Method: OpenSSL::OCSP::SingleResponse#check_validity

Defined in:
ossl_ocsp.c

#check_validity(nsec = 0, maxsec = -1) ⇒ Object

Checks the validity of thisUpdate and nextUpdate fields of this SingleResponse. This checks the current time is within the range thisUpdate to nextUpdate.

It is possible that the OCSP request takes a few seconds or the time is not accurate. To avoid rejecting a valid response, this method allows the times to be within nsec seconds of the current time.

Some responders don’t set the nextUpdate field. This may cause a very old response to be considered valid. The maxsec parameter can be used to limit the age of responses.



1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
 
# File 'ossl_ocsp.c', line 1195

static VALUE
ossl_ocspsres_check_validity(int argc, VALUE *argv, VALUE self)
{
    OCSP_SINGLERESP *sres;
    ASN1_GENERALIZEDTIME *this_update, *next_update;
    VALUE nsec_v, maxsec_v;
    int nsec, maxsec, status, ret;

    rb_scan_args(argc, argv, "02", &nsec_v, &maxsec_v);
    nsec = NIL_P(nsec_v) ? 0 : NUM2INT(nsec_v);
    maxsec = NIL_P(maxsec_v) ? -1 : NUM2INT(maxsec_v);

    GetOCSPSingleRes(self, sres);
    status = OCSP_single_get0_status(sres, NULL, NULL, &this_update, &next_update);
    if (status < 0)
  ossl_raise(eOCSPError, "OCSP_single_get0_status");

    ret = OCSP_check_validity(this_update, next_update, nsec, maxsec);

    if (ret)
  return Qtrue;
    else {
  ossl_clear_error();
  return Qfalse;
    }
}