r509 0.8.1 → 0.9
- data/README.md +343 -151
- data/Rakefile +26 -23
- data/bin/r509 +126 -112
- data/bin/r509-parse +24 -24
- data/doc/R509.html +169 -7
- data/doc/R509/ASN1.html +370 -0
- data/doc/R509/ASN1/GeneralName.html +1121 -0
- data/doc/R509/ASN1/GeneralNames.html +843 -0
- data/doc/R509/ASN1/NoticeReference.html +392 -0
- data/doc/R509/ASN1/PolicyInformation.html +387 -0
- data/doc/R509/ASN1/PolicyQualifiers.html +455 -0
- data/doc/R509/ASN1/UserNotice.html +386 -0
- data/doc/R509/{Crl.html → CRL.html} +7 -7
- data/doc/R509/CRL/Administrator.html +1559 -0
- data/doc/R509/{Crl/Parser.html → CRL/SignedList.html} +501 -210
- data/doc/R509/{Csr.html → CSR.html} +444 -314
- data/doc/R509/Cert.html +866 -617
- data/doc/R509/Cert/Extensions.html +52 -41
- data/doc/R509/Cert/Extensions/AuthorityInfoAccess.html +70 -35
- data/doc/R509/Cert/Extensions/AuthorityKeyIdentifier.html +387 -4
- data/doc/R509/Cert/Extensions/BasicConstraints.html +61 -25
- data/doc/R509/Cert/Extensions/CRLDistributionPoints.html +354 -0
- data/doc/R509/Cert/Extensions/CertificatePolicies.html +340 -0
- data/doc/R509/Cert/Extensions/ExtendedKeyUsage.html +440 -49
- data/doc/R509/Cert/Extensions/{CrlDistributionPoints.html → InhibitAnyPolicy.html} +52 -35
- data/doc/R509/Cert/Extensions/KeyUsage.html +247 -121
- data/doc/R509/Cert/Extensions/NameConstraints.html +445 -0
- data/doc/R509/Cert/Extensions/OCSPNoCheck.html +239 -0
- data/doc/R509/Cert/Extensions/PolicyConstraints.html +424 -0
- data/doc/R509/Cert/Extensions/SubjectAlternativeName.html +437 -62
- data/doc/R509/Cert/Extensions/SubjectKeyIdentifier.html +52 -10
- data/doc/R509/CertificateAuthority.html +4 -4
- data/doc/R509/CertificateAuthority/Signer.html +154 -187
- data/doc/R509/Config.html +6 -6
- data/doc/R509/Config/{CaConfig.html → CAConfig.html} +451 -348
- data/doc/R509/Config/{CaConfigPool.html → CAConfigPool.html} +47 -47
- data/doc/R509/Config/CAProfile.html +1015 -0
- data/doc/R509/Config/SubjectItemPolicy.html +86 -86
- data/doc/R509/IOHelpers.html +22 -22
- data/doc/R509/MessageDigest.html +14 -14
- data/doc/R509/NameSanitizer.html +53 -53
- data/doc/R509/{Ocsp.html → OCSP.html} +9 -9
- data/doc/R509/{Ocsp → OCSP}/Request.html +7 -7
- data/doc/R509/{Ocsp → OCSP}/Request/Nonce.html +56 -11
- data/doc/R509/{Ocsp → OCSP}/Response.html +44 -44
- data/doc/R509/{OidMapper.html → OIDMapper.html} +23 -39
- data/doc/R509/PrivateKey.html +415 -168
- data/doc/R509/R509Error.html +3 -3
- data/doc/R509/{Spki.html → SPKI.html} +354 -192
- data/doc/R509/Subject.html +224 -113
- data/doc/R509/Validity.html +27 -5
- data/doc/R509/Validity/Checker.html +13 -13
- data/doc/R509/Validity/DefaultChecker.html +13 -13
- data/doc/R509/Validity/DefaultWriter.html +14 -14
- data/doc/R509/Validity/Status.html +39 -39
- data/doc/R509/Validity/Writer.html +18 -18
- data/doc/_index.html +138 -35
- data/doc/class_list.html +1 -1
- data/doc/css/style.css +10 -0
- data/doc/file.README.html +368 -171
- data/doc/file.r509.html +92 -69
- data/doc/frames.html +1 -1
- data/doc/index.html +368 -171
- data/doc/method_list.html +910 -390
- data/doc/top-level-namespace.html +3 -3
- data/lib/r509.rb +32 -16
- data/lib/r509/asn1.rb +375 -0
- data/lib/r509/cert.rb +381 -364
- data/lib/r509/cert/extensions.rb +443 -76
- data/lib/r509/certificate_authority.rb +407 -0
- data/lib/r509/config.rb +547 -351
- data/lib/r509/crl.rb +336 -366
- data/lib/r509/csr.rb +278 -289
- data/lib/r509/ec-hack.rb +37 -0
- data/lib/r509/exceptions.rb +3 -3
- data/lib/r509/io_helpers.rb +44 -44
- data/lib/r509/message_digest.rb +53 -0
- data/lib/r509/ocsp.rb +80 -70
- data/lib/r509/oid_mapper.rb +32 -0
- data/lib/r509/private_key.rb +228 -0
- data/lib/r509/spki.rb +145 -93
- data/lib/r509/subject.rb +203 -110
- data/lib/r509/validity.rb +70 -68
- data/lib/r509/version.rb +2 -2
- data/r509.yaml +92 -69
- data/spec/asn1_spec.rb +402 -0
- data/spec/cert/extensions_spec.rb +957 -494
- data/spec/cert_spec.rb +382 -307
- data/spec/certificate_authority_spec.rb +668 -250
- data/spec/config_spec.rb +515 -302
- data/spec/crl_spec.rb +197 -198
- data/spec/csr_spec.rb +334 -289
- data/spec/fixtures.rb +247 -171
- data/spec/fixtures/cert1.der +0 -0
- data/spec/fixtures/cert1.pem +0 -0
- data/spec/fixtures/cert1_public_key_modulus.txt +0 -0
- data/spec/fixtures/cert3.p12 +0 -0
- data/spec/fixtures/cert3.pem +0 -0
- data/spec/fixtures/cert3_key.pem +0 -0
- data/spec/fixtures/cert3_key_des3.pem +0 -0
- data/spec/fixtures/cert4.pem +0 -0
- data/spec/fixtures/cert5.pem +0 -0
- data/spec/fixtures/cert6.pem +0 -0
- data/spec/fixtures/cert_expired.pem +0 -0
- data/spec/fixtures/cert_inhibit.pem +24 -0
- data/spec/fixtures/cert_name_constraints.pem +29 -0
- data/spec/fixtures/cert_not_yet_valid.pem +0 -0
- data/spec/fixtures/cert_ocsp_no_check.pem +18 -0
- data/spec/fixtures/cert_policy_constraints.pem +31 -0
- data/spec/fixtures/cert_san.pem +0 -0
- data/spec/fixtures/cert_san2.pem +0 -0
- data/spec/fixtures/cert_unknown_extension.pem +28 -0
- data/spec/fixtures/config_pool_test_minimal.yaml +11 -11
- data/spec/fixtures/config_test.yaml +54 -36
- data/spec/fixtures/config_test_dsa.yaml +35 -0
- data/spec/fixtures/config_test_ec.yaml +35 -0
- data/spec/fixtures/config_test_engine_key.yaml +5 -5
- data/spec/fixtures/config_test_engine_no_key_name.yaml +4 -4
- data/spec/fixtures/config_test_minimal.yaml +4 -4
- data/spec/fixtures/config_test_password.yaml +5 -5
- data/spec/fixtures/config_test_various.yaml +111 -74
- data/spec/fixtures/crl_list_file.txt +0 -0
- data/spec/fixtures/crl_with_reason.pem +0 -0
- data/spec/fixtures/csr1.der +0 -0
- data/spec/fixtures/csr1.pem +0 -0
- data/spec/fixtures/csr1_key.der +0 -0
- data/spec/fixtures/csr1_key.pem +0 -0
- data/spec/fixtures/csr1_key_encrypted_des3.pem +0 -0
- data/spec/fixtures/csr1_newlines.pem +0 -0
- data/spec/fixtures/csr1_no_begin_end.pem +0 -0
- data/spec/fixtures/csr1_public_key_modulus.txt +0 -0
- data/spec/fixtures/csr2.pem +0 -0
- data/spec/fixtures/csr2_key.pem +0 -0
- data/spec/fixtures/csr3.pem +0 -0
- data/spec/fixtures/csr4.pem +0 -0
- data/spec/fixtures/csr_dsa.pem +0 -0
- data/spec/fixtures/csr_invalid_signature.pem +0 -0
- data/spec/fixtures/dsa_key.pem +0 -0
- data/spec/fixtures/dsa_root.cer +28 -0
- data/spec/fixtures/dsa_root.key +20 -0
- data/spec/fixtures/ec_csr2.der +0 -0
- data/spec/fixtures/ec_csr2.pem +8 -0
- data/spec/fixtures/ec_key1.der +0 -0
- data/spec/fixtures/ec_key1.pem +6 -0
- data/spec/fixtures/ec_key1_encrypted.pem +9 -0
- data/spec/fixtures/ec_key2.pem +6 -0
- data/spec/fixtures/hmacsha1.sig +1 -0
- data/spec/fixtures/hmacsha512.sig +1 -0
- data/spec/fixtures/key4.pem +0 -0
- data/spec/fixtures/key4_encrypted_des3.pem +0 -0
- data/spec/fixtures/missing_key_identifier_ca.cer +0 -0
- data/spec/fixtures/missing_key_identifier_ca.key +0 -0
- data/spec/fixtures/ocsptest.r509.local.pem +0 -0
- data/spec/fixtures/ocsptest.r509.local_ocsp_request.der +0 -0
- data/spec/fixtures/ocsptest2.r509.local.pem +0 -0
- data/spec/fixtures/second_ca.cer +0 -0
- data/spec/fixtures/second_ca.key +0 -0
- data/spec/fixtures/spkac.der +0 -0
- data/spec/fixtures/spkac.txt +0 -0
- data/spec/fixtures/spkac_dsa.txt +1 -1
- data/spec/fixtures/spkac_dsa_no_verify.txt +1 -0
- data/spec/fixtures/spkac_ec.txt +1 -0
- data/spec/fixtures/spkac_rsa_newlines.txt +13 -0
- data/spec/fixtures/stca.pem +0 -0
- data/spec/fixtures/stca_ocsp_request.der +0 -0
- data/spec/fixtures/stca_ocsp_response.der +0 -0
- data/spec/fixtures/test1.csr +0 -0
- data/spec/fixtures/test_ca.cer +0 -0
- data/spec/fixtures/test_ca.key +0 -0
- data/spec/fixtures/test_ca.p12 +0 -0
- data/spec/fixtures/test_ca_des3.key +0 -0
- data/spec/fixtures/test_ca_ec.cer +14 -0
- data/spec/fixtures/test_ca_ec.key +6 -0
- data/spec/fixtures/test_ca_ec_ee.cer +22 -0
- data/spec/fixtures/test_ca_ec_ee.key +6 -0
- data/spec/fixtures/test_ca_ocsp.cer +0 -0
- data/spec/fixtures/test_ca_ocsp.key +0 -0
- data/spec/fixtures/test_ca_ocsp.p12 +0 -0
- data/spec/fixtures/test_ca_ocsp_chain.txt +0 -0
- data/spec/fixtures/test_ca_ocsp_response.der +0 -0
- data/spec/fixtures/test_ca_subroot.cer +0 -0
- data/spec/fixtures/test_ca_subroot.key +0 -0
- data/spec/fixtures/test_ca_subroot_ocsp.cer +0 -0
- data/spec/fixtures/test_ca_subroot_ocsp.key +0 -0
- data/spec/fixtures/test_ca_subroot_ocsp_response.der +0 -0
- data/spec/fixtures/unknown_oid.csr +0 -0
- data/spec/message_digest_spec.rb +104 -84
- data/spec/ocsp_spec.rb +105 -105
- data/spec/oid_mapper_spec.rb +21 -21
- data/spec/private_key_spec.rb +275 -0
- data/spec/r509_spec.rb +35 -0
- data/spec/spec_helper.rb +15 -6
- data/spec/spki_spec.rb +221 -142
- data/spec/subject_spec.rb +232 -164
- data/spec/validity_spec.rb +91 -91
- metadata +79 -25
- data/doc/R509/Config/CaProfile.html +0 -651
- data/doc/R509/Crl/Administrator.html +0 -2073
- data/lib/r509/certificateauthority.rb +0 -290
- data/lib/r509/messagedigest.rb +0 -49
- data/lib/r509/oidmapper.rb +0 -32
- data/lib/r509/privatekey.rb +0 -185
- data/spec/privatekey_spec.rb +0 -198
data/spec/fixtures.rb
CHANGED
@@ -3,231 +3,307 @@ require 'pathname'
|
|
3
3
|
require 'r509/io_helpers'
|
4
4
|
|
5
5
|
module TestFixtures
|
6
|
-
|
6
|
+
extend R509::IOHelpers
|
7
7
|
|
8
|
-
|
8
|
+
FIXTURES_PATH = Pathname.new(__FILE__).dirname + "fixtures"
|
9
9
|
|
10
|
-
|
11
|
-
|
12
|
-
|
10
|
+
def self.read_fixture(filename)
|
11
|
+
read_data((FIXTURES_PATH + filename).to_s)
|
12
|
+
end
|
13
13
|
|
14
|
-
|
15
|
-
|
14
|
+
#Trustwave cert for langui.sh
|
15
|
+
CERT = read_fixture('cert1.pem')
|
16
16
|
|
17
|
-
|
18
|
-
|
17
|
+
CERT_INHIBIT = read_fixture('cert_inhibit.pem')
|
18
|
+
CERT_POLICY_CONSTRAINTS = read_fixture('cert_policy_constraints.pem')
|
19
|
+
CERT_NAME_CONSTRAINTS = read_fixture('cert_name_constraints.pem')
|
19
20
|
|
20
|
-
|
21
|
+
#Trustwave root cert
|
22
|
+
STCA_CERT = read_fixture('stca.pem')
|
21
23
|
|
22
|
-
|
23
|
-
CERT4 = read_fixture('cert4.pem')
|
24
|
+
CERT_PUBLIC_KEY_MODULUS = read_fixture('cert1_public_key_modulus.txt')
|
24
25
|
|
25
|
-
|
26
|
-
|
26
|
+
# cert without key usage
|
27
|
+
CERT4 = read_fixture('cert4.pem')
|
27
28
|
|
28
|
-
|
29
|
-
|
29
|
+
# cert with multiple EKU
|
30
|
+
CERT5 = read_fixture('cert5.pem')
|
30
31
|
|
31
|
-
|
32
|
+
# cert with DSA public key
|
33
|
+
CERT6 = read_fixture('cert6.pem')
|
32
34
|
|
33
|
-
|
35
|
+
CERT_EXPIRED = read_fixture("cert_expired.pem")
|
34
36
|
|
35
|
-
|
37
|
+
CERT_NOT_YET_VALID = read_fixture("cert_not_yet_valid.pem")
|
36
38
|
|
37
|
-
|
38
|
-
CSR_UNKNOWN_OID = read_fixture('unknown_oid.csr')
|
39
|
+
DSA_KEY = read_fixture('dsa_key.pem')
|
39
40
|
|
41
|
+
# this CSR has unknown OIDs, which we should successfully parse out into Subject
|
42
|
+
CSR_UNKNOWN_OID = read_fixture('unknown_oid.csr')
|
40
43
|
|
41
|
-
#san cert from self-signed CA for langui.sh
|
42
|
-
CERT_SAN = read_fixture('cert_san.pem')
|
43
44
|
|
44
|
-
|
45
|
-
|
46
|
-
CERT_SAN2 = read_fixture('cert_san2.pem')
|
45
|
+
#san cert from self-signed CA for langui.sh
|
46
|
+
CERT_SAN = read_fixture('cert_san.pem')
|
47
47
|
|
48
|
-
|
48
|
+
#Another san cert for langui.sh, but differentiating between the CN and
|
49
|
+
# SANs.
|
50
|
+
CERT_SAN2 = read_fixture('cert_san2.pem')
|
49
51
|
|
50
|
-
|
52
|
+
CERT_DER = read_fixture('cert1.der')
|
51
53
|
|
52
|
-
|
54
|
+
SPKI = read_fixture('spkac.txt')
|
53
55
|
|
54
|
-
|
56
|
+
SPKI_DER = read_fixture('spkac.der')
|
55
57
|
|
56
|
-
|
58
|
+
SPKI_DSA = read_fixture('spkac_dsa.txt')
|
57
59
|
|
58
|
-
|
60
|
+
SPKI_DSA_NO_VERIFY = read_fixture('spkac_dsa_no_verify.txt')
|
59
61
|
|
60
|
-
|
62
|
+
SPKI_EC = read_fixture('spkac_ec.txt')
|
61
63
|
|
62
|
-
|
64
|
+
SPKI_RSA_NEWLINES = read_fixture('spkac_rsa_newlines.txt')
|
63
65
|
|
64
|
-
|
66
|
+
CSR = read_fixture('csr1.pem')
|
65
67
|
|
66
|
-
|
68
|
+
CSR_PUBLIC_KEY_MODULUS = read_fixture('csr1_public_key_modulus.txt')
|
67
69
|
|
68
|
-
|
70
|
+
CSR_INVALID_SIGNATURE = read_fixture('csr_invalid_signature.pem')
|
69
71
|
|
70
|
-
|
72
|
+
CSR_DER = read_fixture('csr1.der')
|
71
73
|
|
72
|
-
|
74
|
+
CSR_NEWLINES = read_fixture('csr1_newlines.pem')
|
73
75
|
|
74
|
-
|
76
|
+
CSR_NO_BEGIN_END = read_fixture('csr1_no_begin_end.pem')
|
75
77
|
|
76
|
-
|
78
|
+
CSR_DSA = read_fixture('csr_dsa.pem')
|
77
79
|
|
78
|
-
|
80
|
+
KEY_CSR = read_fixture('csr1_key.pem')
|
79
81
|
|
80
|
-
|
82
|
+
KEY_CSR_DER = read_fixture('csr1_key.der')
|
81
83
|
|
82
|
-
|
84
|
+
KEY_CSR_ENCRYPTED = read_fixture('csr1_key_encrypted_des3.pem')
|
83
85
|
|
84
|
-
|
86
|
+
CSR2 = read_fixture('csr2.pem')
|
85
87
|
|
86
|
-
|
88
|
+
KEY_CSR2 = read_fixture('csr2_key.pem')
|
87
89
|
|
88
|
-
|
90
|
+
CSR3 = read_fixture('csr3.pem')
|
89
91
|
|
90
|
-
|
92
|
+
CERT3 = read_fixture('cert3.pem')
|
91
93
|
|
92
|
-
|
94
|
+
KEY3 = read_fixture('cert3_key.pem')
|
93
95
|
|
94
|
-
|
96
|
+
KEY3_ENCRYPTED = read_fixture('cert3_key_des3.pem')
|
95
97
|
|
96
|
-
|
97
|
-
TEST_CA_KEY = read_fixture('test_ca.key')
|
98
|
+
CERT3_P12 = read_fixture('cert3.p12')
|
98
99
|
|
99
|
-
|
100
|
-
TEST_CA_OCSP_KEY = read_fixture('test_ca_ocsp.key')
|
100
|
+
CSR4_MULTIPLE_ATTRS = read_fixture('csr4.pem')
|
101
101
|
|
102
|
-
|
103
|
-
TEST_CA_SUBROOT_KEY = read_fixture('test_ca_subroot.key')
|
102
|
+
KEY4_ENCRYPTED_DES3 = read_fixture('key4_encrypted_des3.pem')
|
104
103
|
|
105
|
-
|
106
|
-
#in a prod environment you'd really only need the delegate
|
107
|
-
#since the root would be present in the root store of the
|
108
|
-
#client, but I wanted to test > 1
|
109
|
-
TEST_CA_OCSP_CHAIN = read_fixture('test_ca_ocsp_chain.txt')
|
104
|
+
KEY4 = read_fixture('key4.pem')
|
110
105
|
|
111
|
-
|
106
|
+
CERT_OCSP_NO_CHECK = read_fixture('cert_ocsp_no_check.pem')
|
112
107
|
|
113
|
-
|
108
|
+
EC_KEY1 = read_fixture('ec_key1.pem')
|
109
|
+
EC_KEY1_DER = read_fixture('ec_key1.der')
|
110
|
+
EC_KEY1_ENCRYPTED = read_fixture('ec_key1_encrypted.pem')
|
114
111
|
|
115
|
-
|
116
|
-
|
112
|
+
EC_CSR2_PEM = read_fixture('ec_csr2.pem')
|
113
|
+
EC_CSR2_DER = read_fixture('ec_csr2.der')
|
114
|
+
EC_KEY2 = read_fixture('ec_key2.pem')
|
117
115
|
|
118
|
-
|
119
|
-
|
116
|
+
EC_EE_CERT = read_fixture("test_ca_ec_ee.cer")
|
117
|
+
EC_EE_KEY = read_fixture("test_ca_ec_ee.key")
|
120
118
|
|
121
|
-
|
122
|
-
|
119
|
+
DSA_CA_CERT = read_fixture('dsa_root.cer')
|
120
|
+
DSA_CA_KEY = read_fixture('dsa_root.key')
|
123
121
|
|
124
|
-
|
122
|
+
TEST_CA_EC_CERT = read_fixture('test_ca_ec.cer')
|
123
|
+
TEST_CA_EC_KEY = read_fixture('test_ca_ec.key')
|
125
124
|
|
126
|
-
|
125
|
+
TEST_CA_CERT = read_fixture('test_ca.cer')
|
126
|
+
TEST_CA_KEY = read_fixture('test_ca.key')
|
127
127
|
|
128
|
-
|
129
|
-
|
130
|
-
end
|
128
|
+
TEST_CA_OCSP_CERT = read_fixture('test_ca_ocsp.cer')
|
129
|
+
TEST_CA_OCSP_KEY = read_fixture('test_ca_ocsp.key')
|
131
130
|
|
132
|
-
|
133
|
-
|
134
|
-
end
|
131
|
+
TEST_CA_SUBROOT_CERT = read_fixture('test_ca_subroot.cer')
|
132
|
+
TEST_CA_SUBROOT_KEY = read_fixture('test_ca_subroot.key')
|
135
133
|
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
:certificate_policies => [
|
142
|
-
[
|
143
|
-
"policyIdentifier=2.16.840.1.12345.1.2.3.4.1",
|
144
|
-
"CPS.1=http://example.com/cps"
|
145
|
-
]
|
146
|
-
]
|
147
|
-
)
|
134
|
+
#this chain contains 2 certs. root and OCSP delegate
|
135
|
+
#in a prod environment you'd really only need the delegate
|
136
|
+
#since the root would be present in the root store of the
|
137
|
+
#client, but I wanted to test > 1
|
138
|
+
TEST_CA_OCSP_CHAIN = read_fixture('test_ca_ocsp_chain.txt')
|
148
139
|
|
149
|
-
|
140
|
+
TEST_CA_OCSP_RESPONSE = read_fixture('test_ca_ocsp_response.der')
|
150
141
|
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
163
|
-
|
164
|
-
|
165
|
-
|
166
|
-
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
174
|
-
|
175
|
-
|
176
|
-
|
177
|
-
|
178
|
-
|
179
|
-
|
180
|
-
|
181
|
-
|
182
|
-
|
183
|
-
|
184
|
-
|
185
|
-
|
186
|
-
|
187
|
-
|
188
|
-
|
189
|
-
|
190
|
-
|
191
|
-
|
192
|
-
|
193
|
-
|
194
|
-
|
195
|
-
|
196
|
-
|
197
|
-
|
198
|
-
|
199
|
-
|
200
|
-
|
201
|
-
|
202
|
-
|
203
|
-
|
204
|
-
|
205
|
-
|
206
|
-
|
207
|
-
|
208
|
-
|
209
|
-
|
210
|
-
|
211
|
-
|
212
|
-
|
213
|
-
|
214
|
-
|
215
|
-
|
216
|
-
def self.test_ca_no_profile_config
|
217
|
-
crl_list_sio = StringIO.new
|
218
|
-
crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding)
|
219
|
-
crl_number_sio = StringIO.new
|
220
|
-
crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding)
|
221
|
-
|
222
|
-
opts = {
|
223
|
-
:ca_cert => test_ca_cert(),
|
224
|
-
:cdp_location => 'URI:http://crl.domain.com/test_ca.crl',
|
225
|
-
:ocsp_location => 'URI:http://ocsp.domain.com',
|
226
|
-
:ocsp_start_skew_seconds => 3600,
|
227
|
-
:ocsp_validity_hours => 48,
|
228
|
-
:crl_list_file => crl_list_sio,
|
229
|
-
:crl_number_file => crl_number_sio
|
142
|
+
TEST_CA_SUBROOT_OCSP_RESPONSE = read_fixture('test_ca_subroot_ocsp_response.der')
|
143
|
+
|
144
|
+
SECOND_CA_CERT = read_fixture('second_ca.cer')
|
145
|
+
SECOND_CA_KEY = read_fixture('second_ca.key')
|
146
|
+
|
147
|
+
OCSP_TEST_CERT = read_fixture('ocsptest.r509.local.pem')
|
148
|
+
OCSP_TEST_CERT2 = read_fixture('ocsptest2.r509.local.pem')
|
149
|
+
|
150
|
+
STCA_OCSP_REQUEST = read_fixture('stca_ocsp_request.der')
|
151
|
+
STCA_OCSP_RESPONSE = read_fixture('stca_ocsp_response.der')
|
152
|
+
|
153
|
+
CRL_LIST_FILE = (FIXTURES_PATH+'crl_list_file.txt').to_s
|
154
|
+
|
155
|
+
CRL_REASON = read_fixture("crl_with_reason.pem")
|
156
|
+
|
157
|
+
HMACSHA512_SIG = read_fixture("hmacsha512.sig")
|
158
|
+
HMACSHA1_SIG = read_fixture("hmacsha1.sig")
|
159
|
+
|
160
|
+
def self.test_ca_cert
|
161
|
+
R509::Cert.new(:cert => TEST_CA_CERT, :key => TEST_CA_KEY)
|
162
|
+
end
|
163
|
+
|
164
|
+
def self.test_ca_ec_cert
|
165
|
+
R509::Cert.new(:cert => TEST_CA_EC_CERT, :key => TEST_CA_EC_KEY)
|
166
|
+
end
|
167
|
+
|
168
|
+
def self.test_ca_dsa_cert
|
169
|
+
R509::Cert.new(:cert => DSA_CA_CERT, :key => DSA_CA_KEY)
|
170
|
+
end
|
171
|
+
|
172
|
+
def self.test_ca_subroot_cert
|
173
|
+
R509::Cert.new(:cert => TEST_CA_SUBROOT_CERT, :key => TEST_CA_SUBROOT_KEY)
|
174
|
+
end
|
175
|
+
|
176
|
+
def self.test_ca_server_profile
|
177
|
+
R509::Config::CAProfile.new(
|
178
|
+
:basic_constraints => {"ca" => false },
|
179
|
+
:key_usage => ["digitalSignature","keyEncipherment"],
|
180
|
+
:extended_key_usage => ["serverAuth"],
|
181
|
+
:certificate_policies => [
|
182
|
+
{ "policy_identifier" => "2.16.840.1.12345.1.2.3.4.1",
|
183
|
+
"cps_uris" => ["http://example.com/cps","http://other.com/cps"],
|
184
|
+
"user_notices" => [ {"explicit_text" => "thing", "organization" => "my org", "notice_numbers" => "1,2,3,4"} ]
|
185
|
+
}
|
186
|
+
]
|
187
|
+
)
|
188
|
+
|
189
|
+
end
|
190
|
+
|
191
|
+
def self.test_ca_server_profile_with_subject_item_policy
|
192
|
+
subject_item_policy = R509::Config::SubjectItemPolicy.new(
|
193
|
+
"CN" => "required",
|
194
|
+
"O" => "optional",
|
195
|
+
"ST" => "required",
|
196
|
+
"C" => "required",
|
197
|
+
"OU" => "optional"
|
198
|
+
)
|
199
|
+
R509::Config::CAProfile.new(
|
200
|
+
:basic_constraints => {"ca" => false },
|
201
|
+
:key_usage => ["digitalSignature","keyEncipherment"],
|
202
|
+
:extended_key_usage => ["serverAuth"],
|
203
|
+
:certificate_policies => [
|
204
|
+
{ "policy_identifier" => "2.16.840.1.12345.1.2.3.4.1",
|
205
|
+
"cps_uris" => ["http://example.com/cps","http://other.com/cps"],
|
206
|
+
"user_notices" => [ {"explicit_text" => "thing", "organization" => "my org", "notice_numbers" => "1,2,3,4"} ]
|
230
207
|
}
|
231
|
-
|
232
|
-
|
208
|
+
],
|
209
|
+
:subject_item_policy => subject_item_policy
|
210
|
+
)
|
211
|
+
end
|
212
|
+
|
213
|
+
def self.test_ca_subroot_profile
|
214
|
+
R509::Config::CAProfile.new(
|
215
|
+
:basic_constraints => {"ca" => true, "path_length" => 0 },
|
216
|
+
:key_usage => ["keyCertSign","cRLSign"],
|
217
|
+
:extended_key_usage => [],
|
218
|
+
:certificate_policies => nil)
|
219
|
+
end
|
220
|
+
|
221
|
+
def self.test_ca_ocspsigner_profile
|
222
|
+
R509::Config::CAProfile.new(
|
223
|
+
:basic_constraints => { "ca" => false },
|
224
|
+
:key_usage => ["digitalSignature"],
|
225
|
+
:extended_key_usage => ["OCSPSigning"],
|
226
|
+
:certificate_policies => nil)
|
227
|
+
end
|
228
|
+
|
229
|
+
# @return [R509::Config::CAConfig]
|
230
|
+
def self.test_ca_config
|
231
|
+
crl_list_sio = StringIO.new
|
232
|
+
crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding)
|
233
|
+
crl_number_sio = StringIO.new
|
234
|
+
crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding)
|
235
|
+
|
236
|
+
opts = {
|
237
|
+
:ca_cert => test_ca_cert(),
|
238
|
+
:cdp_location => ['http://crl.domain.com/test_ca.crl'],
|
239
|
+
:ocsp_location => ['http://ocsp.domain.com'],
|
240
|
+
:ocsp_start_skew_seconds => 3600,
|
241
|
+
:ocsp_validity_hours => 48,
|
242
|
+
:crl_list_file => crl_list_sio,
|
243
|
+
:crl_number_file => crl_number_sio
|
244
|
+
}
|
245
|
+
ret = R509::Config::CAConfig.new(opts)
|
246
|
+
|
247
|
+
ret.set_profile("server", self.test_ca_server_profile)
|
248
|
+
ret.set_profile("subroot", self.test_ca_subroot_profile)
|
249
|
+
ret.set_profile("ocspsigner", self.test_ca_ocspsigner_profile)
|
250
|
+
ret.set_profile("server_with_subject_item_policy", self.test_ca_server_profile_with_subject_item_policy)
|
251
|
+
|
252
|
+
ret
|
253
|
+
end
|
254
|
+
|
255
|
+
# @return [R509::Config::CAConfig]
|
256
|
+
def self.test_ca_no_profile_config
|
257
|
+
crl_list_sio = StringIO.new
|
258
|
+
crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding)
|
259
|
+
crl_number_sio = StringIO.new
|
260
|
+
crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding)
|
261
|
+
|
262
|
+
opts = {
|
263
|
+
:ca_cert => test_ca_cert(),
|
264
|
+
:cdp_location => ['http://crl.domain.com/test_ca.crl'],
|
265
|
+
:ocsp_location => ['http://ocsp.domain.com'],
|
266
|
+
:ocsp_start_skew_seconds => 3600,
|
267
|
+
:ocsp_validity_hours => 48,
|
268
|
+
:crl_list_file => crl_list_sio,
|
269
|
+
:crl_number_file => crl_number_sio
|
270
|
+
}
|
271
|
+
R509::Config::CAConfig.new(opts)
|
272
|
+
end
|
273
|
+
|
274
|
+
def self.test_ca_ec_no_profile_config
|
275
|
+
crl_list_sio = StringIO.new
|
276
|
+
crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding)
|
277
|
+
crl_number_sio = StringIO.new
|
278
|
+
crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding)
|
279
|
+
|
280
|
+
opts = {
|
281
|
+
:ca_cert => test_ca_ec_cert(),
|
282
|
+
:cdp_location => ['http://crl.domain.com/test_ca.crl'],
|
283
|
+
:ocsp_location => ['http://ocsp.domain.com'],
|
284
|
+
:ocsp_start_skew_seconds => 3600,
|
285
|
+
:ocsp_validity_hours => 48,
|
286
|
+
:crl_list_file => crl_list_sio,
|
287
|
+
:crl_number_file => crl_number_sio
|
288
|
+
}
|
289
|
+
R509::Config::CAConfig.new(opts)
|
290
|
+
end
|
291
|
+
|
292
|
+
def self.test_ca_dsa_no_profile_config
|
293
|
+
crl_list_sio = StringIO.new
|
294
|
+
crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding)
|
295
|
+
crl_number_sio = StringIO.new
|
296
|
+
crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding)
|
297
|
+
|
298
|
+
opts = {
|
299
|
+
:ca_cert => test_ca_dsa_cert(),
|
300
|
+
:cdp_location => ['http://crl.domain.com/test_ca.crl'],
|
301
|
+
:ocsp_location => ['http://ocsp.domain.com'],
|
302
|
+
:ocsp_start_skew_seconds => 3600,
|
303
|
+
:ocsp_validity_hours => 48,
|
304
|
+
:crl_list_file => crl_list_sio,
|
305
|
+
:crl_number_file => crl_number_sio
|
306
|
+
}
|
307
|
+
R509::Config::CAConfig.new(opts)
|
308
|
+
end
|
233
309
|
end
|
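Review bot: The four config builders `test_ca_config`, `test_ca_no_profile_config`, `test_ca_ec_no_profile_config` and `test_ca_dsa_no_profile_config` (new lines 230–308) each repeat the same two `StringIO`/`set_encoding` stanzas and the same seven-key `opts` hash, differing only in the `:ca_cert` value; this commit already had to apply the `:cdp_location`/`:ocsp_location` change from `URI:` strings to arrays four times over, which is the cost of that duplication. A pair of private helpers that take the CA cert and hand out a binary StringIO would leave one place to update when `CAConfig`'s option names move again. The same copy exists between `test_ca_server_profile` and `test_ca_server_profile_with_subject_item_policy` (new lines 176–211), where only `:subject_item_policy` differs. A one-line comment above `read_fixture` would also help newcomers, e.g. `# Reads spec/fixtures/<filename> via IOHelpers.read_data; the constants below are evaluated at require time.`
```ruby
  # Option hash shared by every CAConfig fixture; only the signing cert differs.
  # CRL list/number state lives in in-memory StringIO objects.
  def self.base_ca_config_opts(ca_cert)
    {
      :ca_cert => ca_cert,
      :cdp_location => ['http://crl.domain.com/test_ca.crl'],
      :ocsp_location => ['http://ocsp.domain.com'],
      :ocsp_start_skew_seconds => 3600,
      :ocsp_validity_hours => 48,
      :crl_list_file => binary_string_io,
      :crl_number_file => binary_string_io
    }
  end

  # StringIO with a BINARY external encoding where the Ruby in use supports it.
  def self.binary_string_io
    sio = StringIO.new
    sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
    sio
  end

  # @return [R509::Config::CAConfig]
  def self.test_ca_no_profile_config
    R509::Config::CAConfig.new(base_ca_config_opts(test_ca_cert))
  end
  # … unchanged: test_ca_config keeps its four set_profile calls; the ec/dsa variants pass test_ca_ec_cert / test_ca_dsa_cert …
```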