CERTID *id;
1676  VALUE str;
1677  long len;
1678  unsigned char *p;
1679 
1680  GetOCSPCertId(self, id);
1681  if ((len = i2d_OCSP_CERTID(id, NULL)) <= 0)
1683  str = rb_str_new(0, len);
1684  p = (unsigned char *)RSTRING_PTR(str);
1685  if (i2d_OCSP_CERTID(id, &p) <= 0)
1687  ossl_str_adjust(str, p);
1688 
1689  return str;
1690 }
1691 
1692 void
1694 {
1695 #if 0
1696  mOSSL = rb_define_module("OpenSSL");
1698 #endif
1699 
1700  /*
1701  * OpenSSL::OCSP implements Online Certificate Status Protocol requests
1702  * and responses.
1703  *
1704  * Creating and sending an OCSP request requires a subject certificate
1705  * that contains an OCSP URL in an authorityInfoAccess extension and the
1706  * issuer certificate for the subject certificate. First, load the issuer
1707  * and subject certificates:
1708  *
1709  * subject = OpenSSL::X509::Certificate.new subject_pem
1710  * issuer = OpenSSL::X509::Certificate.new issuer_pem
1711  *
1712  * To create the request we need to create a certificate ID for the
1713  * subject certificate so the CA knows which certificate we are asking
1714  * about:
1715  *
1716  * digest = OpenSSL::Digest::SHA1.new
1717  * certificate_id =
1718  * OpenSSL::OCSP::CertificateId.new subject, issuer, digest
1719  *
1720  * Then create a request and add the certificate ID to it:
1721  *
1722  * request = OpenSSL::OCSP::Request.new
1723  * request.add_certid certificate_id
1724  *
1725  * Adding a nonce to the request protects against replay attacks but not
1726  * all CA process the nonce.
1727  *
1728  * request.add_nonce
1729  *
1730  * To submit the request to the CA for verification we need to extract the
1731  * OCSP URI from the subject certificate:
1732  *
1733  * authority_info_access = subject.extensions.find do |extension|
1734  * extension.oid == 'authorityInfoAccess'
1735  * end
1736  *
1737  * descriptions = authority_info_access.value.split "\n"
1738  * ocsp = descriptions.find do |description|
1739  * description.start_with? 'OCSP'
1740  * end
1741  *
1742  * require 'uri'
1743  *
1744  * ocsp_uri = URI ocsp[/URI:(.*)/, 1]
1745  *
1746  * To submit the request we'll POST the request to the OCSP URI (per RFC
1747  * 2560). Note that we only handle HTTP requests and don't handle any
1748  * redirects in this example, so this is insufficient for serious use.
1749  *
1750  * require 'net/http'
1751  *
1752  * http_response =
1753  * Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http|
1754  * http.post ocsp_uri.path, request.to_der,
1755  * 'content-type' => 'application/ocsp-request'
1756  * end
1757  *
1758  * response = OpenSSL::OCSP::Response.new http_response.body
1759  * response_basic = response.basic
1760  *
1761  * First we check if the response has a valid signature. Without a valid
1762  * signature we cannot trust it. If you get a failure here you may be
1763  * missing a system certificate store or may be missing the intermediate
1764  * certificates.
1765  *
1766  * store = OpenSSL::X509::Store.new
1767  * store.set_default_paths
1768  *
1769  * unless response_basic.verify [], store then
1770  * raise 'response is not signed by a trusted certificate'
1771  * end
1772  *
1773  * The response contains the status information (success/fail). We can
1774  * display the status as a string:
1775  *
1776  * puts response.status_string #=> successful
1777  *
1778  * Next we need to know the response details to determine if the response
1779  * matches our request. First we check the nonce. Again, not all CAs
1780  * support a nonce. See Request#check_nonce for the meanings of the
1781  * return values.
1782  *
1783  * p request.check_nonce basic_response #=> value from -1 to 3
1784  *
1785  * Then extract the status information for the certificate from the basic
1786  * response.
1787  *
1788  * single_response = basic_response.find_response(certificate_id)
1789  *
1790  * unless single_response
1791  * raise 'basic_response does not have the status for the certificiate'
1792  * end
1793  *
1794  * Then check the validity. A status issued in the future must be rejected.
1795  *
1796  * unless single_response.check_validity
1797  * raise 'this_update is in the future or next_update time has passed'
1798  * end
1799  *
1800  * case single_response.cert_status
1801  * when OpenSSL::OCSP::V_CERTSTATUS_GOOD
1802  * puts 'certificate is still valid'
1803  * when OpenSSL::OCSP::V_CERTSTATUS_REVOKED
1804  * puts "certificate has been revoked at #{single_response.revocation_time}"
1805  * when OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
1806  * puts 'responder doesn't know about the certificate'
1807  * end
1808  */
1809 
1810  mOCSP = rb_define_module_under(mOSSL, "OCSP");
1811 
1812  /*
1813  * OCSP error class.
1814  */
1815 
1817 
1818  /*
1819  * An OpenSSL::OCSP::Request contains the certificate information for
1820  * determining if a certificate has been revoked or not. A Request can be
1821  * created for a certificate or from a DER-encoded request created
1822  * elsewhere.
1823  */
1824 
1836 
1837  /*
1838  * An OpenSSL::OCSP::Response contains the status of a certificate check
1839  * which is created from an OpenSSL::OCSP::Request.
1840  */
1841 
1851 
1852  /*
1853  * An OpenSSL::OCSP::BasicResponse contains the status of a certificate
1854  * check which is created from an OpenSSL::OCSP::Request. A
1855  * BasicResponse is more detailed than a Response.
1856  */
1857 
1858  cOCSPBasicRes = rb_define_class_under(mOCSP, "BasicResponse", rb_cObject);
1871 
1872  /*
1873  * An OpenSSL::OCSP::SingleResponse represents an OCSP SingleResponse
1874  * structure, which contains the basic information of the status of the
1875  * certificate.
1876  */
1877  cOCSPSingleRes = rb_define_class_under(mOCSP, "SingleResponse", rb_cObject);
1890 
1891  /*
1892  * An OpenSSL::OCSP::CertificateId identifies a certificate to the CA so
1893  * that a status check can be performed.
1894  */
1895 
1896  cOCSPCertId = rb_define_class_under(mOCSP, "CertificateId", rb_cObject);
1907 
1908  /* Internal error in issuer */
1909  rb_define_const(mOCSP, "RESPONSE_STATUS_INTERNALERROR", INT2NUM(OCSP_RESPONSE_STATUS_INTERNALERROR));
1910 
1911  /* Illegal confirmation request */
1912  rb_define_const(mOCSP, "RESPONSE_STATUS_MALFORMEDREQUEST", INT2NUM(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST));
1913 
1914  /* The certificate was revoked for an unknown reason */
1915  rb_define_const(mOCSP, "REVOKED_STATUS_NOSTATUS", INT2NUM(OCSP_REVOKED_STATUS_NOSTATUS));
1916 
1917  /* You must sign the request and resubmit */
1918  rb_define_const(mOCSP, "RESPONSE_STATUS_SIGREQUIRED", INT2NUM(OCSP_RESPONSE_STATUS_SIGREQUIRED));
1919 
1920  /* Response has valid confirmations */
1921  rb_define_const(mOCSP, "RESPONSE_STATUS_SUCCESSFUL", INT2NUM(OCSP_RESPONSE_STATUS_SUCCESSFUL));
1922 
1923  /* Try again later */
1924  rb_define_const(mOCSP, "RESPONSE_STATUS_TRYLATER", INT2NUM(OCSP_RESPONSE_STATUS_TRYLATER));
1925 
1926  /* The certificate subject's name or other information changed */
1927  rb_define_const(mOCSP, "REVOKED_STATUS_AFFILIATIONCHANGED", INT2NUM(OCSP_REVOKED_STATUS_AFFILIATIONCHANGED));
1928 
1929  /* This CA certificate was revoked due to a key compromise */
1930  rb_define_const(mOCSP, "REVOKED_STATUS_CACOMPROMISE", INT2NUM(OCSP_REVOKED_STATUS_CACOMPROMISE));
1931 
1932  /* The certificate is on hold */
1933  rb_define_const(mOCSP, "REVOKED_STATUS_CERTIFICATEHOLD", INT2NUM(OCSP_REVOKED_STATUS_CERTIFICATEHOLD));
1934 
1935  /* The certificate is no longer needed */
1936  rb_define_const(mOCSP, "REVOKED_STATUS_CESSATIONOFOPERATION", INT2NUM(OCSP_REVOKED_STATUS_CESSATIONOFOPERATION));
1937 
1938  /* The certificate was revoked due to a key compromise */
1939  rb_define_const(mOCSP, "REVOKED_STATUS_KEYCOMPROMISE", INT2NUM(OCSP_REVOKED_STATUS_KEYCOMPROMISE));
1940 
1941  /* The certificate was previously on hold and should now be removed from
1942  * the CRL */
1943  rb_define_const(mOCSP, "REVOKED_STATUS_REMOVEFROMCRL", INT2NUM(OCSP_REVOKED_STATUS_REMOVEFROMCRL));
1944 
1945  /* The certificate was superseded by a new certificate */
1946  rb_define_const(mOCSP, "REVOKED_STATUS_SUPERSEDED", INT2NUM(OCSP_REVOKED_STATUS_SUPERSEDED));
1947 
1948  /* Your request is unauthorized. */
1949  rb_define_const(mOCSP, "RESPONSE_STATUS_UNAUTHORIZED", INT2NUM(OCSP_RESPONSE_STATUS_UNAUTHORIZED));
1950 
1951  /* The certificate was revoked for an unspecified reason */
1952  rb_define_const(mOCSP, "REVOKED_STATUS_UNSPECIFIED", INT2NUM(OCSP_REVOKED_STATUS_UNSPECIFIED));
1953 
1954  /* Do not include certificates in the response */
1955  rb_define_const(mOCSP, "NOCERTS", INT2NUM(OCSP_NOCERTS));
1956 
1957  /* Do not search certificates contained in the response for a signer */
1958  rb_define_const(mOCSP, "NOINTERN", INT2NUM(OCSP_NOINTERN));
1959 
1960  /* Do not check the signature on the response */
1961  rb_define_const(mOCSP, "NOSIGS", INT2NUM(OCSP_NOSIGS));
1962 
1963  /* Do not verify the certificate chain on the response */
1964  rb_define_const(mOCSP, "NOCHAIN", INT2NUM(OCSP_NOCHAIN));
1965 
1966  /* Do not verify the response at all */
1967  rb_define_const(mOCSP, "NOVERIFY", INT2NUM(OCSP_NOVERIFY));
1968 
1969  /* Do not check trust */
1970  rb_define_const(mOCSP, "NOEXPLICIT", INT2NUM(OCSP_NOEXPLICIT));
1971 
1972  /* (This flag is not used by OpenSSL 1.0.1g) */
1973  rb_define_const(mOCSP, "NOCASIGN", INT2NUM(OCSP_NOCASIGN));
1974 
1975  /* (This flag is not used by OpenSSL 1.0.1g) */
1976  rb_define_const(mOCSP, "NODELEGATED", INT2NUM(OCSP_NODELEGATED));
1977 
1978  /* Do not make additional signing certificate checks */
1979  rb_define_const(mOCSP, "NOCHECKS", INT2NUM(OCSP_NOCHECKS));
1980 
1981  /* Do not verify additional certificates */
1982  rb_define_const(mOCSP, "TRUSTOTHER", INT2NUM(OCSP_TRUSTOTHER));
1983 
1984  /* Identify the response by signing the certificate key ID */
1985  rb_define_const(mOCSP, "RESPID_KEY", INT2NUM(OCSP_RESPID_KEY));
1986 
1987  /* Do not include producedAt time in response */
1988  rb_define_const(mOCSP, "NOTIME", INT2NUM(OCSP_NOTIME));
1989 
1990  /* Indicates the certificate is not revoked but does not necessarily mean
1991  * the certificate was issued or that this response is within the
1992  * certificate's validity interval */
1993  rb_define_const(mOCSP, "V_CERTSTATUS_GOOD", INT2NUM(V_OCSP_CERTSTATUS_GOOD));
1994  /* Indicates the certificate has been revoked either permanently or
1995  * temporarily (on hold). */
1996  rb_define_const(mOCSP, "V_CERTSTATUS_REVOKED", INT2NUM(V_OCSP_CERTSTATUS_REVOKED));
1997 
1998  /* Indicates the responder does not know about the certificate being
1999  * requested. */
2000  rb_define_const(mOCSP, "V_CERTSTATUS_UNKNOWN", INT2NUM(V_OCSP_CERTSTATUS_UNKNOWN));
2001 
2002  /* The responder ID is based on the key name. */
2003  rb_define_const(mOCSP, "V_RESPID_NAME", INT2NUM(V_OCSP_RESPID_NAME));
2004 
2005  /* The responder ID is based on the public key. */
2006  rb_define_const(mOCSP, "V_RESPID_KEY", INT2NUM(V_OCSP_RESPID_KEY));
2007 }
2008 #else
2009 void
2010 Init_ossl_ocsp(void)
2011 {
2012 }
2013 #endif
static VALUE ossl_ocspsres_check_validity(int argc, VALUE *argv, VALUE self)
Definition: ossl_ocsp.c:1245
static VALUE ossl_ocspres_status(VALUE self)
Definition: ossl_ocsp.c:576
VALUE rb_eStandardError
Definition: error.c:760
VALUE mOSSL
Definition: ossl.c:213
static VALUE ossl_ocspreq_check_nonce(VALUE self, VALUE basic_resp)
Definition: ossl_ocsp.c:300
#define RARRAY_LEN(a)
Definition: ruby.h:1026
#define RUBY_TYPED_FREE_IMMEDIATELY
Definition: ruby.h:1145
#define INT2NUM(x)
Definition: ruby.h:1538
VALUE cOCSPReq
Definition: ossl_ocsp.c:92
static VALUE ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
Definition: ossl_ocsp.c:430
static VALUE ossl_ocspcid_cmp_issuer(VALUE self, VALUE other)
Definition: ossl_ocsp.c:1562
#define NUM2INT(x)
Definition: ruby.h:684
int count
Definition: encoding.c:56
static VALUE ossl_ocspreq_to_der(VALUE self)
Definition: ossl_ocsp.c:456
void rb_define_singleton_method(VALUE obj, const char *name, VALUE(*func)(ANYARGS), int argc)
Defines a singleton method for obj.
Definition: class.c:1716
static VALUE ossl_ocspcid_get_issuer_name_hash(VALUE self)
Definition: ossl_ocsp.c:1601
static const rb_data_type_t ossl_ocsp_request_type
Definition: ossl_ocsp.c:104
#define Qtrue
Definition: ruby.h:437
static VALUE ossl_ocspsres_get_this_update(VALUE self)
Definition: ossl_ocsp.c:1322
EVP_PKEY * GetPrivPKeyPtr(VALUE obj)
Definition: ossl_pkey.c:216
#define ossl_str_adjust(str, p)
Definition: ossl.h:82
static VALUE ossl_ocspbres_add_nonce(int argc, VALUE *argv, VALUE self)
Definition: ossl_ocsp.c:754
#define SafeGetOCSPSingleRes(obj, res)
Definition: ossl_ocsp.c:70
const int id
Definition: nkf.c:209
static VALUE ossl_ocspres_initialize(int argc, VALUE *argv, VALUE self)
Definition: ossl_ocsp.c:546
static VALUE ossl_ocspres_status_string(VALUE self)
Definition: ossl_ocsp.c:595
#define SafeGetOCSPCertId(obj, cid)
Definition: ossl_ocsp.c:85
VALUE rb_ary_push(VALUE ary, VALUE item)
Definition: array.c:905
VALUE cOCSPBasicRes
Definition: ossl_ocsp.c:94
static VALUE ossl_ocspcid_get_serial(VALUE self)
Definition: ossl_ocsp.c:1582
ASN1_TIME * ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
Definition: ossl_x509.c:19
static VALUE ossl_ocspsres_initialize(VALUE self, VALUE arg)
Definition: ossl_ocsp.c:1190
#define NewOCSPCertId(klass)
Definition: ossl_ocsp.c:75
VALUE rb_protect(VALUE(*proc)(VALUE), VALUE data, int *state)
Definition: eval.c:891
VALUE rb_define_class_under(VALUE outer, const char *name, VALUE super)
Defines a class under the namespace of outer.
Definition: class.c:693
static void ossl_ocsp_singleresp_free(void *ptr)
Definition: ossl_ocsp.c:141
static void ossl_ocsp_basicresp_free(void *ptr)
Definition: ossl_ocsp.c:127
void rb_define_alloc_func(VALUE, rb_alloc_func_t)
static VALUE ossl_ocspbres_get_status(VALUE self)
Definition: ossl_ocsp.c:897
STACK_OF(X509) *ossl_x509_ary2sk0(VALUE)
VALUE cX509Ext
Definition: ossl_x509ext.c:47
static VALUE ossl_ocspsres_get_cert_status(VALUE self)
Definition: ossl_ocsp.c:1304
#define NewOCSPReq(klass)
Definition: ossl_ocsp.c:15
static const rb_data_type_t ossl_ocsp_response_type
Definition: ossl_ocsp.c:118
VALUE asn1integer_to_num(const ASN1_INTEGER *ai)
Definition: ossl_asn1.c:112
void Init_ossl_ocsp(void)
Definition: ossl_ocsp.c:1693
static VALUE ossl_ocspreq_add_nonce(int argc, VALUE *argv, VALUE self)
Definition: ossl_ocsp.c:259
#define SafeGetOCSPReq(obj, req)
Definition: ossl_ocsp.c:25
VALUE ossl_membio2str(BIO *bio)
Definition: ossl_bio.c:47
static VALUE ossl_ocspsres_get_extensions(VALUE self)
Definition: ossl_ocsp.c:1401
static VALUE ossl_ocspcid_get_issuer_key_hash(VALUE self)
Definition: ossl_ocsp.c:1624
VALUE cOCSPRes
Definition: ossl_ocsp.c:93
#define rb_ary_new2
Definition: intern.h:90
VALUE mOCSP
Definition: ossl_ocsp.c:90
static VALUE ossl_ocspcid_initialize_copy(VALUE self, VALUE other)
Definition: ossl_ocsp.c:1465
static VALUE ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
Definition: ossl_ocsp.c:225
#define SetOCSPBasicRes(obj, res)
Definition: ossl_ocsp.c:47
static VALUE ossl_ocspbres_find_response(VALUE self, VALUE target)
Definition: ossl_ocsp.c:984
static VALUE ossl_ocspsres_initialize_copy(VALUE self, VALUE other)
Definition: ossl_ocsp.c:1210
#define rb_define_copy_func(klass, func)
Definition: ruby_missing.h:13
X509 * GetX509CertPtr(VALUE)
#define NewOCSPSingleRes(klass)
Definition: ossl_ocsp.c:60
VALUE ossl_to_der_if_possible(VALUE obj)
Definition: ossl.c:237
static VALUE ossl_ocspbres_initialize(int argc, VALUE *argv, VALUE self)
Definition: ossl_ocsp.c:701
#define SetOCSPRes(obj, res)
Definition: ossl_ocsp.c:32
void ossl_clear_error(void)
Definition: ossl.c:289
static VALUE ossl_ocspcid_to_der(VALUE self)
Definition: ossl_ocsp.c:1673
#define val
RUBY_EXTERN VALUE rb_cObject
Definition: ruby.h:1872
static VALUE ossl_ocspsres_get_revocation_time(VALUE self)
Definition: ossl_ocsp.c:1360
VALUE rb_ary_new(void)
Definition: array.c:493
static VALUE ossl_ocspres_to_der(VALUE self)
Definition: ossl_ocsp.c:637
#define NIL_P(v)
Definition: ruby.h:451
const EVP_MD * GetDigestPtr(VALUE obj)
Definition: ossl_digest.c:49
void rb_define_const(VALUE, const char *, VALUE)
Definition: variable.c:2734
VALUE eOSSLError
Definition: ossl.c:218
static double one(void)
Definition: isinf.c:52
static VALUE ossl_ocspcid_alloc(VALUE klass)
Definition: ossl_ocsp.c:1451
int argc
Definition: ruby.c:183
#define Qfalse
Definition: ruby.h:436
static VALUE ossl_ocspsres_to_der(VALUE self)
Definition: ossl_ocsp.c:1427
static VALUE add_status_convert_time(VALUE obj)
Definition: ossl_ocsp.c:776
VALUE ossl_x509ext_new(X509_EXTENSION *)
Definition: ossl_x509ext.c:69
#define rb_str_new2
Definition: intern.h:857
int err
Definition: win32.c:135
static VALUE ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
Definition: ossl_ocsp.c:387
#define GetOCSPSingleRes(obj, res)
Definition: ossl_ocsp.c:66
#define SetOCSPCertId(obj, cid)
Definition: ossl_ocsp.c:77
static void ossl_ocsp_response_free(void *ptr)
Definition: ossl_ocsp.c:113
#define RSTRING_LEN(str)
Definition: ruby.h:978
static VALUE ossl_ocspbres_to_der(VALUE self)
Definition: ossl_ocsp.c:1136
static VALUE ossl_ocspsres_get_revocation_reason(VALUE self)
Definition: ossl_ocsp.c:1381
static VALUE ossl_ocspsres_get_next_update(VALUE self)
Definition: ossl_ocsp.c:1341
static VALUE ossl_ocspcid_initialize(int argc, VALUE *argv, VALUE self)
Definition: ossl_ocsp.c:1497
int rb_scan_args(int argc, const VALUE *argv, const char *fmt,...)
Definition: class.c:1919
static VALUE ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
Definition: ossl_ocsp.c:1060
static const rb_data_type_t ossl_ocsp_certid_type
Definition: ossl_ocsp.c:160
#define Qnil
Definition: ruby.h:438
#define NewOCSPBasicRes(klass)
Definition: ossl_ocsp.c:45
unsigned long VALUE
Definition: ruby.h:85
static VALUE result
Definition: nkf.c:40
static void ossl_ocsp_request_free(void *ptr)
Definition: ossl_ocsp.c:99
VALUE eOCSPError
Definition: ossl_ocsp.c:91
static VALUE ossl_ocspreq_initialize_copy(VALUE self, VALUE other)
Definition: ossl_ocsp.c:197
static VALUE ossl_ocspres_get_basic(VALUE self)
Definition: ossl_ocsp.c:614
static VALUE ossl_ocspsres_new(OCSP_SINGLERESP *)
Definition: ossl_ocsp.c:1159
static VALUE ossl_ocspres_initialize_copy(VALUE self, VALUE other)
Definition: ossl_ocsp.c:518
void rb_jump_tag(int tag)
Definition: eval.c:788
#define NewOCSPRes(klass)
Definition: ossl_ocsp.c:30
static VALUE ossl_ocspreq_alloc(VALUE klass)
Definition: ossl_ocsp.c:183
X509_STORE * GetX509StorePtr(VALUE)
void ossl_bin2hex(unsigned char *in, char *out, size_t inlen)
Definition: ossl.c:115
#define GetOCSPReq(obj, req)
Definition: ossl_ocsp.c:21
static VALUE ossl_ocspbres_copy_nonce(VALUE self, VALUE request)
Definition: ossl_ocsp.c:732
register unsigned int len
Definition: zonetab.h:51
VALUE rb_define_module_under(VALUE outer, const char *name)
Definition: class.c:790
X509_EXTENSION * GetX509ExtPtr(VALUE)
Definition: ossl_x509ext.c:89
static VALUE ossl_ocspsres_alloc(VALUE klass)
Definition: ossl_ocsp.c:1170
#define RSTRING_PTR(str)
Definition: ruby.h:982
#define SafeGetOCSPBasicRes(obj, res)
Definition: ossl_ocsp.c:55
#define SetOCSPSingleRes(obj, res)
Definition: ossl_ocsp.c:62
static const rb_data_type_t ossl_ocsp_singleresp_type
Definition: ossl_ocsp.c:146
#define RARRAY_AREF(a, i)
Definition: ruby.h:1040
#define GetOCSPBasicRes(obj, res)
Definition: ossl_ocsp.c:51
#define SafeGetOCSPRes(obj, res)
Definition: ossl_ocsp.c:40
VALUE rb_check_array_type(VALUE ary)
Definition: array.c:635
static VALUE ossl_ocspres_alloc(VALUE klass)
Definition: ossl_ocsp.c:504
VALUE asn1time_to_time(const ASN1_TIME *time)
Definition: ossl_asn1.c:22
#define OSSL_Check_Kind(obj, klass)
Definition: ossl.h:52
static VALUE ossl_ocspsres_get_certid(VALUE self)
Definition: ossl_ocsp.c:1278
static void ossl_ocsp_certid_free(void *ptr)
Definition: ossl_ocsp.c:155
VALUE cOCSPCertId
Definition: ossl_ocsp.c:96
void ossl_raise(VALUE exc, const char *fmt,...)
Definition: ossl.c:278
static VALUE ossl_ocspreq_get_certid(VALUE self)
Definition: ossl_ocsp.c:347
VALUE cOCSPSingleRes
Definition: ossl_ocsp.c:95
#define GetOCSPRes(obj, res)
Definition: ossl_ocsp.c:36
#define OCSP_SINGLERESP_get0_id(s)
static VALUE ossl_ocspres_s_create(VALUE klass, VALUE status, VALUE basic_resp)
Definition: ossl_ocsp.c:486
#define GetOCSPCertId(obj, cid)
Definition: ossl_ocsp.c:81
static const rb_data_type_t ossl_ocsp_basicresp_type
Definition: ossl_ocsp.c:132
static VALUE ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
Definition: ossl_ocsp.c:1019
#define RSTRING_LENINT(str)
Definition: ruby.h:990
static ID id_new
Definition: enumerator.c:105
#define rb_check_frozen(obj)
Definition: intern.h:276
VALUE rb_define_module(const char *name)
Definition: class.c:768
#define RB_INTEGER_TYPE_P(obj)
Definition: ruby_missing.h:20
#define NULL
Definition: _sdbm.c:102
static VALUE ossl_ocspbres_initialize_copy(VALUE self, VALUE other)
Definition: ossl_ocsp.c:674
static VALUE ossl_ocspbres_alloc(VALUE klass)
Definition: ossl_ocsp.c:660
void rb_define_method(VALUE klass, const char *name, VALUE(*func)(ANYARGS), int argc)
Definition: class.c:1515
static VALUE ossl_ocspcid_get_hash_algorithm(VALUE self)
Definition: ossl_ocsp.c:1647
static VALUE ossl_ocspcid_cmp(VALUE self, VALUE other)
Definition: ossl_ocsp.c:1541
#define SetOCSPReq(obj, req)
Definition: ossl_ocsp.c:17
static VALUE ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status, VALUE reason, VALUE revtime, VALUE thisupd, VALUE nextupd, VALUE ext)
Definition: ossl_ocsp.c:819
static VALUE ossl_ocspbres_get_responses(VALUE self)
Definition: ossl_ocsp.c:951
static VALUE ossl_ocspcertid_new(OCSP_CERTID *cid)
Definition: ossl_ocsp.c:172
char ** argv
Definition: ruby.c:184
#define StringValue(v)
Definition: ruby.h:569
static VALUE ossl_ocspreq_add_certid(VALUE self, VALUE certid)
Definition: ossl_ocsp.c:321
VALUE rb_str_new(const char *, long)
Definition: string.c:736