jruby-openssl 0.8.0.pre3 → 0.8.0
- data/Manifest.txt +5 -124
- data/Rakefile +3 -3
- data/lib/shared/jopenssl.jar +0 -0
- data/lib/shared/jopenssl/version.rb +1 -1
- metadata +10 -116
- data/test/1.8/ssl_server.rb +0 -99
- data/test/1.8/test_asn1.rb +0 -212
- data/test/1.8/test_cipher.rb +0 -193
- data/test/1.8/test_config.rb +0 -290
- data/test/1.8/test_digest.rb +0 -88
- data/test/1.8/test_ec.rb +0 -128
- data/test/1.8/test_hmac.rb +0 -46
- data/test/1.8/test_ns_spki.rb +0 -59
- data/test/1.8/test_pair.rb +0 -149
- data/test/1.8/test_pkcs7.rb +0 -489
- data/test/1.8/test_pkey_rsa.rb +0 -49
- data/test/1.8/test_ssl.rb +0 -1032
- data/test/1.8/test_x509cert.rb +0 -277
- data/test/1.8/test_x509crl.rb +0 -253
- data/test/1.8/test_x509ext.rb +0 -99
- data/test/1.8/test_x509name.rb +0 -290
- data/test/1.8/test_x509req.rb +0 -195
- data/test/1.8/test_x509store.rb +0 -246
- data/test/1.8/utils.rb +0 -144
- data/test/1.9/ssl_server.rb +0 -81
- data/test/1.9/test_asn1.rb +0 -589
- data/test/1.9/test_bn.rb +0 -23
- data/test/1.9/test_buffering.rb +0 -88
- data/test/1.9/test_cipher.rb +0 -107
- data/test/1.9/test_config.rb +0 -288
- data/test/1.9/test_digest.rb +0 -118
- data/test/1.9/test_engine.rb +0 -15
- data/test/1.9/test_hmac.rb +0 -32
- data/test/1.9/test_ns_spki.rb +0 -50
- data/test/1.9/test_ocsp.rb +0 -47
- data/test/1.9/test_pair.rb +0 -257
- data/test/1.9/test_pkcs12.rb +0 -209
- data/test/1.9/test_pkcs7.rb +0 -156
- data/test/1.9/test_pkey_dh.rb +0 -72
- data/test/1.9/test_pkey_dsa.rb +0 -224
- data/test/1.9/test_pkey_ec.rb +0 -182
- data/test/1.9/test_pkey_rsa.rb +0 -244
- data/test/1.9/test_ssl.rb +0 -499
- data/test/1.9/test_ssl_session.rb +0 -327
- data/test/1.9/test_x509cert.rb +0 -217
- data/test/1.9/test_x509crl.rb +0 -221
- data/test/1.9/test_x509ext.rb +0 -69
- data/test/1.9/test_x509name.rb +0 -366
- data/test/1.9/test_x509req.rb +0 -150
- data/test/1.9/test_x509store.rb +0 -229
- data/test/1.9/utils.rb +0 -304
- data/test/cert_with_ec_pk.cer +0 -27
- data/test/fixture/ca-bundle.crt +0 -2794
- data/test/fixture/ca_path/72fa7371.0 +0 -19
- data/test/fixture/ca_path/verisign.pem +0 -19
- data/test/fixture/cacert.pem +0 -23
- data/test/fixture/cert_localhost.pem +0 -19
- data/test/fixture/common.pem +0 -48
- data/test/fixture/ids_in_subject_rdn_set.pem +0 -31
- data/test/fixture/imaps/cacert.pem +0 -60
- data/test/fixture/imaps/server.crt +0 -61
- data/test/fixture/imaps/server.key +0 -15
- data/test/fixture/key_then_cert.pem +0 -34
- data/test/fixture/keypair.pem +0 -27
- data/test/fixture/localhost_keypair.pem +0 -18
- data/test/fixture/max.pem +0 -29
- data/test/fixture/purpose/b70a5bc1.0 +0 -24
- data/test/fixture/purpose/ca/PASSWD_OF_CA_KEY_IS_1234 +0 -0
- data/test/fixture/purpose/ca/ca_config.rb +0 -37
- data/test/fixture/purpose/ca/cacert.pem +0 -24
- data/test/fixture/purpose/ca/newcerts/2_cert.pem +0 -19
- data/test/fixture/purpose/ca/newcerts/3_cert.pem +0 -19
- data/test/fixture/purpose/ca/newcerts/4_cert.pem +0 -19
- data/test/fixture/purpose/ca/private/cakeypair.pem +0 -30
- data/test/fixture/purpose/ca/serial +0 -1
- data/test/fixture/purpose/cacert.pem +0 -24
- data/test/fixture/purpose/scripts/gen_cert.rb +0 -127
- data/test/fixture/purpose/scripts/gen_csr.rb +0 -50
- data/test/fixture/purpose/scripts/init_ca.rb +0 -66
- data/test/fixture/purpose/sslclient.pem +0 -19
- data/test/fixture/purpose/sslclient/csr.pem +0 -10
- data/test/fixture/purpose/sslclient/keypair.pem +0 -15
- data/test/fixture/purpose/sslclient/sslclient.pem +0 -19
- data/test/fixture/purpose/sslserver.pem +0 -19
- data/test/fixture/purpose/sslserver/csr.pem +0 -10
- data/test/fixture/purpose/sslserver/keypair.pem +0 -15
- data/test/fixture/purpose/sslserver/sslserver.pem +0 -19
- data/test/fixture/purpose/sslserver_no_dsig_in_keyUsage.pem +0 -19
- data/test/fixture/selfcert.pem +0 -23
- data/test/fixture/verisign.pem +0 -19
- data/test/fixture/verisign_c3.pem +0 -14
- data/test/ref/a.out +0 -0
- data/test/ref/compile.rb +0 -8
- data/test/ref/pkcs1 +0 -0
- data/test/ref/pkcs1.c +0 -21
- data/test/ruby/envutil.rb +0 -208
- data/test/ruby/ut_eof.rb +0 -128
- data/test/test_all.rb +0 -1
- data/test/test_certificate.rb +0 -132
- data/test/test_cipher.rb +0 -197
- data/test/test_imaps.rb +0 -107
- data/test/test_integration.rb +0 -144
- data/test/test_openssl.rb +0 -4
- data/test/test_parse_certificate.rb +0 -27
- data/test/test_pkcs7.rb +0 -56
- data/test/test_pkey_dsa.rb +0 -180
- data/test/test_pkey_rsa.rb +0 -329
- data/test/test_ssl.rb +0 -97
- data/test/test_x509store.rb +0 -168
@@ -1,327 +0,0 @@
|
|
1
|
-
require_relative "utils"
|
2
|
-
|
3
|
-
if defined?(OpenSSL) && defined?(OpenSSL::SSL::Session)
|
4
|
-
|
5
|
-
class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase
|
6
|
-
def test_session
|
7
|
-
start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
|
8
|
-
sock = TCPSocket.new("127.0.0.1", port)
|
9
|
-
ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
|
10
|
-
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
|
11
|
-
ssl.sync_close = true
|
12
|
-
ssl.connect
|
13
|
-
session = ssl.session
|
14
|
-
assert(session == OpenSSL::SSL::Session.new(session.to_pem))
|
15
|
-
assert(session == OpenSSL::SSL::Session.new(ssl))
|
16
|
-
assert_equal(300, session.timeout)
|
17
|
-
session.timeout = 5
|
18
|
-
assert_equal(5, session.timeout)
|
19
|
-
assert_not_nil(session.time)
|
20
|
-
# SSL_SESSION_time keeps long value so we can't keep nsec fragment.
|
21
|
-
session.time = t1 = Time.now.to_i
|
22
|
-
assert_equal(Time.at(t1), session.time)
|
23
|
-
if session.respond_to?(:id)
|
24
|
-
assert_not_nil(session.id)
|
25
|
-
end
|
26
|
-
pem = session.to_pem
|
27
|
-
assert_match(/\A-----BEGIN SSL SESSION PARAMETERS-----/, pem)
|
28
|
-
assert_match(/-----END SSL SESSION PARAMETERS-----\Z/, pem)
|
29
|
-
pem.gsub!(/-----(BEGIN|END) SSL SESSION PARAMETERS-----/, '').gsub!(/[\r\n]+/m, '')
|
30
|
-
assert_equal(session.to_der, pem.unpack('m*')[0])
|
31
|
-
assert_not_nil(session.to_text)
|
32
|
-
ssl.close
|
33
|
-
end
|
34
|
-
end
|
35
|
-
|
36
|
-
DUMMY_SESSION = <<__EOS__
|
37
|
-
-----BEGIN SSL SESSION PARAMETERS-----
|
38
|
-
MIIDzQIBAQICAwEEAgA5BCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad
|
39
|
-
MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy
|
40
|
-
NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB
|
41
|
-
BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5
|
42
|
-
LWxhbmcxCzAJBgNVBAMMAkNBMB4XDTExMDYyMzA5NTQ1MVoXDTExMDYyMzEwMjQ1
|
43
|
-
MVowRDETMBEGCgmSJomT8ixkARkWA29yZzEZMBcGCgmSJomT8ixkARkWCXJ1Ynkt
|
44
|
-
bGFuZzESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
|
45
|
-
iQKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7CxaKPERYHs
|
46
|
-
k4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/Q3geLv8Z
|
47
|
-
D9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQABoxIwEDAO
|
48
|
-
BgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQEFBQADggEBACj5WhoZ/ODVeHpwgq1d
|
49
|
-
8fW/13ICRYHYpv6dzlWihyqclGxbKMlMnaVCPz+4JaVtMz3QB748KJQgL3Llg3R1
|
50
|
-
ek+f+n1MBCMfFFsQXJ2gtLB84zD6UCz8aaCWN5/czJCd7xMz7fRLy3TOIW5boXAU
|
51
|
-
zIa8EODk+477K1uznHm286ab0Clv+9d304hwmBZgkzLg6+31Of6d6s0E0rwLGiS2
|
52
|
-
sOWYg34Y3r4j8BS9Ak4jzpoLY6cJ0QAKCOJCgmjGr4XHpyXMLbicp3ga1uSbwtVO
|
53
|
-
gF/gTfpLhJC+y0EQ5x3Ftl88Cq7ZJuLBDMo/TLIfReJMQu/HlrTT7+LwtneSWGmr
|
54
|
-
KkSkAgQApQMCAROqgcMEgcAuDkAVfj6QAJMz9yqTzW5wPFyty7CxUEcwKjUqj5UP
|
55
|
-
/Yvky1EkRuM/eQfN7ucY+MUvMqv+R8ZSkHPsnjkBN5ChvZXjrUSZKFVjR4eFVz2V
|
56
|
-
jismLEJvIFhQh6pqTroRrOjMfTaM5Lwoytr2FTGobN9rnjIRsXeFQW1HLFbXn7Dh
|
57
|
-
8uaQkMwIVVSGRB8T7t6z6WIdWruOjCZ6G5ASI5XoqAHwGezhLodZuvJEfsVyCF9y
|
58
|
-
j+RBGfCFrrQbBdnkFI/ztgM=
|
59
|
-
-----END SSL SESSION PARAMETERS-----
|
60
|
-
__EOS__
|
61
|
-
|
62
|
-
DUMMY_SESSION_NO_EXT = <<-__EOS__
|
63
|
-
-----BEGIN SSL SESSION PARAMETERS-----
|
64
|
-
MIIDCAIBAQICAwAEAgA5BCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+
|
65
|
-
lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53
|
66
|
-
hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B
|
67
|
-
AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi
|
68
|
-
eS1sYW5nMQswCQYDVQQDDAJDQTAeFw0xMTA3MTYyMjE3MTFaFw0xMTA3MTYyMjQ3
|
69
|
-
MTFaMEQxEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5
|
70
|
-
LWxhbmcxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
|
71
|
-
gYkCgYEAy8LEsNRApz7U/j5DoB4XBgO9Z8Atv5y/OVQRp0ag8Tqo1YewsWijxEWB
|
72
|
-
7JOATwpBN267U4T1nPZIxxEEO7n/WNa2ws9JWsjah8ssEBFSxZqdXKSLf0N4Hi7/
|
73
|
-
GQ/aYoaMCiQ8jA4jegK2FJmXM71uPe+jFN/peeBOpRfyXxRFOYcCAwEAAaMSMBAw
|
74
|
-
DgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBQUAA4IBAQA3TRzABRG3kz8jEEYr
|
75
|
-
tDQqXgsxwTsLhTT5d1yF0D8uFw+y15hJAJnh6GJHjqhWBrF4zNoTApFo+4iIL6g3
|
76
|
-
q9C3mUsxIVAHx41DwZBh/FI7J4FqlAoGOguu7892CNVY3ZZjc3AXMTdKjcNoWPzz
|
77
|
-
FCdj5fNT24JMMe+ZdGZK97ChahJsdn/6B3j6ze9NK9mfYEbiJhejGTPLOFVHJCGR
|
78
|
-
KYYZ3ZcKhLDr9ql4d7cCo1gBtemrmFQGPui7GttNEqmXqUKvV8mYoa8farf5i7T4
|
79
|
-
L6a/gp2cVZTaDIS1HjbJsA/Ag7AajZqiN6LfqShNUVsrMZ+5CoV8EkBDTZPJ9MSr
|
80
|
-
a3EqpAIEAKUDAgET
|
81
|
-
-----END SSL SESSION PARAMETERS-----
|
82
|
-
__EOS__
|
83
|
-
|
84
|
-
|
85
|
-
def test_session_time
|
86
|
-
sess = OpenSSL::SSL::Session.new(DUMMY_SESSION_NO_EXT)
|
87
|
-
sess.time = (now = Time.now)
|
88
|
-
assert_equal(now.to_i, sess.time.to_i)
|
89
|
-
sess.time = 1
|
90
|
-
assert_equal(1, sess.time.to_i)
|
91
|
-
sess.time = 1.2345
|
92
|
-
assert_equal(1, sess.time.to_i)
|
93
|
-
# Can OpenSSL handle t>2038y correctly? Version?
|
94
|
-
sess.time = 2**31 - 1
|
95
|
-
assert_equal(2**31 - 1, sess.time.to_i)
|
96
|
-
end
|
97
|
-
|
98
|
-
def test_session_timeout
|
99
|
-
sess = OpenSSL::SSL::Session.new(DUMMY_SESSION_NO_EXT)
|
100
|
-
assert_raise(TypeError) do
|
101
|
-
sess.timeout = (now = Time.now)
|
102
|
-
end
|
103
|
-
sess.timeout = 1
|
104
|
-
assert_equal(1, sess.timeout.to_i)
|
105
|
-
sess.timeout = 1.2345
|
106
|
-
assert_equal(1, sess.timeout.to_i)
|
107
|
-
sess.timeout = 2**31 - 1
|
108
|
-
assert_equal(2**31 - 1, sess.timeout.to_i)
|
109
|
-
end
|
110
|
-
|
111
|
-
def test_session_exts_read
|
112
|
-
assert(OpenSSL::SSL::Session.new(DUMMY_SESSION))
|
113
|
-
end if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x009080bf
|
114
|
-
|
115
|
-
def test_client_session
|
116
|
-
last_session = nil
|
117
|
-
start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
|
118
|
-
2.times do
|
119
|
-
sock = TCPSocket.new("127.0.0.1", port)
|
120
|
-
# Debian's openssl 0.9.8g-13 failed at assert(ssl.session_reused?),
|
121
|
-
# when use default SSLContext. [ruby-dev:36167]
|
122
|
-
ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
|
123
|
-
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
|
124
|
-
ssl.sync_close = true
|
125
|
-
ssl.session = last_session if last_session
|
126
|
-
ssl.connect
|
127
|
-
|
128
|
-
session = ssl.session
|
129
|
-
if last_session
|
130
|
-
assert(ssl.session_reused?)
|
131
|
-
|
132
|
-
if session.respond_to?(:id)
|
133
|
-
assert_equal(session.id, last_session.id)
|
134
|
-
end
|
135
|
-
assert_equal(session.to_pem, last_session.to_pem)
|
136
|
-
assert_equal(session.to_der, last_session.to_der)
|
137
|
-
# Older version of OpenSSL may not be consistent. Look up which versions later.
|
138
|
-
assert_equal(session.to_text, last_session.to_text)
|
139
|
-
else
|
140
|
-
assert(!ssl.session_reused?)
|
141
|
-
end
|
142
|
-
last_session = session
|
143
|
-
|
144
|
-
str = "x" * 100 + "\n"
|
145
|
-
ssl.puts(str)
|
146
|
-
assert_equal(str, ssl.gets)
|
147
|
-
|
148
|
-
ssl.close
|
149
|
-
end
|
150
|
-
end
|
151
|
-
end
|
152
|
-
|
153
|
-
def test_server_session
|
154
|
-
connections = 0
|
155
|
-
saved_session = nil
|
156
|
-
|
157
|
-
ctx_proc = Proc.new do |ctx, ssl|
|
158
|
-
# add test for session callbacks here
|
159
|
-
end
|
160
|
-
|
161
|
-
server_proc = Proc.new do |ctx, ssl|
|
162
|
-
session = ssl.session
|
163
|
-
stats = ctx.session_cache_stats
|
164
|
-
|
165
|
-
case connections
|
166
|
-
when 0
|
167
|
-
assert_equal(stats[:cache_num], 1)
|
168
|
-
assert_equal(stats[:cache_hits], 0)
|
169
|
-
assert_equal(stats[:cache_misses], 0)
|
170
|
-
assert(!ssl.session_reused?)
|
171
|
-
when 1
|
172
|
-
assert_equal(stats[:cache_num], 1)
|
173
|
-
assert_equal(stats[:cache_hits], 1)
|
174
|
-
assert_equal(stats[:cache_misses], 0)
|
175
|
-
assert(ssl.session_reused?)
|
176
|
-
ctx.session_remove(session)
|
177
|
-
saved_session = session
|
178
|
-
when 2
|
179
|
-
assert_equal(stats[:cache_num], 1)
|
180
|
-
assert_equal(stats[:cache_hits], 1)
|
181
|
-
assert_equal(stats[:cache_misses], 1)
|
182
|
-
assert(!ssl.session_reused?)
|
183
|
-
ctx.session_add(saved_session)
|
184
|
-
when 3
|
185
|
-
assert_equal(stats[:cache_num], 2)
|
186
|
-
assert_equal(stats[:cache_hits], 2)
|
187
|
-
assert_equal(stats[:cache_misses], 1)
|
188
|
-
assert(ssl.session_reused?)
|
189
|
-
ctx.flush_sessions(Time.now + 5000)
|
190
|
-
when 4
|
191
|
-
assert_equal(stats[:cache_num], 1)
|
192
|
-
assert_equal(stats[:cache_hits], 2)
|
193
|
-
assert_equal(stats[:cache_misses], 2)
|
194
|
-
assert(!ssl.session_reused?)
|
195
|
-
ctx.session_add(saved_session)
|
196
|
-
end
|
197
|
-
connections += 1
|
198
|
-
|
199
|
-
readwrite_loop(ctx, ssl)
|
200
|
-
end
|
201
|
-
|
202
|
-
first_session = nil
|
203
|
-
start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
|
204
|
-
10.times do |i|
|
205
|
-
sock = TCPSocket.new("127.0.0.1", port)
|
206
|
-
ctx = OpenSSL::SSL::SSLContext.new
|
207
|
-
if defined?(OpenSSL::SSL::OP_NO_TICKET)
|
208
|
-
# disable RFC4507 support
|
209
|
-
ctx.options = OpenSSL::SSL::OP_NO_TICKET
|
210
|
-
end
|
211
|
-
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
|
212
|
-
ssl.sync_close = true
|
213
|
-
ssl.session = first_session if first_session
|
214
|
-
ssl.connect
|
215
|
-
|
216
|
-
session = ssl.session
|
217
|
-
if first_session
|
218
|
-
case i
|
219
|
-
when 1; assert(ssl.session_reused?)
|
220
|
-
when 2; assert(!ssl.session_reused?)
|
221
|
-
when 3; assert(ssl.session_reused?)
|
222
|
-
when 4; assert(!ssl.session_reused?)
|
223
|
-
when 5..10; assert(ssl.session_reused?)
|
224
|
-
end
|
225
|
-
end
|
226
|
-
first_session ||= session
|
227
|
-
|
228
|
-
str = "x" * 100 + "\n"
|
229
|
-
ssl.puts(str)
|
230
|
-
assert_equal(str, ssl.gets)
|
231
|
-
|
232
|
-
ssl.close
|
233
|
-
end
|
234
|
-
end
|
235
|
-
end
|
236
|
-
|
237
|
-
def test_ctx_client_session_cb
|
238
|
-
called = {}
|
239
|
-
ctx = OpenSSL::SSL::SSLContext.new("SSLv3")
|
240
|
-
ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
|
241
|
-
|
242
|
-
ctx.session_new_cb = lambda { |ary|
|
243
|
-
sock, sess = ary
|
244
|
-
called[:new] = [sock, sess]
|
245
|
-
}
|
246
|
-
|
247
|
-
ctx.session_remove_cb = lambda { |ary|
|
248
|
-
ctx, sess = ary
|
249
|
-
called[:remove] = [ctx, sess]
|
250
|
-
# any resulting value is OK (ignored)
|
251
|
-
}
|
252
|
-
|
253
|
-
start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
|
254
|
-
sock = TCPSocket.new("127.0.0.1", port)
|
255
|
-
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
|
256
|
-
ssl.sync_close = true
|
257
|
-
ssl.connect
|
258
|
-
assert_equal(1, ctx.session_cache_stats[:cache_num])
|
259
|
-
assert_equal(1, ctx.session_cache_stats[:connect_good])
|
260
|
-
assert_equal([ssl, ssl.session], called[:new])
|
261
|
-
assert(ctx.session_remove(ssl.session))
|
262
|
-
assert(!ctx.session_remove(ssl.session))
|
263
|
-
assert_equal([ctx, ssl.session], called[:remove])
|
264
|
-
ssl.close
|
265
|
-
end
|
266
|
-
end
|
267
|
-
|
268
|
-
def test_ctx_server_session_cb
|
269
|
-
called = {}
|
270
|
-
|
271
|
-
ctx_proc = Proc.new { |ctx, ssl|
|
272
|
-
ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_SERVER
|
273
|
-
last_server_session = nil
|
274
|
-
|
275
|
-
# get_cb is called whenever a client proposed to resume a session but
|
276
|
-
# the session could not be found in the internal session cache.
|
277
|
-
ctx.session_get_cb = lambda { |ary|
|
278
|
-
sess, data = ary
|
279
|
-
if last_server_session
|
280
|
-
called[:get2] = [sess, data]
|
281
|
-
last_server_session
|
282
|
-
else
|
283
|
-
called[:get1] = [sess, data]
|
284
|
-
last_server_session = sess
|
285
|
-
nil
|
286
|
-
end
|
287
|
-
}
|
288
|
-
|
289
|
-
ctx.session_new_cb = lambda { |ary|
|
290
|
-
sock, sess = ary
|
291
|
-
called[:new] = [sock, sess]
|
292
|
-
# SSL server doesn't cache sessions so get_cb is called next time.
|
293
|
-
ctx.session_remove(sess)
|
294
|
-
}
|
295
|
-
|
296
|
-
ctx.session_remove_cb = lambda { |ary|
|
297
|
-
ctx, sess = ary
|
298
|
-
called[:remove] = [ctx, sess]
|
299
|
-
}
|
300
|
-
}
|
301
|
-
|
302
|
-
server_proc = Proc.new { |c, ssl|
|
303
|
-
session = ssl.session
|
304
|
-
stats = c.session_cache_stats
|
305
|
-
readwrite_loop(c, ssl)
|
306
|
-
}
|
307
|
-
start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
|
308
|
-
last_client_session = nil
|
309
|
-
3.times do
|
310
|
-
sock = TCPSocket.new("127.0.0.1", port)
|
311
|
-
ssl = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new("SSLv3"))
|
312
|
-
ssl.sync_close = true
|
313
|
-
ssl.session = last_client_session if last_client_session
|
314
|
-
ssl.connect
|
315
|
-
last_client_session = ssl.session
|
316
|
-
ssl.close
|
317
|
-
Thread.pass # try to ensure server calls callbacks
|
318
|
-
assert(called.delete(:new))
|
319
|
-
assert(called.delete(:remove))
|
320
|
-
end
|
321
|
-
end
|
322
|
-
assert(called[:get1])
|
323
|
-
assert(called[:get2])
|
324
|
-
end
|
325
|
-
end
|
326
|
-
|
327
|
-
end
|
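--- a/data/test/1.9/test_x509cert.rb
+++ /dev/null
@@ -1,217 +0,0 @@
-require_relative "utils"
-
-if defined?(OpenSSL)
-
-class OpenSSL::TestX509Certificate < Test::Unit::TestCase
-def setup
-@rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
-@rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
-@dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
-@dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
-@ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
-@ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
-@ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
-end
-
-def teardown
-end
-
-def issue_cert(*args)
-OpenSSL::TestUtils.issue_cert(*args)
-end
-
-def test_serial
-[1, 2**32, 2**100].each{|s|
-cert = issue_cert(@ca, @rsa2048, s, Time.now, Time.now+3600, [],
-nil, nil, OpenSSL::Digest::SHA1.new)
-assert_equal(s, cert.serial)
-cert = OpenSSL::X509::Certificate.new(cert.to_der)
-assert_equal(s, cert.serial)
-}
-end
-
-def test_public_key
-exts = [
-["basicConstraints","CA:TRUE",true],
-["subjectKeyIdentifier","hash",false],
-["authorityKeyIdentifier","keyid:always",false],
-]
-
-sha1 = OpenSSL::Digest::SHA1.new
-dss1 = OpenSSL::Digest::DSS1.new
-[
-[@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dss1], [@dsa512, dss1],
-].each{|pk, digest|
-cert = issue_cert(@ca, pk, 1, Time.now, Time.now+3600, exts,
-nil, nil, digest)
-assert_equal(cert.extensions[1].value,
-OpenSSL::TestUtils.get_subject_key_id(cert))
-cert = OpenSSL::X509::Certificate.new(cert.to_der)
-assert_equal(cert.extensions[1].value,
-OpenSSL::TestUtils.get_subject_key_id(cert))
-}
-end
-
-def test_validity
-now = Time.now until now && now.usec != 0
-cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
-nil, nil, OpenSSL::Digest::SHA1.new)
-assert_not_equal(now, cert.not_before)
-assert_not_equal(now+3600, cert.not_after)
-
-now = Time.at(now.to_i)
-cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
-nil, nil, OpenSSL::Digest::SHA1.new)
-assert_equal(now.getutc, cert.not_before)
-assert_equal((now+3600).getutc, cert.not_after)
-
-now = Time.at(0)
-cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
-nil, nil, OpenSSL::Digest::SHA1.new)
-assert_equal(now.getutc, cert.not_before)
-assert_equal(now.getutc, cert.not_after)
-
-now = Time.at(0x7fffffff)
-cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
-nil, nil, OpenSSL::Digest::SHA1.new)
-assert_equal(now.getutc, cert.not_before)
-assert_equal(now.getutc, cert.not_after)
-end
-
-def test_extension
-ca_exts = [
-["basicConstraints","CA:TRUE",true],
-["keyUsage","keyCertSign, cRLSign",true],
-["subjectKeyIdentifier","hash",false],
-["authorityKeyIdentifier","keyid:always",false],
-]
-ca_cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts,
-nil, nil, OpenSSL::Digest::SHA1.new)
-ca_cert.extensions.each_with_index{|ext, i|
-assert_equal(ca_exts[i].first, ext.oid)
-assert_equal(ca_exts[i].last, ext.critical?)
-}
-
-ee1_exts = [
-["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
-["subjectKeyIdentifier","hash",false],
-["authorityKeyIdentifier","keyid:always",false],
-["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
-["subjectAltName","email:ee1@ruby-lang.org",false],
-]
-ee1_cert = issue_cert(@ee1, @rsa1024, 2, Time.now, Time.now+1800, ee1_exts,
-ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
-assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der)
-ee1_cert.extensions.each_with_index{|ext, i|
-assert_equal(ee1_exts[i].first, ext.oid)
-assert_equal(ee1_exts[i].last, ext.critical?)
-}
-
-ee2_exts = [
-["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
-["subjectKeyIdentifier","hash",false],
-["authorityKeyIdentifier","issuer:always",false],
-["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
-["subjectAltName","email:ee2@ruby-lang.org",false],
-]
-ee2_cert = issue_cert(@ee2, @rsa1024, 3, Time.now, Time.now+1800, ee2_exts,
-ca_cert, @rsa2048, OpenSSL::Digest::MD5.new)
-assert_equal(ca_cert.subject.to_der, ee2_cert.issuer.to_der)
-ee2_cert.extensions.each_with_index{|ext, i|
-assert_equal(ee2_exts[i].first, ext.oid)
-assert_equal(ee2_exts[i].last, ext.critical?)
-}
-
-end
-
-def test_sign_and_verify
-cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-nil, nil, OpenSSL::Digest::SHA1.new)
-assert_equal(false, cert.verify(@rsa1024))
-assert_equal(true, cert.verify(@rsa2048))
-assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
-assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) })
-cert.serial = 2
-assert_equal(false, cert.verify(@rsa2048))
-
-cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-nil, nil, OpenSSL::Digest::MD5.new)
-assert_equal(false, cert.verify(@rsa1024))
-assert_equal(true, cert.verify(@rsa2048))
-
-assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
-assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) })
-cert.subject = @ee1
-assert_equal(false, cert.verify(@rsa2048))
-
-cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-nil, nil, OpenSSL::Digest::DSS1.new)
-assert_equal(false, certificate_error_returns_false { cert.verify(@rsa1024) })
-assert_equal(false, certificate_error_returns_false { cert.verify(@rsa2048) })
-assert_equal(false, cert.verify(@dsa256))
-assert_equal(true, cert.verify(@dsa512))
-cert.not_after = Time.now
-assert_equal(false, cert.verify(@dsa512))
-
-begin
-cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-nil, nil, OpenSSL::Digest::DSS1.new)
-assert_equal(false, cert.verify(@rsa1024))
-assert_equal(true, cert.verify(@rsa2048))
-assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
-assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) })
-cert.subject = @ee1
-assert_equal(false, cert.verify(@rsa2048))
-rescue OpenSSL::X509::CertificateError
-end
-
-assert_raise(OpenSSL::X509::CertificateError){
-cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-nil, nil, OpenSSL::Digest::MD5.new)
-}
-end
-
-def test_dsig_algorithm_mismatch
-assert_raise(OpenSSL::X509::CertificateError) do
-cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-nil, nil, OpenSSL::Digest::DSS1.new)
-end
-assert_raise(OpenSSL::X509::CertificateError) do
-cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-nil, nil, OpenSSL::Digest::MD5.new)
-end
-end
-
-def test_dsa_with_sha2
-begin
-cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
-nil, nil, OpenSSL::Digest::SHA256.new)
-assert_equal("dsa_with_SHA256", cert.signature_algorithm)
-rescue OpenSSL::X509::CertificateError
-# dsa_with_sha2 not supported. skip following test.
-return
-end
-# TODO: need more tests for dsa + sha2
-
-# SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1)
-cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
-nil, nil, OpenSSL::Digest::SHA1.new)
-assert_equal("dsaWithSHA1", cert.signature_algorithm)
-end if defined?(OpenSSL::Digest::SHA256)
-
-def test_check_private_key
-cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-nil, nil, OpenSSL::Digest::SHA1.new)
-assert_equal(true, cert.check_private_key(@rsa2048))
-end
-
-private
-
-def certificate_error_returns_false
-yield
-rescue OpenSSL::X509::CertificateError
-false
-end
-end
-
-end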