module PkernelJce::CRL
Public Instance Methods
dump(crl, opts = {})
click to toggle source
# File lib/pkernel_jce/crl.rb, line 163 def dump(crl, opts = {}) if crl.nil? raise PkernelJce::Error, "Given CRL to dump is nil." end file = opts[:file] if not (file.nil? or file.empty?) os = java.io.FileOutputStream.new(file) else os = java.io.ByteArrayOutputStream.new end os.write(crl.encoded) os.flush os.close if (file.nil? or file.empty?) os.toByteArray end end
ensure_bc_crl(crl)
click to toggle source
end ensure_java_crl
/ to_java_crl
# File lib/pkernel_jce/crl.rb, line 83 def ensure_bc_crl(crl) if crl.nil? raise PkernelJce::Error, "CRL given to convert to BC object is nil" end if crl.java_kind_of?(Java::OrgBouncycastleCert::X509CRLHolder) crl else org.bouncycastle.cert.X509CRLHolder.new(java.io.ByteArrayInputStream.new(crl.encoded)) end end
Also aliased as: to_bc_crl
ensure_java_crl(crl)
click to toggle source
end generate
# File lib/pkernel_jce/crl.rb, line 67 def ensure_java_crl(crl) if crl.nil? raise PkernelJce::Error, "CRL given to convert to java object is nil" end if crl.java_kind_of?(Java::OrgBouncycastleCert::X509CRLHolder) org.bouncycastle.cert.jcajce.JcaX509CRLConverter.new.getCRL(crl) else crl end end
Also aliased as: to_java_crl
generate(identity, opts = {}, &block)
click to toggle source
# File lib/pkernel_jce/crl.rb, line 6 def generate(identity, opts = {}, &block) if identity.nil? raise PkernelJce::Error, "Identity is nil in generating CRL" end tbpCerts = opts[:tbpCerts] # allow empty CRL tbpCerts = {} if tbpCerts.nil? prov = opts[:provider] if prov.nil? prov = PkernelJce::Provider.add_default else PkernelJce::Provider.add_provider(prov) end validity = opts[:validity] || 1 validityUnit = opts[:validity_unit] || :days signAlgo = opts[:hashAlgo] if signAlgo.nil? signAlgo = PkernelJce::KeyPair.derive_signing_algo(identity.privKey, "SHA256") end PkernelJce::GConf.instance.glog.debug "Signing algo for CRL is #{signAlgo}" crlGen = org.bouncycastle.x509.X509V2CRLGenerator.new validFrom = Time.now validTo = validFrom.advance( validityUnit => validity ) # CRL validity should not be more then issuer's if validFrom.to_java_date.before(identity.certificate.not_before) PkernelJce::GConf.instance.glog.debug "CRL new valid from has adjusted to match with issuer valid from : #{validFrom} [Original] / #{identity.certificate.not_before} [Issuer's certificate not before]" validFrom = identity.certificate.not_before end if validTo.to_java_date.after(identity.certificate.not_after) PkernelJce::GConf.instance.glog.debug "CRL new valid until has adjusted to match with issuer validity to : #{validTo} [Original] / #{identity.certificate.not_after} [Issuer's certificate not after]" validTo = identity.certificate.not_after end PkernelJce::GConf.instance.glog.debug "CRL validity #{validFrom} - #{validTo}" crlGen.issuer_dn = identity.certificate.getSubjectX500Principal crlGen.this_update = validFrom crlGen.next_update = validTo crlGen.signature_algorithm = signAlgo tbpCerts.each do |k,v| cert = k opts = v time = opts[:time] || java.util.Date.new reason = opts[:reason] || Pkernel::CRLReason::UNSPECIFIED crlGen.addCRLEntry(cert.getSerialNumber, time, reason) PkernelJce::GConf.instance.glog.debug "Added cert into entry" end PkernelJce::GConf.instance.glog.debug "Generating CRL from issuer '#{identity.certificate.subjectDN.to_s}' [Provider #{prov.name}]" crl = crlGen.generateX509CRL(identity.privKey, prov.name) crl end
is_revoked?(crl,cert,&block)
click to toggle source
# File lib/pkernel_jce/crl.rb, line 133 def is_revoked?(crl,cert,&block) if crl.revoked_certificates.nil? or crl.revoked_certificates.length == 0 false else crl = ensure_java_crl(crl) now = java.util.Date.new if crl.next_update.before(now) # expired if block cont = block.call(:expired, { valid_until: crl.next_update, issuer: crl.issuer_x500_principal }) if not cont raise PkernelJce::Error, "CRL expired at #{crl.next_update}. Revocation check aborted." else PkernelJce::GConf.instance.glog.warn "Revocation checked against expired CRL [CRL Expired on #{crl.next_update} / Ref Date : #{now}] based on application request." end else raise PkernelJce::Error, "CRL expired at #{crl.next_update}. Revocation check aborted." end end c = PkernelJce::Certificate.to_bc_cert(cert) revokedInfo = crl.get_revoked_certificate(c.serial_number) if revokedInfo.nil? [false,nil] else [true, { reason: revokedInfo.revocation_reason, on: revokedInfo.revocation_date, object: revokedInfo }] end end end
is_signature_valid?(crl, opts = { })
click to toggle source
end to_bc_crl
/ ensure_bc_crl
# File lib/pkernel_jce/crl.rb, line 99 def is_signature_valid?(crl, opts = { }) #issuer) if crl.nil? raise PkernelJce::Error, "CRL pass to test signature validity for CRL is nil" end issuer_cert = opts[:issuer_cert] issuer_key = opts[:issuer_key] if not issuer_cert.nil? pubKey = PkernelJce::Certificate.public_key(issuer_cert) elsif not issuer_key.nil? pubKey = PkernelJce::KeyPair.public_key(issuer_key) else raise PkernelJce::Error, "Neither issuer cert or key is available for signature verification" end #if issuer.nil? # raise PkernelJce::Error, "Issuer pass to test signature validity for CRL is nil" #end #if PkernelJce::Certificate.is_cert_object?(issuer) # pubKey = PkernelJce::Certificate.public_key(issuer) #else # pubKey = PkernelJce::KeyPair.public_key(issuer) #end crl = ensure_java_crl(crl) begin crl.verify(pubKey) true rescue Exception => ex PkernelJce::GConf.instance.glog.error ex false end end
load(opts = {})
click to toggle source
end dump
# File lib/pkernel_jce/crl.rb, line 188 def load(opts = {}) file = opts[:file] bin = opts[:bin] if not (file.nil? or file.empty?) crlbin = PkernelJce::IoUtils.file_to_memory_byte_array(file) elsif not bin.nil? crlbin = PkernelJce::IoUtils.ensure_java_bytes(bin) else raise PkernelJce::Error, "No source to load CRL from" end # this option shall load the CRL in Java #crl = java.security.cert.CertificateFactory.getInstance("X.509").generateCRL(java.io.ByteArrayInputStream.new(crlbin)) # this option shall load the CRL in BC but under Java interface prov = PkernelJce::Provider.add_default crl = java.security.cert.CertificateFactory.getInstance("X.509",prov).generateCRL(java.io.ByteArrayInputStream.new(crlbin)) # this option shall load the CRL in BC too but under BC interface #crl = org.bouncycastle.cert.X509CRLHolder.new(crlbin) crl end