Class: Ccrypto::Ruby::PKCS7Engine

Inherits:
Object
  • Object
show all
Includes:
DataConversion, TR::CondUtils, TeLogger::TeLogHelper
Defined in:
lib/ccrypto/ruby/engines/pkcs7_engine.rb

Instance Method Summary collapse

Methods included from DataConversion

#from_b64, #from_hex, included, #to_b64, #to_hex, #to_int_array

Constructor Details

#initialize(config) ⇒ PKCS7Engine

Returns a new instance of PKCS7Engine.

Raises:



17
18
19
20
 
# File 'lib/ccrypto/ruby/engines/pkcs7_engine.rb', line 17

def initialize(config)
  @config = config
  raise PKCS7EngineException, "Ccrypto::PKCS7Config is expected" if not @config.is_a?(Ccrypto::PKCS7Config)
end

Instance Method Details

#decrypt(val, &block) ⇒ Object

Raises:



150
151
152
153
154
155
156
157
158
159
 
# File 'lib/ccrypto/ruby/engines/pkcs7_engine.rb', line 150

def decrypt(val, &block)
  validate_input(val, "decrypt") 
  validate_key_must_exist("decrypt")

  raise PKCS7EngineException, "certForDecryption is required for PKCS7 decrypt operation" if is_empty?(@config.certForDecryption)
  raise PKCS7EngineException, "Given certForDecryption must be a Ccrypto::X509Cert object" if not @config.certForDecryption.is_a?(Ccrypto::X509Cert)

  p7 = OpenSSL::PKCS7.new(val)
  p7.decrypt(@config.private_key.native_privKey, @config.certForDecryption.nativeX509)
end

#encrypt(val, &block) ⇒ Object

Raises:



123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
 
# File 'lib/ccrypto/ruby/engines/pkcs7_engine.rb', line 123

def encrypt(val, &block)
  validate_input(val, "encrypt") 
  raise PKCS7EngineException, "At least one recipient_cert is required for PKCS7 encrypt" if is_empty?(@config.recipient_certs)
  
  recps = @config.recipient_certs.map do |c|
    raise PKCS7EngineException, "Given recipient_cert must be a Ccrypto::X509Cert object" if not c.is_a?(Ccrypto::X509Cert)
    c.nativeX509
  end

  if block
    cipher = block.call(:cipher)
    teLogger.debug "Application given cipher : #{cipher}"
  end

  cipher = "AES-256-CBC" if is_empty?(cipher)

  teLogger.debug "Setting P7 encryption cipher #{cipher}"
  cip = OpenSSL::Cipher.new(cipher)

  begin
    OpenSSL::PKCS7.encrypt(recps, val, cip, OpenSSL::PKCS7::BINARY)
  rescue OpenSSL::PKCS7::PKCS7Error => ex
    raise PKCS7EngineException, ex
  end

end

#sign(val, outFormat = :bin, &block) ⇒ Object

Raises:



22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
 
# File 'lib/ccrypto/ruby/engines/pkcs7_engine.rb', line 22

def sign(val, outFormat = :bin, &block)
  validate_input(val, "signing") 
  validate_key_must_exist("signing")
  raise PKCS7EngineException, "signerCert is required for PKCS7 sign operation" if is_empty?(@config.signerCert)
  raise PKCS7EngineException, "Given signerCert must be a Ccrypto::X509Cert object" if not @config.signerCert.is_a?(Ccrypto::X509Cert)

  privKey = @config.private_key.native_privKey

  caCerts = []
  attached = true
  if block
    caCerts = block.call(:ca_certs)
    detachedSign = block.call(:detached_sign)
    attached = ! detachedSign if is_bool?(detachedSign)
  end

  caCerts = [] if caCerts.nil?
  attached = true if is_empty?(attached) and not is_bool?(attached)

  if not attached
    flag = OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::DETACHED
  else
    flag = OpenSSL::PKCS7::BINARY
  end

  res = OpenSSL::PKCS7.sign(@config.signerCert.nativeX509, privKey, val, caCerts, flag) 
  case outFormat
  when :b64
    to_b64(res.to_der)
  when :hex
    to_hex(res.to_der)
  else
    res.to_der
  end
end

#verify(val, inForm = :bin, &block) ⇒ Object 



58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
 
# File 'lib/ccrypto/ruby/engines/pkcs7_engine.rb', line 58

def verify(val, inForm = :bin, &block)
  validate_input(val, "verify") 

  case inForm
  when :b64
    v = from_b64(val)
  when :hex
    v = from_hex(val)
  else
    v = val
  end

  p7 = OpenSSL::PKCS7.new(v)

  certVerified = true
  store = OpenSSL::X509::Store.new
  p7.certificates.each do |c|
    if block
      certVerified = block.call(:verify_certificate, c)
      if is_empty?(certVerified)
        teLogger.debug "Certificate with subject #{c.subject.to_s} / Issuer: #{c.issuer.to_s} / SN: #{c.serial.to_s(16)} passed through (no checking by application). Assumed good cert."
        store.add_cert(c)
        certVerified = true
      else
        if certVerified
          teLogger.debug "Certificate with subject #{c.subject.to_s} / Issuer: #{c.issuer.to_s} / SN: #{c.serial.to_s(16)} accepted by application"
          store.add_cert(c)
        else
          teLogger.debug "Certificate with subject #{c.subject.to_s} / Issuer: #{c.issuer.to_s} / SN: #{c.serial.to_s(16)} rejected by application"
        end
      end
    else
      teLogger.debug "Certificate with subject #{c.subject.to_s} / Issuer: #{c.issuer.to_s} / SN: #{c.serial.to_s(16)} passed through (no checking by application)"
      store.add_cert(c)
    end
  end

  if certVerified
    
    if p7.detached?
      teLogger.debug "Detached signature detected during signature verification"
      raise PKCS7EngineException, "block is required for detached signature" if not block
      data = block.call(:signed_data)
      p7.data = data
    else
      teLogger.debug "Attached signature detected during signature verification"
    end

    res = p7.verify([], store, nil, OpenSSL::PKCS7::NOVERIFY)

    if block
      block.call(:verification_result, res)
      if res and not p7.detached?
        block.call(:attached_data, p7.data)
      end
    end

    res

  else
    certVerified
  end

end