Module: PkernelJce::OCSP::Response

Included in:

PkernelJce::OCSPResponseEngine

Defined in:

lib/pkernel_jce/ocsp.rb

Overview

module Response

Constant Summary

ST_SUCCESSFUL =

org.bouncycastle.cert.ocsp.OCSPRespBuilder::SUCCESSFUL

ST_MALFORM_REQ =

org.bouncycastle.cert.ocsp.OCSPRespBuilder::MALFORMED_REQUEST

ST_ERROR =

org.bouncycastle.cert.ocsp.OCSPRespBuilder::INTERNAL_ERROR

ST_TRY_LATER =

org.bouncycastle.cert.ocsp.OCSPRespBuilder::TRY_LATER

ST_SIG_REQUIRED =

org.bouncycastle.cert.ocsp.OCSPRespBuilder::SIG_REQUIRED

ST_UNAUTHORIZED =

org.bouncycastle.cert.ocsp.OCSPRespBuilder::UNAUTHORIZED

Instance Method Summary

• #generate(identity, opts = { }, &block) ⇒ Object

  used by OCSP responder.

• #is_cert_good?(resp, cert_id, opts = { }) ⇒ Boolean

  end parse().

• #is_cert_revoked?(resp, cert_id, opts = { }) ⇒ Boolean
• #is_cert_unknown?(resp, cert_id, opts = { }) ⇒ Boolean
• #parse(opts = {}) ⇒ Object

  invoke by client side to read the result.

• #to_bin(resp) ⇒ Object
• #to_response_asn1(st, resp = nil) ⇒ Object

  end generate.

• #v_cert_good(resp, cid, opts = { }) ⇒ Object
• #v_cert_revoked(resp, cid, reason = Pkernel::CRLReason::UNSPECIFIED, revokedOn = java.util.Date.new, opts = { }) ⇒ Object
• #v_cert_status_unknown(resp, cid, opts = { }) ⇒ Object

Instance Method Details

#generate(identity, opts = { }, &block) ⇒ Object

used by OCSP responder

# File 'lib/pkernel_jce/ocsp.rb', line 59

def generate(identity, opts = { }, &block)

  if identity.nil?
    raise PkernelJce::Error, "Identity is nil in generate OCSP response"
  end

  provider = opts[:provider]
  if provider.nil?
    prov = PkernelJce::Provider.add_default
  else
    prov = PkernelJce::Provider.add_provider(provider)
  end

  digest = org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder.new.setProvider(PkernelJce::Provider::DefProvider).build
  # for this version of BC (157) this is the only option
  #d = digest.get(org.bouncycastle.cert.ocsp.CertificateID::HASH_SHA1)
  
  respBuilder = org.bouncycastle.cert.ocsp.jcajce.JcaBasicOCSPRespBuilder.new(identity.pubKey, digest.get(org.bouncycastle.cert.ocsp.RespID::HASH_SHA1)) 

  reqBin = opts[:request]

  reqRes = OCSPRequestEngine.parse({ bin: reqBin }) do |info|
    if block
      block.call(respBuilder, info)
    else
      v_cert_status_unknown(respBuilder, info[:cid])
    end
  end
 
  req = reqRes[:req]

  nonceField = req.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
  if not nonceField.nil?
    extGen = org.bouncycastle.asn1.x509.ExtensionsGenerator.new
    extGen.addExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce, false, org.bouncycastle.asn1.DEROctetString.new(nonceField.parsed_value.getOctets))
    respBuilder.setResponseExtensions(extGen.generate)
  end
 
  signHash = opts[:signHash] || "SHA256"
  resp = respBuilder.build(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.new(PkernelJce::KeyPair.derive_signing_algo(identity.privKey,signHash)).setProvider(prov).build(identity.privKey), identity.chain, java.util.Date.new)
  
  #public class OCSPRespBuilder
  #{
  #    public static final int SUCCESSFUL = 0;  // Response has valid confirmations
  #    public static final int MALFORMED_REQUEST = 1;  // Illegal confirmation request
  #    public static final int INTERNAL_ERROR = 2;  // Internal error in issuer
  #    public static final int TRY_LATER = 3;  // Try again later
  #    // (4) is not used
  #    public static final int SIG_REQUIRED = 5;  // Must sign the request
  #    public static final int UNAUTHORIZED = 6;  // Request unauthorized        
  #
  # this response should be a step higher
  #org.bouncycastle.cert.ocsp.OCSPRespBuilder.new.build(org.bouncycastle.cert.ocsp.OCSPRespBuilder::SUCCESSFUL, resp).encoded.to_s
  to_response_asn1(ST_SUCCESSFUL, resp)
end

#is_cert_good?(resp, cert_id, opts = { }) ⇒ Boolean

end parse()

Returns:

• (Boolean)

# File 'lib/pkernel_jce/ocsp.rb', line 172

def is_cert_good?(resp, cert_id, opts = { })
  respObj = resp.response_object         
  respObj.responses.each do |re|
    if re.cert_id.equals(cert_id)
      return re.cert_status.nil?
    end
  end

  false
end

#is_cert_revoked?(resp, cert_id, opts = { }) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/pkernel_jce/ocsp.rb', line 183

def is_cert_revoked?(resp, cert_id, opts = { })
  respObj = resp.response_object         
  respObj.responses.each do |re|
    if re.cert_id.equals(cert_id)
      if (not re.cert_status.nil? and re.cert_status.java_kind_of?(org.bouncycastle.cert.ocsp.RevokedStatus))
        return [true, re.cert_status.revocation_reason, re.cert_status.revocation_time]
      end
    end
  end

  [false]
end

#is_cert_unknown?(resp, cert_id, opts = { }) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/pkernel_jce/ocsp.rb', line 196

def is_cert_unknown?(resp, cert_id, opts = { })
  respObj = resp.response_object         
  respObj.responses.each do |re|
    if re.cert_id.equals(cert_id)
      return (not re.cert_status.nil? and re.cert_status.java_kind_of?(org.bouncycastle.cert.ocsp.UnknownStatus))
    end
  end
  
  false
end

#parse(opts = {}) ⇒ Object

invoke by client side to read the result

# File 'lib/pkernel_jce/ocsp.rb', line 125

def parse(opts = {})
  file = opts[:file]
  bin = opts[:bin]
  
  if not file.nil? 
    bresp = IoUtils.file_to_memory_byte_array(file)
  elsif not bin.nil?
    bresp = IoUtils.ensure_java_bytes(bin)
  else
    raise PkernelJce::Error, "No OCSP response input available for parsing"
  end 
  
  resp = org.bouncycastle.cert.ocsp.OCSPResp.new(bresp)
  if resp.status == ST_SUCCESSFUL
    respObj = resp.response_object
    #
    #nonceField = respObj.getExtension(org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers::id_pkix_ocsp_nonce)
    #if not nonceField.nil?
    #  result[:nonce] = nonceField.parsed_value.getOctets
    #end
    
    provider = opts[:provider]
    if provider.nil?
      prov = PkernelJce::Provider.add_default
    else
      prov = PkernelJce::Provider.add_provider(provider)
    end

    if respObj.is_signature_valid?(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.new.setProvider(prov).build(respObj.certs[0]))
      #vres = { }
      #respObj.responses.each do |re|
      #  vres[re.cert_id] = re.cert_status
      #end
      #result[:result] = vres
      resp
    else
      raise PkernelJce::Error, "OCSP response digital signature failed to be verified. Result discarded."
    end
  else
    raise PkernelJce::Error, "OCSP response unsuccessful. Message was : #{resp.status}"
  end
  
  #result
end

#to_bin(resp) ⇒ Object

# File 'lib/pkernel_jce/ocsp.rb', line 219

def to_bin(resp)
  if resp.nil?
    raise PkernelJce::Error, "Response object is nil to convert to bin"
  end
  resp.encoded
end

#to_response_asn1(st, resp = nil) ⇒ Object

end generate

# File 'lib/pkernel_jce/ocsp.rb', line 118

def to_response_asn1(st, resp = nil)
  org.bouncycastle.cert.ocsp.OCSPRespBuilder.new.build(st, resp)
end

#v_cert_good(resp, cid, opts = { }) ⇒ Object

# File 'lib/pkernel_jce/ocsp.rb', line 207

def v_cert_good(resp, cid, opts = { })
  resp.addResponse(cid, org.bouncycastle.cert.ocsp.CertificateStatus::GOOD)
end

#v_cert_revoked(resp, cid, reason = Pkernel::CRLReason::UNSPECIFIED, revokedOn = java.util.Date.new, opts = { }) ⇒ Object

# File 'lib/pkernel_jce/ocsp.rb', line 211

def v_cert_revoked(resp, cid, reason = Pkernel::CRLReason::UNSPECIFIED, revokedOn = java.util.Date.new, opts = { })
  resp.addResponse(cid, org.bouncycastle.cert.ocsp.RevokedStatus.new(revokedOn, reason))
end

#v_cert_status_unknown(resp, cid, opts = { }) ⇒ Object

# File 'lib/pkernel_jce/ocsp.rb', line 215

def v_cert_status_unknown(resp, cid, opts= { })
   resp.addResponse(cid, org.bouncycastle.cert.ocsp.UnknownStatus.new)
end