U:RDoc::NormalModule[iI"	OCSP:ETI"OpenSSL::OCSP;F0o:RDoc::Markup::Document:@parts[o;;[(o:RDoc::Markup::Paragraph;[I"JOpenSSL::OCSP implements Online Certificate Status Protocol requests ;TI"and responses.;To:RDoc::Markup::BlankLineo;	;[	I"ICreating and sending an OCSP request requires a subject certificate ;TI"Kthat contains an OCSP URL in an authorityInfoAccess extension and the ;TI"Missuer certificate for the subject certificate.  First, load the issuer ;TI"and subject certificates:;T@o:RDoc::Markup::Verbatim;[I":subject = OpenSSL::X509::Certificate.new subject_pem
;TI"9issuer  = OpenSSL::X509::Certificate.new issuer_pem
;T:@format0o;	;[I"FTo create the request we need to create a certificate ID for the ;TI"Isubject certificate so the CA knows which certificate we are asking ;TI"about:;T@o;;[I"(digest = OpenSSL::Digest::SHA1.new
;TI"certificate_id =
;TI"@  OpenSSL::OCSP::CertificateId.new subject, issuer, digest
;T;0o;	;[I"<Then create a request and add the certificate ID to it:;T@o;;[I"*request = OpenSSL::OCSP::Request.new
;TI"'request.add_certid certificate_id
;T;0o;	;[I"KAdding a nonce to the request protects against replay attacks but not ;TI"all CA process the nonce.;T@o;;[I"request.add_nonce
;T;0o;	;[I"MTo submit the request to the CA for verification we need to extract the ;TI"+OCSP URI from the subject certificate:;T@o;;[I"Dauthority_info_access = subject.extensions.find do |extension|
;TI".  extension.oid == 'authorityInfoAccess'
;TI"	end
;TI"
;TI";descriptions = authority_info_access.value.split "\n"
;TI"/ocsp = descriptions.find do |description|
;TI"&  description.start_with? 'OCSP'
;TI"	end
;TI"
;TI"require 'uri'
;TI"
;TI"(ocsp_uri = URI ocsp[/URI:(.*)/, 1]
;T;0o;	;[I"KTo submit the request we'll POST the request to the OCSP URI (per RFC ;TI"I2560).  Note that we only handle HTTP requests and don't handle any ;TI"Hredirects in this example, so this is insufficient for serious use.;T@o;;[I"require 'net/http'
;TI"
;TI"http_response =
;TI">  Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http|
;TI"2    http.post ocsp_uri.path, request.to_der,
;TI"@              'content-type' => 'application/ocsp-request'
;TI"	end
;TI"
;TI"?response = OpenSSL::OCSP::Response.new http_response.body
;TI"%response_basic = response.basic
;T;0o;	;[	I"LFirst we check if the response has a valid signature.  Without a valid ;TI"Isignature we cannot trust it.  If you get a failure here you may be ;TI"Kmissing a system certificate store or may be missing the intermediate ;TI"certificates.;T@o;;[I"&store = OpenSSL::X509::Store.new
;TI"store.set_default_paths
;TI"
;TI"+unless response.verify [], store then
;TI"?  raise 'response is not signed by a trusted certificate'
;TI"	end
;T;0o;	;[I"JThe response contains the status information (success/fail).  We can ;TI"$display the status as a string:;T@o;;[I"0puts response.status_string #=> successful
;T;0o;	;[	I"LNext we need to know the response details to determine if the response ;TI"Imatches our request.  First we check the nonce.  Again, not all CAs ;TI"Gsupport a nonce.  See Request#check_nonce for the meanings of the ;TI"return values.;T@o;;[I"Ap request.check_nonce basic_response #=> value from -1 to 3
;T;0o;	;[I"LThen extract the status information from the basic response.  (You can ;TI"Lcheck multiple certificates in a request, but for this example we only ;TI"submitted one.);T@o;;[I"?response_certificate_id, status, reason, revocation_time,
;TI"D  this_update, next_update, extensions = basic_response.status
;T;0o;	;[I"#Then check the various fields.;T@o;;[I";unless response_certificate_id == certificate_id then
;TI"'  raise 'certificate id mismatch'
;TI"	end
;TI"
;TI"now = Time.now
;TI"
;TI"if this_update > now then
;TI",  raise 'update date is in the future'
;TI"	end
;TI"
;TI"if now > next_update then
;TI"+  raise 'next update time has passed'
;TI"end;T;0:
@fileI"ext/openssl/ossl_ocsp.c;T:0@omit_headings_from_table_of_contents_below0;
0;0[[%U:RDoc::Constant[iI""RESPONSE_STATUS_INTERNALERROR;TI"1OpenSSL::OCSP::RESPONSE_STATUS_INTERNALERROR;F00o;;[o;	;[I"Internal error in issuer;T@;
@
‹;0@
‹@cRDoc::NormalModule0U;[iI"%RESPONSE_STATUS_MALFORMEDREQUEST;TI"4OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST;F00o;;[o;	;[I"!Illegal confirmation request;T@;
@
‹;0@
‹@@
—0U;[iI"REVOKED_STATUS_NOSTATUS;TI"+OpenSSL::OCSP::REVOKED_STATUS_NOSTATUS;F00o;;[o;	;[I"6The certificate was revoked for an unknown reason;T@;
@
‹;0@
‹@@
—0U;[iI" RESPONSE_STATUS_SIGREQUIRED;TI"/OpenSSL::OCSP::RESPONSE_STATUS_SIGREQUIRED;F00o;;[o;	;[I"+You must sign the request and resubmit;T@;
@
‹;0@
‹@@
—0U;[iI"RESPONSE_STATUS_SUCCESSFUL;TI".OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL;F00o;;[o;	;[I"%Response has valid confirmations;T@;
@
‹;0@
‹@@
—0U;[iI"RESPONSE_STATUS_TRYLATER;TI",OpenSSL::OCSP::RESPONSE_STATUS_TRYLATER;F00o;;[o;	;[I"Try again later;T@;
@
‹;0@
‹@@
—0U;[iI"&REVOKED_STATUS_AFFILIATIONCHANGED;TI"5OpenSSL::OCSP::REVOKED_STATUS_AFFILIATIONCHANGED;F00o;;[o;	;[I"@The certificate subject's name or other information changed;T@;
@
‹;0@
‹@@
—0U;[iI" REVOKED_STATUS_CACOMPROMISE;TI"/OpenSSL::OCSP::REVOKED_STATUS_CACOMPROMISE;F00o;;[o;	;[I"<This CA certificate was revoked due to a key compromise;T@;
@
‹;0@
‹@@
—0U;[iI"#REVOKED_STATUS_CERTIFICATEHOLD;TI"2OpenSSL::OCSP::REVOKED_STATUS_CERTIFICATEHOLD;F00o;;[o;	;[I"The certificate is on hold;T@;
@
‹;0@
‹@@
—0U;[iI"(REVOKED_STATUS_CESSATIONOFOPERATION;TI"7OpenSSL::OCSP::REVOKED_STATUS_CESSATIONOFOPERATION;F00o;;[o;	;[I"(The certificate is no longer needed;T@;
@
‹;0@
‹@@
—0U;[iI"!REVOKED_STATUS_KEYCOMPROMISE;TI"0OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE;F00o;;[o;	;[I"8The certificate was revoked due to a key compromise;T@;
@
‹;0@
‹@@
—0U;[iI"!REVOKED_STATUS_REMOVEFROMCRL;TI"0OpenSSL::OCSP::REVOKED_STATUS_REMOVEFROMCRL;F00o;;[o;	;[I"KThe certificate was previously on hold and should now be removed from ;TI"the CRL;T@;
@
‹;0@
‹@@
—0U;[iI"REVOKED_STATUS_SUPERSEDED;TI"-OpenSSL::OCSP::REVOKED_STATUS_SUPERSEDED;F00o;;[o;	;[I"8The certificate was superseded by a new certificate;T@;
@
‹;0@
‹@@
—0U;[iI"!RESPONSE_STATUS_UNAUTHORIZED;TI"0OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED;F00o;;[o;	;[I""Your request is unauthorized.;T@;
@
‹;0@
‹@@
—0U;[iI"REVOKED_STATUS_UNSPECIFIED;TI".OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED;F00o;;[o;	;[I":The certificate was revoked for an unspecified reason;T@;
@
‹;0@
‹@@
—0U;[iI"NOCERTS;TI"OpenSSL::OCSP::NOCERTS;F00o;;[o;	;[I"0Do not include certificates in the response;T@;
@
‹;0@
‹@@
—0U;[iI"
NOINTERN;TI"OpenSSL::OCSP::NOINTERN;F00o;;[o;	;[I"FDo not search certificates contained in the response for a signer;T@;
@
‹;0@
‹@@
—0U;[iI"NOSIGS;TI"OpenSSL::OCSP::NOSIGS;F00o;;[o;	;[I"/Do not check the signature on the response;T@;
@
‹;0@
‹@@
—0U;[iI"NOCHAIN;TI"OpenSSL::OCSP::NOCHAIN;F00o;;[o;	;[I"8Do not verify the certificate chain on the response;T@;
@
‹;0@
‹@@
—0U;[iI"
NOVERIFY;TI"OpenSSL::OCSP::NOVERIFY;F00o;;[o;	;[I"&Do not verify the response at all;T@;
@
‹;0@
‹@@
—0U;[iI"NOEXPLICIT;TI"OpenSSL::OCSP::NOEXPLICIT;F00o;;[o;	;[I"Do not check trust;T@;
@
‹;0@
‹@@
—0U;[iI"
NOCASIGN;TI"OpenSSL::OCSP::NOCASIGN;F00o;;[o;	;[I".(This flag is not used by OpenSSL 1.0.1g);T@;
@
‹;0@
‹@@
—0U;[iI"NODELEGATED;TI"OpenSSL::OCSP::NODELEGATED;F00o;;[o;	;[I".(This flag is not used by OpenSSL 1.0.1g);T@;
@
‹;0@
‹@@
—0U;[iI"
NOCHECKS;TI"OpenSSL::OCSP::NOCHECKS;F00o;;[o;	;[I"6Do not make additional signing certificate checks;T@;
@
‹;0@
‹@@
—0U;[iI"TRUSTOTHER;TI"OpenSSL::OCSP::TRUSTOTHER;F00o;;[o;	;[I"*Do not verify additional certificates;T@;
@
‹;0@
‹@@
—0U;[iI"RESPID_KEY;TI"OpenSSL::OCSP::RESPID_KEY;F00o;;[o;	;[I"<Identify the response by signing the certificate key ID;T@;
@
‹;0@
‹@@
—0U;[iI"NOTIME;TI"OpenSSL::OCSP::NOTIME;F00o;;[o;	;[I"/Do not include producedAt time in response;T@;
@
‹;0@
‹@@
—0U;[iI"V_CERTSTATUS_GOOD;TI"%OpenSSL::OCSP::V_CERTSTATUS_GOOD;F00o;;[o;	;[I"LIndicates the certificate is not revoked but does not necessarily mean ;TI"Dthe certificate was issued or that this response is within the ;TI"$certificate's validity interval;T@;
@
‹;0@
‹@@
—0U;[iI"V_CERTSTATUS_REVOKED;TI"(OpenSSL::OCSP::V_CERTSTATUS_REVOKED;F00o;;[o;	;[I"FIndicates the certificate has been revoked either permanently or ;TI"temporarily (on hold).;T@;
@
‹;0@
‹@@
—0U;[iI"V_CERTSTATUS_UNKNOWN;TI"(OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN;F00o;;[o;	;[I"GIndicates the responder does not know about the certificate being ;TI"requested.;T@;
@
‹;0@
‹@@
—0U;[iI"V_RESPID_NAME;TI"!OpenSSL::OCSP::V_RESPID_NAME;F00o;;[o;	;[I"/The responder ID is based on the key name.;T@;
@
‹;0@
‹@@
—0U;[iI"V_RESPID_KEY;TI" OpenSSL::OCSP::V_RESPID_KEY;F00o;;[o;	;[I"1The responder ID is based on the public key.;T@;
@
‹;0@
‹@@
—0[[[I"
class;T[[:public[[:protected[[:private[[I"
instance;T[[;[[;[[;[[[U:RDoc::Context::Section[i0o;;[;
0;0[I"ext/openssl/ossl.c;TI"OpenSSL;F@
—