puppet 6.3.0 → 6.4.0

data/spec/unit/x509/pem_store_spec.rb

@@ -0,0 +1,160 @@
+# coding: utf-8
+require 'spec_helper'
+require 'puppet/x509'
+
+class Puppet::X509::TestPemStore
+  include Puppet::X509::PemStore
+end
+
+describe Puppet::X509::PemStore do
+  include PuppetSpec::Files
+
+  let(:subject) { Puppet::X509::TestPemStore.new }
+
+  def with_unreadable_file
+    path = tmpfile('pem_store')
+    Puppet::FileSystem.touch(path)
+    Puppet::FileSystem.chmod(0, path)
+    yield path
+  ensure
+    Puppet::FileSystem.chmod(0600, path)
+  end
+
+  def with_unwritable_file(&block)
+    if Puppet::Util::Platform.windows?
+      with_unwritable_file_win32(&block)
+    else
+      with_unwritable_file_posix(&block)
+    end
+  end
+
+  def with_unwritable_file_win32
+    dir = tmpdir('pem_store')
+    path = File.join(dir, 'unwritable')
+
+    # if file handle is open, then file can't be written by other processes
+    File.open(path, 'w') do |f|
+      yield path
+    end
+  end
+
+  def with_unwritable_file_posix
+    dir = tmpdir('pem_store')
+    path = File.join(dir, 'unwritable')
+    # if directory is not executable/traverseable, then file can't be written to
+    Puppet::FileSystem.chmod(0, dir)
+    begin
+      yield path
+    ensure
+      Puppet::FileSystem.chmod(0700, dir)
+    end
+  end
+
+  let(:cert_path) { File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'netlock-arany-utf8.pem') }
+
+  context 'loading' do
+    it 'returns nil if it does not exist' do
+      expect(subject.load_pem('/does/not/exist')).to be_nil
+    end
+
+    it 'returns the file content as UTF-8' do
+      expect(
+        subject.load_pem(cert_path)
+      ).to match(/\ANetLock Arany \(Class Gold\) Főtanúsítvány/)
+    end
+
+    it 'raises EACCES if the file is unreadable' do
+      with_unreadable_file do |path|
+        expect {
+          subject.load_pem(path)
+        }.to raise_error(Errno::EACCES, /Permission denied/)
+      end
+    end
+  end
+
+  context 'saving' do
+    let(:path) { tmpfile('pem_store') }
+
+    it 'writes the file content as UTF-8' do
+      # read the file directly to preserve the comments
+      utf8 = File.read(cert_path, encoding: 'UTF-8')
+
+      subject.save_pem(utf8, path)
+
+      expect(
+        File.read(path, :encoding => 'UTF-8')
+      ).to match(/\ANetLock Arany \(Class Gold\) Főtanúsítvány/)
+    end
+
+    it 'never changes the owner and group on Windows', if: Puppet::Util::Platform.windows? do
+      FileUtils.expects(:chown).never
+
+      subject.save_pem('PEM', path, owner: 'Administrator', group: 'None')
+    end
+
+    it 'changes the owner and group when running as root', unless: Puppet::Util::Platform.windows? do
+      Puppet.features.stubs(:root?).returns(true)
+      FileUtils.expects(:chown).with('root', 'root', path)
+
+      subject.save_pem('PEM', path, owner: 'root', group: 'root')
+    end
+
+    it 'does not change owner and group when running not as roo', unless: Puppet::Util::Platform.windows? do
+      Puppet.features.stubs(:root?).returns(false)
+      FileUtils.expects(:chown).never
+
+      subject.save_pem('PEM', path, owner: 'root', group: 'root')
+    end
+
+    it 'allows a mode of 0600 to be specified', unless: Puppet::Util::Platform.windows? do
+      subject.save_pem('PEM', path, mode: 0600)
+
+      expect(File.stat(path).mode & 0777).to eq(0600)
+    end
+
+    it 'defaults the mode to 0644' do
+      subject.save_pem('PEM', path)
+
+      expect(File.stat(path).mode & 0777).to eq(0644)
+    end
+
+    it 'raises EACCES if the file is unwritable' do
+      with_unwritable_file do |path|
+        expect {
+          subject.save_pem('', path)
+        }.to raise_error(Errno::EACCES, /Permission denied/)
+      end
+    end
+
+    it 'raises if the directory does not exist' do
+      dir = tmpdir('pem_store')
+      Dir.unlink(dir)
+
+      expect {
+        subject.save_pem('', File.join(dir, 'something'))
+      }.to raise_error(Errno::ENOENT, /No such file or directory/)
+    end
+  end
+
+  context 'deleting' do
+    it 'returns false if the file does not exist' do
+      expect(subject.delete_pem('/does/not/exist')).to eq(false)
+    end
+
+    it 'returns true if the file exists' do
+      path = tmpfile('pem_store')
+      FileUtils.touch(path)
+
+      expect(subject.delete_pem(path)).to eq(true)
+      expect(File).to_not be_exist(path)
+    end
+
+    it 'raises EACCES if the file is undeletable' do
+      with_unwritable_file do |path|
+        expect {
+          subject.delete_pem(path)
+        }.to raise_error(Errno::EACCES, /Permission denied/)
+      end
+    end
+  end
+end

data/tasks/generate_cert_fixtures.rake

@@ -0,0 +1,158 @@
+# Run this rake task to generate cert fixtures used in unit tests. This should
+# be run whenever new fixtures are required that derive from the existing ones
+# such as to add an extension to client certs, change expiration, etc. All
+# regenerated fixtures should be committed together.
+desc "Generate cert test fixtures"
+task(:gen_cert_fixtures) do
+  $LOAD_PATH << File.expand_path(File.join(File.dirname(__FILE__), '../spec/lib'))
+  require 'puppet/test_ca'
+
+  def save(dir, name, x509)
+    path = File.join(dir, name)
+    puts "Generating #{path}"
+    File.open(path, 'w') do |f|
+      f.write(x509.to_text)
+      text = if block_given?
+               yield x509
+             else
+               x509.to_pem
+             end
+
+      f.write(text)
+    end
+  end
+
+  # This task generates a PKI consisting of a root CA, intermediate CA and
+  # several leaf certs. A CRL is generated for each CA. The root CA CRL is
+  # empty, while the intermediate CA CRL contains the revoked cert's serial
+  # number. A textual representation of each X509 object is included in the
+  # fixture as a comment.
+  #
+  # Certs
+  # =====
+  #
+  # ca.pem                           /CN=Test CA
+  #                                   |
+  # intermediate.pem                  +- /CN=Test CA Subauthority
+  #                                   |   |
+  # signed.pem                        |   +- /CN=signed
+  # revoked.pem                       |   +- /CN=revoked
+  # 127.0.0.1.pem                     |   +- /CN=127.0.0.1 (with dns alt names)
+  # tampered.pem                      |   +- /CN=signed (with different public key)
+  #                                   |
+  #                                   + /CN=Test CA Agent Subauthority
+  #                                   |  |
+  # pluto.pem                         |  +- /CN=pluto
+  #                                   |
+  # bad-int-basic-constraints.pem     +- /CN=Test CA Subauthority (bad isCA constraint)
+  #
+  # bad-basic-constraints.pem        /CN=Test CA (bad isCA constraint)
+  #
+  # Keys
+  # ====
+  #
+  # The RSA private key for each leaf cert is also generated. In addition,
+  # `encrypted-key.pem` contains the private key for the `signed` cert.
+  #
+  # Requests
+  # ========
+  #
+  # `request.pem` contains a valid CSR for /CN=pending, while `tampered_csr.pem`
+  # is the same as `request.pem`, but it's public key has been replaced.
+  #
+  ca = Puppet::TestCa.new
+  dir = File.join(RAKE_ROOT, 'spec/fixtures/ssl')
+
+  # Create Test CA & CRL
+  save(dir, 'ca.pem', ca.ca_cert)
+  save(dir, 'crl.pem', ca.ca_crl)
+
+  # Create Intermediate CA & CRL "Test CA Subauthority" issued by "Test CA"
+  inter = ca.create_intermediate_cert('Test CA Subauthority', ca.ca_cert, ca.key)
+  save(dir, 'intermediate.pem', inter[:cert])
+  inter_crl = ca.create_crl(inter[:cert], inter[:private_key])
+
+  # Create a leaf/entity key and cert for host "signed" and issued by "Test CA Subauthority"
+  signed = ca.create_cert('signed', inter[:cert], inter[:private_key])
+  save(dir, 'signed.pem', signed[:cert])
+  save(dir, 'signed-key.pem', signed[:private_key])
+
+  # Create an encrypted version of the above private key for host "signed"
+  save(dir, 'encrypted-key.pem', signed[:private_key]) do |x509|
+    # private key password was chosen at random
+    x509.to_pem(OpenSSL::Cipher::AES.new(128, :CBC), '74695716c8b6')
+  end
+
+  # Create an SSL cert for 127.0.0.1 with dns_alt_names
+  signed = ca.create_cert('127.0.0.1', ca.ca_cert, ca.key, subject_alt_names: 'DNS:127.0.0.1,DNS:127.0.0.2')
+  save(dir, '127.0.0.1.pem', signed[:cert])
+  save(dir, '127.0.0.1-key.pem', signed[:private_key])
+
+  # Create a leaf/entity key and cert for host "revoked", issued by "Test CA Subauthority"
+  # and revoke the cert
+  revoked = ca.create_cert('revoked', inter[:cert], inter[:private_key])
+  ca.revoke(revoked[:cert], inter_crl, inter[:private_key])
+  save(dir, 'revoked.pem', revoked[:cert])
+  save(dir, 'revoked-key.pem', revoked[:private_key])
+
+  # Update intermediate CRL now that we've revoked
+  save(dir, 'intermediate-crl.pem', inter_crl)
+
+  # Create a pending request (CSR) and private key for host "pending"
+  request = ca.create_request('pending')
+  save(dir, 'request.pem', request[:csr])
+  save(dir, 'request-key.pem', request[:private_key])
+
+  # Create an intermediate for agent certs
+  inter_agent = ca.create_intermediate_cert('Test CA Agent Subauthority', ca.ca_cert, ca.key)
+  save(dir, 'intermediate-agent.pem', inter_agent[:cert])
+  inter_agent_crl = ca.create_crl(inter_agent[:cert], inter_agent[:private_key])
+  save(dir, 'intermediate-agent-crl.pem', inter_agent_crl)
+
+  # Create a leaf/entity key and cert for host "pluto" and issued by "Test CA Agent Subauthority"
+  pluto = ca.create_cert('pluto', inter_agent[:cert], inter_agent[:private_key])
+  save(dir, 'pluto.pem', pluto[:cert])
+  save(dir, 'pluto-key.pem', pluto[:private_key])
+
+  # Create a new root CA cert, but change the "isCA" basic constraint.
+  # It should not be trusted to act as a CA.
+  badconstraints = ca.create_cacert('Test CA')[:cert]
+  badconstraints.public_key = ca.ca_cert.public_key
+  badconstraints.extensions = []
+  ca.ca_cert.extensions.each do |ext|
+    if ext.oid == 'basicConstraints'
+      ef = OpenSSL::X509::ExtensionFactory.new
+      badconstraints.add_extension(ef.create_extension("basicConstraints","CA:FALSE", true))
+    else
+      badconstraints.add_extension(ext)
+    end
+  end
+  badconstraints.sign(ca.key, OpenSSL::Digest::SHA256.new)
+  save(dir, 'bad-basic-constraints.pem', badconstraints)
+
+  # Same as above, but create a new intermediate CA
+  badintconstraints = inter[:cert].dup
+  badintconstraints.public_key = inter[:cert].public_key
+  badintconstraints.extensions = []
+  inter[:cert].extensions.each do |ext|
+    if ext.oid == 'basicConstraints'
+      ef = OpenSSL::X509::ExtensionFactory.new
+      badintconstraints.add_extension(ef.create_extension("basicConstraints","CA:FALSE", true))
+    else
+      badintconstraints.add_extension(ext)
+    end
+  end
+  badintconstraints.sign(ca.key, OpenSSL::Digest::SHA256.new)
+  save(dir, 'bad-int-basic-constraints.pem', badintconstraints)
+
+  # Create a request, but replace its public key after it's signed
+  tampered_csr = ca.create_request('signed')[:csr]
+  tampered_csr.public_key = OpenSSL::PKey::RSA.new(1024).public_key
+  save(dir, 'tampered-csr.pem', tampered_csr)
+
+  # Create a cert issued from the real intermediate CA, but replace its
+  # public key
+  tampered_cert = ca.create_cert('signed', inter[:cert], inter[:private_key])[:cert]
+  tampered_cert.public_key = OpenSSL::PKey::RSA.new(1024).public_key
+  save(dir, 'tampered-cert.pem', tampered_cert)
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet
 version: !ruby/object:Gem::Version
-  version: 6.3.0
+  version: 6.4.0
 platform: ruby
 authors:
 - Puppet Labs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-02-18 00:00:00.000000000 Z
+date: 2019-03-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -141,6 +141,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- CODEOWNERS
 - CODE_OF_CONDUCT.md
 - COMMITTERS.md
 - CONTRIBUTING.md
@@ -148,7 +149,6 @@ files:
 - Gemfile.lock
 - Guardfile.example
 - LICENSE
-- MAINTAINERS
 - README.md
 - Rakefile
 - bin/puppet
@@ -422,6 +422,7 @@ files:
 - lib/puppet/file_serving/terminus_selector.rb
 - lib/puppet/file_system.rb
 - lib/puppet/file_system/file_impl.rb
+- lib/puppet/file_system/jruby.rb
 - lib/puppet/file_system/memory_file.rb
 - lib/puppet/file_system/memory_impl.rb
 - lib/puppet/file_system/path_pattern.rb
@@ -670,6 +671,7 @@ files:
 - lib/puppet/network/http/api/master/v3/authorization.rb
 - lib/puppet/network/http/api/master/v3/environment.rb
 - lib/puppet/network/http/api/master/v3/environments.rb
+- lib/puppet/network/http/base_pool.rb
 - lib/puppet/network/http/compression.rb
 - lib/puppet/network/http/connection.rb
 - lib/puppet/network/http/error.rb
@@ -824,6 +826,7 @@ files:
 - lib/puppet/pops/loader/base_loader.rb
 - lib/puppet/pops/loader/dependency_loader.rb
 - lib/puppet/pops/loader/gem_support.rb
+- lib/puppet/pops/loader/generic_plan_instantiator.rb
 - lib/puppet/pops/loader/loader.rb
 - lib/puppet/pops/loader/loader_paths.rb
 - lib/puppet/pops/loader/module_loaders.rb
@@ -1081,7 +1084,6 @@ files:
 - lib/puppet/rest/response.rb
 - lib/puppet/rest/route.rb
 - lib/puppet/rest/routes.rb
-- lib/puppet/rest/ssl_context.rb
 - lib/puppet/scheduler.rb
 - lib/puppet/scheduler/job.rb
 - lib/puppet/scheduler/scheduler.rb
@@ -1117,12 +1119,18 @@ files:
 - lib/puppet/ssl/certificate_request_attributes.rb
 - lib/puppet/ssl/certificate_signer.rb
 - lib/puppet/ssl/digest.rb
+- lib/puppet/ssl/error.rb
 - lib/puppet/ssl/host.rb
 - lib/puppet/ssl/key.rb
 - lib/puppet/ssl/oids.rb
+- lib/puppet/ssl/ssl_context.rb
+- lib/puppet/ssl/ssl_provider.rb
+- lib/puppet/ssl/state_machine.rb
 - lib/puppet/ssl/validator.rb
 - lib/puppet/ssl/validator/default_validator.rb
 - lib/puppet/ssl/validator/no_validator.rb
+- lib/puppet/ssl/verifier.rb
+- lib/puppet/ssl/verifier_adapter.rb
 - lib/puppet/status.rb
 - lib/puppet/syntax_checkers.rb
 - lib/puppet/syntax_checkers/base64.rb
@@ -1303,6 +1311,9 @@ files:
 - lib/puppet/vendor/pathspec/lib/pathspec/spec.rb
 - lib/puppet/vendor/require_vendored.rb
 - lib/puppet/version.rb
+- lib/puppet/x509.rb
+- lib/puppet/x509/cert_provider.rb
+- lib/puppet/x509/pem_store.rb
 - lib/puppet_pal.rb
 - lib/puppet_x.rb
 - locales/config.yaml
@@ -1367,6 +1378,28 @@ files:
 - spec/fixtures/releases/jamtur01-apache/tests/php.pp
 - spec/fixtures/releases/jamtur01-apache/tests/ssl.pp
 - spec/fixtures/releases/jamtur01-apache/tests/vhost.pp
+- spec/fixtures/ssl/127.0.0.1-key.pem
+- spec/fixtures/ssl/127.0.0.1.pem
+- spec/fixtures/ssl/bad-basic-constraints.pem
+- spec/fixtures/ssl/bad-int-basic-constraints.pem
+- spec/fixtures/ssl/ca.pem
+- spec/fixtures/ssl/crl.pem
+- spec/fixtures/ssl/encrypted-key.pem
+- spec/fixtures/ssl/intermediate-agent-crl.pem
+- spec/fixtures/ssl/intermediate-agent.pem
+- spec/fixtures/ssl/intermediate-crl.pem
+- spec/fixtures/ssl/intermediate.pem
+- spec/fixtures/ssl/netlock-arany-utf8.pem
+- spec/fixtures/ssl/pluto-key.pem
+- spec/fixtures/ssl/pluto.pem
+- spec/fixtures/ssl/request-key.pem
+- spec/fixtures/ssl/request.pem
+- spec/fixtures/ssl/revoked-key.pem
+- spec/fixtures/ssl/revoked.pem
+- spec/fixtures/ssl/signed-key.pem
+- spec/fixtures/ssl/signed.pem
+- spec/fixtures/ssl/tampered-cert.pem
+- spec/fixtures/ssl/tampered-csr.pem
 - spec/fixtures/stdlib.tgz
 - spec/fixtures/unit/application/environments/production/data/common.yaml
 - spec/fixtures/unit/application/environments/production/environment.conf
@@ -1726,6 +1759,7 @@ files:
 - spec/integration/network/authconfig_spec.rb
 - spec/integration/network/formats_spec.rb
 - spec/integration/network/http/api/indirected_routes_spec.rb
+- spec/integration/network/http_pool_spec.rb
 - spec/integration/node/environment_spec.rb
 - spec/integration/node/facts_spec.rb
 - spec/integration/node_spec.rb
@@ -1743,6 +1777,7 @@ files:
 - spec/integration/parser/scope_spec.rb
 - spec/integration/parser/script_compiler_spec.rb
 - spec/integration/parser/undef_param_spec.rb
+- spec/integration/provider/file/windows_spec.rb
 - spec/integration/provider/service/init_spec.rb
 - spec/integration/provider/service/systemd_spec.rb
 - spec/integration/provider/service/windows_spec.rb
@@ -1750,6 +1785,7 @@ files:
 - spec/integration/reports_spec.rb
 - spec/integration/resource/catalog_spec.rb
 - spec/integration/resource/type_collection_spec.rb
+- spec/integration/rest/client_spec.rb
 - spec/integration/ssl/certificate_request_spec.rb
 - spec/integration/ssl/host_spec.rb
 - spec/integration/ssl/key_spec.rb
@@ -1798,6 +1834,7 @@ files:
 - spec/lib/puppet_spec/files.rb
 - spec/lib/puppet_spec/fixtures.rb
 - spec/lib/puppet_spec/handler.rb
+- spec/lib/puppet_spec/https.rb
 - spec/lib/puppet_spec/language.rb
 - spec/lib/puppet_spec/matchers.rb
 - spec/lib/puppet_spec/module_tool/shared_functions.rb
@@ -2388,7 +2425,10 @@ files:
 - spec/unit/ssl/host_spec.rb
 - spec/unit/ssl/key_spec.rb
 - spec/unit/ssl/oids_spec.rb
+- spec/unit/ssl/ssl_provider_spec.rb
+- spec/unit/ssl/state_machine_spec.rb
 - spec/unit/ssl/validator_spec.rb
+- spec/unit/ssl/verifier_spec.rb
 - spec/unit/status_spec.rb
 - spec/unit/task_spec.rb
 - spec/unit/transaction/additional_resource_generator_spec.rb
@@ -2503,10 +2543,13 @@ files:
 - spec/unit/util/yaml_spec.rb
 - spec/unit/util_spec.rb
 - spec/unit/version_spec.rb
+- spec/unit/x509/cert_provider_spec.rb
+- spec/unit/x509/pem_store_spec.rb
 - tasks/benchmark.rake
 - tasks/cfpropertylist.rake
 - tasks/ci.rake
 - tasks/generate_ast_model.rake
+- tasks/generate_cert_fixtures.rake
 - tasks/manpages.rake
 - tasks/memwalk.rake
 - tasks/parallel.rake
@@ -2573,6 +2616,28 @@ test_files:
 - spec/fixtures/releases/jamtur01-apache/tests/php.pp
 - spec/fixtures/releases/jamtur01-apache/tests/ssl.pp
 - spec/fixtures/releases/jamtur01-apache/tests/vhost.pp
+- spec/fixtures/ssl/127.0.0.1-key.pem
+- spec/fixtures/ssl/127.0.0.1.pem
+- spec/fixtures/ssl/bad-basic-constraints.pem
+- spec/fixtures/ssl/bad-int-basic-constraints.pem
+- spec/fixtures/ssl/ca.pem
+- spec/fixtures/ssl/crl.pem
+- spec/fixtures/ssl/encrypted-key.pem
+- spec/fixtures/ssl/intermediate-agent-crl.pem
+- spec/fixtures/ssl/intermediate-agent.pem
+- spec/fixtures/ssl/intermediate-crl.pem
+- spec/fixtures/ssl/intermediate.pem
+- spec/fixtures/ssl/netlock-arany-utf8.pem
+- spec/fixtures/ssl/pluto-key.pem
+- spec/fixtures/ssl/pluto.pem
+- spec/fixtures/ssl/request-key.pem
+- spec/fixtures/ssl/request.pem
+- spec/fixtures/ssl/revoked-key.pem
+- spec/fixtures/ssl/revoked.pem
+- spec/fixtures/ssl/signed-key.pem
+- spec/fixtures/ssl/signed.pem
+- spec/fixtures/ssl/tampered-cert.pem
+- spec/fixtures/ssl/tampered-csr.pem
 - spec/fixtures/stdlib.tgz
 - spec/fixtures/unit/application/environments/production/data/common.yaml
 - spec/fixtures/unit/application/environments/production/environment.conf
@@ -2932,6 +2997,7 @@ test_files:
 - spec/integration/network/authconfig_spec.rb
 - spec/integration/network/formats_spec.rb
 - spec/integration/network/http/api/indirected_routes_spec.rb
+- spec/integration/network/http_pool_spec.rb
 - spec/integration/node/environment_spec.rb
 - spec/integration/node/facts_spec.rb
 - spec/integration/node_spec.rb
@@ -2949,6 +3015,7 @@ test_files:
 - spec/integration/parser/scope_spec.rb
 - spec/integration/parser/script_compiler_spec.rb
 - spec/integration/parser/undef_param_spec.rb
+- spec/integration/provider/file/windows_spec.rb
 - spec/integration/provider/service/init_spec.rb
 - spec/integration/provider/service/systemd_spec.rb
 - spec/integration/provider/service/windows_spec.rb
@@ -2956,6 +3023,7 @@ test_files:
 - spec/integration/reports_spec.rb
 - spec/integration/resource/catalog_spec.rb
 - spec/integration/resource/type_collection_spec.rb
+- spec/integration/rest/client_spec.rb
 - spec/integration/ssl/certificate_request_spec.rb
 - spec/integration/ssl/host_spec.rb
 - spec/integration/ssl/key_spec.rb
@@ -3004,6 +3072,7 @@ test_files:
 - spec/lib/puppet_spec/files.rb
 - spec/lib/puppet_spec/fixtures.rb
 - spec/lib/puppet_spec/handler.rb
+- spec/lib/puppet_spec/https.rb
 - spec/lib/puppet_spec/language.rb
 - spec/lib/puppet_spec/matchers.rb
 - spec/lib/puppet_spec/module_tool/shared_functions.rb
@@ -3594,7 +3663,10 @@ test_files:
 - spec/unit/ssl/host_spec.rb
 - spec/unit/ssl/key_spec.rb
 - spec/unit/ssl/oids_spec.rb
+- spec/unit/ssl/ssl_provider_spec.rb
+- spec/unit/ssl/state_machine_spec.rb
 - spec/unit/ssl/validator_spec.rb
+- spec/unit/ssl/verifier_spec.rb
 - spec/unit/status_spec.rb
 - spec/unit/task_spec.rb
 - spec/unit/transaction/additional_resource_generator_spec.rb
@@ -3709,3 +3781,5 @@ test_files:
 - spec/unit/util/yaml_spec.rb
 - spec/unit/util_spec.rb
 - spec/unit/version_spec.rb
+- spec/unit/x509/cert_provider_spec.rb
+- spec/unit/x509/pem_store_spec.rb