class R509::Cert::Validator::OcspValidator
Public Instance Methods
available?()
# File lib/r509/cert/validator/ocsp_validator.rb, line 7
# Whether an OCSP check can even be attempted for this certificate: an
# issuer must have been supplied, the certificate must carry an AIA
# extension with an OCSP entry, and that entry must list at least one
# responder URI.
#
# @return [Boolean]
def available?
  return false unless @issuer && aia && aia.ocsp

  !ocsp_uris.empty?
end
validate!()
# File lib/r509/cert/validator/ocsp_validator.rb, line 14
# Runs a full OCSP check against the first responder listed in the AIA
# extension: builds the GET request (which also stores it in @req for the
# later nonce comparison), fetches and parses the response, verifies the
# response envelope and then the single-cert status payload.
#
# @return [true] when every check passes
# @raise [Error] when the certificate carries no usable OCSP data
# @raise [OcspError] when the response fails any of the checks
def validate!
  raise Error, "Tried to validate OCSP but cert has no OCSP data" unless available?

  response = R509::OCSP::Response.parse(get(build_request_uri))
  check_ocsp_response response
  check_ocsp_payload response.basic.status.first
  true
end
Private Instance Methods
aia()
# File lib/r509/cert/validator/ocsp_validator.rb, line 73
# The certificate's Authority Information Access extension, read once from
# @cert and cached (a nil/false result is not cached and is re-read).
#
# @return [Object, nil] whatever @cert.authority_info_access returns
def aia
  @aia = @cert.authority_info_access unless @aia
  @aia
end
build_request_uri()
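# File lib/r509/cert/validator/ocsp_validator.rb, line 28
# Builds the GET-style OCSP request URI: the DER-encoded request (with a
# fresh nonce and the cert id) is base64 encoded, URL-escaped and appended
# as a path segment to the first responder URI from the AIA extension.
#
# Side effect: the request object is kept in @req so the nonce in the
# response can later be compared against it.
#
# @return [URI::Generic]
def build_request_uri
  @req = OpenSSL::OCSP::Request.new
  @req.add_nonce
  @req.add_certid cert_id
  # strict_encode64 yields a single line. encode64 inserts a newline every
  # 60 characters, which survives strip and ends up as %0A inside the URL
  # for any request longer than 45 bytes (every real OCSP request is).
  encoded = Base64.strict_encode64(@req.to_der)
  # Drop a trailing '/' on the responder URI so the path never gets '//'.
  base = ocsp_uris.first.chomp('/')
  URI("#{base}/#{URI.encode_www_form_component(encoded)}")
end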
cert_id()
# File lib/r509/cert/validator/ocsp_validator.rb, line 81
# OCSP CertificateId for @cert, computed from the certificate and its
# issuer's certificate and cached on first use.
#
# @return [OpenSSL::OCSP::CertificateId]
def cert_id
  @cert_id = OpenSSL::OCSP::CertificateId.new(@cert.cert, @issuer.cert) unless @cert_id
  @cert_id
end
check_ocsp_payload(basic)
# File lib/r509/cert/validator/ocsp_validator.rb, line 54
# Checks one single-response entry from the basic OCSP response. The entry
# is the array form used by OpenSSL::OCSP::BasicResponse#status:
# [cert_id, cert_status, revocation_reason, revocation_time, this_update,
# next_update]. The entry must be for our certificate's serial, must carry
# status 0 (good), and the current time must fall inside
# this_update..next_update.
#
# NOTE(review): if next_update is nil the range is endless, so any time
# after this_update passes the window check — confirm that is intended.
#
# @param basic [Array] one status entry as described above
# @return [nil]
# @raise [OcspError] on serial mismatch, revoked/unknown status, or a
#   response outside its validity window
def check_ocsp_payload(basic)
  certid, status, _reason, _revoked_at, this_update, next_update = basic

  serial = certid.serial
  raise OcspError, "OCSP cert serial was #{serial}, expected #{@cert.serial}" if serial != @cert.serial

  case status
  when 1 then raise OcspError, "OCSP response indicates cert was revoked"
  when 0 then nil
  else raise OcspError, "OCSP response was #{status}, expected 0"
  end

  return if (this_update..next_update).cover?(Time.now)

  raise OcspError, "OCSP response outside validity window"
end
check_ocsp_response(body)
# File lib/r509/cert/validator/ocsp_validator.rb, line 36
# Checks the OCSP response envelope before its payload is trusted: the
# responder status must be 0 (successful), the response must verify
# against the issuer's certificate, it must contain at least one status
# entry, and its nonce must be present and equal to the one in the request
# stored in @req (ties the response to this request rather than a replayed
# one).
#
# @param body [R509::OCSP::Response] parsed response
# @return [nil]
# @raise [OcspError] on the first failing check, in the order above
def check_ocsp_response(body)
  raise OcspError, "OCSP status was #{body.status}, expected 0" unless body.status == 0
  raise OcspError, "OCSP response did not match issuer" unless body.verify(@issuer.cert)
  raise OcspError, "OCSP response was missing payload" unless body.basic.status.first
  return if body.check_nonce(@req) == R509::OCSP::Request::Nonce::PRESENT_AND_EQUAL

  raise OcspError, "OCSP Nonce was not present and equal to request"
end
ocsp_uris()
# File lib/r509/cert/validator/ocsp_validator.rb, line 77
# Responder URIs listed in the AIA extension's OCSP entry. Callers are
# expected to have confirmed via #available? that the entry exists.
#
# @return [Array] the uris of aia.ocsp
def ocsp_uris
  access = aia
  access.ocsp.uris
end