ccrypto-java 0.1.0 → 0.2.0

data/lib/ccrypto/java/ext/secret_key.rb

@@ -5,71 +5,83 @@ module Ccrypto
   class SecretKey
     include Java::DataConversion
 
-    include TeLogger::TeLogHelper
-    teLogger_tag :j_secretkey_ext
+    def initialize(algo, keysize, key)
+      @algo = algo
+      @keysize = keysize
+      @native_key = key
+      @native_key = to_jce_secret_key
+    end
 
     def to_jce_secret_key
-      case @key
+      case @native_key
       when javax.crypto.spec.SecretKeySpec
-        @key
+        @native_key
       when ::Java::byte[]
-        javax.crypto.spec.SecretKeySpec.new(@key, @algo.to_s)
+        javax.crypto.spec.SecretKeySpec.new(@native_key, @algo.to_s)
+
+      when String
+        javax.crypto.spec.SecretKeySpec.new(to_java_bytes(@native_key), @algo.to_s)
 
       else
-        case @key.key
+        case @native_key.ccrypto_key
         when javax.crypto.spec.SecretKeySpec
-          @key.key
+          @native_key.ccrypto_key
         when ::Java::byte[]
-          javax.crypto.spec.SecretKeySpec.new(@key.key, @algo.to_s)
+          javax.crypto.spec.SecretKeySpec.new(@native_key.ccrypto_key, @algo.to_s)
+        when Ccrypto::SecretKey
+          @native_key.ccrypto_key.native_key
         else
-          raise Ccrypto::Error, "Unknown key to conver to jce #{@key.key}"
+          raise Ccrypto::Error, "Unknown key to conver to jce #{@native_key.ccrypto_key}"
         end
       end
     end
 
     def to_bin
-      case @key
+      case @native_key
       when javax.crypto.spec.SecretKeySpec
-        @key.encoded
+        @native_key.encoded
       else
-        raise Ccrypto::Error, "Unsupported key type #{@key.class}"
+        raise Ccrypto::Error, "Unsupported key type #{@native_key.class}"
       end
     end
 
     def length
-      case @key
+      case @native_key
       when javax.crypto.spec.SecretKeySpec
-        @key.encoded.length
-      when ::Java::byte[]
-        @key.length
+        @native_key.encoded.length
+      when ::Java::byte[], String
+        @native_key.length
       else
-        @key.key.encoded.length
+        @native_key.key.encoded.length
       end
     end
 
     def equals?(key)
       case key
       when Ccrypto::SecretKey
-        teLogger.debug "Given key is Ccrypto::SecretKey"
+        logger.debug "Given key is Ccrypto::SecretKey"
         to_jce_secret_key.encoded == key.to_jce_secret_key.encoded
       when javax.crypto.spec.SecretKeySpec
-        teLogger.debug "Given key is java SecretKeySpec"
+        logger.debug "Given key is java SecretKeySpec"
         to_jce_secret_key.encoded == key.encoded
       when ::Java::byte[]
         to_jce_secret_key.encoded == key
       when String
         to_jce_secret_key.encoded == to_java_bytes(key)
       else
-        teLogger.debug "Not sure how to compare : #{self} / #{key}"
+        logger.debug "Not sure how to compare : #{self} / #{key}"
         to_jce_secret_key == key
       end
     end
 
-    #def each_char(&block)
-    #  to_bin.each do |b|
-    #    block.call(b)
-    #  end
-    #end
+    def ==(val)
+      self.equals?(val)
+    end
+
+    private
+    def logger
+      Ccrypto::Java.logger(:seckey)
+    end
 
   end
 end

data/lib/ccrypto/java/ext/x509_cert.rb

@@ -1,15 +1,399 @@
 
 
+require_relative '../bc_const_mapping'
+
+java_import org.bouncycastle.asn1.x500.style.BCStyle
+java_import org.bouncycastle.asn1.x500.style.IETFUtils
+java_import org.bouncycastle.asn1.x509.Extension
+java_import org.bouncycastle.asn1.x509.KeyUsage
+
 module Ccrypto
+  class X509NameInfo
+    include TR::CondUtils
+
+    attr_reader :name, :org_unit, :org
+
+    def initialize(x500name)
+      @x500Name = x500name
+      extract
+    end
+
+    def email=(val)
+      if val.is_a?(Array) 
+        emails.concat(val)
+      else
+        emails << val
+      end
+    end
+
+    def emails
+      if @_emails.nil?
+        @_emails = []
+      end
+      @_emails
+    end
+
+    def has_email?(name)
+      emails.include?(name)
+    end
+
+    def to_s
+      @x500Name.toString
+    end
+
+    private
+    def extract
+      name = @x500Name.getRDNs(BCStyle::CN)[0]  
+      @name = IETFUtils.valueToString(name.first.value) if not_empty?(name)
+      
+      ou = @x500Name.getRDNs(BCStyle::OU)
+      if not_empty?(ou)
+        @org_unit = []
+        ou.each do |o|
+          @org_unit << IETFUtils.valueToString(o.first.value)
+        end
+      end
+
+      org = @x500Name.getRDNs(BCStyle::O)
+      if not_empty?(org)
+        org = org[0]
+        @org = IETFUtils.valueToString(org.first.value)
+      end
+
+      e = @x500Name.getRDNs(BCStyle::E)
+      if not_empty?(e)
+        e.each do |o|
+          email << IETFUtils.valueToString(o.first.value)
+        end
+      end
+
+      e2 = @x500Name.getRDNs(BCStyle::EmailAddress)
+      if not_empty?(e2)
+        e2.each do |o|
+          email << IETFUtils.valueToString(o.first.value)
+        end
+      end
+
+    end # extract
+
+  end # X509NameInfo
+
+  class X509CertInfo
+    include TR::CondUtils
+    include Ccrypto::Java::DataConversion
+
+    attr_reader :owner  # X509NameInfo structure
+    attr_reader :issuer # X509NameInfo structure
+    attr_reader :serial
+    attr_reader :not_before, :not_after
+    # extension
+    attr_reader :dns_name, :ip_addr, :uri
+    attr_reader :crl_dist_point, :ocsp_url, :issuer_url
+
+    def initialize(cert)
+      raise X509CertException, "Given certificate to extract cannot be nil" if cert.nil?
+      @cert = cert
+
+      @ku = []
+      @eku = []
+      @dns_name = []
+      @ip_addr = []
+      @uri = []
+      @crl_dist_point = []
+      @ocsp_url = []
+      @issuer_url = []
+
+      @domain_key_usage = []
+      @all_cert_exts = []
+ 
+      extract
+    end
+
+    def serial_no(outForm = :hex)
+      if not_empty?(@serial)
+        case outForm
+        when :b64, :base64
+          to_b64(@serial.to_s)
+        when :hex
+          @serial.to_s(16)
+        else
+          @serial
+        end
+
+      else
+        raise X509CertException, "Serial not yet loaded"
+      end
+    end
+
+    # 
+    # const taken from Ccrypto::X509::CertProfile::KeyUsage::Usages
+    #
+    def has_key_usage?(const)
+      @ku.include?(const) 
+    end
+
+    # 
+    # const taken from Ccrypto::X509::CertProfile::ExtKeyUsage::Usages
+    #
+    def has_ext_key_usage?(const)
+      @eku.include?(const)
+    end
+
+    def is_CA?
+      @isCa
+    end
+
+    def has_dns?(dns = nil)
+      if dns.nil?
+        @dns_name.length > 0
+      else
+        @dns_name.include?(dns)
+      end
+    end
+
+    def has_ip_addr?(ip = nil)
+      if ip.nil?
+        @ip_addr.length > 0
+      else
+        @ip_addr.include?(ip)
+      end
+    end
+
+    def has_uri?(uri = nil)
+      if uri.nil?
+        @uri.length > 0
+      else
+        @uri.include?(uri)
+      end
+    end
+
+    def has_crl_dist_point?(uri = nil)
+      if uri.nil?
+        @crl_dist_point.length > 0
+      else
+        @crl_dist_point.include?(uri)
+      end
+    end
+
+    def has_ocsp_url?(url = nil)
+      if url.nil?
+        @ocsp_url.length > 0
+      else
+        @ocsp_url.include?(url)
+      end
+    end
+
+    def has_issuer_url?(url = nil)
+      if url.nil?
+        @issuer_url.length > 0
+      else
+        @issuer_url.include?(url)
+      end
+    end
+
+    def has_domain_key_usage?(usage = nil)
+      if usage.nil?
+        @domain_key_usage.length > 0
+      else
+        @domain_key_usage.include?(usage)
+      end
+    end
+
+    def has_domain_extension?(ext)
+      @all_cert_exts.include?(ext)
+    end
+
+    def domain_extension(ext)
+      co = org.bouncycastle.cert.jcajce.JcaX509CertificateHolder.new(@cert)
+      extVal = co.getExtension(org.bouncycastle.asn1.ASN1ObjectIdentifier.new(ext))
+      extVal.getExtnValue.octets
+    end
+
+    private
+    # extract certificate info
+    def extract
+      co = org.bouncycastle.cert.jcajce.JcaX509CertificateHolder.new(@cert)
+      @owner = X509NameInfo.new(co.subject)
+      @issuer = X509NameInfo.new(co.issuer)
+      @not_before = co.not_before
+      @not_after = co.not_after
+      @serial = co.serial_number
+      
+      @all_cert_exts = co.getExtensionOIDs.collect { |e| e.id }
+
+      bcToConst = Ccrypto::Java::BCConstMapping::KeyUsageMapping.invert
+      ku = org.bouncycastle.asn1.x509::KeyUsage.from_extensions(co.extensions) 
+      if not ku.nil?
+        Ccrypto::Java::BCConstMapping::KeyUsageMapping.values.each do |id|
+          if ku.has_usages?(id)
+            @ku << bcToConst[id]
+          end
+        end
+      end
+
+      bcToConstExt = Ccrypto::Java::BCConstMapping::ExtKeyUsageMapping.invert
+      #eku = org.bouncycastle.asn1.x509::ExtendedKeyUsage.from_extensions(co.extensions) 
+      #if not eku.nil?
+      #  Ccrypto::Java::BCConstMapping::ExtKeyUsageMapping.values.each do |id|
+      #    if eku.has_key_purpose_id?(id)
+      #      @eku << bcToConstExt[id]
+      #    end
+      #  end
+      #end
+
+      eku = co.getExtension(org.bouncycastle.asn1.x509.Extension::extendedKeyUsage)
+      if not eku.nil?
+        eku.parsed_value.to_a.each do |v|
+          if bcToConstExt.keys.include?(v)
+            @eku << bcToConstExt[v]
+          else
+            @domain_key_usage << v.id
+          end
+        end
+      end
+
+
+      bc = org.bouncycastle.asn1.x509::BasicConstraints.from_extensions(co.extensions)
+      if not bc.nil?
+        @isCa = bc.isCA
+        if @isCa
+          @caPathLen = bc.path_len_constraint
+        end
+      else 
+        @isCa = false
+      end
+
+      sans = co.getExtension(org.bouncycastle.asn1.x509.Extension::subjectAlternativeName)
+      if not sans.nil?
+        sans.parsed_value.to_a.each do |a|
+          case a.tag_no
+          when org.bouncycastle.asn1.x509.GeneralName::rfc822Name
+            val = java.lang.String.new(a.contents)
+            @owner.email = val
+          when org.bouncycastle.asn1.x509.GeneralName::dNSName
+            val = java.lang.String.new(a.contents)
+            @dns_name << val
+          when org.bouncycastle.asn1.x509.GeneralName::iPAddress
+            @ip_addr << java.net.InetAddress.getByAddress(a.contents).host_address
+          when org.bouncycastle.asn1.x509.GeneralName::uniformResourceIdentifier
+            val = java.lang.String.new(a.contents)
+            @uri << val
+          end
+        end
+      end
+
+      cdp = org.bouncycastle.asn1.x509::CRLDistPoint.from_extensions(co.extensions) 
+      if not cdp.nil?
+        cdp.getDistributionPoints.each do |dp|
+          dpName = dp.distribution_point
+          if not dpName.nil?
+            if dpName.type == org.bouncycastle.asn1.x509.DistributionPointName::FULL_NAME
+              org.bouncycastle.asn1.x509.GeneralNames::getInstance(dpName.getName).names.each do |n|
+                if n.tag_no == org.bouncycastle.asn1.x509.GeneralName::uniformResourceIdentifier
+                  @crl_dist_point << org.bouncycastle.asn1.DERIA5String.getInstance(n.name).getString()
+                end
+              end
+            end
+          end
+        end
+      end
+
+      aia = org.bouncycastle.asn1.x509::AuthorityInformationAccess.from_extensions(co.extensions)
+      if not aia.nil?
+        aia.getAccessDescriptions.each do |ad|
+          case ad.access_method.id
+          when org.bouncycastle.asn1.x509.AccessDescription.id_ad_ocsp.id
+            if ad.access_location.tag_no == org.bouncycastle.asn1.x509.GeneralName::uniformResourceIdentifier
+              @ocsp_url << org.bouncycastle.asn1.DERIA5String.getInstance(ad.access_location.name).getString()
+            end
+          when org.bouncycastle.asn1.x509.AccessDescription.id_ad_caIssuers.id
+            if ad.access_location.tag_no == org.bouncycastle.asn1.x509.GeneralName::uniformResourceIdentifier
+              @issuer_url << org.bouncycastle.asn1.DERIA5String.getInstance(ad.access_location.name).getString()
+            end
+          end
+        end
+      end
+
+    end # extract
+
+  end # class X509CertInfo
+
+  # 
+  # X509Cert object
+  #
   class X509Cert
     include TR::CondUtils
+    include Java::DataConversion
  
     def to_der
       @nativeX509.encoded
     end
 
+    def self.to_cert_from_file(path)
+      if File.exist?(path)
+        to_java_cert(java.io.FileInputStream.new(path))
+      else
+        raise Error, "Given file to load '#{path}' does not exist"
+      end
+    end
+
+    def self.from_pem(str)
+      case str
+      when String
+        sstr = str.lines
+        if sstr[0] =~ /BEGIN CERTIFICATE/
+          certBin = from_b64_mime(sstr[1..-2].join)
+          baos = java.io.ByteArrayOutputStream.new
+          baos.write(certBin)
+          to_java_cert(baos.toByteArray) 
+        else
+          raise Error, "Not a certificate PEM"
+        end
+      else 
+        if str.to_java.is_a?(Java::byte[])
+        else
+          raise Error, "Unsupported input '#{str.class}' to read PEM format"
+        end
+      end
+    end
+
+    def to_pem
+      out = []
+      out << "-----BEGIN CERTIFICATE-----"
+      out << to_b64_mime(@nativeX509.encoded) 
+      out << "-----END CERTIFICATE-----"
+      out.join("\n")
+    end
+
+    def self.from_storage(input, opts = { format: :b64 })
+      defOpts = {
+        jce_provider: Java::JCEProvider::DEFProv
+      }
+
+      defOpts.merge!(opts)
+
+      case defOpts[:format]
+      when :b64, :base64
+        bin = from_b64(input)
+      when :hex
+        # hex
+        bin = from_hex(input)
+      else
+        # binary
+        bin = input
+      end
+
+      to_java_cert(bin, defOpts[:jce_provider])
+    end
+
     def method_missing(mtd, *args, &block)
-      @nativeX509.send(mtd, *args, &block)
+      if cert_info.respond_to?(mtd)
+        cert_info.send(mtd, *args, &block)
+      elsif @nativeX509.respond_to?(mtd)
+        @nativeX509.send(mtd, *args, &block)
+      else
+        super
+      end
     end
 
     def equal?(cert)
@@ -27,22 +411,62 @@ module Ccrypto
         tcert.encoded == @nativeX509.encoded
       end
     end
+    alias_method :equals?, :equal?
 
-    def self.to_java_cert(cert)
+
+    def owner
+      cert_info.owner 
+    end
+
+    def self.to_java_cert(cert, prov = Java::JCEProvider::DEFProv)
       raise X509CertException, "Given certificate to convert to Java certificate object is empty" if is_empty?(cert) 
 
       case cert
+      when org.bouncycastle.jcajce.provider.asymmetric.x509.X509CertificateObject
+        #Ccrypto.logger(:x509_cert).debug "Given X509CertificateObject to convert"
+        cert.to_java(java.security.cert.Certificate)
+
       when java.security.cert.Certificate
+        #Ccrypto.logger(:x509_cert).debug "Given java certificate object to convert"
         cert
       when org.bouncycastle.cert.X509CertificateHolder
-        cert.to_java_cert
+        #Ccrypto.logger(:x509_cert).debug "Given BC certificate holder to convert"
+        org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.new.get_certificate(cert)
+        #cert.to_java_cert
       when Ccrypto::X509Cert
+        #Ccrypto.logger(:x509_cert).debug "Given Ccrypto::X509Cert to convert"
         to_java_cert(cert.nativeX509)
+
+      when String
+        #Ccrypto.logger(:x509_cert).debug "Given String to convert"
+        cf = java.security.cert.CertificateFactory.getInstance("X.509", prov)
+        c = cf.generateCertificate(java.io.ByteArrayInputStream.new(cert))
+        Ccrypto::X509Cert.new(c)
+
       else
-        raise X509CertException, "Unknown certificate type #{cert} for conversion"
+
+        if cert.to_java.is_a?(::Java::byte[])
+          #Ccrypto.logger(:x509_cert).debug "Given java byte array to convert"
+          cf = java.security.cert.CertificateFactory.getInstance("X.509", prov)
+          c = cf.generateCertificate(java.io.ByteArrayInputStream.new(cert)).to_java(java.security.cert.X509Certificate)
+          Ccrypto::X509Cert.new(c)
+        else
+          raise X509CertException, "Unknown certificate type #{cert.class} for conversion"
+        end
+
       end
 
     end
 
-  end
+    def cert_info
+      raise X509CertException, "Certificate not given to extract cert info" if @nativeX509.nil?
+
+      if @_cert_info.nil?
+        @_cert_info = X509CertInfo.new(@nativeX509)
+      end
+      @_cert_info
+    end
+
+  end # end X509Cert
+
 end