jruby-openssl 0.5.2 → 0.6

data/test/fixture/purpose/sslclient/sslclient.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAfigAwIBAgIBAzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDMwMjdaFw0yODExMTQxMDMwMjdaMD0x
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzESMBAGA1UE
+AwwJc3NsY2xpZW50MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgemBPByEo
+KbxaYnHXJxslyYsdWWCKf6j2mVIoxzC0b7W4TS5loBzOkZ05rkuapZ7O5flSMjtH
+5NMJ2h7/zsgK5XBkNRCPFK+8HMXVFdSs+euKY+2qE01P0NIuCrkvKjJgsrXdy3sG
+2UVUEoYEt5MHDR6aBL0Km+nVKc6T7O+KtQIDAQABo4GPMIGMMAwGA1UdEwEB/wQC
+MAAwMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFOFnq0r6adftxM/7aApl0DDrLTNWMAsGA1UdDwQEAwIF
+4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQEFBQAD
+ggEBACiRGC9KvUP2PaU7JmcIzJHMJtz0mUsO8KJeFWmBCSkfQErF3egOzE47WcRM
+0lGy0e4fjJB3at/O2V4RgwkFpsBpGXv9LJ5ZVXkEu9PwzwLTGZ4VfSPNIXgse1lK
+9EYOXgL8XhL7c9XPJLRFOWt6Odwp1VjQ2RqkpYLYnsHZam+5gsRd5K2yS0VO8A1Q
+otxH1D4evwpoSAaRHSff71Qh7046g2jGvCvdEVqBXuAoOuY8IRvf6YpTKEcPuOOo
+t7h5kLIVKuG4/AikVZ62Xh7DjdRFxy/Pxg3uIhrvkHkG8QtEFgBBMHoQR6iSGf6N
+1SNrs9tpu1oqTSzoKFG72BsEA6M=
+-----END CERTIFICATE-----

data/test/fixture/purpose/sslserver.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBjCCAe6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDMwMTdaFw0yODExMTQxMDMwMTdaMD0x
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzESMBAGA1UE
+AwwJc3Nsc2VydmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgYsazavfR
+a72yK4qfnIjOrDT9Uv2ToL4swbE86PXY5N+YvUig3fVmNJo72rT5JlAODs+MtJJU
+aJ8HsczlGdrhjTWyT/0fyoY/rC4mi5UFASBCbaoaviDPgbhI6ehBY6d5vEYQOW79
+fL95KIa+OyGzUNYy+EkSxJmvt/8EJYtqIwIDAQABo4GFMIGCMAwGA1UdEwEB/wQC
+MAAwMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFJsUyGU/R4muSKVIeckJElcBNbipMAsGA1UdDwQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAAc49qdDC
+TzFoWy794TYEx/uSAFQPMxp/dktYuMvtMSqhOfkDAaX7YFAD40R9tQljm6Vb7uEB
+afAecveSyBN2EPZas8NdohJJcTT/pu39E9iMuvAoxz+R8RV7S/RikFOtoet79owa
+6lnD3893tz5RR5BloRX7yRii87U5LUdxd3CvEmA7ycNTO8ZEaAuLDitsTMxhPiIJ
+DeGW5L8DCyiWuDt9K6S13XdnDxTvYUmafVPU59BncdSoY/3BebappMzDM8QM0yCZ
+GWh7ItY4sncMur1fc9ZuSsyplT3d3jysmVXolz2khxboMPVBoRSTtgBOn1PSsVma
+FWULbrbYBK5Cqg==
+-----END CERTIFICATE-----

data/test/fixture/purpose/sslserver/csr.pem

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBfDCB5gIBADA9MQswCQYDVQQGEwJKUDEaMBgGA1UECgwRd3d3LnJ1YnktbGFu
+Zy5vcmcxEjAQBgNVBAMMCXNzbHNlcnZlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEA4GLGs2r30Wu9siuKn5yIzqw0/VL9k6C+LMGxPOj12OTfmL1IoN31ZjSa
+O9q0+SZQDg7PjLSSVGifB7HM5Rna4Y01sk/9H8qGP6wuJouVBQEgQm2qGr4gz4G4
+SOnoQWOnebxGEDlu/Xy/eSiGvjshs1DWMvhJEsSZr7f/BCWLaiMCAwEAAaAAMA0G
+CSqGSIb3DQEBBAUAA4GBAFpQTo9v0rOmfP/m9WSfUMEXsWUl/NP8c7slM4M0wNOX
+iI/e2XiyywgOSJlmCdvmrMeSmrhHbLZvIsQUj7CR9fZ4pxz0eX/JwclmlhS+StH8
+C3HHxlLUOZpnLVl4R3PXoDTCHLuSiQod3WNNiqEdzaRn4jrNv8LgzJtgSseikwDA
+-----END CERTIFICATE REQUEST-----

data/test/fixture/purpose/sslserver/keypair.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXwIBAAKBgQDgYsazavfRa72yK4qfnIjOrDT9Uv2ToL4swbE86PXY5N+YvUig
+3fVmNJo72rT5JlAODs+MtJJUaJ8HsczlGdrhjTWyT/0fyoY/rC4mi5UFASBCbaoa
+viDPgbhI6ehBY6d5vEYQOW79fL95KIa+OyGzUNYy+EkSxJmvt/8EJYtqIwIDAQAB
+AoGBAJy/o/s2YIRldZD/pck2esOVvTayQP5eLjvp2zynqQapbCGxKQlnxMRvPsdN
+U1sxjn8jjY3HnulkZKPlazMoSqQy+7JIOzgG8UelDk/4OuuJWQZ26P/Qzza0k5we
+Sisc8/3xkCzv9RoRIm2VvAAuuSHiZwQTHBP0M6yg9R2+sSpxAkEA+RL48KB9tCyx
+wo8Tn1WKK2GUoGj+pJJ16uq5taUlRKBwvasHNEu96TlrAHNeq+YnFCeLTbvCkU5P
+2GaauRV8TQJBAOagD5u+duKB3go+YywRHVcFrv+u9ejS9onfhvwhgciVpCrNR5RX
+YqhJ3K4ciHEs5OQGsDLPY+dtl1b4AP5r+C8CQQCpyLcNQDmwEi9yUpmrqWGwRKpN
+1oSOpo/e/PZuzg5jg4KWp/kXOvJQAyXffsVwJElLQdGBwZXV+y4Oc5LQy8aZAkEA
+3dsaSMO3z/wIYqhTdL/eDqncCAECdQAExOswCnodRJ2XeMlTU4Og161+SkwOgXkj
+k6xPcgGJ5MbLMJGROy8YZwJBAK+wq+c/x/BeqtnOIqQnDpgxH7Ox1VA0bbaGPq++
+l24EYVsaJpPty7w7M+B7N5XD5GDVDSeG9Xdf/uyCDX7isFc=
+-----END RSA PRIVATE KEY-----

data/test/fixture/purpose/sslserver/sslserver.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBjCCAe6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDMwMTdaFw0yODExMTQxMDMwMTdaMD0x
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzESMBAGA1UE
+AwwJc3Nsc2VydmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgYsazavfR
+a72yK4qfnIjOrDT9Uv2ToL4swbE86PXY5N+YvUig3fVmNJo72rT5JlAODs+MtJJU
+aJ8HsczlGdrhjTWyT/0fyoY/rC4mi5UFASBCbaoaviDPgbhI6ehBY6d5vEYQOW79
+fL95KIa+OyGzUNYy+EkSxJmvt/8EJYtqIwIDAQABo4GFMIGCMAwGA1UdEwEB/wQC
+MAAwMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFJsUyGU/R4muSKVIeckJElcBNbipMAsGA1UdDwQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAAc49qdDC
+TzFoWy794TYEx/uSAFQPMxp/dktYuMvtMSqhOfkDAaX7YFAD40R9tQljm6Vb7uEB
+afAecveSyBN2EPZas8NdohJJcTT/pu39E9iMuvAoxz+R8RV7S/RikFOtoet79owa
+6lnD3893tz5RR5BloRX7yRii87U5LUdxd3CvEmA7ycNTO8ZEaAuLDitsTMxhPiIJ
+DeGW5L8DCyiWuDt9K6S13XdnDxTvYUmafVPU59BncdSoY/3BebappMzDM8QM0yCZ
+GWh7ItY4sncMur1fc9ZuSsyplT3d3jysmVXolz2khxboMPVBoRSTtgBOn1PSsVma
+FWULbrbYBK5Cqg==
+-----END CERTIFICATE-----

data/test/fixture/verisign.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
+c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
+MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
+emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
+DTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
+YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
+MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4
+pO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0
+13gfqLptQ5GVj0VXXn7F+8qkBOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwID
+AQABMA0GCSqGSIb3DQEBBQUAA4GBAFFNzb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSk
+U01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzoKQm5EWR0zLVznxxIqbxhAe7i
+F6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcmeQD2+A2iMzAo1KpY
+oJ2daZH9
+-----END CERTIFICATE-----

data/test/fixture/verisign_c3.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
+cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
+MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
+BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
+I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
+CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
+lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
+AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
+-----END CERTIFICATE-----

data/test/openssl/test_cipher.rb

@@ -169,6 +169,28 @@ class OpenSSL::TestCipher < Test::Unit::TestCase
       }
     end
   end
+
+  # JRUBY-4028
+  def test_jruby_4028
+    key = "0599E113A7EE32A9"
+    data = "1234567890~5J96LC303C1D22DD~20090930005944~http%3A%2F%2Flocalhost%3A8080%2Flogin%3B0%3B1~http%3A%2F%2Fmix-stage.oracle.com%2F~00"
+    c1 = OpenSSL::Cipher::Cipher.new("DES-CBC")
+    c1.padding = 0
+    c1.encrypt
+    c1.key = key
+    e = c1.update data
+    e << c1.final
+    
+    c2 = OpenSSL::Cipher::Cipher.new("DES-CBC")
+    c2.padding = 0
+    c2.decrypt
+    c2.key = key
+    d = c2.update e
+    d << c2.final
+
+    assert_equal "]s\345F\251\250\223uO\315\220\255g\031\363c\006\205L\260G7\016`\265\377K5?\375\310\025\026\"\a\246N\270\234]\206\n\r\351\262\257\305\3632p_\205\257\026\226~-7\av#BZx\024\246'\f\216\005\201\r\372\201\316%W\250\210^\340{\371\245\374<~/YnV\277\311\230\250{\336\302W\353\032\321+\200pA\037\274\262\022*u\344\363\304\e\214J\353!\2352\267)s\360c\a", e
+    assert_equal data, d
+  end
 end
 
 end

data/test/openssl/test_pkcs7.rb

@@ -33,6 +33,7 @@ class OpenSSL::TestPKCS7 < Test::Unit::TestCase
       ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
       ["authorityKeyIdentifier","keyid:always",false],
       ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
+      ["nsCertType","client,email",false],
     ]
     @ee1_cert = issue_cert(ee1, @rsa1024, 2, Time.now, Time.now+1800, ee_exts,
                            @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)

data/test/openssl/test_ssl.rb

@@ -169,6 +169,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
       ssl.sync_close = true
       ssl.connect
 
+      assert_raises(ArgumentError) { ssl.sysread(-1) }
+
       # syswrite and sysread
       ITERATIONS.times{|i|
         str = "x" * 100 + "\n"

data/test/openssl/test_x509ext.rb

@@ -69,6 +69,27 @@ class OpenSSL::TestX509Extension < Test::Unit::TestCase
       %r{URI:ldap://ldap.example.com/cn=ca\?certificateRevocationList;binary},
       cdp.value)
   end
+  
+  # JRUBY-3888
+  # Problems with subjectKeyIdentifier with non 20-bytes sha1 digested keys
+  def test_certificate_with_rare_extension
+	cert_file = File.join(File.dirname(__FILE__), "..", "fixture", "max.pem")
+    cer = OpenSSL::X509::Certificate.new(File.read(cert_file))
+    exts = Hash.new
+    cer.extensions.each{|ext| exts[ext.oid] = ext.value}
+
+    assert exts["subjectKeyIdentifier"] == "4C:B9:E1:DC:7A:AC:35:CF"
+  end
+
+  def test_extension_from_20_byte_sha1_digests
+    cert_file = File.join(File.dirname(__FILE__), "..", "fixture", "common.pem")
+    cer = OpenSSL::X509::Certificate.new(File.read(cert_file))
+    exts = Hash.new
+    cer.extensions.each{|ext| exts[ext.oid] = ext.value}
+
+    assert exts["subjectKeyIdentifier"] == "B4:AC:83:5D:21:FB:D6:8A:56:7E:B2:49:6D:69:BB:E4:6F:D8:5A:AC"
+  end
+  
 end
 
 end

data/test/openssl/test_x509name.rb

@@ -6,6 +6,8 @@ require "test/unit"
 
 if defined?(OpenSSL)
 
+require 'digest/md5'
+
 class OpenSSL::TestX509Name < Test::Unit::TestCase
   OpenSSL::ASN1::ObjectId.register(
     "1.2.840.113549.1.9.1", "emailAddress", "emailAddress")
@@ -260,6 +262,20 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
     assert_equal(OpenSSL::ASN1::IA5STRING, ary[3][2])
     assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[4][2])
   end
+
+  def test_hash
+    dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org"
+    name = OpenSSL::X509::Name.parse(dn)
+    d = Digest::MD5.digest(name.to_der)
+    expected = (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24
+    assert_equal(expected, name.hash)
+    #
+    dn = "/DC=org/DC=ruby-lang/CN=baz.ruby-lang.org"
+    name = OpenSSL::X509::Name.parse(dn)
+    d = Digest::MD5.digest(name.to_der)
+    expected = (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24
+    assert_equal(expected, name.hash)
+  end
 end
 
 end

data/test/test_cipher.rb

@@ -13,6 +13,13 @@ end
 require "test/unit"
 
 class TestCipher < Test::Unit::TestCase
+  def test_keylen
+    cipher = OpenSSL::Cipher::Cipher.new('DES-EDE3-CBC')
+    # must be 24 but it returns 16 on JRE6 without unlimited jurisdiction
+    # policy. it returns 24 on JRE6 with the unlimited policy.
+    assert_equal(24, cipher.key_len)
+  end
+
   def test_encrypt_takes_parameter
     enc = OpenSSL::Cipher::Cipher.new('DES-EDE3-CBC')
     enc.encrypt("123")
@@ -43,6 +50,15 @@ class TestCipher < Test::Unit::TestCase
                      )
   end
 
+  def test_rc2
+    do_repeated_test(
+                     "RC2",
+                     "foobarbazboofarf",
+                     "\x18imZ\x9Ed\x15\xF3\xD6\xE6M\xCDf\xAA\xD3\xFE",
+		     "\xEF\xF7\x16\x06\x93)-##\xB2~\xAD,\xAD\x82\xF5"
+		    )
+  end
+
   private
   def do_repeated_test(algo, string, enc1, enc2)
     do_repeated_encrypt_test(algo, string, enc1, enc2)
@@ -58,10 +74,9 @@ class TestCipher < Test::Unit::TestCase
     cipher.key     = KEY_TEMPLATE[0, cipher.key_len]
 
     assert_equal result1, cipher.update(string)
-    cipher.final
+    assert_equal "", cipher.final
 
-    assert_equal result2, cipher.update(string)
-    cipher.final
+    assert_equal result2, cipher.update(string) + cipher.final
   end
 
   def do_repeated_decrypt_test(algo, result, string1, string2)
@@ -73,9 +88,8 @@ class TestCipher < Test::Unit::TestCase
     cipher.key     = KEY_TEMPLATE[0, cipher.key_len]
 
     assert_equal result, cipher.update(string1)
-    cipher.final
+    assert_equal "", cipher.final
 
-    assert_equal result, cipher.update(string2)
-    cipher.final
+    assert_equal result, cipher.update(string2) + cipher.final
   end
 end

data/test/test_integration.rb

@@ -29,18 +29,57 @@ class TestIntegration < Test::Unit::TestCase
   # Warning - this test actually uses the internet connection.
   # If there is no connection, it will fail.
   def test_ca_path_name
-    uri = URI.parse('https://www.paypal.com')
-
+    uri = URI.parse('https://www.amazon.com')
     http = Net::HTTP.new(uri.host, uri.port)
     http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-    http.ca_path = "./"
+    http.ca_path = "test/fixture/ca_path/"
     http.use_ssl = true
+    response = http.start do |s|
+      assert s.get(uri.request_uri).length > 0
+    end
+  end
+
+  # Warning - this test actually uses the internet connection.
+  # If there is no connection, it will fail.
+  def test_ssl_verify
+    uri = URI.parse('https://www.amazon.com/')
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    # right trust anchor for www.amazon.com
+    http.ca_file = 'test/fixture/verisign.pem'
+    response = http.start do |s|
+      assert s.get(uri.request_uri).length > 0
+    end
+    # wrong trust anchor for www.amazon.com
+    http.ca_file = 'test/fixture/verisign_c3.pem'
+    assert_raises(OpenSSL::SSL::SSLError) do
+      # it must cause SSLError for verification failure.
+      response = http.start do |s|
+        s.get(uri.request_uri)
+      end
+    end
+    # round trip
+    http.ca_file = 'test/fixture/verisign.pem'
+    response = http.start do |s|
+      assert s.get(uri.request_uri).length > 0
+    end
+  end
 
+  # Warning - this test actually uses the internet connection.
+  # If there is no connection, it will fail.
+  def test_pathlen_does_not_appear
+    uri = URI.parse('https://www.paypal.com/')
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    # right trust anchor for www.amazon.com
+    http.ca_file = 'test/fixture/verisign_c3.pem'
     response = http.start do |s|
       assert s.get(uri.request_uri).length > 0
     end
   end
-  
+
   # JRUBY-2178 and JRUBY-1307
   # Warning - this test actually uses the internet connection.
   # If there is no connection, it will fail.

data/test/test_parse_certificate.rb

@@ -0,0 +1,20 @@
+require 'openssl'
+require "test/unit"
+
+class TestParseCertificate < Test::Unit::TestCase
+  CERT = File.dirname(__FILE__) + '/cert_with_ec_pk.cer'
+
+  def test_certificate_parse_works_with_ec_pk_cert
+    cer = OpenSSL::X509::Certificate.new(File.read(CERT))
+    assert cer.to_s != nil
+    assert cer.issuer.to_s != nil
+    assert cer.subject.to_s != nil
+    assert cer.extensions.to_s != nil
+  end
+
+  def test_certificate_with_ec_pk_cert_fails_requesting_pk
+    cer = OpenSSL::X509::Certificate.new(File.read(CERT))
+    assert_raises(OpenSSL::X509::CertificateError) { cer.public_key }
+  end
+end
+

data/test/test_x509store.rb

@@ -0,0 +1,155 @@
+if defined?(JRUBY_VERSION)
+  require "java"
+  base = File.dirname(__FILE__)
+  $CLASSPATH << File.join(base, '..', 'pkg', 'classes')
+  $CLASSPATH << File.join(base, '..', 'lib', 'bcprov-jdk14-139.jar')
+end
+
+begin
+  require "openssl"
+rescue LoadError
+end
+
+require "test/unit"
+require "tempfile"
+
+class TestX509Store < Test::Unit::TestCase
+  def setup
+    @store = OpenSSL::X509::Store.new
+  end
+
+  def teardown
+  end
+
+  def test_ns_cert_type
+    f = Tempfile.new("globalsign-root.pem")
+    f << GLOBALSIGN_ROOT_CA
+    f.close
+    @store.add_file(f.path)
+    f.unlink
+
+    # CAUTION !
+    #
+    # sgc is an issuing CA certificate so we should not verify it for the
+    # purpose 'PURPOSE_SSL_SERVER'. It's not a SSL server certificate.
+    # We're just checking the code for 'PURPOSE_SSL_SERVER'.
+    # jruby-openssl/0.5.2 raises the following exception around ASN.1
+    # nsCertType handling.
+    #   Purpose.java:344:in `call': java.lang.ClassCastException: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.DERBitString
+    sgc = OpenSSL::X509::Certificate.new(GLOBALSIGN_ORGANIZATION_VALIDATION_CA)
+
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_nothing_raised do
+      @store.verify(sgc) # => should be false
+    end
+  end
+
+  def test_purpose_ssl_client
+    @store.add_file("test/fixture/purpose/cacert.pem")
+    cert = OpenSSL::X509::Certificate.new(File.read("test/fixture/purpose/sslclient.pem"))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+    assert_equal(true, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_equal(false, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+    assert_equal(true, @store.verify(cert))
+  end
+
+  def test_purpose_ssl_server
+    @store.add_file("test/fixture/purpose/cacert.pem")
+    cert = OpenSSL::X509::Certificate.new(File.read("test/fixture/purpose/sslserver.pem"))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_equal(true, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+    assert_equal(false, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_equal(true, @store.verify(cert))
+  end
+
+  def test_add_file_multiple
+    f = Tempfile.new("globalsign-root.pem")
+    f << GLOBALSIGN_ROOT_CA
+    f << "junk junk\n"
+    f << "junk junk\n"
+    f << "junk junk\n"
+    f << File.read("test/fixture/purpose/cacert.pem")
+    f.close
+    @store.add_file(f.path)
+    f.unlink
+
+    cert = OpenSSL::X509::Certificate.new(File.read("test/fixture/purpose/sslserver.pem"))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_equal(true, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+    assert_equal(false, @store.verify(cert))
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    assert_equal(true, @store.verify(cert))
+  end
+
+  def test_set_default_paths
+    @store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
+    cert = OpenSSL::X509::Certificate.new(File.read("test/fixture/purpose/sslserver.pem"))
+    assert_equal(false, @store.verify(cert))
+    begin
+      backup = ENV['SSL_CERT_DIR']
+      ENV['SSL_CERT_DIR'] = 'test/fixture/purpose/'
+      @store.set_default_paths
+      assert_equal(true, @store.verify(cert))
+    ensure
+      ENV['SSL_CERT_DIR'] = backup if backup
+    end
+  end
+
+  GLOBALSIGN_ROOT_CA = <<__EOS__
+-----BEGIN CERTIFICATE-----
+MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
+AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
+yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
+38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
+AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
+DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
+HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
+-----END CERTIFICATE-----
+__EOS__
+
+  GLOBALSIGN_ORGANIZATION_VALIDATION_CA = <<__EOS__
+-----BEGIN CERTIFICATE-----
+MIIEZzCCA0+gAwIBAgILBAAAAAABHkSl9SowDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0wNzA0MTExMjAw
+MDBaFw0xNzA0MTExMjAwMDBaMGoxIzAhBgNVBAsTGk9yZ2FuaXphdGlvbiBWYWxp
+ZGF0aW9uIENBMRMwEQYDVQQKEwpHbG9iYWxTaWduMS4wLAYDVQQDEyVHbG9iYWxT
+aWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAoS/EvM6HA+lnwYnI5ZP8fbStnvZjTmronCxziaIB9I8h
++P0lnVgWbYb27klXdX516iIRfj37x0JB3PzFDJFVgHvrZDMdm/nKOOmrxiVDUSVA
+9OR+GFVqqY8QOkAe1leD738vNC8t0vZTwhkNt+3JgfVGLLQjQl6dEwN17Opq/Fd8
+yTaXO5jcExPs7EH6XTTquZPnEBZlzJyS/fXFnT5KuQn85F8eaV9N9FZyRLEdIwPI
+NvZliMi/ORZFjh4mbFEWxSoAOMWkE2mVfasBO6jEFLSA2qwaRCDV/qkGexQnr+Aw
+Id2Q9KnVIxkuHgPmwd+VKeTBlEPdPpCqy0vJvorTOQIDAQABo4IBHzCCARswDgYD
+VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFH1tKuxm
+q6dRNqsCafFwj8RZC5ofMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMwMQYIKwYB
+BQUHAgEWJWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9yeS8wMwYD
+VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNy
+bDARBglghkgBhvhCAQEEBAMCAgQwIAYDVR0lBBkwFwYKKwYBBAGCNwoDAwYJYIZI
+AYb4QgQBMB8GA1UdIwQYMBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3
+DQEBBQUAA4IBAQB5R/wV10x53w96ns7UfEtjyYm1ez+ZEuicjJpJL+BOlUrtx7y+
+8aLbjpMdunFUqkvZiSIkh8UEqKyCUqBS+LjhT6EnZmMhSjnnx8VOX7LWHRNtMOnO
+16IcvCkKczxbI0n+1v/KsE/18meYwEcR+LdIppAJ1kK+6rG5U0LDnCDJ+6FbtVZt
+h4HIYKzEuXInCo4eqLEuzTKieFewnPiVu0OOjDGGblMNxhIFukFuqDUwCRgdAmH/
+/e413mrDO9BNS05QslY2DERd2hplKuaYVqljMy4E567o9I63stp9wMjirqYoL+PJ
+c738B0E0t6pu7qfb0ZM87ZDsMpKI2cgjbHQh
+-----END CERTIFICATE-----
+__EOS__
+end