r509 0.8.1 → 0.9

data/lib/r509/validity.rb

@@ -2,91 +2,93 @@ require 'openssl'
 
 #Module for holding classes for writing and reading certificate validity information (used for serving OCSP responses)
 module R509::Validity
-    #mapping from OpenSSL
-    VALID = OpenSSL::OCSP::V_CERTSTATUS_GOOD
-    REVOKED = OpenSSL::OCSP::V_CERTSTATUS_REVOKED
-    UNKNOWN = OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
+  #mapping from OpenSSL
+  VALID = OpenSSL::OCSP::V_CERTSTATUS_GOOD
+  #mapping from OpenSSL
+  REVOKED = OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+  #mapping from OpenSSL
+  UNKNOWN = OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
 
-    #data about the status of a certificate
-    class Status
-        attr_reader :status, :revocation_time, :revocation_reason
+  #data about the status of a certificate
+  class Status
+    attr_reader :status, :revocation_time, :revocation_reason
 
-        def initialize(options={})
-            @status = options[:status]
-            @revocation_time = options[:revocation_time] || nil
-            @revocation_reason = options[:revocation_reason] || 0
+    def initialize(options={})
+      @status = options[:status]
+      @revocation_time = options[:revocation_time] || nil
+      @revocation_reason = options[:revocation_reason] || 0
 
-            if (@status == R509::Validity::REVOKED and @revocation_time.nil?)
-                @revocation_time = Time.now.to_i
-            end
-        end
+      if (@status == R509::Validity::REVOKED and @revocation_time.nil?)
+        @revocation_time = Time.now.to_i
+      end
+    end
 
-        # @return [OpenSSL::OCSP::STATUS] OpenSSL status constants when passing R509 constants
-        def ocsp_status
-            case @status
-            when R509::Validity::VALID
-                OpenSSL::OCSP::V_CERTSTATUS_GOOD
-            when R509::Validity::REVOKED
-                OpenSSL::OCSP::V_CERTSTATUS_REVOKED
-            when R509::Validity::UNKNOWN
-                OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
-            else
-                OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
-            end
-        end
+    # @return [OpenSSL::OCSP::STATUS] OpenSSL status constants when passing R509 constants
+    def ocsp_status
+      case @status
+      when R509::Validity::VALID
+        OpenSSL::OCSP::V_CERTSTATUS_GOOD
+      when R509::Validity::REVOKED
+        OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+      when R509::Validity::UNKNOWN
+        OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
+      else
+        OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
+      end
     end
+  end
 
-    #abstract base class for a Writer
-    class Writer
-        def issue(issuer, serial)
-            raise NotImplementedError, "You must call #issue on a subclass of Writer"
-        end
+  #abstract base class for a Writer
+  class Writer
+    def issue(issuer, serial)
+      raise NotImplementedError, "You must call #issue on a subclass of Writer"
+    end
 
-        def revoke(issuer, serial, reason)
-            raise NotImplementedError, "You must call #revoke on a subclass of Writer"
-        end
+    def revoke(issuer, serial, reason)
+      raise NotImplementedError, "You must call #revoke on a subclass of Writer"
+    end
 
-        # is_available? is meant to be implemented to check if the backend store you choose to implement is currently working.
-        # see r509-ocsp-responder and r509-validity-redis for an example of use
-        def is_available?
-            raise NotImplementedError, "You must call #is_available? on a subclass of Writer"
-        end
+    # is_available? is meant to be implemented to check if the backend store you choose to implement is currently working.
+    # see r509-ocsp-responder and r509-validity-redis for an example of use
+    def is_available?
+      raise NotImplementedError, "You must call #is_available? on a subclass of Writer"
     end
+  end
 
-    #abstract base class for a Checker
-    class Checker
-        def check(issuer, serial)
-            raise NotImplementedError, "You must call #check on a subclass of Checker"
-        end
+  #abstract base class for a Checker
+  class Checker
+    def check(issuer, serial)
+      raise NotImplementedError, "You must call #check on a subclass of Checker"
+    end
 
-        # is_available? is meant to be implemented to check if the backend store you choose to implement is currently working.
-        # see r509-ocsp-responder and r509-validity-redis for an example of use
-        def is_available?
-            raise NotImplementedError, "You must call #is_available? on a subclass of Checker"
-        end
+    # is_available? is meant to be implemented to check if the backend store you choose to implement is currently working.
+    # see r509-ocsp-responder and r509-validity-redis for an example of use
+    def is_available?
+      raise NotImplementedError, "You must call #is_available? on a subclass of Checker"
     end
+  end
 
-    #default implementaton of the Checker class. Used for tests. DO NOT USE OTHERWISE
-    class DefaultChecker < R509::Validity::Checker
-        def check(issuer, serial)
-            R509::Validity::Status.new(:status => R509::Validity::VALID)
-        end
+  #default implementaton of the Checker class. Used for tests. DO NOT USE OTHERWISE
+  class DefaultChecker < R509::Validity::Checker
+    def check(issuer, serial)
+      R509::Validity::Status.new(:status => R509::Validity::VALID)
+    end
 
-        def is_available?
-            true
-        end
+    def is_available?
+      true
     end
+  end
 
-    #default implementaton of the Writer class. Does nothing (obviously)
-    class DefaultWriter < R509::Validity::Writer
-        def issue(issuer, serial)
-        end
+  #default implementaton of the Writer class. Does nothing (obviously)
+  class DefaultWriter < R509::Validity::Writer
+    def issue(issuer, serial)
+    end
 
-        def revoke(issuer, serial, reason)
-        end
+    def revoke(issuer, serial, reason)
+    end
 
-        def is_available?
-            true
-        end
+    def is_available?
+      true
     end
+  end
 end

data/lib/r509/version.rb

@@ -1,4 +1,4 @@
 module R509
-    #The version of the r509 gem
-    VERSION="0.8.1"
+  #The version of the r509 gem
+  VERSION="0.9"
 end

data/r509.yaml

@@ -1,73 +1,96 @@
 certificate_authorities: {
-    test_ca: {
-        ca_cert: {
-            cert: 'spec/fixtures/test_ca.cer',
-            key: 'spec/fixtures/test_ca.key'
-        },
-        ocsp_cert: {
-            :pkcs12: 'spec/fixtures/test_ca_ocsp.p12',
-            :password: 'r509'
-        },
-        ocsp_location: 'URI:http://ocsp.domain.com',
-        ocsp_chain: 'spec/fixtures/test_ca_ocsp_chain.txt',
-        ocsp_start_skew_seconds: 3600,
-        ocsp_validity_hours: 168,
-        cdp_location: 'URI:http://crl.domain.com/test_ca.crl',
-        crl_list: 'spec/fixtures/test_ca_crl_list.txt',
-        crl_number: 'spec/fixtures/test_ca_crl_number.txt',
-        crl_validity_hours: 168, #7 days
-        message_digest: 'SHA1', #SHA1, SHA256, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
-        profiles: {
-            server: {
-                basic_constraints: "CA:FALSE",
-                key_usage: [digitalSignature,keyEncipherment],
-                extended_key_usage: [serverAuth],
-                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.1", "CPS.1=http://example.com/cps"] ],
-                subject_item_policy: {
-                    CN: "required",
-                    O:  "required",
-                    OU: "optional",
-                    ST: "required",
-                    C:  "required",
-                    L:  "required"
-                }
-            },
-            client: {
-                basic_constraints: "CA:FALSE",
-                key_usage: [digitalSignature,keyEncipherment],
-                extended_key_usage: [clientAuth],
-                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.2", "CPS.1=http://example.com/cps"] ]
-            },
-            email: {
-                basic_constraints: "CA:FALSE",
-                key_usage: [digitalSignature,keyEncipherment],
-                extended_key_usage: [emailProtection],
-                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.3", "CPS.1=http://example.com/cps"] ]
-            },
-            clientserver: {
-                basic_constraints:  "CA:FALSE",
-                key_usage: [digitalSignature,keyEncipherment],
-                extended_key_usage: [serverAuth,clientAuth],
-                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.4", "CPS.1=http://example.com/cps"] ]
-            },
-            codesigning: {
-                basic_constraints:  "CA:FALSE",
-                key_usage: [digitalSignature],
-                extended_key_usage: [codeSigning],
-                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.5", "CPS.1=http://example.com/cps"] ]
-            },
-            timestamping: {
-                basic_constraints:  "CA:FALSE",
-                key_usage: [digitalSignature],
-                extended_key_usage: [timeStamping],
-                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.6", "CPS.1=http://example.com/cps"] ]
-            },
-            subroot: {
-                basic_constraints:  "CA:TRUE,pathlen:0",
-                key_usage: [keyCertSign,cRLSign],
-                extended_key_usage: [],
-                certificate_policies: [ ]
-            }
+  test_ca: {
+    ca_cert: {
+      cert: 'spec/fixtures/test_ca.cer',
+      key: 'spec/fixtures/test_ca.key'
+    },
+    ocsp_cert: {
+      pkcs12: 'spec/fixtures/test_ca_ocsp.p12',
+      password: 'r509'
+    },
+    ocsp_location: ['http://ocsp.domain.com'],
+    ca_issuers_location: ['http://domain.com/ca.html'],
+    ocsp_chain: 'spec/fixtures/test_ca_ocsp_chain.txt',
+    ocsp_start_skew_seconds: 3600,
+    ocsp_validity_hours: 168,
+    cdp_location: ['http://crl.domain.com/test_ca.crl'],
+    crl_list: 'spec/fixtures/test_ca_crl_list.txt',
+    crl_number: 'spec/fixtures/test_ca_crl_number.txt',
+    crl_validity_hours: 168, #7 days
+    message_digest: 'SHA1', #SHA1, SHA256, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
+    profiles: {
+      server: {
+        basic_constraints: {"ca" : false},
+        key_usage: [digitalSignature,keyEncipherment],
+        extended_key_usage: [serverAuth],
+        subject_item_policy: {
+          CN: "required",
+          O:  "required",
+          OU: "optional",
+          ST: "required",
+          C:  "required",
+          L:  "required"
         }
+      },
+      client: {
+        basic_constraints: {"ca" : false},
+        key_usage: [digitalSignature,keyEncipherment],
+        extended_key_usage: [clientAuth],
+      },
+      email: {
+        basic_constraints: {"ca" : false},
+        key_usage: [digitalSignature,keyEncipherment],
+        extended_key_usage: [emailProtection],
+      },
+      clientserver: {
+        basic_constraints:  {"ca" : false},
+        key_usage: [digitalSignature,keyEncipherment],
+        extended_key_usage: [serverAuth,clientAuth],
+      },
+      codesigning: {
+        basic_constraints:  {"ca" : false},
+        key_usage: [digitalSignature],
+        extended_key_usage: [codeSigning],
+      },
+      timestamping: {
+        basic_constraints:  {"ca" : false},
+        key_usage: [digitalSignature],
+        extended_key_usage: [timeStamping],
+      },
+      subroot: {
+        basic_constraints:  {"ca" : true, "path_length" : 0},
+        key_usage: [keyCertSign,cRLSign],
+        extended_key_usage: [],
+        certificate_policies: [
+          { policy_identifier: "2.16.840.1.99999.21.234",
+            cps_uris: ["http://example.com/cps","http://haha.com"],
+            user_notices: [ { explicit_text: "this is a great thing", organization: "my org", notice_numbers: "1,2,3" } ]
+          },
+          { policy_identifier: "2.16.840.1.99999.21.235",
+            cps_uris: ["http://example.com/cps2"],
+            user_notices: [ { explicit_text: "this is a bad thing", organization: "another org", notice_numbers: "3,2,1" },{ explicit_text: "another user notice"} ]
+          }
+        ],
+        inhibit_any_policy: 0,
+        policy_constraints: { require_explicit_policy: 0, inhibit_policy_mapping: 0},
+        name_constraints: {
+          permitted: [
+            {type: "IP", value: "192.168.0.0/255.255.0.0"},
+            {type: "dirName", value: [['CN','myCN'],['O','Org']]}
+          ],
+          excluded: [
+            {type: "email", value: "domain.com"},
+            {type: "URI", value: ".net"},
+            {type: "DNS", value: "test.us"}
+          ]
+        }
+      },
+      ocsp_delegate: {
+        basic_constraints:  {"ca" : false},
+        key_usage: [digitalSignature],
+        extended_key_usage: [OCSPSigning],
+        ocsp_no_check: true
+      }
     }
+  }
 }

data/spec/asn1_spec.rb

@@ -0,0 +1,402 @@
+require 'spec_helper'
+require 'r509/asn1'
+
+describe R509::ASN1 do
+  it "does not error with valid extension on get_extension_payload" do
+    #SAN extension
+    der = "0L\u0006\u0003U\u001D\u0011\u0001\u0001\xFF\u0004B0@\x82\u000Ewww.test.local\x87\u0004\n\u0001\u0002\u0003\x86\u0015http://www.test.local\x81\u0011myemail@email.com"
+    ext = OpenSSL::X509::Extension.new(der)
+    payload = R509::ASN1.get_extension_payload(ext)
+    payload.should_not be_nil
+  end
+
+  context "general_name_parser" do
+    it "returns nil if passed nil" do
+      general_names = R509::ASN1.general_name_parser(nil)
+      general_names.should be_nil
+    end
+    it "correctly parses dns names" do
+      general_names = R509::ASN1.general_name_parser(['domain2.com','domain3.com'])
+      general_names.dns_names.should == ["domain2.com", "domain3.com"]
+    end
+
+    it "adds SAN IPv4 names" do
+      general_names = R509::ASN1.general_name_parser(['1.2.3.4','2.3.4.5'])
+      general_names.ip_addresses.should == ["1.2.3.4", "2.3.4.5"]
+    end
+
+    it "adds SAN IPv6 names" do
+      general_names = R509::ASN1.general_name_parser(['FE80:0:0:0:0:0:0:1','fe80::2',])
+      general_names.ip_addresses.should == ["fe80::1", "fe80::2"]
+    end
+
+    it "adds SAN URI names" do
+      general_names = R509::ASN1.general_name_parser(['http://myuri.com','ftp://whyftp'])
+      general_names.uris.should == ['http://myuri.com','ftp://whyftp']
+    end
+
+    it "adds SAN rfc822 names" do
+      general_names = R509::ASN1.general_name_parser(['email@domain.com','some@other.com'])
+      general_names.rfc_822_names.should == ['email@domain.com','some@other.com']
+    end
+
+    it "adds directoryNames via R509::Subject objects" do
+      s = R509::Subject.new([['CN','what-what']])
+      s2 = R509::Subject.new([['C','US'],['L','locality']])
+      general_names = R509::ASN1.general_name_parser([s,s2])
+      general_names.directory_names.size.should == 2
+      general_names.directory_names[0].CN.should == 'what-what'
+      general_names.directory_names[0].C.should be_nil
+      general_names.directory_names[1].C.should == 'US'
+      general_names.directory_names[1].L.should == 'locality'
+    end
+
+    it "adds directoryNames via arrays" do
+      s = [['CN','what-what']]
+      s2 = [['C','US'],['L','locality']]
+      general_names = R509::ASN1.general_name_parser([s,s2])
+      general_names.directory_names.size.should == 2
+      general_names.directory_names[0].CN.should == 'what-what'
+      general_names.directory_names[0].C.should be_nil
+      general_names.directory_names[1].C.should == 'US'
+      general_names.directory_names[1].L.should == 'locality'
+    end
+
+    it "adds a mix of SAN name types" do
+      general_names = R509::ASN1.general_name_parser(['1.2.3.4','http://langui.sh','email@address.local','domain.internal','2.3.4.5'])
+      general_names.ip_addresses.should == ['1.2.3.4','2.3.4.5']
+      general_names.dns_names.should == ['domain.internal']
+      general_names.uris.should == ['http://langui.sh']
+      general_names.rfc_822_names.should == ['email@address.local']
+    end
+
+    it "handles empty array" do
+      general_names = R509::ASN1.general_name_parser([])
+      general_names.names.size.should == 0
+    end
+
+  end
+end
+
+describe R509::ASN1::GeneralName do
+  context "parses types to tags within ::map_type_to_tag" do
+    it "handles otherName" do
+      R509::ASN1::GeneralName.map_type_to_tag(:otherName).should == 0
+      R509::ASN1::GeneralName.map_type_to_tag("otherName").should == 0
+    end
+    it "handles rfc822Name" do
+      R509::ASN1::GeneralName.map_type_to_tag(:rfc822Name).should == 1
+      R509::ASN1::GeneralName.map_type_to_tag("rfc822Name").should == 1
+      R509::ASN1::GeneralName.map_type_to_tag("email").should == 1
+    end
+    it "handles dNSName" do
+      R509::ASN1::GeneralName.map_type_to_tag(:dNSName).should == 2
+      R509::ASN1::GeneralName.map_type_to_tag("dNSName").should == 2
+      R509::ASN1::GeneralName.map_type_to_tag("DNS").should == 2
+    end
+    it "handles x400Address" do
+      R509::ASN1::GeneralName.map_type_to_tag(:x400Address).should == 3
+      R509::ASN1::GeneralName.map_type_to_tag("x400Address").should == 3
+    end
+    it "handles directoryName" do
+      R509::ASN1::GeneralName.map_type_to_tag(:directoryName).should == 4
+      R509::ASN1::GeneralName.map_type_to_tag("directoryName").should == 4
+      R509::ASN1::GeneralName.map_type_to_tag("dirName").should == 4
+    end
+    it "handles ediPartyName" do
+      R509::ASN1::GeneralName.map_type_to_tag(:ediPartyName).should == 5
+      R509::ASN1::GeneralName.map_type_to_tag("ediPartyName").should == 5
+    end
+    it "handles uniformResourceIdentifier" do
+      R509::ASN1::GeneralName.map_type_to_tag(:uniformResourceIdentifier).should == 6
+      R509::ASN1::GeneralName.map_type_to_tag("uniformResourceIdentifier").should == 6
+      R509::ASN1::GeneralName.map_type_to_tag("URI").should == 6
+    end
+    it "handles iPAddress" do
+      R509::ASN1::GeneralName.map_type_to_tag(:iPAddress).should == 7
+      R509::ASN1::GeneralName.map_type_to_tag("iPAddress").should == 7
+      R509::ASN1::GeneralName.map_type_to_tag("IP").should == 7
+    end
+    it "handles registeredID" do
+      R509::ASN1::GeneralName.map_type_to_tag(:registeredID).should == 8
+      R509::ASN1::GeneralName.map_type_to_tag("registeredID").should == 8
+    end
+  end
+  context "::map_tag_to_type" do
+    it "handles otherName" do
+      R509::ASN1::GeneralName.map_tag_to_type(0).should == :otherName
+    end
+    it "handles rfc822Name" do
+      R509::ASN1::GeneralName.map_tag_to_type(1).should == :rfc822Name
+    end
+    it "handles dNSName" do
+      R509::ASN1::GeneralName.map_tag_to_type(2).should == :dNSName
+    end
+    it "handles x400Address" do
+      R509::ASN1::GeneralName.map_tag_to_type(3).should == :x400Address
+    end
+    it "handles directoryName" do
+      R509::ASN1::GeneralName.map_tag_to_type(4).should == :directoryName
+    end
+    it "handles ediPartyName" do
+      R509::ASN1::GeneralName.map_tag_to_type(5).should == :ediPartyName
+    end
+    it "handles uniformResourceIdentifier" do
+      R509::ASN1::GeneralName.map_tag_to_type(6).should == :uniformResourceIdentifier
+    end
+    it "handles iPAddress" do
+      R509::ASN1::GeneralName.map_tag_to_type(7).should == :iPAddress
+    end
+    it "handles registeredID" do
+      R509::ASN1::GeneralName.map_tag_to_type(8).should == :registeredID
+    end
+    it "raises error with invalid tag" do
+      expect { R509::ASN1::GeneralName.map_tag_to_type(28) }.to raise_error(R509::R509Error,"Invalid tag 28")
+    end
+
+  end
+  context "::map_tag_to_serial_prefix" do
+    it "handles otherName" do
+      expect { R509::ASN1::GeneralName.map_tag_to_serial_prefix(0) }.to raise_error(R509::R509Error)
+    end
+    it "handles rfc822Name" do
+      R509::ASN1::GeneralName.map_tag_to_serial_prefix(1).should == "email"
+    end
+    it "handles dNSName" do
+      R509::ASN1::GeneralName.map_tag_to_serial_prefix(2).should == "DNS"
+    end
+    it "handles x400Address" do
+      expect { R509::ASN1::GeneralName.map_tag_to_serial_prefix(3) }.to raise_error(R509::R509Error)
+    end
+    it "handles directoryName" do
+      R509::ASN1::GeneralName.map_tag_to_serial_prefix(4).should == "dirName"
+    end
+    it "handles ediPartyName" do
+      expect { R509::ASN1::GeneralName.map_tag_to_serial_prefix(5) }.to raise_error(R509::R509Error)
+    end
+    it "handles uniformResourceIdentifier" do
+      R509::ASN1::GeneralName.map_tag_to_serial_prefix(6).should == "URI"
+    end
+    it "handles iPAddress" do
+      R509::ASN1::GeneralName.map_tag_to_serial_prefix(7).should == "IP"
+    end
+    it "handles registeredID" do
+      expect { R509::ASN1::GeneralName.map_tag_to_serial_prefix(8) }.to raise_error(R509::R509Error)
+    end
+  end
+  it "handles rfc822Name" do
+    der = "\x81\u0011myemail@email.com"
+    asn = OpenSSL::ASN1.decode der
+    gn = R509::ASN1::GeneralName.new(asn)
+    gn.type.should == :rfc822Name
+    gn.value.should == 'myemail@email.com'
+  end
+  it "handles dNSName" do
+    der = "\x82\u000Ewww.test.local"
+    asn = OpenSSL::ASN1.decode der
+    gn = R509::ASN1::GeneralName.new(asn)
+    gn.type.should == :dNSName
+    gn.value.should == 'www.test.local'
+  end
+  it "handles uniformResourceIdentifier" do
+    der = "\x86\u001Fhttp://www.test.local/subca.crl"
+    asn = OpenSSL::ASN1.decode der
+    gn = R509::ASN1::GeneralName.new(asn)
+    gn.type.should == :uniformResourceIdentifier
+    gn.value.should == "http://www.test.local/subca.crl"
+  end
+  it "handles iPAddress v4" do
+    der = "\x87\u0004\n\u0001\u0002\u0003"
+    asn = OpenSSL::ASN1.decode der
+    gn = R509::ASN1::GeneralName.new(asn)
+    gn.type.should == :iPAddress
+    gn.value.should == '10.1.2.3'
+  end
+  it "handles iPAddress v6" do
+    der = "\x87\x10\x00\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    asn = OpenSSL::ASN1.decode der
+    gn = R509::ASN1::GeneralName.new(asn)
+    gn.type.should == :iPAddress
+    gn.value.should == 'ff::'
+  end
+  it "handles iPAddress v4 with netmask" do
+    der = "\x87\b\n\x01\x02\x03\xFF\xFF\xFF\xFF"
+    asn = OpenSSL::ASN1.decode der
+    gn = R509::ASN1::GeneralName.new(asn)
+    gn.type.should == :iPAddress
+    gn.value.should == '10.1.2.3/255.255.255.255'
+  end
+  it "handles iPAddress v6 with netmask" do
+    der = "\x87 \x00\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\x00\xFF\x00\xFF\x00\xFF\x00\xFF\x00\xFF\x00\xFF\x00\xFF"
+    asn = OpenSSL::ASN1.decode der
+    gn = R509::ASN1::GeneralName.new(asn)
+    gn.type.should == :iPAddress
+    gn.value.should == 'ff::/ff:ff:ff:ff:ff:ff:ff:ff'
+  end
+  it "handles directoryName" do
+    der = "\xA4`0^1\v0\t\u0006\u0003U\u0004\u0006\u0013\u0002US1\u00110\u000F\u0006\u0003U\u0004\b\f\bIllinois1\u00100\u000E\u0006\u0003U\u0004\a\f\aChicago1\u00180\u0016\u0006\u0003U\u0004\n\f\u000FRuby CA Project1\u00100\u000E\u0006\u0003U\u0004\u0003\f\aTest CA"
+    asn = OpenSSL::ASN1.decode der
+    gn = R509::ASN1::GeneralName.new(asn)
+    gn.type.should == :directoryName
+    gn.value.to_s.should == '/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA'
+  end
+  it "errors on unimplemented type" do
+    # otherName type
+    der = "\xA0\u0014\u0006\u0003*\u0003\u0004\xA0\r\u0016\vHello World"
+    asn = OpenSSL::ASN1.decode der
+    expect { R509::ASN1::GeneralName.new(asn) }.to raise_error(R509::R509Error, "Unimplemented GeneralName tag: 0. At this time R509 does not support GeneralName types other than rfc822Name, dNSName, uniformResourceIdentifier, iPAddress, and directoryName")
+  end
+end
+
+describe R509::ASN1::GeneralNames do
+  it "adds items of allowed type to the object" do
+    asn = OpenSSL::ASN1.decode "\x82\u000Ewww.test.local"
+    asn2 = OpenSSL::ASN1.decode "\x81\u0011myemail@email.com"
+    asn3 = OpenSSL::ASN1.decode "\x82\u000Ewww.text.local"
+    gns = R509::ASN1::GeneralNames.new
+    gns.add_item(asn)
+    gns.add_item(asn2)
+    gns.add_item(asn3)
+    gns.dns_names.should == ["www.test.local","www.text.local"]
+    gns.rfc_822_names.should == ["myemail@email.com"]
+  end
+  it "errors on unimplemented type" do
+    # otherName type
+    gns = R509::ASN1::GeneralNames.new
+    der = "\xA0\u0014\u0006\u0003*\u0003\u0004\xA0\r\u0016\vHello World"
+    asn = OpenSSL::ASN1.decode der
+    expect { gns.add_item(asn) }.to raise_error(R509::R509Error, "Unimplemented GeneralName tag: 0. At this time R509 does not support GeneralName types other than rfc822Name, dNSName, uniformResourceIdentifier, iPAddress, and directoryName")
+  end
+  it "preserves order" do
+    asn = OpenSSL::ASN1.decode "\x82\u000Ewww.test.local"
+    asn2 = OpenSSL::ASN1.decode "\x81\u0011myemail@email.com"
+    asn3 = OpenSSL::ASN1.decode "\x82\u000Ewww.text.local"
+    gns = R509::ASN1::GeneralNames.new
+    gns.add_item(asn)
+    gns.add_item(asn2)
+    gns.add_item(asn3)
+    gns.names.count.should == 3
+    gns.names[0].type.should == :dNSName
+    gns.names[0].value.should == "www.test.local"
+    gns.names[1].type.should == :rfc822Name
+    gns.names[1].value.should == "myemail@email.com"
+    gns.names[2].type.should == :dNSName
+    gns.names[2].value.should == "www.text.local"
+  end
+
+  it "allows #uniq-ing of #names" do
+    gns = R509::ASN1::GeneralNames.new
+    gns.create_item(:tag => 1, :value => "test")
+    gns.create_item(:tag => 1, :value => "test")
+    gns.names.count.should == 2
+    gns.names.uniq.count.should == 1
+  end
+
+  it "errors with invalid params to #create_item" do
+    gns = R509::ASN1::GeneralNames.new
+    expect { gns.create_item({}) }.to raise_error(ArgumentError,'Must be a hash with (:tag or :type) and :value nodes')
+  end
+
+  it "allows addition of directoryNames with #create_item passing existing subject object" do
+    gns = R509::ASN1::GeneralNames.new
+    s = R509::Subject.new([['C','US'],['L','locality']])
+    gns.directory_names.size.should == 0
+    gns.create_item( :tag => 4, :value => s )
+    gns.directory_names.size.should == 1
+  end
+  it "allows addition of directoryNames with #create_item passing array" do
+    gns = R509::ASN1::GeneralNames.new
+    gns.directory_names.size.should == 0
+    gns.create_item( :tag => 4, :value => [['C','US'],['L','locality']] )
+    gns.directory_names.size.should == 1
+  end
+end
+
+describe R509::ASN1::PolicyInformation do
+  it "loads data with a policy oid but no qualifiers" do
+    data = OpenSSL::ASN1.decode "0\r\u0006\v`\x86H\u0001\xE09\u0001\u0002\u0003\u0004\u0001"
+    pi = R509::ASN1::PolicyInformation.new(data)
+    pi.policy_identifier.should == '2.16.840.1.12345.1.2.3.4.1'
+    pi.policy_qualifiers.should be_nil
+  end
+  it "loads data with a policy oid and a single qualifier" do
+    data = OpenSSL::ASN1.decode "0U\u0006\v`\x86H\u0001\xE09\u0001\u0002\u0003\u0004\u00010F0\"\u0006\b+\u0006\u0001\u0005\u0005\a\u0002\u0001\u0016\u0016http://example.com/cps0 \u0006\b+\u0006\u0001\u0005\u0005\a\u0002\u0001\u0016\u0014http://other.com/cps"
+    pi = R509::ASN1::PolicyInformation.new(data)
+    pi.policy_identifier.should == '2.16.840.1.12345.1.2.3.4.1'
+    pi.policy_qualifiers.cps_uris.empty?.should == false
+    pi.policy_qualifiers.user_notices.empty?.should == true
+  end
+  it "loads data with a policy oid and multiple qualifiers" do
+    data = OpenSSL::ASN1.decode "0\x81\x94\u0006\n`\x86H\u0001\x86\x8D\u001F\u0015\x81k0\x81\x850#\u0006\b+\u0006\u0001\u0005\u0005\a\u0002\u0001\u0016\u0017http://example.com/cps20;\u0006\b+\u0006\u0001\u0005\u0005\a\u0002\u00020/0\u0018\u0016\vanother org0\t\u0002\u0001\u0003\u0002\u0001\u0002\u0002\u0001\u0001\u001A\u0013this is a bad thing0!\u0006\b+\u0006\u0001\u0005\u0005\a\u0002\u00020\u0015\u001A\u0013another user notice"
+    pi = R509::ASN1::PolicyInformation.new(data)
+    pi.policy_identifier.should == '2.16.840.1.99999.21.235'
+    pi.policy_qualifiers.cps_uris.empty?.should == false
+    pi.policy_qualifiers.user_notices.empty?.should == false
+  end
+end
+
+describe R509::ASN1::PolicyQualifiers do
+  before :each do
+    @pq = R509::ASN1::PolicyQualifiers.new
+  end
+
+  it "initializes empty cps_uris and user_notices" do
+    @pq.should_not be_nil
+    @pq.cps_uris.empty?.should == true
+    @pq.user_notices.empty?.should == true
+  end
+  it "parses a cps qualifier and adds it to cps_uris" do
+    data = OpenSSL::ASN1.decode "0#\u0006\b+\u0006\u0001\u0005\u0005\a\u0002\u0001\u0016\u0017http://example.com/cps2"
+    @pq.parse(data)
+    @pq.cps_uris.should == ['http://example.com/cps2']
+    @pq.user_notices.should == []
+  end
+  it "parses a user notice and adds it to user_notices" do
+    data = OpenSSL::ASN1.decode "0!\u0006\b+\u0006\u0001\u0005\u0005\a\u0002\u00020\u0015\u001A\u0013another user notice"
+    @pq.parse(data)
+    @pq.cps_uris.should == []
+    @pq.user_notices.count.should == 1
+  end
+end
+
+describe R509::ASN1::UserNotice do
+  it "loads data with both a notice reference and explicit text" do
+    data = OpenSSL::ASN1.decode "0\u001F0\u0016\u0016\u0006my org0\f\u0002\u0001\u0001\u0002\u0001\u0002\u0002\u0001\u0003\u0002\u0001\u0004\u001A\u0005thing"
+    un = R509::ASN1::UserNotice.new(data)
+    un.notice_reference.should_not be_nil
+    un.explicit_text.should == 'thing'
+  end
+  it "loads data with a notice reference" do
+    data = OpenSSL::ASN1.decode "0\u00180\u0016\u0016\u0006my org0\f\u0002\u0001\u0001\u0002\u0001\u0002\u0002\u0001\u0003\u0002\u0001\u0004"
+    un = R509::ASN1::UserNotice.new(data)
+    un.notice_reference.should_not be_nil
+    un.explicit_text.should be_nil
+  end
+  it "loads data with an explicit text" do
+    data = OpenSSL::ASN1.decode "0\a\u001A\u0005thing"
+    un = R509::ASN1::UserNotice.new(data)
+    un.notice_reference.should be_nil
+    un.explicit_text.should == 'thing'
+  end
+end
+
+describe R509::ASN1::NoticeReference do
+  it "loads data with an org and no notice numbers" do
+    data = OpenSSL::ASN1.decode "0\n\u0016\u0006my org0\u0000"
+    nr = R509::ASN1::NoticeReference.new(data)
+    nr.organization.should == 'my org'
+    nr.notice_numbers.should == []
+  end
+  it "loads data with an org and 1 notice number" do
+    data = OpenSSL::ASN1.decode "0\r\u0016\u0006my org0\u0003\u0002\u0001\u0001"
+    nr = R509::ASN1::NoticeReference.new(data)
+    nr.organization.should == 'my org'
+    nr.notice_numbers.should == [1]
+  end
+  it "loads data with an org and more than 1 notice number" do
+    data = OpenSSL::ASN1.decode "0\u0016\u0016\u0006my org0\f\u0002\u0001\u0001\u0002\u0001\u0002\u0002\u0001\u0003\u0002\u0001\u0004"
+    nr = R509::ASN1::NoticeReference.new(data)
+    nr.organization.should == 'my org'
+    nr.notice_numbers.should == [1,2,3,4]
+  end
+end