jruby-openssl-maven 0.7.4.1

data/test/test_openssl.rb

@@ -0,0 +1,4 @@
+files = File.join(File.dirname(__FILE__), 'openssl', 'test_*.rb')
+Dir.glob(files).sort.each do |tc|
+  require tc
+end

data/test/test_parse_certificate.rb

@@ -0,0 +1,27 @@
+require 'openssl'
+require "test/unit"
+
+class TestParseCertificate < Test::Unit::TestCase
+  CERT = File.dirname(__FILE__) + '/cert_with_ec_pk.cer'
+
+  def test_certificate_parse_works_with_ec_pk_cert
+    cer = OpenSSL::X509::Certificate.new(File.read(CERT))
+    assert cer.to_s != nil
+    assert cer.issuer.to_s != nil
+    assert cer.subject.to_s != nil
+    assert cer.extensions.to_s != nil
+  end
+
+  def test_certificate_with_ec_pk_cert_fails_requesting_pk
+    cer = OpenSSL::X509::Certificate.new(File.read(CERT))
+    assert_raise(OpenSSL::X509::CertificateError) { cer.public_key }
+  end
+
+  def test_loading_key_raise_certificate_error
+    key_file = File.expand_path('fixture/keypair.pem', File.dirname(__FILE__))
+    assert_raises(OpenSSL::X509::CertificateError) do
+      OpenSSL::X509::Certificate.new(File.read(key_file))
+    end
+  end
+end
+

data/test/test_pkcs7.rb

@@ -0,0 +1,40 @@
+require 'openssl'
+require "test/unit"
+
+class TestPkcs7 < Test::Unit::TestCase
+
+  CERT_PEM = <<END
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIBATANBgkqhkiG9w0BAQQFADA9MRMwEQYKCZImiZPyLGQB
+GRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVieS1sYW5nMQswCQYDVQQDDAJDQTAe
+Fw0wOTA1MjMxNTAzNDNaFw0wOTA1MjMxNjAzNDNaMD0xEzARBgoJkiaJk/IsZAEZ
+FgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5LWxhbmcxCzAJBgNVBAMMAkNBMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuV9ht9J7k4NBs38jOXvvTKY9
+gW8nLICSno5EETR1cuF7i4pNs9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enen
+fzq/t/e/1IRW0wkJUJUFQign4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWm
+qbjs07JbuS4QQGGXLc+Su96DkYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v6
+8JkRFIhdGlb6JL8fllf/A/blNwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX
+9KZYcU00mOX+fdxOSnGqS/8JDRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wID
+AQABMA0GCSqGSIb3DQEBBAUAA4IBAQB8UTw1agA9wdXxHMUACduYu6oNL7pdF0dr
+w7a4QPJyj62h4+Umxvp13q0PBw0E+mSjhXMcqUhDLjrmMcvvNGhuh5Sdjbe3GI/M
+3lCC9OwYYIzzul7omvGC3JEIGfzzdNnPPCPKEWp5X9f0MKLMR79qOf+sjHTjN2BY
+SY3YGsEFxyTXDdqrlaYaOtTAdi/C+g1WxR8fkPLefymVwIFwvyc9/bnp7iBn7Hcw
+mbxtLPbtQ9mURT0GHewZRTGJ1aiTq9Ag3xXME2FPF04eFRd3mclOQZNXKQ+LDxYf
+k0X5FeZvsWf4srFxoVxlcDdJtHh91ZRpDDJYGQlsUm9CPTnO+e4E
+-----END CERTIFICATE-----
+END
+
+  def test_pkcs7_des3_key_generation_for_encrypt
+    # SunJCE requires DES/DES3 keybits = 21/168 for key generation.
+    # BC allows 24/192 keybits and treats it as 21/168.
+    msg = "Hello World"
+    password = "password"
+    cert = OpenSSL::X509::Certificate.new(CERT_PEM)
+    certs = [cert]
+    cipher = OpenSSL::Cipher.new("des-ede3-cbc")
+    cipher.encrypt
+    cipher.pkcs5_keyivgen(password)
+    p7 = OpenSSL::PKCS7.encrypt(certs, msg, cipher, OpenSSL::PKCS7::BINARY)
+    assert_equal(msg, p7.data)
+  end
+end

data/test/test_pkey.rb

@@ -0,0 +1,204 @@
+begin
+  require "openssl"
+rescue LoadError
+end
+
+require "test/unit"
+
+class TestPKey < Test::Unit::TestCase
+  def test_has_correct_methods
+    pkey_methods = OpenSSL::PKey::PKey.instance_methods(false).sort - ["initialize"]
+    assert_equal ["sign", "verify"], pkey_methods
+
+    rsa_methods = OpenSSL::PKey::RSA.instance_methods(false).sort - ["initialize"]
+    assert_equal ["d", "d=", "dmp1", "dmp1=", "dmq1", "dmq1=", "e", "e=", "export", "iqmp", "iqmp=", "n", "n=", "p", "p=", "params", "private?", "private_decrypt", "private_encrypt", "public?", "public_decrypt", "public_encrypt", "public_key", "q", "q=", "to_der", "to_pem", "to_s", "to_text"], rsa_methods
+
+    assert_equal ["generate"], OpenSSL::PKey::RSA.methods(false)
+    
+#     dsa_methods = OpenSSL::PKey::DSA.instance_methods(false).sort - ["initialize"]
+#     assert_equal ["export", "g", "g=", "p", "p=", "params", "priv_key", "priv_key=", "private?", "pub_key", "pub_key=", "public?", "public_key", "q", "q=", "syssign", "sysverify", "to_der", "to_pem", "to_s", "to_text"], dsa_methods
+
+#     assert_equal ["generate"], OpenSSL::PKey::DSA.methods(false)
+  end
+  
+  #iqmp == coefficient
+  #e == public exponent
+  #n == modulus
+  #d == private exponent
+  #p == prime1
+  #q == prime2
+  #dmq1 == exponent2
+  #dmp1 == exponent1
+  
+  def test_can_generate_rsa_key
+    OpenSSL::PKey::RSA.generate(512)
+  end
+
+  def test_can_generate_dsa_key
+    OpenSSL::PKey::DSA.generate(512)
+  end
+
+  def test_malformed_rsa_handling
+    pem = <<__EOP__
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtiU1/UMzIQ1On9OlZGoV
+S0yySFYWoXLH12nmP69fg9jwdRbQlb0rxLn7zATbwfqcvGpCcW+8SmdwW74elNrc
+wRtbKjJKfbJCsVfDssbbj6BF+Bcq3ihi8+CGNXFdJOYhZZ+5Adg2Qc9Qp3Ubw9wu
+/3Ai87+1aQxoZPMFwdX2BRiZvxch9dwHVyL8EuFGUOYId/8JQepHyZMbTqp/8wlA
+UAbMcPW+IKp3N0WMgred3CjXKHAqqM0Ira9RLSXdlO2uFV4OrM0ak8rnTN5w1DsI
+McjvVvOck0aIxfHEEmeadt3YMn4PCW33/j8geulZLvt0ci60/OWMSCcIqByITlvY
+DwIDAQAB
+-----END PUBLIC KEY-----
+__EOP__
+    pkey = OpenSSL::PKey::RSA.new(pem)
+    # jruby-openssl/0.6 raises NativeException
+    assert_raise(OpenSSL::PKey::RSAError, 'JRUBY-4492') do
+      pkey.public_decrypt("rah")
+    end
+  end
+
+  # http://github.com/jruby/jruby-openssl/issues#issue/1
+  def test_load_pkey_rsa
+    pem = <<__EOP__
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALRiMLAh9iimur8V
+A7qVvdqxevEuUkW4K+2KdMXmnQbG9Aa7k7eBjK1S+0LYmVjPKlJGNXHDGuy5Fw/d
+7rjVJ0BLB+ubPK8iA/Tw3hLQgXMRRGRXXCn8ikfuQfjUS1uZSatdLB81mydBETlJ
+hI6GH4twrbDJCR2Bwy/XWXgqgGRzAgMBAAECgYBYWVtleUzavkbrPjy0T5FMou8H
+X9u2AC2ry8vD/l7cqedtwMPp9k7TubgNFo+NGvKsl2ynyprOZR1xjQ7WgrgVB+mm
+uScOM/5HVceFuGRDhYTCObE+y1kxRloNYXnx3ei1zbeYLPCHdhxRYW7T0qcynNmw
+rn05/KO2RLjgQNalsQJBANeA3Q4Nugqy4QBUCEC09SqylT2K9FrrItqL2QKc9v0Z
+zO2uwllCbg0dwpVuYPYXYvikNHHg+aCWF+VXsb9rpPsCQQDWR9TT4ORdzoj+Nccn
+qkMsDmzt0EfNaAOwHOmVJ2RVBspPcxt5iN4HI7HNeG6U5YsFBb+/GZbgfBT3kpNG
+WPTpAkBI+gFhjfJvRw38n3g/+UeAkwMI2TJQS4n8+hid0uus3/zOjDySH3XHCUno
+cn1xOJAyZODBo47E+67R4jV1/gzbAkEAklJaspRPXP877NssM5nAZMU0/O/NGCZ+
+3jPgDUno6WbJn5cqm8MqWhW1xGkImgRk+fkDBquiq4gPiT898jusgQJAd5Zrr6Q8
+AO/0isr/3aa6O6NLQxISLKcPDk2NOccAfS/xOtfOz4sJYM3+Bs4Io9+dZGSDCA54
+Lw03eHTNQghS0A==
+-----END PRIVATE KEY-----
+__EOP__
+    assert_nothing_raised do
+      pkey = OpenSSL::PKey::RSA.new(pem)
+      pkey2 = OpenSSL::PKey::RSA.new(pkey.to_pem)
+      assert_equal(pkey.n, pkey2.n)
+      assert_equal(pkey.e, pkey2.e)
+      assert_equal(pkey.d, pkey2.d)
+    end
+  end
+
+  def test_load_pkey_rsa_enc
+    # password is '1234'
+    pem = <<__EOP__
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIICoTAbBgkqhkiG9w0BBQMwDgQIfvehP6JEg2wCAggABIICgD7kzSr+xWgdAuzG
+cYNkCEWyKF6V0cJ58AKSoL4FQ59OQvQP/hMnSZEMiUpeGNRE6efC7O02RUjNarIk
+ciCYIBqd5EFG3OSypK5l777AbCChIkzZHbyE/pIbadr8ZX9C4pkwzPqS0Avzavxi
+5s1WDX2GggJkBcQUijqG9QuOZcOvoYbojHPT4tdJq+J6s+0LFas9Jp3a6dYkxtgv
+u8Z6EFDZoLGOSVy/jCSMuZAnhoOxUCYqd9FFo2jryV7tQ/CaYAUApAQFTLgBA9qk
+4WmyKRpwzIx6EG1pkqulvPXJCcTat9YwllEDVuQ2rKVwDepSl9O7X170Kx1sBecz
+mGcfqviU9xwP5mkXO/TLoTZExkHF08Y3d/PTMdxGEDZH37/yRqCIb3Uyqv/jLibM
+/s9fm52aWsfO1ndHEhciovlMJvGXq3+e+9gmq1w2TyNQahRc5fwfhwWKhPKfYDBk
+7AtjPGfELDX61WZ5m+4Kb70BcGSAEgXCaBydVsMROy0B8jkYgtAnVBb4EMrGOsCG
+jmNeW9MRIhrhDcifdyq1DMNg7IONMF+5mDdQ3FhK6WzlFU+8cTN517qA8L3A3+ZX
+asiS+rx5/50InINknjuvVkmTGMzjl89nMNrZCjhx9sIDfXQ3ZKFmh1mvnXq/fLan
+CgXn/UtLoykrSlobgqIxZslhj3p01kMCgGe62S3kokYrDTQEc57rlKWWR3Xyjy/T
+LsecXAKEROj95IHSMMnT4jl+TJnbvGKQ2U9tOOB3W+OOOlDEFE59pQlcmQPAwdzr
+mzI4kupi3QRTFjOgvX29leII9sPtpr4dKMKVIRxKnvMZhUAkS/n3+Szfa6zKexLa
+4CHVgDo=
+-----END ENCRYPTED PRIVATE KEY-----
+__EOP__
+    assert_nothing_raised do
+      pkey = OpenSSL::PKey::RSA.new(pem, '1234')
+      pkey2 = OpenSSL::PKey::RSA.new(pkey.to_pem)
+      assert_equal(pkey.n, pkey2.n)
+      assert_equal(pkey.e, pkey2.e)
+      assert_equal(pkey.d, pkey2.d)
+    end
+  end
+
+  # jruby-openssl/0.6 causes NPE
+  def test_generate_pkey_rsa_empty
+    assert_nothing_raised do
+      OpenSSL::PKey::RSA.new.to_pem
+    end
+  end
+
+  def test_generate_pkey_rsa_length
+    assert_nothing_raised do
+      OpenSSL::PKey::RSA.new(512).to_pem
+    end
+  end
+
+  def test_generate_pkey_rsa_to_text
+    assert_match(
+      /Private-Key: \(512 bit\)/,
+      OpenSSL::PKey::RSA.new(512).to_text
+    )
+  end
+
+  def test_load_pkey_rsa
+    pkey = OpenSSL::PKey::RSA.new(512)
+    assert_equal(pkey.to_pem, OpenSSL::PKey::RSA.new(pkey.to_pem).to_pem)
+  end
+
+  def test_load_pkey_rsa_public
+    pkey = OpenSSL::PKey::RSA.new(512).public_key
+    assert_equal(pkey.to_pem, OpenSSL::PKey::RSA.new(pkey.to_pem).to_pem)
+  end
+
+  def test_load_pkey_rsa_der
+    pkey = OpenSSL::PKey::RSA.new(512)
+    assert_equal(pkey.to_der, OpenSSL::PKey::RSA.new(pkey.to_der).to_der)
+  end
+
+  def test_load_pkey_rsa_public_der
+    pkey = OpenSSL::PKey::RSA.new(512).public_key
+    assert_equal(pkey.to_der, OpenSSL::PKey::RSA.new(pkey.to_der).to_der)
+  end
+
+  # jruby-openssl/0.6 causes NPE
+  def test_generate_pkey_dsa_empty
+    assert_nothing_raised do
+      OpenSSL::PKey::DSA.new.to_pem
+    end
+  end
+
+  # jruby-openssl/0.6 ignores fixnum arg => to_pem returned 65 bytes with 'MAA='
+  def test_generate_pkey_dsa_length
+    assert(OpenSSL::PKey::DSA.new(512).to_pem.size > 100)
+  end
+
+  # jruby-openssl/0.6 returns nil for DSA#to_text
+  def test_generate_pkey_dsa_to_text
+    assert_match(
+      /Private-Key: \(512 bit\)/,
+      OpenSSL::PKey::DSA.new(512).to_text
+    )
+  end
+
+  def test_load_pkey_dsa
+    pkey = OpenSSL::PKey::DSA.new(512)
+    assert_equal(pkey.to_pem, OpenSSL::PKey::DSA.new(pkey.to_pem).to_pem)
+  end
+
+  def test_load_pkey_dsa_public
+    pkey = OpenSSL::PKey::DSA.new(512).public_key
+    assert_equal(pkey.to_pem, OpenSSL::PKey::DSA.new(pkey.to_pem).to_pem)
+  end
+
+  def test_load_pkey_dsa_der
+    pkey = OpenSSL::PKey::DSA.new(512)
+    assert_equal(pkey.to_der, OpenSSL::PKey::DSA.new(pkey.to_der).to_der)
+  end
+
+  def test_load_pkey_dsa_public_der
+    pkey = OpenSSL::PKey::DSA.new(512).public_key
+    assert_equal(pkey.to_der, OpenSSL::PKey::DSA.new(pkey.to_der).to_der)
+  end
+
+  def test_load_pkey_dsa_net_ssh
+    blob = "0\201\367\002\001\000\002A\000\203\316/\037u\272&J\265\003l3\315d\324h\372{\t8\252#\331_\026\006\035\270\266\255\343\353Z\302\276\335\336\306\220\375\202L\244\244J\206>\346\b\315\211\302L\246x\247u\a\376\366\345\302\016#\002\025\000\244\274\302\221Og\275/\302+\356\346\360\024\373wI\2573\361\002@\027\215\270r*\f\213\350C\245\021:\350 \006\\\376\345\022`\210b\262\3643\023XLKS\320\370\002\276\347A\nU\204\276\324\256`=\026\240\330\306J\316V\213\024\e\030\215\355\006\037q\337\356ln\002@\017\257\034\f\260\333'S\271#\237\230E\321\312\027\021\226\331\251Vj\220\305\316\036\v\266+\000\230\270\177B\003?t\a\305]e\344\261\334\023\253\323\251\223M\2175)a(\004\"lI8\312\303\307\a\002\024_\aznW\345\343\203V\326\246ua\203\376\201o\350\302\002"
+    pkey = OpenSSL::PKey::DSA.new(blob)
+    assert_equal(blob, pkey.to_der)
+  end
+end

data/test/test_ssl.rb

@@ -0,0 +1,97 @@
+require 'openssl'
+require 'test/unit'
+require 'webrick/https'
+require 'net/https'
+require 'logger'
+require File.join(File.dirname(__FILE__), "openssl/utils.rb")
+
+
+class TestSSL < Test::Unit::TestCase
+  PORT = 17171
+  DIR = File.dirname(File.expand_path(__FILE__))
+
+  def setup
+    @server = @server_thread = nil
+    @verbose, $VERBOSE = $VERBOSE, nil
+    setup_server
+  end
+
+  def teardown
+    $VERBOSE = @verbose
+    teardown_server
+  end
+
+  def test_jruby_4826
+    assert_nothing_raised do
+      100.times do
+        http = Net::HTTP.new('localhost', PORT)
+        http.use_ssl = true
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        req = Net::HTTP::Post.new('/post')
+        http.request(req).body
+      end
+    end
+  end
+
+private
+
+  def make_certificate(key, cn)
+    subject = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=#{cn}")
+    exts = [
+      ["keyUsage", "keyEncipherment,digitalSignature", true],
+    ]
+    OpenSSL::TestUtils.issue_cert(
+      subject, key, 1, Time.now, Time.now + 3600, exts,
+      nil, nil, OpenSSL::Digest::SHA1.new
+    )
+  end
+
+  def setup_server
+    key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+    cert = make_certificate(key, "localhost")
+    logger = Logger.new(STDERR)
+    logger.level = Logger::Severity::FATAL	# avoid logging SSLError (ERROR level)
+    @server = WEBrick::HTTPServer.new(
+      :Logger => logger,
+      :Port => PORT,
+      :AccessLog => [],
+      :SSLEnable => true,
+      :ServerName => "localhost",
+      :SSLCertificate => cert,
+      :SSLPrivateKey => key
+    )
+    @server.mount(
+      "/post",
+      WEBrick::HTTPServlet::ProcHandler.new(method("do_post").to_proc)
+    )
+    @server_thread = start_server_thread(@server)
+  end
+
+  def do_post(req, res)
+    res.chunked = true
+    res['content-type'] = 'text/plain'
+    piper, pipew = IO.pipe
+    res.body = piper
+    10.times { pipew << "A" * 10 }
+    pipew.close
+  end
+
+  def start_server_thread(server)
+    t = Thread.new {
+      Thread.current.abort_on_exception = true
+      server.start
+    }
+    while server.status != :Running
+      Thread.pass
+      unless t.alive?
+	t.join
+	raise
+      end
+    end
+    t
+  end
+
+  def teardown_server
+    @server.shutdown if @server
+  end
+end

data/test/test_x509store.rb

@@ -0,0 +1,160 @@
+begin
+  require "openssl"
+rescue LoadError
+end
+
+require "test/unit"
+require "tempfile"
+
+class TestX509Store < Test::Unit::TestCase
+  def setup
+    @store = OpenSSL::X509::Store.new
+  end
+
+  def path(file)
+    File.expand_path(file, File.dirname(__FILE__))
+  end
+
+  def teardown
+  end
+
+  def test_ns_cert_type
+    f = Tempfile.new("globalsign-root.pem")
+    f << GLOBALSIGN_ROOT_CA
+    f.close
+    @store.add_file(f.path)
+    f.unlink
+
+    # CAUTION !
+    #
+    # sgc is an issuing CA certificate so we should not verify it for the
+    # purpose 'PURPOSE_SSL_SERVER'. It's not a SSL server certificate.
+    # We're just checking the code for 'PURPOSE_SSL_SERVER'.
+    # jruby-openssl/0.5.2 raises the following exception around ASN.1
+    # nsCertType handling.
+    #   Purpose.java:344:in `call': java.lang.ClassCastException: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.DERBitString
+    sgc = OpenSSL::X509::Certificate.new(GLOBALSIGN_ORGANIZATION_VALIDATION_CA)
+
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_nothing_raised do
+      @store.verify(sgc) # => should be false
+    end
+  end
+
+  def test_purpose_ssl_client
+    @store.add_file(path("fixture/purpose/cacert.pem"))
+    cert = OpenSSL::X509::Certificate.new(File.read(path("fixture/purpose/sslclient.pem")))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+    assert_equal(true, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_equal(false, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+    assert_equal(true, @store.verify(cert))
+  end
+
+  def test_purpose_ssl_server
+    @store.add_file(path("fixture/purpose/cacert.pem"))
+    cert = OpenSSL::X509::Certificate.new(File.read(path("fixture/purpose/sslserver.pem")))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_equal(true, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+    assert_equal(false, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_equal(true, @store.verify(cert))
+  end
+
+  def test_add_file_multiple
+    f = Tempfile.new("globalsign-root.pem")
+    f << GLOBALSIGN_ROOT_CA
+    f << "junk junk\n"
+    f << "junk junk\n"
+    f << "junk junk\n"
+    f << File.read(path("fixture/purpose/cacert.pem"))
+    f.close
+    @store.add_file(f.path)
+    f.unlink
+
+    cert = OpenSSL::X509::Certificate.new(File.read(path("fixture/purpose/sslserver.pem")))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_equal(true, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+    assert_equal(false, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_equal(true, @store.verify(cert))
+  end
+
+  # jruby-openssl/0.6 raises "can't store certificate" because of duplicated
+  # subject. ruby-openssl just ignores the second certificate.
+  def test_add_file_JRUBY_4409
+    assert_nothing_raised do
+      @store.add_file(path("fixture/ca-bundle.crt"))
+    end
+  end
+
+  def test_set_default_paths
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    cert = OpenSSL::X509::Certificate.new(File.read(path("fixture/purpose/sslserver.pem")))
+    assert_equal(false, @store.verify(cert))
+    begin
+      backup = ENV['SSL_CERT_DIR']
+      ENV['SSL_CERT_DIR'] = path('fixture/purpose/')
+      @store.set_default_paths
+      assert_equal(true, @store.verify(cert))
+    ensure
+      ENV['SSL_CERT_DIR'] = backup if backup
+    end
+  end
+
+  GLOBALSIGN_ROOT_CA = <<__EOS__
+-----BEGIN CERTIFICATE-----
+MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
+AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
+yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
+38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
+AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
+DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
+HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
+-----END CERTIFICATE-----
+__EOS__
+
+  GLOBALSIGN_ORGANIZATION_VALIDATION_CA = <<__EOS__
+-----BEGIN CERTIFICATE-----
+MIIEZzCCA0+gAwIBAgILBAAAAAABHkSl9SowDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0wNzA0MTExMjAw
+MDBaFw0xNzA0MTExMjAwMDBaMGoxIzAhBgNVBAsTGk9yZ2FuaXphdGlvbiBWYWxp
+ZGF0aW9uIENBMRMwEQYDVQQKEwpHbG9iYWxTaWduMS4wLAYDVQQDEyVHbG9iYWxT
+aWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAoS/EvM6HA+lnwYnI5ZP8fbStnvZjTmronCxziaIB9I8h
++P0lnVgWbYb27klXdX516iIRfj37x0JB3PzFDJFVgHvrZDMdm/nKOOmrxiVDUSVA
+9OR+GFVqqY8QOkAe1leD738vNC8t0vZTwhkNt+3JgfVGLLQjQl6dEwN17Opq/Fd8
+yTaXO5jcExPs7EH6XTTquZPnEBZlzJyS/fXFnT5KuQn85F8eaV9N9FZyRLEdIwPI
+NvZliMi/ORZFjh4mbFEWxSoAOMWkE2mVfasBO6jEFLSA2qwaRCDV/qkGexQnr+Aw
+Id2Q9KnVIxkuHgPmwd+VKeTBlEPdPpCqy0vJvorTOQIDAQABo4IBHzCCARswDgYD
+VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFH1tKuxm
+q6dRNqsCafFwj8RZC5ofMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMwMQYIKwYB
+BQUHAgEWJWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9yeS8wMwYD
+VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNy
+bDARBglghkgBhvhCAQEEBAMCAgQwIAYDVR0lBBkwFwYKKwYBBAGCNwoDAwYJYIZI
+AYb4QgQBMB8GA1UdIwQYMBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3
+DQEBBQUAA4IBAQB5R/wV10x53w96ns7UfEtjyYm1ez+ZEuicjJpJL+BOlUrtx7y+
+8aLbjpMdunFUqkvZiSIkh8UEqKyCUqBS+LjhT6EnZmMhSjnnx8VOX7LWHRNtMOnO
+16IcvCkKczxbI0n+1v/KsE/18meYwEcR+LdIppAJ1kK+6rG5U0LDnCDJ+6FbtVZt
+h4HIYKzEuXInCo4eqLEuzTKieFewnPiVu0OOjDGGblMNxhIFukFuqDUwCRgdAmH/
+/e413mrDO9BNS05QslY2DERd2hplKuaYVqljMy4E567o9I63stp9wMjirqYoL+PJ
+c738B0E0t6pu7qfb0ZM87ZDsMpKI2cgjbHQh
+-----END CERTIFICATE-----
+__EOS__
+end