module Mongo::Socket::OcspCache

This module caches OCSP responses for their indicated validity time.

The key is the CertificateId used for the OCSP request. The value is the SingleResponse.

@api private

Constants

LOCK

Public Instance Methods

clear()

Clears the driver's OCSP response cache.

@note Use Mongo#clear_ocsp_cache from applications instead of invoking this method directly.

# File lib/mongo/socket/ocsp_cache.rb, line 83
def clear
  responses.replace([])
end
delete(cert_id)

Removes any cached response whose CertificateId matches the specified cert_id.

# File lib/mongo/socket/ocsp_cache.rb, line 73
def delete(cert_id)
  responses.delete_if do |resp|
    resp.certid.cmp(cert_id)
  end
end
get(cert_id)

Retrieves a cached SingleResponse for the specified CertificateId.

This method may return expired responses if they are revoked. Such responses were valid when they were first received.

This method may also return responses that are valid but that may expire by the time the caller uses them. The caller should not perform update time checks on the returned response.

@return [ OpenSSL::OCSP::SingleResponse ] The previously retrieved response, or nil if no usable response is cached.

# File lib/mongo/socket/ocsp_cache.rb, line 43
def get(cert_id)
  resp = responses.detect do |resp|
    resp.certid.cmp(cert_id)
  end
  if resp
    # Only expire responses with good status.
    # Once a certificate is revoked, it should stay revoked forever,
    # hence we should be able to cache revoked responses indefinitely.
    if resp.cert_status == OpenSSL::OCSP::V_CERTSTATUS_GOOD &&
      resp.next_update < Time.now
    then
      responses.delete(resp)
      resp = nil
    end
  end

  # If we have connected to a server and cached the OCSP response for it,
  # and then never connect to that server again, the cached OCSP response
  # is going to remain in memory indefinitely. Periodically remove all
  # expired OCSP responses, not just the ones matching the certificate id
  # we are querying by.
  if rand < 0.01
    responses.delete_if do |resp|
      resp.next_update < Time.now
    end
  end

  resp
end
responses()

Returns the array backing the cache, creating it on first use under LOCK.

# File lib/mongo/socket/ocsp_cache.rb, line 91
def responses
  LOCK.synchronize do
    @responses ||= []
  end
end

set(cert_id, response)

Caches the response for the specified CertificateId, replacing any response previously cached for the same id.

# File lib/mongo/socket/ocsp_cache.rb, line 27
def set(cert_id, response)
  delete(cert_id)
  responses << response
end
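The following is an added example, not code from the Ruby driver, that exercises the caching rules described for get and set above with real OpenSSL::OCSP objects: it builds a throwaway CA and leaf certificates (constructed here, not from the page), produces SingleResponse objects the way a responder would, and shows that a GOOD response past its nextUpdate is evicted while a REVOKED response past its nextUpdate is still served. The class DemoOcspCache and the helpers make_cert, single_response and demo_cache_semantics are this example's own names.

```ruby
require 'openssl'

# Example cache (not the driver's) with the same rules as Mongo::Socket::OcspCache:
# keyed by OpenSSL::OCSP::CertificateId; GOOD responses are dropped once nextUpdate
# has passed; REVOKED responses are returned even after nextUpdate, since revocation
# is permanent.
class DemoOcspCache
  def initialize
    @lock = Mutex.new
    @responses = []
  end

  # Store a SingleResponse, replacing any entry for the same CertificateId.
  def set(cert_id, single_response)
    @lock.synchronize do
      @responses.delete_if { |r| r.certid.cmp(cert_id) }
      @responses << single_response
    end
  end

  # Look up a response; `now` is injectable so expiry can be exercised deterministically.
  def get(cert_id, now = Time.now)
    @lock.synchronize do
      resp = @responses.detect { |r| r.certid.cmp(cert_id) }
      return nil unless resp
      if resp.cert_status == OpenSSL::OCSP::V_CERTSTATUS_GOOD && resp.next_update < now
        @responses.delete(resp) # stale GOOD answer: forget it so the responder is asked again
        return nil
      end
      resp
    end
  end

  def size
    @lock.synchronize { @responses.size }
  end
end

# --- constructed test PKI: a throwaway CA and leaf certificates (assumed, not real) ---

def make_cert(serial, subject, issuer_cert, pubkey, signing_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject # nil issuer => self-signed
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(signing_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Build a SingleResponse the way a responder would. this_update, next_update and
# revocation_time are Integer offsets in seconds from now (negative = in the past).
def single_response(cert_id, status, this_update, next_update, revocation_time = nil, reason = 0)
  basic = OpenSSL::OCSP::BasicResponse.new
  basic.add_status(cert_id, status, reason, revocation_time, this_update, next_update, nil)
  basic.responses.first
end

def demo_cache_semantics
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert(1, '/CN=Constructed Test CA', nil, ca_key.public_key, ca_key)
  leaf_key = OpenSSL::PKey::RSA.new(2048) # one key reused; distinct serials keep the ids distinct
  ids = [2, 3, 4].map do |serial|
    leaf = make_cert(serial, "/CN=leaf#{serial}.example", ca, leaf_key.public_key, ca_key)
    OpenSSL::OCSP::CertificateId.new(leaf, ca)
  end
  stale_good_id, stale_revoked_id, fresh_good_id = ids

  cache = DemoOcspCache.new
  good = OpenSSL::OCSP::V_CERTSTATUS_GOOD
  revoked = OpenSSL::OCSP::V_CERTSTATUS_REVOKED
  cache.set(stale_good_id, single_response(stale_good_id, good, -7200, -3600))
  cache.set(stale_revoked_id, single_response(stale_revoked_id, revoked, -7200, -3600,
                                              -86_400, OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE))
  cache.set(fresh_good_id, single_response(fresh_good_id, good, -60, 3600))
  cache.set(fresh_good_id, single_response(fresh_good_id, good, -30, 3600)) # replaces, no duplicate

  {
    stale_good: cache.get(stale_good_id),       # nil: expired GOOD answer evicted
    stale_revoked: cache.get(stale_revoked_id), # still served although nextUpdate has passed
    fresh_good: cache.get(fresh_good_id),
    entries: cache.size                         # 2: stale GOOD gone, single entry for fresh id
  }
end

if __FILE__ == $PROGRAM_NAME
  r = demo_cache_semantics
  puts "stale GOOD returned?    #{!r[:stale_good].nil?}"
  puts "stale REVOKED returned? #{!r[:stale_revoked].nil?}"
  puts "entries left:           #{r[:entries]}"
end
```

The example keeps the status-aware eviction but leaves out the driver's probabilistic sweep; note that the sweep in the driver's get removes every response whose next_update has passed regardless of status, so a revoked response is retained only until one of those sweeps runs, not literally forever.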