r509-ocsp-responder 0.3.1 → 0.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README.md +112 -17
- data/doc/R509.html +6 -6
- data/doc/R509/Ocsp.html +10 -10
- data/doc/R509/Ocsp/Helper.html +9 -9
- data/doc/R509/Ocsp/Helper/RequestChecker.html +73 -73
- data/doc/R509/Ocsp/Helper/ResponseSigner.html +59 -59
- data/doc/R509/Ocsp/Responder.html +10 -10
- data/doc/R509/Ocsp/Responder/OcspConfig.html +31 -31
- data/doc/R509/Ocsp/Responder/Server.html +9 -9
- data/doc/R509/Ocsp/Responder/StatusError.html +9 -9
- data/doc/R509/Ocsp/Signer.html +36 -44
- data/doc/_index.html +23 -23
- data/doc/class_list.html +2 -2
- data/doc/css/style.css +10 -0
- data/doc/file.README.html +120 -28
- data/doc/file_list.html +1 -1
- data/doc/frames.html +1 -1
- data/doc/index.html +120 -28
- data/doc/js/full_list.js +6 -1
- data/doc/method_list.html +28 -56
- data/doc/top-level-namespace.html +5 -5
- data/lib/r509/ocsp/responder/ocsp-config.rb +27 -27
- data/lib/r509/ocsp/responder/server.rb +129 -131
- data/lib/r509/ocsp/responder/version.rb +4 -4
- data/lib/r509/ocsp/signer.rb +219 -219
- data/spec/fixtures.rb +145 -190
- data/spec/fixtures/test_ca_ec.cer +14 -0
- data/spec/fixtures/test_ca_ec.key +6 -0
- data/spec/server_spec.rb +405 -397
- data/spec/signer_spec.rb +262 -249
- data/spec/spec_helper.rb +2 -2
- metadata +10 -8
data/spec/signer_spec.rb
CHANGED
|
@@ -2,274 +2,287 @@ require 'spec_helper'
|
|
|
2
2
|
require 'r509/ocsp'
|
|
3
3
|
require 'openssl'
|
|
4
4
|
|
|
5
|
-
describe R509::
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
5
|
+
describe R509::OCSP::Signer do
|
|
6
|
+
before :all do
|
|
7
|
+
@cert = TestFixtures::CERT
|
|
8
|
+
@stca_cert = TestFixtures::STCA_CERT
|
|
9
|
+
@stca_ocsp_request = TestFixtures::STCA_OCSP_REQUEST
|
|
10
|
+
@ocsp_test_cert = TestFixtures::OCSP_TEST_CERT
|
|
11
|
+
@test_ca_config = TestFixtures.test_ca_config
|
|
12
|
+
@test_ca_ec_config = TestFixtures.test_ca_ec_config
|
|
13
|
+
@test_ca_subroot_config = TestFixtures.test_ca_subroot_config
|
|
14
|
+
@second_ca_config = TestFixtures.second_ca_config
|
|
15
|
+
@ocsp_delegate_config = R509::Config::CAConfig.from_yaml("ocsp_delegate_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
|
16
|
+
@ocsp_subroot_delegate_config = R509::Config::CAConfig.from_yaml("ocsp_subroot_delegate_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
|
17
|
+
@ocsp_chain_config = R509::Config::CAConfig.from_yaml("ocsp_chain_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
|
18
|
+
Dependo::Registry.clear
|
|
19
|
+
Dependo::Registry[:log] = Logger.new(nil)
|
|
19
20
|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
21
|
+
end
|
|
22
|
+
it "allows access to the validity checker object" do
|
|
23
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
|
|
24
|
+
ocsp_handler.validity_checker.kind_of?(R509::Validity::DefaultChecker).should == true
|
|
25
|
+
end
|
|
25
26
|
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
27
|
+
it "rejects ocsp requests from an unknown CA" do
|
|
28
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
|
|
29
|
+
request_response = ocsp_handler.handle_request(@stca_ocsp_request)
|
|
30
|
+
request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
|
|
31
|
+
end
|
|
32
|
+
it "rejects malformed OCSP requests" do
|
|
33
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
|
|
34
|
+
request_response = ocsp_handler.handle_request("notreallyanocsprequest")
|
|
35
|
+
request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST
|
|
36
|
+
end
|
|
37
|
+
it "responds successfully with an OCSP delegate" do
|
|
38
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @ocsp_delegate_config) )
|
|
39
|
+
csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
|
|
40
|
+
ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
|
|
41
|
+
cert = ca.sign(:csr => csr, :profile_name => 'server')
|
|
42
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
43
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
|
|
44
|
+
ocsp_request.add_certid(certid)
|
|
45
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
46
|
+
request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
|
|
47
|
+
request_response[:response].verify(@ocsp_delegate_config.ca_cert.cert).should == true
|
|
48
|
+
#TODO Better way to check whether we're adding the certs when signing the basic_response than response size...
|
|
49
|
+
request_response[:response].to_der.size.should >= 1500
|
|
50
|
+
request_response[:response].to_der.size.should <= 1800
|
|
51
|
+
end
|
|
52
|
+
it "responds successfully for a subroot (signing via subroot)" do
|
|
53
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_subroot_config) )
|
|
54
|
+
csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
|
|
55
|
+
ca = R509::CertificateAuthority::Signer.new(@test_ca_subroot_config)
|
|
56
|
+
cert = ca.sign(:csr => csr, :profile_name => 'server')
|
|
57
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
58
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_subroot_config.ca_cert.cert)
|
|
59
|
+
ocsp_request.add_certid(certid)
|
|
60
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
61
|
+
request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
|
|
62
|
+
request_response[:response].verify([@test_ca_subroot_config.ca_cert.cert,@test_ca_config.ca_cert.cert]).should == true
|
|
63
|
+
end
|
|
64
|
+
it "responds successfully for a subroot (signing via delegate)" do
|
|
65
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @ocsp_subroot_delegate_config) )
|
|
66
|
+
csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
|
|
67
|
+
ca = R509::CertificateAuthority::Signer.new(@test_ca_subroot_config)
|
|
68
|
+
cert = ca.sign(:csr => csr, :profile_name => 'server')
|
|
69
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
70
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_subroot_config.ca_cert.cert)
|
|
71
|
+
ocsp_request.add_certid(certid)
|
|
72
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
73
|
+
request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
|
|
74
|
+
request_response[:response].verify([@test_ca_subroot_config.ca_cert.cert,@test_ca_config.ca_cert.cert]).should == true
|
|
75
|
+
end
|
|
76
|
+
it "responds successfully with an OCSP chain" do
|
|
77
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @ocsp_chain_config) )
|
|
78
|
+
csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
|
|
79
|
+
ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
|
|
80
|
+
cert = ca.sign(:csr => csr, :profile_name => 'server')
|
|
81
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
82
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
|
|
83
|
+
ocsp_request.add_certid(certid)
|
|
84
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
85
|
+
request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
|
|
86
|
+
request_response[:response].verify(@ocsp_chain_config.ca_cert.cert).should == true
|
|
87
|
+
#TODO Better way to check whether we're adding the certs when signing the basic_response than response size...
|
|
88
|
+
request_response[:response].to_der.size.should >= 3600
|
|
89
|
+
request_response[:response].to_der.size.should <= 3900
|
|
90
|
+
end
|
|
91
|
+
it "responds successfully from the test_ca" do
|
|
92
|
+
csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
|
|
93
|
+
ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
|
|
94
|
+
cert = ca.sign(:csr => csr, :profile_name => 'server')
|
|
95
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
96
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
|
|
97
|
+
ocsp_request.add_certid(certid)
|
|
98
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
|
|
99
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
100
|
+
request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
|
|
101
|
+
request_response[:request].should_not be_nil
|
|
102
|
+
end
|
|
103
|
+
it "responds successfully from an elliptic curve CA" do
|
|
104
|
+
csr = R509::CSR.new( :subject => [['CN','ocspectest.r509.local']], :type => :ec )
|
|
105
|
+
ca = R509::CertificateAuthority::Signer.new(@test_ca_ec_config)
|
|
106
|
+
cert = ca.sign(:csr => csr, :profile_name => 'server')
|
|
107
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
108
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_ec_config.ca_cert.cert)
|
|
109
|
+
ocsp_request.add_certid(certid)
|
|
110
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca_ec' => @test_ca_ec_config) )
|
|
111
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
112
|
+
request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
|
|
113
|
+
request_response[:request].should_not be_nil
|
|
114
|
+
end
|
|
115
|
+
it "rejects request with 2 certs from different known CAs" do
|
|
116
|
+
ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
|
|
104
117
|
|
|
105
|
-
|
|
106
|
-
|
|
118
|
+
csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
|
|
119
|
+
cert = ca.sign(:csr => csr, :profile_name => 'server')
|
|
107
120
|
|
|
108
|
-
|
|
121
|
+
ca2 = R509::CertificateAuthority::Signer.new(@second_ca_config)
|
|
109
122
|
|
|
110
|
-
|
|
111
|
-
|
|
123
|
+
csr2 = R509::CSR.new( :subject => [['CN','ocsptest2.r509.local']], :bit_strength => 1024 )
|
|
124
|
+
cert2 = ca2.sign(:csr => csr2, :profile_name => 'server')
|
|
112
125
|
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
126
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
127
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
|
|
128
|
+
ocsp_request.add_certid(certid)
|
|
129
|
+
certid2 = OpenSSL::OCSP::CertificateId.new(cert2.cert,@second_ca_config.ca_cert.cert)
|
|
130
|
+
ocsp_request.add_certid(certid2)
|
|
118
131
|
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
132
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config, 'second_ca' => @second_ca_config) )
|
|
133
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
134
|
+
request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
|
|
135
|
+
request_response[:request].should be_nil
|
|
136
|
+
end
|
|
137
|
+
it "rejects request with 1 cert from known CA and 1 cert from unknown CA" do
|
|
138
|
+
ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
|
|
126
139
|
|
|
127
|
-
|
|
128
|
-
|
|
140
|
+
csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
|
|
141
|
+
cert = ca.sign(:csr => csr, :profile_name => 'server')
|
|
129
142
|
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
143
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
144
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
|
|
145
|
+
ocsp_request.add_certid(certid)
|
|
146
|
+
certid2 = OpenSSL::OCSP::CertificateId.new(OpenSSL::X509::Certificate.new(@cert),OpenSSL::X509::Certificate.new(@stca_cert))
|
|
147
|
+
ocsp_request.add_certid(certid2)
|
|
135
148
|
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
149
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
|
|
150
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
151
|
+
request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
|
|
152
|
+
end
|
|
153
|
+
it "responds successfully with 2 certs from 1 known CA" do
|
|
154
|
+
ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
|
|
142
155
|
|
|
143
|
-
|
|
144
|
-
|
|
156
|
+
csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
|
|
157
|
+
cert = ca.sign(:csr => csr, :profile_name => 'server')
|
|
145
158
|
|
|
146
|
-
|
|
147
|
-
|
|
159
|
+
csr2 = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
|
|
160
|
+
cert2 = ca.sign(:csr => csr2, :profile_name => 'server')
|
|
148
161
|
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
162
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
163
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
|
|
164
|
+
ocsp_request.add_certid(certid)
|
|
165
|
+
certid2 = OpenSSL::OCSP::CertificateId.new(cert2.cert,@test_ca_config.ca_cert.cert)
|
|
166
|
+
ocsp_request.add_certid(certid2)
|
|
154
167
|
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
168
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
|
|
169
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
170
|
+
request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
|
|
171
|
+
end
|
|
172
|
+
it "signs an OCSP response properly" do
|
|
173
|
+
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
174
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
175
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
176
|
+
ocsp_request.add_certid(certid)
|
|
177
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
|
|
178
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
179
|
+
request_response[:response].verify(@test_ca_config.ca_cert.cert).should == true
|
|
180
|
+
request_response[:response].verify(@second_ca_config.ca_cert.cert).should == false
|
|
181
|
+
request_response[:response].basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_GOOD
|
|
182
|
+
end
|
|
183
|
+
it "passes in a specific validity checker" do
|
|
184
|
+
class R509::Validity::BogusTestChecker < R509::Validity::Checker
|
|
185
|
+
def check(issuer_fingerprint, serial)
|
|
186
|
+
R509::Validity::Status.new(:status => R509::Validity::REVOKED, :revocation_time => Time.now.to_i)
|
|
187
|
+
end
|
|
158
188
|
end
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
ocsp_request = OpenSSL::OCSP::Request.new
|
|
178
|
-
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
179
|
-
ocsp_request.add_certid(certid)
|
|
180
|
-
ocsp_handler = R509::Ocsp::Signer.new({ :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config), :validity_checker => R509::Validity::BogusTestChecker.new })
|
|
181
|
-
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
182
|
-
request_response[:response].verify(@test_ca_config.ca_cert.cert).should == true
|
|
183
|
-
request_response[:response].basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
|
|
184
|
-
end
|
|
185
|
-
it "encodes the proper revocation time in the response" do
|
|
186
|
-
time = Time.now.to_i-3600
|
|
187
|
-
class R509::Validity::BogusTestChecker < R509::Validity::Checker
|
|
188
|
-
def initialize(time)
|
|
189
|
-
@time = time
|
|
190
|
-
end
|
|
191
|
-
def check(issuer_fingerprint, serial)
|
|
192
|
-
R509::Validity::Status.new(:status => R509::Validity::REVOKED, :revocation_time => @time)
|
|
193
|
-
end
|
|
194
|
-
end
|
|
195
|
-
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
196
|
-
ocsp_request = OpenSSL::OCSP::Request.new
|
|
197
|
-
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
198
|
-
ocsp_request.add_certid(certid)
|
|
199
|
-
ocsp_handler = R509::Ocsp::Signer.new({ :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config), :validity_checker => R509::Validity::BogusTestChecker.new(time) })
|
|
200
|
-
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
201
|
-
request_response[:response].basic.status[0][3].to_i.should == time
|
|
202
|
-
end
|
|
203
|
-
it "copies nonce from request to response if copy_nonce is true" do
|
|
204
|
-
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
205
|
-
ocsp_request = OpenSSL::OCSP::Request.new
|
|
206
|
-
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
207
|
-
ocsp_request.add_certid(certid)
|
|
208
|
-
ocsp_request.add_nonce
|
|
209
|
-
ocsp_handler = R509::Ocsp::Signer.new({ :copy_nonce => true, :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) })
|
|
210
|
-
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
211
|
-
request_response[:response].check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::PRESENT_AND_EQUAL
|
|
212
|
-
end
|
|
213
|
-
it "doesn't copy nonce if request doesn't have one and copy_nonce is true" do
|
|
214
|
-
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
215
|
-
ocsp_request = OpenSSL::OCSP::Request.new
|
|
216
|
-
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
217
|
-
ocsp_request.add_certid(certid)
|
|
218
|
-
ocsp_handler = R509::Ocsp::Signer.new( :copy_nonce => true, :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
|
|
219
|
-
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
220
|
-
request_response[:response].check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::BOTH_ABSENT
|
|
221
|
-
end
|
|
222
|
-
it "doesn't copy nonce if request doesn't have one and copy_nonce is false" do
|
|
223
|
-
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
224
|
-
ocsp_request = OpenSSL::OCSP::Request.new
|
|
225
|
-
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
226
|
-
ocsp_request.add_certid(certid)
|
|
227
|
-
ocsp_handler = R509::Ocsp::Signer.new( :copy_nonce => false, :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
|
|
228
|
-
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
229
|
-
request_response[:response].check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::BOTH_ABSENT
|
|
230
|
-
end
|
|
231
|
-
it "nonce in request only if copy_nonce is false" do
|
|
232
|
-
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
233
|
-
ocsp_request = OpenSSL::OCSP::Request.new
|
|
234
|
-
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
235
|
-
ocsp_request.add_certid(certid)
|
|
236
|
-
ocsp_request.add_nonce
|
|
237
|
-
ocsp_handler = R509::Ocsp::Signer.new( :copy_nonce => false, :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
|
|
238
|
-
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
239
|
-
request_response[:response].check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::REQUEST_ONLY
|
|
240
|
-
end
|
|
241
|
-
it "encodes thisUpdate/nextUpdate time properly" do
|
|
242
|
-
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
243
|
-
ocsp_request = OpenSSL::OCSP::Request.new
|
|
244
|
-
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
245
|
-
ocsp_request.add_certid(certid)
|
|
246
|
-
now = Time.now
|
|
247
|
-
ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
|
|
248
|
-
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
249
|
-
request_response[:response].basic.status[0][4].to_i.should == now.to_i - @test_ca_config.ocsp_start_skew_seconds
|
|
250
|
-
request_response[:response].basic.status[0][5].to_i.should == now.to_i + @test_ca_config.ocsp_validity_hours*3600
|
|
189
|
+
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
190
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
191
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
192
|
+
ocsp_request.add_certid(certid)
|
|
193
|
+
ocsp_handler = R509::OCSP::Signer.new({ :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config), :validity_checker => R509::Validity::BogusTestChecker.new })
|
|
194
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
195
|
+
request_response[:response].verify(@test_ca_config.ca_cert.cert).should == true
|
|
196
|
+
request_response[:response].basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
|
|
197
|
+
end
|
|
198
|
+
it "encodes the proper revocation time in the response" do
|
|
199
|
+
time = Time.now.to_i-3600
|
|
200
|
+
class R509::Validity::BogusTestChecker < R509::Validity::Checker
|
|
201
|
+
def initialize(time)
|
|
202
|
+
@time = time
|
|
203
|
+
end
|
|
204
|
+
def check(issuer_fingerprint, serial)
|
|
205
|
+
R509::Validity::Status.new(:status => R509::Validity::REVOKED, :revocation_time => @time)
|
|
206
|
+
end
|
|
251
207
|
end
|
|
208
|
+
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
209
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
210
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
211
|
+
ocsp_request.add_certid(certid)
|
|
212
|
+
ocsp_handler = R509::OCSP::Signer.new({ :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config), :validity_checker => R509::Validity::BogusTestChecker.new(time) })
|
|
213
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
214
|
+
request_response[:response].basic.status[0][3].to_i.should == time
|
|
215
|
+
end
|
|
216
|
+
it "copies nonce from request to response if copy_nonce is true" do
|
|
217
|
+
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
218
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
219
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
220
|
+
ocsp_request.add_certid(certid)
|
|
221
|
+
ocsp_request.add_nonce
|
|
222
|
+
ocsp_handler = R509::OCSP::Signer.new({ :copy_nonce => true, :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) })
|
|
223
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
224
|
+
request_response[:response].check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::PRESENT_AND_EQUAL
|
|
225
|
+
end
|
|
226
|
+
it "doesn't copy nonce if request doesn't have one and copy_nonce is true" do
|
|
227
|
+
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
228
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
229
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
230
|
+
ocsp_request.add_certid(certid)
|
|
231
|
+
ocsp_handler = R509::OCSP::Signer.new( :copy_nonce => true, :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
|
|
232
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
233
|
+
request_response[:response].check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::BOTH_ABSENT
|
|
234
|
+
end
|
|
235
|
+
it "doesn't copy nonce if request doesn't have one and copy_nonce is false" do
|
|
236
|
+
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
237
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
238
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
239
|
+
ocsp_request.add_certid(certid)
|
|
240
|
+
ocsp_handler = R509::OCSP::Signer.new( :copy_nonce => false, :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
|
|
241
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
242
|
+
request_response[:response].check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::BOTH_ABSENT
|
|
243
|
+
end
|
|
244
|
+
it "nonce in request only if copy_nonce is false" do
|
|
245
|
+
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
246
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
247
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
248
|
+
ocsp_request.add_certid(certid)
|
|
249
|
+
ocsp_request.add_nonce
|
|
250
|
+
ocsp_handler = R509::OCSP::Signer.new( :copy_nonce => false, :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
|
|
251
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
252
|
+
request_response[:response].check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::REQUEST_ONLY
|
|
253
|
+
end
|
|
254
|
+
it "encodes thisUpdate/nextUpdate time properly" do
|
|
255
|
+
cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
|
|
256
|
+
ocsp_request = OpenSSL::OCSP::Request.new
|
|
257
|
+
certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
|
|
258
|
+
ocsp_request.add_certid(certid)
|
|
259
|
+
now = Time.now
|
|
260
|
+
ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
|
|
261
|
+
request_response = ocsp_handler.handle_request(ocsp_request)
|
|
262
|
+
request_response[:response].basic.status[0][4].to_i.should == now.to_i - @test_ca_config.ocsp_start_skew_seconds
|
|
263
|
+
request_response[:response].basic.status[0][5].to_i.should == now.to_i + @test_ca_config.ocsp_validity_hours*3600
|
|
264
|
+
end
|
|
252
265
|
end
|
|
253
266
|
|
|
254
|
-
describe R509::
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
end
|
|
269
|
-
fake_checker = FakeChecker.new
|
|
270
|
-
expect { R509::Ocsp::Helper::RequestChecker.new([@test_ca_config], fake_checker) }.to raise_error(R509::R509Error)
|
|
267
|
+
describe R509::OCSP::Helper::RequestChecker do
|
|
268
|
+
before :all do
|
|
269
|
+
@cert = TestFixtures::CERT
|
|
270
|
+
@test_ca_config = TestFixtures.test_ca_config
|
|
271
|
+
@second_ca_config = TestFixtures.second_ca_config
|
|
272
|
+
end
|
|
273
|
+
it "fails if initialized without R509::Config::CAConfigPool" do
|
|
274
|
+
expect { R509::OCSP::Helper::RequestChecker.new({}, nil) }.to raise_error(R509::R509Error,'Must pass R509::Config::CAConfigPool object')
|
|
275
|
+
end
|
|
276
|
+
it "fails if you give it a valid config but nil validity checker" do
|
|
277
|
+
expect { R509::OCSP::Helper::RequestChecker.new(R509::Config::CAConfigPool.new('testca' =>@test_ca_config), nil) }.to raise_error(R509::R509Error,'Must supply a R509::Validity::Checker')
|
|
278
|
+
end
|
|
279
|
+
it "fails if you give it a valid config but the validity checker doesn't respond to a check method" do
|
|
280
|
+
class FakeChecker
|
|
271
281
|
end
|
|
282
|
+
fake_checker = FakeChecker.new
|
|
283
|
+
expect { R509::OCSP::Helper::RequestChecker.new([@test_ca_config], fake_checker) }.to raise_error(R509::R509Error)
|
|
284
|
+
end
|
|
272
285
|
end
|
|
273
286
|
|
|
274
|
-
describe R509::
|
|
287
|
+
describe R509::OCSP::Helper::ResponseSigner do
|
|
275
288
|
end
|