RubyGems - certificate_authority - Versions diffs - 0.1.3 → 0.1.4 - Mend

certificate_authority 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

data/README.rdoc +92 -86
data/VERSION.yml +2 -2
data/certificate_authority.gemspec +9 -7
data/lib/certificate_authority.rb +1 -1
data/lib/certificate_authority/certificate.rb +60 -38
data/lib/certificate_authority/certificate_revocation_list.rb +12 -12
data/lib/certificate_authority/distinguished_name.rb +33 -14
data/lib/certificate_authority/extensions.rb +77 -63
data/lib/certificate_authority/key_material.rb +48 -15
data/lib/certificate_authority/ocsp_handler.rb +24 -24
data/lib/certificate_authority/pkcs11_key_material.rb +13 -13
data/lib/certificate_authority/serial_number.rb +3 -3
data/lib/certificate_authority/signing_entity.rb +5 -7
data/spec/units/certificate_revocation_list_spec.rb +16 -16
data/spec/units/certificate_spec.rb +149 -84
data/spec/units/distinguished_name_spec.rb +26 -5
data/spec/units/extensions_spec.rb +72 -10
data/spec/units/key_material_spec.rb +69 -65
data/spec/units/ocsp_handler_spec.rb +20 -20
data/spec/units/pkcs11_key_material_spec.rb +41 -0
data/spec/units/serial_number_spec.rb +4 -4
metadata +50 -53

data/lib/certificate_authority/key_material.rb CHANGED Viewed

@@ -3,60 +3,93 @@ module CertificateAuthority
     def public_key
       raise "Required implementation"
     end
     def private_key
       raise "Required implementation"
     end
     def is_in_hardware?
       raise "Required implementation"
     end
     def is_in_memory?
       raise "Required implementation"
     end
   end
   class MemoryKeyMaterial
     include KeyMaterial
     include ActiveModel::Validations
     attr_accessor :keypair
     attr_accessor :private_key
     attr_accessor :public_key
     def initialize
     end
     validates_each :private_key do |record, attr, value|
         record.errors.add :private_key, "cannot be blank" if record.private_key.nil?
     end
     validates_each :public_key do |record, attr, value|
       record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
     end
     def is_in_hardware?
       false
     end
     def is_in_memory?
       true
     end
-    def generate_key(modulus_bits=1024)
+    def generate_key(modulus_bits=2048)
       self.keypair = OpenSSL::PKey::RSA.new(modulus_bits)
       self.private_key = keypair
       self.public_key = keypair.public_key
       self.keypair
     end
     def private_key
       @private_key
     end
     def public_key
       @public_key
     end
   end
-end
+  class SigningRequestKeyMaterial
+    include KeyMaterial
+    include ActiveModel::Validations
+    validates_each :public_key do |record, attr, value|
+      record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
+    end
+    attr_accessor :public_key
+    def initialize(request=nil)
+      if request.is_a? OpenSSL::X509::Request
+        raise "Invalid certificate signing request" unless request.verify request.public_key
+        self.public_key = request.public_key
+      end
+    end
+    def is_in_hardware?
+      false
+    end
+    def is_in_memory?
+      true
+    end
+    def private_key
+      nil
+    end
+    def public_key
+      @public_key
+    end
+  end
+end

data/lib/certificate_authority/ocsp_handler.rb CHANGED Viewed

@@ -1,77 +1,77 @@
 module CertificateAuthority
   class OCSPHandler
     include ActiveModel::Validations
     attr_accessor :ocsp_request
     attr_accessor :certificate_ids
     attr_accessor :certificates
     attr_accessor :parent
     attr_accessor :ocsp_response_body
     validate do |crl|
       errors.add :parent, "A parent entity must be set" if parent.nil?
     end
     validate :all_certificates_available
     def initialize
       self.certificates = {}
     end
     def <<(cert)
       self.certificates[cert.serial_number.number.to_s] = cert
     end
     def extract_certificate_serials
       raise "No valid OCSP request was supplied" if self.ocsp_request.nil?
       openssl_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
       self.certificate_ids = openssl_request.certid.collect do |cert_id|
         cert_id.serial
       end
       self.certificate_ids
     end
     def response
       raise "Invalid response" unless valid?
       openssl_ocsp_response = OpenSSL::OCSP::BasicResponse.new
       openssl_ocsp_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
       openssl_ocsp_response.copy_nonce(openssl_ocsp_request)
       openssl_ocsp_request.certid.each do |cert_id|
         certificate = self.certificates[cert_id.serial.to_s]
-        openssl_ocsp_response.add_status(cert_id,
-        OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0,
+        openssl_ocsp_response.add_status(cert_id,
+        OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0,
           0, 0, 30, nil)
       end
       openssl_ocsp_response.sign(OpenSSL::X509::Certificate.new(self.parent.to_pem), self.parent.key_material.private_key, nil, nil)
       final_response = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, openssl_ocsp_response)
       self.ocsp_response_body = final_response
       self.ocsp_response_body
     end
     def to_der
       raise "No signed OCSP response body available" if self.ocsp_response_body.nil?
       self.ocsp_response_body.to_der
     end
     private
     def all_certificates_available
       openssl_ocsp_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
       openssl_ocsp_request.certid.each do |cert_id|
         certificate = self.certificates[cert_id.serial.to_s]
         errors.add(:base, "Certificate #{cert_id.serial} has not been added yet") if certificate.nil?
       end
     end
   end
-end
+end

data/lib/certificate_authority/pkcs11_key_material.rb CHANGED Viewed

@@ -3,43 +3,43 @@ module CertificateAuthority
     include KeyMaterial
     include ActiveModel::Validations
     include ActiveModel::Serialization
     attr_accessor :engine
     attr_accessor :token_id
     attr_accessor :pkcs11_lib
     attr_accessor :openssl_pkcs11_engine_lib
     attr_accessor :pin
     def initialize(attributes = {})
       @attributes = attributes
       initialize_engine
     end
     def is_in_hardware?
       true
     end
     def is_in_memory?
       false
     end
     def generate_key(modulus_bits=1024)
       puts "Key generation is not currently supported in hardware"
       nil
     end
     def private_key
       initialize_engine
       self.engine.load_private_key(self.token_id)
     end
     def public_key
       initialize_engine
       self.engine.load_public_key(self.token_id)
     end
     private
     def initialize_engine
       ## We're going to return early and try again later if params weren't passed in
       ## at initialization.  Any attempt at getting a public/private key will try
@@ -47,7 +47,7 @@ module CertificateAuthority
       return false if self.openssl_pkcs11_engine_lib.nil? or self.pkcs11_lib.nil?
       return self.engine unless self.engine.nil?
       OpenSSL::Engine.load
       pkcs11 = OpenSSL::Engine.by_id("dynamic") do |e|
         e.ctrl_cmd("SO_PATH",self.openssl_pkcs11_engine_lib)
         e.ctrl_cmd("ID","pkcs11")
@@ -56,10 +56,10 @@ module CertificateAuthority
         e.ctrl_cmd("PIN",self.pin) unless self.pin.nil? or self.pin == ""
         e.ctrl_cmd("MODULE_PATH",self.pkcs11_lib)
       end
       self.engine = pkcs11
       pkcs11
     end
   end
-end
+end

data/lib/certificate_authority/serial_number.rb CHANGED Viewed

@@ -1,9 +1,9 @@
 module CertificateAuthority
   class SerialNumber
     include ActiveModel::Validations
     attr_accessor :number
     validates :number, :presence => true, :numericality => {:greater_than => 0}
   end
-end
+end

data/lib/certificate_authority/signing_entity.rb CHANGED Viewed

@@ -1,18 +1,16 @@
 module CertificateAuthority
   module SigningEntity
     def self.included(mod)
       mod.class_eval do
-        attr_accessor :signing_entity
+        attr_accessor :signing_entity
       end
     end
     def signing_entity=(val)
       raise "invalid param" unless [true,false].include?(val)
       @signing_entity = val
     end
   end
-end
+end

data/spec/units/certificate_revocation_list_spec.rb CHANGED Viewed

@@ -3,44 +3,44 @@ require File.dirname(__FILE__) + '/units_helper'
 describe CertificateAuthority::CertificateRevocationList do
   before(:each) do
     @crl = CertificateAuthority::CertificateRevocationList.new
     @root_certificate = CertificateAuthority::Certificate.new
     @root_certificate.signing_entity = true
     @root_certificate.subject.common_name = "CRL Root"
-    @root_certificate.key_material.generate_key
+    @root_certificate.key_material.generate_key(1024)
     @root_certificate.serial_number.number = 1
     @root_certificate.sign!
     @certificate = CertificateAuthority::Certificate.new
-    @certificate.key_material.generate_key
+    @certificate.key_material.generate_key(1024)
     @certificate.subject.common_name = "http://bogusSite.com"
     @certificate.parent = @root_certificate
     @certificate.serial_number.number = 2
     @certificate.sign!
     @crl.parent = @root_certificate
     @certificate.revoked_at = Time.now
   end
   it "should accept a list of certificates" do
     @crl << @certificate
   end
   it "should complain if you add a certificate without a revocation time" do
     @certificate.revoked_at = nil
     lambda{ @crl << @certificate}.should raise_error
   end
   it "should have a 'parent' that will be responsible for signing" do
     @crl.parent = @root_certificate
     @crl.parent.should_not be_nil
   end
   it "should raise an error if you try and sign a CRL without attaching a parent" do
     @crl.parent = nil
     lambda { @crl.sign! }.should raise_error
   end
   it "should be able to generate a proper CRL" do
     @crl << @certificate
     lambda {@crl.to_pem}.should raise_error
@@ -49,20 +49,20 @@ describe CertificateAuthority::CertificateRevocationList do
     @crl.to_pem.should_not be_nil
     OpenSSL::X509::CRL.new(@crl.to_pem).should_not be_nil
   end
   describe "Next update" do
     it "should be able to set a 'next_update' value" do
       @crl.next_update = (60 * 60 * 10) # 10 Hours
       @crl.next_update.should_not be_nil
     end
     it "should throw an error if we try and sign up with a negative next_update" do
       @crl.sign!
       @crl.next_update = - (60 * 60 * 10)
       lambda{@crl.sign!}.should raise_error
     end
   end
-end
+end

data/spec/units/certificate_spec.rb CHANGED Viewed

@@ -4,165 +4,163 @@ describe CertificateAuthority::Certificate do
   before(:each) do
     @certificate = CertificateAuthority::Certificate.new
   end
   describe CertificateAuthority::SigningEntity do
     it "should behave as a signing entity" do
       @certificate.respond_to?(:is_signing_entity?).should be_true
     end
     it "should only be a signing entity if it's identified as a CA", :rfc3280 => true do
       @certificate.is_signing_entity?.should be_false
       @certificate.signing_entity = true
       @certificate.is_signing_entity?.should be_true
     end
     describe "Root certificates" do
       before(:each) do
         @certificate.signing_entity = true
       end
       it "should be able to be identified as a root certificate" do
         @certificate.is_root_entity?.should be_true
       end
       it "should only be a root certificate if the parent entity is itself", :rfc3280 => true do
         @certificate.parent.should == @certificate
       end
       it "should be a root certificate by default" do
         @certificate.is_root_entity?.should be_true
       end
       it "should be able to self-sign" do
         @certificate.serial_number.number = 1
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.subject.to_s.should == cert.issuer.to_s
       end
       it "should have the basicContraint CA:TRUE" do
         @certificate.serial_number.number = 1
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:TRUE"
       end
     end
     describe "Intermediate certificates" do
       before(:each) do
         @different_cert = CertificateAuthority::Certificate.new
         @different_cert.signing_entity = true
         @different_cert.subject.common_name = "chrischandler.name root"
-        @different_cert.key_material.generate_key
+        @different_cert.key_material.generate_key(1024)
         @different_cert.serial_number.number = 2
         @different_cert.sign! #self-signed
         @certificate.parent = @different_cert
         @certificate.signing_entity = true
       end
       it "should be able to be identified as an intermediate certificate" do
         @certificate.is_intermediate_entity?.should be_true
       end
       it "should not be identified as a root" do
         @certificate.is_root_entity?.should be_false
       end
       it "should only be an intermediate certificate if the parent is a different entity" do
         @certificate.parent.should_not == @certificate
         @certificate.parent.should_not be_nil
       end
       it "should correctly be signed by a parent certificate" do
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.signing_entity = true
         @certificate.serial_number.number = 1
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.subject.to_s.should_not == cert.issuer.to_s
       end
       it "should have the basicContraint CA:TRUE" do
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.signing_entity = true
         @certificate.serial_number.number = 3
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        # cert.extensions.first.value.should == "CA:TRUE"
         cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:TRUE"
       end
     end
     describe "Terminal certificates" do
       before(:each) do
         @different_cert = CertificateAuthority::Certificate.new
         @different_cert.signing_entity = true
         @different_cert.subject.common_name = "chrischandler.name root"
-        @different_cert.key_material.generate_key
+        @different_cert.key_material.generate_key(1024)
         @different_cert.serial_number.number = 1
         @different_cert.sign! #self-signed
         @certificate.parent = @different_cert
       end
       it "should not be identified as an intermediate certificate" do
         @certificate.is_intermediate_entity?.should be_false
       end
       it "should not be identified as a root" do
         @certificate.is_root_entity?.should be_false
       end
       it "should have the basicContraint CA:FALSE" do
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.signing_entity = false
         @certificate.serial_number.number = 1
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-        # cert.extensions.first.value.should == "CA:FALSE"
         cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:FALSE"
       end
     end
     it "should be able to be identified as a root certificate" do
       @certificate.respond_to?(:is_root_entity?).should be_true
     end
   end #End of SigningEntity
   describe "Signed certificates" do
     before(:each) do
       @certificate = CertificateAuthority::Certificate.new
       @certificate.subject.common_name = "chrischandler.name"
-      @certificate.key_material.generate_key
+      @certificate.key_material.generate_key(1024)
       @certificate.serial_number.number = 1
       @certificate.sign!
     end
     it "should have a PEM encoded certificate body available" do
       @certificate.to_pem.should_not be_nil
       OpenSSL::X509::Certificate.new(@certificate.to_pem).should_not be_nil
     end
   end
   describe "X.509 V3 Extensions on Signed Certificates" do
     before(:each) do
       @certificate = CertificateAuthority::Certificate.new
       @certificate.subject.common_name = "chrischandler.name"
-      @certificate.key_material.generate_key
+      @certificate.key_material.generate_key(1024)
       @certificate.serial_number.number = 1
       @signing_profile = {
         "extensions" => {
           "subjectAltName" => {"uris" => ["www.chrischandler.name"]},
-          "certificatePolicies" => {
-            "policy_identifier" => "1.3.5.7",
+          "certificatePolicies" => {
+            "policy_identifier" => "1.3.5.7",
             "cps_uris" => ["http://my.host.name/", "http://my.your.name/"],
             "user_notice" => {
              "explicit_text" => "Testing!", "organization" => "RSpec Test organization name", "notice_numbers" => "1,2,3,4"
@@ -172,58 +170,78 @@ describe CertificateAuthority::Certificate do
       }
       @certificate.sign!(@signing_profile)
     end
     describe "SubjectAltName" do
       before(:each) do
         @certificate = CertificateAuthority::Certificate.new
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.serial_number.number = 1
       end
-      it  "should have a subjectAltName if specified" do
+      it "should have a subjectAltName if specified" do
         @certificate.sign!({"extensions" => {"subjectAltName" => {"uris" => ["www.chrischandler.name"]}}})
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map(&:oid).include?("subjectAltName").should be_true
       end
       it "should NOT have a subjectAltName if one was not specified" do
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map(&:oid).include?("subjectAltName").should be_false
       end
     end
     describe "AuthorityInfoAccess" do
       before(:each) do
         @certificate = CertificateAuthority::Certificate.new
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.serial_number.number = 1
       end
       it "should have an authority info access if specified" do
         @certificate.sign!({"extensions" => {"authorityInfoAccess" => {"ocsp" => ["www.chrischandler.name"]}}})
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map(&:oid).include?("authorityInfoAccess").should be_true
       end
     end
+    describe "CrlDistributionPoints" do
+      before(:each) do
+        @certificate = CertificateAuthority::Certificate.new
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key(1024)
+        @certificate.serial_number.number = 1
+      end
+      it "should have a crlDistributionPoint if specified" do
+        @certificate.sign!({"extensions" => {"crlDistributionPoints" => {"uri" => ["http://crlThingy.com"]}}})
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("crlDistributionPoints").should be_true
+      end
+      it "should NOT have a crlDistributionPoint if one was not specified" do
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("crlDistributionPoints").should be_false
+      end
+    end
     describe "CertificatePolicies" do
       before(:each) do
         @certificate = CertificateAuthority::Certificate.new
         @certificate.subject.common_name = "chrischandler.name"
-        @certificate.key_material.generate_key
+        @certificate.key_material.generate_key(1024)
         @certificate.serial_number.number = 1
       end
       it "should have a certificatePolicy if specified" do
         @certificate.sign!({
           "extensions" => {
-            "certificatePolicies" => {
-              "policy_identifier" => "1.3.5.7",
+            "certificatePolicies" => {
+              "policy_identifier" => "1.3.5.7",
               "cps_uris" => ["http://my.host.name/", "http://my.your.name/"]
             }
           }
@@ -231,13 +249,13 @@ describe CertificateAuthority::Certificate do
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map(&:oid).include?("certificatePolicies").should be_true
       end
       it "should contain a nested userNotice if specified" do
         pending
         # @certificate.sign!({
         #   "extensions" => {
-        #     "certificatePolicies" => {
-        #       "policy_identifier" => "1.3.5.7",
+        #     "certificatePolicies" => {
+        #       "policy_identifier" => "1.3.5.7",
         #       "cps_uris" => ["http://my.host.name/", "http://my.your.name/"],
         #       "user_notice" => {
         #        "explicit_text" => "Testing!", "organization" => "RSpec Test organization name", "notice_numbers" => "1,2,3,4"
@@ -248,53 +266,55 @@ describe CertificateAuthority::Certificate do
         # cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         # cert.extensions.map(&:oid).include?("certificatePolicies").should be_true
       end
       it "should NOT include a certificatePolicy if not specified" do
         @certificate.sign!
         cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
         cert.extensions.map(&:oid).include?("certificatePolicies").should be_false
-      end
+      end
     end
     it "should support BasicContraints" do
       cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
       cert.extensions.map(&:oid).include?("basicConstraints").should be_true
     end
-    it "should support crlDistributionPoints" do
-      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-      cert.extensions.map(&:oid).include?("crlDistributionPoints").should be_true
-    end
     it "should support subjectKeyIdentifier" do
       cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
       cert.extensions.map(&:oid).include?("subjectKeyIdentifier").should be_true
     end
     it "should support authorityKeyIdentifier" do
       cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
       cert.extensions.map(&:oid).include?("authorityKeyIdentifier").should be_true
     end
+    it "should order subjectKeyIdentifier before authorityKeyIdentifier" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).select do |oid|
+        ["subjectKeyIdentifier", "authorityKeyIdentifier"].include?(oid)
+      end.should == ["subjectKeyIdentifier", "authorityKeyIdentifier"]
+    end
     it "should support keyUsage" do
       cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
       cert.extensions.map(&:oid).include?("keyUsage").should be_true
     end
     it "should support extendedKeyUsage" do
       cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
       cert.extensions.map(&:oid).include?("extendedKeyUsage").should be_true
     end
   end
   describe "Signing profile" do
     before(:each) do
       @certificate = CertificateAuthority::Certificate.new
       @certificate.subject.common_name = "chrischandler.name"
-      @certificate.key_material.generate_key
+      @certificate.key_material.generate_key(1024)
       @certificate.serial_number.number = 1
       @signing_profile = {
         "extensions" => {
           "basicConstraints" => {"ca" => false},
@@ -313,51 +333,96 @@ describe CertificateAuthority::Certificate do
       }
     }
     end
     it "should be able to sign with an optional policy hash" do
       @certificate.sign!(@signing_profile)
     end
+    it "should support a default signing digest of SHA512" do
+      @certificate.sign!(@signing_profile)
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.signature_algorithm.should == "sha512WithRSAEncryption"
+    end
+    it "should support a configurable digest algorithm" do
+      @signing_profile.merge!({"digest" => "SHA1"})
+      @certificate.sign!(@signing_profile)
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.signature_algorithm.should == "sha1WithRSAEncryption"
+    end
+  end
+  describe "from_openssl" do
+    before(:each) do
+      @pem_cert=<<CERT
+-----BEGIN CERTIFICATE-----
+MIICFDCCAc6gAwIBAgIJAPDLgMilKuayMA0GCSqGSIb3DQEBBQUAMEgxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMQowCAYDVQQKEwEgMRgwFgYDVQQD
+Ew9WZXJ5IFNtYWxsIENlcnQwHhcNMTIwNTAzMDMyODI1WhcNMTMwNTAzMDMyODI1
+WjBIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEKMAgGA1UEChMB
+IDEYMBYGA1UEAxMPVmVyeSBTbWFsbCBDZXJ0MEwwDQYJKoZIhvcNAQEBBQADOwAw
+OAIxAN6+33+WQ3FBMt+vMhshxOj+8W7V64pDKCJ3pVlnSn36imBWqrN0AGWX8qjv
+S+GzGwIDAQABo4GqMIGnMB0GA1UdDgQWBBRMUQ/HpPrAkKOufS5h+xPtEuzyWDB4
+BgNVHSMEcTBvgBRMUQ/HpPrAkKOufS5h+xPtEuzyWKFMpEowSDELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTClNvbWUtU3RhdGUxCjAIBgNVBAoTASAxGDAWBgNVBAMTD1Zl
+cnkgU21hbGwgQ2VydIIJAPDLgMilKuayMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADMQAq0CsqEChn4uf6MkXYBwaAAmS3JLmagyliJe5zM3y8dZz6Em2Ugb8o
+1cCaKaHJHSg=
+-----END CERTIFICATE-----
+CERT
+      @openssl_cert = OpenSSL::X509::Certificate.new @pem_cert
+      @small_cert = CertificateAuthority::Certificate.from_openssl @openssl_cert
+    end
+    it "should reject non-Certificate arguments" do
+      lambda { CertificateAuthority::Certificate.from_openssl "a string" }.should raise_error
+    end
+    it "should only be missing a private key" do
+      @small_cert.should_not be_valid
+      @small_cert.key_material.private_key = "data"
+      @small_cert.should be_valid
+    end
   end
   it "should have a distinguished name" do
     @certificate.distinguished_name.should_not be_nil
   end
   it "should have a serial number" do
     @certificate.serial_number.should_not be_nil
   end
   it "should have a subject" do
     @certificate.subject.should_not be_nil
   end
   it "should be able to have a parent entity" do
     @certificate.respond_to?(:parent).should be_true
   end
   it "should have key material" do
     @certificate.key_material.should_not be_nil
   end
   it "should have a not_before field" do
     @certificate.not_before.should_not be_nil
   end
   it "should have a not_after field" do
     @certificate.not_after.should_not be_nil
   end
   it "should default to one year validity" do
     @certificate.not_after.should < Time.now + 65 * 60 * 24 * 365 and
     @certificate.not_after.should > Time.now + 55 * 60 * 24 * 365
   end
   it "should be able to have a revoked at time" do
     @certificate.revoked?.should be_false
     @certificate.revoked_at = Time.now
     @certificate.revoked?.should be_true
   end
-end
+end