class OpenSSL::X509::Store
The X509 certificate store holds trusted CA certificates used to verify peer certificates.
The easiest way to create a useful certificate store is:
cert_store = OpenSSL::X509::Store.new cert_store.set_default_paths
This will use your system’s built-in certificates.
If your system does not have a default set of certificates you can obtain a set extracted from Mozilla CA certificate store by cURL maintainers here: curl.haxx.se/docs/caextract.html (You may wish to use the firefox-db2pem.sh script to extract the certificates from a local install to avoid man-in-the-middle attacks.)
After downloading or generating a cacert.pem from the above link you can create a certificate store from the pem file like this:
cert_store = OpenSSL::X509::Store.new cert_store.add_file 'cacert.pem'
The certificate store can be used with an SSLSocket like this:
ssl_context = OpenSSL::SSL::SSLContext.new ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER ssl_context.cert_store = cert_store tcp_socket = TCPSocket.open 'example.com', 443 ssl_socket = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context
Public Class Methods
() → void
Source
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 12075
def initialize: () -> void
Creates a new X509::Store.
Public Instance Methods
(Certificate certificate) → self
Source
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 11885
def add_cert: (Certificate certificate) -> self
Adds the OpenSSL::X509::Certificate cert to the certificate store.
See also the man page X509_STORE_add_cert(3).
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 11895
def add_crl: (CRL crl) -> self
Adds the OpenSSL::X509::CRL crl to the store.
See also the man page X509_STORE_add_crl(3).
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 11907
def add_file: (String file) -> self
Adds the certificates in file to the certificate store. file is the path to the file, and the file contains one or more certificates in PEM format concatenated together.
See also the man page X509_LOOKUP_file(3).
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 11917
def add_path: (String path) -> self
Adds path as the hash dir to be looked up by the store.
See also the man page X509_LOOKUP_hash_dir(3).
() → Array[Certificate]?
Source
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 11924
def chain: () -> Array[Certificate]?
The certificate chain constructed by the last call of verify.
See also StoreContext#chain.
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 11931
def error: () -> Integer?
The error code set by the last call of verify.
See also StoreContext#error.
() → String?
Source
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 11938
def error_string: () -> String?
The description for the error code set by the last call of verify.
See also StoreContext#error_string.
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 11955
def flags=: (Integer flags) -> Integer
Sets the default flags used by certificate chain verification performed with the Store.
flags consists of zero or more of the constants defined in OpenSSL::X509 with name V_FLAG_* or’ed together.
OpenSSL::X509::StoreContext#flags= can be used to change the flags for a single verification operation.
See also the man page X509_VERIFY_PARAM_set_flags(3).
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 11980
def purpose=: (Integer purpose) -> Integer
Sets the store’s default verification purpose. If specified, the verifications on the store will check every certificate’s extensions are consistent with the purpose. The purpose is specified by constants:
OpenSSL::X509::StoreContext#purpose= can be used to change the value for a single verification operation.
See also the man page X509_VERIFY_PARAM_set_purpose(3).
() → nil
Source
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 11995
def set_default_paths: () -> nil
Configures store to look up CA certificates from the system default certificate store as needed basis. The location of the store can usually be determined by:
See also the man page X509_STORE_set_default_paths(3).
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 12009
def time=: (Time time) -> Time
Sets the time to be used in the certificate verifications with the store. By default, if not specified, the current system time is used.
OpenSSL::X509::StoreContext#time= can be used to change the value for a single verification operation.
See also the man page X509_VERIFY_PARAM_set_time(3).
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 12023
def trust=: (Integer trust) -> Integer
Sets the default trust settings used by the certificate verification with the store.
OpenSSL::X509::StoreContext#trust= can be used to change the value for a single verification operation.
See also the man page X509_VERIFY_PARAM_set_trust(3).
(Certificate certificate, ?Array[Certificate] chain) ?{ (bool preverify_ok, StoreContext store_ctx) → boolish } → boolish
Source
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 12040
def verify: (Certificate certificate, ?Array[Certificate] chain) ?{ (bool preverify_ok, StoreContext store_ctx) -> boolish } -> boolish
Performs a certificate verification on the OpenSSL::X509::Certificate cert.
chain can be an array of OpenSSL::X509::Certificate that is used to construct the certificate chain.
If a block is given, it overrides the callback set by verify_callback=.
After finishing the verification, the error information can be retrieved by
error, error_string, and the resulting complete certificate chain can be retrieved by chain.
() → (^(bool preverify_ok, StoreContext store_ctx) → boolish | nil)
Source
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 12057
def verify_callback: () -> (^(bool preverify_ok, StoreContext store_ctx) -> boolish | nil)
The callback for additional certificate verification. It is invoked for each certificate in the chain and can be used to implement custom certificate verification conditions.
The callback is invoked with two values, a boolean that indicates if the pre-verification by OpenSSL has succeeded or not, and the StoreContext in use.
The callback can use StoreContext#error= to change the error code as needed. The callback must return either true or false.
NOTE: any exception raised within the callback will be ignored.
See also the man page X509_STORE_CTX_set_verify_cb(3).
[U] (^(bool preverify_ok, StoreContext store_ctx) → boolish) → U
Source
# File vendor/bundle/ruby/4.0.0/gems/rbs-4.0.3/stdlib/openssl/0/openssl.rbs, line 12065
def verify_callback=: [U] (^(bool preverify_ok, StoreContext store_ctx) -> boolish) -> U
General callback for OpenSSL verify