module PkernelJce::OCSP::Request
gen_nonce(len = 16)
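# File lib/pkernel_jce/ocsp.rb, line 312
# Generate a random OCSP nonce of +len+ bytes as a Java byte[].
#
# The nonce is what ties an OCSP response to the request that produced it
# (replay protection), so it must be unpredictable. The original used
# java.util.Random, a seeded non-cryptographic PRNG whose output an observer
# can reconstruct; java.security.SecureRandom is used instead.
#
# @param len [Integer] number of nonce bytes; must be a positive integer
# @return [Java::byte[]] freshly generated random bytes
# @raise [PkernelJce::Error] if +len+ is not a positive integer
def gen_nonce(len = 16)
  unless len.is_a?(Integer) && len > 0
    raise PkernelJce::Error, "Nonce length must be a positive integer, got #{len.inspect}"
  end
  nonce = Java::byte[len].new
  java.security.SecureRandom.new.nextBytes(nonce)
  nonce
end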
generate(certs = [], opts = {})
Initiated by the client: builds (and optionally signs) an OCSP request for the given certificates.
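# File lib/pkernel_jce/ocsp.rb, line 319
# Build an OCSP request (client side) for the given certificates.
#
# Options (+opts+):
#   :gen_nonce          - generate a fresh random nonce extension (default true).
#                         Pass +false+ to suppress generation; then :nonce, if
#                         given, is used verbatim.
#   :nonce              - caller-supplied nonce bytes, only honoured when
#                         :gen_nonce is false
#   :identity           - object responding to #privKey, #certificate and #chain;
#                         when present the request is signed with it
#   :requestor_name     - CN placed in requestorName (wrapped as "CN=<name>")
#   :requestor_x500name - full X.500 name string placed in requestorName
#   :provider           - JCE provider name; the default provider is used when absent
#
# Returns the built org.bouncycastle.cert.ocsp.OCSPReq. The generated nonce is
# NOT returned separately; read it back from the request's
# id_pkix_ocsp_nonce extension (as +parse+ does) when you need to compare it
# against the response.
#
# NOTE(review): +certs+ elements are handed straight to OCSPReqBuilder#addRequest,
# so they are expected to already be CertificateID objects; the commented-out
# CertificateID construction from the original was never re-enabled and is
# not reintroduced here.
#
# @raise [PkernelJce::Error] if +certs+ is nil, or an identity is given but no
#   requestor name/certificate can be derived for it
def generate(certs = [], opts = {})
  raise PkernelJce::Error, "Given certificates to generate OCSP request is nil" if certs.nil?
  certs = [certs] unless certs.is_a?(Array)

  gen = org.bouncycastle.cert.ocsp.OCSPReqBuilder.new

  # The original computed `opts[:gen_nonce] || true`, which is never false, so an
  # explicit :gen_nonce => false (and with it the :nonce option) was unreachable.
  genNonce = opts.key?(:gen_nonce) ? opts[:gen_nonce] : true
  nonce = opts[:nonce]
  if genNonce
    # SecureRandom: the nonce is the replay guard and must not be predictable
    nonce = Java::byte[16].new
    java.security.SecureRandom.new.nextBytes(nonce)
  end
  unless nonce.nil?
    extGen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
    extGen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonce))
    gen.setRequestExtensions(extGen.generate)
  end

  certs.each { |c| gen.addRequest(c) }

  provider = opts[:provider]
  prov = provider.nil? ? PkernelJce::Provider.add_default : PkernelJce::Provider.add_provider(provider)

  id = opts[:identity]
  return gen.build if id.nil?

  name = opts[:requestor_name]
  x500Name = opts[:requestor_x500name]
  if !(name.nil? || name.empty?)
    # +name+ is interpolated unescaped into a DN string: a value containing
    # ',' '=' or '+' would be parsed as extra RDNs. Use :requestor_x500name
    # for anything that is not a plain CN.
    gen.setRequestorName(org.bouncycastle.asn1.x500.X500Name.new("CN=#{name}"))
  elsif !(x500Name.nil? || x500Name.empty?)
    gen.setRequestorName(org.bouncycastle.asn1.x500.X500Name.new(x500Name))
  elsif !id.certificate.nil?
    bcCert = PkernelJce::Certificate.ensure_bc_cert(id.certificate)
    gen.setRequestorName(bcCert.subject_to_x500)
  else
    raise PkernelJce::Error, "Cannot sign content as requestor name/certificate is not given"
  end

  signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(PkernelJce::KeyPair.derive_signing_algo(id.privKey, "SHA256")).setProvider(prov).build(id.privKey)
  gen.build(signer, PkernelJce::Certificate.ensure_bc_cert(id.chain).to_java(Java::OrgBouncycastleCert::X509CertificateHolder))
end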
parse(opts = {},&block)
Invoked on the server (responder) side to parse an incoming request before building the response.
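# File lib/pkernel_jce/ocsp.rb, line 236
# Parse an OCSP request (responder side).
#
# The mandatory block is called once per certificate in the request with a
# hash {:serial, :issuer_key_hash, :issuer_name_hash, :cid} and decides the
# status itself. When a signed request fails verification the block is first
# called with (:ocsp_verify_failed, { request:, signer_cert: }); a truthy
# return value lets parsing continue, anything else aborts with
# PkernelJce::Error.
#
# Options (+opts+):
#   :file        - path of a DER-encoded request
#   :bin         - request bytes (Ruby String or Java byte[])
#   :verify_sign - verify the request signature when one is present (default true)
#   :provider    - JCE provider name; the default provider is used when absent
#
# Returns { :req => OCSPReq, :nonce => byte[] (only when the extension is present) }.
#
# Security note: the signature is checked against the certificate the request
# itself carries (getCerts[0]). That proves the request is self-consistent, not
# that the signer is trusted; any chain/trust validation of signer_cert is the
# caller's responsibility (e.g. inside the block).
#
# @raise [PkernelJce::Error] no block, no input, or a rejected invalid signature
def parse(opts = {}, &block)
  raise PkernelJce::Error, "Block must be given for OCSP request parse operation" if block.nil?

  file = opts[:file]
  bin = opts[:bin]
  breq =
    if !file.nil?
      PkernelJce::IoUtils.file_to_memory_byte_array(file)
    elsif !bin.nil?
      PkernelJce::IoUtils.ensure_java_bytes(bin)
    else
      raise PkernelJce::Error, "No OCSP request input available for parsing"
    end

  res = {}
  # untrusted DER: BC raises on malformed input, which is the desired outcome
  req = org.bouncycastle.cert.ocsp.OCSPReq.new(breq)
  res[:req] = req

  # The original computed `opts[:verify_sign] || true`, which is never false,
  # so an explicit :verify_sign => false was silently ignored.
  verifySign = opts.key?(:verify_sign) ? opts[:verify_sign] : true
  if verifySign && req.isSigned
    provider = opts[:provider]
    prov = provider.nil? ? PkernelJce::Provider.add_default : PkernelJce::Provider.add_provider(provider)

    # A signed request that carries no certificate cannot be verified: treat it
    # like a bad signature instead of crashing on getCerts[0] being nil.
    reqCerts = req.getCerts
    signerCert = (reqCerts.nil? || reqCerts.length == 0) ? nil : reqCerts[0]
    valid = !signerCert.nil? &&
            req.isSignatureValid(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.setProvider(prov).build(signerCert))
    unless valid
      # Separate variable on purpose: the original reassigned `res` here, so a
      # block returning e.g. true replaced the result hash and the later
      # res[:nonce] assignment failed.
      decision = block.call(:ocsp_verify_failed, { request: req, signer_cert: signerCert })
      # was `PkernelOpenssl::Error`, a namespace this module does not define
      raise PkernelJce::Error, "OCSP request verification failed" unless decision
    end
  end

  nonceField = req.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
  res[:nonce] = nonceField.parsed_value.getOctets unless nonceField.nil?

  req.getRequestList.each do |qc|
    cid = qc.getCertID
    info = {
      serial: cid.serial_number,
      issuer_key_hash: cid.issuer_key_hash,
      issuer_name_hash: cid.issuer_name_hash,
      cid: cid
    }
    # the block decides the status and the mechanism for each certificate
    block.call(info)
  end

  res
end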
to_bin(req)
# File lib/pkernel_jce/ocsp.rb, line 393
# DER-encode a built OCSP request so it can be sent to the responder.
#
# @param req [OCSPReq] request as returned by +generate+
# @return [Java::byte[]] DER encoding of the request
# @raise [PkernelJce::Error] when +req+ is nil
def to_bin(req)
  raise PkernelJce::Error, "Request object cannot be nil to convert to binary" if req.nil?
  req.encoded
end