r509-ca-http 0.1

data/lib/r509/certificateauthority/http/views/test_revoke.erb

@@ -0,0 +1,31 @@
+<html>
+<head>
+    <title>Revoke</title>
+</head>
+<body>
+
+<h1>Revoke a certificate</h1>
+
+<form method="post" action="/1/certificate/revoke/">
+    <p>
+        CA:
+        <br />
+        <input type="text" name="ca" />
+    </p>
+    <p>
+        Serial:
+        <br />
+        <input type="text" name="serial" />
+    </p>
+    <p>
+        Reason:
+        <br />
+        <input type="text" name="reason" value="0" />
+    </p>
+    <p>
+        <input type="submit" value="Revoke" />
+    </p>
+</form>
+
+</body>
+</html>

data/lib/r509/certificateauthority/http/views/test_unrevoke.erb

@@ -0,0 +1,26 @@
+<html>
+<head>
+    <title>Unrevoke</title>
+</head>
+<body>
+
+<h1>Unrevoke a certificate</h1>
+
+<form method="post" action="/1/certificate/unrevoke/">
+    <p>
+        CA:
+        <br />
+        <input type="text" name="ca" />
+    </p>
+    <p>
+        Serial:
+        <br />
+        <input type="text" name="serial" />
+    </p>
+    <p>
+        <input type="submit" value="Unrevoke" />
+    </p>
+</form>
+
+</body>
+</html>

data/spec/fixtures/test_ca.cer

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjzCCAnegAwIBAgIJAP/ZxwuHN9GUMA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEYMBYG
+A1UECgwPUnVieSBDQSBQcm9qZWN0MRAwDgYDVQQDDAdUZXN0IENBMB4XDTExMDIy
+MDIwNDkxMloXDTMwMDQyMTIwNDkxMlowXjELMAkGA1UEBhMCVVMxETAPBgNVBAgM
+CElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMRgwFgYDVQQKDA9SdWJ5IENBIFBy
+b2plY3QxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCot8/z3jxARkwyRk0csM84dlWs91W95wPpunx3P3otqUxCJaOAyQl/
+uY8deg0xDmsime2JQ6aG6m76y3LfT4J1tlkhtmiGKhNJir1kgL8sL0wTXYXvwZEw
+qEEYD5mKi7Na9eo4R0ydqd9KAquVIhKywXvV1+Y4RDTx+f1WXmMCBaYZ76/rXmIe
+oE0avriRiihOtlgto+VNJw7VRnvq+cEd81BT62wRk1fG1lcpCqTEfEtKEI6PqqZh
+E2f+6lNmhZZ3Tj7NeNgYQLd4q+L1y030Vj4onpAIJrwfQq3dxTmrLDqnN2WOFsbo
+0qGh3s4yqUaOYd2wIBgCp7fEf5X/yh53AgMBAAGjUDBOMB0GA1UdDgQWBBR5dbuE
+Osss3noJvjEbQ7wcKk1TWDAfBgNVHSMEGDAWgBR5dbuEOsss3noJvjEbQ7wcKk1T
+WDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAp/Fh+WWjN7x/SZzMm
+H1INAS4loufHXzkqI+3bClAzlhzpBVbY7dHwD6H8oKh06EtppbN0Bw3iqXSRyoNd
++lDXccPij5dCuTFQ97DOrv7kGlhiM95XVkx4mvnd+i6jKwgOpllgDE/nKOwC42bq
+lIikcp7XLQUPt7amyX9UeJ8lxQ/niSkT868ls2IZQkF3XEhCi+5VlefEoaiMQZmD
+RyEd/vlsSnpXI5LLpkFq+NFGvgdI7+UADNIyDplyivD4VyQ6+zisX3r1ojroa6Y+
+WyXxLx+AVJVnGjngr2fDKr4ggsYWlJEs8lJ0r90jliYrSPA6rIldTbs3k9AbUp8G
+kS6X
+-----END CERTIFICATE-----

data/spec/fixtures/test_ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCot8/z3jxARkwy
+Rk0csM84dlWs91W95wPpunx3P3otqUxCJaOAyQl/uY8deg0xDmsime2JQ6aG6m76
+y3LfT4J1tlkhtmiGKhNJir1kgL8sL0wTXYXvwZEwqEEYD5mKi7Na9eo4R0ydqd9K
+AquVIhKywXvV1+Y4RDTx+f1WXmMCBaYZ76/rXmIeoE0avriRiihOtlgto+VNJw7V
+Rnvq+cEd81BT62wRk1fG1lcpCqTEfEtKEI6PqqZhE2f+6lNmhZZ3Tj7NeNgYQLd4
+q+L1y030Vj4onpAIJrwfQq3dxTmrLDqnN2WOFsbo0qGh3s4yqUaOYd2wIBgCp7fE
+f5X/yh53AgMBAAECggEAMlRS5m6fDpVp2X17N1nPFwrF2AkYPMQTOL/2rSP0cHaW
+Vw0fTyWpfb5+4M4t7Tpd3z6Hy3Cw1oJMhOf35oGzayXwRMxDNfKLOl72zGpTnPym
+9wfpEnJtu1QVxvWwWdH+uN2u9wbd5hJsl4lgYeZ+KXDqXgo/lP1TxfNLDV6urkVA
+wsR5URtG2ddOTOUjhUvizWPt1QCVE6Z5YVe9haTtQ4EtLjPywd8LB01AXRkvLIlL
+2XpL/EeuzF8GLd3GRMjEwgnT7WWBLHe7zIZqsRVx318Pu+WoWRFXUbKxrwH05tUV
+kx9Gh//L01uNwGx7qHSyJxTmYibjJXQAyQqVpPY4oQKBgQDgTbRVX65AEj5x8J3A
+1UEBDZE6ZQL/AnM+yPZGFSTfM04ebLUKyeIDvoSUxrbWMSf8JJwU1OCA+zJiXSld
+0BNBwd/irr9aglEuOBx6ITJypaKtehR5TtZGWsrvJT9f7IZ5Tc29gC0wiKNOqQ09
+O4J7/tvk2j4viAawGHSlRvJDnwKBgQDAj0X1kLwaH+QlVHU9QyRbK8qJsouot8Km
+BEjkZQ4D+7BQ/3mfFszJ/AG6tMA6FgikskyEics7XrtNYPZOGZ1xxKpi1an6o8cm
+GKUavZnkR5eHNwUEl2c9V5lNMbtAbCbIz30sCBFluicw37M2O8n38xTDSnXcRTbN
+n3rqpu52KQKBgE3MRc8Sx7JrYYNNjLnUfZ5q4UNaw8ZFSEmvlFPMg6Ry/BZraAPc
+7+qSixO7NLFoDVFUNVq4V0IFXn1liLKEOBmnsArEx5QR/SxFxALMPt4q+ximbjGB
+Gar/VMHLroaL2Dx8su6WZZYe3l2rHu9tE54EUKq407bSvFcZtGObDu5LAoGAfxmS
+ueYQ4sWOF73JrOg2hR9AjucVHAY/KsnFO0wglix5Ut1ub73i6qe2lIBeKXkFt4Ag
+1ZMGXGfJBegsa5youcFwHdCeY9vaxaCayi2/+FfxAsUkQMWW1XyOqc9bo8g/SWj7
+XCbvJNBcsfvWFMQeKdV/LPBnHz9oTw0nWt9YoxECgYAA9f2l6btaIV2JuDEzR8LK
+8MjXZMwmg9pEiUT0DsiiVIkJDsHdb2i54DhkfEKxi+ZDTO8AoFpqc4GTwobQHgPk
+N6Qa+wvig8SAWTS0dbPq2usvmx8cOiuqbn88VVl9jmFT6WTRJzNVRgVMM8xwl3uS
+odNmWsnOyWhM8h5LMVNb5w==
+-----END PRIVATE KEY-----

data/spec/fixtures/test_config.yaml

@@ -0,0 +1,18 @@
+certificate_authorities: {
+    test_ca: {
+        ca_cert: {
+            cert: "test_ca.cer",
+            key: "test_ca.key"
+        },
+        cdp_location: 'URI:http://crl.domain.com/test_ca.crl',
+        message_digest: 'SHA1', #SHA1, SHA256, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
+        profiles: {
+            server: {
+                basic_constraints: "CA:FALSE",
+                key_usage: [digitalSignature,keyEncipherment],
+                extended_key_usage: [serverAuth],
+                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.1", "CPS.1=http://example.com/cps"] ]
+            }
+        }
+    }
+}

data/spec/http_spec.rb

@@ -0,0 +1,250 @@
+require File.dirname(__FILE__) + '/spec_helper'
+require "openssl"
+
+describe R509::CertificateAuthority::Http::Server do
+    before :all do
+        #config_pool registry is in spec_helper because we need to register it
+        #BEFORE we include r509-ca-http
+        Dependo::Registry[:log] = Logger.new(nil)
+    end
+
+    before :each do
+        @crls = { "test_ca" => double("crl") }
+        @certificate_authorities = { "test_ca" => double("test_ca") }
+        @subject_parser = double("subject parser")
+        @validity_period_converter = double("validity period converter")
+        @csr_factory = double("csr factory")
+        @spki_factory = double("spki factory")
+    end
+
+    def app
+        @app ||= R509::CertificateAuthority::Http::Server
+        @app.send(:set, :crls, @crls)
+        @app.send(:set, :certificate_authorities, @certificate_authorities)
+        @app.send(:set, :subject_parser, @subject_parser)
+        @app.send(:set, :validity_period_converter, @validity_period_converter)
+        @app.send(:set, :csr_factory, @csr_factory)
+        @app.send(:set, :spki_factory, @spki_factory)
+    end
+
+    context "get CRL" do
+        it "gets the CRL" do
+            @crls["test_ca"].should_receive(:to_pem).and_return("generated crl")
+            get "/1/crl/test_ca/get"
+            last_response.should be_ok
+            last_response.content_type.should match /text\/plain/
+            last_response.body.should == "generated crl"
+        end
+        it "when CA is not found" do
+            get "/1/crl/bogus/get/"
+            last_response.status.should == 500
+            last_response.body.should == "#<ArgumentError: CA not found>"
+        end
+    end
+
+    context "generate CRL" do
+        it "generates the CRL" do
+            @crls["test_ca"].should_receive(:generate_crl).and_return("generated crl")
+            get "/1/crl/test_ca/generate"
+            last_response.should be_ok
+            last_response.body.should == "generated crl"
+        end
+        it "when CA is not found" do
+            get "/1/crl/bogus/generate/"
+            last_response.status.should == 500
+            last_response.body.should == "#<ArgumentError: CA not found>"
+        end
+    end
+
+    context "issue certificate" do
+        it "when no parameters are given" do
+            post "/1/certificate/issue"
+            last_response.should_not be_ok
+            last_response.body.should == "#<ArgumentError: Must provide a CA>"
+        end
+        it "when there's a profile, subject, CSR, validity period, but no ca" do
+            post "/1/certificate/issue", "profile" => "my profile", "subject" => "subject", "csr" => "my csr", "validityPeriod" => 365
+            last_response.should_not be_ok
+            last_response.body.should == "#<ArgumentError: Must provide a CA>"
+        end
+        it "when there's a ca, profile, subject, CSR, but no validity period" do
+            post "/1/certificate/issue", "ca" => "test_ca", "profile" => "my profile", "subject" => "subject", "csr" => "my csr"
+            last_response.should_not be_ok
+            last_response.body.should == "#<ArgumentError: Must provide a validity period>"
+        end
+        it "when there's a ca, profile, subject, validity period, but no CSR" do
+            post "/1/certificate/issue", "ca" => "test_ca", "profile" => "my profile", "subject" => "subject", "validityPeriod" => 365
+            last_response.should_not be_ok
+            last_response.body.should == "#<ArgumentError: Must provide a CSR or SPKI>"
+        end
+        it "when there's a ca, profile, CSR, validity period, but no subject" do
+            @subject_parser.should_receive(:parse).with(anything, "subject").and_return(R509::Subject.new)
+            post "/1/certificate/issue", "ca" => "test_ca", "profile" => "profile", "validityPeriod" => 365, "csr" => "csr"
+            last_response.should_not be_ok
+            last_response.body.should == "#<ArgumentError: Must provide a subject>"
+        end
+        it "when there's a ca, subject, CSR, validity period, but no profile" do
+            post "/1/certificate/issue", "ca" => "test_ca", "subject" => "subject", "validityPeriod" => 365, "csr" => "csr"
+            last_response.should_not be_ok
+            last_response.body.should == "#<ArgumentError: Must provide a CA profile>"
+        end
+        it "when the given CA is not found" do
+            post "/1/certificate/issue", "ca" => "some bogus CA"
+            last_response.should_not be_ok
+            last_response.body.should == "#<ArgumentError: CA not found>"
+        end
+        it "fails to issue" do
+            csr = double("csr")
+            @csr_factory.should_receive(:build).with({:csr => "csr"}).and_return(csr)
+            @validity_period_converter.should_receive(:convert).with("365").and_return({:not_before => 1, :not_after => 2})
+            subject = R509::Subject.new [["CN", "domain.com"]]
+            @subject_parser.should_receive(:parse).with(anything, "subject").and_return(subject)
+            @certificate_authorities["test_ca"].should_receive(:sign).with(:csr => csr, :profile_name => "profile", :data_hash => {:subject => subject, :san_names => []}, :not_before => 1, :not_after => 2).and_raise(R509::R509Error.new("failed to issue because of: good reason"))
+
+            post "/1/certificate/issue", "ca" => "test_ca", "profile" => "profile", "subject" => "subject", "validityPeriod" => 365, "csr" => "csr"
+            last_response.should_not be_ok
+            last_response.body.should == "#<R509::R509Error: failed to issue because of: good reason>"
+        end
+        it "issues a CSR with no SAN extensions" do
+            csr = double("csr")
+            @csr_factory.should_receive(:build).with(:csr => "csr").and_return(csr)
+            @validity_period_converter.should_receive(:convert).with("365").and_return({:not_before => 1, :not_after => 2})
+            subject = R509::Subject.new [["CN", "domain.com"]]
+            @subject_parser.should_receive(:parse).with(anything, "subject").and_return(subject)
+            cert = double("cert")
+            @certificate_authorities["test_ca"].should_receive(:sign).with(:csr => csr, :profile_name => "profile", :data_hash => {:subject => subject, :san_names => []}, :not_before => 1, :not_after => 2).and_return(cert)
+            cert.should_receive(:to_pem).and_return("signed cert")
+
+            post "/1/certificate/issue", "ca" => "test_ca", "profile" => "profile", "subject" => "subject", "validityPeriod" => 365, "csr" => "csr"
+            last_response.should be_ok
+            last_response.body.should == "signed cert"
+        end
+        it "issues a CSR with SAN extensions" do
+            csr = double("csr")
+            @csr_factory.should_receive(:build).with(:csr => "csr").and_return(csr)
+            @validity_period_converter.should_receive(:convert).with("365").and_return({:not_before => 1, :not_after => 2})
+            subject = R509::Subject.new [["CN", "domain.com"]]
+            @subject_parser.should_receive(:parse).with(anything, "subject").and_return(subject)
+            cert = double("cert")
+            @certificate_authorities["test_ca"].should_receive(:sign).with(:csr => csr, :profile_name => "profile", :data_hash => {:subject => subject, :san_names => ["domain1.com", "domain2.com"]}, :not_before => 1, :not_after => 2).and_return(cert)
+            cert.should_receive(:to_pem).and_return("signed cert")
+
+            post "/1/certificate/issue", "ca" => "test_ca", "profile" => "profile", "subject" => "subject", "validityPeriod" => 365, "csr" => "csr", "extensions[subjectAlternativeName][]" => ["domain1.com","domain2.com"]
+            last_response.should be_ok
+            last_response.body.should == "signed cert"
+        end
+        it "issues an SPKI without SAN extensions" do
+            @validity_period_converter.should_receive(:convert).with("365").and_return({:not_before => 1, :not_after => 2})
+            subject = R509::Subject.new [["CN", "domain.com"]]
+            @subject_parser.should_receive(:parse).with(anything, "subject").and_return(subject)
+            spki = double("spki")
+            @spki_factory.should_receive(:build).with(:spki => "spki", :subject => subject).and_return(spki)
+            cert = double("cert")
+            @certificate_authorities["test_ca"].should_receive(:sign).with(:spki => spki, :profile_name => "profile", :data_hash => {:subject => subject, :san_names => []}, :not_before => 1, :not_after => 2).and_return(cert)
+            cert.should_receive(:to_pem).and_return("signed cert")
+
+            post "/1/certificate/issue", "ca" => "test_ca", "profile" => "profile", "subject" => "subject", "validityPeriod" => 365, "spki" => "spki"
+            last_response.should be_ok
+            last_response.body.should == "signed cert"
+        end
+        it "issues an SPKI with SAN extensions" do
+            @validity_period_converter.should_receive(:convert).with("365").and_return({:not_before => 1, :not_after => 2})
+            subject = R509::Subject.new [["CN", "domain.com"]]
+            @subject_parser.should_receive(:parse).with(anything, "subject").and_return(subject)
+            spki = double("spki")
+            @spki_factory.should_receive(:build).with(:spki => "spki", :subject => subject).and_return(spki)
+            cert = double("cert")
+            @certificate_authorities["test_ca"].should_receive(:sign).with(:spki => spki, :profile_name => "profile", :data_hash => {:subject => subject, :san_names => ["domain1.com", "domain2.com"]}, :not_before => 1, :not_after => 2).and_return(cert)
+            cert.should_receive(:to_pem).and_return("signed cert")
+
+            post "/1/certificate/issue", "ca" => "test_ca", "profile" => "profile", "subject" => "subject", "validityPeriod" => 365, "spki" => "spki", "extensions[subjectAlternativeName][]" => ["domain1.com","domain2.com"]
+            last_response.should be_ok
+            last_response.body.should == "signed cert"
+        end
+        it "when there are empty SAN names" do
+            csr = double("csr")
+            @csr_factory.should_receive(:build).with(:csr => "csr").and_return(csr)
+            @validity_period_converter.should_receive(:convert).with("365").and_return({:not_before => 1, :not_after => 2})
+            subject = R509::Subject.new [["CN", "domain.com"]]
+            @subject_parser.should_receive(:parse).with(anything, "subject").and_return(subject)
+            cert = double("cert")
+            @certificate_authorities["test_ca"].should_receive(:sign).with(:csr => csr, :profile_name => "profile", :data_hash => {:subject => subject, :san_names => ["domain1.com", "domain2.com"]}, :not_before => 1, :not_after => 2).and_return(cert)
+            cert.should_receive(:to_pem).and_return("signed cert")
+
+            post "/1/certificate/issue", "ca" => "test_ca", "profile" => "profile", "subject" => "subject", "validityPeriod" => 365, "csr" => "csr", "extensions[subjectAlternativeName][]" => ["domain1.com","domain2.com","",""]
+            last_response.should be_ok
+            last_response.body.should == "signed cert"
+        end
+    end
+
+    context "revoke certificate" do
+        it "when no CA is given" do
+            post "/1/certificate/revoke", "serial" => "foo"
+            last_response.status.should == 500
+            last_response.body.should == "#<ArgumentError: CA must be provided>"
+        end
+        it "when CA is not found" do
+            post "/1/certificate/revoke", "ca" => "bogus ca name", "serial" => "foo"
+            last_response.status.should == 500
+            last_response.body.should == "#<ArgumentError: CA not found>"
+        end
+        it "when no serial is given" do
+            post "/1/certificate/revoke", "ca" => "test_ca"
+            last_response.should_not be_ok
+            last_response.body.should == "#<ArgumentError: Serial must be provided>"
+        end
+        it "when serial is given but not reason" do
+            @crls["test_ca"].should_receive(:revoke_cert).with(12345, 0).and_return(nil)
+            @crls["test_ca"].should_receive(:to_pem).and_return("generated crl")
+            post "/1/certificate/revoke", "ca" => "test_ca", "serial" => "12345"
+            last_response.should be_ok
+            last_response.body.should == "generated crl"
+        end
+        it "when serial and reason are given" do
+            @crls["test_ca"].should_receive(:revoke_cert).with(12345, 1).and_return(nil)
+            @crls["test_ca"].should_receive(:to_pem).and_return("generated crl")
+            post "/1/certificate/revoke", "ca" => "test_ca", "serial" => "12345", "reason" => "1"
+            last_response.should be_ok
+            last_response.body.should == "generated crl"
+        end
+        it "when serial is not an integer" do
+            @crls["test_ca"].should_receive(:revoke_cert).with(0, 0).and_raise(R509::R509Error.new("some r509 error"))
+            post "/1/certificate/revoke", "ca" => "test_ca", "serial" => "foo"
+            last_response.should_not be_ok
+            last_response.body.should == "#<R509::R509Error: some r509 error>"
+        end
+        it "when reason is not an integer" do
+            @crls["test_ca"].should_receive(:revoke_cert).with(12345, 0).and_return(nil)
+            @crls["test_ca"].should_receive(:to_pem).and_return("generated crl")
+            post "/1/certificate/revoke", "ca" => "test_ca", "serial" => "12345", "reason" => "foo"
+            last_response.should be_ok
+            last_response.body.should == "generated crl"
+        end
+    end
+
+    context "unrevoke certificate" do
+        it "when no CA is given" do
+            post "/1/certificate/unrevoke", "serial" => "foo"
+            last_response.status.should == 500
+            last_response.body.should == "#<ArgumentError: CA must be provided>"
+        end
+        it "when CA is not found" do
+            post "/1/certificate/unrevoke", "ca" => "bogus ca", "serial" => "foo"
+            last_response.status.should == 500
+            last_response.body.should == "#<ArgumentError: CA not found>"
+        end
+        it "when no serial is given" do
+            post "/1/certificate/unrevoke", "ca" => "test_ca"
+            last_response.should_not be_ok
+            last_response.body.should == "#<ArgumentError: Serial must be provided>"
+        end
+        it "when serial is given" do
+            @crls["test_ca"].should_receive(:unrevoke_cert).with(12345).and_return(nil)
+            @crls["test_ca"].should_receive(:to_pem).and_return("generated crl")
+            post "/1/certificate/unrevoke", "ca" => "test_ca", "serial" => "12345"
+            last_response.should be_ok
+            last_response.body.should == "generated crl"
+        end
+    end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,22 @@
+if (RUBY_VERSION.split('.')[1].to_i > 8)
+    require 'simplecov'
+    SimpleCov.start
+end
+
+$:.unshift File.expand_path("../../lib", __FILE__)
+$:.unshift File.expand_path("../", __FILE__)
+require 'rubygems'
+#require 'fixtures'
+require 'rspec'
+require 'rack/test'
+require 'r509'
+require 'dependo'
+require 'logger'
+
+Dependo::Registry[:config_pool] = R509::Config::CaConfigPool.from_yaml("certificate_authorities", File.read(File.dirname(__FILE__)+"/fixtures/test_config.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+
+require 'r509/certificateauthority/http/server'
+
+RSpec.configure do |conf|
+  conf.include Rack::Test::Methods
+end

data/spec/subject_parser_spec.rb

@@ -0,0 +1,51 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+describe R509::CertificateAuthority::Http::SubjectParser do
+    before :all do
+        @parser = R509::CertificateAuthority::Http::SubjectParser.new
+    end
+
+    it "when the query string is nil" do
+        expect { @parser.parse(nil) }.to raise_error(ArgumentError, "Must provide a query string")
+    end
+    it "when the query string is empty" do
+        subject = @parser.parse("")
+        subject.empty?.should == true
+    end
+    it "when the query string doesn't contain any subject data" do
+        subject = @parser.parse("validityPeriod=1095&data=blahblah")
+        subject.empty?.should == true
+    end
+    it "when there is one subject component" do
+        subject = @parser.parse("validityPeriod=1095&subject[CN]=domain.com&data=blahblah")
+        subject.empty?.should == false
+        subject["CN"].should == "domain.com"
+    end
+    it "when there are three subject components should maintain order" do
+        subject = @parser.parse("validityPeriod=1095&subject[CN]=domain.com&subject[O]=org&subject[L]=locality&data=blahblah")
+        subject.empty?.should == false
+        subject["CN"].should == "domain.com"
+        subject["O"].should == "org"
+        subject["L"].should == "locality"
+        subject.to_s.should == "/CN=domain.com/O=org/L=locality"
+    end
+    it "when one of the subject components has an unknown key" do
+        expect { subject = @parser.parse("validityPeriod=1095&subject[CN]=domain.com&subject[NOTATHING]=org&subject[L]=locality&data=blahblah") }.to raise_error(OpenSSL::X509::NameError)
+    end
+    it "when one of the subject components is just an OID" do
+        subject = @parser.parse("validityPeriod=1095&subject[CN]=domain.com&subject[1.3.6.1.4.1.311.60.2.1.300]=org&subject[L]=locality&data=blahblah")
+        subject.empty?.should == false
+        subject["CN"].should == "domain.com"
+        subject["1.3.6.1.4.1.311.60.2.1.300"].should == "org"
+        subject["L"].should == "locality"
+        subject.to_s.should == "/CN=domain.com/1.3.6.1.4.1.311.60.2.1.300=org/L=locality"
+    end
+    it "when one of the subject components is an empty string" do
+        subject = @parser.parse("validityPeriod=1095&subject[CN]=domain.com&subject[O]=&subject[L]=locality&data=blahblah")
+        subject.empty?.should == false
+        subject["CN"].should == "domain.com"
+        subject["O"].should == nil
+        subject["L"].should == "locality"
+        subject.to_s.should == "/CN=domain.com/L=locality"
+    end
+end