Module: PkernelJce::OCSP::Request
- Included in:
- PkernelJce::OCSPRequestEngine
- Defined in:
- lib/pkernel_jce/ocsp.rb
Overview
end module Response
Instance Method Summary collapse
-
#gen_nonce(len = 16) ⇒ Object
end parse().
-
#generate(certs = [], opts = {}) ⇒ Object
Initiated by the client.
-
#parse(opts = {}, &block) ⇒ Object
Invoked on the server side during the response.
- #to_bin(req) ⇒ Object
Instance Method Details
#gen_nonce(len = 16) ⇒ Object
end parse()
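# File 'lib/pkernel_jce/ocsp.rb', line 312
# Produce `len` random bytes for use as an OCSP nonce extension value.
#
# The nonce binds a response to the request that asked for it, so it must be
# unpredictable: the bytes are drawn from java.security.SecureRandom instead of
# java.util.Random, which is a seedable, predictable PRNG.
#
# @param len [Integer] number of nonce bytes, defaults to 16
# @return [Java::byte[]] freshly generated nonce bytes
def gen_nonce(len = 16)
  nonce = Java::byte[len].new
  java.security.SecureRandom.new.nextBytes(nonce)
  nonce
end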
#generate(certs = [], opts = {}) ⇒ Object
Initiated by the client
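# File 'lib/pkernel_jce/ocsp.rb', line 319
# Build an OCSP request (client side) for the given certificate identities.
#
# @param certs [Array, Object] one or more values handed to
#   OCSPReqBuilder#addRequest; a single value is wrapped in an Array.
#   NOTE(review): the commented-out code in the original built
#   CertificateID objects from certificates here; what callers actually
#   pass is not visible in this file — confirm against the call sites.
# @param opts [Hash] options:
#   :gen_nonce          generate a fresh random nonce extension (default
#                       true; nil keeps the default, false disables it)
#   :nonce              caller-supplied nonce bytes, used only when
#                       :gen_nonce is false
#   :identity           signing identity (privKey, certificate, chain);
#                       when nil the request is built unsigned
#   :provider           JCE provider name, defaults to the library default
#   :requestor_name     CN used as requestor name of a signed request
#   :requestor_x500name full X.500 name used as requestor name of a
#                       signed request
# @return [org.bouncycastle.cert.ocsp.OCSPReq] the built request. Only the
#   request object is returned; the nonce travels inside its
#   id_pkix_ocsp_nonce extension, so a caller that wants to match it
#   against the response has to read it back from the request.
# @raise [PkernelJce::Error] when certs is nil, or when a signing identity
#   is given but no requestor name/certificate can be derived for it
def generate(certs = [], opts = {})
  raise PkernelJce::Error, "Given certificates to generate OCSP request is nil" if certs.nil?

  certs = [certs] unless certs.is_a?(Array)

  gen = org.bouncycastle.cert.ocsp.OCSPReqBuilder.new

  # The original `opts[:gen_nonce] || true` was always true, so a caller
  # could never disable nonce generation (and a supplied :nonce was never
  # used). nil still selects the default; an explicit false is honoured.
  gen_nonce = opts[:gen_nonce]
  gen_nonce = true if gen_nonce.nil?

  nonce = if gen_nonce
            # The nonce is the replay protection of the exchange, so it comes
            # from SecureRandom rather than the predictable java.util.Random.
            buf = Java::byte[16].new
            java.security.SecureRandom.new.nextBytes(buf)
            buf
          else
            opts[:nonce]
          end
  gen.setRequestExtensions(nonce_request_extensions(nonce)) unless nonce.nil?

  certs.each { |c| gen.addRequest(c) }

  # The provider is registered before deciding whether to sign, matching the
  # original order of side effects.
  provider = opts[:provider]
  prov = provider.nil? ? PkernelJce::Provider.add_default : PkernelJce::Provider.add_provider(provider)

  id = opts[:identity]
  return gen.build if id.nil?

  gen.setRequestorName(requestor_name_for(id, opts))
  signer = org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(PkernelJce::KeyPair.derive_signing_algo(id.privKey, "SHA256")).setProvider(prov).build(id.privKey)
  gen.build(signer, PkernelJce::Certificate.ensure_bc_cert(id.chain).to_java(Java::OrgBouncycastleCert::X509CertificateHolder))
end

# Wrap nonce bytes into a non-critical id_pkix_ocsp_nonce request extension.
#
# @param nonce [Java::byte[]] nonce bytes
# @return [org.bouncycastle.asn1.x509.Extensions] extensions holding the nonce
def nonce_request_extensions(nonce)
  ext_gen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
  ext_gen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonce))
  ext_gen.generate
end
private :nonce_request_extensions

# Resolve the X500Name used as requestor name of a signed request: an
# explicit CN (:requestor_name), a full X.500 string (:requestor_x500name),
# or the subject of the identity's certificate, in that order.
#
# @param id [Object] signing identity responding to #certificate
# @param opts [Hash] the options passed to #generate
# @return [org.bouncycastle.asn1.x500.X500Name]
# @raise [PkernelJce::Error] when none of the three sources is available
def requestor_name_for(id, opts)
  name = opts[:requestor_name]
  x500 = opts[:requestor_x500name]
  if !(name.nil? || name.empty?)
    org.bouncycastle.asn1.x500.X500Name.new("CN=#{name}")
  elsif !(x500.nil? || x500.empty?)
    org.bouncycastle.asn1.x500.X500Name.new(x500)
  elsif !id.certificate.nil?
    PkernelJce::Certificate.ensure_bc_cert(id.certificate).subject_to_x500
  else
    raise PkernelJce::Error, "Cannot sign content as requestor name/certificate is not given"
  end
end
private :requestor_name_for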
#parse(opts = {}, &block) ⇒ Object
Invoked on the server side during the response
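# File 'lib/pkernel_jce/ocsp.rb', line 236
# Parse an OCSP request (server side) and hand every requested certificate
# identity to the block.
#
# @param opts [Hash] options:
#   :file         path of a file holding the encoded request
#   :bin          request bytes, used when :file is not given
#   :verify_sign  check the signature of a signed request (default true;
#                 nil keeps the default, false disables the check)
#   :provider     JCE provider name, defaults to the library default
# @param block [Proc] required. Called as block.call(info) once per single
#   request, where info holds :serial, :issuer_key_hash, :issuer_name_hash
#   and :cid and the block decides the status lookup; and called as
#   block.call(:ocsp_verify_failed, { request:, signer_cert: }) when the
#   signature check fails — a truthy return accepts the request anyway,
#   otherwise parsing aborts.
# @return [Hash] :req (the OCSPReq) and :nonce (octets of the nonce
#   extension, only when the request carries one)
# @raise [PkernelJce::Error] without a block, without any input, or when
#   the signature check fails and the block does not accept the request
def parse(opts = {}, &block)
  raise PkernelJce::Error, "Block must be given for OCSP request parse operation" unless block

  file = opts[:file]
  bin = opts[:bin]
  breq = if !file.nil?
           PkernelJce::IoUtils.file_to_memory_byte_array(file)
         elsif !bin.nil?
           PkernelJce::IoUtils.ensure_java_bytes(bin)
         else
           raise PkernelJce::Error, "No OCSP request input available for parsing"
         end

  req = org.bouncycastle.cert.ocsp.OCSPReq.new(breq)
  res = { req: req }

  # The original `opts[:verify_sign] || true` was always true, so the check
  # could not be switched off. nil keeps the default; false is honoured.
  verify_sign = opts[:verify_sign]
  verify_sign = true if verify_sign.nil?
  verify_request_signature(req, opts, block) if verify_sign && req.isSigned

  nonce_field = req.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
  res[:nonce] = nonce_field.parsed_value.getOctets unless nonce_field.nil?

  req.getRequestList.each do |qc|
    cid = qc.getCertID
    # The block decides what the status is and how it is looked up.
    block.call({ serial: cid.serial_number, issuer_key_hash: cid.issuer_key_hash, issuer_name_hash: cid.issuer_name_hash, cid: cid })
  end

  res
end

# Verify the signature of a signed request against the first certificate
# embedded in it. This only proves the request is self-consistent — the
# embedded certificate is supplied by the requester — so whether that
# certificate is trusted is left to the caller's block, which is consulted
# on failure and may accept the request by returning a truthy value.
#
# @param req [org.bouncycastle.cert.ocsp.OCSPReq] a signed request
# @param opts [Hash] the options passed to #parse (uses :provider)
# @param block [Proc] the failure handler from #parse
# @return [void]
# @raise [PkernelJce::Error] when verification fails and the block rejects
def verify_request_signature(req, opts, block)
  provider = opts[:provider]
  prov = provider.nil? ? PkernelJce::Provider.add_default : PkernelJce::Provider.add_provider(provider)

  signer_cert = req.getCerts[0]
  # A signed request carrying no certificate cannot be checked; treat it as
  # a failed verification instead of letting the verifier builder blow up.
  valid = !signer_cert.nil? && req.isSignatureValid(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.setProvider(prov).build(signer_cert))
  return if valid

  # Kept in its own local: the original assigned the block's verdict to
  # `res`, clobbering the result hash so the later `res[:nonce] = ...` broke.
  accepted = block.call(:ocsp_verify_failed, { request: req, signer_cert: signer_cert })
  # Raised in this library's namespace; the original named
  # PkernelOpenssl::Error, which every other raise in this module does not use.
  raise PkernelJce::Error, "OCSP request verification failed" unless accepted
end
private :verify_request_signature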
#to_bin(req) ⇒ Object
# File 'lib/pkernel_jce/ocsp.rb', line 393
# Return the encoded form of an OCSP request object.
#
# @param req [#encoded] request object responding to #encoded
# @return [Object] whatever req.encoded returns
# @raise [PkernelJce::Error] when req is nil
def to_bin(req)
  raise PkernelJce::Error, "Request object cannot be nil to convert to binary" if req.nil?

  req.encoded
end