JRuby-OpenSSL 0.1

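--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,140 @@
+begin
+require "openssl"
+require File.join(File.dirname(__FILE__), "utils.rb")
+rescue LoadError
+end
+require "test/unit"
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestX509Request < Test::Unit::TestCase
+def setup
+@rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
+@rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
+@dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
+@dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
+@dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou")
+end
+
+def issue_csr(ver, dn, key, digest)
+req = OpenSSL::X509::Request.new
+req.version = ver
+req.subject = dn
+req.public_key = key.public_key
+req.sign(key, digest)
+req
+end
+
+def test_public_key
+req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der)
+req = OpenSSL::X509::Request.new(req.to_der)
+assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der)
+
+req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
+req = OpenSSL::X509::Request.new(req.to_der)
+assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
+end
+
+def test_version
+req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+assert_equal(0, req.version)
+req = OpenSSL::X509::Request.new(req.to_der)
+assert_equal(0, req.version)
+
+req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+assert_equal(1, req.version)
+req = OpenSSL::X509::Request.new(req.to_der)
+assert_equal(1, req.version)
+end
+
+def test_subject
+req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+assert_equal(@dn.to_der, req.subject.to_der)
+req = OpenSSL::X509::Request.new(req.to_der)
+assert_equal(@dn.to_der, req.subject.to_der)
+end
+
+def create_ext_req(exts)
+ef = OpenSSL::X509::ExtensionFactory.new
+exts = exts.collect{|e| ef.create_extension(*e) }
+return OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
+end
+
+def get_ext_req(ext_req_value)
+set = OpenSSL::ASN1.decode(ext_req_value)
+seq = set.value[0]
+seq.value.collect{|asn1ext|
+OpenSSL::X509::Extension.new(asn1ext).to_a
+}
+end
+
+def test_attr
+exts = [
+["keyUsage", "Digital Signature, Key Encipherment", true],
+["subjectAltName", "email:gotoyuzo@ruby-lang.org", false],
+]
+attrval = create_ext_req(exts)
+attrs = [
+OpenSSL::X509::Attribute.new("extReq", attrval),
+OpenSSL::X509::Attribute.new("msExtReq", attrval),
+]
+
+req0 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+attrs.each{|attr| req0.add_attribute(attr) }
+req1 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+req1.attributes = attrs
+assert_equal(req0.to_der, req1.to_der)
+
+attrs = req0.attributes
+assert_equal(2, attrs.size)
+assert_equal("extReq", attrs[0].oid)
+assert_equal("msExtReq", attrs[1].oid)
+assert_equal(exts, get_ext_req(attrs[0].value))
+assert_equal(exts, get_ext_req(attrs[1].value))
+
+req = OpenSSL::X509::Request.new(req0.to_der)
+attrs = req.attributes
+assert_equal(2, attrs.size)
+assert_equal("extReq", attrs[0].oid)
+assert_equal("msExtReq", attrs[1].oid)
+assert_equal(exts, get_ext_req(attrs[0].value))
+assert_equal(exts, get_ext_req(attrs[1].value))
+end
+
+def test_sign_and_verify
+req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+assert_equal(true, req.verify(@rsa1024))
+assert_equal(false, req.verify(@rsa2048))
+assert_equal(false, req.verify(@dsa256))
+assert_equal(false, req.verify(@dsa512))
+req.version = 1
+assert_equal(false, req.verify(@rsa1024))
+
+req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new)
+assert_equal(false, req.verify(@rsa1024))
+assert_equal(true, req.verify(@rsa2048))
+assert_equal(false, req.verify(@dsa256))
+assert_equal(false, req.verify(@dsa512))
+req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar")
+assert_equal(false, req.verify(@rsa2048))
+
+req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+assert_equal(false, req.verify(@rsa1024))
+assert_equal(false, req.verify(@rsa2048))
+assert_equal(false, req.verify(@dsa256))
+assert_equal(true, req.verify(@dsa512))
+req.public_key = @rsa1024.public_key
+assert_equal(false, req.verify(@dsa512))
+
+assert_raise(OpenSSL::X509::RequestError){
+issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) }
+assert_raise(OpenSSL::X509::RequestError){
+issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) }
+assert_raise(OpenSSL::X509::RequestError){
+issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) }
+end
+end
+
+end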
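Review bot: The `begin … rescue LoadError … end` around `require "openssl"` and `utils.rb`, combined with `if defined?(OpenSSL)` wrapping the whole test class, means a missing or broken JRuby-OpenSSL build makes this file define zero tests and the run stays green; the second file in this commit (`OpenSSL::TestX509Store`) repeats the same guard. Consider letting the LoadError propagate, or at least making the skip visible, e.g. `rescue LoadError => e` followed by `warn "skipping X509 request tests: #{e.message}"`. Separately, `test_sign_and_verify` only exercises the in-memory request; a DER round trip like the one in `test_public_key` would also pin that the signature survives serialization, e.g. `assert_equal(true, OpenSSL::X509::Request.new(req.to_der).verify(@rsa1024))` after the first positive check.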
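--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,217 @@
+begin
+require "openssl"
+require File.join(File.dirname(__FILE__), "utils.rb")
+rescue LoadError
+end
+require "test/unit"
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestX509Store < Test::Unit::TestCase
+def setup
+@rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
+@rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
+@dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
+@dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
+@ca1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA1")
+@ca2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA2")
+@ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
+@ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
+end
+
+def teardown
+end
+
+def issue_cert(*args)
+OpenSSL::TestUtils.issue_cert(*args)
+end
+
+def issue_crl(*args)
+OpenSSL::TestUtils.issue_crl(*args)
+end
+
+def test_verify
+now = Time.at(Time.now.to_i)
+ca_exts = [
+["basicConstraints","CA:TRUE",true],
+["keyUsage","cRLSign,keyCertSign",true],
+]
+ee_exts = [
+["keyUsage","keyEncipherment,digitalSignature",true],
+]
+ca1_cert = issue_cert(@ca1, @rsa2048, 1, now, now+3600, ca_exts,
+nil, nil, OpenSSL::Digest::SHA1.new)
+ca2_cert = issue_cert(@ca2, @rsa1024, 2, now, now+1800, ca_exts,
+ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ee1_cert = issue_cert(@ee1, @dsa256, 10, now, now+1800, ee_exts,
+ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+ee2_cert = issue_cert(@ee2, @dsa512, 20, now, now+1800, ee_exts,
+ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts,
+ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts,
+ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+
+revoke_info = []
+crl1 = issue_crl(revoke_info, 1, now, now+1800, [],
+ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+revoke_info = [ [2, now, 1], ]
+crl1_2 = issue_crl(revoke_info, 2, now, now+1800, [],
+ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+revoke_info = [ [20, now, 1], ]
+crl2 = issue_crl(revoke_info, 1, now, now+1800, [],
+ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+revoke_info = []
+crl2_2 = issue_crl(revoke_info, 2, now-100, now-1, [],
+ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+
+assert(true, ca1_cert.verify(ca1_cert.public_key)) # self signed
+assert(true, ca2_cert.verify(ca1_cert.public_key)) # issued by ca1
+assert(true, ee1_cert.verify(ca2_cert.public_key)) # issued by ca2
+assert(true, ee2_cert.verify(ca2_cert.public_key)) # issued by ca2
+assert(true, ee3_cert.verify(ca2_cert.public_key)) # issued by ca2
+assert(true, crl1.verify(ca1_cert.public_key)) # issued by ca1
+assert(true, crl1_2.verify(ca1_cert.public_key)) # issued by ca1
+assert(true, crl2.verify(ca2_cert.public_key)) # issued by ca2
+assert(true, crl2_2.verify(ca2_cert.public_key)) # issued by ca2
+
+store = OpenSSL::X509::Store.new
+assert_equal(false, store.verify(ca1_cert))
+assert_not_equal(OpenSSL::X509::V_OK, store.error)
+
+assert_equal(false, store.verify(ca2_cert))
+assert_not_equal(OpenSSL::X509::V_OK, store.error)
+
+store.add_cert(ca1_cert)
+assert_equal(true, store.verify(ca2_cert))
+assert_equal(OpenSSL::X509::V_OK, store.error)
+assert_equal("ok", store.error_string)
+chain = store.chain
+assert_equal(2, chain.size)
+assert_equal(@ca2.to_der, chain[0].subject.to_der)
+assert_equal(@ca1.to_der, chain[1].subject.to_der)
+
+store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+assert_equal(false, store.verify(ca2_cert))
+assert_not_equal(OpenSSL::X509::V_OK, store.error)
+
+store.purpose = OpenSSL::X509::PURPOSE_CRL_SIGN
+assert_equal(true, store.verify(ca2_cert))
+assert_equal(OpenSSL::X509::V_OK, store.error)
+store.add_cert(ca2_cert)
+store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+assert_equal(true, store.verify(ee1_cert))
+assert_equal(true, store.verify(ee2_cert))
+assert_equal(OpenSSL::X509::V_OK, store.error)
+assert_equal("ok", store.error_string)
+chain = store.chain
+assert_equal(3, chain.size)
+assert_equal(@ee2.to_der, chain[0].subject.to_der)
+assert_equal(@ca2.to_der, chain[1].subject.to_der)
+assert_equal(@ca1.to_der, chain[2].subject.to_der)
+assert_equal(false, store.verify(ee3_cert))
+assert_equal(OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, store.error)
+assert_match(/expire/i, store.error_string)
+assert_equal(false, store.verify(ee4_cert))
+assert_equal(OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID, store.error)
+assert_match(/not yet valid/i, store.error_string)
+
+store = OpenSSL::X509::Store.new
+store.add_cert(ca1_cert)
+store.add_cert(ca2_cert)
+store.time = now + 1500
+assert_equal(true, store.verify(ca1_cert))
+assert_equal(true, store.verify(ca2_cert))
+assert_equal(true, store.verify(ee4_cert))
+store.time = now + 1900
+assert_equal(true, store.verify(ca1_cert))
+assert_equal(false, store.verify(ca2_cert))
+assert_equal(OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, store.error)
+assert_equal(false, store.verify(ee4_cert))
+assert_equal(OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, store.error)
+store.time = now + 4000
+assert_equal(false, store.verify(ee1_cert))
+assert_equal(OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, store.error)
+assert_equal(false, store.verify(ee4_cert))
+assert_equal(OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, store.error)
+
+# the underlying X509 struct caches the result of the last
+# verification for signature and not-before. so the following code
+# rebuilds new objects to avoid site effect.
+store.time = Time.now - 4000
+assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ca2_cert)))
+assert_equal(OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID, store.error)
+assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ee1_cert)))
+assert_equal(OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID, store.error)
+
+return unless defined?(OpenSSL::X509::V_FLAG_CRL_CHECK)
+
+store = OpenSSL::X509::Store.new
+store.purpose = OpenSSL::X509::PURPOSE_ANY
+store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
+store.add_cert(ca1_cert)
+store.add_crl(crl1) # revoke no cert
+store.add_crl(crl2) # revoke ee2_cert
+assert_equal(true, store.verify(ca1_cert))
+assert_equal(true, store.verify(ca2_cert))
+assert_equal(true, store.verify(ee1_cert, [ca2_cert]))
+assert_equal(false, store.verify(ee2_cert, [ca2_cert]))
+
+store = OpenSSL::X509::Store.new
+store.purpose = OpenSSL::X509::PURPOSE_ANY
+store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
+store.add_cert(ca1_cert)
+store.add_crl(crl1_2) # revoke ca2_cert
+store.add_crl(crl2) # revoke ee2_cert
+assert_equal(true, store.verify(ca1_cert))
+assert_equal(false, store.verify(ca2_cert))
+assert_equal(true, store.verify(ee1_cert, [ca2_cert]),
+"This test is expected to be success with OpenSSL 0.9.7c or later.")
+assert_equal(false, store.verify(ee2_cert, [ca2_cert]))
+
+store.flags =
+OpenSSL::X509::V_FLAG_CRL_CHECK|OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+assert_equal(true, store.verify(ca1_cert))
+assert_equal(false, store.verify(ca2_cert))
+assert_equal(false, store.verify(ee1_cert, [ca2_cert]))
+assert_equal(false, store.verify(ee2_cert, [ca2_cert]))
+
+store = OpenSSL::X509::Store.new
+store.purpose = OpenSSL::X509::PURPOSE_ANY
+store.flags =
+OpenSSL::X509::V_FLAG_CRL_CHECK|OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+store.add_cert(ca1_cert)
+store.add_cert(ca2_cert)
+store.add_crl(crl1)
+store.add_crl(crl2_2) # issued by ca2 but expired.
+assert_equal(true, store.verify(ca1_cert))
+assert_equal(true, store.verify(ca2_cert))
+assert_equal(false, store.verify(ee1_cert))
+assert_equal(OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED, store.error)
+assert_equal(false, store.verify(ee2_cert))
+end
+
+def test_set_errors
+now = Time.now
+ca1_cert = issue_cert(@ca1, @rsa2048, 1, now, now+3600, [],
+nil, nil, OpenSSL::Digest::SHA1.new)
+store = OpenSSL::X509::Store.new
+store.add_cert(ca1_cert)
+assert_raises(OpenSSL::X509::StoreError){
+store.add_cert(ca1_cert) # add same certificate twice
+}
+
+revoke_info = []
+crl1 = issue_crl(revoke_info, 1, now, now+1800, [],
+ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+revoke_info = [ [2, now, 1], ]
+crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [],
+ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+store.add_crl(crl1)
+assert_raises(OpenSSL::X509::StoreError){
+store.add_crl(crl2) # add CRL issued by same CA twice.
+}
+end
+end
+
+end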
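Review bot: The nine `assert(true, X.verify(...))` lines in `test_verify`, from `ca1_cert.verify(ca1_cert.public_key)` through `crl2_2.verify(ca2_cert.public_key)`, never check the verify result: `assert` takes the value under test as its first argument and a failure message as its second, so each of these passes unconditionally and a signature-verification regression in the port would go unnoticed here. Change them to the form already used elsewhere in the method, e.g. `assert_equal(true, ca1_cert.verify(ca1_cert.public_key)) # self signed`, and likewise for the other eight. A smaller consistency nit: the not-yet-valid block sets `store.time = Time.now - 4000` while every certificate and the rest of the method use the truncated `now`; `store.time = now - 4000` keeps the test on one clock.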
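--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,135 @@
+require "openssl"
+require "test/unit"
+
+module OpenSSL::TestUtils
+TEST_KEY_RSA1024 = OpenSSL::PKey::RSA.new <<-_end_of_pem_
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx
+aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/
+Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB
+AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0
+maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T
+gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572
+74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE
+JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX
+sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII
+8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA
+wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi
+qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD
+dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA==
+-----END RSA PRIVATE KEY-----
+_end_of_pem_
+
+TEST_KEY_RSA2048 = OpenSSL::PKey::RSA.new <<-_end_of_pem_
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAuV9ht9J7k4NBs38jOXvvTKY9gW8nLICSno5EETR1cuF7i4pN
+s9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enenfzq/t/e/1IRW0wkJUJUFQign
+4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWmqbjs07JbuS4QQGGXLc+Su96D
+kYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v68JkRFIhdGlb6JL8fllf/A/bl
+NwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX9KZYcU00mOX+fdxOSnGqS/8J
+DRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wIDAQABAoIBAAzsamqfYQAqwXTb
+I0CJtGg6msUgU7HVkOM+9d3hM2L791oGHV6xBAdpXW2H8LgvZHJ8eOeSghR8+dgq
+PIqAffo4x1Oma+FOg3A0fb0evyiACyrOk+EcBdbBeLo/LcvahBtqnDfiUMQTpy6V
+seSoFCwuN91TSCeGIsDpRjbG1vxZgtx+uI+oH5+ytqJOmfCksRDCkMglGkzyfcl0
+Xc5CUhIJ0my53xijEUQl19rtWdMnNnnkdbG8PT3LZlOta5Do86BElzUYka0C6dUc
+VsBDQ0Nup0P6rEQgy7tephHoRlUGTYamsajGJaAo1F3IQVIrRSuagi7+YpSpCqsW
+wORqorkCgYEA7RdX6MDVrbw7LePnhyuaqTiMK+055/R1TqhB1JvvxJ1CXk2rDL6G
+0TLHQ7oGofd5LYiemg4ZVtWdJe43BPZlVgT6lvL/iGo8JnrncB9Da6L7nrq/+Rvj
+XGjf1qODCK+LmreZWEsaLPURIoR/Ewwxb9J2zd0CaMjeTwafJo1CZvcCgYEAyCgb
+aqoWvUecX8VvARfuA593Lsi50t4MEArnOXXcd1RnXoZWhbx5rgO8/ATKfXr0BK/n
+h2GF9PfKzHFm/4V6e82OL7gu/kLy2u9bXN74vOvWFL5NOrOKPM7Kg+9I131kNYOw
+Ivnr/VtHE5s0dY7JChYWE1F3vArrOw3T00a4CXUCgYEA0SqY+dS2LvIzW4cHCe9k
+IQqsT0yYm5TFsUEr4sA3xcPfe4cV8sZb9k/QEGYb1+SWWZ+AHPV3UW5fl8kTbSNb
+v4ng8i8rVVQ0ANbJO9e5CUrepein2MPL0AkOATR8M7t7dGGpvYV0cFk8ZrFx0oId
+U0PgYDotF/iueBWlbsOM430CgYEAqYI95dFyPI5/AiSkY5queeb8+mQH62sdcCCr
+vd/w/CZA/K5sbAo4SoTj8dLk4evU6HtIa0DOP63y071eaxvRpTNqLUOgmLh+D6gS
+Cc7TfLuFrD+WDBatBd5jZ+SoHccVrLR/4L8jeodo5FPW05A+9gnKXEXsTxY4LOUC
+9bS4e1kCgYAqVXZh63JsMwoaxCYmQ66eJojKa47VNrOeIZDZvd2BPVf30glBOT41
+gBoDG3WMPZoQj9pb7uMcrnvs4APj2FIhMU8U15LcPAj59cD6S6rWnAxO8NFK7HQG
+4Jxg3JNNf8ErQoCHb1B3oVdXJkmbJkARoDpBKmTCgKtP8ADYLmVPQw==
+-----END RSA PRIVATE KEY-----
+_end_of_pem_
+
+TEST_KEY_DSA256 = OpenSSL::PKey::DSA.new <<-_end_of_pem_
+-----BEGIN DSA PRIVATE KEY-----
+MIH3AgEAAkEAhk2libbY2a8y2Pt21+YPYGZeW6wzaW2yfj5oiClXro9XMR7XWLkE
+9B7XxLNFCS2gmCCdMsMW1HulaHtLFQmB2wIVAM43JZrcgpu6ajZ01VkLc93gu/Ed
+AkAOhujZrrKV5CzBKutKLb0GVyVWmdC7InoNSMZEeGU72rT96IjM59YzoqmD0pGM
+3I1o4cGqg1D1DfM1rQlnN1eSAkBq6xXfEDwJ1mLNxF6q8Zm/ugFYWR5xcX/3wFiT
+b4+EjHP/DbNh9Vm5wcfnDBJ1zKvrMEf2xqngYdrV/3CiGJeKAhRvL57QvJZcQGvn
+ISNX5cMzFHRW3Q==
+-----END DSA PRIVATE KEY-----
+_end_of_pem_
+
+TEST_KEY_DSA512 = OpenSSL::PKey::DSA.new <<-_end_of_pem_
+-----BEGIN DSA PRIVATE KEY-----
+MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok
+RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D
+AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR
+S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++
+Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S
+55jreJD3Se3slps=
+-----END DSA PRIVATE KEY-----
+_end_of_pem_
+
+module_function
+
+def issue_cert(dn, key, serial, not_before, not_after, extensions,
+issuer, issuer_key, digest)
+cert = OpenSSL::X509::Certificate.new
+issuer = cert unless issuer
+issuer_key = key unless issuer_key
+cert.version = 2
+cert.serial = serial
+cert.subject = dn
+cert.issuer = issuer.subject
+cert.public_key = key.public_key
+cert.not_before = not_before
+cert.not_after = not_after
+ef = OpenSSL::X509::ExtensionFactory.new
+ef.subject_certificate = cert
+ef.issuer_certificate = issuer
+extensions.each{|oid, value, critical|
+cert.add_extension(ef.create_extension(oid, value, critical))
+}
+cert.sign(issuer_key, digest)
+cert
+end
+
+def issue_crl(revoke_info, serial, lastup, nextup, extensions,
+issuer, issuer_key, digest)
+crl = OpenSSL::X509::CRL.new
+crl.issuer = issuer.subject
+crl.version = 1
+crl.last_update = lastup
+crl.next_update = nextup
+revoke_info.each{|serial, time, reason_code|
+revoked = OpenSSL::X509::Revoked.new
+revoked.serial = serial
+revoked.time = time
+enum = OpenSSL::ASN1::Enumerated(reason_code)
+ext = OpenSSL::X509::Extension.new("CRLReason", enum)
+revoked.add_extension(ext)
+crl.add_revoked(revoked)
+}
+ef = OpenSSL::X509::ExtensionFactory.new
+ef.issuer_certificate = issuer
+ef.crl = crl
+crlnum = OpenSSL::ASN1::Integer(serial)
+crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", crlnum))
+extensions.each{|oid, value, critical|
+crl.add_extension(ef.create_extension(oid, value, critical))
+}
+crl.sign(issuer_key, digest)
+crl
+end
+
+def get_subject_key_id(cert)
+asn1_cert = OpenSSL::ASN1.decode(cert)
+tbscert = asn1_cert.value[0]
+pkinfo = tbscert.value[6]
+publickey = pkinfo.value[1]
+pkvalue = publickey.value
+OpenSSL::Digest::SHA1.hexdigest(pkvalue).scan(/../).join(":").upcase
+end
+end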
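Review bot: In `issue_crl`, the block parameter in `revoke_info.each{|serial, time, reason_code|` shadows the method's own `serial` argument, which is read afterwards by `crlnum = OpenSSL::ASN1::Integer(serial)`; under Ruby 1.8 block semantics (which a JRuby of this vintage presumably follows) a block parameter assigns to the outer local, so any non-empty `revoke_info` makes the crlNumber extension carry the last revoked serial instead of the CRL's own number, and under 1.9+ it is still a shadowing warning. Rename the block parameter, `revoke_info.each{|rev_serial, time, reason_code|` with `revoked.serial = rev_serial`; none of the store tests inspect crlNumber, so nothing currently catches this. The four `TEST_KEY_*` constants also deserve a header comment such as `# Test-only key fixtures, deliberately small (1024-bit RSA, 256/512-bit DSA) for speed; never reuse outside this suite.`, since private keys pasted into source tend to get copied. In `get_subject_key_id`, `tbscert.value[6]` is the SubjectPublicKeyInfo only when the optional TBSCertificate version element is present (as I read RFC 5280); `issue_cert` always sets `cert.version = 2`, so it holds for certificates from this module, but a comment `# index 6 assumes the explicit version element (v2/v3 certs)` would warn a later caller passing v1 input.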