pkernel_jce 0.1

data/lib/pkernel_jce/ocsp.rb

@@ -0,0 +1,415 @@
+
+require 'pkernel'
+require_relative "utils"
+require_relative "provider"
+require_relative "io_utils"
+
+class Pkernel::OCSP
+  GOOD_CERT = org.bouncycastle.cert.ocsp.CertificateStatus::GOOD
+  REVOKED_CERT = lambda do |dt,reason|
+    revokedOn = dt
+    revokedOn = revokedOn.to_java_date
+    org.bouncycastle.cert.ocsp.RevokedStatus.new(revokedOn, reason)
+  end
+  UNKNOWN_CERT = lambda { org.bouncycastle.cert.ocsp.UnknownStatus.new }
+
+  def self.request_to_bin(req)
+    PkernelJce::OCSPRequestEngine.to_bin(req) 
+  end
+
+  def self.response_to_bin(resp)
+    PkernelJce::OCSPResponseEngine.to_bin(resp)
+  end
+
+  def self.to_cert_id(cert, issuer = nil, opts = { })
+    
+    digest = org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder.new.setProvider(PkernelJce::Provider::DefProvider).build
+    signHash = opts[:signHash] || :sha1
+    case signHash
+    when :sha1, "SHA1"
+    else
+      PkernelJce::GConf.instance.glog.warn "Hashing algo '#{signHash}' not yet supported by library. Adjusted to SHA1 as default"
+    end
+
+    # for this version of BC (157) this is the only option
+    d = digest.get(org.bouncycastle.cert.ocsp.CertificateID::HASH_SHA1)
+    
+    org.bouncycastle.cert.ocsp.CertificateID.new(d,PkernelJce::Certificate.ensure_bc_cert(cert),PkernelJce::Certificate.ensure_java_cert(cert).serial_number)
+  end
+end
+
+
+
+module PkernelJce
+  module OCSP
+
+    # module Response
+    module Response
+     
+      ST_SUCCESSFUL = org.bouncycastle.cert.ocsp.OCSPRespBuilder::SUCCESSFUL
+      ST_MALFORM_REQ = org.bouncycastle.cert.ocsp.OCSPRespBuilder::MALFORMED_REQUEST
+      ST_ERROR = org.bouncycastle.cert.ocsp.OCSPRespBuilder::INTERNAL_ERROR
+      ST_TRY_LATER = org.bouncycastle.cert.ocsp.OCSPRespBuilder::TRY_LATER
+      ST_SIG_REQUIRED = org.bouncycastle.cert.ocsp.OCSPRespBuilder::SIG_REQUIRED
+      ST_UNAUTHORIZED = org.bouncycastle.cert.ocsp.OCSPRespBuilder::UNAUTHORIZED
+
+      # 
+      # used by OCSP responder
+      #
+      def generate(identity, opts = { }, &block)
+
+        if identity.nil?
+          raise PkernelJce::Error, "Identity is nil in generate OCSP response"
+        end
+
+        provider = opts[:provider]
+        if provider.nil?
+          prov = PkernelJce::Provider.add_default
+        else
+          prov = PkernelJce::Provider.add_provider(provider)
+        end
+
+        digest = org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder.new.setProvider(PkernelJce::Provider::DefProvider).build
+        # for this version of BC (157) this is the only option
+        #d = digest.get(org.bouncycastle.cert.ocsp.CertificateID::HASH_SHA1)
+        
+        respBuilder = org.bouncycastle.cert.ocsp.jcajce.JcaBasicOCSPRespBuilder.new(identity.pubKey, digest.get(org.bouncycastle.cert.ocsp.RespID::HASH_SHA1)) 
+
+        reqBin = opts[:request]
+
+        reqRes = OCSPRequestEngine.parse({ bin: reqBin }) do |info|
+          if block
+            block.call(respBuilder, info)
+          else
+            v_cert_status_unknown(respBuilder, info[:cid])
+          end
+        end
+       
+        req = reqRes[:req]
+
+        nonceField = req.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
+        if not nonceField.nil?
+          extGen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
+          extGen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonceField.parsed_value.getOctets))
+          respBuilder.setResponseExtensions(extGen.generate)
+        end
+ 
+        signHash = opts[:signHash] || "SHA256"
+        resp = respBuilder.build(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(PkernelJce::KeyPair.derive_signing_algo(identity.privKey,signHash)).setProvider(prov).build(identity.privKey), identity.chain, java.util.Date.new)
+        
+        #public class OCSPRespBuilder
+        #{
+        #    public static final int SUCCESSFUL = 0;  // Response has valid confirmations
+        #    public static final int MALFORMED_REQUEST = 1;  // Illegal confirmation request
+        #    public static final int INTERNAL_ERROR = 2;  // Internal error in issuer
+        #    public static final int TRY_LATER = 3;  // Try again later
+        #    // (4) is not used
+        #    public static final int SIG_REQUIRED = 5;  // Must sign the request
+        #    public static final int UNAUTHORIZED = 6;  // Request unauthorized        
+        #
+        # this response should be a step higher
+        #org.bouncycastle.cert.ocsp.OCSPRespBuilder.new.build(org.bouncycastle.cert.ocsp.OCSPRespBuilder::SUCCESSFUL, resp).encoded.to_s
+        to_response_asn1(ST_SUCCESSFUL, resp)
+      end
+      # 
+      # end generate
+      # 
+
+      def to_response_asn1(st, resp = nil)
+        org.bouncycastle.cert.ocsp.OCSPRespBuilder.new.build(st, resp)
+      end
+
+      # 
+      # invoke by client side to read the result
+      #
+      def parse(opts = {})
+        file = opts[:file]
+        bin = opts[:bin]
+        
+        if not file.nil? 
+          bresp = IoUtils.file_to_memory_byte_array(file)
+        elsif not bin.nil?
+          bresp = IoUtils.ensure_java_bytes(bin)
+        else
+          raise PkernelJce::Error, "No OCSP response input available for parsing"
+        end 
+        
+        resp = org.bouncycastle.cert.ocsp.OCSPResp.new(bresp)
+        if resp.status == ST_SUCCESSFUL
+          respObj = resp.response_object
+          #
+          #nonceField = respObj.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
+          #if not nonceField.nil?
+          #  result[:nonce] = nonceField.parsed_value.getOctets
+          #end
+          
+          provider = opts[:provider]
+          if provider.nil?
+            prov = PkernelJce::Provider.add_default
+          else
+            prov = PkernelJce::Provider.add_provider(provider)
+          end
+
+          if respObj.is_signature_valid?(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.setProvider(prov).build(respObj.certs[0]))
+            #vres = { }
+            #respObj.responses.each do |re|
+            #  vres[re.cert_id] = re.cert_status
+            #end
+            #result[:result] = vres
+            resp
+          else
+            raise PkernelJce::Error, "OCSP response digital signature failed to be verified. Result discarded."
+          end
+        else
+          raise PkernelJce::Error, "OCSP response unsuccessful. Message was : #{resp.status}"
+        end
+        
+        #result
+      end
+      # end parse()
+      # 
+    
+      def is_cert_good?(resp, cert_id, opts = { })
+        respObj = resp.response_object         
+        respObj.responses.each do |re|
+          if re.cert_id.equals(cert_id)
+            return re.cert_status.nil?
+          end
+        end
+
+        false
+      end
+      
+      def is_cert_revoked?(resp, cert_id, opts = { })
+        respObj = resp.response_object         
+        respObj.responses.each do |re|
+          if re.cert_id.equals(cert_id)
+            if (not re.cert_status.nil? and re.cert_status.java_kind_of?(org.bouncycastle.cert.ocsp.RevokedStatus))
+              return [true, re.cert_status.revocation_reason, re.cert_status.revocation_time]
+            end
+          end
+        end
+
+        [false]
+      end
+
+      def is_cert_unknown?(resp, cert_id, opts = { })
+        respObj = resp.response_object         
+        respObj.responses.each do |re|
+          if re.cert_id.equals(cert_id)
+            return (not re.cert_status.nil? and re.cert_status.java_kind_of?(org.bouncycastle.cert.ocsp.UnknownStatus))
+          end
+        end
+        
+        false
+      end
+
+      def v_cert_good(resp, cid, opts = { })
+        resp.addResponse(cid, org.bouncycastle.cert.ocsp.CertificateStatus::GOOD)
+      end
+
+      def v_cert_revoked(resp, cid, reason = Pkernel::CRLReason::UNSPECIFIED, revokedOn = java.util.Date.new, opts = { })
+        resp.addResponse(cid, org.bouncycastle.cert.ocsp.RevokedStatus.new(revokedOn, reason))
+      end
+
+      def v_cert_status_unknown(resp, cid, opts= { })
+         resp.addResponse(cid, org.bouncycastle.cert.ocsp.UnknownStatus.new)
+      end
+
+      def to_bin(resp)
+        if resp.nil?
+          raise PkernelJce::Error, "Response object is nil to convert to bin"
+        end
+        resp.encoded
+      end
+
+    end
+    # 
+    # end module Response
+    # 
+  
+    module Request
+
+      # 
+      # invoked by server side during response
+      #
+      def parse(opts = {},&block)
+        file = opts[:file]
+        bin = opts[:bin]
+
+        if not block
+          raise PkernelJce::Error, "Block must be given for OCSP request parse operation"
+        end
+
+        if not file.nil?
+          breq = PkernelJce::IoUtils.file_to_memory_byte_array(file)
+          #f = java.io.File.new(file)
+          #if f.exists?
+          #  breq = Java::byte[f.length].new
+          #  dis = java.io.DataInputStream.new(java.io.FileInputStream.new(f))
+          #  dis.readFully(breq)
+          #  dis.close
+          #else
+          #  raise PkernelJce::Error, "Given OCSP request in file '#{f.absolute_path}' does not exist"
+          #end
+        elsif not bin.nil?
+          breq = PkernelJce::IoUtils.ensure_java_bytes(bin)
+        else
+          raise PkernelJce::Error, "No OCSP request input available for parsing"
+        end 
+
+        res = {}
+        req = org.bouncycastle.cert.ocsp.OCSPReq.new(breq)
+
+        res[:req] = req
+        
+        verifySign = opts[:verify_sign] || true
+        if verifySign and req.isSigned
+          
+          provider = opts[:provider]
+          if provider.nil?
+            prov = PkernelJce::Provider.add_default
+          else
+            prov = PkernelJce::Provider.add_provider(provider)
+          end
+
+          if not req.isSignatureValid(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.setProvider(prov).build(req.getCerts[0]))
+            if block
+              res = block.call(:ocsp_verify_failed, { request: req, signer_cert: req.getCerts[0] })
+              if not res
+                raise PkernelOpenssl::Error, "OCSP request verification failed"
+              end
+            else
+              raise PkernelJce::Error, "Request signature is invalid. Request parsing is aborted." 
+            end
+          end
+        end
+
+        nonceField = req.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
+        if not nonceField.nil?
+          res[:nonce] = nonceField.parsed_value.getOctets
+        end
+
+        #certs = {}
+        req.getRequestList.each do |qc|
+          cid = qc.getCertID
+          info = { }
+          info[:serial] = cid.serial_number
+          info[:issuer_key_hash] = cid.issuer_key_hash
+          info[:issuer_name_hash] = cid.issuer_name_hash
+          info[:cid] = cid
+          # let block decide what is the status and mechanism
+          block.call(info)
+        end    
+        
+        #res[:result] = certs    
+        
+        res
+      end
+      # end parse()
+      # 
+    
+      def gen_nonce(len = 16)
+        nonce = Java::byte[len].new
+        java.util.Random.new.nextBytes(nonce)
+        nonce 
+      end
+
+      # initiate by client
+      def generate(certs = [], opts = {})
+        
+        if certs.nil?
+          raise PkernelJce::Error, "Given certificates to generate OCSP request is nil"
+        elsif not certs.is_a?(Array)
+          certs = [certs]
+        end
+
+        #digest = org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder.new.setProvider(PkernelJce::Provider::DefProvider).build
+        ## for this version of BC (157) this is the only option
+        #d = digest.get(org.bouncycastle.cert.ocsp.CertificateID::HASH_SHA1)
+        
+        gen = org.bouncycastle.cert.ocsp.OCSPReqBuilder.new
+
+        result = {}
+
+        nonce = opts[:nonce]
+        genNonce = opts[:gen_nonce] || true
+        if genNonce
+          nonce = Java::byte[16].new
+          java.util.Random.new.nextBytes(nonce)
+          extGen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
+          extGen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonce))
+          gen.setRequestExtensions(extGen.generate)
+          result[:nonce] = nonce
+        elsif not nonce.nil?
+          extGen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
+          extGen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonce))
+          gen.setRequestExtensions(extGen.generate)
+        end
+ 
+        certMap = { }
+        certs.each do |c|
+          #id = org.bouncycastle.cert.ocsp.CertificateID.new(d,PkernelJce::Certificate.ensure_bc_cert(c),PkernelJce::Certificate.ensure_java_cert(c).serial_number)
+          #certMap[id] = c
+          gen.addRequest(c)
+        end
+        result[:cert_id] = certMap
+        
+        id = opts[:identity]
+        provider = opts[:provider]
+        if provider.nil?
+          prov = PkernelJce::Provider.add_default
+        else
+          prov = PkernelJce::Provider.add_provider(provider)
+        end
+        
+        if id.nil?
+          result[:req] = gen.build
+        else
+          name = opts[:requestor_name]
+          x500Name = opts[:requestor_x500name]
+          
+          if not (name.nil? or name.empty?)
+            gen.setRequestorName(org.bouncycastle.asn1.x500.X500Name.new("CN=#{name}"))
+          elsif not (x500Name.nil? or x500Name.empty?)
+            gen.setRequestorName(org.bouncycastle.asn1.x500.X500Name.new(x500Name))
+          elsif not id.certificate.nil?
+            bcCert = PkernelJce::Certificate.ensure_bc_cert(id.certificate)
+            gen.setRequestorName(bcCert.subject_to_x500)
+          else
+            raise PkernelJce::Error, "Cannot sign content as requestor name/certificate is not given"
+          end
+          
+          signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(PkernelJce::KeyPair.derive_signing_algo(id.privKey,"SHA256")).setProvider(prov).build(id.privKey)
+          result[:req] = gen.build(signer, PkernelJce::Certificate.ensure_bc_cert(id.chain).to_java(Java::OrgBouncycastleCert::X509CertificateHolder))
+        end
+
+        result[:req]
+      end
+      # end generate
+      # 
+    
+    
+      def to_bin(req)
+        if req.nil?
+          raise PkernelJce::Error, "Request object cannot be nil to convert to binary" 
+        end
+        req.encoded
+      end
+    
+    end
+    # 
+    # end module Request
+    #
+  
+  end
+
+  class OCSPRequestEngine
+    extend OCSP::Request
+  end
+
+  class OCSPResponseEngine
+    extend OCSP::Response
+  end
+
+end

data/lib/pkernel_jce/provider.rb

@@ -0,0 +1,40 @@
+
+
+Dir.glob(File.join(File.dirname(__FILE__),'../../jars/*.jar')).each do |f|
+	require_relative f
+end
+
+module PkernelJce
+  module Provider
+    
+    DefProvider = org.bouncycastle.jce.provider.BouncyCastleProvider.new
+
+    def Provider::add_default
+      add_provider(DefProvider)
+      DefProvider
+    end
+
+    def Provider::add_provider(prov)
+			if prov != nil
+				if prov.is_a?(String) and not prov.empty?
+          PkernelJce::GConf.instance.glog.error "Unknown provider by string '#{prov}'. Please use provider object."
+          raise Exception, "Unknown provider by string '#{prov}'. Please use provider object."
+				elsif prov.is_a?(java.security.Provider)
+					if prov != nil
+						if not java.security.Security.get_providers.to_a.include?(prov)
+              PkernelJce::GConf.instance.glog.debug "Adding security provider '#{prov.name}'" 
+							java.security.Security.add_provider(prov)
+						end
+						prov
+					else
+						raise Exception, "Unknown provider object #{prov.inspect}"
+					end
+
+				end
+			end
+      
+    end
+
+  end
+end
+