pkernel_jce 0.1

data/lib/pkernel_jce/crl.rb

@@ -0,0 +1,221 @@
+
+require_relative 'io_utils'
+
+module PkernelJce
+  module CRL
+    def generate(identity, opts = {}, &block)
+      
+      if identity.nil?
+        raise PkernelJce::Error, "Identity is nil in generating CRL"
+      end
+
+      tbpCerts = opts[:tbpCerts]
+      # allow empty CRL
+      tbpCerts = {} if tbpCerts.nil?
+
+      prov = opts[:provider]
+      if prov.nil?
+        prov = PkernelJce::Provider.add_default
+      else
+        PkernelJce::Provider.add_provider(prov)
+      end
+     
+      validity = opts[:validity] || 1
+      validityUnit = opts[:validity_unit] || :days
+      signAlgo = opts[:hashAlgo]
+      if signAlgo.nil?
+        signAlgo = PkernelJce::KeyPair.derive_signing_algo(identity.privKey, "SHA256")
+      end
+      PkernelJce::GConf.instance.glog.debug "Signing algo for CRL is #{signAlgo}"
+
+      crlGen = org.bouncycastle.x509.X509V2CRLGenerator.new
+      validFrom = Time.now
+      validTo = validFrom.advance( validityUnit => validity )
+      # CRL validity should not be more then issuer's
+      if validFrom.to_java_date.before(identity.certificate.not_before)
+        PkernelJce::GConf.instance.glog.debug "CRL new valid from has adjusted to match with issuer valid from : #{validFrom} [Original] / #{identity.certificate.not_before} [Issuer's certificate not before]"
+        validFrom = identity.certificate.not_before
+      end
+      
+      if validTo.to_java_date.after(identity.certificate.not_after)
+        PkernelJce::GConf.instance.glog.debug "CRL new valid until has adjusted to match with issuer validity to : #{validTo} [Original] / #{identity.certificate.not_after} [Issuer's certificate not after]"
+        validTo = identity.certificate.not_after
+      end
+      PkernelJce::GConf.instance.glog.debug "CRL validity #{validFrom} - #{validTo}"
+
+      crlGen.issuer_dn = identity.certificate.getSubjectX500Principal
+      crlGen.this_update = validFrom
+      crlGen.next_update = validTo
+      crlGen.signature_algorithm = signAlgo
+
+      tbpCerts.each do |k,v|
+        cert = k
+        opts = v
+        time = opts[:time] || java.util.Date.new
+        reason = opts[:reason] || Pkernel::CRLReason::UNSPECIFIED
+        crlGen.addCRLEntry(cert.getSerialNumber, time, reason)
+        PkernelJce::GConf.instance.glog.debug "Added cert into entry"
+      end
+      
+      PkernelJce::GConf.instance.glog.debug "Generating CRL from issuer '#{identity.certificate.subjectDN.to_s}' [Provider #{prov.name}]"
+      crl = crlGen.generateX509CRL(identity.privKey, prov.name)
+      crl
+      
+    end
+    # end generate
+
+    def ensure_java_crl(crl)
+      if crl.nil?
+        raise PkernelJce::Error, "CRL given to convert to java object is nil"
+      end
+      
+      if crl.java_kind_of?(Java::OrgBouncycastleCert::X509CRLHolder)
+        org.bouncycastle.cert.jcajce.JcaX509CRLConverter.new.getCRL(crl)
+      else
+        crl
+      end
+    end
+    alias_method :to_java_crl, :ensure_java_crl
+    # 
+    # end ensure_java_crl / to_java_crl
+    # 
+
+    def ensure_bc_crl(crl)
+      if crl.nil?
+        raise PkernelJce::Error, "CRL given to convert to BC object is nil"
+      end
+
+      if crl.java_kind_of?(Java::OrgBouncycastleCert::X509CRLHolder)
+        crl
+      else
+        org.bouncycastle.cert.X509CRLHolder.new(java.io.ByteArrayInputStream.new(crl.encoded))
+      end
+    end
+    alias_method :to_bc_crl, :ensure_bc_crl
+    # 
+    # end to_bc_crl / ensure_bc_crl
+    # 
+
+    def is_signature_valid?(crl, opts = { }) #issuer)
+      if crl.nil?
+        raise PkernelJce::Error, "CRL pass to test signature validity for CRL is nil"
+      end
+      
+      issuer_cert = opts[:issuer_cert]
+      issuer_key = opts[:issuer_key]
+      if not issuer_cert.nil?
+        pubKey = PkernelJce::Certificate.public_key(issuer_cert)
+      elsif not issuer_key.nil?
+        pubKey = PkernelJce::KeyPair.public_key(issuer_key)
+      else
+        raise PkernelJce::Error, "Neither issuer cert or key is available for signature verification"
+      end
+      #if issuer.nil?
+      #  raise PkernelJce::Error, "Issuer pass to test signature validity for CRL is nil"
+      #end
+
+      #if PkernelJce::Certificate.is_cert_object?(issuer)
+      #  pubKey = PkernelJce::Certificate.public_key(issuer)
+      #else
+      #  pubKey = PkernelJce::KeyPair.public_key(issuer)
+      #end
+      
+      crl = ensure_java_crl(crl)
+      begin
+        crl.verify(pubKey)
+        true
+      rescue Exception => ex
+        PkernelJce::GConf.instance.glog.error ex
+        false
+      end
+    end
+
+    def is_revoked?(crl,cert,&block)
+      if crl.revoked_certificates.nil? or crl.revoked_certificates.length == 0
+        false
+      else
+        crl = ensure_java_crl(crl)
+        now = java.util.Date.new
+        if crl.next_update.before(now)
+          # expired
+          if block
+            cont = block.call(:expired, { valid_until: crl.next_update, issuer: crl.issuer_x500_principal })
+            if not cont
+              raise PkernelJce::Error, "CRL expired at #{crl.next_update}. Revocation check aborted."
+            else
+              PkernelJce::GConf.instance.glog.warn "Revocation checked against expired CRL [CRL Expired on #{crl.next_update} / Ref Date : #{now}] based on application request."
+            end
+          else
+            raise PkernelJce::Error, "CRL expired at #{crl.next_update}. Revocation check aborted."
+          end
+        end
+
+        c = PkernelJce::Certificate.to_bc_cert(cert)
+        revokedInfo = crl.get_revoked_certificate(c.serial_number)
+        if revokedInfo.nil?
+          [false,nil]
+        else
+          [true, { reason: revokedInfo.revocation_reason, on: revokedInfo.revocation_date, object: revokedInfo }]
+        end
+      end
+    end
+
+    def dump(crl, opts = {})
+
+      if crl.nil?
+        raise PkernelJce::Error, "Given CRL to dump is nil."
+      end
+
+      file = opts[:file]
+
+      if not (file.nil? or file.empty?)
+        os = java.io.FileOutputStream.new(file)        
+      else
+        os = java.io.ByteArrayOutputStream.new
+      end
+
+      os.write(crl.encoded)
+      os.flush
+      os.close
+
+      if (file.nil? or file.empty?)
+        os.toByteArray
+      end
+       
+    end    
+    # end dump
+
+    def load(opts = {})
+      file = opts[:file]
+      bin = opts[:bin]
+
+      if not (file.nil? or file.empty?)
+        crlbin = PkernelJce::IoUtils.file_to_memory_byte_array(file)
+      elsif not bin.nil?
+        crlbin = PkernelJce::IoUtils.ensure_java_bytes(bin)
+      else
+        raise PkernelJce::Error, "No source to load CRL from"
+      end
+
+      # this option shall load the CRL in Java
+      #crl = java.security.cert.CertificateFactory.getInstance("X.509").generateCRL(java.io.ByteArrayInputStream.new(crlbin))
+      
+      # this option shall load the CRL in BC but under Java interface
+      prov = PkernelJce::Provider.add_default
+      crl = java.security.cert.CertificateFactory.getInstance("X.509",prov).generateCRL(java.io.ByteArrayInputStream.new(crlbin))
+
+      # this option shall load the CRL in BC too but under BC interface
+      #crl = org.bouncycastle.cert.X509CRLHolder.new(crlbin)
+      
+      crl
+    end
+    # end load
+
+  end
+  # end module CRL
+
+  class CRLCore
+    extend CRL
+  end
+
+end

data/lib/pkernel_jce/csr.rb

@@ -0,0 +1,126 @@
+
+require 'pkernel'
+require_relative 'provider'
+require_relative 'utils'
+require_relative 'global'
+require_relative 'error'
+
+module PkernelJce
+  module CSR
+
+    def generate(identity, opts = {} )
+    
+      owner = opts[:owner]
+      if owner.nil? and identity.certificate.nil?
+        raise PkernelJce::Error, "Either Owner or Certificate must exist to issue CSR"
+      elsif not owner.nil?
+        subject = owner.to_x500_subject
+      elsif not identity.certificate.nil?
+        subject = PkernelJce::Certificate.ensure_java_cert(identity.certificate).subject_dn
+      end
+
+      signHash = opts[:signHash] || "SHA256"
+      signAlgo = opts[:signAlgo]
+      if signAlgo.nil?
+        signAlgo = PkernelJce::KeyPair.derive_signing_algo(identity.privKey,signHash)
+      end
+      provider = opts[:provider]
+      if provider.nil?
+        PkernelJce::GConf.instance.glog.debug "Adding default provider"
+        prov = PkernelJce::Provider.add_default
+      else
+        PkernelJce::GConf.instance.glog.debug "Adding provider #{provider.name}"
+        prov = PkernelJce::Provider.add_provider(provider)
+      end
+     
+      #p10Builder = org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder.new(subject, PkernelJce::KeyPair.public_key(identity.privKey))
+      p10Builder = org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder.new(subject, identity.pubKey)
+      sign = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(signAlgo).setProvider(prov).build(identity.privKey)
+      csr = p10Builder.build(sign)
+      csr
+    end
+    # end generate()
+
+    def dump(csr, params = {})
+      if csr.nil?
+        raise PkernelJce::Error, "CSR object to be written is nil"
+      end
+      
+      file = params[:file]
+      baos = java.io.ByteArrayOutputStream.new
+
+      if not file.nil?
+        PkernelJce::GConf.instance.glog.debug "Dump CRL to file '#{file}'"
+        writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(java.io.FileOutputStream.new(file)))
+      else
+        PkernelJce::GConf.instance.glog.debug "Dump CRL to memory"
+        writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(baos))
+      end
+
+      begin
+        writer.writeObject(csr)
+      ensure
+        writer.flush
+        writer.close  
+      end 
+
+      if file.nil?
+        baos.toByteArray
+      end
+      
+    end
+    # end dump
+
+
+    def load(options = {})
+      #todo is this content pem or binary?
+      # now assumed is pem
+      file = options[:file]
+      bin = options[:bin]
+
+      if not file.nil? and not file.empty?
+        PkernelJce::GConf.instance.glog.debug "Load CSR from #{file}"
+        f = java.io.File.new(file)
+        if f.exists?
+          reader = org.bouncycastle.openssl.PEMParser.new(java.io.InputStreamReader.new(java.io.FileInputStream.new(f)))
+        else 
+          raise PkernelJce::Error, "File '#{f.absolute_path}' not found"
+        end
+
+      elsif not bin.nil?
+        PkernelJce::GConf.instance.glog.debug "Load CSR from memory"
+        reader = org.bouncycastle.openssl.PEMParser.new(java.io.InputStreamReader.new(java.io.ByteArrayInputStream.new(bin)))
+      else
+        raise PkernelJce::Error, "No bin or file input is given to load"
+      end
+      
+      obj = reader.readObject
+    end
+    # end load
+
+    def is_signature_valid?(csr)
+      cvProv = org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.build(csr.getSubjectPublicKeyInfo)
+      csr.isSignatureValid(cvProv)
+    end
+    # end is_signature_valid?
+
+    def public_key(csr)
+      if csr.nil?
+        raise PkernelJce::Error, "CSR given to extract public key is nil"
+      end
+
+      org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.new.getPublicKey(csr.getSubjectPublicKeyInfo)
+    end
+    # end public_key
+
+  end
+  # end module csr
+
+
+  class CSRProxy
+    extend CSR
+  end
+
+end
+
+

data/lib/pkernel_jce/error.rb

@@ -0,0 +1,7 @@
+
+
+
+module PkernelJce
+  class Error < StandardError; end
+end
+

data/lib/pkernel_jce/global.rb

@@ -0,0 +1,17 @@
+
+require 'singleton'
+require 'tlogger'
+
+module PkernelJce
+  class GConf
+    include Singleton
+    attr_reader :logger_params, :glog
+    def initialize
+      @logger_params = STDOUT
+      @glog = Tlogger.new(STDOUT)
+      @glog.tag = :pkernel_jce
+      @glog.show_source
+    end  
+  end
+end
+

data/lib/pkernel_jce/identity.rb

@@ -0,0 +1,333 @@
+
+require_relative 'provider'
+require_relative 'csr'
+
+module PkernelJce
+
+  # 
+  # Identity
+  # Identity is abstraction consist of keypair + certificate, stored separately
+  #
+  #class Identity
+  #  attr_reader :priv_key, :cert, :keystore, :chain
+  #  def initialize(opts = {})
+  #    @priv_key = opts[:priv_key]
+  #    @cert = opts[:cert]
+  #    @keystore = opts[:keystore]
+  #    @chain = opts[:chain]
+  #  end
+  #end
+  # end Identity
+  # 
+
+  class Pkernel::Identity
+    
+    def key=(val)
+      @key = val
+      if not @key.nil?
+        @privKey = PkernelJce::KeyPair.private_key(@key)
+        @pubKey = PkernelJce::KeyPair.public_key(@key)
+      end
+    end
+
+    def key
+      if @key.nil?
+        if not @privKey.nil? 
+          if not @pubKey.nil?
+            @key = java.security.KeyPair.new(@pubKey,@privKey)
+          elsif not @certificate.nil?
+            @key = java.security.KeyPair.new(@certificate.public_key,@privKey)
+          else
+            # no possible to generate without public key
+          end
+        else
+          # not possible to generate without private key
+        end
+      else
+        # key is not nil...
+      end
+
+      @key
+    end
+
+    def privKey
+      if @privKey.nil? and not @key.nil?
+        @privKey = PkernelJce::KeyPair.private_key(@key)
+      end
+      @privKey
+    end
+
+    def pubKey
+      if @pubKey.nil?
+        if not @key.nil?
+          @pubKey = PkernelJce::KeyPair.public_key(@key)
+        elsif not @certificate.nil?
+          @pubKey = PkernelJce::KeyPair.public_key(@certificate)
+        end
+      end
+      
+      @pubKey
+    end
+    
+    def certificate
+      if not @certificate.nil? and @certificate.java_kind_of?(Java::OrgBouncycastleCert::X509CertificateHolder)
+        @certificate = @certificate.to_java_cert
+      end
+      @certificate
+    end
+
+    # In java world, JCE/JCA provides switchable engine to call if it is software/hardware
+    # This provider is tightly related to private key.
+    # Since private key is encapsulated in this object, might as well keep the pointer here.
+    # Whoever want to use the private key, also should check the provider to load correct
+    # signing engine
+    def provider=(val)
+      if not val.nil? 
+        if val.is_a?(String) and not val.empty?
+          @provider = PkernelJce::Provider.add_provider(val)
+        else
+          @provider = PkernelJce::Provider.add_provider(val)
+        end
+      end
+    end
+
+    def provider
+      if @provider.nil?
+        PkernelJce::GConf.instance.glog.debug "Provider is nil in Identity object. Setting it to default provider '#{PkernelJce::Provider::DefProvider.name}'"
+        @provider = PkernelJce::Provider.add_default
+      end
+      
+      @provider
+    end
+  end
+
+  # 
+  # IdentityFactory
+  #
+  module IdentityFactory
+    
+    def build_from_components(key, cert = nil, chain = [], provider = nil)
+      if key.nil?
+        raise PkernelJce::Error, "Key cannot be nil to build identity"
+      end
+
+      id = Pkernel::Identity.new( { key: key, certificate: cert, chain: chain } )
+      if cert.nil?
+        class_eval do
+          include PkernelJce::IdentityManagement
+        end 
+      else
+        c = PkernelJce::Certificate.ensure_java_cert(cert)
+        if PkernelJce::Certificate.is_issuer_cert?(c)
+          class_eval do
+            include PkernelJce::IdentityIssuer
+            include PkernelJce::IdentityManagement
+          end 
+        else
+          class_eval do
+            include PkernelJce::IdentityManagement
+          end 
+        end
+      end
+
+      id.provider = provider
+      
+      id
+    end
+    alias_method :build, :build_from_components
+    # end build_from_components
+
+    def dump(id, opts = {})
+      
+      if id.nil?
+        raise PkernelJce::Error, "Identity object is nil in write to keystore"
+      end
+
+      prov = opts[:provider] 
+      if prov.nil?
+        prov = PkernelJce::Provider.add_default
+      else
+        prov = PkernelJce::Provider.add_provider(prov)
+      end
+
+      format = opts[:format]
+      format = :p12 if format.nil?
+      sFormat = format
+      case format
+      when :p12, :pkcs12
+        PkernelJce::GConf.instance.glog.debug "Loading PKCS12 keystore"
+        ks = java.security.KeyStore.getInstance("PKCS12",prov)
+        sFormat = :p12
+      when :jks
+        PkernelJce::GConf.instance.glog.debug "Loading JKS keystore"
+        ks = java.security.KeyStore.getInstance("JKS")
+        sFormat = :jks
+      else
+        PkernelJce::GConf.instance.glog.debug "Loading '#{format}' keystore"
+        if prov.nil?
+          ks = java.security.KeyStore.getInstance(format)
+        else
+          ks = java.security.KeyStore.getInstance(format, prov)
+        end
+        sFormat = format
+      end
+
+      result = { }
+      pass = opts[:password]
+      if pass.nil? or pass.empty?
+        PkernelJce::GConf.instance.glog.warn "Password is not given to dump identity. Random password shall be generated."
+        pass = SecureRandom.hex(8)
+        result[:password] = pass
+        #raise PkernelJce::Error, "Password should not be empty for identity storage"
+      end
+
+      chain = id.chain.map do |c|
+        if c.java_kind_of?(org.bouncycastle.cert.X509CertificateHolder) 
+          c.to_java_cert
+        else
+          c
+        end
+      end
+
+      name = opts[:key_name] || "Pkernel JCE"
+      
+      ks.load(nil,nil)
+      ks.setKeyEntry(name, id.privKey, pass.to_java.toCharArray, chain.to_java(java.security.cert.Certificate))
+      baos = java.io.ByteArrayOutputStream.new
+      
+      file = opts[:file]
+      if file.nil? or file.empty?
+        ks.store(baos, pass.to_java.toCharArray)
+        baos.toByteArray
+      else
+        fos = java.io.FileOutputStream.new(file)
+        ks.store(fos, pass.to_java.toCharArray)
+        fos.flush
+        fos.close
+      end
+      
+      result
+    end
+
+    def load(opts = {})
+
+      prov = opts[:provider] 
+      if prov.nil?
+        prov = PkernelJce::Provider.add_default
+      else
+        prov = PkernelJce::Provider.add_provider(prov)
+      end
+
+      format = opts[:format]
+      format = :p12 if format.nil?
+      sFormat = format
+      case format
+      when :p12, :pkcs12
+        PkernelJce::GConf.instance.glog.debug "Loading PKCS12 keystore"
+        ks = java.security.KeyStore.getInstance("PKCS12",prov)
+        sFormat = :p12
+      when :jks        
+        PkernelJce::GConf.instance.glog.debug "Loading JKS keystore"
+        ks = java.security.KeyStore.getInstance("JKS")
+        sFormat = :jks
+      else
+        PkernelJce::GConf.instance.glog.debug "Loading '#{format}' keystore"
+        if prov.nil?
+          ks = java.security.KeyStore.getInstance(format.to_s)
+        else
+          ks = java.security.KeyStore.getInstance(format.to_s, prov)
+        end
+      end   
+      
+      pass = opts[:password] || ''
+      
+      file = opts[:file]
+      bin = opts[:bin]
+      baos = java.io.ByteArrayOutputStream.new
+
+      if not file.nil? or not file.empty?
+        fis = java.io.FileInputStream.new(file)
+        ks.load(fis,pass.to_java.toCharArray)
+        fis.close
+      elsif bin.nil?
+        ks.load(java.io.ByteArrayInputStream.new(bin),pass.to_java.toCharArray)
+      else
+        raise PkernelJce::Error, "No file or bin is given to load identity"
+      end
+      
+      name = opts[:key_name] || ks.aliases.to_a[0]
+   
+      key = ks.getKey(name,pass.to_java.toCharArray)
+      cert = ks.getCertificate(name)
+      chain = ks.getCertificateChain(name)
+    
+      id = Pkernel::Identity.new( { privKey: key, certificate: cert, chain: chain } )
+      id
+    end
+
+  end
+  # end IdentityFactory
+ 
+
+  module IdentityIssuer
+   
+    #def issue_cert(identity, opts = {})
+    #  src = opts[:source]
+    #  if src.nil? or src.empty?
+    #    raise PkernelJce::Error, "Issue cert requires source key indicating either from CSR or Owner structure"
+    #  end
+
+    #  conf = opts[:config]
+    #  if conf.nil? or conf.empty?
+    #    raise PkernelJce::Error, "Config for certificate generation is not given!"
+    #  end
+
+    #  if src[:csr_file].nil?
+    #    csrBin = PkernelJce::CSRCore.load({ file: src[:csr_file] }) 
+    #  elsif src[:csr].nil?
+    #    owner = Pkernel::Certificate::Owner.load_from_csr(src[:csr])
+    #  elsif src[:owner].nil?
+    #    
+    #  else
+    #    raise PkernelJce::Error, "No CSR or Owner is given to issue certificate"
+    #  end
+
+    #  issuerKey = PkernelJce::KeyPair.private_key(identity.privKey)
+
+    #  conf[:owner] = owner
+
+    #  cert = @cdriver.generate(conf) do |v|
+    #    case v
+    #    when :signAlgo
+    #      PkernelJce::KeyPair.derive_signing_algo(issuerKey, "SHA256")
+    #    when :issuerKey
+    #      issuerKey
+    #    when :issuerCert
+    #    when :keyUsage
+    #    when :extKeyUsage 
+    #    end  
+    #  end
+
+    #end
+   
+  end
+  # end IdentityIssuer
+
+  module IdentityManagement
+
+    def destroy
+      PkernelJce::GConf.instance.glog.warn "Destroy not implemented for JCE context"
+    end
+
+    
+  end
+ 
+
+  class IdentityEngine
+    extend IdentityFactory
+  end 
+  
+end
+
+
+