RubyGems - ccrypto-java - Versions diffs - 0.1.0 → 0.2.0 - Mend

ccrypto-java 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

checksums.yaml +4 -4
data/.java-version +1 -1
data/.release_history.yml +4 -0
data/.ruby-version +1 -0
data/Gemfile +1 -1
data/Gemfile.lock +68 -53
data/Rakefile +2 -1
data/bin/console +14 -0
data/jars/bcjmail-jdk18on-172.jar +0 -0
data/jars/bcmail-jdk18on-172.jar +0 -0
data/jars/bcpg-jdk18on-172.1.jar +0 -0
data/jars/bcpkix-jdk18on-172.jar +0 -0
data/jars/bcprov-ext-jdk18on-172.jar +0 -0
data/jars/bcprov-jdk18on-172.jar +0 -0
data/jars/bctls-jdk18on-172.jar +0 -0
data/jars/bcutil-jdk18on-172.jar +0 -0
data/lib/ccrypto/java/bc_const_mapping.rb +42 -0
data/lib/ccrypto/java/data_conversion.rb +23 -2
data/lib/ccrypto/java/engines/argon2_engine.rb +95 -0
data/lib/ccrypto/java/engines/asn1_engine.rb +2 -1
data/lib/ccrypto/java/engines/bcrypt_engine.rb +56 -0
data/lib/ccrypto/java/engines/cipher_engine.rb +462 -130
data/lib/ccrypto/java/engines/compression_engine.rb +7 -28
data/lib/ccrypto/java/engines/crystal_dilithium_engine.rb +226 -0
data/lib/ccrypto/java/engines/crystal_kyber_engine.rb +260 -0
data/lib/ccrypto/java/engines/decompression_engine.rb +5 -4
data/lib/ccrypto/java/engines/digest_engine.rb +221 -139
data/lib/ccrypto/java/engines/ecc_engine.rb +249 -96
data/lib/ccrypto/java/engines/ed25519_engine.rb +211 -0
data/lib/ccrypto/java/engines/hkdf_engine.rb +82 -23
data/lib/ccrypto/java/engines/hmac_engine.rb +98 -23
data/lib/ccrypto/java/engines/pbkdf2_engine.rb +82 -33
data/lib/ccrypto/java/engines/pkcs7_engine.rb +44 -33
data/lib/ccrypto/java/engines/rsa_engine.rb +85 -31
data/lib/ccrypto/java/engines/scrypt_engine.rb +12 -3
data/lib/ccrypto/java/engines/secret_key_engine.rb +77 -12
data/lib/ccrypto/java/engines/secret_sharing_engine.rb +17 -2
data/lib/ccrypto/java/engines/x25519_engine.rb +249 -0
data/lib/ccrypto/java/engines/x509_csr_engine.rb +141 -0
data/lib/ccrypto/java/engines/x509_engine.rb +365 -71
data/lib/ccrypto/java/ext/secret_key.rb +37 -25
data/lib/ccrypto/java/ext/x509_cert.rb +429 -5
data/lib/ccrypto/java/ext/x509_csr.rb +151 -0
data/lib/ccrypto/java/jce_provider.rb +0 -11
data/lib/ccrypto/java/keystore/jce_keystore.rb +205 -0
data/lib/ccrypto/java/keystore/jks_keystore.rb +52 -0
data/lib/ccrypto/java/keystore/keystore.rb +97 -0
data/lib/ccrypto/java/keystore/pem_keystore.rb +147 -0
data/lib/ccrypto/java/keystore/pkcs12_keystore.rb +56 -0
data/lib/ccrypto/java/utils/comparator.rb +25 -2
data/lib/ccrypto/java/version.rb +1 -1
data/lib/ccrypto/java.rb +46 -0
data/lib/ccrypto/provider.rb +139 -3
metadata +40 -24
data/ccrypto-java.gemspec +0 -44
data/jars/bcmail-jdk15on-165.jar +0 -0
data/jars/bcpg-jdk15on-165.jar +0 -0
data/jars/bcpkix-jdk15on-165.jar +0 -0
data/jars/bcprov-ext-jdk15on-165.jar +0 -0
data/jars/bcprov-jdk15on-165.jar +0 -0
data/jars/bctls-jdk15on-165.jar +0 -0
data/lib/ccrypto/java/keybundle_store/pkcs12.rb +0 -125

data/lib/ccrypto/java/ext/x509_csr.rb ADDED Viewed

@@ -0,0 +1,151 @@
+#require 'pry'
+require_relative '../data_conversion'
+module Ccrypto
+  class X509CSR
+    include TR::CondUtils
+    include Java::DataConversion
+    include TeLogger::TeLogHelper
+    teLogger_tag :j_x509csr
+    attr_reader :request_subject_full
+    def initialize(csr)
+      @nativeCSR = csr
+    end
+    def to_bin
+      @nativeCSR.encoded
+    end
+    def to_pem
+      baos = java.io.ByteArrayOutputStream.new
+      writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(baos))
+      begin
+        writer.writeObject(@nativeCSR)
+      ensure
+        writer.flush
+        writer.close
+      end
+      baos.toByteArray
+    end
+    def csr_info
+      if @csrInfo.nil?
+        @csrInfo = parseCSR(@nativeCSR)
+      end
+      @csrInfo
+    end
+    def parseCSR(csrBin)
+      case csrBin
+      when ::Java::byte[]
+        csr = org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest.new(csrBin)
+      when String
+        # this assumed input is a PEM formatted content
+        reader = org.bouncycastle.openssl.PEMParser.new(java.io.InputStreamReader.new(java.io.ByteArrayInputStream.new(to_java_bytes(csrBin))))
+        csr = reader.readObject
+        raise X509CSRException, "Given CSR string to load does not encapsulate a CSR structure. It is read as '#{csr.class.name}'" if not csr.is_a?(org.bouncycastle.pkcs::PKCS10CertificationRequest)
+      when Ccrypto::X509CSR
+        csr = csrBin.nativeCSR
+      else
+        raise X509CSRException, "Unknown how to handle CSR of format #{csrBin.class}"
+      end
+      cvProv = org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.build(csr.getSubjectPublicKeyInfo)
+      # 18 Apr 2023
+      # Not all curves are supported under X509 I think. At least those not well known curve such as B-163 from BC
+      # not able to verify the signature
+      raise X509CSRSignatureInvalid, "CSR signature is not valid" if not csr.isSignatureValid(cvProv)
+      certProfile = Ccrypto::X509::CertProfile.new
+      @request_subject_full = csr.getSubject.to_s
+      subj = csr.getSubject.to_s
+      subj.split(",").each do |e|
+        ee = e.split("=")
+        case ee[0]
+        when "CN"
+          certProfile.owner_name = ee[1]
+        when "O"
+          certProfile.org = ee[1]
+        when "OU"
+          certProfile.org_unit = ee[1]
+        when "E"
+          certProfile.email = ee[1]
+        end
+      end
+      pubKeyParam = org.bouncycastle.crypto.util.PublicKeyFactory.createKey(csr.subject_public_key_info)
+      curveName = org.bouncycastle.asn1.x9.ECNamedCurveTable.get_name(pubKeyParam.parameters.name)
+      spec = org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util.convertToSpec(pubKeyParam.getParameters)
+      point= org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util.convertPoint(pubKeyParam.getQ)
+      pubKeySpec = java.security.spec.ECPublicKeySpec.new(point, spec)
+      pubKey = java.security.KeyFactory.getInstance("EC", Ccrypto::Java::JCEProvider::DEFProv).generatePublic(pubKeySpec)
+      certProfile.public_key = Ccrypto::Java::ECCPublicKey.new(pubKey, curveName)
+      csr.attributes.each do |att|
+        ext = org.bouncycastle.asn1.x509.Extensions.getInstance(att.getAttrValues.getObjectAt(0))
+        gns = org.bouncycastle.asn1.x509.GeneralNames.fromExtensions(ext,org.bouncycastle.asn1.x509.Extension.subjectAlternativeName)
+        gns.getNames.each do |n|
+          #p n.getTagNo
+          case n.getTagNo
+          when org.bouncycastle.asn1.x509.GeneralName.dNSName
+            certProfile.dns_name = n.getName.to_s
+          when org.bouncycastle.asn1.x509.GeneralName.iPAddress
+            val = org.bouncycastle.asn1.DEROctetString.getInstance(n.getName.toASN1Primitive).getOctets
+            begin
+              certProfile.ip_addr = java.net.InetAddress.getByAddress(val).getHostAddress
+            rescue java.net.UnknownHostException => ex
+              certProfile.ip_addr = "Error decoding IP address : #{ex.message}"
+              teLogger.error "Failed to decode IP address from CSR"
+              teLogger.error ex.message
+              teLogger.error ex.backtrace.join("\n")
+            end
+          when org.bouncycastle.asn1.x509.GeneralName.uniformResourceIdentifier
+            certProfile.uri = n.getName.to_s
+          when org.bouncycastle.asn1.x509.GeneralName.rfc822Name
+            certProfile.email = n.getName.to_s
+          when org.bouncycastle.asn1.x509.GeneralName.otherName
+            ext = org.bouncycastle.asn1.x509.Extension.getInstance(n.getName)
+            certProfile.custom_extension[ext.extnId.to_s] = { value: ext.extnValue.octets.to_s, critical: ext.critical?, type: :string }
+          else
+            teLogger.debug "Unknown field tag no #{n.getTagNo}"
+          end
+        end
+        ext.oids.each do |o|
+          v = ext.getExtension(o)
+          next if v.extnId.to_s == org.bouncycastle.asn1.x509.Extension.subjectAlternativeName.to_s
+          certProfile.custom_extension[v.extnId.to_s] = { value: v.extnValue.octets.to_s, critical: v.critical?, type: :string }
+        end
+      end
+      certProfile
+    end
+  end
+end

data/lib/ccrypto/java/jce_provider.rb CHANGED Viewed

@@ -36,17 +36,6 @@ module Ccrypto
         add_provider
       end
-      #def set_default_provider(prov)
-      #  case prov
-      #  when String
-      #  when java.security.Provider
-      #    add_provider(prov) if not is_provider_registered?(prov)
-      #    @defProvider = prov
-      #  end
-      #end
     end
   end
 end

data/lib/ccrypto/java/keystore/jce_keystore.rb ADDED Viewed

@@ -0,0 +1,205 @@
+require_relative 'keystore'
+module Ccrypto
+  module Java
+    module Keystore
+      class JCEKeystore
+        include TR::CondUtils
+        include DataConversion
+        class KeystoreException < StandardError; end
+        def self.from_keystore(bin, storeType, &block)
+          raise KeystoreException, "block is required" if not block
+          logger = block.call(:logger) || TeLogger::TLogger.new(STDOUT)
+          prov = block.call(:jce_provider)
+          if not_empty?(prov)
+            logger.debug "Keystore type '#{storeType}' with provider #{prov}"
+            ks = java.security.KeyStore.getInstance(storeType, prov)
+          else
+            logger.debug "Keystore type '#{storeType}' with nil provider"
+            ks = java.security.KeyStore.getInstance(storeType)
+          end
+          pass = block.call(:store_pass)
+          name = block.call(:key_name)
+          inForm = block.call(:in_format)
+          case inForm
+          when :b64
+            inp = from_b64(bin)
+          when :hex
+            inp = from_hex(bin)
+          else
+            inp = bin
+          end
+          bbin = to_java_bytes(inp)
+          ks.load(java.io.ByteArrayInputStream.new(bbin),pass.to_java.toCharArray)
+          logger.debug "Aliases found from keystore : #{ks.aliases.to_a.join(", ")}"
+          logger.debug "Given key name : #{name}"
+          # on situation there are multiple aliases, which is an error condition
+          # all subsequent chain and userCert shall be nil
+          name = ks.aliases.to_a.first if is_empty?(name)
+          logger.debug "Alias used to select cert and key : #{name}"
+          userCert = Ccrypto::X509Cert.new(ks.getCertificate(name))
+          raise KeystoreException, "User certificate is nil. Alias used to retrieve user certificate is '#{name}'. Aliases detected from the keystore are: #{ks.aliases.to_a.join(", ")}" if userCert.nil?
+          chain = ks.get_certificate_chain(name)
+          if not chain.nil?
+            chain = chain.collect { |c| Ccrypto::X509Cert.new(c) }
+          else
+            chain = []
+          end
+          key = ks.getKey(name, pass.to_java.toCharArray)
+          raise KeystoreException, "Private key is nil. Alias used to retrieve private key is '#{name}'. Aliases detected from the keystore are: #{ks.aliases.to_a.join(", ")}" if key.nil?
+          kp = java.security.KeyPair.new(userCert.getPublicKey, key)
+          case key
+          when java.security.interfaces.ECPrivateKey
+            param = java.security.AlgorithmParameters.getInstance("EC")
+            param.init(key.params)
+            oid = param.getParameterSpec(java.security.spec.ECGenParameterSpec.java_class).name
+            curve = org.bouncycastle.asn1.x9.ECNamedCurveTable.getName(org.bouncycastle.asn1.ASN1ObjectIdentifier.new(oid))
+            logger.debug "Recover curve info : #{curve}"
+            conf = Ccrypto::Java::ECCEngine.find_curve(curve)
+            logger.debug "Found config : #{conf}"
+            [Ccrypto::Java::ECCKeyBundle.new(kp, conf), userCert, chain]
+          when org.bouncycastle.jcajce.provider.asymmetric.ec::BCECPrivateKey
+            curve = key.params.name
+            logger.debug "Recover curve info : #{curve}"
+            conf = Ccrypto::Java::ECCEngine.find_curve(curve)
+            logger.debug "Found config : #{conf}"
+            [Ccrypto::Java::ECCKeyBundle.new(kp, conf), userCert, chain]
+          when java.security.interfaces.RSAPrivateKey
+            [Ccrypto::Java::RSAKeyBundle.new(kp), userCert, chain]
+          else
+            raise KeystoreException, "Unknown key type #{key}"
+          end
+        end # from_keystore
+        def self.to_keystore(storeType, &block)
+          raise KeystoreException, "Block is required" if not block
+          logger = block.call(:logger) || TeLogger::TLogger.new(STDOUT)
+          logger.debug "storetype #{storeType}"
+          prov = block.call(:jce_provider)
+          pkcs12NewCipher = false
+          if storeType == "PKCS12"
+            pkcs12NewCipher = block.call(:pkcs12_new_cipher?)
+            if pkcs12NewCipher == true
+              storeType = "JKS"
+              prov = nil
+              logger.debug "PKCS12 new cipher is on. Write to JKS first."
+            end
+          end
+          if not_empty?(prov)
+            logger.debug "Generating keystore of #{storeType} from provider #{prov}"
+            ks = java.security.KeyStore.getInstance(storeType, prov)
+          else
+            logger.debug "Generating keystore of #{storeType} using SUN provider"
+            ks = java.security.KeyStore.getInstance(storeType)
+          end
+          ks.load(nil,nil)
+          gcert = block.call(:cert)
+          raise KeystoreException, "#{storeType.upcase} requires the owner's X.509 certificate" if is_empty?(gcert)
+          ca = block.call(:cert_chain) || block.call(:certchain) || [gcert]
+          ca = [gcert] if ca.nil?
+          ca = ca.unshift(gcert) if not ca.first.equal?(gcert)
+          ca = ca.collect { |c|
+            Ccrypto::X509Cert.to_java_cert(c)
+          }
+          logger.debug "Cert Chain : #{ca.inspect}"
+          pass = block.call(:store_pass)
+          raise KeystoreException, "Password is required" if is_empty?(pass)
+          name = block.call(:key_name)
+          name = "Keystore for #{gcert.owner.name}" if is_empty?(name)
+          keypair = block.call(:keypair)
+          raise KeystoreException, "Keypair is required" if is_empty?(keypair)
+          logger.debug "Setting key entry with name : #{name}"
+          ks.setKeyEntry(name, keypair.private, pass.to_java.toCharArray, ca.to_java(java.security.cert.Certificate))
+          baos = java.io.ByteArrayOutputStream.new
+          ks.store(baos, pass.to_java.toCharArray)
+          res = baos.toByteArray
+          output = block.call(:output)
+          if not_empty?(output)
+            if pkcs12NewCipher
+              randName = SecureRandom.uuid
+              File.open(randName,"wb") do |f|
+                f.write res
+              end
+              # temporary until BC or JCE has way to completely support this to be able to load from OpenSSL
+              `keytool -importkeystore -alias "#{name}" -destalias "#{name}" -srckeystore #{randName} -destkeystore "#{output}" -srcstoretype JKS -deststoretype PKCS12 -srcstorepass "#{pass}" -deststorepass "#{pass}" -noprompt`
+              FileUtils.rm(randName)
+            else
+              File.open(output,"wb") do |f|
+                f.write res
+              end
+            end
+          else
+            outForm = block.call(:out_format)
+            case outForm
+            when :b64
+              bres = to_b64(res)
+            when :hex
+              bres = to_hex(res)
+            else
+              bres = res
+            end
+            if pkcs12NewCipher
+              randName = SecureRandom.uuid
+              File.open(randName,"wb") do |f|
+                f.write bres
+              end
+              # temporary until BC or JCE has way to completely support this to be able to load from OpenSSL
+              `keytool -importkeystore -alias "#{name}" -destalias "#{name}" -srckeystore #{randName} -destkeystore "#{output}" -srcstoretype JKS -deststoretype PKCS12 -srcstorepass "#{pass}" -deststorepass "#{pass}" -noprompt`
+              bcres = File.read(randName)
+              FileUtils.rm(randName)
+              bcres
+            else
+              bres
+            end
+          end
+        end # to_keystore
+      end # class JCEKeystore
+    end # module Keystore
+  end # module Java
+end # module Ccrypto

data/lib/ccrypto/java/keystore/jks_keystore.rb ADDED Viewed

@@ -0,0 +1,52 @@
+require_relative 'jce_keystore'
+module Ccrypto
+  module Java
+    module Keystore
+      class JKSKeystore
+        include TR::CondUtils
+        include DataConversion
+        def self.from_jks(bin, &block)
+          raise Ccrypto::Keystore::KeystoreException, "block is required" if not block
+          JCEKeystore.from_keystore(bin, "JKS") do |k|
+            case k
+            when :logger
+              logger
+            else
+              block.call(k)
+            end
+          end
+        end # from_jks
+        def self.to_jks(&block)
+          raise Ccrypto::Keystore::KeystoreException, "Block is required" if not block
+          JCEKeystore.to_keystore("JKS") do |k|
+            case k
+            when :logger
+              logger
+            else
+              block.call(k)
+            end
+          end
+        end # to_jks
+        private
+        def self.logger
+          Ccrypto::Java.logger(:jks)
+        end
+      end # class PKCS12Keystore
+    end # module Keystore
+  end # module Java
+end # module Ccrypto

data/lib/ccrypto/java/keystore/keystore.rb ADDED Viewed

@@ -0,0 +1,97 @@
+require 'ccrypto/keystore'
+require_relative 'pkcs12_keystore'
+require_relative 'jks_keystore'
+module Ccrypto
+  module Java
+    module Keystore
+      def self.map_keystore_type(key)
+        case key.to_sym
+        when :pkcs12, :p12, :PKCS12, :P12, :Pkcs12
+          :pkcs12
+        when :jks, :Jks, :JKS, :java
+          :jks
+        else
+          raise Ccrypto::Keystore::KeystoreException, "Unsupported keystore type '#{key}'"
+        end
+      end
+      def self.load_keystore(bin, eng, &block)
+        mEng = map_keystore_type(eng)
+        case mEng
+        when :pkcs12
+          PKCS12Keystore.from_p12(bin, &block)
+        when :jks
+          JKSKeystore.from_jks(bin, &block)
+        else
+          raise Ccrypto::Keystore::KeystoreException, "Unsupported keystore type '#{eng}'"
+        end
+      end
+      def self.load_keystore_file(path, eng, &block)
+        raise Ccrypto::Keystore::KeystoreException, "Given keystore path to load '#{path}' does not exist" if not File.exist?(path)
+        raise Ccrypto::Keystore::KeystoreException, "Given keystore path to load '#{path}' cannot be read" if not File.readable?(path)
+        load_keystore(File.read(path), eng, &block)
+      end
+      def self.convert_keystore(bin, fromEng, toEng, &block)
+        srcEng = map_keystore_type(fromEng)
+        mtEng = map_keystore_type(toEng)
+        kp, cert, chain = load_keystore(bin, srcEng) do |opt|
+          case opt
+          when :store_pass
+            block.call(:source_store_pass)
+          else
+            block.call(opt)
+          end
+        end
+        outEng = map_keystore_type(mtEng)
+        case outEng
+        when :pkcs12
+          PKCS12Keystore.to_p12 do |k|
+            case k
+            when :keypair
+              kp
+            when :cert
+              cert
+            when :cert_chain
+              chain
+            when :store_pass
+              block.call(:dest_store_pass)
+            else
+              block.call(k)
+            end
+          end
+        when :jks
+          JKSKeystore.to_jks do |k|
+            case k
+            when :keypair
+              kp
+            when :cert
+              cert
+            when :cert_chain
+              chain
+            when :store_pass
+              block.call(:dest_store_pass)
+            else
+              block.call(k)
+            end
+          end
+        else
+          raise Ccrypto::Keystore::KeystoreException, "Unsupported keystore type '#{eng}'"
+        end
+      end
+      def self.convert_keystore_file(path, fromEng, toEng, &block)
+        raise Ccrypto::Keystore::KeystoreException, "Given keystore path to load '#{path}' does not exist" if not File.exist?(path)
+        raise Ccrypto::Keystore::KeystoreException, "Given keystore path to load '#{path}' cannot be read" if not File.readable?(path)
+        convert_keystore(File.read(path), fromEng, toEng, &block)
+      end
+    end
+  end
+end

data/lib/ccrypto/java/keystore/pem_keystore.rb ADDED Viewed

@@ -0,0 +1,147 @@
+module Ccrypto
+  module Java
+    module Keystore
+      class PEMKeystore
+        include TR::CondUtils
+        include DataConversion
+        def self.to_pem(&block)
+          raise KeystoreException, "Block is required" if not block
+          pass = block.call(:store_pass)
+          raise KeystoreException, "Password is required" if is_empty?(pass)
+          keypair = block.call(:keypair)
+          raise KeystoreException, "Keypair is required" if is_empty?(keypair)
+          output = block.call(:output)
+          if not_empty?(output)
+            ext = File.extname(output)
+            bname = File.basename(output, ext)
+            privPath = File.join("#{bname}_priv#{ext}")
+            pubPath = File.join("#{bname}_pub#{ext}")
+            privHead, privFoot, pubHead, pubFoot = marker(keypair)
+            File.open(privPath,"wb") do |f|
+              f.write privHead
+              f.write to_b64(keypair.private.to_bin)
+              f.write privFoot
+            end
+            File.open(pubPath,"wb") do |f|
+              f.write pubHead
+              f.write to_b64(keypair.public.to_bin)
+              f.write pubFoot
+            end
+          else
+            [to_b64(keypair.private.to_bin),to_b64(keypair.public.to_bin)]
+          end
+        end # def to_pem
+        def self.from_pem(str)
+          raise KeystoreException, "block is required" if not block
+          case check_keytype(str)
+          when :ecc
+            cont = str.lines[1..-2].join
+            Ccrypto::Java::ECCPrivateKey.to_key(from_b64(cont))
+          when :rsa
+          when :ed25519
+          when :x25519
+          when :crystal_dilithium
+          when :crystal_kyber
+          else
+            raise KeystoreException, "Unable to derive keytype from input : '#{str}'"
+          end
+          case key
+          when java.security.interfaces.ECPrivateKey
+            param = java.security.AlgorithmParameters.getInstance("EC")
+            param.init(key.params)
+            oid = param.getParameterSpec(java.security.spec.ECGenParameterSpec.java_class).name
+            curve = org.bouncycastle.asn1.x9.ECNamedCurveTable.getName(org.bouncycastle.asn1.ASN1ObjectIdentifier.new(oid))
+            logger.debug "Recover curve info : #{curve}"
+            conf = Ccrypto::Java::ECCEngine.find_curve(curve)
+            logger.debug "Found config : #{conf}"
+            [Ccrypto::Java::ECCKeyBundle.new(kp, conf), userCert, chain]
+          when org.bouncycastle.jcajce.provider.asymmetric.ec::BCECPrivateKey
+            curve = key.params.name
+            logger.debug "Recover curve info : #{curve}"
+            conf = Ccrypto::Java::ECCEngine.find_curve(curve)
+            logger.debug "Found config : #{conf}"
+            [Ccrypto::Java::ECCKeyBundle.new(kp, conf), userCert, chain]
+          when java.security.interfaces.RSAPrivateKey
+            [Ccrypto::Java::RSAKeyBundle.new(kp), userCert, chain]
+          else
+            raise KeystoreException, "Unknown key type #{key}"
+          end
+        end
+        private
+        def self.logger
+          Ccrypto::Java.logger(:pem_ks)
+        end
+        def self.marker(keypair)
+          case keypair
+          when ECCKeybundle
+            keytype = "ECC"
+          when RSAKeybundle
+            keytype = "RSA"
+          when ED25519KeyBundle
+            keytype = "ED25519"
+          when X25519KeyBundle
+            keytype = "X25519"
+          when CrystalDilithiumKeyBundle
+            keytype = "CRYSTAL DILITHIUM"
+          when CrystalKyberKeyBundle
+            keytype = "CRYSTAL KYBER"
+          else
+            raise Error, "Unsupported keypair type '#{keypair.class.name}'"
+          end
+          [
+            "-----BEGIN #{keytype} PRIVATE KEY-----\n",
+            "\n-----END #{keytype} PRIVATE KEY-----\n",
+            "-----BEGIN #{keytype} PUBLIC KEY-----\n",
+            "\n-----END #{keytype} PUBLIC KEY-----\n",
+          ]
+        end
+        def self.check_keytype(cont)
+          case cont
+          when /ECC/
+            :ecc
+          when /RSA/
+            :rsa
+          when /ED25519/
+            :ed25519
+          when /X25519/
+            :x25519
+          when /DILITHIUM/
+            :crystal_dilithium
+          when /KYBER/
+            :crystal_kyber
+          else
+            nil
+          end
+        end # def check_keytype
+      end
+    end
+  end
+end