static VALUE
ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
{
VALUE certs, store, flags;
OCSP_BASICRESP *bs;
STACK_OF(X509) *x509s;
X509_STORE *x509st;
int flg, result;
rb_scan_args(argc, argv, "21", &certs, &store, &flags);
GetOCSPBasicRes(self, bs);
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
x509s = ossl_x509_ary2sk(certs);
/*
* OpenSSL had a bug that it doesn't use the certificates in x509s for
* verifying the chain. This can be a problem when the response is signed by
* a certificate issued by an intermediate CA.
*
* root_ca
* |
* intermediate_ca
* |-------------|
* end_entity ocsp_signer
*
* When the certificate hierarchy is like this, and the response contains
* only ocsp_signer certificate, the following code wrongly fails.
*
* store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
* basic_response.verify([intermediate_ca], store)
*
* So add the certificates in x509s to the embedded certificates list first.
*
* This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still
* exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1.
*/
if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) &&
sk_X509_num(x509s) && sk_X509_num(bs->certs)) {
int i;
bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
if (!bs) {
sk_X509_pop_free(x509s, X509_free);
ossl_raise(eOCSPError, "ASN1_item_dup");
}
for (i = 0; i < sk_X509_num(x509s); i++) {
if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) {
sk_X509_pop_free(x509s, X509_free);
OCSP_BASICRESP_free(bs);
ossl_raise(eOCSPError, "OCSP_basic_add1_cert");
}
}
result = OCSP_basic_verify(bs, x509s, x509st, flg);
OCSP_BASICRESP_free(bs);
}
else {
result = OCSP_basic_verify(bs, x509s, x509st, flg);
}
result = OCSP_basic_verify(bs, x509s, x509st, flg);
sk_X509_pop_free(x509s, X509_free);
if (result <= 0)
ossl_clear_error();
return result > 0 ? Qtrue : Qfalse;
}
RSpec
Ruby on Rails
Ruby
new
add_status
initialize_copy
= private
= protected
