diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2016-10-10 19:45:39 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2017-06-19 15:50:54 +0900 |
commit | af8a14df6994a4d22dff89b2ec1882867c0a7f19 (patch) | |
tree | 376b0307d1040d50066a61662bbb07af3bc14f9b | |
parent | 576eff66bece4c3e49d4041a3746c2a520627946 (diff) | |
download | ruby-openssl-topic/ocsp-request-is-signed.tar.gz |
ocsp: add OpenSSL::OCSP::Request#signed?topic/ocsp-request-is-signed
Add a method to check whether the OpenSSL::OCSP::Request is signed or
not. Currently there is no way to distinguish them except inspecting
DER encoding or parsing verification error message.
-rw-r--r-- | ext/openssl/ossl_ocsp.c | 20 | ||||
-rw-r--r-- | test/test_ocsp.rb | 15 |
2 files changed, 35 insertions, 0 deletions
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c index e34eee0c..28cc2791 100644 --- a/ext/openssl/ossl_ocsp.c +++ b/ext/openssl/ossl_ocsp.c @@ -404,6 +404,9 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self) * Verifies this request using the given _certificates_ and _store_. * _certificates_ is an array of OpenSSL::X509::Certificate, _store_ is an * OpenSSL::X509::Store. + * + * Note that +false+ is returned if the request does not have a signature. + * Use #signed? to check whether the request is signed or not. */ static VALUE @@ -453,6 +456,22 @@ ossl_ocspreq_to_der(VALUE self) } /* + * call-seq: + * request.signed? -> true or false + * + * Returns +true+ if the request is signed, +false+ otherwise. Note that the + * validity of the signature is *not* checked. Use #verify to verify that. + */ +static VALUE +ossl_ocspreq_signed_p(VALUE self) +{ + OCSP_REQUEST *req; + + GetOCSPReq(self, req); + return OCSP_request_is_signed(req) ? Qtrue : Qfalse; +} + +/* * OCSP::Response */ @@ -1809,6 +1828,7 @@ Init_ossl_ocsp(void) rb_define_method(cOCSPReq, "check_nonce", ossl_ocspreq_check_nonce, 1); rb_define_method(cOCSPReq, "add_certid", ossl_ocspreq_add_certid, 1); rb_define_method(cOCSPReq, "certid", ossl_ocspreq_get_certid, 0); + rb_define_method(cOCSPReq, "signed?", ossl_ocspreq_signed_p, 0); rb_define_method(cOCSPReq, "sign", ossl_ocspreq_sign, -1); rb_define_method(cOCSPReq, "verify", ossl_ocspreq_verify, -1); rb_define_method(cOCSPReq, "to_der", ossl_ocspreq_to_der, 0); diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb index 6677d751..25e052ae 100644 --- a/test/test_ocsp.rb +++ b/test/test_ocsp.rb @@ -128,6 +128,21 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase # fixed by OpenSSL 1.0.1j, 1.0.2 and LibreSSL 2.4.2 pend "RT2560: ocsp_req_find_signer" end + + # not signed + req = OpenSSL::OCSP::Request.new.add_certid(cid) + assert_equal false, req.verify([], store) + end + + def test_request_is_signed + cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert) + req = OpenSSL::OCSP::Request.new + req.add_certid(cid) + assert_equal false, req.signed? + assert_equal false, OpenSSL::OCSP::Request.new(req.to_der).signed? + req.sign(@cert, @cert_key, []) + assert_equal true, req.signed? + assert_equal true, OpenSSL::OCSP::Request.new(req.to_der).signed? end def test_request_nonce |