certificate_authority 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (22) hide show
  1. data/README.rdoc +92 -86
  2. data/VERSION.yml +2 -2
  3. data/certificate_authority.gemspec +9 -7
  4. data/lib/certificate_authority.rb +1 -1
  5. data/lib/certificate_authority/certificate.rb +60 -38
  6. data/lib/certificate_authority/certificate_revocation_list.rb +12 -12
  7. data/lib/certificate_authority/distinguished_name.rb +33 -14
  8. data/lib/certificate_authority/extensions.rb +77 -63
  9. data/lib/certificate_authority/key_material.rb +48 -15
  10. data/lib/certificate_authority/ocsp_handler.rb +24 -24
  11. data/lib/certificate_authority/pkcs11_key_material.rb +13 -13
  12. data/lib/certificate_authority/serial_number.rb +3 -3
  13. data/lib/certificate_authority/signing_entity.rb +5 -7
  14. data/spec/units/certificate_revocation_list_spec.rb +16 -16
  15. data/spec/units/certificate_spec.rb +149 -84
  16. data/spec/units/distinguished_name_spec.rb +26 -5
  17. data/spec/units/extensions_spec.rb +72 -10
  18. data/spec/units/key_material_spec.rb +69 -65
  19. data/spec/units/ocsp_handler_spec.rb +20 -20
  20. data/spec/units/pkcs11_key_material_spec.rb +41 -0
  21. data/spec/units/serial_number_spec.rb +4 -4
  22. metadata +50 -53
data/spec/units/distinguished_name_spec.rb CHANGED
@@ -4,7 +4,7 @@ describe CertificateAuthority::DistinguishedName do
4
4
  before(:each) do
5
5
  @distinguished_name = CertificateAuthority::DistinguishedName.new
6
6
  end
7
-
7
+
8
8
  it "should provide the standard x.509 distinguished name common attributes" do
9
9
  @distinguished_name.respond_to?(:cn).should be_true
10
10
  @distinguished_name.respond_to?(:l).should be_true
@@ -13,7 +13,7 @@ describe CertificateAuthority::DistinguishedName do
13
13
  @distinguished_name.respond_to?(:ou).should be_true
14
14
  @distinguished_name.respond_to?(:c).should be_true
15
15
  end
16
-
16
+
17
17
  it "should provide human-readable equivalents to the distinguished name common attributes" do
18
18
  @distinguished_name.respond_to?(:common_name).should be_true
19
19
  @distinguished_name.respond_to?(:locality).should be_true
@@ -22,17 +22,38 @@ describe CertificateAuthority::DistinguishedName do
22
22
  @distinguished_name.respond_to?(:organizational_unit).should be_true
23
23
  @distinguished_name.respond_to?(:country).should be_true
24
24
  end
25
-
25
+
26
26
  it "should require a common name" do
27
27
  @distinguished_name.valid?.should be_false
28
28
  @distinguished_name.errors.size.should == 1
29
29
  @distinguished_name.common_name = "chrischandler.name"
30
30
  @distinguished_name.valid?.should be_true
31
31
  end
32
-
32
+
33
33
  it "should be convertible to an OpenSSL::X509::Name" do
34
34
  @distinguished_name.common_name = "chrischandler.name"
35
35
  @distinguished_name.to_x509_name
36
36
  end
37
-
37
+
38
+ describe "from_openssl" do
39
+ before do
40
+ subject = "/CN=justincummins.name/L=on my laptop/ST=relaxed/C=as/O=programmer/OU=using this code"
41
+ @name = OpenSSL::X509::Name.parse subject
42
+ @dn = CertificateAuthority::DistinguishedName.from_openssl @name
43
+ end
44
+
45
+ it "should reject non Name objects" do
46
+ lambda { CertificateAuthority::DistinguishedName.from_openssl "Not a OpenSSL::X509::Name" }.should raise_error
47
+ end
48
+
49
+ [:common_name, :locality, :state, :country, :organization, :organizational_unit].each do |field|
50
+ it "should set the #{field} attribute" do
51
+ @dn.send(field).should_not be_nil
52
+ end
53
+ end
54
+
55
+ it "should create an equivalent object" do
56
+ @dn.to_x509_name.to_s.split('/').should =~ @name.to_s.split('/')
57
+ end
58
+ end
38
59
  end
data/spec/units/extensions_spec.rb CHANGED
@@ -8,19 +8,19 @@ describe CertificateAuthority::Extensions do
8
8
  basic_constraints.ca = "moo"
9
9
  basic_constraints.valid?.should be_false
10
10
  end
11
-
11
+
12
12
  it "should respond to :path_len" do
13
13
  basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
14
14
  basic_constraints.respond_to?(:path_len).should be_true
15
15
  end
16
-
16
+
17
17
  it "should raise an error if :path_len isn't a non-negative integer" do
18
18
  basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
19
19
  lambda {basic_constraints.path_len = "moo"}.should raise_error
20
20
  lambda {basic_constraints.path_len = -1}.should raise_error
21
21
  lambda {basic_constraints.path_len = 1.5}.should raise_error
22
22
  end
23
-
23
+
24
24
  it "should generate a proper OpenSSL extension string" do
25
25
  basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
26
26
  basic_constraints.ca = true
@@ -28,26 +28,88 @@ describe CertificateAuthority::Extensions do
28
28
  basic_constraints.to_s.should == "CA:true,pathlen:2"
29
29
  end
30
30
  end
31
-
31
+
32
32
  describe CertificateAuthority::Extensions::SubjectAlternativeName do
33
33
  it "should respond to :uris" do
34
34
  subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
35
35
  subjectAltName.respond_to?(:uris).should be_true
36
36
  end
37
-
37
+
38
38
  it "should require 'uris' to be an Array" do
39
39
  subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
40
40
  lambda {subjectAltName.uris = "not an array"}.should raise_error
41
41
  end
42
-
43
- it "should generate a proper OpenSSL extension string" do
42
+
43
+ it "should generate a proper OpenSSL extension string for URIs" do
44
44
  subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
45
45
  subjectAltName.uris = ["http://localhost.altname.example.com"]
46
46
  subjectAltName.to_s.should == "URI:http://localhost.altname.example.com"
47
-
47
+
48
48
  subjectAltName.uris = ["http://localhost.altname.example.com", "http://other.example.com"]
49
49
  subjectAltName.to_s.should == "URI:http://localhost.altname.example.com,URI:http://other.example.com"
50
50
  end
51
-
51
+
52
+
53
+ it "should respond to :dns_names" do
54
+ subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
55
+ subjectAltName.respond_to?(:dns_names).should be_true
56
+ end
57
+
58
+ it "should require 'dns_names' to be an Array" do
59
+ subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
60
+ lambda {subjectAltName.dns_names = "not an array"}.should raise_error
61
+ end
62
+
63
+ it "should generate a proper OpenSSL extension string for DNS names" do
64
+ subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
65
+ subjectAltName.dns_names = ["localhost.altname.example.com"]
66
+ subjectAltName.to_s.should == "DNS:localhost.altname.example.com"
67
+
68
+ subjectAltName.dns_names = ["localhost.altname.example.com", "other.example.com"]
69
+ subjectAltName.to_s.should == "DNS:localhost.altname.example.com,DNS:other.example.com"
70
+ end
71
+
72
+ it "should respond to :ips" do
73
+ subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
74
+ subjectAltName.respond_to?(:ips).should be_true
75
+ end
76
+
77
+ it "should require 'ips' to be an Array" do
78
+ subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
79
+ lambda {subjectAltName.ips = "not an array"}.should raise_error
80
+ end
81
+
82
+ it "should generate a proper OpenSSL extension string for IPs" do
83
+ subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
84
+ subjectAltName.ips = ["1.2.3.4"]
85
+ subjectAltName.to_s.should == "IP:1.2.3.4"
86
+
87
+ subjectAltName.ips = ["1.2.3.4", "5.6.7.8"]
88
+ subjectAltName.to_s.should == "IP:1.2.3.4,IP:5.6.7.8"
89
+ end
90
+
91
+ it "should generate a proper OpenSSL extension string for URIs IPs and DNS names together" do
92
+ subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
93
+ subjectAltName.ips = ["1.2.3.4"]
94
+ subjectAltName.to_s.should == "IP:1.2.3.4"
95
+
96
+ subjectAltName.dns_names = ["localhost.altname.example.com"]
97
+ subjectAltName.to_s.should == "DNS:localhost.altname.example.com,IP:1.2.3.4"
98
+
99
+ subjectAltName.dns_names = ["localhost.altname.example.com", "other.example.com"]
100
+ subjectAltName.to_s.should == "DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4"
101
+
102
+ subjectAltName.ips = ["1.2.3.4", "5.6.7.8"]
103
+ subjectAltName.to_s.should == "DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4,IP:5.6.7.8"
104
+
105
+ subjectAltName.uris = ["http://localhost.altname.example.com"]
106
+ subjectAltName.to_s.should == "URI:http://localhost.altname.example.com,DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4,IP:5.6.7.8"
107
+
108
+ subjectAltName.uris = ["http://localhost.altname.example.com", "http://other.altname.example.com"]
109
+ subjectAltName.to_s.should == "URI:http://localhost.altname.example.com,URI:http://other.altname.example.com,DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4,IP:5.6.7.8"
110
+
111
+ end
112
+
113
+
52
114
  end
53
- end
115
+ end
data/spec/units/key_material_spec.rb CHANGED
@@ -1,89 +1,57 @@
1
1
  require File.dirname(__FILE__) + '/units_helper'
2
2
 
3
+ describe CertificateAuthority::KeyMaterial do
4
+ [CertificateAuthority::MemoryKeyMaterial, CertificateAuthority::SigningRequestKeyMaterial].each do |key_material_class|
5
+ before do
6
+ @key_material = key_material_class.new
7
+ end
8
+
9
+ it "#{key_material_class} should know if a key is in memory or hardware" do
10
+ @key_material.is_in_hardware?.should_not be_nil
11
+ @key_material.is_in_memory?.should_not be_nil
12
+ end
13
+
14
+ it "should use memory by default" do
15
+ @key_material.is_in_memory?.should be_true
16
+ end
17
+ end
18
+ end
19
+
3
20
  describe CertificateAuthority::MemoryKeyMaterial do
4
21
  before(:each) do
5
22
  @key_material = CertificateAuthority::MemoryKeyMaterial.new
6
23
  end
7
-
8
- it "should know if a key is in memory or hardware" do
9
- @key_material.is_in_hardware?.should_not be_nil
10
- @key_material.is_in_memory?.should_not be_nil
11
- end
12
-
13
- it "should use memory by default" do
14
- @key_material.is_in_memory?.should be_true
15
- end
16
-
24
+
17
25
  it "should be able to generate an RSA key" do
18
- @key_material.generate_key.should_not be_nil
26
+ @key_material.generate_key(1024).should_not be_nil
19
27
  end
20
-
28
+
21
29
  it "should generate a proper OpenSSL::PKey::RSA" do
22
- @key_material.generate_key.class.should == OpenSSL::PKey::RSA
30
+ @key_material.generate_key(1024).class.should == OpenSSL::PKey::RSA
23
31
  end
24
-
32
+
25
33
  it "should be able to specify the size of the modulus to generate" do
26
- @key_material.generate_key(768).should_not be_nil
34
+ @key_material.generate_key(1024).should_not be_nil
27
35
  end
28
-
29
- describe "in memory" do
36
+
37
+ describe "with generated key" do
30
38
  before(:all) do
31
39
  @key_material_in_memory = CertificateAuthority::MemoryKeyMaterial.new
32
- @key_material_in_memory.generate_key
40
+ @key_material_in_memory.generate_key(1024)
33
41
  end
34
-
42
+
35
43
  it "should be able to retrieve the private key" do
36
44
  @key_material_in_memory.private_key.should_not be_nil
37
45
  end
38
-
46
+
39
47
  it "should be able to retrieve the public key" do
40
48
  @key_material_in_memory.public_key.should_not be_nil
41
49
  end
42
50
  end
43
-
44
- ## Anything that requires crypto hardware needs to be tagged as 'pkcs11'
45
- describe "in hardware", :pkcs11 => true do
46
- before(:each) do
47
- @key_material_in_hardware = CertificateAuthority::Pkcs11KeyMaterial.new
48
- @key_material_in_hardware.token_id = "46"
49
- @key_material_in_hardware.pkcs11_lib = "/usr/lib/libeTPkcs11.so"
50
- @key_material_in_hardware.openssl_pkcs11_engine_lib = "/usr/lib/engines/engine_pkcs11.so"
51
- @key_material_in_hardware.pin = "11111111"
52
- end
53
-
54
- it "should identify as being in hardware", :pkcs11 => true do
55
- @key_material_in_hardware.is_in_hardware?.should be_true
56
- end
57
-
58
- it "should return a Pkey ref if the private key is requested", :pkcs11 => true do
59
- @key_material_in_hardware.private_key.class.should == OpenSSL::PKey::RSA
60
- end
61
-
62
- it "should return a Pkey ref if the private key is requested", :pkcs11 => true do
63
- @key_material_in_hardware.public_key.class.should == OpenSSL::PKey::RSA
64
- end
65
-
66
- it "should accept an ID for on-token objects", :pkcs11 => true do
67
- @key_material_in_hardware.respond_to?(:token_id).should be_true
68
- end
69
-
70
- it "should accept a path to a shared library for a PKCS11 driver", :pkcs11 => true do
71
- @key_material_in_hardware.respond_to?(:pkcs11_lib).should be_true
72
- end
73
-
74
- it "should accept a path to OpenSSL's dynamic PKCS11 engine (provided by libengine-pkcs11-openssl)", :pkcs11 => true do
75
- @key_material_in_hardware.respond_to?(:openssl_pkcs11_engine_lib).should be_true
76
- end
77
-
78
- it "should accept an optional PIN to authenticate to the token", :pkcs11 => true do
79
- @key_material_in_hardware.respond_to?(:pin).should be_true
80
- end
81
-
82
- end
83
-
84
- it "not validate without public and private keys" do
51
+
52
+ it "should not validate without public and private keys" do
85
53
  @key_material.valid?.should be_false
86
- @key_material.generate_key
54
+ @key_material.generate_key(1024)
87
55
  @key_material.valid?.should be_true
88
56
  pub = @key_material.public_key
89
57
  @key_material.public_key = nil
@@ -92,5 +60,41 @@ describe CertificateAuthority::MemoryKeyMaterial do
92
60
  @key_material.private_key = nil
93
61
  @key_material.valid?.should be_false
94
62
  end
95
-
96
- end
63
+ end
64
+
65
+ describe CertificateAuthority::SigningRequestKeyMaterial do
66
+ before(:each) do
67
+ @request = OpenSSL::X509::Request.new <<CSR
68
+ -----BEGIN CERTIFICATE REQUEST-----
69
+ MIIBjTCB9wIBADBOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEU
70
+ MBIGA1UEBxMLQmVyc2Vya2VsZXkxFDASBgNVBAoTC0NlcnRzICdSIFVzMIGfMA0G
71
+ CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaGiBcv++581KYt6y2NNcUaZNPPeNZ0UkX
72
+ ujzZQQllx7PlYmsKTE6ZzfTUc0AJvDBIuACg03eagaEaBZtUFbsLkSOLJyYiIfF5
73
+ f9PuXImz2RDzBJQ/+u82gQAcvPhm94xK8jeNPcn0Ege7Y7SRK4YYonX+0ZveP02L
74
+ FjuEfrZcZQIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAecOQz0RfnmSxxzOyHZ1e
75
+ Wo2hQqPOmkfIbvL2l1Ml+HybJQJn6OpLmeveyU48SI2M7UqeNkHtsogMljy3re4L
76
+ QlwK7lNd6SymdfSCPjUcdoLOaHolZXYNvCHltTc5skRHG7ti5yv4cu0ItIcCS0yp
77
+ 7L3maDEbTLsDdouHeFfbLWA=
78
+ -----END CERTIFICATE REQUEST-----
79
+ CSR
80
+ @key_material = CertificateAuthority::SigningRequestKeyMaterial.new @request
81
+ end
82
+
83
+ it "should generate from a CSR" do
84
+ @key_material.should_not be_nil
85
+ end
86
+
87
+ it "should be able to expose a public key" do
88
+ @key_material.public_key.should_not be_nil
89
+ end
90
+
91
+ it "should not have a private key" do
92
+ @key_material.private_key.should be_nil
93
+ end
94
+
95
+ it "should raise when signature does not verify" do
96
+ invalid = @request
97
+ invalid.public_key = OpenSSL::PKey::RSA.new 512
98
+ lambda { CertificateAuthority::SigningRequestKeyMaterial.new invalid }.should raise_error
99
+ end
100
+ end
data/spec/units/ocsp_handler_spec.rb CHANGED
@@ -3,58 +3,58 @@ require File.dirname(__FILE__) + '/units_helper'
3
3
  describe CertificateAuthority::OCSPHandler do
4
4
  before(:each) do
5
5
  @ocsp_handler = CertificateAuthority::OCSPHandler.new
6
-
6
+
7
7
  @root_certificate = CertificateAuthority::Certificate.new
8
8
  @root_certificate.signing_entity = true
9
9
  @root_certificate.subject.common_name = "OCSP Root"
10
- @root_certificate.key_material.generate_key
10
+ @root_certificate.key_material.generate_key(1024)
11
11
  @root_certificate.serial_number.number = 1
12
12
  @root_certificate.sign!
13
-
13
+
14
14
  @certificate = CertificateAuthority::Certificate.new
15
- @certificate.key_material.generate_key
15
+ @certificate.key_material.generate_key(1024)
16
16
  @certificate.subject.common_name = "http://questionablesite.com"
17
17
  @certificate.parent = @root_certificate
18
18
  @certificate.serial_number.number = 2
19
19
  @certificate.sign!
20
-
20
+
21
21
  @ocsp_request = OpenSSL::OCSP::Request.new
22
22
  openssl_cert_issuer = OpenSSL::X509::Certificate.new(@root_certificate.to_pem)
23
23
  openssl_cert_subject = OpenSSL::X509::Certificate.new(@certificate.to_pem)
24
-
24
+
25
25
  cert_id = OpenSSL::OCSP::CertificateId.new(openssl_cert_subject, openssl_cert_issuer)
26
26
  @ocsp_request.add_certid(cert_id)
27
27
  @ocsp_handler.ocsp_request = @ocsp_request.to_der
28
28
  end
29
-
29
+
30
30
  it "should be able to accept an OCSP Request" do
31
31
  @ocsp_handler.ocsp_request = @ocsp_request
32
32
  @ocsp_handler.ocsp_request.should_not be_nil
33
33
  end
34
-
34
+
35
35
  it "should raise an error if you try and extract certificates without a raw request" do
36
36
  @ocsp_handler.extract_certificate_serials
37
37
  @ocsp_handler.ocsp_request = nil
38
38
  lambda {@ocsp_handler.extract_certificate_serials}.should raise_error
39
39
  end
40
-
40
+
41
41
  it "should return a hash of extracted certificates from OCSP requests" do
42
42
  result = @ocsp_handler.extract_certificate_serials
43
43
  result.size.should == 1
44
44
  end
45
-
45
+
46
46
  it "should be able to generate an OCSP response" do
47
47
  @ocsp_handler.extract_certificate_serials
48
48
  @ocsp_handler << @certificate
49
49
  @ocsp_handler.parent = @root_certificate
50
50
  @ocsp_handler.response
51
51
  end
52
-
52
+
53
53
  it "should require a 'parent' entity for signing" do
54
54
  @ocsp_handler.parent = @root_certificate
55
55
  @ocsp_handler.parent.should_not be_nil
56
56
  end
57
-
57
+
58
58
  it "should raise an error if you ask for the signed OCSP response without generating it" do
59
59
  @ocsp_handler.extract_certificate_serials
60
60
  @ocsp_handler << @certificate
@@ -63,42 +63,42 @@ describe CertificateAuthority::OCSPHandler do
63
63
  @ocsp_handler.response
64
64
  @ocsp_handler.to_der.should_not be_nil
65
65
  end
66
-
66
+
67
67
  it "should raise an error if you generate a response without adding all certificates in request" do
68
68
  @ocsp_handler.extract_certificate_serials
69
69
  @ocsp_handler.parent = @root_certificate
70
70
  lambda { @ocsp_handler.response }.should raise_error
71
71
  end
72
-
72
+
73
73
  it "should raise an error if you generate a response without adding a parent signing entity" do
74
74
  @ocsp_handler.extract_certificate_serials
75
75
  @ocsp_handler << @certificate
76
76
  lambda { @ocsp_handler.response }.should raise_error
77
77
  end
78
-
78
+
79
79
  describe "Response" do
80
80
  before(:each) do
81
81
  @ocsp_handler.extract_certificate_serials
82
82
  @ocsp_handler << @certificate
83
83
  @ocsp_handler.parent = @root_certificate
84
84
  @ocsp_handler.response
85
-
85
+
86
86
  @openssl_ocsp_response = OpenSSL::OCSP::Response.new(@ocsp_handler.to_der)
87
87
  end
88
-
88
+
89
89
  it "should have a correct status/status string" do
90
90
  @openssl_ocsp_response.status_string.should == "successful"
91
91
  @openssl_ocsp_response.status.should == 0
92
92
  end
93
-
93
+
94
94
  it "should have an embedded BasicResponse with certificate statuses" do
95
95
  # [#<OpenSSL::OCSP::CertificateId:0x000001020ecad8>, 0, 1, nil, 2011-04-15 23:29:47 UTC, 2011-04-15 23:30:17 UTC, []]
96
96
  @openssl_ocsp_response.basic.status.first[1].should == 0 # Everything is OK
97
97
  end
98
-
98
+
99
99
  it "should have a next_update time" do
100
100
  @openssl_ocsp_response.basic.status.first[5].should_not be_nil
101
101
  @openssl_ocsp_response.basic.status.first[5].class.should == Time
102
102
  end
103
103
  end
104
- end
104
+ end