Module: PkernelJce::Certificate

Included in:

Pkernel::Certificate, CertificateEngine

Defined in:

lib/pkernel_jce/certificate.rb

Defined Under Namespace

Modules: ExtKeyUsage, KeyUsage

Class Method Summary

• .ensure_bc_cert(cert) ⇒ Object

  end ensure_java_cert.

• .ensure_java_cert(cert) ⇒ Object

  end is_issuer_cert?.

• .is_cert_object?(obj) ⇒ Boolean
• .is_ext_key_usage_set?(cert, eku) ⇒ Boolean
• .is_issuer_cert?(cert) ⇒ Boolean
• .is_self_signed?(cert) ⇒ Boolean

  end read_from.

• .public_key(cert) ⇒ Object

  end ensure_bc_cert.

Instance Method Summary

• #dump(cert, params = {}) ⇒ Object

  end generate.

• #generate(params = {}, &block) ⇒ Object
• #load(options = {}) ⇒ Object

Class Method Details

.ensure_bc_cert(cert) ⇒ Object

end ensure_java_cert

# File 'lib/pkernel_jce/certificate.rb', line 345

def Certificate.ensure_bc_cert(cert)
  if cert.nil?
    raise PkernelJce::Error, "Certificate for conversion to bc is nil"
  else
    if cert.is_a?(Array)
      cert.map! do |c|
        case c
        when java.security.cert.Certificate
          c.to_bc_cert_holder
        when Java::OrgBouncycastleCert::X509CertificateHolder
          c
        else
          raise PkernelJce::Error, "Unknown certificate type '#{c.class}'"
        end
      end
      cert
    else
      case cert
      when java.security.cert.Certificate
        cert.to_bc_cert_holder
      when Java::OrgBouncycastleCert::X509CertificateHolder
        cert
      else
        raise PkernelJce::Error, "Unknown certificate type '#{cert.class}'"
      end
    end
  end
end

.ensure_java_cert(cert) ⇒ Object

end is_issuer_cert?

# File 'lib/pkernel_jce/certificate.rb', line 328

def Certificate.ensure_java_cert(cert)
  if cert.nil?
    raise PkernelJce::Error, "Certificate for conversion to java is nil"
  else
    case cert
    when java.security.cert.Certificate
      cert
    when Java::OrgBouncycastleCert::X509CertificateHolder
      cert.to_java_cert
    else
      raise PkernelJce::Error, "Unknown certificate type '#{cert.class}'"
    end
  end  
end

.is_cert_object?(obj) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/pkernel_jce/certificate.rb', line 393

def Certificate.is_cert_object?(obj)
  if obj.nil?
    false
  else
    case obj
    when java.security.cert.Certificate, Java::OrgBouncycastleCert::X509CertificateHolder, Java::OrgBouncycastleJcajceProviderAsymmetricX509::X509CertificateObject
      true
    else
      false
    end
  end
end

.is_ext_key_usage_set?(cert, eku) ⇒ Boolean

Returns:

• (Boolean)

Raises:

• (PkernelJce::Error)

# File 'lib/pkernel_jce/certificate.rb', line 406

def Certificate.is_ext_key_usage_set?(cert, eku)
  raise PkernelJce::Error, "Certificate not given to check eku." if cert.nil?

  c = Certificate.to_bc_cert(cert)
  ext = c.getExtension(org.bouncycastle.asn1.x509.Extension.extendedKeyUsage)
  extKey = org.bouncycastle.asn1.x509.ExtendedKeyUsage.getInstance(ext.getParsedValue)
  
  extKey.hasKeyPurposeId(eku)
end

.is_issuer_cert?(cert) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/pkernel_jce/certificate.rb', line 318

def Certificate.is_issuer_cert?(cert)
  if cert.nil?
    false
  else
    cert = Certificate.ensure_java_cert(cert)
    (cert.getKeyUsage[5] and cert.getBasicConstraints != -1)
  end
end

.is_self_signed?(cert) ⇒ Boolean

end read_from

Returns:

• (Boolean)

# File 'lib/pkernel_jce/certificate.rb', line 305

def Certificate.is_self_signed?(cert) 
  if cert.nil?
    false
  else
    begin
      cert.verify(cert.public_key)
      true
    rescue Exception
      false
    end
  end
end

.public_key(cert) ⇒ Object

end ensure_bc_cert

# File 'lib/pkernel_jce/certificate.rb', line 377

def Certificate.public_key(cert)
  if cert.nil?
    raise PkernelJce::Error, "Object pass to public_key on certificate is nil"
  end

  case cert
  when java.security.cert.Certificate
    cert.public_key
  when Java::OrgBouncycastleCert::X509CertificateHolder
    PkernelJce::KeyPair.public_key(cert.subject_public_key_info)
  else
    raise PkernelJce::Error, "Unknown certificate type '#{cert.class}'"
  end

end

Instance Method Details

#dump(cert, params = {}) ⇒ Object

end generate

# File 'lib/pkernel_jce/certificate.rb', line 234

def dump(cert, params = {})
  if cert.nil?
    raise PkernelJce::Error, "Certificate object to be written is nil"
  end
  
  file = params[:file]
  baos = java.io.ByteArrayOutputStream.new

  if not file.nil?
    PkernelJce::GConf.instance.glog.debug "Dump certificate to file '#{file}'"
    writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(java.io.FileOutputStream.new(file)))
  else
    PkernelJce::GConf.instance.glog.debug "Dump certificate to memory"
    writer = org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(baos))
  end

  begin
    writer.writeObject(cert)
  ensure
    writer.flush
    writer.close  
  end 

  if file.nil?
    baos.toByteArray
  end
  
end

#generate(params = {}, &block) ⇒ Object

Raises:

• (PkernelJce::Error)

# File 'lib/pkernel_jce/certificate.rb', line 48

def generate(params = {}, &block)

  raise PkernelJce::Error, "Block is required for certificate generation function" if block.nil?

  PkernelJce::GConf.instance.glog.debug "Certificate generate parameters: #{params.inspect}"
  owner = params[:owner]
  pubKey = params[:pubKey]
  serial = params[:serial]
  kProv = params[:keypair_provider] 
  cProv = params[:cert_provider]
  issuer = params[:issuer]
  matchIssuerValidity = params[:match_issuer_validity] || true

  issuer = false if issuer.nil?

  pubKey = PkernelJce::KeyPair.public_key(pubKey)

  if cProv.nil?
    cProv = PkernelJce::Provider.add_provider(PkernelJce::Provider::DefProvider)
  else
    cProv = PkernelJce::Provider.add_provider(cProv)
  end

  if kProv.nil?
    kProv = PkernelJce::Provider.add_provider(PkernelJce::Provider::DefProvider)
  else
    kProv = PkernelJce::Provider.add_provider(kProv)
  end

  extUtils = org.bouncycastle.cert.bc.BcX509ExtensionUtils.new

  if serial.nil? or serial.empty?
    serial = block.call(:serial)
  end

  if serial.is_a?(java.math.BigInteger)
  else
    serial = java.math.BigInteger.new(serial,16)
  end

  signHash = block.call(:signHash)
  issuerKey = block.call(:issuerKey)
  issuerCert = block.call(:issuerCert)

  issuerKey = PkernelJce::KeyPair.private_key(issuerKey)
  if issuerKey.nil?
    raise PkernelJce::Error, "Issuer key cannot be nil"
  end

  signAlgo = PkernelJce::KeyPair.derive_signing_algo(issuerKey, signHash)
  signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(signAlgo).setProvider(kProv).build(issuerKey)
  x500Name = owner.to_x500_subject
  
  if not issuerCert.nil?

    issuerCert = issuerCert.to_java_cert if issuerCert.java_kind_of?(org.bouncycastle.cert.X509CertificateHolder)
    
    validFrom, validTo = calculate_validity(params) do |from, to|
      if matchIssuerValidity
        
        PkernelJce::GConf.instance.glog.debug "Match issuer validity against issuer certificate is activated."
        PkernelJce::GConf.instance.glog.debug "Issuer Cert : #{issuerCert.subject_dn.to_s} / #{issuerCert.not_before} / #{issuerCert.not_after}"

        if from.to_java_date.before(issuerCert.not_before)
          PkernelJce::GConf.instance.glog.warn "Certificate valid from has adjusted to match issuer valid from: #{from} [User requested] / #{issuerCert.not_before} [Adjusted to issuer]"
          from = issuerCert.not_before
        end
        
        if to.to_java_date.after(issuerCert.not_after)
          PkernelJce::GConf.instance.glog.warn "Certificate valid to has adjusted to match issuer valid to: #{to} [User requested] / #{issuerCert.not_after} [Adjusted to issuer]"
          to = issuerCert.not_after
        end

        [from, to]
      else
        [from, to]
      end
    end

    certGen = org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder.new(issuerCert, serial, validFrom, validTo, x500Name, pubKey)
    # generate authority key identifier
    certGen.addExtension(org.bouncycastle.asn1.x509.Extension::authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.getInstance(issuerCert.getPublicKey.getEncoded)))
  else

    validFrom, validTo = calculate_validity(params)

    certGen = org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder.new(x500Name, serial, validFrom, validTo, x500Name, pubKey)
    # generate authority key identifier
    certGen.addExtension(org.bouncycastle.asn1.x509.Extension::authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.getInstance(pubKey.getEncoded)))
  end

  keyUsage = block.call(:keyUsage)
  if issuer
    certGen.addExtension(org.bouncycastle.asn1.x509.Extension::basicConstraints, true, org.bouncycastle.asn1.x509.BasicConstraints.new(true))
    if not keyUsage.nil?
      certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(keyUsage))
    else
      certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(KeyUsage::DEF_ISSUER))
    end
  else
    if not keyUsage.nil?
      certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(keyUsage))
    else
      certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(KeyUsage::DEF_USER_IDENTITY))
    end
  end

  extKeyUsage = block.call(:extKeyUsage)
  if not extKeyUsage.nil?
    if extKeyUsage.is_a?(Hash)
      # allow user to give eku -> true/false 
      # Since timestamping required this extension to be true, not sure others
      extKeyUsage.each do |k,v|
        certGen.addExtension(org.bouncycastle.asn1.x509.Extension::extendedKeyUsage, v, org.bouncycastle.asn1.x509.ExtendedKeyUsage.new(k))
      end
    elsif extKeyUsage.is_a?(Array)
      certGen.addExtension(org.bouncycastle.asn1.x509.Extension::extendedKeyUsage, false, org.bouncycastle.asn1.x509.ExtendedKeyUsage.new(extKeyUsage.to_vector))
    else
      certGen.addExtension(org.bouncycastle.asn1.x509.Extension::extendedKeyUsage, false, org.bouncycastle.asn1.x509.ExtendedKeyUsage.new([extKeyUsage].to_vector))
    end
  end	

  # 
  # handle alternative name
  # 
  altName = []
  if owner.emails.length > 0
    owner.emails.each do |e|
      altName << org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::rfc822Name,e)
    end
  end

  owner.dns_names.each do |n|
    altName << org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::dNSName,n)
  end

  if altName.length > 0
    certGen.addExtension(org.bouncycastle.asn1.x509.Extension::subjectAlternativeName, false, org.bouncycastle.asn1.x509.GeneralNames.new(altName.to_java(org.bouncycastle.asn1.x509.GeneralName)) )
  end
  # 
  # Done alternative name
  #

  # 
  # handle CRL distribution point
  # 
  crl = block.call(:crls)
  if not crl.nil?
    crls = []
    if crl.is_a?(Array)
      crl.each do |c|
        crls << org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::uniformResourceIdentifier, org.bouncycastle.asn1.DERIA5String.new(c));
      end
      gns = org.bouncycastle.asn1.x509.GeneralNames.new(crls.to_java(org.bouncycastle.asn1.x509.GeneralName));
    else
      gn = org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::uniformResourceIdentifier, org.bouncycastle.asn1.DERIA5String.new(crl));
      gns = org.bouncycastle.asn1.x509.GeneralNames.new(gn);
    end
    
    dpn = org.bouncycastle.asn1.x509.DistributionPointName.new(gns);
    dp =  org.bouncycastle.asn1.x509.DistributionPoint.new(dpn,nil,nil);
    certGen.addExtension(org.bouncycastle.asn1.x509.X509Extensions::CRLDistributionPoints,false,org.bouncycastle.asn1.DERSequence.new(dp));      
  end
  # done adding CRL distribution point


  # 
  # handle OCSP
  #
  ocsp = block.call(:ocsp)
  if not ocsp.nil? and not ocsp.empty?
    ocspName = org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName.uniformResourceIdentifier, ocsp);
    authorityInformationAccess = org.bouncycastle.asn1.x509.AuthorityInformationAccess.new(org.bouncycastle.asn1.x509.X509ObjectIdentifiers.ocspAccessMethod, ocspName);
    certGen.addExtension(org.bouncycastle.asn1.x509.X509Extensions::AuthorityInfoAccess, false, authorityInformationAccess);			        
  end
  # done OCSP

  # Let's generate subject key ID as default...	
  certGen.addExtension(org.bouncycastle.asn1.x509.Extension::subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.getInstance(pubKey.getEncoded)))

  cert = org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.new().setProvider(cProv).getCertificate(certGen.build(signer))
  cert

end

#load(options = {}) ⇒ Object

# File 'lib/pkernel_jce/certificate.rb', line 265

def load(options = {})
  #is = options[:inputStream]
  #if is.nil?
  #  raise PkernelJce::Error, "InputStream to load certificate is nil"
  #end
 
  file = options[:file]
  bin = options[:bin]
  baos = java.io.ByteArrayOutputStream.new

  if not file.nil? and not file.empty?
    PkernelJce::GConf.instance.glog.debug "Load certificate from #{file}"
    f = java.io.File.new(file)
    if f.exists?
      b = Java::byte[f.length].new
      dis = java.io.DataInputStream.new(java.io.FileInputStream.new(f))
      dis.readFully(b)
      dis.close

      baos.write(b)
    else 
      raise PkernelJce::Error, "File '#{f.absolute_path}' not found"
    end

  elsif not bin.nil?
    PkernelJce::GConf.instance.glog.debug "Load certificate from memory"
    baos.write(bin)
  else
    raise PkernelJce::Error, "No bin or file input is given to load"
  end

  reader = org.bouncycastle.openssl.PEMParser.new(java.io.InputStreamReader.new(java.io.ByteArrayInputStream.new(baos.toByteArray)))
  obj = reader.readObject
  # object here shall be org.bouncycastle.cert.X509CertificateHolder
  # Hence other place using Java Certificate object shall call to_java_cert on this object
  obj
  #org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.new.setProvider(PkernelJce::Provider::DefProvider).getCertificate(obj)
end