ocsp: add OpenSSL::OCSP::Request#signed?

rhenium · rhenium · commit af8a14df6994 · 2017-06-19T15:50:54.000+09:00
Add a method to check whether the OpenSSL::OCSP::Request is signed or
not. Currently there is no way to distinguish them except inspecting
DER encoding or parsing verification error message.
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
@@ -404,6 +404,9 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
  * Verifies this request using the given _certificates_ and _store_.
  * _certificates_ is an array of OpenSSL::X509::Certificate, _store_ is an
  * OpenSSL::X509::Store.
+ *
+ * Note that +false+ is returned if the request does not have a signature.
+ * Use #signed? to check whether the request is signed or not.
  */
 
 static VALUE
@@ -452,6 +455,22 @@ ossl_ocspreq_to_der(VALUE self)
     return str;
 }
 
+/*
+ * call-seq:
+ *    request.signed? -> true or false
+ *
+ * Returns +true+ if the request is signed, +false+ otherwise. Note that the
+ * validity of the signature is *not* checked. Use #verify to verify that.
+ */
+static VALUE
+ossl_ocspreq_signed_p(VALUE self)
+{
+    OCSP_REQUEST *req;
+
+    GetOCSPReq(self, req);
+    return OCSP_request_is_signed(req) ? Qtrue : Qfalse;
+}
+
 /*
  * OCSP::Response
  */
@@ -1809,6 +1828,7 @@ Init_ossl_ocsp(void)
     rb_define_method(cOCSPReq, "check_nonce", ossl_ocspreq_check_nonce, 1);
     rb_define_method(cOCSPReq, "add_certid", ossl_ocspreq_add_certid, 1);
     rb_define_method(cOCSPReq, "certid", ossl_ocspreq_get_certid, 0);
+    rb_define_method(cOCSPReq, "signed?", ossl_ocspreq_signed_p, 0);
     rb_define_method(cOCSPReq, "sign", ossl_ocspreq_sign, -1);
     rb_define_method(cOCSPReq, "verify", ossl_ocspreq_verify, -1);
     rb_define_method(cOCSPReq, "to_der", ossl_ocspreq_to_der, 0);
diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb
@@ -128,6 +128,21 @@ def test_request_sign_verify
       # fixed by OpenSSL 1.0.1j, 1.0.2 and LibreSSL 2.4.2
       pend "RT2560: ocsp_req_find_signer"
     end
+
+    # not signed
+    req = OpenSSL::OCSP::Request.new.add_certid(cid)
+    assert_equal false, req.verify([], store)
+  end
+
+  def test_request_is_signed
+    cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert)
+    req = OpenSSL::OCSP::Request.new
+    req.add_certid(cid)
+    assert_equal false, req.signed?
+    assert_equal false, OpenSSL::OCSP::Request.new(req.to_der).signed?
+    req.sign(@cert, @cert_key, [])
+    assert_equal true, req.signed?
+    assert_equal true, OpenSSL::OCSP::Request.new(req.to_der).signed?
   end
 
   def test_request_nonce
