r509 0.8.1 → 0.9

data/lib/r509/certificate_authority.rb

@@ -0,0 +1,407 @@
+require 'openssl'
+require 'r509/config'
+require 'r509/cert'
+require 'r509/exceptions'
+require 'r509/ec-hack'
+
+# CertificateAuthority related classes
+module R509::CertificateAuthority
+  # Contains the certification authority signing operation methods
+  class Signer
+    # @param [R509::Config] config
+    def initialize(config=nil)
+      @config = config
+
+      if not @config.nil? and not @config.kind_of?(R509::Config::CAConfig)
+        raise R509::R509Error, "config must be a kind of R509::Config::CAConfig or nil (for self-sign only)"
+      end
+      if not @config.nil? and not @config.ca_cert.has_private_key?
+        raise R509::R509Error, "You must have a private key associated with your CA certificate to issue"
+      end
+    end
+
+    # Signs a CSR
+    # @option options :csr [R509::CSR]
+    # @option options :spki [R509::SPKI]
+    # @option options :profile_name [String] The CA profile you want to use (eg "server" in your config)
+    # @option options :subject [R509::Subject,OpenSSL::X509::Subject,Array] (optional for R509::CSR, required for R509::SPKI)
+    # @option options :san_names [Array,R509::ASN1::GeneralNames] optional either an array of names that will be automatically parsed to determine their type, or an explicit R509::ASN1::GeneralNames object
+    # @option options :message_digest [String] the message digest to use for this certificate instead of the config's default
+    # @option options :serial [String] the serial number you want to issue the certificate with
+    # @option options :not_before [Time] the notBefore for the certificate
+    # @option options :not_after [Time] the notAfter for the certificate
+    # @return [R509::Cert] the signed cert object
+    def sign(options)
+      if @config.nil?
+        raise R509::R509Error, "When instantiating the signer without a config you can only call #selfsign"
+      elsif @config.num_profiles == 0
+        raise R509::R509Error, "You must have at least one CAProfile on your CAConfig to issue"
+      end
+
+      check_options(options)
+
+      subject, san_names, public_key = extract_public_key_subject_san(options)
+
+
+      if options.has_key?(:csr) and not options[:csr].verify_signature
+        raise R509::R509Error, "Certificate request signature is invalid."
+      end
+
+      # prior to OpenSSL 1.0 DSA could only use DSS1 (aka SHA1) signatures. post-1.0 anything
+      # goes but at the moment we don't enforce this restriction so an OpenSSL error could
+      # bubble up if they do it wrong.
+      message_digest = (options.has_key?(:message_digest))? R509::MessageDigest.new(options[:message_digest]) : R509::MessageDigest.new(@config.message_digest)
+
+      profile = @config.profile(options[:profile_name])
+
+      validated_subject = validate_subject(subject,profile)
+
+      cert = build_cert(
+        :subject => validated_subject.name,
+        :issuer => @config.ca_cert.subject.name,
+        :not_before => options[:not_before],
+        :not_after => options[:not_after],
+        :public_key => public_key,
+        :serial => options[:serial]
+      )
+
+      basic_constraints = profile.basic_constraints
+      key_usage = profile.key_usage
+      extended_key_usage = profile.extended_key_usage
+      certificate_policies = profile.certificate_policies
+      ocsp_no_check = profile.ocsp_no_check
+
+      build_extensions(
+        :subject_certificate => cert,
+        :issuer_certificate => @config.ca_cert.cert,
+        :basic_constraints => basic_constraints,
+        :key_usage => key_usage,
+        :extended_key_usage => extended_key_usage,
+        :ocsp_no_check => ocsp_no_check,
+        :certificate_policies => certificate_policies,
+        :san_names => san_names,
+        :inhibit_any_policy => profile.inhibit_any_policy,
+        :policy_constraints => profile.policy_constraints,
+        :name_constraints => profile.name_constraints
+      )
+
+
+      #@config.ca_cert.key.key ... ugly. ca_cert returns R509::Cert
+      # #key returns R509::PrivateKey and #key on that returns OpenSSL object we need
+      cert.sign( @config.ca_cert.key.key, message_digest.digest )
+      R509::Cert.new(:cert => cert)
+    end
+
+    # Self-signs a CSR
+    # @option options :csr [R509::CSR]
+    # @option options :message_digest [String] the message digest to use for this certificate (defaults to sha1)
+    # @option options :serial [String] the serial number you want to issue the certificate with (defaults to random)
+    # @option options :not_before [Time] the notBefore for the certificate (defaults to now)
+    # @option options :not_after [Time] the notAfter for the certificate (defaults to 1 year)
+    # @option options :san_names [Array,R509::ASN1::GeneralNames] optional either an array of names that will be automatically parsed to determine their type, or an explicit R509::ASN1::GeneralNames object
+    # @return [R509::Cert] the signed cert object
+    def selfsign(options)
+      if not options.kind_of?(Hash)
+        raise ArgumentError, "You must pass a hash of options consisting of at minimum :csr"
+      end
+      csr = options[:csr]
+      if csr.key.nil?
+        raise ArgumentError, 'CSR must also have a private key to self sign'
+      end
+      cert = build_cert(
+        :subject => csr.subject.name,
+        :issuer => csr.subject.name,
+        :not_before => options[:not_before],
+        :not_after => options[:not_after],
+        :public_key => csr.public_key,
+        :serial => options[:serial]
+      )
+
+      sans = (options.has_key?(:san_names))? options[:san_names] : csr.san
+      san_names = parse_san_names(sans)
+
+      build_extensions(
+        :subject_certificate => cert,
+        :issuer_certificate => cert,
+        :basic_constraints => {"ca" => true },
+        :san_names => san_names
+      )
+
+
+      if options.has_key?(:message_digest)
+        message_digest = R509::MessageDigest.new(options[:message_digest])
+      else
+        message_digest = R509::MessageDigest.new('sha1')
+      end
+
+      # CSR#key returns R509::PrivateKey and #key on that returns OpenSSL object we need
+      cert.sign( csr.key.key, message_digest.digest )
+      R509::Cert.new(:cert => cert)
+    end
+
+    private
+
+    def check_options(options)
+      if options.has_key?(:csr) and options.has_key?(:spki)
+        raise ArgumentError, "You can't pass both :csr and :spki"
+      elsif not options.has_key?(:csr) and not options.has_key?(:spki)
+        raise ArgumentError, "You must supply either :csr or :spki"
+      elsif options.has_key?(:csr)
+        if not options[:csr].kind_of?(R509::CSR)
+          raise ArgumentError, "You must pass an R509::CSR object for :csr"
+        end
+      elsif not options.has_key?(:csr) and options.has_key?(:spki)
+        if not options[:spki].kind_of?(R509::SPKI)
+          raise ArgumentError, "You must pass an R509::SPKI object for :spki"
+        end
+      end
+    end
+
+    def extract_public_key_subject_san(options)
+      if options.has_key?(:csr)
+        subject = (options.has_key?(:subject))? R509::Subject.new(options[:subject]) : options[:csr].subject
+        sans = (options.has_key?(:san_names))? options[:san_names] : options[:csr].san
+        san_names = parse_san_names(sans)
+        public_key = options[:csr].public_key
+      else
+        # spki
+        if not options.has_key?(:subject)
+          raise ArgumentError, "You must supply :subject when passing :spki"
+        end
+        public_key = options[:spki].public_key
+        subject = R509::Subject.new(options[:subject])
+        san_names = parse_san_names(options[:san_names]) # optional
+      end
+
+      [subject,san_names,public_key]
+    end
+
+    def parse_san_names(sans)
+      case sans
+      when nil then nil
+      when R509::ASN1::GeneralNames then sans
+      when Array then R509::ASN1.general_name_parser(sans)
+      else
+        raise ArgumentError, "When passing SAN names it must be provided as either an array of strings or an R509::ASN1::GeneralNames object"
+      end
+    end
+
+    def build_conf(section,hash,index)
+      conf = ["[#{section}]"]
+      conf.push "policyIdentifier=#{hash["policy_identifier"]}" unless hash["policy_identifier"].nil?
+      hash["cps_uris"].each_with_index do |cps,idx|
+        conf.push "CPS.#{idx+1}=\"#{cps}\""
+      end if hash["cps_uris"].respond_to?(:each_with_index)
+
+      user_notice_confs = []
+      hash["user_notices"].each_with_index do |un,k|
+        conf.push "userNotice.#{k+1}=@user_notice#{k+1}#{index}"
+        user_notice_confs.push "[user_notice#{k+1}#{index}]"
+        user_notice_confs.push "explicitText=\"#{un["explicit_text"]}\"" unless un["explicit_text"].nil?
+        # if org is supplied notice numbers is also required (and vice versa). enforced in CAProfile
+        user_notice_confs.push "organization=\"#{un["organization"]}\"" unless un["organization"].nil?
+        user_notice_confs.push "noticeNumbers=\"#{un["notice_numbers"]}\"" unless un["notice_numbers"].nil?
+      end unless not hash["user_notices"].kind_of?(Array)
+
+      conf.concat(user_notice_confs)
+      conf.join "\n"
+    end
+
+    def validate_subject(subject,profile)
+      if profile.subject_item_policy.nil? then
+        subject
+      else
+        profile.subject_item_policy.validate_subject(subject)
+      end
+    end
+
+    def build_cert(options)
+
+      cert = OpenSSL::X509::Certificate.new
+
+      cert.subject = options[:subject]
+      cert.issuer = options[:issuer]
+      cert.not_before = calculate_not_before(options[:not_before])
+      cert.not_after = calculate_not_after(options[:not_after],cert.not_before)
+      cert.public_key = options[:public_key]
+      cert.serial = create_serial(options[:serial])
+      cert.version = 2 #2 means v3
+      cert
+    end
+
+    def create_serial(serial)
+      if not serial.nil?
+        serial = OpenSSL::BN.new(serial.to_s)
+      else
+        # generate random serial in accordance with best practices
+        # guidelines state 20-bits of entropy, but we can cram more in
+        # per rfc5280 conforming CAs can make the serial field up to 20 octets
+        # to prevent even the incredibly remote possibility of collision we'll
+        # concatenate current time (to the microsecond) with a random num
+        rand = OpenSSL::BN.rand(96,0) # 96 bits is 12 bytes (octets).
+        serial = OpenSSL::BN.new((Time.now.to_f*1000000).to_i.to_s + rand.to_s)
+        # since second param is 0 the most significant bit must always be 1
+        # this theoretically gives us 95 bits of entropy + microtime, which
+        # adds a non-zero quantity of entropy. depending upon how predictable
+        # your issuance is, this could range from a reasonably large quantity
+        # of entropy to very little
+      end
+      serial
+    end
+
+    def build_extensions(options)
+      ef = OpenSSL::X509::ExtensionFactory.new
+
+      ef.subject_certificate = options[:subject_certificate]
+
+      ef.issuer_certificate = options[:issuer_certificate]
+
+      ext = []
+      if not options[:basic_constraints].nil?
+        bc = options[:basic_constraints]
+        if bc["ca"] == true
+          bc_value = "CA:TRUE"
+          if not bc["path_length"].nil?
+            bc_value += ",pathlen:#{bc["path_length"]}"
+          end
+        else
+          bc_value = "CA:FALSE"
+        end
+
+        ext << ef.create_extension("basicConstraints", bc_value, true)
+      end
+      if not options[:key_usage].nil? and not options[:key_usage].empty?
+        ext << ef.create_extension("keyUsage", options[:key_usage].join(","))
+      end
+      if not options[:extended_key_usage].nil? and not options[:extended_key_usage].empty?
+        ext << ef.create_extension("extendedKeyUsage", options[:extended_key_usage].join(","))
+      end
+      ext << ef.create_extension("subjectKeyIdentifier", "hash")
+
+      #attach the key identifier if it's not a self-sign
+      if not ef.subject_certificate == ef.issuer_certificate and not R509::Cert.new(:cert=>options[:issuer_certificate]).authority_key_identifier.nil?
+        ext << ef.create_extension("authorityKeyIdentifier", "keyid:always") # this could also be keyid:always,issuer:always
+      end
+
+      if not options[:certificate_policies].nil? and options[:certificate_policies].respond_to?(:each)
+        conf = []
+        policy_names = ["ia5org"]
+        options[:certificate_policies].each_with_index do |policy,i|
+          conf << build_conf("certPolicies#{i}",policy,i)
+          policy_names << "@certPolicies#{i}"
+        end
+        ef.config = OpenSSL::Config.parse(conf.join("\n"))
+        ext << ef.create_extension("certificatePolicies", policy_names.join(","))
+      end
+
+      if not options[:san_names].nil? and not options[:san_names].names.empty?
+        serialize = options[:san_names].serialize_names
+        ef.config = OpenSSL::Config.parse(serialize[:conf])
+        ext << ef.create_extension("subjectAltName", serialize[:extension_string])
+      end
+
+      if not @config.nil? and not @config.cdp_location.nil? and not @config.cdp_location.empty?
+        gns = R509::ASN1.general_name_parser(@config.cdp_location)
+        serialize = gns.serialize_names
+        ef.config = OpenSSL::Config.parse(serialize[:conf])
+        ext << ef.create_extension("crlDistributionPoints", serialize[:extension_string])
+      end
+
+      #authorityInfoAccess processing
+      if not @config.nil?
+        aia = []
+        aia_conf = []
+
+        if not @config.ocsp_location.nil? and not @config.ocsp_location.empty?
+          gns = R509::ASN1.general_name_parser(@config.ocsp_location)
+          gns.names.each do |ocsp|
+            serialize = ocsp.serialize_name
+            aia.push "OCSP;#{serialize[:extension_string]}"
+            aia_conf.push serialize[:conf]
+          end
+        end
+
+        if not @config.nil? and not @config.ca_issuers_location.nil? and not @config.ca_issuers_location.empty?
+          gns = R509::ASN1.general_name_parser(@config.ca_issuers_location)
+          gns.names.each do |ca_issuers|
+            serialize = ca_issuers.serialize_name
+            aia.push "caIssuers;#{serialize[:extension_string]}"
+            aia_conf.push serialize[:conf]
+          end
+        end
+
+        if not aia.empty?
+          ef.config = OpenSSL::Config.parse(aia_conf.join("\n"))
+          ext << ef.create_extension("authorityInfoAccess",aia.join(","))
+        end
+      end
+
+      if options[:inhibit_any_policy]
+        ext << ef.create_extension("inhibitAnyPolicy",options[:inhibit_any_policy].to_s,true) # must be set critical per RFC 5280
+      end
+
+      if options[:policy_constraints]
+        pc = options[:policy_constraints]
+        constraints = []
+        constraints << "requireExplicitPolicy:#{pc["require_explicit_policy"]}" unless pc["require_explicit_policy"].nil?
+        constraints << "inhibitPolicyMapping:#{pc["inhibit_policy_mapping"]}" unless pc["inhibit_policy_mapping"].nil?
+        ext << ef.create_extension("policyConstraints",constraints.join(","),true) # must be set critical per RFC 5280
+      end
+
+      if options[:name_constraints]
+        nc = options[:name_constraints]
+        nc_data = []
+        nc_conf = []
+        if not nc["permitted"].nil?
+          gns = R509::ASN1::GeneralNames.new
+          nc["permitted"].each do |p|
+            gns.create_item(:type => p["type"], :value => p["value"])
+          end
+          gns.names.each do |permitted|
+            serialize = permitted.serialize_name
+            nc_data.push "permitted;#{serialize[:extension_string]}"
+            nc_conf.push serialize[:conf]
+          end
+        end
+        if not nc["excluded"].nil?
+          gns = R509::ASN1::GeneralNames.new
+          nc["excluded"].each do |p|
+            gns.create_item(:type => p["type"], :value => p["value"])
+          end
+          gns.names.each do |excluded|
+            serialize = excluded.serialize_name
+            nc_data.push "excluded;#{serialize[:extension_string]}"
+            nc_conf.push serialize[:conf]
+          end
+        end
+
+        ef.config = OpenSSL::Config.parse nc_conf.join("\n")
+        ext << ef.create_extension("nameConstraints",nc_data.join(","))
+      end
+
+      if options[:ocsp_no_check]
+        # the value of this extension is not encoded. presence is all that matters
+        ext << ef.create_extension("noCheck","yes")
+      end
+
+      options[:subject_certificate].extensions = ext
+      nil
+    end
+
+    def calculate_not_before(not_before)
+      if not_before.nil?
+        #not_before will be set to 6 hours before now to prevent issues with bad system clocks (clients don't sync)
+        not_before = Time.now - 6 * 60 * 60
+      end
+      not_before
+    end
+
+    def calculate_not_after(not_after,not_before)
+      if not_after.nil?
+        not_after = not_before + 365 * 24 * 60 * 60
+      end
+      not_after
+    end
+
+  end
+end

data/lib/r509/config.rb

@@ -3,405 +3,601 @@ require 'openssl'
 require 'r509/exceptions'
 require 'r509/io_helpers'
 require 'r509/subject'
-require 'r509/privatekey'
+require 'r509/private_key'
 require 'fileutils'
 require 'pathname'
 
 module R509
-    # Module to contain all configuration related classes (e.g. CaConfig, CaProfile, SubjectItemPolicy)
-    module Config
-        # Provides access to configuration profiles
-        class CaProfile
-            attr_reader :basic_constraints, :key_usage, :extended_key_usage,
-              :certificate_policies, :subject_item_policy
-
-            # @option [String] :basic_constraints
-            # @option [Array] :key_usage
-            # @option [Array] :extended_key_usage
-            # @option [Array] :certificate_policies
-            # @option [R509::Config::SubjectItemPolicy] :subject_item_policy optional
-            def initialize(opts = {})
-                @basic_constraints = opts[:basic_constraints]
-                @key_usage = opts[:key_usage]
-                @extended_key_usage = opts[:extended_key_usage]
-                @certificate_policies = opts[:certificate_policies]
-                if opts.has_key?(:subject_item_policy) and not opts[:subject_item_policy].kind_of?(R509::Config::SubjectItemPolicy)
-                end
-                @subject_item_policy = opts[:subject_item_policy] || nil
-            end
+  # Module to contain all configuration related classes (e.g. CAConfig, CAProfile, SubjectItemPolicy)
+  module Config
+    # Provides access to configuration profiles
+    class CAProfile
+      attr_reader :basic_constraints, :key_usage, :extended_key_usage,
+        :certificate_policies, :subject_item_policy, :ocsp_no_check,
+        :inhibit_any_policy, :policy_constraints, :name_constraints
+
+      # All hash options for CAProfile are optional.
+      # @option opts [String] :basic_constraints
+      # @option opts [Array] :key_usage
+      # @option opts [Array] :extended_key_usage
+      # @option opts [Array] :certificate_policies
+      # @option opts [Boolean] :ocsp_no_check Sets OCSP No Check extension in the certificate if true
+      # @option opts [Integer] :inhibit_any_policy Sets the value of the inhibitAnyPolicy extension
+      # @option opts [Hash] :policy_constraints Sets the value of the policyConstriants extension
+      # @option opts [Hash] :name_constraints Sets the value of the nameConstraints extension
+      # @option opts [R509::Config::SubjectItemPolicy] :subject_item_policy
+      def initialize(opts = {})
+        validate_basic_constraints opts[:basic_constraints]
+        validate_key_usage opts[:key_usage]
+        validate_extended_key_usage opts[:extended_key_usage]
+        validate_certificate_policies opts[:certificate_policies]
+        validate_inhibit_any_policy opts[:inhibit_any_policy]
+        validate_policy_constraints opts[:policy_constraints]
+        validate_name_constraints opts[:name_constraints]
+        @ocsp_no_check = (opts[:ocsp_no_check] == true or opts[:ocsp_no_check] == "true")?true:false
+        validate_subject_item_policy opts[:subject_item_policy]
+      end
+
+      private
+      # @private
+      # validates subject item policy
+      def validate_subject_item_policy(sip)
+        if not sip.nil? and not sip.kind_of?(R509::Config::SubjectItemPolicy)
+          raise ArgumentError, "subject_item_policy must be of type R509::Config::SubjectItemPolicy"
         end
-
-        # returns information about the subject item policy for a profile
-        class SubjectItemPolicy
-            attr_reader :required, :optional
-
-            # @param [Hash] hash of required/optional subject items. These must be in OpenSSL shortname format.
-            # @example sample hash
-            #   {"CN" => "required",
-            #   "O" => "required",
-            #   "OU" => "optional",
-            #   "ST" => "required",
-            #   "C" => "required",
-            #   "L" => "required",
-            #   "emailAddress" => "optional"}
-            def initialize(hash={})
-                if not hash.kind_of?(Hash)
-                    raise ArgumentError, "Must supply a hash in form 'shortname'=>'required/optional'"
+        @subject_item_policy = sip
+      end
+
+      # @private
+      # validates key usage array
+      def validate_key_usage(ku)
+        if not ku.nil? and not ku.kind_of?(Array)
+          raise ArgumentError, "key_usage must be an array of strings (see README)"
+        end
+        @key_usage = ku
+      end
+
+      # @private
+      # validates inhibit any policy
+      def validate_inhibit_any_policy(iap)
+        if not iap.nil?
+          validate_non_negative_integer("Inhibit any policy",iap)
+        end
+        @inhibit_any_policy = iap
+      end
+
+      # @private
+      def validate_policy_constraints(pc)
+        if not pc.nil?
+          if not pc.kind_of?(Hash)
+            raise ArgumentError, 'Policy constraints must be provided as a hash with at least one of the two allowed keys: "inhibit_policy_mapping" and "require_explicit_policy"'
+          end
+          if not pc["inhibit_policy_mapping"].nil?
+            ipm = validate_non_negative_integer("inhibit_policy_mapping",pc["inhibit_policy_mapping"])
+          end
+          if not pc["require_explicit_policy"].nil?
+            rep = validate_non_negative_integer("require_explicit_policy",pc["require_explicit_policy"])
+          end
+          if not ipm and not rep
+            raise ArgumentError, 'Policy constraints must have at least one of two keys: "inhibit_policy_mapping" and "require_explicit_policy" and the value must be non-negative'
+          end
+        end
+        @policy_constraints = pc
+      end
+
+      # @private
+      # used by iap and pc validation methods
+      def validate_non_negative_integer(source,value)
+          if not value.kind_of?(Integer) or value < 0
+            raise ArgumentError, "#{source} must be a non-negative integer"
+          end
+          value
+      end
+
+      # @private
+      # validates extended key usage array
+      def validate_extended_key_usage(eku)
+        if not eku.nil? and not eku.kind_of?(Array)
+          raise ArgumentError, "extended_key_usage must be an array of strings (see README)"
+        end
+        @extended_key_usage = eku
+      end
+
+
+      # @private
+      # validates the structure of the certificate policies array
+      def validate_certificate_policies(policies)
+        if not policies.nil?
+          if not policies.respond_to?(:each)
+            raise ArgumentError, "Not a valid certificate policy structure. Must be an array of hashes"
+          else
+            policies.each do |policy|
+              if policy["policy_identifier"].nil?
+                raise ArgumentError, "Each policy requires a policy identifier"
+              end
+              if not policy["cps_uris"].nil?
+                if not policy["cps_uris"].respond_to?(:each)
+                  raise ArgumentError, "CPS URIs must be an array of strings"
                 end
-                @required = []
-                @optional = []
-                if not hash.empty?
-                    hash.each_pair do |key,value|
-                        if value == "required"
-                            @required.push(key)
-                        elsif value == "optional"
-                            @optional.push(key)
-                        else
-                            raise ArgumentError, "Unknown subject item policy value. Allowed values are required and optional"
-                        end
+              end
+              if not policy["user_notices"].nil?
+                if not policy["user_notices"].respond_to?(:each)
+                  raise ArgumentError, "User notices must be an array of hashes"
+                else
+                  policy["user_notices"].each do |un|
+                    if not un["organization"].nil? and un["notice_numbers"].nil?
+                      raise ArgumentError, "If you provide an organization you must provide notice numbers"
                     end
+                    if not un["notice_numbers"].nil? and un["organization"].nil?
+                      raise ArgumentError, "If you provide notice numbers you must provide an organization"
+                    end
+                  end
                 end
+              end
             end
-
-            # @param [R509::Subject] subject
-            # @return [R509::Subject] validated version of the subject or error
-            def validate_subject(subject)
-                # convert the subject components into an array of component names that match
-                # those that are on the required list
-                supplied = subject.to_a.each do |item|
-                    @required.include?(item[0])
-                end.map do |item|
-                    item[0]
-                end
-                # so we can make sure they gave us everything that's required
-                diff = @required - supplied
-                if not diff.empty?
-                    raise R509::R509Error, "This profile requires you supply "+@required.join(", ")
-                end
-
-                # the validated subject contains only those subject components that are either
-                # required or optional
-                R509::Subject.new(subject.to_a.select do |item|
-                    @required.include?(item[0]) or @optional.include?(item[0])
-                end)
-            end
+          end
+          @certificate_policies = policies
         end
-
-        # pool of configs, so we can support multiple CAs from a single config file
-        class CaConfigPool
-            # @option configs [Hash<String, R509::Config::CaConfig>] the configs to add to the pool
-            def initialize(configs)
-                @configs = configs
-            end
-
-            # get all the config names
-            def names
-                @configs.keys
-            end
-
-            # retrieve a particular config by its name
-            def [](name)
-                @configs[name]
+      end
+
+      # @private
+      def validate_name_constraints(nc)
+        if not nc.nil?
+          if not nc.kind_of?(Hash)
+            raise ArgumentError, "name_constraints must be provided as a hash"
+          end
+          ["permitted","excluded"].each do |key|
+            if not nc[key].nil?
+              validate_name_constraints_elements(key,nc[key])
             end
+          end
+          if (nc["permitted"].nil? or nc["permitted"].empty?) and (nc["excluded"].nil? or nc["excluded"].empty?)
+            raise ArgumentError, "If name_constraints are supplied you must have at least one valid permitted or excluded element"
+          end
+        end
+        @name_constraints = nc
+      end
 
-            # @return a list of all the configs in this pool
-            def all
-                @configs.values
-            end
+      # @private
+      def validate_name_constraints_elements(type,arr)
+        if not arr.kind_of?(Array)
+          raise ArgumentError, "#{type} must be an array"
+        end
+        arr.each do |el|
+          if not el.kind_of?(Hash) or not el.has_key?("type") or not el.has_key?("value")
+            raise ArgumentError, "Elements within the #{type} array must be hashes with both type and value"
+          end
+          if R509::ASN1::GeneralName.map_type_to_tag(el["type"]) == nil
+            raise ArgumentError, "#{el["type"]} is not an allowed type. Check R509::ASN1::GeneralName.map_type_to_tag to see a list of types"
+          end
+        end
+      end
+
+      # @private
+      # validates the structure of the certificate policies array
+      def validate_basic_constraints(constraints)
+        if not constraints.nil?
+          if not constraints.respond_to?(:has_key?) or not constraints.has_key?("ca")
+            raise ArgumentError, "You must supply a hash with a key named \"ca\" with a boolean value"
+          end
+          if constraints["ca"].nil? or (not constraints["ca"].kind_of?(TrueClass) and not constraints["ca"].kind_of?(FalseClass))
+            raise ArgumentError, "You must supply true/false for the ca key when specifying basic constraints"
+          end
+          if constraints["ca"] == false and not constraints["path_length"].nil?
+            raise ArgumentError, "path_length is not allowed when ca is false"
+          end
+          if constraints["ca"] == true and not constraints["path_length"].nil? and (constraints["path_length"] < 0 or not constraints["path_length"].kind_of?(Integer))
+            raise ArgumentError, "Path length must be a non-negative integer (>= 0)"
+          end
+        end
+        @basic_constraints = constraints
+      end
+    end
 
-            # Loads the named configuration config from a yaml string.
-            # @param [String] name The name of the config within the file. Note
-            #  that a single yaml file can contain more than one configuration.
-            # @param [String] yaml_data The filename to load yaml config data from.
-            def self.from_yaml(name, yaml_data, opts = {})
-                conf = YAML.load(yaml_data)
-                configs = {}
-                conf[name].each_pair do |ca_name, data|
-                    configs[ca_name] = R509::Config::CaConfig.load_from_hash(data, opts)
-                end
-                R509::Config::CaConfigPool.new(configs)
+    # returns information about the subject item policy for a profile
+    class SubjectItemPolicy
+      attr_reader :required, :optional
+
+      # @param [Hash] hash of required/optional subject items. These must be in OpenSSL shortname format.
+      # @example sample hash
+      #  {"CN" => "required",
+      #  "O" => "required",
+      #  "OU" => "optional",
+      #  "ST" => "required",
+      #  "C" => "required",
+      #  "L" => "required",
+      #  "emailAddress" => "optional"}
+      def initialize(hash={})
+        if not hash.kind_of?(Hash)
+          raise ArgumentError, "Must supply a hash in form 'shortname'=>'required/optional'"
+        end
+        @required = []
+        @optional = []
+        if not hash.empty?
+          hash.each_pair do |key,value|
+            if value == "required"
+              @required.push(key)
+            elsif value == "optional"
+              @optional.push(key)
+            else
+              raise ArgumentError, "Unknown subject item policy value. Allowed values are required and optional"
             end
+          end
+        end
+      end
+
+      # @param [R509::Subject] subject
+      # @return [R509::Subject] validated version of the subject or error
+      def validate_subject(subject)
+        # convert the subject components into an array of component names that match
+        # those that are on the required list
+        supplied = subject.to_a.each do |item|
+          @required.include?(item[0])
+        end.map do |item|
+          item[0]
+        end
+        # so we can make sure they gave us everything that's required
+        diff = @required - supplied
+        if not diff.empty?
+          raise R509::R509Error, "This profile requires you supply "+@required.join(", ")
         end
 
-        # Stores a configuration for our CA.
-        class CaConfig
-            include R509::IOHelpers
-            extend R509::IOHelpers
-            attr_accessor :ca_cert, :crl_validity_hours, :message_digest,
-              :cdp_location, :crl_start_skew_seconds, :ocsp_location, :ocsp_chain,
-              :ocsp_start_skew_seconds, :ocsp_validity_hours, :crl_number_file, :crl_list_file
-
-            # @option opts [R509::Cert] :ca_cert Cert+Key pair
-            # @option opts [Integer] :crl_validity_hours (168) The number of hours that
-            #  a CRL will be valid. Defaults to 7 days.
-            # @option opts [Hash<String, R509::Config::CaProfile>] :profiles
-            # @option opts [String] :message_digest (SHA1) The hashing algorithm to use.
-            # @option opts [String] :cdp_location
-            # @option opts [String] :ocsp_location
-            # @option opts [String] :crl_number_file The file that we will save
-            #  the CRL numbers to. defaults to a StringIO object if not provided
-            # @option opts [String] :crl_list_file The file that we will save
-            #  the CRL list data to. defaults to a StringIO object if not provided
-            # @option opts [R509::Cert] :ocsp_cert An optional cert+key pair
-            # OCSP signing delegate
-            # @option opts [Array<OpenSSL::X509::Certificate>] :ocsp_chain An optional array
-            # that constitutes the chain to attach to an OCSP response
-            #
-            def initialize(opts = {} )
-                if not opts.has_key?(:ca_cert) then
-                    raise ArgumentError, 'Config object requires that you pass :ca_cert'
-                end
-
-                @ca_cert = opts[:ca_cert]
-
-                if not @ca_cert.kind_of?(R509::Cert) then
-                    raise ArgumentError, ':ca_cert must be of type R509::Cert'
-                end
-
-                #ocsp data
-                if opts.has_key?(:ocsp_cert) and not opts[:ocsp_cert].kind_of?(R509::Cert) and not opts[:ocsp_cert].nil?
-                    raise ArgumentError, ':ocsp_cert, if provided, must be of type R509::Cert'
-                end
-                if opts.has_key?(:ocsp_cert) and not opts[:ocsp_cert].nil? and not opts[:ocsp_cert].has_private_key?
-                    raise ArgumentError, ':ocsp_cert must contain a private key, not just a certificate'
-                end
-                @ocsp_cert = opts[:ocsp_cert] unless opts[:ocsp_cert].nil?
-                @ocsp_location = opts[:ocsp_location]
-                @ocsp_chain = opts[:ocsp_chain] if opts[:ocsp_chain].kind_of?(Array)
-                @ocsp_validity_hours = opts[:ocsp_validity_hours] || 168
-                @ocsp_start_skew_seconds = opts[:ocsp_start_skew_seconds] || 3600
-
-                @crl_validity_hours = opts[:crl_validity_hours] || 168
-                @crl_start_skew_seconds = opts[:crl_start_skew_seconds] || 3600
-                @crl_number_file = opts[:crl_number_file] || nil
-                @crl_list_file = opts[:crl_list_file] || nil
-                @cdp_location = opts[:cdp_location]
-                @message_digest = opts[:message_digest] || "SHA1"
-
-
+        # the validated subject contains only those subject components that are either
+        # required or optional
+        R509::Subject.new(subject.to_a.select do |item|
+          @required.include?(item[0]) or @optional.include?(item[0])
+        end)
+      end
+    end
 
-                @profiles = {}
-                    if opts[:profiles]
-                    opts[:profiles].each_pair do |name, prof|
-                      set_profile(name, prof)
-                    end
-                end
+    # pool of configs, so we can support multiple CAs from a single config file
+    class CAConfigPool
+      # @option configs [Hash<String, R509::Config::CAConfig>] the configs to add to the pool
+      def initialize(configs)
+        @configs = configs
+      end
+
+      # get all the config names
+      def names
+        @configs.keys
+      end
+
+      # retrieve a particular config by its name
+      def [](name)
+        @configs[name]
+      end
+
+      # @return a list of all the configs in this pool
+      def all
+        @configs.values
+      end
+
+      # Loads the named configuration config from a yaml string.
+      # @param [String] name The name of the config within the file. Note
+      #  that a single yaml file can contain more than one configuration.
+      # @param [String] yaml_data The filename to load yaml config data from.
+      def self.from_yaml(name, yaml_data, opts = {})
+        conf = YAML.load(yaml_data)
+        configs = {}
+        conf[name].each_pair do |ca_name, data|
+          configs[ca_name] = R509::Config::CAConfig.load_from_hash(data, opts)
+        end
+        R509::Config::CAConfigPool.new(configs)
+      end
+    end
 
-            end
+    # Stores a configuration for our CA.
+    class CAConfig
+      include R509::IOHelpers
+      extend R509::IOHelpers
+      attr_accessor :ca_cert, :crl_validity_hours, :message_digest,
+        :cdp_location, :crl_start_skew_seconds, :ocsp_location, :ocsp_chain,
+        :ocsp_start_skew_seconds, :ocsp_validity_hours, :crl_number_file, :crl_list_file,
+        :ca_issuers_location
+
+      # @option opts [R509::Cert] :ca_cert Cert+Key pair
+      # @option opts [Integer] :crl_validity_hours (168) The number of hours that
+      #  a CRL will be valid. Defaults to 7 days.
+      # @option opts [Hash<String, R509::Config::CAProfile>] :profiles
+      # @option opts [String] :message_digest (SHA1) The hashing algorithm to use.
+      # @option opts [Array] :cdp_location array of strings (URLs)
+      # @option opts [Array] :ocsp_location array of strings (URLs)
+      # @option opts [Array] :ca_issuers_location array of strings (URLs)
+      # @option opts [String] :crl_number_file The file that we will save
+      #  the CRL numbers to. defaults to a StringIO object if not provided
+      # @option opts [String] :crl_list_file The file that we will save
+      #  the CRL list data to. defaults to a StringIO object if not provided
+      # @option opts [R509::Cert] :ocsp_cert An optional cert+key pair
+      # OCSP signing delegate
+      # @option opts [Array<OpenSSL::X509::Certificate>] :ocsp_chain An optional array
+      # that constitutes the chain to attach to an OCSP response
+      #
+      def initialize(opts = {} )
+        if not opts.has_key?(:ca_cert) then
+          raise ArgumentError, 'Config object requires that you pass :ca_cert'
+        end
 
-            # @return [R509::Cert] either a custom OCSP cert or the ca_cert
-            def ocsp_cert
-                if @ocsp_cert.nil? then @ca_cert else @ocsp_cert end
-            end
+        @ca_cert = opts[:ca_cert]
 
-            # @param [String] name The name of the profile
-            # @param [R509::Config::CaProfile] prof The profile configuration
-            def set_profile(name, prof)
-                unless prof.is_a?(R509::Config::CaProfile)
-                    raise TypeError, "profile is supposed to be a R509::Config::CaProfile"
-                end
-                @profiles[name] = prof
-            end
+        if not @ca_cert.kind_of?(R509::Cert) then
+          raise ArgumentError, ':ca_cert must be of type R509::Cert'
+        end
 
-            # @param [String] prof
-            # @return [R509::Config::CaProfile] The config profile.
-            def profile(prof)
-                if !@profiles.has_key?(prof)
-                    raise R509::R509Error, "unknown profile '#{prof}'"
-                end
-                @profiles[prof]
-            end
+        #ocsp data
+        if opts.has_key?(:ocsp_cert) and not opts[:ocsp_cert].kind_of?(R509::Cert) and not opts[:ocsp_cert].nil?
+          raise ArgumentError, ':ocsp_cert, if provided, must be of type R509::Cert'
+        end
+        if opts.has_key?(:ocsp_cert) and not opts[:ocsp_cert].nil? and not opts[:ocsp_cert].has_private_key?
+          raise ArgumentError, ':ocsp_cert must contain a private key, not just a certificate'
+        end
+        @ocsp_cert = opts[:ocsp_cert] unless opts[:ocsp_cert].nil?
+        validate_ocsp_location opts[:ocsp_location]
+        validate_ca_issuers_location opts[:ca_issuers_location]
+        @ocsp_chain = opts[:ocsp_chain] if opts[:ocsp_chain].kind_of?(Array)
+        @ocsp_validity_hours = opts[:ocsp_validity_hours] || 168
+        @ocsp_start_skew_seconds = opts[:ocsp_start_skew_seconds] || 3600
+
+        @crl_validity_hours = opts[:crl_validity_hours] || 168
+        @crl_start_skew_seconds = opts[:crl_start_skew_seconds] || 3600
+        @crl_number_file = opts[:crl_number_file] || nil
+        @crl_list_file = opts[:crl_list_file] || nil
+        validate_cdp_location opts[:cdp_location]
+        @message_digest = opts[:message_digest] || "SHA1"
+
+
+
+        @profiles = {}
+          if opts[:profiles]
+          opts[:profiles].each_pair do |name, prof|
+            set_profile(name, prof)
+          end
+        end
 
-            # @return [Integer] The number of profiles
-            def num_profiles
-              @profiles.count
-            end
+      end
 
+      # @return [R509::Cert] either a custom OCSP cert or the ca_cert
+      def ocsp_cert
+        if @ocsp_cert.nil? then @ca_cert else @ocsp_cert end
+      end
 
-            ######### Class Methods ##########
+      # @param [String] name The name of the profile
+      # @param [R509::Config::CAProfile] prof The profile configuration
+      def set_profile(name, prof)
+        unless prof.is_a?(R509::Config::CAProfile)
+          raise TypeError, "profile is supposed to be a R509::Config::CAProfile"
+        end
+        @profiles[name] = prof
+      end
+
+      # @param [String] prof
+      # @return [R509::Config::CAProfile] The config profile.
+      def profile(prof)
+        if !@profiles.has_key?(prof)
+          raise R509::R509Error, "unknown profile '#{prof}'"
+        end
+        @profiles[prof]
+      end
 
-            # Load the configuration from a data hash. The same type that might be
-            # used when loading from a YAML file.
-            # @param [Hash] conf A hash containing all the configuration options
-            # @option opts [String] :ca_root_path The root path for the CA. Defaults to
-            #  the current working directory.
-            def self.load_from_hash(conf, opts = {})
-                if conf.nil?
-                    raise ArgumentError, "conf not found"
-                end
-                unless conf.kind_of?(Hash)
-                    raise ArgumentError, "conf must be a Hash"
-                end
+      # @return [Integer] The number of profiles
+      def num_profiles
+        @profiles.count
+      end
 
-                ca_root_path = Pathname.new(opts[:ca_root_path] || FileUtils.getwd)
 
-                unless File.directory?(ca_root_path)
-                    raise R509Error, "ca_root_path is not a directory: #{ca_root_path}"
-                end
+      ######### Class Methods ##########
 
-                ca_cert_hash = conf['ca_cert']
+      # Load the configuration from a data hash. The same type that might be
+      # used when loading from a YAML file.
+      # @param [Hash] conf A hash containing all the configuration options
+      # @option opts [String] :ca_root_path The root path for the CA. Defaults to
+      #  the current working directory.
+      def self.load_from_hash(conf, opts = {})
+        if conf.nil?
+          raise ArgumentError, "conf not found"
+        end
+        unless conf.kind_of?(Hash)
+          raise ArgumentError, "conf must be a Hash"
+        end
 
-                if ca_cert_hash.has_key?('engine')
-                    ca_cert = self.load_with_engine(ca_cert_hash,ca_root_path)
-                end
+        ca_root_path = Pathname.new(opts[:ca_root_path] || FileUtils.getwd)
 
-                if ca_cert.nil? and ca_cert_hash.has_key?('pkcs12')
-                    ca_cert = self.load_with_pkcs12(ca_cert_hash,ca_root_path)
-                end
+        unless File.directory?(ca_root_path)
+          raise R509Error, "ca_root_path is not a directory: #{ca_root_path}"
+        end
 
-                if ca_cert.nil? and ca_cert_hash.has_key?('cert')
-                    ca_cert = self.load_with_key(ca_cert_hash,ca_root_path)
-                end
+        ca_cert_hash = conf['ca_cert']
 
-                if conf.has_key?("ocsp_cert")
-                    if conf["ocsp_cert"].has_key?('engine')
-                        ocsp_cert = self.load_with_engine(conf["ocsp_cert"],ca_root_path)
-                    end
+        if ca_cert_hash.has_key?('engine')
+          ca_cert = self.load_with_engine(ca_cert_hash,ca_root_path)
+        end
 
-                    if ocsp_cert.nil? and conf["ocsp_cert"].has_key?('pkcs12')
-                        ocsp_cert = self.load_with_pkcs12(conf["ocsp_cert"],ca_root_path)
-                    end
+        if ca_cert.nil? and ca_cert_hash.has_key?('pkcs12')
+          ca_cert = self.load_with_pkcs12(ca_cert_hash,ca_root_path)
+        end
 
-                    if ocsp_cert.nil? and conf["ocsp_cert"].has_key?('cert')
-                        ocsp_cert = self.load_with_key(conf["ocsp_cert"],ca_root_path)
-                    end
-                end
+        if ca_cert.nil? and ca_cert_hash.has_key?('cert')
+          ca_cert = self.load_with_key(ca_cert_hash,ca_root_path)
+        end
 
-                ocsp_chain = []
-                if conf.has_key?("ocsp_chain")
-                    ocsp_chain_data = read_data(ca_root_path+conf["ocsp_chain"])
-                    cert_regex = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m
-                    ocsp_chain_data.scan(cert_regex) do |cert|
-                        ocsp_chain.push(OpenSSL::X509::Certificate.new(cert))
-                    end
-                end
+        if conf.has_key?("ocsp_cert")
+          if conf["ocsp_cert"].has_key?('engine')
+            ocsp_cert = self.load_with_engine(conf["ocsp_cert"],ca_root_path)
+          end
 
-                opts = {
-                    :ca_cert => ca_cert,
-                    :ocsp_cert => ocsp_cert,
-                    :ocsp_chain => ocsp_chain,
-                    :crl_validity_hours => conf['crl_validity_hours'],
-                    :ocsp_validity_hours => conf['ocsp_validity_hours'],
-                    :ocsp_start_skew_seconds => conf['ocsp_start_skew_seconds'],
-                    :ocsp_location => conf['ocsp_location'],
-                    :cdp_location => conf['cdp_location'],
-                    :message_digest => conf['message_digest'],
-                }
-
-                if conf.has_key?("crl_list")
-                    opts[:crl_list_file] = (ca_root_path + conf['crl_list']).to_s
-                end
+          if ocsp_cert.nil? and conf["ocsp_cert"].has_key?('pkcs12')
+            ocsp_cert = self.load_with_pkcs12(conf["ocsp_cert"],ca_root_path)
+          end
 
-                if conf.has_key?("crl_number")
-                    opts[:crl_number_file] = (ca_root_path + conf['crl_number']).to_s
-                end
+          if ocsp_cert.nil? and conf["ocsp_cert"].has_key?('cert')
+            ocsp_cert = self.load_with_key(conf["ocsp_cert"],ca_root_path)
+          end
+        end
 
+        ocsp_chain = []
+        if conf.has_key?("ocsp_chain")
+          ocsp_chain_data = read_data(ca_root_path+conf["ocsp_chain"])
+          cert_regex = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m
+          ocsp_chain_data.scan(cert_regex) do |cert|
+            ocsp_chain.push(OpenSSL::X509::Certificate.new(cert))
+          end
+        end
 
-                profs = {}
-                conf['profiles'].keys.each do |profile|
-                    data = conf['profiles'][profile]
-                    if not data["subject_item_policy"].nil?
-                        subject_item_policy = R509::Config::SubjectItemPolicy.new(data["subject_item_policy"])
-                    end
-                    profs[profile] = R509::Config::CaProfile.new(:key_usage => data["key_usage"],
-                                                       :extended_key_usage => data["extended_key_usage"],
-                                                       :basic_constraints => data["basic_constraints"],
-                                                       :certificate_policies => data["certificate_policies"],
-                                                       :subject_item_policy => subject_item_policy)
-                end unless conf['profiles'].nil?
-                opts[:profiles] = profs
-
-                # Create the instance.
-                self.new(opts)
-            end
+        opts = {
+          :ca_cert => ca_cert,
+          :ocsp_cert => ocsp_cert,
+          :ocsp_chain => ocsp_chain,
+          :crl_validity_hours => conf['crl_validity_hours'],
+          :ocsp_validity_hours => conf['ocsp_validity_hours'],
+          :ocsp_start_skew_seconds => conf['ocsp_start_skew_seconds'],
+          :ocsp_location => conf['ocsp_location'],
+          :ca_issuers_location => conf['ca_issuers_location'],
+          :cdp_location => conf['cdp_location'],
+          :message_digest => conf['message_digest'],
+        }
+
+        if conf.has_key?("crl_list")
+          opts[:crl_list_file] = (ca_root_path + conf['crl_list']).to_s
+        end
 
-            # Loads the named configuration config from a yaml file.
-            # @param [String] conf_name The name of the config within the file. Note
-            #  that a single yaml file can contain more than one configuration.
-            # @param [String] yaml_file The filename to load yaml config data from.
-            def self.load_yaml(conf_name, yaml_file, opts = {})
-                conf = YAML.load_file(yaml_file)
-                self.load_from_hash(conf[conf_name], opts)
-            end
+        if conf.has_key?("crl_number")
+          opts[:crl_number_file] = (ca_root_path + conf['crl_number']).to_s
+        end
 
-            # Loads the named configuration config from a yaml string.
-            # @param [String] conf_name The name of the config within the file. Note
-            #  that a single yaml file can contain more than one configuration.
-            # @param [String] yaml_data The filename to load yaml config data from.
-            def self.from_yaml(conf_name, yaml_data, opts = {})
-                conf = YAML.load(yaml_data)
-                self.load_from_hash(conf[conf_name], opts)
-            end
 
-            private
+        profs = {}
+        conf['profiles'].keys.each do |profile|
+          data = conf['profiles'][profile]
+          if not data["subject_item_policy"].nil?
+            subject_item_policy = R509::Config::SubjectItemPolicy.new(data["subject_item_policy"])
+          end
+          profs[profile] = R509::Config::CAProfile.new(:key_usage => data["key_usage"],
+                             :extended_key_usage => data["extended_key_usage"],
+                             :basic_constraints => data["basic_constraints"],
+                             :certificate_policies => data["certificate_policies"],
+                             :ocsp_no_check => data["ocsp_no_check"],
+                             :inhibit_any_policy => data["inhibit_any_policy"],
+                             :policy_constraints => data["policy_constraints"],
+                             :name_constraints => data["name_constraints"],
+                             :subject_item_policy => subject_item_policy)
+        end unless conf['profiles'].nil?
+        opts[:profiles] = profs
+
+        # Create the instance.
+        self.new(opts)
+      end
+
+      # Loads the named configuration config from a yaml file.
+      # @param [String] conf_name The name of the config within the file. Note
+      #  that a single yaml file can contain more than one configuration.
+      # @param [String] yaml_file The filename to load yaml config data from.
+      def self.load_yaml(conf_name, yaml_file, opts = {})
+        conf = YAML.load_file(yaml_file)
+        self.load_from_hash(conf[conf_name], opts)
+      end
+
+      # Loads the named configuration config from a yaml string.
+      # @param [String] conf_name The name of the config within the file. Note
+      #  that a single yaml file can contain more than one configuration.
+      # @param [String] yaml_data The filename to load yaml config data from.
+      def self.from_yaml(conf_name, yaml_data, opts = {})
+        conf = YAML.load(yaml_data)
+        self.load_from_hash(conf[conf_name], opts)
+      end
+
+      private
+
+      def self.load_with_engine(ca_cert_hash,ca_root_path)
+        if ca_cert_hash.has_key?('key')
+          raise ArgumentError, "You can't specify both key and engine"
+        end
+        if ca_cert_hash.has_key?('pkcs12')
+          raise ArgumentError, "You can't specify both engine and pkcs12"
+        end
+        if not ca_cert_hash.has_key?('key_name')
+          raise ArgumentError, "You must supply a key_name with an engine"
+        end
 
-            def self.load_with_engine(ca_cert_hash,ca_root_path)
-                if ca_cert_hash.has_key?('key')
-                    raise R509Error, "You can't specify both key and engine"
-                end
-                if ca_cert_hash.has_key?('pkcs12')
-                    raise R509Error, "You can't specify both engine and pkcs12"
-                end
-                if not ca_cert_hash.has_key?('key_name')
-                    raise R509Error, "You must supply a key_name with an engine"
-                end
+        if ca_cert_hash['engine'].respond_to?(:load_private_key)
+          #this path is only for testing...ugh
+          engine = ca_cert_hash['engine']
+        else
+          #this path can't be tested by unit tests. bah!
+          engine = OpenSSL::Engine.by_id(ca_cert_hash['engine'])
+        end
+        ca_key = R509::PrivateKey.new(
+          :engine => engine,
+          :key_name => ca_cert_hash['key_name']
+        )
+        ca_cert_file = ca_root_path + ca_cert_hash['cert']
+        ca_cert = R509::Cert.new(
+          :cert => read_data(ca_cert_file),
+          :key => ca_key
+        )
+        ca_cert
+      end
+
+      def self.load_with_pkcs12(ca_cert_hash,ca_root_path)
+        if ca_cert_hash.has_key?('cert')
+          raise ArgumentError, "You can't specify both pkcs12 and cert"
+        end
+        if ca_cert_hash.has_key?('key')
+          raise ArgumentError, "You can't specify both pkcs12 and key"
+        end
 
-                if ca_cert_hash['engine'].respond_to?(:load_private_key)
-                    #this path is only for testing...ugh
-                    engine = ca_cert_hash['engine']
-                else
-                    #this path can't be tested by unit tests. bah!
-                    engine = OpenSSL::Engine.by_id(ca_cert_hash['engine'])
-                end
-                ca_key = R509::PrivateKey.new(
-                    :engine => engine,
-                    :key_name => ca_cert_hash['key_name']
-                )
-                ca_cert_file = ca_root_path + ca_cert_hash['cert']
-                ca_cert = R509::Cert.new(
-                    :cert => read_data(ca_cert_file),
-                    :key => ca_key
-                )
-                ca_cert
-            end
+        pkcs12_file = ca_root_path + ca_cert_hash['pkcs12']
+        ca_cert = R509::Cert.new(
+          :pkcs12 => read_data(pkcs12_file),
+          :password => ca_cert_hash['password']
+        )
+        ca_cert
+      end
+
+      def self.load_with_key(ca_cert_hash,ca_root_path)
+        ca_cert_file = ca_root_path + ca_cert_hash['cert']
+
+        if ca_cert_hash.has_key?('key')
+          ca_key_file = ca_root_path + ca_cert_hash['key']
+          ca_key = R509::PrivateKey.new(
+            :key => read_data(ca_key_file),
+            :password => ca_cert_hash['password']
+          )
+          ca_cert = R509::Cert.new(
+            :cert => read_data(ca_cert_file),
+            :key => ca_key
+          )
+        else
+          # in certain cases (OCSP responders for example) we may want
+          # to load a ca_cert with no private key
+          ca_cert = R509::Cert.new(:cert => read_data(ca_cert_file))
+        end
+        ca_cert
+      end
 
-            def self.load_with_pkcs12(ca_cert_hash,ca_root_path)
-                if ca_cert_hash.has_key?('cert')
-                    raise R509Error, "You can't specify both pkcs12 and cert"
-                end
-                if ca_cert_hash.has_key?('key')
-                    raise R509Error, "You can't specify both pkcs12 and key"
-                end
+      private
 
-                pkcs12_file = ca_root_path + ca_cert_hash['pkcs12']
-                ca_cert = R509::Cert.new(
-                    :pkcs12 => read_data(pkcs12_file),
-                    :password => ca_cert_hash['password']
-                )
-                ca_cert
-            end
+      # @private
+      def validate_cdp_location(location)
+        if not location.nil? and not location.kind_of?(Array)
+          raise ArgumentError, "cdp_location must be an array if provided"
+        end
+        @cdp_location = location
+      end
 
-            def self.load_with_key(ca_cert_hash,ca_root_path)
-                ca_cert_file = ca_root_path + ca_cert_hash['cert']
-
-                if ca_cert_hash.has_key?('key')
-                    ca_key_file = ca_root_path + ca_cert_hash['key']
-                    ca_key = R509::PrivateKey.new(
-                        :key => read_data(ca_key_file),
-                        :password => ca_cert_hash['password']
-                    )
-                    ca_cert = R509::Cert.new(
-                        :cert => read_data(ca_cert_file),
-                        :key => ca_key
-                    )
-                else
-                    # in certain cases (OCSP responders for example) we may want
-                    # to load a ca_cert with no private key
-                    ca_cert = R509::Cert.new(:cert => read_data(ca_cert_file))
-                end
-                ca_cert
-            end
+      # @private
+      def validate_ocsp_location(location)
+        if not location.nil? and not location.kind_of?(Array)
+          raise ArgumentError, "ocsp_location must be an array if provided"
+        end
+        @ocsp_location = location
+      end
 
+      # @private
+      def validate_ca_issuers_location(location)
+        if not location.nil? and not location.kind_of?(Array)
+          raise ArgumentError, "ca_issuers_location must be an array if provided"
         end
+        @ca_issuers_location = location
+      end
     end
+  end
 end