module PkernelJce::OCSP::Response

module Response

Constants

ST_ERROR
ST_MALFORM_REQ
ST_SIG_REQUIRED
ST_SUCCESSFUL
ST_TRY_LATER
ST_UNAUTHORIZED

Public Instance Methods

generate(identity, opts = { }, &block)

Used by the OCSP responder: parses the incoming request, lets the caller's block assign a status to each certificate, echoes the request nonce and signs the result with the responder identity.

# File lib/pkernel_jce/ocsp.rb, line 59
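# Build and sign a BasicOCSPResponse answering the request in opts[:request].
#
# identity        - responder identity exposing privKey, pubKey and chain; the
#                   chain is embedded in the response so clients can locate the
#                   signer certificate.
# opts[:request]  - DER bytes of the OCSPRequest (required).
# opts[:provider] - JCE provider name; the default provider is used when absent.
# opts[:signHash] - hash used for the response signature, defaults to "SHA256".
# block           - invoked as block.call(respBuilder, info) once per request
#                   entry; it must add the real status via v_cert_good,
#                   v_cert_revoked or v_cert_status_unknown. WITHOUT a block every
#                   certificate is reported as UNKNOWN - this method never claims
#                   GOOD on its own.
#
# Returns the outer OCSPResp envelope (status SUCCESSFUL) built by to_response_asn1.
# Raises PkernelJce::Error when identity or the request bytes are missing.
def generate(identity, opts = { }, &block)
  if identity.nil?
    raise PkernelJce::Error, "Identity is nil in generate OCSP response"
  end

  # Fail here with a clear message instead of letting a nil request surface as an
  # opaque failure inside OCSPRequestEngine.parse.
  reqBin = opts[:request]
  if reqBin.nil?
    raise PkernelJce::Error, "OCSP request is nil in generate OCSP response"
  end

  provider = opts[:provider]
  if provider.nil?
    prov = PkernelJce::Provider.add_default
  else
    prov = PkernelJce::Provider.add_provider(provider)
  end

  # ResponderID is the byKey form: SHA-1 over the responder public key. RFC 6960
  # defines KeyHash as a SHA-1 digest, and this BC version (157) offers no other
  # option here, so SHA-1 is correct (it is an identifier, not a security hash).
  digest = org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder.new.setProvider(PkernelJce::Provider::DefProvider).build
  respBuilder = org.bouncycastle.cert.ocsp.jcajce.JcaBasicOCSPRespBuilder.new(identity.pubKey, digest.get(org.bouncycastle.cert.ocsp.RespID::HASH_SHA1))

  # Walk the request entries; the caller's block is the revocation source.
  reqRes = OCSPRequestEngine.parse({ bin: reqBin }) do |info|
    if block
      block.call(respBuilder, info)
    else
      # No revocation source supplied: answer UNKNOWN rather than GOOD.
      v_cert_status_unknown(respBuilder, info[:cid])
    end
  end

  req = reqRes[:req]

  # Echo the client's nonce (non-critical extension) so the client can bind this
  # response to its own request and detect replayed responses.
  nonceField = req.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
  if not nonceField.nil?
    extGen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
    extGen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonceField.parsed_value.getOctets))
    respBuilder.setResponseExtensions(extGen.generate)
  end

  signHash = opts[:signHash] || "SHA256"
  signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(PkernelJce::KeyPair.derive_signing_algo(identity.privKey, signHash)).setProvider(prov).build(identity.privKey)
  # producedAt is "now"; identity.chain is embedded alongside the signature.
  resp = respBuilder.build(signer, identity.chain, java.util.Date.new)

  # BC OCSPRespBuilder status codes: SUCCESSFUL=0, MALFORMED_REQUEST=1,
  # INTERNAL_ERROR=2, TRY_LATER=3, (4 unused), SIG_REQUIRED=5, UNAUTHORIZED=6.
  # Wrap the signed BasicOCSPResponse in the outer OCSPResponse envelope.
  to_response_asn1(ST_SUCCESSFUL, resp)
end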
is_cert_good?(resp, cert_id, opts = { })


# File lib/pkernel_jce/ocsp.rb, line 172
# True when the response has an entry for cert_id with status GOOD.
# BC represents GOOD as a null CertificateStatus, hence the nil? check.
# Returns false when cert_id is not present in the response at all.
# Note: this only reads the status; signature and freshness checks belong to
# parse and the caller respectively.
def is_cert_good?(resp, cert_id, opts = { })
  entry = resp.response_object.responses.find { |single| single.cert_id.equals(cert_id) }
  return false if entry.nil?
  entry.cert_status.nil?
end
is_cert_revoked?(resp, cert_id, opts = { })
# File lib/pkernel_jce/ocsp.rb, line 183
# Look up cert_id in the response and report revocation.
# Returns [true, revocation_reason, revocation_time] for the first entry whose
# status is a RevokedStatus, or [false] when no such entry exists.
def is_cert_revoked?(resp, cert_id, opts = { })
  revoked_kind = org.bouncycastle.cert.ocsp.RevokedStatus
  entry = resp.response_object.responses.find do |single|
    single.cert_id.equals(cert_id) &&
      !single.cert_status.nil? &&
      single.cert_status.java_kind_of?(revoked_kind)
  end
  return [false] if entry.nil?

  status = entry.cert_status
  [true, status.revocation_reason, status.revocation_time]
end
is_cert_unknown?(resp, cert_id, opts = { })
# File lib/pkernel_jce/ocsp.rb, line 196
# True when the first entry for cert_id carries an UnknownStatus.
# Returns false when cert_id is absent from the response, or when its status is
# GOOD (nil) or revoked.
def is_cert_unknown?(resp, cert_id, opts = { })
  entry = resp.response_object.responses.find { |single| single.cert_id.equals(cert_id) }
  return false if entry.nil?

  status = entry.cert_status
  !status.nil? && status.java_kind_of?(org.bouncycastle.cert.ocsp.UnknownStatus)
end
parse(opts = {})

Invoked on the client side to decode a received OCSP response and verify its signature (and, optionally, its nonce) before the status helpers are consulted.

# File lib/pkernel_jce/ocsp.rb, line 125
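# Decode an OCSPResponse and verify it before handing it back to the caller.
#
# opts[:file] / opts[:bin] - DER bytes of the response (one of the two is required).
# opts[:provider]    - JCE provider name; the default provider is used when absent.
# opts[:signer_cert] - certificate (X509CertificateHolder / X509Certificate) or
#                      public key the signature MUST verify against, e.g. the
#                      issuing CA certificate or a pinned OCSP signing certificate
#                      the caller already trusts. Strongly recommended.
# opts[:nonce]       - nonce bytes the caller placed in its request; when given,
#                      the response must carry the identical nonce or it is rejected.
#
# Returns the org.bouncycastle.cert.ocsp.OCSPResp on success.
# Raises PkernelJce::Error when no input is given, the response status is not
# SUCCESSFUL, the signature does not verify, or the nonce check fails.
#
# SECURITY: when :signer_cert is not supplied the signature is checked against the
# first certificate embedded in the response itself (legacy behaviour). That only
# proves the response is self-consistent - an attacker can embed their own
# certificate and sign with its key - so callers relying on the fallback MUST
# separately confirm that certificate chains to the issuing CA and carries the
# id-kp-OCSPSigning EKU. Freshness (thisUpdate / nextUpdate / producedAt) is not
# checked here and remains the caller's responsibility.
def parse(opts = {})
  file = opts[:file]
  bin = opts[:bin]

  if not file.nil?
    bresp = IoUtils.file_to_memory_byte_array(file)
  elsif not bin.nil?
    bresp = IoUtils.ensure_java_bytes(bin)
  else
    raise PkernelJce::Error, "No OCSP response input available for parsing"
  end

  resp = org.bouncycastle.cert.ocsp.OCSPResp.new(bresp)
  if resp.status != ST_SUCCESSFUL
    raise PkernelJce::Error, "OCSP response unsuccessful. Message was : #{resp.status}"
  end

  respObj = resp.response_object
  if respObj.nil?
    raise PkernelJce::Error, "OCSP response reported SUCCESSFUL but carries no BasicOCSPResponse"
  end

  provider = opts[:provider]
  if provider.nil?
    prov = PkernelJce::Provider.add_default
  else
    prov = PkernelJce::Provider.add_provider(provider)
  end

  # Decide what the signature is verified against. A caller-supplied trusted
  # certificate/key is authoritative; otherwise fall back to the certificate the
  # responder embedded (self-consistency only - see SECURITY note above).
  verifierCert = opts[:signer_cert]
  if verifierCert.nil?
    embedded = respObj.certs
    if embedded.nil? or embedded.length == 0
      raise PkernelJce::Error, "OCSP response embeds no certificate and no :signer_cert was supplied; cannot verify signature"
    end
    verifierCert = embedded[0]
  end

  verifier = org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.setProvider(prov).build(verifierCert)
  if not respObj.is_signature_valid?(verifier)
    raise PkernelJce::Error, "OCSP response digital signature failed to be verified. Result discarded."
  end

  # Replay protection: bind the response to the nonce the caller sent. Only
  # enforced when the caller opted in by passing :nonce; a missing or different
  # nonce is then treated as a failed verification.
  expectedNonce = opts[:nonce]
  if not expectedNonce.nil?
    nonceField = respObj.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
    if nonceField.nil?
      raise PkernelJce::Error, "OCSP response does not carry the nonce sent in the request. Result discarded."
    end
    received = nonceField.parsed_value.getOctets
    if not java.util.Arrays.equals(IoUtils.ensure_java_bytes(expectedNonce), received)
      raise PkernelJce::Error, "OCSP response nonce does not match the request nonce. Result discarded."
    end
  end

  resp
end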
to_bin(resp)
# File lib/pkernel_jce/ocsp.rb, line 219
# DER-encode a response object for transport or storage.
# Raises PkernelJce::Error when resp is nil instead of failing inside JRuby.
def to_bin(resp)
  raise PkernelJce::Error, "Response object is nil to convert to bin" if resp.nil?

  resp.encoded
end
to_response_asn1(st, resp = nil)


# File lib/pkernel_jce/ocsp.rb, line 118
# Wrap a BasicOCSPResp in the outer OCSPResponse envelope with status st
# (one of the ST_* constants). resp may be nil for error statuses such as
# ST_MALFORM_REQ or ST_TRY_LATER, which carry no response body.
def to_response_asn1(st, resp = nil)
  envelope = org.bouncycastle.cert.ocsp.OCSPRespBuilder.new
  envelope.build(st, resp)
end
v_cert_good(resp, cid, opts = { })
# File lib/pkernel_jce/ocsp.rb, line 207
# Mark certificate cid as GOOD on the response builder passed to the generate
# block. Only call this after consulting an authoritative revocation source.
def v_cert_good(resp, cid, opts = { })
  good = org.bouncycastle.cert.ocsp.CertificateStatus::GOOD
  resp.addResponse(cid, good)
end
v_cert_revoked(resp, cid, reason = Pkernel::CRLReason::UNSPECIFIED, revokedOn = java.util.Date.new, opts = { })
# File lib/pkernel_jce/ocsp.rb, line 211
# Mark certificate cid as REVOKED on the response builder, with the given
# CRL reason code and revocation time (defaults: UNSPECIFIED, now).
def v_cert_revoked(resp, cid, reason = Pkernel::CRLReason::UNSPECIFIED, revokedOn = java.util.Date.new, opts = { })
  revoked = org.bouncycastle.cert.ocsp.RevokedStatus.new(revokedOn, reason)
  resp.addResponse(cid, revoked)
end
v_cert_status_unknown(resp, cid, opts= { })
# File lib/pkernel_jce/ocsp.rb, line 215
# Mark certificate cid as UNKNOWN on the response builder; this is the default
# generate uses when no block supplies a real status.
def v_cert_status_unknown(resp, cid, opts= { })
  unknown = org.bouncycastle.cert.ocsp.UnknownStatus.new
  resp.addResponse(cid, unknown)
end