模組 OpenSSL::Timestamp
提供類別和方法以請求、建立和驗證符合 RFC3161 標準的時間戳記。 Request
可用於從頭開始建立請求,或解析現有的請求,然後可用於從時間戳記伺服器請求時間戳記,例如透過 net/http。生成的時間戳記回應可使用 Response
進行解析。
請注意,Response
是唯讀且不可變的。要建立 Response
,需要 Factory
的實例以及有效的 Request
。
建立回應:¶ ↑
#Assumes ts.p12 is a PKCS#12-compatible file with a private key #and a certificate that has an extended key usage of 'timeStamping' p12 = OpenSSL::PKCS12.new(File.binread('ts.p12'), 'pwd') md = OpenSSL::Digest.new('SHA1') hash = md.digest(data) #some binary data to be timestamped req = OpenSSL::Timestamp::Request.new req.algorithm = 'SHA1' req.message_imprint = hash req.policy_id = "1.2.3.4.5" req.nonce = 42 fac = OpenSSL::Timestamp::Factory.new fac.gen_time = Time.now fac.serial_number = 1 timestamp = fac.create_timestamp(p12.key, p12.certificate, req)
驗證時間戳記回應:¶ ↑
#Assume we have a timestamp token in a file called ts.der ts = OpenSSL::Timestamp::Response.new(File.binread('ts.der')) #Assume we have the Request for this token in a file called req.der req = OpenSSL::Timestamp::Request.new(File.binread('req.der')) # Assume the associated root CA certificate is contained in a # DER-encoded file named root.cer root = OpenSSL::X509::Certificate.new(File.binread('root.cer')) # get the necessary intermediate certificates, available in # DER-encoded form in inter1.cer and inter2.cer inter1 = OpenSSL::X509::Certificate.new(File.binread('inter1.cer')) inter2 = OpenSSL::X509::Certificate.new(File.binread('inter2.cer')) ts.verify(req, root, inter1, inter2) -> ts or raises an exception if validation fails