RubyGems - certificate_authority - Versions diffs - 0.1.3 → 0.1.4 - Mend

certificate_authority 0.1.3 → 0.1.4

Files changed (22) hide show

data/README.rdoc +92 -86
data/VERSION.yml +2 -2
data/certificate_authority.gemspec +9 -7
data/lib/certificate_authority.rb +1 -1
data/lib/certificate_authority/certificate.rb +60 -38
data/lib/certificate_authority/certificate_revocation_list.rb +12 -12
data/lib/certificate_authority/distinguished_name.rb +33 -14
data/lib/certificate_authority/extensions.rb +77 -63
data/lib/certificate_authority/key_material.rb +48 -15
data/lib/certificate_authority/ocsp_handler.rb +24 -24
data/lib/certificate_authority/pkcs11_key_material.rb +13 -13
data/lib/certificate_authority/serial_number.rb +3 -3
data/lib/certificate_authority/signing_entity.rb +5 -7
data/spec/units/certificate_revocation_list_spec.rb +16 -16
data/spec/units/certificate_spec.rb +149 -84
data/spec/units/distinguished_name_spec.rb +26 -5
data/spec/units/extensions_spec.rb +72 -10
data/spec/units/key_material_spec.rb +69 -65
data/spec/units/ocsp_handler_spec.rb +20 -20
data/spec/units/pkcs11_key_material_spec.rb +41 -0
data/spec/units/serial_number_spec.rb +4 -4
metadata +50 -53

data/lib/certificate_authority/key_material.rb CHANGED Viewed

@@ -3,60 +3,93 @@ module CertificateAuthority
     def public_key
       raise "Required implementation"
     end
     def private_key
       raise "Required implementation"
     end
     def is_in_hardware?
       raise "Required implementation"
     end
     def is_in_memory?
       raise "Required implementation"
     end
   end
   class MemoryKeyMaterial
     include KeyMaterial
     include ActiveModel::Validations
     attr_accessor :keypair
     attr_accessor :private_key
     attr_accessor :public_key
     def initialize
     end
     validates_each :private_key do |record, attr, value|
         record.errors.add :private_key, "cannot be blank" if record.private_key.nil?
     end
     validates_each :public_key do |record, attr, value|
       record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
     end
     def is_in_hardware?
       false
     end
     def is_in_memory?
       true
     end
-    def generate_key(modulus_bits=1024)
+    def generate_key(modulus_bits=2048)
       self.keypair = OpenSSL::PKey::RSA.new(modulus_bits)
       self.private_key = keypair
       self.public_key = keypair.public_key
       self.keypair
     end
     def private_key
       @private_key
     end
     def public_key
       @public_key
     end
   end
-end
+  class SigningRequestKeyMaterial
+    include KeyMaterial
+    include ActiveModel::Validations
+    validates_each :public_key do |record, attr, value|
+      record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
+    end
+    attr_accessor :public_key
+    def initialize(request=nil)
+      if request.is_a? OpenSSL::X509::Request
+        raise "Invalid certificate signing request" unless request.verify request.public_key
+        self.public_key = request.public_key
+      end
+    end
+    def is_in_hardware?
+      false
+    end
+    def is_in_memory?
+      true
+    end
+    def private_key
+      nil
+    end
+    def public_key
+      @public_key
+    end
+  end
+end

data/lib/certificate_authority/ocsp_handler.rb CHANGED Viewed

@@ -1,77 +1,77 @@
 module CertificateAuthority
   class OCSPHandler
     include ActiveModel::Validations
     attr_accessor :ocsp_request
     attr_accessor :certificate_ids
     attr_accessor :certificates
     attr_accessor :parent
     attr_accessor :ocsp_response_body
     validate do |crl|
       errors.add :parent, "A parent entity must be set" if parent.nil?
     end
     validate :all_certificates_available
     def initialize
       self.certificates = {}
     end
     def <<(cert)
       self.certificates[cert.serial_number.number.to_s] = cert
     end
     def extract_certificate_serials
       raise "No valid OCSP request was supplied" if self.ocsp_request.nil?
       openssl_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
       self.certificate_ids = openssl_request.certid.collect do |cert_id|
         cert_id.serial
       end
       self.certificate_ids
     end
     def response
       raise "Invalid response" unless valid?
       openssl_ocsp_response = OpenSSL::OCSP::BasicResponse.new
       openssl_ocsp_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
       openssl_ocsp_response.copy_nonce(openssl_ocsp_request)
       openssl_ocsp_request.certid.each do |cert_id|
         certificate = self.certificates[cert_id.serial.to_s]
-        openssl_ocsp_response.add_status(cert_id,
-        OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0,
+        openssl_ocsp_response.add_status(cert_id,
+        OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0,
           0, 0, 30, nil)
       end
       openssl_ocsp_response.sign(OpenSSL::X509::Certificate.new(self.parent.to_pem), self.parent.key_material.private_key, nil, nil)
       final_response = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, openssl_ocsp_response)
       self.ocsp_response_body = final_response
       self.ocsp_response_body
     end
     def to_der
       raise "No signed OCSP response body available" if self.ocsp_response_body.nil?
       self.ocsp_response_body.to_der
     end
     private
     def all_certificates_available
       openssl_ocsp_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
       openssl_ocsp_request.certid.each do |cert_id|
         certificate = self.certificates[cert_id.serial.to_s]
         errors.add(:base, "Certificate #{cert_id.serial} has not been added yet") if certificate.nil?
       end
     end
   end
-end
+end

data/lib/certificate_authority/pkcs11_key_material.rb CHANGED Viewed

@@ -3,43 +3,43 @@ module CertificateAuthority
     include KeyMaterial
     include ActiveModel::Validations
     include ActiveModel::Serialization
     attr_accessor :engine
     attr_accessor :token_id
     attr_accessor :pkcs11_lib
     attr_accessor :openssl_pkcs11_engine_lib
     attr_accessor :pin
     def initialize(attributes = {})
       @attributes = attributes
       initialize_engine
     end
     def is_in_hardware?
       true
     end
     def is_in_memory?
       false
     end
     def generate_key(modulus_bits=1024)
       puts "Key generation is not currently supported in hardware"
       nil
     end
     def private_key
       initialize_engine
       self.engine.load_private_key(self.token_id)
     end
     def public_key
       initialize_engine
       self.engine.load_public_key(self.token_id)
     end
     private
     def initialize_engine
       ## We're going to return early and try again later if params weren't passed in
       ## at initialization.  Any attempt at getting a public/private key will try
@@ -47,7 +47,7 @@ module CertificateAuthority
       return false if self.openssl_pkcs11_engine_lib.nil? or self.pkcs11_lib.nil?
       return self.engine unless self.engine.nil?
       OpenSSL::Engine.load
       pkcs11 = OpenSSL::Engine.by_id("dynamic") do |e|
         e.ctrl_cmd("SO_PATH",self.openssl_pkcs11_engine_lib)
         e.ctrl_cmd("ID","pkcs11")
@@ -56,10 +56,10 @@ module CertificateAuthority
         e.ctrl_cmd("PIN",self.pin) unless self.pin.nil? or self.pin == ""
         e.ctrl_cmd("MODULE_PATH",self.pkcs11_lib)
       end
       self.engine = pkcs11
       pkcs11
     end
   end
-end
+end

data/lib/certificate_authority/serial_number.rb CHANGED Viewed

@@ -1,9 +1,9 @@
 module CertificateAuthority
   class SerialNumber
     include ActiveModel::Validations
     attr_accessor :number
     validates :number, :presence => true, :numericality => {:greater_than => 0}
   end
-end
+end

data/lib/certificate_authority/signing_entity.rb CHANGED Viewed

@@ -1,18 +1,16 @@
 module CertificateAuthority
   module SigningEntity
     def self.included(mod)
       mod.class_eval do
-        attr_accessor :signing_entity
+        attr_accessor :signing_entity
       end
     end
     def signing_entity=(val)
       raise "invalid param" unless [true,false].include?(val)
       @signing_entity = val
     end
   end
-end
+end

data/spec/units/certificate_revocation_list_spec.rb CHANGED Viewed

@@ -3,44 +3,44 @@ require File.dirname(__FILE__) + '/units_helper'
 describe CertificateAuthority::CertificateRevocationList do
   before(:each) do
     @crl = CertificateAuthority::CertificateRevocationList.new
     @root_certificate = CertificateAuthority::Certificate.new
     @root_certificate.signing_entity = true
     @root_certificate.subject.common_name = "CRL Root"
-    @root_certificate.key_material.generate_key
+    @root_certificate.key_material.generate_key(1024)
     @root_certificate.serial_number.number = 1
     @root_certificate.sign!
     @certificate = CertificateAuthority::Certificate.new
-    @certificate.key_material.generate_key
+    @certificate.key_material.generate_key(1024)
     @certificate.subject.common_name = "http://bogusSite.com"
     @certificate.parent = @root_certificate
     @certificate.serial_number.number = 2
     @certificate.sign!
     @crl.parent = @root_certificate
     @certificate.revoked_at = Time.now
   end
   it "should accept a list of certificates" do
     @crl << @certificate
   end
   it "should complain if you add a certificate without a revocation time" do
     @certificate.revoked_at = nil
     lambda{ @crl << @certificate}.should raise_error
   end
   it "should have a 'parent' that will be responsible for signing" do
     @crl.parent = @root_certificate
     @crl.parent.should_not be_nil
   end
   it "should raise an error if you try and sign a CRL without attaching a parent" do
     @crl.parent = nil
     lambda { @crl.sign! }.should raise_error
   end
   it "should be able to generate a proper CRL" do
     @crl << @certificate
     lambda {@crl.to_pem}.should raise_error
@@ -49,20 +49,20 @@ describe CertificateAuthority::CertificateRevocationList do
     @crl.to_pem.should_not be_nil
     OpenSSL::X509::CRL.new(@crl.to_pem).should_not be_nil
   end
   describe "Next update" do
     it "should be able to set a 'next_update' value" do
       @crl.next_update = (60 * 60 * 10) # 10 Hours
       @crl.next_update.should_not be_nil
     end
     it "should throw an error if we try and sign up with a negative next_update" do
       @crl.sign!
       @crl.next_update = - (60 * 60 * 10)
       lambda{@crl.sign!}.should raise_error
     end
   end
-end
+end

data/spec/units/certificate_spec.rb CHANGED Viewed

@@ -4,165 +4,163 @@ describe CertificateAuthority::Certificate do
   before(:each) do
     @certificate = CertificateAuthority::Certificate.new
   end
   describe CertificateAuthority::SigningEntity do
     it "should behave as a signing entity" do
       @certificate.respond_to?(:is_signing_entity?).should be_true
     end
     it "should only be a signing entity if it's identified as a CA", :rfc3280 => true do
       @certificate.is_signing_entity?.should be_false
       @certificate.signing_entity = true
       @certificate.is_signing_entity?.should be_true
     end
     describe "Root certificates" do
       before(:each) do
         @certificate.signing_entity = true
       end
       it "should be able to be identified as a root certificate" do
         @certificate.is_root_entity?.should be_true
       end
       it "should only be a root certificate if the parent entity is itself", :rfc3280 => true do
         @certificate.parent.should == @certificate
       end
       it "should be a root certificate by default" do
         @certificate.is_root_entity?.should be_true
       end
       it "should be able to self-sign" do
         @certificate.serial_number.number = 1
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.subject.to_s.should == cert.issuer.to_s
       end
       it "should have the basicContraint CA:TRUE" do
         @certificate.serial_number.number = 1
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:TRUE"
       end
     end
     describe "Intermediate certificates" do
       before(:each) do
         @different_cert = CertificateAuthority::Certificate.new
         @different_cert.signing_entity = true
         @different_cert.subject.common_name = "chrischandler.name root"
-        @different_cert.key_material.generate_key
+        @different_cert.key_material.generate_key(1024)
         @different_cert.serial_number.number = 2
         @different_cert.sign! #self-signed
         @certificate.parent = @different_cert
         @certificate.signing_entity = true
       end
       it "should be able to be identified as an intermediate certificate" do
         @certificate.is_intermediate_entity?.should be_true
       end
       it "should not be identified as a root" do
         @certificate.is_root_entity?.should be_false
       end
       it "should only be an intermediate certificate if the parent is a different entity" do
         @certificate.parent.should_not == @certificate
         @certificate.parent.should_not be_nil
       end
       it "should correctly be signed by a parent certificate" do
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.signing_entity = true
         @certificate.serial_number.number = 1
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.subject.to_s.should_not == cert.issuer.to_s
       end
       it "should have the basicContraint CA:TRUE" do
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.signing_entity = true
         @certificate.serial_number.number = 3
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        # cert.extensions.first.value.should == "CA:TRUE"
         cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:TRUE"
       end
     end
     describe "Terminal certificates" do
       before(:each) do
         @different_cert = CertificateAuthority::Certificate.new
         @different_cert.signing_entity = true
         @different_cert.subject.common_name = "chrischandler.name root"
-        @different_cert.key_material.generate_key
+        @different_cert.key_material.generate_key(1024)
         @different_cert.serial_number.number = 1
         @different_cert.sign! #self-signed
         @certificate.parent = @different_cert
       end
       it "should not be identified as an intermediate certificate" do
         @certificate.is_intermediate_entity?.should be_false
       end
       it "should not be identified as a root" do
         @certificate.is_root_entity?.should be_false
       end
       it "should have the basicContraint CA:FALSE" do
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.signing_entity = false
         @certificate.serial_number.number = 1
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        # cert.extensions.first.value.should == "CA:FALSE"
         cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:FALSE"
       end
     end
     it "should be able to be identified as a root certificate" do
       @certificate.respond_to?(:is_root_entity?).should be_true
     end
   end #End of SigningEntity
   describe "Signed certificates" do
     before(:each) do
       @certificate = CertificateAuthority::Certificate.new
       @certificate.subject.common_name = "chrischandler.name"
-      @certificate.key_material.generate_key
+      @certificate.key_material.generate_key(1024)
       @certificate.serial_number.number = 1
       @certificate.sign!
     end
     it "should have a PEM encoded certificate body available" do
       @certificate.to_pem.should_not be_nil
       OpenSSL::X509::Certificate.new(@certificate.to_pem).should_not be_nil
     end
   end
   describe "X.509 V3 Extensions on Signed Certificates" do
     before(:each) do
       @certificate = CertificateAuthority::Certificate.new
       @certificate.subject.common_name = "chrischandler.name"
-      @certificate.key_material.generate_key
+      @certificate.key_material.generate_key(1024)
       @certificate.serial_number.number = 1
       @signing_profile = {
         "extensions" => {
           "subjectAltName" => {"uris" => ["www.chrischandler.name"]},
-          "certificatePolicies" => {
-            "policy_identifier" => "1.3.5.7",
+          "certificatePolicies" => {
+            "policy_identifier" => "1.3.5.7",
             "cps_uris" => ["http://my.host.name/", "http://my.your.name/"],
             "user_notice" => {
              "explicit_text" => "Testing!", "organization" => "RSpec Test organization name", "notice_numbers" => "1,2,3,4"
@@ -172,58 +170,78 @@ describe CertificateAuthority::Certificate do
       }
       @certificate.sign!(@signing_profile)
     end
     describe "SubjectAltName" do
       before(:each) do
         @certificate = CertificateAuthority::Certificate.new
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.serial_number.number = 1
       end
-      it  "should have a subjectAltName if specified" do
+      it "should have a subjectAltName if specified" do
         @certificate.sign!({"extensions" => {"subjectAltName" => {"uris" => ["www.chrischandler.name"]}}})
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map(&:oid).include?("subjectAltName").should be_true
       end
       it "should NOT have a subjectAltName if one was not specified" do
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map(&:oid).include?("subjectAltName").should be_false
       end
     end
     describe "AuthorityInfoAccess" do
       before(:each) do
         @certificate = CertificateAuthority::Certificate.new
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.serial_number.number = 1
       end
       it "should have an authority info access if specified" do
         @certificate.sign!({"extensions" => {"authorityInfoAccess" => {"ocsp" => ["www.chrischandler.name"]}}})
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map(&:oid).include?("authorityInfoAccess").should be_true
       end
     end
+    describe "CrlDistributionPoints" do
+      before(:each) do
+        @certificate = CertificateAuthority::Certificate.new
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key(1024)
+        @certificate.serial_number.number = 1
+      end
+      it "should have a crlDistributionPoint if specified" do
+        @certificate.sign!({"extensions" => {"crlDistributionPoints" => {"uri" => ["http://crlThingy.com"]}}})
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("crlDistributionPoints").should be_true
+      end
+      it "should NOT have a crlDistributionPoint if one was not specified" do
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("crlDistributionPoints").should be_false
+      end
+    end
     describe "CertificatePolicies" do
       before(:each) do
         @certificate = CertificateAuthority::Certificate.new
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.serial_number.number = 1
       end
       it "should have a certificatePolicy if specified" do
         @certificate.sign!({
           "extensions" => {
-            "certificatePolicies" => {
-              "policy_identifier" => "1.3.5.7",
+            "certificatePolicies" => {
+              "policy_identifier" => "1.3.5.7",
               "cps_uris" => ["http://my.host.name/", "http://my.your.name/"]
             }
           }
@@ -231,13 +249,13 @@ describe CertificateAuthority::Certificate do
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map(&:oid).include?("certificatePolicies").should be_true
       end
       it "should contain a nested userNotice if specified" do
         pending
         # @certificate.sign!({
         #   "extensions" => {
-        #     "certificatePolicies" => {
-        #       "policy_identifier" => "1.3.5.7",
+        #     "certificatePolicies" => {
+        #       "policy_identifier" => "1.3.5.7",
         #       "cps_uris" => ["http://my.host.name/", "http://my.your.name/"],
         #       "user_notice" => {
         #        "explicit_text" => "Testing!", "organization" => "RSpec Test organization name", "notice_numbers" => "1,2,3,4"
@@ -248,53 +266,55 @@ describe CertificateAuthority::Certificate do
         # cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         # cert.extensions.map(&:oid).include?("certificatePolicies").should be_true
       end
       it "should NOT include a certificatePolicy if not specified" do
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map(&:oid).include?("certificatePolicies").should be_false
-      end
+      end
     end
     it "should support BasicContraints" do
       cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
       cert.extensions.map(&:oid).include?("basicConstraints").should be_true
     end
-    it "should support crlDistributionPoints" do
-      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-      cert.extensions.map(&:oid).include?("crlDistributionPoints").should be_true
-    end
     it "should support subjectKeyIdentifier" do
       cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
       cert.extensions.map(&:oid).include?("subjectKeyIdentifier").should be_true
     end
     it "should support authorityKeyIdentifier" do
       cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
       cert.extensions.map(&:oid).include?("authorityKeyIdentifier").should be_true
     end
+    it "should order subjectKeyIdentifier before authorityKeyIdentifier" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).select do |oid|
+        ["subjectKeyIdentifier", "authorityKeyIdentifier"].include?(oid)
+      end.should == ["subjectKeyIdentifier", "authorityKeyIdentifier"]
+    end
     it "should support keyUsage" do
       cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
       cert.extensions.map(&:oid).include?("keyUsage").should be_true
     end
     it "should support extendedKeyUsage" do
       cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
       cert.extensions.map(&:oid).include?("extendedKeyUsage").should be_true
     end
   end
   describe "Signing profile" do
     before(:each) do
       @certificate = CertificateAuthority::Certificate.new
       @certificate.subject.common_name = "chrischandler.name"
-      @certificate.key_material.generate_key
+      @certificate.key_material.generate_key(1024)
       @certificate.serial_number.number = 1
       @signing_profile = {
         "extensions" => {
           "basicConstraints" => {"ca" => false},
@@ -313,51 +333,96 @@ describe CertificateAuthority::Certificate do
       }
     }
     end
     it "should be able to sign with an optional policy hash" do
       @certificate.sign!(@signing_profile)
     end
+    it "should support a default signing digest of SHA512" do
+      @certificate.sign!(@signing_profile)
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.signature_algorithm.should == "sha512WithRSAEncryption"
+    end
+    it "should support a configurable digest algorithm" do
+      @signing_profile.merge!({"digest" => "SHA1"})
+      @certificate.sign!(@signing_profile)
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.signature_algorithm.should == "sha1WithRSAEncryption"
+    end
+  end
+  describe "from_openssl" do
+    before(:each) do
+      @pem_cert=<<CERT
+-----BEGIN CERTIFICATE-----
+MIICFDCCAc6gAwIBAgIJAPDLgMilKuayMA0GCSqGSIb3DQEBBQUAMEgxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMQowCAYDVQQKEwEgMRgwFgYDVQQD
+Ew9WZXJ5IFNtYWxsIENlcnQwHhcNMTIwNTAzMDMyODI1WhcNMTMwNTAzMDMyODI1
+WjBIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEKMAgGA1UEChMB
+IDEYMBYGA1UEAxMPVmVyeSBTbWFsbCBDZXJ0MEwwDQYJKoZIhvcNAQEBBQADOwAw
+OAIxAN6+33+WQ3FBMt+vMhshxOj+8W7V64pDKCJ3pVlnSn36imBWqrN0AGWX8qjv
+S+GzGwIDAQABo4GqMIGnMB0GA1UdDgQWBBRMUQ/HpPrAkKOufS5h+xPtEuzyWDB4
+BgNVHSMEcTBvgBRMUQ/HpPrAkKOufS5h+xPtEuzyWKFMpEowSDELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTClNvbWUtU3RhdGUxCjAIBgNVBAoTASAxGDAWBgNVBAMTD1Zl
+cnkgU21hbGwgQ2VydIIJAPDLgMilKuayMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADMQAq0CsqEChn4uf6MkXYBwaAAmS3JLmagyliJe5zM3y8dZz6Em2Ugb8o
+1cCaKaHJHSg=
+-----END CERTIFICATE-----
+CERT
+      @openssl_cert = OpenSSL::X509::Certificate.new @pem_cert
+      @small_cert = CertificateAuthority::Certificate.from_openssl @openssl_cert
+    end
+    it "should reject non-Certificate arguments" do
+      lambda { CertificateAuthority::Certificate.from_openssl "a string" }.should raise_error
+    end
+    it "should only be missing a private key" do
+      @small_cert.should_not be_valid
+      @small_cert.key_material.private_key = "data"
+      @small_cert.should be_valid
+    end
   end
   it "should have a distinguished name" do
     @certificate.distinguished_name.should_not be_nil
   end
   it "should have a serial number" do
     @certificate.serial_number.should_not be_nil
   end
   it "should have a subject" do
     @certificate.subject.should_not be_nil
   end
   it "should be able to have a parent entity" do
     @certificate.respond_to?(:parent).should be_true
   end
   it "should have key material" do
     @certificate.key_material.should_not be_nil
   end
   it "should have a not_before field" do
     @certificate.not_before.should_not be_nil
   end
   it "should have a not_after field" do
     @certificate.not_after.should_not be_nil
   end
   it "should default to one year validity" do
     @certificate.not_after.should < Time.now + 65 * 60 * 24 * 365 and
     @certificate.not_after.should > Time.now + 55 * 60 * 24 * 365
   end
   it "should be able to have a revoked at time" do
     @certificate.revoked?.should be_false
     @certificate.revoked_at = Time.now
     @certificate.revoked?.should be_true
   end
-end
+end