r509 0.10.0 → 1.0

data/spec/crl/reader_writer_spec.rb

@@ -34,50 +34,51 @@ describe R509::CRL::FileReaderWriter do
 
   it "handles nil crl_list_file in read_list" do
     @rw.crl_list_file = nil
-    @rw.read_list(nil).should == nil
+    expect(@rw.read_list).to be_nil
   end
 
   it "handles nil crl_list_file in write_list_entry" do
     @rw.crl_list_file = nil
-    @rw.write_list_entry(1,1,nil).should == nil
+    expect(@rw.write_list_entry(1, 1, nil)).to be_nil
   end
 
   it "handles nil crl_number_file in read_number" do
     @rw.crl_number_file = nil
-    @rw.read_number.should == 0
+    expect(@rw.read_number).to eq(0)
   end
 
   it "handles nil crl_number_file in write_number" do
     @rw.crl_number_file = nil
-    @rw.write_number(0).should == nil
+    expect(@rw.write_number(0)).to be_nil
   end
 
   it "reads a crl list" do
     @rw.crl_list_file = TestFixtures::CRL_LIST_FILE
-    admin = double("admin")
-    admin.should_receive(:revoke_cert).with(12345, 0, 1323983885, false)
-    admin.should_receive(:revoke_cert).with(12346, nil, 1323983885, false)
-    @rw.read_list(admin)
+    expect { |b| @rw.read_list(&b) }.to yield_successive_args(
+        [12345, 0, 1323983885],
+        [12346, nil, 1323983885]
+    )
+
   end
 
   it "writes a crl list entry" do
     sio = StringIO.new
     @rw.crl_list_file = sio
-    @rw.write_list_entry(1,1,nil)
-    sio.string.should == "1,1,\n"
-    @rw.write_list_entry(2,2,1)
-    sio.string.should == "1,1,\n2,2,1\n"
+    @rw.write_list_entry(1, 1, nil)
+    expect(sio.string).to eq("1,1,\n")
+    @rw.write_list_entry(2, 2, 1)
+    expect(sio.string).to eq("1,1,\n2,2,1\n")
   end
 
   it "removes a crl list entry" do
     sio = StringIO.new
     @rw.crl_list_file = sio
-    @rw.write_list_entry(1,1,nil)
-    sio.string.should == "1,1,\n"
-    @rw.write_list_entry(2,2,1)
-    sio.string.should == "1,1,\n2,2,1\n"
+    @rw.write_list_entry(1, 1, nil)
+    expect(sio.string).to eq("1,1,\n")
+    @rw.write_list_entry(2, 2, 1)
+    expect(sio.string).to eq("1,1,\n2,2,1\n")
     @rw.remove_list_entry(2)
-    sio.string.should == "1,1,\n"
+    expect(sio.string).to eq("1,1,\n")
   end
 
   it "reads a number" do
@@ -85,13 +86,13 @@ describe R509::CRL::FileReaderWriter do
     sio.write("500")
     sio.rewind # rewind the pointer to the beginning so the next read catche the 500
     @rw.crl_number_file = sio
-    @rw.read_number.should == 500
+    expect(@rw.read_number).to eq(500)
   end
 
   it "writes a crl number" do
     sio = StringIO.new
     @rw.crl_number_file = sio
     @rw.write_number(30)
-    @rw.crl_number_file.string.should == "30"
+    expect(@rw.crl_number_file.string).to eq("30")
   end
 end

data/spec/crl/signed_list_spec.rb

@@ -11,74 +11,74 @@ describe R509::CRL::SignedList do
   it "loads a crl with load_from_file" do
     path = File.dirname(__FILE__) + '/../fixtures/crl_with_reason.pem'
     crl = R509::CRL::SignedList.load_from_file path
-    crl.revoked[12345].should_not be_nil
+    expect(crl.revoked[12345]).not_to be_nil
   end
 
   it "returns issuer" do
-    @crl.issuer.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA"
+    expect(@crl.issuer.to_s).to eq("/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA")
   end
 
   it "returns last_update" do
-    @crl.last_update.should == Time.at(1327446093)
+    expect(@crl.last_update).to eq(Time.at(1327446093))
   end
 
   it "returns next_update" do
-    @crl.next_update.should == Time.at(1328054493)
+    expect(@crl.next_update).to eq(Time.at(1328054493))
   end
 
   it "returns signature_algorithm" do
-    @crl.signature_algorithm.should == "sha1WithRSAEncryption"
+    expect(@crl.signature_algorithm).to eq("sha1WithRSAEncryption")
   end
 
   it "verifies the CRL signature" do
     cert = R509::Cert.new(:cert => @test_ca_cert)
-    @crl.verify(cert.public_key).should == true
+    expect(@crl.verify(cert.public_key)).to eq(true)
   end
 
   it "checks if a serial is revoked?" do
-    @crl.revoked?(111111).should == false
-    @crl.revoked?('111111').should == false
-    @crl.revoked?(12345).should == true
-    @crl.revoked?('12345').should == true
+    expect(@crl.revoked?(111111)).to eq(false)
+    expect(@crl.revoked?('111111')).to eq(false)
+    expect(@crl.revoked?(12345)).to eq(true)
+    expect(@crl.revoked?('12345')).to eq(true)
   end
 
   it "returns a hash of all revoked certs" do
-    @crl.revoked[12345][:time].should == Time.at(1327449693)
-    @crl.revoked[12345][:reason].should == "Key Compromise"
-    @crl.revoked[123456][:time].should == Time.at(1327449693)
-    @crl.revoked[123456][:reason].should == "Unspecified"
-    @crl.revoked[1234567][:time].should == Time.at(1327449693)
-    @crl.revoked[1234567][:reason].should == "Unspecified"
-    @crl.revoked[12345678].should == nil
+    expect(@crl.revoked[12345][:time]).to eq(Time.at(1327449693))
+    expect(@crl.revoked[12345][:reason]).to eq("Key Compromise")
+    expect(@crl.revoked[123456][:time]).to eq(Time.at(1327449693))
+    expect(@crl.revoked[123456][:reason]).to eq("Unspecified")
+    expect(@crl.revoked[1234567][:time]).to eq(Time.at(1327449693))
+    expect(@crl.revoked[1234567][:reason]).to eq("Unspecified")
+    expect(@crl.revoked[12345678]).to be_nil
   end
 
   it "returns revocation information for a serial" do
-    @crl.revoked_cert(11111).should == nil
+    expect(@crl.revoked_cert(11111)).to be_nil
     revoked_info = @crl.revoked_cert(12345)
-    revoked_info[:time].should == Time.at(1327449693)
-    revoked_info[:reason].should == "Key Compromise"
+    expect(revoked_info[:time]).to eq(Time.at(1327449693))
+    expect(revoked_info[:reason]).to eq("Key Compromise")
   end
 
   it "returns der" do
-    @crl.to_der.should_not be_nil
+    expect(@crl.to_der).not_to be_nil
   end
   it "returns pem" do
-    @crl.to_pem.should_not be_nil
+    expect(@crl.to_pem).not_to be_nil
   end
   it "writes to pem" do
     sio = StringIO.new
     sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
     @crl.write_pem(sio)
     parsed_crl = R509::CRL::SignedList.new(sio.string)
-    parsed_crl.issuer.to_s.should == '/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA'
-    parsed_crl.issuer.CN.should == 'Test CA'
+    expect(parsed_crl.issuer.to_s).to eq('/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA')
+    expect(parsed_crl.issuer.CN).to eq('Test CA')
   end
   it "writes to der" do
     sio = StringIO.new
     sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
     @crl.write_der(sio)
     parsed_crl = R509::CRL::SignedList.new(sio.string)
-    parsed_crl.issuer.to_s.should == '/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA'
-    parsed_crl.issuer.CN.should == 'Test CA'
+    expect(parsed_crl.issuer.to_s).to eq('/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA')
+    expect(parsed_crl.issuer.CN).to eq('Test CA')
   end
 end

data/spec/crl/sqlite_reader_writer_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+require 'r509/crl/sqlite_reader_writer'
+
+describe R509::CRL::SQLiteReaderWriter do
+
+  let(:empty_db) { SQLite3::Database.new ':memory:' }
+  let(:db) do
+    db = SQLite3::Database.new ':memory:'
+    db.execute_batch TestFixtures::CRL_LIST_SQLITE
+    db
+  end
+  let(:rw) { R509::CRL::SQLiteReaderWriter.new db }
+
+  it 'creates the schema automatically if its missing' do
+    R509::CRL::SQLiteReaderWriter.new empty_db
+    expect(db.execute('SELECT * FROM sqlite_master')).not_to be_empty
+  end
+
+  it 'reads a crl list' do
+    expect { |b| rw.read_list(&b) }.to yield_successive_args([12345, 0, 1323983885], [12346, nil, 1323983885])
+  end
+
+  it 'writes a crl list entry' do
+    rw.write_list_entry(1, 1, nil)
+    expect(db.execute("SELECT * FROM revoked_serials WHERE serial='1' AND revoked_at=1 AND reason is null")).not_to be_empty
+  end
+
+  it 'removes a crl list entry' do
+    rw.remove_list_entry(12345)
+    expect(db.execute("SELECT * FROM revoked_serials WHERE serial='12345'")).to be_empty
+  end
+
+  it 'reads a number' do
+    db.execute("UPDATE crl_number set number=5")
+    expect(rw.read_number).to eq(5)
+  end
+
+  it 'writes a crl number' do
+    rw.write_number 6
+    expect(db.get_first_value("SELECT number from crl_number")).to eq(6)
+  end
+end

data/spec/csr_spec.rb

@@ -2,7 +2,6 @@ require 'spec_helper'
 require 'stringio'
 require 'r509/csr'
 
-
 describe R509::CSR do
   before :all do
     @csr = TestFixtures::CSR
@@ -28,326 +27,331 @@ describe R509::CSR do
     expect { R509::CSR.new('invalid') }.to raise_error(ArgumentError, 'Must provide a hash of options')
   end
   it "key creation defaults to RSA when no type or key is passed" do
-    csr = R509::CSR.new(:subject => [['CN','testing.rsa']], :bit_length => 1024)
-    csr.rsa?.should == true
-    csr.dsa?.should == false
-    csr.ec?.should == false
+    csr = R509::CSR.new(:subject => [['CN', 'testing.rsa']], :bit_length => 1024)
+    expect(csr.rsa?).to eq(true)
+    expect(csr.dsa?).to eq(false)
+    expect(csr.ec?).to eq(false)
   end
   it "returns expected value for to_der" do
     csr = R509::CSR.new(:csr => @csr)
-    csr.to_der.should == @csr_der
+    expect(csr.to_der).to eq(@csr_der)
   end
   it "loads a csr with extraneous newlines" do
     csr = R509::CSR.new(:csr => @csr_newlines)
-    csr.to_pem.should match(/-----BEGIN CERTIFICATE REQUEST-----/)
+    expect(csr.to_pem).to match(/-----BEGIN CERTIFICATE REQUEST-----/)
   end
   it "loads a csr with no begin/end lines" do
     csr = R509::CSR.new(:csr => @csr_no_begin_end)
-    csr.to_pem.should match(/-----BEGIN CERTIFICATE REQUEST-----/)
+    expect(csr.to_pem).to match(/-----BEGIN CERTIFICATE REQUEST-----/)
   end
   it "returns true from #has_private_key? when private key is present" do
-    csr = R509::CSR.new(:bit_length => 512, :subject => [['CN','private-key-check.com']])
-    csr.has_private_key?.should == true
+    csr = R509::CSR.new(:bit_length => 512, :subject => [['CN', 'private-key-check.com']])
+    expect(csr.has_private_key?).to eq(true)
   end
   it "returns false from #has_private_key? when private key is not present" do
     csr = R509::CSR.new(:csr => @csr)
-    csr.has_private_key?.should == false
+    expect(csr.has_private_key?).to eq(false)
   end
   it "key creation defaults to 2048 when no bit length or key is passed" do
-    csr = R509::CSR.new(:subject => [['CN','testing2048.rsa']])
-    csr.bit_length.should == 2048
+    csr = R509::CSR.new(:subject => [['CN', 'testing2048.rsa']])
+    expect(csr.bit_length).to eq(2048)
   end
   it "creates a CSR when a key is provided" do
-    csr = R509::CSR.new(:key => @key3, :subject => [['CN','pregenerated.com']], :bit_length => 1024)
-    csr.to_pem.should match(/CERTIFICATE REQUEST/)
-    #validate the CSR matches the key
-    csr.req.verify(csr.key.public_key).should == true
+    csr = R509::CSR.new(:key => @key3, :subject => [['CN', 'pregenerated.com']], :bit_length => 1024)
+    expect(csr.to_pem).to match(/CERTIFICATE REQUEST/)
+    # validate the CSR matches the key
+    expect(csr.req.verify(csr.key.public_key)).to eq(true)
   end
   it "loads successfully when an R509::PrivateKey is provided" do
     key = R509::PrivateKey.new(:key => @key3)
-    expect { R509::CSR.new(:key => key, :csr => @csr3)}.to_not raise_error
+    expect { R509::CSR.new(:key => key, :csr => @csr3) }.to_not raise_error
   end
   it "raises an exception when you pass :subject and :csr" do
-    expect { R509::CSR.new(:subject => [['CN','error.com']], :csr => @csr) }.to raise_error(ArgumentError,'You must provide :subject or :csr, not both')
+    expect { R509::CSR.new(:subject => [['CN', 'error.com']], :csr => @csr) }.to raise_error(ArgumentError, 'You must provide :subject or :csr, not both')
   end
   it "raises an exception for not providing valid type when key is nil" do
-    expect { R509::CSR.new(:subject => [['CN','error.com']], :type => :invalid_symbol) }.to raise_error(ArgumentError,"Must provide #{R509::PrivateKey::KNOWN_TYPES.join(", ")} as type when key is nil")
+    expect { R509::CSR.new(:subject => [['CN', 'error.com']], :type => :invalid_symbol) }.to raise_error(ArgumentError, "Must provide #{R509::PrivateKey::KNOWN_TYPES.join(", ")} as type when key is nil")
   end
   it "raises an exception when you don't provide :subject or :csr" do
-    expect { R509::CSR.new(:bit_length => 1024) }.to raise_error(ArgumentError,'You must provide :subject or :csr')
+    expect { R509::CSR.new(:bit_length => 1024) }.to raise_error(ArgumentError, 'You must provide :subject or :csr')
   end
   it "raises an exception if you provide a list of domains with an existing CSR" do
-    expect { R509::CSR.new(:csr => @csr, :san_names => ['moredomainsiwanttoadd.com']) }.to raise_error(ArgumentError,'You can\'t add domains to an existing CSR')
+    expect { R509::CSR.new(:csr => @csr, :san_names => ['moredomainsiwanttoadd.com']) }.to raise_error(ArgumentError, 'You can\'t add domains to an existing CSR')
   end
   it "changes the message_digest to DSS1 when passed a DSA key" do
-    csr = R509::CSR.new(:subject => [["CN","dsasigned.com"]], :key => @dsa_key)
-    csr.message_digest.name.should == 'dss1'
-    csr.signature_algorithm.should == 'dsaWithSHA1'
-    #dss1 is actually the same as SHA1
-    #Yes this is confusing
-    #see http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKey/DSA.html
+    csr = R509::CSR.new(:subject => [["CN", "dsasigned.com"]], :key => @dsa_key)
+    expect(csr.message_digest.name).to eq('dss1')
+    expect(csr.signature_algorithm).to eq('dsaWithSHA1')
+    # dss1 is actually the same as SHA1
+    # Yes this is confusing
+    # see http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKey/DSA.html
   end
   it "changes the message_digest to DSS1 when creating a DSA key" do
-    csr = R509::CSR.new(:subject => [["CN","dsasigned.com"]], :type => "dsa", :bit_length => 512)
-    csr.message_digest.name.should == 'dss1'
-    csr.signature_algorithm.should == 'dsaWithSHA1'
-    #dss1 is actually the same as SHA1
-    #Yes this is confusing
-    #see http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKey/DSA.html
+    csr = R509::CSR.new(:subject => [["CN", "dsasigned.com"]], :type => "dsa", :bit_length => 512)
+    expect(csr.message_digest.name).to eq('dss1')
+    expect(csr.signature_algorithm).to eq('dsaWithSHA1')
+    # dss1 is actually the same as SHA1
+    # Yes this is confusing
+    # see http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKey/DSA.html
   end
   it "signs a CSR properly when passed a DSA key" do
-    csr = R509::CSR.new(:subject => [["CN","dsasigned.com"]], :key => @dsa_key)
-    csr.verify_signature.should == true
+    csr = R509::CSR.new(:subject => [["CN", "dsasigned.com"]], :key => @dsa_key)
+    expect(csr.verify_signature).to eq(true)
   end
   it "signs a CSR properly when creating a DSA key" do
-    csr = R509::CSR.new(:subject => [["CN","dsasigned.com"]], :type => "dsa", :bit_length => 512)
-    csr.verify_signature.should == true
+    csr = R509::CSR.new(:subject => [["CN", "dsasigned.com"]], :type => "dsa", :bit_length => 512)
+    expect(csr.verify_signature).to eq(true)
   end
   it "writes to pem" do
     csr = R509::CSR.new(:csr => @csr)
     sio = StringIO.new
     sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
     csr.write_pem(sio)
-    sio.string.should == @csr
+    expect(sio.string).to eq(@csr)
   end
   it "writes to der" do
     sio = StringIO.new
     sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
     csr = R509::CSR.new(:csr => @csr)
     csr.write_der(sio)
-    sio.string.should == @csr_der
+    expect(sio.string).to eq(@csr_der)
   end
   it "duplicate SAN names should be removed" do
-    csr = R509::CSR.new( :bit_length => 512, :subject => [['CN','test2345.com']], :san_names => ["test2.local","test.local","test.local"] )
-    csr.san.dns_names.should == ["test2.local", "test.local"]
+    csr = R509::CSR.new(:bit_length => 512, :subject => [['CN', 'test2345.com']], :san_names => ["test2.local", "test.local", "test.local"])
+    expect(csr.san.dns_names).to eq(["test2.local", "test.local"])
   end
   it "existing GeneralNames object passed to CSR should be used" do
     gn = R509::ASN1::GeneralNames.new
     gn.create_item(:type => 'dNSName', :value => '127.0.0.1')
     gn.create_item(:type => 'dNSName', :value => '127.0.0.2')
-    csr = R509::CSR.new( :bit_length => 512, :subject => [['CN','test2345.com']], :san_names => gn )
-    csr.san.dns_names.should == ["127.0.0.1", "127.0.0.2"]
+    csr = R509::CSR.new(:bit_length => 512, :subject => [['CN', 'test2345.com']], :san_names => gn)
+    expect(csr.san.dns_names).to eq(["127.0.0.1", "127.0.0.2"])
   end
   it "san is nil when there are no SAN names" do
-    csr = R509::CSR.new( :subject => [['CN','langui.sh'],['emailAddress','ca@langui.sh']], :bit_length => 512)
-    csr.san.nil?.should == true
+    csr = R509::CSR.new(:subject => [['CN', 'langui.sh'], ['emailAddress', 'ca@langui.sh']], :bit_length => 512)
+    expect(csr.san.nil?).to eq(true)
   end
   context "when initialized" do
     it "raises exception when providing invalid csr" do
-      expect { R509::CSR.new({:csr => 'invalid csr'}) }.to raise_error(OpenSSL::X509::RequestError)
+      expect { R509::CSR.new(:csr => 'invalid csr') }.to raise_error(OpenSSL::X509::RequestError)
     end
     it "raises exception when providing invalid key" do
-      expect { R509::CSR.new({:csr => @csr, :key => 'invalid key'}) }.to raise_error(R509::R509Error,"Failed to load private key. Invalid key or incorrect password.")
+      expect { R509::CSR.new(:csr => @csr, :key => 'invalid key') }.to raise_error(R509::R509Error, "Failed to load private key. Invalid key or incorrect password.")
     end
   end
   context "when passing a subject array" do
     it "generates a matching CSR" do
-      csr = R509::CSR.new( :subject=> [['CN','langui.sh'],['ST','Illinois'],['L','Chicago'],['C','US'],['emailAddress','ca@langui.sh']], :bit_length => 1024)
-      csr.subject.to_s.should == '/CN=langui.sh/ST=Illinois/L=Chicago/C=US/emailAddress=ca@langui.sh'
+      csr = R509::CSR.new(:subject => [['CN', 'langui.sh'], ['ST', 'Illinois'], ['L', 'Chicago'], ['C', 'US'], ['emailAddress', 'ca@langui.sh']], :bit_length => 1024)
+      expect(csr.subject.to_s).to eq('/CN=langui.sh/ST=Illinois/L=Chicago/C=US/emailAddress=ca@langui.sh')
     end
     it "generates a matching csr when supplying raw oids" do
-      csr = R509::CSR.new( :subject => [['2.5.4.3','common name'],['2.5.4.15','business category'],['2.5.4.7','locality'],['1.3.6.1.4.1.311.60.2.1.3','jurisdiction oid openssl typically does not know']], :bit_length => 1024 )
-      csr.subject.to_s.should == "/CN=common name/businessCategory=business category/L=locality/jurisdictionOfIncorporationCountryName=jurisdiction oid openssl typically does not know"
+      csr = R509::CSR.new(:subject => [['2.5.4.3', 'common name'], ['2.5.4.15', 'business category'], ['2.5.4.7', 'locality'], ['1.3.6.1.4.1.311.60.2.1.3', 'jurisdiction oid openssl typically does not know']], :bit_length => 1024)
+      expect(csr.subject.to_s).to eq("/CN=common name/businessCategory=business category/L=locality/jurisdictionOfIncorporationCountryName=jurisdiction oid openssl typically does not know")
     end
     it "adds SAN names to a generated CSR" do
-      csr = R509::CSR.new( :subject => [['CN','test']], :bit_length => 1024, :san_names => ['1.2.3.4','http://langui.sh','email@address.local','domain.internal','2.3.4.5',[['CN','dirnametest']]])
-      csr.san.ip_addresses.should == ['1.2.3.4','2.3.4.5']
-      csr.san.dns_names.should == ['domain.internal']
-      csr.san.uris.should == ['http://langui.sh']
-      csr.san.rfc_822_names.should == ['email@address.local']
-      csr.san.directory_names.size.should == 1
-      csr.san.directory_names[0].to_s.should == '/CN=dirnametest'
+      csr = R509::CSR.new(:subject => [['CN', 'test']], :bit_length => 1024, :san_names => ['1.2.3.4', 'http://langui.sh', 'email@address.local', 'domain.internal', '2.3.4.5', [['CN', 'dirnametest']]])
+      expect(csr.san.ip_addresses).to eq(['1.2.3.4', '2.3.4.5'])
+      expect(csr.san.dns_names).to eq(['domain.internal'])
+      expect(csr.san.uris).to eq(['http://langui.sh'])
+      expect(csr.san.rfc_822_names).to eq(['email@address.local'])
+      expect(csr.san.directory_names.size).to eq(1)
+      expect(csr.san.directory_names[0].to_s).to eq('/CN=dirnametest')
     end
   end
   context "when supplying an existing csr" do
     it "populates the bit_length" do
-      csr = R509::CSR.new({ :csr => @csr })
-      csr.bit_length.should == 2048
+      csr = R509::CSR.new(:csr => @csr)
+      expect(csr.bit_length).to eq(2048)
     end
     it "populates the subject" do
-      csr = R509::CSR.new({ :csr => @csr })
-      csr.subject.to_s.should == '/CN=test.local/O=Testing CSR'
+      csr = R509::CSR.new(:csr => @csr)
+      expect(csr.subject.to_s).to eq('/CN=test.local/O=Testing CSR')
     end
     it "parses the san names" do
-      csr = R509::CSR.new({ :csr => @csr })
-      csr.san.dns_names.should == ["test.local", "additionaldomains.com", "saniam.com"]
+      csr = R509::CSR.new(:csr => @csr)
+      expect(csr.san.dns_names).to eq(["test.local", "additionaldomains.com", "saniam.com"])
     end
     it "parses san names when there are multiple non-SAN attributes" do
-      csr = R509::CSR.new({ :csr => @csr4_multiple_attrs })
-      csr.san.dns_names.should == ["adomain.com", "anotherdomain.com", "justanexample.com"]
+      csr = R509::CSR.new(:csr => @csr4_multiple_attrs)
+      expect(csr.san.dns_names).to eq(["adomain.com", "anotherdomain.com", "justanexample.com"])
     end
     it "fetches a subject component" do
-      csr = R509::CSR.new({ :csr => @csr })
-      csr.subject_component('CN').to_s.should == 'test.local'
+      csr = R509::CSR.new(:csr => @csr)
+      expect(csr.subject_component('CN').to_s).to eq('test.local')
     end
     it "returns nil when subject component not found" do
-      csr = R509::CSR.new({ :csr => @csr })
-      csr.subject_component('OU').should be_nil
+      csr = R509::CSR.new(:csr => @csr)
+      expect(csr.subject_component('OU')).to be_nil
     end
     it "returns the signature algorithm" do
-      csr = R509::CSR.new({ :csr => @csr })
-      csr.signature_algorithm.should == 'sha1WithRSAEncryption'
+      csr = R509::CSR.new(:csr => @csr)
+      expect(csr.signature_algorithm).to eq('sha256WithRSAEncryption')
     end
     it "returns RSA key algorithm for RSA CSR" do
-      csr = R509::CSR.new({ :csr => @csr })
-      csr.key_algorithm.should == "RSA"
+      csr = R509::CSR.new(:csr => @csr)
+      expect(csr.key_algorithm).to eq("RSA")
     end
     it "returns DSA key algorithm for DSA CSR" do
-      csr = R509::CSR.new({ :csr => @csr_dsa })
-      csr.key_algorithm.should == "DSA"
+      csr = R509::CSR.new(:csr => @csr_dsa)
+      expect(csr.key_algorithm).to eq("DSA")
     end
     it "returns the public key" do
-      #this is more complex than it should have to be. diff versions of openssl
-      #return subtly diff PEM encodings so we need to look at the modulus (n)
-      #but beware, because n is not present for DSA certificates
-      csr = R509::CSR.new({ :csr => @csr })
-      csr.public_key.n.to_i.should == @csr_public_key_modulus.to_i
+      # this is more complex than it should have to be. diff versions of openssl
+      # return subtly diff PEM encodings so we need to look at the modulus (n)
+      # but beware, because n is not present for DSA certificates
+      csr = R509::CSR.new(:csr => @csr)
+      expect(csr.public_key.n.to_i).to eq(@csr_public_key_modulus.to_i)
     end
     it "returns true with valid signature" do
-      csr = R509::CSR.new({ :csr => @csr })
-      csr.verify_signature.should == true
+      csr = R509::CSR.new(:csr => @csr)
+      expect(csr.verify_signature).to eq(true)
     end
     it "returns false on invalid signature" do
-      csr = R509::CSR.new({ :csr => @csr_invalid_signature })
-      csr.verify_signature.should == false
+      csr = R509::CSR.new(:csr => @csr_invalid_signature)
+      expect(csr.verify_signature).to eq(false)
     end
     it "works when the CSR has unknown OIDs" do
       csr = R509::CSR.new(:csr => @csr_unknown_oid)
-      csr.subject["1.2.3.4.5.6.7.8.9.8.7.6.5.4.3.2.1.0.0"].should == "random oid!"
-      csr.subject["1.3.3.543.567.32.43.335.1.1.1"].should == "another random oid!"
+      expect(csr.subject["1.2.3.4.5.6.7.8.9.8.7.6.5.4.3.2.1.0.0"]).to eq("random oid!")
+      expect(csr.subject["1.3.3.543.567.32.43.335.1.1.1"]).to eq("another random oid!")
     end
   end
   context "when supplying a key with csr" do
     it "raises exception on non-matching key" do
-      expect { R509::CSR.new({:csr => @csr, :key => @key_csr2}) }.to raise_error(R509::R509Error, 'Key does not match request.')
+      expect { R509::CSR.new(:csr => @csr, :key => @key_csr2) }.to raise_error(R509::R509Error, 'Key does not match request.')
     end
     it "accepts matching key" do
-      csr = R509::CSR.new({:csr => @csr2, :key => @key_csr2})
-      csr.to_pem.should == @csr2
+      csr = R509::CSR.new(:csr => @csr2, :key => @key_csr2)
+      expect(csr.to_pem).to eq(@csr2)
     end
   end
   context "when setting alternate signature algorithms" do
-    it "sets sha1 if you pass an invalid message digest" do
-      csr = R509::CSR.new(:message_digest => 'sha88', :bit_length => 512, :subject => [['CN','langui.sh']])
-      csr.message_digest.name.should == 'sha1'
-      csr.signature_algorithm.should == "sha1WithRSAEncryption"
+    it "sets sha256 if you pass an invalid message digest" do
+      csr = R509::CSR.new(:message_digest => 'sha88', :bit_length => 512, :subject => [['CN', 'langui.sh']])
+      expect(csr.message_digest.name).to eq('sha256')
+      expect(csr.signature_algorithm).to eq("sha256WithRSAEncryption")
+    end
+    it "sets sha1 properly" do
+      csr = R509::CSR.new(:message_digest => 'sha1', :bit_length => 512, :subject => [['CN', 'sha1-signature-alg.test']])
+      expect(csr.message_digest.name).to eq('sha1')
+      expect(csr.signature_algorithm).to eq("sha1WithRSAEncryption")
     end
     it "sets sha224 properly" do
-      csr = R509::CSR.new(:message_digest => 'sha224', :bit_length => 512, :subject => [['CN','sha224-signature-alg.test']])
-      csr.message_digest.name.should == 'sha224'
-      csr.signature_algorithm.should == "sha224WithRSAEncryption"
+      csr = R509::CSR.new(:message_digest => 'sha224', :bit_length => 512, :subject => [['CN', 'sha224-signature-alg.test']])
+      expect(csr.message_digest.name).to eq('sha224')
+      expect(csr.signature_algorithm).to eq("sha224WithRSAEncryption")
     end
     it "sets sha256 properly" do
-      csr = R509::CSR.new(:message_digest => 'sha256', :bit_length => 512, :subject => [['CN','sha256-signature-alg.test']])
-      csr.message_digest.name.should == 'sha256'
-      csr.signature_algorithm.should == "sha256WithRSAEncryption"
+      csr = R509::CSR.new(:message_digest => 'sha256', :bit_length => 512, :subject => [['CN', 'sha256-signature-alg.test']])
+      expect(csr.message_digest.name).to eq('sha256')
+      expect(csr.signature_algorithm).to eq("sha256WithRSAEncryption")
     end
     it "sets sha384 properly" do
-      csr = R509::CSR.new(:message_digest => 'sha384', :bit_length => 768, :subject => [['CN','sha384-signature-alg.test']])
-      csr.message_digest.name.should == 'sha384'
-      csr.signature_algorithm.should == "sha384WithRSAEncryption"
+      csr = R509::CSR.new(:message_digest => 'sha384', :bit_length => 768, :subject => [['CN', 'sha384-signature-alg.test']])
+      expect(csr.message_digest.name).to eq('sha384')
+      expect(csr.signature_algorithm).to eq("sha384WithRSAEncryption")
     end
     it "sets sha512 properly" do
-      csr = R509::CSR.new(:message_digest => 'sha512', :bit_length => 1024, :subject => [['CN','sha512-signature-alg.test']])
-      csr.message_digest.name.should == 'sha512'
-      csr.signature_algorithm.should == "sha512WithRSAEncryption"
+      csr = R509::CSR.new(:message_digest => 'sha512', :bit_length => 1024, :subject => [['CN', 'sha512-signature-alg.test']])
+      expect(csr.message_digest.name).to eq('sha512')
+      expect(csr.signature_algorithm).to eq("sha512WithRSAEncryption")
     end
     it "sets md5 properly" do
-      csr = R509::CSR.new(:message_digest => 'md5', :bit_length => 512, :subject => [['CN','md5-signature-alg.test']])
-      csr.message_digest.name.should == 'md5'
-      csr.signature_algorithm.should == "md5WithRSAEncryption"
+      csr = R509::CSR.new(:message_digest => 'md5', :bit_length => 512, :subject => [['CN', 'md5-signature-alg.test']])
+      expect(csr.message_digest.name).to eq('md5')
+      expect(csr.signature_algorithm).to eq("md5WithRSAEncryption")
     end
   end
   it "checks rsa?" do
-    csr = R509::CSR.new({:csr => @csr})
-    csr.rsa?.should == true
-    csr.ec?.should == false
-    csr.dsa?.should == false
+    csr = R509::CSR.new(:csr => @csr)
+    expect(csr.rsa?).to eq(true)
+    expect(csr.ec?).to eq(false)
+    expect(csr.dsa?).to eq(false)
   end
   it "gets RSA bit length" do
-    csr = R509::CSR.new({:csr => @csr})
-    csr.bit_length.should == 2048
+    csr = R509::CSR.new(:csr => @csr)
+    expect(csr.bit_length).to eq(2048)
   end
   it "returns an error for curve_name for dsa/rsa CSRs" do
     csr = R509::CSR.new(:csr => @csr)
     expect { csr.curve_name }.to raise_error(R509::R509Error, 'Curve name is only available with EC')
   end
   it "checks dsa?" do
-    csr = R509::CSR.new({:csr => @csr_dsa})
-    csr.rsa?.should == false
-    csr.ec?.should == false
-    csr.dsa?.should == true
+    csr = R509::CSR.new(:csr => @csr_dsa)
+    expect(csr.rsa?).to eq(false)
+    expect(csr.ec?).to eq(false)
+    expect(csr.dsa?).to eq(true)
   end
   it "gets DSA bit length" do
-    csr = R509::CSR.new({:csr => @csr_dsa})
-    csr.bit_length.should == 1024
+    csr = R509::CSR.new(:csr => @csr_dsa)
+    expect(csr.bit_length).to eq(1024)
   end
 
   it "loads a csr with load_from_file" do
     path = File.dirname(__FILE__) + '/fixtures/csr1.pem'
     csr = R509::CSR.load_from_file path
-    csr.message_digest.name.should == 'sha1'
+    expect(csr.message_digest.name).to eq('sha256')
   end
 
   context "when using elliptic curves", :ec => true do
     it "loads a pre-existing EC CSR" do
       csr = R509::CSR.new(:csr => @ec_csr2_pem)
-      csr.to_der.should == @ec_csr2_der
+      expect(csr.to_der).to eq(@ec_csr2_der)
     end
     it "returns the curve name" do
       csr = R509::CSR.new(:csr => @ec_csr2_pem)
-      csr.curve_name.should == "secp384r1"
+      expect(csr.curve_name).to eq("secp384r1")
     end
     it "generates a CSR with default curve" do
-      csr = R509::CSR.new(:type => "EC", :subject => [["CN","ec-test.local"]])
-      csr.curve_name.should == "secp384r1"
+      csr = R509::CSR.new(:type => "EC", :subject => [["CN", "ec-test.local"]])
+      expect(csr.curve_name).to eq("secp384r1")
     end
     it "generates a CSR with explicit curve" do
-      csr = R509::CSR.new(:type => "EC", :curve_name => "sect283r1", :subject => [["CN","ec-test.local"]])
-      csr.curve_name.should == "sect283r1"
+      csr = R509::CSR.new(:type => "EC", :curve_name => "sect283r1", :subject => [["CN", "ec-test.local"]])
+      expect(csr.curve_name).to eq("sect283r1")
     end
     it "raises error on bit length" do
       csr = R509::CSR.new(:csr => @ec_csr2_der)
-      expect { csr.bit_length }.to raise_error(R509::R509Error,'Bit length is not available for EC at this time.')
+      expect { csr.bit_length }.to raise_error(R509::R509Error, 'Bit length is not available for EC at this time.')
     end
     it "returns the key algorithm" do
       csr = R509::CSR.new(:csr => @ec_csr2_pem)
-      csr.key_algorithm.should == "EC"
+      expect(csr.key_algorithm).to eq("EC")
     end
     it "returns the public key" do
       csr = R509::CSR.new(:csr => @ec_csr2_pem)
-      csr.public_key.private_key?.should == false
-      csr.public_key.public_key?.should == true
+      expect(csr.public_key.private_key?).to eq(false)
+      expect(csr.public_key.public_key?).to eq(true)
     end
     it "checks ec?" do
       csr = R509::CSR.new(:csr => @ec_csr2_pem)
-      csr.ec?.should == true
+      expect(csr.ec?).to eq(true)
     end
     it "sets alternate signature properly for EC" do
-      csr = R509::CSR.new(:message_digest => 'sha256', :type => "EC", :subject => [["CN","ec-signature-alg.test"]])
-      csr.message_digest.name.should == 'sha256'
-      csr.signature_algorithm.should == 'ecdsa-with-SHA256'
+      csr = R509::CSR.new(:message_digest => 'sha256', :type => "EC", :subject => [["CN", "ec-signature-alg.test"]])
+      expect(csr.message_digest.name).to eq('sha256')
+      expect(csr.signature_algorithm).to eq('ecdsa-with-SHA256')
     end
   end
 
   context "when elliptic curve support is unavailable" do
     before :all do
-      @ec = OpenSSL::PKey.send(:remove_const,:EC) # remove EC support for test!
+      @ec = OpenSSL::PKey.send(:remove_const, :EC) # remove EC support for test!
       load('r509/ec-hack.rb')
     end
     after :all do
-      OpenSSL::PKey.send(:remove_const,:EC) # remove stubbed EC
+      OpenSSL::PKey.send(:remove_const, :EC) # remove stubbed EC
       OpenSSL::PKey::EC = @ec # add the real one back
     end
     it "checks rsa?" do
-      csr = R509::CSR.new({:csr => @csr})
-      csr.rsa?.should == true
-      csr.ec?.should == false
-      csr.dsa?.should == false
+      csr = R509::CSR.new(:csr => @csr)
+      expect(csr.rsa?).to eq(true)
+      expect(csr.ec?).to eq(false)
+      expect(csr.dsa?).to eq(false)
     end
     it "returns RSA key algorithm for RSA CSR" do
-      csr = R509::CSR.new({ :csr => @csr })
-      csr.key_algorithm.should == "RSA"
+      csr = R509::CSR.new(:csr => @csr)
+      expect(csr.key_algorithm).to eq("RSA")
     end
   end