jruby-openssl 0.11.0-java → 0.12.1-java

data/lib/jopenssl23/openssl/ssl.rb

@@ -1,508 +0,0 @@
-# frozen_string_literal: false
-=begin
-= Info
-  'OpenSSL for Ruby 2' project
-  Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
-  All rights reserved.
-
-= Licence
-  This program is licensed under the same licence as Ruby.
-  (See the file 'LICENCE'.)
-=end
-
-require "openssl/buffering"
-require "io/nonblock"
-
-module OpenSSL
-  module SSL
-    class SSLContext
-      unless const_defined? :DEFAULT_PARAMS # JRuby does it in Java
-      DEFAULT_PARAMS = { # :nodoc:
-        :min_version => OpenSSL::SSL::TLS1_VERSION,
-        :verify_mode => OpenSSL::SSL::VERIFY_PEER,
-        :verify_hostname => true,
-        :options => -> {
-          opts = OpenSSL::SSL::OP_ALL
-          opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
-          opts |= OpenSSL::SSL::OP_NO_COMPRESSION
-          opts
-        }.call
-      }
-
-      if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
-           OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
-        DEFAULT_PARAMS.merge!(
-          ciphers: %w{
-            ECDHE-ECDSA-AES128-GCM-SHA256
-            ECDHE-RSA-AES128-GCM-SHA256
-            ECDHE-ECDSA-AES256-GCM-SHA384
-            ECDHE-RSA-AES256-GCM-SHA384
-            DHE-RSA-AES128-GCM-SHA256
-            DHE-DSS-AES128-GCM-SHA256
-            DHE-RSA-AES256-GCM-SHA384
-            DHE-DSS-AES256-GCM-SHA384
-            ECDHE-ECDSA-AES128-SHA256
-            ECDHE-RSA-AES128-SHA256
-            ECDHE-ECDSA-AES128-SHA
-            ECDHE-RSA-AES128-SHA
-            ECDHE-ECDSA-AES256-SHA384
-            ECDHE-RSA-AES256-SHA384
-            ECDHE-ECDSA-AES256-SHA
-            ECDHE-RSA-AES256-SHA
-            DHE-RSA-AES128-SHA256
-            DHE-RSA-AES256-SHA256
-            DHE-RSA-AES128-SHA
-            DHE-RSA-AES256-SHA
-            DHE-DSS-AES128-SHA256
-            DHE-DSS-AES256-SHA256
-            DHE-DSS-AES128-SHA
-            DHE-DSS-AES256-SHA
-            AES128-GCM-SHA256
-            AES256-GCM-SHA384
-            AES128-SHA256
-            AES256-SHA256
-            AES128-SHA
-            AES256-SHA
-          }.join(":"),
-        )
-      end
-      end
-
-      if defined?(OpenSSL::PKey::DH)
-        DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
-JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
-VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
-YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
-1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
-7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
------END DH PARAMETERS-----
-        _end_of_pem_
-        private_constant :DEFAULT_2048
-
-        DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
-          warn "using default DH parameters." if $VERBOSE
-          DEFAULT_2048
-        }
-      end
-
-      begin
-        DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
-        DEFAULT_CERT_STORE.set_default_paths
-        DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
-      end unless const_defined? :DEFAULT_CERT_STORE # JRuby
-
-      # A callback invoked when DH parameters are required.
-      #
-      # The callback is invoked with the Session for the key exchange, an
-      # flag indicating the use of an export cipher and the keylength
-      # required.
-      #
-      # The callback must return an OpenSSL::PKey::DH instance of the correct
-      # key length.
-
-      attr_accessor :tmp_dh_callback
-
-      # A callback invoked at connect time to distinguish between multiple
-      # server names.
-      #
-      # The callback is invoked with an SSLSocket and a server name.  The
-      # callback must return an SSLContext for the server name or nil.
-      attr_accessor :servername_cb
-
-      # call-seq:
-      #    SSLContext.new           -> ctx
-      #    SSLContext.new(:TLSv1)   -> ctx
-      #    SSLContext.new("SSLv23") -> ctx
-      #
-      # Creates a new SSL context.
-      #
-      # If an argument is given, #ssl_version= is called with the value. Note
-      # that this form is deprecated. New applications should use #min_version=
-      # and #max_version= as necessary.
-      # def initialize(version = nil)
-      #   self.options |= OpenSSL::SSL::OP_ALL
-      #   self.ssl_version = version if version
-      # end
-
-      ##
-      # call-seq:
-      #   ctx.set_params(params = {}) -> params
-      #
-      # Sets saner defaults optimized for the use with HTTP-like protocols.
-      #
-      # If a Hash _params_ is given, the parameters are overridden with it.
-      # The keys in _params_ must be assignment methods on SSLContext.
-      #
-      # If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
-      # cert_store are not set then the system default certificate store is
-      # used.
-      def set_params(params={})
-        params = DEFAULT_PARAMS.merge(params)
-        # TODO JRuby: need to support SSLContext#options (since Ruby 2.5)
-        #self.options = params.delete(:options) # set before min_version/max_version
-        params.each { |name, value| self.__send__("#{name}=", value) }
-        if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
-          unless self.ca_file or self.ca_path or self.cert_store
-            self.cert_store = DEFAULT_CERT_STORE
-          end
-        end
-        return params
-      end unless method_defined? :set_params
-
-      # call-seq:
-      #    ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
-      #    ctx.min_version = :TLS1_2
-      #    ctx.min_version = nil
-      #
-      # Sets the lower bound on the supported SSL/TLS protocol version. The
-      # version may be specified by an integer constant named
-      # OpenSSL::SSL::*_VERSION, a Symbol, or +nil+ which means "any version".
-      #
-      # Be careful that you don't overwrite OpenSSL::SSL::OP_NO_{SSL,TLS}v*
-      # options by #options= once you have called #min_version= or
-      # #max_version=.
-      #
-      # === Example
-      #   ctx = OpenSSL::SSL::SSLContext.new
-      #   ctx.min_version = OpenSSL::SSL::TLS1_1_VERSION
-      #   ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
-      #
-      #   sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
-      #   sock.connect # Initiates a connection using either TLS 1.1 or TLS 1.2
-      def min_version=(version)
-        set_minmax_proto_version(version, @max_proto_version ||= nil)
-        @min_proto_version = version
-      end
-
-      # call-seq:
-      #    ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
-      #    ctx.max_version = :TLS1_2
-      #    ctx.max_version = nil
-      #
-      # Sets the upper bound of the supported SSL/TLS protocol version. See
-      # #min_version= for the possible values.
-      def max_version=(version)
-        set_minmax_proto_version(@min_proto_version ||= nil, version)
-        @max_proto_version = version
-      end
-
-      # call-seq:
-      #    ctx.ssl_version = :TLSv1
-      #    ctx.ssl_version = "SSLv23"
-      #
-      # Sets the SSL/TLS protocol version for the context. This forces
-      # connections to use only the specified protocol version. This is
-      # deprecated and only provided for backwards compatibility. Use
-      # #min_version= and #max_version= instead.
-      #
-      # === History
-      # As the name hints, this used to call the SSL_CTX_set_ssl_version()
-      # function which sets the SSL method used for connections created from
-      # the context. As of Ruby/OpenSSL 2.1, this accessor method is
-      # implemented to call #min_version= and #max_version= instead.
-      def ssl_version=(meth)
-        meth = meth.to_s if meth.is_a?(Symbol)
-        if /(?<type>_client|_server)\z/ =~ meth
-          meth = $`
-          if $VERBOSE
-            warn "#{caller(1, 1)[0]}: method type #{type.inspect} is ignored"
-          end
-        end
-        version = METHODS_MAP[meth.intern] or
-          raise ArgumentError, "unknown SSL method `%s'" % meth
-        set_minmax_proto_version(version, version)
-        @min_proto_version = @max_proto_version = version
-      end unless method_defined? :ssl_version=
-
-      METHODS_MAP = {
-        SSLv23: 0,
-        SSLv2: OpenSSL::SSL::SSL2_VERSION,
-        SSLv3: OpenSSL::SSL::SSL3_VERSION,
-        TLSv1: OpenSSL::SSL::TLS1_VERSION,
-        TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION,
-        TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION,
-      }.freeze
-      private_constant :METHODS_MAP
-      
-      # METHODS setup from native (JRuby)
-      # deprecate_constant :METHODS
-    end
-
-    module SocketForwarder
-      def addr
-        to_io.addr
-      end
-
-      def peeraddr
-        to_io.peeraddr
-      end
-
-      def setsockopt(level, optname, optval)
-        to_io.setsockopt(level, optname, optval)
-      end
-
-      def getsockopt(level, optname)
-        to_io.getsockopt(level, optname)
-      end
-
-      def fcntl(*args)
-        to_io.fcntl(*args)
-      end
-
-      def closed?
-        to_io.closed?
-      end
-
-      def do_not_reverse_lookup=(flag)
-        to_io.do_not_reverse_lookup = flag
-      end
-    end unless const_defined? :SocketForwarder # JRuby: hooked up in "native" Java
-
-    def verify_certificate_identity(cert, hostname)
-      should_verify_common_name = true
-      cert.extensions.each{|ext|
-        next if ext.oid != "subjectAltName"
-        ext.value.split(/,\s+/).each { |general_name|
-          #case san.tag
-          # MRI 2.2.3 (JRuby parses ASN.1 differently)
-          #when 2 # dNSName in GeneralName (RFC5280)
-          if /\ADNS:(.*)/ =~ general_name
-            should_verify_common_name = false
-            return true if verify_hostname(hostname, $1)
-          # MRI 2.2.3 (JRuby parses ASN.1 differently)
-          #when 7 # iPAddress in GeneralName (RFC5280)
-          elsif /\AIP(?: Address)?:(.*)/ =~ general_name
-            should_verify_common_name = false
-            return true if $1 == hostname
-            # NOTE: bellow logic makes little sense JRuby reads exts differently
-            # follows GENERAL_NAME_print() in x509v3/v3_alt.c
-            #if san.value.size == 4
-            #  return true if san.value.unpack('C*').join('.') == hostname
-            #elsif san.value.size == 16
-            #  return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
-            #end
-          end
-        }
-      }
-      if should_verify_common_name
-        cert.subject.to_a.each{|oid, value|
-          if oid == "CN"
-            return true if verify_hostname(hostname, value)
-          end
-        }
-      end
-      return false
-    end
-    module_function :verify_certificate_identity
-
-    def verify_hostname(hostname, san) # :nodoc:
-      # RFC 5280, IA5String is limited to the set of ASCII characters
-      return false unless san.ascii_only?
-      return false unless hostname.ascii_only?
-
-      # See RFC 6125, section 6.4.1
-      # Matching is case-insensitive.
-      san_parts = san.downcase.split(".")
-
-      # TODO: this behavior should probably be more strict
-      return san == hostname if san_parts.size < 2
-
-      # Matching is case-insensitive.
-      host_parts = hostname.downcase.split(".")
-
-      # RFC 6125, section 6.4.3, subitem 2.
-      # If the wildcard character is the only character of the left-most
-      # label in the presented identifier, the client SHOULD NOT compare
-      # against anything but the left-most label of the reference
-      # identifier (e.g., *.example.com would match foo.example.com but
-      # not bar.foo.example.com or example.com).
-      return false unless san_parts.size == host_parts.size
-
-      # RFC 6125, section 6.4.3, subitem 1.
-      # The client SHOULD NOT attempt to match a presented identifier in
-      # which the wildcard character comprises a label other than the
-      # left-most label (e.g., do not match bar.*.example.net).
-      return false unless verify_wildcard(host_parts.shift, san_parts.shift)
-
-      san_parts.join(".") == host_parts.join(".")
-    end
-    module_function :verify_hostname
-
-    def verify_wildcard(domain_component, san_component) # :nodoc:
-      parts = san_component.split("*", -1)
-
-      return false if parts.size > 2
-      return san_component == domain_component if parts.size == 1
-
-      # RFC 6125, section 6.4.3, subitem 3.
-      # The client SHOULD NOT attempt to match a presented identifier
-      # where the wildcard character is embedded within an A-label or
-      # U-label of an internationalized domain name.
-      return false if domain_component.start_with?("xn--") && san_component != "*"
-
-      parts[0].length + parts[1].length < domain_component.length &&
-      domain_component.start_with?(parts[0]) &&
-      domain_component.end_with?(parts[1])
-    end
-    module_function :verify_wildcard
-
-    class SSLSocket
-      include Buffering
-      include SocketForwarder
-
-      # attr_reader :hostname
-      #
-      # # The underlying IO object.
-      # attr_reader :io
-      # alias :to_io :io
-      #
-      # # The SSLContext object used in this connection.
-      # attr_reader :context
-      #
-      # # Whether to close the underlying socket as well, when the SSL/TLS
-      # # connection is shut down. This defaults to +false+.
-      # attr_accessor :sync_close
-
-      # call-seq:
-      #    ssl.sysclose => nil
-      #
-      # Sends "close notify" to the peer and tries to shut down the SSL
-      # connection gracefully.
-      #
-      # If sync_close is set to +true+, the underlying IO is also closed.
-      def sysclose
-        return if closed?
-        stop
-        io.close if sync_close
-      end unless method_defined? :sysclose
-
-      # call-seq:
-      #   ssl.post_connection_check(hostname) -> true
-      #
-      # Perform hostname verification following RFC 6125.
-      #
-      # This method MUST be called after calling #connect to ensure that the
-      # hostname of a remote peer has been verified.
-      def post_connection_check(hostname)
-        if peer_cert.nil?
-          msg = "Peer verification enabled, but no certificate received."
-          if using_anon_cipher?
-            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. " \
-                   "Anonymous suites must be disabled to use peer verification."
-          end
-          raise SSLError, msg
-        end
-
-        unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
-          raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
-        end
-        return true
-      end
-
-      # call-seq:
-      #   ssl.session -> aSession
-      #
-      # Returns the SSLSession object currently used, or nil if the session is
-      # not established.
-      def session
-        SSL::Session.new(self)
-      rescue SSL::Session::SessionError
-        nil
-      end unless method_defined? :session # JRuby
-
-      private
-
-      def using_anon_cipher?
-        ctx = OpenSSL::SSL::SSLContext.new
-        ctx.ciphers = "aNULL"
-        ctx.ciphers.include?(cipher)
-      end
-
-      def client_cert_cb
-        @context.client_cert_cb
-      end
-
-      def tmp_dh_callback
-        @context.tmp_dh_callback || OpenSSL::SSL::SSLContext::DEFAULT_TMP_DH_CALLBACK
-      end
-
-      def tmp_ecdh_callback
-        @context.tmp_ecdh_callback
-      end
-
-      def session_new_cb
-        @context.session_new_cb
-      end
-
-      def session_get_cb
-        @context.session_get_cb
-      end
-    end
-
-    ##
-    # SSLServer represents a TCP/IP server socket with Secure Sockets Layer.
-    class SSLServer
-      include SocketForwarder
-      # When true then #accept works exactly the same as TCPServer#accept
-      attr_accessor :start_immediately
-
-      # Creates a new instance of SSLServer.
-      # * _srv_ is an instance of TCPServer.
-      # * _ctx_ is an instance of OpenSSL::SSL::SSLContext.
-      def initialize(svr, ctx)
-        @svr = svr
-        @ctx = ctx
-        unless ctx.session_id_context
-          # see #6137 - session id may not exceed 32 bytes
-          prng = ::Random.new($0.hash)
-          session_id = prng.bytes(16).unpack('H*')[0]
-          @ctx.session_id_context = session_id
-        end
-        @start_immediately = true
-      end
-
-      # Returns the TCPServer passed to the SSLServer when initialized.
-      def to_io
-        @svr
-      end
-
-      # See TCPServer#listen for details.
-      def listen(backlog=5)
-        @svr.listen(backlog)
-      end
-
-      # See BasicSocket#shutdown for details.
-      def shutdown(how=Socket::SHUT_RDWR)
-        @svr.shutdown(how)
-      end
-
-      # Works similar to TCPServer#accept.
-      def accept
-        # Socket#accept returns [socket, addrinfo].
-        # TCPServer#accept returns a socket.
-        # The following comma strips addrinfo.
-        sock, = @svr.accept
-        begin
-          ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx)
-          ssl.sync_close = true
-          ssl.accept if @start_immediately
-          ssl
-        rescue Exception => ex
-          if ssl
-            ssl.close
-          else
-            sock.close
-          end
-          raise ex
-        end
-      end
-
-      # See IO#close for details.
-      def close
-        @svr.close
-      end
-    end
-  end
-end

data/lib/jopenssl23/openssl/x509.rb

@@ -1,208 +0,0 @@
-# frozen_string_literal: false
-#--
-# = Ruby-space definitions that completes C-space funcs for X509 and subclasses
-#
-# = Info
-# 'OpenSSL for Ruby 2' project
-# Copyright (C) 2002  Michal Rokos <m.rokos@sh.cvut.cz>
-# All rights reserved.
-#
-# = Licence
-# This program is licensed under the same licence as Ruby.
-# (See the file 'LICENCE'.)
-#++
-
-module OpenSSL
-  module X509
-    # class ExtensionFactory
-    #   def create_extension(*arg)
-    #     if arg.size > 1
-    #       create_ext(*arg)
-    #     else
-    #       send("create_ext_from_"+arg[0].class.name.downcase, arg[0])
-    #     end
-    #   end
-    #
-    #   def create_ext_from_array(ary)
-    #     raise ExtensionError, "unexpected array form" if ary.size > 3
-    #     create_ext(ary[0], ary[1], ary[2])
-    #   end
-    #
-    #   def create_ext_from_string(str) # "oid = critical, value"
-    #     oid, value = str.split(/=/, 2)
-    #     oid.strip!
-    #     value.strip!
-    #     create_ext(oid, value)
-    #   end
-    #
-    #   def create_ext_from_hash(hash)
-    #     create_ext(hash["oid"], hash["value"], hash["critical"])
-    #   end
-    # end
-    #
-    # class Extension
-    #   def ==(other)
-    #     return false unless Extension === other
-    #     to_der == other.to_der
-    #   end
-    #
-    #   def to_s # "oid = critical, value"
-    #     str = self.oid
-    #     str << " = "
-    #     str << "critical, " if self.critical?
-    #     str << self.value.gsub(/\n/, ", ")
-    #   end
-    #
-    #   def to_h # {"oid"=>sn|ln, "value"=>value, "critical"=>true|false}
-    #     {"oid"=>self.oid,"value"=>self.value,"critical"=>self.critical?}
-    #   end
-    #
-    #   def to_a
-    #     [ self.oid, self.value, self.critical? ]
-    #   end
-    # end
-
-    class Name
-      module RFC2253DN
-        Special = ',=+<>#;'
-        HexChar = /[0-9a-fA-F]/
-        HexPair = /#{HexChar}#{HexChar}/
-        HexString = /#{HexPair}+/
-        Pair = /\\(?:[#{Special}]|\\|"|#{HexPair})/
-        StringChar = /[^\\"#{Special}]/
-        QuoteChar = /[^\\"]/
-        AttributeType = /[a-zA-Z][0-9a-zA-Z]*|[0-9]+(?:\.[0-9]+)*/
-        AttributeValue = /
-          (?!["#])((?:#{StringChar}|#{Pair})*)|
-          \#(#{HexString})|
-          "((?:#{QuoteChar}|#{Pair})*)"
-        /x
-        TypeAndValue = /\A(#{AttributeType})=#{AttributeValue}/
-
-        module_function
-
-        def expand_pair(str)
-          return nil unless str
-          return str.gsub(Pair){
-            pair = $&
-            case pair.size
-            when 2 then pair[1,1]
-            when 3 then Integer("0x#{pair[1,2]}").chr
-            else raise OpenSSL::X509::NameError, "invalid pair: #{str}"
-            end
-          }
-        end
-
-        def expand_hexstring(str)
-          return nil unless str
-          der = str.gsub(HexPair){$&.to_i(16).chr }
-          a1 = OpenSSL::ASN1.decode(der)
-          return a1.value, a1.tag
-        end
-
-        def expand_value(str1, str2, str3)
-          value = expand_pair(str1)
-          value, tag = expand_hexstring(str2) unless value
-          value = expand_pair(str3) unless value
-          return value, tag
-        end
-
-        def scan(dn)
-          str = dn
-          ary = []
-          while true
-            if md = TypeAndValue.match(str)
-              remain = md.post_match
-              type = md[1]
-              value, tag = expand_value(md[2], md[3], md[4]) rescue nil
-              if value
-                type_and_value = [type, value]
-                type_and_value.push(tag) if tag
-                ary.unshift(type_and_value)
-                if remain.length > 2 && remain[0] == ?,
-                  str = remain[1..-1]
-                  next
-                elsif remain.length > 2 && remain[0] == ?+
-                  raise OpenSSL::X509::NameError,
-                    "multi-valued RDN is not supported: #{dn}"
-                elsif remain.empty?
-                  break
-                end
-              end
-            end
-            msg_dn = dn[0, dn.length - str.length] + " =>" + str
-            raise OpenSSL::X509::NameError, "malformed RDN: #{msg_dn}"
-          end
-          return ary
-        end
-      end
-
-      class << self
-        def parse_rfc2253(str, template=OBJECT_TYPE_TEMPLATE)
-          ary = OpenSSL::X509::Name::RFC2253DN.scan(str)
-          self.new(ary, template)
-        end
-
-        def parse_openssl(str, template=OBJECT_TYPE_TEMPLATE)
-          if str.start_with?("/")
-            # /A=B/C=D format
-            ary = str[1..-1].split("/").map { |i| i.split("=", 2) }
-          else
-            # Comma-separated
-            ary = str.split(",").map { |i| i.strip.split("=", 2) }
-          end
-          self.new(ary, template)
-        end
-
-        alias parse parse_openssl
-      end
-
-      def pretty_print(q)
-        q.object_group(self) {
-          q.text ' '
-          q.text to_s(OpenSSL::X509::Name::RFC2253)
-        }
-      end
-    end
-
-    # class Attribute
-    #   def ==(other)
-    #     return false unless Attribute === other
-    #     to_der == other.to_der
-    #   end
-    # end
-
-    class StoreContext
-      def cleanup
-        warn "(#{caller.first}) OpenSSL::X509::StoreContext#cleanup is deprecated with no replacement" if $VERBOSE
-      end
-    end
-
-    class Certificate
-      def pretty_print(q)
-        q.object_group(self) {
-          q.breakable
-          q.text 'subject='; q.pp self.subject; q.text ','; q.breakable
-          q.text 'issuer='; q.pp self.issuer; q.text ','; q.breakable
-          q.text 'serial='; q.pp self.serial; q.text ','; q.breakable
-          q.text 'not_before='; q.pp self.not_before; q.text ','; q.breakable
-          q.text 'not_after='; q.pp self.not_after
-        }
-      end
-    end
-
-    # class CRL
-    #   def ==(other)
-    #     return false unless CRL === other
-    #     to_der == other.to_der
-    #   end
-    # end
-
-    # class Request
-    #   def ==(other)
-    #     return false unless Request === other
-    #     to_der == other.to_der
-    #   end
-    # end
-  end
-end