@Hexa
Created March 15, 2012 15:29
module OpenSSL::OCSP: the example from the reference manual, patched so that it actually runs
## module OpenSSL::OCSP
## http://doc.ruby-lang.org/ja/1.9.3/class/OpenSSL=3a=3aOCSP.html
require 'openssl'
require 'net/http'

## Added so the example can be run: load the client certificate and its issuing CA
## from PEM files and build the trust store used to verify the OCSP response.
ca_cert = OpenSSL::X509::Certificate.new(File.read('client-ca.pem'))
cert = OpenSSL::X509::Certificate.new(File.read('client.pem'))
store = OpenSSL::X509::Store.new
store.add_cert(cert)      # not needed for verification (only the CA must be trusted), kept from the test setup
store.add_cert(ca_cert)
##

# Identify the certificate to check by its serial plus the issuer's name and key hashes.
cid = OpenSSL::OCSP::CertificateId.new(cert, ca_cert)
req = OpenSSL::OCSP::Request.new
req.add_certid(cid)
req.add_nonce             # random nonce so the response can be tied to this request

http = Net::HTTP.new('ocsp.example.com', 8000)
httpres = http.post("/", req.to_der, 'content-type' => 'application/ocsp-request')
raise "HTTP error" if !httpres.kind_of?(Net::HTTPOK)

res = OpenSSL::OCSP::Response.new(httpres.body)
puts "Response status: #{res.status_string}"
exit if res.status != OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL

basic_resp = res.basic
# check_nonce returns 1 only when request and response both carry the same nonce.
raise "nonce error" unless req.check_nonce(basic_resp) == 1
# Verify the responder's signature and chain against the store; a response that
# does not verify must not be used, so stop here rather than printing and continuing.
raise "verify response fail" unless basic_resp.verify([], store)

# Each entry of status is [certid, status, reason, revocation_time, this_update, next_update, extensions].
rescid, status, reason, revtime, thisupd, nextupd, exts = basic_resp.status.first
STATUS2MESSAGE = {
  OpenSSL::OCSP::V_CERTSTATUS_GOOD    => "OK",
  OpenSSL::OCSP::V_CERTSTATUS_REVOKED => "REVOKED",
  OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN => "UNKNOWN",
}
puts "status: #{STATUS2MESSAGE[status]}"
puts "reason: #{reason}" if status == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
puts "revoked time: #{revtime}" if status == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
puts "crl update: #{thisupd}"
puts "crl next update: #{nextupd}"
puts "extensions:"
exts.each { |ext| p ext }
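The gist only shows the client half and needs a live responder at ocsp.example.com plus two PEM files. The following is an added example (not part of the gist) that runs the whole exchange in-process: it generates a throwaway CA and leaf certificate, implements a minimal responder with the same OpenSSL::OCSP classes, and runs the client checks from the gist with every failure turned into a return value. It also adds two checks a verifier should do that the gist does not: that the CertificateId in the answer is the one that was asked for, and that nextUpdate has not passed. The `demo` driver shows a good answer, a revoked answer, and a response signed by a CA outside the trust store, which the verify step must reject. All names (`issue_cert`, `ocsp_responder`, `ocsp_client`, `demo`), serials and subjects are constructed for this example; it assumes the openssl gem 2.0+ API (Ruby 2.4 or later) for the digest argument to `BasicResponse#sign`.

```ruby
require 'openssl'

# Build a throwaway certificate (self-signed when issuer_cert is nil). Demo-only PKI.
def issue_cert(subject, key, issuer_cert, issuer_key, serial, ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign,digitalSignature' : 'digitalSignature', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Responder side: parse the DER request, answer each CertificateId from a constructed
# list of revoked serials, copy the client's nonce into the response and sign it.
def ocsp_responder(req_der, signer_cert, signer_key, revoked_serials)
  req = OpenSSL::OCSP::Request.new(req_der)
  bres = OpenSSL::OCSP::BasicResponse.new
  bres.copy_nonce(req)
  req.certid.each do |cid|
    if revoked_serials.include?(cid.serial.to_i)
      # Integer times are seconds relative to now: revoked 60 s ago, thisUpdate now, nextUpdate in 300 s
      bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_REVOKED,
                      OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE, -60, 0, 300, [])
    else
      bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, 0, 300, [])
    end
  end
  bres.sign(signer_cert, signer_key, [], 0, 'SHA256')  # flags 0 embeds the signer cert
  OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres).to_der
end

# Client side: the gist's checks, returning a result Hash instead of printing, plus a
# match of the answered CertificateId against the requested one and a freshness check.
def ocsp_client(cert, ca_cert, store, responder)
  cid = OpenSSL::OCSP::CertificateId.new(cert, ca_cert)
  req = OpenSSL::OCSP::Request.new
  req.add_certid(cid)
  req.add_nonce
  res = OpenSSL::OCSP::Response.new(responder.call(req.to_der))
  unless res.status == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
    return { ok: false, error: "responder status: #{res.status_string}" }
  end
  bres = res.basic
  # 1 means a nonce is present on both sides and equal; anything else is a replay risk
  return { ok: false, error: 'nonce check failed' } unless req.check_nonce(bres) == 1
  # Signature and chain must validate against the store before any field is believed
  return { ok: false, error: 'response signature or chain invalid' } unless bres.verify([], store)
  rcid, status, reason, revtime, thisupd, nextupd, _exts = bres.status.first
  return { ok: false, error: 'response is for a different certificate' } unless rcid.to_der == cid.to_der
  return { ok: false, error: 'response is stale' } if nextupd && nextupd < Time.now
  { ok: true, status: status, reason: reason, revoked_at: revtime,
    this_update: thisupd, next_update: nextupd }
end

# Wire both sides together. revoke_leaf puts the leaf's serial on the responder's
# revocation list; rogue_signer signs with a CA that is not in the client's store.
def demo(revoke_leaf: false, rogue_signer: false)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = issue_cert('/CN=Demo CA', ca_key, nil, nil, 1, true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = issue_cert('/CN=client', leaf_key, ca_cert, ca_key, 4242, false)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)  # only the CA needs to be trusted, not the leaf
  signer_cert, signer_key = ca_cert, ca_key
  if rogue_signer
    signer_key = OpenSSL::PKey::RSA.new(2048)
    signer_cert = issue_cert('/CN=Rogue CA', signer_key, nil, nil, 99, true)
  end
  revoked = revoke_leaf ? [4242] : []
  responder = ->(der) { ocsp_responder(der, signer_cert, signer_key, revoked) }
  ocsp_client(leaf, ca_cert, store, responder)
end

if __FILE__ == $0
  p demo
  p demo(revoke_leaf: true)
  p demo(rogue_signer: true)
end
```

Run it directly to see the three outcomes. The responder lambda stands in for the `Net::HTTP#post` call in the gist; swapping it for a real HTTP round trip changes nothing on the verification side, which is the point: every check the client performs (nonce, signature and chain, matching CertificateId, freshness) depends only on the request it built and the trust store it owns, not on anything the transport provides.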