certificate_authority_sonian 0.1.7

data/spec/units/distinguished_name_spec.rb

@@ -0,0 +1,59 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::DistinguishedName do
+  before(:each) do
+    @distinguished_name = CertificateAuthority::DistinguishedName.new
+  end
+
+  it "should provide the standard x.509 distinguished name common attributes" do
+    @distinguished_name.respond_to?(:cn).should be_true
+    @distinguished_name.respond_to?(:l).should be_true
+    @distinguished_name.respond_to?(:s).should be_true
+    @distinguished_name.respond_to?(:o).should be_true
+    @distinguished_name.respond_to?(:ou).should be_true
+    @distinguished_name.respond_to?(:c).should be_true
+  end
+
+  it "should provide human-readable equivalents to the distinguished name common attributes" do
+    @distinguished_name.respond_to?(:common_name).should be_true
+    @distinguished_name.respond_to?(:locality).should be_true
+    @distinguished_name.respond_to?(:state).should be_true
+    @distinguished_name.respond_to?(:organization).should be_true
+    @distinguished_name.respond_to?(:organizational_unit).should be_true
+    @distinguished_name.respond_to?(:country).should be_true
+  end
+
+  it "should require a common name" do
+    @distinguished_name.valid?.should be_false
+    @distinguished_name.errors.size.should == 1
+    @distinguished_name.common_name = "chrischandler.name"
+    @distinguished_name.valid?.should be_true
+  end
+
+  it "should be convertible to an OpenSSL::X509::Name" do
+    @distinguished_name.common_name = "chrischandler.name"
+    @distinguished_name.to_x509_name
+  end
+
+  describe "from_openssl" do
+    before do
+      subject = "/CN=justincummins.name/L=on my laptop/ST=relaxed/C=as/O=programmer/OU=using this code"
+      @name = OpenSSL::X509::Name.parse subject
+      @dn = CertificateAuthority::DistinguishedName.from_openssl @name
+    end
+
+    it "should reject non Name objects" do
+      lambda { CertificateAuthority::DistinguishedName.from_openssl "Not a OpenSSL::X509::Name" }.should raise_error
+    end
+
+    [:common_name, :locality, :state, :country, :organization, :organizational_unit].each do |field|
+      it "should set the #{field} attribute" do
+        @dn.send(field).should_not be_nil
+      end
+    end
+
+    it "should create an equivalent object" do
+      @dn.to_x509_name.to_s.split('/').should =~ @name.to_s.split('/')
+    end
+  end
+end

data/spec/units/extensions_spec.rb

@@ -0,0 +1,115 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::Extensions do
+  describe CertificateAuthority::Extensions::BasicContraints do
+    it "should only allow true/false" do
+      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
+      basic_constraints.valid?.should be_true
+      basic_constraints.ca = "moo"
+      basic_constraints.valid?.should be_false
+    end
+
+    it "should respond to :path_len" do
+      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
+      basic_constraints.respond_to?(:path_len).should be_true
+    end
+
+    it "should raise an error if :path_len isn't a non-negative integer" do
+      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
+      lambda {basic_constraints.path_len = "moo"}.should raise_error
+      lambda {basic_constraints.path_len = -1}.should raise_error
+      lambda {basic_constraints.path_len = 1.5}.should raise_error
+    end
+
+    it "should generate a proper OpenSSL extension string" do
+      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
+      basic_constraints.ca = true
+      basic_constraints.path_len = 2
+      basic_constraints.to_s.should == "CA:true,pathlen:2"
+    end
+  end
+
+  describe CertificateAuthority::Extensions::SubjectAlternativeName do
+    it "should respond to :uris" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      subjectAltName.respond_to?(:uris).should be_true
+    end
+
+    it "should require 'uris' to be an Array" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      lambda {subjectAltName.uris = "not an array"}.should raise_error
+    end
+
+    it "should generate a proper OpenSSL extension string for URIs" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      subjectAltName.uris = ["http://localhost.altname.example.com"]
+      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com"
+
+      subjectAltName.uris = ["http://localhost.altname.example.com", "http://other.example.com"]
+      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com,URI:http://other.example.com"
+    end
+
+
+    it "should respond to :dns_names" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      subjectAltName.respond_to?(:dns_names).should be_true
+    end
+
+    it "should require 'dns_names' to be an Array" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      lambda {subjectAltName.dns_names = "not an array"}.should raise_error
+    end
+
+    it "should generate a proper OpenSSL extension string for DNS names" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      subjectAltName.dns_names = ["localhost.altname.example.com"]
+      subjectAltName.to_s.should == "DNS:localhost.altname.example.com"
+
+      subjectAltName.dns_names = ["localhost.altname.example.com", "other.example.com"]
+      subjectAltName.to_s.should == "DNS:localhost.altname.example.com,DNS:other.example.com"
+    end
+
+    it "should respond to :ips" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      subjectAltName.respond_to?(:ips).should be_true
+    end
+
+    it "should require 'ips' to be an Array" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      lambda {subjectAltName.ips = "not an array"}.should raise_error
+    end
+
+    it "should generate a proper OpenSSL extension string for IPs" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      subjectAltName.ips = ["1.2.3.4"]
+      subjectAltName.to_s.should == "IP:1.2.3.4"
+
+      subjectAltName.ips = ["1.2.3.4", "5.6.7.8"]
+      subjectAltName.to_s.should == "IP:1.2.3.4,IP:5.6.7.8"
+    end
+
+    it "should generate a proper OpenSSL extension string for URIs IPs and DNS names together" do
+      subjectAltName = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      subjectAltName.ips = ["1.2.3.4"]
+      subjectAltName.to_s.should == "IP:1.2.3.4"
+
+      subjectAltName.dns_names = ["localhost.altname.example.com"]
+      subjectAltName.to_s.should == "DNS:localhost.altname.example.com,IP:1.2.3.4"
+
+      subjectAltName.dns_names = ["localhost.altname.example.com", "other.example.com"]
+      subjectAltName.to_s.should == "DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4"
+
+      subjectAltName.ips = ["1.2.3.4", "5.6.7.8"]
+      subjectAltName.to_s.should == "DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4,IP:5.6.7.8"
+
+      subjectAltName.uris = ["http://localhost.altname.example.com"]
+      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com,DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4,IP:5.6.7.8"
+
+      subjectAltName.uris = ["http://localhost.altname.example.com", "http://other.altname.example.com"]
+      subjectAltName.to_s.should == "URI:http://localhost.altname.example.com,URI:http://other.altname.example.com,DNS:localhost.altname.example.com,DNS:other.example.com,IP:1.2.3.4,IP:5.6.7.8"
+
+    end
+
+
+  end
+end

data/spec/units/key_material_spec.rb

@@ -0,0 +1,154 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::KeyMaterial do
+  [CertificateAuthority::MemoryKeyMaterial, CertificateAuthority::SigningRequestKeyMaterial].each do |key_material_class|
+    before do
+      @key_material = key_material_class.new
+    end
+
+    it "#{key_material_class} should know if a key is in memory or hardware" do
+      @key_material.is_in_hardware?.should_not be_nil
+      @key_material.is_in_memory?.should_not be_nil
+    end
+
+    it "should use memory by default" do
+      @key_material.is_in_memory?.should be_true
+    end
+  end
+end
+
+describe CertificateAuthority::MemoryKeyMaterial do
+  before(:each) do
+    @key_material = CertificateAuthority::MemoryKeyMaterial.new
+  end
+
+  it "should be able to generate an RSA key" do
+    @key_material.generate_key(1024).should_not be_nil
+  end
+
+  it "should generate a proper OpenSSL::PKey::RSA" do
+    @key_material.generate_key(1024).class.should == OpenSSL::PKey::RSA
+  end
+
+  it "should be able to specify the size of the modulus to generate" do
+    @key_material.generate_key(1024).should_not be_nil
+  end
+
+  describe "with generated key" do
+    before(:all) do
+      @key_material_in_memory = CertificateAuthority::MemoryKeyMaterial.new
+      @key_material_in_memory.generate_key(1024)
+    end
+
+    it "should be able to retrieve the private key" do
+      @key_material_in_memory.private_key.should_not be_nil
+    end
+
+    it "should be able to retrieve the public key" do
+      @key_material_in_memory.public_key.should_not be_nil
+    end
+  end
+
+  it "should not validate without public and private keys" do
+    @key_material.valid?.should be_false
+    @key_material.generate_key(1024)
+    @key_material.valid?.should be_true
+    pub = @key_material.public_key
+    @key_material.public_key = nil
+    @key_material.valid?.should be_false
+    @key_material.public_key = pub
+    @key_material.private_key = nil
+    @key_material.valid?.should be_false
+  end
+end
+
+describe CertificateAuthority::SigningRequestKeyMaterial do
+  before(:each) do
+    @request = OpenSSL::X509::Request.new <<CSR
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBjTCB9wIBADBOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEU
+MBIGA1UEBxMLQmVyc2Vya2VsZXkxFDASBgNVBAoTC0NlcnRzICdSIFVzMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaGiBcv++581KYt6y2NNcUaZNPPeNZ0UkX
+ujzZQQllx7PlYmsKTE6ZzfTUc0AJvDBIuACg03eagaEaBZtUFbsLkSOLJyYiIfF5
+f9PuXImz2RDzBJQ/+u82gQAcvPhm94xK8jeNPcn0Ege7Y7SRK4YYonX+0ZveP02L
+FjuEfrZcZQIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAecOQz0RfnmSxxzOyHZ1e
+Wo2hQqPOmkfIbvL2l1Ml+HybJQJn6OpLmeveyU48SI2M7UqeNkHtsogMljy3re4L
+QlwK7lNd6SymdfSCPjUcdoLOaHolZXYNvCHltTc5skRHG7ti5yv4cu0ItIcCS0yp
+7L3maDEbTLsDdouHeFfbLWA=
+-----END CERTIFICATE REQUEST-----
+CSR
+    common_request = <<CSR
+-----BEGIN CERTIFICATE REQUEST-----
+MIICzzCCAbcCAQAwgYkxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczESMBAG
+A1UEBwwJQXJsaW5ndG9uMQwwCgYDVQQKDANCYWgxCzAJBgNVBAsMAk5vMRswGQYD
+VQQDDBJwemVyby5ib3VneW1hbi5jb20xHjAcBgkqhkiG9w0BCQEWD3RqQHJ1Ynlp
+c3RzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+UD2trMNFh
+lR3utCWBO3i9/VVdz13OnsSrmrnKvVeB6wRUd1gtxJ6sTi70ywN1vJqC3OuiO53G
+CPzqWDsaVhQy7wTYCY+6uRfI23pcZZG/sGOHVJAJw+zadyd5LDqh3khsaZHBx1VK
+ZiRee09QAnN4kK1uxB5B1ZCE01GzS9ERck7thwlcH2mDMuUtMxXmtEcl8sSeCkZO
+CJ9TH21Q90oryZH14+fkhIjDTmyXAtj7kOjyAEu6aD+kYd03Yk+5XWJUVdpuug9Y
+ZX7oMd8dzg9wiWzveKWypQ23BxcUS9ejiZVhj0TE0UPAKIhTw/0QkWoNcHOkwh29
+X4fdAFIR3gkCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQAqlbx13HtfXFJf2boC
+IcGrjaY+rOh9rNrXiGN9+DCZciQhEi8ZpOdygwZ4oKE/QjnPX+Q2sm/xjyhqp62v
+NZsIGR8jnu1L7c5Jik72W/E2Jz6WLb/dWcGn45pSgi1HvRm+SXTWCIpZYfUrA+A/
+x1x4CgU+tBFXtgMGTbK6F+JoaGsBeBkYG95pYurgS9mo62r0Mau3qi68DFzcXCuR
+IibGCcF9hys7LbqLLDob6i1Y9TQtw5f6ARE4SkA9TvWM3VPDxn6F+Qfg8TAj7r1q
+vecFC7r3d0ySWkdsy+Snzvt0ruu5pOfaTRBQqrIKVeGpOIp7sOhBlExtl/unHkCZ
+IpZl
+-----END CERTIFICATE REQUEST-----
+CSR
+    @openssl_req = OpenSSL::X509::Request.new common_request
+    @certificate = CertificateAuthority::Certificate.new
+    @certificate.serial_number.number = 1
+    @certificate.subject.common_name = "chrischandler.name"
+    @certificate.key_material.generate_key(1024)
+    @certificate.sign!
+    @key_material = CertificateAuthority::SigningRequestKeyMaterial.new @request
+  end
+
+  it "should generate from a CSR" do
+    @key_material.should_not be_nil
+  end
+
+  it "should be able to expose a public key" do
+    @key_material.public_key.should_not be_nil
+  end
+
+  it "should not have a private key" do
+    @key_material.private_key.should be_nil
+  end
+
+  it "should raise when signature does not verify" do
+    invalid = @request
+    invalid.public_key = OpenSSL::PKey::RSA.new 512
+    lambda { CertificateAuthority::SigningRequestKeyMaterial.new invalid }.should raise_error
+  end
+
+  it "should only accept valid OpenSSL requests" do
+    lambda { CertificateAuthority::SigningRequestKeyMaterial.new OpenSSL::X509::Request.new }.should raise_error(OpenSSL::X509::RequestError)
+    req = CertificateAuthority::SigningRequestKeyMaterial.new @openssl_req
+    req.csr.subject.should_not be_nil
+  end
+
+  it "should add a cert when signed by a root ca" do
+    csr = CertificateAuthority::SigningRequestKeyMaterial.new @openssl_req
+    signed_cert = csr.sign_and_certify(@certificate, @certificate.key_material.private_key, 555)
+    signed_cert.should_not be_nil
+    signed_cert.subject.to_x509_name.to_s.should == "/CN=pzero.bougyman.com/O=Bah/OU=No/ST=Texas/L=Arlington/C=US"
+  end
+
+  it "can sign an SPKAC SPKI and generate a certificate" do
+    spkac_raw = <<SPKAC
+MIICQDCCASgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVDEqzj21++aMWvN6zzwDXKKpR9g5hIeAPYqbUdaPFePhtz7R73l7fVxDeQZDQpQxTqts0/w0wEa/A1ehHCtAkDoTYzjwX8G0Gkb90poA156I8b4Cl1Q2veKbLsaOsMWItlXSU6HULQ5McfYfvEaPmIKiIr0UIFdzMDcy9TnY854w9TcQVvLJZcQkaM3dy/p9W4gg0a9hBJwwFUUR2UV/nEEi+++HbsOE46Z7Y3qoQhLrL4DNUrXUPDVeqac1SmNfKTA71QADbezWDfKi9habHHGXqk18i2Pl6uA2mpNPuSWnEHbQONgnfeoWZBvMWkwlolaBeWhGSmgcL/HqaRLlFAgMBAAEWADANBgkqhkiG9w0BAQQFAAOCAQEAp8wOvrl2QG9p1PS19dnrh4l0JWNAPB+d1kc64xUG6FAfGCKnOHzdDndTJfEERhWqFA0XL+mvKXCQsYKXkOuxYYmxJXZsdcCj7mOMhI2uMrEVd1ALFmG5WBW1Mo3nHHa/BX24fAOLv0+aGXYTz3oaMFydBw+XPZ26x9pO9LjlQQYGGyQRMpceWfej367KnR4a7IafDGBUI6OoWsx/7kQRIGkbmzi+dnU7HgpEExyz+uuxlUxrZqa13Ys8dBp62NBJWFanPl+AhMe8g/Li5aiERrMUbFtiXzOp48Si7J54fs+U3w0WoD9cdG5mN2Rn8Jog8azl+YC/XY987YGAi7Y8EQ==
+SPKAC
+    spkac = OpenSSL::Netscape::SPKI.new spkac_raw
+    dn = CertificateAuthority::DistinguishedName.new
+    dn.common_name = "chrischandler.name"
+    csr = CertificateAuthority::SigningRequestKeyMaterial.new spkac
+    lambda { csr.sign_and_certify(@certificate, @certificate.key_material.private_key, 554) }.should raise_error(RuntimeError)
+    signed_cert = csr.sign_and_certify(@certificate, @certificate.key_material.private_key, 555, :dn => dn)
+    signed_cert.should_not be_nil
+    signed_cert.subject.to_x509_name.to_s.should == "/CN=chrischandler.name"
+  end
+
+end

data/spec/units/ocsp_handler_spec.rb

@@ -0,0 +1,104 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::OCSPHandler do
+  before(:each) do
+    @ocsp_handler = CertificateAuthority::OCSPHandler.new
+
+    @root_certificate = CertificateAuthority::Certificate.new
+    @root_certificate.signing_entity = true
+    @root_certificate.subject.common_name = "OCSP Root"
+    @root_certificate.key_material.generate_key(1024)
+    @root_certificate.serial_number.number = 1
+    @root_certificate.sign!
+
+    @certificate = CertificateAuthority::Certificate.new
+    @certificate.key_material.generate_key(1024)
+    @certificate.subject.common_name = "http://questionablesite.com"
+    @certificate.parent = @root_certificate
+    @certificate.serial_number.number = 2
+    @certificate.sign!
+
+    @ocsp_request = OpenSSL::OCSP::Request.new
+    openssl_cert_issuer = OpenSSL::X509::Certificate.new(@root_certificate.to_pem)
+    openssl_cert_subject = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+
+    cert_id = OpenSSL::OCSP::CertificateId.new(openssl_cert_subject, openssl_cert_issuer)
+    @ocsp_request.add_certid(cert_id)
+    @ocsp_handler.ocsp_request = @ocsp_request.to_der
+  end
+
+  it "should be able to accept an OCSP Request" do
+    @ocsp_handler.ocsp_request = @ocsp_request
+    @ocsp_handler.ocsp_request.should_not be_nil
+  end
+
+  it "should raise an error if you try and extract certificates without a raw request" do
+    @ocsp_handler.extract_certificate_serials
+    @ocsp_handler.ocsp_request = nil
+    lambda {@ocsp_handler.extract_certificate_serials}.should raise_error
+  end
+
+  it "should return a hash of extracted certificates from OCSP requests" do
+    result = @ocsp_handler.extract_certificate_serials
+    result.size.should == 1
+  end
+
+  it "should be able to generate an OCSP response" do
+    @ocsp_handler.extract_certificate_serials
+    @ocsp_handler << @certificate
+    @ocsp_handler.parent = @root_certificate
+    @ocsp_handler.response
+  end
+
+  it "should require a 'parent' entity for signing" do
+    @ocsp_handler.parent = @root_certificate
+    @ocsp_handler.parent.should_not be_nil
+  end
+
+  it "should raise an error if you ask for the signed OCSP response without generating it" do
+    @ocsp_handler.extract_certificate_serials
+    @ocsp_handler << @certificate
+    @ocsp_handler.parent = @root_certificate
+    lambda { @ocsp_handler.to_der }.should raise_error
+    @ocsp_handler.response
+    @ocsp_handler.to_der.should_not be_nil
+  end
+
+  it "should raise an error if you generate a response without adding all certificates in request" do
+    @ocsp_handler.extract_certificate_serials
+    @ocsp_handler.parent = @root_certificate
+    lambda { @ocsp_handler.response }.should raise_error
+  end
+
+  it "should raise an error if you generate a response without adding a parent signing entity" do
+    @ocsp_handler.extract_certificate_serials
+    @ocsp_handler << @certificate
+    lambda { @ocsp_handler.response }.should raise_error
+  end
+
+  describe "Response" do
+    before(:each) do
+      @ocsp_handler.extract_certificate_serials
+      @ocsp_handler << @certificate
+      @ocsp_handler.parent = @root_certificate
+      @ocsp_handler.response
+
+      @openssl_ocsp_response = OpenSSL::OCSP::Response.new(@ocsp_handler.to_der)
+    end
+
+    it "should have a correct status/status string" do
+      @openssl_ocsp_response.status_string.should == "successful"
+      @openssl_ocsp_response.status.should == 0
+    end
+
+    it "should have an embedded BasicResponse with certificate statuses" do
+      # [#<OpenSSL::OCSP::CertificateId:0x000001020ecad8>, 0, 1, nil, 2011-04-15 23:29:47 UTC, 2011-04-15 23:30:17 UTC, []]
+      @openssl_ocsp_response.basic.status.first[1].should == 0 # Everything is OK
+    end
+
+    it "should have a next_update time" do
+      @openssl_ocsp_response.basic.status.first[5].should_not be_nil
+      @openssl_ocsp_response.basic.status.first[5].class.should == Time
+    end
+  end
+end

data/spec/units/pkcs11_key_material_spec.rb

@@ -0,0 +1,41 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+## Anything that requires crypto hardware needs to be tagged as 'pkcs11'
+describe CertificateAuthority::Pkcs11KeyMaterial, :pkcs11 => true do
+  before(:each) do
+    @key_material_in_hardware = CertificateAuthority::Pkcs11KeyMaterial.new
+    @key_material_in_hardware.token_id = "46"
+    @key_material_in_hardware.pkcs11_lib = "/usr/lib/libeTPkcs11.so"
+    @key_material_in_hardware.openssl_pkcs11_engine_lib = "/usr/lib/engines/engine_pkcs11.so"
+    @key_material_in_hardware.pin = "11111111"
+  end
+
+  it "should identify as being in hardware", :pkcs11 => true do
+    @key_material_in_hardware.is_in_hardware?.should be_true
+  end
+
+  it "should return a Pkey ref if the private key is requested", :pkcs11 => true do
+    @key_material_in_hardware.private_key.class.should == OpenSSL::PKey::RSA
+  end
+
+  it "should return a Pkey ref if the public key is requested", :pkcs11 => true do
+    @key_material_in_hardware.public_key.class.should == OpenSSL::PKey::RSA
+  end
+
+  it "should accept an ID for on-token objects", :pkcs11 => true do
+    @key_material_in_hardware.respond_to?(:token_id).should be_true
+  end
+
+  it "should accept a path to a shared library for a PKCS11 driver", :pkcs11 => true do
+    @key_material_in_hardware.respond_to?(:pkcs11_lib).should be_true
+  end
+
+  it "should accept a path to OpenSSL's dynamic PKCS11 engine (provided by libengine-pkcs11-openssl)", :pkcs11 => true do
+    @key_material_in_hardware.respond_to?(:openssl_pkcs11_engine_lib).should be_true
+  end
+
+  it "should accept an optional PIN to authenticate to the token", :pkcs11 => true do
+    @key_material_in_hardware.respond_to?(:pin).should be_true
+  end
+
+end