module NemID::OCSP
Public Class Methods
request(subject:, issuer:, ca: digest = OpenSSL::Digest::SHA1.new)
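# File lib/nemid/ocsp.rb, line 7
# Asks the subject certificate's OCSP responder for the certificate's status and
# reports whether it must be treated as revoked.
#
# @param subject [OpenSSL::X509::Certificate] certificate whose status is queried.
#   It must respond to +ocsp_uris+ (presumably a NemID extension that reads the
#   responder URIs from the certificate — confirm in the library)
# @param issuer [OpenSSL::X509::Certificate] the CA certificate that issued +subject+
# @param ca [OpenSSL::X509::Certificate] trust anchor the responder's signature must chain to
# @param digest [OpenSSL::Digest] hash used to build the CertID. SHA-1 is the
#   conventional choice here: it only identifies the certificate to the responder
#   and carries no signature-security weight
# @return [Boolean] true if the certificate is revoked or its status is unknown,
#   false only if the responder reports it as good (see +cert_status+)
# @raise [ArgumentError] if +subject+ carries no OCSP responder URI
# @raise [NoStatusError] if the responder answers with a non-successful response
#   status, or returns no status for the certificate
# @raise [InvalidSignatureError, InvalidUpdateError, NonceError] from the checks below
# @raise [Net::HTTPError family] if the responder answers with a non-2xx HTTP status
#
# NOTE(review): the rendered signature reads "ca: digest = OpenSSL::Digest::SHA1.new",
# which is read here as a required +ca:+ keyword plus a SHA-1 digest default; confirm
# against lib/nemid/ocsp.rb before relying on the +digest:+ keyword.
def self.request(subject:, issuer:, ca:, digest: OpenSSL::Digest::SHA1.new)
  certificate_id = OpenSSL::OCSP::CertificateId.new(subject, issuer, digest)

  request = OpenSSL::OCSP::Request.new
  request.add_certid(certificate_id)
  # The nonce ties the response to this request; it is compared after the
  # signature has been verified.
  request.add_nonce

  ocsp_uris = Array(subject.ocsp_uris)
  raise ArgumentError, 'certificate carries no OCSP responder URI' if ocsp_uris.empty?

  ocsp_uri = URI(ocsp_uris.first)

  # Honour the port and scheme given in the certificate instead of assuming
  # plain HTTP on 80, and send "/" rather than an empty path for bare host URIs.
  http_response = Net::HTTP.start(ocsp_uri.hostname, ocsp_uri.port,
                                  use_ssl: ocsp_uri.scheme == 'https') do |http|
    http.post(ocsp_uri.request_uri, request.to_der,
              'content-type' => 'application/ocsp-request')
  end
  # Fail on transport-level errors before handing the body to the DER parser.
  http_response.value

  response = OpenSSL::OCSP::Response.new(http_response.body)
  # #basic is nil unless the responder's status is "successful"; stop here
  # instead of raising NoMethodError further down.
  response_basic = response.basic
  if response_basic.nil?
    raise NoStatusError, "OCSP responder returned status #{response.status_string}"
  end

  # Verify the responder's signature before trusting anything in the response.
  response_has_valid_signature?(response_basic, subject, issuer, ca)

  single_response = response_basic.find_response(certificate_id)
  response_has_status_and_is_valid?(single_response)

  # check_nonce returns 0 only when both sides carry a nonce and they differ.
  # A response that omits the nonce is accepted, as in the original; its
  # freshness then rests on the thisUpdate/nextUpdate window checked above.
  raise NonceError if request.check_nonce(response_basic).zero?

  cert_status(single_response)
end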
Private Class Methods
cert_status(single_response)
Returns true
if the certificate has been revoked or its status is unknown, false
otherwise.
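# File lib/nemid/ocsp.rb, line 41
# Maps an OCSP certificate status to "must be treated as revoked".
#
# @param single_response [OpenSSL::OCSP::SingleResponse] response for one certificate
# @return [Boolean] false only when the responder reports +V_CERTSTATUS_GOOD+;
#   true for +V_CERTSTATUS_REVOKED+, +V_CERTSTATUS_UNKNOWN+ and, failing closed,
#   any status value not recognised here (previously such a value fell through
#   to nil, which a caller would read as "not revoked")
def self.cert_status(single_response)
  case single_response.cert_status
  when OpenSSL::OCSP::V_CERTSTATUS_GOOD
    false
  when OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
    true
  else
    # Unexpected status: do not let it pass as "good".
    true
  end
end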
check_validity(single_response)
# File lib/nemid/ocsp.rb, line 52
# Checks that the single response is currently within its
# thisUpdate/nextUpdate window.
# +check_validity+ is called with its defaults — presumably no clock-skew
# allowance and no maximum age; confirm against the openssl gem in use.
#
# @param single_response [OpenSSL::OCSP::SingleResponse]
# @return [true]
# @raise [InvalidUpdateError] if the response is not currently valid
def self.check_validity(single_response)
  raise InvalidUpdateError unless single_response.check_validity

  true
end
response_has_status_and_is_valid?(single_response)
# File lib/nemid/ocsp.rb, line 60
# Ensures the responder returned a status for the requested certificate and
# that this status is currently valid.
#
# @param single_response [OpenSSL::OCSP::SingleResponse, nil] result of
#   +find_response+, nil when the response holds no entry for the CertID
# @return [true]
# @raise [NoStatusError] if +single_response+ is nil
# @raise [InvalidUpdateError] propagated from +check_validity+
def self.response_has_status_and_is_valid?(single_response)
  raise NoStatusError unless single_response

  check_validity(single_response)
end
response_has_valid_signature?(response_basic, subject, issuer, ca)
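# File lib/nemid/ocsp.rb, line 68
# Verifies the responder's signature on +response_basic+ and that the signing
# certificate chains to the given CA certificates.
#
# @param response_basic [OpenSSL::OCSP::BasicResponse] the signed response body
# @param subject [OpenSSL::X509::Certificate] the certificate under test; kept
#   for interface compatibility but deliberately NOT added to the trust store
#   (it is an input to the check, not an anchor the responder's chain may end in)
# @param issuer [OpenSSL::X509::Certificate] CA that issued +subject+ and, via
#   delegation, the responder certificate
# @param ca [OpenSSL::X509::Certificate] trust anchor
# @return [true]
# @raise [InvalidSignatureError] if the signature or the responder's chain fails to verify
def self.response_has_valid_signature?(response_basic, subject, issuer, ca)
  # Only CA certificates are trust anchors.
  store = OpenSSL::X509::Store.new
  store.add_cert(issuer)
  store.add_cert(ca)

  # Empty +certs+: the responder certificate has to come from the response
  # itself and chain to the store under the default verify flags.
  raise InvalidSignatureError unless response_basic.verify([], store)

  true
end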