author | GOTOU Yuuzou <gotoyuzo@notwork.org> | 2003-06-29 08:33:41 +0000 |
---|---|---|
committer | GOTOU Yuuzou <gotoyuzo@notwork.org> | 2003-06-29 08:33:41 +0000 |
commit | a66b1aec2024e6f41bc981654e67182809211936 (patch) | |
tree | b9795c0c9214a7e92979b975689bc4f4bf1d3e3e /examples | |
parent | 11dfeef14246cd6a66017ffd314c599e3042b6c1 (diff) | |
download | ruby-openssl-history-a66b1aec2024e6f41bc981654e67182809211936.tar.gz |
OpenSSL::OCSP is added.
Diffstat (limited to 'examples')
-rw-r--r-- | examples/ossl_ocsp.rb | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/examples/ossl_ocsp.rb b/examples/ossl_ocsp.rb
new file mode 100644
index 0000000..e5b65ba
--- /dev/null
+++ b/examples/ossl_ocsp.rb
@@ -0,0 +1,115 @@
+require 'openssl'
+#OpenSSL::debug = true
+include OpenSSL
+
+cacert = X509::Certificate.new(File::read("0cert.pem"))
+crl = X509::CRL.new(File::read("0crl.pem"))
+
+user = X509::Certificate.new(File::read("1cert.pem"))
+user_key = PKey::RSA.new(File::read("1key-plain.pem"))
+responder = X509::Certificate.new(File::read("2cert.pem"))
+responder_key = PKey::RSA.new(File::read("2key-plain.pem"))
+ee = X509::Certificate.new(File::read("3cert.pem"))
+
+store = X509::Store.new
+store.add_cert(cacert)
+#store.add_crl(crl)
+store.verify_callback = lambda{|ok,ctx|
+ cert = ctx.current_cert
+ p [ cert.subject, ctx.error_string ]
+ return ok
+}
+
+##
+## requester create a message
+##
+req = OCSP::Request.new
+cid = OCSP::CertificateId.new(ee, cacert)
+req.add_certid(cid)
+req.add_nonce
+req.sign(user, user_key, [user])
+req_der = req.to_der
+p req_der
+
+##
+## send req_der to responder...
+##
+req = OCSP::Request.new(req_der)
+myid = OCSP::CertificateId.new(responder, cacert)
+res = nil
+if req.verify([], store)
+ thisupdate = Time.now
+ nextupdate = Time.now + 3600
+ basic = OCSP::BasicResponse.new
+ basic.copy_nonce(req)
+ req.certid.each{|id|
+ unless id.cmp_issuer(myid)
+ # Certificate:
+ # OCSP::V_CERTSTATUS_GOOD
+ # OCSP::V_CERTSTATUS_REVOKED
+ # OCSP::V_CERTSTATUS_UNKNOWN
+ # OCSP::V_RESPID_NAME
+ # OCSP::V_RESPID_KEY
+ basic.add_status(cid, OCSP::V_CERTSTATUS_UNKNOWN, 0, nil,
+ thisupdate, nextupdate, nil)
+ next
+ end
+ $stdout.printf "serial %d is good certificate? [Y/n]:", id.serial
+ answer = $stdin.gets
+ answer.chomp!
+ if answer.empty? || /^y/i =~ answer
+ basic.add_status(cid, OCSP::V_CERTSTATUS_GOOD, 0, nil,
+ thisupdate, nextupdate, nil)
+ else
+ # CRLReason:
+ # OCSP::REVOKED_STATUS_NOSTATUS
+ # OCSP::REVOKED_STATUS_UNSPECIFIED
+ # OCSP::REVOKED_STATUS_KEYCOMPROMISE
+ # OCSP::REVOKED_STATUS_CACOMPROMISE
+ # OCSP::REVOKED_STATUS_AFFILIATIONCHANGED
+ # OCSP::REVOKED_STATUS_SUPERSEDED
+ # OCSP::REVOKED_STATUS_CESSATIONOFOPERATION
+ # OCSP::REVOKED_STATUS_CERTIFICATEHOLD
+ # OCSP::REVOKED_STATUS_REMOVEFROMCRL
+ revoked = Time.now - 3600
+ basic.add_status(cid, OCSP::V_CERTSTATUS_REVOKED,
+ OCSP::REVOKED_STATUS_KEYCOMPROMISE, revoked,
+ thisupdate, nextupdate, nil)
+ end
+ }
+ # Response status:
+ # OCSP::RESPONSE_STATUS_SUCCESSFUL
+ # OCSP::RESPONSE_STATUS_MALFORMEDREQUEST
+ # OCSP::RESPONSE_STATUS_INTERNALERROR
+ # OCSP::RESPONSE_STATUS_TRYLATER
+ # OCSP::RESPONSE_STATUS_SIGREQUIRED
+ # OCSP::RESPONSE_STATUS_UNAUTHORIZED);
+ basic.sign(responder, responder_key, [responder])
+ res = OCSP::Response.create(OCSP::RESPONSE_STATUS_SUCCESSFUL, basic)
+else
+ res = OCSP::Response.create(OCSP::RESPONSE_STATUS_UNAUTHORIZED, nil)
+end
+res_der = res.to_der
+p res_der
+
+##
+## send req_der to requester...
+##
+res = OCSP::Response.new(res_der)
+p [ res.status, res.status_string ]
+if res.status == OCSP::RESPONSE_STATUS_SUCCESSFUL
+ basic = res.basic
+ req.check_nonce(basic)
+ basic.status.each{|st|
+ cid, cert_status, reason, revtime, thisupd, nextupd, ext = st
+ p [ :cid, cid.serial ]
+ p [ :cert_status, cert_status ]
+ p [ :thisupd, thisupd ]
+ p [ :nextupd, nextupd ]
+ p [ :ext, ext ]
+ if cert_status == OCSP::V_CERTSTATUS_REVOKED
+ p [ :resson, reason ]
+ p [ :revtime, revtime ]
+ end
+ }
+end
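Review bot: The requester half trusts the response without checking who signed it — after `basic = res.basic` the script calls `req.check_nonce(basic)` but discards the return value, then reads `basic.status` straight away, so a response with a missing or mismatched nonce, or one not signed by a responder the store trusts, is printed as if it were authoritative; the result of `check_nonce` should gate the loop, and the response-side counterpart of `req.verify([], store)` should run on the BasicResponse before its statuses are consumed (I can only see the Request side's `verify` in this hunk, so confirm the BasicResponse API offers one). In the responder loop the three `basic.add_status(cid, ...)` calls use `cid`, the requester-side CertificateId built earlier in the script, rather than the block parameter `id` that was just compared and whose serial was just printed — it only works because both halves live in one file, and as a template for a real responder it answers for the wrong id; change them to `basic.add_status(id, ...)`. The prompt check `/^y/i =~ answer` uses `^`, which is a line anchor in Ruby, and `$stdin.gets` returns nil at EOF so `answer.chomp!` would raise; `if answer.nil? || answer.empty? || answer.match?(/\Ay/i)` covers both. Finally the requester-side `p [ :resson, reason ]` is a typo for `:reason`.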