mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
c8cb26252a
* ext/openssl/ossl_x509cert.c (ossl_x509_verify): X509_verify() family may put errors on 0 return (0 means verification failure). Clear OpenSSL error queue before return to Ruby. Since the queue is thread global, remaining errors in the queue can cause an unexpected error in the next OpenSSL operation. [ruby-core:48284] [Bug #7215] * ext/openssl/ossl_x509crl.c (ossl_x509crl_verify): ditto. * ext/openssl/ossl_x509req.c (ossl_x509req_verify): ditto. * ext/openssl/ossl_x509store.c (ossl_x509stctx_verify): ditto. * ext/openssl/ossl_pkey_dh.c (dh_generate): clear the OpenSSL error queue before re-raising exception. * ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto. * ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto. * ext/openssl/ossl_ssl.c (ossl_start_ssl): ditto. * test/openssl: check that OpenSSL.errors is empty every time after running a test case. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55051 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
715 lines
17 KiB
C
715 lines
17 KiB
C
/*
|
|
* 'OpenSSL for Ruby' project
|
|
* Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
|
|
* All rights reserved.
|
|
*/
|
|
/*
|
|
* This program is licensed under the same licence as Ruby.
|
|
* (See the file 'LICENCE'.)
|
|
*/
|
|
#include "ossl.h"
|
|
|
|
#define NewX509Store(klass) \
|
|
TypedData_Wrap_Struct((klass), &ossl_x509store_type, 0)
|
|
#define SetX509Store(obj, st) do { \
|
|
if (!(st)) { \
|
|
ossl_raise(rb_eRuntimeError, "STORE wasn't initialized!"); \
|
|
} \
|
|
RTYPEDDATA_DATA(obj) = (st); \
|
|
} while (0)
|
|
#define GetX509Store(obj, st) do { \
|
|
TypedData_Get_Struct((obj), X509_STORE, &ossl_x509store_type, (st)); \
|
|
if (!(st)) { \
|
|
ossl_raise(rb_eRuntimeError, "STORE wasn't initialized!"); \
|
|
} \
|
|
} while (0)
|
|
#define SafeGetX509Store(obj, st) do { \
|
|
OSSL_Check_Kind((obj), cX509Store); \
|
|
GetX509Store((obj), (st)); \
|
|
} while (0)
|
|
|
|
#define NewX509StCtx(klass) \
|
|
TypedData_Wrap_Struct((klass), &ossl_x509stctx_type, 0)
|
|
#define SetX509StCtx(obj, ctx) do { \
|
|
if (!(ctx)) { \
|
|
ossl_raise(rb_eRuntimeError, "STORE_CTX wasn't initialized!"); \
|
|
} \
|
|
RTYPEDDATA_DATA(obj) = (ctx); \
|
|
} while (0)
|
|
#define GetX509StCtx(obj, ctx) do { \
|
|
TypedData_Get_Struct((obj), X509_STORE_CTX, &ossl_x509stctx_type, (ctx)); \
|
|
if (!(ctx)) { \
|
|
ossl_raise(rb_eRuntimeError, "STORE_CTX is out of scope!"); \
|
|
} \
|
|
} while (0)
|
|
#define SafeGetX509StCtx(obj, storep) do { \
|
|
OSSL_Check_Kind((obj), cX509StoreContext); \
|
|
GetX509Store((obj), (ctx)); \
|
|
} while (0)
|
|
|
|
/*
|
|
* Classes
|
|
*/
|
|
VALUE cX509Store;
|
|
VALUE cX509StoreContext;
|
|
VALUE eX509StoreError;
|
|
|
|
static void
|
|
ossl_x509store_free(void *ptr)
|
|
{
|
|
X509_STORE_free(ptr);
|
|
}
|
|
|
|
static const rb_data_type_t ossl_x509store_type = {
|
|
"OpenSSL/X509/STORE",
|
|
{
|
|
0, ossl_x509store_free,
|
|
},
|
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
|
};
|
|
|
|
/*
|
|
* Public functions
|
|
*/
|
|
VALUE
|
|
ossl_x509store_new(X509_STORE *store)
|
|
{
|
|
VALUE obj;
|
|
|
|
obj = NewX509Store(cX509Store);
|
|
SetX509Store(obj, store);
|
|
|
|
return obj;
|
|
}
|
|
|
|
X509_STORE *
|
|
GetX509StorePtr(VALUE obj)
|
|
{
|
|
X509_STORE *store;
|
|
|
|
SafeGetX509Store(obj, store);
|
|
|
|
return store;
|
|
}
|
|
|
|
X509_STORE *
|
|
DupX509StorePtr(VALUE obj)
|
|
{
|
|
X509_STORE *store;
|
|
|
|
SafeGetX509Store(obj, store);
|
|
CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);
|
|
|
|
return store;
|
|
}
|
|
|
|
/*
|
|
* Private functions
|
|
*/
|
|
static VALUE
|
|
ossl_x509store_alloc(VALUE klass)
|
|
{
|
|
X509_STORE *store;
|
|
VALUE obj;
|
|
|
|
obj = NewX509Store(klass);
|
|
if((store = X509_STORE_new()) == NULL){
|
|
ossl_raise(eX509StoreError, NULL);
|
|
}
|
|
SetX509Store(obj, store);
|
|
|
|
return obj;
|
|
}
|
|
|
|
/*
|
|
* General callback for OpenSSL verify
|
|
*/
|
|
static VALUE
|
|
ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
|
|
{
|
|
X509_STORE *store;
|
|
|
|
GetX509Store(self, store);
|
|
X509_STORE_set_ex_data(store, ossl_verify_cb_idx, (void*)cb);
|
|
rb_iv_set(self, "@verify_callback", cb);
|
|
|
|
return cb;
|
|
}
|
|
|
|
|
|
/*
|
|
* call-seq:
|
|
* X509::Store.new => store
|
|
*
|
|
*/
|
|
static VALUE
|
|
ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
|
|
{
|
|
X509_STORE *store;
|
|
|
|
/* BUG: This method takes any number of arguments but appears to ignore them. */
|
|
GetX509Store(self, store);
|
|
store->ex_data.sk = NULL;
|
|
X509_STORE_set_verify_cb_func(store, ossl_verify_cb);
|
|
ossl_x509store_set_vfy_cb(self, Qnil);
|
|
|
|
#if (OPENSSL_VERSION_NUMBER < 0x00907000L)
|
|
rb_iv_set(self, "@flags", INT2FIX(0));
|
|
rb_iv_set(self, "@purpose", INT2FIX(0));
|
|
rb_iv_set(self, "@trust", INT2FIX(0));
|
|
#endif
|
|
|
|
/* last verification status */
|
|
rb_iv_set(self, "@error", Qnil);
|
|
rb_iv_set(self, "@error_string", Qnil);
|
|
rb_iv_set(self, "@chain", Qnil);
|
|
rb_iv_set(self, "@time", Qnil);
|
|
|
|
return self;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509store_set_flags(VALUE self, VALUE flags)
|
|
{
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
|
X509_STORE *store;
|
|
long f = NUM2LONG(flags);
|
|
|
|
GetX509Store(self, store);
|
|
X509_STORE_set_flags(store, f);
|
|
#else
|
|
rb_iv_set(self, "@flags", flags);
|
|
#endif
|
|
|
|
return flags;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
|
|
{
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
|
X509_STORE *store;
|
|
int p = NUM2INT(purpose);
|
|
|
|
GetX509Store(self, store);
|
|
X509_STORE_set_purpose(store, p);
|
|
#else
|
|
rb_iv_set(self, "@purpose", purpose);
|
|
#endif
|
|
|
|
return purpose;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509store_set_trust(VALUE self, VALUE trust)
|
|
{
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
|
X509_STORE *store;
|
|
int t = NUM2INT(trust);
|
|
|
|
GetX509Store(self, store);
|
|
X509_STORE_set_trust(store, t);
|
|
#else
|
|
rb_iv_set(self, "@trust", trust);
|
|
#endif
|
|
|
|
return trust;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509store_set_time(VALUE self, VALUE time)
|
|
{
|
|
rb_iv_set(self, "@time", time);
|
|
return time;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* store.add_file(file) -> store
|
|
*
|
|
*
|
|
* Adds the certificates in +file+ to the certificate store. The +file+ can
|
|
* contain multiple PEM-encoded certificates.
|
|
*/
|
|
|
|
static VALUE
|
|
ossl_x509store_add_file(VALUE self, VALUE file)
|
|
{
|
|
X509_STORE *store;
|
|
X509_LOOKUP *lookup;
|
|
char *path = NULL;
|
|
|
|
if(file != Qnil){
|
|
SafeStringValue(file);
|
|
path = RSTRING_PTR(file);
|
|
}
|
|
GetX509Store(self, store);
|
|
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
|
|
if(lookup == NULL) ossl_raise(eX509StoreError, NULL);
|
|
if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){
|
|
ossl_raise(eX509StoreError, NULL);
|
|
}
|
|
|
|
return self;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509store_add_path(VALUE self, VALUE dir)
|
|
{
|
|
X509_STORE *store;
|
|
X509_LOOKUP *lookup;
|
|
char *path = NULL;
|
|
|
|
if(dir != Qnil){
|
|
SafeStringValue(dir);
|
|
path = RSTRING_PTR(dir);
|
|
}
|
|
GetX509Store(self, store);
|
|
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
|
|
if(lookup == NULL) ossl_raise(eX509StoreError, NULL);
|
|
if(X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1){
|
|
ossl_raise(eX509StoreError, NULL);
|
|
}
|
|
|
|
return self;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* store.set_default_paths
|
|
*
|
|
* Adds the default certificates to the certificate store. These certificates
|
|
* are loaded from the default configuration directory which can usually be
|
|
* determined by:
|
|
*
|
|
* File.dirname OpenSSL::Config::DEFAULT_CONFIG_FILE
|
|
*/
|
|
static VALUE
|
|
ossl_x509store_set_default_paths(VALUE self)
|
|
{
|
|
X509_STORE *store;
|
|
|
|
GetX509Store(self, store);
|
|
if (X509_STORE_set_default_paths(store) != 1){
|
|
ossl_raise(eX509StoreError, NULL);
|
|
}
|
|
|
|
return Qnil;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* store.add_cert(cert)
|
|
*
|
|
* Adds the OpenSSL::X509::Certificate +cert+ to the certificate store.
|
|
*/
|
|
|
|
static VALUE
|
|
ossl_x509store_add_cert(VALUE self, VALUE arg)
|
|
{
|
|
X509_STORE *store;
|
|
X509 *cert;
|
|
|
|
cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
|
|
GetX509Store(self, store);
|
|
if (X509_STORE_add_cert(store, cert) != 1){
|
|
ossl_raise(eX509StoreError, NULL);
|
|
}
|
|
|
|
return self;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509store_add_crl(VALUE self, VALUE arg)
|
|
{
|
|
X509_STORE *store;
|
|
X509_CRL *crl;
|
|
|
|
crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */
|
|
GetX509Store(self, store);
|
|
if (X509_STORE_add_crl(store, crl) != 1){
|
|
ossl_raise(eX509StoreError, NULL);
|
|
}
|
|
|
|
return self;
|
|
}
|
|
|
|
static VALUE ossl_x509stctx_get_err(VALUE);
|
|
static VALUE ossl_x509stctx_get_err_string(VALUE);
|
|
static VALUE ossl_x509stctx_get_chain(VALUE);
|
|
|
|
static VALUE
|
|
ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
|
|
{
|
|
VALUE cert, chain;
|
|
VALUE ctx, proc, result;
|
|
|
|
rb_scan_args(argc, argv, "11", &cert, &chain);
|
|
ctx = rb_funcall(cX509StoreContext, rb_intern("new"), 3, self, cert, chain);
|
|
proc = rb_block_given_p() ? rb_block_proc() :
|
|
rb_iv_get(self, "@verify_callback");
|
|
rb_iv_set(ctx, "@verify_callback", proc);
|
|
result = rb_funcall(ctx, rb_intern("verify"), 0);
|
|
|
|
rb_iv_set(self, "@error", ossl_x509stctx_get_err(ctx));
|
|
rb_iv_set(self, "@error_string", ossl_x509stctx_get_err_string(ctx));
|
|
rb_iv_set(self, "@chain", ossl_x509stctx_get_chain(ctx));
|
|
|
|
return result;
|
|
}
|
|
|
|
/*
|
|
* Public Functions
|
|
*/
|
|
static void ossl_x509stctx_free(void*);
|
|
|
|
|
|
static const rb_data_type_t ossl_x509stctx_type = {
|
|
"OpenSSL/X509/STORE_CTX",
|
|
{
|
|
0, ossl_x509stctx_free,
|
|
},
|
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
|
};
|
|
|
|
|
|
VALUE
|
|
ossl_x509stctx_new(X509_STORE_CTX *ctx)
|
|
{
|
|
VALUE obj;
|
|
|
|
obj = NewX509StCtx(cX509StoreContext);
|
|
SetX509StCtx(obj, ctx);
|
|
|
|
return obj;
|
|
}
|
|
|
|
VALUE
|
|
ossl_x509stctx_clear_ptr(VALUE obj)
|
|
{
|
|
OSSL_Check_Kind(obj, cX509StoreContext);
|
|
RDATA(obj)->data = NULL;
|
|
|
|
return obj;
|
|
}
|
|
|
|
/*
|
|
* Private functions
|
|
*/
|
|
static void
|
|
ossl_x509stctx_free(void *ptr)
|
|
{
|
|
X509_STORE_CTX *ctx = ptr;
|
|
if(ctx->untrusted)
|
|
sk_X509_pop_free(ctx->untrusted, X509_free);
|
|
if(ctx->cert)
|
|
X509_free(ctx->cert);
|
|
X509_STORE_CTX_free(ctx);
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_alloc(VALUE klass)
|
|
{
|
|
X509_STORE_CTX *ctx;
|
|
VALUE obj;
|
|
|
|
obj = NewX509StCtx(klass);
|
|
if((ctx = X509_STORE_CTX_new()) == NULL){
|
|
ossl_raise(eX509StoreError, NULL);
|
|
}
|
|
SetX509StCtx(obj, ctx);
|
|
|
|
return obj;
|
|
}
|
|
|
|
static VALUE ossl_x509stctx_set_flags(VALUE, VALUE);
|
|
static VALUE ossl_x509stctx_set_purpose(VALUE, VALUE);
|
|
static VALUE ossl_x509stctx_set_trust(VALUE, VALUE);
|
|
static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
|
|
|
|
static VALUE
|
|
ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
|
|
{
|
|
VALUE store, cert, chain, t;
|
|
X509_STORE_CTX *ctx;
|
|
X509_STORE *x509st;
|
|
X509 *x509 = NULL;
|
|
STACK_OF(X509) *x509s = NULL;
|
|
|
|
rb_scan_args(argc, argv, "12", &store, &cert, &chain);
|
|
GetX509StCtx(self, ctx);
|
|
SafeGetX509Store(store, x509st);
|
|
if(!NIL_P(cert)) x509 = DupX509CertPtr(cert); /* NEED TO DUP */
|
|
if(!NIL_P(chain)) x509s = ossl_x509_ary2sk(chain);
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
|
if(X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
|
|
sk_X509_pop_free(x509s, X509_free);
|
|
ossl_raise(eX509StoreError, NULL);
|
|
}
|
|
#else
|
|
X509_STORE_CTX_init(ctx, x509st, x509, x509s);
|
|
ossl_x509stctx_set_flags(self, rb_iv_get(store, "@flags"));
|
|
ossl_x509stctx_set_purpose(self, rb_iv_get(store, "@purpose"));
|
|
ossl_x509stctx_set_trust(self, rb_iv_get(store, "@trust"));
|
|
#endif
|
|
if (!NIL_P(t = rb_iv_get(store, "@time")))
|
|
ossl_x509stctx_set_time(self, t);
|
|
rb_iv_set(self, "@verify_callback", rb_iv_get(store, "@verify_callback"));
|
|
rb_iv_set(self, "@cert", cert);
|
|
|
|
return self;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_verify(VALUE self)
|
|
{
|
|
X509_STORE_CTX *ctx;
|
|
|
|
GetX509StCtx(self, ctx);
|
|
X509_STORE_CTX_set_ex_data(ctx, ossl_verify_cb_idx,
|
|
(void *)rb_iv_get(self, "@verify_callback"));
|
|
|
|
switch (X509_verify_cert(ctx)) {
|
|
case 1:
|
|
return Qtrue;
|
|
case 0:
|
|
ossl_clear_error();
|
|
return Qfalse;
|
|
default:
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_get_chain(VALUE self)
|
|
{
|
|
X509_STORE_CTX *ctx;
|
|
STACK_OF(X509) *chain;
|
|
X509 *x509;
|
|
int i, num;
|
|
VALUE ary;
|
|
|
|
GetX509StCtx(self, ctx);
|
|
if((chain = X509_STORE_CTX_get_chain(ctx)) == NULL){
|
|
return Qnil;
|
|
}
|
|
if((num = sk_X509_num(chain)) < 0){
|
|
OSSL_Debug("certs in chain < 0???");
|
|
return rb_ary_new();
|
|
}
|
|
ary = rb_ary_new2(num);
|
|
for(i = 0; i < num; i++) {
|
|
x509 = sk_X509_value(chain, i);
|
|
rb_ary_push(ary, ossl_x509_new(x509));
|
|
}
|
|
|
|
return ary;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_get_err(VALUE self)
|
|
{
|
|
X509_STORE_CTX *ctx;
|
|
|
|
GetX509StCtx(self, ctx);
|
|
|
|
return INT2FIX(X509_STORE_CTX_get_error(ctx));
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_set_error(VALUE self, VALUE err)
|
|
{
|
|
X509_STORE_CTX *ctx;
|
|
|
|
GetX509StCtx(self, ctx);
|
|
X509_STORE_CTX_set_error(ctx, NUM2INT(err));
|
|
|
|
return err;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_get_err_string(VALUE self)
|
|
{
|
|
X509_STORE_CTX *ctx;
|
|
long err;
|
|
|
|
GetX509StCtx(self, ctx);
|
|
err = X509_STORE_CTX_get_error(ctx);
|
|
|
|
return rb_str_new2(X509_verify_cert_error_string(err));
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_get_err_depth(VALUE self)
|
|
{
|
|
X509_STORE_CTX *ctx;
|
|
|
|
GetX509StCtx(self, ctx);
|
|
|
|
return INT2FIX(X509_STORE_CTX_get_error_depth(ctx));
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_get_curr_cert(VALUE self)
|
|
{
|
|
X509_STORE_CTX *ctx;
|
|
|
|
GetX509StCtx(self, ctx);
|
|
|
|
return ossl_x509_new(X509_STORE_CTX_get_current_cert(ctx));
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_get_curr_crl(VALUE self)
|
|
{
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
|
X509_STORE_CTX *ctx;
|
|
|
|
GetX509StCtx(self, ctx);
|
|
if(!ctx->current_crl) return Qnil;
|
|
|
|
return ossl_x509crl_new(ctx->current_crl);
|
|
#else
|
|
return Qnil;
|
|
#endif
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_set_flags(VALUE self, VALUE flags)
|
|
{
|
|
X509_STORE_CTX *store;
|
|
long f = NUM2LONG(flags);
|
|
|
|
GetX509StCtx(self, store);
|
|
X509_STORE_CTX_set_flags(store, f);
|
|
|
|
return flags;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
|
|
{
|
|
X509_STORE_CTX *store;
|
|
int p = NUM2INT(purpose);
|
|
|
|
GetX509StCtx(self, store);
|
|
X509_STORE_CTX_set_purpose(store, p);
|
|
|
|
return purpose;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509stctx_set_trust(VALUE self, VALUE trust)
|
|
{
|
|
X509_STORE_CTX *store;
|
|
int t = NUM2INT(trust);
|
|
|
|
GetX509StCtx(self, store);
|
|
X509_STORE_CTX_set_trust(store, t);
|
|
|
|
return trust;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* storectx.time = time => time
|
|
*/
|
|
static VALUE
|
|
ossl_x509stctx_set_time(VALUE self, VALUE time)
|
|
{
|
|
X509_STORE_CTX *store;
|
|
long t;
|
|
|
|
t = NUM2LONG(rb_Integer(time));
|
|
GetX509StCtx(self, store);
|
|
X509_STORE_CTX_set_time(store, 0, t);
|
|
|
|
return time;
|
|
}
|
|
|
|
/*
|
|
* INIT
|
|
*/
|
|
void
|
|
Init_ossl_x509store(void)
|
|
{
|
|
VALUE x509stctx;
|
|
|
|
#if 0
|
|
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
|
|
mX509 = rb_define_module_under(mOSSL, "X509");
|
|
#endif
|
|
|
|
eX509StoreError = rb_define_class_under(mX509, "StoreError", eOSSLError);
|
|
|
|
/* Document-class: OpenSSL::X509::Store
|
|
*
|
|
* The X509 certificate store holds trusted CA certificates used to verify
|
|
* peer certificates.
|
|
*
|
|
* The easiest way to create a useful certificate store is:
|
|
*
|
|
* cert_store = OpenSSL::X509::Store.new
|
|
* cert_store.set_default_paths
|
|
*
|
|
* This will use your system's built-in certificates.
|
|
*
|
|
* If your system does not have a default set of certificates you can
|
|
* obtain a set from Mozilla here: http://curl.haxx.se/docs/caextract.html
|
|
* (Note that this set does not have an HTTPS download option so you may
|
|
* wish to use the firefox-db2pem.sh script to extract the certificates
|
|
* from a local install to avoid man-in-the-middle attacks.)
|
|
*
|
|
* After downloading or generating a cacert.pem from the above link you
|
|
* can create a certificate store from the pem file like this:
|
|
*
|
|
* cert_store = OpenSSL::X509::Store.new
|
|
* cert_store.add_file 'cacert.pem'
|
|
*
|
|
* The certificate store can be used with an SSLSocket like this:
|
|
*
|
|
* ssl_context = OpenSSL::SSL::SSLContext.new
|
|
* ssl_context.cert_store = cert_store
|
|
*
|
|
* tcp_socket = TCPSocket.open 'example.com', 443
|
|
*
|
|
* ssl_socket = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context
|
|
*/
|
|
|
|
cX509Store = rb_define_class_under(mX509, "Store", rb_cObject);
|
|
rb_attr(cX509Store, rb_intern("verify_callback"), 1, 0, Qfalse);
|
|
rb_attr(cX509Store, rb_intern("error"), 1, 0, Qfalse);
|
|
rb_attr(cX509Store, rb_intern("error_string"), 1, 0, Qfalse);
|
|
rb_attr(cX509Store, rb_intern("chain"), 1, 0, Qfalse);
|
|
rb_define_alloc_func(cX509Store, ossl_x509store_alloc);
|
|
rb_define_method(cX509Store, "initialize", ossl_x509store_initialize, -1);
|
|
rb_define_method(cX509Store, "verify_callback=", ossl_x509store_set_vfy_cb, 1);
|
|
rb_define_method(cX509Store, "flags=", ossl_x509store_set_flags, 1);
|
|
rb_define_method(cX509Store, "purpose=", ossl_x509store_set_purpose, 1);
|
|
rb_define_method(cX509Store, "trust=", ossl_x509store_set_trust, 1);
|
|
rb_define_method(cX509Store, "time=", ossl_x509store_set_time, 1);
|
|
rb_define_method(cX509Store, "add_path", ossl_x509store_add_path, 1);
|
|
rb_define_method(cX509Store, "add_file", ossl_x509store_add_file, 1);
|
|
rb_define_method(cX509Store, "set_default_paths", ossl_x509store_set_default_paths, 0);
|
|
rb_define_method(cX509Store, "add_cert", ossl_x509store_add_cert, 1);
|
|
rb_define_method(cX509Store, "add_crl", ossl_x509store_add_crl, 1);
|
|
rb_define_method(cX509Store, "verify", ossl_x509store_verify, -1);
|
|
|
|
cX509StoreContext = rb_define_class_under(mX509,"StoreContext",rb_cObject);
|
|
x509stctx = cX509StoreContext;
|
|
rb_define_alloc_func(cX509StoreContext, ossl_x509stctx_alloc);
|
|
rb_define_method(x509stctx,"initialize", ossl_x509stctx_initialize, -1);
|
|
rb_define_method(x509stctx,"verify", ossl_x509stctx_verify, 0);
|
|
rb_define_method(x509stctx,"chain", ossl_x509stctx_get_chain,0);
|
|
rb_define_method(x509stctx,"error", ossl_x509stctx_get_err, 0);
|
|
rb_define_method(x509stctx,"error=", ossl_x509stctx_set_error, 1);
|
|
rb_define_method(x509stctx,"error_string",ossl_x509stctx_get_err_string,0);
|
|
rb_define_method(x509stctx,"error_depth", ossl_x509stctx_get_err_depth, 0);
|
|
rb_define_method(x509stctx,"current_cert",ossl_x509stctx_get_curr_cert, 0);
|
|
rb_define_method(x509stctx,"current_crl", ossl_x509stctx_get_curr_crl, 0);
|
|
rb_define_method(x509stctx,"flags=", ossl_x509stctx_set_flags, 1);
|
|
rb_define_method(x509stctx,"purpose=", ossl_x509stctx_set_purpose, 1);
|
|
rb_define_method(x509stctx,"trust=", ossl_x509stctx_set_trust, 1);
|
|
rb_define_method(x509stctx,"time=", ossl_x509stctx_set_time, 1);
|
|
|
|
}
|