ccrypto-java 0.1.0 → 0.2.0

data/lib/ccrypto/java/ext/x509_csr.rb

@@ -0,0 +1,151 @@
+
+#require 'pry'
+
+require_relative '../data_conversion'
+
+module Ccrypto
+  class X509CSR
+    include TR::CondUtils
+
+    include Java::DataConversion
+
+    include TeLogger::TeLogHelper
+    teLogger_tag :j_x509csr
+
+    attr_reader :request_subject_full
+
+    def initialize(csr)
+      @nativeCSR = csr
+    end
+
+    def to_bin
+      @nativeCSR.encoded
+    end
+
+    def to_pem
+
+      baos = java.io.ByteArrayOutputStream.new
+
+      writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(baos))
+
+      begin
+        writer.writeObject(@nativeCSR)
+      ensure
+        writer.flush
+        writer.close  
+      end 
+
+      baos.toByteArray
+      
+    end
+
+    def csr_info
+      if @csrInfo.nil?
+        @csrInfo = parseCSR(@nativeCSR)
+      end
+      @csrInfo
+    end
+
+    def parseCSR(csrBin)
+
+      case csrBin
+      when ::Java::byte[]
+        csr = org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest.new(csrBin)
+
+      when String
+        # this assumed input is a PEM formatted content
+        reader = org.bouncycastle.openssl.PEMParser.new(java.io.InputStreamReader.new(java.io.ByteArrayInputStream.new(to_java_bytes(csrBin))))
+        csr = reader.readObject
+        raise X509CSRException, "Given CSR string to load does not encapsulate a CSR structure. It is read as '#{csr.class.name}'" if not csr.is_a?(org.bouncycastle.pkcs::PKCS10CertificationRequest)
+
+      when Ccrypto::X509CSR
+        csr = csrBin.nativeCSR
+
+      else
+        raise X509CSRException, "Unknown how to handle CSR of format #{csrBin.class}"
+
+      end
+
+
+      cvProv = org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.build(csr.getSubjectPublicKeyInfo)
+      # 18 Apr 2023
+      # Not all curves are supported under X509 I think. At least those not well known curve such as B-163 from BC
+      # not able to verify the signature
+      raise X509CSRSignatureInvalid, "CSR signature is not valid" if not csr.isSignatureValid(cvProv)
+
+      certProfile = Ccrypto::X509::CertProfile.new
+
+      @request_subject_full = csr.getSubject.to_s
+      subj = csr.getSubject.to_s
+      subj.split(",").each do |e|
+        ee = e.split("=")
+        case ee[0]
+        when "CN"
+          certProfile.owner_name = ee[1]
+        when "O"
+          certProfile.org = ee[1]
+        when "OU"
+          certProfile.org_unit = ee[1]
+        when "E"
+          certProfile.email = ee[1]
+        end
+      end
+
+
+      pubKeyParam = org.bouncycastle.crypto.util.PublicKeyFactory.createKey(csr.subject_public_key_info)
+      curveName = org.bouncycastle.asn1.x9.ECNamedCurveTable.get_name(pubKeyParam.parameters.name)
+
+      spec = org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util.convertToSpec(pubKeyParam.getParameters)
+      point= org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util.convertPoint(pubKeyParam.getQ)
+      pubKeySpec = java.security.spec.ECPublicKeySpec.new(point, spec)
+      pubKey = java.security.KeyFactory.getInstance("EC", Ccrypto::Java::JCEProvider::DEFProv).generatePublic(pubKeySpec)
+      certProfile.public_key = Ccrypto::Java::ECCPublicKey.new(pubKey, curveName)
+
+      csr.attributes.each do |att|
+     
+        ext = org.bouncycastle.asn1.x509.Extensions.getInstance(att.getAttrValues.getObjectAt(0))
+
+        gns = org.bouncycastle.asn1.x509.GeneralNames.fromExtensions(ext,org.bouncycastle.asn1.x509.Extension.subjectAlternativeName)
+        gns.getNames.each do |n|
+          #p n.getTagNo
+          case n.getTagNo
+          when org.bouncycastle.asn1.x509.GeneralName.dNSName
+            certProfile.dns_name = n.getName.to_s
+          when org.bouncycastle.asn1.x509.GeneralName.iPAddress
+            val = org.bouncycastle.asn1.DEROctetString.getInstance(n.getName.toASN1Primitive).getOctets
+            begin
+              certProfile.ip_addr = java.net.InetAddress.getByAddress(val).getHostAddress
+            rescue java.net.UnknownHostException => ex
+              certProfile.ip_addr = "Error decoding IP address : #{ex.message}"
+              teLogger.error "Failed to decode IP address from CSR"
+              teLogger.error ex.message
+              teLogger.error ex.backtrace.join("\n")
+            end
+          when org.bouncycastle.asn1.x509.GeneralName.uniformResourceIdentifier
+            certProfile.uri = n.getName.to_s
+          when org.bouncycastle.asn1.x509.GeneralName.rfc822Name
+            certProfile.email = n.getName.to_s
+          when org.bouncycastle.asn1.x509.GeneralName.otherName
+            ext = org.bouncycastle.asn1.x509.Extension.getInstance(n.getName)
+            certProfile.custom_extension[ext.extnId.to_s] = { value: ext.extnValue.octets.to_s, critical: ext.critical?, type: :string }
+          else
+            teLogger.debug "Unknown field tag no #{n.getTagNo}"
+          end
+        end
+
+        ext.oids.each do |o|
+          v = ext.getExtension(o)
+          next if v.extnId.to_s == org.bouncycastle.asn1.x509.Extension.subjectAlternativeName.to_s
+
+          certProfile.custom_extension[v.extnId.to_s] = { value: v.extnValue.octets.to_s, critical: v.critical?, type: :string }
+        end
+
+      
+      end
+
+      certProfile
+      
+    end
+
+  end
+end

data/lib/ccrypto/java/jce_provider.rb

@@ -36,17 +36,6 @@ module Ccrypto
         add_provider
       end
 
-      #def set_default_provider(prov)
-
-      #  case prov
-      #  when String
-      #  when java.security.Provider
-      #    add_provider(prov) if not is_provider_registered?(prov)
-      #    @defProvider = prov
-      #  end
-
-      #end
-
     end
   end
 end

data/lib/ccrypto/java/keystore/jce_keystore.rb

@@ -0,0 +1,205 @@
+
+require_relative 'keystore'
+
+module Ccrypto
+  module Java
+    module Keystore
+
+      class JCEKeystore
+        include TR::CondUtils
+        include DataConversion
+
+        class KeystoreException < StandardError; end
+
+        def self.from_keystore(bin, storeType, &block)
+
+          raise KeystoreException, "block is required" if not block
+
+          logger = block.call(:logger) || TeLogger::TLogger.new(STDOUT)
+
+          prov = block.call(:jce_provider)
+
+          if not_empty?(prov)
+            logger.debug "Keystore type '#{storeType}' with provider #{prov}"
+            ks = java.security.KeyStore.getInstance(storeType, prov)
+          else
+            logger.debug "Keystore type '#{storeType}' with nil provider"
+            ks = java.security.KeyStore.getInstance(storeType)
+          end
+
+          pass = block.call(:store_pass)
+          name = block.call(:key_name)
+
+          inForm = block.call(:in_format)
+          case inForm
+          when :b64
+            inp = from_b64(bin)
+          when :hex
+            inp = from_hex(bin)
+          else
+            inp = bin
+          end
+
+          bbin = to_java_bytes(inp)
+
+          ks.load(java.io.ByteArrayInputStream.new(bbin),pass.to_java.toCharArray)
+
+
+          logger.debug "Aliases found from keystore : #{ks.aliases.to_a.join(", ")}"
+          logger.debug "Given key name : #{name}"
+
+          # on situation there are multiple aliases, which is an error condition
+          # all subsequent chain and userCert shall be nil
+          name = ks.aliases.to_a.first if is_empty?(name)
+
+          logger.debug "Alias used to select cert and key : #{name}"
+
+          userCert = Ccrypto::X509Cert.new(ks.getCertificate(name))
+          raise KeystoreException, "User certificate is nil. Alias used to retrieve user certificate is '#{name}'. Aliases detected from the keystore are: #{ks.aliases.to_a.join(", ")}" if userCert.nil?
+          chain = ks.get_certificate_chain(name)
+          if not chain.nil?
+            chain = chain.collect { |c| Ccrypto::X509Cert.new(c) }
+          else
+            chain = []
+          end
+
+          key = ks.getKey(name, pass.to_java.toCharArray)
+          raise KeystoreException, "Private key is nil. Alias used to retrieve private key is '#{name}'. Aliases detected from the keystore are: #{ks.aliases.to_a.join(", ")}" if key.nil?
+          kp = java.security.KeyPair.new(userCert.getPublicKey, key)
+          case key
+          when java.security.interfaces.ECPrivateKey
+            param = java.security.AlgorithmParameters.getInstance("EC")
+            param.init(key.params)
+            oid = param.getParameterSpec(java.security.spec.ECGenParameterSpec.java_class).name
+            curve = org.bouncycastle.asn1.x9.ECNamedCurveTable.getName(org.bouncycastle.asn1.ASN1ObjectIdentifier.new(oid)) 
+            logger.debug "Recover curve info : #{curve}"
+            conf = Ccrypto::Java::ECCEngine.find_curve(curve) 
+            logger.debug "Found config : #{conf}"
+            [Ccrypto::Java::ECCKeyBundle.new(kp, conf), userCert, chain]
+
+          when org.bouncycastle.jcajce.provider.asymmetric.ec::BCECPrivateKey
+            curve = key.params.name
+            logger.debug "Recover curve info : #{curve}"
+            conf = Ccrypto::Java::ECCEngine.find_curve(curve) 
+            logger.debug "Found config : #{conf}"
+            [Ccrypto::Java::ECCKeyBundle.new(kp, conf), userCert, chain]
+          when java.security.interfaces.RSAPrivateKey
+            [Ccrypto::Java::RSAKeyBundle.new(kp), userCert, chain]
+          else
+            raise KeystoreException, "Unknown key type #{key}"
+          end
+          
+        end # from_keystore
+
+        def self.to_keystore(storeType, &block)
+          raise KeystoreException, "Block is required" if not block
+
+          logger = block.call(:logger) || TeLogger::TLogger.new(STDOUT)
+
+          logger.debug "storetype #{storeType}"
+
+          prov = block.call(:jce_provider)
+
+          pkcs12NewCipher = false
+          if storeType == "PKCS12"
+            pkcs12NewCipher = block.call(:pkcs12_new_cipher?)
+            if pkcs12NewCipher == true
+              storeType = "JKS"
+              prov = nil
+              logger.debug "PKCS12 new cipher is on. Write to JKS first."
+            end
+          end
+
+          if not_empty?(prov)
+            logger.debug "Generating keystore of #{storeType} from provider #{prov}"
+            ks = java.security.KeyStore.getInstance(storeType, prov)
+          else
+            logger.debug "Generating keystore of #{storeType} using SUN provider"
+            ks = java.security.KeyStore.getInstance(storeType)
+          end
+
+          ks.load(nil,nil)
+
+          gcert = block.call(:cert)
+          raise KeystoreException, "#{storeType.upcase} requires the owner's X.509 certificate" if is_empty?(gcert)
+
+          ca = block.call(:cert_chain) || block.call(:certchain) || [gcert]
+          ca = [gcert] if ca.nil?
+          ca = ca.unshift(gcert) if not ca.first.equal?(gcert)
+          ca = ca.collect { |c|
+            Ccrypto::X509Cert.to_java_cert(c) 
+          }
+
+          logger.debug "Cert Chain : #{ca.inspect}"
+
+          pass = block.call(:store_pass)
+          raise KeystoreException, "Password is required" if is_empty?(pass)
+
+          name = block.call(:key_name)
+          name = "Keystore for #{gcert.owner.name}" if is_empty?(name)
+
+          keypair = block.call(:keypair)
+          raise KeystoreException, "Keypair is required" if is_empty?(keypair)
+
+          logger.debug "Setting key entry with name : #{name}"
+          ks.setKeyEntry(name, keypair.private, pass.to_java.toCharArray, ca.to_java(java.security.cert.Certificate))
+
+          baos = java.io.ByteArrayOutputStream.new
+          ks.store(baos, pass.to_java.toCharArray)
+          res = baos.toByteArray
+
+          output = block.call(:output)
+          if not_empty?(output)
+            if pkcs12NewCipher
+              randName = SecureRandom.uuid
+              File.open(randName,"wb") do |f|
+                f.write res
+              end
+
+              # temporary until BC or JCE has way to completely support this to be able to load from OpenSSL
+              `keytool -importkeystore -alias "#{name}" -destalias "#{name}" -srckeystore #{randName} -destkeystore "#{output}" -srcstoretype JKS -deststoretype PKCS12 -srcstorepass "#{pass}" -deststorepass "#{pass}" -noprompt`
+
+              FileUtils.rm(randName)
+            else
+              File.open(output,"wb") do |f|
+                f.write res
+              end
+            end
+          else
+            outForm = block.call(:out_format)
+            case outForm
+            when :b64
+              bres = to_b64(res)
+            when :hex
+              bres = to_hex(res)
+            else
+              bres = res
+            end
+
+            if pkcs12NewCipher
+              randName = SecureRandom.uuid
+              File.open(randName,"wb") do |f|
+                f.write bres
+              end
+
+              # temporary until BC or JCE has way to completely support this to be able to load from OpenSSL
+              `keytool -importkeystore -alias "#{name}" -destalias "#{name}" -srckeystore #{randName} -destkeystore "#{output}" -srcstoretype JKS -deststoretype PKCS12 -srcstorepass "#{pass}" -deststorepass "#{pass}" -noprompt`
+
+              bcres = File.read(randName)
+              FileUtils.rm(randName)
+
+              bcres
+            else
+              bres
+            end
+
+          end
+
+        end # to_keystore
+
+
+      end # class JCEKeystore
+
+    end # module Keystore
+  end # module Java
+end # module Ccrypto

data/lib/ccrypto/java/keystore/jks_keystore.rb

@@ -0,0 +1,52 @@
+
+require_relative 'jce_keystore'
+
+module Ccrypto
+  module Java
+    module Keystore
+
+      class JKSKeystore
+        include TR::CondUtils
+        include DataConversion
+
+        def self.from_jks(bin, &block)
+
+          raise Ccrypto::Keystore::KeystoreException, "block is required" if not block
+
+          JCEKeystore.from_keystore(bin, "JKS") do |k|
+            case k
+            when :logger
+              logger
+            else
+              block.call(k)
+            end
+          end
+         
+        end # from_jks
+
+        def self.to_jks(&block)
+
+          raise Ccrypto::Keystore::KeystoreException, "Block is required" if not block
+
+          JCEKeystore.to_keystore("JKS") do |k|
+            case k
+            when :logger
+              logger
+            else
+              block.call(k)
+            end
+          end
+ 
+        end # to_jks
+
+
+        private
+        def self.logger
+          Ccrypto::Java.logger(:jks)
+        end
+
+      end # class PKCS12Keystore
+
+    end # module Keystore
+  end # module Java
+end # module Ccrypto

data/lib/ccrypto/java/keystore/keystore.rb

@@ -0,0 +1,97 @@
+
+require 'ccrypto/keystore'
+require_relative 'pkcs12_keystore'
+require_relative 'jks_keystore'
+
+module Ccrypto
+  module Java
+    module Keystore
+
+      def self.map_keystore_type(key)
+        case key.to_sym
+        when :pkcs12, :p12, :PKCS12, :P12, :Pkcs12
+          :pkcs12
+        when :jks, :Jks, :JKS, :java
+          :jks
+        else
+          raise Ccrypto::Keystore::KeystoreException, "Unsupported keystore type '#{key}'"
+        end
+      end
+
+      def self.load_keystore(bin, eng, &block)
+        mEng = map_keystore_type(eng)
+        case mEng
+        when :pkcs12
+          PKCS12Keystore.from_p12(bin, &block) 
+        when :jks
+          JKSKeystore.from_jks(bin, &block) 
+        else
+          raise Ccrypto::Keystore::KeystoreException, "Unsupported keystore type '#{eng}'"
+        end
+      end
+
+      def self.load_keystore_file(path, eng, &block)
+        raise Ccrypto::Keystore::KeystoreException, "Given keystore path to load '#{path}' does not exist" if not File.exist?(path)
+        raise Ccrypto::Keystore::KeystoreException, "Given keystore path to load '#{path}' cannot be read" if not File.readable?(path)
+        load_keystore(File.read(path), eng, &block)
+      end 
+
+      def self.convert_keystore(bin, fromEng, toEng, &block)
+        srcEng = map_keystore_type(fromEng)
+        mtEng = map_keystore_type(toEng)
+        kp, cert, chain = load_keystore(bin, srcEng) do |opt|
+          case opt
+          when :store_pass
+            block.call(:source_store_pass)
+          else
+            block.call(opt)
+          end
+        end
+
+        outEng = map_keystore_type(mtEng)
+        case outEng
+        when :pkcs12
+          PKCS12Keystore.to_p12 do |k|
+            case k
+            when :keypair
+              kp
+            when :cert
+              cert
+            when :cert_chain
+              chain
+            when :store_pass
+              block.call(:dest_store_pass)
+            else
+              block.call(k)
+            end
+          end
+        when :jks
+          JKSKeystore.to_jks do |k|
+            case k
+            when :keypair
+              kp
+            when :cert
+              cert
+            when :cert_chain
+              chain
+            when :store_pass
+              block.call(:dest_store_pass)
+            else
+              block.call(k)
+            end
+          end
+
+        else
+          raise Ccrypto::Keystore::KeystoreException, "Unsupported keystore type '#{eng}'"
+        end
+      end
+
+      def self.convert_keystore_file(path, fromEng, toEng, &block)
+        raise Ccrypto::Keystore::KeystoreException, "Given keystore path to load '#{path}' does not exist" if not File.exist?(path)
+        raise Ccrypto::Keystore::KeystoreException, "Given keystore path to load '#{path}' cannot be read" if not File.readable?(path)
+        convert_keystore(File.read(path), fromEng, toEng, &block)
+      end
+
+    end
+  end
+end

data/lib/ccrypto/java/keystore/pem_keystore.rb

@@ -0,0 +1,147 @@
+
+
+module Ccrypto
+  module Java
+    module Keystore
+
+      class PEMKeystore
+        include TR::CondUtils
+        include DataConversion
+
+        def self.to_pem(&block)
+
+          raise KeystoreException, "Block is required" if not block
+
+          pass = block.call(:store_pass)
+          raise KeystoreException, "Password is required" if is_empty?(pass)
+
+          keypair = block.call(:keypair)
+          raise KeystoreException, "Keypair is required" if is_empty?(keypair)
+
+          output = block.call(:output)
+          if not_empty?(output)
+            ext = File.extname(output)
+            bname = File.basename(output, ext)
+            privPath = File.join("#{bname}_priv#{ext}")
+            pubPath = File.join("#{bname}_pub#{ext}")
+
+            privHead, privFoot, pubHead, pubFoot = marker(keypair)
+            File.open(privPath,"wb") do |f|
+              f.write privHead
+              f.write to_b64(keypair.private.to_bin)
+              f.write privFoot
+            end
+
+            File.open(pubPath,"wb") do |f|
+              f.write pubHead
+              f.write to_b64(keypair.public.to_bin)
+              f.write pubFoot
+            end
+
+          else
+            [to_b64(keypair.private.to_bin),to_b64(keypair.public.to_bin)]
+
+          end
+          
+        end # def to_pem
+
+        def self.from_pem(str)
+ 
+          raise KeystoreException, "block is required" if not block
+
+          case check_keytype(str)
+          when :ecc
+            cont = str.lines[1..-2].join
+            Ccrypto::Java::ECCPrivateKey.to_key(from_b64(cont))
+          when :rsa
+          when :ed25519
+          when :x25519
+          when :crystal_dilithium
+          when :crystal_kyber
+          else
+            raise KeystoreException, "Unable to derive keytype from input : '#{str}'"
+          end
+
+          case key
+          when java.security.interfaces.ECPrivateKey
+            param = java.security.AlgorithmParameters.getInstance("EC")
+            param.init(key.params)
+            oid = param.getParameterSpec(java.security.spec.ECGenParameterSpec.java_class).name
+            curve = org.bouncycastle.asn1.x9.ECNamedCurveTable.getName(org.bouncycastle.asn1.ASN1ObjectIdentifier.new(oid)) 
+            logger.debug "Recover curve info : #{curve}"
+            conf = Ccrypto::Java::ECCEngine.find_curve(curve) 
+            logger.debug "Found config : #{conf}"
+            [Ccrypto::Java::ECCKeyBundle.new(kp, conf), userCert, chain]
+
+          when org.bouncycastle.jcajce.provider.asymmetric.ec::BCECPrivateKey
+            curve = key.params.name
+            logger.debug "Recover curve info : #{curve}"
+            conf = Ccrypto::Java::ECCEngine.find_curve(curve) 
+            logger.debug "Found config : #{conf}"
+            [Ccrypto::Java::ECCKeyBundle.new(kp, conf), userCert, chain]
+          when java.security.interfaces.RSAPrivateKey
+            [Ccrypto::Java::RSAKeyBundle.new(kp), userCert, chain]
+          else
+            raise KeystoreException, "Unknown key type #{key}"
+          end
+          
+         
+        end
+
+        private
+        def self.logger
+          Ccrypto::Java.logger(:pem_ks)
+        end
+
+        def self.marker(keypair)
+          case keypair
+          when ECCKeybundle
+            keytype = "ECC"
+          when RSAKeybundle
+            keytype = "RSA"
+          when ED25519KeyBundle
+            keytype = "ED25519"
+          when X25519KeyBundle
+            keytype = "X25519"
+          when CrystalDilithiumKeyBundle
+            keytype = "CRYSTAL DILITHIUM"
+          when CrystalKyberKeyBundle
+            keytype = "CRYSTAL KYBER"
+          else
+            raise Error, "Unsupported keypair type '#{keypair.class.name}'"
+          end
+
+          [
+            "-----BEGIN #{keytype} PRIVATE KEY-----\n",
+            "\n-----END #{keytype} PRIVATE KEY-----\n",
+            "-----BEGIN #{keytype} PUBLIC KEY-----\n",
+            "\n-----END #{keytype} PUBLIC KEY-----\n",
+          ]
+        end
+
+        def self.check_keytype(cont)
+
+          case cont
+          when /ECC/
+            :ecc
+          when /RSA/
+            :rsa
+          when /ED25519/
+            :ed25519
+          when /X25519/
+            :x25519
+          when /DILITHIUM/
+            :crystal_dilithium
+          when /KYBER/
+            :crystal_kyber
+          else
+            nil
+          end
+
+        end # def check_keytype
+        
+      end
+      
+    end
+  end
+end