Class: Mongo::Socket::OcspVerifier Private

Inherits:
Object
Includes:
Loggable
Defined in:
lib/mongo/socket/ocsp_verifier.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

OCSP endpoint verifier.

After a TLS connection is established, this verifier inspects the certificate presented by the server, and if the certificate contains an OCSP URI, performs the OCSP status request to the specified URI (following up to 5 redirects) to verify the certificate status.

Constant Summary

Constants included from Loggable

Loggable::PREFIX

Instance Attribute Summary

Instance Method Summary

Methods included from Loggable

#log_debug, #log_error, #log_fatal, #log_info, #log_warn, #logger

Constructor Details

#initialize(host_name, cert, ca_cert, cert_store, **opts) ⇒ OcspVerifier

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of OcspVerifier.

Parameters:

  • host_name (String)

    The host name being verified, for diagnostic output.

  • cert (OpenSSL::X509::Certificate)

    The certificate presented by the server at host_name.

  • ca_cert (OpenSSL::X509::Certificate)

    The CA certificate presented by the server or resolved locally from the server certificate.

  • cert_store (OpenSSL::X509::Store)

    The certificate store to use for verifying the OCSP response. This must be the same store used in the SSLContext of the SSLSocket whose certificate is being verified. It must NOT be the CA certificate provided by the server (i.e. anything taken out of peer_cert); otherwise the server would dictate which CA authorities the client trusts.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_verifier.rb', line 51

def initialize(host_name, cert, ca_cert, cert_store, **opts)
  @host_name = host_name
  @cert = cert
  @ca_cert = ca_cert
  @cert_store = cert_store
  @options = opts
end

Instance Attribute Details

#ca_cert ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_verifier.rb', line 61

def ca_cert
  @ca_cert
end

#cert ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_verifier.rb', line 60

def cert
  @cert
end

#cert_store ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_verifier.rb', line 62

def cert_store
  @cert_store
end

#host_name ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_verifier.rb', line 59

def host_name
  @host_name
end

#options ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_verifier.rb', line 63

def options
  @options
end

Instance Method Details

#cert_id ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_verifier.rb', line 91

def cert_id
  @cert_id ||= OpenSSL::OCSP::CertificateId.new(
    cert,
    ca_cert,
    OpenSSL::Digest::SHA1.new,
  )
end

#ocsp_uris ⇒ Array<String>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns OCSP URIs in the specified server certificate.

Returns:

  • (Array<String>)

    OCSP URIs in the specified server certificate.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_verifier.rb', line 70

def ocsp_uris
  @ocsp_uris ||= begin
    # https://tools.ietf.org/html/rfc3546#section-2.3
    # prohibits multiple extensions with the same oid.
    ext = cert.extensions.detect do |ext|
      ext.oid == 'authorityInfoAccess'
    end

    if ext
      # Our test certificates have multiple OCSP URIs.
      ext.value.split("\n").select do |line|
        line.start_with?('OCSP - URI:')
      end.map do |line|
        line.split(':', 2).last
      end
    else
      []
    end
  end
end

#timeout ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_verifier.rb', line 65

def timeout
  options[:timeout] || 5
end

#verify ⇒ true | false

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns whether the certificate was verified.

Returns:

  • (true | false)

    Whether the certificate was verified.

Raises:

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_verifier.rb', line 122

def verify
  handle_exceptions do
    return false if ocsp_uris.empty?

    resp, errors = do_verify
    return_ocsp_response(resp, errors)
  end
end

#verify_with_cache ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_verifier.rb', line 99

def verify_with_cache
  handle_exceptions do
    return false if ocsp_uris.empty?

    resp = OcspCache.get(cert_id)
    if resp
      return return_ocsp_response(resp)
    end

    resp, errors = do_verify

    if resp
      OcspCache.set(cert_id, resp)
    end

    return_ocsp_response(resp, errors)
  end
end