Example 6 with X509AuxCertificate
use of org.jruby.ext.openssl.x509store.X509AuxCertificate in project jruby-openssl by jruby.
the class OCSPRequest method verify.
@JRubyMethod(name = "verify", rest = true)
public IRubyObject verify(IRubyObject[] args) {
Ruby runtime = getRuntime();
ThreadContext context = runtime.getCurrentContext();
int flags = 0;
boolean ret = false;
if (Arity.checkArgumentCount(runtime, args, 2, 3) == 3) {
flags = RubyFixnum.fix2int((RubyFixnum) args[2]);
}
IRubyObject certificates = args[0];
IRubyObject store = args[1];
OCSPReq bcOCSPReq = getBCOCSPReq();
if (bcOCSPReq == null) {
throw newOCSPError(runtime, new NullPointerException("Missing BC asn1bcReq. Missing certIDs or signature?"));
}
if (!bcOCSPReq.isSigned()) {
return RubyBoolean.newBoolean(runtime, ret);
}
GeneralName genName = bcOCSPReq.getRequestorName();
if (genName.getTagNo() != 4) {
return RubyBoolean.newBoolean(runtime, ret);
}
X500Name genX500Name = X500Name.getInstance(genName.getName());
X509StoreContext storeContext = null;
JcaContentVerifierProviderBuilder jcacvpb = new JcaContentVerifierProviderBuilder();
jcacvpb.setProvider("BC");
try {
java.security.cert.Certificate signer = findCertByName(genX500Name, certificates, flags);
if (signer == null)
return RubyBoolean.newBoolean(runtime, ret);
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOINTERN))) > 0 && ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_TRUSTOTHER))) > 0))
flags |= RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY));
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOSIGS))) == 0) {
PublicKey signerPubKey = signer.getPublicKey();
ContentVerifierProvider cvp = jcacvpb.build(signerPubKey);
ret = bcOCSPReq.isSignatureValid(cvp);
if (!ret) {
return RubyBoolean.newBoolean(runtime, ret);
}
}
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY))) == 0) {
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOCHAIN))) > 0) {
storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), context.nil);
} else {
RubyArray certs = RubyArray.newEmptyArray(runtime);
ASN1Sequence bcCerts = asn1bcReq.getOptionalSignature().getCerts();
if (bcCerts != null) {
Iterator<ASN1Encodable> it = bcCerts.iterator();
while (it.hasNext()) {
Certificate cert = Certificate.getInstance(it.next());
certs.add(X509Cert.wrap(runtime, new X509AuxCertificate(cert)));
}
}
storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), certs);
}
storeContext.set_purpose(context, _X509(runtime).getConstant("PURPOSE_OCSP_HELPER"));
storeContext.set_trust(context, _X509(runtime).getConstant("TRUST_OCSP_REQUEST"));
ret = storeContext.verify(context).isTrue();
if (!ret)
return RubyBoolean.newBoolean(runtime, false);
}
} catch (Exception e) {
debugStackTrace(e);
throw newOCSPError(runtime, e);
}
return RubyBoolean.newBoolean(getRuntime(), ret);
}
Also used :
RubyArray(org.jruby.RubyArray)
X500Name(org.bouncycastle.asn1.x500.X500Name)
IRubyObject(org.jruby.runtime.builtin.IRubyObject)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
Ruby(org.jruby.Ruby)
ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
PublicKey(java.security.PublicKey)
ThreadContext(org.jruby.runtime.ThreadContext)
RubyFixnum(org.jruby.RubyFixnum)
RaiseException(org.jruby.exceptions.RaiseException)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
JcaContentVerifierProviderBuilder(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
X509AuxCertificate(org.jruby.ext.openssl.x509store.X509AuxCertificate)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
X509AuxCertificate(org.jruby.ext.openssl.x509store.X509AuxCertificate)
JRubyMethod(org.jruby.anno.JRubyMethod)
Example 7 with X509AuxCertificate
use of org.jruby.ext.openssl.x509store.X509AuxCertificate in project jruby-openssl by jruby.
the class OCSPBasicResponse method findSignerCert.
private java.security.cert.Certificate findSignerCert(final ThreadContext context, BasicOCSPResponse basicResp, List<java.security.cert.Certificate> certificates, int flags) {
final Ruby runtime = context.runtime;
ResponderID respID = basicResp.getTbsResponseData().getResponderID();
java.security.cert.Certificate ret;
ret = findSignerByRespId(context, certificates, respID);
if (ret == null && (flags & RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOINTERN))) == 0) {
List<X509AuxCertificate> javaCerts = new ArrayList<X509AuxCertificate>();
for (X509CertificateHolder cert : getBasicOCSPResp().getCerts()) {
try {
javaCerts.add(X509Cert.wrap(context, cert.getEncoded()).getAuxCert());
} catch (IOException e) {
throw newOCSPError(runtime, e);
}
}
ret = findSignerByRespId(context, javaCerts, respID);
}
return ret;
}
Also used :
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
ResponderID(org.bouncycastle.asn1.ocsp.ResponderID)
ArrayList(java.util.ArrayList)
IOException(java.io.IOException)
X509AuxCertificate(org.jruby.ext.openssl.x509store.X509AuxCertificate)
Ruby(org.jruby.Ruby)
Example 8 with X509AuxCertificate
use of org.jruby.ext.openssl.x509store.X509AuxCertificate in project jruby-openssl by jruby.
the class PKCS7 method verify.
/* c: PKCS7_verify
*
*/
public void verify(Collection<X509AuxCertificate> certs, Store store, BIO indata, BIO out, int flags) throws PKCS7Exception {
if (!isSigned()) {
throw new PKCS7Exception(F_PKCS7_VERIFY, R_WRONG_CONTENT_TYPE);
}
if (getDetached() != 0 && indata == null) {
throw new PKCS7Exception(F_PKCS7_VERIFY, R_NO_CONTENT);
}
Collection<SignerInfoWithPkey> infos = getSignerInfo();
if (infos == null || infos.size() == 0) {
throw new PKCS7Exception(F_PKCS7_VERIFY, R_NO_SIGNATURES_ON_DATA);
}
List<X509AuxCertificate> signers = getSigners(certs, infos, flags);
if (signers == null) {
throw new NotVerifiedPKCS7Exception();
}
/* Now verify the certificates */
if ((flags & NOVERIFY) == 0) {
for (final X509AuxCertificate signer : signers) {
final StoreContext certContext = new StoreContext(store);
if ((flags & NOCHAIN) == 0) {
if (certContext.init(signer, new ArrayList<X509AuxCertificate>(getSign().getCert())) == 0) {
throw new PKCS7Exception(F_PKCS7_VERIFY, -1);
}
certContext.setPurpose(X509Utils.X509_PURPOSE_SMIME_SIGN);
} else if (certContext.init(signer, null) == 0) {
throw new PKCS7Exception(F_PKCS7_VERIFY, -1);
}
certContext.setExtraData(1, store.getExtraData(1));
if ((flags & NOCRL) == 0) {
certContext.setCRLs((List<X509CRL>) getSign().getCrl());
}
try {
int i = certContext.verifyCertificate();
int j = 0;
if (i <= 0) {
j = certContext.getError();
}
certContext.cleanup();
if (i <= 0) {
throw new PKCS7Exception(F_PKCS7_VERIFY, R_CERTIFICATE_VERIFY_ERROR, "Verify error:" + X509Utils.verifyCertificateErrorString(j));
}
} catch (PKCS7Exception e) {
throw e;
} catch (Exception e) {
throw new PKCS7Exception(F_PKCS7_VERIFY, R_CERTIFICATE_VERIFY_ERROR, e);
}
}
}
BIO tmpin = indata;
BIO p7bio = dataInit(tmpin);
final BIO tmpout = (flags & TEXT) != 0 ? BIO.mem() : out;
final byte[] buf = new byte[4096];
for (; ; ) {
try {
final int i = p7bio.read(buf, 0, buf.length);
if (i <= 0)
break;
if (tmpout != null)
tmpout.write(buf, 0, i);
} catch (IOException e) {
throw new PKCS7Exception(F_PKCS7_VERIFY, -1, e);
}
}
if ((flags & TEXT) != 0) {
new SMIME(Mime.DEFAULT).text(tmpout, out);
}
if ((flags & NOSIGS) == 0) {
int i = 0;
for (SignerInfoWithPkey info : infos) {
X509AuxCertificate signer = signers.get(i++);
signatureVerify(p7bio, info, signer);
}
}
if (tmpin == indata) {
if (indata != null)
p7bio.pop();
}
}
Also used :
X509CRL(java.security.cert.X509CRL)
ArrayList(java.util.ArrayList)
IOException(java.io.IOException)
PKCSException(org.bouncycastle.pkcs.PKCSException)
IOException(java.io.IOException)
X509AuxCertificate(org.jruby.ext.openssl.x509store.X509AuxCertificate)
StoreContext(org.jruby.ext.openssl.x509store.StoreContext)
Example 9 with X509AuxCertificate
use of org.jruby.ext.openssl.x509store.X509AuxCertificate in project jruby-openssl by jruby.
the class PKCS7 method encrypt.
/* c: PKCS7_encrypt
*
*/
public static PKCS7 encrypt(Collection<X509AuxCertificate> certs, byte[] in, CipherSpec cipher, int flags) throws PKCS7Exception {
PKCS7 p7 = new PKCS7();
p7.setType(ASN1Registry.NID_pkcs7_enveloped);
try {
p7.setCipher(cipher);
for (X509AuxCertificate x509 : certs) {
p7.addRecipient(x509);
}
BIO p7bio = p7.dataInit(null);
BIO.memBuf(in).crlfCopy(p7bio, flags);
p7bio.flush();
p7.dataFinal(p7bio);
return p7;
} catch (IOException e) {
throw new PKCS7Exception(F_PKCS7_ENCRYPT, R_PKCS7_DATAFINAL_ERROR, e);
}
}
Also used :
IOException(java.io.IOException)
X509AuxCertificate(org.jruby.ext.openssl.x509store.X509AuxCertificate)
Example 10 with X509AuxCertificate
use of org.jruby.ext.openssl.x509store.X509AuxCertificate in project jruby-openssl by jruby.
the class OCSPRequest method findCertByName.
private java.security.cert.Certificate findCertByName(ASN1Encodable genX500Name, IRubyObject certificates, int flags) throws CertificateException, IOException {
Ruby runtime = getRuntime();
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOINTERN))) == 0) {
ASN1Sequence certs = asn1bcReq.getOptionalSignature().getCerts();
if (certs != null) {
Iterator<ASN1Encodable> it = certs.iterator();
while (it.hasNext()) {
Certificate cert = Certificate.getInstance(it.next());
if (genX500Name.equals(cert.getSubject()))
return new X509AuxCertificate(cert);
}
}
}
@SuppressWarnings("unchecked") List<X509Certificate> certList = (RubyArray) certificates;
for (X509Certificate cert : certList) {
if (genX500Name.equals(X500Name.getInstance(cert.getSubjectX500Principal().getEncoded())))
return new X509AuxCertificate(cert);
}
return null;
}
Also used :
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
RubyArray(org.jruby.RubyArray)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
X509AuxCertificate(org.jruby.ext.openssl.x509store.X509AuxCertificate)
Ruby(org.jruby.Ruby)
X509Certificate(java.security.cert.X509Certificate)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
X509AuxCertificate(org.jruby.ext.openssl.x509store.X509AuxCertificate)
Aggregations
X509AuxCertificate (org.jruby.ext.openssl.x509store.X509AuxCertificate)17
Ruby (org.jruby.Ruby)8
JRubyMethod (org.jruby.anno.JRubyMethod)8
IRubyObject (org.jruby.runtime.builtin.IRubyObject)7
ArrayList (java.util.ArrayList)6
RubyArray (org.jruby.RubyArray)6
IOException (java.io.IOException)5
NotVerifiedPKCS7Exception (org.jruby.ext.openssl.impl.NotVerifiedPKCS7Exception)4
PKCS7Exception (org.jruby.ext.openssl.impl.PKCS7Exception)4
ThreadContext (org.jruby.runtime.ThreadContext)4
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)3
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)3
BIO (org.jruby.ext.openssl.impl.BIO)3
MemBIO (org.jruby.ext.openssl.impl.MemBIO)3
GeneralSecurityException (java.security.GeneralSecurityException)2
PrivateKey (java.security.PrivateKey)2
CertificateException (java.security.cert.CertificateException)2
X509Certificate (java.security.cert.X509Certificate)2
Certificate (org.bouncycastle.asn1.x509.Certificate)2
Store (org.jruby.ext.openssl.x509store.Store)2
