module PkernelJce::OCSP::Request





# File lib/pkernel_jce/ocsp.rb, line 312
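# Generate `len` random bytes for use as an OCSP nonce (RFC 6960 4.4.1).
#
# len - number of bytes to generate (default 16). RFC 8954 bounds the
#       request nonce to 1..32 octets; values outside that may be rejected
#       by conforming responders.
#
# Returns a Java byte[] of length `len`.
#
# Raises PkernelJce::Error when len is not positive.
#
# BUG FIX: the original used java.util.Random, a seeded LCG whose output is
# predictable. The nonce is the only thing binding a response to this
# request (anti-replay), so it must come from the platform CSPRNG.
def gen_nonce(len = 16)
  if len.to_i < 1
    raise PkernelJce::Error, "Nonce length must be a positive number of bytes"
  end

  nonce = Java::byte[len].new
  java.security.SecureRandom.new.nextBytes(nonce)
  nonce
end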

Initiated by the client: builds the OCSP request that is sent to the responder.

# File lib/pkernel_jce/ocsp.rb, line 319
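# Build an OCSP request (client side).
#
# certs - a single item or an Array of the objects handed to
#         OCSPReqBuilder#addRequest. NOTE(review): addRequest takes a
#         BouncyCastle CertificateID, not a certificate; the commented-out
#         lines below are the CertificateID derivation an earlier version
#         performed. Confirm what callers actually pass here.
# opts  - Hash of options:
#   :nonce              - caller-supplied nonce bytes (Ruby String or Java
#                         byte[]); used as-is when given
#   :gen_nonce          - true to generate a fresh random nonce. Default: true
#                         unless :nonce was supplied. gen_nonce: false with no
#                         :nonce yields a request WITHOUT a nonce, which a
#                         replayed response can then satisfy.
#   :identity           - object with privKey / certificate / chain; when
#                         present the request is signed
#   :requestor_name     - CN used as requestorName of a signed request
#   :requestor_x500name - full X.500 string used as requestorName
#   :provider           - JCE provider handed to the signer builder
#
# Returns the built org.bouncycastle.cert.ocsp.OCSPReq. When a nonce was
# added it can be read back from the returned request via
# req.getExtension(OCSPObjectIdentifiers::id_pkix_ocsp_nonce).parsed_value.getOctets
# (the same access parse uses); the caller must compare the response nonce
# against it, otherwise the nonce gives no replay protection.
#
# Raises PkernelJce::Error when certs is nil, or when :identity is given but
# no requestor name / certificate is available for requestorName.
#
# BUG FIXES vs. the original:
#  - `opts[:gen_nonce] || true` was always true, so a caller-supplied :nonce
#    was silently replaced and the option could never be turned off.
#  - the nonce came from java.util.Random (predictable); now SecureRandom.
#  - :requestor_name was interpolated into a DN string ("CN=#{name}"), so a
#    name containing ',' or '=' injected extra RDNs; it is now a single RDN.
def generate(certs = [], opts = {})
  if certs.nil?
    raise PkernelJce::Error, "Given certificates to generate OCSP request is nil"
  end
  certs = [certs] unless certs.is_a?(Array)

  #digest = org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder.new.setProvider(PkernelJce::Provider::DefProvider).build
  ## for this version of BC (157) this is the only option
  #d = digest.get(org.bouncycastle.cert.ocsp.CertificateID::HASH_SHA1)
  #id = org.bouncycastle.cert.ocsp.CertificateID.new(d,PkernelJce::Certificate.ensure_bc_cert(c),PkernelJce::Certificate.ensure_java_cert(c).serial_number)

  gen = org.bouncycastle.cert.ocsp.OCSPReqBuilder.new

  nonce = opts[:nonce]
  # Generate by default, but not when the caller brought its own nonce;
  # an explicit :gen_nonce value always wins.
  if opts.fetch(:gen_nonce, nonce.nil?)
    nonce = Java::byte[16].new
    # CSPRNG: the nonce is what makes a replayed response detectable.
    java.security.SecureRandom.new.nextBytes(nonce)
  elsif !nonce.nil?
    # DEROctetString needs a Java byte[]; callers may pass a Ruby String.
    nonce = PkernelJce::IoUtils.ensure_java_bytes(nonce)
  end

  unless nonce.nil?
    extGen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
    # Non-critical per RFC 6960 4.4.1; value is the nonce as a DER OCTET STRING.
    extGen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonce))
    gen.setRequestExtensions(extGen.generate)
  end

  certs.each { |c| gen.addRequest(c) }

  # Provider registration happens even for unsigned requests (kept from the
  # original, as add_default/add_provider may have registration side effects).
  provider = opts[:provider]
  prov = provider.nil? ? PkernelJce::Provider.add_default : PkernelJce::Provider.add_provider(provider)

  id = opts[:identity]
  return gen.build if id.nil?

  name = opts[:requestor_name]
  x500Name = opts[:requestor_x500name]

  if !(name.nil? || name.empty?)
    # Single CN RDN built via the API rather than a parsed "CN=..." string,
    # so special characters in `name` cannot add further RDNs.
    cn = org.bouncycastle.asn1.x500.X500NameBuilder.new
    cn.addRDN(org.bouncycastle.asn1.x500.style.BCStyle::CN, name)
    gen.setRequestorName(cn.build)
  elsif !(x500Name.nil? || x500Name.empty?)
    gen.setRequestorName(org.bouncycastle.asn1.x500.X500Name.new(x500Name))
  elsif !id.certificate.nil?
    bcCert = PkernelJce::Certificate.ensure_bc_cert(id.certificate)
    gen.setRequestorName(bcCert.subject_to_x500)
  else
    raise PkernelJce::Error, "Cannot sign content as requestor name/certificate is not given"
  end

  signAlgo = PkernelJce::KeyPair.derive_signing_algo(id.privKey, "SHA256")
  signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(signAlgo).setProvider(prov).build(id.privKey)
  chain = PkernelJce::Certificate.ensure_bc_cert(id.chain).to_java(Java::OrgBouncycastleCert::X509CertificateHolder)
  gen.build(signer, chain)
end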

Invoked on the responder (server) side to parse an incoming request before the response is built.

# File lib/pkernel_jce/ocsp.rb, line 236
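# Parse a DER-encoded OCSP request (responder side) and hand each requested
# CertID to the block.
#
# opts  - Hash of options:
#   :file        - path of a file holding the DER request, or
#   :bin         - the DER bytes (Ruby String or Java byte[])
#   :verify_sign - check the signature when the request is signed (default true)
#   :provider    - JCE provider used for the verification
# block - required. Called once per request entry as block.call(info) where
#         info has :serial, :issuer_key_hash, :issuer_name_hash and :cid; the
#         block decides the certificate status. When the signature does not
#         verify it is first called as
#         block.call(:ocsp_verify_failed, { request:, signer_cert: }) and a
#         truthy return lets parsing continue.
#
# Returns a Hash with
#   :req         - the org.bouncycastle.cert.ocsp.OCSPReq
#   :nonce       - octets of the nonce extension when present (the response
#                  must echo it back unchanged)
#   :signer_cert - the certificate the signature was checked against, when
#                  the request is signed and verification was enabled
#
# Security note: the signature is verified against the certificate embedded
# in the request itself. That only shows the request was not altered after
# the holder of that key signed it; it says nothing about whether that
# requestor is trusted. Callers that rely on request authentication must
# validate res[:signer_cert] against their own trust anchors.
#
# Raises PkernelJce::Error when no block or no input is given, or when the
# signature is invalid (or unverifiable) and the block does not accept it.
#
# BUG FIXES vs. the original:
#  - `opts[:verify_sign] || true` was always true, so the option had no effect.
#  - the block's return value was assigned to `res`, clobbering the result
#    hash that is built and returned afterwards.
#  - the failure path raised PkernelOpenssl::Error (wrong namespace); every
#    other error here is PkernelJce::Error.
#  - a signed request carrying no certificates crashed on getCerts[0]; it is
#    now treated as a failed verification and routed through the block.
def parse(opts = {}, &block)
  unless block
    raise PkernelJce::Error, "Block must be given for OCSP request parse operation"
  end

  file = opts[:file]
  bin = opts[:bin]
  breq =
    if !file.nil?
      PkernelJce::IoUtils.file_to_memory_byte_array(file)
    elsif !bin.nil?
      PkernelJce::IoUtils.ensure_java_bytes(bin)
    else
      raise PkernelJce::Error, "No OCSP request input available for parsing"
    end

  res = {}
  req = org.bouncycastle.cert.ocsp.OCSPReq.new(breq)
  res[:req] = req

  verifySign = opts.fetch(:verify_sign, true)
  if verifySign && req.isSigned
    provider = opts[:provider]
    prov = provider.nil? ? PkernelJce::Provider.add_default : PkernelJce::Provider.add_provider(provider)

    # The original takes the first embedded certificate as the signer's;
    # RFC 6960 only says the certs MAY help verify the signature, so this is
    # an assumption kept from the original, not a guarantee.
    certs = req.getCerts
    signerCert = (certs.nil? || certs.length == 0) ? nil : certs[0]
    res[:signer_cert] = signerCert

    valid = false
    unless signerCert.nil?
      verifier = org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.setProvider(prov).build(signerCert)
      valid = req.isSignatureValid(verifier)
    end

    unless valid
      # Let the caller decide whether to continue; `accepted` is deliberately
      # kept separate from `res`.
      accepted = block.call(:ocsp_verify_failed, { request: req, signer_cert: signerCert })
      unless accepted
        raise PkernelJce::Error, "OCSP request verification failed"
      end
    end
  end

  nonceField = req.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
  res[:nonce] = nonceField.parsed_value.getOctets unless nonceField.nil?

  req.getRequestList.each do |qc|
    cid = qc.getCertID
    info = {
      serial: cid.serial_number,
      issuer_key_hash: cid.issuer_key_hash,
      issuer_name_hash: cid.issuer_name_hash,
      cid: cid
    }
    # The block decides status and mechanism; its return value is not used here.
    block.call(info)
  end

  res
end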


# File lib/pkernel_jce/ocsp.rb, line 393
# Serialise an OCSP request object to its encoded byte form.
#
# req - the request object (as returned by generate); anything responding
#       to `encoded` is accepted
#
# Returns whatever req.encoded returns (the DER bytes for an OCSPReq).
#
# Raises PkernelJce::Error when req is nil.
def to_bin(req)
  raise PkernelJce::Error, "Request object cannot be nil to convert to binary" if req.nil?

  req.encoded
end