ccrypto-java 0.1.0

data/lib/ccrypto/java/engines/secure_random_engine.rb

@@ -0,0 +1,76 @@
+
+require_relative '../data_conversion'
+
+module Ccrypto
+  module Java
+    class SecureRandomEngine
+      include TR::CondUtils
+      extend DataConversion
+
+
+      def self.random_bytes(size, &block)
+        buf = ::Java::byte[size].new
+        engine(&block).next_bytes(buf)
+        buf
+      end
+
+      def self.random_hex(size,&block)
+        to_hex(random_bytes(size,&block))
+      end
+
+      def self.random_b64(size, &block)
+        to_b64(random_bytes(size, &block)) 
+      end
+
+      def self.random_uuid
+        java.util.UUID.randomUUID.to_s 
+      end
+
+      def self.random_alphanu(size, &block)
+        SecureRandom.alphanumeric(size) 
+      end
+
+      def self.random_number(val, &block)
+        if val.is_a?(Range) 
+          v = engine(&block).next_int(val.max)
+          if v < val.min
+            v = v+val.min
+          end
+          v
+        elsif val.is_a?(Integer)
+          engine(&block).next_int(val)
+        elsif is_empty?(val)
+          engine(&block).next_double
+        end
+      end
+
+
+      private
+      def self.engine(&block)
+        if @srEngine.nil?
+          srJceProvider = nil
+          algo = "NativePRNG"
+          if block
+            jceProv = block.call(:jce_provider)
+            srJceProvider = jceProv 
+            
+            al = block.call(:secure_random_engine_name)
+            algo = al if not_empty?(al)
+          else
+            algo = "NativePRNG"
+          end
+
+          if srJceProvider.nil? 
+            @srEngine = java.security.SecureRandom.getInstance(algo)
+          else
+            @srEngine = java.security.SecureRandom.getInstance(algo,srJceProvider)
+          end
+        end
+
+        @srEngine
+      end
+
+
+    end
+  end
+end

data/lib/ccrypto/java/engines/x509_engine.rb

@@ -0,0 +1,311 @@
+
+module Ccrypto
+  module Java
+
+    class X509Engine
+      include TR::CondUtils
+
+      include TeLogger::TeLogHelper
+
+      teLogger_tag :j_x509
+
+      def initialize(certProf)
+        @certProfile = certProf
+      end
+
+      def generate(issuerKey, &block)
+
+        cp = @certProfile
+
+        raise X509EngineException, "Issuer key must be given" if issuerKey.nil?
+        raise X509EngineException, "Issuer key must be a private key. Given #{issuerKey}" if not issuerKey.is_a?(Ccrypto::PrivateKey)
+
+        prov = Ccrypto::Java::JCEProvider::DEFProv
+        signSpec = nil
+        if block
+          uprov = block.call(:jce_provider_name)
+          prov if not_empty?(uprov)
+          signSpec = block.call(:sign_spec)
+          signHash = block.call(:sign_hash)
+        end
+
+        signHash = :sha256 if is_empty?(signHash)
+
+        validFrom = cp.not_before 
+        validTo = cp.not_after
+
+        extUtils = org.bouncycastle.cert.bc.BcX509ExtensionUtils.new
+
+        if cp.serial.is_a?(java.math.BigInteger)
+          serial = cp.serial
+        else
+          serial = java.math.BigInteger.new(cp.serial, 16)
+        end
+
+        iss = cp.issuer_cert
+        if not_empty?(iss) 
+          raise X509EngineException, "Issuer certificate must be Ccrypto::X509Cert object (#{iss.class})" if not iss.is_a?(Ccrypto::X509Cert) #iss.is_a?(java.security.cert.Certificate)
+
+          certGen = org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder.new(Ccrypto::X509Cert.to_java_cert(iss), serial, validFrom, validTo, to_cert_subject, cp.public_key)
+          certGen.addExtension(org.bouncycastle.asn1.x509.Extension::authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.getInstance(iss.getPublicKey.encoded)))
+
+        else
+
+          name = to_cert_subject
+          certGen = org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder.new(name, serial, validFrom, validTo, name, cp.public_key.native_pubKey)
+          certGen.addExtension(org.bouncycastle.asn1.x509.Extension::authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.getInstance(cp.public_key.to_bin)))
+        end
+
+        certGen.addExtension(org.bouncycastle.asn1.x509.Extension::basicConstraints, true, org.bouncycastle.asn1.x509.BasicConstraints.new(true)) if cp.gen_issuer_cert?
+
+        #certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(to_keyusage))
+        #criticalKu = 0
+        #nonCriticalKu = 0
+        kuv = 0
+        criticalKu = false
+        cp.key_usage.selected.each do |ku, critical|
+          case ku
+          when :digitalSignature
+            kur = org.bouncycastle.asn1.x509::KeyUsage::digitalSignature
+          when :nonRepudiation
+            kur = org.bouncycastle.asn1.x509::KeyUsage::nonRepudiation
+          when :keyEncipherment
+            kur = org.bouncycastle.asn1.x509::KeyUsage::keyEncipherment
+          when :dataEncipherment
+            kur = org.bouncycastle.asn1.x509::KeyUsage::dataEncipherment
+          when :keyAgreement
+            kur = org.bouncycastle.asn1.x509::KeyUsage::keyAgreement
+          when :keyCertSign
+            kur = org.bouncycastle.asn1.x509::KeyUsage::keyCertSign
+          when :crlSign
+            kur = org.bouncycastle.asn1.x509::KeyUsage::cRLSign
+          when :encipherOnly
+            kur = org.bouncycastle.asn1.x509::KeyUsage::encipherOnly
+          when :decipherOnly
+            kur = org.bouncycastle.asn1.x509::KeyUsage::decipherOnly
+          end
+
+          criticalKu = critical if critical
+
+          kuv |= kur
+
+          #if critical
+          #  criticalKu |= kur
+          #else
+          #  nonCriticalKu |= kur
+          #end
+
+        end
+
+        certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, criticalKu, org.bouncycastle.asn1.x509.KeyUsage.new(kuv)) 
+        #certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, true, org.bouncycastle.asn1.x509.KeyUsage.new(criticalKu)) if criticalKu != 0
+        #certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(nonCriticalKu)) if nonCriticalKu != 0
+
+        ekuCritical = false
+        eku = java.util.Vector.new
+        #ekuCritical = java.util.Vector.new
+        #ekuNonCritical = java.util.Vector.new
+        cp.ext_key_usage.selected.each do |ku,critical|
+          case ku
+          when :allPurpose
+            kur = org.bouncycastle.asn1.x509.KeyPurposeId::anyExtendedKeyUsage
+          when :serverAuth
+            kur = org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_serverAuth
+          when :clientAuth
+            kur = org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_clientAuth
+          when :codeSigning
+            kur =  org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_codeSigning
+          when :emailProtection
+            kur = org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_emailProtection
+          when :timestamping
+            kur = org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_timeStamping
+          when :ocspSigning
+            kur = org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_OCSPSigning
+          end
+
+          ekuCritical = critical if critical
+          eku.add_element(kur)
+          #if critical
+          #  ekuCritical.add_element(kur)
+          #else
+          #  ekuNonCritical.add_element(kur)
+          #end
+        end
+
+        #extKeyUsage = java.util.Vector.new
+        cp.domain_key_usage.each do |dku, critical|
+          kur = org.bouncycastle.asn1.DERObjectIdentifier.new(dku)
+
+          ekuCritical = critical if critical
+          eku.add_element(kur)
+          #if critical
+          #  ekuCritical.add_element(kur)
+          #else
+          #  ekuNonCritical.add_element(kur)
+          #end
+        end
+
+        certGen.addExtension(org.bouncycastle.asn1.x509.Extension::extendedKeyUsage, ekuCritical, org.bouncycastle.asn1.x509.ExtendedKeyUsage.new(eku)) if not_empty?(eku)
+        #certGen.addExtension(org.bouncycastle.asn1.x509.Extension::extendedKeyUsage, true, org.bouncycastle.asn1.x509.ExtendedKeyUsage.new(ekuCritical)) if not_empty?(ekuCritical)
+        #certGen.addExtension(org.bouncycastle.asn1.x509.Extension::extendedKeyUsage, false, org.bouncycastle.asn1.x509.ExtendedKeyUsage.new(ekuNonCritical)) if not_empty?(ekuNonCritical)
+        #certGen.addExtension(org.bouncycastle.asn1.x509.Extension::extendedKeyUsage, false, org.bouncycastle.asn1.x509.ExtendedKeyUsage.new(extKeyUsage)) if not extKeyUsage.is_empty?
+
+        altName = []
+        cp.email.each do |e|
+          altName << org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::rfc822Name,e)
+        end
+
+        cp.dns_name.each do |d|
+          altName << org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::dNSName,d)
+        end
+
+        cp.ip_addr.each do |d|
+          altName << org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::iPAddress,d)
+        end
+
+        cp.uri.each do |u|
+          altName << org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::uniformResourceIdentifier,u)
+        end
+
+        certGen.addExtension(org.bouncycastle.asn1.x509.Extension::subjectAlternativeName, false, org.bouncycastle.asn1.x509.GeneralNames.new(altName.to_java(org.bouncycastle.asn1.x509.GeneralName)) )
+
+        if not_empty?(cp.crl_dist_point)
+          crls = []
+          cp.crl_dist_point.each do |c|
+            crls << org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::uniformResourceIdentifier, org.bouncycastle.asn1.DERIA5String.new(c))
+          end
+          gns = org.bouncycastle.asn1.x509.GeneralNames.new(crls.to_java(org.bouncycastle.asn1.x509.GeneralName))
+          dpn = org.bouncycastle.asn1.x509.DistributionPointName.new(gns)
+          dp =  org.bouncycastle.asn1.x509.DistributionPoint.new(dpn,nil,nil)
+          certGen.addExtension(org.bouncycastle.asn1.x509.X509Extensions::CRLDistributionPoints,false,org.bouncycastle.asn1.DERSequence.new(dp))      
+        end
+
+        aia = []
+        cp.ocsp_url.each do |o|
+          ov = org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::uniformResourceIdentifier, org.bouncycastle.asn1.DERIA5String.new(o))
+          aia << org.bouncycastle.asn1.x509.AccessDescription.new(org.bouncycastle.asn1.x509.AccessDescription.id_ad_ocsp, ov)
+        end
+
+        cp.issuer_url.each do |i|
+          iv = org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::uniformResourceIdentifier, org.bouncycastle.asn1.DERIA5String.new(i))
+          aia << org.bouncycastle.asn1.x509.AccessDescription.new(org.bouncycastle.asn1.x509.AccessDescription.id_ad_caIssuers, iv)
+        end
+
+        if not_empty?(aia)
+          authorityInformationAccess = org.bouncycastle.asn1.x509.AuthorityInformationAccess.new(aia.to_java(org.bouncycastle.asn1.x509.AccessDescription))
+          certGen.addExtension(org.bouncycastle.asn1.x509.X509Extensions::AuthorityInfoAccess, false, authorityInformationAccess)			  
+        end
+
+
+        certGen.addExtension(org.bouncycastle.asn1.x509.Extension::subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.getInstance(cp.public_key.to_bin)))
+
+        signAlgo = nil
+        if is_empty?(signSpec)
+          gKey = issuerKey
+          loop do
+            case gKey
+            when org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPrivateKey
+              signAlgo = "#{signHash.to_s.upcase}WithECDSA"
+              break
+            when java.security.interfaces.RSAPrivateKey , org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey
+              signAlgo = "#{signHash.to_s.upcase}WithRSA"
+              break
+            when Ccrypto::PrivateKey
+              teLogger.debug "Found Ccrypto::Private key #{gKey}."
+              gKey = gKey.native_privKey
+            else
+              raise X509EngineException, "Unsupported issuer key type '#{gKey}'"
+            end
+          end
+        else
+        end
+
+        #signAlgo = "SHA256WithECDSA"
+        #signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(signAlgo).setProvider(prov).build(issuerKey.private_key)
+        signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(signAlgo).setProvider(prov).build(gKey)
+
+        cert = org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.new().setProvider(prov).getCertificate(certGen.build(signer))
+        cert
+
+        Ccrypto::X509Cert.new(cert)
+
+      end
+
+      def to_cert_subject
+
+        builder = org.bouncycastle.asn1.x500.X500NameBuilder.new
+        builder.addRDN(org.bouncycastle.asn1.x500.style::BCStyle::CN, @certProfile.owner_name)
+
+        builder.addRDN(org.bouncycastle.asn1.x500.style::BCStyle::O, @certProfile.org) if not_empty?(@certProfile.org)
+
+        @certProfile.org_unit.each do |ou|
+          builder.addRDN(org.bouncycastle.asn1.x500.style::BCStyle::OU, ou)
+        end
+
+        #builder.addRDN(Java::OrgBouncycastleAsn1X500Style::BCStyle::SN, serial) if @serial != nil and not @serial.empty?
+
+        e = @certProfile.email.first
+        if not_empty?(e)
+          builder.addRDN(org.bouncycastle.asn1.x500.style::BCStyle::EmailAddress, e) 
+        end
+
+        builder.build
+
+      end
+
+      #def to_keyusage
+      #  kur = 0
+      #  @certProfile.key_usage.selected.each do |ku|
+      #    case ku
+      #    when :digitalSignature
+      #      kur |= org.bouncycastle.asn1.x509::KeyUsage::digitalSignature
+      #    when :nonRepudiation
+      #      kur |= org.bouncycastle.asn1.x509::KeyUsage::nonRepudiation
+      #    when :keyEncipherment
+      #      kur |= org.bouncycastle.asn1.x509::KeyUsage::keyEncipherment
+      #    when :dataEncipherment
+      #      kur |= org.bouncycastle.asn1.x509::KeyUsage::dataEncipherment
+      #    when :keyAgreement
+      #      kur |= org.bouncycastle.asn1.x509::KeyUsage::keyAgreement
+      #    when :keyCertSign
+      #      kur |= org.bouncycastle.asn1.x509::KeyUsage::keyCertSign
+      #    when :crlSign
+      #      kur |= org.bouncycastle.asn1.x509::KeyUsage::cRLSign
+      #    when :encipherOnly
+      #      kur |= org.bouncycastle.asn1.x509::KeyUsage::encipherOnly
+      #    when :decipherOnly
+      #      kur |= org.bouncycastle.asn1.x509::KeyUsage::decipherOnly
+      #    end
+      #  end
+
+      #  kur
+      #end
+
+      def to_extkeyusage
+        kur = java.util.Vector.new
+        @certProfile.ext_key_usage.selected.each do |ku|
+          case ku
+          when :allPurpose
+            kur.add_element org.bouncycastle.asn1.x509.KeyPurposeId::anyExtendedKeyUsage
+          when :serverAuth
+            kur.add_element org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_serverAuth
+          when :clientAuth
+            kur.add_element org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_clientAuth
+          when :codeSigning
+            kur.add_element org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_codeSigning
+          when :emailProtection
+            kur.add_element org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_emailProtection
+          when :timestamping
+            kur.add_element org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_timeStamping
+          when :ocspSigning
+            kur.add_element org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_OCSPSigning
+          end
+        end
+
+        kur
+      end
+
+    end
+
+  end
+end

data/lib/ccrypto/java/ext/secret_key.rb

@@ -0,0 +1,75 @@
+
+require_relative '../data_conversion'
+
+module Ccrypto
+  class SecretKey
+    include Java::DataConversion
+
+    include TeLogger::TeLogHelper
+    teLogger_tag :j_secretkey_ext
+
+    def to_jce_secret_key
+      case @key
+      when javax.crypto.spec.SecretKeySpec
+        @key
+      when ::Java::byte[]
+        javax.crypto.spec.SecretKeySpec.new(@key, @algo.to_s)
+
+      else
+        case @key.key
+        when javax.crypto.spec.SecretKeySpec
+          @key.key
+        when ::Java::byte[]
+          javax.crypto.spec.SecretKeySpec.new(@key.key, @algo.to_s)
+        else
+          raise Ccrypto::Error, "Unknown key to conver to jce #{@key.key}"
+        end
+      end
+    end
+
+    def to_bin
+      case @key
+      when javax.crypto.spec.SecretKeySpec
+        @key.encoded
+      else
+        raise Ccrypto::Error, "Unsupported key type #{@key.class}"
+      end
+    end
+
+    def length
+      case @key
+      when javax.crypto.spec.SecretKeySpec
+        @key.encoded.length
+      when ::Java::byte[]
+        @key.length
+      else
+        @key.key.encoded.length
+      end
+    end
+
+    def equals?(key)
+      case key
+      when Ccrypto::SecretKey
+        teLogger.debug "Given key is Ccrypto::SecretKey"
+        to_jce_secret_key.encoded == key.to_jce_secret_key.encoded
+      when javax.crypto.spec.SecretKeySpec
+        teLogger.debug "Given key is java SecretKeySpec"
+        to_jce_secret_key.encoded == key.encoded
+      when ::Java::byte[]
+        to_jce_secret_key.encoded == key
+      when String
+        to_jce_secret_key.encoded == to_java_bytes(key)
+      else
+        teLogger.debug "Not sure how to compare : #{self} / #{key}"
+        to_jce_secret_key == key
+      end
+    end
+
+    #def each_char(&block)
+    #  to_bin.each do |b|
+    #    block.call(b)
+    #  end
+    #end
+
+  end
+end

data/lib/ccrypto/java/ext/x509_cert.rb

@@ -0,0 +1,48 @@
+
+
+module Ccrypto
+  class X509Cert
+    include TR::CondUtils
+ 
+    def to_der
+      @nativeX509.encoded
+    end
+
+    def method_missing(mtd, *args, &block)
+      @nativeX509.send(mtd, *args, &block)
+    end
+
+    def equal?(cert)
+      if cert.nil?
+        if @nativeX509.nil?
+          true
+        else
+          false
+        end
+      else
+
+        tcert = self.class.to_java_cert(cert)
+        lcert = self.class.to_java_cert(@nativeX509)
+
+        tcert.encoded == @nativeX509.encoded
+      end
+    end
+
+    def self.to_java_cert(cert)
+      raise X509CertException, "Given certificate to convert to Java certificate object is empty" if is_empty?(cert) 
+
+      case cert
+      when java.security.cert.Certificate
+        cert
+      when org.bouncycastle.cert.X509CertificateHolder
+        cert.to_java_cert
+      when Ccrypto::X509Cert
+        to_java_cert(cert.nativeX509)
+      else
+        raise X509CertException, "Unknown certificate type #{cert} for conversion"
+      end
+
+    end
+
+  end
+end

data/lib/ccrypto/java/jce_provider.rb

@@ -0,0 +1,52 @@
+
+require 'singleton'
+
+module Ccrypto
+  module Java
+    
+    class JCEProviderException < StandardError; end
+
+    class JCEProvider
+      include Singleton
+
+      BCProv = org.bouncycastle.jce.provider.BouncyCastleProvider.new
+      DEFProv = BCProv
+
+      def add_provider(prov = nil)
+        case prov
+        when java.security.Provider
+          java.security.Security.add_provider(prov) if not is_provider_registered?(prov)
+        else
+          java.security.Security.add_provider(DEFProv) if not is_provider_registered?(DEFProv)	
+        end
+      end
+
+      def is_provider_registered?(prov)
+        case prov
+        when String
+          java.security.Security.providers.to_a.map { |v| v.name }.include?(prov)
+        when java.security.Provider
+          java.security.Security.get_providers.to_a.include?(prov)
+        else
+          false
+        end
+      end
+
+      def add_bc_provider
+        add_provider
+      end
+
+      #def set_default_provider(prov)
+
+      #  case prov
+      #  when String
+      #  when java.security.Provider
+      #    add_provider(prov) if not is_provider_registered?(prov)
+      #    @defProvider = prov
+      #  end
+
+      #end
+
+    end
+  end
+end

data/lib/ccrypto/java/keybundle_store/pkcs12.rb

@@ -0,0 +1,125 @@
+
+require_relative '../data_conversion'
+
+module Ccrypto
+  module Java
+    
+    module PKCS12
+      include TR::CondUtils
+      include DataConversion
+
+      class PKCS12StorageException < KeyBundleStorageException; end
+
+      module ClassMethods
+        include DataConversion
+
+        def from_pkcs12(bin, &block)
+
+          raise PKCS12StorageException, "block is required" if not block
+
+          storeType = block.call(:store_type)
+          storeType = "PKCS12" if is_empty?(storeType)
+
+          prof = block.call(:jce_provider)
+          if not_empty?(prof)
+            ks = java.security.KeyStore.getInstance(storeType, prof)
+          else
+            ks = java.security.KeyStore.getInstance(storeType)
+          end
+
+          pass = block.call(:p12_pass) || block.call(:jks_pass)
+          name = block.call(:p12_name) || block.call(:jks_name)
+
+          #case bin
+          #when String
+          #  bbin = bin.to_java_bytes
+          #when ::Java::byte[]
+          #  bbin = bin
+          #else
+          #  raise KeypairEngineException, "Java byte array is expected. Given #{bin.class}"
+          #end
+
+          bbin = to_java_bytes(bin)
+
+          ks.load(java.io.ByteArrayInputStream.new(bbin),pass.to_java.toCharArray)
+
+          name = ks.aliases.to_a.first if is_empty?(name)
+
+          userCert = Ccrypto::X509Cert.new(ks.getCertificate(name))
+          chain = ks.get_certificate_chain(name).collect { |c| Ccrypto::X509Cert.new(c) }
+          chain = chain.delete_if { |c| c.equal?(userCert) }
+
+          key = ks.getKey(name, pass.to_java.toCharArray)
+          case key
+          when java.security.interfaces.ECPrivateKey
+            [Ccrypto::Java::ECCKeyBundle.new(key), userCert, chain]
+          when java.security.interfaces.RSAPrivateKey
+            [Ccrypto::Java::RSAKeyBundle.new(key), userCert, chain]
+          else
+            raise PKCS12StorageException, "Unknown key type #{key}"
+          end
+
+        end
+
+      end
+      def self.included(klass)
+        klass.extend(ClassMethods)
+      end
+
+      def to_pkcs12(&block)
+
+        raise KeypairEngineException, "block is required" if not block
+
+        storeType = block.call(:store_type)
+        storeType = "PKCS12" if is_empty?(storeType)
+
+        prof = block.call(:jce_provider)
+        if not_empty?(prof)
+          ks = java.security.KeyStore.getInstance(storeType, prof)
+        else
+          ks = java.security.KeyStore.getInstance(storeType)
+        end
+
+        ks.load(nil,nil)
+
+        gcert = block.call(:cert)
+        raise KeypairEngineException, "PKCS12 requires the X.509 certificate" if is_empty?(gcert)
+
+        ca = block.call(:certchain) || [cert]
+        ca = [cert] if is_empty?(ca)
+        ca = ca.unshift(gcert) if not ca.first.equal?(gcert)
+        ca = ca.collect { |c|
+          Ccrypto::X509Cert.to_java_cert(c) 
+        }
+
+        pass = block.call(:p12_pass) || block.call(:jks_pass)
+        raise KeypairEngineException, "Password is required" if is_empty?(pass)
+
+        name = block.call(:p12_name) || block.call(:jks_name)
+        name = "Ccrypto P12" if is_empty?(name)
+
+        keypair = block.call(:keypair)
+        raise KeypairEngineException, "Keypair is required" if is_empty?(keypair)
+
+        ks.setKeyEntry(name, keypair.private, pass.to_java.toCharArray, ca.to_java(java.security.cert.Certificate))
+
+        baos = java.io.ByteArrayOutputStream.new
+        ks.store(baos, pass.to_java.toCharArray)
+        res = baos.toByteArray
+
+        outForm = block.call(:out_format)
+        case outForm
+        when :b64
+          to_b64(res)
+        when :hex
+          to_hex(res)
+        else
+          res
+        end
+
+      end
+      
+    end
+
+  end
+end