Class: R509::Ocsp::Helper::ResponseSigner

Inherits:
Object
  • Object
show all
Defined in:
lib/r509/ocsp/signer.rb

Overview

signs OCSP responses

Instance Method Summary (collapse)

Constructor Details

- (ResponseSigner) initialize(options)

A new instance of ResponseSigner

Parameters:

  • options (Hash)

    a customizable set of options

Options Hash (options):

  • :copy_nonce (Boolean)


172
173
174
175
176
177
178
# File 'lib/r509/ocsp/signer.rb', line 172

def initialize(options)
    if options.has_key?(:copy_nonce)
        @copy_nonce = options[:copy_nonce]
    else
        @copy_nonce = false
    end
end

Instance Method Details

- (OpenSSL::OCSP::BasicResponse) create_basic_response(request, statuses)

It is UNWISE to call this method directly because it assumes that the request is validated. You probably want to take a look at R509::Ocsp::Signer#handle_request

Parameters:

  • request (OpenSSL::OCSP::Request)
  • statuses (Hash)

    hash from R509::Ocsp::Helper::RequestChecker#check_statuses

Returns:

  • (OpenSSL::OCSP::BasicResponse)


186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
# File 'lib/r509/ocsp/signer.rb', line 186

def create_basic_response(request,statuses)
    basic_response = OpenSSL::OCSP::BasicResponse.new

    basic_response.copy_nonce(request) if @copy_nonce

    statuses.each do |status|
        #revocation time is retarded and is relative to now, so
        #let's figure out what that is.
        if status[:status] == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
            revocation_time = status[:revocation_time].to_i - Time.now.to_i
        end
        basic_response.add_status(status[:certid],
                                status[:status],
                                status[:revocation_reason],
                                revocation_time,
                                -1*status[:config].ocsp_start_skew_seconds,
                                status[:config].ocsp_validity_hours*3600,
                                [] #array of OpenSSL::X509::Extensions
                                )
    end

    #this method assumes the request data is validated by validate_request so all configs will be the same and
    #we can choose to use the first one safely
    config = statuses[0][:config]

    #confusing, but R509::Cert contains R509::PrivateKey under #key. PrivateKey#key gives the OpenSSL object
    #turns out BasicResponse#sign can take up to 4 params
    #cert, key, array of OpenSSL::X509::Certificates, flags (not sure what the enumeration of those are)
    basic_response.sign(config.ocsp_cert.cert,config.ocsp_cert.key.key,config.ocsp_chain)
end

- (OpenSSL::OCSP::OCSPResponse) create_response(response_status, basic_response = nil)

Builds final response.

generated by create_basic_response

Parameters:

  • response_status (OpenSSL::OCSP::RESPONSE_STATUS_*)

    the primary response status

  • basic_response (OpenSSL::OCSP::BasicResponse) (defaults to: nil)

    an optional basic response object

Returns:

  • (OpenSSL::OCSP::OCSPResponse)


223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
# File 'lib/r509/ocsp/signer.rb', line 223

def create_response(response_status,basic_response=nil)

    # first arg is the response status code, comes from this list
    # these can also be enumerated via OpenSSL::OCSP::RESPONSE_STATUS_*
    #OCSPResponseStatus ::= ENUMERATED {
    #    successful            (0),      --Response has valid confirmations
    #    malformedRequest      (1),      --Illegal confirmation request
    #    internalError         (2),      --Internal error in issuer
    #    tryLater              (3),      --Try again later
    #                       --(4) is not used
    #    sigRequired           (5),      --Must sign the request
    #    unauthorized          (6)       --Request unauthorized
    #}
    #
    R509::Ocsp::Response.new(
        OpenSSL::OCSP::Response.create(
            response_status, basic_response
        )
    )
end