certificate_authority 0.1.6 → 1.0.0

data/spec/units/distinguished_name_spec.rb

@@ -1,59 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority::DistinguishedName do
-  before(:each) do
-    @distinguished_name = CertificateAuthority::DistinguishedName.new
-  end
-
-  it "should provide the standard x.509 distinguished name common attributes" do
-    @distinguished_name.respond_to?(:cn).should be_true
-    @distinguished_name.respond_to?(:l).should be_true
-    @distinguished_name.respond_to?(:s).should be_true
-    @distinguished_name.respond_to?(:o).should be_true
-    @distinguished_name.respond_to?(:ou).should be_true
-    @distinguished_name.respond_to?(:c).should be_true
-  end
-
-  it "should provide human-readable equivalents to the distinguished name common attributes" do
-    @distinguished_name.respond_to?(:common_name).should be_true
-    @distinguished_name.respond_to?(:locality).should be_true
-    @distinguished_name.respond_to?(:state).should be_true
-    @distinguished_name.respond_to?(:organization).should be_true
-    @distinguished_name.respond_to?(:organizational_unit).should be_true
-    @distinguished_name.respond_to?(:country).should be_true
-  end
-
-  it "should require a common name" do
-    @distinguished_name.valid?.should be_false
-    @distinguished_name.errors.size.should == 1
-    @distinguished_name.common_name = "chrischandler.name"
-    @distinguished_name.valid?.should be_true
-  end
-
-  it "should be convertible to an OpenSSL::X509::Name" do
-    @distinguished_name.common_name = "chrischandler.name"
-    @distinguished_name.to_x509_name
-  end
-
-  describe "from_openssl" do
-    before do
-      subject = "/CN=justincummins.name/L=on my laptop/ST=relaxed/C=as/O=programmer/OU=using this code"
-      @name = OpenSSL::X509::Name.parse subject
-      @dn = CertificateAuthority::DistinguishedName.from_openssl @name
-    end
-
-    it "should reject non Name objects" do
-      lambda { CertificateAuthority::DistinguishedName.from_openssl "Not a OpenSSL::X509::Name" }.should raise_error
-    end
-
-    [:common_name, :locality, :state, :country, :organization, :organizational_unit].each do |field|
-      it "should set the #{field} attribute" do
-        @dn.send(field).should_not be_nil
-      end
-    end
-
-    it "should create an equivalent object" do
-      @dn.to_x509_name.to_s.split('/').should =~ @name.to_s.split('/')
-    end
-  end
-end

data/spec/units/extensions_spec.rb

@@ -1,115 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority::Extensions do
-  describe CertificateAuthority::Extensions::BasicContraints do
-    it "should only allow true/false" do
-      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
-      basic_constraints.valid?.should be_true
-      basic_constraints.ca = "moo"
-      basic_constraints.valid?.should be_false
-    end
-
-    it "should respond to :path_len" do
-      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
-      basic_constraints.respond_to?(:path_len).should be_true
-    end
-
-    it "should raise an error if :path_len isn't a non-negative integer" do
-      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
-      lambda {basic_constraints.path_len = "moo"}.should raise_error
-      lambda {basic_constraints.path_len = -1}.should raise_error
-      lambda {basic_constraints.path_len = 1.5}.should raise_error
-    end
-
-    it "should generate a proper OpenSSL extension string" do
-      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
-      basic_constraints.ca = true
-      basic_constraints.path_len = 2
-      basic_constraints.to_s.should == "CA:true,pathlen:2"
-    end
-  end
-
-  describe CertificateAuthority::Extensions::SubjectAlternativeName do
-    it "should respond to :uris" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      subjectAltName.respond_to?(:uris).should be_true
-    end
-
-    it "should require 'uris' to be an Array" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      lambda {subjectAltName.uris = "not an array"}.should raise_error
-    end
-
-    it "should generate a proper OpenSSL extension string for URIs" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      subjectAltName.uris = ["http://localhost.altname.example.com"]
-      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com"
-
-      subjectAltName.uris = ["http://localhost.altname.example.com", "http://other.example.com"]
-      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com,URI:http://other.example.com"
-    end
-
-
-    it "should respond to :dns_names" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      subjectAltName.respond_to?(:dns_names).should be_true
-    end
-
-    it "should require 'dns_names' to be an Array" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      lambda {subjectAltName.dns_names = "not an array"}.should raise_error
-    end
-
-    it "should generate a proper OpenSSL extension string for DNS names" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      subjectAltName.dns_names = ["localhost.altname.example.com"]
-      subjectAltName.to_s.should == "DNS:localhost.altname.example.com"
-
-      subjectAltName.dns_names = ["localhost.altname.example.com", "other.example.com"]
-      subjectAltName.to_s.should == "DNS:localhost.altname.example.com,DNS:other.example.com"
-    end
-
-    it "should respond to :ips" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      subjectAltName.respond_to?(:ips).should be_true
-    end
-
-    it "should require 'ips' to be an Array" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      lambda {subjectAltName.ips = "not an array"}.should raise_error
-    end
-
-    it "should generate a proper OpenSSL extension string for IPs" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      subjectAltName.ips = ["1.2.3.4"]
-      subjectAltName.to_s.should == "IP:1.2.3.4"
-
-      subjectAltName.ips = ["1.2.3.4", "5.6.7.8"]
-      subjectAltName.to_s.should == "IP:1.2.3.4,IP:5.6.7.8"
-    end
-
-    it "should generate a proper OpenSSL extension string for URIs IPs and DNS names together" do
-      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      subjectAltName.ips = ["1.2.3.4"]
-      subjectAltName.to_s.should == "IP:1.2.3.4"
-
-      subjectAltName.dns_names = ["localhost.altname.example.com"]
-      subjectAltName.to_s.should == "DNS:localhost.altname.example.com,IP:1.2.3.4"
-
-      subjectAltName.dns_names = ["localhost.altname.example.com", "other.example.com"]
-      subjectAltName.to_s.should == "DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4"
-
-      subjectAltName.ips = ["1.2.3.4", "5.6.7.8"]
-      subjectAltName.to_s.should == "DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4,IP:5.6.7.8"
-
-      subjectAltName.uris = ["http://localhost.altname.example.com"]
-      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com,DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4,IP:5.6.7.8"
-
-      subjectAltName.uris = ["http://localhost.altname.example.com", "http://other.altname.example.com"]
-      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com,URI:http://other.altname.example.com,DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4,IP:5.6.7.8"
-
-    end
-
-
-  end
-end

data/spec/units/key_material_spec.rb

@@ -1,100 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority::KeyMaterial do
-  [CertificateAuthority::MemoryKeyMaterial, CertificateAuthority::SigningRequestKeyMaterial].each do |key_material_class|
-    before do
-      @key_material = key_material_class.new
-    end
-
-    it "#{key_material_class} should know if a key is in memory or hardware" do
-      @key_material.is_in_hardware?.should_not be_nil
-      @key_material.is_in_memory?.should_not be_nil
-    end
-
-    it "should use memory by default" do
-      @key_material.is_in_memory?.should be_true
-    end
-  end
-end
-
-describe CertificateAuthority::MemoryKeyMaterial do
-  before(:each) do
-    @key_material = CertificateAuthority::MemoryKeyMaterial.new
-  end
-
-  it "should be able to generate an RSA key" do
-    @key_material.generate_key(1024).should_not be_nil
-  end
-
-  it "should generate a proper OpenSSL::PKey::RSA" do
-    @key_material.generate_key(1024).class.should == OpenSSL::PKey::RSA
-  end
-
-  it "should be able to specify the size of the modulus to generate" do
-    @key_material.generate_key(1024).should_not be_nil
-  end
-
-  describe "with generated key" do
-    before(:all) do
-      @key_material_in_memory = CertificateAuthority::MemoryKeyMaterial.new
-      @key_material_in_memory.generate_key(1024)
-    end
-
-    it "should be able to retrieve the private key" do
-      @key_material_in_memory.private_key.should_not be_nil
-    end
-
-    it "should be able to retrieve the public key" do
-      @key_material_in_memory.public_key.should_not be_nil
-    end
-  end
-
-  it "should not validate without public and private keys" do
-    @key_material.valid?.should be_false
-    @key_material.generate_key(1024)
-    @key_material.valid?.should be_true
-    pub = @key_material.public_key
-    @key_material.public_key = nil
-    @key_material.valid?.should be_false
-    @key_material.public_key = pub
-    @key_material.private_key = nil
-    @key_material.valid?.should be_false
-  end
-end
-
-describe CertificateAuthority::SigningRequestKeyMaterial do
-  before(:each) do
-    @request = OpenSSL::X509::Request.new <<CSR
------BEGIN CERTIFICATE REQUEST-----
-MIIBjTCB9wIBADBOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEU
-MBIGA1UEBxMLQmVyc2Vya2VsZXkxFDASBgNVBAoTC0NlcnRzICdSIFVzMIGfMA0G
-CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaGiBcv++581KYt6y2NNcUaZNPPeNZ0UkX
-ujzZQQllx7PlYmsKTE6ZzfTUc0AJvDBIuACg03eagaEaBZtUFbsLkSOLJyYiIfF5
-f9PuXImz2RDzBJQ/+u82gQAcvPhm94xK8jeNPcn0Ege7Y7SRK4YYonX+0ZveP02L
-FjuEfrZcZQIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAecOQz0RfnmSxxzOyHZ1e
-Wo2hQqPOmkfIbvL2l1Ml+HybJQJn6OpLmeveyU48SI2M7UqeNkHtsogMljy3re4L
-QlwK7lNd6SymdfSCPjUcdoLOaHolZXYNvCHltTc5skRHG7ti5yv4cu0ItIcCS0yp
-7L3maDEbTLsDdouHeFfbLWA=
------END CERTIFICATE REQUEST-----
-CSR
-    @key_material = CertificateAuthority::SigningRequestKeyMaterial.new @request
-  end
-
-  it "should generate from a CSR" do
-    @key_material.should_not be_nil
-  end
-
-  it "should be able to expose a public key" do
-    @key_material.public_key.should_not be_nil
-  end
-
-  it "should not have a private key" do
-    @key_material.private_key.should be_nil
-  end
-
-  it "should raise when signature does not verify" do
-    invalid = @request
-    invalid.public_key = OpenSSL::PKey::RSA.new 512
-    lambda { CertificateAuthority::SigningRequestKeyMaterial.new invalid }.should raise_error
-  end
-end

data/spec/units/ocsp_handler_spec.rb

@@ -1,104 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority::OCSPHandler do
-  before(:each) do
-    @ocsp_handler = CertificateAuthority::OCSPHandler.new
-
-    @root_certificate = CertificateAuthority::Certificate.new
-    @root_certificate.signing_entity = true
-    @root_certificate.subject.common_name = "OCSP Root"
-    @root_certificate.key_material.generate_key(1024)
-    @root_certificate.serial_number.number = 1
-    @root_certificate.sign!
-
-    @certificate = CertificateAuthority::Certificate.new
-    @certificate.key_material.generate_key(1024)
-    @certificate.subject.common_name = "http://questionablesite.com"
-    @certificate.parent = @root_certificate
-    @certificate.serial_number.number = 2
-    @certificate.sign!
-
-    @ocsp_request = OpenSSL::OCSP::Request.new
-    openssl_cert_issuer = OpenSSL::X509::Certificate.new(@root_certificate.to_pem)
-    openssl_cert_subject = OpenSSL::X509::Certificate.new(@certificate.to_pem)
-
-    cert_id = OpenSSL::OCSP::CertificateId.new(openssl_cert_subject, openssl_cert_issuer)
-    @ocsp_request.add_certid(cert_id)
-    @ocsp_handler.ocsp_request = @ocsp_request.to_der
-  end
-
-  it "should be able to accept an OCSP Request" do
-    @ocsp_handler.ocsp_request = @ocsp_request
-    @ocsp_handler.ocsp_request.should_not be_nil
-  end
-
-  it "should raise an error if you try and extract certificates without a raw request" do
-    @ocsp_handler.extract_certificate_serials
-    @ocsp_handler.ocsp_request = nil
-    lambda {@ocsp_handler.extract_certificate_serials}.should raise_error
-  end
-
-  it "should return a hash of extracted certificates from OCSP requests" do
-    result = @ocsp_handler.extract_certificate_serials
-    result.size.should == 1
-  end
-
-  it "should be able to generate an OCSP response" do
-    @ocsp_handler.extract_certificate_serials
-    @ocsp_handler << @certificate
-    @ocsp_handler.parent = @root_certificate
-    @ocsp_handler.response
-  end
-
-  it "should require a 'parent' entity for signing" do
-    @ocsp_handler.parent = @root_certificate
-    @ocsp_handler.parent.should_not be_nil
-  end
-
-  it "should raise an error if you ask for the signed OCSP response without generating it" do
-    @ocsp_handler.extract_certificate_serials
-    @ocsp_handler << @certificate
-    @ocsp_handler.parent = @root_certificate
-    lambda { @ocsp_handler.to_der }.should raise_error
-    @ocsp_handler.response
-    @ocsp_handler.to_der.should_not be_nil
-  end
-
-  it "should raise an error if you generate a response without adding all certificates in request" do
-    @ocsp_handler.extract_certificate_serials
-    @ocsp_handler.parent = @root_certificate
-    lambda { @ocsp_handler.response }.should raise_error
-  end
-
-  it "should raise an error if you generate a response without adding a parent signing entity" do
-    @ocsp_handler.extract_certificate_serials
-    @ocsp_handler << @certificate
-    lambda { @ocsp_handler.response }.should raise_error
-  end
-
-  describe "Response" do
-    before(:each) do
-      @ocsp_handler.extract_certificate_serials
-      @ocsp_handler << @certificate
-      @ocsp_handler.parent = @root_certificate
-      @ocsp_handler.response
-
-      @openssl_ocsp_response = OpenSSL::OCSP::Response.new(@ocsp_handler.to_der)
-    end
-
-    it "should have a correct status/status string" do
-      @openssl_ocsp_response.status_string.should == "successful"
-      @openssl_ocsp_response.status.should == 0
-    end
-
-    it "should have an embedded BasicResponse with certificate statuses" do
-      # [#<OpenSSL::OCSP::CertificateId:0x000001020ecad8>, 0, 1, nil, 2011-04-15 23:29:47 UTC, 2011-04-15 23:30:17 UTC, []]
-      @openssl_ocsp_response.basic.status.first[1].should == 0 # Everything is OK
-    end
-
-    it "should have a next_update time" do
-      @openssl_ocsp_response.basic.status.first[5].should_not be_nil
-      @openssl_ocsp_response.basic.status.first[5].class.should == Time
-    end
-  end
-end

data/spec/units/pkcs11_key_material_spec.rb

@@ -1,41 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-## Anything that requires crypto hardware needs to be tagged as 'pkcs11'
-describe CertificateAuthority::Pkcs11KeyMaterial, :pkcs11 => true do
-  before(:each) do
-    @key_material_in_hardware = CertificateAuthority::Pkcs11KeyMaterial.new
-    @key_material_in_hardware.token_id = "46"
-    @key_material_in_hardware.pkcs11_lib = "/usr/lib/libeTPkcs11.so"
-    @key_material_in_hardware.openssl_pkcs11_engine_lib = "/usr/lib/engines/engine_pkcs11.so"
-    @key_material_in_hardware.pin = "11111111"
-  end
-
-  it "should identify as being in hardware", :pkcs11 => true do
-    @key_material_in_hardware.is_in_hardware?.should be_true
-  end
-
-  it "should return a Pkey ref if the private key is requested", :pkcs11 => true do
-    @key_material_in_hardware.private_key.class.should == OpenSSL::PKey::RSA
-  end
-
-  it "should return a Pkey ref if the public key is requested", :pkcs11 => true do
-    @key_material_in_hardware.public_key.class.should == OpenSSL::PKey::RSA
-  end
-
-  it "should accept an ID for on-token objects", :pkcs11 => true do
-    @key_material_in_hardware.respond_to?(:token_id).should be_true
-  end
-
-  it "should accept a path to a shared library for a PKCS11 driver", :pkcs11 => true do
-    @key_material_in_hardware.respond_to?(:pkcs11_lib).should be_true
-  end
-
-  it "should accept a path to OpenSSL's dynamic PKCS11 engine (provided by libengine-pkcs11-openssl)", :pkcs11 => true do
-    @key_material_in_hardware.respond_to?(:openssl_pkcs11_engine_lib).should be_true
-  end
-
-  it "should accept an optional PIN to authenticate to the token", :pkcs11 => true do
-    @key_material_in_hardware.respond_to?(:pin).should be_true
-  end
-
-end

data/spec/units/serial_number_spec.rb

@@ -1,20 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority::SerialNumber do
-  before(:each) do
-    @serial_number = CertificateAuthority::SerialNumber.new
-  end
-
-  it "should support basic integer serial numbers", :rfc3280 => true do
-    @serial_number.number = 25
-    @serial_number.should be_valid
-    @serial_number.number = "abc"
-    @serial_number.should_not be_valid
-  end
-
-  it "should not allow negative serial numbers", :rfc3280 => true do
-    @serial_number.number = -5
-    @serial_number.should_not be_valid
-  end
-
-end

data/spec/units/signing_entity_spec.rb

@@ -1,4 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority::SigningEntity do
-end