RubyGems - pkernel_jce - Versions diffs - 0.1 - Mend

pkernel_jce 0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

checksums.yaml +7 -0
data/.gitignore +14 -0
data/.ruby-version +1 -0
data/Gemfile +6 -0
data/Gemfile.lock +56 -0
data/LICENSE.txt +21 -0
data/README.md +39 -0
data/Rakefile +2 -0
data/bin/console +14 -0
data/bin/setup +8 -0
data/jars/bcmail-jdk15on-157.jar +0 -0
data/jars/bcpg-jdk15on-157.jar +0 -0
data/jars/bcpkix-jdk15on-157.jar +0 -0
data/jars/bcprov-ext-jdk15on-157.jar +0 -0
data/jars/bcprov-jdk15on-157.jar +0 -0
data/lib/pkernel_jce/bc_helpers.rb +51 -0
data/lib/pkernel_jce/certificate.rb +467 -0
data/lib/pkernel_jce/certificate_owner.rb +90 -0
data/lib/pkernel_jce/crl.rb +221 -0
data/lib/pkernel_jce/csr.rb +126 -0
data/lib/pkernel_jce/error.rb +7 -0
data/lib/pkernel_jce/global.rb +17 -0
data/lib/pkernel_jce/identity.rb +333 -0
data/lib/pkernel_jce/io_utils.rb +45 -0
data/lib/pkernel_jce/keypair.rb +359 -0
data/lib/pkernel_jce/ocsp.rb +415 -0
data/lib/pkernel_jce/provider.rb +40 -0
data/lib/pkernel_jce/rfc3161.rb +389 -0
data/lib/pkernel_jce/utils.rb +59 -0
data/lib/pkernel_jce/version.rb +3 -0
data/lib/pkernel_jce.rb +102 -0
data/pkernel_jce.gemspec +45 -0
metadata +146 -0

data/lib/pkernel_jce/ocsp.rb ADDED Viewed

@@ -0,0 +1,415 @@
+require 'pkernel'
+require_relative "utils"
+require_relative "provider"
+require_relative "io_utils"
+class Pkernel::OCSP
+  GOOD_CERT = org.bouncycastle.cert.ocsp.CertificateStatus::GOOD
+  REVOKED_CERT = lambda do |dt,reason|
+    revokedOn = dt
+    revokedOn = revokedOn.to_java_date
+    org.bouncycastle.cert.ocsp.RevokedStatus.new(revokedOn, reason)
+  end
+  UNKNOWN_CERT = lambda { org.bouncycastle.cert.ocsp.UnknownStatus.new }
+  def self.request_to_bin(req)
+    PkernelJce::OCSPRequestEngine.to_bin(req)
+  end
+  def self.response_to_bin(resp)
+    PkernelJce::OCSPResponseEngine.to_bin(resp)
+  end
+  def self.to_cert_id(cert, issuer = nil, opts = { })
+    digest = org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder.new.setProvider(PkernelJce::Provider::DefProvider).build
+    signHash = opts[:signHash] || :sha1
+    case signHash
+    when :sha1, "SHA1"
+    else
+      PkernelJce::GConf.instance.glog.warn "Hashing algo '#{signHash}' not yet supported by library. Adjusted to SHA1 as default"
+    end
+    # for this version of BC (157) this is the only option
+    d = digest.get(org.bouncycastle.cert.ocsp.CertificateID::HASH_SHA1)
+    org.bouncycastle.cert.ocsp.CertificateID.new(d,PkernelJce::Certificate.ensure_bc_cert(cert),PkernelJce::Certificate.ensure_java_cert(cert).serial_number)
+  end
+end
+module PkernelJce
+  module OCSP
+    # module Response
+    module Response
+      ST_SUCCESSFUL = org.bouncycastle.cert.ocsp.OCSPRespBuilder::SUCCESSFUL
+      ST_MALFORM_REQ = org.bouncycastle.cert.ocsp.OCSPRespBuilder::MALFORMED_REQUEST
+      ST_ERROR = org.bouncycastle.cert.ocsp.OCSPRespBuilder::INTERNAL_ERROR
+      ST_TRY_LATER = org.bouncycastle.cert.ocsp.OCSPRespBuilder::TRY_LATER
+      ST_SIG_REQUIRED = org.bouncycastle.cert.ocsp.OCSPRespBuilder::SIG_REQUIRED
+      ST_UNAUTHORIZED = org.bouncycastle.cert.ocsp.OCSPRespBuilder::UNAUTHORIZED
+      #
+      # used by OCSP responder
+      #
+      def generate(identity, opts = { }, &block)
+        if identity.nil?
+          raise PkernelJce::Error, "Identity is nil in generate OCSP response"
+        end
+        provider = opts[:provider]
+        if provider.nil?
+          prov = PkernelJce::Provider.add_default
+        else
+          prov = PkernelJce::Provider.add_provider(provider)
+        end
+        digest = org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder.new.setProvider(PkernelJce::Provider::DefProvider).build
+        # for this version of BC (157) this is the only option
+        #d = digest.get(org.bouncycastle.cert.ocsp.CertificateID::HASH_SHA1)
+        respBuilder = org.bouncycastle.cert.ocsp.jcajce.JcaBasicOCSPRespBuilder.new(identity.pubKey, digest.get(org.bouncycastle.cert.ocsp.RespID::HASH_SHA1))
+        reqBin = opts[:request]
+        reqRes = OCSPRequestEngine.parse({ bin: reqBin }) do |info|
+          if block
+            block.call(respBuilder, info)
+          else
+            v_cert_status_unknown(respBuilder, info[:cid])
+          end
+        end
+        req = reqRes[:req]
+        nonceField = req.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
+        if not nonceField.nil?
+          extGen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
+          extGen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonceField.parsed_value.getOctets))
+          respBuilder.setResponseExtensions(extGen.generate)
+        end
+        signHash = opts[:signHash] || "SHA256"
+        resp = respBuilder.build(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(PkernelJce::KeyPair.derive_signing_algo(identity.privKey,signHash)).setProvider(prov).build(identity.privKey), identity.chain, java.util.Date.new)
+        #public class OCSPRespBuilder
+        #{
+        #    public static final int SUCCESSFUL = 0;  // Response has valid confirmations
+        #    public static final int MALFORMED_REQUEST = 1;  // Illegal confirmation request
+        #    public static final int INTERNAL_ERROR = 2;  // Internal error in issuer
+        #    public static final int TRY_LATER = 3;  // Try again later
+        #    // (4) is not used
+        #    public static final int SIG_REQUIRED = 5;  // Must sign the request
+        #    public static final int UNAUTHORIZED = 6;  // Request unauthorized
+        #
+        # this response should be a step higher
+        #org.bouncycastle.cert.ocsp.OCSPRespBuilder.new.build(org.bouncycastle.cert.ocsp.OCSPRespBuilder::SUCCESSFUL, resp).encoded.to_s
+        to_response_asn1(ST_SUCCESSFUL, resp)
+      end
+      #
+      # end generate
+      #
+      def to_response_asn1(st, resp = nil)
+        org.bouncycastle.cert.ocsp.OCSPRespBuilder.new.build(st, resp)
+      end
+      #
+      # invoke by client side to read the result
+      #
+      def parse(opts = {})
+        file = opts[:file]
+        bin = opts[:bin]
+        if not file.nil?
+          bresp = IoUtils.file_to_memory_byte_array(file)
+        elsif not bin.nil?
+          bresp = IoUtils.ensure_java_bytes(bin)
+        else
+          raise PkernelJce::Error, "No OCSP response input available for parsing"
+        end
+        resp = org.bouncycastle.cert.ocsp.OCSPResp.new(bresp)
+        if resp.status == ST_SUCCESSFUL
+          respObj = resp.response_object
+          #
+          #nonceField = respObj.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
+          #if not nonceField.nil?
+          #  result[:nonce] = nonceField.parsed_value.getOctets
+          #end
+          provider = opts[:provider]
+          if provider.nil?
+            prov = PkernelJce::Provider.add_default
+          else
+            prov = PkernelJce::Provider.add_provider(provider)
+          end
+          if respObj.is_signature_valid?(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.setProvider(prov).build(respObj.certs[0]))
+            #vres = { }
+            #respObj.responses.each do |re|
+            #  vres[re.cert_id] = re.cert_status
+            #end
+            #result[:result] = vres
+            resp
+          else
+            raise PkernelJce::Error, "OCSP response digital signature failed to be verified. Result discarded."
+          end
+        else
+          raise PkernelJce::Error, "OCSP response unsuccessful. Message was : #{resp.status}"
+        end
+        #result
+      end
+      # end parse()
+      #
+      def is_cert_good?(resp, cert_id, opts = { })
+        respObj = resp.response_object
+        respObj.responses.each do |re|
+          if re.cert_id.equals(cert_id)
+            return re.cert_status.nil?
+          end
+        end
+        false
+      end
+      def is_cert_revoked?(resp, cert_id, opts = { })
+        respObj = resp.response_object
+        respObj.responses.each do |re|
+          if re.cert_id.equals(cert_id)
+            if (not re.cert_status.nil? and re.cert_status.java_kind_of?(org.bouncycastle.cert.ocsp.RevokedStatus))
+              return [true, re.cert_status.revocation_reason, re.cert_status.revocation_time]
+            end
+          end
+        end
+        [false]
+      end
+      def is_cert_unknown?(resp, cert_id, opts = { })
+        respObj = resp.response_object
+        respObj.responses.each do |re|
+          if re.cert_id.equals(cert_id)
+            return (not re.cert_status.nil? and re.cert_status.java_kind_of?(org.bouncycastle.cert.ocsp.UnknownStatus))
+          end
+        end
+        false
+      end
+      def v_cert_good(resp, cid, opts = { })
+        resp.addResponse(cid, org.bouncycastle.cert.ocsp.CertificateStatus::GOOD)
+      end
+      def v_cert_revoked(resp, cid, reason = Pkernel::CRLReason::UNSPECIFIED, revokedOn = java.util.Date.new, opts = { })
+        resp.addResponse(cid, org.bouncycastle.cert.ocsp.RevokedStatus.new(revokedOn, reason))
+      end
+      def v_cert_status_unknown(resp, cid, opts= { })
+         resp.addResponse(cid, org.bouncycastle.cert.ocsp.UnknownStatus.new)
+      end
+      def to_bin(resp)
+        if resp.nil?
+          raise PkernelJce::Error, "Response object is nil to convert to bin"
+        end
+        resp.encoded
+      end
+    end
+    #
+    # end module Response
+    #
+    module Request
+      #
+      # invoked by server side during response
+      #
+      def parse(opts = {},&block)
+        file = opts[:file]
+        bin = opts[:bin]
+        if not block
+          raise PkernelJce::Error, "Block must be given for OCSP request parse operation"
+        end
+        if not file.nil?
+          breq = PkernelJce::IoUtils.file_to_memory_byte_array(file)
+          #f = java.io.File.new(file)
+          #if f.exists?
+          #  breq = Java::byte[f.length].new
+          #  dis = java.io.DataInputStream.new(java.io.FileInputStream.new(f))
+          #  dis.readFully(breq)
+          #  dis.close
+          #else
+          #  raise PkernelJce::Error, "Given OCSP request in file '#{f.absolute_path}' does not exist"
+          #end
+        elsif not bin.nil?
+          breq = PkernelJce::IoUtils.ensure_java_bytes(bin)
+        else
+          raise PkernelJce::Error, "No OCSP request input available for parsing"
+        end
+        res = {}
+        req = org.bouncycastle.cert.ocsp.OCSPReq.new(breq)
+        res[:req] = req
+        verifySign = opts[:verify_sign] || true
+        if verifySign and req.isSigned
+          provider = opts[:provider]
+          if provider.nil?
+            prov = PkernelJce::Provider.add_default
+          else
+            prov = PkernelJce::Provider.add_provider(provider)
+          end
+          if not req.isSignatureValid(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.setProvider(prov).build(req.getCerts[0]))
+            if block
+              res = block.call(:ocsp_verify_failed, { request: req, signer_cert: req.getCerts[0] })
+              if not res
+                raise PkernelOpenssl::Error, "OCSP request verification failed"
+              end
+            else
+              raise PkernelJce::Error, "Request signature is invalid. Request parsing is aborted."
+            end
+          end
+        end
+        nonceField = req.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
+        if not nonceField.nil?
+          res[:nonce] = nonceField.parsed_value.getOctets
+        end
+        #certs = {}
+        req.getRequestList.each do |qc|
+          cid = qc.getCertID
+          info = { }
+          info[:serial] = cid.serial_number
+          info[:issuer_key_hash] = cid.issuer_key_hash
+          info[:issuer_name_hash] = cid.issuer_name_hash
+          info[:cid] = cid
+          # let block decide what is the status and mechanism
+          block.call(info)
+        end
+        #res[:result] = certs
+        res
+      end
+      # end parse()
+      #
+      def gen_nonce(len = 16)
+        nonce = Java::byte[len].new
+        java.util.Random.new.nextBytes(nonce)
+        nonce
+      end
+      # initiate by client
+      def generate(certs = [], opts = {})
+        if certs.nil?
+          raise PkernelJce::Error, "Given certificates to generate OCSP request is nil"
+        elsif not certs.is_a?(Array)
+          certs = [certs]
+        end
+        #digest = org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder.new.setProvider(PkernelJce::Provider::DefProvider).build
+        ## for this version of BC (157) this is the only option
+        #d = digest.get(org.bouncycastle.cert.ocsp.CertificateID::HASH_SHA1)
+        gen = org.bouncycastle.cert.ocsp.OCSPReqBuilder.new
+        result = {}
+        nonce = opts[:nonce]
+        genNonce = opts[:gen_nonce] || true
+        if genNonce
+          nonce = Java::byte[16].new
+          java.util.Random.new.nextBytes(nonce)
+          extGen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
+          extGen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonce))
+          gen.setRequestExtensions(extGen.generate)
+          result[:nonce] = nonce
+        elsif not nonce.nil?
+          extGen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
+          extGen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonce))
+          gen.setRequestExtensions(extGen.generate)
+        end
+        certMap = { }
+        certs.each do |c|
+          #id = org.bouncycastle.cert.ocsp.CertificateID.new(d,PkernelJce::Certificate.ensure_bc_cert(c),PkernelJce::Certificate.ensure_java_cert(c).serial_number)
+          #certMap[id] = c
+          gen.addRequest(c)
+        end
+        result[:cert_id] = certMap
+        id = opts[:identity]
+        provider = opts[:provider]
+        if provider.nil?
+          prov = PkernelJce::Provider.add_default
+        else
+          prov = PkernelJce::Provider.add_provider(provider)
+        end
+        if id.nil?
+          result[:req] = gen.build
+        else
+          name = opts[:requestor_name]
+          x500Name = opts[:requestor_x500name]
+          if not (name.nil? or name.empty?)
+            gen.setRequestorName(org.bouncycastle.asn1.x500.X500Name.new("CN=#{name}"))
+          elsif not (x500Name.nil? or x500Name.empty?)
+            gen.setRequestorName(org.bouncycastle.asn1.x500.X500Name.new(x500Name))
+          elsif not id.certificate.nil?
+            bcCert = PkernelJce::Certificate.ensure_bc_cert(id.certificate)
+            gen.setRequestorName(bcCert.subject_to_x500)
+          else
+            raise PkernelJce::Error, "Cannot sign content as requestor name/certificate is not given"
+          end
+          signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(PkernelJce::KeyPair.derive_signing_algo(id.privKey,"SHA256")).setProvider(prov).build(id.privKey)
+          result[:req] = gen.build(signer, PkernelJce::Certificate.ensure_bc_cert(id.chain).to_java(Java::OrgBouncycastleCert::X509CertificateHolder))
+        end
+        result[:req]
+      end
+      # end generate
+      #
+      def to_bin(req)
+        if req.nil?
+          raise PkernelJce::Error, "Request object cannot be nil to convert to binary"
+        end
+        req.encoded
+      end
+    end
+    #
+    # end module Request
+    #
+  end
+  class OCSPRequestEngine
+    extend OCSP::Request
+  end
+  class OCSPResponseEngine
+    extend OCSP::Response
+  end
+end

data/lib/pkernel_jce/provider.rb ADDED Viewed

@@ -0,0 +1,40 @@
+Dir.glob(File.join(File.dirname(__FILE__),'../../jars/*.jar')).each do |f|
+	require_relative f
+end
+module PkernelJce
+  module Provider
+    DefProvider = org.bouncycastle.jce.provider.BouncyCastleProvider.new
+    def Provider::add_default
+      add_provider(DefProvider)
+      DefProvider
+    end
+    def Provider::add_provider(prov)
+			if prov != nil
+				if prov.is_a?(String) and not prov.empty?
+          PkernelJce::GConf.instance.glog.error "Unknown provider by string '#{prov}'. Please use provider object."
+          raise Exception, "Unknown provider by string '#{prov}'. Please use provider object."
+				elsif prov.is_a?(java.security.Provider)
+					if prov != nil
+						if not java.security.Security.get_providers.to_a.include?(prov)
+              PkernelJce::GConf.instance.glog.debug "Adding security provider '#{prov.name}'"
+							java.security.Security.add_provider(prov)
+						end
+						prov
+					else
+						raise Exception, "Unknown provider object #{prov.inspect}"
+					end
+				end
+			end
+    end
+  end
+end