ccrypto-java 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.java-version +1 -0
- data/.rspec +3 -0
- data/Gemfile +13 -0
- data/Gemfile.lock +94 -0
- data/README.md +150 -0
- data/Rakefile +10 -0
- data/bin/console +15 -0
- data/bin/setup +8 -0
- data/ccrypto-java.gemspec +44 -0
- data/jars/bcmail-jdk15on-165.jar +0 -0
- data/jars/bcpg-jdk15on-165.jar +0 -0
- data/jars/bcpkix-jdk15on-165.jar +0 -0
- data/jars/bcprov-ext-jdk15on-165.jar +0 -0
- data/jars/bcprov-jdk15on-165.jar +0 -0
- data/jars/bctls-jdk15on-165.jar +0 -0
- data/jars/shamir-0.6.1-p.jar +0 -0
- data/lib/ccrypto/java/data_conversion.rb +80 -0
- data/lib/ccrypto/java/engines/asn1_engine.rb +161 -0
- data/lib/ccrypto/java/engines/asn1_object.rb +12 -0
- data/lib/ccrypto/java/engines/cipher_engine.rb +255 -0
- data/lib/ccrypto/java/engines/compression_engine.rb +92 -0
- data/lib/ccrypto/java/engines/data_conversion_engine.rb +9 -0
- data/lib/ccrypto/java/engines/decompression_engine.rb +48 -0
- data/lib/ccrypto/java/engines/digest_engine.rb +208 -0
- data/lib/ccrypto/java/engines/ecc_engine.rb +263 -0
- data/lib/ccrypto/java/engines/hkdf_engine.rb +72 -0
- data/lib/ccrypto/java/engines/hmac_engine.rb +75 -0
- data/lib/ccrypto/java/engines/pbkdf2_engine.rb +87 -0
- data/lib/ccrypto/java/engines/pkcs7_engine.rb +558 -0
- data/lib/ccrypto/java/engines/rsa_engine.rb +572 -0
- data/lib/ccrypto/java/engines/scrypt_engine.rb +35 -0
- data/lib/ccrypto/java/engines/secret_key_engine.rb +44 -0
- data/lib/ccrypto/java/engines/secret_sharing_engine.rb +59 -0
- data/lib/ccrypto/java/engines/secure_random_engine.rb +76 -0
- data/lib/ccrypto/java/engines/x509_engine.rb +311 -0
- data/lib/ccrypto/java/ext/secret_key.rb +75 -0
- data/lib/ccrypto/java/ext/x509_cert.rb +48 -0
- data/lib/ccrypto/java/jce_provider.rb +52 -0
- data/lib/ccrypto/java/keybundle_store/pkcs12.rb +125 -0
- data/lib/ccrypto/java/utils/comparator.rb +20 -0
- data/lib/ccrypto/java/utils/memory_buffer.rb +77 -0
- data/lib/ccrypto/java/utils/native_helper.rb +19 -0
- data/lib/ccrypto/java/version.rb +7 -0
- data/lib/ccrypto/java.rb +30 -0
- data/lib/ccrypto/provider.rb +132 -0
- metadata +144 -0
@@ -0,0 +1,558 @@
|
|
1
|
+
|
2
|
+
require_relative '../data_conversion'
|
3
|
+
|
4
|
+
module Ccrypto
|
5
|
+
module Java
|
6
|
+
|
7
|
+
class PKCS7EngineException < StandardError; end
|
8
|
+
|
9
|
+
class PKCS7Engine
|
10
|
+
include TR::CondUtils
|
11
|
+
include DataConversion
|
12
|
+
|
13
|
+
include TeLogger::TeLogHelper
|
14
|
+
teLogger_tag :j_p7
|
15
|
+
|
16
|
+
def initialize(config)
|
17
|
+
raise PKCS7EngineException, "Ccrypto::PKCS7Config is expected. Given #{config}" if not config.is_a?(Ccrypto::PKCS7Config)
|
18
|
+
@config = config
|
19
|
+
end
|
20
|
+
|
21
|
+
def sign(val, outForm = :bin, &block)
|
22
|
+
|
23
|
+
validate_input(val, "signing")
|
24
|
+
validate_key_must_exist("signing")
|
25
|
+
|
26
|
+
raise PKCS7EngineException, "signerCert is required for PKCS7 sign operation" if is_empty?(@config.signerCert)
|
27
|
+
raise PKCS7EngineException, "Given signerCert must be a Ccrypto::X509Cert object" if not @config.signerCert.is_a?(Ccrypto::X509Cert)
|
28
|
+
|
29
|
+
privKey = @config.private_key
|
30
|
+
|
31
|
+
prov = nil
|
32
|
+
signHash = nil
|
33
|
+
attached = true
|
34
|
+
caCerts = []
|
35
|
+
os = nil
|
36
|
+
readBufSize = 1024000
|
37
|
+
signSpec = nil
|
38
|
+
if block
|
39
|
+
prov = block.call(:jce_provider)
|
40
|
+
signHash = block.call(:sign_hash)
|
41
|
+
detSign = block.call(:detached_sign)
|
42
|
+
attached = ! detSign if is_bool?(detSign)
|
43
|
+
caCerts = block.call(:ca_certs)
|
44
|
+
os = block.call(:output_stream)
|
45
|
+
if not (os.nil? or os.is_a?(java.io.OutputStream))
|
46
|
+
raise PKCS7EngineException, "Given output_stream is not type of java.io.OutputStream (Given #{os}). Please provide an java.io.OutputStream object or use default which is java.io.ByteArrayOutputStream"
|
47
|
+
end
|
48
|
+
readBufSize = block.call(:read_buffer_size)
|
49
|
+
signSpec = block.call(:signing_spec)
|
50
|
+
end
|
51
|
+
|
52
|
+
caCerts = [] if caCerts.nil?
|
53
|
+
prov = Ccrypto::Java::JCEProvider::DEFProv if is_empty?(prov)
|
54
|
+
signHash = :sha256 if is_empty?(signHash)
|
55
|
+
attached = true if is_empty?(attached)
|
56
|
+
readBufSize = 1024000 if readBufSize.to_i > 0
|
57
|
+
|
58
|
+
os = java.io.ByteArrayOutputStream.new if os.nil?
|
59
|
+
|
60
|
+
lst = java.util.ArrayList.new
|
61
|
+
lst.add(@config.signerCert.nativeX509)
|
62
|
+
caCerts.each do |cc|
|
63
|
+
list.add(cc.nativeX509)
|
64
|
+
end
|
65
|
+
store = org.bouncycastle.cert.jcajce.JcaCertStore.new(lst)
|
66
|
+
|
67
|
+
gen = org.bouncycastle.cms.CMSSignedDataStreamGenerator.new
|
68
|
+
|
69
|
+
if is_empty?(signSpec)
|
70
|
+
gKey = privKey
|
71
|
+
loop do
|
72
|
+
case gKey
|
73
|
+
when ::Java::OrgBouncycastleJcajceProviderAsymmetricEc::BCECPrivateKey
|
74
|
+
signSpec = "#{signHash.upcase}withECDSA"
|
75
|
+
break
|
76
|
+
when java.security.interfaces.RSAPrivateKey
|
77
|
+
signSpec = "#{signHash.to_s.upcase}withRSA"
|
78
|
+
break
|
79
|
+
when Ccrypto::PrivateKey
|
80
|
+
gKey = gKey.native_privKey
|
81
|
+
else
|
82
|
+
raise PKCS7EngineException, "Unknown private key type '#{gKey}' to derive the hash algo from"
|
83
|
+
end
|
84
|
+
end
|
85
|
+
end
|
86
|
+
|
87
|
+
#signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(signSpec).setProvider(prov).build(privKey)
|
88
|
+
signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(signSpec).setProvider(prov).build(gKey)
|
89
|
+
infoGen = org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder.new(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder.new.setProvider(prov).build()).build(signer, @config.signerCert.nativeX509)
|
90
|
+
gen.addSignerInfoGenerator(infoGen)
|
91
|
+
|
92
|
+
gen.addCertificates(store)
|
93
|
+
|
94
|
+
begin
|
95
|
+
|
96
|
+
if attached
|
97
|
+
teLogger.debug "Initiated attached sign"
|
98
|
+
else
|
99
|
+
teLogger.debug "Initiated detached sign"
|
100
|
+
end
|
101
|
+
|
102
|
+
sos = gen.open(os, attached)
|
103
|
+
|
104
|
+
case val
|
105
|
+
when java.io.InputStream
|
106
|
+
teLogger.debug "InputStream data-to-be-signed detected"
|
107
|
+
buf = ::Java::Byte[readBufSize].new
|
108
|
+
read = 0
|
109
|
+
processed = 0
|
110
|
+
while((read = val.read(buf, 0, buf.length)) != -1)
|
111
|
+
sos.write(buf, 0 ,read)
|
112
|
+
processed += read
|
113
|
+
block.call(:processed, processed) if block
|
114
|
+
end
|
115
|
+
else
|
116
|
+
teLogger.debug "Byte array data-to-be-signed detected"
|
117
|
+
ba = to_java_bytes(val)
|
118
|
+
if ba.is_a?(::Java::byte[])
|
119
|
+
sos.write(ba)
|
120
|
+
sos.flush
|
121
|
+
sos.close
|
122
|
+
else
|
123
|
+
raise PKCS7EngineException, "Not able to convert given input into byte array. Got #{val.class}"
|
124
|
+
end
|
125
|
+
end
|
126
|
+
|
127
|
+
os.toByteArray
|
128
|
+
|
129
|
+
rescue Exception => ex
|
130
|
+
raise PKCS7EngineException, ex
|
131
|
+
ensure
|
132
|
+
|
133
|
+
begin
|
134
|
+
sos.close
|
135
|
+
rescue Exception; end
|
136
|
+
end
|
137
|
+
|
138
|
+
end
|
139
|
+
|
140
|
+
def verify(val, inForm = :bin, &block)
|
141
|
+
|
142
|
+
srcData = nil
|
143
|
+
os = nil
|
144
|
+
prov = Ccrypto::Java::JCEProvider::DEFProv
|
145
|
+
if block
|
146
|
+
srcData = block.call(:signed_data)
|
147
|
+
os = block.call(:output_stream)
|
148
|
+
prov = block.call(:jce_provider)
|
149
|
+
end
|
150
|
+
|
151
|
+
os = java.io.ByteArrayOutputStream.new if os.nil?
|
152
|
+
prov = Ccrypto::Java::JCEProvider::DEFProv if is_empty?(prov)
|
153
|
+
|
154
|
+
data = nil
|
155
|
+
case srcData
|
156
|
+
when java.io.File
|
157
|
+
data = org.bouncycastle.cms.CMSProcessableFile.new(val)
|
158
|
+
teLogger.debug "Given original data is a java.io.File"
|
159
|
+
else
|
160
|
+
if not_empty?(srcData)
|
161
|
+
ba = to_java_bytes(srcData)
|
162
|
+
if ba.is_a?(::Java::byte[])
|
163
|
+
data = org.bouncycastle.cms.CMSProcessableByteArray.new(ba)
|
164
|
+
teLogger.debug "Given original data is a byte array"
|
165
|
+
else
|
166
|
+
raise PKCS7EngineException, "Failed to read original data. Given #{srcData}"
|
167
|
+
end
|
168
|
+
else
|
169
|
+
teLogger.debug "Original data for signing is not given."
|
170
|
+
end
|
171
|
+
end
|
172
|
+
|
173
|
+
case val
|
174
|
+
when java.io.InputStream
|
175
|
+
if data.nil?
|
176
|
+
teLogger.debug "Attached signature with java.io.InputStream signature detected during verification"
|
177
|
+
signed = org.bouncycastle.cms.CMSSignedData.new(val)
|
178
|
+
else
|
179
|
+
teLogger.debug "Detached signature with java.io.InputStream signature detected during verification"
|
180
|
+
signed = org.bouncycastle.cms.CMSSignedData.new(data, val)
|
181
|
+
end
|
182
|
+
else
|
183
|
+
if not_empty?(val)
|
184
|
+
ba = to_java_bytes(val)
|
185
|
+
if ba.is_a?(::Java::byte[])
|
186
|
+
if data.nil?
|
187
|
+
teLogger.debug "Attached signature with byte array signature detected during verification"
|
188
|
+
signed = org.bouncycastle.cms.CMSSignedData.new(ba)
|
189
|
+
else
|
190
|
+
teLogger.debug "Detached signature with byte array signature detected during verification"
|
191
|
+
signed = org.bouncycastle.cms.CMSSignedData.new(data, ba)
|
192
|
+
end
|
193
|
+
else
|
194
|
+
raise PKCS7EngineException, "Failed to convert input to java byte array. Given #{val.class}"
|
195
|
+
end
|
196
|
+
else
|
197
|
+
raise PKCS7EngineException, "Given signature to verify is empty."
|
198
|
+
end
|
199
|
+
end
|
200
|
+
|
201
|
+
certs = signed.certificates
|
202
|
+
signerInfo = signed.getSignerInfos
|
203
|
+
signers = signerInfo.getSigners
|
204
|
+
signatureVerified = false
|
205
|
+
signers.each do |signer|
|
206
|
+
|
207
|
+
certVerified = true
|
208
|
+
certs.getMatches(signer.getSID).each do |c|
|
209
|
+
begin
|
210
|
+
|
211
|
+
if block
|
212
|
+
certVerified = block.call(:verify_certificate, c)
|
213
|
+
if certVerified.nil?
|
214
|
+
teLogger.debug "Certificate with subject #{c.subject} / Issuer : #{c.issuer} / SN : #{c.serial_number.to_s(16)} passed through (no checking by application)"
|
215
|
+
certVerified = true
|
216
|
+
elsif is_bool?(certVerified)
|
217
|
+
if certVerified
|
218
|
+
teLogger.debug "Certificate with subject #{c.subject} / Issuer : #{c.issuer} / SN : #{c.serial_number.to_s(16)} accepted by application"
|
219
|
+
else
|
220
|
+
teLogger.debug "Certificate with subject #{c.subject} / Issuer : #{c.issuer} / SN : #{c.serial_number.to_s(16)} rejected by application"
|
221
|
+
end
|
222
|
+
else
|
223
|
+
teLogger.debug "Certificate with subject #{c.subject} / Issuer : #{c.issuer} / SN : #{c.serial_number.to_s(16)} passed through (no checking by application. Given #{certVerified})"
|
224
|
+
end
|
225
|
+
else
|
226
|
+
teLogger.debug "Certificate with subject #{c.subject} / Issuer : #{c.issuer} / SN : #{c.serial_number.to_s(16)} passed through (no checking by application)"
|
227
|
+
end
|
228
|
+
|
229
|
+
if certVerified
|
230
|
+
|
231
|
+
teLogger.debug "Verifing signature against certificate '#{c.subject}'"
|
232
|
+
verifier = org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder.new.setProvider(prov).build(c)
|
233
|
+
if signer.verify(verifier)
|
234
|
+
teLogger.debug "Signer with #{c.subject} verified!"
|
235
|
+
if block
|
236
|
+
block.call(:verification_result, true)
|
237
|
+
if data.nil?
|
238
|
+
block.call(:attached_data, signed.getSignedContent.getContent)
|
239
|
+
end
|
240
|
+
end
|
241
|
+
|
242
|
+
signatureVerified = true
|
243
|
+
|
244
|
+
else
|
245
|
+
teLogger.debug "Signer with #{c.subject} failed. Retry with subsequent certificate"
|
246
|
+
signatureVerified = false
|
247
|
+
end
|
248
|
+
|
249
|
+
end
|
250
|
+
rescue ::Java::OrgBouncycastleCms::CMSSignerDigestMismatchException => ex
|
251
|
+
teLogger.error "Signer digest mismatch exception : #{ex.message}"
|
252
|
+
signatureVerified = false
|
253
|
+
break
|
254
|
+
rescue Exception => ex
|
255
|
+
teLogger.error ex
|
256
|
+
teLogger.error ex.message
|
257
|
+
teLogger.error ex.backtrace.join("\n")
|
258
|
+
end
|
259
|
+
end
|
260
|
+
# end certs.getMatches
|
261
|
+
|
262
|
+
break if signatureVerified
|
263
|
+
|
264
|
+
end
|
265
|
+
# end signers.each
|
266
|
+
|
267
|
+
signatureVerified
|
268
|
+
|
269
|
+
end
|
270
|
+
|
271
|
+
def encrypt(val, &block)
|
272
|
+
|
273
|
+
gen = org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator.new
|
274
|
+
@config.recipient_certs.each do |re|
|
275
|
+
gen.addRecipientInfoGenerator(to_cms_recipint_info(re))
|
276
|
+
end
|
277
|
+
|
278
|
+
intBufSize = 1024000
|
279
|
+
if block
|
280
|
+
cipher = block.call(:cipher)
|
281
|
+
teLogger.debug "Application given cipher #{cipher}"
|
282
|
+
|
283
|
+
prov = block.call(:jce_provider)
|
284
|
+
intBufSize = block.call(:int_buffer_size)
|
285
|
+
os = block.call(:output_stream)
|
286
|
+
if not os.nil? and not os.is_a?(java.io.OutputStream)
|
287
|
+
raise PKCS7EngineException, "java.io.OutputStream expected but was given '#{os.class}'"
|
288
|
+
end
|
289
|
+
end
|
290
|
+
|
291
|
+
cipher = Ccrypto::DirectCipherConfig.new({ algo: :aes, keysize: 256, mode: :cbc }) if cipher.nil?
|
292
|
+
prov = Ccrypto::Java::JCEProvider::DEFProv if is_empty?(prov)
|
293
|
+
intBufSize = 1024000 if is_empty?(intBufSize)
|
294
|
+
|
295
|
+
os = java.io.ByteArrayOutputStream.new if os.nil?
|
296
|
+
|
297
|
+
encOut = gen.open(os, org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder.new(cipher_to_bc_cms_algo(cipher)).setProvider(prov).build())
|
298
|
+
|
299
|
+
case val
|
300
|
+
when java.io.InputStream
|
301
|
+
|
302
|
+
begin
|
303
|
+
total = 0
|
304
|
+
buf = ::Java::byte[intBufSize].new
|
305
|
+
while((read = val.read(buf, 0, buf.length)) != -1)
|
306
|
+
encOut.write(buf, 0, read)
|
307
|
+
end
|
308
|
+
|
309
|
+
encOut.flush
|
310
|
+
encOut.close
|
311
|
+
|
312
|
+
rescue Exception
|
313
|
+
ensure
|
314
|
+
begin
|
315
|
+
encOut.close
|
316
|
+
rescue Exception
|
317
|
+
end
|
318
|
+
end
|
319
|
+
|
320
|
+
else
|
321
|
+
|
322
|
+
if val.nil?
|
323
|
+
raise PKCS7EngineException, "Nil input is given."
|
324
|
+
else
|
325
|
+
ba = to_java_bytes(val)
|
326
|
+
case ba
|
327
|
+
when ::Java::byte[]
|
328
|
+
encOut.write(ba)
|
329
|
+
encOut.close
|
330
|
+
encOut.close
|
331
|
+
else
|
332
|
+
raise PKCS7EngineException, "Unknown format given as input #{val}"
|
333
|
+
end
|
334
|
+
end
|
335
|
+
|
336
|
+
end
|
337
|
+
|
338
|
+
os.toByteArray if os.is_a?(java.io.ByteArrayOutputStream)
|
339
|
+
|
340
|
+
end
|
341
|
+
|
342
|
+
def decrypt(val, &block)
|
343
|
+
validate_input(val, "decrypt")
|
344
|
+
validate_key_must_exist("decrypt")
|
345
|
+
|
346
|
+
raise PKCS7EngineException, "certForDecryption is required for PKCS7 decrypt operation" if is_empty?(@config.certForDecryption)
|
347
|
+
raise PKCS7EngineException, "Given certForDecryption must be a Ccrypto::X509Cert object" if not @config.certForDecryption.is_a?(Ccrypto::X509Cert)
|
348
|
+
|
349
|
+
case val
|
350
|
+
when java.io.ByteArrayInputStream
|
351
|
+
envp = org.bouncycastle.cms.CMSEnvelopedData.new(val)
|
352
|
+
else
|
353
|
+
if not val.nil?
|
354
|
+
ba = to_java_bytes(val)
|
355
|
+
case ba
|
356
|
+
when ::Java::byte[]
|
357
|
+
envp = org.bouncycastle.cms.CMSEnvelopedData.new(ba)
|
358
|
+
else
|
359
|
+
raise PKCS7EngineException, "Unknown input type '#{ba}' is given"
|
360
|
+
end
|
361
|
+
else
|
362
|
+
raise PKCS7EngineException, "Null input is given"
|
363
|
+
end
|
364
|
+
end
|
365
|
+
|
366
|
+
if block
|
367
|
+
os = block.call(:output_stream)
|
368
|
+
intBufSize = block.call(:int_buffer_size)
|
369
|
+
end
|
370
|
+
|
371
|
+
os = java.io.ByteArrayOutputStream.new if os.nil?
|
372
|
+
intBufSize = 1024000 if is_empty?(intBufSize)
|
373
|
+
|
374
|
+
kt = decryption_key_to_recipient(@config.private_key)
|
375
|
+
|
376
|
+
lastEx = nil
|
377
|
+
recipients = envp.getRecipientInfos.getRecipients
|
378
|
+
recipients.each do |r|
|
379
|
+
|
380
|
+
begin
|
381
|
+
encIs = r.getContentStream(kt).getContentStream
|
382
|
+
rescue Exception => ex
|
383
|
+
lastEx = ex
|
384
|
+
teLogger.debug "Got exception : #{ex.message}. Retry with another envelope"
|
385
|
+
next
|
386
|
+
end
|
387
|
+
|
388
|
+
begin
|
389
|
+
total = 0
|
390
|
+
buf = ::Java::byte[intBufSize].new
|
391
|
+
while((read = encIs.read(buf, 0, buf.length)) != -1)
|
392
|
+
os.write(buf,0, read)
|
393
|
+
end
|
394
|
+
|
395
|
+
os.flush
|
396
|
+
rescue Exception
|
397
|
+
ensure
|
398
|
+
begin
|
399
|
+
encIs.close
|
400
|
+
rescue Exception
|
401
|
+
end
|
402
|
+
end
|
403
|
+
|
404
|
+
lastEx = nil
|
405
|
+
break
|
406
|
+
end
|
407
|
+
|
408
|
+
if not lastEx.nil?
|
409
|
+
raise PKCS7EngineException, lastEx
|
410
|
+
end
|
411
|
+
|
412
|
+
os.toByteArray if os.is_a?(java.io.ByteArrayOutputStream)
|
413
|
+
|
414
|
+
end
|
415
|
+
|
416
|
+
protected
|
417
|
+
def validate_input(val, ops)
|
418
|
+
raise PKCS7EngineException, "Given data to #{ops} operation is empty" if is_empty?(val)
|
419
|
+
#raise PKCS7EngineException, "X509_cert is required for PKCS7 #{ops}" if is_empty?(@config.x509_cert)
|
420
|
+
#raise PKCS7EngineException, "Given x509_cert must be a Ccrypto::X509Cert object" if not @config.x509_cert.is_a?(Ccrypto::X509Cert)
|
421
|
+
end
|
422
|
+
|
423
|
+
def validate_key_must_exist(ops)
|
424
|
+
#raise PKCS7EngineException, "Keybundle is required for PKCS7 #{ops}" if is_empty?(@config.keybundle)
|
425
|
+
#raise PKCS7EngineException, "Given key must be a Ccrypto::KeyBundle object" if not @config.keybundle.is_a?(Ccrypto::KeyBundle)
|
426
|
+
raise PKCS7EngineException, "Private key is required for PKCS7 #{ops}" if @config.private_key.nil?
|
427
|
+
raise PKCS7EngineException, "Given private key must be a Ccrypto::PrivateKey object. Given #{@config.private_key}" if not @config.private_key.is_a?(Ccrypto::PrivateKey)
|
428
|
+
end
|
429
|
+
|
430
|
+
private
|
431
|
+
def to_cms_recipint_info(obj, prov = Ccrypto::Java::JCEProvider::DEFProv)
|
432
|
+
|
433
|
+
case obj
|
434
|
+
when java.security.Certificate
|
435
|
+
teLogger.debug "Given recipient info is java.security.Certificate"
|
436
|
+
org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator.new(obj).setProvider(prov)
|
437
|
+
when Ccrypto::X509Cert
|
438
|
+
teLogger.debug "Given recipient info is Ccrypto::X509Cert"
|
439
|
+
org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator.new(obj.nativeX509).setProvider(prov)
|
440
|
+
else
|
441
|
+
raise PKCS7EngineException, "Unknown object to conver to CMS recipient info. Given #{obj}"
|
442
|
+
end
|
443
|
+
|
444
|
+
#if Pkernel::Certificate.is_cert_object?(obj)
|
445
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given recipient info is certificate"
|
446
|
+
# cert = Pkernel::Certificate.ensure_java_cert(obj)
|
447
|
+
# org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator.new(cert).setProvider(provider)
|
448
|
+
#elsif GcryptoJce::SecretKey.is_secret_key?(obj)
|
449
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given recipient info is secret key"
|
450
|
+
# #org.bouncycastle.operator.jcajce.JceSymmetricKeyWrapper.new(obj).setProvider(provider)
|
451
|
+
# org.bouncycastle.cms.jcajce.JceKEKRecipientInfoGenerator.new(SecureRandom.hex(8).to_java.getBytes, obj).setProvider(provider)
|
452
|
+
#elsif obj.is_a?(Gcrypto::SecretKeyCryptoContext)
|
453
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given recipient info is secret key crypto context"
|
454
|
+
# prov = obj.key_provider
|
455
|
+
# prov = provider if prov.nil?
|
456
|
+
# #wrapper = org.bouncycastle.operator.jcajce.JceSymmetricKeyWrapper.new(obj.key).setProvider(prov)
|
457
|
+
# org.bouncycastle.cms.jcajce.JceKEKRecipientInfoGenerator.new(obj.name.to_java.getBytes, obj.key).setProvider(prov)
|
458
|
+
#elsif obj.is_a?(String)
|
459
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given recipient info is string --> password recipient"
|
460
|
+
# #algo = org.bouncycastle.cms.CMSAlgorithm::AES256_GCM
|
461
|
+
# algo = org.bouncycastle.cms.CMSAlgorithm::AES256_CBC
|
462
|
+
# salt = GcryptoJce::SecureRandomEngine.generate
|
463
|
+
# iter = rand(1000...3000)
|
464
|
+
# org.bouncycastle.cms.jcajce.JcePasswordRecipientInfoGenerator.new(algo, obj.to_java.toCharArray).setPasswordConversionScheme(org.bouncycastle.cms.PasswordRecipient::PKCS5_SCHEME2).setSaltAndIterationCount(salt,iter)
|
465
|
+
#elsif obj.java_kind_of?(Java::byte[])
|
466
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given recipient info is java byte array. Assume string --> password recipient"
|
467
|
+
# #algo = org.bouncycastle.cms.CMSAlgorithm::AES256_GCM
|
468
|
+
# algo = org.bouncycastle.cms.CMSAlgorithm::AES256_CBC
|
469
|
+
# salt = GcryptoJce::SecureRandomEngine.generate
|
470
|
+
# iter = rand(1000...3000)
|
471
|
+
# org.bouncycastle.cms.jcajce.JcePasswordRecipientInfoGenerator.new(algo, String.from_java_bytes(obj).toCharArray).setPasswordConversionScheme(org.bouncycastle.cms.PasswordRecipient::PKCS5_SCHEME2).setSaltAndIterationCount(salt,iter)
|
472
|
+
#elsif obj.java_kind_of?(Java::char[])
|
473
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given recipient info is java char array. Assume string --> password recipient"
|
474
|
+
# #algo = org.bouncycastle.cms.CMSAlgorithm::AES256_GCM
|
475
|
+
# algo = org.bouncycastle.cms.CMSAlgorithm::AES256_CBC
|
476
|
+
# salt = GcryptoJce::SecureRandomEngine.generate
|
477
|
+
# iter = rand(1000...3000)
|
478
|
+
# org.bouncycastle.cms.jcajce.JcePasswordRecipientInfoGenerator.new(algo, obj).setPasswordConversionScheme(org.bouncycastle.cms.PasswordRecipient::PKCS5_SCHEME2).setSaltAndIterationCount(salt,iter)
|
479
|
+
#else
|
480
|
+
# raise GcryptoBcCms::Error, "Unsupported object for encryption recipient info conversion '#{obj.class}'"
|
481
|
+
#end
|
482
|
+
|
483
|
+
end # to_cms_recipient_info
|
484
|
+
|
485
|
+
def cipher_to_bc_cms_algo(cipher)
|
486
|
+
case cipher
|
487
|
+
when Ccrypto::CipherConfig
|
488
|
+
case cipher.algo
|
489
|
+
when :seed
|
490
|
+
eval("org.bouncycastle.cms.CMSAlgorithm::#{cipher.algo.to_s.upcase}_#{cipher.mode.to_s.upcase}")
|
491
|
+
else
|
492
|
+
eval("org.bouncycastle.cms.CMSAlgorithm::#{cipher.algo.to_s.upcase}#{cipher.keysize}_#{cipher.mode.to_s.upcase}")
|
493
|
+
end
|
494
|
+
else
|
495
|
+
raise PKCS7EngineException, "Invalid cipher object '#{cipher}'. Expecting Ccrypto::Cipher object"
|
496
|
+
end
|
497
|
+
end
|
498
|
+
|
499
|
+
def decryption_key_to_recipient(decKey, prov = Ccrypto::Java::JCEProvider::DEFProv)
|
500
|
+
|
501
|
+
res = nil
|
502
|
+
gKey = decKey
|
503
|
+
loop do
|
504
|
+
case gKey
|
505
|
+
when java.security.PrivateKey
|
506
|
+
res = org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient.new(gKey).setProvider(prov)
|
507
|
+
break
|
508
|
+
when Ccrypto::PrivateKey
|
509
|
+
gKey = gKey.native_privKey
|
510
|
+
else
|
511
|
+
raise PKCS7EngineException, "Unsupported decryption key type '#{decKey}'"
|
512
|
+
end
|
513
|
+
end
|
514
|
+
|
515
|
+
res
|
516
|
+
|
517
|
+
#if Pkernel::KeyPair.is_private_key?(obj)
|
518
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given decryption artifacts is private key"
|
519
|
+
# org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient.new(obj).setProvider(provider)
|
520
|
+
#elsif GcryptoJce::SecretKey.is_secret_key?(obj)
|
521
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given decryption artifacts is secret key"
|
522
|
+
# #w = org.bouncycastle.operator.jcajce.JceSymmetricKeyUnwrapper.new(obj).setProvider(provider)
|
523
|
+
# if provider.nil?
|
524
|
+
# org.bouncycastle.cms.jcajce.JceKEKEnvelopedRecipient.new(obj)
|
525
|
+
# else
|
526
|
+
# org.bouncycastle.cms.jcajce.JceKEKEnvelopedRecipient.new(obj).setProvider(provider)
|
527
|
+
# end
|
528
|
+
#elsif obj.is_a?(Gcrypto::SecretKeyCryptoContext)
|
529
|
+
# prov = obj.key_provider
|
530
|
+
# prov = provider if prov.nil?
|
531
|
+
# if prov.nil?
|
532
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given decryption artifacts is secret key crypto context."
|
533
|
+
# org.bouncycastle.cms.jcajce.JceKEKEnvelopedRecipient.new(obj.key)
|
534
|
+
# else
|
535
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given decryption artifacts is secret key crypto context. '#{prov.nil? ? '' : "Using provider #{prov.name}" }'"
|
536
|
+
# org.bouncycastle.cms.jcajce.JceKEKEnvelopedRecipient.new(obj.key).setProvider(prov)
|
537
|
+
# end
|
538
|
+
# #org.bouncycastle.operator.jcajce.JceSymmetricKeyUnwrapper.new(obj.key).setProvider(prov)
|
539
|
+
#elsif obj.is_a?(String)
|
540
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given decryption artifacts is string --> password recipient"
|
541
|
+
# org.bouncycastle.cms.jcajce.JcePasswordEnvelopedRecipient.new(obj.to_java.toCharArray).setPasswordConversionScheme(org.bouncycastle.cms.PasswordRecipient::PKCS5_SCHEME2)
|
542
|
+
#elsif obj.java_kind_of?(Java::byte[])
|
543
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given decryption artifacts is java byte array. Assume string --> password recipient"
|
544
|
+
# org.bouncycastle.cms.jcajce.JcePasswordEnvelopedRecipient.new(String.from_java_bytes(obj).to_java.toCharArray).setPasswordConversionScheme(org.bouncycastle.cms.PasswordRecipient::PKCS5_SCHEME2)
|
545
|
+
#elsif obj.java_kind_of?(Java::char[])
|
546
|
+
# GcryptoBcCms::GConf.instance.glog.debug "Given decryption artifacts is java char array. Assume string --> password recipient"
|
547
|
+
# org.bouncycastle.cms.jcajce.JcePasswordEnvelopedRecipient.new(obj).setPasswordConversionScheme(org.bouncycastle.cms.PasswordRecipient::PKCS5_SCHEME2)
|
548
|
+
#else
|
549
|
+
# raise GcryptoBcCms::Error, "Unsupported object for decryption recipient object conversion '#{obj.class}'"
|
550
|
+
#end
|
551
|
+
|
552
|
+
end
|
553
|
+
|
554
|
+
|
555
|
+
end
|
556
|
+
|
557
|
+
end
|
558
|
+
end
|