krypt 0.0.1

data/lib/krypt/hmac.rb

@@ -0,0 +1,69 @@
+module Krypt
+  class HMAC
+    include Krypt::Helper::XOR
+
+    def initialize(digest, key)
+      @digest = digest
+      @key = process_key(key)
+
+      # hash ipad
+      hash_pad(0x36)
+    end
+
+    def update(data)
+      @digest << data
+    end
+    alias << update
+
+    def digest
+      inner_digest = @digest.digest
+      # hash opad
+      hash_pad(0x5c)
+      @digest << inner_digest
+      @digest.digest
+    end
+
+    def hexdigest
+      Krypt::Hex.encode(digest)
+    end
+
+    class << self
+
+      def digest(md, key, data)
+        hmac = self.new(md, key)
+        hmac << data
+        hmac.digest
+      end
+
+      def hexdigest(md, key, data)
+        Krypt::Hex.encode(digest(md, key, data))
+      end
+
+    end
+
+    private
+
+      def process_key(key)
+        block_len = @digest.block_length
+
+        if key.size > block_len
+          key = @digest.digest(key)
+        end
+
+        if key.size < block_len
+          new_key = key.dup.tap do |new_key|
+            (block_len - key.size).times { new_key << 0 }
+          end
+        else
+          key
+        end
+      end
+
+      def hash_pad(pad_char)
+        @digest << String.new.tap do |s|
+          @key.each_byte { |b| s << (pad_char ^ b) }
+        end
+      end
+
+  end
+end

data/lib/krypt/pkcs5.rb

@@ -0,0 +1 @@
+require_relative 'pkcs5/pbkdf2'

data/lib/krypt/pkcs5/pbkdf2.rb

@@ -0,0 +1,41 @@
+module Krypt
+  class PBKDF2
+    include Krypt::Helper::XOR
+    
+    MAX_FACTOR = (2 ** 32) - 1
+
+    def initialize(digest)
+      @digest = digest
+      @block_size = digest.digest_length
+    end
+
+    def generate(pwd, salt, iter, outlen)
+      raise "outlen too large" if outlen > MAX_FACTOR * @block_size
+
+      @digest.reset
+      num_blocks = (outlen.to_f / @block_size).ceil
+      # enforces ASCII-8BIT
+      String.new.tap do |result|
+        1.upto(num_blocks) { |i| result << f(pwd, salt, iter, i) }
+      end.slice(0, outlen)
+    end
+
+    def generate_hex(pwd, salt, iter, outlen)
+      Krypt::Hex.encode(generate(pwd, salt, iter, outlen))
+    end
+
+    private
+
+      def f(pwd, salt, iter, i)
+        u = salt + [i].pack("L>")
+        ("\0" * @block_size).force_encoding(Encoding::BINARY).tap do |result|
+          1.upto(iter) do
+            u = Krypt::HMAC.digest(@digest, pwd, u)
+            xor!(result, u)
+          end
+        end
+      end
+
+  end
+end
+

data/lib/krypt/provider.rb

@@ -0,0 +1,35 @@
+module Krypt::Provider
+
+  PROVIDERS = {}
+  PROVIDER_LIST = []
+
+  class AlreadyExistsError < Krypt::Error; end
+
+  class ServiceNotAvailableError < Krypt::Error; end
+
+  module_function
+
+    def register(name, provider)
+      raise AlreadyExistsError.new("There already is a Provider named #{name}") if PROVIDERS.has_key?(name)
+      PROVIDERS[name] = provider
+      PROVIDER_LIST << name
+    end
+
+    def by_name(name)
+      PROVIDERS[name]
+    end
+
+    def remove(name)
+      PROVIDERS.delete(name)
+      PROVIDER_LIST.delete(name)
+    end
+
+    def new_service(klass, *args)
+      PROVIDER_LIST.reverse.each do |name| 
+        service = PROVIDERS[name].new_service(klass, *args)
+        return service if service
+      end
+      raise ServiceNotAvailableError.new("The requested service is not available")
+    end
+
+end

data/lib/krypt/x509.rb

@@ -0,0 +1,3 @@
+require_relative 'x509/common'
+require_relative 'x509/certificate'
+require_relative 'x509/crl'

data/lib/krypt/x509/certificate.rb

@@ -0,0 +1,36 @@
+module Krypt
+  module X509
+
+    class Certificate
+      include ASN1::Template::Sequence
+
+      class SubjectPublicKeyInfo
+        include ASN1::Template::Sequence
+
+        asn1_template :algorithm, ASN1::AlgorithmIdentifier
+        asn1_bit_string :subject_pkey
+      end
+
+      class TBSCertificate
+        include ASN1::Template::Sequence
+
+        asn1_integer :version, tag: 0, tagging: :EXPLICIT, default: 0
+        asn1_integer :serial
+        asn1_template :algorithm, ASN1::AlgorithmIdentifier
+        asn1_template :issuer, ASN1::DistinguishedName
+        asn1_template :validity, X509::Validity
+        asn1_template :subject, ASN1::DistinguishedName
+        asn1_template :subject_pkey, SubjectPublicKeyInfo
+        asn1_bit_string :issuer_id, tag: 1, tagging: :IMPLICIT, optional: true
+        asn1_bit_string :subject_id, tag: 2, tagging: :IMPLICIT, optional: true
+        asn1_sequence_of :extensions, X509::Extension, tag: 3, tagging: :EXPLICIT, optional: true
+      end
+
+      asn1_template :tbs_cert, TBSCertificate
+      asn1_template :algorithm, ASN1::AlgorithmIdentifier
+      asn1_bit_string :signature
+    end
+
+  end
+end
+

data/lib/krypt/x509/common.rb

@@ -0,0 +1,41 @@
+module Krypt
+  module X509
+
+    class Extension
+      include ASN1::Template::Sequence
+
+      asn1_object_id :id
+      asn1_boolean :critical, default: false
+      asn1_octet_string :value
+    end
+
+    class Attribute
+      include ASN1::Template::Sequence
+
+      asn1_object_id :type
+      asn1_set_of :value, ASN1::ASN1Data
+    end
+
+    class IssuerSerialNumber
+      include Krypt::ASN1::Template::Sequence
+
+      asn1_template :issuer, ASN1::DistinguishedName
+      asn1_integer :serial
+    end
+
+    class Time
+      include ASN1::Template::Choice
+
+      asn1_utc_time
+      asn1_generalized_time
+    end
+
+    class Validity
+      include ASN1::Template::Sequence
+
+      asn1_template :not_before, X509::Time
+      asn1_template :not_after, X509::Time
+    end
+
+  end
+end

data/lib/krypt/x509/crl.rb

@@ -0,0 +1,33 @@
+module Krypt
+  module X509
+
+    class CRL
+      include ASN1::Template::Sequence
+
+      class RevokedCertificates
+        include ASN1::Template::Sequence
+
+        asn1_integer :serial_number
+        asn1_template :revocation_date, X509::Time
+        asn1_template :crl_entry_extensions, X509::Extension
+      end
+
+      class TBSCertList
+        include ASN1::Template::Sequence
+
+        asn1_integer :version, default: 1
+        asn1_template :signature_algorithm, ASN1::AlgorithmIdentifier
+        asn1_template :issuer, ASN1::DistinguishedName
+        asn1_template :this_update, X509::Time
+        asn1_template :next_update, X509::Time
+        asn1_sequence_of :revoked_certificates, RevokedCertificates, optional: true
+        asn1_template :extensions, X509::Extension, tag: 0, tagging: :EXPLICIT, optional: true
+      end
+
+      asn1_template :tbs_cert_list, TBSCertList
+      asn1_template :signature_algorithm, ASN1::AlgorithmIdentifier
+      asn1_bit_string :signature
+    end
+
+  end
+end

data/lib/krypt_missing.rb

@@ -0,0 +1,32 @@
+unless Kernel.respond_to? :private_constant
+  module Kernel
+    def private_constant(*)
+      # TODO delete when sufficiently supported
+      nil
+    end
+  end
+end
+
+module Krypt
+ module Helper
+  
+  module XOR
+    def xor(s1, s2)
+      String.new.tap do |result|
+        s1.bytes.each_with_index do |b, i|
+          result << (b ^ s2.getbyte(i))
+        end
+      end
+    end
+
+    def xor!(recv, other)
+      recv.bytes.each_with_index do |b, i|
+        recv.setbyte(i, b ^ other.getbyte(i))
+      end
+      recv
+    end
+  end
+
+ end
+end
+

data/spec/krypt-core/MEMO.txt

@@ -0,0 +1,85 @@
+module Krypt
+  class KryptError < StandardError; end
+
+  module ASN1
+    class ASN1Error < KryptError; end
+    class ParseError < ASN1Error; end
+    class SerializeError < ASN1Error; end
+
+    END_OF_CONTENTS = 0
+    BOOLEAN = 1
+    ...
+    BMP_STRING = 30
+
+    UNIVERSAL_TAG_NAME = ["END_OF_CONTENTS", "BOOLEAN", ... ]
+
+    def self.decode(str_or_file_or_readable)
+    end
+
+    class ASN1Data
+      attr_accessor :tag, :tag_class, :value
+      attr_reader :infinite_length
+
+      def initialize(value, tag, tag_class); end
+      def to_der; end
+      def encode_to(io); end #=> self
+    end
+
+    class Primitive < ASN1Data
+    end
+
+    class Constructive < ASN1Data
+      attr_writer :infinite_length # ?
+      def each; end
+    end
+
+    class EndOfContents < Primitive; end
+    class Boolean < Primitive; end
+    class Integer < Primitive; end
+    class Enumerated < Primitive; end
+    class BitString < Primitive; end
+    class OctetString < Primitive; end
+    class UTF8String < Primitive; end
+    class NumericString < Primitive; end
+    class PrintableString < Primitive; end
+    class T61String < Primitive; end
+    class VideotexString < Primitive; end
+    class IA5String < Primitive; end
+    class GraphicString < Primitive; end
+    class ISO64String < Primitive; end
+    class GeneralString < Primitive; end
+    class UniversalString < Primitive; end
+    class BMPString < Primitive; end
+    class Null < Primitive; end
+    class ObjectId < Primitive; end
+    class UTCTime < Primitive; end
+    class GeneralizedTime < Primitive; end
+
+    class Sequence < Constructive; end
+    class Set < Constructive; end
+
+    class Parser
+      def next(io); end #=> Header
+    end
+
+    class Header
+      attr_reader :tag, :tag_class, :length, :header_length
+      def constructed?; end
+      def infinite?; end
+
+      def bytes; end #=> String
+      def encode_to(io); end #=> self
+
+      def skip_value; end
+      def value; end
+      def value_io; end # get value (V of TLV) stream
+
+      def to_s; end
+    end
+
+    class Instream
+      def read(len = nil, buf = nil); end
+      def seek(offset, whence = SEEK_SET); end
+    end
+  end
+end

data/spec/krypt-core/asn1/asn1_bit_string_spec.rb

@@ -0,0 +1,475 @@
+# encoding: US-ASCII
+
+require 'rspec'
+require 'krypt'
+require 'openssl'
+require_relative './resources'
+
+describe Krypt::ASN1::BitString do 
+  include Krypt::ASN1::Resources
+
+  let(:mod) { Krypt::ASN1 }
+  let(:klass) { mod::BitString }
+  let(:decoder) { mod }
+  let(:asn1error) { mod::ASN1Error }
+
+  # For test against OpenSSL
+  #
+  #let(:mod) { OpenSSL::ASN1 }
+  #
+  # OpenSSL stub for signature mismatch
+  class OpenSSL::ASN1::BitString
+    class << self
+      alias old_new new
+      def new(*args)
+        if args.size > 1
+          args = [args[0], args[1], :IMPLICIT, args[2]]
+        end
+        old_new(*args)
+      end
+    end
+  end
+
+  def _B(bin_encode)
+    [bin_encode.reverse].pack('b*').reverse
+  end
+
+  describe '#new' do
+    context 'gets value for construct' do
+      subject { klass.new(value) }
+
+      context 'accepts binary packed 01010101 := "\x55"' do
+        let(:value) { _B('01010101') }
+        its(:tag) { should == Krypt::ASN1::BIT_STRING }
+        its(:tag_class) { should == :UNIVERSAL }
+        its(:value) { should == value }
+        its(:infinite_length) { should == false }
+      end
+
+      context 'accepts (empty)' do
+        let(:value) { '' }
+        its(:tag) { should == Krypt::ASN1::BIT_STRING }
+        its(:tag_class) { should == :UNIVERSAL }
+        its(:value) { should == '' }
+        its(:infinite_length) { should == false }
+      end
+    end
+
+    context 'gets explicit tag number as the 2nd argument' do
+      subject { klass.new(_B('01010101'), tag, :PRIVATE) }
+
+      context 'accepts default tag' do
+        let(:tag) { Krypt::ASN1::BIT_STRING }
+        its(:tag) { should == tag }
+      end
+
+      context 'accepts custom tag' do
+        let(:tag) { 14 }
+        its(:tag) { should == tag }
+      end
+    end
+
+    context 'gets tag class symbol as the 3rd argument' do
+      subject { klass.new(_B('01010101'), Krypt::ASN1::BIT_STRING, tag_class) }
+
+      context 'accepts :UNIVERSAL' do
+        let(:tag_class) { :UNIVERSAL }
+        its(:tag_class) { should == tag_class }
+      end
+
+      context 'accepts :APPLICATION' do
+        let(:tag_class) { :APPLICATION }
+        its(:tag_class) { should == tag_class }
+      end
+
+      context 'accepts :CONTEXT_SPECIFIC' do
+        let(:tag_class) { :CONTEXT_SPECIFIC }
+        its(:tag_class) { should == tag_class }
+      end
+
+      context 'accepts :PRIVATE' do
+        let(:tag_class) { :PRIVATE }
+        its(:tag_class) { should == tag_class }
+      end
+
+      context 'accepts :IMPLICIT' do
+        let(:tag_class) { :IMPLICIT }
+        its(:tag_class) { should == tag_class }
+      end
+
+      context 'accepts :EXPLICIT' do
+        let(:tag_class) { :EXPLICIT }
+        its(:tag_class) { should == tag_class }
+      end
+    end
+
+    context 'when the 2nd argument is given but 3rd argument is omitted' do
+      subject { klass.new(_B('01010101'), Krypt::ASN1::BIT_STRING) }
+      its(:tag_class) { should == :CONTEXT_SPECIFIC }
+    end
+
+    context 'sets unused_bits to 0' do
+      subject { klass.new(nil) }
+      its(:unused_bits) { should == 0 }
+    end
+  end
+
+  describe 'accessors' do
+    describe '#value' do
+      subject { o = klass.new(nil); o.value = value; o }
+
+      context 'accepts binary packed 01010101 := "\x55"' do
+        let(:value) { _B('01010101') }
+        its(:value) { should == value }
+      end
+
+      context 'accepts (empty)' do
+        let(:value) { '' }
+        its(:value) { should == '' }
+      end
+    end
+
+    describe '#tag' do
+      subject { o = klass.new(nil); o.tag = tag; o }
+
+      context 'accepts default tag' do
+        let(:tag) { Krypt::ASN1::BIT_STRING }
+        its(:tag) { should == tag }
+      end
+
+      context 'accepts custom tag' do
+        let(:tag) { 14 }
+        its(:tag) { should == tag }
+      end
+    end
+
+    describe '#tag_class' do
+      subject { o = klass.new(nil); o.tag_class = tag_class; o }
+
+      context 'accepts :UNIVERSAL' do
+        let(:tag_class) { :UNIVERSAL }
+        its(:tag_class) { should == tag_class }
+      end
+
+      context 'accepts :APPLICATION' do
+        let(:tag_class) { :APPLICATION }
+        its(:tag_class) { should == tag_class }
+      end
+
+      context 'accepts :CONTEXT_SPECIFIC' do
+        let(:tag_class) { :CONTEXT_SPECIFIC }
+        its(:tag_class) { should == tag_class }
+      end
+
+      context 'accepts :PRIVATE' do
+        let(:tag_class) { :PRIVATE }
+        its(:tag_class) { should == tag_class }
+      end
+
+      context 'accepts :IMPLICIT' do
+        let(:tag_class) { :IMPLICIT }
+        its(:tag_class) { should == tag_class }
+      end
+
+      context 'accepts :EXPLICIT' do
+        let(:tag_class) { :EXPLICIT }
+        its(:tag_class) { should == tag_class }
+      end
+    end
+  end
+
+  describe '#to_der' do
+    context 'encodes a given value' do
+      subject { klass.new(value).to_der }
+
+      context '01010101' do
+        let(:value) { _B('01010101') }
+        it { should == "\x03\x02\x00\x55" }
+      end
+
+      context '010101010' do
+        let(:value) { _B('010101010') }
+        it { should == "\x03\x03\x00\x00\xAA" }
+      end
+
+      context '(empty)' do
+        let(:value) { '' }
+        it { should == "\x03\x01\x00" }
+      end
+
+      context '999 octets' do
+        let(:value) { _B('1' * 8 * 999) }
+        it { should == "\x03\x82\x03\xE8\x00" + "\xFF" * 999 }
+      end
+
+      context '1000 octets' do
+        let(:value) { _B('0' * 8 * 1000) }
+        it { should == "\x03\x82\x03\xE9\x00" + "\x00" * 1000 }
+      end
+
+      context '1001 octets' do
+        let(:value) { _B('1' * 8 * 1001) }
+        it { should == "\x03\x82\x03\xEA\x00" + "\xFF" * 1001 }
+      end
+
+      context 'nil' do
+        let(:value) { nil }
+        it { -> { subject }.should raise_error asn1error }
+      end
+    end
+
+    context 'encodes tag number' do
+      subject { klass.new(_B('01010101'), tag, :PRIVATE).to_der }
+
+      context 'default tag' do
+        let(:tag) { Krypt::ASN1::BIT_STRING }
+        it { should == "\xC3\x02\x00\x55" }
+      end
+
+      context 'custom tag' do
+        let(:tag) { 14 }
+        it { should == "\xCE\x02\x00\x55" }
+      end
+
+      context 'nil' do
+        let(:tag) { nil }
+        it { -> { subject }.should raise_error asn1error }
+      end
+    end
+
+    context 'encodes tag class' do
+      subject { klass.new(_B('01010101'), Krypt::ASN1::BIT_STRING, tag_class).to_der }
+
+      context 'UNIVERSAL' do
+        let(:tag_class) { :UNIVERSAL }
+        it { should == "\x03\x02\x00\x55" }
+      end
+
+      context 'APPLICATION' do
+        let(:tag_class) { :APPLICATION }
+        it { should == "\x43\x02\x00\x55" }
+      end
+
+      context 'CONTEXT_SPECIFIC' do
+        let(:tag_class) { :CONTEXT_SPECIFIC }
+        it { should == "\x83\x02\x00\x55" }
+      end
+
+      context 'PRIVATE' do
+        let(:tag_class) { :PRIVATE }
+        it { should == "\xC3\x02\x00\x55" }
+      end
+
+      context "IMPLICIT" do
+        let(:tag_class) { :IMPLICIT }
+        it { should == "\x83\x02\x00\x55" }
+      end
+
+      context "EXPLICIT" do
+        let(:tag_class) { :EXPLICIT }
+        it { should == "\xA3\x04\x03\x02\x00\x55" }
+      end
+
+      context nil do
+        let(:tag_class) { nil }
+        it { -> { subject }.should raise_error asn1error } # TODO: ossl does not check nil
+      end
+
+      context :no_such_class do
+        let(:tag_class) { :no_such_class }
+        it { -> { subject }.should raise_error asn1error }
+      end
+    end
+
+    context 'encodes values set via accessors' do
+      subject {
+        o = klass.new(nil)
+        o.value = value if defined? value
+        o.tag = tag if defined? tag
+        o.tag_class = tag_class if defined? tag_class
+        o.unused_bits = unused_bits if defined? unused_bits
+        o.to_der
+      }
+
+      context 'value: 01010101' do
+        let(:value) { _B('01010101') }
+        it { should == "\x03\x02\x00\x55" }
+      end
+
+      context 'custom tag' do
+        let(:value) { _B('01010101') }
+        let(:tag) { 14 }
+        let(:tag_class) { :PRIVATE }
+        it { should == "\xCE\x02\x00\x55" }
+      end
+
+      context 'tag_class' do
+        let(:value) { _B('01010101') }
+        let(:tag_class) { :APPLICATION }
+        it { should == "\x43\x02\x00\x55" }
+      end
+
+      context 'unused_bits' do
+        let(:value) { _B('01010100') }
+        let(:unused_bits) { 2 }
+        it { should == "\x03\x02\x02\x54" }
+      end
+
+      context 'rejects unused_bits' do
+        let (:value) { _B('01010100') }
+
+        context '< 0' do
+          let(:unused_bits) { -1 }
+          it { -> { subject }.should raise_error asn1error }
+        end
+
+        context '> 7' do
+          let(:unused_bits) { 8 }
+          it { -> { subject }.should raise_error asn1error }
+        end
+      end
+    end
+  end
+
+  describe '#encode_to' do
+    context 'encodes to an IO' do
+      subject { klass.new(value).encode_to(io); io }
+
+      context "StringIO" do
+        let(:value) { _B('01010101') }
+        let(:io) { string_io_object }
+        its(:written_bytes) { should == "\x03\x02\x00\x55" }
+      end
+
+      context "Object responds to :write" do
+        let(:value) { _B('01010101') }
+        let(:io) { writable_object }
+        its(:written_bytes) { should == "\x03\x02\x00\x55" }
+      end
+
+      context "raise IO error transparently" do
+        let(:value) { _B('01010101') }
+        let(:io) { io_error_object }
+        it { -> { subject }.should raise_error asn1error }
+      end
+    end
+
+    it 'returns self' do
+      obj = klass.new(_B('01010101'))
+      obj.encode_to(string_io_object).should == obj
+    end
+  end
+
+  describe 'extracted from ASN1.decode' do
+    subject { decoder.decode(der) }
+
+    context 'extracted value' do
+      context '01010101' do
+        let(:der) { "\x03\x02\x00\x55" }
+        its(:class) { should == klass }
+        its(:tag) { should == Krypt::ASN1::BIT_STRING }
+        its(:value) { should == _B('01010101') }
+      end
+
+      context '010101010' do
+        let(:der) { "\x03\x03\x00\x00\xAA" }
+        its(:class) { should == klass }
+        its(:tag) { should == Krypt::ASN1::BIT_STRING }
+        its(:value) { should == "\x00\xAA" }
+      end
+
+      context '(empty)' do
+        let(:der) { "\x03\x01\x00" }
+        its(:class) { should == klass }
+        its(:tag) { should == Krypt::ASN1::BIT_STRING }
+        its(:value) { should == '' }
+      end
+
+      context '999 octets' do
+        let(:der) { "\x03\x82\x03\xE8\x00" + "\xFF" * 999 }
+        its(:class) { should == klass }
+        its(:tag) { should == Krypt::ASN1::BIT_STRING }
+        its(:value) { should == "\xFF" * 999 }
+      end
+
+      context '1000 octets' do
+        let(:der) { "\x03\x82\x03\xE9\x00" + "\x00" * 1000 }
+        its(:class) { should == klass }
+        its(:tag) { should == Krypt::ASN1::BIT_STRING }
+        its(:value) { should == "\x00" * 1000 }
+      end
+
+      context '1001 octets' do
+        let(:der) { "\x03\x82\x03\xEA\x00" + "\xFF" * 1001 }
+        its(:class) { should == klass }
+        its(:tag) { should == Krypt::ASN1::BIT_STRING }
+        its(:value) { should == "\xFF" * 1001 }
+      end
+
+      it 'rejects incomplete value' do
+        asn1 = decoder.decode("\x03\x00")
+        -> { asn1.value }.should raise_error asn1error
+      end
+
+      context 'unused_bits is 0 for empty value' do
+        let(:der) { "\x03\x01\x00" }
+        its(:class) { should == klass }
+        its(:tag) { should == Krypt::ASN1::BIT_STRING }
+        its(:value) { should == '' }
+        its(:unused_bits) { should == 0 }
+      end
+
+      context 'unused_bits non-zero' do
+        let(:der) { "\x03\x02\x02\x01" }
+        its(:class) { should == klass }
+        its(:tag) { should == Krypt::ASN1::BIT_STRING }
+        its(:value) { should == "\x01" }
+        its(:unused_bits) { should == 2 }
+      end
+
+      context 'rejects unused_bits larger than 7' do
+        let(:der) { "\x03\x02\x08\x01" }
+        it { -> { subject.value }.should raise_error asn1error }
+      end
+    end
+
+    context 'extracted tag class' do
+      context 'UNIVERSAL' do
+        let(:der) { "\x03\x03\x00\x00\xAA" }
+        its(:tag_class) { should == :UNIVERSAL }
+      end
+
+      context 'APPLICATION' do
+        let(:der) { "\x43\x03\x00\x00\xAA" }
+        its(:tag_class) { should == :APPLICATION }
+      end
+
+      context 'CONTEXT_SPECIFIC' do
+        let(:der) { "\x83\x03\x00\x00\xAA" }
+        its(:tag_class) { should == :CONTEXT_SPECIFIC }
+      end
+
+      context 'PRIVATE' do
+        let(:der) { "\xC3\x03\x00\x00\xAA" }
+        its(:tag_class) { should == :PRIVATE }
+      end
+
+      context "setting IMPLICIT will result in CONTEXT_SPECIFIC" do
+        let(:der) { "\x03\x03\x00\x00\xAA" }
+        it do
+          subject.tag_class = :IMPLICIT
+          subject.to_der.should == "\x83\x03\x00\x00\xAA"
+        end
+      end
+
+      context "setting EXPLICIT will reencode as CONTEXT_SPECIFIC" do
+        let(:der) { "\x03\x03\x00\x00\xAA" }
+        it do
+          subject.tag_class = :EXPLICIT
+          subject.tag = 0
+          subject.to_der.should == "\xA0\x05\x03\x03\x00\x00\xAA" 
+        end
+      end
+    end
+  end
+end