module PkernelJce::OCSP::Response
module Response
Constants
- ST_ERROR
- ST_MALFORM_REQ
- ST_SIG_REQUIRED
- ST_SUCCESSFUL
- ST_TRY_LATER
- ST_UNAUTHORIZED
Public Instance Methods
generate(identity, opts = { }, &block)
Used on the OCSP responder side.
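# File lib/pkernel_jce/ocsp.rb, line 59
# Builds and signs an OCSP response for the request carried in opts[:request].
# Used on the responder side.
#
# @param identity [Object] signer; must respond to pubKey, privKey and chain
# @param opts [Hash] :request (bytes of the OCSP request, required),
#   :provider (JCE provider name; the default provider is used when nil),
#   :signHash (digest used to derive the signing algorithm, default "SHA256")
# @yield [respBuilder, info] called once per request entry so the caller can add
#   a status to the BC JcaBasicOCSPRespBuilder; without a block every entry is
#   answered with UnknownStatus
# @return [OCSPResp] a SUCCESSFUL response wrapping the signed BasicOCSPResp
# @raise [PkernelJce::Error] when identity or the request is nil
def generate(identity, opts = { }, &block)
  raise PkernelJce::Error, "Identity is nil in generate OCSP response" if identity.nil?

  reqBin = opts[:request]
  # Added guard: a nil request only failed later inside OCSPRequestEngine.parse
  # with a less useful error.
  raise PkernelJce::Error, "Request is nil in generate OCSP response" if reqBin.nil?

  provider = opts[:provider]
  prov = provider.nil? ? PkernelJce::Provider.add_default : PkernelJce::Provider.add_provider(provider)

  # NOTE(review): the digest calculator is built on DefProvider while the signer below
  # uses prov — presumably deliberate for BC 157; confirm if a non-default provider is used.
  digest = org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder.new.setProvider(PkernelJce::Provider::DefProvider).build
  # For this version of BC (157) SHA-1 is the only responder-ID hash available.
  respBuilder = org.bouncycastle.cert.ocsp.jcajce.JcaBasicOCSPRespBuilder.new(identity.pubKey, digest.get(org.bouncycastle.cert.ocsp.RespID::HASH_SHA1))

  # Each request entry is answered either by the caller's block or as unknown.
  reqRes = OCSPRequestEngine.parse({ bin: reqBin }) do |info|
    if block
      block.call(respBuilder, info)
    else
      v_cert_status_unknown(respBuilder, info[:cid])
    end
  end
  req = reqRes[:req]

  # Echo the request nonce so the client can bind this response to its request.
  nonceField = req.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
  unless nonceField.nil?
    extGen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
    extGen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonceField.parsed_value.getOctets))
    respBuilder.setResponseExtensions(extGen.generate)
  end

  signHash = opts[:signHash] || "SHA256"
  signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(PkernelJce::KeyPair.derive_signing_algo(identity.privKey, signHash)).setProvider(prov).build(identity.privKey)
  # producedAt is "now"; the responder chain is embedded so clients can locate the signer.
  resp = respBuilder.build(signer, identity.chain, java.util.Date.new)

  # OCSPRespBuilder status codes: SUCCESSFUL = 0, MALFORMED_REQUEST = 1,
  # INTERNAL_ERROR = 2, TRY_LATER = 3, (4 unused), SIG_REQUIRED = 5, UNAUTHORIZED = 6.
  to_response_asn1(ST_SUCCESSFUL, resp)
end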
is_cert_good?(resp, cert_id, opts = { })
# File lib/pkernel_jce/ocsp.rb, line 172
# True when the entry for cert_id carries a nil cert_status (how a good status
# is reported here; compare v_cert_good).
#
# @param resp [OCSPResp] parsed response
# @param cert_id [CertificateID] certificate to look up
# @param opts [Hash] unused
# @return [Boolean] false when no entry matches cert_id
def is_cert_good?(resp, cert_id, opts = { })
  entry = resp.response_object.responses.find { |single| single.cert_id.equals(cert_id) }
  return false if entry.nil?

  entry.cert_status.nil?
end
is_cert_revoked?(resp, cert_id, opts = { })
# File lib/pkernel_jce/ocsp.rb, line 183
# Looks for an entry matching cert_id whose status is a BC RevokedStatus.
#
# @param resp [OCSPResp] parsed response
# @param cert_id [CertificateID] certificate to look up
# @param opts [Hash] unused
# @return [Array] [true, reason, time] for the first revoked match, otherwise [false]
def is_cert_revoked?(resp, cert_id, opts = { })
  resp.response_object.responses.each do |entry|
    next unless entry.cert_id.equals(cert_id)

    status = entry.cert_status
    # a matching entry with a non-revoked status is skipped, not reported
    next if status.nil? || !status.java_kind_of?(org.bouncycastle.cert.ocsp.RevokedStatus)

    return [true, status.revocation_reason, status.revocation_time]
  end
  [false]
end
is_cert_unknown?(resp, cert_id, opts = { })
# File lib/pkernel_jce/ocsp.rb, line 196
# True when the first entry matching cert_id carries a BC UnknownStatus.
#
# @param resp [OCSPResp] parsed response
# @param cert_id [CertificateID] certificate to look up
# @param opts [Hash] unused
# @return [Boolean] false when no entry matches cert_id
def is_cert_unknown?(resp, cert_id, opts = { })
  entry = resp.response_object.responses.find { |single| single.cert_id.equals(cert_id) }
  return false if entry.nil?

  status = entry.cert_status
  !status.nil? && status.java_kind_of?(org.bouncycastle.cert.ocsp.UnknownStatus)
end
parse(opts = {})
Invoked on the client side to read the result.
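# File lib/pkernel_jce/ocsp.rb, line 125
# Decodes an OCSP response and checks its signature. Invoked on the client side.
#
# @param opts [Hash] :file (path to a DER response) or :bin (raw bytes), one of
#   which is required; :provider (JCE provider name, default provider when nil)
# @return [OCSPResp] the decoded response, only when its status is
#   ST_SUCCESSFUL and the embedded signature verifies
# @raise [PkernelJce::Error] when no input is given, the status is not
#   successful, no signer certificate is embedded, or the signature fails
def parse(opts = {})
  file = opts[:file]
  bin = opts[:bin]
  bresp =
    if file
      IoUtils.file_to_memory_byte_array(file)
    elsif bin
      IoUtils.ensure_java_bytes(bin)
    else
      raise PkernelJce::Error, "No OCSP response input available for parsing"
    end

  resp = org.bouncycastle.cert.ocsp.OCSPResp.new(bresp)
  unless resp.status == ST_SUCCESSFUL
    raise PkernelJce::Error, "OCSP response unsuccessful. Message was : #{resp.status}"
  end

  respObj = resp.response_object
  # Added guard: a response with no embedded certificates previously reached BC
  # with a nil certificate and failed with a bare Java exception.
  signerCert = respObj.certs[0]
  if signerCert.nil?
    raise PkernelJce::Error, "OCSP response carries no signer certificate. Result discarded."
  end

  provider = opts[:provider]
  prov = provider.nil? ? PkernelJce::Provider.add_default : PkernelJce::Provider.add_provider(provider)

  # NOTE(review): the signature is verified against the first certificate the
  # response itself carries. Nothing here chains that certificate to the issuing
  # CA or an authorised responder, and the request nonce is not compared (a nonce
  # read was commented out in the original). Callers must establish responder
  # trust and freshness separately before acting on the status.
  verifier = org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.setProvider(prov).build(signerCert)
  unless respObj.is_signature_valid?(verifier)
    raise PkernelJce::Error, "OCSP response digital signature failed to be verified. Result discarded."
  end

  resp
end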
to_bin(resp)
# File lib/pkernel_jce/ocsp.rb, line 219
# Returns the encoded bytes of a response object.
#
# @param resp [Object] anything responding to #encoded (e.g. a BC OCSPResp)
# @return [Object] whatever resp.encoded returns
# @raise [PkernelJce::Error] when resp is nil
def to_bin(resp)
  raise PkernelJce::Error, "Response object is nil to convert to bin" if resp.nil?

  resp.encoded
end
to_response_asn1(st, resp = nil)
# File lib/pkernel_jce/ocsp.rb, line 118
# Wraps a basic response in a BC OCSPResp carrying status code st.
#
# @param st [Integer] one of the ST_* status codes
# @param resp [BasicOCSPResp, nil] signed body; nil is accepted (presumably
#   for non-successful statuses — confirm against the BC builder)
# @return [OCSPResp] the outer response object
def to_response_asn1(st, resp = nil)
  outer = org.bouncycastle.cert.ocsp.OCSPRespBuilder.new
  outer.build(st, resp)
end
v_cert_good(resp, cid, opts = { })
# File lib/pkernel_jce/ocsp.rb, line 207
# Adds a GOOD entry for cid to the response builder.
#
# @param resp [JcaBasicOCSPRespBuilder] builder under construction
# @param cid [CertificateID] certificate being answered
# @param opts [Hash] unused
# @return [Object] result of the builder's addResponse call
def v_cert_good(resp, cid, opts = { })
  good = org.bouncycastle.cert.ocsp.CertificateStatus::GOOD
  resp.addResponse(cid, good)
end
v_cert_revoked(resp, cid, reason = Pkernel::CRLReason::UNSPECIFIED, revokedOn = java.util.Date.new, opts = { })
# File lib/pkernel_jce/ocsp.rb, line 211
# Adds a REVOKED entry for cid to the response builder.
#
# @param resp [JcaBasicOCSPRespBuilder] builder under construction
# @param cid [CertificateID] certificate being answered
# @param reason [Integer] CRL reason code, defaults to UNSPECIFIED
# @param revokedOn [java.util.Date] revocation time; defaults to the time of this call
# @param opts [Hash] unused
# @return [Object] result of the builder's addResponse call
def v_cert_revoked(resp, cid, reason = Pkernel::CRLReason::UNSPECIFIED, revokedOn = java.util.Date.new, opts = { })
  revoked = org.bouncycastle.cert.ocsp.RevokedStatus.new(revokedOn, reason)
  resp.addResponse(cid, revoked)
end
v_cert_status_unknown(resp, cid, opts= { })
# File lib/pkernel_jce/ocsp.rb, line 215
# Adds an UNKNOWN entry for cid to the response builder; this is what generate
# uses when the caller supplies no block.
#
# @param resp [JcaBasicOCSPRespBuilder] builder under construction
# @param cid [CertificateID] certificate being answered
# @param opts [Hash] unused
# @return [Object] result of the builder's addResponse call
def v_cert_status_unknown(resp, cid, opts= { })
  unknown = org.bouncycastle.cert.ocsp.UnknownStatus.new
  resp.addResponse(cid, unknown)
end