module PkernelJce::CRL

Public Instance Methods

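# File lib/pkernel_jce/crl.rb, line 163
# Writes the DER encoding of +crl+ to the file named by opts[:file], or, when
# no file name is given, into an in-memory buffer whose bytes are returned.
#
# @param crl  object responding to #encoded (a Java X509CRL or a BC
#             X509CRLHolder both qualify)
# @param opts [Hash] :file => path to write to; nil or empty means "return bytes"
# @return Java byte[] with the DER bytes when no :file was given, nil after
#         writing to a file
# @raise [PkernelJce::Error] if +crl+ is nil
def dump(crl, opts = {})
  raise PkernelJce::Error, "Given CRL to dump is nil." if crl.nil?

  file = opts[:file]
  to_file = !(file.nil? || file.empty?)

  os = to_file ? java.io.FileOutputStream.new(file) : java.io.ByteArrayOutputStream.new
  begin
    os.write(crl.encoded)
    os.flush
  ensure
    # close in all cases so a failing write/flush does not leak the file handle
    os.close
  end

  # ByteArrayOutputStream#toByteArray is still valid after close
  os.toByteArray unless to_file
end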

# File lib/pkernel_jce/crl.rb, line 83
# Returns +crl+ as a BC org.bouncycastle.cert.X509CRLHolder (also reachable as
# to_bc_crl). A holder is handed back untouched; anything else is re-parsed
# from its DER encoding, so it must respond to #encoded.
#
# @raise [PkernelJce::Error] if +crl+ is nil
def ensure_bc_crl(crl)
  raise PkernelJce::Error, "CRL given to convert to BC object is nil" if crl.nil?

  return crl if crl.java_kind_of?(Java::OrgBouncycastleCert::X509CRLHolder)

  der_stream = java.io.ByteArrayInputStream.new(crl.encoded)
  org.bouncycastle.cert.X509CRLHolder.new(der_stream)
end
Also aliased as: to_bc_crl

# File lib/pkernel_jce/crl.rb, line 67
# Returns +crl+ as a java.security.cert.X509CRL (also reachable as
# to_java_crl). A BC X509CRLHolder is converted through JcaX509CRLConverter;
# any other object is returned as-is and assumed to already be a Java CRL.
#
# @raise [PkernelJce::Error] if +crl+ is nil
def ensure_java_crl(crl)
  raise PkernelJce::Error, "CRL given to convert to java object is nil" if crl.nil?

  return crl unless crl.java_kind_of?(Java::OrgBouncycastleCert::X509CRLHolder)

  org.bouncycastle.cert.jcajce.JcaX509CRLConverter.new.getCRL(crl)
end
Also aliased as: to_java_crl
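# File lib/pkernel_jce/crl.rb, line 6
# Builds and signs an X.509 v2 CRL issued by +identity+.
#
# @param identity issuer; must respond to #privKey and #certificate (a Java
#                 X509Certificate)
# @param opts [Hash]
#   :tbpCerts      Hash of certificate => { time:, reason: } entries to revoke;
#                  nil or empty produces an empty CRL
#   :provider      JCE provider used for signing; defaults to
#                  PkernelJce::Provider.add_default
#   :validity      CRL lifetime amount, default 1
#   :validity_unit unit for :validity (passed to Time#advance), default :days
#   :hashAlgo      despite the name, the full signature algorithm name; derived
#                  from the issuer key and SHA256 when absent
# @param block accepted for interface compatibility only; not used here
# @return the signed java.security.cert.X509CRL
# @raise [PkernelJce::Error] if +identity+ is nil
def generate(identity, opts = {}, &block)
  raise PkernelJce::Error, "Identity is nil in generating CRL" if identity.nil?

  # allow empty CRL
  tbpCerts = opts[:tbpCerts] || {}

  prov = opts[:provider]
  if prov.nil?
    prov = PkernelJce::Provider.add_default
  else
    PkernelJce::Provider.add_provider(prov)
  end

  validity = opts[:validity] || 1
  validityUnit = opts[:validity_unit] || :days
  signAlgo = opts[:hashAlgo] || PkernelJce::KeyPair.derive_signing_algo(identity.privKey, "SHA256")
  PkernelJce::GConf.instance.glog.debug "Signing algo for CRL is #{signAlgo}"

  # NOTE(review): org.bouncycastle.x509.X509V2CRLGenerator is the legacy BC
  # generator API (deprecated upstream in favour of X509v2CRLBuilder) — consider
  # migrating when the BC dependency is next updated.
  crlGen = org.bouncycastle.x509.X509V2CRLGenerator.new
  validFrom = Time.now
  # Time#advance is presumably ActiveSupport's, not core Ruby — confirm it is loaded
  validTo = validFrom.advance( validityUnit => validity )
  # CRL validity should not be more than issuer's
  if validFrom.to_java_date.before(identity.certificate.not_before)
    PkernelJce::GConf.instance.glog.debug "CRL new valid from has adjusted to match with issuer valid from : #{validFrom} [Original] / #{identity.certificate.not_before} [Issuer's certificate not before]"
    validFrom = identity.certificate.not_before
  end

  if validTo.to_java_date.after(identity.certificate.not_after)
    PkernelJce::GConf.instance.glog.debug "CRL new valid until has adjusted to match with issuer validity to : #{validTo} [Original] / #{identity.certificate.not_after} [Issuer's certificate not after]"
    validTo = identity.certificate.not_after
  end
  PkernelJce::GConf.instance.glog.debug "CRL validity #{validFrom} - #{validTo}"

  crlGen.issuer_dn = identity.certificate.getSubjectX500Principal
  crlGen.this_update = validFrom
  crlGen.next_update = validTo
  crlGen.signature_algorithm = signAlgo

  # The per-entry options get their own name: the previous code assigned them
  # to +opts+, clobbering the method's options hash from inside the loop.
  tbpCerts.each do |cert, entry_opts|
    time = entry_opts[:time] || java.util.Date.new
    reason = entry_opts[:reason] || Pkernel::CRLReason::UNSPECIFIED
    crlGen.addCRLEntry(cert.getSerialNumber, time, reason)
    PkernelJce::GConf.instance.glog.debug "Added cert into entry"
  end

  PkernelJce::GConf.instance.glog.debug "Generating CRL from issuer '#{identity.certificate.subjectDN.to_s}' [Provider #{prov.name}]"
  crlGen.generateX509CRL(identity.privKey, prov.name)
end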
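# File lib/pkernel_jce/crl.rb, line 133
# Checks whether +cert+ is listed in +crl+.
#
# The lookup is by serial number only; the caller must make sure the CRL was
# issued (and signed, see is_signature_valid?) by the certificate's issuer.
#
# Return shape is kept as existing callers expect:
#   false          when the CRL lists no certificates at all
#   [false, nil]   when the CRL has entries but not this certificate
#   [true, {...}]  when revoked, with :reason, :on and the raw entry as :object
# Note that [false, nil] is truthy in Ruby, so test the first element rather
# than the result itself.
#
# A CRL whose nextUpdate lies in the past is refused unless a block is given
# and returns a truthy value for (:expired, info); in that case a warning is
# logged and the stale CRL is still consulted.
#
# @param crl Java X509CRL or BC X509CRLHolder
# @param cert certificate accepted by PkernelJce::Certificate.to_bc_cert
# @yieldparam [Symbol] event, currently only :expired
# @yieldparam [Hash] info with :valid_until and :issuer
# @raise [PkernelJce::Error] if the CRL has expired and the block does not allow it
def is_revoked?(crl,cert,&block)
  # Convert first: the calls below are made on the java.security.cert.X509CRL
  # interface.
  crl = ensure_java_crl(crl)
  now = java.util.Date.new

  # Freshness is checked before the empty-CRL shortcut; otherwise an expired
  # CRL with no entries would silently answer "not revoked".
  next_update = crl.next_update
  if !next_update.nil? && next_update.before(now)
    cont = block && block.call(:expired, { valid_until: next_update, issuer: crl.issuer_x500_principal })
    unless cont
      raise PkernelJce::Error, "CRL expired at #{next_update}. Revocation check aborted."
    end
    PkernelJce::GConf.instance.glog.warn "Revocation checked against expired CRL [CRL Expired on #{next_update} / Ref Date : #{now}] based on application request."
  end

  revoked = crl.revoked_certificates
  return false if revoked.nil? || revoked.length == 0

  c = PkernelJce::Certificate.to_bc_cert(cert)
  revokedInfo = crl.get_revoked_certificate(c.serial_number)
  if revokedInfo.nil?
    [false, nil]
  else
    [true, { reason: revokedInfo.revocation_reason, on: revokedInfo.revocation_date, object: revokedInfo }]
  end
end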

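# File lib/pkernel_jce/crl.rb, line 99
# Verifies the CRL's signature against the issuer's public key.
#
# Only the cryptographic signature is checked. Whether the supplied key or
# certificate belongs to the trusted CRL issuer (issuer DN match, cRLSign key
# usage, validity of that certificate) is the caller's responsibility.
#
# @param crl Java X509CRL or BC X509CRLHolder
# @param opts [Hash] one of
#   :issuer_cert  certificate whose public key verifies the CRL (takes
#                 precedence when both are given)
#   :issuer_key   key accepted by PkernelJce::KeyPair.public_key
# @return [Boolean] true when the signature verifies; false when verification
#   fails (the failure is logged at error level)
# @raise [PkernelJce::Error] if +crl+ is nil or neither issuer option is given
def is_signature_valid?(crl, opts = { })
  raise PkernelJce::Error, "CRL pass to test signature validity for CRL is nil" if crl.nil?

  issuer_cert = opts[:issuer_cert]
  issuer_key = opts[:issuer_key]
  pubKey =
    if !issuer_cert.nil?
      PkernelJce::Certificate.public_key(issuer_cert)
    elsif !issuer_key.nil?
      PkernelJce::KeyPair.public_key(issuer_key)
    else
      raise PkernelJce::Error, "Neither issuer cert or key is available for signature verification"
    end

  crl = ensure_java_crl(crl)
  begin
    crl.verify(pubKey)
    true
  rescue java.security.GeneralSecurityException, StandardError => ex
    # X509CRL#verify reports a bad signature, wrong key or unknown algorithm by
    # throwing a GeneralSecurityException subclass. The previous `rescue
    # Exception` also swallowed Interrupt, SystemExit and JVM errors.
    PkernelJce::GConf.instance.glog.error ex
    false
  end
end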

# File lib/pkernel_jce/crl.rb, line 188
# Loads a CRL from a file (opts[:file]) or from raw bytes (opts[:bin]); a
# non-empty :file takes precedence. Parsing goes through the X.509
# CertificateFactory of the default provider registered by
# PkernelJce::Provider.add_default, so the result is a Java X509CRL.
#
# @raise [PkernelJce::Error] when neither source is supplied
def load(opts = {})
  file = opts[:file]
  bin = opts[:bin]

  crlbin =
    if !(file.nil? || file.empty?)
      PkernelJce::IoUtils.file_to_memory_byte_array(file)
    elsif !bin.nil?
      PkernelJce::IoUtils.ensure_java_bytes(bin)
    else
      raise PkernelJce::Error, "No source to load CRL from"
    end

  # Alternatives kept from the original for reference:
  #   plain Java parsing:  java.security.cert.CertificateFactory.getInstance("X.509").generateCRL(...)
  #   BC-native interface: org.bouncycastle.cert.X509CRLHolder.new(crlbin)
  prov = PkernelJce::Provider.add_default
  factory = java.security.cert.CertificateFactory.getInstance("X.509", prov)
  factory.generateCRL(java.io.ByteArrayInputStream.new(crlbin))
end
to_bc_crl(crl)
Alias for: ensure_bc_crl
to_java_crl(crl)
Alias for: ensure_java_crl