jruby-openssl 0.7.5.dev → 0.7.5

data/test/1.9/test_pkcs12.rb

@@ -0,0 +1,209 @@
+require_relative "utils"
+
+if defined?(OpenSSL)
+
+module OpenSSL
+  class TestPKCS12 < Test::Unit::TestCase
+    include OpenSSL::TestUtils
+
+    def setup
+      ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
+
+      now = Time.now
+      ca_exts = [
+        ["basicConstraints","CA:TRUE",true],
+        ["keyUsage","keyCertSign, cRLSign",true],
+        ["subjectKeyIdentifier","hash",false],
+        ["authorityKeyIdentifier","keyid:always",false],
+      ]
+      
+      @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, now, now+3600, ca_exts,
+                            nil, nil, OpenSSL::Digest::SHA1.new)
+
+      inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA")
+      inter_ca_key = OpenSSL::PKey.read <<-_EOS_
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDp7hIG0SFMG/VWv1dBUWziAPrNmkMXJgTCAoB7jffzRtyyN04K
+oq/89HAszTMStZoMigQURfokzKsjpUp8OYCAEsBtt9d5zPndWMz/gHN73GrXk3LT
+ZsxEn7Xv5Da+Y9F/Hx2QZUHarV5cdZixq2NbzWGwrToogOQMh2pxN3Z/0wIDAQAB
+AoGBAJysUyx3olpsGzv3OMRJeahASbmsSKTXVLZvoIefxOINosBFpCIhZccAG6UV
+5c/xCvS89xBw8aD15uUfziw3AuT8QPEtHCgfSjeT7aWzBfYswEgOW4XPuWr7EeI9
+iNHGD6z+hCN/IQr7FiEBgTp6A+i/hffcSdR83fHWKyb4M7TRAkEA+y4BNd668HmC
+G5MPRx25n6LixuBxrNp1umfjEI6UZgEFVpYOg4agNuimN6NqM253kcTR94QNTUs5
+Kj3EhG1YWwJBAO5rUjiOyCNVX2WUQrOMYK/c1lU7fvrkdygXkvIGkhsPoNRzLPeA
+HGJszKtrKD8bNihWpWNIyqKRHfKVD7yXT+kCQGCAhVCIGTRoypcDghwljHqLnysf
+ci0h5ZdPcIqc7ODfxYhFsJ/Rql5ONgYsT5Ig/+lOQAkjf+TRYM4c2xKx2/8CQBvG
+jv6dy70qDgIUgqzONtlmHeYyFzn9cdBO5sShdVYHvRHjFSMEXsosqK9zvW2UqvuK
+FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3
+Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
+-----END RSA PRIVATE KEY-----
+      _EOS_
+
+      @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, now, now+3600, ca_exts,
+                                 @ca_cert, TEST_KEY_RSA2048, OpenSSL::Digest::SHA1.new)
+
+      exts = [
+        ["keyUsage","digitalSignature",true],
+        ["subjectKeyIdentifier","hash",false],
+      ]
+      ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate")
+      @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, now, now+3600, exts,
+                           @inter_cacert, inter_ca_key, OpenSSL::Digest::SHA1.new)
+    end
+
+    def test_create
+      pkcs12 = OpenSSL::PKCS12.create(
+        "omg",
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert
+      )
+      assert_equal @mycert, pkcs12.certificate
+      assert_equal TEST_KEY_RSA1024, pkcs12.key
+      assert_nil pkcs12.ca_certs
+    end
+
+    def test_create_no_pass
+      pkcs12 = OpenSSL::PKCS12.create(
+        nil,
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert
+      )
+      assert_equal @mycert, pkcs12.certificate
+      assert_equal TEST_KEY_RSA1024, pkcs12.key
+      assert_nil pkcs12.ca_certs
+
+      decoded = OpenSSL::PKCS12.new(pkcs12.to_der)
+      assert_cert @mycert, decoded.certificate
+    end
+
+    def test_create_with_chain
+      chain = [@inter_cacert, @cacert]
+
+      pkcs12 = OpenSSL::PKCS12.create(
+        "omg",
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert,
+        chain
+      )
+      assert_equal chain, pkcs12.ca_certs
+    end
+
+    def test_create_with_chain_decode
+      chain = [@cacert, @inter_cacert]
+
+      passwd = "omg"
+
+      pkcs12 = OpenSSL::PKCS12.create(
+        passwd,
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert,
+        chain
+      )
+
+      decoded = OpenSSL::PKCS12.new(pkcs12.to_der, passwd)
+      assert_equal chain.size, decoded.ca_certs.size
+      assert_include_cert @cacert, decoded.ca_certs
+      assert_include_cert @inter_cacert, decoded.ca_certs
+      assert_cert @mycert, decoded.certificate 
+      assert_equal TEST_KEY_RSA1024.to_der, decoded.key.to_der
+    end
+
+    def test_create_with_bad_nid
+      assert_raises(ArgumentError) do
+        OpenSSL::PKCS12.create(
+          "omg",
+          "hello",
+          TEST_KEY_RSA1024,
+          @mycert,
+          [],
+          "foo"
+        )
+      end
+    end
+
+    def test_create_with_itr
+      OpenSSL::PKCS12.create(
+        "omg",
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert,
+        [],
+        nil,
+        nil,
+        2048
+      )
+
+      assert_raises(TypeError) do
+        OpenSSL::PKCS12.create(
+          "omg",
+          "hello",
+          TEST_KEY_RSA1024,
+          @mycert,
+          [],
+          nil,
+          nil,
+          "omg"
+        )
+      end
+    end
+
+    def test_create_with_mac_itr
+      OpenSSL::PKCS12.create(
+        "omg",
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert,
+        [],
+        nil,
+        nil,
+        nil,
+        2048
+      )
+
+      assert_raises(TypeError) do
+        OpenSSL::PKCS12.create(
+          "omg",
+          "hello",
+          TEST_KEY_RSA1024,
+          @mycert,
+          [],
+          nil,
+          nil,
+          nil,
+          "omg"
+        )
+      end
+    end
+
+    private
+    def assert_cert expected, actual
+      [
+        :subject,
+        :issuer,
+        :serial,
+        :not_before,
+        :not_after,
+      ].each do |attribute|
+        assert_equal expected.send(attribute), actual.send(attribute)
+      end
+      assert_equal expected.to_der, actual.to_der
+    end
+
+    def assert_include_cert cert, ary
+      der = cert.to_der
+      ary.each do |candidate|
+        if candidate.to_der == der
+          return true
+        end
+      end
+      false
+    end
+
+  end
+end
+
+end

data/test/1.9/test_pkcs7.rb

@@ -0,0 +1,151 @@
+require_relative 'utils'
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestPKCS7 < Test::Unit::TestCase
+  def setup
+    @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
+    @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
+    ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
+    ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
+    ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
+
+    now = Time.now
+    ca_exts = [
+      ["basicConstraints","CA:TRUE",true],
+      ["keyUsage","keyCertSign, cRLSign",true],
+      ["subjectKeyIdentifier","hash",false],
+      ["authorityKeyIdentifier","keyid:always",false],
+    ]
+    @ca_cert = issue_cert(ca, @rsa2048, 1, now, now+3600, ca_exts,
+                           nil, nil, OpenSSL::Digest::SHA1.new)
+    ee_exts = [
+      ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
+      ["authorityKeyIdentifier","keyid:always",false],
+      ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
+    ]
+    @ee1_cert = issue_cert(ee1, @rsa1024, 2, now, now+1800, ee_exts,
+                           @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+    @ee2_cert = issue_cert(ee2, @rsa1024, 3, now, now+1800, ee_exts,
+                           @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+  end
+
+  def issue_cert(*args)
+    OpenSSL::TestUtils.issue_cert(*args)
+  end
+
+  def test_signed
+    store = OpenSSL::X509::Store.new
+    store.add_cert(@ca_cert)
+    ca_certs = [@ca_cert]
+
+    data = "aaaaa\r\nbbbbb\r\nccccc\r\n"
+    tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs)
+    p7 = OpenSSL::PKCS7.new(tmp.to_der)
+    certs = p7.certificates
+    signers = p7.signers
+    assert(p7.verify([], store))
+    assert_equal(data, p7.data)
+    assert_equal(2, certs.size)
+    assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
+    assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
+    assert_equal(1, signers.size)
+    assert_equal(@ee1_cert.serial, signers[0].serial)
+    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+
+    # Normaly OpenSSL tries to translate the supplied content into canonical
+    # MIME format (e.g. a newline character is converted into CR+LF).
+    # If the content is a binary, PKCS7::BINARY flag should be used.
+
+    data = "aaaaa\nbbbbb\nccccc\n"
+    flag = OpenSSL::PKCS7::BINARY
+    tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag)
+    p7 = OpenSSL::PKCS7.new(tmp.to_der)
+    certs = p7.certificates
+    signers = p7.signers
+    assert(p7.verify([], store))
+    assert_equal(data, p7.data)
+    assert_equal(2, certs.size)
+    assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
+    assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
+    assert_equal(1, signers.size)
+    assert_equal(@ee1_cert.serial, signers[0].serial)
+    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+
+    # A signed-data which have multiple signatures can be created
+    # through the following steps.
+    #   1. create two signed-data
+    #   2. copy signerInfo and certificate from one to another
+
+    tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag)
+    tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag)
+    tmp1.add_signer(tmp2.signers[0])
+    tmp1.add_certificate(@ee2_cert)
+
+    p7 = OpenSSL::PKCS7.new(tmp1.to_der)
+    certs = p7.certificates
+    signers = p7.signers
+    assert(p7.verify([], store))
+    assert_equal(data, p7.data)
+    assert_equal(2, certs.size)
+    assert_equal(2, signers.size)
+    assert_equal(@ee1_cert.serial, signers[0].serial)
+    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+    assert_equal(@ee2_cert.serial, signers[1].serial)
+    assert_equal(@ee2_cert.issuer.to_s, signers[1].issuer.to_s)
+  end
+
+  def test_detached_sign
+    store = OpenSSL::X509::Store.new
+    store.add_cert(@ca_cert)
+    ca_certs = [@ca_cert]
+
+    data = "aaaaa\nbbbbb\nccccc\n"
+    flag = OpenSSL::PKCS7::BINARY|OpenSSL::PKCS7::DETACHED
+    tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag)
+    p7 = OpenSSL::PKCS7.new(tmp.to_der)
+    assert_nothing_raised do
+      OpenSSL::ASN1.decode(p7)
+    end
+
+    certs = p7.certificates
+    signers = p7.signers
+    assert(!p7.verify([], store))
+    assert(p7.verify([], store, data))
+    assert_equal(data, p7.data)
+    assert_equal(2, certs.size)
+    assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
+    assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
+    assert_equal(1, signers.size)
+    assert_equal(@ee1_cert.serial, signers[0].serial)
+    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+  end
+
+  def test_enveloped
+    if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x0090704f
+      # PKCS7_encrypt() of OpenSSL-0.9.7d goes to SEGV.
+      # http://www.mail-archive.com/openssl-dev@openssl.org/msg17376.html
+      return
+    end
+
+    certs = [@ee1_cert, @ee2_cert]
+    cipher = OpenSSL::Cipher::AES.new("128-CBC")
+    data = "aaaaa\nbbbbb\nccccc\n"
+
+    tmp = OpenSSL::PKCS7.encrypt(certs, data, cipher, OpenSSL::PKCS7::BINARY)
+    p7 = OpenSSL::PKCS7.new(tmp.to_der)
+    recip = p7.recipients
+    assert_equal(:enveloped, p7.type)
+    assert_equal(2, recip.size)
+
+    assert_equal(@ca_cert.subject.to_s, recip[0].issuer.to_s)
+    assert_equal(2, recip[0].serial)
+    assert_equal(data, p7.decrypt(@rsa1024, @ee1_cert))
+
+    assert_equal(@ca_cert.subject.to_s, recip[1].issuer.to_s)
+    assert_equal(3, recip[1].serial)
+    assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert))
+  end
+end
+
+end

data/test/1.9/test_pkey_dh.rb

@@ -0,0 +1,72 @@
+require_relative 'utils'
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestPKeyDH < Test::Unit::TestCase
+  def test_new
+    dh = OpenSSL::PKey::DH.new(256)
+    assert_key(dh)
+  end
+
+  def test_to_der
+    dh = OpenSSL::PKey::DH.new(256)
+    der = dh.to_der
+    dh2 = OpenSSL::PKey::DH.new(der)
+    assert_equal_params(dh, dh2)
+    assert_no_key(dh2)
+  end
+
+  def test_to_pem
+    dh = OpenSSL::PKey::DH.new(256)
+    pem = dh.to_pem
+    dh2 = OpenSSL::PKey::DH.new(pem)
+    assert_equal_params(dh, dh2)
+    assert_no_key(dh2)
+  end
+
+  def test_public_key
+    dh = OpenSSL::PKey::DH.new(256)
+    public_key = dh.public_key
+    assert_no_key(public_key) #implies public_key.public? is false!
+    assert_equal(dh.to_der, public_key.to_der)
+    assert_equal(dh.to_pem, public_key.to_pem)
+  end
+
+  def test_generate_key
+    dh = OpenSSL::TestUtils::TEST_KEY_DH512.public_key # creates a copy
+    assert_no_key(dh)
+    dh.generate_key!
+    assert_key(dh)
+  end
+
+  def test_key_exchange
+    dh = OpenSSL::TestUtils::TEST_KEY_DH512
+    dh2 = dh.public_key
+    dh.generate_key!
+    dh2.generate_key!
+    assert_equal(dh.compute_key(dh2.pub_key), dh2.compute_key(dh.pub_key))
+  end
+
+  private
+
+  def assert_equal_params(dh1, dh2)
+    assert_equal(dh1.g, dh2.g)
+    assert_equal(dh1.p, dh2.p)
+  end
+
+  def assert_no_key(dh)
+    assert_equal(false, dh.public?)
+    assert_equal(false, dh.private?)
+    assert_equal(nil, dh.pub_key)
+    assert_equal(nil, dh.priv_key)
+  end
+
+  def assert_key(dh)
+    assert(dh.public?)
+    assert(dh.private?)
+    assert(dh.pub_key)
+    assert(dh.priv_key)
+  end
+end
+
+end

data/test/1.9/test_pkey_dsa.rb

@@ -0,0 +1,224 @@
+require_relative 'utils'
+require 'base64'
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestPKeyDSA < Test::Unit::TestCase
+  def test_private
+    key = OpenSSL::PKey::DSA.new(256)
+    assert(key.private?)
+    key2 = OpenSSL::PKey::DSA.new(key.to_der)
+    assert(key2.private?)
+    key3 = key.public_key
+    assert(!key3.private?)
+    key4 = OpenSSL::PKey::DSA.new(key3.to_der)
+    assert(!key4.private?)
+  end
+
+  def test_new
+    key = OpenSSL::PKey::DSA.new 256
+    pem  = key.public_key.to_pem
+    OpenSSL::PKey::DSA.new pem
+    assert_equal([], OpenSSL.errors)
+  end
+
+  def test_sys_sign_verify
+    key = OpenSSL::TestUtils::TEST_KEY_DSA256
+    data = 'Sign me!'
+    digest = OpenSSL::Digest::SHA1.digest(data)
+    sig = key.syssign(digest)
+    assert(key.sysverify(digest, sig))
+  end
+
+  def test_sign_verify
+    check_sign_verify(OpenSSL::Digest::DSS1.new)
+  end
+
+if (OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000)
+  def test_sign_verify_sha1
+    check_sign_verify(OpenSSL::Digest::SHA1.new)
+  end
+
+  def test_sign_verify_sha256
+    check_sign_verify(OpenSSL::Digest::SHA256.new)
+  end
+end
+
+  def test_digest_state_irrelevant_verify
+    key = OpenSSL::TestUtils::TEST_KEY_DSA256
+    digest1 = OpenSSL::Digest::DSS1.new
+    digest2 = OpenSSL::Digest::DSS1.new
+    data = 'Sign me!'
+    sig = key.sign(digest1, data)
+    digest1.reset
+    digest1 << 'Change state of digest1'
+    assert(key.verify(digest1, sig, data))
+    assert(key.verify(digest2, sig, data))
+  end
+
+  def test_read_DSA_PUBKEY
+    p = 7188211954100152441468596248707152960171255279130004340103875772401008316444412091945435731597638374542374929457672178957081124632837356913990200866056699
+    q = 957032439192465935099784319494405376402293318491
+    g = 122928973717064636255205666162891733518376475981809749897454444301389338825906076467196186192907631719698166056821519884939865041993585844526937010746285
+    y = 1235756183583465414789073313502727057075641172514181938731172021825149551960029708596057102104063395063907739571546165975727369183495540798749742124846271
+    algo = OpenSSL::ASN1::ObjectId.new('DSA')
+    params = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(p),
+                                          OpenSSL::ASN1::Integer.new(q),
+                                          OpenSSL::ASN1::Integer.new(g)])
+    algo_id = OpenSSL::ASN1::Sequence.new ([algo, params])
+    pub_key = OpenSSL::ASN1::Integer.new(y)
+    seq = OpenSSL::ASN1::Sequence.new([algo_id, OpenSSL::ASN1::BitString.new(pub_key.to_der)])
+    key = OpenSSL::PKey::DSA.new(seq.to_der)
+    assert(key.public?)
+    assert(!key.private?)
+    assert_equal(p, key.p)
+    assert_equal(q, key.q)
+    assert_equal(g, key.g)
+    assert_equal(y, key.pub_key)
+    assert_equal(nil, key.priv_key)
+    assert_equal([], OpenSSL.errors)
+  end
+
+  def test_read_DSAPublicKey_pem
+    p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699
+    q = 979494906553787301107832405790107343409973851677
+    g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845
+    y = 10505239074982761504240823422422813362721498896040719759460296306305851824586095328615844661273887569281276387605297130014564808567159023649684010036304695
+    pem = <<-EOF
+-----BEGIN DSA PUBLIC KEY-----
+MIHfAkEAyJSJ+g+P/knVcgDwwTzC7Pwg/pWs2EMd/r+lYlXhNfzg0biuXRul8VR4
+VUC/phySExY0PdcqItkR/xYAYNMbNwJBAOoV57X0FxKO/PrNa/MkoWzkCKV/hzhE
+p0zbFdsicw+hIjJ7S6Sd/FlDlo89HQZ2FuvWJ6wGLM1j00r39+F2qbMCFQCrkhIX
+SG+is37hz1IaBeEudjB2HQJAR0AloavBvtsng8obsjLb7EKnB+pSeHr/BdIQ3VH7
+fWLOqqkzFeRrYMDzUpl36XktY6Yq8EJYlW9pCMmBVNy/dQ==
+-----END DSA PUBLIC KEY-----
+    EOF
+    key = OpenSSL::PKey::DSA.new(pem)
+    assert(key.public?)
+    assert(!key.private?)
+    assert_equal(p, key.p)
+    assert_equal(q, key.q)
+    assert_equal(g, key.g)
+    assert_equal(y, key.pub_key)
+    assert_equal(nil, key.priv_key)
+    assert_equal([], OpenSSL.errors)
+  end
+
+  def test_read_DSA_PUBKEY_pem
+    p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699
+    q = 979494906553787301107832405790107343409973851677
+    g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845
+    y = 10505239074982761504240823422422813362721498896040719759460296306305851824586095328615844661273887569281276387605297130014564808567159023649684010036304695
+    pem = <<-EOF
+-----BEGIN PUBLIC KEY-----
+MIHxMIGoBgcqhkjOOAQBMIGcAkEA6hXntfQXEo78+s1r8yShbOQIpX+HOESnTNsV
+2yJzD6EiMntLpJ38WUOWjz0dBnYW69YnrAYszWPTSvf34XapswIVAKuSEhdIb6Kz
+fuHPUhoF4S52MHYdAkBHQCWhq8G+2yeDyhuyMtvsQqcH6lJ4ev8F0hDdUft9Ys6q
+qTMV5GtgwPNSmXfpeS1jpirwQliVb2kIyYFU3L91A0QAAkEAyJSJ+g+P/knVcgDw
+wTzC7Pwg/pWs2EMd/r+lYlXhNfzg0biuXRul8VR4VUC/phySExY0PdcqItkR/xYA
+YNMbNw==
+-----END PUBLIC KEY-----
+    EOF
+    key = OpenSSL::PKey::DSA.new(pem)
+    assert(key.public?)
+    assert(!key.private?)
+    assert_equal(p, key.p)
+    assert_equal(q, key.q)
+    assert_equal(g, key.g)
+    assert_equal(y, key.pub_key)
+    assert_equal(nil, key.priv_key)
+    assert_equal([], OpenSSL.errors)
+  end
+
+  def test_export_format_is_DSA_PUBKEY_pem
+    key = OpenSSL::TestUtils::TEST_KEY_DSA256
+    pem = key.public_key.to_pem
+    pem.gsub!(/^-+(\w|\s)+-+$/, "") # eliminate --------BEGIN...-------
+    asn1 = OpenSSL::ASN1.decode(Base64.decode64(pem))
+    assert_equal(OpenSSL::ASN1::SEQUENCE, asn1.tag)
+    assert_equal(2, asn1.value.size)
+    seq = asn1.value
+    assert_equal(OpenSSL::ASN1::SEQUENCE, seq[0].tag)
+    assert_equal(2, seq[0].value.size)
+    algo_id = seq[0].value
+    assert_equal(OpenSSL::ASN1::OBJECT, algo_id[0].tag)
+    assert_equal('DSA', algo_id[0].value)
+    assert_equal(OpenSSL::ASN1::SEQUENCE, algo_id[1].tag)
+    assert_equal(3, algo_id[1].value.size)
+    params = algo_id[1].value
+    assert_equal(OpenSSL::ASN1::INTEGER, params[0].tag)
+    assert_equal(key.p, params[0].value)
+    assert_equal(OpenSSL::ASN1::INTEGER, params[1].tag)
+    assert_equal(key.q, params[1].value)
+    assert_equal(OpenSSL::ASN1::INTEGER, params[2].tag)
+    assert_equal(key.g, params[2].value)
+    assert_equal(OpenSSL::ASN1::BIT_STRING, seq[1].tag)
+    assert_equal(0, seq[1].unused_bits)
+    pub_key = OpenSSL::ASN1.decode(seq[1].value)
+    assert_equal(OpenSSL::ASN1::INTEGER, pub_key.tag)
+    assert_equal(key.pub_key, pub_key.value)
+    assert_equal([], OpenSSL.errors)
+  end
+
+  def test_read_private_key_der
+    key = OpenSSL::TestUtils::TEST_KEY_DSA256
+    der = key.to_der
+    key2 = OpenSSL::PKey.read(der)
+    assert(key2.private?)
+    assert_equal(der, key2.to_der)
+    assert_equal([], OpenSSL.errors)
+  end
+
+  def test_read_private_key_pem
+    key = OpenSSL::TestUtils::TEST_KEY_DSA256
+    pem = key.to_pem
+    key2 = OpenSSL::PKey.read(pem)
+    assert(key2.private?)
+    assert_equal(pem, key2.to_pem)
+    assert_equal([], OpenSSL.errors)
+  end
+
+  def test_read_public_key_der
+    key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key
+    der = key.to_der
+    key2 = OpenSSL::PKey.read(der)
+    assert(!key2.private?)
+    assert_equal(der, key2.to_der)
+    assert_equal([], OpenSSL.errors)
+  end
+
+  def test_read_public_key_pem
+    key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key
+    pem = key.to_pem
+    key2 = OpenSSL::PKey.read(pem)
+    assert(!key2.private?)
+    assert_equal(pem, key2.to_pem)
+    assert_equal([], OpenSSL.errors)
+  end
+
+  def test_read_private_key_pem_pw
+    key = OpenSSL::TestUtils::TEST_KEY_DSA256
+    pem = key.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret')
+    #callback form for password
+    key2 = OpenSSL::PKey.read(pem) do
+      'secret'
+    end
+    assert(key2.private?)
+    # pass password directly
+    key2 = OpenSSL::PKey.read(pem, 'secret')
+    assert(key2.private?)
+    #omit pem equality check, will be different due to cipher iv
+    assert_equal([], OpenSSL.errors)
+  end
+
+  private
+
+  def check_sign_verify(digest)
+    key = OpenSSL::TestUtils::TEST_KEY_DSA256
+    data = 'Sign me!'
+    sig = key.sign(digest, data)
+    assert(key.verify(digest, sig, data))
+  end
+end
+
+end