class R509::Cert::Validator::OcspValidator

Public Instance Methods

# File lib/r509/cert/validator/ocsp_validator.rb, line 7
# Whether an OCSP check is possible for this certificate: an issuer must be
# known and the cert's AIA extension must carry at least one OCSP responder
# URI. Returns strictly true or false.
def available?
  # short-circuit so aia (and its memoization) is not touched without an issuer
  return false unless @issuer && aia && aia.ocsp
  !ocsp_uris.empty?
end
# File lib/r509/cert/validator/ocsp_validator.rb, line 14
# Fetch an OCSP response for the certificate and validate it.
#
# @raise [Error] when the cert carries no usable OCSP data (see #available?)
# @raise [OcspError] from the check_* helpers when any check fails
# @return [true] on success
def validate!
  raise Error, "Tried to validate OCSP but cert has no OCSP data" unless available?

  # build_request_uri also stores the outgoing request in @req, which
  # check_ocsp_response relies on for the nonce comparison.
  response = R509::OCSP::Response.parse(get(build_request_uri))

  check_ocsp_response response
  # status.first is the SingleResponse for the one certid we asked about
  check_ocsp_payload response.basic.status.first
  true
end

Private Instance Methods

# File lib/r509/cert/validator/ocsp_validator.rb, line 73
# The certificate's Authority Information Access extension, memoized in @aia.
# Returns whatever @cert.authority_info_access returns; when that is nil the
# lookup is simply repeated on the next call (nil is not cached).
def aia
  @aia || (@aia = @cert.authority_info_access)
end
# File lib/r509/cert/validator/ocsp_validator.rb, line 28
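# Build the OCSP GET request URI (RFC 6960 Appendix A.1):
#   {responder}/{url-encode(base64(DER(request)))}
# A fresh OpenSSL::OCSP::Request carrying a nonce and our cert_id is created
# and kept in @req so the nonce can later be matched against the response.
#
# Fix: Base64.encode64 wraps its output with "\n" every 60 characters and
# #strip only removes the trailing one, so any request longer than 45 DER
# bytes (every real one, once a nonce and a certid are present) produced
# "%0A" in the path. strict_encode64 emits a single unbroken line. The
# responder base is also stripped of a trailing "/" so a URI such as
# "http://ocsp.example/" does not yield "//".
#
# @return [URI] the request URI for the first OCSP responder in the AIA
def build_request_uri
  @req = OpenSSL::OCSP::Request.new
  @req.add_nonce
  @req.add_certid cert_id
  encoded = Base64.strict_encode64(@req.to_der)
  responder = ocsp_uris.first.chomp('/')
  URI(responder + '/' + URI.encode_www_form_component(encoded))
end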
# File lib/r509/cert/validator/ocsp_validator.rb, line 81
# Memoized OCSP CertificateId pairing @cert with its issuer @issuer
# (issuer name hash, issuer key hash and the cert's serial).
def cert_id
  @cert_id || (@cert_id = OpenSSL::OCSP::CertificateId.new(@cert.cert, @issuer.cert))
end
# File lib/r509/cert/validator/ocsp_validator.rb, line 54
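# Validate the SingleResponse for our certificate.
#
# @param basic [Array] one entry of OpenSSL::OCSP::BasicResponse#status:
#   [certid, cert_status, reason, revocation_time, this_update, next_update, ...]
# @raise [OcspError] when the serial does not match @cert, the status is not
#   GOOD, or Time.now lies outside [this_update, next_update]
#
# Fix: next_update is OPTIONAL in OCSP (RFC 6960 4.2.2.1 — absent means the
# responder always has fresh information). Building a Range with a nil end
# raised ArgumentError on Ruby < 2.6 and only silently became an endless
# range later, so the window is now checked explicitly. The status codes use
# the OpenSSL constants instead of bare 0/1; messages are unchanged.
def check_ocsp_payload(basic)
  resp_id, status, _reason, _revoked_at, this_update, next_update = basic

  # NOTE(review): only the serial is compared; the issuer name/key hashes
  # carried in resp_id are not checked against the certid we sent.
  if resp_id.serial != @cert.serial
    raise OcspError, "OCSP cert serial was #{resp_id.serial}, expected #{@cert.serial}"
  end

  if status == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
    raise OcspError, "OCSP response indicates cert was revoked"
  end

  if status != OpenSSL::OCSP::V_CERTSTATUS_GOOD
    raise OcspError, "OCSP response was #{status}, expected 0"
  end

  # Inclusive window, no clock-skew tolerance; a missing next_update only
  # bounds the window from below.
  now = Time.now
  outside = now < this_update || (next_update && now > next_update)
  if outside
    raise OcspError, "OCSP response outside validity window"
  end
end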
# File lib/r509/cert/validator/ocsp_validator.rb, line 36
# Validate the outer OCSP response, in order: overall status must be 0
# (successful), the response must verify against the issuer certificate, it
# must carry at least one SingleResponse, and its nonce must equal the one
# sent in @req (populated by build_request_uri).
#
# @param body [R509::OCSP::Response] the parsed response
# @raise [OcspError] on the first failing check
def check_ocsp_response(body)
  raise OcspError, "OCSP status was #{body.status}, expected 0" unless body.status == 0

  # NOTE(review): R509::OCSP::Response#verify is a project method; exactly
  # what it checks (signature, signer's chain to the issuer) is not visible here.
  raise OcspError, "OCSP response did not match issuer" unless body.verify(@issuer.cert)

  raise OcspError, "OCSP response was missing payload" unless body.basic.status.first

  nonce_state = body.check_nonce(@req)
  unless nonce_state == R509::OCSP::Request::Nonce::PRESENT_AND_EQUAL
    raise OcspError, "OCSP Nonce was not present and equal to request"
  end
end
# File lib/r509/cert/validator/ocsp_validator.rb, line 77
# OCSP responder URIs listed in the AIA extension. Assumes aia and aia.ocsp
# are present; callers go through available? first.
def ocsp_uris
  ocsp_entry = aia.ocsp
  ocsp_entry.uris
end