jruby-openssl 0.0.4 → 0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.


@@ -0,0 +1,174 @@
1
+ begin
2
+ require "openssl"
3
+ require File.join(File.dirname(__FILE__), "utils.rb")
4
+ rescue LoadError
5
+ end
6
+ require "test/unit"
7
+
8
+ if defined?(OpenSSL)
9
+
10
+ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
11
+ def setup
12
+ @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
13
+ @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
14
+ @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
15
+ @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
16
+ @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
17
+ @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
18
+ @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
19
+ end
20
+
21
+ def teardown
22
+ end
23
+
24
+ def issue_cert(*args)
25
+ OpenSSL::TestUtils.issue_cert(*args)
26
+ end
27
+
28
+ def test_serial
29
+ [1, 2**32, 2**100].each{|s|
30
+ cert = issue_cert(@ca, @rsa2048, s, Time.now, Time.now+3600, [],
31
+ nil, nil, OpenSSL::Digest::SHA1.new)
32
+ assert_equal(s, cert.serial)
33
+ cert = OpenSSL::X509::Certificate.new(cert.to_der)
34
+ assert_equal(s, cert.serial)
35
+ }
36
+ end
37
+
38
+ def test_public_key
39
+ exts = [
40
+ ["basicConstraints","CA:TRUE",true],
41
+ ["subjectKeyIdentifier","hash",false],
42
+ ["authorityKeyIdentifier","keyid:always",false],
43
+ ]
44
+
45
+ sha1 = OpenSSL::Digest::SHA1.new
46
+ dss1 = OpenSSL::Digest::DSS1.new
47
+ [
48
+ [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dss1], [@dsa512, dss1],
49
+ ].each{|pk, digest|
50
+ cert = issue_cert(@ca, pk, 1, Time.now, Time.now+3600, exts,
51
+ nil, nil, digest)
52
+ assert_equal(cert.extensions[1].value,OpenSSL::TestUtils.get_subject_key_id(cert))
53
+ cert = OpenSSL::X509::Certificate.new(cert.to_der)
54
+ assert_equal(cert.extensions[1].value,
55
+ OpenSSL::TestUtils.get_subject_key_id(cert))
56
+ }
57
+ end
58
+
59
+ def test_validity
60
+ now = Time.now until now && now.usec != 0
61
+ cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
62
+ nil, nil, OpenSSL::Digest::SHA1.new)
63
+ assert_not_equal(now, cert.not_before)
64
+ assert_not_equal(now+3600, cert.not_after)
65
+
66
+ now = Time.at(now.to_i)
67
+ cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
68
+ nil, nil, OpenSSL::Digest::SHA1.new)
69
+ assert_equal(now.getutc, cert.not_before)
70
+ assert_equal((now+3600).getutc, cert.not_after)
71
+
72
+ now = Time.at(0)
73
+ cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
74
+ nil, nil, OpenSSL::Digest::SHA1.new)
75
+ assert_equal(now.getutc, cert.not_before)
76
+ assert_equal(now.getutc, cert.not_after)
77
+
78
+ now = Time.at(0x7fffffff)
79
+ cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
80
+ nil, nil, OpenSSL::Digest::SHA1.new)
81
+ assert_equal(now.getutc, cert.not_before)
82
+ assert_equal(now.getutc, cert.not_after)
83
+ end
84
+
85
+ def test_extension
86
+ ca_exts = [
87
+ ["basicConstraints","CA:TRUE",true],
88
+ ["keyUsage","keyCertSign, cRLSign",true],
89
+ ["subjectKeyIdentifier","hash",false],
90
+ ["authorityKeyIdentifier","keyid:always",false],
91
+ ]
92
+ ca_cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts,
93
+ nil, nil, OpenSSL::Digest::SHA1.new)
94
+ ca_cert.extensions.each_with_index{|ext, i|
95
+ assert_equal(ca_exts[i].first, ext.oid)
96
+ assert_equal(ca_exts[i].last, ext.critical?)
97
+ }
98
+
99
+ ee1_exts = [
100
+ ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
101
+ ["subjectKeyIdentifier","hash",false],
102
+ ["authorityKeyIdentifier","keyid:always",false],
103
+ ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
104
+ ["subjectAltName","email:ee1@ruby-lang.org",false],
105
+ ]
106
+ ee1_cert = issue_cert(@ee1, @rsa1024, 2, Time.now, Time.now+1800, ee1_exts,
107
+ ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
108
+ assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der)
109
+ ee1_cert.extensions.each_with_index{|ext, i|
110
+ assert_equal(ee1_exts[i].first, ext.oid)
111
+ assert_equal(ee1_exts[i].last, ext.critical?)
112
+ }
113
+
114
+ ee2_exts = [
115
+ ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
116
+ ["subjectKeyIdentifier","hash",false],
117
+ ["authorityKeyIdentifier","issuer:always",false],
118
+ ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
119
+ ["subjectAltName","email:ee2@ruby-lang.org",false],
120
+ ]
121
+ ee2_cert = issue_cert(@ee2, @rsa1024, 3, Time.now, Time.now+1800, ee2_exts,
122
+ ca_cert, @rsa2048, OpenSSL::Digest::MD5.new)
123
+ assert_equal(ca_cert.subject.to_der, ee2_cert.issuer.to_der)
124
+ ee2_cert.extensions.each_with_index{|ext, i|
125
+ assert_equal(ee2_exts[i].first, ext.oid)
126
+ assert_equal(ee2_exts[i].last, ext.critical?)
127
+ }
128
+
129
+ end
130
+
131
+ def test_sign_and_verify
132
+ cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
133
+ nil, nil, OpenSSL::Digest::SHA1.new)
134
+ assert_equal(false, cert.verify(@rsa1024))
135
+ assert_equal(true, cert.verify(@rsa2048))
136
+ assert_equal(false, cert.verify(@dsa256))
137
+ assert_equal(false, cert.verify(@dsa512))
138
+ cert.serial = 2
139
+ assert_equal(false, cert.verify(@rsa2048))
140
+
141
+ cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
142
+ nil, nil, OpenSSL::Digest::MD5.new)
143
+ assert_equal(false, cert.verify(@rsa1024))
144
+ assert_equal(true, cert.verify(@rsa2048))
145
+ assert_equal(false, cert.verify(@dsa256))
146
+ assert_equal(false, cert.verify(@dsa512))
147
+ cert.subject = @ee1
148
+ assert_equal(false, cert.verify(@rsa2048))
149
+
150
+ cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
151
+ nil, nil, OpenSSL::Digest::DSS1.new)
152
+ assert_equal(false, cert.verify(@rsa1024))
153
+ assert_equal(false, cert.verify(@rsa2048))
154
+ assert_equal(false, cert.verify(@dsa256))
155
+ assert_equal(true, cert.verify(@dsa512))
156
+ cert.not_after = Time.now
157
+ assert_equal(false, cert.verify(@dsa512))
158
+
159
+ assert_raises(OpenSSL::X509::CertificateError){
160
+ cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
161
+ nil, nil, OpenSSL::Digest::DSS1.new)
162
+ }
163
+ assert_raises(OpenSSL::X509::CertificateError){
164
+ cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
165
+ nil, nil, OpenSSL::Digest::MD5.new)
166
+ }
167
+ assert_raises(OpenSSL::X509::CertificateError){
168
+ cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
169
+ nil, nil, OpenSSL::Digest::SHA1.new)
170
+ }
171
+ end
172
+ end
173
+
174
+ end
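Review bot: The `each_with_index` loops in test_extension (after the `ca_cert`, `ee1_cert` and `ee2_cert` issuances) pass vacuously if the implementation drops or truncates extensions, because nothing pins the count; a CA certificate silently emitted without `basicConstraints CA:TRUE` or `keyUsage keyCertSign` would still pass. Add `assert_equal(ca_exts.size, ca_cert.extensions.size)` before the first loop and the equivalent `ee1_exts`/`ee2_exts` checks before the other two. test_public_key has the same gap: it reads `cert.extensions[1]` without first asserting that three extensions came back. The DER round trip via `OpenSSL::X509::Certificate.new(cert.to_der)` is only exercised for the serial and SKID cases, so an encoder that loses an extension's critical flag would not be caught by test_extension.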
@@ -0,0 +1,218 @@
1
+ begin
2
+ require "openssl"
3
+ require File.join(File.dirname(__FILE__), "utils.rb")
4
+ rescue LoadError
5
+ end
6
+ require "test/unit"
7
+
8
+ if defined?(OpenSSL)
9
+
10
+ class OpenSSL::TestX509CRL < Test::Unit::TestCase
11
+ def setup
12
+ @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
13
+ @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
14
+ @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
15
+ @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
16
+ @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
17
+ @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
18
+ @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
19
+ end
20
+
21
+ def teardown
22
+ end
23
+
24
+ def issue_crl(*args)
25
+ OpenSSL::TestUtils.issue_crl(*args)
26
+ end
27
+
28
+ def issue_cert(*args)
29
+ OpenSSL::TestUtils.issue_cert(*args)
30
+ end
31
+
32
+ def test_basic
33
+ now = Time.at(Time.now.to_i)
34
+
35
+ cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
36
+ nil, nil, OpenSSL::Digest::SHA1.new)
37
+ crl = issue_crl([], 1, now, now+1600, [],
38
+ cert, @rsa2048, OpenSSL::Digest::SHA1.new)
39
+ assert_equal(1, crl.version)
40
+ assert_equal(cert.issuer.to_der, crl.issuer.to_der)
41
+ assert_equal(now, crl.last_update)
42
+ assert_equal(now+1600, crl.next_update)
43
+
44
+ crl = OpenSSL::X509::CRL.new(crl.to_der)
45
+ assert_equal(1, crl.version)
46
+ assert_equal(cert.issuer.to_der, crl.issuer.to_der)
47
+ assert_equal(now, crl.last_update)
48
+ assert_equal(now+1600, crl.next_update)
49
+ end
50
+
51
+ def test_revoked
52
+
53
+ # CRLReason ::= ENUMERATED {
54
+ # unspecified (0),
55
+ # keyCompromise (1),
56
+ # cACompromise (2),
57
+ # affiliationChanged (3),
58
+ # superseded (4),
59
+ # cessationOfOperation (5),
60
+ # certificateHold (6),
61
+ # removeFromCRL (8),
62
+ # privilegeWithdrawn (9),
63
+ # aACompromise (10) }
64
+
65
+ now = Time.at(Time.now.to_i)
66
+ revoke_info = [
67
+ [1, Time.at(0), 1],
68
+ [2, Time.at(0x7fffffff), 2],
69
+ [3, now, 3],
70
+ [4, now, 4],
71
+ [5, now, 5],
72
+ ]
73
+ cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
74
+ nil, nil, OpenSSL::Digest::SHA1.new)
75
+ crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
76
+ cert, @rsa2048, OpenSSL::Digest::SHA1.new)
77
+ revoked = crl.revoked
78
+ assert_equal(5, revoked.size)
79
+ assert_equal(1, revoked[0].serial)
80
+ assert_equal(2, revoked[1].serial)
81
+ assert_equal(3, revoked[2].serial)
82
+ assert_equal(4, revoked[3].serial)
83
+ assert_equal(5, revoked[4].serial)
84
+
85
+ assert_equal(Time.at(0), revoked[0].time)
86
+ assert_equal(Time.at(0x7fffffff), revoked[1].time)
87
+ assert_equal(now, revoked[2].time)
88
+ assert_equal(now, revoked[3].time)
89
+ assert_equal(now, revoked[4].time)
90
+
91
+ assert_equal("CRLReason", revoked[0].extensions[0].oid)
92
+ assert_equal("CRLReason", revoked[1].extensions[0].oid)
93
+ assert_equal("CRLReason", revoked[2].extensions[0].oid)
94
+ assert_equal("CRLReason", revoked[3].extensions[0].oid)
95
+ assert_equal("CRLReason", revoked[4].extensions[0].oid)
96
+
97
+ assert_equal("Key Compromise", revoked[0].extensions[0].value)
98
+ assert_equal("CA Compromise", revoked[1].extensions[0].value)
99
+ assert_equal("Affiliation Changed", revoked[2].extensions[0].value)
100
+ assert_equal("Superseded", revoked[3].extensions[0].value)
101
+ assert_equal("Cessation Of Operation", revoked[4].extensions[0].value)
102
+
103
+ assert_equal(false, revoked[0].extensions[0].critical?)
104
+ assert_equal(false, revoked[1].extensions[0].critical?)
105
+ assert_equal(false, revoked[2].extensions[0].critical?)
106
+ assert_equal(false, revoked[3].extensions[0].critical?)
107
+ assert_equal(false, revoked[4].extensions[0].critical?)
108
+
109
+ crl = OpenSSL::X509::CRL.new(crl.to_der)
110
+ assert_equal("Key Compromise", revoked[0].extensions[0].value)
111
+ assert_equal("CA Compromise", revoked[1].extensions[0].value)
112
+ assert_equal("Affiliation Changed", revoked[2].extensions[0].value)
113
+ assert_equal("Superseded", revoked[3].extensions[0].value)
114
+ assert_equal("Cessation Of Operation", revoked[4].extensions[0].value)
115
+
116
+ revoke_info = (1..1000).collect{|i| [i, now, 0] }
117
+ crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
118
+ cert, @rsa2048, OpenSSL::Digest::SHA1.new)
119
+ revoked = crl.revoked
120
+ assert_equal(1000, revoked.size)
121
+ assert_equal(1, revoked[0].serial)
122
+ assert_equal(1000, revoked[999].serial)
123
+ end
124
+
125
+ def test_extension
126
+ cert_exts = [
127
+ ["basicConstraints", "CA:TRUE", true],
128
+ ["subjectKeyIdentifier", "hash", false],
129
+ ["authorityKeyIdentifier", "keyid:always", false],
130
+ ["subjectAltName", "email:xyzzy@ruby-lang.org", false],
131
+ ["keyUsage", "cRLSign, keyCertSign", true],
132
+ ]
133
+ crl_exts = [
134
+ ["authorityKeyIdentifier", "keyid:always", false],
135
+ ["issuerAltName", "issuer:copy", false],
136
+ ]
137
+
138
+ cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, cert_exts,
139
+ nil, nil, OpenSSL::Digest::SHA1.new)
140
+ crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts,
141
+ cert, @rsa2048, OpenSSL::Digest::SHA1.new)
142
+ exts = crl.extensions
143
+ assert_equal(3, exts.size)
144
+ assert_equal("1", exts[0].value)
145
+ assert_equal("crlNumber", exts[0].oid)
146
+ assert_equal(false, exts[0].critical?)
147
+
148
+ assert_equal("authorityKeyIdentifier", exts[1].oid)
149
+ keyid = OpenSSL::TestUtils.get_subject_key_id(cert)
150
+ assert_match(/^keyid:#{keyid}/, exts[1].value)
151
+ assert_equal(false, exts[1].critical?)
152
+
153
+ assert_equal("issuerAltName", exts[2].oid)
154
+ assert_equal("email:xyzzy@ruby-lang.org", exts[2].value)
155
+ assert_equal(false, exts[2].critical?)
156
+
157
+ crl = OpenSSL::X509::CRL.new(crl.to_der)
158
+ exts = crl.extensions
159
+ assert_equal(3, exts.size)
160
+ assert_equal("1", exts[0].value)
161
+ assert_equal("crlNumber", exts[0].oid)
162
+ assert_equal(false, exts[0].critical?)
163
+
164
+ assert_equal("authorityKeyIdentifier", exts[1].oid)
165
+ keyid = OpenSSL::TestUtils.get_subject_key_id(cert)
166
+ assert_match(/^keyid:#{keyid}/, exts[1].value)
167
+ assert_equal(false, exts[1].critical?)
168
+
169
+ assert_equal("issuerAltName", exts[2].oid)
170
+ assert_equal("email:xyzzy@ruby-lang.org", exts[2].value)
171
+ assert_equal(false, exts[2].critical?)
172
+ end
173
+
174
+ def test_crlnumber
175
+ cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
176
+ nil, nil, OpenSSL::Digest::SHA1.new)
177
+ crl = issue_crl([], 1, Time.now, Time.now+1600, [],
178
+ cert, @rsa2048, OpenSSL::Digest::SHA1.new)
179
+ assert_match(1.to_s, crl.extensions[0].value)
180
+ assert_match(/X509v3 CRL Number:\s+#{1}/m, crl.to_text)
181
+
182
+ crl = issue_crl([], 2**32, Time.now, Time.now+1600, [],
183
+ cert, @rsa2048, OpenSSL::Digest::SHA1.new)
184
+ assert_match((2**32).to_s, crl.extensions[0].value)
185
+ assert_match(/X509v3 CRL Number:\s+#{2**32}/m, crl.to_text)
186
+
187
+ crl = issue_crl([], 2**100, Time.now, Time.now+1600, [],
188
+ cert, @rsa2048, OpenSSL::Digest::SHA1.new)
189
+ assert_match(/X509v3 CRL Number:\s+#{2**100}/m, crl.to_text)
190
+ assert_match((2**100).to_s, crl.extensions[0].value)
191
+ end
192
+
193
+ def test_sign_and_verify
194
+ cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
195
+ nil, nil, OpenSSL::Digest::SHA1.new)
196
+ crl = issue_crl([], 1, Time.now, Time.now+1600, [],
197
+ cert, @rsa2048, OpenSSL::Digest::SHA1.new)
198
+ assert_equal(false, crl.verify(@rsa1024))
199
+ assert_equal(true, crl.verify(@rsa2048))
200
+ assert_equal(false, crl.verify(@dsa256))
201
+ assert_equal(false, crl.verify(@dsa512))
202
+ crl.version = 0
203
+ assert_equal(false, crl.verify(@rsa2048))
204
+
205
+ cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
206
+ nil, nil, OpenSSL::Digest::DSS1.new)
207
+ crl = issue_crl([], 1, Time.now, Time.now+1600, [],
208
+ cert, @dsa512, OpenSSL::Digest::DSS1.new)
209
+ assert_equal(false, crl.verify(@rsa1024))
210
+ assert_equal(false, crl.verify(@rsa2048))
211
+ assert_equal(false, crl.verify(@dsa256))
212
+ assert_equal(true, crl.verify(@dsa512))
213
+ crl.version = 0
214
+ assert_equal(false, crl.verify(@dsa512))
215
+ end
216
+ end
217
+
218
+ end
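Review bot: In test_revoked the five assertions following `crl = OpenSSL::X509::CRL.new(crl.to_der)` still read the `revoked` array captured from the pre-serialisation object, so the CRLReason values are never checked on the re-parsed CRL and a DER encoder that drops or mangles the per-entry reason extension would pass. Insert `revoked = crl.revoked` immediately after the re-parse, and re-assert `revoked.size`, the serials and `critical?` there as well so the round trip is actually covered. The 1000-entry case likewise only inspects the first and last serial of the in-memory object; parsing it back from `crl.to_der` would cover the large-CRL encoding path that a relying party consumes.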
@@ -0,0 +1,74 @@
1
+ begin
2
+ require "openssl"
3
+ require File.join(File.dirname(__FILE__), "utils.rb")
4
+ rescue LoadError
5
+ end
6
+ require "test/unit"
7
+
8
+ if defined?(OpenSSL)
9
+
10
+ class OpenSSL::TestX509Extension < Test::Unit::TestCase
11
+ def setup
12
+ @basic_constraints_value = OpenSSL::ASN1::Sequence([
13
+ OpenSSL::ASN1::Boolean(true), # CA
14
+ OpenSSL::ASN1::Integer(2) # pathlen
15
+ ])
16
+ @basic_constraints = OpenSSL::ASN1::Sequence([
17
+ OpenSSL::ASN1::ObjectId("basicConstraints"),
18
+ OpenSSL::ASN1::Boolean(true),
19
+ OpenSSL::ASN1::OctetString(@basic_constraints_value.to_der),
20
+ ])
21
+ end
22
+
23
+ def teardown
24
+ end
25
+
26
+ def test_new
27
+ ext = OpenSSL::X509::Extension.new(@basic_constraints.to_der)
28
+ assert_equal("basicConstraints", ext.oid)
29
+ assert_equal(true, ext.critical?)
30
+ assert_equal("CA:TRUE, pathlen:2", ext.value)
31
+
32
+ ext = OpenSSL::X509::Extension.new("2.5.29.19",
33
+ @basic_constraints_value.to_der, true)
34
+ assert_equal(@basic_constraints.to_der, ext.to_der)
35
+ end
36
+
37
+ def test_create_by_factory
38
+ ef = OpenSSL::X509::ExtensionFactory.new
39
+
40
+ bc = ef.create_extension("basicConstraints", "critical, CA:TRUE, pathlen:2")
41
+ assert_equal(@basic_constraints.to_der, bc.to_der)
42
+
43
+ bc = ef.create_extension("basicConstraints", "CA:TRUE, pathlen:2", true)
44
+ assert_equal(@basic_constraints.to_der, bc.to_der)
45
+
46
+ begin
47
+ ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_)
48
+ [crlDistPts]
49
+ URI.1 = http://www.example.com/crl
50
+ URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary
51
+ _end_of_cnf_
52
+ rescue NotImplementedError
53
+ return
54
+ end
55
+
56
+ cdp = ef.create_extension("crlDistributionPoints", "@crlDistPts")
57
+ assert_equal(false, cdp.critical?)
58
+ assert_equal("crlDistributionPoints", cdp.oid)
59
+ assert_match(%{URI:http://www\.example\.com/crl}, cdp.value)
60
+ assert_match(
61
+ %r{URI:ldap://ldap\.example\.com/cn=ca\?certificateRevocationList;binary},
62
+ cdp.value)
63
+
64
+ cdp = ef.create_extension("crlDistributionPoints", "critical, @crlDistPts")
65
+ assert_equal(true, cdp.critical?)
66
+ assert_equal("crlDistributionPoints", cdp.oid)
67
+ assert_match(%{URI:http://www.example.com/crl}, cdp.value)
68
+ assert_match(
69
+ %r{URI:ldap://ldap.example.com/cn=ca\?certificateRevocationList;binary},
70
+ cdp.value)
71
+ end
72
+ end
73
+
74
+ end
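Review bot: The `rescue NotImplementedError; return` in test_create_by_factory turns a missing `ExtensionFactory#config=` into a silently green test, so the crlDistributionPoints assertions that follow are never known to have run; report it instead, e.g. `flunk("ExtensionFactory#config= not implemented")` or a skip facility if this Test::Unit version provides one, so the coverage gap stays visible. Separately, the first `assert_match` calls pass `%{URI:http://www\.example\.com/crl}`, a plain string in which `\.` is just `.`, while the neighbouring call uses `%r{...}`; write them as `%r{URI:http://www\.example\.com/crl}` so the escapes mean what they look like and both matches use the same pattern form.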