Module: PkernelJce::Certificate

Included in:
Pkernel::Certificate, CertificateEngine
Defined in:
lib/pkernel_jce/certificate.rb

Defined Under Namespace

Modules: ExtKeyUsage, KeyUsage


Class Method Details

.ensure_bc_cert(cert) ⇒ Object

end ensure_java_cert



# File 'lib/pkernel_jce/certificate.rb', line 701

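# Convert a certificate, or an Array of certificates, into BouncyCastle
# X509CertificateHolder form.
#
# @param cert [java.security.cert.Certificate, Java::OrgBouncycastleCert::X509CertificateHolder, Array]
#   a JCA certificate, a BC holder, or an Array mixing both
# @return [Java::OrgBouncycastleCert::X509CertificateHolder, Array] the holder, or a
#   new Array of holders for Array input (the caller's Array is not modified)
# @raise [PkernelJce::Error] when cert is nil or an element is of an unknown type
def Certificate.ensure_bc_cert(cert)
  raise PkernelJce::Error, "Certificate for conversion to bc is nil" if cert.nil?

  to_holder = lambda do |c|
    case c
    when java.security.cert.Certificate
      c.to_bc_cert_holder
    when Java::OrgBouncycastleCert::X509CertificateHolder
      c
    else
      raise PkernelJce::Error, "Unknown certificate type '#{c.class}'"
    end
  end

  # map (not map!) so an Array passed by the caller is left untouched
  cert.is_a?(Array) ? cert.map(&to_holder) : to_holder.call(cert)
end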

.ensure_java_cert(cert) ⇒ Object

end is_issuer_cert?



# File 'lib/pkernel_jce/certificate.rb', line 684

# Convert a certificate to its JCA (java.security.cert.Certificate) form.
#
# @param cert [java.security.cert.Certificate, Java::OrgBouncycastleCert::X509CertificateHolder]
# @return [java.security.cert.Certificate] the input itself when it already is a JCA
#   certificate, otherwise the BC holder converted through to_java_cert
# @raise [PkernelJce::Error] when cert is nil or of an unrecognised type
def Certificate.ensure_java_cert(cert)
  raise PkernelJce::Error, "Certificate for conversion to java is nil" if cert.nil?

  case cert
  when java.security.cert.Certificate then cert
  when Java::OrgBouncycastleCert::X509CertificateHolder then cert.to_java_cert
  else raise PkernelJce::Error, "Unknown certificate type '#{cert.class}'"
  end
end

.get_subject_fields(cert, fields) ⇒ Object

Supported field keys: :cn, :e, :ou, :o, :c



# File 'lib/pkernel_jce/certificate.rb', line 782

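# Pick selected attributes out of the certificate's subject DN.
#
# @param cert [Object] a certificate accepted by Certificate.to_java_cert
# @param fields [Symbol, String, Array<Symbol, String>] attribute type(s) to extract,
#   case-insensitive (e.g. :cn, :ou); a single key or a list
# @return [Hash{Symbol => Array<String>}] each requested type found in the DN, keyed by
#   its lower-cased symbol, with every occurrence of the attribute collected in order
#   (several OU= entries all survive); "" when cert is nil
def Certificate.get_subject_fields(cert, fields)
  # work on an upper-cased copy; the caller's Array must not be mutated
  wanted = (fields.is_a?(Array) ? fields : [fields]).map { |f| f.to_s.upcase }

  # NOTE(review): historic quirk kept for compatibility - a nil certificate yields "" not {}
  return "" if cert.nil?

  res = {}
  subj = Certificate.to_java_cert(cert).getSubjectDN.getName
  # NOTE(review): a plain comma split does not honour escaped commas inside attribute
  # values (RFC 2253 "\,"); acceptable for simple DNs only
  subj.split(",").each do |component|
    # split on the first "=" only so values containing "=" are not truncated;
    # strip so a ", " separator does not leave a leading blank on the type
    type, value = component.strip.split("=", 2)
    next if type.nil?

    type = type.upcase
    next unless wanted.include?(type)

    # accumulate rather than overwrite so repeated attributes are all kept
    (res[type.downcase.to_sym] ||= []) << value
  end

  res
end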

.is_cert_object?(obj) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pkernel_jce/certificate.rb', line 749

# Tell whether +obj+ is one of the certificate representations this module handles.
#
# @param obj [Object] any value, nil included
# @return [Boolean] true for a JCA Certificate, a BC X509CertificateHolder or a BC
#   X509CertificateObject; false for nil and anything else
def Certificate.is_cert_object?(obj)
  return false if obj.nil?

  cert_types = [
    java.security.cert.Certificate,
    Java::OrgBouncycastleCert::X509CertificateHolder,
    Java::OrgBouncycastleJcajceProviderAsymmetricX509::X509CertificateObject
  ]
  # Module#=== is exactly what case/when applies, just written as an Enumerable query
  cert_types.any? { |type| type === obj }
end

.is_equal?(cert1, cert2) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pkernel_jce/certificate.rb', line 772

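# Compare two certificates for equality.
#
# @param cert1 [Object] first certificate (JCA certificate or BC holder)
# @param cert2 [Object] second certificate (JCA certificate or BC holder)
# @return [Boolean] false unless BOTH arguments are certificate objects; otherwise the
#   result of the JCA equals() on the two certificates converted to JCA form
def Certificate.is_equal?(cert1, cert2)
  # both sides must be certificates: with only one of them checked, a non-certificate
  # argument reaches ensure_java_cert and raises instead of answering false
  return false unless Certificate.is_cert_object?(cert1) && Certificate.is_cert_object?(cert2)

  Certificate.ensure_java_cert(cert1).equals(Certificate.ensure_java_cert(cert2))
end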

.is_ext_key_usage_set?(cert, eku) ⇒ Boolean

Returns:

  • (Boolean)

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 762

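# Check whether the certificate's Extended Key Usage extension lists the given purpose.
#
# @param cert [Object] a certificate accepted by Certificate.to_bc_cert
# @param eku [org.bouncycastle.asn1.x509.KeyPurposeId] the purpose to look for
# @return [Boolean] true when the EKU extension is present and contains +eku+;
#   false when the certificate carries no EKU extension at all
# @raise [PkernelJce::Error] when cert is nil
def Certificate.is_ext_key_usage_set?(cert, eku)
  raise PkernelJce::Error, "Certificate not given to check eku." if cert.nil?

  holder = Certificate.to_bc_cert(cert)
  ext = holder.getExtension(org.bouncycastle.asn1.x509.Extension.extendedKeyUsage)
  # getExtension returns nil when the extension is absent; no EKU means no purpose is asserted
  return false if ext.nil?

  ext_key_usage = org.bouncycastle.asn1.x509.ExtendedKeyUsage.getInstance(ext.getParsedValue)
  ext_key_usage.hasKeyPurposeId(eku)
end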

.is_issuer_cert?(cert) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pkernel_jce/certificate.rb', line 674

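# Tell whether the certificate is usable as an issuer (CA) certificate.
#
# @param cert [Object] a certificate accepted by Certificate.ensure_java_cert
# @return [Boolean] true when KeyUsage has keyCertSign set AND basic constraints mark it
#   as a CA; false for nil and for certificates without a KeyUsage extension
def Certificate.is_issuer_cert?(cert)
  return false if cert.nil?

  cert = Certificate.ensure_java_cert(cert)
  key_usage = cert.getKeyUsage
  # getKeyUsage returns nil when the KeyUsage extension is absent; indexing it would raise
  return false if key_usage.nil?

  # bit 5 of KeyUsage is keyCertSign (RFC 5280); getBasicConstraints is -1 for a non-CA
  key_usage[5] && cert.getBasicConstraints != -1
end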

.is_self_signed?(cert) ⇒ Boolean

is_self_signed?

Returns:

  • (Boolean)


# File 'lib/pkernel_jce/certificate.rb', line 661

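# Tell whether the certificate's signature verifies under its own public key.
#
# @param cert [Object] a certificate accepted by Certificate.ensure_java_cert
# @return [Boolean] true when verify() succeeds with the certificate's own key;
#   false for nil, for an unrecognised object, or when verification fails
def Certificate.is_self_signed?(cert)
  return false if cert.nil?

  # convert first so a BC holder is checked properly instead of failing on a
  # missing verify method
  jcert = Certificate.ensure_java_cert(cert)
  jcert.verify(jcert.public_key)
  true
rescue StandardError, java.lang.Exception
  # verification failure surfaces as a Java exception, type problems as Ruby errors;
  # both mean "not self-signed". Interrupt/SystemExit are deliberately NOT swallowed.
  false
end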

.parse_into_fields(cert) ⇒ Object

end get_subject_fields



# File 'lib/pkernel_jce/certificate.rb', line 809

# Summarise a certificate's main fields in a Hash.
#
# @param cert [Object] a certificate accepted by Certificate.to_java_cert, or nil
# @return [Hash] :subject, :issuer, :serialNo, :notBefore, :notAfter and :keyType;
#   an empty Hash when cert is nil
def Certificate.parse_into_fields(cert)
  fields = {}
  return fields if cert.nil?

  jcert = Certificate.to_java_cert(cert)
  fields[:subject] = jcert.getSubjectDN.to_s
  fields[:issuer] = jcert.getIssuerDN.to_s
  fields[:serialNo] = jcert.serial_number
  fields[:notBefore] = jcert.notBefore
  fields[:notAfter] = jcert.notAfter
  fields[:keyType] = Pkernel::KeyPair::pub_key_type(Certificate.public_key(jcert))
  # not extracted yet: keyUsage, extKeyUsage, subjKeyId, authKeyId, crl, ocsp, altName

  fields
end

.public_key(cert) ⇒ Object

end ensure_bc_cert



# File 'lib/pkernel_jce/certificate.rb', line 733

# Extract the public key from a certificate.
#
# @param cert [java.security.cert.Certificate, Java::OrgBouncycastleCert::X509CertificateHolder]
# @return [Object] the JCA certificate's public key, or for a BC holder the key built by
#   PkernelJce::KeyPair.public_key from its SubjectPublicKeyInfo
# @raise [PkernelJce::Error] when cert is nil or of an unrecognised type
def Certificate.public_key(cert)
  raise PkernelJce::Error, "Object pass to public_key on certificate is nil" if cert.nil?

  case cert
  when java.security.cert.Certificate then cert.public_key
  when Java::OrgBouncycastleCert::X509CertificateHolder
    PkernelJce::KeyPair.public_key(cert.subject_public_key_info)
  else raise PkernelJce::Error, "Unknown certificate type '#{cert.class}'"
  end
end

.to_binary(cert) ⇒ Object

This is necessary because OpenSSL or Ruby does not recognise the .encoded method; short of patching every Certificate object in the other realm with an .encoded method, this is the cleaner way to do it.



# File 'lib/pkernel_jce/certificate.rb', line 651

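# Return the certificate's encoded (DER) bytes.
#
# @param cert [Object] a certificate responding to +encoded+ (JCA certificate or BC holder)
# @return [Object] the value of cert.encoded
# @raise [PkernelJce::Error] when cert is nil
def Certificate.to_binary(cert)
  # nil must be rejected up front; the encoded form is only obtainable from a real object
  raise PkernelJce::Error, "Certificate for conversion to binary is nil" if cert.nil?

  cert.encoded
end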

Instance Method Details

#dump(cert, params = {}) ⇒ Object

end generate



# File 'lib/pkernel_jce/certificate.rb', line 322

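# Serialize a certificate; the result is always returned as bytes and, when
# params[:file] is given, written to that file as well.
#
# @param cert [Object] a certificate responding to +encoded+ (JCA certificate or BC holder)
# @param params [Hash] :file - optional path to write to;
#   :out_form / :outForm / :outform - :b64/:base64, :hex, :bin, or anything else
#   (including nil) for PEM
# @return [Java::byte[]] the serialized certificate in the requested form
# @raise [PkernelJce::Error] when cert is nil
def dump(cert, params = {})
  raise PkernelJce::Error, "Certificate object to be written is nil" if cert.nil?

  file = params[:file]
  baos = java.io.ByteArrayOutputStream.new
  writer = nil
  fos = nil

  # Writes already-encoded data to the optional file and to the in-memory buffer.
  # The file stream is flushed and closed in the ensure block below.
  write_encoded = lambda do |file_data, mem_data|
    unless file.nil?
      fos = java.io.FileOutputStream.new(file)
      fos.write file_data
    end
    baos.write(mem_data)
  end

  # Opens a PEM writer over the file when given, otherwise over the in-memory buffer.
  open_pem_writer = lambda do |what|
    target = if file.nil?
               PkernelJce::GConf.instance.glog.debug "#{what} to memory"
               baos
             else
               PkernelJce::GConf.instance.glog.debug "#{what} to file '#{file}'"
               java.io.FileOutputStream.new(file)
             end
    org.bouncycastle.openssl.jcajce.JcaPEMWriter.new(java.io.OutputStreamWriter.new(target))
  end

  begin
    outForm = params[:out_form] || params[:outForm] || params[:outform]
    case (outForm.nil? ? nil : outForm.to_sym)
    when :b64, :base64
      res = PkernelJce::Converter.to_b64(cert.encoded)
      # the buffer receives the text as bytes; getBytes uses the platform charset,
      # which is harmless for base64/hex output
      write_encoded.call(res, res.to_java.getBytes)
    when :hex
      res = PkernelJce::Converter.to_hex(cert.encoded)
      write_encoded.call(res, res.to_java.getBytes)
    when :bin
      res = cert.encoded
      write_encoded.call(res, res)
    else
      # PEM is the default (as with openssl); note that an unrecognised out_form
      # value also lands here silently
      writer = open_pem_writer.call(outForm.nil? ? "[D] Dump certificate" : "Dump PEM certificate")
      writer.writeObject(cert)
    end
  ensure
    unless writer.nil?
      writer.flush
      writer.close
    end

    unless fos.nil?
      fos.flush
      fos.close
    end
  end

  baos.toByteArray
end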

#dump_to_file(cert, path, opts = { }) ⇒ Object Also known as: dump_to_file_pem

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 409

# Write +cert+ to +path+ in PEM form (see #dump for the remaining options).
#
# @param cert [Object] certificate to write
# @param path [String] destination file
# @param opts [Hash, nil] extra options forwarded to #dump
# @return [Java::byte[]] the bytes written
# @raise [PkernelJce::Error] when opts is not a Hash
def dump_to_file(cert, path, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  dump(cert, opts.merge(file: path))
end

#dump_to_file_b64(cert, path, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 422

# Write +cert+ to +path+ as base64 text (see #dump).
#
# @param cert [Object] certificate to write
# @param path [String] destination file
# @param opts [Hash, nil] extra options forwarded to #dump; outForm is forced to :b64
# @return [Java::byte[]] the bytes written
# @raise [PkernelJce::Error] when opts is not a Hash
def dump_to_file_b64(cert, path, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  dump(cert, opts.merge(file: path, outForm: :b64))
end

#dump_to_file_bin(cert, path, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 444

# Write +cert+ to +path+ as raw DER bytes (see #dump).
#
# @param cert [Object] certificate to write
# @param path [String] destination file
# @param opts [Hash, nil] extra options forwarded to #dump; outForm is forced to :bin
# @return [Java::byte[]] the bytes written
# @raise [PkernelJce::Error] when opts is not a Hash
def dump_to_file_bin(cert, path, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  dump(cert, opts.merge(file: path, outForm: :bin))
end

#dump_to_file_hex(cert, path, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 433

# Write +cert+ to +path+ as hex text (see #dump).
#
# @param cert [Object] certificate to write
# @param path [String] destination file
# @param opts [Hash, nil] extra options forwarded to #dump; outForm is forced to :hex
# @return [Java::byte[]] the bytes written
# @raise [PkernelJce::Error] when opts is not a Hash
def dump_to_file_hex(cert, path, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  dump(cert, opts.merge(file: path, outForm: :hex))
end

#dump_to_mem(cert, opts = { }) ⇒ Object Also known as: dump_to_mem_pem

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 415

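# Serialize +cert+ to memory in PEM form (see #dump).
#
# @param cert [Object] certificate to serialize
# @param opts [Hash, nil] options forwarded to #dump, like the other dump_to_mem_* helpers
# @return [Java::byte[]] the PEM bytes
# @raise [PkernelJce::Error] when opts is not a Hash
def dump_to_mem(cert, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # validated options were previously dropped; forward them as the sibling helpers do
  dump(cert, opts)
end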

#dump_to_mem_b64(cert, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 427

# Serialize +cert+ to memory as base64 text (see #dump).
#
# @param cert [Object] certificate to serialize
# @param opts [Hash, nil] options forwarded to #dump; outForm is forced to :b64
# @return [Java::byte[]] the base64 bytes
# @raise [PkernelJce::Error] when opts is not a Hash
def dump_to_mem_b64(cert, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  dump(cert, opts.merge(outForm: :b64))
end

#dump_to_mem_bin(cert, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 449

# Serialize +cert+ to memory as raw DER bytes (see #dump).
#
# @param cert [Object] certificate to serialize
# @param opts [Hash, nil] options forwarded to #dump; outForm is forced to :bin
# @return [Java::byte[]] the DER bytes
# @raise [PkernelJce::Error] when opts is not a Hash
def dump_to_mem_bin(cert, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  dump(cert, opts.merge(outForm: :bin))
end

#dump_to_mem_hex(cert, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 438

# Serialize +cert+ to memory as hex text (see #dump).
#
# @param cert [Object] certificate to serialize
# @param opts [Hash, nil] options forwarded to #dump; outForm is forced to :hex
# @return [Java::byte[]] the hex bytes
# @raise [PkernelJce::Error] when opts is not a Hash
def dump_to_mem_hex(cert, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  dump(cert, opts.merge(outForm: :hex))
end

#generate(params = {}, &block) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 100

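# Build and sign an X.509 v3 certificate.
#
# @param params [Hash] :owner (responds to to_x500_subject, emails, dns_names), :pubKey,
#   :serial (hex String or java.math.BigInteger; requested from the block when absent),
#   :keypair_provider, :cert_provider, :issuer (truthy = issue a CA certificate),
#   :match_issuer_validity (default true: clamp the validity period to the issuer's)
# @yield [key, *args] the block is asked for :serial, :signHash, :issuerKey, :issuerCert,
#   :keyUsage, :extKeyUsage, :crls and :ocsp, and is notified with (:warning, Hash)
#   whenever the requested validity was adjusted to the issuer certificate
# @return [java.security.cert.X509Certificate] the signed certificate
# @raise [PkernelJce::Error] when no block is given or the issuer key resolves to nil
def generate(params = {}, &block)
  raise PkernelJce::Error, "Block is required for certificate generation function" if block.nil?

  PkernelJce::GConf.instance.glog.debug "Certificate generate parameters: #{params.inspect}"
  owner = params[:owner]
  pubKey = params[:pubKey]
  serial = params[:serial]
  kProv = params[:keypair_provider]
  cProv = params[:cert_provider]
  issuer = params[:issuer]
  # default to true only when the option is absent/nil; an explicit false must switch
  # the clamping off (`params[...] || true` forced it on unconditionally)
  matchIssuerValidity = params[:match_issuer_validity]
  matchIssuerValidity = true if matchIssuerValidity.nil?

  warning = { }

  # :issuer is a flag: truthy means "issue a CA certificate"
  issuer = false if issuer.nil?

  pubKey = PkernelJce::KeyPair.public_key(pubKey)

  cProv = PkernelJce::Provider.add_provider(cProv.nil? ? PkernelJce::Provider::DefProvider : cProv)
  kProv = PkernelJce::Provider.add_provider(kProv.nil? ? PkernelJce::Provider::DefProvider : kProv)

  extUtils = org.bouncycastle.cert.bc.BcX509ExtensionUtils.new

  # ask the block for a serial only when none (or an empty string) was supplied;
  # a java.math.BigInteger has no empty?, so guard that call
  if serial.nil? || (serial.respond_to?(:empty?) && serial.empty?)
    serial = block.call(:serial)
  end

  # anything that is not already a BigInteger is taken to be a hex string
  serial = java.math.BigInteger.new(serial, 16) unless serial.is_a?(java.math.BigInteger)

  signHash = block.call(:signHash)
  issuerKey = block.call(:issuerKey)
  issuerCert = block.call(:issuerCert)

  issuerKey = PkernelJce::KeyPair.private_key(issuerKey)
  raise PkernelJce::Error, "Issuer key cannot be nil" if issuerKey.nil?

  signAlgo = PkernelJce::KeyPair.derive_signing_algo(issuerKey, signHash)
  signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(signAlgo).setProvider(kProv).build(issuerKey)
  x500Name = owner.to_x500_subject

  if !issuerCert.nil?
    issuerCert = issuerCert.to_java_cert if issuerCert.java_kind_of?(org.bouncycastle.cert.X509CertificateHolder)

    validFrom, validTo = calculate_validity(params) do |from, to|
      if matchIssuerValidity
        PkernelJce::GConf.instance.glog.debug "Match issuer validity against issuer certificate is activated."
        PkernelJce::GConf.instance.glog.debug "Issuer Cert : #{issuerCert.subject_dn.to_s} / #{issuerCert.not_before} / #{issuerCert.not_after}"

        # a subordinate certificate must not become valid before its issuer ...
        if from.to_java_date.before(issuerCert.not_before)
          PkernelJce::GConf.instance.glog.warn "Certificate valid from has adjusted to match issuer valid from: #{from} [User requested] / #{issuerCert.not_before} [Adjusted to issuer]"
          warning[:valid_from] = { }
          warning[:valid_from][:requested] = from

          from = issuerCert.not_before

          warning[:valid_from][:adjusted] = issuerCert.not_before
          warning[:valid_from][:reason] = "Certificate being issued cannot have validity start date before issuer's certificate validity start date."
          block.call(:warning, warning)
        end

        # ... nor outlive it
        if to.to_java_date.after(issuerCert.not_after)
          PkernelJce::GConf.instance.glog.warn "Certificate valid to has adjusted to match issuer valid to: #{to} [User requested] / #{issuerCert.not_after} [Adjusted to issuer]"

          warning[:valid_to] = { }
          warning[:valid_to][:requested] = to

          to = issuerCert.not_after

          warning[:valid_to][:adjusted] = issuerCert.not_after
          warning[:valid_to][:reason] = "Certificate being issued cannot have validity end date after issuer's certificate validity end date."
          block.call(:warning, warning)
        end
      end

      [from, to]
    end

    certGen = org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder.new(issuerCert, serial, validFrom, validTo, x500Name, pubKey)
    # authority key identifier derived from the issuer's public key
    certGen.addExtension(org.bouncycastle.asn1.x509.Extension::authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.getInstance(issuerCert.getPublicKey.getEncoded)))
  else
    validFrom, validTo = calculate_validity(params)

    # no issuer certificate: self-issued, so issuer name == subject name
    certGen = org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder.new(x500Name, serial, validFrom, validTo, x500Name, pubKey)
    # authority key identifier derived from the subject's own public key
    certGen.addExtension(org.bouncycastle.asn1.x509.Extension::authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.getInstance(pubKey.getEncoded)))
  end

  keyUsage = block.call(:keyUsage)
  # an Array of KeyUsage bit masks is OR-ed together; nil falls back to the role default
  ku = if keyUsage.nil?
         issuer ? KeyUsage::DEF_ISSUER : KeyUsage::DEF_USER_IDENTITY
       elsif keyUsage.is_a?(Array)
         keyUsage.reduce(0) { |acc, u| acc | u }
       else
         keyUsage
       end

  if issuer
    # CA certificate: basicConstraints cA=TRUE, marked critical
    certGen.addExtension(org.bouncycastle.asn1.x509.Extension::basicConstraints, true, org.bouncycastle.asn1.x509.BasicConstraints.new(true))
  end
  # NOTE(review): keyUsage is added non-critical; RFC 5280 recommends marking it critical
  certGen.addExtension(org.bouncycastle.asn1.x509.Extension::keyUsage, false, org.bouncycastle.asn1.x509.KeyUsage.new(ku))

  extKeyUsage = block.call(:extKeyUsage)
  unless extKeyUsage.nil?
    if extKeyUsage.is_a?(Hash)
      # allow user to give eku -> true/false (criticality)
      # Since timestamping required this extension to be true, not sure others
      # NOTE(review): every pair adds the same extension OID again; BC builders may reject duplicates
      extKeyUsage.each do |k, v|
        certGen.addExtension(org.bouncycastle.asn1.x509.Extension::extendedKeyUsage, v, org.bouncycastle.asn1.x509.ExtendedKeyUsage.new(k))
      end
    elsif extKeyUsage.is_a?(Array)
      certGen.addExtension(org.bouncycastle.asn1.x509.Extension::extendedKeyUsage, false, org.bouncycastle.asn1.x509.ExtendedKeyUsage.new(extKeyUsage.to_vector))
    else
      certGen.addExtension(org.bouncycastle.asn1.x509.Extension::extendedKeyUsage, false, org.bouncycastle.asn1.x509.ExtendedKeyUsage.new([extKeyUsage].to_vector))
    end
  end

  #
  # subject alternative name: one rfc822Name per owner e-mail, one dNSName per DNS name
  #
  altName = []
  owner.emails.each do |e|
    altName << org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::rfc822Name, e)
  end
  owner.dns_names.each do |n|
    altName << org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::dNSName, n)
  end
  unless altName.empty?
    certGen.addExtension(org.bouncycastle.asn1.x509.Extension::subjectAlternativeName, false, org.bouncycastle.asn1.x509.GeneralNames.new(altName.to_java(org.bouncycastle.asn1.x509.GeneralName)))
  end

  #
  # CRL distribution point: one URI GeneralName per entry (a single value is wrapped)
  #
  crl = block.call(:crls)
  unless crl.nil?
    crls = (crl.is_a?(Array) ? crl : [crl]).map do |c|
      org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName::uniformResourceIdentifier, org.bouncycastle.asn1.DERIA5String.new(c))
    end
    gns = org.bouncycastle.asn1.x509.GeneralNames.new(crls.to_java(org.bouncycastle.asn1.x509.GeneralName))

    dpn = org.bouncycastle.asn1.x509.DistributionPointName.new(gns)
    dp = org.bouncycastle.asn1.x509.DistributionPoint.new(dpn, nil, nil)
    certGen.addExtension(org.bouncycastle.asn1.x509.X509Extensions::CRLDistributionPoints, false, org.bouncycastle.asn1.DERSequence.new(dp))
  end

  #
  # OCSP responder URL via the Authority Information Access extension
  #
  ocsp = block.call(:ocsp)
  if !ocsp.nil? && !ocsp.empty?
    ocspName = org.bouncycastle.asn1.x509.GeneralName.new(org.bouncycastle.asn1.x509.GeneralName.uniformResourceIdentifier, ocsp)
    authorityInformationAccess = org.bouncycastle.asn1.x509.AuthorityInformationAccess.new(org.bouncycastle.asn1.x509.X509ObjectIdentifiers.ocspAccessMethod, ocspName)
    certGen.addExtension(org.bouncycastle.asn1.x509.X509Extensions::AuthorityInfoAccess, false, authorityInformationAccess)
  end

  # the subject key identifier is always added
  certGen.addExtension(org.bouncycastle.asn1.x509.Extension::subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.getInstance(pubKey.getEncoded)))

  # sign with the issuer key and convert the BC holder into a JCA certificate
  org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.new.setProvider(cProv).getCertificate(certGen.build(signer))
end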

#load(options = {}) ⇒ Object



# File 'lib/pkernel_jce/certificate.rb', line 456

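# Load one certificate (or several) from a file or from memory.
#
# @param options [Hash] :file - path to read (takes precedence when non-empty);
#   :bin - in-memory data, passed through IoUtils.ensure_java_bytes;
#   :in_form / :inForm / :inform - :b64/:base64, :hex, :bin, anything else (incl. nil) for PEM;
#   :multiple - truthy to return every object found instead of the first
# @return [Object] a PEMParser object (or Array of them) for PEM input; a
#   java.security.cert.Certificate (or Java Collection of them) for the other forms
# @raise [PkernelJce::Error] when neither input is given, the file does not exist, or
#   nothing could be parsed
def load(options = {})
  file = options[:file]
  bin = options[:bin]
  baos = java.io.ByteArrayOutputStream.new

  if !file.nil? && !file.empty?
    PkernelJce::GConf.instance.glog.debug "Load certificate from #{file}"
    f = java.io.File.new(file)
    raise PkernelJce::Error, "File '#{f.absolute_path}' not found" unless f.exists?

    b = Java::byte[f.length].new
    dis = java.io.DataInputStream.new(java.io.FileInputStream.new(f))
    begin
      dis.readFully(b)
    ensure
      # close even when readFully raises, so the descriptor does not leak
      dis.close
    end
    baos.write(b)
  elsif !bin.nil?
    PkernelJce::GConf.instance.glog.debug "Load certificate from memory"
    baos.write(IoUtils.ensure_java_bytes(bin))
  else
    raise PkernelJce::Error, "No bin or file input is given to load"
  end

  # Reads the first PEM object, or every object in the stream when :multiple is set.
  read_pem = lambda do
    reader = org.bouncycastle.openssl.PEMParser.new(java.io.InputStreamReader.new(java.io.ByteArrayInputStream.new(baos.toByteArray)))
    if options[:multiple]
      objs = []
      while (o = reader.readObject)
        objs << o
      end
      objs
    else
      reader.readObject
    end
  end

  obj = nil
  cbin = nil
  inForm = options[:in_form] || options[:inForm] || options[:inform]
  case (inForm.nil? ? nil : inForm.to_sym)
  when :b64, :base64
    PkernelJce::GConf.instance.glog.debug "Loading b64 certificate"
    cbin = Pkernel::Converter.from_b64(baos.toByteArray)
  when :hex
    PkernelJce::GConf.instance.glog.debug "Loading hex certificate"
    cbin = Pkernel::Converter.from_hex(baos.toByteArray)
  when :bin
    PkernelJce::GConf.instance.glog.debug "Loading bin certificate"
    cbin = baos.toByteArray
  else
    # PEM is the default; an unrecognised in_form value also lands here
    PkernelJce::GConf.instance.glog.debug(inForm.nil? ? "Loading pem certificate (2)" : "Loading pem certificate")
    obj = read_pem.call
  end

  unless cbin.nil?
    # parse the DECODED bytes: feeding the raw buffer (still base64/hex text) to the
    # factory could never yield a certificate for those forms
    cf = java.security.cert.CertificateFactory.getInstance("X.509")
    input = java.io.ByteArrayInputStream.new(IoUtils.ensure_java_bytes(cbin))
    obj = options[:multiple] ? cf.generateCertificates(input) : cf.generateCertificate(input)
  end

  raise PkernelJce::Error, "No valid certificate object loaded." if obj.nil?

  obj
end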

#load_from_file(file, opts = { }) ⇒ Object Also known as: load_from_file_pem

end read_from

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 544

# Load a PEM certificate from +file+ (see #load for the remaining options).
#
# @param file [String] path to read
# @param opts [Hash, nil] extra options forwarded to #load
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_from_file(file, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  load(opts.merge(file: file))
end

#load_from_file_b64(file, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 575

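# Load a base64-encoded certificate from +file+ (see #load).
#
# @param file [String] path to read
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :b64
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_from_file_b64(file, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_file does instead of discarding them
  load(opts.merge({ file: file, inForm: :b64 }))
end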

#load_from_file_bin(file, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 623

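# Load a DER-encoded certificate from +file+ (see #load).
#
# @param file [String] path to read
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :bin
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_from_file_bin(file, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_file does instead of discarding them
  load(opts.merge({ file: file, inForm: :bin }))
end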

#load_from_file_hex(file, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 599

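# Load a hex-encoded certificate from +file+ (see #load).
#
# @param file [String] path to read
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :hex
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_from_file_hex(file, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_file does instead of discarding them
  load(opts.merge({ file: file, inForm: :hex }))
end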

#load_from_mem(bin, opts = { }) ⇒ Object Also known as: load_from_mem_pem

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 551

# Load a PEM certificate from in-memory data (see #load).
#
# @param bin [Object] the certificate data
# @param opts [Hash, nil] extra options forwarded to #load
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_from_mem(bin, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  load(opts.merge(bin: bin))
end

#load_from_mem_b64(bin, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 580

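# Load a base64-encoded certificate from in-memory data (see #load).
#
# @param bin [Object] the certificate data
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :b64
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_from_mem_b64(bin, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_mem does instead of discarding them
  load(opts.merge({ bin: bin, inForm: :b64 }))
end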

#load_from_mem_bin(bin, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 628

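# Load a DER-encoded certificate from in-memory data (see #load).
#
# @param bin [Object] the certificate data
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :bin
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_from_mem_bin(bin, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_mem does instead of discarding them
  load(opts.merge({ bin: bin, inForm: :bin }))
end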

#load_from_mem_hex(bin, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 604

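# Load a hex-encoded certificate from in-memory data (see #load).
#
# @param bin [Object] the certificate data
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :hex
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_from_mem_hex(bin, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_mem does instead of discarding them
  load(opts.merge({ bin: bin, inForm: :hex }))
end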

#load_multi_from_bin_bin(bin, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 640

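# Load every DER-encoded certificate found in in-memory data (see #load).
#
# @param bin [Object] the certificate data
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :bin
#   and multiple to true
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_multi_from_bin_bin(bin, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_mem does instead of discarding them
  load(opts.merge({ bin: bin, inForm: :bin, multiple: true }))
end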

#load_multi_from_file(file, opts = { }) ⇒ Object Also known as: load_multi_from_file_pem

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 559

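# Load every PEM certificate found in +file+ (see #load).
#
# @param file [String] path to read
# @param opts [Hash, nil] extra options forwarded to #load; multiple is forced to true
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_multi_from_file(file, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_file does instead of discarding them
  load(opts.merge({ file: file, multiple: true }))
end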

#load_multi_from_file_b64(file, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 587

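# Load every base64-encoded certificate found in +file+ (see #load).
#
# @param file [String] path to read
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :b64
#   and multiple to true
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_multi_from_file_b64(file, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_file does instead of discarding them
  load(opts.merge({ file: file, inForm: :b64, multiple: true }))
end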

#load_multi_from_file_bin(file, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 635

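# Load every DER-encoded certificate found in +file+ (see #load).
#
# @param file [String] path to read
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :bin
#   and multiple to true
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_multi_from_file_bin(file, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_file does instead of discarding them
  load(opts.merge({ file: file, inForm: :bin, multiple: true }))
end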

#load_multi_from_file_hex(file, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 611

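# Load every hex-encoded certificate found in +file+ (see #load).
#
# @param file [String] path to read
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :hex
#   and multiple to true
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_multi_from_file_hex(file, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_file does instead of discarding them
  load(opts.merge({ file: file, inForm: :hex, multiple: true }))
end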

#load_multi_from_mem(bin, opts = { }) ⇒ Object Also known as: load_multi_from_bin_pem

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 566

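# Load every PEM certificate found in in-memory data (see #load).
#
# @param bin [Object] the certificate data
# @param opts [Hash, nil] extra options forwarded to #load; multiple is forced to true
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_multi_from_mem(bin, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_mem does instead of discarding them
  load(opts.merge({ bin: bin, multiple: true }))
end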

#load_multi_from_mem_b64(bin, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 592

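# Load every base64-encoded certificate found in in-memory data (see #load).
#
# @param bin [Object] the certificate data
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :b64
#   and multiple to true
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_multi_from_mem_b64(bin, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_mem does instead of discarding them
  load(opts.merge({ bin: bin, inForm: :b64, multiple: true }))
end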

#load_multi_from_mem_hex(bin, opts = { }) ⇒ Object

Raises:



# File 'lib/pkernel_jce/certificate.rb', line 616

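# Load every hex-encoded certificate found in in-memory data (see #load).
#
# @param bin [Object] the certificate data
# @param opts [Hash, nil] extra options forwarded to #load; inForm is forced to :hex
#   and multiple to true
# @return [Object] whatever #load returns
# @raise [PkernelJce::Error] when opts is not a Hash
def load_multi_from_mem_hex(bin, opts = { })
  opts = { } if opts.nil?
  raise PkernelJce::Error, "Options should be a hash" unless opts.is_a?(Hash)
  # forward the validated options like load_from_mem does instead of discarding them
  load(opts.merge({ bin: bin, inForm: :hex, multiple: true }))
end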