jruby-openssl 0.8.0.pre3 → 0.8.0

data/test/1.9/test_ssl_session.rb

@@ -1,327 +0,0 @@
-require_relative "utils"
-
-if defined?(OpenSSL) && defined?(OpenSSL::SSL::Session)
-
-class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase
-  def test_session
-    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
-      sock = TCPSocket.new("127.0.0.1", port)
-      ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
-      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
-      ssl.sync_close = true
-      ssl.connect
-      session = ssl.session
-      assert(session == OpenSSL::SSL::Session.new(session.to_pem))
-      assert(session == OpenSSL::SSL::Session.new(ssl))
-      assert_equal(300, session.timeout)
-      session.timeout = 5
-      assert_equal(5, session.timeout)
-      assert_not_nil(session.time)
-      # SSL_SESSION_time keeps long value so we can't keep nsec fragment.
-      session.time = t1 = Time.now.to_i
-      assert_equal(Time.at(t1), session.time)
-      if session.respond_to?(:id)
-        assert_not_nil(session.id)
-      end
-      pem = session.to_pem
-      assert_match(/\A-----BEGIN SSL SESSION PARAMETERS-----/, pem)
-      assert_match(/-----END SSL SESSION PARAMETERS-----\Z/, pem)
-      pem.gsub!(/-----(BEGIN|END) SSL SESSION PARAMETERS-----/, '').gsub!(/[\r\n]+/m, '')
-      assert_equal(session.to_der, pem.unpack('m*')[0])
-      assert_not_nil(session.to_text)
-      ssl.close
-    end
-  end
-
-  DUMMY_SESSION = <<__EOS__
------BEGIN SSL SESSION PARAMETERS-----
-MIIDzQIBAQICAwEEAgA5BCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad
-MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy
-NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB
-BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5
-LWxhbmcxCzAJBgNVBAMMAkNBMB4XDTExMDYyMzA5NTQ1MVoXDTExMDYyMzEwMjQ1
-MVowRDETMBEGCgmSJomT8ixkARkWA29yZzEZMBcGCgmSJomT8ixkARkWCXJ1Ynkt
-bGFuZzESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7CxaKPERYHs
-k4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/Q3geLv8Z
-D9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQABoxIwEDAO
-BgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQEFBQADggEBACj5WhoZ/ODVeHpwgq1d
-8fW/13ICRYHYpv6dzlWihyqclGxbKMlMnaVCPz+4JaVtMz3QB748KJQgL3Llg3R1
-ek+f+n1MBCMfFFsQXJ2gtLB84zD6UCz8aaCWN5/czJCd7xMz7fRLy3TOIW5boXAU
-zIa8EODk+477K1uznHm286ab0Clv+9d304hwmBZgkzLg6+31Of6d6s0E0rwLGiS2
-sOWYg34Y3r4j8BS9Ak4jzpoLY6cJ0QAKCOJCgmjGr4XHpyXMLbicp3ga1uSbwtVO
-gF/gTfpLhJC+y0EQ5x3Ftl88Cq7ZJuLBDMo/TLIfReJMQu/HlrTT7+LwtneSWGmr
-KkSkAgQApQMCAROqgcMEgcAuDkAVfj6QAJMz9yqTzW5wPFyty7CxUEcwKjUqj5UP
-/Yvky1EkRuM/eQfN7ucY+MUvMqv+R8ZSkHPsnjkBN5ChvZXjrUSZKFVjR4eFVz2V
-jismLEJvIFhQh6pqTroRrOjMfTaM5Lwoytr2FTGobN9rnjIRsXeFQW1HLFbXn7Dh
-8uaQkMwIVVSGRB8T7t6z6WIdWruOjCZ6G5ASI5XoqAHwGezhLodZuvJEfsVyCF9y
-j+RBGfCFrrQbBdnkFI/ztgM=
------END SSL SESSION PARAMETERS-----
-__EOS__
-
-  DUMMY_SESSION_NO_EXT = <<-__EOS__
------BEGIN SSL SESSION PARAMETERS-----
-MIIDCAIBAQICAwAEAgA5BCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+
-lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53
-hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B
-AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi
-eS1sYW5nMQswCQYDVQQDDAJDQTAeFw0xMTA3MTYyMjE3MTFaFw0xMTA3MTYyMjQ3
-MTFaMEQxEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5
-LWxhbmcxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
-gYkCgYEAy8LEsNRApz7U/j5DoB4XBgO9Z8Atv5y/OVQRp0ag8Tqo1YewsWijxEWB
-7JOATwpBN267U4T1nPZIxxEEO7n/WNa2ws9JWsjah8ssEBFSxZqdXKSLf0N4Hi7/
-GQ/aYoaMCiQ8jA4jegK2FJmXM71uPe+jFN/peeBOpRfyXxRFOYcCAwEAAaMSMBAw
-DgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBQUAA4IBAQA3TRzABRG3kz8jEEYr
-tDQqXgsxwTsLhTT5d1yF0D8uFw+y15hJAJnh6GJHjqhWBrF4zNoTApFo+4iIL6g3
-q9C3mUsxIVAHx41DwZBh/FI7J4FqlAoGOguu7892CNVY3ZZjc3AXMTdKjcNoWPzz
-FCdj5fNT24JMMe+ZdGZK97ChahJsdn/6B3j6ze9NK9mfYEbiJhejGTPLOFVHJCGR
-KYYZ3ZcKhLDr9ql4d7cCo1gBtemrmFQGPui7GttNEqmXqUKvV8mYoa8farf5i7T4
-L6a/gp2cVZTaDIS1HjbJsA/Ag7AajZqiN6LfqShNUVsrMZ+5CoV8EkBDTZPJ9MSr
-a3EqpAIEAKUDAgET
------END SSL SESSION PARAMETERS-----
-__EOS__
-
-
-  def test_session_time
-    sess = OpenSSL::SSL::Session.new(DUMMY_SESSION_NO_EXT)
-    sess.time = (now = Time.now)
-    assert_equal(now.to_i, sess.time.to_i)
-    sess.time = 1
-    assert_equal(1, sess.time.to_i)
-    sess.time = 1.2345
-    assert_equal(1, sess.time.to_i)
-    # Can OpenSSL handle t>2038y correctly? Version?
-    sess.time = 2**31 - 1
-    assert_equal(2**31 - 1, sess.time.to_i)
-  end
-
-  def test_session_timeout
-    sess = OpenSSL::SSL::Session.new(DUMMY_SESSION_NO_EXT)
-    assert_raise(TypeError) do
-      sess.timeout = (now = Time.now)
-    end
-    sess.timeout = 1
-    assert_equal(1, sess.timeout.to_i)
-    sess.timeout = 1.2345
-    assert_equal(1, sess.timeout.to_i)
-    sess.timeout = 2**31 - 1
-    assert_equal(2**31 - 1, sess.timeout.to_i)
-  end
-
-  def test_session_exts_read
-    assert(OpenSSL::SSL::Session.new(DUMMY_SESSION))
-  end if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x009080bf
-
-  def test_client_session
-    last_session = nil
-    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
-      2.times do
-        sock = TCPSocket.new("127.0.0.1", port)
-        # Debian's openssl 0.9.8g-13 failed at assert(ssl.session_reused?),
-        # when use default SSLContext. [ruby-dev:36167]
-        ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
-        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
-        ssl.sync_close = true
-        ssl.session = last_session if last_session
-        ssl.connect
-
-        session = ssl.session
-        if last_session
-          assert(ssl.session_reused?)
-
-          if session.respond_to?(:id)
-            assert_equal(session.id, last_session.id)
-          end
-          assert_equal(session.to_pem, last_session.to_pem)
-          assert_equal(session.to_der, last_session.to_der)
-          # Older version of OpenSSL may not be consistent.  Look up which versions later.
-          assert_equal(session.to_text, last_session.to_text)
-        else
-          assert(!ssl.session_reused?)
-        end
-        last_session = session
-
-        str = "x" * 100 + "\n"
-        ssl.puts(str)
-        assert_equal(str, ssl.gets)
-
-        ssl.close
-      end
-    end
-  end
-
-  def test_server_session
-    connections = 0
-    saved_session = nil
-
-    ctx_proc = Proc.new do |ctx, ssl|
-# add test for session callbacks here
-    end
-
-    server_proc = Proc.new do |ctx, ssl|
-      session = ssl.session
-      stats = ctx.session_cache_stats
-
-      case connections
-      when 0
-        assert_equal(stats[:cache_num], 1)
-        assert_equal(stats[:cache_hits], 0)
-        assert_equal(stats[:cache_misses], 0)
-        assert(!ssl.session_reused?)
-      when 1
-        assert_equal(stats[:cache_num], 1)
-        assert_equal(stats[:cache_hits], 1)
-        assert_equal(stats[:cache_misses], 0)
-        assert(ssl.session_reused?)
-        ctx.session_remove(session)
-        saved_session = session
-      when 2
-        assert_equal(stats[:cache_num], 1)
-        assert_equal(stats[:cache_hits], 1)
-        assert_equal(stats[:cache_misses], 1)
-        assert(!ssl.session_reused?)
-        ctx.session_add(saved_session)
-      when 3
-        assert_equal(stats[:cache_num], 2)
-        assert_equal(stats[:cache_hits], 2)
-        assert_equal(stats[:cache_misses], 1)
-        assert(ssl.session_reused?)
-        ctx.flush_sessions(Time.now + 5000)
-      when 4
-        assert_equal(stats[:cache_num], 1)
-        assert_equal(stats[:cache_hits], 2)
-        assert_equal(stats[:cache_misses], 2)
-        assert(!ssl.session_reused?)
-        ctx.session_add(saved_session)
-      end
-      connections += 1
-
-      readwrite_loop(ctx, ssl)
-    end
-
-    first_session = nil
-    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
-      10.times do |i|
-        sock = TCPSocket.new("127.0.0.1", port)
-        ctx = OpenSSL::SSL::SSLContext.new
-        if defined?(OpenSSL::SSL::OP_NO_TICKET)
-          # disable RFC4507 support
-          ctx.options = OpenSSL::SSL::OP_NO_TICKET
-        end
-        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
-        ssl.sync_close = true
-        ssl.session = first_session if first_session
-        ssl.connect
-
-        session = ssl.session
-        if first_session
-          case i
-          when 1; assert(ssl.session_reused?)
-          when 2; assert(!ssl.session_reused?)
-          when 3; assert(ssl.session_reused?)
-          when 4; assert(!ssl.session_reused?)
-          when 5..10; assert(ssl.session_reused?)
-          end
-        end
-        first_session ||= session
-
-        str = "x" * 100 + "\n"
-        ssl.puts(str)
-        assert_equal(str, ssl.gets)
-
-        ssl.close
-      end
-    end
-  end
-
-  def test_ctx_client_session_cb
-    called = {}
-    ctx = OpenSSL::SSL::SSLContext.new("SSLv3")
-    ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
-
-    ctx.session_new_cb = lambda { |ary|
-      sock, sess = ary
-      called[:new] = [sock, sess]
-    }
-
-    ctx.session_remove_cb = lambda { |ary|
-      ctx, sess = ary
-      called[:remove] = [ctx, sess]
-      # any resulting value is OK (ignored)
-    }
-
-    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
-      sock = TCPSocket.new("127.0.0.1", port)
-      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
-      ssl.sync_close = true
-      ssl.connect
-      assert_equal(1, ctx.session_cache_stats[:cache_num])
-      assert_equal(1, ctx.session_cache_stats[:connect_good])
-      assert_equal([ssl, ssl.session], called[:new])
-      assert(ctx.session_remove(ssl.session))
-      assert(!ctx.session_remove(ssl.session))
-      assert_equal([ctx, ssl.session], called[:remove])
-      ssl.close
-    end
-  end
-
-  def test_ctx_server_session_cb
-    called = {}
-
-    ctx_proc = Proc.new { |ctx, ssl|
-      ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_SERVER
-      last_server_session = nil
-
-      # get_cb is called whenever a client proposed to resume a session but
-      # the session could not be found in the internal session cache.
-      ctx.session_get_cb = lambda { |ary|
-        sess, data = ary
-        if last_server_session
-          called[:get2] = [sess, data]
-          last_server_session
-        else
-          called[:get1] = [sess, data]
-          last_server_session = sess
-          nil
-        end
-      }
-
-      ctx.session_new_cb = lambda { |ary|
-        sock, sess = ary
-        called[:new] = [sock, sess]
-        # SSL server doesn't cache sessions so get_cb is called next time.
-        ctx.session_remove(sess)
-      }
-
-      ctx.session_remove_cb = lambda { |ary|
-        ctx, sess = ary
-        called[:remove] = [ctx, sess]
-      }
-    }
-
-    server_proc = Proc.new { |c, ssl|
-      session = ssl.session
-      stats = c.session_cache_stats
-      readwrite_loop(c, ssl)
-    }
-    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
-      last_client_session = nil
-      3.times do
-        sock = TCPSocket.new("127.0.0.1", port)
-        ssl = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new("SSLv3"))
-        ssl.sync_close = true
-        ssl.session = last_client_session if last_client_session
-        ssl.connect
-        last_client_session = ssl.session
-        ssl.close
-        Thread.pass # try to ensure server calls callbacks
-        assert(called.delete(:new))
-        assert(called.delete(:remove))
-      end
-    end
-    assert(called[:get1])
-    assert(called[:get2])
-  end
-end
-
-end

data/test/1.9/test_x509cert.rb

@@ -1,217 +0,0 @@
-require_relative "utils"
-
-if defined?(OpenSSL)
-
-class OpenSSL::TestX509Certificate < Test::Unit::TestCase
-  def setup
-    @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
-    @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
-    @dsa256  = OpenSSL::TestUtils::TEST_KEY_DSA256
-    @dsa512  = OpenSSL::TestUtils::TEST_KEY_DSA512
-    @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
-    @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
-    @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
-  end
-
-  def teardown
-  end
-
-  def issue_cert(*args)
-    OpenSSL::TestUtils.issue_cert(*args)
-  end
-
-  def test_serial
-    [1, 2**32, 2**100].each{|s|
-      cert = issue_cert(@ca, @rsa2048, s, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::SHA1.new)
-      assert_equal(s, cert.serial)
-      cert = OpenSSL::X509::Certificate.new(cert.to_der)
-      assert_equal(s, cert.serial)
-    }
-  end
-
-  def test_public_key
-    exts = [
-      ["basicConstraints","CA:TRUE",true],
-      ["subjectKeyIdentifier","hash",false],
-      ["authorityKeyIdentifier","keyid:always",false],
-    ]
-
-    sha1 = OpenSSL::Digest::SHA1.new
-    dss1 = OpenSSL::Digest::DSS1.new
-    [
-      [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dss1], [@dsa512, dss1],
-    ].each{|pk, digest|
-      cert = issue_cert(@ca, pk, 1, Time.now, Time.now+3600, exts,
-                        nil, nil, digest)
-      assert_equal(cert.extensions[1].value,
-                   OpenSSL::TestUtils.get_subject_key_id(cert))
-      cert = OpenSSL::X509::Certificate.new(cert.to_der)
-      assert_equal(cert.extensions[1].value,
-                   OpenSSL::TestUtils.get_subject_key_id(cert))
-    }
-  end
-
-  def test_validity
-    now = Time.now until now && now.usec != 0
-    cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
-    assert_not_equal(now, cert.not_before)
-    assert_not_equal(now+3600, cert.not_after)
-
-    now = Time.at(now.to_i)
-    cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
-    assert_equal(now.getutc, cert.not_before)
-    assert_equal((now+3600).getutc, cert.not_after)
-
-    now = Time.at(0)
-    cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
-    assert_equal(now.getutc, cert.not_before)
-    assert_equal(now.getutc, cert.not_after)
-
-    now = Time.at(0x7fffffff)
-    cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
-    assert_equal(now.getutc, cert.not_before)
-    assert_equal(now.getutc, cert.not_after)
-  end
-
-  def test_extension
-    ca_exts = [
-      ["basicConstraints","CA:TRUE",true],
-      ["keyUsage","keyCertSign, cRLSign",true],
-      ["subjectKeyIdentifier","hash",false],
-      ["authorityKeyIdentifier","keyid:always",false],
-    ]
-    ca_cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts,
-                         nil, nil, OpenSSL::Digest::SHA1.new)
-    ca_cert.extensions.each_with_index{|ext, i|
-      assert_equal(ca_exts[i].first, ext.oid)
-      assert_equal(ca_exts[i].last, ext.critical?)
-    }
-
-    ee1_exts = [
-      ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
-      ["subjectKeyIdentifier","hash",false],
-      ["authorityKeyIdentifier","keyid:always",false],
-      ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
-      ["subjectAltName","email:ee1@ruby-lang.org",false],
-    ]
-    ee1_cert = issue_cert(@ee1, @rsa1024, 2, Time.now, Time.now+1800, ee1_exts,
-                          ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
-    assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der)
-    ee1_cert.extensions.each_with_index{|ext, i|
-      assert_equal(ee1_exts[i].first, ext.oid)
-      assert_equal(ee1_exts[i].last, ext.critical?)
-    }
-
-    ee2_exts = [
-      ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
-      ["subjectKeyIdentifier","hash",false],
-      ["authorityKeyIdentifier","issuer:always",false],
-      ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
-      ["subjectAltName","email:ee2@ruby-lang.org",false],
-    ]
-    ee2_cert = issue_cert(@ee2, @rsa1024, 3, Time.now, Time.now+1800, ee2_exts,
-                          ca_cert, @rsa2048, OpenSSL::Digest::MD5.new)
-    assert_equal(ca_cert.subject.to_der, ee2_cert.issuer.to_der)
-    ee2_cert.extensions.each_with_index{|ext, i|
-      assert_equal(ee2_exts[i].first, ext.oid)
-      assert_equal(ee2_exts[i].last, ext.critical?)
-    }
-
-  end
-
-  def test_sign_and_verify
-    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
-    assert_equal(false, cert.verify(@rsa1024))
-    assert_equal(true,  cert.verify(@rsa2048))
-    assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
-    assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) })
-    cert.serial = 2
-    assert_equal(false, cert.verify(@rsa2048))
-
-    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::MD5.new)
-    assert_equal(false, cert.verify(@rsa1024))
-    assert_equal(true, cert.verify(@rsa2048))
-
-    assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
-    assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) })
-    cert.subject = @ee1
-    assert_equal(false, cert.verify(@rsa2048))
-
-    cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, certificate_error_returns_false { cert.verify(@rsa1024) })
-    assert_equal(false, certificate_error_returns_false { cert.verify(@rsa2048) })
-    assert_equal(false, cert.verify(@dsa256))
-    assert_equal(true,  cert.verify(@dsa512))
-    cert.not_after = Time.now
-    assert_equal(false, cert.verify(@dsa512))
-
-    begin
-      cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::DSS1.new)
-      assert_equal(false, cert.verify(@rsa1024))
-      assert_equal(true, cert.verify(@rsa2048))
-      assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
-      assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) })
-      cert.subject = @ee1
-      assert_equal(false, cert.verify(@rsa2048))
-    rescue OpenSSL::X509::CertificateError
-    end
-
-    assert_raise(OpenSSL::X509::CertificateError){
-      cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::MD5.new)
-    }
-  end
-
-  def test_dsig_algorithm_mismatch
-    assert_raise(OpenSSL::X509::CertificateError) do
-      cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::DSS1.new)
-    end
-    assert_raise(OpenSSL::X509::CertificateError) do
-      cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::MD5.new)
-    end
-  end
-
-  def test_dsa_with_sha2
-    begin
-      cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::SHA256.new)
-      assert_equal("dsa_with_SHA256", cert.signature_algorithm)
-    rescue OpenSSL::X509::CertificateError
-      # dsa_with_sha2 not supported. skip following test.
-      return
-    end
-    # TODO: need more tests for dsa + sha2
-
-    # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1)
-    cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
-    assert_equal("dsaWithSHA1", cert.signature_algorithm)
-  end if defined?(OpenSSL::Digest::SHA256)
-
-  def test_check_private_key
-    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
-    assert_equal(true, cert.check_private_key(@rsa2048))
-  end
-
-  private
-
-  def certificate_error_returns_false
-    yield
-  rescue OpenSSL::X509::CertificateError
-    false
-  end
-end
-
-end