class UnionPei::CertUtil

Public Class Methods

def CertUtil.getDecryptPriKey(certPath=SDKConfig.instance.signCertPath, certPwd=SDKConfig.instance.signCertPwd)
  # Private key used for decryption. It is the key from the PKCS#12 signing
  # bundle at certPath (same source as getSignPriKey), loaded with certPwd on
  # first use and cached per path in @@signCerts for the process lifetime.
  # Treat the return value as a secret: never log or serialize it.
  # NOTE: if initSignCert bails out (nil path or password) no entry is
  # cached and the trailing `.key` raises NoMethodError.
  CertUtil.initSignCert(certPath, certPwd) unless @@signCerts[certPath]
  @@signCerts[certPath].key
end
def CertUtil.getEncryptCertId(certPath=SDKConfig.instance.encryptCertPath)
  # Serial number (decimal string, as stored by initEncryptCert) of the
  # encryption certificate at certPath, loading and caching the certificate
  # in @@encryptCert on first use.
  # NOTE: with a nil certPath initEncryptCert only logs and caches nothing,
  # so the trailing `.certId` raises NoMethodError.
  CertUtil.initEncryptCert(certPath) unless @@encryptCert[certPath]
  @@encryptCert[certPath].certId
end
def CertUtil.getEncryptKey(certPath=SDKConfig.instance.encryptCertPath)
  # Public key of the encryption certificate at certPath (initEncryptCert
  # stores x509Cert.public_key; there is no private half in that file),
  # loading and caching the certificate in @@encryptCert on first use.
  # NOTE: with a nil certPath nothing is cached and `.key` raises
  # NoMethodError.
  CertUtil.initEncryptCert(certPath) unless @@encryptCert[certPath]
  @@encryptCert[certPath].key
end
def CertUtil.getSignCertId(certPath=SDKConfig.instance.signCertPath, certPwd=SDKConfig.instance.signCertPwd)
  # Serial number (decimal string) of the certificate inside the PKCS#12
  # signing bundle at certPath, unlocking it with certPwd and caching the
  # result in @@signCerts on first use.
  # NOTE: if initSignCert bails out (nil path or password) no entry is
  # cached and the trailing `.certId` raises NoMethodError.
  CertUtil.initSignCert(certPath, certPwd) unless @@signCerts[certPath]
  @@signCerts[certPath].certId
end
def CertUtil.getSignPriKey(certPath=SDKConfig.instance.signCertPath, certPwd=SDKConfig.instance.signCertPwd)
  # Private signing key from the PKCS#12 bundle at certPath, unlocked with
  # certPwd on first use and cached per path in @@signCerts for the process
  # lifetime (getDecryptPriKey returns the very same key).
  # Treat the return value as a secret: never log or serialize it.
  # NOTE: if initSignCert bails out (nil path or password) no entry is
  # cached and the trailing `.key` raises NoMethodError.
  CertUtil.initSignCert(certPath, certPwd) unless @@signCerts[certPath]
  @@signCerts[certPath].key
end
def CertUtil.getX509Cert(strCert)
  # Parse strCert (any encoding OpenSSL::X509::Certificate.new accepts) into
  # a certificate object. This is parsing only: no chain, expiry or subject
  # check happens here, so the result is NOT trusted -- use
  # verifyAndGetVerifyKey for a certificate received from the remote side.
  # Raises OpenSSL::X509::CertificateError on unparsable input.
  OpenSSL::X509::Certificate.new(strCert)
end
def CertUtil.resetEncryptCertPublicKey()
  # Discard every cached encryption certificate and reload the one at the
  # default path (SDKConfig.instance.encryptCertPath). Certificates cached
  # under any other path are dropped too and will be re-read on next access.
  @@encryptCert = {}
  CertUtil.initEncryptCert
end
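def CertUtil.verifyAndGetVerifyKey(certBase64String)
  # Validate a signing public-key certificate received from the remote side
  # (certBase64String: the certificate text exactly as handed to
  # OpenSSL::X509::Certificate.new) against the configured intermediate and
  # root certificates and return its public key. Returns nil when the chain
  # does not verify, when the subject cannot be parsed, or -- with
  # SDKConfig.instance.ifValidateCNName set -- when the subject CN is not
  # UNIONPAY_CNNAME. Raises if certBase64String is not parsable.
  #
  # Verified certificates are cached per input string in @@verifyCerts5_1_0.
  # A cache hit is re-checked against not_after so that a certificate that
  # has since expired is not accepted for the rest of the process lifetime;
  # it is evicted and goes through the chain check again.
  cached = @@verifyCerts5_1_0[certBase64String]
  if cached
    return cached.key if Time.now <= cached.cert.not_after
    @@verifyCerts5_1_0.delete(certBase64String)
  end
  initMiddleCert
  initRootCert

  # Fail closed when a trust anchor is missing: the init helpers only log
  # when no path is configured, and add_cert(nil) would raise TypeError.
  unless @@middleCert && @@rootCert
    LogUtil.error("middleCert or rootCert not loaded, cannot validate signPubKeyCert")
    return nil
  end

  x509Cert = OpenSSL::X509::Certificate.new(certBase64String)

  cert = Cert.new
  cert.cert = x509Cert
  cert.certId = x509Cert.serial.to_s
  cert.key = x509Cert.public_key

  # Only the configured intermediate and root go into the store. The
  # certificate under test must NOT be added as well (the earlier code did):
  # everything in an OpenSSL::X509::Store is a trust anchor, so an
  # attacker-supplied self-signed certificate would verify against itself
  # and be accepted on the strength of a subject the attacker chose.
  # PURPOSE_ANY means no extended-key-usage check is applied.
  store = OpenSSL::X509::Store.new
  store.purpose = OpenSSL::X509::PURPOSE_ANY
  store.add_cert(@@middleCert)
  store.add_cert(@@rootCert)
  unless store.verify(x509Cert)
    # store.error is an Integer; string concatenation here used to raise
    # TypeError on the failure path instead of logging and returning nil.
    LogUtil.error("validate signPubKeyCert by cert chain failed, error=#{store.error}, error string=#{store.error_string}")
    return nil
  end

  # The CN is taken to be the third '@'-separated field of the subject DN.
  sSubject = x509Cert.subject.to_s
  ss = sSubject.split("@")
  if ss.length <= 2
    LogUtil.error("error sSubject: " + sSubject)
    return nil
  end
  cn = ss[2]
  if SDKConfig.instance.ifValidateCNName && UNIONPAY_CNNAME != cn
    # Only UNIONPAY_CNNAME is accepted. The original carried an unreachable
    # elsif mentioning the test-environment CN "00040000:SIGN"; it never
    # took effect, so nothing is loosened by dropping it.
    LogUtil.error("cer owner is not CUP:" + cn)
    return nil
  end

  LogUtil.info("validate signPubKeyCert by cert succeed: " + certBase64String)
  @@verifyCerts5_1_0[certBase64String] = cert
  @@verifyCerts5_1_0[certBase64String].key
end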

Private Class Methods

def CertUtil.initEncryptCert(certPath=SDKConfig.instance.encryptCertPath)
    # Read the encryption certificate at certPath and cache its certificate,
    # decimal serial (certId) and public key in @@encryptCert[certPath].
    # With no path configured it just logs and returns, leaving no entry.
    # Raises on an unreadable file (IO.binread) or on data OpenSSL cannot
    # parse as a certificate. No chain validation is done here: the file on
    # disk is trusted as-is, so it must be protected from modification.
    unless certPath
      LogUtil.info("encryptCertPath is none, exit initEncryptCert")
      return
    end
    LogUtil.info("读取加密证书……")
    x509Cert = OpenSSL::X509::Certificate.new(IO.binread(certPath))
    entry = Cert.new
    entry.cert = x509Cert
    entry.certId = x509Cert.serial.to_s
    entry.key = x509Cert.public_key
    @@encryptCert[certPath] = entry
    LogUtil.info("加密证书读取成功,序列号:" + entry.certId)
end
def CertUtil.initMiddleCert()
  # Load the intermediate CA certificate from SDKConfig.instance.middleCertPath
  # into @@middleCert, once: a later call is a no-op while @@middleCert is
  # set. With no path configured it only logs and leaves @@middleCert unset.
  # Raises on an unreadable or unparsable file.
  # This certificate is used as a trust anchor by verifyAndGetVerifyKey, so
  # anyone able to replace the file can choose which certificates verify.
  return if @@middleCert
  path = SDKConfig.instance.middleCertPath
  unless path
    LogUtil.info("middleCertPath is none, exit initMiddleCert")
    return
  end
  LogUtil.info("start initMiddleCert")
  @@middleCert = OpenSSL::X509::Certificate.new(IO.binread(path))
  LogUtil.info("initMiddleCert succeed")
end
def CertUtil.initRootCert()
  # Load the root CA certificate from SDKConfig.instance.rootCertPath into
  # @@rootCert, once: a later call is a no-op while @@rootCert is set. With
  # no path configured it only logs and leaves @@rootCert unset.
  # Raises on an unreadable or unparsable file.
  # This certificate is a trust anchor for verifyAndGetVerifyKey, so the
  # file must be protected from modification.
  return if @@rootCert
  path = SDKConfig.instance.rootCertPath
  unless path
    LogUtil.info("rootCertPath is none, exit initRootCert")
    return
  end
  LogUtil.info("start initRootCert")
  @@rootCert = OpenSSL::X509::Certificate.new(IO.binread(path))
  LogUtil.info("initRootCert succeed")
end
def CertUtil.initSignCert(certPath, certPwd)
  # Open the PKCS#12 signing bundle at certPath with certPwd and cache its
  # certificate, decimal serial (certId) and private key in
  # @@signCerts[certPath]. When either argument is missing it only logs and
  # returns, caching nothing. An unreadable file or a wrong password raises
  # (IO / OpenSSL::PKCS12 errors) rather than being swallowed.
  # The password is deliberately never logged; keep it that way. The
  # private key stays in memory for the process lifetime.
  unless certPath && certPwd
    LogUtil.info("signCertPath or signCertPwd is none, exit initSignCert")
    return
  end
  LogUtil.info("读取签名证书……")
  bundle = OpenSSL::PKCS12.new(IO.binread(certPath), certPwd)
  entry = Cert.new
  entry.cert = bundle.certificate
  entry.certId = bundle.certificate.serial.to_s
  entry.key = bundle.key
  @@signCerts[certPath] = entry
  LogUtil.info("签名证书读取成功,序列号:" + entry.certId)
end