certificate_authority 0.1.2 → 1.0.0

data/spec/units/certificate_spec.rb

@@ -1,351 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority::Certificate do
-  before(:each) do
-    @certificate = CertificateAuthority::Certificate.new
-  end
-  
-  describe CertificateAuthority::SigningEntity do
-    it "should behave as a signing entity" do
-      @certificate.respond_to?(:is_signing_entity?).should be_true
-    end
-    
-    it "should only be a signing entity if it's identified as a CA", :rfc3280 => true do
-      @certificate.is_signing_entity?.should be_false
-      @certificate.signing_entity = true
-      @certificate.is_signing_entity?.should be_true
-    end
-    
-    describe "Root certificates" do
-      before(:each) do
-        @certificate.signing_entity = true
-      end
-      
-      it "should be able to be identified as a root certificate" do
-        @certificate.is_root_entity?.should be_true
-      end
-      
-      it "should only be a root certificate if the parent entity is itself", :rfc3280 => true do
-        @certificate.parent.should == @certificate
-      end
-      
-      it "should be a root certificate by default" do
-        @certificate.is_root_entity?.should be_true
-      end
-      
-      it "should be able to self-sign" do
-        @certificate.serial_number.number = 1
-        @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
-        @certificate.sign!
-        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        cert.subject.to_s.should == cert.issuer.to_s
-      end
-      
-      it "should have the basicContraint CA:TRUE" do
-        @certificate.serial_number.number = 1
-        @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
-        @certificate.sign!
-        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:TRUE"
-      end
-    end
-    
-    describe "Intermediate certificates" do
-      before(:each) do
-        @different_cert = CertificateAuthority::Certificate.new
-        @different_cert.signing_entity = true
-        @different_cert.subject.common_name = "chrischandler.name root"
-        @different_cert.key_material.generate_key
-        @different_cert.serial_number.number = 2
-        @different_cert.sign! #self-signed
-        @certificate.parent = @different_cert
-        @certificate.signing_entity = true
-      end
-      
-      it "should be able to be identified as an intermediate certificate" do
-        @certificate.is_intermediate_entity?.should be_true
-      end
-      
-      it "should not be identified as a root" do
-        @certificate.is_root_entity?.should be_false
-      end
-      
-      it "should only be an intermediate certificate if the parent is a different entity" do
-        @certificate.parent.should_not == @certificate
-        @certificate.parent.should_not be_nil
-      end
-      
-      it "should correctly be signed by a parent certificate" do
-        @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
-        @certificate.signing_entity = true
-        @certificate.serial_number.number = 1
-        @certificate.sign!
-        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        cert.subject.to_s.should_not == cert.issuer.to_s
-      end
-      
-      it "should have the basicContraint CA:TRUE" do
-        @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
-        @certificate.signing_entity = true
-        @certificate.serial_number.number = 3
-        @certificate.sign!
-        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        # cert.extensions.first.value.should == "CA:TRUE"
-        cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:TRUE"
-      end
-      
-    end
-    
-    describe "Terminal certificates" do
-      before(:each) do
-        @different_cert = CertificateAuthority::Certificate.new
-        @different_cert.signing_entity = true
-        @different_cert.subject.common_name = "chrischandler.name root"
-        @different_cert.key_material.generate_key
-        @different_cert.serial_number.number = 1
-        @different_cert.sign! #self-signed
-        @certificate.parent = @different_cert
-      end
-      
-      it "should not be identified as an intermediate certificate" do
-        @certificate.is_intermediate_entity?.should be_false
-      end
-      
-      it "should not be identified as a root" do
-        @certificate.is_root_entity?.should be_false
-      end
-      
-      it "should have the basicContraint CA:FALSE" do
-        @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
-        @certificate.signing_entity = false
-        @certificate.serial_number.number = 1
-        @certificate.sign!
-        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        # cert.extensions.first.value.should == "CA:FALSE"
-        cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:FALSE"
-      end
-    end
-    
-
-    it "should be able to be identified as a root certificate" do
-      @certificate.respond_to?(:is_root_entity?).should be_true
-    end
-  end #End of SigningEntity
-  
-  describe "Signed certificates" do
-    before(:each) do
-      @certificate = CertificateAuthority::Certificate.new
-      @certificate.subject.common_name = "chrischandler.name"
-      @certificate.key_material.generate_key
-      @certificate.serial_number.number = 1
-      @certificate.sign!
-    end
-    
-    it "should have a PEM encoded certificate body available" do
-      @certificate.to_pem.should_not be_nil
-      OpenSSL::X509::Certificate.new(@certificate.to_pem).should_not be_nil
-    end
-  end
-  
-  describe "X.509 V3 Extensions on Signed Certificates" do
-    before(:each) do
-      @certificate = CertificateAuthority::Certificate.new
-      @certificate.subject.common_name = "chrischandler.name"
-      @certificate.key_material.generate_key
-      @certificate.serial_number.number = 1
-      @signing_profile = {
-        "extensions" => {
-          "subjectAltName" => {"uris" => ["www.chrischandler.name"]},
-          "certificatePolicies" => { 
-            "policy_identifier" => "1.3.5.7", 
-            "cps_uris" => ["http://my.host.name/", "http://my.your.name/"],
-            "user_notice" => {
-             "explicit_text" => "Testing!", "organization" => "RSpec Test organization name", "notice_numbers" => "1,2,3,4"
-            }
-          }
-        }
-      }
-      @certificate.sign!(@signing_profile)
-    end
-    
-    describe "SubjectAltName" do
-      before(:each) do
-        @certificate = CertificateAuthority::Certificate.new
-        @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
-        @certificate.serial_number.number = 1
-      end
-      
-      it  "should have a subjectAltName if specified" do
-        @certificate.sign!({"extensions" => {"subjectAltName" => {"uris" => ["www.chrischandler.name"]}}})
-        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        cert.extensions.map(&:oid).include?("subjectAltName").should be_true
-      end
-      
-      it "should NOT have a subjectAltName if one was not specified" do
-        @certificate.sign!
-        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        cert.extensions.map(&:oid).include?("subjectAltName").should be_false
-      end
-    end
-    
-    describe "CertificatePolicies" do
-      before(:each) do
-        @certificate = CertificateAuthority::Certificate.new
-        @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
-        @certificate.serial_number.number = 1
-      end
-      
-      it "should have a certificatePolicy if specified" do
-        @certificate.sign!({
-          "extensions" => {
-            "certificatePolicies" => { 
-              "policy_identifier" => "1.3.5.7", 
-              "cps_uris" => ["http://my.host.name/", "http://my.your.name/"]
-            }
-          }
-        })
-        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        cert.extensions.map(&:oid).include?("certificatePolicies").should be_true
-      end
-      
-      it "should contain a nested userNotice if specified" do
-        pending
-        # @certificate.sign!({
-        #   "extensions" => {
-        #     "certificatePolicies" => { 
-        #       "policy_identifier" => "1.3.5.7", 
-        #       "cps_uris" => ["http://my.host.name/", "http://my.your.name/"],
-        #       "user_notice" => {
-        #        "explicit_text" => "Testing!", "organization" => "RSpec Test organization name", "notice_numbers" => "1,2,3,4"
-        #       }
-        #     }
-        #   }
-        # })
-        # cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        # cert.extensions.map(&:oid).include?("certificatePolicies").should be_true
-      end
-      
-      it "should NOT include a certificatePolicy if not specified" do
-        @certificate.sign!
-        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        cert.extensions.map(&:oid).include?("certificatePolicies").should be_false
-      end  
-    end
-    
-    
-    it "should support BasicContraints" do
-      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-      cert.extensions.map(&:oid).include?("basicConstraints").should be_true
-    end
-    
-    it "should support crlDistributionPoints" do
-      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-      cert.extensions.map(&:oid).include?("crlDistributionPoints").should be_true
-    end
-    
-    it "should support subjectKeyIdentifier" do
-      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-      cert.extensions.map(&:oid).include?("subjectKeyIdentifier").should be_true
-    end
-    
-    it "should support authorityKeyIdentifier" do
-      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-      cert.extensions.map(&:oid).include?("authorityKeyIdentifier").should be_true
-    end
-    
-    it "should support authorityInfoAccess" do
-      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-      cert.extensions.map(&:oid).include?("authorityInfoAccess").should be_true
-    end
-    
-    it "should support keyUsage" do
-      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-      cert.extensions.map(&:oid).include?("keyUsage").should be_true
-    end
-    
-    it "should support extendedKeyUsage" do
-      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-      cert.extensions.map(&:oid).include?("extendedKeyUsage").should be_true
-    end
-  end
-  
-  describe "Signing profile" do
-    before(:each) do
-      @certificate = CertificateAuthority::Certificate.new
-      @certificate.subject.common_name = "chrischandler.name"
-      @certificate.key_material.generate_key
-      @certificate.serial_number.number = 1
-      
-      @signing_profile = {
-        "extensions" => {
-          "basicConstraints" => {"ca" => false},
-          "crlDistributionPoints" => {"uri" => "http://notme.com/other.crl" },
-          "subjectKeyIdentifier" => {},
-          "authorityKeyIdentifier" => {},
-          "authorityInfoAccess" => {"ocsp" => ["http://youFillThisOut/ocsp/"] },
-          "keyUsage" => {"usage" => ["digitalSignature","nonRepudiation"] },
-          "extendedKeyUsage" => {"usage" => [ "serverAuth","clientAuth"]},
-          "subjectAltName" => {"uris" => ["http://subdomains.youFillThisOut/"]},
-          "certificatePolicies" => {
-          "policy_identifier" => "1.3.5.8", "cps_uris" => ["http://my.host.name/", "http://my.your.name/"], "user_notice" => {
-             "explicit_text" => "Explicit Text Here", "organization" => "Organization name", "notice_numbers" => "1,2,3,4"
-          }
-        }
-      }
-    }
-    end
-    
-    it "should be able to sign with an optional policy hash" do
-      @certificate.sign!(@signing_profile)
-    end
-    
-  end
-  
-  
-  it "should have a distinguished name" do
-    @certificate.distinguished_name.should_not be_nil
-  end
-  
-  it "should have a serial number" do
-    @certificate.serial_number.should_not be_nil
-  end
-  
-  it "should have a subject" do
-    @certificate.subject.should_not be_nil
-  end
-  
-  it "should be able to have a parent entity" do
-    @certificate.respond_to?(:parent).should be_true
-  end
-  
-  it "should have key material" do
-    @certificate.key_material.should_not be_nil
-  end
-  
-  it "should have a not_before field" do
-    @certificate.not_before.should_not be_nil
-  end
-  
-  it "should have a not_after field" do
-    @certificate.not_after.should_not be_nil
-  end
-  
-  it "should default to one year validity" do
-    @certificate.not_after.should < Time.now + 65 * 60 * 24 * 365 and
-    @certificate.not_after.should > Time.now + 55 * 60 * 24 * 365
-  end
-  
-  it "should be able to have a revoked at time" do
-    @certificate.revoked?.should be_false
-    @certificate.revoked_at = Time.now
-    @certificate.revoked?.should be_true
-  end
-  
-end

data/spec/units/distinguished_name_spec.rb

@@ -1,38 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority::DistinguishedName do
-  before(:each) do
-    @distinguished_name = CertificateAuthority::DistinguishedName.new
-  end
-  
-  it "should provide the standard x.509 distinguished name common attributes" do
-    @distinguished_name.respond_to?(:cn).should be_true
-    @distinguished_name.respond_to?(:l).should be_true
-    @distinguished_name.respond_to?(:s).should be_true
-    @distinguished_name.respond_to?(:o).should be_true
-    @distinguished_name.respond_to?(:ou).should be_true
-    @distinguished_name.respond_to?(:c).should be_true
-  end
-  
-  it "should provide human-readable equivalents to the distinguished name common attributes" do
-    @distinguished_name.respond_to?(:common_name).should be_true
-    @distinguished_name.respond_to?(:locality).should be_true
-    @distinguished_name.respond_to?(:state).should be_true
-    @distinguished_name.respond_to?(:organization).should be_true
-    @distinguished_name.respond_to?(:organizational_unit).should be_true
-    @distinguished_name.respond_to?(:country).should be_true
-  end
-  
-  it "should require a common name" do
-    @distinguished_name.valid?.should be_false
-    @distinguished_name.errors.size.should == 1
-    @distinguished_name.common_name = "chrischandler.name"
-    @distinguished_name.valid?.should be_true
-  end
-  
-  it "should be convertible to an OpenSSL::X509::Name" do
-    @distinguished_name.common_name = "chrischandler.name"
-    @distinguished_name.to_x509_name
-  end
-  
-end

data/spec/units/extensions_spec.rb

@@ -1,53 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority::Extensions do
-  describe CertificateAuthority::Extensions::BasicContraints do
-    it "should only allow true/false" do
-      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
-      basic_constraints.valid?.should be_true
-      basic_constraints.ca = "moo"
-      basic_constraints.valid?.should be_false
-    end
-    
-    it "should respond to :path_len" do
-      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
-      basic_constraints.respond_to?(:path_len).should be_true
-    end
-    
-    it "should raise an error if :path_len isn't a non-negative integer" do
-      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
-      lambda {basic_constraints.path_len = "moo"}.should raise_error
-      lambda {basic_constraints.path_len = -1}.should raise_error
-      lambda {basic_constraints.path_len = 1.5}.should raise_error
-    end
-    
-    it "should generate a proper OpenSSL extension string" do
-      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
-      basic_constraints.ca = true
-      basic_constraints.path_len = 2
-      basic_constraints.to_s.should == "CA:true,pathlen:2"
-    end
-  end
-  
-  describe CertificateAuthority::Extensions::SubjectAlternativeName do
-    it "should respond to :uris" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      subjectAltName.respond_to?(:uris).should be_true
-    end
-    
-    it "should require 'uris' to be an Array" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      lambda {subjectAltName.uris = "not an array"}.should raise_error
-    end
-    
-    it "should generate a proper OpenSSL extension string" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      subjectAltName.uris = ["http://localhost.altname.example.com"]
-      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com"
-      
-      subjectAltName.uris = ["http://localhost.altname.example.com", "http://other.example.com"]
-      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com,URI:http://other.example.com"
-    end
-    
-  end
-end

data/spec/units/key_material_spec.rb

@@ -1,96 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority::MemoryKeyMaterial do
-  before(:each) do
-    @key_material = CertificateAuthority::MemoryKeyMaterial.new
-  end
-  
-  it "should know if a key is in memory or hardware" do
-    @key_material.is_in_hardware?.should_not be_nil
-    @key_material.is_in_memory?.should_not be_nil
-  end
-  
-  it "should use memory by default" do
-    @key_material.is_in_memory?.should be_true
-  end
-  
-  it "should be able to generate an RSA key" do
-    @key_material.generate_key.should_not be_nil
-  end
-  
-  it "should generate a proper OpenSSL::PKey::RSA" do
-    @key_material.generate_key.class.should == OpenSSL::PKey::RSA
-  end
-  
-  it "should be able to specify the size of the modulus to generate" do
-    @key_material.generate_key(768).should_not be_nil
-  end
-  
-  describe "in memory" do
-    before(:all) do
-      @key_material_in_memory = CertificateAuthority::MemoryKeyMaterial.new
-      @key_material_in_memory.generate_key
-    end
-    
-    it "should be able to retrieve the private key" do
-      @key_material_in_memory.private_key.should_not be_nil
-    end
-    
-    it "should be able to retrieve the public key" do
-      @key_material_in_memory.public_key.should_not be_nil
-    end
-  end
-  
-  ## Anything that requires crypto hardware needs to be tagged as 'pkcs11'
-  describe "in hardware", :pkcs11 => true do
-    before(:each) do
-      @key_material_in_hardware = CertificateAuthority::Pkcs11KeyMaterial.new
-      @key_material_in_hardware.token_id = "46"
-      @key_material_in_hardware.pkcs11_lib = "/usr/lib/libeTPkcs11.so"
-      @key_material_in_hardware.openssl_pkcs11_engine_lib = "/usr/lib/engines/engine_pkcs11.so"
-      @key_material_in_hardware.pin = "11111111"
-    end
-    
-    it "should identify as being in hardware", :pkcs11 => true do
-      @key_material_in_hardware.is_in_hardware?.should be_true
-    end
-    
-    it "should return a Pkey ref if the private key is requested", :pkcs11 => true do
-      @key_material_in_hardware.private_key.class.should == OpenSSL::PKey::RSA
-    end
-    
-    it "should return a Pkey ref if the private key is requested", :pkcs11 => true do
-      @key_material_in_hardware.public_key.class.should == OpenSSL::PKey::RSA
-    end
-    
-    it "should accept an ID for on-token objects", :pkcs11 => true do
-      @key_material_in_hardware.respond_to?(:token_id).should be_true
-    end
-    
-    it "should accept a path to a shared library for a PKCS11 driver", :pkcs11 => true do
-      @key_material_in_hardware.respond_to?(:pkcs11_lib).should be_true
-    end
-    
-    it "should accept a path to OpenSSL's dynamic PKCS11 engine (provided by libengine-pkcs11-openssl)", :pkcs11 => true do
-      @key_material_in_hardware.respond_to?(:openssl_pkcs11_engine_lib).should be_true
-    end
-    
-    it "should accept an optional PIN to authenticate to the token", :pkcs11 => true do
-      @key_material_in_hardware.respond_to?(:pin).should be_true
-    end
-    
-  end
-  
-  it "not validate without public and private keys" do
-    @key_material.valid?.should be_false
-    @key_material.generate_key
-    @key_material.valid?.should be_true
-    pub = @key_material.public_key
-    @key_material.public_key = nil
-    @key_material.valid?.should be_false
-    @key_material.public_key = pub
-    @key_material.private_key = nil
-    @key_material.valid?.should be_false
-  end
-  
-end