Class: R509::OCSP::Helper::RequestChecker
- Inherits: Object
- Includes: Dependo::Mixin
- Defined in: lib/r509/ocsp/signer.rb
Overview
Checks OCSP requests for validity against a set of CA configs.
Instance Attribute Summary
- (Object) configs (readonly)
  Returns the value of attribute configs.
- (Object) configs_hash (readonly)
  Returns the value of attribute configs_hash.
Instance Method Summary
- (Hash) check_statuses(request)
  Loads and checks a raw OCSP request.
- (RequestChecker) initialize(configs, validity_checker) (constructor)
  A new instance of RequestChecker.
- (Boolean) validate_statuses(statuses)
  Determines whether the statuses constitute a request that is compliant.
Constructor Details
- (RequestChecker) initialize(configs, validity_checker)
A new instance of RequestChecker
# File 'lib/r509/ocsp/signer.rb', line 62

def initialize(configs, validity_checker)
  unless configs.kind_of?(R509::Config::CAConfigPool)
    raise R509::R509Error, "Must pass R509::Config::CAConfigPool object"
  end
  if configs.all.empty?
    raise R509::R509Error, "Must be at least one R509::Config object"
  end
  @configs = configs.all

  # Older OpenSSL bindings lack CertificateId#issuer_key_hash; only build the
  # hash lookup table when it is available (check_statuses falls back otherwise).
  test_cid = OpenSSL::OCSP::CertificateId.new(OpenSSL::X509::Certificate.new, OpenSSL::X509::Certificate.new)
  if test_cid.respond_to?(:issuer_key_hash)
    @configs_hash = {}
    @configs.each do |config|
      ee_cert = OpenSSL::X509::Certificate.new
      ee_cert.issuer = config.ca_cert.cert.subject.name
      # per RFC 5019
      # Clients MUST use SHA1 as the hashing algorithm for the
      # CertID.issuerNameHash and the CertID.issuerKeyHash values.
      # so we can safely assume that our inbound hashes will be SHA1
      issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert, config.ca_cert.cert, OpenSSL::Digest::SHA1.new)
      @configs_hash[issuer_certid.issuer_key_hash] = config
    end
  end

  @validity_checker = validity_checker
  if @validity_checker.nil?
    raise R509::R509Error, "Must supply a R509::Validity::Checker"
  end
  unless @validity_checker.respond_to?(:check)
    raise R509::R509Error, "The validity checker must have a check method"
  end
end
Instance Attribute Details
- (Object) configs (readonly)
Returns the value of attribute configs
# File 'lib/r509/ocsp/signer.rb', line 58

def configs
  @configs
end
- (Object) configs_hash (readonly)
Returns the value of attribute configs_hash
# File 'lib/r509/ocsp/signer.rb', line 58

def configs_hash
  @configs_hash
end
Instance Method Details
- (Hash) check_statuses(request)
Loads and checks a raw OCSP request
# File 'lib/r509/ocsp/signer.rb', line 97

def check_statuses(request)
  request.certid.map do |certid|
    if certid.respond_to?(:issuer_key_hash)
      validated_config = @configs_hash[certid.issuer_key_hash]
    else
      validated_config = @configs.find do |config|
        # we need to create an OCSP::CertificateId object that has the right
        # issuer so we can pass it to #cmp_issuer. This is annoying because
        # CertificateId wants a cert and its issuer, but we don't want to
        # force users to provide an end entity cert just to make this comparison
        # work. So, we create a fake new cert and pass it in.
        ee_cert = OpenSSL::X509::Certificate.new
        ee_cert.issuer = config.ca_cert.cert.subject
        issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert, config.ca_cert.cert)
        certid.cmp_issuer(issuer_certid)
      end
    end
    log.info "#{validated_config.ca_cert.subject.to_s} found for issuer" if validated_config
    check_status(certid, validated_config)
  end
end
- (Boolean) validate_statuses(statuses)
Determines whether the statuses constitute a request that is compliant. No config means we don't know the CA, different configs means there are requests from two different CAs in there. Both are invalid.
# File 'lib/r509/ocsp/signer.rb', line 126

def validate_statuses(statuses)
  validity = true
  config = nil
  statuses.each do |status|
    # nil config: the issuer of this CertID is not one of our CAs
    if status[:config].nil?
      validity = false
    end
    if config.nil?
      config = status[:config]
    end
    # a different config than the first one: CertIDs from two CAs in one request
    if config != status[:config]
      validity = false
    end
  end
  validity
end
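An added, stand-alone example (not r509's own code) of the two pieces above working together: it constructs throwaway CAs, keys them by SHA1 issuerKeyHash exactly as the constructor does, and then applies the compliance rule to a request from one known CA, a request mixing two CAs, and a request from an unknown CA. The helper names make_ca, certid_for, issuer_table and request_compliant? are assumptions for this example.

```ruby
require 'openssl'

# Constructed self-signed CA used as a test fixture (not r509 code).
def make_ca(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Same trick as RequestChecker#initialize: a blank end-entity cert whose
# issuer is the CA subject yields a CertID carrying the CA's SHA1
# issuerKeyHash (RFC 5019 mandates SHA1 here) without a real issued cert.
def certid_for(ca, serial = 0)
  ee = OpenSSL::X509::Certificate.new
  ee.serial = serial
  ee.issuer = ca.subject
  OpenSSL::OCSP::CertificateId.new(ee, ca, OpenSSL::Digest::SHA1.new)
end

# issuerKeyHash => CA, the lookup table the checker keeps in @configs_hash.
def issuer_table(cas)
  cas.each_with_object({}) { |ca, h| h[certid_for(ca).issuer_key_hash] = ca }
end

# Mirrors check_statuses + validate_statuses: the request round-trips through
# DER (the checker receives raw requests), each CertID resolves to a CA or
# nil, and the request is compliant only if all CertIDs hit one known CA.
def request_compliant?(certids, table)
  req = certids.each_with_object(OpenSSL::OCSP::Request.new) { |c, r| r.add_certid(c) }
  statuses = OpenSSL::OCSP::Request.new(req.to_der).certid.map do |cid|
    { config: table[cid.issuer_key_hash] }
  end
  first = statuses.dig(0, :config)
  statuses.all? { |s| !s[:config].nil? && s[:config].equal?(first) }
end

CA_A, CA_B, OTHER = %w[DemoCA-A DemoCA-B OtherCA].map { |cn| make_ca(cn) }
TABLE = issuer_table([CA_A, CA_B])

def demo
  { single: request_compliant?([certid_for(CA_A, 42)], TABLE),
    mixed: request_compliant?([certid_for(CA_A, 42), certid_for(CA_B, 7)], TABLE),
    unknown: request_compliant?([certid_for(OTHER, 1)], TABLE) }
end
```

Running demo returns single: true, mixed: false, unknown: false, matching the "no config" and "different configs" cases the method description names.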