r509 0.10.0 → 1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/README.mdown +2 -2
- data/Rakefile +2 -3
- data/bin/r509 +77 -80
- data/bin/r509-parse +4 -4
- data/doc/R509.html +60 -60
- data/doc/R509/ASN1.html +158 -48
- data/doc/R509/ASN1/GeneralName.html +157 -154
- data/doc/R509/ASN1/GeneralNames.html +246 -237
- data/doc/R509/CRL.html +41 -39
- data/doc/R509/CRL/Administrator.html +105 -100
- data/doc/R509/CRL/FileReaderWriter.html +146 -98
- data/doc/R509/CRL/ReaderWriter.html +57 -54
- data/doc/R509/CRL/SQLiteReaderWriter.html +727 -0
- data/doc/R509/CRL/SignedList.html +83 -80
- data/doc/R509/CSR.html +184 -162
- data/doc/R509/Cert.html +271 -269
- data/doc/R509/Cert/Extensions.html +62 -63
- data/doc/R509/Cert/Extensions/AuthorityInfoAccess.html +138 -108
- data/doc/R509/Cert/Extensions/AuthorityKeyIdentifier.html +100 -84
- data/doc/R509/Cert/Extensions/BasicConstraints.html +89 -88
- data/doc/R509/Cert/Extensions/CRLDistributionPoints.html +87 -83
- data/doc/R509/Cert/Extensions/CertificatePolicies.html +78 -76
- data/doc/R509/Cert/Extensions/ExtendedKeyUsage.html +128 -125
- data/doc/R509/Cert/Extensions/GeneralNamesMixin.html +83 -78
- data/doc/R509/Cert/Extensions/InhibitAnyPolicy.html +69 -67
- data/doc/R509/Cert/Extensions/KeyUsage.html +138 -135
- data/doc/R509/Cert/Extensions/NameConstraints.html +82 -81
- data/doc/R509/Cert/Extensions/NoticeReference.html +59 -56
- data/doc/R509/Cert/Extensions/OCSPNoCheck.html +70 -69
- data/doc/R509/Cert/Extensions/PolicyConstraints.html +71 -69
- data/doc/R509/Cert/Extensions/PolicyInformation.html +63 -60
- data/doc/R509/Cert/Extensions/PolicyQualifiers.html +60 -57
- data/doc/R509/Cert/Extensions/SubjectAlternativeName.html +91 -87
- data/doc/R509/Cert/Extensions/SubjectKeyIdentifier.html +72 -71
- data/doc/R509/Cert/Extensions/UserNotice.html +60 -57
- data/doc/R509/Cert/Extensions/ValidationMixin.html +43 -40
- data/doc/R509/CertificateAuthority.html +39 -37
- data/doc/R509/CertificateAuthority/OptionsBuilder.html +58 -55
- data/doc/R509/CertificateAuthority/Signer.html +277 -60
- data/doc/R509/Config.html +40 -38
- data/doc/R509/Config/CAConfig.html +255 -188
- data/doc/R509/Config/CAConfigPool.html +64 -61
- data/doc/R509/Config/CertProfile.html +119 -116
- data/doc/R509/Config/SubjectItemPolicy.html +94 -93
- data/doc/R509/Engine.html +60 -56
- data/doc/R509/Helpers.html +99 -96
- data/doc/R509/MessageDigest.html +69 -68
- data/doc/R509/NameSanitizer.html +51 -48
- data/doc/R509/OCSP.html +39 -37
- data/doc/R509/OCSP/Request.html +39 -37
- data/doc/R509/OCSP/Request/Nonce.html +67 -67
- data/doc/R509/OCSP/Response.html +93 -90
- data/doc/R509/OIDMapper.html +48 -46
- data/doc/R509/PrivateKey.html +170 -169
- data/doc/R509/R509Error.html +45 -42
- data/doc/R509/SPKI.html +99 -89
- data/doc/R509/Subject.html +86 -83
- data/doc/R509/Validity.html +57 -57
- data/doc/R509/Validity/Checker.html +63 -93
- data/doc/R509/Validity/DefaultChecker.html +58 -55
- data/doc/R509/Validity/DefaultWriter.html +62 -59
- data/doc/R509/Validity/Status.html +77 -74
- data/doc/R509/Validity/Writer.html +75 -123
- data/doc/_index.html +37 -31
- data/doc/class_list.html +25 -27
- data/doc/css/full_list.css +32 -31
- data/doc/css/style.css +221 -78
- data/doc/file.CONTRIBUTING.html +29 -30
- data/doc/file.LICENSE.html +29 -30
- data/doc/file.README.html +31 -32
- data/doc/file.YAML.html +33 -34
- data/doc/file.r509.html +39 -48
- data/doc/file_list.html +39 -30
- data/doc/frames.html +10 -21
- data/doc/index.html +31 -32
- data/doc/js/app.js +100 -71
- data/doc/js/full_list.js +168 -130
- data/doc/method_list.html +1788 -1119
- data/doc/top-level-namespace.html +45 -49
- data/lib/r509.rb +21 -7
- data/lib/r509/asn1.rb +45 -32
- data/lib/r509/cert.rb +45 -51
- data/lib/r509/cert/extensions/authority_info_access.rb +49 -23
- data/lib/r509/cert/extensions/authority_key_identifier.rb +16 -11
- data/lib/r509/cert/extensions/base.rb +22 -23
- data/lib/r509/cert/extensions/basic_constraints.rb +11 -12
- data/lib/r509/cert/extensions/certificate_policies.rb +26 -26
- data/lib/r509/cert/extensions/crl_distribution_points.rb +5 -7
- data/lib/r509/cert/extensions/extended_key_usage.rb +5 -5
- data/lib/r509/cert/extensions/inhibit_any_policy.rb +4 -3
- data/lib/r509/cert/extensions/key_usage.rb +5 -5
- data/lib/r509/cert/extensions/name_constraints.rb +16 -16
- data/lib/r509/cert/extensions/ocsp_no_check.rb +3 -3
- data/lib/r509/cert/extensions/policy_constraints.rb +8 -8
- data/lib/r509/cert/extensions/subject_alternative_name.rb +5 -4
- data/lib/r509/cert/extensions/subject_key_identifier.rb +5 -5
- data/lib/r509/cert/extensions/validation_mixin.rb +11 -10
- data/lib/r509/certificate_authority/options_builder.rb +19 -21
- data/lib/r509/certificate_authority/signer.rb +26 -27
- data/lib/r509/config.rb +1 -0
- data/lib/r509/config/ca_config.rb +70 -75
- data/lib/r509/config/cert_profile.rb +9 -8
- data/lib/r509/config/subject_item_policy.rb +25 -28
- data/lib/r509/crl/administrator.rb +19 -20
- data/lib/r509/crl/reader_writer.rb +10 -8
- data/lib/r509/crl/signed_list.rb +4 -4
- data/lib/r509/crl/sqlite_reader_writer.rb +75 -0
- data/lib/r509/csr.rb +54 -60
- data/lib/r509/ec-hack.rb +3 -2
- data/lib/r509/engine.rb +5 -6
- data/lib/r509/exceptions.rb +1 -1
- data/lib/r509/helpers.rb +11 -14
- data/lib/r509/io_helpers.rb +7 -7
- data/lib/r509/message_digest.rb +5 -6
- data/lib/r509/ocsp.rb +11 -13
- data/lib/r509/oid_mapper.rb +2 -2
- data/lib/r509/private_key.rb +28 -32
- data/lib/r509/spki.rb +17 -20
- data/lib/r509/subject.rb +26 -27
- data/lib/r509/trollop.rb +1 -0
- data/lib/r509/validity.rb +30 -21
- data/lib/r509/version.rb +4 -2
- data/r509.yaml +9 -17
- data/spec/asn1_spec.rb +145 -146
- data/spec/cert/extensions/authority_info_access_spec.rb +41 -41
- data/spec/cert/extensions/authority_key_identifier_spec.rb +29 -23
- data/spec/cert/extensions/base_spec.rb +38 -34
- data/spec/cert/extensions/basic_constraints_spec.rb +21 -21
- data/spec/cert/extensions/certificate_policies_spec.rb +99 -87
- data/spec/cert/extensions/crl_distribution_points_spec.rb +24 -25
- data/spec/cert/extensions/extended_key_usage_spec.rb +40 -36
- data/spec/cert/extensions/inhibit_any_policy_spec.rb +12 -12
- data/spec/cert/extensions/key_usage_spec.rb +44 -39
- data/spec/cert/extensions/name_constraints_spec.rb +83 -83
- data/spec/cert/extensions/ocsp_no_check_spec.rb +10 -10
- data/spec/cert/extensions/policy_constraints_spec.rb +19 -19
- data/spec/cert/extensions/subject_alternative_name_spec.rb +46 -47
- data/spec/cert/extensions/subject_key_identifier_spec.rb +10 -10
- data/spec/cert_spec.rb +105 -101
- data/spec/certificate_authority/options_builder_spec.rb +90 -90
- data/spec/certificate_authority/signer_spec.rb +41 -41
- data/spec/config/ca_config_spec.rb +169 -119
- data/spec/config/cert_profile_spec.rb +33 -33
- data/spec/config/subject_item_policy_spec.rb +22 -22
- data/spec/crl/administrator_spec.rb +65 -65
- data/spec/crl/reader_writer_spec.rb +20 -19
- data/spec/crl/signed_list_spec.rb +26 -26
- data/spec/crl/sqlite_reader_writer_spec.rb +42 -0
- data/spec/csr_spec.rb +149 -145
- data/spec/engine_spec.rb +14 -14
- data/spec/fixtures.rb +56 -39
- data/spec/fixtures/crl_list.sql +13 -0
- data/spec/fixtures/csr1.der +0 -0
- data/spec/fixtures/csr1.pem +6 -6
- data/spec/message_digest_spec.rb +43 -43
- data/spec/ocsp_spec.rb +25 -25
- data/spec/oid_mapper_spec.rb +18 -19
- data/spec/private_key_spec.rb +79 -81
- data/spec/r509_spec.rb +16 -16
- data/spec/spec_helper.rb +3 -3
- data/spec/spki_spec.rb +94 -94
- data/spec/subject_spec.rb +107 -107
- data/spec/validity_spec.rb +25 -25
- metadata +113 -111
- metadata.gz.sig +0 -0
|
@@ -8,20 +8,20 @@ shared_examples_for "a correct R509 NameConstraints object" do |critical|
|
|
|
8
8
|
klass = NameConstraints
|
|
9
9
|
ef = OpenSSL::X509::ExtensionFactory.new
|
|
10
10
|
ef.config = OpenSSL::Config.parse(@conf)
|
|
11
|
-
openssl_ext = ef.create_extension(
|
|
12
|
-
@r509_ext = klass.new(
|
|
11
|
+
openssl_ext = ef.create_extension(extension_name, @extension_value, critical)
|
|
12
|
+
@r509_ext = klass.new(openssl_ext)
|
|
13
13
|
end
|
|
14
14
|
|
|
15
15
|
it "should have the permitted names" do
|
|
16
|
-
@permitted.each_with_index do |name,index|
|
|
17
|
-
@r509_ext.permitted.names[index].tag.
|
|
18
|
-
@r509_ext.permitted.names[index].value.
|
|
16
|
+
@permitted.each_with_index do |name, index|
|
|
17
|
+
expect(@r509_ext.permitted.names[index].tag).to eq(name[:tag])
|
|
18
|
+
expect(@r509_ext.permitted.names[index].value).to eq(name[:value])
|
|
19
19
|
end
|
|
20
20
|
end
|
|
21
21
|
it "should have the excluded names" do
|
|
22
|
-
@excluded.each_with_index do |name,index|
|
|
23
|
-
@r509_ext.excluded.names[index].tag.
|
|
24
|
-
@r509_ext.excluded.names[index].value.
|
|
22
|
+
@excluded.each_with_index do |name, index|
|
|
23
|
+
expect(@r509_ext.excluded.names[index].tag).to eq(name[:tag])
|
|
24
|
+
expect(@r509_ext.excluded.names[index].value).to eq(name[:value])
|
|
25
25
|
end
|
|
26
26
|
end
|
|
27
27
|
end
|
|
@@ -31,24 +31,24 @@ describe R509::Cert::Extensions::NameConstraints do
|
|
|
31
31
|
|
|
32
32
|
context "validate name constraints"do
|
|
33
33
|
it "raises an error when not a hash" do
|
|
34
|
-
expect { R509::Cert::Extensions::NameConstraints.new(
|
|
34
|
+
expect { R509::Cert::Extensions::NameConstraints.new('a string') }.to raise_error(ArgumentError, 'name_constraints must be provided as a hash')
|
|
35
35
|
end
|
|
36
36
|
|
|
37
37
|
it "raises an error when permitted and excluded are empty" do
|
|
38
|
-
expect { R509::Cert::Extensions::NameConstraints.new(
|
|
38
|
+
expect { R509::Cert::Extensions::NameConstraints.new(:permitted => [], :excluded => []) }.to raise_error(ArgumentError, 'If name_constraints are supplied you must have at least one valid :permitted or :excluded element')
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
it "raises an error when permitted or excluded are not arrays" do
|
|
42
|
-
expect { R509::Cert::Extensions::NameConstraints.new(
|
|
42
|
+
expect { R509::Cert::Extensions::NameConstraints.new(:permitted => 'string', :excluded => 'string') }.to raise_error(ArgumentError, 'permitted must be an array')
|
|
43
43
|
end
|
|
44
44
|
|
|
45
45
|
it "raises an error when permitted or excluded elements are not hashes with the required values" do
|
|
46
|
-
expect { R509::Cert::Extensions::NameConstraints.new(
|
|
47
|
-
expect { R509::Cert::Extensions::NameConstraints.new(
|
|
46
|
+
expect { R509::Cert::Extensions::NameConstraints.new(:permitted => [{ "type" => 'DNS' }]) }.to raise_error(ArgumentError, 'Elements within the permitted array must be hashes with both type and value')
|
|
47
|
+
expect { R509::Cert::Extensions::NameConstraints.new(:permitted => [{ 'value' => '127' }]) }.to raise_error(ArgumentError, 'Elements within the permitted array must be hashes with both type and value')
|
|
48
48
|
end
|
|
49
49
|
|
|
50
50
|
it "raises an error when an invalid type is specified" do
|
|
51
|
-
expect { R509::Cert::Extensions::NameConstraints.new(
|
|
51
|
+
expect { R509::Cert::Extensions::NameConstraints.new(:permitted => [{ :type => 'invalid', :value => '127' }]) }.to raise_error(ArgumentError, 'invalid is not an allowed type. Check R509::ASN1::GeneralName.map_type_to_tag to see a list of types')
|
|
52
52
|
end
|
|
53
53
|
end
|
|
54
54
|
|
|
@@ -56,18 +56,18 @@ describe R509::Cert::Extensions::NameConstraints do
|
|
|
56
56
|
context "creation & yaml generation" do
|
|
57
57
|
context "one permitted" do
|
|
58
58
|
before :all do
|
|
59
|
-
@args = { :permitted => [
|
|
59
|
+
@args = { :permitted => [{ :type => 'DNS', :value => 'domain.com' }], :critical => true }
|
|
60
60
|
@nc = R509::Cert::Extensions::NameConstraints.new(@args)
|
|
61
61
|
end
|
|
62
62
|
|
|
63
63
|
it "creates extension" do
|
|
64
|
-
@nc.permitted.names.size.
|
|
65
|
-
@nc.permitted.names[0].value.
|
|
66
|
-
@nc.permitted.names[0].short_type.
|
|
64
|
+
expect(@nc.permitted.names.size).to eq(1)
|
|
65
|
+
expect(@nc.permitted.names[0].value).to eq('domain.com')
|
|
66
|
+
expect(@nc.permitted.names[0].short_type).to eq('DNS')
|
|
67
67
|
end
|
|
68
68
|
|
|
69
69
|
it "builds yaml" do
|
|
70
|
-
YAML.load(@nc.to_yaml).
|
|
70
|
+
expect(YAML.load(@nc.to_yaml)).to eq(@args)
|
|
71
71
|
end
|
|
72
72
|
end
|
|
73
73
|
|
|
@@ -78,41 +78,41 @@ describe R509::Cert::Extensions::NameConstraints do
|
|
|
78
78
|
:permitted => [
|
|
79
79
|
{ :type => 'DNS', :value => 'domain.com' },
|
|
80
80
|
{ :type => 'IP', :value => '127.0.0.1/255.255.255.255' },
|
|
81
|
-
{ :type => 'dirName', :value => {:CN => 'myCN', :O => 'myO', :C => "US" } }
|
|
81
|
+
{ :type => 'dirName', :value => { :CN => 'myCN', :O => 'myO', :C => "US" } }
|
|
82
82
|
]
|
|
83
83
|
}
|
|
84
84
|
@nc = R509::Cert::Extensions::NameConstraints.new(@args)
|
|
85
85
|
end
|
|
86
86
|
|
|
87
87
|
it "creates extension" do
|
|
88
|
-
@nc.permitted.names.size.
|
|
89
|
-
@nc.permitted.names[0].value.
|
|
90
|
-
@nc.permitted.names[0].short_type.
|
|
91
|
-
@nc.permitted.names[1].value.
|
|
92
|
-
@nc.permitted.names[1].short_type.
|
|
93
|
-
@nc.permitted.names[2].value.to_s.
|
|
94
|
-
@nc.permitted.names[2].short_type.
|
|
88
|
+
expect(@nc.permitted.names.size).to eq(3)
|
|
89
|
+
expect(@nc.permitted.names[0].value).to eq('domain.com')
|
|
90
|
+
expect(@nc.permitted.names[0].short_type).to eq('DNS')
|
|
91
|
+
expect(@nc.permitted.names[1].value).to eq('127.0.0.1/255.255.255.255')
|
|
92
|
+
expect(@nc.permitted.names[1].short_type).to eq('IP')
|
|
93
|
+
expect(@nc.permitted.names[2].value.to_s).to eq('/CN=myCN/O=myO/C=US')
|
|
94
|
+
expect(@nc.permitted.names[2].short_type).to eq('dirName')
|
|
95
95
|
end
|
|
96
96
|
|
|
97
97
|
it "builds yaml" do
|
|
98
|
-
YAML.load(@nc.to_yaml).
|
|
98
|
+
expect(YAML.load(@nc.to_yaml)).to eq(@args)
|
|
99
99
|
end
|
|
100
100
|
end
|
|
101
101
|
|
|
102
102
|
context "creates with one excluded" do
|
|
103
103
|
before :all do
|
|
104
|
-
@args = { :excluded => [
|
|
104
|
+
@args = { :excluded => [{ :type => 'DNS', :value => 'domain.com' }], :critical => true }
|
|
105
105
|
@nc = R509::Cert::Extensions::NameConstraints.new(@args)
|
|
106
106
|
end
|
|
107
107
|
|
|
108
108
|
it "creates extension" do
|
|
109
|
-
@nc.excluded.names.size.
|
|
110
|
-
@nc.excluded.names[0].value.
|
|
111
|
-
@nc.excluded.names[0].short_type.
|
|
109
|
+
expect(@nc.excluded.names.size).to eq(1)
|
|
110
|
+
expect(@nc.excluded.names[0].value).to eq('domain.com')
|
|
111
|
+
expect(@nc.excluded.names[0].short_type).to eq('DNS')
|
|
112
112
|
end
|
|
113
113
|
|
|
114
114
|
it "builds yaml" do
|
|
115
|
-
YAML.load(@nc.to_yaml).
|
|
115
|
+
expect(YAML.load(@nc.to_yaml)).to eq(@args)
|
|
116
116
|
end
|
|
117
117
|
end
|
|
118
118
|
|
|
@@ -123,24 +123,24 @@ describe R509::Cert::Extensions::NameConstraints do
|
|
|
123
123
|
:excluded => [
|
|
124
124
|
{ :type => 'DNS', :value => 'domain.com' },
|
|
125
125
|
{ :type => 'IP', :value => '127.0.0.1/255.255.255.255' },
|
|
126
|
-
{ :type => 'dirName', :value => {:CN => 'myCN', :O => 'myO', :C => "US" } }
|
|
126
|
+
{ :type => 'dirName', :value => { :CN => 'myCN', :O => 'myO', :C => "US" } }
|
|
127
127
|
]
|
|
128
128
|
}
|
|
129
129
|
@nc = R509::Cert::Extensions::NameConstraints.new(@args)
|
|
130
130
|
end
|
|
131
131
|
|
|
132
132
|
it "creates extension" do
|
|
133
|
-
@nc.excluded.names.size.
|
|
134
|
-
@nc.excluded.names[0].value.
|
|
135
|
-
@nc.excluded.names[0].short_type.
|
|
136
|
-
@nc.excluded.names[1].value.
|
|
137
|
-
@nc.excluded.names[1].short_type.
|
|
138
|
-
@nc.excluded.names[2].value.to_s.
|
|
139
|
-
@nc.excluded.names[2].short_type.
|
|
133
|
+
expect(@nc.excluded.names.size).to eq(3)
|
|
134
|
+
expect(@nc.excluded.names[0].value).to eq('domain.com')
|
|
135
|
+
expect(@nc.excluded.names[0].short_type).to eq('DNS')
|
|
136
|
+
expect(@nc.excluded.names[1].value).to eq('127.0.0.1/255.255.255.255')
|
|
137
|
+
expect(@nc.excluded.names[1].short_type).to eq('IP')
|
|
138
|
+
expect(@nc.excluded.names[2].value.to_s).to eq('/CN=myCN/O=myO/C=US')
|
|
139
|
+
expect(@nc.excluded.names[2].short_type).to eq('dirName')
|
|
140
140
|
end
|
|
141
141
|
|
|
142
142
|
it "builds yaml" do
|
|
143
|
-
YAML.load(@nc.to_yaml).
|
|
143
|
+
expect(YAML.load(@nc.to_yaml)).to eq(@args)
|
|
144
144
|
end
|
|
145
145
|
end
|
|
146
146
|
|
|
@@ -151,66 +151,66 @@ describe R509::Cert::Extensions::NameConstraints do
|
|
|
151
151
|
:excluded => [
|
|
152
152
|
{ :type => 'DNS', :value => 'domain.com' },
|
|
153
153
|
{ :type => 'IP', :value => '127.0.0.1/255.255.255.255' },
|
|
154
|
-
{ :type => 'dirName', :value => {:CN => 'myCN', :O => 'myO', :C => "US" } }
|
|
154
|
+
{ :type => 'dirName', :value => { :CN => 'myCN', :O => 'myO', :C => "US" } }
|
|
155
155
|
],
|
|
156
156
|
:permitted => [
|
|
157
157
|
{ :type => 'DNS', :value => 'domain.com' },
|
|
158
158
|
{ :type => 'IP', :value => '127.0.0.1/255.255.255.255' },
|
|
159
|
-
{ :type => 'dirName', :value => {:CN => 'myCN', :O => 'myO', :C => "US" } }
|
|
159
|
+
{ :type => 'dirName', :value => { :CN => 'myCN', :O => 'myO', :C => "US" } }
|
|
160
160
|
]
|
|
161
161
|
}
|
|
162
162
|
@nc = R509::Cert::Extensions::NameConstraints.new(@args)
|
|
163
163
|
end
|
|
164
164
|
|
|
165
165
|
it "creates extension" do
|
|
166
|
-
@nc.permitted.names.size.
|
|
167
|
-
@nc.permitted.names[0].value.
|
|
168
|
-
@nc.permitted.names[0].short_type.
|
|
169
|
-
@nc.permitted.names[1].value.
|
|
170
|
-
@nc.permitted.names[1].short_type.
|
|
171
|
-
@nc.permitted.names[2].value.to_s.
|
|
172
|
-
@nc.permitted.names[2].short_type.
|
|
173
|
-
@nc.excluded.names.size.
|
|
174
|
-
@nc.excluded.names[0].value.
|
|
175
|
-
@nc.excluded.names[0].short_type.
|
|
176
|
-
@nc.excluded.names[1].value.
|
|
177
|
-
@nc.excluded.names[1].short_type.
|
|
178
|
-
@nc.excluded.names[2].value.to_s.
|
|
179
|
-
@nc.excluded.names[2].short_type.
|
|
166
|
+
expect(@nc.permitted.names.size).to eq(3)
|
|
167
|
+
expect(@nc.permitted.names[0].value).to eq('domain.com')
|
|
168
|
+
expect(@nc.permitted.names[0].short_type).to eq('DNS')
|
|
169
|
+
expect(@nc.permitted.names[1].value).to eq('127.0.0.1/255.255.255.255')
|
|
170
|
+
expect(@nc.permitted.names[1].short_type).to eq('IP')
|
|
171
|
+
expect(@nc.permitted.names[2].value.to_s).to eq('/CN=myCN/O=myO/C=US')
|
|
172
|
+
expect(@nc.permitted.names[2].short_type).to eq('dirName')
|
|
173
|
+
expect(@nc.excluded.names.size).to eq(3)
|
|
174
|
+
expect(@nc.excluded.names[0].value).to eq('domain.com')
|
|
175
|
+
expect(@nc.excluded.names[0].short_type).to eq('DNS')
|
|
176
|
+
expect(@nc.excluded.names[1].value).to eq('127.0.0.1/255.255.255.255')
|
|
177
|
+
expect(@nc.excluded.names[1].short_type).to eq('IP')
|
|
178
|
+
expect(@nc.excluded.names[2].value.to_s).to eq('/CN=myCN/O=myO/C=US')
|
|
179
|
+
expect(@nc.excluded.names[2].short_type).to eq('dirName')
|
|
180
180
|
end
|
|
181
181
|
|
|
182
182
|
it "builds yaml" do
|
|
183
|
-
YAML.load(@nc.to_yaml).
|
|
183
|
+
expect(YAML.load(@nc.to_yaml)).to eq(@args)
|
|
184
184
|
end
|
|
185
185
|
end
|
|
186
186
|
|
|
187
187
|
context "creates with default criticality" do
|
|
188
188
|
before :all do
|
|
189
|
-
@args = { :permitted => [
|
|
189
|
+
@args = { :permitted => [{ :type => 'DNS', :value => 'domain.com' }] }
|
|
190
190
|
@nc = R509::Cert::Extensions::NameConstraints.new(@args)
|
|
191
191
|
end
|
|
192
192
|
|
|
193
193
|
it "creates extension" do
|
|
194
|
-
@nc.critical
|
|
194
|
+
expect(@nc.critical?).to eq(true)
|
|
195
195
|
end
|
|
196
196
|
|
|
197
197
|
it "builds yaml" do
|
|
198
|
-
YAML.load(@nc.to_yaml).
|
|
198
|
+
expect(YAML.load(@nc.to_yaml)).to eq(@args.merge(:critical => true))
|
|
199
199
|
end
|
|
200
200
|
end
|
|
201
201
|
|
|
202
202
|
context "creates with non-default criticality" do
|
|
203
203
|
before :all do
|
|
204
|
-
@args = { :permitted => [
|
|
204
|
+
@args = { :permitted => [{ :type => 'DNS', :value => 'domain.com' }], :critical => false }
|
|
205
205
|
@nc = R509::Cert::Extensions::NameConstraints.new(@args)
|
|
206
206
|
end
|
|
207
207
|
|
|
208
208
|
it "creates extension" do
|
|
209
|
-
@nc.critical
|
|
209
|
+
expect(@nc.critical?).to eq(false)
|
|
210
210
|
end
|
|
211
211
|
|
|
212
212
|
it "builds yaml" do
|
|
213
|
-
YAML.load(@nc.to_yaml).
|
|
213
|
+
expect(YAML.load(@nc.to_yaml)).to eq(@args)
|
|
214
214
|
end
|
|
215
215
|
end
|
|
216
216
|
|
|
@@ -219,17 +219,17 @@ describe R509::Cert::Extensions::NameConstraints do
|
|
|
219
219
|
context "with one permitted name" do
|
|
220
220
|
before :all do
|
|
221
221
|
@excluded = []
|
|
222
|
-
@permitted = [{:tag => 2, :value => ".whatever.com"}]
|
|
222
|
+
@permitted = [{ :tag => 2, :value => ".whatever.com" }]
|
|
223
223
|
gns = R509::ASN1::GeneralNames.new
|
|
224
224
|
@permitted.each do |name|
|
|
225
225
|
gns.add_item(name)
|
|
226
226
|
end
|
|
227
227
|
@conf = []
|
|
228
|
-
permitted = gns.names.map
|
|
228
|
+
permitted = gns.names.map do |name|
|
|
229
229
|
serialized = name.serialize_name
|
|
230
230
|
@conf << serialized[:conf]
|
|
231
231
|
"permitted;" + serialized[:extension_string]
|
|
232
|
-
|
|
232
|
+
end.join(",")
|
|
233
233
|
@extension_value = permitted
|
|
234
234
|
@conf = @conf.join("\n")
|
|
235
235
|
end
|
|
@@ -240,17 +240,17 @@ describe R509::Cert::Extensions::NameConstraints do
|
|
|
240
240
|
context "with multiple permitted names" do
|
|
241
241
|
before :all do
|
|
242
242
|
@excluded = []
|
|
243
|
-
@permitted = [{:tag => 2, :value => ".whatever.com"}, {:tag => 1, :value => "user@emaildomain.com" }
|
|
243
|
+
@permitted = [{ :tag => 2, :value => ".whatever.com" }, { :tag => 1, :value => "user@emaildomain.com" }]
|
|
244
244
|
gns = R509::ASN1::GeneralNames.new
|
|
245
245
|
@permitted.each do |name|
|
|
246
246
|
gns.add_item(name)
|
|
247
247
|
end
|
|
248
248
|
@conf = []
|
|
249
|
-
permitted = gns.names.map
|
|
249
|
+
permitted = gns.names.map do |name|
|
|
250
250
|
serialized = name.serialize_name
|
|
251
251
|
@conf << serialized[:conf]
|
|
252
252
|
"permitted;" + serialized[:extension_string]
|
|
253
|
-
|
|
253
|
+
end.join(",")
|
|
254
254
|
@extension_value = permitted
|
|
255
255
|
@conf = @conf.join("\n")
|
|
256
256
|
end
|
|
@@ -261,17 +261,17 @@ describe R509::Cert::Extensions::NameConstraints do
|
|
|
261
261
|
context "with one excluded name" do
|
|
262
262
|
before :all do
|
|
263
263
|
@permitted = []
|
|
264
|
-
@excluded = [{:tag => 7, :value => "127.0.0.1/255.255.255.255"}]
|
|
264
|
+
@excluded = [{ :tag => 7, :value => "127.0.0.1/255.255.255.255" }]
|
|
265
265
|
egns = R509::ASN1::GeneralNames.new
|
|
266
266
|
@excluded.each do |name|
|
|
267
267
|
egns.add_item(name)
|
|
268
268
|
end
|
|
269
269
|
@conf = []
|
|
270
|
-
excluded = egns.names.map
|
|
270
|
+
excluded = egns.names.map do |name|
|
|
271
271
|
serialized = name.serialize_name
|
|
272
272
|
@conf << serialized[:conf]
|
|
273
273
|
"excluded;" + serialized[:extension_string]
|
|
274
|
-
|
|
274
|
+
end.join(",")
|
|
275
275
|
@extension_value = excluded
|
|
276
276
|
@conf = @conf.join("\n")
|
|
277
277
|
end
|
|
@@ -282,18 +282,18 @@ describe R509::Cert::Extensions::NameConstraints do
|
|
|
282
282
|
context "with multiple excluded names" do
|
|
283
283
|
before :all do
|
|
284
284
|
@permitted = []
|
|
285
|
-
@excluded = [{:tag => 7, :value => "127.0.0.1/255.255.255.255"}, {:tag => 1, :value => "emaildomain.com" }
|
|
285
|
+
@excluded = [{ :tag => 7, :value => "127.0.0.1/255.255.255.255" }, { :tag => 1, :value => "emaildomain.com" }]
|
|
286
286
|
@permitted = []
|
|
287
287
|
egns = R509::ASN1::GeneralNames.new
|
|
288
288
|
@excluded.each do |name|
|
|
289
289
|
egns.add_item(name)
|
|
290
290
|
end
|
|
291
291
|
@conf = []
|
|
292
|
-
excluded = egns.names.map
|
|
292
|
+
excluded = egns.names.map do |name|
|
|
293
293
|
serialized = name.serialize_name
|
|
294
294
|
@conf << serialized[:conf]
|
|
295
295
|
"excluded;" + serialized[:extension_string]
|
|
296
|
-
|
|
296
|
+
end.join(",")
|
|
297
297
|
@extension_value = excluded
|
|
298
298
|
@conf = @conf.join("\n")
|
|
299
299
|
end
|
|
@@ -303,27 +303,27 @@ describe R509::Cert::Extensions::NameConstraints do
|
|
|
303
303
|
end
|
|
304
304
|
context "with both permitted and excluded names" do
|
|
305
305
|
before :all do
|
|
306
|
-
@excluded = [{:tag => 7, :value => "127.0.0.1/255.255.255.255"}, {:tag => 1, :value => "emaildomain.com" }
|
|
307
|
-
@permitted = [{:tag => 2, :value => ".whatever.com"}, {:tag => 1, :value => "user@emaildomain.com"}
|
|
306
|
+
@excluded = [{ :tag => 7, :value => "127.0.0.1/255.255.255.255" }, { :tag => 1, :value => "emaildomain.com" }]
|
|
307
|
+
@permitted = [{ :tag => 2, :value => ".whatever.com" }, { :tag => 1, :value => "user@emaildomain.com" }]
|
|
308
308
|
gns = R509::ASN1::GeneralNames.new
|
|
309
309
|
@permitted.each do |name|
|
|
310
310
|
gns.add_item(name)
|
|
311
311
|
end
|
|
312
312
|
@conf = []
|
|
313
|
-
permitted = gns.names.map
|
|
313
|
+
permitted = gns.names.map do |name|
|
|
314
314
|
serialized = name.serialize_name
|
|
315
315
|
@conf << serialized[:conf]
|
|
316
316
|
"permitted;" + serialized[:extension_string]
|
|
317
|
-
|
|
317
|
+
end.join(",")
|
|
318
318
|
egns = R509::ASN1::GeneralNames.new
|
|
319
319
|
@excluded.each do |name|
|
|
320
320
|
egns.add_item(name)
|
|
321
321
|
end
|
|
322
|
-
excluded = egns.names.map
|
|
322
|
+
excluded = egns.names.map do |name|
|
|
323
323
|
serialized = name.serialize_name
|
|
324
324
|
@conf << serialized[:conf]
|
|
325
325
|
"excluded;" + serialized[:extension_string]
|
|
326
|
-
|
|
326
|
+
end.join(",")
|
|
327
327
|
@extension_value = permitted + "," + excluded
|
|
328
328
|
@conf = @conf.join("\n")
|
|
329
329
|
end
|
|
@@ -7,16 +7,16 @@ shared_examples_for "a correct R509 OCSPNoCheck object" do |critical|
|
|
|
7
7
|
extension_name = "noCheck"
|
|
8
8
|
klass = OCSPNoCheck
|
|
9
9
|
ef = OpenSSL::X509::ExtensionFactory.new
|
|
10
|
-
openssl_ext = ef.create_extension(
|
|
11
|
-
@r509_ext = klass.new(
|
|
10
|
+
openssl_ext = ef.create_extension(extension_name, "irrelevant", critical)
|
|
11
|
+
@r509_ext = klass.new(openssl_ext)
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
it "has the expected type" do
|
|
15
|
-
@r509_ext.oid.
|
|
15
|
+
expect(@r509_ext.oid).to eq("noCheck")
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
it "reports #critical? properly" do
|
|
19
|
-
@r509_ext.critical
|
|
19
|
+
expect(@r509_ext.critical?).to eq(critical)
|
|
20
20
|
end
|
|
21
21
|
end
|
|
22
22
|
|
|
@@ -31,11 +31,11 @@ describe R509::Cert::Extensions::OCSPNoCheck do
|
|
|
31
31
|
end
|
|
32
32
|
|
|
33
33
|
it "creates extension" do
|
|
34
|
-
@no_check.
|
|
34
|
+
expect(@no_check).not_to be_nil
|
|
35
35
|
end
|
|
36
36
|
|
|
37
37
|
it "builds yaml" do
|
|
38
|
-
YAML.load(@no_check.to_yaml).
|
|
38
|
+
expect(YAML.load(@no_check.to_yaml)).to eq(:critical => false)
|
|
39
39
|
end
|
|
40
40
|
end
|
|
41
41
|
|
|
@@ -45,11 +45,11 @@ describe R509::Cert::Extensions::OCSPNoCheck do
|
|
|
45
45
|
end
|
|
46
46
|
|
|
47
47
|
it "creates extension" do
|
|
48
|
-
@no_check.critical
|
|
48
|
+
expect(@no_check.critical?).to be false
|
|
49
49
|
end
|
|
50
50
|
|
|
51
51
|
it "builds yaml" do
|
|
52
|
-
YAML.load(@no_check.to_yaml).
|
|
52
|
+
expect(YAML.load(@no_check.to_yaml)).to eq(:critical => false)
|
|
53
53
|
end
|
|
54
54
|
end
|
|
55
55
|
|
|
@@ -59,11 +59,11 @@ describe R509::Cert::Extensions::OCSPNoCheck do
|
|
|
59
59
|
end
|
|
60
60
|
|
|
61
61
|
it "creates extension" do
|
|
62
|
-
@no_check.critical
|
|
62
|
+
expect(@no_check.critical?).to be true
|
|
63
63
|
end
|
|
64
64
|
|
|
65
65
|
it "builds yaml" do
|
|
66
|
-
YAML.load(@no_check.to_yaml).
|
|
66
|
+
expect(YAML.load(@no_check.to_yaml)).to eq(:critical => true)
|
|
67
67
|
end
|
|
68
68
|
end
|
|
69
69
|
|
|
@@ -7,15 +7,15 @@ shared_examples_for "a correct R509 PolicyConstraints object" do |critical|
|
|
|
7
7
|
extension_name = "policyConstraints"
|
|
8
8
|
klass = PolicyConstraints
|
|
9
9
|
ef = OpenSSL::X509::ExtensionFactory.new
|
|
10
|
-
openssl_ext = ef.create_extension(
|
|
11
|
-
@r509_ext = klass.new(
|
|
10
|
+
openssl_ext = ef.create_extension(extension_name, @extension_value, critical)
|
|
11
|
+
@r509_ext = klass.new(openssl_ext)
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
it "should have the expected require policy" do
|
|
15
|
-
@r509_ext.require_explicit_policy.
|
|
15
|
+
expect(@r509_ext.require_explicit_policy).to eq(@require_explicit_policy)
|
|
16
16
|
end
|
|
17
17
|
it "should have the expected inhibit mapping" do
|
|
18
|
-
@r509_ext.inhibit_policy_mapping.
|
|
18
|
+
expect(@r509_ext.inhibit_policy_mapping).to eq(@inhibit_policy_mapping)
|
|
19
19
|
end
|
|
20
20
|
end
|
|
21
21
|
|
|
@@ -24,19 +24,19 @@ describe R509::Cert::Extensions::PolicyConstraints do
|
|
|
24
24
|
|
|
25
25
|
context "validate policy constraints" do
|
|
26
26
|
it "raises an error when not a hash" do
|
|
27
|
-
expect { R509::Cert::Extensions::PolicyConstraints.new(
|
|
27
|
+
expect { R509::Cert::Extensions::PolicyConstraints.new("string") }.to raise_error(ArgumentError, 'Policy constraints must be provided as a hash with at least one of the two allowed keys: :inhibit_policy_mapping and :require_explicit_policy')
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
it "raises an error when no keys" do
|
|
31
|
-
expect { R509::Cert::Extensions::PolicyConstraints.new(
|
|
31
|
+
expect { R509::Cert::Extensions::PolicyConstraints.new({}) }.to raise_error(ArgumentError, 'Policy constraints must have at least one of two keys: :inhibit_policy_mapping and :require_explicit_policy and the value must be non-negative')
|
|
32
32
|
end
|
|
33
33
|
|
|
34
34
|
it "raises an error when inhibit_policy_mapping is not valid" do
|
|
35
|
-
expect { R509::Cert::Extensions::PolicyConstraints.new(
|
|
35
|
+
expect { R509::Cert::Extensions::PolicyConstraints.new(:inhibit_policy_mapping => -5) }.to raise_error(ArgumentError, 'inhibit_policy_mapping must be a non-negative integer')
|
|
36
36
|
end
|
|
37
37
|
|
|
38
38
|
it "raises an error when require_explicit_policy is not valid" do
|
|
39
|
-
expect { R509::Cert::Extensions::PolicyConstraints.new(
|
|
39
|
+
expect { R509::Cert::Extensions::PolicyConstraints.new(:require_explicit_policy => -1) }.to raise_error(ArgumentError, 'require_explicit_policy must be a non-negative integer')
|
|
40
40
|
end
|
|
41
41
|
end
|
|
42
42
|
|
|
@@ -49,11 +49,11 @@ describe R509::Cert::Extensions::PolicyConstraints do
|
|
|
49
49
|
end
|
|
50
50
|
|
|
51
51
|
it "creates extension" do
|
|
52
|
-
@pc.require_explicit_policy.
|
|
52
|
+
expect(@pc.require_explicit_policy).to eq(1)
|
|
53
53
|
end
|
|
54
54
|
|
|
55
55
|
it "builds yaml" do
|
|
56
|
-
YAML.load(@pc.to_yaml).
|
|
56
|
+
expect(YAML.load(@pc.to_yaml)).to eq(@args)
|
|
57
57
|
end
|
|
58
58
|
end
|
|
59
59
|
|
|
@@ -64,11 +64,11 @@ describe R509::Cert::Extensions::PolicyConstraints do
|
|
|
64
64
|
end
|
|
65
65
|
|
|
66
66
|
it "creates extension" do
|
|
67
|
-
@pc.inhibit_policy_mapping.
|
|
67
|
+
expect(@pc.inhibit_policy_mapping).to eq(1)
|
|
68
68
|
end
|
|
69
69
|
|
|
70
70
|
it "builds yaml" do
|
|
71
|
-
YAML.load(@pc.to_yaml).
|
|
71
|
+
expect(YAML.load(@pc.to_yaml)).to eq(@args)
|
|
72
72
|
end
|
|
73
73
|
end
|
|
74
74
|
|
|
@@ -83,12 +83,12 @@ describe R509::Cert::Extensions::PolicyConstraints do
|
|
|
83
83
|
end
|
|
84
84
|
|
|
85
85
|
it "creates extension" do
|
|
86
|
-
@pc.inhibit_policy_mapping.
|
|
87
|
-
@pc.require_explicit_policy.
|
|
86
|
+
expect(@pc.inhibit_policy_mapping).to eq(1)
|
|
87
|
+
expect(@pc.require_explicit_policy).to eq(3)
|
|
88
88
|
end
|
|
89
89
|
|
|
90
90
|
it "builds yaml" do
|
|
91
|
-
YAML.load(@pc.to_yaml).
|
|
91
|
+
expect(YAML.load(@pc.to_yaml)).to eq(@args)
|
|
92
92
|
end
|
|
93
93
|
end
|
|
94
94
|
|
|
@@ -99,11 +99,11 @@ describe R509::Cert::Extensions::PolicyConstraints do
|
|
|
99
99
|
end
|
|
100
100
|
|
|
101
101
|
it "creates extension" do
|
|
102
|
-
@pc.critical
|
|
102
|
+
expect(@pc.critical?).to eq(true)
|
|
103
103
|
end
|
|
104
104
|
|
|
105
105
|
it "builds yaml" do
|
|
106
|
-
YAML.load(@pc.to_yaml).
|
|
106
|
+
expect(YAML.load(@pc.to_yaml)).to eq(@args.merge(:critical => true))
|
|
107
107
|
end
|
|
108
108
|
end
|
|
109
109
|
|
|
@@ -114,11 +114,11 @@ describe R509::Cert::Extensions::PolicyConstraints do
|
|
|
114
114
|
end
|
|
115
115
|
|
|
116
116
|
it "creates extension" do
|
|
117
|
-
@pc.critical
|
|
117
|
+
expect(@pc.critical?).to eq(false)
|
|
118
118
|
end
|
|
119
119
|
|
|
120
120
|
it "builds yaml" do
|
|
121
|
-
YAML.load(@pc.to_yaml).
|
|
121
|
+
expect(YAML.load(@pc.to_yaml)).to eq(@args)
|
|
122
122
|
end
|
|
123
123
|
end
|
|
124
124
|
|