jruby-openssl 0.5.2 → 0.6

data/test/fixture/purpose/ca/ca_config.rb

@@ -0,0 +1,37 @@
+class CAConfig
+  BASE_DIR = File.dirname(__FILE__)
+  KEYPAIR_FILE = "#{BASE_DIR}/private/cakeypair.pem"
+  CERT_FILE = "#{BASE_DIR}/cacert.pem"
+  SERIAL_FILE = "#{BASE_DIR}/serial"
+  NEW_CERTS_DIR = "#{BASE_DIR}/newcerts"
+  NEW_KEYPAIR_DIR = "#{BASE_DIR}/private/keypair_backup"
+  CRL_DIR = "#{BASE_DIR}/crl"
+
+  NAME = [['C', 'JP'], ['O', 'www.ruby-lang.org'], ['OU', 'development']]
+  CA_CERT_DAYS = 20 * 365
+  CA_RSA_KEY_LENGTH = 2048
+
+  CERT_DAYS = 19 * 365
+  CERT_KEY_LENGTH_MIN = 1024
+  CERT_KEY_LENGTH_MAX = 2048
+  CDP_LOCATION = nil
+  OCSP_LOCATION = nil
+
+  CRL_FILE = "#{CRL_DIR}/jruby.crl"
+  CRL_PEM_FILE = "#{CRL_DIR}/jruby.pem"
+  CRL_DAYS = 14
+
+  PASSWD_CB = Proc.new { |flag|
+    print "Enter password: "
+    pass = $stdin.gets.chop!
+    # when the flag is true, this passphrase
+    # will be used to perform encryption; otherwise it will
+    # be used to perform decryption.
+    if flag
+      print "Verify password: "
+      pass2 = $stdin.gets.chop!
+      raise "verify failed." if pass != pass2
+    end
+    pass
+  }
+end

data/test/fixture/purpose/ca/cacert.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDI5MjBaFw0yOTExMTQxMDI5MjBaMEwx
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzEUMBIGA1UE
+CwwLZGV2ZWxvcG1lbnQxCzAJBgNVBAMMAkNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA2nXhXZxXUs1Sfxqi8sReyzPHRcAHQM9RqDAGG9Nt1zYrLXwg
+MmUhOr4yBeW2KAxJGxdRQSzI38jyT6mrDRBpTl/OeU9zBG4p6AtFGkoMnRvUonB3
+CvgYJXhmrFjnHn34JNaRSORjaZDBmI9/fMGvaYndEM3wJ2b3jEOeizDIG60kZxA6
+XQ+X7ral+aABsjomubvjEQ9dlcDhQlssKjbjaN3NZ/kL/i/75jc6rzT05XYYkj+Z
+9rPRfT+HH3c5EYLtxcRTEHVWXMC8/of7oOFgZwwI3Cx9/v1s2Z6gdJ8J0kIkEoUL
+ziYsLIOmVB2tx0rKkmeivJB4PTM5QyHb7d1xUwIDAQABo4HsMIHpMA8GA1UdEwEB
+/wQFMAMBAf8wMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFBOZGvHkAfn+0Ct33rQ6tW2UmF5TMA4GA1Ud
+DwEB/wQEAwIBBjB0BgNVHSMEbTBrgBQTmRrx5AH5/tArd960OrVtlJheU6FQpE4w
+TDELMAkGA1UEBhMCSlAxGjAYBgNVBAoMEXd3dy5ydWJ5LWxhbmcub3JnMRQwEgYD
+VQQLDAtkZXZlbG9wbWVudDELMAkGA1UEAwwCQ0GCAQEwDQYJKoZIhvcNAQEFBQAD
+ggEBACfgSl3pA+e3JyjgS/zscaJHHNDwXIIoH0KY6pcrZnl7Zh8CW+Gdba621Lek
+aAy0YhAAM9bF87QZG1+sL7B2H1oSTt7F67SwQfq079oNWjhEdV5dxBKk6XaU0R31
+KXSsmLR4pMxcFdPzGM0FTiSj9FNKk2pydVySsa5jJeG0qvXVFMqsRUUwklQHl9Kx
+9GZiknt4PEGj/ThUwarhRbRjV5z7ZxXKexkangBlRWPX7TjvlpZPgLzAODG4fiRW
+ZUo8Ng7QolTJuPAhlVxhdi9n5hItm6mt21RTpQcP49KoGe8x+T4EzPO0PPdCMliD
+fH3udDO+bq2F8H4ts6ZJAYWFo8U=
+-----END CERTIFICATE-----

data/test/fixture/purpose/ca/newcerts/2_cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBjCCAe6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDMwMTdaFw0yODExMTQxMDMwMTdaMD0x
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzESMBAGA1UE
+AwwJc3Nsc2VydmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgYsazavfR
+a72yK4qfnIjOrDT9Uv2ToL4swbE86PXY5N+YvUig3fVmNJo72rT5JlAODs+MtJJU
+aJ8HsczlGdrhjTWyT/0fyoY/rC4mi5UFASBCbaoaviDPgbhI6ehBY6d5vEYQOW79
+fL95KIa+OyGzUNYy+EkSxJmvt/8EJYtqIwIDAQABo4GFMIGCMAwGA1UdEwEB/wQC
+MAAwMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFJsUyGU/R4muSKVIeckJElcBNbipMAsGA1UdDwQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAAc49qdDC
+TzFoWy794TYEx/uSAFQPMxp/dktYuMvtMSqhOfkDAaX7YFAD40R9tQljm6Vb7uEB
+afAecveSyBN2EPZas8NdohJJcTT/pu39E9iMuvAoxz+R8RV7S/RikFOtoet79owa
+6lnD3893tz5RR5BloRX7yRii87U5LUdxd3CvEmA7ycNTO8ZEaAuLDitsTMxhPiIJ
+DeGW5L8DCyiWuDt9K6S13XdnDxTvYUmafVPU59BncdSoY/3BebappMzDM8QM0yCZ
+GWh7ItY4sncMur1fc9ZuSsyplT3d3jysmVXolz2khxboMPVBoRSTtgBOn1PSsVma
+FWULbrbYBK5Cqg==
+-----END CERTIFICATE-----

data/test/fixture/purpose/ca/newcerts/3_cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAfigAwIBAgIBAzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDMwMjdaFw0yODExMTQxMDMwMjdaMD0x
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzESMBAGA1UE
+AwwJc3NsY2xpZW50MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgemBPByEo
+KbxaYnHXJxslyYsdWWCKf6j2mVIoxzC0b7W4TS5loBzOkZ05rkuapZ7O5flSMjtH
+5NMJ2h7/zsgK5XBkNRCPFK+8HMXVFdSs+euKY+2qE01P0NIuCrkvKjJgsrXdy3sG
+2UVUEoYEt5MHDR6aBL0Km+nVKc6T7O+KtQIDAQABo4GPMIGMMAwGA1UdEwEB/wQC
+MAAwMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFOFnq0r6adftxM/7aApl0DDrLTNWMAsGA1UdDwQEAwIF
+4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQEFBQAD
+ggEBACiRGC9KvUP2PaU7JmcIzJHMJtz0mUsO8KJeFWmBCSkfQErF3egOzE47WcRM
+0lGy0e4fjJB3at/O2V4RgwkFpsBpGXv9LJ5ZVXkEu9PwzwLTGZ4VfSPNIXgse1lK
+9EYOXgL8XhL7c9XPJLRFOWt6Odwp1VjQ2RqkpYLYnsHZam+5gsRd5K2yS0VO8A1Q
+otxH1D4evwpoSAaRHSff71Qh7046g2jGvCvdEVqBXuAoOuY8IRvf6YpTKEcPuOOo
+t7h5kLIVKuG4/AikVZ62Xh7DjdRFxy/Pxg3uIhrvkHkG8QtEFgBBMHoQR6iSGf6N
+1SNrs9tpu1oqTSzoKFG72BsEA6M=
+-----END CERTIFICATE-----

data/test/fixture/purpose/ca/private/cakeypair.pem

@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,1381BA5304F6971E
+
+NmDiHjP3Kn3gG7q0oG8n5nyCM8wp5PYeEpuwrZmnNzpdsTTxpPV2Px8wy9EBrR4k
+SeZufUHA7T+zOLc1mSGMm+LOSSV2CMcUnby+yVRuV7CTtw7AwD+et7asff/HU1v6
+GE4SbX0tnZskiAR00zZTN/C17w27HIG7qNHrEjCng/S4fKFVNe6riQbmQqvykYQS
+8bZsQzzlB8e8kxNV5EDvYag3oevgY7RpIWUXEwTHd46o+8GsExuhs+8WpiO1az1D
+vu0u0MpO5t6PKyafp5vdiLTiwoY8VUdCF627FbyCWFkSuRbYxXNiRZzIvgwtZS7d
+wHOr5aVA2ROli2S7W5Mmx00tww05mPdzQbk5q6ZMxD+lK9bIuHEGwBY0IaWjkJtt
+a0RyBilLatVE9866D40dmNKA4mzAqtADdq6vwzoEqd7kVdwjdk7EMvaZgACrBypH
+NfadJ+HG2TW+4gnZLG60y6YaMPXAbObCUHCUYVhJe/E4mGdSkKOGgiQks9hT448T
++/YBt2TqCq3UQU2rfxLVV6AlD/tywTwPTb0Leu40oTNEQyJ9aaQXmcZHZlDWI+Sl
+xdvGule84RenlV+GnC5UlBxUopTKbVSI7tw10grJtz5/TWx7ubOQ4pCNHzxksQH7
+YqygX5F6jlR6GbZFYUozNf57Frh9zUmhc6YWGFeTz1uc6rRqTCrKcyqvRD9QCYPY
+P+8MhvztbbYOr+XRStVeuDXzMwS6/HUrlPTt0IvO3Hq9dFDaTg1bW4mzgdKuYotV
+VF5DRenkF8lalTFpMppNsfpldazrZ8VvW5qRwbKF4mu7AWsBh9IpZMW15LtI7fUA
+L+JQO8aBUq6gyXTzaJxx8kxpdcIRtubOIultptj2m/XPXNNFSsI5DMv7V5jh58sC
+ju2RwxwivcWh1XtQxc4RNzvP3/Ek85at+cO9Q74Tu4f8alJZiWT51PZRwaucdQ8y
+rYT32rsqoWw1MvkDDENHbEt1QZ7AFmO3zFeGYXbPNHoi2gKzCo7xQtCm+QXQAh7B
+87KoKqwS9BO9QA/F+htVW9mbA+Yc5a2vcykxYbGlGqyMleI8cU5AeIbGoZdyYaun
+cDX/NtyV3HGPD5aHUPcz/sP7KAbdLzwh72CzRqQQo8yxOmQEWdd7W8jtxt0on2cs
+AXj59c9jKRJl5XlXMQO+VWnWO04bWxs8PAgop5Y4ePY766/mL1bAr02kdI6DJ9mx
+Opmpqk4gPZpnksnCQWJelPPYad0S49QxbOIWf5bI9FMi+6cgVh76iC5nMGVGI+gw
+lS64zEHhSRXuAC9Nsw5d+owc3aCG15DzUjpEBhDJ8EYKP9kgiJU0rnqPqGrriyrb
+f6kNOisGvAbI3RldVDLvvZbZEffPu60yA1rP7XaBRPn4K3g+3KTiEcn00wwJaoc3
+rddzmUCbx6fOluN+34BiPdJzHBZsROEvCcT4KGw1/nZIp/GgX3f3nPW40go2RLFP
+THQ5L0tuEvyhtJWaiLzjoZ3kCiwWZUzUwYCSfP9raVVXAxLoS4wU+qqKPl6/AaLI
+NDgIDJtZ0hrnptZuCkBUzVGQzxpMr8IVK/zQDq8uSXI53heZhLQoww==
+-----END RSA PRIVATE KEY-----

data/test/fixture/purpose/ca/serial

@@ -0,0 +1 @@
+0004

data/test/fixture/purpose/cacert.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDI5MjBaFw0yOTExMTQxMDI5MjBaMEwx
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzEUMBIGA1UE
+CwwLZGV2ZWxvcG1lbnQxCzAJBgNVBAMMAkNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA2nXhXZxXUs1Sfxqi8sReyzPHRcAHQM9RqDAGG9Nt1zYrLXwg
+MmUhOr4yBeW2KAxJGxdRQSzI38jyT6mrDRBpTl/OeU9zBG4p6AtFGkoMnRvUonB3
+CvgYJXhmrFjnHn34JNaRSORjaZDBmI9/fMGvaYndEM3wJ2b3jEOeizDIG60kZxA6
+XQ+X7ral+aABsjomubvjEQ9dlcDhQlssKjbjaN3NZ/kL/i/75jc6rzT05XYYkj+Z
+9rPRfT+HH3c5EYLtxcRTEHVWXMC8/of7oOFgZwwI3Cx9/v1s2Z6gdJ8J0kIkEoUL
+ziYsLIOmVB2tx0rKkmeivJB4PTM5QyHb7d1xUwIDAQABo4HsMIHpMA8GA1UdEwEB
+/wQFMAMBAf8wMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFBOZGvHkAfn+0Ct33rQ6tW2UmF5TMA4GA1Ud
+DwEB/wQEAwIBBjB0BgNVHSMEbTBrgBQTmRrx5AH5/tArd960OrVtlJheU6FQpE4w
+TDELMAkGA1UEBhMCSlAxGjAYBgNVBAoMEXd3dy5ydWJ5LWxhbmcub3JnMRQwEgYD
+VQQLDAtkZXZlbG9wbWVudDELMAkGA1UEAwwCQ0GCAQEwDQYJKoZIhvcNAQEFBQAD
+ggEBACfgSl3pA+e3JyjgS/zscaJHHNDwXIIoH0KY6pcrZnl7Zh8CW+Gdba621Lek
+aAy0YhAAM9bF87QZG1+sL7B2H1oSTt7F67SwQfq079oNWjhEdV5dxBKk6XaU0R31
+KXSsmLR4pMxcFdPzGM0FTiSj9FNKk2pydVySsa5jJeG0qvXVFMqsRUUwklQHl9Kx
+9GZiknt4PEGj/ThUwarhRbRjV5z7ZxXKexkangBlRWPX7TjvlpZPgLzAODG4fiRW
+ZUo8Ng7QolTJuPAhlVxhdi9n5hItm6mt21RTpQcP49KoGe8x+T4EzPO0PPdCMliD
+fH3udDO+bq2F8H4ts6ZJAYWFo8U=
+-----END CERTIFICATE-----

data/test/fixture/purpose/scripts/gen_cert.rb

@@ -0,0 +1,127 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'ca_config'
+require 'fileutils'
+require 'getopts'
+
+include OpenSSL
+
+def usage
+  myname = File::basename($0)
+  $stderr.puts "Usage: #{myname} [--type (client|server|ca|ocsp)] [--out certfile] csr_file"
+  exit
+end
+
+getopts nil, 'type:client', 'out:', 'force'
+
+cert_type = $OPT_type
+out_file = $OPT_out || 'cert.pem'
+csr_file = ARGV.shift or usage
+ARGV.empty? or usage
+
+csr = X509::Request.new(File.open(csr_file).read)
+unless csr.verify(csr.public_key)
+  raise "CSR sign verification failed."
+end
+p csr.public_key
+if csr.public_key.n.num_bits < CAConfig::CERT_KEY_LENGTH_MIN
+  raise "Key length too short"
+end
+if csr.public_key.n.num_bits > CAConfig::CERT_KEY_LENGTH_MAX
+  raise "Key length too long"
+end
+if csr.subject.to_a[0, CAConfig::NAME.size] != CAConfig::NAME
+  unless $OPT_force
+    p csr.subject.to_a
+    p CAConfig::NAME
+    raise "DN does not match"
+  end
+end
+
+# Only checks signature here.  You must verify CSR according to your CP/CPS.
+
+$stdout.sync = true
+
+# CA setup
+
+ca_file = CAConfig::CERT_FILE
+puts "Reading CA cert (from #{ca_file})"
+ca = X509::Certificate.new(File.read(ca_file))
+
+ca_keypair_file = CAConfig::KEYPAIR_FILE
+puts "Reading CA keypair (from #{ca_keypair_file})"
+ca_keypair = PKey::RSA.new(File.read(ca_keypair_file), &CAConfig::PASSWD_CB)
+
+serial = File.open(CAConfig::SERIAL_FILE, "r").read.chomp.hex
+File.open(CAConfig::SERIAL_FILE, "w") do |f|
+  f << sprintf("%04X", serial + 1)
+end
+
+# Generate new cert
+
+cert = X509::Certificate.new
+from = Time.now # + 30 * 60	# Wait 30 minutes.
+cert.subject = csr.subject
+cert.issuer = ca.subject
+cert.not_before = from
+cert.not_after = from + CAConfig::CERT_DAYS * 24 * 60 * 60
+cert.public_key = csr.public_key
+cert.serial = serial
+cert.version = 2 # X509v3
+
+basic_constraint = nil
+key_usage = []
+ext_key_usage = []
+case cert_type
+when "ca"
+  basic_constraint = "CA:TRUE"
+  key_usage << "cRLSign" << "keyCertSign"
+when "terminalsubca"
+  basic_constraint = "CA:TRUE,pathlen:0"
+  key_usage << "cRLSign" << "keyCertSign"
+when "server"
+  basic_constraint = "CA:FALSE"
+  key_usage << "digitalSignature" << "keyEncipherment"
+  ext_key_usage << "serverAuth"
+when "ocsp"
+  basic_constraint = "CA:FALSE"
+  key_usage << "nonRepudiation" << "digitalSignature"
+  ext_key_usage << "serverAuth" << "OCSPSigning"
+when "client"
+  basic_constraint = "CA:FALSE"
+  key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+  ext_key_usage << "clientAuth" << "emailProtection"
+else
+  raise "unknonw cert type \"#{cert_type}\" is specified."
+end
+
+ef = X509::ExtensionFactory.new
+ef.subject_certificate = cert
+ef.issuer_certificate = ca
+ex = []
+ex << ef.create_extension("basicConstraints", basic_constraint, true)
+ex << ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
+ex << ef.create_extension("subjectKeyIdentifier", "hash")
+#ex << ef.create_extension("nsCertType", "client,email")
+ex << ef.create_extension("keyUsage", key_usage.join(",")) unless key_usage.empty?
+#ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+#ex << ef.create_extension("authorityKeyIdentifier", "keyid:always")
+ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) unless ext_key_usage.empty?
+
+ex << ef.create_extension("crlDistributionPoints", CAConfig::CDP_LOCATION) if CAConfig::CDP_LOCATION
+ex << ef.create_extension("authorityInfoAccess", "OCSP;" << CAConfig::OCSP_LOCATION) if CAConfig::OCSP_LOCATION
+cert.extensions = ex
+cert.sign(ca_keypair, OpenSSL::Digest::SHA1.new)
+
+# For backup
+
+cert_file = CAConfig::NEW_CERTS_DIR + "/#{cert.serial}_cert.pem"
+File.open(cert_file, "w", 0644) do |f|
+  f << cert.to_pem
+end
+
+puts "Writing cert.pem..."
+FileUtils.copy(cert_file, out_file)
+
+puts "DONE. (Generated certificate for '#{cert.subject}')"

data/test/fixture/purpose/scripts/gen_csr.rb

@@ -0,0 +1,50 @@
+#!/usr/bin/env ruby
+
+require 'getopts'
+require 'openssl'
+
+include OpenSSL
+
+def usage
+  myname = File::basename($0)
+  $stderr.puts <<EOS
+Usage: #{myname} [--key keypair_file] name
+  name ... ex. /C=JP/O=RRR/OU=CA/CN=NaHi/emailAddress=nahi@example.org
+EOS
+  exit
+end
+
+getopts nil, "key:", "csrout:", "keyout:"
+keypair_file = $OPT_key
+csrout = $OPT_csrout || "csr.pem"
+keyout = $OPT_keyout || "keypair.pem"
+
+$stdout.sync = true
+name_str = ARGV.shift or usage()
+p name_str
+name = X509::Name.parse(name_str)
+
+keypair = nil
+if keypair_file
+  keypair = PKey::RSA.new(File.open(keypair_file).read)
+else
+  keypair = PKey::RSA.new(1024) { putc "." }
+  puts
+  puts "Writing #{keyout}..."
+  File.open(keyout, "w", 0400) do |f|
+    f << keypair.to_pem
+  end
+end
+
+puts "Generating CSR for #{name_str}"
+
+req = X509::Request.new
+req.version = 0
+req.subject = name
+req.public_key = keypair.public_key
+req.sign(keypair, OpenSSL::Digest::MD5.new)
+
+puts "Writing #{csrout}..."
+File.open(csrout, "w") do |f|
+  f << req.to_pem
+end

data/test/fixture/purpose/scripts/init_ca.rb

@@ -0,0 +1,66 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'ca_config'
+
+include OpenSSL
+
+$stdout.sync = true
+
+cn = ARGV.shift || 'CA'
+
+unless FileTest.exist?('private')
+  Dir.mkdir('private', 0700)
+end
+unless FileTest.exist?('newcerts')
+  Dir.mkdir('newcerts')
+end
+unless FileTest.exist?('crl')
+  Dir.mkdir('crl')
+end
+unless FileTest.exist?('serial')
+  File.open('serial', 'w') do |f|
+    f << '2'
+  end
+end
+
+print "Generating CA keypair: "
+keypair = PKey::RSA.new(CAConfig::CA_RSA_KEY_LENGTH) { putc "." }
+putc "\n"
+
+now = Time.now
+cert = X509::Certificate.new
+name = CAConfig::NAME.dup << ['CN', cn]
+cert.subject = cert.issuer = X509::Name.new(name)
+cert.not_before = now
+cert.not_after = now + CAConfig::CA_CERT_DAYS * 24 * 60 * 60
+cert.public_key = keypair.public_key
+cert.serial = 0x1
+cert.version = 2 # X509v3
+
+key_usage = ["cRLSign", "keyCertSign"]
+ef = X509::ExtensionFactory.new
+ef.subject_certificate = cert
+ef.issuer_certificate = cert # we needed subjectKeyInfo inside, now we have it
+ext1 = ef.create_extension("basicConstraints","CA:TRUE", true)
+ext2 = ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
+ext3 = ef.create_extension("subjectKeyIdentifier", "hash")
+ext4 = ef.create_extension("keyUsage", key_usage.join(","), true)
+cert.extensions = [ext1, ext2, ext3, ext4]
+ext0 = ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+cert.add_extension(ext0)
+cert.sign(keypair, OpenSSL::Digest::SHA1.new)
+
+keypair_file = CAConfig::KEYPAIR_FILE
+puts "Writing keypair."
+File.open(keypair_file, "w", 0400) do |f|
+  f << keypair.export(Cipher::DES.new(:EDE3, :CBC), &CAConfig::PASSWD_CB)
+end
+
+cert_file = CAConfig::CERT_FILE
+puts "Writing #{cert_file}."
+File.open(cert_file, "w", 0644) do |f|
+  f << cert.to_pem
+end
+
+puts "DONE. (Generated certificate for '#{cert.subject}')"

data/test/fixture/purpose/sslclient.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAfigAwIBAgIBAzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDMwMjdaFw0yODExMTQxMDMwMjdaMD0x
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzESMBAGA1UE
+AwwJc3NsY2xpZW50MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgemBPByEo
+KbxaYnHXJxslyYsdWWCKf6j2mVIoxzC0b7W4TS5loBzOkZ05rkuapZ7O5flSMjtH
+5NMJ2h7/zsgK5XBkNRCPFK+8HMXVFdSs+euKY+2qE01P0NIuCrkvKjJgsrXdy3sG
+2UVUEoYEt5MHDR6aBL0Km+nVKc6T7O+KtQIDAQABo4GPMIGMMAwGA1UdEwEB/wQC
+MAAwMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFOFnq0r6adftxM/7aApl0DDrLTNWMAsGA1UdDwQEAwIF
+4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQEFBQAD
+ggEBACiRGC9KvUP2PaU7JmcIzJHMJtz0mUsO8KJeFWmBCSkfQErF3egOzE47WcRM
+0lGy0e4fjJB3at/O2V4RgwkFpsBpGXv9LJ5ZVXkEu9PwzwLTGZ4VfSPNIXgse1lK
+9EYOXgL8XhL7c9XPJLRFOWt6Odwp1VjQ2RqkpYLYnsHZam+5gsRd5K2yS0VO8A1Q
+otxH1D4evwpoSAaRHSff71Qh7046g2jGvCvdEVqBXuAoOuY8IRvf6YpTKEcPuOOo
+t7h5kLIVKuG4/AikVZ62Xh7DjdRFxy/Pxg3uIhrvkHkG8QtEFgBBMHoQR6iSGf6N
+1SNrs9tpu1oqTSzoKFG72BsEA6M=
+-----END CERTIFICATE-----

data/test/fixture/purpose/sslclient/csr.pem

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBfDCB5gIBADA9MQswCQYDVQQGEwJKUDEaMBgGA1UECgwRd3d3LnJ1YnktbGFu
+Zy5vcmcxEjAQBgNVBAMMCXNzbGNsaWVudDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEA4HpgTwchKCm8WmJx1ycbJcmLHVlgin+o9plSKMcwtG+1uE0uZaAczpGd
+Oa5LmqWezuX5UjI7R+TTCdoe/87ICuVwZDUQjxSvvBzF1RXUrPnrimPtqhNNT9DS
+Lgq5LyoyYLK13ct7BtlFVBKGBLeTBw0emgS9Cpvp1SnOk+zvirUCAwEAAaAAMA0G
+CSqGSIb3DQEBBAUAA4GBAAg7mWW/hU/fBNLxYVoBRGjpgYKTipRieZ9UDxsxu5O5
+DpLbM/DWydzD0nWDt3zSxG4tCwgEL7gOK6rQz3D+b3BkFGSeQ5AQXjxaDurQoLdR
+OQccN93zAeDb0vBADN/90thJ7osiX8VKG6vUHHcWhA26hzaARSHcLPRR8TeTFFb6
+-----END CERTIFICATE REQUEST-----

data/test/fixture/purpose/sslclient/keypair.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDgemBPByEoKbxaYnHXJxslyYsdWWCKf6j2mVIoxzC0b7W4TS5l
+oBzOkZ05rkuapZ7O5flSMjtH5NMJ2h7/zsgK5XBkNRCPFK+8HMXVFdSs+euKY+2q
+E01P0NIuCrkvKjJgsrXdy3sG2UVUEoYEt5MHDR6aBL0Km+nVKc6T7O+KtQIDAQAB
+AoGABfvdI14qSRrLtZEYPccCF0DHH5IpW6fJhkFSClo89yJfMrmD+huJiQwip834
+n/e4QwWoXsOOBv2XjpSs7N7DQFJNfZ3ivRHyEOlHYgiH2m3hOpe/47sbgvB4z7li
+SPGV6oV2BBafc+yDof3vWLX2BMmxvQKB6aJ7DUjSsc7SR2ECQQD+0m+Q03AynhST
+9ZSOnHt9mUMykeNuPXfX2oeQ1LXtpIQ9Zco/Bl9fWr94ghygAy8tsc4gtGQj+74G
+GcGGcBydAkEA4YQHyGGdZAb6bH0esNpE3hyTiqzjEshTpvF3jkKAlRU+4DS9cBhB
+fcqPrsYetIrl1fgySLdNK3vTdS8WduWu+QJBAN5u5JIf7uVQVhgdm3KtJ6KoQR8I
+d+VH5K/YAtQqyS/KluBdVSCUuHWs6kwQD1qhzPHvLkYgEPXUDriWjPaEMIUCQFf1
+wXtc56DOP/r0ynW8jMP9bWbXjDIVRNuGr1Ujhzee88lLiOAh9dl0mppW2D8fNgpB
+JovKQyVExPOeDCsP5zECQBoXPjAvdLm1BrRhQkvtX7Fkk2l54CxoKz7yBHwNWD7e
+hKa0riKKq3z+tzzfOkgFdNf3aTZyL7cfBALZJdfiLhA=
+-----END RSA PRIVATE KEY-----