/usr/share/doc/ruby1.8-examples/examples/openssl/crlstore.rb is in ruby1.8-examples 1.8.7.352-2ubuntu1.6.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# http-access2 is optional. It is only needed by CrlStore#fetch to download a
# fresh CRL from a certificate's distribution point; without it, lookups still
# work against CRLs already present in the hashed store, and remote renewal
# silently yields nil (the NameError is rescued in fetch).
begin
  require 'http-access2'
rescue LoadError
  STDERR.puts "Cannot load http-access2. CRL might not be fetched."
end
require 'c_rehash'
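# Looks up the CRL that covers a given certificate, using a c_rehash-style
# hashed directory (anything responding to hash_dir / get_certs / get_crls /
# add_crl / delete_crl) as the cache, and optionally refreshing the CRL from
# the certificate's crlDistributionPoints URI when http-access2 is loaded.
#
# Trust model (read before relying on this for revocation checking):
# * A CRL is accepted only if its signature verifies under the public key of
#   a certificate the store returns for the leaf's issuer, and that
#   certificate in turn verifies the leaf's signature. Nothing else about the
#   CA certificate (validity period, basicConstraints, keyUsage) is checked,
#   so the store directory must contain only trusted CA certificates.
# * Freshness is best effort: a CRL whose nextUpdate has passed is refreshed
#   from the distribution point if possible, but if that fails the stale CRL
#   is still returned. Callers that need a definite revocation status must
#   check next_update on the returned CRL themselves.
# * Downloaded data is authenticated solely by the CRL signature check; the
#   transport (plain HTTP, optional proxy from the environment) is untrusted.
class CrlStore
  # c_store: a CHashDir-like object. hash_dir(true) rebuilds the hash links
  # up front so later get_certs/get_crls lookups see the current directory.
  def initialize(c_store)
    @c_store = c_store
    @c_store.hash_dir(true)
  end

  # Returns the CRL issued by cert's CA, or nil when no CA in the store
  # verifies cert, or no verifiable CRL can be found or fetched.
  def find_crl(cert)
    do_find_crl(cert)
  end

  private

  # Core lookup: locate the issuing CA, then either return a cached CRL
  # (refreshing it first if it is stale and a refresh succeeds) or fetch and
  # cache one when nothing is cached yet.
  def do_find_crl(cert)
    ca = find_ca(cert)
    return nil unless ca

    crlfiles = @c_store.get_crls(ca.subject)
    unless crlfiles
      # Nothing cached for this issuer: try the distribution point once and
      # cache whatever verifies.
      crl = renew_crl(cert, ca)
      if crl
        @c_store.add_crl(crl)
        return crl
      end
      return nil
    end

    crlfiles.each do |crlfile|
      crl = load_crl(crlfile)
      next unless crl
      if stale?(crl)
        new_crl = renew_crl(cert, ca)
        if new_crl
          @c_store.delete_crl(crl)
          @c_store.add_crl(new_crl)
          crl = new_crl
        end
        # NOTE(security): when the refresh fails we fall through with the
        # stale CRL; check_valid deliberately does not reject it.
      end
      return crl if check_valid(crl, ca)
    end
    nil
  end

  # True when crl's nextUpdate lies in the past. nextUpdate is optional in a
  # CRL and the OpenSSL binding is expected to return nil for it then; such a
  # CRL is treated as never stale rather than raising on a nil comparison.
  def stale?(crl)
    next_update = crl.next_update
    !next_update.nil? && next_update < Time.now
  end

  # Returns the stored certificate for cert.issuer whose key verifies cert's
  # signature, or nil. Only the signature is checked: the CA's own validity
  # period and extensions are not, so the store must hold trusted CAs only.
  def find_ca(cert)
    # get_crls returns nil for an unknown name (see do_find_crl); guard
    # get_certs the same way instead of raising on nil.each.
    certs = @c_store.get_certs(cert.issuer) || []
    certs.each do |cafile|
      ca = load_cert(cafile)
      return ca if cert.verify(ca.public_key)
    end
    nil
  end

  # Retrieves the body at a "URI:<url>" distribution point with http-access2,
  # honouring http_proxy / HTTP_PROXY. Returns nil for any other location
  # type, when http-access2 is not loaded (the NameError on HTTPAccess2 is
  # rescued), or on any transport error. The result is untrusted bytes:
  # renew_crl must verify the CRL signature before using it, which is also
  # why plain HTTP is acceptable for CRL transport.
  def fetch(location)
    match = /\AURI:(.*)\z/.match(location)
    return nil unless match
    begin
      client = HTTPAccess2::Client.new(ENV['http_proxy'] || ENV['HTTP_PROXY'])
      client.get_content(match[1])
    rescue StandardError # NameError (no http-access2) is a StandardError too
      nil
    end
  end

  def load_cert(certfile)
    load_cert_str(File.read(certfile))
  end

  def load_crl(crlfile)
    load_crl_str(File.read(crlfile))
  end

  # Parses PEM/DER; raises OpenSSL::X509::CertificateError on malformed input.
  def load_cert_str(cert_str)
    OpenSSL::X509::Certificate.new(cert_str)
  end

  # Parses PEM/DER; raises OpenSSL::X509::CRLError on malformed input.
  def load_crl_str(crl_str)
    OpenSSL::X509::CRL.new(crl_str)
  end

  # True when crl is signed by ca's key and its thisUpdate is not in the
  # future. Deliberately does NOT reject a CRL whose nextUpdate has passed:
  # do_find_crl relies on that to fall back to a stale CRL when renewal fails.
  def check_valid(crl, ca)
    return false unless crl.verify(ca.public_key)
    crl.last_update <= Time.now
  end

  RE_CDP = /\AcrlDistributionPoints\z/

  # Returns the printable value of cert's crlDistributionPoints extension
  # (trailing newline stripped), or false when the extension is absent. The
  # value is handed to fetch unchanged, so only a value that is exactly
  # "URI:<url>" leads to a download.
  def get_cdp(cert)
    cdp_ext = cert.extensions.find { |ext| RE_CDP =~ ext.oid }
    cdp_ext ? cdp_ext.value.chomp : false
  end

  # Downloads and verifies a fresh CRL for cert from its distribution point.
  # Returns the new CRL, or false when cert has no CDP, the download fails,
  # the response is not a parseable CRL, or it does not verify under ca.
  def renew_crl(cert, ca)
    cdp = get_cdp(cert)
    return false unless cdp
    new_crl_str = fetch(cdp)
    return false unless new_crl_str
    begin
      new_crl = load_crl_str(new_crl_str)
    rescue OpenSSL::X509::CRLError
      # The body came from the network; a malformed response must not abort
      # the whole lookup, it simply means no renewal this time.
      return false
    end
    check_valid(new_crl, ca) ? new_crl : false
  end
end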
# Demo entry point: look up (and, with http-access2 present, refresh) the CRL
# for a sample certificate, using ./trust_certs as the hashed CA/CRL directory.
if $0 == __FILE__
  store = CrlStore.new(CHashDir.new("trust_certs"))
  sample = OpenSSL::X509::Certificate.new(File.read("cert_store/google_codesign.pem"))
  p store.find_crl(sample)
end