pkernel_jce 0.3 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 605ea350fe0ef740882d2fc72de05818e142f08e
-  data.tar.gz: 80117a39a29a299384ecf05b827d041a1c2452e1
+SHA256:
+  metadata.gz: 8484c9f54aaa9c46d60af73b0e9c583069d2d6bbede8861b2092599968501a49
+  data.tar.gz: 5d7b861533448d595ff0c54510f35f1fcd851aa4cde1e32d598a5ad6b53fbdd8
 SHA512:
-  metadata.gz: f06964dd56a1ac55be4fa342452c4a2506aaa0c71f6cbb95f48a94271303308bf03fd1f4436f518dedae132482447ab8e5cb600c8f31fa96471df9407fe8d20a
-  data.tar.gz: 9cd3c9e0c465a4cf47efecafc210e38ac343efacd2f27400d160f7cc5372fe7d16f8f5920a8bec02c9012123fda44063166588ee7418190a521ffb0e3780f6b2
+  metadata.gz: 9434b48698041cc3166e60ddcaab6e5ec9524b55c6e1419eb235eb5dd03fe5ab0c18d0222fe1ba08757d5dcfb8a741292385c9e85ce6a438637d2b9fd168d991
+  data.tar.gz: 30edd3121a79f3af2b6b4fc0b2c3d15b8671380bd15564361ee3329ff10e626f0a808144613db114e8efcaac24283776e205528b968dfe2ea263d449344ccd69

data/.gitignore

@@ -12,3 +12,6 @@ tags
 !test/artifacts/
 test/artifacts/*
 test/*.tsp
+Gemfile.lock
+*.gem
+

data/Rakefile

@@ -1,2 +1,4 @@
 require "bundler/gem_tasks"
 task :default => :spec
+
+require 'devops_helper'

data/lib/pkernel_jce.rb

@@ -11,6 +11,10 @@ require_relative 'pkernel_jce/csr'
 require_relative 'pkernel_jce/ocsp'
 require_relative 'pkernel_jce/rfc3161'
 require_relative 'pkernel_jce/converter'
+require_relative 'pkernel_jce/jfile'
+require_relative 'pkernel_jce/jmembuf'
+require_relative 'pkernel_jce/io_utils'
+
 
 module PkernelJce
   #class Error < StandardError; end
@@ -99,4 +103,16 @@ module PkernelJce
   class Pkernel::Converter
     extend PkernelJce::Converter
   end
+
+  #class Pkernel::File
+  #  extend PkernelJce::JFile
+  #end
+
+  class Pkernel::MemBuf
+    extend PkernelJce::JMemBuf
+  end
+
+  class Pkernel::IoUtils
+    extend PkernelJce::IoUtils
+  end
 end

data/lib/pkernel_jce/certificate.rb

@@ -1,10 +1,11 @@
 
-require 'pkernel'
+#require 'pkernel'
 require_relative 'provider'
 require_relative 'utils'
 require_relative 'global'
 require_relative 'error'
 require_relative 'certificate_owner'
+require_relative 'converter'
 
 require 'active_support/core_ext/time'
 
@@ -28,6 +29,31 @@ module PkernelJce
 			DEF_USER_IDENTITY = DIGITAL_SIGNATURE | NON_REPUDIATION | KEY_ENCIPHERMENT | KEY_AGREEMENT 
 			DEF_USER_DATA_SEC = DATA_ENCIPHERMENT | ENCIPHER_ONLY | DECIPHER_ONLY
 			DEF_ISSUER = DIGITAL_SIGNATURE | NON_REPUDIATION | KEY_ENCIPHERMENT | CRL_SIGN | KEY_CERT_SIGN
+
+      KsuMap = {
+        :digital_sign => DIGITAL_SIGNATURE,
+        :non_repudiation => NON_REPUDIATION,
+        :key_encipherment => KEY_ENCIPHERMENT,
+        :data_encipherment => DATA_ENCIPHERMENT,
+        :key_agreement => KEY_AGREEMENT,
+        :key_cert_sign => KEY_CERT_SIGN,
+        :crl_sign => CRL_SIGN,
+        :encipher_only => ENCIPHER_ONLY,
+        :decipher_only => DECIPHER_ONLY
+      }
+
+      KsuKeyName = {
+        :digital_sign => "Digital Signature",
+        :non_repudiation => "Non Repudiation",
+        :key_encipherment => "Key Encipherment",
+        :data_encipherment => "Data Encipherment",
+        :key_agreement => "Key Agreement",
+        :key_cert_sign => "Key & Cert Sign",
+        :crl_sign => "CRL Sign",
+        :encipher_only => "Encipher Only",
+        :decipher_only => "Decipher Only"
+      }
+
 		end
     # end module CertKeyUsage
 
@@ -41,6 +67,32 @@ module PkernelJce
 			OCSP_SIGNING = org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_OCSPSigning
 			DVCS = org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_dvcs 
 			SPGP_CERT_AA_SERVER_AUTH = org.bouncycastle.asn1.x509.KeyPurposeId::id_kp_sbgpCertAAServerAuth
+
+      EksuMap = {
+        :any_eksu => ANY_EXT_KEY_USAGE,
+        :tls_server_auth => TLS_SERVER_AUTH,
+        :tls_client_auth => TLS_CLIENT_AUTH,
+        :code_signing => CODE_SIGNING,
+        :email_protection => EMAIL_PROTECTION,
+        :timestamping => TIMESTAMPING,
+        :ocsp_signing => OCSP_SIGNING,
+        :dvcs => DVCS
+        #:pgp_cert_Server_auth = SPGP_CERT_AA_SERVER_AUTH
+      }
+
+      EksuKeyName = {
+        :any_eksu => "Any extended key usage",
+        :tls_server_auth => "TLS server authentication",
+        :tls_client_auth => "TLS client authentication",
+        :code_signing => "Code signing",
+        :email_protection => "Email protection",
+        :timestamping => "Timestamping",
+        :ocsp_signing => "OCSP Signing",
+        :dvcs => "Data Validation and Certification Server / Trusted Third Party (TTP)"
+        #:pgp_cert_Server_auth = "PGP cert server auth?"
+      }
+
+
 		end
     # end CertExtKeyUsage
     
@@ -57,6 +109,8 @@ module PkernelJce
       cProv = params[:cert_provider]
       issuer = params[:issuer]
       matchIssuerValidity = params[:match_issuer_validity] || true
+      
+      warning = { }
 
       issuer = false if issuer.nil?
 
@@ -110,12 +164,28 @@ module PkernelJce
 
             if from.to_java_date.before(issuerCert.not_before)
               PkernelJce::GConf.instance.glog.warn "Certificate valid from has adjusted to match issuer valid from: #{from} [User requested] / #{issuerCert.not_before} [Adjusted to issuer]"
+              warning[:valid_from] = { }
+              warning[:valid_from][:requested] = from
+
               from = issuerCert.not_before
+              
+              warning[:valid_from][:adjusted] = issuerCert.not_before
+              warning[:valid_from][:reason] = "Certificate being issued cannot have validity start date before issuer's certificate validity start date."
+              block.call(:warning, warning)
+
             end
             
             if to.to_java_date.after(issuerCert.not_after)
               PkernelJce::GConf.instance.glog.warn "Certificate valid to has adjusted to match issuer valid to: #{to} [User requested] / #{issuerCert.not_after} [Adjusted to issuer]"
+              
+              warning[:valid_to] = { }
+              warning[:valid_to][:requested] = to
+
               to = issuerCert.not_after
+              
+              warning[:valid_to][:adjusted] = issuerCert.not_after
+              warning[:valid_to][:reason] = "Certificate being issued cannot have validity end date after issuer's certificate validity end date."
+              block.call(:warning, warning)
             end
 
             [from, to]
@@ -140,13 +210,30 @@ module PkernelJce
       if issuer
         certGen.addExtension(org.bouncycastle.asn1.x509.Extension::basicConstraints, true, org.bouncycastle.asn1.x509.BasicConstraints.new(true))
         if not keyUsage.nil?
-          certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(keyUsage))
+          if keyUsage.is_a?(Array)
+            ku = 0
+            keyUsage.each do |u|
+              ku |= u
+            end
+          else
+            ku = keyUsage
+          end
+          
+          certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(ku))
         else
           certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(KeyUsage::DEF_ISSUER))
         end
       else
         if not keyUsage.nil?
-          certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(keyUsage))
+          if keyUsage.is_a?(Array)
+            ku = 0
+            keyUsage.each do |u|
+              ku |= u
+            end
+          else
+            ku = keyUsage
+          end
+          certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(ku))
         else
           certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(KeyUsage::DEF_USER_IDENTITY))
         end
@@ -226,6 +313,7 @@ module PkernelJce
       certGen.addExtension(org.bouncycastle.asn1.x509.Extension::subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.getInstance(pubKey.getEncoded)))
 
       cert = org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.new().setProvider(cProv).getCertificate(certGen.build(signer))
+      
       cert
 
     end
@@ -239,34 +327,133 @@ module PkernelJce
       file = params[:file]
       baos = java.io.ByteArrayOutputStream.new
 
-      if not file.nil?
-        PkernelJce::GConf.instance.glog.debug "Dump certificate to file '#{file}'"
-        writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(java.io.FileOutputStream.new(file)))
-      else
-        PkernelJce::GConf.instance.glog.debug "Dump certificate to memory"
-        writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(baos))
-      end
-
       begin
-        writer.writeObject(cert)
+        
+        outForm = params[:out_form] || params[:outForm] || params[:outform]
+        if outForm.nil?
+      
+          if not file.nil?
+            PkernelJce::GConf.instance.glog.debug "[D] Dump certificate to file '#{file}'"
+            writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(java.io.FileOutputStream.new(file)))
+          else
+            PkernelJce::GConf.instance.glog.debug "[D] Dump certificate to memory"
+            writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(baos))
+          end
+
+          writer.writeObject(cert)
+          
+        else
+          
+          case outForm.to_sym
+          when :b64, :base64
+            res = PkernelJce::Converter.to_b64(cert.encoded)
+            if not file.nil?
+              fos = java.io.FileOutputStream.new(file)
+              fos.write res
+              fos.flush
+              fos.close
+            end
+            baos.write(res.to_java.getBytes)
+          when :hex
+            res = PkernelJce::Converter.to_hex(cert.encoded)
+            if not file.nil?
+              fos = java.io.FileOutputStream.new(file)
+              fos.write res
+              fos.flush
+              fos.close
+            end
+            baos.write(res.to_java.getBytes)
+          when :bin
+            res = cert.encoded
+            if not file.nil?
+              fos = java.io.FileOutputStream.new(file)
+              fos.write res
+              fos.flush
+              fos.close
+            end
+            baos.write(res)
+          else
+
+            # this is default because openssl output this is the default
+            if not file.nil?
+              PkernelJce::GConf.instance.glog.debug "Dump PEM certificate to file '#{file}'"
+              writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(java.io.FileOutputStream.new(file)))
+            else
+              PkernelJce::GConf.instance.glog.debug "Dump PEM certificate to memory"
+              writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(baos))
+            end
+
+            writer.writeObject(cert)
+
+          end
+        end
+      
       ensure
-        writer.flush
-        writer.close  
+        if not writer.nil?
+          writer.flush
+          writer.close  
+        end
+
+        if not fos.nil?
+          fos.flush
+          fos.close
+        end
       end 
 
-      if file.nil?
-        baos.toByteArray
-      end
-      
+      baos.toByteArray
+
+    end
+    # end dump
+
+
+    def dump_to_file(cert, path, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      dump(cert, opts.merge({ file: path }))  
+    end
+    alias_method :dump_to_file_pem, :dump_to_file
+    def dump_to_mem(cert, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      dump(cert)
+    end
+    alias_method :dump_to_mem_pem, :dump_to_mem
+
+    def dump_to_file_b64(cert, path, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      dump(cert, opts.merge({ file: path, outForm: :b64 }))
+    end
+    def dump_to_mem_b64(cert, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      dump(cert, opts.merge({ outForm: :b64 }))
+    end
+
+    def dump_to_file_hex(cert, path, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      dump(cert, opts.merge({ file: path, outForm: :hex }))
+    end
+    def dump_to_mem_hex(cert, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      dump(cert, opts.merge({ outForm: :hex }))
+    end
+
+    def dump_to_file_bin(cert, path, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      dump(cert, opts.merge({ file: path, outForm: :bin }))
+    end
+    def dump_to_mem_bin(cert, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      dump(cert, opts.merge({ outForm: :bin }))
     end
-    # end write to
 
 
     def load(options = {})
-      #is = options[:inputStream]
-      #if is.nil?
-      #  raise PkernelJce::Error, "InputStream to load certificate is nil"
-      #end
      
       file = options[:file]
       bin = options[:bin]
@@ -288,20 +475,189 @@ module PkernelJce
 
       elsif not bin.nil?
         PkernelJce::GConf.instance.glog.debug "Load certificate from memory"
+        bin = IoUtils.ensure_java_bytes(bin)
         baos.write(bin)
       else
         raise PkernelJce::Error, "No bin or file input is given to load"
       end
 
-      reader = org.bouncycastle.openssl.PEMParser.new(java.io.InputStreamReader.new(java.io.ByteArrayInputStream.new(baos.toByteArray)))
-      obj = reader.readObject
-      # object here shall be org.bouncycastle.cert.X509CertificateHolder
-      # Hence other place using Java Certificate object shall call to_java_cert on this object
-      obj
-      #org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.new.setProvider(PkernelJce::Provider::DefProvider).getCertificate(obj)
+      inForm = options[:in_form] || options[:inForm] || options[:inform]
+      if not inForm.nil?
+        case inForm.to_sym
+        when :b64, :base64
+          PkernelJce::GConf.instance.glog.debug "Loading b64 certificate"
+          cbin = Pkernel::Converter.from_b64(baos.toByteArray)
+        when :hex
+          PkernelJce::GConf.instance.glog.debug "Loading hex certificate"
+          cbin = Pkernel::Converter.from_hex(baos.toByteArray)
+        when :bin
+          PkernelJce::GConf.instance.glog.debug "Loading bin certificate"
+          cbin = baos.toByteArray
+        else
+          PkernelJce::GConf.instance.glog.debug "Loading pem certificate"
+          reader = org.bouncycastle.openssl.PEMParser.new(java.io.InputStreamReader.new(java.io.ByteArrayInputStream.new(baos.toByteArray)))
+          if options[:multiple]
+            obj = []
+            o = reader.readObject
+            while(o != nil)
+              obj << o
+              o = reader.readObject
+            end
+          else
+            obj = reader.readObject
+          end
+        end
+      
+      else
+        PkernelJce::GConf.instance.glog.debug "Loading pem certificate (2)"
+        reader = org.bouncycastle.openssl.PEMParser.new(java.io.InputStreamReader.new(java.io.ByteArrayInputStream.new(baos.toByteArray)))
+        if options[:multiple]
+          obj = []
+          o = reader.readObject
+          while(o != nil)
+            obj << o
+            o = reader.readObject
+          end
+        else
+          obj = reader.readObject
+        end
+      end
+
+      if not cbin.nil?
+        cf = java.security.cert.CertificateFactory.getInstance("X.509")
+        if options[:multiple]
+          obj = cf.generateCertificates(java.io.ByteArrayInputStream.new(baos.toByteArray))
+        else
+          obj = cf.generateCertificate(java.io.ByteArrayInputStream.new(baos.toByteArray))
+        end
+      end
+
+      if not obj.nil?
+        obj
+      else
+        raise PkernelJce::Error, "No valid certificate object loaded."
+      end
+
     end
     # end read_from
 
+    def load_from_file(file, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load(opts.merge({ file: file }))   
+    end
+    alias_method :load_from_file_pem, :load_from_file
+    
+    def load_from_mem(bin, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load(opts.merge({ bin: bin }))   
+    end
+    alias_method :load_from_mem_pem, :load_from_mem
+
+
+    def load_multi_from_file(file, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ file: file, multiple: true })   
+    end
+    alias_method :load_multi_from_file_pem, :load_multi_from_file
+
+    def load_multi_from_mem(bin, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ bin: bin, multiple: true })   
+    end
+    alias_method :load_multi_from_bin_pem, :load_multi_from_mem
+
+
+    
+    def load_from_file_b64(file, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ file: file, inForm: :b64 })   
+    end
+    def load_from_mem_b64(bin, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ bin: bin, inForm: :b64 })   
+    end
+
+
+    def load_multi_from_file_b64(file, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ file: file, inForm: :b64, multiple: true })   
+    end
+    def load_multi_from_mem_b64(bin, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ bin: bin, inForm: :b64, multiple: true })   
+    end
+
+    
+    def load_from_file_hex(file, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ file: file, inForm: :hex })   
+    end
+    def load_from_mem_hex(bin, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ bin: bin, inForm: :hex })   
+    end
+
+
+    def load_multi_from_file_hex(file, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ file: file, inForm: :hex, multiple: true })   
+    end
+    def load_multi_from_mem_hex(bin, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ bin: bin, inForm: :hex, multiple: true })   
+    end
+
+
+    def load_from_file_bin(file, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ file: file, inForm: :bin })   
+    end
+    def load_from_mem_bin(bin, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ bin: bin, inForm: :bin })   
+    end
+
+
+    def load_multi_from_file_bin(file, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ file: file, inForm: :bin, multiple: true })   
+    end
+    def load_multi_from_bin_bin(bin, opts = { })
+      opts = { } if opts.nil?
+      raise PkernelJce::Error, "Options should be a hash" if not opts.is_a?(Hash)
+      load({ bin: bin, inForm: :bin, multiple: true })   
+    end
+
+
+    # this is necessary because OpenSSL or Ruby 
+    # not recognizing the .encoded method, unless
+    # patch all Certificate object in other realm 
+    # with the .encoded method else this is the cleaner way to do it
+    def Certificate.to_binary(cert)
+      if not cert.nil?
+        cert
+      else
+        cert.encoded
+      end
+    end
+    # end to_binary()
+
+    # if_self_signed?
     def Certificate.is_self_signed?(cert) 
       if cert.nil?
         false
@@ -413,6 +769,65 @@ module PkernelJce
       extKey.hasKeyPurposeId(eku)
     end
 
+    def Certificate.is_equal?(cert1,cert2)
+      if not (Certificate.is_cert_object?(cert1) or Certificate.is_cert_object?(cert2))
+        false
+      else
+        Certificate.ensure_java_cert(cert1).equals(Certificate.ensure_java_cert(cert2))
+      end
+    end
+
+    # Support fields key
+    # :cn, :e, :ou, :o, :c
+    def Certificate.get_subject_fields(cert,fields)
+      if fields.is_a?(Array)
+      else
+        fields = [fields]
+      end
+
+      fields.map! { |f| f.to_s.upcase }
+
+      res = { }
+      if cert.nil?
+        return ""
+      else
+        subj = Certificate.to_java_cert(cert).getSubjectDN.getName
+        subj.split(",").each do |s|
+          ss = s.split("=")
+          if fields.include?(ss[0])
+            key = ss[0].downcase.to_sym
+            res[key] = []
+            res[key] << ss[1]
+          end 
+        end
+      end
+
+      res
+    end
+    # end get_subject_fields
+
+    def Certificate.parse_into_fields(cert)
+      res = { }
+      if not cert.nil?
+        c = Certificate.to_java_cert(cert)
+        res[:subject] = c.getSubjectDN.to_s
+        res[:issuer] = c.getIssuerDN.to_s
+        res[:serialNo] = c.serial_number
+        res[:notBefore] = c.notBefore
+        res[:notAfter] = c.notAfter
+        res[:keyType] = Pkernel::KeyPair::pub_key_type(Certificate.public_key(c))
+        #res[:keyUsage] =
+        #res[:extKeyUsage] = 
+        #res[:subjKeyId] =
+        #res[:authKeyId] =
+        #res[:crl] = 
+        #res[:ocsp] = 
+        #res[:altName] = 
+      end
+
+      res
+    end
+
     private
     # 
     # all date must be in Ruby datetime object?
@@ -430,6 +845,10 @@ module PkernelJce
       end
 
       if validFrom.is_a?(Time) #or validFrom.is_a?(DateTime)
+      elsif validFrom.is_a?(DateTime)
+        # this has to be converted because if using DateTime object 
+        # there will be error of 'nsec' not available exception
+        validFrom = validFrom.to_time
       else
         raise PkernelJce::Error, "Invalid valid from date object type : '#{validFrom.class}'"
       end 
@@ -438,7 +857,8 @@ module PkernelJce
         if (validity.nil?) and (validityUnit.nil?)
           raise PkernelJce::Error, "Valid until and validity period both are not defined."
         else
-          validTo = validFrom.advance( validityUnit => validity )
+          validTo = validFrom.advance( validityUnit.to_sym => validity.to_i )
+          PkernelJce::GConf.instance.glog.debug "Validity unit : #{validityUnit}, validity : #{validity}, valid from : #{validFrom}, valid to : #{validTo}" 
           if block
             # allow caller to check with issuer validity see if the valid to already surpass issuer's valid to
             #validTo = block.call(validFrom, validTo)