certificate_authority_sonian 0.1.7

data/lib/certificate_authority/key_material.rb

@@ -0,0 +1,135 @@
+module CertificateAuthority
+  module KeyMaterial
+    def public_key
+      raise "Required implementation"
+    end
+
+    def private_key
+      raise "Required implementation"
+    end
+
+    def is_in_hardware?
+      raise "Required implementation"
+    end
+
+    def is_in_memory?
+      raise "Required implementation"
+    end
+  end
+
+  class MemoryKeyMaterial
+    include KeyMaterial
+    include ActiveModel::Validations
+
+    attr_accessor :keypair
+    attr_accessor :private_key
+    attr_accessor :public_key
+
+    def initialize
+    end
+
+    validates_each :private_key do |record, attr, value|
+        record.errors.add :private_key, "cannot be blank" if record.private_key.nil?
+    end
+    validates_each :public_key do |record, attr, value|
+      record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
+    end
+
+    # @return [Boolean]
+    def is_in_hardware?
+      false
+    end
+
+    # @return [Boolean]
+    def is_in_memory?
+      true
+    end
+
+    # @param modulus_bits [Integer] number of bits to generate the key with
+    # @return [OpenSSL::Pkey::RSA]
+    def generate_key(modulus_bits=2048)
+      self.keypair = OpenSSL::PKey::RSA.new(modulus_bits)
+      self.private_key = keypair
+      self.public_key = keypair.public_key
+      self.keypair
+    end
+
+    # @return [OpenSSL::Pkey::RSA]
+    def private_key
+      @private_key
+    end
+
+    # @return [OpenSSL::Pkey::RSA]
+    def public_key
+      @public_key
+    end
+  end
+
+  class SigningRequestKeyMaterial
+    include KeyMaterial
+    include ActiveModel::Validations
+
+    validates_each :public_key do |record, attr, value|
+      record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
+    end
+
+    attr_accessor :public_key
+    attr_reader :csr # @return [OpenSSL::X509::Request,OpenSSL::Netscape::SPKI]
+    attr_reader :certificate # @return [CertificateAuthority::Certificate]
+
+    # @param request [OpenSSL::X508::Request,OpenSSL::Netscape::SPKI,String] a signing request
+    def initialize(request=nil)
+      if request.is_a?(OpenSSL::X509::Request) || request.is_a?(OpenSSL::Netscape::SPKI)
+        @csr = request
+        raise "Invalid certificate signing request" unless @csr.verify(@csr.public_key)
+        self.public_key = @csr.public_key
+      end
+    end
+
+    # Given a root certificate and a key, will generate a signed certificate
+    # @param root_cert [CertificateAuthority::Certificate] the parent certificate (CA)
+    # @param key [OpenSSL::Pkey::RSA] the private key to sign with
+    # @param serial_number [Integer] the serial number for the generated certificate
+    # @param options [Hash{:dn => CertificateAuthority::DistinguishedName, :algorithm => OpenSSL::Digest, :not_after => Time}] :dn is required for SPKAC signing
+    # @return [CertificateAuthority::Certificate] A signed certificate instance
+    def sign_and_certify(root_cert, key, serial_number, options = {})
+      if csr.is_a? OpenSSL::Netscape::SPKI
+        raise "Must pass :dn in options to generate certificates for OpenSSL::Netscape::SPKI requests" unless options[:dn]
+      end
+      algorithm = options[:algorithm] || OpenSSL::Digest::SHA1.new
+      cert = OpenSSL::X509::Certificate.new
+      if options[:dn]
+        cert.subject = options[:dn].to_x509_name
+      else
+        cert.subject = csr.subject
+      end
+      cert.public_key = public_key
+      cert.not_before = Time.now
+      cert.not_after = options[:not_after] || (Time.now + 100000000)
+      cert.issuer = root_cert.subject.to_x509_name
+      cert.serial = serial_number
+      cert.sign key, algorithm
+      @certificate = CertificateAuthority::Certificate.from_openssl cert
+    end
+
+    # @return [Boolean]
+    def is_in_hardware?
+      false
+    end
+
+    # @return [Boolean]
+    def is_in_memory?
+      true
+    end
+
+    # @return [NilClass]
+    def private_key
+      nil
+    end
+
+    # @return [OpenSSL::Pkey::RSA]
+    def public_key
+      @public_key
+    end
+  end
+end

data/lib/certificate_authority/ocsp_handler.rb

@@ -0,0 +1,77 @@
+module CertificateAuthority
+  class OCSPHandler
+    include ActiveModel::Validations
+
+    attr_accessor :ocsp_request
+    attr_accessor :certificate_ids
+
+    attr_accessor :certificates
+    attr_accessor :parent
+
+    attr_accessor :ocsp_response_body
+
+    validate do |crl|
+      errors.add :parent, "A parent entity must be set" if parent.nil?
+    end
+    validate :all_certificates_available
+
+    def initialize
+      self.certificates = {}
+    end
+
+    def <<(cert)
+      self.certificates[cert.serial_number.number.to_s] = cert
+    end
+
+    def extract_certificate_serials
+      raise "No valid OCSP request was supplied" if self.ocsp_request.nil?
+      openssl_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
+
+      self.certificate_ids = openssl_request.certid.collect do |cert_id|
+        cert_id.serial
+      end
+
+      self.certificate_ids
+    end
+
+
+    def response
+      raise "Invalid response" unless valid?
+
+      openssl_ocsp_response = OpenSSL::OCSP::BasicResponse.new
+      openssl_ocsp_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
+      openssl_ocsp_response.copy_nonce(openssl_ocsp_request)
+
+      openssl_ocsp_request.certid.each do |cert_id|
+        certificate = self.certificates[cert_id.serial.to_s]
+
+        openssl_ocsp_response.add_status(cert_id,
+        OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0,
+          0, 0, 30, nil)
+      end
+
+
+      openssl_ocsp_response.sign(OpenSSL::X509::Certificate.new(self.parent.to_pem), self.parent.key_material.private_key, nil, nil)
+      final_response = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, openssl_ocsp_response)
+      self.ocsp_response_body = final_response
+      self.ocsp_response_body
+    end
+
+    def to_der
+      raise "No signed OCSP response body available" if self.ocsp_response_body.nil?
+      self.ocsp_response_body.to_der
+    end
+
+    private
+
+    def all_certificates_available
+      openssl_ocsp_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
+
+      openssl_ocsp_request.certid.each do |cert_id|
+        certificate = self.certificates[cert_id.serial.to_s]
+        errors.add(:base, "Certificate #{cert_id.serial} has not been added yet") if certificate.nil?
+      end
+    end
+
+  end
+end

data/lib/certificate_authority/pkcs11_key_material.rb

@@ -0,0 +1,65 @@
+module CertificateAuthority
+  class Pkcs11KeyMaterial
+    include KeyMaterial
+    include ActiveModel::Validations
+    include ActiveModel::Serialization
+
+    attr_accessor :engine
+    attr_accessor :token_id
+    attr_accessor :pkcs11_lib
+    attr_accessor :openssl_pkcs11_engine_lib
+    attr_accessor :pin
+
+    def initialize(attributes = {})
+      @attributes = attributes
+      initialize_engine
+    end
+
+    def is_in_hardware?
+      true
+    end
+
+    def is_in_memory?
+      false
+    end
+
+    def generate_key(modulus_bits=1024)
+      puts "Key generation is not currently supported in hardware"
+      nil
+    end
+
+    def private_key
+      initialize_engine
+      self.engine.load_private_key(self.token_id)
+    end
+
+    def public_key
+      initialize_engine
+      self.engine.load_public_key(self.token_id)
+    end
+
+    private
+
+    def initialize_engine
+      ## We're going to return early and try again later if params weren't passed in
+      ## at initialization.  Any attempt at getting a public/private key will try
+      ## again.
+      return false if self.openssl_pkcs11_engine_lib.nil? or self.pkcs11_lib.nil?
+      return self.engine unless self.engine.nil?
+      OpenSSL::Engine.load
+
+      pkcs11 = OpenSSL::Engine.by_id("dynamic") do |e|
+        e.ctrl_cmd("SO_PATH",self.openssl_pkcs11_engine_lib)
+        e.ctrl_cmd("ID","pkcs11")
+        e.ctrl_cmd("LIST_ADD","1")
+        e.ctrl_cmd("LOAD")
+        e.ctrl_cmd("PIN",self.pin) unless self.pin.nil? or self.pin == ""
+        e.ctrl_cmd("MODULE_PATH",self.pkcs11_lib)
+      end
+
+      self.engine = pkcs11
+      pkcs11
+    end
+
+  end
+end

data/lib/certificate_authority/serial_number.rb

@@ -0,0 +1,9 @@
+module CertificateAuthority
+  class SerialNumber
+    include ActiveModel::Validations
+
+    attr_accessor :number
+
+    validates :number, :presence => true, :numericality => {:greater_than => 0}
+  end
+end

data/lib/certificate_authority/signing_entity.rb

@@ -0,0 +1,16 @@
+module CertificateAuthority
+  module SigningEntity
+
+    def self.included(mod)
+      mod.class_eval do
+        attr_accessor :signing_entity
+      end
+    end
+
+    def signing_entity=(val)
+      raise "invalid param" unless [true,false].include?(val)
+      @signing_entity = val
+    end
+
+  end
+end

data/lib/tasks/certificate_authority.rake

@@ -0,0 +1,23 @@
+require 'certificate_authority'
+
+namespace :certificate_authority do
+  desc "Generate a quick self-signed cert"
+  task :self_signed do
+    
+    cn = "http://localhost"
+    cn = ENV['DOMAIN'] unless ENV['DOMAIN'].nil?
+    
+  	root = CertificateAuthority::Certificate.new
+  	root.subject.common_name= cn
+  	root.key_material.generate_key
+  	root.signing_entity = true
+  	root.valid?
+  	root.sign!
+  	
+  	print "Your cert for #{cn}\n"
+  	print root.to_pem
+  	
+  	print "Your private key\n"
+  	print root.key_material.private_key.to_pem
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,4 @@
+require 'rubygems'
+require 'rspec'
+
+require File.dirname(__FILE__) + '/../lib/certificate_authority'

data/spec/units/certificate_authority_spec.rb

@@ -0,0 +1,4 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority do
+end

data/spec/units/certificate_revocation_list_spec.rb

@@ -0,0 +1,68 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::CertificateRevocationList do
+  before(:each) do
+    @crl = CertificateAuthority::CertificateRevocationList.new
+
+    @root_certificate = CertificateAuthority::Certificate.new
+    @root_certificate.signing_entity = true
+    @root_certificate.subject.common_name = "CRL Root"
+    @root_certificate.key_material.generate_key(1024)
+    @root_certificate.serial_number.number = 1
+    @root_certificate.sign!
+
+    @certificate = CertificateAuthority::Certificate.new
+    @certificate.key_material.generate_key(1024)
+    @certificate.subject.common_name = "http://bogusSite.com"
+    @certificate.parent = @root_certificate
+    @certificate.serial_number.number = 2
+    @certificate.sign!
+
+    @crl.parent = @root_certificate
+    @certificate.revoked_at = Time.now
+  end
+
+  it "should accept a list of certificates" do
+    @crl << @certificate
+  end
+
+  it "should complain if you add a certificate without a revocation time" do
+    @certificate.revoked_at = nil
+    lambda{ @crl << @certificate}.should raise_error
+  end
+
+  it "should have a 'parent' that will be responsible for signing" do
+    @crl.parent = @root_certificate
+    @crl.parent.should_not be_nil
+  end
+
+  it "should raise an error if you try and sign a CRL without attaching a parent" do
+    @crl.parent = nil
+    lambda { @crl.sign! }.should raise_error
+  end
+
+  it "should be able to generate a proper CRL" do
+    @crl << @certificate
+    lambda {@crl.to_pem}.should raise_error
+    @crl.parent = @root_certificate
+    @crl.sign!
+    @crl.to_pem.should_not be_nil
+    OpenSSL::X509::CRL.new(@crl.to_pem).should_not be_nil
+  end
+
+  describe "Next update" do
+    it "should be able to set a 'next_update' value" do
+      @crl.next_update = (60 * 60 * 10) # 10 Hours
+      @crl.next_update.should_not be_nil
+    end
+
+    it "should throw an error if we try and sign up with a negative next_update" do
+      @crl.sign!
+      @crl.next_update = - (60 * 60 * 10)
+      lambda{@crl.sign!}.should raise_error
+    end
+
+  end
+
+
+end

data/spec/units/certificate_spec.rb

@@ -0,0 +1,428 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::Certificate do
+  before(:each) do
+    @certificate = CertificateAuthority::Certificate.new
+  end
+
+  describe CertificateAuthority::SigningEntity do
+    it "should behave as a signing entity" do
+      @certificate.respond_to?(:is_signing_entity?).should be_true
+    end
+
+    it "should only be a signing entity if it's identified as a CA", :rfc3280 => true do
+      @certificate.is_signing_entity?.should be_false
+      @certificate.signing_entity = true
+      @certificate.is_signing_entity?.should be_true
+    end
+
+    describe "Root certificates" do
+      before(:each) do
+        @certificate.signing_entity = true
+      end
+
+      it "should be able to be identified as a root certificate" do
+        @certificate.is_root_entity?.should be_true
+      end
+
+      it "should only be a root certificate if the parent entity is itself", :rfc3280 => true do
+        @certificate.parent.should == @certificate
+      end
+
+      it "should be a root certificate by default" do
+        @certificate.is_root_entity?.should be_true
+      end
+
+      it "should be able to self-sign" do
+        @certificate.serial_number.number = 1
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key(1024)
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.subject.to_s.should == cert.issuer.to_s
+      end
+
+      it "should have the basicContraint CA:TRUE" do
+        @certificate.serial_number.number = 1
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key(1024)
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:TRUE"
+      end
+    end
+
+    describe "Intermediate certificates" do
+      before(:each) do
+        @different_cert = CertificateAuthority::Certificate.new
+        @different_cert.signing_entity = true
+        @different_cert.subject.common_name = "chrischandler.name root"
+        @different_cert.key_material.generate_key(1024)
+        @different_cert.serial_number.number = 2
+        @different_cert.sign! #self-signed
+        @certificate.parent = @different_cert
+        @certificate.signing_entity = true
+      end
+
+      it "should be able to be identified as an intermediate certificate" do
+        @certificate.is_intermediate_entity?.should be_true
+      end
+
+      it "should not be identified as a root" do
+        @certificate.is_root_entity?.should be_false
+      end
+
+      it "should only be an intermediate certificate if the parent is a different entity" do
+        @certificate.parent.should_not == @certificate
+        @certificate.parent.should_not be_nil
+      end
+
+      it "should correctly be signed by a parent certificate" do
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key(1024)
+        @certificate.signing_entity = true
+        @certificate.serial_number.number = 1
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.subject.to_s.should_not == cert.issuer.to_s
+      end
+
+      it "should have the basicContraint CA:TRUE" do
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key(1024)
+        @certificate.signing_entity = true
+        @certificate.serial_number.number = 3
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:TRUE"
+      end
+
+    end
+
+    describe "Terminal certificates" do
+      before(:each) do
+        @different_cert = CertificateAuthority::Certificate.new
+        @different_cert.signing_entity = true
+        @different_cert.subject.common_name = "chrischandler.name root"
+        @different_cert.key_material.generate_key(1024)
+        @different_cert.serial_number.number = 1
+        @different_cert.sign! #self-signed
+        @certificate.parent = @different_cert
+      end
+
+      it "should not be identified as an intermediate certificate" do
+        @certificate.is_intermediate_entity?.should be_false
+      end
+
+      it "should not be identified as a root" do
+        @certificate.is_root_entity?.should be_false
+      end
+
+      it "should have the basicContraint CA:FALSE" do
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key(1024)
+        @certificate.signing_entity = false
+        @certificate.serial_number.number = 1
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:FALSE"
+      end
+    end
+
+
+    it "should be able to be identified as a root certificate" do
+      @certificate.respond_to?(:is_root_entity?).should be_true
+    end
+  end #End of SigningEntity
+
+  describe "Signed certificates" do
+    before(:each) do
+      @certificate = CertificateAuthority::Certificate.new
+      @certificate.subject.common_name = "chrischandler.name"
+      @certificate.key_material.generate_key(1024)
+      @certificate.serial_number.number = 1
+      @certificate.sign!
+    end
+
+    it "should have a PEM encoded certificate body available" do
+      @certificate.to_pem.should_not be_nil
+      OpenSSL::X509::Certificate.new(@certificate.to_pem).should_not be_nil
+    end
+  end
+
+  describe "X.509 V3 Extensions on Signed Certificates" do
+    before(:each) do
+      @certificate = CertificateAuthority::Certificate.new
+      @certificate.subject.common_name = "chrischandler.name"
+      @certificate.key_material.generate_key(1024)
+      @certificate.serial_number.number = 1
+      @signing_profile = {
+        "extensions" => {
+          "subjectAltName" => {"uris" => ["www.chrischandler.name"]},
+          "certificatePolicies" => {
+            "policy_identifier" => "1.3.5.7",
+            "cps_uris" => ["http://my.host.name/", "http://my.your.name/"],
+            "user_notice" => {
+             "explicit_text" => "Testing!", "organization" => "RSpec Test organization name", "notice_numbers" => "1,2,3,4"
+            }
+          }
+        }
+      }
+      @certificate.sign!(@signing_profile)
+    end
+
+    describe "SubjectAltName" do
+      before(:each) do
+        @certificate = CertificateAuthority::Certificate.new
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key(1024)
+        @certificate.serial_number.number = 1
+      end
+
+      it "should have a subjectAltName if specified" do
+        @certificate.sign!({"extensions" => {"subjectAltName" => {"uris" => ["www.chrischandler.name"]}}})
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("subjectAltName").should be_true
+      end
+
+      it "should NOT have a subjectAltName if one was not specified" do
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("subjectAltName").should be_false
+      end
+    end
+
+    describe "AuthorityInfoAccess" do
+      before(:each) do
+        @certificate = CertificateAuthority::Certificate.new
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key(1024)
+        @certificate.serial_number.number = 1
+      end
+
+      it "should have an authority info access if specified" do
+        @certificate.sign!({"extensions" => {"authorityInfoAccess" => {"ocsp" => ["www.chrischandler.name"]}}})
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("authorityInfoAccess").should be_true
+      end
+    end
+
+    describe "CrlDistributionPoints" do
+      before(:each) do
+        @certificate = CertificateAuthority::Certificate.new
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key(1024)
+        @certificate.serial_number.number = 1
+      end
+
+      it "should have a crlDistributionPoint if specified" do
+        @certificate.sign!({"extensions" => {"crlDistributionPoints" => {"uri" => ["http://crlThingy.com"]}}})
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("crlDistributionPoints").should be_true
+      end
+
+      it "should NOT have a crlDistributionPoint if one was not specified" do
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("crlDistributionPoints").should be_false
+      end
+    end
+
+
+    describe "CertificatePolicies" do
+      before(:each) do
+        @certificate = CertificateAuthority::Certificate.new
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key(1024)
+        @certificate.serial_number.number = 1
+      end
+
+      it "should have a certificatePolicy if specified" do
+        @certificate.sign!({
+          "extensions" => {
+            "certificatePolicies" => {
+              "policy_identifier" => "1.3.5.7",
+              "cps_uris" => ["http://my.host.name/", "http://my.your.name/"]
+            }
+          }
+        })
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("certificatePolicies").should be_true
+      end
+
+      it "should contain a nested userNotice if specified" do
+        pending
+        # @certificate.sign!({
+        #   "extensions" => {
+        #     "certificatePolicies" => {
+        #       "policy_identifier" => "1.3.5.7",
+        #       "cps_uris" => ["http://my.host.name/", "http://my.your.name/"],
+        #       "user_notice" => {
+        #        "explicit_text" => "Testing!", "organization" => "RSpec Test organization name", "notice_numbers" => "1,2,3,4"
+        #       }
+        #     }
+        #   }
+        # })
+        # cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        # cert.extensions.map(&:oid).include?("certificatePolicies").should be_true
+      end
+
+      it "should NOT include a certificatePolicy if not specified" do
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("certificatePolicies").should be_false
+      end
+    end
+
+
+    it "should support BasicContraints" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("basicConstraints").should be_true
+    end
+
+    it "should support subjectKeyIdentifier" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("subjectKeyIdentifier").should be_true
+    end
+
+    it "should support authorityKeyIdentifier" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("authorityKeyIdentifier").should be_true
+    end
+
+    it "should order subjectKeyIdentifier before authorityKeyIdentifier" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).select do |oid|
+        ["subjectKeyIdentifier", "authorityKeyIdentifier"].include?(oid)
+      end.should == ["subjectKeyIdentifier", "authorityKeyIdentifier"]
+    end
+
+    it "should support keyUsage" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("keyUsage").should be_true
+    end
+
+    it "should support extendedKeyUsage" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("extendedKeyUsage").should be_true
+    end
+  end
+
+  describe "Signing profile" do
+    before(:each) do
+      @certificate = CertificateAuthority::Certificate.new
+      @certificate.subject.common_name = "chrischandler.name"
+      @certificate.key_material.generate_key(1024)
+      @certificate.serial_number.number = 1
+
+      @signing_profile = {
+        "extensions" => {
+          "basicConstraints" => {"ca" => false},
+          "crlDistributionPoints" => {"uri" => "http://notme.com/other.crl" },
+          "subjectKeyIdentifier" => {},
+          "authorityKeyIdentifier" => {},
+          "authorityInfoAccess" => {"ocsp" => ["http://youFillThisOut/ocsp/"] },
+          "keyUsage" => {"usage" => ["digitalSignature","nonRepudiation"] },
+          "extendedKeyUsage" => {"usage" => [ "serverAuth","clientAuth"]},
+          "subjectAltName" => {"uris" => ["http://subdomains.youFillThisOut/"]},
+          "certificatePolicies" => {
+          "policy_identifier" => "1.3.5.8", "cps_uris" => ["http://my.host.name/", "http://my.your.name/"], "user_notice" => {
+             "explicit_text" => "Explicit Text Here", "organization" => "Organization name", "notice_numbers" => "1,2,3,4"
+          }
+        }
+      }
+    }
+    end
+
+    it "should be able to sign with an optional policy hash" do
+      @certificate.sign!(@signing_profile)
+    end
+
+    it "should support a default signing digest of SHA512" do
+      @certificate.sign!(@signing_profile)
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.signature_algorithm.should == "sha512WithRSAEncryption"
+    end
+
+    it "should support a configurable digest algorithm" do
+      @signing_profile.merge!({"digest" => "SHA1"})
+      @certificate.sign!(@signing_profile)
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.signature_algorithm.should == "sha1WithRSAEncryption"
+    end
+
+  end
+
+  describe "from_openssl" do
+    before(:each) do
+      @pem_cert=<<CERT
+-----BEGIN CERTIFICATE-----
+MIICFDCCAc6gAwIBAgIJAPDLgMilKuayMA0GCSqGSIb3DQEBBQUAMEgxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMQowCAYDVQQKEwEgMRgwFgYDVQQD
+Ew9WZXJ5IFNtYWxsIENlcnQwHhcNMTIwNTAzMDMyODI1WhcNMTMwNTAzMDMyODI1
+WjBIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEKMAgGA1UEChMB
+IDEYMBYGA1UEAxMPVmVyeSBTbWFsbCBDZXJ0MEwwDQYJKoZIhvcNAQEBBQADOwAw
+OAIxAN6+33+WQ3FBMt+vMhshxOj+8W7V64pDKCJ3pVlnSn36imBWqrN0AGWX8qjv
+S+GzGwIDAQABo4GqMIGnMB0GA1UdDgQWBBRMUQ/HpPrAkKOufS5h+xPtEuzyWDB4
+BgNVHSMEcTBvgBRMUQ/HpPrAkKOufS5h+xPtEuzyWKFMpEowSDELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTClNvbWUtU3RhdGUxCjAIBgNVBAoTASAxGDAWBgNVBAMTD1Zl
+cnkgU21hbGwgQ2VydIIJAPDLgMilKuayMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADMQAq0CsqEChn4uf6MkXYBwaAAmS3JLmagyliJe5zM3y8dZz6Em2Ugb8o
+1cCaKaHJHSg=
+-----END CERTIFICATE-----
+CERT
+      @openssl_cert = OpenSSL::X509::Certificate.new @pem_cert
+      @small_cert = CertificateAuthority::Certificate.from_openssl @openssl_cert
+    end
+
+    it "should reject non-Certificate arguments" do
+      lambda { CertificateAuthority::Certificate.from_openssl "a string" }.should raise_error
+    end
+
+    it "should only be missing a private key" do
+      @small_cert.should_not be_valid
+      @small_cert.key_material.private_key = "data"
+      @small_cert.should be_valid
+    end
+  end
+
+  it "should have a distinguished name" do
+    @certificate.distinguished_name.should_not be_nil
+  end
+
+  it "should have a serial number" do
+    @certificate.serial_number.should_not be_nil
+  end
+
+  it "should have a subject" do
+    @certificate.subject.should_not be_nil
+  end
+
+  it "should be able to have a parent entity" do
+    @certificate.respond_to?(:parent).should be_true
+  end
+
+  it "should have key material" do
+    @certificate.key_material.should_not be_nil
+  end
+
+  it "should have a not_before field" do
+    @certificate.not_before.should_not be_nil
+  end
+
+  it "should have a not_after field" do
+    @certificate.not_after.should_not be_nil
+  end
+
+  it "should default to one year validity" do
+    @certificate.not_after.should < Time.now + 65 * 60 * 24 * 365 and
+    @certificate.not_after.should > Time.now + 55 * 60 * 24 * 365
+  end
+
+  it "should be able to have a revoked at time" do
+    @certificate.revoked?.should be_false
+    @certificate.revoked_at = Time.now
+    @certificate.revoked?.should be_true
+  end
+
+end