One Hat Cyber Team

Your IP: 216.73.216.13
Server IP: 109.199.105.153
Server: Linux connect.inboxifs.com 5.15.0-152-generic #162-Ubuntu SMP Wed Jul 23 09:48:42 UTC 2025 x86_64
Server Software: Apache
PHP Version: 8.2.29
Buat File | Buat Folder
Dir : ~/usr/share/ri/3.0.0/system/OpenSSL/OCSP/
View File Name : cdesc-OCSP.ri

U:RDoc::NormalModule[iI"	OCSP:ETI"OpenSSL::OCSP;T0o:RDoc::Markup::Document:@parts[o;;[(o:RDoc::Markup::Paragraph;[I"JOpenSSL::OCSP implements Online Certificate Status Protocol requests ;TI"and responses.;To:RDoc::Markup::BlankLine�o;	;[	I"ICreating and sending an OCSP request requires a subject certificate ;TI"Kthat contains an OCSP URL in an authorityInfoAccess extension and the ;TI"Missuer certificate for the subject certificate.  First, load the issuer ;TI"and subject certificates:;T@o:RDoc::Markup::Verbatim;[I":subject = OpenSSL::X509::Certificate.new subject_pem
;TI"9issuer  = OpenSSL::X509::Certificate.new issuer_pem
;T:@format0o;	;[I"FTo create the request we need to create a certificate ID for the ;TI"Isubject certificate so the CA knows which certificate we are asking ;TI"about:;T@o;;[I"*digest = OpenSSL::Digest.new('SHA1')
;TI"certificate_id =
;TI"@  OpenSSL::OCSP::CertificateId.new subject, issuer, digest
;T;0o;	;[I"<Then create a request and add the certificate ID to it:;T@o;;[I"*request = OpenSSL::OCSP::Request.new
;TI"'request.add_certid certificate_id
;T;0o;	;[I"KAdding a nonce to the request protects against replay attacks but not ;TI"all CA process the nonce.;T@o;;[I"request.add_nonce
;T;0o;	;[I"MTo submit the request to the CA for verification we need to extract the ;TI"+OCSP URI from the subject certificate:;T@o;;[
I"#ocsp_uris = subject.ocsp_uris
;TI"
;TI"require 'uri'
;TI"
;TI"!ocsp_uri = URI ocsp_uris[0]
;T;0o;	;[I"KTo submit the request we'll POST the request to the OCSP URI (per RFC ;TI"I2560).  Note that we only handle HTTP requests and don't handle any ;TI"Hredirects in this example, so this is insufficient for serious use.;T@o;;[I"require 'net/http'
;TI"
;TI"http_response =
;TI">  Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http|
;TI"2    http.post ocsp_uri.path, request.to_der,
;TI"@              'content-type' => 'application/ocsp-request'
;TI"	end
;TI"
;TI"?response = OpenSSL::OCSP::Response.new http_response.body
;TI"%response_basic = response.basic
;T;0o;	;[	I"LFirst we check if the response has a valid signature.  Without a valid ;TI"Isignature we cannot trust it.  If you get a failure here you may be ;TI"Kmissing a system certificate store or may be missing the intermediate ;TI"certificates.;T@o;;[I"&store = OpenSSL::X509::Store.new
;TI"store.set_default_paths
;TI"
;TI"1unless response_basic.verify [], store then
;TI"?  raise 'response is not signed by a trusted certificate'
;TI"	end
;T;0o;	;[I"JThe response contains the status information (success/fail).  We can ;TI"$display the status as a string:;T@o;;[I"0puts response.status_string #=> successful
;T;0o;	;[	I"LNext we need to know the response details to determine if the response ;TI"Imatches our request.  First we check the nonce.  Again, not all CAs ;TI"Gsupport a nonce.  See Request#check_nonce for the meanings of the ;TI"return values.;T@o;;[I"Ap request.check_nonce basic_response #=> value from -1 to 3
;T;0o;	;[I"LThen extract the status information for the certificate from the basic ;TI"response.;T@o;;[
I"Dsingle_response = basic_response.find_response(certificate_id)
;TI"
;TI"unless single_response
;TI"K  raise 'basic_response does not have the status for the certificate'
;TI"	end
;T;0o;	;[I"MThen check the validity. A status issued in the future must be rejected.;T@o;;[I"+unless single_response.check_validity
;TI"K  raise 'this_update is in the future or next_update time has passed'
;TI"	end
;TI"
;TI"&case single_response.cert_status
;TI"+when OpenSSL::OCSP::V_CERTSTATUS_GOOD
;TI")  puts 'certificate is still valid'
;TI".when OpenSSL::OCSP::V_CERTSTATUS_REVOKED
;TI"Q  puts "certificate has been revoked at #{single_response.revocation_time}"
;TI".when OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
;TI";  puts 'responder doesn't know about the certificate'
;TI"end;T;0:
@fileI"ext/openssl/ossl_ocsp.c;T:0@omit_headings_from_table_of_contents_below0;
0;0[�[%U:RDoc::Constant[i�I""RESPONSE_STATUS_INTERNALERROR;TI"1OpenSSL::OCSP::RESPONSE_STATUS_INTERNALERROR;T:public0o;;[o;	;[I"Internal error in issuer;T@;
@�;0@�@cRDoc::NormalModule0U;[i�I"%RESPONSE_STATUS_MALFORMEDREQUEST;TI"4OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST;T;0o;;[o;	;[I"!Illegal confirmation request;T@;
@�;0@�@@�0U;[i�I"REVOKED_STATUS_NOSTATUS;TI"+OpenSSL::OCSP::REVOKED_STATUS_NOSTATUS;T;0o;;[o;	;[I"6The certificate was revoked for an unknown reason;T@;
@�;0@�@@�0U;[i�I" RESPONSE_STATUS_SIGREQUIRED;TI"/OpenSSL::OCSP::RESPONSE_STATUS_SIGREQUIRED;T;0o;;[o;	;[I"+You must sign the request and resubmit;T@;
@�;0@�@@�0U;[i�I"RESPONSE_STATUS_SUCCESSFUL;TI".OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL;T;0o;;[o;	;[I"%Response has valid confirmations;T@;
@�;0@�@@�0U;[i�I"RESPONSE_STATUS_TRYLATER;TI",OpenSSL::OCSP::RESPONSE_STATUS_TRYLATER;T;0o;;[o;	;[I"Try again later;T@;
@�;0@�@@�0U;[i�I"&REVOKED_STATUS_AFFILIATIONCHANGED;TI"5OpenSSL::OCSP::REVOKED_STATUS_AFFILIATIONCHANGED;T;0o;;[o;	;[I"@The certificate subject's name or other information changed;T@;
@�;0@�@@�0U;[i�I" REVOKED_STATUS_CACOMPROMISE;TI"/OpenSSL::OCSP::REVOKED_STATUS_CACOMPROMISE;T;0o;;[o;	;[I"<This CA certificate was revoked due to a key compromise;T@;
@�;0@�@@�0U;[i�I"#REVOKED_STATUS_CERTIFICATEHOLD;TI"2OpenSSL::OCSP::REVOKED_STATUS_CERTIFICATEHOLD;T;0o;;[o;	;[I"The certificate is on hold;T@;
@�;0@�@@�0U;[i�I"(REVOKED_STATUS_CESSATIONOFOPERATION;TI"7OpenSSL::OCSP::REVOKED_STATUS_CESSATIONOFOPERATION;T;0o;;[o;	;[I"(The certificate is no longer needed;T@;
@�;0@�@@�0U;[i�I"!REVOKED_STATUS_KEYCOMPROMISE;TI"0OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE;T;0o;;[o;	;[I"8The certificate was revoked due to a key compromise;T@;
@�;0@�@@�0U;[i�I"!REVOKED_STATUS_REMOVEFROMCRL;TI"0OpenSSL::OCSP::REVOKED_STATUS_REMOVEFROMCRL;T;0o;;[o;	;[I"KThe certificate was previously on hold and should now be removed from ;TI"the CRL;T@;
@�;0@�@@�0U;[i�I"REVOKED_STATUS_SUPERSEDED;TI"-OpenSSL::OCSP::REVOKED_STATUS_SUPERSEDED;T;0o;;[o;	;[I"8The certificate was superseded by a new certificate;T@;
@�;0@�@@�0U;[i�I"!RESPONSE_STATUS_UNAUTHORIZED;TI"0OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED;T;0o;;[o;	;[I""Your request is unauthorized.;T@;
@�;0@�@@�0U;[i�I"REVOKED_STATUS_UNSPECIFIED;TI".OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED;T;0o;;[o;	;[I":The certificate was revoked for an unspecified reason;T@;
@�;0@�@@�0U;[i�I"NOCERTS;TI"OpenSSL::OCSP::NOCERTS;T;0o;;[o;	;[I"0Do not include certificates in the response;T@;
@�;0@�@@�0U;[i�I"
NOINTERN;TI"OpenSSL::OCSP::NOINTERN;T;0o;;[o;	;[I"FDo not search certificates contained in the response for a signer;T@;
@�;0@�@@�0U;[i�I"NOSIGS;TI"OpenSSL::OCSP::NOSIGS;T;0o;;[o;	;[I"/Do not check the signature on the response;T@;
@�;0@�@@�0U;[i�I"NOCHAIN;TI"OpenSSL::OCSP::NOCHAIN;T;0o;;[o;	;[I"8Do not verify the certificate chain on the response;T@;
@�;0@�@@�0U;[i�I"
NOVERIFY;TI"OpenSSL::OCSP::NOVERIFY;T;0o;;[o;	;[I"&Do not verify the response at all;T@;
@�;0@�@@�0U;[i�I"NOEXPLICIT;TI"OpenSSL::OCSP::NOEXPLICIT;T;0o;;[o;	;[I"Do not check trust;T@;
@�;0@�@@�0U;[i�I"
NOCASIGN;TI"OpenSSL::OCSP::NOCASIGN;T;0o;;[o;	;[I".(This flag is not used by OpenSSL 1.0.1g);T@;
@�;0@�@@�0U;[i�I"NODELEGATED;TI"OpenSSL::OCSP::NODELEGATED;T;0o;;[o;	;[I".(This flag is not used by OpenSSL 1.0.1g);T@;
@�;0@�@@�0U;[i�I"
NOCHECKS;TI"OpenSSL::OCSP::NOCHECKS;T;0o;;[o;	;[I"6Do not make additional signing certificate checks;T@;
@�;0@�@@�0U;[i�I"TRUSTOTHER;TI"OpenSSL::OCSP::TRUSTOTHER;T;0o;;[o;	;[I"*Do not verify additional certificates;T@;
@�;0@�@@�0U;[i�I"RESPID_KEY;TI"OpenSSL::OCSP::RESPID_KEY;T;0o;;[o;	;[I"<Identify the response by signing the certificate key ID;T@;
@�;0@�@@�0U;[i�I"NOTIME;TI"OpenSSL::OCSP::NOTIME;T;0o;;[o;	;[I"/Do not include producedAt time in response;T@;
@�;0@�@@�0U;[i�I"V_CERTSTATUS_GOOD;TI"%OpenSSL::OCSP::V_CERTSTATUS_GOOD;T;0o;;[o;	;[I"LIndicates the certificate is not revoked but does not necessarily mean ;TI"Dthe certificate was issued or that this response is within the ;TI"$certificate's validity interval;T@;
@�;0@�@@�0U;[i�I"V_CERTSTATUS_REVOKED;TI"(OpenSSL::OCSP::V_CERTSTATUS_REVOKED;T;0o;;[o;	;[I"FIndicates the certificate has been revoked either permanently or ;TI"temporarily (on hold).;T@;
@�;0@�@@�0U;[i�I"V_CERTSTATUS_UNKNOWN;TI"(OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN;T;0o;;[o;	;[I"GIndicates the responder does not know about the certificate being ;TI"requested.;T@;
@�;0@�@@�0U;[i�I"V_RESPID_NAME;TI"!OpenSSL::OCSP::V_RESPID_NAME;T;0o;;[o;	;[I"/The responder ID is based on the key name.;T@;
@�;0@�@@�0U;[i�I"V_RESPID_KEY;TI" OpenSSL::OCSP::V_RESPID_KEY;T;0o;;[o;	;[I"1The responder ID is based on the public key.;T@;
@�;0@�@@�0[�[[I"
class;T[[;[�[:protected[�[:private[�[I"
instance;T[[;[�[;[�[;[�[�[U:RDoc::Context::Section[i�0o;;[�;
0;0[I"ext/openssl/ossl.c;TI"OpenSSL;T@�