类 OpenSSL::OCSP::SingleResponse
OpenSSL::OCSP::SingleResponse 代表一个 OCSP SingleResponse 结构,它包含证书状态的基本信息。
公共类方法
OpenSSL::OCSP::SingleResponse.new(der_string) → SingleResponse 点击切换源代码
从 der_string 创建一个新的 SingleResponse。
/*
 * Backs OpenSSL::OCSP::SingleResponse.new(der_string): decodes a DER-encoded
 * SingleResponse and stores it in self, then frees the structure that
 * GetOCSPSingleRes() previously returned for self.
 *
 * arg goes through ossl_to_der_if_possible() and StringValue(), so the bytes
 * handed to the ASN.1 decoder are caller-supplied. Raises eOCSPError when
 * d2i_OCSP_SINGLERESP() cannot decode them. A successful decode only means
 * the bytes are well-formed; nothing in this function checks who issued
 * the response.
 */
static VALUE
ossl_ocspsres_initialize(VALUE self, VALUE arg)
{
    OCSP_SINGLERESP *previous, *parsed;
    const unsigned char *cursor;

    arg = ossl_to_der_if_possible(arg);
    StringValue(arg);
    GetOCSPSingleRes(self, previous);

    /* d2i_* advances the pointer it is given, so it works on a local copy. */
    cursor = (const unsigned char *)RSTRING_PTR(arg);
    parsed = d2i_OCSP_SINGLERESP(NULL, &cursor, RSTRING_LEN(arg));
    if (parsed == NULL) {
        ossl_raise(eOCSPError, "d2i_OCSP_SINGLERESP");
    }

    /* Install the new structure first, then release the old one. */
    SetOCSPSingleRes(self, parsed);
    OCSP_SINGLERESP_free(previous);

    return self;
}
公共实例方法
cert_status → Integer 点击切换源代码
返回由 certid 标识的证书的状态。返回值可能是以下常量之一:
- V_CERTSTATUS_GOOD
- V_CERTSTATUS_REVOKED
- V_CERTSTATUS_UNKNOWN

当状态为 V_CERTSTATUS_REVOKED 时,可以通过 revocation_time 获取证书被吊销的时间。
/*
 * Backs SingleResponse#cert_status: returns the certificate status reported
 * by OCSP_single_get0_status() as a Ruby Integer.
 *
 * Only the status is requested here (reason and all time outputs are NULL),
 * so this call says nothing about whether thisUpdate/nextUpdate are current;
 * that is what check_validity is for. Raises eOCSPError when OpenSSL reports
 * a negative status.
 */
static VALUE
ossl_ocspsres_get_cert_status(VALUE self)
{
    OCSP_SINGLERESP *single;
    int cert_status;

    GetOCSPSingleRes(self, single);

    cert_status = OCSP_single_get0_status(single, NULL, NULL, NULL, NULL);
    if (cert_status < 0) {
        ossl_raise(eOCSPError, "OCSP_single_get0_status");
    }

    return INT2NUM(cert_status);
}
certid → CertificateId 点击切换源代码
返回此 SingleResponse 所属的 CertificateId。
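/*
 * Backs SingleResponse#certid: returns a CertificateId wrapping a private
 * copy of the OCSP_CERTID stored in this SingleResponse.
 *
 * The copy is made with OCSP_CERTID_dup() so the returned object does not
 * alias memory owned by the SingleResponse. Raises eOCSPError if the
 * duplication fails, instead of wrapping a NULL pointer.
 */
static VALUE
ossl_ocspsres_get_certid(VALUE self)
{
    OCSP_SINGLERESP *sres;
    OCSP_CERTID *id;

    GetOCSPSingleRes(self, sres);

    /* The cast presumably drops const from the get0 result so that it
     * matches OCSP_CERTID_dup()'s parameter; the original marks it FIXME. */
    id = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sres)); /* FIXME */
    if (!id)
        ossl_raise(eOCSPError, "OCSP_CERTID_dup");

    /* NOTE(review): if ossl_ocspcertid_new() can raise before taking
     * ownership, id would leak here - confirm against its definition. */
    return ossl_ocspcertid_new(id);
}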
check_validity(nsec = 0, maxsec = -1) → true | false 点击切换源代码
检查此 SingleResponse 的 thisUpdate 和 nextUpdate 字段的有效性。这将检查当前时间是否在 thisUpdate 到 nextUpdate 的范围内。
OCSP 请求可能需要几秒钟,或者时钟可能不准确。为了避免拒绝有效的响应,此方法允许这些时间与当前时间相差不超过 nsec 秒。
一些响应者没有设置 nextUpdate 字段,这可能导致非常旧的响应被认为有效。maxsec 参数可用于限制响应的最大年龄;默认值 -1 表示不做此限制,因此在使用默认值时,缺少 nextUpdate 的旧响应仍可能通过检查。
/*
 * Backs SingleResponse#check_validity(nsec = 0, maxsec = -1): checks the
 * thisUpdate / nextUpdate times of this SingleResponse with
 * OCSP_check_validity() and returns Qtrue or Qfalse.
 *
 * nsec   - forwarded as the clock-skew allowance; 0 when omitted or nil.
 * maxsec - forwarded as the maximum response age; -1 when omitted or nil.
 *
 * This is a time check only: the certificate status obtained from
 * OCSP_single_get0_status() is used solely to detect a failure (< 0) and is
 * otherwise ignored, so a true result does not mean the certificate is good.
 * Raises eOCSPError when OCSP_single_get0_status() fails.
 */
static VALUE
ossl_ocspsres_check_validity(int argc, VALUE *argv, VALUE self)
{
    OCSP_SINGLERESP *single;
    ASN1_GENERALIZEDTIME *this_upd, *next_upd;
    VALUE leeway_arg, max_age_arg;
    int leeway = 0;
    int max_age = -1;
    int cert_status;

    rb_scan_args(argc, argv, "02", &leeway_arg, &max_age_arg);
    if (!NIL_P(leeway_arg)) {
        leeway = NUM2INT(leeway_arg);
    }
    if (!NIL_P(max_age_arg)) {
        max_age = NUM2INT(max_age_arg);
    }

    GetOCSPSingleRes(self, single);
    cert_status = OCSP_single_get0_status(single, NULL, NULL, &this_upd, &next_upd);
    if (cert_status < 0) {
        ossl_raise(eOCSPError, "OCSP_single_get0_status");
    }

    if (!OCSP_check_validity(this_upd, next_upd, leeway, max_age)) {
        /* An out-of-range time is a normal "false" answer, not an error:
         * clear the OpenSSL error state instead of raising. */
        ossl_clear_error();
        return Qfalse;
    }

    return Qtrue;
}
extensions → Array of X509::Extension 点击切换源代码
/*
 * Backs SingleResponse#extensions: returns a Ruby Array with one
 * X509::Extension per extension carried by this SingleResponse, in index
 * order.
 */
static VALUE
ossl_ocspsres_get_extensions(VALUE self)
{
    OCSP_SINGLERESP *single;
    int total, idx;
    VALUE result;

    GetOCSPSingleRes(self, single);

    total = OCSP_SINGLERESP_get_ext_count(single);
    result = rb_ary_new2(total);

    for (idx = 0; idx < total; idx++) {
        X509_EXTENSION *entry = OCSP_SINGLERESP_get_ext(single, idx);

        /* The original notes that ossl_x509ext_new() duplicates the
         * extension, so the Ruby object does not borrow from single. */
        rb_ary_push(result, ossl_x509ext_new(entry));
    }

    return result;
}
initialize_copy(p1) 点击切换源代码
/*
 * Backs SingleResponse#initialize_copy(other): replaces the structure held
 * by self with a deep copy of the one held by other.
 *
 * Refuses to modify a frozen receiver (rb_check_frozen). Raises eOCSPError
 * when ASN1_item_dup() fails; in that case self still holds its previous
 * structure because the swap happens only after a successful copy.
 */
static VALUE
ossl_ocspsres_initialize_copy(VALUE self, VALUE other)
{
    OCSP_SINGLERESP *source, *previous, *duplicate;

    rb_check_frozen(self);
    GetOCSPSingleRes(self, previous);
    GetOCSPSingleRes(other, source);

    duplicate = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_SINGLERESP), source);
    if (duplicate == NULL) {
        ossl_raise(eOCSPError, "ASN1_item_dup");
    }

    /* Install the copy first, then release what self held before. */
    SetOCSPSingleRes(self, duplicate);
    OCSP_SINGLERESP_free(previous);

    return self;
}
next_update → Time | nil 点击切换源代码
/*
 * Backs SingleResponse#next_update: returns the nextUpdate time as a Ruby
 * Time, or nil when OCSP_single_get0_status() hands back no nextUpdate.
 *
 * Raises eOCSPError when OCSP_single_get0_status() reports a negative
 * status. A nil result matters to callers: with no nextUpdate the response
 * carries no expiry of its own.
 */
static VALUE
ossl_ocspsres_get_next_update(VALUE self)
{
    OCSP_SINGLERESP *single;
    ASN1_GENERALIZEDTIME *next_upd;
    int cert_status;

    GetOCSPSingleRes(self, single);

    cert_status = OCSP_single_get0_status(single, NULL, NULL, NULL, &next_upd);
    if (cert_status < 0) {
        ossl_raise(eOCSPError, "OCSP_single_get0_status");
    }

    return next_upd ? asn1time_to_time(next_upd) : Qnil;
}
revocation_reason → Integer | nil 点击切换源代码
/*
 * Backs SingleResponse#revocation_reason: returns the revocation reason
 * reported by OCSP_single_get0_status() as a Ruby Integer.
 *
 * Raises eOCSPError when the status lookup fails, and also when the
 * certificate status is anything other than V_OCSP_CERTSTATUS_REVOKED, so
 * this function never returns nil itself.
 */
static VALUE
ossl_ocspsres_get_revocation_reason(VALUE self)
{
    OCSP_SINGLERESP *single;
    int cert_status;
    int reason_code;

    GetOCSPSingleRes(self, single);

    cert_status = OCSP_single_get0_status(single, &reason_code, NULL, NULL, NULL);
    if (cert_status < 0) {
        ossl_raise(eOCSPError, "OCSP_single_get0_status");
    }
    /* reason_code is only read after confirming the revoked status. */
    if (cert_status != V_OCSP_CERTSTATUS_REVOKED) {
        ossl_raise(eOCSPError, "certificate is not revoked");
    }

    return INT2NUM(reason_code);
}
revocation_time → Time | nil 点击切换源代码
/*
 * Backs SingleResponse#revocation_time: returns the revocation time as a
 * Ruby Time, or nil when OCSP_single_get0_status() provides none.
 *
 * Raises eOCSPError when the status lookup fails, and also when the
 * certificate status is anything other than V_OCSP_CERTSTATUS_REVOKED.
 */
static VALUE
ossl_ocspsres_get_revocation_time(VALUE self)
{
    OCSP_SINGLERESP *single;
    ASN1_GENERALIZEDTIME *revoked_at;
    int cert_status;

    GetOCSPSingleRes(self, single);

    cert_status = OCSP_single_get0_status(single, NULL, &revoked_at, NULL, NULL);
    if (cert_status < 0) {
        ossl_raise(eOCSPError, "OCSP_single_get0_status");
    }
    if (cert_status != V_OCSP_CERTSTATUS_REVOKED) {
        ossl_raise(eOCSPError, "certificate is not revoked");
    }

    return revoked_at ? asn1time_to_time(revoked_at) : Qnil;
}
this_update → Time 点击切换源代码
/*
 * Backs SingleResponse#this_update: returns the thisUpdate time as a Ruby
 * Time. The code returns nil if OCSP_single_get0_status() hands back no
 * thisUpdate pointer.
 *
 * Raises eOCSPError when OCSP_single_get0_status() reports a negative
 * status.
 */
static VALUE
ossl_ocspsres_get_this_update(VALUE self)
{
    OCSP_SINGLERESP *single;
    ASN1_GENERALIZEDTIME *this_upd;
    int cert_status;

    GetOCSPSingleRes(self, single);

    cert_status = OCSP_single_get0_status(single, NULL, NULL, &this_upd, NULL);
    if (cert_status < 0) {
        ossl_raise(eOCSPError, "OCSP_single_get0_status");
    }

    return this_upd ? asn1time_to_time(this_upd) : Qnil;
}
to_der → String 点击切换源代码
将此 SingleResponse 编码为 DER 编码的字符串。
/*
 * Backs SingleResponse#to_der: returns this SingleResponse encoded as a DER
 * byte string.
 *
 * Encoding is done in two passes: the first i2d call (NULL output) yields
 * the required length, the second writes into a Ruby string of that size.
 * Raises eOCSPError if either pass returns a non-positive length.
 */
static VALUE
ossl_ocspsres_to_der(VALUE self)
{
    OCSP_SINGLERESP *single;
    VALUE encoded;
    long der_len;
    unsigned char *out;

    GetOCSPSingleRes(self, single);

    /* Pass 1: measure. */
    der_len = i2d_OCSP_SINGLERESP(single, NULL);
    if (der_len <= 0) {
        ossl_raise(eOCSPError, NULL);
    }

    /* Pass 2: encode into a buffer of exactly the measured size. */
    encoded = rb_str_new(0, der_len);
    out = (unsigned char *)RSTRING_PTR(encoded);
    if (i2d_OCSP_SINGLERESP(single, &out) <= 0) {
        ossl_raise(eOCSPError, NULL);
    }

    /* out now points just past the written bytes; ossl_str_adjust() uses it
     * to set the string's final length. */
    ossl_str_adjust(encoded, out);

    return encoded;
}