certificate_authority 0.1.1

data/spec/units/distinguished_name_spec.rb

@@ -0,0 +1,38 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::DistinguishedName do
+  before(:each) do
+    @distinguished_name = CertificateAuthority::DistinguishedName.new
+  end
+  
+  it "should provide the standard x.509 distinguished name common attributes" do
+    @distinguished_name.respond_to?(:cn).should be_true
+    @distinguished_name.respond_to?(:l).should be_true
+    @distinguished_name.respond_to?(:s).should be_true
+    @distinguished_name.respond_to?(:o).should be_true
+    @distinguished_name.respond_to?(:ou).should be_true
+    @distinguished_name.respond_to?(:c).should be_true
+  end
+  
+  it "should provide human-readable equivalents to the distinguished name common attributes" do
+    @distinguished_name.respond_to?(:common_name).should be_true
+    @distinguished_name.respond_to?(:locality).should be_true
+    @distinguished_name.respond_to?(:state).should be_true
+    @distinguished_name.respond_to?(:organization).should be_true
+    @distinguished_name.respond_to?(:organizational_unit).should be_true
+    @distinguished_name.respond_to?(:country).should be_true
+  end
+  
+  it "should require a common name" do
+    @distinguished_name.valid?.should be_false
+    @distinguished_name.errors.size.should == 1
+    @distinguished_name.common_name = "chrischandler.name"
+    @distinguished_name.valid?.should be_true
+  end
+  
+  it "should be convertible to an OpenSSL::X509::Name" do
+    @distinguished_name.common_name = "chrischandler.name"
+    @distinguished_name.to_x509_name
+  end
+  
+end

data/spec/units/extensions_spec.rb

@@ -0,0 +1,53 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::Extensions do
+  describe CertificateAuthority::Extensions::BasicContraints do
+    it "should only allow true/false" do
+      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
+      basic_constraints.valid?.should be_true
+      basic_constraints.ca = "moo"
+      basic_constraints.valid?.should be_false
+    end
+    
+    it "should respond to :path_len" do
+      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
+      basic_constraints.respond_to?(:path_len).should be_true
+    end
+    
+    it "should raise an error if :path_len isn't a non-negative integer" do
+      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
+      lambda {basic_constraints.path_len = "moo"}.should raise_error
+      lambda {basic_constraints.path_len = -1}.should raise_error
+      lambda {basic_constraints.path_len = 1.5}.should raise_error
+    end
+    
+    it "should generate a proper OpenSSL extension string" do
+      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
+      basic_constraints.ca = true
+      basic_constraints.path_len = 2
+      basic_constraints.to_s.should == "CA:true,pathlen:2"
+    end
+  end
+  
+  describe CertificateAuthority::Extensions::SubjectAlternativeName do
+    it "should respond to :uris" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      subjectAltName.respond_to?(:uris).should be_true
+    end
+    
+    it "should require 'uris' to be an Array" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      lambda {subjectAltName.uris = "not an array"}.should raise_error
+    end
+    
+    it "should generate a proper OpenSSL extension string" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      subjectAltName.uris = ["http://localhost.altname.example.com"]
+      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com"
+      
+      subjectAltName.uris = ["http://localhost.altname.example.com", "http://other.example.com"]
+      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com,URI:http://other.example.com"
+    end
+    
+  end
+end

data/spec/units/key_material_spec.rb

@@ -0,0 +1,96 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::MemoryKeyMaterial do
+  before(:each) do
+    @key_material = CertificateAuthority::MemoryKeyMaterial.new
+  end
+  
+  it "should know if a key is in memory or hardware" do
+    @key_material.is_in_hardware?.should_not be_nil
+    @key_material.is_in_memory?.should_not be_nil
+  end
+  
+  it "should use memory by default" do
+    @key_material.is_in_memory?.should be_true
+  end
+  
+  it "should be able to generate an RSA key" do
+    @key_material.generate_key.should_not be_nil
+  end
+  
+  it "should generate a proper OpenSSL::PKey::RSA" do
+    @key_material.generate_key.class.should == OpenSSL::PKey::RSA
+  end
+  
+  it "should be able to specify the size of the modulus to generate" do
+    @key_material.generate_key(768).should_not be_nil
+  end
+  
+  describe "in memory" do
+    before(:all) do
+      @key_material_in_memory = CertificateAuthority::MemoryKeyMaterial.new
+      @key_material_in_memory.generate_key
+    end
+    
+    it "should be able to retrieve the private key" do
+      @key_material_in_memory.private_key.should_not be_nil
+    end
+    
+    it "should be able to retrieve the public key" do
+      @key_material_in_memory.public_key.should_not be_nil
+    end
+  end
+  
+  ## Anything that requires crypto hardware needs to be tagged as 'pkcs11'
+  describe "in hardware", :pkcs11 => true do
+    before(:each) do
+      @key_material_in_hardware = CertificateAuthority::Pkcs11KeyMaterial.new
+      @key_material_in_hardware.token_id = "46"
+      @key_material_in_hardware.pkcs11_lib = "/usr/lib/libeTPkcs11.so"
+      @key_material_in_hardware.openssl_pkcs11_engine_lib = "/usr/lib/engines/engine_pkcs11.so"
+      @key_material_in_hardware.pin = "11111111"
+    end
+    
+    it "should identify as being in hardware", :pkcs11 => true do
+      @key_material_in_hardware.is_in_hardware?.should be_true
+    end
+    
+    it "should return a Pkey ref if the private key is requested", :pkcs11 => true do
+      @key_material_in_hardware.private_key.class.should == OpenSSL::PKey::RSA
+    end
+    
+    it "should return a Pkey ref if the private key is requested", :pkcs11 => true do
+      @key_material_in_hardware.public_key.class.should == OpenSSL::PKey::RSA
+    end
+    
+    it "should accept an ID for on-token objects", :pkcs11 => true do
+      @key_material_in_hardware.respond_to?(:token_id).should be_true
+    end
+    
+    it "should accept a path to a shared library for a PKCS11 driver", :pkcs11 => true do
+      @key_material_in_hardware.respond_to?(:pkcs11_lib).should be_true
+    end
+    
+    it "should accept a path to OpenSSL's dynamic PKCS11 engine (provided by libengine-pkcs11-openssl)", :pkcs11 => true do
+      @key_material_in_hardware.respond_to?(:openssl_pkcs11_engine_lib).should be_true
+    end
+    
+    it "should accept an optional PIN to authenticate to the token", :pkcs11 => true do
+      @key_material_in_hardware.respond_to?(:pin).should be_true
+    end
+    
+  end
+  
+  it "not validate without public and private keys" do
+    @key_material.valid?.should be_false
+    @key_material.generate_key
+    @key_material.valid?.should be_true
+    pub = @key_material.public_key
+    @key_material.public_key = nil
+    @key_material.valid?.should be_false
+    @key_material.public_key = pub
+    @key_material.private_key = nil
+    @key_material.valid?.should be_false
+  end
+  
+end

data/spec/units/ocsp_handler_spec.rb

@@ -0,0 +1,104 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::OCSPHandler do
+  before(:each) do
+    @ocsp_handler = CertificateAuthority::OCSPHandler.new
+    
+    @root_certificate = CertificateAuthority::Certificate.new
+    @root_certificate.signing_entity = true
+    @root_certificate.subject.common_name = "OCSP Root"
+    @root_certificate.key_material.generate_key
+    @root_certificate.serial_number.number = 1
+    @root_certificate.sign!
+    
+    @certificate = CertificateAuthority::Certificate.new
+    @certificate.key_material.generate_key
+    @certificate.subject.common_name = "http://questionablesite.com"
+    @certificate.parent = @root_certificate
+    @certificate.serial_number.number = 2
+    @certificate.sign!
+    
+    @ocsp_request = OpenSSL::OCSP::Request.new
+    openssl_cert_issuer = OpenSSL::X509::Certificate.new(@root_certificate.to_pem)
+    openssl_cert_subject = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+    
+    cert_id = OpenSSL::OCSP::CertificateId.new(openssl_cert_subject, openssl_cert_issuer)
+    @ocsp_request.add_certid(cert_id)
+    @ocsp_handler.ocsp_request = @ocsp_request.to_der
+  end
+  
+  it "should be able to accept an OCSP Request" do
+    @ocsp_handler.ocsp_request = @ocsp_request
+    @ocsp_handler.ocsp_request.should_not be_nil
+  end
+  
+  it "should raise an error if you try and extract certificates without a raw request" do
+    @ocsp_handler.extract_certificate_serials
+    @ocsp_handler.ocsp_request = nil
+    lambda {@ocsp_handler.extract_certificate_serials}.should raise_error
+  end
+  
+  it "should return a hash of extracted certificates from OCSP requests" do
+    result = @ocsp_handler.extract_certificate_serials
+    result.size.should == 1
+  end
+  
+  it "should be able to generate an OCSP response" do
+    @ocsp_handler.extract_certificate_serials
+    @ocsp_handler << @certificate
+    @ocsp_handler.parent = @root_certificate
+    @ocsp_handler.response
+  end
+  
+  it "should require a 'parent' entity for signing" do
+    @ocsp_handler.parent = @root_certificate
+    @ocsp_handler.parent.should_not be_nil
+  end
+  
+  it "should raise an error if you ask for the signed OCSP response without generating it" do
+    @ocsp_handler.extract_certificate_serials
+    @ocsp_handler << @certificate
+    @ocsp_handler.parent = @root_certificate
+    lambda { @ocsp_handler.to_der }.should raise_error
+    @ocsp_handler.response
+    @ocsp_handler.to_der.should_not be_nil
+  end
+  
+  it "should raise an error if you generate a response without adding all certificates in request" do
+    @ocsp_handler.extract_certificate_serials
+    @ocsp_handler.parent = @root_certificate
+    lambda { @ocsp_handler.response }.should raise_error
+  end
+  
+  it "should raise an error if you generate a response without adding a parent signing entity" do
+    @ocsp_handler.extract_certificate_serials
+    @ocsp_handler << @certificate
+    lambda { @ocsp_handler.response }.should raise_error
+  end
+  
+  describe "Response" do
+    before(:each) do
+      @ocsp_handler.extract_certificate_serials
+      @ocsp_handler << @certificate
+      @ocsp_handler.parent = @root_certificate
+      @ocsp_handler.response
+      
+      @openssl_ocsp_response = OpenSSL::OCSP::Response.new(@ocsp_handler.to_der)
+    end
+    
+    it "should have a correct status/status string" do
+      @openssl_ocsp_response.status_string.should == "successful"
+      @openssl_ocsp_response.status.should == 0
+    end
+    
+    it "should have an embedded BasicResponse with certificate statuses" do
+      # [#<OpenSSL::OCSP::CertificateId:0x000001020ecad8>, 0, 1, nil, 2011-04-15 23:29:47 UTC, 2011-04-15 23:30:17 UTC, []]
+      @openssl_ocsp_response.basic.status.first[1].should == 0 # Everything is OK
+    end
+    
+    it "should have a next_update time" do
+      @openssl_ocsp_response.basic.status.first[5].should_not be_nil
+      @openssl_ocsp_response.basic.status.first[5].class.should == Time
+    end
+  end
+end

data/spec/units/serial_number_spec.rb

@@ -0,0 +1,20 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::SerialNumber do
+  before(:each) do
+    @serial_number = CertificateAuthority::SerialNumber.new
+  end
+  
+  it "should support basic integer serial numbers", :rfc3280 => true do
+    @serial_number.number = 25
+    @serial_number.should be_valid
+    @serial_number.number = "abc"
+    @serial_number.should_not be_valid
+  end
+  
+  it "should not allow negative serial numbers", :rfc3280 => true do
+    @serial_number.number = -5
+    @serial_number.should_not be_valid
+  end
+  
+end

data/spec/units/signing_entity_spec.rb

@@ -0,0 +1,4 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::SigningEntity do
+end

data/spec/units/units_helper.rb

@@ -0,0 +1 @@
+require File.dirname(__FILE__) + '/../spec_helper'

metadata

@@ -0,0 +1,148 @@
+--- !ruby/object:Gem::Specification 
+name: certificate_authority
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: 0.1.1
+platform: ruby
+authors: 
+- Chris Chandler
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-04-20 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: activemodel
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+  type: :runtime
+  prerelease: false
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+  type: :runtime
+  prerelease: false
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: jeweler
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 1.5.2
+  type: :runtime
+  prerelease: false
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rcov
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+  type: :runtime
+  prerelease: false
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: activemodel
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        version: 3.0.6
+  type: :runtime
+  prerelease: false
+  version_requirements: *id005
+description: 
+email: chris@flatterline.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README.rdoc
+files: 
+- Gemfile
+- Gemfile.lock
+- README.rdoc
+- Rakefile
+- VERSION.yml
+- certificate_authority.gemspec
+- lib/certificate_authority.rb
+- lib/certificate_authority/certificate.rb
+- lib/certificate_authority/certificate_revocation_list.rb
+- lib/certificate_authority/distinguished_name.rb
+- lib/certificate_authority/extensions.rb
+- lib/certificate_authority/key_material.rb
+- lib/certificate_authority/ocsp_handler.rb
+- lib/certificate_authority/pkcs11_key_material.rb
+- lib/certificate_authority/serial_number.rb
+- lib/certificate_authority/signing_entity.rb
+- lib/tasks/certificate_authority.rake
+- spec/spec_helper.rb
+- spec/units/certificate_authority_spec.rb
+- spec/units/certificate_revocation_list_spec.rb
+- spec/units/certificate_spec.rb
+- spec/units/distinguished_name_spec.rb
+- spec/units/extensions_spec.rb
+- spec/units/key_material_spec.rb
+- spec/units/ocsp_handler_spec.rb
+- spec/units/serial_number_spec.rb
+- spec/units/signing_entity_spec.rb
+- spec/units/units_helper.rb
+homepage: http://github.com/cchandler/certificate_authority
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: -1515713382704752763
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.7.2
+signing_key: 
+specification_version: 3
+summary: Ruby gem for managing the core functions outlined in RFC-3280 for PKI
+test_files: 
+- spec/spec_helper.rb
+- spec/units/certificate_authority_spec.rb
+- spec/units/certificate_revocation_list_spec.rb
+- spec/units/certificate_spec.rb
+- spec/units/distinguished_name_spec.rb
+- spec/units/extensions_spec.rb
+- spec/units/key_material_spec.rb
+- spec/units/ocsp_handler_spec.rb
+- spec/units/serial_number_spec.rb
+- spec/units/signing_entity_spec.rb
+- spec/units/units_helper.rb