|
Server IP : 111.118.215.189 / Your IP : 216.73.216.153 Web Server : Apache System : Linux md-in-83.webhostbox.net 4.19.286-203.ELK.el7.x86_64 #1 SMP Wed Jun 14 04:33:55 CDT 2023 x86_64 User : a1673wkz ( 2475) PHP Version : 8.2.25 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON Directory (0755) : /proc/thread-self/root/opt/cpanel/ea-ruby24/root/usr/share/ri/system/OpenSSL/OCSP/ |
| [ Home ] | [ C0mmand ] | [ Upload File ] |
|---|
U:RDoc::NormalModule[iI" OCSP:ETI"OpenSSL::OCSP;T0o:RDoc::Markup::Document:
@parts[o;;[(o:
RDoc::Markup::Paragraph;[I"JOpenSSL::OCSP implements Online Certificate Status Protocol requests ;TI"and responses.;To:
RDoc::Markup::BlankLine�o; ;[ I"ICreating and sending an OCSP request requires a subject certificate ;TI"Kthat contains an OCSP URL in an authorityInfoAccess extension and the ;TI"Missuer certificate for the subject certificate. First, load the issuer ;TI"
and subject certificates:;T@o:RDoc::Markup::Verbatim;[I":subject = OpenSSL::X509::Certificate.new subject_pem
;TI"9issuer = OpenSSL::X509::Certificate.new issuer_pem
;T:
@format0o; ;[I"FTo create the request we need to create a certificate ID for the ;TI"Isubject certificate so the CA knows which certificate we are asking ;TI"
about:;T@o;
;[I"(digest = OpenSSL::Digest::SHA1.new
;TI"certificate_id =
;TI"@ OpenSSL::OCSP::CertificateId.new subject, issuer, digest
;T;
0o; ;[I"<Then create a request and add the certificate ID to it:;T@o;
;[I"*request = OpenSSL::OCSP::Request.new
;TI"'request.add_certid certificate_id
;T;
0o; ;[I"KAdding a nonce to the request protects against replay attacks but not ;TI"
all CA process the nonce.;T@o;
;[I"request.add_nonce
;T;
0o; ;[I"MTo submit the request to the CA for verification we need to extract the ;TI"+OCSP URI from the subject certificate:;T@o;
;[I"Dauthority_info_access = subject.extensions.find do |extension|
;TI". extension.oid == 'authorityInfoAccess'
;TI" end
;TI"
;TI";descriptions = authority_info_access.value.split "\n"
;TI"/ocsp = descriptions.find do |description|
;TI"& description.start_with? 'OCSP'
;TI" end
;TI"
;TI"require 'uri'
;TI"
;TI"(ocsp_uri = URI ocsp[/URI:(.*)/, 1]
;T;
0o; ;[I"KTo submit the request we'll POST the request to the OCSP URI (per RFC ;TI"I2560). Note that we only handle HTTP requests and don't handle any ;TI"Hredirects in this example, so this is insufficient for serious use.;T@o;
;[I"require 'net/http'
;TI"
;TI"http_response =
;TI"> Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http|
;TI"2 http.post ocsp_uri.path, request.to_der,
;TI"@ 'content-type' => 'application/ocsp-request'
;TI" end
;TI"
;TI"?response = OpenSSL::OCSP::Response.new http_response.body
;TI"%response_basic = response.basic
;T;
0o; ;[ I"LFirst we check if the response has a valid signature. Without a valid ;TI"Isignature we cannot trust it. If you get a failure here you may be ;TI"Kmissing a system certificate store or may be missing the intermediate ;TI"certificates.;T@o;
;[
I"&store = OpenSSL::X509::Store.new
;TI"
store.set_default_paths
;TI"
;TI"1unless response_basic.verify [], store then
;TI"? raise 'response is not signed by a trusted certificate'
;TI" end
;T;
0o; ;[I"JThe response contains the status information (success/fail). We can ;TI"$display the status as a string:;T@o;
;[I"0puts response.status_string #=> successful
;T;
0o; ;[ I"LNext we need to know the response details to determine if the response ;TI"Imatches our request. First we check the nonce. Again, not all CAs ;TI"Gsupport a nonce. See Request#check_nonce for the meanings of the ;TI"return values.;T@o;
;[I"Ap request.check_nonce basic_response #=> value from -1 to 3
;T;
0o; ;[I"LThen extract the status information for the certificate from the basic ;TI"response.;T@o;
;[
I"Dsingle_response = basic_response.find_response(certificate_id)
;TI"
;TI"
unless single_response
;TI"L raise 'basic_response does not have the status for the certificiate'
;TI" end
;T;
0o; ;[I"MThen check the validity. A status issued in the future must be rejected.;T@o;
;[I"+unless single_response.check_validity
;TI"K raise 'this_update is in the future or next_update time has passed'
;TI" end
;TI"
;TI"&case single_response.cert_status
;TI"+when OpenSSL::OCSP::V_CERTSTATUS_GOOD
;TI") puts 'certificate is still valid'
;TI".when OpenSSL::OCSP::V_CERTSTATUS_REVOKED
;TI"Q puts "certificate has been revoked at #{single_response.revocation_time}"
;TI".when OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
;TI"; puts 'responder doesn't know about the certificate'
;TI"end;T;
0:
@fileI"
ext/openssl/ossl_ocsp.c;T:0@omit_headings_from_table_of_contents_below0;
0;0[�[%U:RDoc::Constant[i�I""RESPONSE_STATUS_INTERNALERROR;TI"1OpenSSL::OCSP::RESPONSE_STATUS_INTERNALERROR;T00o;;[o; ;[I"
Internal error in issuer;T@;
@�;0@�@cRDoc::NormalModule0U;[i�I"%RESPONSE_STATUS_MALFORMEDREQUEST;TI"4OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST;T00o;;[o; ;[I"!Illegal confirmation request;T@;
@�;0@�@@�0U;[i�I"
REVOKED_STATUS_NOSTATUS;TI"+OpenSSL::OCSP::REVOKED_STATUS_NOSTATUS;T00o;;[o; ;[I"6The certificate was revoked for an unknown reason;T@;
@�;0@�@@�0U;[i�I" RESPONSE_STATUS_SIGREQUIRED;TI"/OpenSSL::OCSP::RESPONSE_STATUS_SIGREQUIRED;T00o;;[o; ;[I"+You must sign the request and resubmit;T@;
@�;0@�@@�0U;[i�I" RESPONSE_STATUS_SUCCESSFUL;TI".OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL;T00o;;[o; ;[I"%Response has valid confirmations;T@;
@�;0@�@@�0U;[i�I"
RESPONSE_STATUS_TRYLATER;TI",OpenSSL::OCSP::RESPONSE_STATUS_TRYLATER;T00o;;[o; ;[I"Try again later;T@;
@�;0@�@@�0U;[i�I"&REVOKED_STATUS_AFFILIATIONCHANGED;TI"5OpenSSL::OCSP::REVOKED_STATUS_AFFILIATIONCHANGED;T00o;;[o; ;[I"@The certificate subject's name or other information changed;T@;
@�;0@�@@�0U;[i�I" REVOKED_STATUS_CACOMPROMISE;TI"/OpenSSL::OCSP::REVOKED_STATUS_CACOMPROMISE;T00o;;[o; ;[I"<This CA certificate was revoked due to a key compromise;T@;
@�;0@�@@�0U;[i�I"#REVOKED_STATUS_CERTIFICATEHOLD;TI"2OpenSSL::OCSP::REVOKED_STATUS_CERTIFICATEHOLD;T00o;;[o; ;[I" The certificate is on hold;T@;
@�;0@�@@�0U;[i�I"(REVOKED_STATUS_CESSATIONOFOPERATION;TI"7OpenSSL::OCSP::REVOKED_STATUS_CESSATIONOFOPERATION;T00o;;[o; ;[I"(The certificate is no longer needed;T@;
@�;0@�@@�0U;[i�I"!REVOKED_STATUS_KEYCOMPROMISE;TI"0OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE;T00o;;[o; ;[I"8The certificate was revoked due to a key compromise;T@;
@�;0@�@@�0U;[i�I"!REVOKED_STATUS_REMOVEFROMCRL;TI"0OpenSSL::OCSP::REVOKED_STATUS_REMOVEFROMCRL;T00o;;[o; ;[I"KThe certificate was previously on hold and should now be removed from ;TI"
the CRL;T@;
@�;0@�@@�0U;[i�I"
REVOKED_STATUS_SUPERSEDED;TI"-OpenSSL::OCSP::REVOKED_STATUS_SUPERSEDED;T00o;;[o; ;[I"8The certificate was superseded by a new certificate;T@;
@�;0@�@@�0U;[i�I"!RESPONSE_STATUS_UNAUTHORIZED;TI"0OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED;T00o;;[o; ;[I""Your request is unauthorized.;T@;
@�;0@�@@�0U;[i�I" REVOKED_STATUS_UNSPECIFIED;TI".OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED;T00o;;[o; ;[I":The certificate was revoked for an unspecified reason;T@;
@�;0@�@@�0U;[i�I"
NOCERTS;TI"OpenSSL::OCSP::NOCERTS;T00o;;[o; ;[I"0Do not include certificates in the response;T@;
@�;0@�@@�0U;[i�I"
NOINTERN;TI"
OpenSSL::OCSP::NOINTERN;T00o;;[o; ;[I"FDo not search certificates contained in the response for a signer;T@;
@�;0@�@@�0U;[i�I"
NOSIGS;TI"OpenSSL::OCSP::NOSIGS;T00o;;[o; ;[I"/Do not check the signature on the response;T@;
@�;0@�@@�0U;[i�I"
NOCHAIN;TI"OpenSSL::OCSP::NOCHAIN;T00o;;[o; ;[I"8Do not verify the certificate chain on the response;T@;
@�;0@�@@�0U;[i�I"
NOVERIFY;TI"
OpenSSL::OCSP::NOVERIFY;T00o;;[o; ;[I"&Do not verify the response at all;T@;
@�;0@�@@�0U;[i�I"NOEXPLICIT;TI"
OpenSSL::OCSP::NOEXPLICIT;T00o;;[o; ;[I"Do not check trust;T@;
@�;0@�@@�0U;[i�I"
NOCASIGN;TI"
OpenSSL::OCSP::NOCASIGN;T00o;;[o; ;[I".(This flag is not used by OpenSSL 1.0.1g);T@;
@�;0@�@@�0U;[i�I"NODELEGATED;TI" OpenSSL::OCSP::NODELEGATED;T00o;;[o; ;[I".(This flag is not used by OpenSSL 1.0.1g);T@;
@�;0@�@@�0U;[i�I"
NOCHECKS;TI"
OpenSSL::OCSP::NOCHECKS;T00o;;[o; ;[I"6Do not make additional signing certificate checks;T@;
@�;0@�@@�0U;[i�I"TRUSTOTHER;TI"
OpenSSL::OCSP::TRUSTOTHER;T00o;;[o; ;[I"*Do not verify additional certificates;T@;
@�;0@�@@�0U;[i�I"RESPID_KEY;TI"
OpenSSL::OCSP::RESPID_KEY;T00o;;[o; ;[I"<Identify the response by signing the certificate key ID;T@;
@�;0@�@@�0U;[i�I"
NOTIME;TI"OpenSSL::OCSP::NOTIME;T00o;;[o; ;[I"/Do not include producedAt time in response;T@;
@�;0@�@@�0U;[i�I"V_CERTSTATUS_GOOD;TI"%OpenSSL::OCSP::V_CERTSTATUS_GOOD;T00o;;[o; ;[I"LIndicates the certificate is not revoked but does not necessarily mean ;TI"Dthe certificate was issued or that this response is within the ;TI"$certificate's validity interval;T@;
@�;0@�@@�0U;[i�I"V_CERTSTATUS_REVOKED;TI"(OpenSSL::OCSP::V_CERTSTATUS_REVOKED;T00o;;[o; ;[I"FIndicates the certificate has been revoked either permanently or ;TI"temporarily (on hold).;T@;
@�;0@�@@�0U;[i�I"V_CERTSTATUS_UNKNOWN;TI"(OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN;T00o;;[o; ;[I"GIndicates the responder does not know about the certificate being ;TI"requested.;T@;
@�;0@�@@�0U;[i�I"V_RESPID_NAME;TI"!OpenSSL::OCSP::V_RESPID_NAME;T00o;;[o; ;[I"/The responder ID is based on the key name.;T@;
@�;0@�@@�0U;[i�I"V_RESPID_KEY;TI" OpenSSL::OCSP::V_RESPID_KEY;T00o;;[o; ;[I"1The responder ID is based on the public key.;T@;
@�;0@�@@�0[�[[I"
class;T[[:
public[�[:protected[�[:
private[�[I"
instance;T[[;[�[;[�[;[�[�[U:RDoc::Context::Section[i�0o;;[�;
0;0[I"ext/openssl/ossl.c;TI"
OpenSSL;F@�