Class: R509::Validity::CADB::Checker

Inherits:
R509::Validity::Checker
  • Object
Includes:
Dependo::Mixin
Defined in:
lib/r509/validity/cadb/checker.rb

Overview

Implements the R509::Validity interface for validity lookups against an OpenSSL CA database (the `openssl ca` index file).


Constructor Details

- (Checker) initialize(cadb_file_path)

Returns a new instance of Checker



# File 'lib/r509/validity/cadb/checker.rb', line 12

def initialize(cadb_file_path)
  @cadb_file = cadb_file_path
  load_db

  @scheduler = Rufus::Scheduler.new

  @scheduler.every '10s' do
    if File.stat(@cadb_file).mtime.to_i > @cadb_last_refresh
      log.info("Change detected in '#{@cadb_file}', reloading.")
      load_db
    end
  end
end

Instance Method Details

- (R509::Validity::Status) check(issuer, serial)

Returns:

  • (R509::Validity::Status)

Raises:

  • (ArgumentError)


# File 'lib/r509/validity/cadb/checker.rb', line 27

# issuer is not used: a single CA database (hence a single issuer) is assumed
def check(issuer, serial)
  raise ArgumentError.new('Serial must be provided') if serial.to_s.empty?

  cert_data = @cadb[serial.to_i]
  if cert_data.nil?
    return R509::Validity::Status.new(status: R509::Validity::UNKNOWN)
  end

  case cert_data[:status]
  when 'R'
    return R509::Validity::Status.new(
      status: R509::Validity::REVOKED,
      revocation_time: cert_data[:revocation_date],
      revocation_reason: cert_data[:revocation_reason]
    )
  when 'V'
    return R509::Validity::Status.new(status: R509::Validity::VALID)
  else
    return R509::Validity::Status.new(status: R509::Validity::UNKNOWN)
  end
end

- (Boolean) is_available?

Returns:

  • (Boolean)


# File 'lib/r509/validity/cadb/checker.rb', line 79

def is_available?
  true
end

- (Object) load_db

Loads the OpenSSL CA database (format: pki-tutorial.readthedocs.org/en/latest/cadb.html) into memory. This can get memory intensive, so fields that are not needed are not stored.



# File 'lib/r509/validity/cadb/checker.rb', line 51

def load_db
  # Build into a local hash and swap it in only after the whole file parsed, so a
  # read or parse error during a reload leaves the previous database in place.
  cadb = {}
  last_refresh = File.stat(@cadb_file).mtime.to_i

  # openssl ca -revoke records the reason by name (e.g. keyCompromise); map names
  # to CRL reason codes rather than letting to_i turn every name into 0 (unspecified).
  reason_codes = { 'unspecified' => 0, 'keyCompromise' => 1, 'CACompromise' => 2,
                   'affiliationChanged' => 3, 'superseded' => 4, 'cessationOfOperation' => 5,
                   'certificateHold' => 6, 'removeFromCRL' => 8 }

  # File.foreach closes the file when done; File.open(...).each leaked a descriptor per reload.
  File.foreach(@cadb_file) do |line|
    status, expiration_date, revocation_info, serial, _, _ = line.chomp.split(/\t/)
    next if serial.nil?       # blank or truncated line
    serial = serial.to_i(16)  # serials are stored as hex; key by integer

    cadb[serial] = {
      status: status,
      expiration_date: parse_time(expiration_date)
    }
    unless revocation_info.to_s.empty?
      # revocation_info field (if not blank) format is: YYMMDDHHMMSSZ[,reason]
      revocation_date, reason = revocation_info.split(',')
      reason = if reason.nil? then OpenSSL::OCSP::REVOKED_STATUS_NOSTATUS
               else reason_codes.fetch(reason) { reason.to_i }
               end

      cadb[serial][:revocation_date] = parse_time(revocation_date)
      cadb[serial][:revocation_reason] = reason
    end
  end

  @cadb = cadb
  @cadb_last_refresh = last_refresh
end

- (Object) parse_time(time_string)

Parses an OpenSSL CA DB date (format: YYMMDDHHMMSSZ) into a Unix epoch integer.



# File 'lib/r509/validity/cadb/checker.rb', line 75

def parse_time(time_string)
  Time.strptime(time_string, '%y%m%d%H%M%S%Z').to_i
end
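As a stand-alone illustration of the three methods above (added here; not code from the r509-validity-cadb gem), the following parses a constructed four-line index file and resolves serials the way check does, including the cases the mapping has to get right: a reason recorded by name, a revocation with no reason, and an expired ('E') entry. The function names (cadb_parse_time, parse_cadb, cadb_status), the REASON_CODES table and the sample entries are assumptions made for this example.

```ruby
require 'time'
require 'openssl'
# Constructed sample index.txt; fields: status, expiry, revocation, serial (hex), file, DN.
SAMPLE_INDEX = [
  "V\t250101000000Z\t\t1000\tunknown\t/CN=alice",
  "R\t250101000000Z\t230601120000Z,keyCompromise\t1001\tunknown\t/CN=bob",
  "R\t250101000000Z\t230601120000Z\t1002\tunknown\t/CN=carol",  # revoked, no reason recorded
  "E\t220101000000Z\t\t10ff\tunknown\t/CN=dave"                 # expired (openssl ca -updatedb)
].join("\n")

# openssl ca -revoke records the reason by name; map names to CRL reason codes.
REASON_CODES = { 'unspecified' => 0, 'keyCompromise' => 1, 'CACompromise' => 2,
                 'affiliationChanged' => 3, 'superseded' => 4, 'cessationOfOperation' => 5,
                 'certificateHold' => 6, 'removeFromCRL' => 8 }.freeze

# YYMMDDHHMMSSZ -> Unix epoch, the format parse_time above handles.
def cadb_parse_time(str)
  Time.strptime(str, '%y%m%d%H%M%S%Z').to_i
end

# Parse index text into a hash keyed by integer serial, keeping only what a validity
# check needs. A named reason maps to its code, a bare number is kept, anything else
# becomes NOSTATUS rather than silently turning into 0 (unspecified) via to_i.
def parse_cadb(text)
  text.each_line.with_object({}) do |line, db|
    status, expiration, revocation, serial = line.chomp.split("\t")
    next if status.nil? || serial.nil?  # skip blank or truncated lines
    entry = { status: status, expiration_date: cadb_parse_time(expiration) }
    unless revocation.to_s.empty?
      date, reason = revocation.split(',')
      entry[:revocation_date] = cadb_parse_time(date)
      entry[:revocation_reason] = REASON_CODES.fetch(reason.to_s) do
        reason.to_s.match?(/\A\d+\z/) ? reason.to_i : OpenSSL::OCSP::REVOKED_STATUS_NOSTATUS
      end
    end
    db[serial.to_i(16)] = entry
  end
end

# Resolve a hex serial (as printed in a certificate); only 'V' and 'R' are definitive,
# 'E' (expired) or a missing entry resolve to :unknown, as in check above.
def cadb_status(db, hex_serial)
  entry = db[hex_serial.to_i(16)]
  return { status: :unknown } if entry.nil?
  case entry[:status]
  when 'V' then { status: :valid }
  when 'R' then { status: :revoked, revocation_time: entry[:revocation_date],
                  revocation_reason: entry[:revocation_reason] }
  else { status: :unknown }
  end
end
```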