U:RDoc::NormalModule[iI"	OCSP:ETI"OpenSSL::OCSP;T0o:RDoc::Markup::Document:@parts[o;;[(o:RDoc::Markup::Paragraph;[I"JOpenSSL::OCSP implements Online Certificate Status Protocol requests ;TI"and responses.;To:RDoc::Markup::BlankLine o;	;[	I"ICreating and sending an OCSP request requires a subject certificate ;TI"Kthat contains an OCSP URL in an authorityInfoAccess extension and the ;TI"Missuer certificate for the subject certificate.  First, load the issuer ;TI"and subject certificates:;T@o:RDoc::Markup::Verbatim;[I":subject = OpenSSL::X509::Certificate.new subject_pem
;TI"9issuer  = OpenSSL::X509::Certificate.new issuer_pem
;T:@format0o;	;[I"FTo create the request we need to create a certificate ID for the ;TI"Isubject certificate so the CA knows which certificate we are asking ;TI"about:;T@o;;[I"(digest = OpenSSL::Digest::SHA1.new
;TI"certificate_id =
;TI"@  OpenSSL::OCSP::CertificateId.new subject, issuer, digest
;T;0o;	;[I"<Then create a request and add the certificate ID to it:;T@o;;[I"*request = OpenSSL::OCSP::Request.new
;TI"'request.add_certid certificate_id
;T;0o;	;[I"KAdding a nonce to the request protects against replay attacks but not ;TI"all CA process the nonce.;T@o;;[I"request.add_nonce
;T;0o;	;[I"MTo submit the request to the CA for verification we need to extract the ;TI"+OCSP URI from the subject certificate:;T@o;;[I"Dauthority_info_access = subject.extensions.find do |extension|
;TI".  extension.oid == 'authorityInfoAccess'
;TI"	end
;TI"
;TI";descriptions = authority_info_access.value.split "\n"
;TI"/ocsp = descriptions.find do |description|
;TI"&  description.start_with? 'OCSP'
;TI"	end
;TI"
;TI"require 'uri'
;TI"
;TI"(ocsp_uri = URI ocsp[/URI:(.*)/, 1]
;T;0o;	;[I"KTo submit the request we'll POST the request to the OCSP URI (per RFC ;TI"I2560).  Note that we only handle HTTP requests and don't handle any ;TI"Hredirects in this example, so this is insufficient for serious use.;T@o;;[I"require 'net/http'
;TI"
;TI"http_response =
;TI">  Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http|
;TI"2    http.post ocsp_uri.path, request.to_der,
;TI"@              'content-type' => 'application/ocsp-request'
;TI"	end
;TI"
;TI"?response = OpenSSL::OCSP::Response.new http_response.body
;TI"%response_basic = response.basic
;T;0o;	;[	I"LFirst we check if the response has a valid signature.  Without a valid ;TI"Isignature we cannot trust it.  If you get a failure here you may be ;TI"Kmissing a system certificate store or may be missing the intermediate ;TI"certificates.;T@o;;[I"&store = OpenSSL::X509::Store.new
;TI"store.set_default_paths
;TI"
;TI"1unless response_basic.verify [], store then
;TI"?  raise 'response is not signed by a trusted certificate'
;TI"	end
;T;0o;	;[I"JThe response contains the status information (success/fail).  We can ;TI"$display the status as a string:;T@o;;[I"0puts response.status_string #=> successful
;T;0o;	;[	I"LNext we need to know the response details to determine if the response ;TI"Imatches our request.  First we check the nonce.  Again, not all CAs ;TI"Gsupport a nonce.  See Request#check_nonce for the meanings of the ;TI"return values.;T@o;;[I"Ap request.check_nonce basic_response #=> value from -1 to 3
;T;0o;	;[I"LThen extract the status information for the certificate from the basic ;TI"response.;T@o;;[
I"Dsingle_response = basic_response.find_response(certificate_id)
;TI"
;TI"unless single_response
;TI"L  raise 'basic_response does not have the status for the certificiate'
;TI"	end
;T;0o;	;[I"MThen check the validity. A status issued in the future must be rejected.;T@o;;[I"+unless single_response.check_validity
;TI"K  raise 'this_update is in the future or next_update time has passed'
;TI"	end
;TI"
;TI"&case single_response.cert_status
;TI"+when OpenSSL::OCSP::V_CERTSTATUS_GOOD
;TI")  puts 'certificate is still valid'
;TI".when OpenSSL::OCSP::V_CERTSTATUS_REVOKED
;TI"Q  puts "certificate has been revoked at #{single_response.revocation_time}"
;TI".when OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
;TI";  puts 'responder doesn't know about the certificate'
;TI"end;T;0:
@fileI"ext/openssl/ossl_ocsp.c;T:0@omit_headings_from_table_of_contents_below0;0;0[ [%U:RDoc::Constant[i I""RESPONSE_STATUS_INTERNALERROR;TI"1OpenSSL::OCSP::RESPONSE_STATUS_INTERNALERROR;T00o;;[o;	;[I"Internal error in issuer;T@;@�;0@�@cRDoc::NormalModule0U;[i I"%RESPONSE_STATUS_MALFORMEDREQUEST;TI"4OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST;T00o;;[o;	;[I"!Illegal confirmation request;T@;@�;0@�@@�0U;[i I"REVOKED_STATUS_NOSTATUS;TI"+OpenSSL::OCSP::REVOKED_STATUS_NOSTATUS;T00o;;[o;	;[I"6The certificate was revoked for an unknown reason;T@;@�;0@�@@�0U;[i I" RESPONSE_STATUS_SIGREQUIRED;TI"/OpenSSL::OCSP::RESPONSE_STATUS_SIGREQUIRED;T00o;;[o;	;[I"+You must sign the request and resubmit;T@;@�;0@�@@�0U;[i I"RESPONSE_STATUS_SUCCESSFUL;TI".OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL;T00o;;[o;	;[I"%Response has valid confirmations;T@;@�;0@�@@�0U;[i I"RESPONSE_STATUS_TRYLATER;TI",OpenSSL::OCSP::RESPONSE_STATUS_TRYLATER;T00o;;[o;	;[I"Try again later;T@;@�;0@�@@�0U;[i I"&REVOKED_STATUS_AFFILIATIONCHANGED;TI"5OpenSSL::OCSP::REVOKED_STATUS_AFFILIATIONCHANGED;T00o;;[o;	;[I"@The certificate subject's name or other information changed;T@;@�;0@�@@�0U;[i I" REVOKED_STATUS_CACOMPROMISE;TI"/OpenSSL::OCSP::REVOKED_STATUS_CACOMPROMISE;T00o;;[o;	;[I"<This CA certificate was revoked due to a key compromise;T@;@�;0@�@@�0U;[i I"#REVOKED_STATUS_CERTIFICATEHOLD;TI"2OpenSSL::OCSP::REVOKED_STATUS_CERTIFICATEHOLD;T00o;;[o;	;[I"The certificate is on hold;T@;@�;0@�@@�0U;[i I"(REVOKED_STATUS_CESSATIONOFOPERATION;TI"7OpenSSL::OCSP::REVOKED_STATUS_CESSATIONOFOPERATION;T00o;;[o;	;[I"(The certificate is no longer needed;T@;@�;0@�@@�0U;[i I"!REVOKED_STATUS_KEYCOMPROMISE;TI"0OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE;T00o;;[o;	;[I"8The certificate was revoked due to a key compromise;T@;@�;0@�@@�0U;[i I"!REVOKED_STATUS_REMOVEFROMCRL;TI"0OpenSSL::OCSP::REVOKED_STATUS_REMOVEFROMCRL;T00o;;[o;	;[I"KThe certificate was previously on hold and should now be removed from ;TI"the CRL;T@;@�;0@�@@�0U;[i I"REVOKED_STATUS_SUPERSEDED;TI"-OpenSSL::OCSP::REVOKED_STATUS_SUPERSEDED;T00o;;[o;	;[I"8The certificate was superseded by a new certificate;T@;@�;0@�@@�0U;[i I"!RESPONSE_STATUS_UNAUTHORIZED;TI"0OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED;T00o;;[o;	;[I""Your request is unauthorized.;T@;@�;0@�@@�0U;[i I"REVOKED_STATUS_UNSPECIFIED;TI".OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED;T00o;;[o;	;[I":The certificate was revoked for an unspecified reason;T@;@�;0@�@@�0U;[i I"NOCERTS;TI"OpenSSL::OCSP::NOCERTS;T00o;;[o;	;[I"0Do not include certificates in the response;T@;@�;0@�@@�0U;[i I"NOINTERN;TI"OpenSSL::OCSP::NOINTERN;T00o;;[o;	;[I"FDo not search certificates contained in the response for a signer;T@;@�;0@�@@�0U;[i I"NOSIGS;TI"OpenSSL::OCSP::NOSIGS;T00o;;[o;	;[I"/Do not check the signature on the response;T@;@�;0@�@@�0U;[i I"NOCHAIN;TI"OpenSSL::OCSP::NOCHAIN;T00o;;[o;	;[I"8Do not verify the certificate chain on the response;T@;@�;0@�@@�0U;[i I"NOVERIFY;TI"OpenSSL::OCSP::NOVERIFY;T00o;;[o;	;[I"&Do not verify the response at all;T@;@�;0@�@@�0U;[i I"NOEXPLICIT;TI"OpenSSL::OCSP::NOEXPLICIT;T00o;;[o;	;[I"Do not check trust;T@;@�;0@�@@�0U;[i I"NOCASIGN;TI"OpenSSL::OCSP::NOCASIGN;T00o;;[o;	;[I".(This flag is not used by OpenSSL 1.0.1g);T@;@�;0@�@@�0U;[i I"NODELEGATED;TI"OpenSSL::OCSP::NODELEGATED;T00o;;[o;	;[I".(This flag is not used by OpenSSL 1.0.1g);T@;@�;0@�@@�0U;[i I"NOCHECKS;TI"OpenSSL::OCSP::NOCHECKS;T00o;;[o;	;[I"6Do not make additional signing certificate checks;T@;@�;0@�@@�0U;[i I"TRUSTOTHER;TI"OpenSSL::OCSP::TRUSTOTHER;T00o;;[o;	;[I"*Do not verify additional certificates;T@;@�;0@�@@�0U;[i I"RESPID_KEY;TI"OpenSSL::OCSP::RESPID_KEY;T00o;;[o;	;[I"<Identify the response by signing the certificate key ID;T@;@�;0@�@@�0U;[i I"NOTIME;TI"OpenSSL::OCSP::NOTIME;T00o;;[o;	;[I"/Do not include producedAt time in response;T@;@�;0@�@@�0U;[i I"V_CERTSTATUS_GOOD;TI"%OpenSSL::OCSP::V_CERTSTATUS_GOOD;T00o;;[o;	;[I"LIndicates the certificate is not revoked but does not necessarily mean ;TI"Dthe certificate was issued or that this response is within the ;TI"$certificate's validity interval;T@;@�;0@�@@�0U;[i I"V_CERTSTATUS_REVOKED;TI"(OpenSSL::OCSP::V_CERTSTATUS_REVOKED;T00o;;[o;	;[I"FIndicates the certificate has been revoked either permanently or ;TI"temporarily (on hold).;T@;@�;0@�@@�0U;[i I"V_CERTSTATUS_UNKNOWN;TI"(OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN;T00o;;[o;	;[I"GIndicates the responder does not know about the certificate being ;TI"requested.;T@;@�;0@�@@�0U;[i I"V_RESPID_NAME;TI"!OpenSSL::OCSP::V_RESPID_NAME;T00o;;[o;	;[I"/The responder ID is based on the key name.;T@;@�;0@�@@�0U;[i I"V_RESPID_KEY;TI" OpenSSL::OCSP::V_RESPID_KEY;T00o;;[o;	;[I"1The responder ID is based on the public key.;T@;@�;0@�@@�0[ [[I"
class;T[[:public[ [:protected[ [:private[ [I"instance;T[[;[ [;[ [;[ [ [U:RDoc::Context::Section[i 0o;;[ ;0;0[I"ext/openssl/ossl.c;TI"OpenSSL;F@�