pkernel_jce 0.3 → 0.7.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/.gitignore +3 -0
- data/Gemfile +0 -0
- data/LICENSE.txt +0 -0
- data/README.md +0 -0
- data/Rakefile +2 -0
- data/jars/bcmail-jdk15on-165.jar +0 -0
- data/jars/bcpg-jdk15on-165.jar +0 -0
- data/jars/bcpkix-jdk15on-165.jar +0 -0
- data/jars/bcprov-ext-jdk15on-165.jar +0 -0
- data/jars/bcprov-jdk15on-165.jar +0 -0
- data/jars/bctls-jdk15on-165.jar +0 -0
- data/lib/pkernel_jce.rb +16 -0
- data/lib/pkernel_jce/bc_helpers.rb +0 -0
- data/lib/pkernel_jce/certificate.rb +450 -30
- data/lib/pkernel_jce/certificate_owner.rb +0 -2
- data/lib/pkernel_jce/converter.rb +21 -0
- data/lib/pkernel_jce/crl.rb +0 -0
- data/lib/pkernel_jce/csr.rb +24 -0
- data/lib/pkernel_jce/error.rb +0 -0
- data/lib/pkernel_jce/global.rb +5 -1
- data/lib/pkernel_jce/identity.rb +557 -82
- data/lib/pkernel_jce/io_utils.rb +2 -0
- data/lib/pkernel_jce/jfile.rb +134 -0
- data/lib/pkernel_jce/jmembuf.rb +7 -0
- data/lib/pkernel_jce/keypair.rb +409 -91
- data/lib/pkernel_jce/ocsp.rb +0 -0
- data/lib/pkernel_jce/provider.rb +26 -4
- data/lib/pkernel_jce/rfc3161.rb +0 -0
- data/lib/pkernel_jce/utils.rb +0 -0
- data/lib/pkernel_jce/version.rb +1 -1
- data/pkernel_jce.gemspec +7 -4
- data/release.job +0 -0
- metadata +42 -27
- data/.ruby-version +0 -1
- data/Gemfile.lock +0 -56
- data/jars/bcmail-jdk15on-157.jar +0 -0
- data/jars/bcpg-jdk15on-157.jar +0 -0
- data/jars/bcpkix-jdk15on-157.jar +0 -0
- data/jars/bcprov-ext-jdk15on-157.jar +0 -0
- data/jars/bcprov-jdk15on-157.jar +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 8484c9f54aaa9c46d60af73b0e9c583069d2d6bbede8861b2092599968501a49
|
4
|
+
data.tar.gz: 5d7b861533448d595ff0c54510f35f1fcd851aa4cde1e32d598a5ad6b53fbdd8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9434b48698041cc3166e60ddcaab6e5ec9524b55c6e1419eb235eb5dd03fe5ab0c18d0222fe1ba08757d5dcfb8a741292385c9e85ce6a438637d2b9fd168d991
|
7
|
+
data.tar.gz: 30edd3121a79f3af2b6b4fc0b2c3d15b8671380bd15564361ee3329ff10e626f0a808144613db114e8efcaac24283776e205528b968dfe2ea263d449344ccd69
|
data/.gitignore
CHANGED
data/Gemfile
CHANGED
File without changes
|
data/LICENSE.txt
CHANGED
File without changes
|
data/README.md
CHANGED
File without changes
|
data/Rakefile
CHANGED
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
data/lib/pkernel_jce.rb
CHANGED
@@ -11,6 +11,10 @@ require_relative 'pkernel_jce/csr'
|
|
11
11
|
require_relative 'pkernel_jce/ocsp'
|
12
12
|
require_relative 'pkernel_jce/rfc3161'
|
13
13
|
require_relative 'pkernel_jce/converter'
|
14
|
+
require_relative 'pkernel_jce/jfile'
|
15
|
+
require_relative 'pkernel_jce/jmembuf'
|
16
|
+
require_relative 'pkernel_jce/io_utils'
|
17
|
+
|
14
18
|
|
15
19
|
module PkernelJce
|
16
20
|
#class Error < StandardError; end
|
@@ -99,4 +103,16 @@ module PkernelJce
|
|
99
103
|
class Pkernel::Converter
|
100
104
|
extend PkernelJce::Converter
|
101
105
|
end
|
106
|
+
|
107
|
+
#class Pkernel::File
|
108
|
+
# extend PkernelJce::JFile
|
109
|
+
#end
|
110
|
+
|
111
|
+
class Pkernel::MemBuf
|
112
|
+
extend PkernelJce::JMemBuf
|
113
|
+
end
|
114
|
+
|
115
|
+
class Pkernel::IoUtils
|
116
|
+
extend PkernelJce::IoUtils
|
117
|
+
end
|
102
118
|
end
|
File without changes
|
@@ -1,10 +1,11 @@
|
|
1
1
|
|
2
|
-
require 'pkernel'
|
2
|
+
#require 'pkernel'
|
3
3
|
require_relative 'provider'
|
4
4
|
require_relative 'utils'
|
5
5
|
require_relative 'global'
|
6
6
|
require_relative 'error'
|
7
7
|
require_relative 'certificate_owner'
|
8
|
+
require_relative 'converter'
|
8
9
|
|
9
10
|
require 'active_support/core_ext/time'
|
10
11
|
|
@@ -28,6 +29,31 @@ module PkernelJce
|
|
28
29
|
DEF_USER_IDENTITY = DIGITAL_SIGNATURE | NON_REPUDIATION | KEY_ENCIPHERMENT | KEY_AGREEMENT
|
29
30
|
DEF_USER_DATA_SEC = DATA_ENCIPHERMENT | ENCIPHER_ONLY | DECIPHER_ONLY
|
30
31
|
DEF_ISSUER = DIGITAL_SIGNATURE | NON_REPUDIATION | KEY_ENCIPHERMENT | CRL_SIGN | KEY_CERT_SIGN
|
32
|
+
|
33
|
+
KsuMap = {
|
34
|
+
:digital_sign => DIGITAL_SIGNATURE,
|
35
|
+
:non_repudiation => NON_REPUDIATION,
|
36
|
+
:key_encipherment => KEY_ENCIPHERMENT,
|
37
|
+
:data_encipherment => DATA_ENCIPHERMENT,
|
38
|
+
:key_agreement => KEY_AGREEMENT,
|
39
|
+
:key_cert_sign => KEY_CERT_SIGN,
|
40
|
+
:crl_sign => CRL_SIGN,
|
41
|
+
:encipher_only => ENCIPHER_ONLY,
|
42
|
+
:decipher_only => DECIPHER_ONLY
|
43
|
+
}
|
44
|
+
|
45
|
+
KsuKeyName = {
|
46
|
+
:digital_sign => "Digital Signature",
|
47
|
+
:non_repudiation => "Non Repudiation",
|
48
|
+
:key_encipherment => "Key Encipherment",
|
49
|
+
:data_encipherment => "Data Encipherment",
|
50
|
+
:key_agreement => "Key Agreement",
|
51
|
+
:key_cert_sign => "Key & Cert Sign",
|
52
|
+
:crl_sign => "CRL Sign",
|
53
|
+
:encipher_only => "Encipher Only",
|
54
|
+
:decipher_only => "Decipher Only"
|
55
|
+
}
|
56
|
+
|
31
57
|
end
|
32
58
|
# end module CertKeyUsage
|
33
59
|
|
@@ -41,6 +67,32 @@ module PkernelJce
|
|
41
67
|
OCSP_SIGNING = org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_OCSPSigning
|
42
68
|
DVCS = org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_dvcs
|
43
69
|
SPGP_CERT_AA_SERVER_AUTH = org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_sbgpCertAAServerAuth
|
70
|
+
|
71
|
+
EksuMap = {
|
72
|
+
:any_eksu => ANY_EXT_KEY_USAGE,
|
73
|
+
:tls_server_auth => TLS_SERVER_AUTH,
|
74
|
+
:tls_client_auth => TLS_CLIENT_AUTH,
|
75
|
+
:code_signing => CODE_SIGNING,
|
76
|
+
:email_protection => EMAIL_PROTECTION,
|
77
|
+
:timestamping => TIMESTAMPING,
|
78
|
+
:ocsp_signing => OCSP_SIGNING,
|
79
|
+
:dvcs => DVCS
|
80
|
+
#:pgp_cert_Server_auth = SPGP_CERT_AA_SERVER_AUTH
|
81
|
+
}
|
82
|
+
|
83
|
+
EksuKeyName = {
|
84
|
+
:any_eksu => "Any extended key usage",
|
85
|
+
:tls_server_auth => "TLS server authentication",
|
86
|
+
:tls_client_auth => "TLS client authentication",
|
87
|
+
:code_signing => "Code signing",
|
88
|
+
:email_protection => "Email protection",
|
89
|
+
:timestamping => "Timestamping",
|
90
|
+
:ocsp_signing => "OCSP Signing",
|
91
|
+
:dvcs => "Data Validation and Certification Server / Trusted Third Party (TTP)"
|
92
|
+
#:pgp_cert_Server_auth = "PGP cert server auth?"
|
93
|
+
}
|
94
|
+
|
95
|
+
|
44
96
|
end
|
45
97
|
# end CertExtKeyUsage
|
46
98
|
|
@@ -57,6 +109,8 @@ module PkernelJce
|
|
57
109
|
cProv = params[:cert_provider]
|
58
110
|
issuer = params[:issuer]
|
59
111
|
matchIssuerValidity = params[:match_issuer_validity] || true
|
112
|
+
|
113
|
+
warning = { }
|
60
114
|
|
61
115
|
issuer = false if issuer.nil?
|
62
116
|
|
@@ -110,12 +164,28 @@ module PkernelJce
|
|
110
164
|
|
111
165
|
if from.to_java_date.before(issuerCert.not_before)
|
112
166
|
PkernelJce::GConf.instance.glog.warn "Certificate valid from has adjusted to match issuer valid from: #{from} [User requested] / #{issuerCert.not_before} [Adjusted to issuer]"
|
167
|
+
warning[:valid_from] = { }
|
168
|
+
warning[:valid_from][:requested] = from
|
169
|
+
|
113
170
|
from = issuerCert.not_before
|
171
|
+
|
172
|
+
warning[:valid_from][:adjusted] = issuerCert.not_before
|
173
|
+
warning[:valid_from][:reason] = "Certificate being issued cannot have validity start date before issuer's certificate validity start date."
|
174
|
+
block.call(:warning, warning)
|
175
|
+
|
114
176
|
end
|
115
177
|
|
116
178
|
if to.to_java_date.after(issuerCert.not_after)
|
117
179
|
PkernelJce::GConf.instance.glog.warn "Certificate valid to has adjusted to match issuer valid to: #{to} [User requested] / #{issuerCert.not_after} [Adjusted to issuer]"
|
180
|
+
|
181
|
+
warning[:valid_to] = { }
|
182
|
+
warning[:valid_to][:requested] = to
|
183
|
+
|
118
184
|
to = issuerCert.not_after
|
185
|
+
|
186
|
+
warning[:valid_to][:adjusted] = issuerCert.not_after
|
187
|
+
warning[:valid_to][:reason] = "Certificate being issued cannot have validity end date after issuer's certificate validity end date."
|
188
|
+
block.call(:warning, warning)
|
119
189
|
end
|
120
190
|
|
121
191
|
[from, to]
|
@@ -140,13 +210,30 @@ module PkernelJce
|
|
140
210
|
if issuer
|
141
211
|
certGen.addExtension(org.bouncycastle.asn1.x509.Extension::basicConstraints, true, org.bouncycastle.asn1.x509.BasicConstraints.new(true))
|
142
212
|
if not keyUsage.nil?
|
143
|
-
|
213
|
+
if keyUsage.is_a?(Array)
|
214
|
+
ku = 0
|
215
|
+
keyUsage.each do |u|
|
216
|
+
ku |= u
|
217
|
+
end
|
218
|
+
else
|
219
|
+
ku = keyUsage
|
220
|
+
end
|
221
|
+
|
222
|
+
certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(ku))
|
144
223
|
else
|
145
224
|
certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(KeyUsage::DEF_ISSUER))
|
146
225
|
end
|
147
226
|
else
|
148
227
|
if not keyUsage.nil?
|
149
|
-
|
228
|
+
if keyUsage.is_a?(Array)
|
229
|
+
ku = 0
|
230
|
+
keyUsage.each do |u|
|
231
|
+
ku |= u
|
232
|
+
end
|
233
|
+
else
|
234
|
+
ku = keyUsage
|
235
|
+
end
|
236
|
+
certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(ku))
|
150
237
|
else
|
151
238
|
certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(KeyUsage::DEF_USER_IDENTITY))
|
152
239
|
end
|
@@ -226,6 +313,7 @@ module PkernelJce
|
|
226
313
|
certGen.addExtension(org.bouncycastle.asn1.x509.Extension::subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.getInstance(pubKey.getEncoded)))
|
227
314
|
|
228
315
|
cert = org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.new().setProvider(cProv).getCertificate(certGen.build(signer))
|
316
|
+
|
229
317
|
cert
|
230
318
|
|
231
319
|
end
|
@@ -239,34 +327,133 @@ module PkernelJce
|
|
239
327
|
file = params[:file]
|
240
328
|
baos = java.io.ByteArrayOutputStream.new
|
241
329
|
|
242
|
-
if not file.nil?
|
243
|
-
PkernelJce::GConf.instance.glog.debug "Dump certificate to file '#{file}'"
|
244
|
-
writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(java.io.FileOutputStream.new(file)))
|
245
|
-
else
|
246
|
-
PkernelJce::GConf.instance.glog.debug "Dump certificate to memory"
|
247
|
-
writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(baos))
|
248
|
-
end
|
249
|
-
|
250
330
|
begin
|
251
|
-
|
331
|
+
|
332
|
+
outForm = params[:out_form] || params[:outForm] || params[:outform]
|
333
|
+
if outForm.nil?
|
334
|
+
|
335
|
+
if not file.nil?
|
336
|
+
PkernelJce::GConf.instance.glog.debug "[D] Dump certificate to file '#{file}'"
|
337
|
+
writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(java.io.FileOutputStream.new(file)))
|
338
|
+
else
|
339
|
+
PkernelJce::GConf.instance.glog.debug "[D] Dump certificate to memory"
|
340
|
+
writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(baos))
|
341
|
+
end
|
342
|
+
|
343
|
+
writer.writeObject(cert)
|
344
|
+
|
345
|
+
else
|
346
|
+
|
347
|
+
case outForm.to_sym
|
348
|
+
when :b64, :base64
|
349
|
+
res = PkernelJce::Converter.to_b64(cert.encoded)
|
350
|
+
if not file.nil?
|
351
|
+
fos = java.io.FileOutputStream.new(file)
|
352
|
+
fos.write res
|
353
|
+
fos.flush
|
354
|
+
fos.close
|
355
|
+
end
|
356
|
+
baos.write(res.to_java.getBytes)
|
357
|
+
when :hex
|
358
|
+
res = PkernelJce::Converter.to_hex(cert.encoded)
|
359
|
+
if not file.nil?
|
360
|
+
fos = java.io.FileOutputStream.new(file)
|
361
|
+
fos.write res
|
362
|
+
fos.flush
|
363
|
+
fos.close
|
364
|
+
end
|
365
|
+
baos.write(res.to_java.getBytes)
|
366
|
+
when :bin
|
367
|
+
res = cert.encoded
|
368
|
+
if not file.nil?
|
369
|
+
fos = java.io.FileOutputStream.new(file)
|
370
|
+
fos.write res
|
371
|
+
fos.flush
|
372
|
+
fos.close
|
373
|
+
end
|
374
|
+
baos.write(res)
|
375
|
+
else
|
376
|
+
|
377
|
+
# this is default because openssl output this is the default
|
378
|
+
if not file.nil?
|
379
|
+
PkernelJce::GConf.instance.glog.debug "Dump PEM certificate to file '#{file}'"
|
380
|
+
writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(java.io.FileOutputStream.new(file)))
|
381
|
+
else
|
382
|
+
PkernelJce::GConf.instance.glog.debug "Dump PEM certificate to memory"
|
383
|
+
writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(baos))
|
384
|
+
end
|
385
|
+
|
386
|
+
writer.writeObject(cert)
|
387
|
+
|
388
|
+
end
|
389
|
+
end
|
390
|
+
|
252
391
|
ensure
|
253
|
-
writer.
|
254
|
-
|
392
|
+
if not writer.nil?
|
393
|
+
writer.flush
|
394
|
+
writer.close
|
395
|
+
end
|
396
|
+
|
397
|
+
if not fos.nil?
|
398
|
+
fos.flush
|
399
|
+
fos.close
|
400
|
+
end
|
255
401
|
end
|
256
402
|
|
257
|
-
|
258
|
-
|
259
|
-
|
260
|
-
|
403
|
+
baos.toByteArray
|
404
|
+
|
405
|
+
end
|
406
|
+
# end dump
|
407
|
+
|
408
|
+
|
409
|
+
def dump_to_file(cert, path, opts = { })
|
410
|
+
opts = { } if opts.nil?
|
411
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
412
|
+
dump(cert, opts.merge({ file: path }))
|
413
|
+
end
|
414
|
+
alias_method :dump_to_file_pem, :dump_to_file
|
415
|
+
def dump_to_mem(cert, opts = { })
|
416
|
+
opts = { } if opts.nil?
|
417
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
418
|
+
dump(cert)
|
419
|
+
end
|
420
|
+
alias_method :dump_to_mem_pem, :dump_to_mem
|
421
|
+
|
422
|
+
def dump_to_file_b64(cert, path, opts = { })
|
423
|
+
opts = { } if opts.nil?
|
424
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
425
|
+
dump(cert, opts.merge({ file: path, outForm: :b64 }))
|
426
|
+
end
|
427
|
+
def dump_to_mem_b64(cert, opts = { })
|
428
|
+
opts = { } if opts.nil?
|
429
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
430
|
+
dump(cert, opts.merge({ outForm: :b64 }))
|
431
|
+
end
|
432
|
+
|
433
|
+
def dump_to_file_hex(cert, path, opts = { })
|
434
|
+
opts = { } if opts.nil?
|
435
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
436
|
+
dump(cert, opts.merge({ file: path, outForm: :hex }))
|
437
|
+
end
|
438
|
+
def dump_to_mem_hex(cert, opts = { })
|
439
|
+
opts = { } if opts.nil?
|
440
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
441
|
+
dump(cert, opts.merge({ outForm: :hex }))
|
442
|
+
end
|
443
|
+
|
444
|
+
def dump_to_file_bin(cert, path, opts = { })
|
445
|
+
opts = { } if opts.nil?
|
446
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
447
|
+
dump(cert, opts.merge({ file: path, outForm: :bin }))
|
448
|
+
end
|
449
|
+
def dump_to_mem_bin(cert, opts = { })
|
450
|
+
opts = { } if opts.nil?
|
451
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
452
|
+
dump(cert, opts.merge({ outForm: :bin }))
|
261
453
|
end
|
262
|
-
# end write to
|
263
454
|
|
264
455
|
|
265
456
|
def load(options = {})
|
266
|
-
#is = options[:inputStream]
|
267
|
-
#if is.nil?
|
268
|
-
# raise PkernelJce::Error, "InputStream to load certificate is nil"
|
269
|
-
#end
|
270
457
|
|
271
458
|
file = options[:file]
|
272
459
|
bin = options[:bin]
|
@@ -288,20 +475,189 @@ module PkernelJce
|
|
288
475
|
|
289
476
|
elsif not bin.nil?
|
290
477
|
PkernelJce::GConf.instance.glog.debug "Load certificate from memory"
|
478
|
+
bin = IoUtils.ensure_java_bytes(bin)
|
291
479
|
baos.write(bin)
|
292
480
|
else
|
293
481
|
raise PkernelJce::Error, "No bin or file input is given to load"
|
294
482
|
end
|
295
483
|
|
296
|
-
|
297
|
-
|
298
|
-
|
299
|
-
|
300
|
-
|
301
|
-
|
484
|
+
inForm = options[:in_form] || options[:inForm] || options[:inform]
|
485
|
+
if not inForm.nil?
|
486
|
+
case inForm.to_sym
|
487
|
+
when :b64, :base64
|
488
|
+
PkernelJce::GConf.instance.glog.debug "Loading b64 certificate"
|
489
|
+
cbin = Pkernel::Converter.from_b64(baos.toByteArray)
|
490
|
+
when :hex
|
491
|
+
PkernelJce::GConf.instance.glog.debug "Loading hex certificate"
|
492
|
+
cbin = Pkernel::Converter.from_hex(baos.toByteArray)
|
493
|
+
when :bin
|
494
|
+
PkernelJce::GConf.instance.glog.debug "Loading bin certificate"
|
495
|
+
cbin = baos.toByteArray
|
496
|
+
else
|
497
|
+
PkernelJce::GConf.instance.glog.debug "Loading pem certificate"
|
498
|
+
reader = org.bouncycastle.openssl.PEMParser.new(java.io.InputStreamReader.new(java.io.ByteArrayInputStream.new(baos.toByteArray)))
|
499
|
+
if options[:multiple]
|
500
|
+
obj = []
|
501
|
+
o = reader.readObject
|
502
|
+
while(o != nil)
|
503
|
+
obj << o
|
504
|
+
o = reader.readObject
|
505
|
+
end
|
506
|
+
else
|
507
|
+
obj = reader.readObject
|
508
|
+
end
|
509
|
+
end
|
510
|
+
|
511
|
+
else
|
512
|
+
PkernelJce::GConf.instance.glog.debug "Loading pem certificate (2)"
|
513
|
+
reader = org.bouncycastle.openssl.PEMParser.new(java.io.InputStreamReader.new(java.io.ByteArrayInputStream.new(baos.toByteArray)))
|
514
|
+
if options[:multiple]
|
515
|
+
obj = []
|
516
|
+
o = reader.readObject
|
517
|
+
while(o != nil)
|
518
|
+
obj << o
|
519
|
+
o = reader.readObject
|
520
|
+
end
|
521
|
+
else
|
522
|
+
obj = reader.readObject
|
523
|
+
end
|
524
|
+
end
|
525
|
+
|
526
|
+
if not cbin.nil?
|
527
|
+
cf = java.security.cert.CertificateFactory.getInstance("X.509")
|
528
|
+
if options[:multiple]
|
529
|
+
obj = cf.generateCertificates(java.io.ByteArrayInputStream.new(baos.toByteArray))
|
530
|
+
else
|
531
|
+
obj = cf.generateCertificate(java.io.ByteArrayInputStream.new(baos.toByteArray))
|
532
|
+
end
|
533
|
+
end
|
534
|
+
|
535
|
+
if not obj.nil?
|
536
|
+
obj
|
537
|
+
else
|
538
|
+
raise PkernelJce::Error, "No valid certificate object loaded."
|
539
|
+
end
|
540
|
+
|
302
541
|
end
|
303
542
|
# end read_from
|
304
543
|
|
544
|
+
def load_from_file(file, opts = { })
|
545
|
+
opts = { } if opts.nil?
|
546
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
547
|
+
load(opts.merge({ file: file }))
|
548
|
+
end
|
549
|
+
alias_method :load_from_file_pem, :load_from_file
|
550
|
+
|
551
|
+
def load_from_mem(bin, opts = { })
|
552
|
+
opts = { } if opts.nil?
|
553
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
554
|
+
load(opts.merge({ bin: bin }))
|
555
|
+
end
|
556
|
+
alias_method :load_from_mem_pem, :load_from_mem
|
557
|
+
|
558
|
+
|
559
|
+
def load_multi_from_file(file, opts = { })
|
560
|
+
opts = { } if opts.nil?
|
561
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
562
|
+
load({ file: file, multiple: true })
|
563
|
+
end
|
564
|
+
alias_method :load_multi_from_file_pem, :load_multi_from_file
|
565
|
+
|
566
|
+
def load_multi_from_mem(bin, opts = { })
|
567
|
+
opts = { } if opts.nil?
|
568
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
569
|
+
load({ bin: bin, multiple: true })
|
570
|
+
end
|
571
|
+
alias_method :load_multi_from_bin_pem, :load_multi_from_mem
|
572
|
+
|
573
|
+
|
574
|
+
|
575
|
+
def load_from_file_b64(file, opts = { })
|
576
|
+
opts = { } if opts.nil?
|
577
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
578
|
+
load({ file: file, inForm: :b64 })
|
579
|
+
end
|
580
|
+
def load_from_mem_b64(bin, opts = { })
|
581
|
+
opts = { } if opts.nil?
|
582
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
583
|
+
load({ bin: bin, inForm: :b64 })
|
584
|
+
end
|
585
|
+
|
586
|
+
|
587
|
+
def load_multi_from_file_b64(file, opts = { })
|
588
|
+
opts = { } if opts.nil?
|
589
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
590
|
+
load({ file: file, inForm: :b64, multiple: true })
|
591
|
+
end
|
592
|
+
def load_multi_from_mem_b64(bin, opts = { })
|
593
|
+
opts = { } if opts.nil?
|
594
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
595
|
+
load({ bin: bin, inForm: :b64, multiple: true })
|
596
|
+
end
|
597
|
+
|
598
|
+
|
599
|
+
def load_from_file_hex(file, opts = { })
|
600
|
+
opts = { } if opts.nil?
|
601
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
602
|
+
load({ file: file, inForm: :hex })
|
603
|
+
end
|
604
|
+
def load_from_mem_hex(bin, opts = { })
|
605
|
+
opts = { } if opts.nil?
|
606
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
607
|
+
load({ bin: bin, inForm: :hex })
|
608
|
+
end
|
609
|
+
|
610
|
+
|
611
|
+
def load_multi_from_file_hex(file, opts = { })
|
612
|
+
opts = { } if opts.nil?
|
613
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
614
|
+
load({ file: file, inForm: :hex, multiple: true })
|
615
|
+
end
|
616
|
+
def load_multi_from_mem_hex(bin, opts = { })
|
617
|
+
opts = { } if opts.nil?
|
618
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
619
|
+
load({ bin: bin, inForm: :hex, multiple: true })
|
620
|
+
end
|
621
|
+
|
622
|
+
|
623
|
+
def load_from_file_bin(file, opts = { })
|
624
|
+
opts = { } if opts.nil?
|
625
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
626
|
+
load({ file: file, inForm: :bin })
|
627
|
+
end
|
628
|
+
def load_from_mem_bin(bin, opts = { })
|
629
|
+
opts = { } if opts.nil?
|
630
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
631
|
+
load({ bin: bin, inForm: :bin })
|
632
|
+
end
|
633
|
+
|
634
|
+
|
635
|
+
def load_multi_from_file_bin(file, opts = { })
|
636
|
+
opts = { } if opts.nil?
|
637
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
638
|
+
load({ file: file, inForm: :bin, multiple: true })
|
639
|
+
end
|
640
|
+
def load_multi_from_bin_bin(bin, opts = { })
|
641
|
+
opts = { } if opts.nil?
|
642
|
+
raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
|
643
|
+
load({ bin: bin, inForm: :bin, multiple: true })
|
644
|
+
end
|
645
|
+
|
646
|
+
|
647
|
+
# this is necessary because OpenSSL or Ruby
|
648
|
+
# not recognizing the .encoded method, unless
|
649
|
+
# patch all Certificate object in other realm
|
650
|
+
# with the .encoded method else this is the cleaner way to do it
|
651
|
+
def Certificate.to_binary(cert)
|
652
|
+
if not cert.nil?
|
653
|
+
cert
|
654
|
+
else
|
655
|
+
cert.encoded
|
656
|
+
end
|
657
|
+
end
|
658
|
+
# end to_binary()
|
659
|
+
|
660
|
+
# if_self_signed?
|
305
661
|
def Certificate.is_self_signed?(cert)
|
306
662
|
if cert.nil?
|
307
663
|
false
|
@@ -413,6 +769,65 @@ module PkernelJce
|
|
413
769
|
extKey.hasKeyPurposeId(eku)
|
414
770
|
end
|
415
771
|
|
772
|
+
def Certificate.is_equal?(cert1,cert2)
|
773
|
+
if not (Certificate.is_cert_object?(cert1) or Certificate.is_cert_object?(cert2))
|
774
|
+
false
|
775
|
+
else
|
776
|
+
Certificate.ensure_java_cert(cert1).equals(Certificate.ensure_java_cert(cert2))
|
777
|
+
end
|
778
|
+
end
|
779
|
+
|
780
|
+
# Support fields key
|
781
|
+
# :cn, :e, :ou, :o, :c
|
782
|
+
def Certificate.get_subject_fields(cert,fields)
|
783
|
+
if fields.is_a?(Array)
|
784
|
+
else
|
785
|
+
fields = [fields]
|
786
|
+
end
|
787
|
+
|
788
|
+
fields.map! { |f| f.to_s.upcase }
|
789
|
+
|
790
|
+
res = { }
|
791
|
+
if cert.nil?
|
792
|
+
return ""
|
793
|
+
else
|
794
|
+
subj = Certificate.to_java_cert(cert).getSubjectDN.getName
|
795
|
+
subj.split(",").each do |s|
|
796
|
+
ss = s.split("=")
|
797
|
+
if fields.include?(ss[0])
|
798
|
+
key = ss[0].downcase.to_sym
|
799
|
+
res[key] = []
|
800
|
+
res[key] << ss[1]
|
801
|
+
end
|
802
|
+
end
|
803
|
+
end
|
804
|
+
|
805
|
+
res
|
806
|
+
end
|
807
|
+
# end get_subject_fields
|
808
|
+
|
809
|
+
def Certificate.parse_into_fields(cert)
|
810
|
+
res = { }
|
811
|
+
if not cert.nil?
|
812
|
+
c = Certificate.to_java_cert(cert)
|
813
|
+
res[:subject] = c.getSubjectDN.to_s
|
814
|
+
res[:issuer] = c.getIssuerDN.to_s
|
815
|
+
res[:serialNo] = c.serial_number
|
816
|
+
res[:notBefore] = c.notBefore
|
817
|
+
res[:notAfter] = c.notAfter
|
818
|
+
res[:keyType] = Pkernel::KeyPair::pub_key_type(Certificate.public_key(c))
|
819
|
+
#res[:keyUsage] =
|
820
|
+
#res[:extKeyUsage] =
|
821
|
+
#res[:subjKeyId] =
|
822
|
+
#res[:authKeyId] =
|
823
|
+
#res[:crl] =
|
824
|
+
#res[:ocsp] =
|
825
|
+
#res[:altName] =
|
826
|
+
end
|
827
|
+
|
828
|
+
res
|
829
|
+
end
|
830
|
+
|
416
831
|
private
|
417
832
|
#
|
418
833
|
# all date must be in Ruby datetime object?
|
@@ -430,6 +845,10 @@ module PkernelJce
|
|
430
845
|
end
|
431
846
|
|
432
847
|
if validFrom.is_a?(Time) #or validFrom.is_a?(DateTime)
|
848
|
+
elsif validFrom.is_a?(DateTime)
|
849
|
+
# this has to be converted because if using DateTime object
|
850
|
+
# there will be error of 'nsec' not available exception
|
851
|
+
validFrom = validFrom.to_time
|
433
852
|
else
|
434
853
|
raise PkernelJce::Error, "Invalid valid from date object type : '#{validFrom.class}'"
|
435
854
|
end
|
@@ -438,7 +857,8 @@ module PkernelJce
|
|
438
857
|
if (validity.nil?) and (validityUnit.nil?)
|
439
858
|
raise PkernelJce::Error, "Valid until and validity period both are not defined."
|
440
859
|
else
|
441
|
-
validTo = validFrom.advance( validityUnit => validity )
|
860
|
+
validTo = validFrom.advance( validityUnit.to_sym => validity.to_i )
|
861
|
+
PkernelJce::GConf.instance.glog.debug "Validity unit : #{validityUnit}, validity : #{validity}, valid from : #{validFrom}, valid to : #{validTo}"
|
442
862
|
if block
|
443
863
|
# allow caller to check with issuer validity see if the valid to already surpass issuer's valid to
|
444
864
|
#validTo = block.call(validFrom, validTo)
|