Class: R509::OCSP::Helper::ResponseSigner

Inherits:
Object
  • Object
show all
Defined in:
lib/r509/ocsp/signer.rb

Overview

signs OCSP responses

Instance Method Summary (collapse)

Constructor Details

- (ResponseSigner) initialize(options)

A new instance of ResponseSigner

Parameters:

  • options (Hash)

    a customizable set of options

Options Hash (options):

  • :copy_nonce (Boolean)


172
173
174
175
176
177
178
# File 'lib/r509/ocsp/signer.rb', line 172

def initialize(options)
  if options.has_key?(:copy_nonce)
    @copy_nonce = options[:copy_nonce]
  else
    @copy_nonce = false
  end
end

Instance Method Details

- (OpenSSL::OCSP::BasicResponse) create_basic_response(request, statuses)

It is UNWISE to call this method directly because it assumes that the request is validated. You probably want to take a look at R509::OCSP::Signer#handle_request

Parameters:

  • request (OpenSSL::OCSP::Request)
  • statuses (Hash)

    hash from R509::OCSP::Helper::RequestChecker#check_statuses

Returns:

  • (OpenSSL::OCSP::BasicResponse)


186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
# File 'lib/r509/ocsp/signer.rb', line 186

def create_basic_response(request,statuses)
  basic_response = OpenSSL::OCSP::BasicResponse.new

  basic_response.copy_nonce(request) if @copy_nonce

  statuses.each do |status|
    #revocation time is retarded and is relative to now, so
    #let's figure out what that is.
    if status[:status] == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
      revocation_time = status[:revocation_time].to_i - Time.now.to_i
    end
    basic_response.add_status(status[:certid],
                status[:status],
                status[:revocation_reason],
                revocation_time,
                -1*status[:config].ocsp_start_skew_seconds,
                status[:config].ocsp_validity_hours*3600,
                [] #array of OpenSSL::X509::Extensions
                )
  end

  #this method assumes the request data is validated by validate_request so all configs will be the same and
  #we can choose to use the first one safely
  config = statuses[0][:config]

  #confusing, but R509::Cert contains R509::PrivateKey under #key. PrivateKey#key gives the OpenSSL object
  #turns out BasicResponse#sign can take up to 4 params
  #cert, key, array of OpenSSL::X509::Certificates, flags (not sure what the enumeration of those are)
  basic_response.sign(config.ocsp_cert.cert,config.ocsp_cert.key.key,config.ocsp_chain)
end

- (OpenSSL::OCSP::OCSPResponse) create_response(response_status, basic_response = nil)

Builds final response.

generated by create_basic_response

Parameters:

  • response_status (OpenSSL::OCSP::RESPONSE_STATUS_*)

    the primary response status

  • basic_response (OpenSSL::OCSP::BasicResponse) (defaults to: nil)

    an optional basic response object

Returns:

  • (OpenSSL::OCSP::OCSPResponse)


223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
# File 'lib/r509/ocsp/signer.rb', line 223

def create_response(response_status,basic_response=nil)

  # first arg is the response status code, comes from this list
  # these can also be enumerated via OpenSSL::OCSP::RESPONSE_STATUS_*
  #OCSPResponseStatus ::= ENUMERATED {
  #  successful        (0),    --Response has valid confirmations
  #  malformedRequest    (1),    --Illegal confirmation request
  #  internalError       (2),    --Internal error in issuer
  #  tryLater        (3),    --Try again later
  #           --(4) is not used
  #  sigRequired       (5),    --Must sign the request
  #  unauthorized      (6)     --Request unauthorized
  #}
  #
  R509::OCSP::Response.new(
    OpenSSL::OCSP::Response.create(
      response_status, basic_response
    )
  )
end