r509 0.8.1 → 0.9

data/spec/config_spec.rb

@@ -2,348 +2,561 @@ require 'spec_helper'
 require 'r509/config'
 require 'r509/exceptions'
 
-describe R509::Config::CaConfigPool do
-    context "defined manually" do
-        it "has no configs" do
-            pool = R509::Config::CaConfigPool.new({})
-
-            pool["first"].should == nil
-        end
-
-        it "has one config" do
-            config = R509::Config::CaConfig.new(
-                :ca_cert => TestFixtures.test_ca_cert,
-                :profiles => { "first_profile" => R509::Config::CaProfile.new }
-            )
-
-            pool = R509::Config::CaConfigPool.new({
-                "first" => config
-            })
-
-            pool["first"].should == config
-        end
-    end
-
-    context "all configs" do
-        it "no configs" do
-            pool = R509::Config::CaConfigPool.new({})
-            pool.all.should == []
-        end
-
-        it "one config" do
-            config = R509::Config::CaConfig.new(
-                :ca_cert => TestFixtures.test_ca_cert,
-                :profiles => { "first_profile" => R509::Config::CaProfile.new }
-            )
-
-            pool = R509::Config::CaConfigPool.new({
-                "first" => config
-            })
-
-            pool.all.should == [config]
-        end
-
-        it "two configs" do
-            config1 = R509::Config::CaConfig.new(
-                :ca_cert => TestFixtures.test_ca_cert,
-                :profiles => { "first_profile" => R509::Config::CaProfile.new }
-            )
-            config2 = R509::Config::CaConfig.new(
-                :ca_cert => TestFixtures.test_ca_cert,
-                :profiles => { "first_profile" => R509::Config::CaProfile.new }
-            )
-
-            pool = R509::Config::CaConfigPool.new({
-                "first" => config1,
-                "second" => config2
-            })
-
-            pool.all.size.should == 2
-            pool.all.include?(config1).should == true
-            pool.all.include?(config2).should == true
-        end
-    end
-
-    context "loaded from YAML" do
-        it "should load two configs" do
-            pool = R509::Config::CaConfigPool.from_yaml("certificate_authorities", File.read("#{File.dirname(__FILE__)}/fixtures/config_pool_test_minimal.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-
-            pool.names.should include("test_ca", "second_ca")
-
-            pool["test_ca"].should_not == nil
-            pool["test_ca"].num_profiles.should == 0
-            pool["second_ca"].should_not == nil
-            pool["second_ca"].num_profiles.should == 0
-        end
-    end
-end
+describe R509::Config::CAConfigPool do
+  context "defined manually" do
+    it "has no configs" do
+      pool = R509::Config::CAConfigPool.new({})
 
-describe R509::Config::CaConfig do
-    before :each do
-        @config = R509::Config::CaConfig.new(
-            :ca_cert => TestFixtures.test_ca_cert
-        )
+      pool["first"].should == nil
     end
 
-    subject {@config}
+    it "has one config" do
+      config = R509::Config::CAConfig.new(
+        :ca_cert => TestFixtures.test_ca_cert,
+        :profiles => { "first_profile" => R509::Config::CAProfile.new }
+      )
 
-    its(:message_digest) {should == "SHA1"}
-    its(:crl_validity_hours) {should == 168}
-    its(:ocsp_validity_hours) {should == 168}
-    its(:ocsp_start_skew_seconds) {should == 3600}
-    its(:cdp_location) {should be_nil}
-    its(:ocsp_location) {should be_nil}
-    its(:num_profiles) {should == 0}
+      pool = R509::Config::CAConfigPool.new({
+        "first" => config
+      })
 
-    it "should have the proper CA cert" do
-        @config.ca_cert.to_pem.should == TestFixtures.test_ca_cert.to_pem
+      pool["first"].should == config
     end
+  end
 
-    it "should have the proper CA key" do
-        @config.ca_cert.key.to_pem.should == TestFixtures.test_ca_cert.key.to_pem
+  context "all configs" do
+    it "no configs" do
+      pool = R509::Config::CAConfigPool.new({})
+      pool.all.should == []
     end
 
-    it "raises an error if you don't pass :ca_cert" do
-        expect { R509::Config::CaConfig.new(:crl_validity_hours => 2) }.to raise_error ArgumentError, 'Config object requires that you pass :ca_cert'
-    end
-    it "raises an error if :ca_cert is not of type R509::Cert" do
-        expect { R509::Config::CaConfig.new(:ca_cert => 'not a cert, and not right type') }.to raise_error ArgumentError, ':ca_cert must be of type R509::Cert'
-    end
-    it "loads the config even if :ca_cert does not contain a private key" do
-        config = R509::Config::CaConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
-        config.ca_cert.subject.to_s.should_not be_nil
-    end
-    it "raises an error if :ocsp_cert that is not R509::Cert" do
-        expect { R509::Config::CaConfig.new(:ca_cert => TestFixtures.test_ca_cert, :ocsp_cert => "not a cert") }.to raise_error ArgumentError, ':ocsp_cert, if provided, must be of type R509::Cert'
-    end
-    it "raises an error if :ocsp_cert does not contain a private key" do
-        expect { R509::Config::CaConfig.new( :ca_cert => TestFixtures.test_ca_cert, :ocsp_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) ) }.to raise_error ArgumentError, ':ocsp_cert must contain a private key, not just a certificate'
-    end
-    it "returns the correct cert object on #ocsp_cert if none is specified" do
-        @config.ocsp_cert.should == @config.ca_cert
-    end
-    it "returns the correct cert object on #ocsp_cert if an ocsp_cert was specified" do
-        ocsp_cert = R509::Cert.new(
-            :cert => TestFixtures::TEST_CA_OCSP_CERT,
-            :key => TestFixtures::TEST_CA_OCSP_KEY
-        )
-        config = R509::Config::CaConfig.new(
-            :ca_cert => TestFixtures.test_ca_cert,
-            :ocsp_cert => ocsp_cert
-        )
+    it "one config" do
+      config = R509::Config::CAConfig.new(
+        :ca_cert => TestFixtures.test_ca_cert,
+        :profiles => { "first_profile" => R509::Config::CAProfile.new }
+      )
 
-        config.ocsp_cert.should == ocsp_cert
-    end
-    it "fails to specify a non-Config::CaProfile as the profile" do
-        config = R509::Config::CaConfig.new(
-            :ca_cert => TestFixtures.test_ca_cert
-        )
+      pool = R509::Config::CAConfigPool.new({
+        "first" => config
+      })
 
-        expect{ config.set_profile("bogus", "not a Config::CaProfile")}.to raise_error TypeError
+      pool.all.should == [config]
     end
 
-    it "shouldn't let you specify a profile that's not a Config::CaProfile, on instantiation" do
-        expect{ R509::Config::CaConfig.new(
-            :ca_cert => TestFixtures.test_ca_cert,
-            :profiles => { "first_profile" => "not a Config::CaProfile" }
-        ) }.to raise_error TypeError
-    end
+    it "two configs" do
+      config1 = R509::Config::CAConfig.new(
+        :ca_cert => TestFixtures.test_ca_cert,
+        :profiles => { "first_profile" => R509::Config::CAProfile.new }
+      )
+      config2 = R509::Config::CAConfig.new(
+        :ca_cert => TestFixtures.test_ca_cert,
+        :profiles => { "first_profile" => R509::Config::CAProfile.new }
+      )
 
-    it "can specify a single profile" do
-        first_profile = R509::Config::CaProfile.new
+      pool = R509::Config::CAConfigPool.new({
+        "first" => config1,
+        "second" => config2
+      })
 
-        config = R509::Config::CaConfig.new(
-            :ca_cert => TestFixtures.test_ca_cert,
-            :profiles => { "first_profile" => first_profile }
-        )
-
-        config.profile("first_profile").should == first_profile
+      pool.all.size.should == 2
+      pool.all.include?(config1).should == true
+      pool.all.include?(config2).should == true
     end
+  end
 
-    it "raises an error if you specify an invalid profile" do
-        first_profile = R509::Config::CaProfile.new
+  context "loaded from YAML" do
+    it "should load two configs" do
+      pool = R509::Config::CAConfigPool.from_yaml("certificate_authorities", File.read("#{File.dirname(__FILE__)}/fixtures/config_pool_test_minimal.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
 
-        config = R509::Config::CaConfig.new(
-            :ca_cert => TestFixtures.test_ca_cert,
-            :profiles => { "first_profile" => first_profile }
-        )
+      pool.names.should include("test_ca", "second_ca")
 
-        expect { config.profile("non-existent-profile") }.to raise_error(R509::R509Error, "unknown profile 'non-existent-profile'")
+      pool["test_ca"].should_not == nil
+      pool["test_ca"].num_profiles.should == 0
+      pool["second_ca"].should_not == nil
+      pool["second_ca"].num_profiles.should == 0
     end
+  end
+end
 
-    it "should load YAML" do
-        config = R509::Config::CaConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-        config.crl_validity_hours.should == 72
-        config.ocsp_validity_hours.should == 96
-        config.message_digest.should == "SHA1"
-        config.num_profiles.should == 3
-    end
-    it "loads OCSP cert/key from yaml" do
-        config = R509::Config::CaConfig.from_yaml("ocsp_delegate_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-        config.ocsp_cert.has_private_key?.should == true
-        config.ocsp_cert.subject.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=r509 LLC/CN=r509 OCSP Signer"
-    end
-    it "loads OCSP pkcs12 from yaml" do
-        config = R509::Config::CaConfig.from_yaml("ocsp_pkcs12_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-        config.ocsp_cert.has_private_key?.should == true
-        config.ocsp_cert.subject.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=r509 LLC/CN=r509 OCSP Signer"
-    end
-    it "loads OCSP cert/key in engine from yaml" do
-        #most of this code path is tested by loading ca_cert engine.
-        #look there for the extensive doubling
-        expect { R509::Config::CaConfig.from_yaml("ocsp_engine_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error,"You must supply a key_name with an engine")
-    end
-    it "loads OCSP chain from yaml" do
-        config = R509::Config::CaConfig.from_yaml("ocsp_chain_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-        config.ocsp_chain.size.should == 2
-        config.ocsp_chain[0].kind_of?(OpenSSL::X509::Certificate).should == true
-        config.ocsp_chain[1].kind_of?(OpenSSL::X509::Certificate).should == true
-    end
-    it "should load subject_item_policy from yaml (if present)" do
-        config = R509::Config::CaConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-        config.profile("server").subject_item_policy.should be_nil
-        config.profile("server_with_subject_item_policy").subject_item_policy.optional.should include("O","OU")
-        config.profile("server_with_subject_item_policy").subject_item_policy.required.should include("CN","ST","C")
-    end
+describe R509::Config::CAConfig do
+  before :each do
+    @config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert
+    )
+  end
 
-    it "should load YAML which only has a CA Cert and Key defined" do
-        config = R509::Config::CaConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_minimal.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-        config.num_profiles.should == 0
-    end
+  subject {@config}
 
-    it "should load YAML which has CA cert and key with password" do
-        expect { R509::Config::CaConfig.from_yaml("password_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_password.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to_not raise_error
-    end
+  its(:message_digest) {should == "SHA1"}
+  its(:crl_validity_hours) {should == 168}
+  its(:ocsp_validity_hours) {should == 168}
+  its(:ocsp_start_skew_seconds) {should == 3600}
+  its(:cdp_location) {should be_nil}
+  its(:ocsp_location) {should be_nil}
+  its(:num_profiles) {should == 0}
 
-    it "should load YAML which has a PKCS12 with password" do
-        expect { R509::Config::CaConfig.from_yaml("pkcs12_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to_not raise_error
-    end
+  it "should have the proper CA cert" do
+    @config.ca_cert.to_pem.should == TestFixtures.test_ca_cert.to_pem
+  end
 
-    it "raises error on YAML with pkcs12 and key" do
-        expect { R509::Config::CaConfig.from_yaml("pkcs12_key_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error, "You can't specify both pkcs12 and key")
-    end
+  it "should have the proper CA key" do
+    @config.ca_cert.key.to_pem.should == TestFixtures.test_ca_cert.key.to_pem
+  end
 
-    it "raises error on YAML with pkcs12 and cert" do
-        expect { R509::Config::CaConfig.from_yaml("pkcs12_cert_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error, "You can't specify both pkcs12 and cert")
+  context "validates data" do
+    it "raises an error if you don't pass :ca_cert" do
+      expect { R509::Config::CAConfig.new(:crl_validity_hours => 2) }.to raise_error ArgumentError, 'Config object requires that you pass :ca_cert'
     end
-
-    it "raises error on YAML with pkcs12 and engine" do
-        expect { R509::Config::CaConfig.from_yaml("pkcs12_engine_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error, "You can't specify both engine and pkcs12")
+    it "raises an error if :ca_cert is not of type R509::Cert" do
+      expect { R509::Config::CAConfig.new(:ca_cert => 'not a cert, and not right type') }.to raise_error ArgumentError, ':ca_cert must be of type R509::Cert'
     end
-
-    it "loads config with cert and no key (useful in certain cases)" do
-        config = R509::Config::CaConfig.from_yaml("cert_no_key_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-        config.ca_cert.subject.to_s.should_not be_nil
+    it "raises an error if :ocsp_cert that is not R509::Cert" do
+      expect { R509::Config::CAConfig.new(:ca_cert => TestFixtures.test_ca_cert, :ocsp_cert => "not a cert") }.to raise_error ArgumentError, ':ocsp_cert, if provided, must be of type R509::Cert'
     end
+    it "raises an error if :ocsp_cert does not contain a private key" do
+      expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :ocsp_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) ) }.to raise_error ArgumentError, ':ocsp_cert must contain a private key, not just a certificate'
+    end
+    it "raises an error if you pass an ocsp_location that is not an array" do
+      expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :ocsp_location => "some-url" ) }.to raise_error(ArgumentError, 'ocsp_location must be an array if provided')
+    end
+    it "raises an error if you pass a ca_issuers_location that is not an array" do
+      expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :ca_issuers_location => "some-url" ) }.to raise_error(ArgumentError, 'ca_issuers_location must be an array if provided')
+    end
+    it "raises an error if you pass a cdp_location that is not an array" do
+      expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :cdp_location => "some-url" ) }.to raise_error(ArgumentError, 'cdp_location must be an array if provided')
+    end
+  end
+  it "loads the config even if :ca_cert does not contain a private key" do
+    config = R509::Config::CAConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
+    config.ca_cert.subject.to_s.should_not be_nil
+  end
+  it "returns the correct cert object on #ocsp_cert if none is specified" do
+    @config.ocsp_cert.should == @config.ca_cert
+  end
+  it "returns the correct cert object on #ocsp_cert if an ocsp_cert was specified" do
+    ocsp_cert = R509::Cert.new(
+      :cert => TestFixtures::TEST_CA_OCSP_CERT,
+      :key => TestFixtures::TEST_CA_OCSP_KEY
+    )
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+      :ocsp_cert => ocsp_cert
+    )
+
+    config.ocsp_cert.should == ocsp_cert
+  end
+  it "fails to specify a non-Config::CAProfile as the profile" do
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert
+    )
+
+    expect{ config.set_profile("bogus", "not a Config::CAProfile")}.to raise_error TypeError
+  end
+
+  it "shouldn't let you specify a profile that's not a Config::CAProfile, on instantiation" do
+    expect{ R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+      :profiles => { "first_profile" => "not a Config::CAProfile" }
+    ) }.to raise_error TypeError
+  end
+
+  it "can specify a single profile" do
+    first_profile = R509::Config::CAProfile.new
+
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+      :profiles => { "first_profile" => first_profile }
+    )
+
+    config.profile("first_profile").should == first_profile
+  end
+
+  it "raises an error if you specify an invalid profile" do
+    first_profile = R509::Config::CAProfile.new
+
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+      :profiles => { "first_profile" => first_profile }
+    )
+
+    expect { config.profile("non-existent-profile") }.to raise_error(R509::R509Error, "unknown profile 'non-existent-profile'")
+  end
+
+  it "should load YAML" do
+    config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+    config.crl_validity_hours.should == 72
+    config.ocsp_validity_hours.should == 96
+    config.message_digest.should == "SHA1"
+    config.num_profiles.should == 7
+    config.profile("ocsp_delegate_with_no_check").ocsp_no_check.should == true
+    config.profile("inhibit_policy").inhibit_any_policy.should == 2
+    config.profile("policy_constraints").policy_constraints["require_explicit_policy"].should == 1
+    config.profile("policy_constraints").policy_constraints["inhibit_policy_mapping"].should == 0
+    config.profile("name_constraints").name_constraints.should_not be_nil
+  end
+  it "loads OCSP cert/key from yaml" do
+    config = R509::Config::CAConfig.from_yaml("ocsp_delegate_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+    config.ocsp_cert.has_private_key?.should == true
+    config.ocsp_cert.subject.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=r509 LLC/CN=r509 OCSP Signer"
+  end
+  it "loads OCSP pkcs12 from yaml" do
+    config = R509::Config::CAConfig.from_yaml("ocsp_pkcs12_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+    config.ocsp_cert.has_private_key?.should == true
+    config.ocsp_cert.subject.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=r509 LLC/CN=r509 OCSP Signer"
+  end
+  it "loads OCSP cert/key in engine from yaml" do
+    #most of this code path is tested by loading ca_cert engine.
+    #look there for the extensive doubling
+    expect { R509::Config::CAConfig.from_yaml("ocsp_engine_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError,"You must supply a key_name with an engine")
+  end
+  it "loads OCSP chain from yaml" do
+    config = R509::Config::CAConfig.from_yaml("ocsp_chain_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+    config.ocsp_chain.size.should == 2
+    config.ocsp_chain[0].kind_of?(OpenSSL::X509::Certificate).should == true
+    config.ocsp_chain[1].kind_of?(OpenSSL::X509::Certificate).should == true
+  end
+  it "should load subject_item_policy from yaml (if present)" do
+    config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+    config.profile("server").subject_item_policy.should be_nil
+    config.profile("server_with_subject_item_policy").subject_item_policy.optional.should include("O","OU")
+    config.profile("server_with_subject_item_policy").subject_item_policy.required.should include("CN","ST","C")
+  end
+
+  it "should load YAML which only has a CA Cert and Key defined" do
+    config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_minimal.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+    config.num_profiles.should == 0
+  end
+
+  it "should load YAML which has CA cert and key with password" do
+    expect { R509::Config::CAConfig.from_yaml("password_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_password.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to_not raise_error
+  end
+
+  it "should load YAML which has a PKCS12 with password" do
+    expect { R509::Config::CAConfig.from_yaml("pkcs12_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to_not raise_error
+  end
+
+  it "raises error on YAML with pkcs12 and key" do
+    expect { R509::Config::CAConfig.from_yaml("pkcs12_key_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both pkcs12 and key")
+  end
+
+  it "raises error on YAML with pkcs12 and cert" do
+    expect { R509::Config::CAConfig.from_yaml("pkcs12_cert_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both pkcs12 and cert")
+  end
+
+  it "raises error on YAML with pkcs12 and engine" do
+    expect { R509::Config::CAConfig.from_yaml("pkcs12_engine_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both engine and pkcs12")
+  end
+
+  it "loads config with cert and no key (useful in certain cases)" do
+    config = R509::Config::CAConfig.from_yaml("cert_no_key_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+    config.ca_cert.subject.to_s.should_not be_nil
+  end
+
+  it "should load YAML which has an engine" do
+    #i can test this, it's just gonna take a whole lot of floorin' it!
+    conf = double("conf")
+    engine = double("engine")
+    faux_key = double("faux_key")
+
+    public_key = OpenSSL::PKey::RSA.new("-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqLfP8948QEZMMkZNHLDP\nOHZVrPdVvecD6bp8dz96LalMQiWjgMkJf7mPHXoNMQ5rIpntiUOmhupu+sty30+C\ndbZZIbZohioTSYq9ZIC/LC9ME12F78GRMKhBGA+ZiouzWvXqOEdMnanfSgKrlSIS\nssF71dfmOEQ08fn9Vl5jAgWmGe+v615iHqBNGr64kYooTrZYLaPlTScO1UZ76vnB\nHfNQU+tsEZNXxtZXKQqkxHxLShCOj6qmYRNn/upTZoWWd04+zXjYGEC3eKvi9ctN\n9FY+KJ6QCCa8H0Kt3cU5qyw6pzdljhbG6NKhod7OMqlGjmHdsCAYAqe3xH+V/8oe\ndwIDAQAB\n-----END PUBLIC KEY-----\n")
+
+    conf.should_receive(:kind_of?).with(Hash).and_return(true)
+    conf.should_receive(:[]).with("ca_cert").and_return(
+      "cert" => "#{File.dirname(__FILE__)}/fixtures/test_ca.cer",
+      "engine" => engine,
+      "key_name" => "r509_key"
+    )
+    conf.should_receive(:[]).at_least(1).times.and_return(nil)
+    conf.should_receive(:has_key?).at_least(1).times.and_return(false)
+
+    engine.should_receive(:respond_to?).with(:load_private_key).and_return(true)
+    engine.should_receive(:kind_of?).with(OpenSSL::Engine).and_return(true)
+    faux_key.should_receive(:public_key).and_return(public_key)
+    engine.should_receive(:load_private_key).twice.with("r509_key").and_return(faux_key)
+
+    config = R509::Config::CAConfig.load_from_hash(conf)
+  end
+
+  it "should fail if YAML for ca_cert contains engine and key" do
+    expect { R509::Config::CAConfig.from_yaml("engine_and_key", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_engine_key.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both key and engine")
+  end
+
+  it "should fail if YAML for ca_cert contains engine but no key_name" do
+    expect { R509::Config::CAConfig.from_yaml("engine_no_key_name", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_engine_no_key_name.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, 'You must supply a key_name with an engine')
+  end
+
+  it "should fail if YAML config is null" do
+    expect{ R509::Config::CAConfig.from_yaml("no_config_here", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError)
+  end
+
+  it "should fail if YAML config isn't a hash" do
+    expect{ R509::Config::CAConfig.from_yaml("config_is_string", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError)
+  end
+
+  it "should fail if YAML config doesn't give a root CA directory that's a directory" do
+    expect{ R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures/no_directory_here"}) }.to raise_error(R509::R509Error)
+  end
+
+  it "should load YAML from filename" do
+    config = R509::Config::CAConfig.load_yaml("test_ca", "#{File.dirname(__FILE__)}/fixtures/config_test.yaml", {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+    config.crl_validity_hours.should == 72
+    config.ocsp_validity_hours.should == 96
+    config.message_digest.should == "SHA1"
+  end
+
+  it "can specify crl_number_file" do
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+      :crl_number_file => "crl_number_file.txt"
+    )
+    config.crl_number_file.should == 'crl_number_file.txt'
+  end
+
+  it "can specify crl_list_file" do
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+      :crl_list_file => "crl_list_file.txt"
+    )
+    config.crl_list_file.should == 'crl_list_file.txt'
+  end
 
-    it "should load YAML which has an engine" do
-        #i can test this, it's just gonna take a whole lot of floorin' it!
-        conf = double("conf")
-        engine = double("engine")
-        faux_key = double("faux_key")
-
-        public_key = OpenSSL::PKey::RSA.new("-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqLfP8948QEZMMkZNHLDP\nOHZVrPdVvecD6bp8dz96LalMQiWjgMkJf7mPHXoNMQ5rIpntiUOmhupu+sty30+C\ndbZZIbZohioTSYq9ZIC/LC9ME12F78GRMKhBGA+ZiouzWvXqOEdMnanfSgKrlSIS\nssF71dfmOEQ08fn9Vl5jAgWmGe+v615iHqBNGr64kYooTrZYLaPlTScO1UZ76vnB\nHfNQU+tsEZNXxtZXKQqkxHxLShCOj6qmYRNn/upTZoWWd04+zXjYGEC3eKvi9ctN\n9FY+KJ6QCCa8H0Kt3cU5qyw6pzdljhbG6NKhod7OMqlGjmHdsCAYAqe3xH+V/8oe\ndwIDAQAB\n-----END PUBLIC KEY-----\n")
-
-        conf.should_receive(:kind_of?).with(Hash).and_return(true)
-        conf.should_receive(:[]).with("ca_cert").and_return(
-            "cert" => "#{File.dirname(__FILE__)}/fixtures/test_ca.cer",
-            "engine" => engine,
-            "key_name" => "r509_key"
-        )
-        conf.should_receive(:[]).at_least(1).times.and_return(nil)
-        conf.should_receive(:has_key?).at_least(1).times.and_return(false)
+end
 
-        engine.should_receive(:respond_to?).with(:load_private_key).and_return(true)
-        engine.should_receive(:kind_of?).with(OpenSSL::Engine).and_return(true)
-        faux_key.should_receive(:public_key).and_return(public_key)
-        engine.should_receive(:load_private_key).with("r509_key").and_return(faux_key)
+describe R509::Config::SubjectItemPolicy do
+  it "raises an error if you supply a non-hash" do
+    expect { R509::Config::SubjectItemPolicy.new('string') }.to raise_error(ArgumentError, "Must supply a hash in form 'shortname'=>'required/optional'")
+  end
+  it "raises an error if a required element is missing" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required")
+    subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+    expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, /This profile requires you supply/)
+  end
+  it "raises an error if your hash values are anything other than required or optional" do
+    expect { R509::Config::SubjectItemPolicy.new("CN" => "somethirdoption") }.to raise_error(ArgumentError, "Unknown subject item policy value. Allowed values are required and optional")
+  end
+  it "validates a subject with the same fields as the policy" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional")
+    subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+    validated_subject = subject_item_policy.validate_subject(subject)
+    validated_subject.to_s.should == subject.to_s
+  end
+  it "preserves subject order when applying policies" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required", "C" => "required")
+    subject = R509::Subject.new [["C","US"],["L","Chicago"],["ST","Illinois"],["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+    validated_subject = subject_item_policy.validate_subject(subject)
+    validated_subject.to_s.should == "/C=US/L=Chicago/CN=langui.sh/OU=Org Unit/O=Org"
+  end
+  it "does not match if you get case of subject_item_policy element wrong" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("cn" => "required")
+    subject = R509::Subject.new [["CN","langui.sh"]]
+    expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, 'This profile requires you supply cn')
+  end
+  it "removes subject items that are not in the policy" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required")
+    subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+    validated_subject = subject_item_policy.validate_subject(subject)
+    validated_subject.to_s.should == "/CN=langui.sh"
+  end
+  it "does not reorder subject items as it validates" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required")
+    subject = R509::Subject.new [["L","Chicago"],["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+    validated_subject = subject_item_policy.validate_subject(subject)
+    validated_subject.to_s.should == subject.to_s
+  end
+  it "loads all the required and optional elements" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required", "emailAddress" => "optional")
+    subject_item_policy.optional.should include("OU","emailAddress")
+    subject_item_policy.required.should include("CN","O","L")
+  end
+end
 
-        config = R509::Config::CaConfig.load_from_hash(conf)
+describe R509::Config::CAProfile do
+  context "validate certificate policy structure" do
+    it "must be an array" do
+      expect { R509::Config::CAProfile.new(:certificate_policies => "whatever") }.to raise_error(ArgumentError,'Not a valid certificate policy structure. Must be an array of hashes')
     end
-
-    it "should fail if YAML for ca_cert contains engine and key" do
-        expect { R509::Config::CaConfig.from_yaml("engine_and_key", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_engine_key.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error, "You can't specify both key and engine")
+    it "require a policy identifier" do
+      expect { R509::Config::CAProfile.new(:certificate_policies => [{"stuff" => "thing"}]) }.to raise_error(ArgumentError,'Each policy requires a policy identifier')
     end
-
-    it "should fail if YAML for ca_cert contains engine but no key_name" do
-        expect { R509::Config::CaConfig.from_yaml("engine_no_key_name", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_engine_no_key_name.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error, 'You must supply a key_name with an engine')
+    it "the cps uri must be array of strings" do
+      expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "cps_uris" => "not an array"}]) }.to raise_error(ArgumentError,'CPS URIs must be an array of strings')
     end
-
-    it "should fail if YAML config is null" do
-        expect{ R509::Config::CaConfig.from_yaml("no_config_here", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError)
+    it "user notices must be an array of hashes" do
+      expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "user_notices" => "not an array"}]) }.to raise_error(ArgumentError,'User notices must be an array of hashes')
     end
-
-    it "should fail if YAML config isn't a hash" do
-        expect{ R509::Config::CaConfig.from_yaml("config_is_string", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError)
+    it "org in user notice requires notice numbers" do
+      expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "user_notices" => [{"explicit_text" => "explicit", "organization" => "something"}]}]) }.to raise_error(ArgumentError,'If you provide an organization you must provide notice numbers')
     end
-
-    it "should fail if YAML config doesn't give a root CA directory that's a directory" do
-        expect{ R509::Config::CaConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures/no_directory_here"}) }.to raise_error(R509::R509Error)
+    it "notice numbers in user notice requires org" do
+      expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "user_notices" => [{"explicit_text" => "explicit", "notice_numbers" => "1,2,3"}]}]) }.to raise_error(ArgumentError,'If you provide notice numbers you must provide an organization')
     end
-
-    it "should load YAML from filename" do
-        config = R509::Config::CaConfig.load_yaml("test_ca", "#{File.dirname(__FILE__)}/fixtures/config_test.yaml", {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-        config.crl_validity_hours.should == 72
-        config.ocsp_validity_hours.should == 96
-        config.message_digest.should == "SHA1"
+  end
+  context "validate basic constraints structure" do
+    it "must be a hash with key \"ca\"" do
+      expect { R509::Config::CAProfile.new(:basic_constraints => 'string') }.to raise_error(ArgumentError, "You must supply a hash with a key named \"ca\" with a boolean value")
+      expect { R509::Config::CAProfile.new(:basic_constraints => {}) }.to raise_error(ArgumentError, "You must supply a hash with a key named \"ca\" with a boolean value")
     end
-
-    it "can specify crl_number_file" do
-        config = R509::Config::CaConfig.new(
-            :ca_cert => TestFixtures.test_ca_cert,
-            :crl_number_file => "crl_number_file.txt"
-        )
-        config.crl_number_file.should == 'crl_number_file.txt'
+    it "must have true or false for the ca key value" do
+      expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => 'truestring'}) }.to raise_error(ArgumentError, "You must supply true/false for the ca key when specifying basic constraints")
     end
-
-    it "can specify crl_list_file" do
-        config = R509::Config::CaConfig.new(
-            :ca_cert => TestFixtures.test_ca_cert,
-            :crl_list_file => "crl_list_file.txt"
-        )
-        config.crl_list_file.should == 'crl_list_file.txt'
+    it "must not pass a path_length if ca is false" do
+      expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => false, "path_length" => 5}) }.to raise_error(ArgumentError, "path_length is not allowed when ca is false")
     end
-
-end
-
-describe R509::Config::SubjectItemPolicy do
-    it "raises an error if you supply a non-hash" do
-        expect { R509::Config::SubjectItemPolicy.new('string') }.to raise_error(ArgumentError, "Must supply a hash in form 'shortname'=>'required/optional'")
-    end
-    it "raises an error if a required element is missing" do
-        subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required")
-        subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
-        expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, /This profile requires you supply/)
-    end
-    it "raises an error if your hash values are anything other than required or optional" do
-        expect { R509::Config::SubjectItemPolicy.new("CN" => "somethirdoption") }.to raise_error(ArgumentError, "Unknown subject item policy value. Allowed values are required and optional")
-    end
-    it "validates a subject with the same fields as the policy" do
-        subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional")
-        subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
-        validated_subject = subject_item_policy.validate_subject(subject)
-        validated_subject.to_s.should == subject.to_s
-    end
-    it "does not match if you get case of subject_item_policy element wrong" do
-        subject_item_policy = R509::Config::SubjectItemPolicy.new("cn" => "required")
-        subject = R509::Subject.new [["CN","langui.sh"]]
-        expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, 'This profile requires you supply cn')
-    end
-    it "removes subject items that are not in the policy" do
-        subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required")
-        subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
-        validated_subject = subject_item_policy.validate_subject(subject)
-        validated_subject.to_s.should == "/CN=langui.sh"
-    end
-    it "does not reorder subject items as it validates" do
-        subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required")
-        subject = R509::Subject.new [["L","Chicago"],["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
-        validated_subject = subject_item_policy.validate_subject(subject)
-        validated_subject.to_s.should == subject.to_s
-    end
-    it "loads all the required and optional elements" do
-        subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required", "emailAddress" => "optional")
-        subject_item_policy.optional.should include("OU","emailAddress")
-        subject_item_policy.required.should include("CN","O","L")
+    it "must pass a non-negative integer to path_length" do
+      expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => true, "path_length" => -1.5}) }.to raise_error(ArgumentError, "Path length must be a non-negative integer (>= 0)")
+      expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => true, "path_length" => 1.5}) }.to raise_error(ArgumentError, "Path length must be a non-negative integer (>= 0)")
+    end
+    it "does not require a path_length when ca is true" do
+      ca_profile = R509::Config::CAProfile.new(:basic_constraints => {"ca" => true})
+      ca_profile.basic_constraints.should == {"ca" => true }
+    end
+    it "allows ca:false" do
+      ca_profile = R509::Config::CAProfile.new(:basic_constraints => {"ca" => false})
+      ca_profile.basic_constraints.should == {"ca" => false }
+    end
+    it "allows ca:true and a valid path length" do
+      ca_profile = R509::Config::CAProfile.new(:basic_constraints => {"ca" => true, "path_length" => 2})
+      ca_profile.basic_constraints.should == {"ca" => true, "path_length" => 2 }
+    end
+  end
+  context "validate key usage" do
+    it "errors with non-array" do
+      expect { R509::Config::CAProfile.new( :key_usage => 'not an array' ) }.to raise_error(ArgumentError, 'key_usage must be an array of strings (see README)')
     end
+    it "loads properly" do
+      ku = ['digitalSignature']
+      profile = R509::Config::CAProfile.new( :key_usage => ku )
+      profile.key_usage.should == ku
+    end
+  end
+  context "validate extended key usage" do
+    it "errors with non-array" do
+      expect { R509::Config::CAProfile.new( :extended_key_usage => 'not an array' ) }.to raise_error(ArgumentError, 'extended_key_usage must be an array of strings (see README)')
+    end
+    it "loads properly" do
+      eku = ['serverAuth']
+      profile = R509::Config::CAProfile.new( :extended_key_usage => eku )
+      profile.extended_key_usage.should == eku
+    end
+  end
+  context "validate subject item policy" do
+    it "raises an error with an invalid subject_item_policy" do
+      expect { R509::Config::CAProfile.new( :subject_item_policy => "lenient!" ) }.to raise_error(ArgumentError,'subject_item_policy must be of type R509::Config::SubjectItemPolicy')
+    end
+    it "stores a valid subject_item_policy" do
+      policy = R509::Config::SubjectItemPolicy.new("CN" => "required")
+      expect { R509::Config::CAProfile.new( :subject_item_policy => policy) }.to_not raise_error
+    end
+  end
+  context "validate inhibit any policy" do
+    it "raises an error when not a number" do
+      expect { R509::Config::CAProfile.new( :inhibit_any_policy => "string" ) }.to raise_error(ArgumentError,'Inhibit any policy must be a non-negative integer')
+    end
+    it "raises an error when not >= 0" do
+      expect { R509::Config::CAProfile.new( :inhibit_any_policy => -5 ) }.to raise_error(ArgumentError,'Inhibit any policy must be a non-negative integer')
+    end
+    it "loads when providing valid data" do
+      profile = R509::Config::CAProfile.new(:inhibit_any_policy => 3)
+      profile.inhibit_any_policy.should == 3
+    end
+  end
+  context "validate policy constraints" do
+    it "raises an error when not a hash" do
+      expect { R509::Config::CAProfile.new( :policy_constraints => "string" ) }.to raise_error(ArgumentError,'Policy constraints must be provided as a hash with at least one of the two allowed keys: "inhibit_policy_mapping" and "require_explicit_policy"')
+    end
+    it "raises an error when no keys" do
+      expect { R509::Config::CAProfile.new( :policy_constraints => {} ) }.to raise_error(ArgumentError,'Policy constraints must have at least one of two keys: "inhibit_policy_mapping" and "require_explicit_policy" and the value must be non-negative')
+    end
+    it "raises an error when inhibit_policy_mapping is not valid" do
+      expect { R509::Config::CAProfile.new( :policy_constraints => {"inhibit_policy_mapping" => -5} ) }.to raise_error(ArgumentError,'inhibit_policy_mapping must be a non-negative integer')
+    end
+    it "raises an error when require_explicit_policy is not valid" do
+      expect { R509::Config::CAProfile.new( :policy_constraints => {"require_explicit_policy" => -1} ) }.to raise_error(ArgumentError,'require_explicit_policy must be a non-negative integer')
+    end
+    it "loads when provided inhibit_policy_mapping" do
+      profile = R509::Config::CAProfile.new( :policy_constraints => {"require_explicit_policy" => 1} )
+      profile.policy_constraints["require_explicit_policy"].should == 1
+    end
+    it "loads when provided require_explicit_policy" do
+      profile = R509::Config::CAProfile.new( :policy_constraints => {"inhibit_policy_mapping" => 0} )
+      profile.policy_constraints["inhibit_policy_mapping"].should == 0
+    end
+    it "loads when provided values for both keys" do
+      profile = R509::Config::CAProfile.new( :policy_constraints => {"require_explicit_policy" => 1, "inhibit_policy_mapping" => 4} )
+      profile.policy_constraints["require_explicit_policy"].should == 1
+      profile.policy_constraints["inhibit_policy_mapping"].should == 4
+    end
+  end
+  context "validate name constraints"do
+    it "raises an error when not a hash" do
+      expect { R509::Config::CAProfile.new( :name_constraints => 'a string' ) }.to raise_error(ArgumentError,'name_constraints must be provided as a hash')
+    end
+    it "raises an error when permitted and excluded are empty" do
+      expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [], "excluded" => []} ) }.to raise_error(ArgumentError,'If name_constraints are supplied you must have at least one valid permitted or excluded element')
+    end
+    it "raises an error when permitted or excluded are not arrays" do
+      expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => 'string', "excluded" => 'string'} ) }.to raise_error(ArgumentError,'permitted must be an array')
+    end
+    it "raises an error when permitted or excluded elements are not hashes with the required values" do
+      expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [{"type" => 'DNS'}]} ) }.to raise_error(ArgumentError,'Elements within the permitted array must be hashes with both type and value')
+      expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [{'value' => '127'}]} ) }.to raise_error(ArgumentError,'Elements within the permitted array must be hashes with both type and value')
+    end
+    it "raises an error when an invalid type is specified" do
+      expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [{'type' => 'invalid', 'value' => '127'}]} ) }.to raise_error(ArgumentError,'invalid is not an allowed type. Check R509::ASN1::GeneralName.map_type_to_tag to see a list of types')
+    end
+    it "loads a config with just permitted" do
+      profile = R509::Config::CAProfile.new(:name_constraints => {"permitted" => [ { 'type' => 'DNS', 'value' => 'domain.com' } ] } )
+      profile.name_constraints["permitted"][0]['type'] = 'DNS'
+      profile.name_constraints["permitted"][0]['value'] = 'domain.com'
+    end
+    it "loads a config with just excluded" do
+      profile = R509::Config::CAProfile.new(:name_constraints => {"excluded" => [ { 'type' => 'IP', 'value' => '127.0.0.1/255.255.255.255' } ] } )
+      profile.name_constraints["excluded"][0]['type'] = 'IP'
+      profile.name_constraints["excluded"][0]['value'] = '127.0.0.1/255.255.255.255'
+    end
+    it "loads a config with both permitted and excluded" do
+      profile = R509::Config::CAProfile.new(:name_constraints => {"permitted" => [ { 'type' => 'DNS', 'value' => 'domain.com' } ], "excluded" => [ { 'type' => 'IP', 'value' => '127.0.0.1/255.255.255.255' } ] } )
+      profile.name_constraints["permitted"][0]['type'] = 'DNS'
+      profile.name_constraints["permitted"][0]['value'] = 'domain.com'
+      profile.name_constraints["excluded"][0]['type'] = 'IP'
+      profile.name_constraints["excluded"][0]['value'] = '127.0.0.1/255.255.255.255'
+    end
+  end
+  it "initializes and stores the options provided" do
+    profile = R509::Config::CAProfile.new(
+      :basic_constraints => {"ca" => true},
+      :key_usage => ["digitalSignature"],
+      :extended_key_usage => ["serverAuth"],
+      :certificate_policies => [
+          { "policy_identifier" => "2.16.840.1.12345.1.2.3.4.1",
+  "cps_uris" => ["http://example.com/cps","http://other.com/cps"],
+  "user_notices" => [ {"explicit_text" => "thing", "organization" => "my org", "notice_numbers" => "1,2,3,4"} ]
+          }
+      ],
+      :ocsp_no_check => true
+    )
+    profile.basic_constraints.should == {"ca" => true}
+    profile.key_usage.should == ["digitalSignature"]
+    profile.extended_key_usage.should == ["serverAuth"]
+    profile.certificate_policies[0]["policy_identifier"].should == "2.16.840.1.12345.1.2.3.4.1"
+    profile.ocsp_no_check.should == true
+  end
+  it "initializes with expected defaults" do
+    profile = R509::Config::CAProfile.new
+    profile.basic_constraints.should == nil
+    profile.key_usage.should == nil
+    profile.extended_key_usage.should == nil
+    profile.certificate_policies.should == nil
+    profile.ocsp_no_check.should == false
+    profile.subject_item_policy.should == nil
+  end
+  it "loads profiles from YAML while setting expected defaults" do
+    config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+    server_profile = config.profile("server") # no ocsp_no_check node
+    server_profile.ocsp_no_check.should == false
+    ocsp_profile = config.profile("ocsp_delegate_with_no_check") # ocsp_no_check => true
+    ocsp_profile.ocsp_no_check.should == true
+    client_profile = config.profile("client") # ocsp_no_check => false
+    client_profile.ocsp_no_check.should == false
+  end
 end