r509-ocsp-responder 0.3.1 → 0.3.2

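--- a/data/spec/signer_spec.rb
+++ b/data/spec/signer_spec.rb
@@ -2,274 +2,287 @@ require 'spec_helper'
  require 'r509/ocsp'
  require 'openssl'
 
- describe R509::Ocsp::Signer do
- before :all do
- @cert = TestFixtures::CERT
- @stca_cert = TestFixtures::STCA_CERT
- @stca_ocsp_request = TestFixtures::STCA_OCSP_REQUEST
- @ocsp_test_cert = TestFixtures::OCSP_TEST_CERT
- @test_ca_config = TestFixtures.test_ca_config
- @test_ca_subroot_config = TestFixtures.test_ca_subroot_config
- @second_ca_config = TestFixtures.second_ca_config
- @ocsp_delegate_config = R509::Config::CaConfig.from_yaml("ocsp_delegate_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
- @ocsp_subroot_delegate_config = R509::Config::CaConfig.from_yaml("ocsp_subroot_delegate_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
- @ocsp_chain_config = R509::Config::CaConfig.from_yaml("ocsp_chain_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
- Dependo::Registry.clear
- Dependo::Registry[:log] = Logger.new(nil)
+ describe R509::OCSP::Signer do
+ before :all do
+ @cert = TestFixtures::CERT
+ @stca_cert = TestFixtures::STCA_CERT
+ @stca_ocsp_request = TestFixtures::STCA_OCSP_REQUEST
+ @ocsp_test_cert = TestFixtures::OCSP_TEST_CERT
+ @test_ca_config = TestFixtures.test_ca_config
+ @test_ca_ec_config = TestFixtures.test_ca_ec_config
+ @test_ca_subroot_config = TestFixtures.test_ca_subroot_config
+ @second_ca_config = TestFixtures.second_ca_config
+ @ocsp_delegate_config = R509::Config::CAConfig.from_yaml("ocsp_delegate_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+ @ocsp_subroot_delegate_config = R509::Config::CAConfig.from_yaml("ocsp_subroot_delegate_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+ @ocsp_chain_config = R509::Config::CAConfig.from_yaml("ocsp_chain_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+ Dependo::Registry.clear
+ Dependo::Registry[:log] = Logger.new(nil)
 
- end
- it "allows access to the validity checker object" do
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
- ocsp_handler.validity_checker.kind_of?(R509::Validity::DefaultChecker).should == true
- end
+ end
+ it "allows access to the validity checker object" do
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
+ ocsp_handler.validity_checker.kind_of?(R509::Validity::DefaultChecker).should == true
+ end
 
- it "rejects ocsp requests from an unknown CA" do
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
- request_response = ocsp_handler.handle_request(@stca_ocsp_request)
- request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
- end
- it "rejects malformed OCSP requests" do
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
- request_response = ocsp_handler.handle_request("notreallyanocsprequest")
- request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST
- end
- it "responds successfully with an OCSP delegate" do
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @ocsp_delegate_config) )
- csr = R509::Csr.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
- ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
- cert = ca.sign(:csr => csr, :profile_name => 'server')
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
- request_response[:response].verify(@ocsp_delegate_config.ca_cert.cert).should == true
- #TODO Better way to check whether we're adding the certs when signing the basic_response than response size...
- request_response[:response].to_der.size.should >= 1500
- request_response[:response].to_der.size.should <= 1800
- end
- it "responds successfully for a subroot (signing via subroot)" do
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_subroot_config) )
- csr = R509::Csr.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
- ca = R509::CertificateAuthority::Signer.new(@test_ca_subroot_config)
- cert = ca.sign(:csr => csr, :profile_name => 'server')
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_subroot_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
- request_response[:response].verify([@test_ca_subroot_config.ca_cert.cert,@test_ca_config.ca_cert.cert]).should == true
- end
- it "responds successfully for a subroot (signing via delegate)" do
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @ocsp_subroot_delegate_config) )
- csr = R509::Csr.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
- ca = R509::CertificateAuthority::Signer.new(@test_ca_subroot_config)
- cert = ca.sign(:csr => csr, :profile_name => 'server')
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_subroot_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
- request_response[:response].verify([@test_ca_subroot_config.ca_cert.cert,@test_ca_config.ca_cert.cert]).should == true
- end
- it "responds successfully with an OCSP chain" do
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @ocsp_chain_config) )
- csr = R509::Csr.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
- ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
- cert = ca.sign(:csr => csr, :profile_name => 'server')
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
- request_response[:response].verify(@ocsp_chain_config.ca_cert.cert).should == true
- #TODO Better way to check whether we're adding the certs when signing the basic_response than response size...
- request_response[:response].to_der.size.should >= 3600
- request_response[:response].to_der.size.should <= 3900
- end
- it "responds successfully from the test_ca" do
- csr = R509::Csr.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
- ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
- cert = ca.sign(:csr => csr, :profile_name => 'server')
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
- request_response[:request].should_not be_nil
- end
- it "rejects request with 2 certs from different known CAs" do
- ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
+ it "rejects ocsp requests from an unknown CA" do
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
+ request_response = ocsp_handler.handle_request(@stca_ocsp_request)
+ request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
+ end
+ it "rejects malformed OCSP requests" do
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
+ request_response = ocsp_handler.handle_request("notreallyanocsprequest")
+ request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST
+ end
+ it "responds successfully with an OCSP delegate" do
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @ocsp_delegate_config) )
+ csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
+ ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
+ cert = ca.sign(:csr => csr, :profile_name => 'server')
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+ request_response[:response].verify(@ocsp_delegate_config.ca_cert.cert).should == true
+ #TODO Better way to check whether we're adding the certs when signing the basic_response than response size...
+ request_response[:response].to_der.size.should >= 1500
+ request_response[:response].to_der.size.should <= 1800
+ end
+ it "responds successfully for a subroot (signing via subroot)" do
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_subroot_config) )
+ csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
+ ca = R509::CertificateAuthority::Signer.new(@test_ca_subroot_config)
+ cert = ca.sign(:csr => csr, :profile_name => 'server')
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_subroot_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+ request_response[:response].verify([@test_ca_subroot_config.ca_cert.cert,@test_ca_config.ca_cert.cert]).should == true
+ end
+ it "responds successfully for a subroot (signing via delegate)" do
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @ocsp_subroot_delegate_config) )
+ csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
+ ca = R509::CertificateAuthority::Signer.new(@test_ca_subroot_config)
+ cert = ca.sign(:csr => csr, :profile_name => 'server')
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_subroot_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+ request_response[:response].verify([@test_ca_subroot_config.ca_cert.cert,@test_ca_config.ca_cert.cert]).should == true
+ end
+ it "responds successfully with an OCSP chain" do
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @ocsp_chain_config) )
+ csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
+ ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
+ cert = ca.sign(:csr => csr, :profile_name => 'server')
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+ request_response[:response].verify(@ocsp_chain_config.ca_cert.cert).should == true
+ #TODO Better way to check whether we're adding the certs when signing the basic_response than response size...
+ request_response[:response].to_der.size.should >= 3600
+ request_response[:response].to_der.size.should <= 3900
+ end
+ it "responds successfully from the test_ca" do
+ csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
+ ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
+ cert = ca.sign(:csr => csr, :profile_name => 'server')
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+ request_response[:request].should_not be_nil
+ end
+ it "responds successfully from an elliptic curve CA" do
+ csr = R509::CSR.new( :subject => [['CN','ocspectest.r509.local']], :type => :ec )
+ ca = R509::CertificateAuthority::Signer.new(@test_ca_ec_config)
+ cert = ca.sign(:csr => csr, :profile_name => 'server')
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_ec_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca_ec' => @test_ca_ec_config) )
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+ request_response[:request].should_not be_nil
+ end
+ it "rejects request with 2 certs from different known CAs" do
+ ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
 
- csr = R509::Csr.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
- cert = ca.sign(:csr => csr, :profile_name => 'server')
+ csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
+ cert = ca.sign(:csr => csr, :profile_name => 'server')
 
- ca2 = R509::CertificateAuthority::Signer.new(@second_ca_config)
+ ca2 = R509::CertificateAuthority::Signer.new(@second_ca_config)
 
- csr2 = R509::Csr.new( :subject => [['CN','ocsptest2.r509.local']], :bit_strength => 1024 )
- cert2 = ca2.sign(:csr => csr2, :profile_name => 'server')
+ csr2 = R509::CSR.new( :subject => [['CN','ocsptest2.r509.local']], :bit_strength => 1024 )
+ cert2 = ca2.sign(:csr => csr2, :profile_name => 'server')
 
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- certid2 = OpenSSL::OCSP::CertificateId.new(cert2.cert,@second_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid2)
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ certid2 = OpenSSL::OCSP::CertificateId.new(cert2.cert,@second_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid2)
 
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config, 'second_ca' => @second_ca_config) )
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
- request_response[:request].should be_nil
- end
- it "rejects request with 1 cert from known CA and 1 cert from unknown CA" do
- ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config, 'second_ca' => @second_ca_config) )
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
+ request_response[:request].should be_nil
+ end
+ it "rejects request with 1 cert from known CA and 1 cert from unknown CA" do
+ ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
 
- csr = R509::Csr.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
- cert = ca.sign(:csr => csr, :profile_name => 'server')
+ csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
+ cert = ca.sign(:csr => csr, :profile_name => 'server')
 
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- certid2 = OpenSSL::OCSP::CertificateId.new(OpenSSL::X509::Certificate.new(@cert),OpenSSL::X509::Certificate.new(@stca_cert))
- ocsp_request.add_certid(certid2)
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ certid2 = OpenSSL::OCSP::CertificateId.new(OpenSSL::X509::Certificate.new(@cert),OpenSSL::X509::Certificate.new(@stca_cert))
+ ocsp_request.add_certid(certid2)
 
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
- end
- it "responds successfully with 2 certs from 1 known CA" do
- ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
+ end
+ it "responds successfully with 2 certs from 1 known CA" do
+ ca = R509::CertificateAuthority::Signer.new(@test_ca_config)
 
- csr = R509::Csr.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
- cert = ca.sign(:csr => csr, :profile_name => 'server')
+ csr = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
+ cert = ca.sign(:csr => csr, :profile_name => 'server')
 
- csr2 = R509::Csr.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
- cert2 = ca.sign(:csr => csr2, :profile_name => 'server')
+ csr2 = R509::CSR.new( :subject => [['CN','ocsptest.r509.local']], :bit_strength => 1024 )
+ cert2 = ca.sign(:csr => csr2, :profile_name => 'server')
 
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- certid2 = OpenSSL::OCSP::CertificateId.new(cert2.cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid2)
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert.cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ certid2 = OpenSSL::OCSP::CertificateId.new(cert2.cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid2)
 
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+ end
+ it "signs an OCSP response properly" do
+ cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].verify(@test_ca_config.ca_cert.cert).should == true
+ request_response[:response].verify(@second_ca_config.ca_cert.cert).should == false
+ request_response[:response].basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_GOOD
+ end
+ it "passes in a specific validity checker" do
+ class R509::Validity::BogusTestChecker < R509::Validity::Checker
+ def check(issuer_fingerprint, serial)
+ R509::Validity::Status.new(:status => R509::Validity::REVOKED, :revocation_time => Time.now.to_i)
+ end
  end
- it "signs an OCSP response properly" do
- cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].verify(@test_ca_config.ca_cert.cert).should == true
- request_response[:response].verify(@second_ca_config.ca_cert.cert).should == false
- request_response[:response].basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_GOOD
- end
- it "passes in a specific validity checker" do
- class R509::Validity::BogusTestChecker < R509::Validity::Checker
- def check(issuer_fingerprint, serial)
- R509::Validity::Status.new(:status => R509::Validity::REVOKED, :revocation_time => Time.now.to_i)
- end
- end
- cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- ocsp_handler = R509::Ocsp::Signer.new({ :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config), :validity_checker => R509::Validity::BogusTestChecker.new })
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].verify(@test_ca_config.ca_cert.cert).should == true
- request_response[:response].basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
- end
- it "encodes the proper revocation time in the response" do
- time = Time.now.to_i-3600
- class R509::Validity::BogusTestChecker < R509::Validity::Checker
- def initialize(time)
- @time = time
- end
- def check(issuer_fingerprint, serial)
- R509::Validity::Status.new(:status => R509::Validity::REVOKED, :revocation_time => @time)
- end
- end
- cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- ocsp_handler = R509::Ocsp::Signer.new({ :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config), :validity_checker => R509::Validity::BogusTestChecker.new(time) })
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].basic.status[0][3].to_i.should == time
- end
- it "copies nonce from request to response if copy_nonce is true" do
- cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- ocsp_request.add_nonce
- ocsp_handler = R509::Ocsp::Signer.new({ :copy_nonce => true, :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) })
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::PRESENT_AND_EQUAL
- end
- it "doesn't copy nonce if request doesn't have one and copy_nonce is true" do
- cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- ocsp_handler = R509::Ocsp::Signer.new( :copy_nonce => true, :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::BOTH_ABSENT
- end
- it "doesn't copy nonce if request doesn't have one and copy_nonce is false" do
- cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- ocsp_handler = R509::Ocsp::Signer.new( :copy_nonce => false, :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::BOTH_ABSENT
- end
- it "nonce in request only if copy_nonce is false" do
- cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- ocsp_request.add_nonce
- ocsp_handler = R509::Ocsp::Signer.new( :copy_nonce => false, :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::REQUEST_ONLY
- end
- it "encodes thisUpdate/nextUpdate time properly" do
- cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
- ocsp_request = OpenSSL::OCSP::Request.new
- certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
- ocsp_request.add_certid(certid)
- now = Time.now
- ocsp_handler = R509::Ocsp::Signer.new( :configs => R509::Config::CaConfigPool.new('testca' => @test_ca_config) )
- request_response = ocsp_handler.handle_request(ocsp_request)
- request_response[:response].basic.status[0][4].to_i.should == now.to_i - @test_ca_config.ocsp_start_skew_seconds
- request_response[:response].basic.status[0][5].to_i.should == now.to_i + @test_ca_config.ocsp_validity_hours*3600
+ cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ ocsp_handler = R509::OCSP::Signer.new({ :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config), :validity_checker => R509::Validity::BogusTestChecker.new })
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].verify(@test_ca_config.ca_cert.cert).should == true
+ request_response[:response].basic.status[0][1].should == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+ end
+ it "encodes the proper revocation time in the response" do
+ time = Time.now.to_i-3600
+ class R509::Validity::BogusTestChecker < R509::Validity::Checker
+ def initialize(time)
+ @time = time
+ end
+ def check(issuer_fingerprint, serial)
+ R509::Validity::Status.new(:status => R509::Validity::REVOKED, :revocation_time => @time)
+ end
  end
+ cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ ocsp_handler = R509::OCSP::Signer.new({ :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config), :validity_checker => R509::Validity::BogusTestChecker.new(time) })
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].basic.status[0][3].to_i.should == time
+ end
+ it "copies nonce from request to response if copy_nonce is true" do
+ cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ ocsp_request.add_nonce
+ ocsp_handler = R509::OCSP::Signer.new({ :copy_nonce => true, :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) })
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::PRESENT_AND_EQUAL
+ end
+ it "doesn't copy nonce if request doesn't have one and copy_nonce is true" do
+ cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ ocsp_handler = R509::OCSP::Signer.new( :copy_nonce => true, :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::BOTH_ABSENT
+ end
+ it "doesn't copy nonce if request doesn't have one and copy_nonce is false" do
+ cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ ocsp_handler = R509::OCSP::Signer.new( :copy_nonce => false, :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::BOTH_ABSENT
+ end
+ it "nonce in request only if copy_nonce is false" do
+ cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ ocsp_request.add_nonce
+ ocsp_handler = R509::OCSP::Signer.new( :copy_nonce => false, :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::REQUEST_ONLY
+ end
+ it "encodes thisUpdate/nextUpdate time properly" do
+ cert = OpenSSL::X509::Certificate.new(@ocsp_test_cert)
+ ocsp_request = OpenSSL::OCSP::Request.new
+ certid = OpenSSL::OCSP::CertificateId.new(cert,@test_ca_config.ca_cert.cert)
+ ocsp_request.add_certid(certid)
+ now = Time.now
+ ocsp_handler = R509::OCSP::Signer.new( :configs => R509::Config::CAConfigPool.new('testca' => @test_ca_config) )
+ request_response = ocsp_handler.handle_request(ocsp_request)
+ request_response[:response].basic.status[0][4].to_i.should == now.to_i - @test_ca_config.ocsp_start_skew_seconds
+ request_response[:response].basic.status[0][5].to_i.should == now.to_i + @test_ca_config.ocsp_validity_hours*3600
+ end
  end
 
- describe R509::Ocsp::Helper::RequestChecker do
- before :all do
- @cert = TestFixtures::CERT
- @test_ca_config = TestFixtures.test_ca_config
- @second_ca_config = TestFixtures.second_ca_config
- end
- it "fails if initialized without R509::Config::CaConfigPool" do
- expect { R509::Ocsp::Helper::RequestChecker.new({}, nil) }.to raise_error(R509::R509Error,'Must pass R509::Config::CaConfigPool object')
- end
- it "fails if you give it a valid config but nil validity checker" do
- expect { R509::Ocsp::Helper::RequestChecker.new(R509::Config::CaConfigPool.new('testca' =>@test_ca_config), nil) }.to raise_error(R509::R509Error,'Must supply a R509::Validity::Checker')
- end
- it "fails if you give it a valid config but the validity checker doesn't respond to a check method" do
- class FakeChecker
- end
- fake_checker = FakeChecker.new
- expect { R509::Ocsp::Helper::RequestChecker.new([@test_ca_config], fake_checker) }.to raise_error(R509::R509Error)
+ describe R509::OCSP::Helper::RequestChecker do
+ before :all do
+ @cert = TestFixtures::CERT
+ @test_ca_config = TestFixtures.test_ca_config
+ @second_ca_config = TestFixtures.second_ca_config
+ end
+ it "fails if initialized without R509::Config::CAConfigPool" do
+ expect { R509::OCSP::Helper::RequestChecker.new({}, nil) }.to raise_error(R509::R509Error,'Must pass R509::Config::CAConfigPool object')
+ end
+ it "fails if you give it a valid config but nil validity checker" do
+ expect { R509::OCSP::Helper::RequestChecker.new(R509::Config::CAConfigPool.new('testca' =>@test_ca_config), nil) }.to raise_error(R509::R509Error,'Must supply a R509::Validity::Checker')
+ end
+ it "fails if you give it a valid config but the validity checker doesn't respond to a check method" do
+ class FakeChecker
  end
+ fake_checker = FakeChecker.new
+ expect { R509::OCSP::Helper::RequestChecker.new([@test_ca_config], fake_checker) }.to raise_error(R509::R509Error)
+ end
  end
 
- describe R509::Ocsp::Helper::ResponseSigner do
+ describe R509::OCSP::Helper::ResponseSigner do
  end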
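Review bot: The new example "responds successfully from an elliptic curve CA" asserts only RESPONSE_STATUS_SUCCESSFUL and a non-nil `:request`; unlike the delegate, subroot and chain examples it never checks that the response signature verifies, so a broken ECDSA signing path that still reports a successful status would go unnoticed. Add `request_response[:response].verify(@test_ca_ec_config.ca_cert.cert).should == true` after the status assertion, and consider asserting `basic.status[0][1]` as the RSA examples do. Separately, `R509::Validity::BogusTestChecker` is reopened at top level in two examples with incompatible `initialize` arities; if the suite runs examples in random order, the zero-argument `BogusTestChecker.new` in "passes in a specific validity checker" will presumably raise ArgumentError once the `initialize(time)` definition has been loaded, so each example should build its own anonymous `Class.new(R509::Validity::Checker)` rather than mutating a shared constant. Both pre-date this version, but they remain on the new side and the EC example is new.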