r509 0.10.0 → 1.0

data/spec/certificate_authority/options_builder_spec.rb

@@ -4,39 +4,38 @@ require 'r509/config'
 describe R509::CertificateAuthority::OptionsBuilder do
 
   it "errors when the object passed is not a CAConfig" do
-    expect { R509::CertificateAuthority::OptionsBuilder.new("string") }.to raise_error(ArgumentError,"You must supply a R509::Config::CAConfig object to this class at instantiation")
+    expect { R509::CertificateAuthority::OptionsBuilder.new("string") }.to raise_error(ArgumentError, "You must supply a R509::Config::CAConfig object to this class at instantiation")
   end
 
   context "enforces subject item policies" do
     before :all do
-      config = R509::Config::CAConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
-      subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => {:policy => "required"} , "O" => {:policy => "required"}, "OU" => {:policy => "optional"}, "L" => {:policy => "required"})
+      config = R509::Config::CAConfig.new(:ca_cert => R509::Cert.new(:cert => TestFixtures::TEST_CA_CERT))
+      subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => { :policy => "required" }, "O" => { :policy => "required" }, "OU" => { :policy => "optional" }, "L" => { :policy => "required" })
       profile = R509::Config::CertProfile.new(
         :default_md => "SHA512",
         :subject_item_policy => subject_item_policy
       )
-      config.set_profile("profile",profile)
+      config.set_profile("profile", profile)
       @builder = R509::CertificateAuthority::OptionsBuilder.new(config)
     end
     it "removes disallowed and keeps required/optional items" do
-      csr = R509::CSR.new(:subject => [['C','US'],['ST','Illinois'],['L','Chicago'],['O','Paul Kehrer'],['OU','Enginerding'],['CN','langui.sh']], :bit_strength => 1024)
+      csr = R509::CSR.new(:subject => [['C', 'US'], ['ST', 'Illinois'], ['L', 'Chicago'], ['O', 'Paul Kehrer'], ['OU', 'Enginerding'], ['CN', 'langui.sh']], :bit_strength => 1024)
       data = @builder.build_and_enforce(:csr => csr, :profile_name => 'profile')
-      data[:subject].to_s.should == '/L=Chicago/O=Paul Kehrer/OU=Enginerding/CN=langui.sh'
+      expect(data[:subject].to_s).to eq('/L=Chicago/O=Paul Kehrer/OU=Enginerding/CN=langui.sh')
     end
 
     it "raises error when required item is missing" do
-      csr = R509::CSR.new(:subject => [['ST','Illinois'],['L','Chicago'],['O','Paul Kehrer']], :bit_strength => 1024)
+      csr = R509::CSR.new(:subject => [['ST', 'Illinois'], ['L', 'Chicago'], ['O', 'Paul Kehrer']], :bit_strength => 1024)
       expect { @builder.build_and_enforce(:csr => csr, :profile_name => 'profile') }.to raise_error(R509::R509Error, /This profile requires you supply/)
     end
   end
 
-
   it "raises error on invalid signature" do
-    config = R509::Config::CAConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
+    config = R509::Config::CAConfig.new(:ca_cert => R509::Cert.new(:cert => TestFixtures::TEST_CA_CERT))
     profile = R509::Config::CertProfile.new(
       :default_md => "SHA512"
     )
-    config.set_profile("profile",profile)
+    config.set_profile("profile", profile)
     builder = R509::CertificateAuthority::OptionsBuilder.new(config)
     csr = R509::CSR.new(:csr => TestFixtures::CSR_INVALID_SIGNATURE)
     expect { builder.build_and_enforce(:csr => csr, :profile_name => 'profile') }.to raise_error(R509::R509Error, 'Request signature is invalid.')
@@ -46,81 +45,81 @@ describe R509::CertificateAuthority::OptionsBuilder do
 
   context "extension builder" do
     before :all do
-      @config = R509::Config::CAConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
+      @config = R509::Config::CAConfig.new(:ca_cert => R509::Cert.new(:cert => TestFixtures::TEST_CA_CERT))
       @csr = R509::CSR.new(:csr => TestFixtures::CSR)
     end
 
     it "adds basic constraints" do
       profile = R509::Config::CertProfile.new(
-        :basic_constraints => {:ca => false}
+        :basic_constraints => { :ca => false }
       )
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      ext = data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::BasicConstraints) }
-      ext.size.should == 1
-      ext[0].is_ca?.should be_false
+      ext = data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::BasicConstraints) }
+      expect(ext.size).to eq(1)
+      expect(ext[0].is_ca?).to be false
     end
 
     it "creates subject key identifier" do
       profile = R509::Config::CertProfile.new
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::SubjectKeyIdentifier) }.size.should == 1
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::SubjectKeyIdentifier) }.size).to eq(1)
     end
 
     it "creates authority key identifier" do
       profile = R509::Config::CertProfile.new
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::AuthorityKeyIdentifier) }.size.should == 1
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::AuthorityKeyIdentifier) }.size).to eq(1)
     end
 
     it "adds key usage" do
       profile = R509::Config::CertProfile.new(
         :key_usage => { :value => ['keyEncipherment'] }
       )
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      ext = data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::KeyUsage) }
-      ext.size.should == 1
-      ext[0].allowed_uses.should == ['keyEncipherment']
+      ext = data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::KeyUsage) }
+      expect(ext.size).to eq(1)
+      expect(ext[0].allowed_uses).to eq(['keyEncipherment'])
     end
 
     it "adds extended key usage" do
       profile = R509::Config::CertProfile.new(
-        :extended_key_usage => {:value => ['serverAuth'] }
+        :extended_key_usage => { :value => ['serverAuth'] }
       )
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      ext = data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::ExtendedKeyUsage) }
-      ext.size.should == 1
-      ext[0].allowed_uses.should == ['serverAuth']
+      ext = data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::ExtendedKeyUsage) }
+      expect(ext.size).to eq(1)
+      expect(ext[0].allowed_uses).to eq(['serverAuth'])
     end
 
     it "adds certificate policies" do
       profile = R509::Config::CertProfile.new(
-        :certificate_policies => {:value => [{:policy_identifier => "2.16.840.1.99999.21.234"}] }
+        :certificate_policies => { :value => [{ :policy_identifier => "2.16.840.1.99999.21.234" }] }
       )
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::CertificatePolicies) }.size.should == 1
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::CertificatePolicies) }.size).to eq(1)
     end
 
     it "adds CRL distribution points" do
-      cdp = R509::Cert::Extensions::CRLDistributionPoints.new(:value => [{ :type => 'URI', :value => 'http://crl.domain.com/crl.crl'}])
+      cdp = R509::Cert::Extensions::CRLDistributionPoints.new(:value => [{ :type => 'URI', :value => 'http://crl.domain.com/crl.crl' }])
       profile = R509::Config::CertProfile.new(
         :crl_distribution_points => cdp
       )
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::CRLDistributionPoints) }.size.should == 1
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::CRLDistributionPoints) }.size).to eq(1)
     end
 
     it "adds authority info access" do
@@ -129,91 +128,91 @@ describe R509::CertificateAuthority::OptionsBuilder do
       profile = R509::Config::CertProfile.new(
         :authority_info_access => aia
       )
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::AuthorityInfoAccess) }.size.should == 1
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::AuthorityInfoAccess) }.size).to eq(1)
     end
 
     it "adds inhibit any policy" do
       profile = R509::Config::CertProfile.new(
         :inhibit_any_policy => { :value => 1 }
       )
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::InhibitAnyPolicy) }.size.should == 1
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::InhibitAnyPolicy) }.size).to eq(1)
     end
 
     it "adds policy constraints" do
       profile = R509::Config::CertProfile.new(
-        :policy_constraints => {:inhibit_policy_mapping => 1}
+        :policy_constraints => { :inhibit_policy_mapping => 1 }
       )
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::PolicyConstraints) }.size.should == 1
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::PolicyConstraints) }.size).to eq(1)
     end
 
     it "adds name constraints" do
       profile = R509::Config::CertProfile.new(
-        :name_constraints => { :permitted => [{:type => "URI", :value => "domain.com"}] }
+        :name_constraints => { :permitted => [{ :type => "URI", :value => "domain.com" }] }
       )
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::NameConstraints) }.size.should == 1
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::NameConstraints) }.size).to eq(1)
     end
 
     it "adds OCSP no check" do
       profile = R509::Config::CertProfile.new(
-        :ocsp_no_check => {:value => true }
+        :ocsp_no_check => { :value => true }
       )
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
       data = builder.build_and_enforce(:csr => @csr, :profile_name => 'profile')
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::OCSPNoCheck) }.size.should == 1
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::OCSPNoCheck) }.size).to eq(1)
     end
 
   end
   context "extension merging" do
     before :all do
-      @config = R509::Config::CAConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
+      @config = R509::Config::CAConfig.new(:ca_cert => R509::Cert.new(:cert => TestFixtures::TEST_CA_CERT))
       @csr = R509::CSR.new(:csr => TestFixtures::CSR)
       profile = R509::Config::CertProfile.new(
-        :ocsp_no_check => {:value => true },
+        :ocsp_no_check => { :value => true },
         :key_usage => { :value => ['digitalSignature'] }
       )
-      @config.set_profile("profile",profile)
+      @config.set_profile("profile", profile)
       @builder = R509::CertificateAuthority::OptionsBuilder.new(@config)
     end
 
     it "adds extensions that don't exist in the profile" do
       exts = [R509::Cert::Extensions::ExtendedKeyUsage.new(:value => ['timeStamping']), R509::Cert::Extensions::InhibitAnyPolicy.new(:value => 1)]
       data = @builder.build_and_enforce(:csr => @csr, :extensions => exts, :profile_name => 'profile')
-      data[:extensions].size.should == 6
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::InhibitAnyPolicy) }.size.should == 1
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::ExtendedKeyUsage) }.size.should == 1
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::KeyUsage) }.size.should == 1
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::OCSPNoCheck) }.size.should == 1
+      expect(data[:extensions].size).to eq(6)
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::InhibitAnyPolicy) }.size).to eq(1)
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::ExtendedKeyUsage) }.size).to eq(1)
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::KeyUsage) }.size).to eq(1)
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::OCSPNoCheck) }.size).to eq(1)
     end
     it "replaces extensions that already exist in the profile" do
       exts = [R509::Cert::Extensions::KeyUsage.new(:value => ['digitalSignature'])]
       data = @builder.build_and_enforce(:csr => @csr, :extensions => exts, :profile_name => 'profile')
-      data[:extensions].size.should == 4
-      data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::OCSPNoCheck) }.size.should == 1
-      ku = data[:extensions].select{ |el| el.kind_of?(R509::Cert::Extensions::KeyUsage) }
-      ku[0].allowed_uses.should == ['digitalSignature']
+      expect(data[:extensions].size).to eq(4)
+      expect(data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::OCSPNoCheck) }.size).to eq(1)
+      ku = data[:extensions].select { |el| el.is_a?(R509::Cert::Extensions::KeyUsage) }
+      expect(ku[0].allowed_uses).to eq(['digitalSignature'])
     end
   end
 
   context "enforces message_digest without an allowed_message_digests array in the profile" do
     before :all do
-      config = R509::Config::CAConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
+      config = R509::Config::CAConfig.new(:ca_cert => R509::Cert.new(:cert => TestFixtures::TEST_CA_CERT))
       profile = R509::Config::CertProfile.new(
         :default_md => "SHA512"
       )
-      config.set_profile("profile",profile)
+      config.set_profile("profile", profile)
       @builder = R509::CertificateAuthority::OptionsBuilder.new(config)
       @csr = R509::CSR.new(:csr => TestFixtures::CSR)
     end
@@ -225,46 +224,46 @@ describe R509::CertificateAuthority::OptionsBuilder do
           :profile_name => 'profile'
         }
         enforced = @builder.build_and_enforce(options)
-        enforced[:message_digest].upcase.should == md
+        expect(enforced[:message_digest].upcase).to eq(md)
       end
     end
   end
   context "enforces message_digest with an allowed_message_digests array in the profile" do
     before :all do
-      config = R509::Config::CAConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
+      config = R509::Config::CAConfig.new(:ca_cert => R509::Cert.new(:cert => TestFixtures::TEST_CA_CERT))
       profile = R509::Config::CertProfile.new(
-        :basic_constraints => {:ca => false},
-        :key_usage => {:value => ["digitalSignature"] },
-        :allowed_mds => ['sha256','sha1','sha384'],
-        :default_md => 'sha1'
+        :basic_constraints => { :ca => false },
+        :key_usage => { :value => ["digitalSignature"] },
+        :allowed_mds => ['sha256', 'sha1', 'sha384'],
+        :default_md => 'sha256'
       )
-      config.set_profile("profile",profile)
+      config.set_profile("profile", profile)
       @builder = R509::CertificateAuthority::OptionsBuilder.new(config)
       @csr = R509::CSR.new(:csr => TestFixtures::CSR)
     end
     it "passes a disallowed hash" do
-      expect { @builder.build_and_enforce( :csr => @csr, :message_digest => 'md5', :profile_name => "profile") }.to raise_error(R509::R509Error,'The message digest passed is not allowed by this configuration. Allowed digests: SHA256, SHA1, SHA384')
+      expect { @builder.build_and_enforce(:csr => @csr, :message_digest => 'md5', :profile_name => "profile") }.to raise_error(R509::R509Error, 'The message digest passed is not allowed by this configuration. Allowed digests: SHA256, SHA1, SHA384')
     end
     it "permits an allowed hash (not default)" do
-      data = @builder.build_and_enforce(:csr => @csr, :message_digest => "sha384" , :profile_name => "profile")
-      data[:message_digest].should == 'sha384'
+      data = @builder.build_and_enforce(:csr => @csr, :message_digest => "sha384", :profile_name => "profile")
+      expect(data[:message_digest]).to eq('sha384')
     end
     it "returns the default hash if no hash is passed" do
       data = @builder.build_and_enforce(:csr => @csr, :profile_name => "profile")
-      data[:message_digest].should == 'sha1'
+      expect(data[:message_digest]).to eq('sha256')
     end
   end
 
   context "enforces not_after" do
     before :all do
-      config = R509::Config::CAConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
+      config = R509::Config::CAConfig.new(:ca_cert => R509::Cert.new(:cert => TestFixtures::TEST_CA_CERT))
       profile = R509::Config::CertProfile.new(
-        :basic_constraints => {:ca => false},
-        :key_usage => {:value => ["digitalSignature"] },
-        :allowed_mds => ['sha256','sha1','sha384'],
-        :default_md => 'sha1'
+        :basic_constraints => { :ca => false },
+        :key_usage => { :value => ["digitalSignature"] },
+        :allowed_mds => ['sha256', 'sha1', 'sha384'],
+        :default_md => 'sha256'
       )
-      config.set_profile("profile",profile)
+      config.set_profile("profile", profile)
       @builder = R509::CertificateAuthority::OptionsBuilder.new(config)
       @csr = R509::CSR.new(:csr => TestFixtures::CSR)
     end
@@ -279,8 +278,8 @@ describe R509::CertificateAuthority::OptionsBuilder do
         :not_before => not_before,
         :not_after => not_after
       )
-      hash[:not_before].should == not_before
-      hash[:not_after].should == not_after
+      expect(hash[:not_before]).to eq(not_before)
+      expect(hash[:not_after]).to eq(not_after)
     end
 
     it "does not add a not_before or not_after key if not passed" do
@@ -289,19 +288,20 @@ describe R509::CertificateAuthority::OptionsBuilder do
         :message_digest => 'sha256',
         :profile_name => 'profile'
       )
-      hash.has_key?(:not_before).should be_false
-      hash.has_key?(:not_after).should be_false
+      expect(hash.key?(:not_before)).to be false
+      expect(hash.key?(:not_after)).to be false
     end
 
     it "raises error when not_after is after the issuing CA's expiry" do
-      expect { @builder.build_and_enforce(
-        :csr => @csr,
-        :message_digest => 'sha256',
-        :profile_name => 'profile',
-        :not_after => Time.now + 86400*7300*25
-      ) }.to raise_error(R509::R509Error,'The requested certificate lifetime would exceed the issuing CA.')
+      expect do
+        @builder.build_and_enforce(
+          :csr => @csr,
+          :message_digest => 'sha256',
+          :profile_name => 'profile',
+          :not_after => Time.now + 86400 * 7300 * 25
+        )
+      end.to raise_error(R509::R509Error, 'The requested certificate lifetime would exceed the issuing CA.')
     end
   end
 
-
 end

data/spec/certificate_authority/signer_spec.rb

@@ -5,8 +5,8 @@ shared_examples_for "signing" do |selfsign|
     @options = {}
     @options[:csr] = @csr unless @csr.nil?
     @options[:spki] = @spki unless @spki.nil?
-    if @options.has_key?(:spki)
-      @options[:subject] = R509::Subject.new([['CN','test']])
+    if @options.key?(:spki)
+      @options[:subject] = R509::Subject.new([['CN', 'test']])
     end
   end
 
@@ -16,8 +16,8 @@ shared_examples_for "signing" do |selfsign|
     else
       cert = @ca.sign(@options)
     end
-    subject = (@options[:csr].nil?)?@options[:subject]:@options[:csr].subject
-    cert.subject.to_s.should == subject.to_s
+    subject = (@options[:csr].nil?) ? @options[:subject] : @options[:csr].subject
+    expect(cert.subject.to_s).to eq(subject.to_s)
   end
 
   it "with specified subject (selfsign:#{selfsign})" do
@@ -30,13 +30,13 @@ shared_examples_for "signing" do |selfsign|
     else
       cert = @ca.sign(@options)
     end
-    cert.subject.to_s.should == '/CN=myCN/O=Org'
+    expect(cert.subject.to_s).to eq('/CN=myCN/O=Org')
   end
 
   it "with default md (selfsign:#{selfsign})" do
     cert = @ca.sign(@options)
-    regex = Regexp.new(R509::MessageDigest::DEFAULT_MD,Regexp::IGNORECASE)
-    cert.signature_algorithm.should match(regex)
+    regex = Regexp.new(R509::MessageDigest::DEFAULT_MD, Regexp::IGNORECASE)
+    expect(cert.signature_algorithm).to match(regex)
   end
 
   it "with specified md (selfsign:#{selfsign})" do
@@ -46,7 +46,7 @@ shared_examples_for "signing" do |selfsign|
     else
       cert = @ca.sign(@options)
     end
-    cert.signature_algorithm.should match(/sha256/i)
+    expect(cert.signature_algorithm).to match(/sha256/i)
   end
 
   it "with no :extensions in options hash (selfsign:#{selfsign})" do
@@ -57,7 +57,7 @@ shared_examples_for "signing" do |selfsign|
       cert = @ca.sign(@options)
       size = 2
     end
-    cert.extensions.size.should == size
+    expect(cert.extensions.size).to eq(size)
   end
 
   it "with empty extensions array (selfsign:#{selfsign})" do
@@ -67,7 +67,7 @@ shared_examples_for "signing" do |selfsign|
     else
       cert = @ca.sign(@options)
     end
-    cert.extensions.size.should == 0
+    expect(cert.extensions.size).to eq(0)
   end
 
   it "with multiple extensions (selfsign:#{selfsign})" do
@@ -80,22 +80,22 @@ shared_examples_for "signing" do |selfsign|
     else
       cert = @ca.sign(@options)
     end
-    cert.extensions.size.should == 2
-    cert.basic_constraints.is_ca?.should == false
-    cert.inhibit_any_policy.value.should == 4
+    expect(cert.extensions.size).to eq(2)
+    expect(cert.basic_constraints.is_ca?).to eq(false)
+    expect(cert.inhibit_any_policy.value).to eq(4)
   end
 
   it "with random serial when serial is not specified and uses microtime as part of the serial to prevent collision (selfsign:#{selfsign})" do
     now = Time.now
-    Time.stub(:now).and_return(now)
+    allow(Time).to receive(:now).and_return(now)
     time = now.to_i.to_s
     if selfsign
       cert = R509::CertificateAuthority::Signer.selfsign(@options)
     else
       cert = @ca.sign(@options)
     end
-    cert.serial.to_s.size.should be >= 45
-    cert.serial.to_s.index(time).should_not be_nil
+    expect(cert.serial.to_s.size).to be >= 45
+    expect(cert.serial.to_s.index(time)).not_to be_nil
   end
 
   it "with specified serial number (selfsign:#{selfsign})" do
@@ -105,7 +105,7 @@ shared_examples_for "signing" do |selfsign|
     else
       cert = @ca.sign(@options)
     end
-    cert.serial.should == 11223344
+    expect(cert.serial).to eq(11223344)
   end
 
   it "with default notBefore/notAfter dates (selfsign:#{selfsign})" do
@@ -116,8 +116,8 @@ shared_examples_for "signing" do |selfsign|
     else
       cert = @ca.sign(@options)
     end
-    cert.not_before.ctime.should == @options[:not_before].utc.ctime
-    cert.not_after.ctime.should == @options[:not_after].utc.ctime
+    expect(cert.not_before.ctime).to eq(@options[:not_before].utc.ctime)
+    expect(cert.not_after.ctime).to eq(@options[:not_after].utc.ctime)
   end
 
   it "with specified notBefore/notAfter dates (selfsign:#{selfsign})" do
@@ -128,8 +128,8 @@ shared_examples_for "signing" do |selfsign|
     else
       cert = @ca.sign(@options)
     end
-    cert.not_before.ctime.should == @options[:not_before].utc.ctime
-    cert.not_after.ctime.should == @options[:not_after].utc.ctime
+    expect(cert.not_before.ctime).to eq(@options[:not_before].utc.ctime)
+    expect(cert.not_after.ctime).to eq(@options[:not_after].utc.ctime)
   end
 
 end
@@ -150,34 +150,34 @@ describe R509::CertificateAuthority::Signer do
     end
 
     it "raises an error if you pass a config that has no private key for ca_cert" do
-      config = R509::Config::CAConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
+      config = R509::Config::CAConfig.new(:ca_cert => R509::Cert.new(:cert => TestFixtures::TEST_CA_CERT))
       expect { R509::CertificateAuthority::Signer.new(config) }.to raise_error(R509::R509Error, "You must have a private key associated with your CA certificate to issue")
     end
 
     it "raises an error if you pass both csr and spki" do
       csr = R509::CSR.new(:csr => TestFixtures::CSR)
-      spki = R509::SPKI.new(:spki => TestFixtures::SPKI, :subject=>[['CN','test']])
-      expect { @ca.sign({ :spki => spki, :csr => csr }) }.to raise_error(ArgumentError, "You can't pass both :csr and :spki")
+      spki = R509::SPKI.new(:spki => TestFixtures::SPKI, :subject => [['CN', 'test']])
+      expect { @ca.sign(:spki => spki, :csr => csr) }.to raise_error(ArgumentError, "You can't pass both :csr and :spki")
     end
 
     it "raise an error if you don't pass an R509::SPKI in :spki" do
       spki = OpenSSL::Netscape::SPKI.new(TestFixtures::SPKI)
-      expect { @ca.sign({ :spki => spki }) }.to raise_error(ArgumentError, 'You must pass an R509::SPKI object for :spki')
+      expect { @ca.sign(:spki => spki) }.to raise_error(ArgumentError, 'You must pass an R509::SPKI object for :spki')
     end
 
     it "raise an error if you pass :spki without :subject" do
       spki = R509::SPKI.new(:spki => TestFixtures::SPKI)
-      expect { @ca.sign({ :spki => spki }) }.to raise_error(ArgumentError, 'You must supply :subject when passing :spki')
+      expect { @ca.sign(:spki => spki) }.to raise_error(ArgumentError, 'You must supply :subject when passing :spki')
     end
 
     it "raise an error if you don't pass an R509::CSR in :csr" do
       csr = OpenSSL::X509::Request.new(TestFixtures::CSR)
-      expect { @ca.sign({ :csr => csr }) }.to raise_error(ArgumentError, 'You must pass an R509::CSR object for :csr')
+      expect { @ca.sign(:csr => csr) }.to raise_error(ArgumentError, 'You must pass an R509::CSR object for :csr')
     end
 
     it "raises an error if attempting to self-sign without a key" do
       csr = R509::CSR.new(:csr => TestFixtures::CSR)
-      expect { R509::CertificateAuthority::Signer.selfsign( :csr => csr ) }.to raise_error(ArgumentError, "CSR must also have a private key to self sign")
+      expect { R509::CertificateAuthority::Signer.selfsign(:csr => csr) }.to raise_error(ArgumentError, "CSR must also have a private key to self sign")
     end
 
     it "raises error when passing non-hash to selfsign method" do
@@ -190,7 +190,7 @@ describe R509::CertificateAuthority::Signer do
     before :all do
       test_ca_config = TestFixtures.test_ca_config
       @ca = R509::CertificateAuthority::Signer.new(test_ca_config)
-      @csr = R509::CSR.new(:subject => [['C','US'],['ST','Illinois'],['L','Chicago'],['O','Paul Kehrer'],['CN','langui.sh']], :bit_strength => 1024)
+      @csr = R509::CSR.new(:subject => [['C', 'US'], ['ST', 'Illinois'], ['L', 'Chicago'], ['O', 'Paul Kehrer'], ['CN', 'langui.sh']], :bit_strength => 1024)
     end
 
     it_validates "signing", false
@@ -199,16 +199,16 @@ describe R509::CertificateAuthority::Signer do
     context "key in signed cert" do
       it "returns key when CSR contains key" do
         cert = R509::CertificateAuthority::Signer.selfsign(:csr => @csr)
-        cert.key.should_not be_nil
-        cert.key.should == @csr.key
+        expect(cert.key).not_to be_nil
+        expect(cert.key).to eq(@csr.key)
         cert = @ca.sign(:csr => @csr)
-        cert.key.should_not be_nil
-        cert.key.should == @csr.key
+        expect(cert.key).not_to be_nil
+        expect(cert.key).to eq(@csr.key)
       end
       it "does not return key when CSR has no key" do
         csr = R509::CSR.new(:csr => TestFixtures::CSR)
         cert = @ca.sign(:csr => csr)
-        cert.key.should be_nil
+        expect(cert.key).to be_nil
       end
     end
   end
@@ -226,16 +226,16 @@ describe R509::CertificateAuthority::Signer do
     context "key in signed cert" do
       it "does not return key with SPKI" do
         cert = @ca.sign(:spki => @spki, :subject => R509::Subject.new(:CN => 'test'))
-        cert.key.should be_nil
+        expect(cert.key).to be_nil
       end
     end
   end
 
   context "Elliptic Curve CSR + CA", :ec => true do
     before :all do
-      test_ca_ec = R509::Config::CAConfig.from_yaml("test_ca_ec", File.read("#{File.dirname(__FILE__)}/../fixtures/config_test_ec.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/../fixtures"})
+      test_ca_ec = R509::Config::CAConfig.from_yaml("test_ca_ec", File.read("#{File.dirname(__FILE__)}/../fixtures/config_test_ec.yaml"), :ca_root_path => "#{File.dirname(__FILE__)}/../fixtures")
       @ca = R509::CertificateAuthority::Signer.new(test_ca_ec)
-      @csr = R509::CSR.new(:subject => [['CN','elliptic curves']], :type => "ec")
+      @csr = R509::CSR.new(:subject => [['CN', 'elliptic curves']], :type => "ec")
     end
 
     it_validates "signing", false
@@ -244,7 +244,7 @@ describe R509::CertificateAuthority::Signer do
 
   context "Elliptic Curve SPKI + CA", :ec => true do
     before :all do
-      test_ca_ec = R509::Config::CAConfig.from_yaml("test_ca_ec", File.read("#{File.dirname(__FILE__)}/../fixtures/config_test_ec.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/../fixtures"})
+      test_ca_ec = R509::Config::CAConfig.from_yaml("test_ca_ec", File.read("#{File.dirname(__FILE__)}/../fixtures/config_test_ec.yaml"), :ca_root_path => "#{File.dirname(__FILE__)}/../fixtures")
       @ca = R509::CertificateAuthority::Signer.new(test_ca_ec)
       private_key = R509::PrivateKey.new(:type => "ec")
       @spki = R509::SPKI.new(:key => private_key)
@@ -255,10 +255,10 @@ describe R509::CertificateAuthority::Signer do
 
   context "DSA CSR + CA", :ec => true do
     before :all do
-      test_ca_dsa = R509::Config::CAConfig.from_yaml("test_ca_dsa", File.read("#{File.dirname(__FILE__)}/../fixtures/config_test_dsa.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/../fixtures"})
+      test_ca_dsa = R509::Config::CAConfig.from_yaml("test_ca_dsa", File.read("#{File.dirname(__FILE__)}/../fixtures/config_test_dsa.yaml"), :ca_root_path => "#{File.dirname(__FILE__)}/../fixtures")
 
       @ca = R509::CertificateAuthority::Signer.new(test_ca_dsa)
-      @csr = R509::CSR.new(:subject => [['CN','elliptic curves']], :type => "dsa", :bit_strength => 512)
+      @csr = R509::CSR.new(:subject => [['CN', 'elliptic curves']], :type => "dsa", :bit_strength => 512)
     end
 
     it_validates "signing", false
@@ -267,7 +267,7 @@ describe R509::CertificateAuthority::Signer do
 
   context "DSA SPKI + CA", :ec => true do
     before :all do
-      test_ca_dsa = R509::Config::CAConfig.from_yaml("test_ca_dsa", File.read("#{File.dirname(__FILE__)}/../fixtures/config_test_dsa.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/../fixtures"})
+      test_ca_dsa = R509::Config::CAConfig.from_yaml("test_ca_dsa", File.read("#{File.dirname(__FILE__)}/../fixtures/config_test_dsa.yaml"), :ca_root_path => "#{File.dirname(__FILE__)}/../fixtures")
       @ca = R509::CertificateAuthority::Signer.new(test_ca_dsa)
       private_key = R509::PrivateKey.new(:type => "dsa", :bit_strength => 512)
       @spki = R509::SPKI.new(:key => private_key)