r509 0.8.1 → 0.9

data/spec/fixtures/cert_inhibit.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIDxzCCAq+gAwIBAgITBhuZ2GKrMaqouwMAdUd2WxRqaDANBgkqhkiG9w0BAQUF
+ADBeMQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0No
+aWNhZ28xGDAWBgNVBAoMD1J1YnkgQ0EgUHJvamVjdDEQMA4GA1UEAwwHVGVzdCBD
+QTAeFw0xMzAyMjgxNTU1MzdaFw0xNDAyMjgxNTU1MzdaMFwxCzAJBgNVBAYTAlVT
+MREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEUMBIGA1UECgwL
+UGF1bCBLZWhyZXIxEjAQBgNVBAMMCWxhbmd1aS5zaDCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEA6frmrtJEz73UkWSruBiyY5w/wp4P2VeiqL87bVHsvre9TPgk
+xv1rP77najJoTfXF0uU3BM12NOp6MPiLN6VUDqHDpxm6gMKupw8uO9imWfLempmk
+Htb9a2WatE4RlEbZ2RPE/pCw9+Qh3fnfx/hhIyy7cEVW7yt+XA2nbKEQj30CAwEA
+AaOCAQIwgf8wDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYI
+KwYBBQUHAwkwHQYDVR0OBBYEFH80pVy8eJRmpuK4LMVjEMLt5TS1MIGQBgNVHSME
+gYgwgYWAFHl1u4Q6yyzeegm+MRtDvBwqTVNYoWKkYDBeMQswCQYDVQQGEwJVUzER
+MA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xGDAWBgNVBAoMD1J1
+YnkgQ0EgUHJvamVjdDEQMA4GA1UEAwwHVGVzdCBDQYIJAP/ZxwuHN9GUMAoGA1Ud
+NgQDAgECMA8GCSsGAQUFBzABBQQCBQAwDQYJKoZIhvcNAQEFBQADggEBAC0zbl89
+5cQTfQaKhv5/zqVkKJwDW4cd65SiifCfUXRZjLAXEX09C/otgUkfPjjyQy1zrW9g
+ASAj6vmgmMF7H/jbDrvnc41gmIP8Mjks15nzNrQGWDABSW09dvYftabtdW+a2H3s
+tP+j7ffESYjORVVdvC+K6TuWe7+DLJU3I3U8RdofBcsatoh5nrx/SAzKEoBvK+W1
+2KFEKLohfHqklKqG/CgdxYZQ0S84Y9WyZeNu6NWCatbOxfuso7UvEe3KEswydoI0
+hb7utIzS9SrOCLjrjx/+sMHmRcZLxOlXpsvWSzIER59m1IhPXW+GODr1ncm6arzJ
+HK7eM5tycWgezug=
+-----END CERTIFICATE-----
+

data/spec/fixtures/cert_name_constraints.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE/DCCA+SgAwIBAgITBhuZ3ySw6h4gR/4/JytMagVO+zANBgkqhkiG9w0BAQUF
+ADBeMQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0No
+aWNhZ28xGDAWBgNVBAoMD1J1YnkgQ0EgUHJvamVjdDEQMA4GA1UEAwwHVGVzdCBD
+QTAeFw0xMzAyMjgxNTU3MDdaFw0xNDAyMjgxNTU3MDdaMBUxEzARBgNVBAMMCnRl
+c3QubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCY/uX1Ubcz
+xFmF8Zreir5uqci+44YCZ7WLDuaqT2Z+z//RRBbeWabf41a/1fO+TjRVcEDse4rg
+ai8oYVPkv0qSLibS+LopWzDG561tUYFzuHccoji9l7sjpNKNPVaBUyTABVNv8Lsb
+ElXsNq8YCVUpYJjOtDR9UzLDCqnvNSNEnkOP7Ln67EqNy0R3Sdlvz7hjY8GAXK3Z
+Vf8N7llTSTEjMPw2euKTnNvUsLPNXaOFLD+QiNYdkTCFab/Mo93QwtFdJ5W0TibE
+hvMy+t6AOKwlcY5TK8NeUaVEiLlYV2vjs2qIoJjzxl50eWqfZvgg/WMsrOXMn88n
+L2Fhd0zhTLKLAgMBAAGjggH6MIIB9jAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUmykTi7GXDZktqm1zBdyg
+uGzVePcwgZAGA1UdIwSBiDCBhYAUeXW7hDrLLN56Cb4xG0O8HCpNU1ihYqRgMF4x
+CzAJBgNVBAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2Fn
+bzEYMBYGA1UECgwPUnVieSBDQSBQcm9qZWN0MRAwDgYDVQQDDAdUZXN0IENBggkA
+/9nHC4c30ZQwgZAGA1UdIASBiDCBhTCBggYLYIZIAeA5AQIDBAEwczAiBggrBgEF
+BQcCARYWaHR0cDovL2V4YW1wbGUuY29tL2NwczAgBggrBgEFBQcCARYUaHR0cDov
+L290aGVyLmNvbS9jcHMwKwYIKwYBBQUHAgIwHzAWFgZteSBvcmcwDAIBAQIBAgIB
+AwIBBBoFdGhpbmcwFwYDVR0eBBAwDqAMMAqHCMCoAAD//wAAMDIGA1UdHwQrMCkw
+J6AloCOGIWh0dHA6Ly9jcmwuZG9tYWluLmNvbS90ZXN0X2NhLmNybDAyBggrBgEF
+BQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmRvbWFpbi5jb20wDQYJ
+KoZIhvcNAQEFBQADggEBAAKT5YqwEKFpC82ZGTnggTeK6j2sJH2NhkkxnIYy87PW
+V4ZIzcxRPAnBCDsS9kgWY/ZN/sn9iS5el7ugrIDmlrFCDK1wf5LFsKjZzZYFdLHV
+TqOwuin1x412sKZq+SkNN5WOC2IgM+sDr/r408PilCepb1g51QUzzc5xauoL57gK
+JQHdZAI/VvzLI1ynA4fgoWlx7O17Cascl5qTwqoz2pUOZdjeORB28asFnBl7x6EC
+30SF14u8ysFIZFfEeNWRG0eo/YN8TAViYeEVj9YY/YfRVrL5nlFwhc8HxVggIxny
+DdK3rW3mBzFIvEScXOCoVCgqfgvlFJl1O8CJDfFo3bE=
+-----END CERTIFICATE-----

data/spec/fixtures/cert_ocsp_no_check.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAjGgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJVUzER
+MA8GA1UECgwIcjUwOSBMTEMxITAfBgNVBAMMGHI1MDkgU2VsZi1TaWduZWQgQ0Eg
+VGVzdDAeFw0xMzAyMTMwMzQ0MjZaFw0zMzAyMDgwMzQ0MjZaMEMxCzAJBgNVBAYT
+AlVTMREwDwYDVQQKDAhyNTA5IExMQzEhMB8GA1UEAwwYcjUwOSBTZWxmLVNpZ25l
+ZCBDQSBUZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/gXlcDrEOg6DE
++XDOPSWCK8AqQwTU07o/Xv6hDkTru9MqMS1aezVEWkU7efOiNV9S+/RWkJsk7v8B
+SpGJAbPmiUoBfq97PFHL9ihoYxfU3WsKwerioRXE7/S+JWg40jU0lds2RLaNm+jd
+i6zQ/EIMfaaOrTHuX7ldVyQ26oBE5wIDAQABo4HLMIHIMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFMwjK5iinqX661nU2q67sJFkiugNMB0GA1UdEQQWMBSCCHNh
+bm5hbWUxgghzYW5uYW1lMjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmRv
+bWFpbi5jb20vdGVzdF9jYS5jcmwwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB
+hhZodHRwOi8vb2NzcC5kb21haW4uY29tMA8GCSsGAQUFBzABBQQCBQAwDQYJKoZI
+hvcNAQELBQADgYEAD1LY3/3GaitU4l8CGpLhIDct4n03eS0ppP2XCmypBToFRggj
+dsYbzIUwBbxn25ovW6K9801caAKoWhJkKuQO+HUYzMosX+84tZZFuIl7Jrf2LS0Q
+m6ygdxoaFz3mFg4/gMvWvFyxMZGupgzpAC5t2aghOKzQeMXoEYRB3q4/QFw=
+-----END CERTIFICATE-----
+

data/spec/fixtures/cert_policy_constraints.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFUjCCBDqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJLUjEN
+MAsGA1UEChMES0lTQTEuMCwGA1UECxMlS29yZWEgQ2VydGlmaWNhdGlvbiBBdXRo
+b3JpdHkgQ2VudHJhbDEWMBQGA1UEAxMNS0lTQSBSb290Q0EgMzAeFw0wNDExMTkw
+NjM5NTFaFw0xNDExMTkwNjM5NTFaMGQxCzAJBgNVBAYTAktSMQ0wCwYDVQQKEwRL
+SVNBMS4wLAYDVQQLEyVLb3JlYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBDZW50
+cmFsMRYwFAYDVQQDEw1LSVNBIFJvb3RDQSAzMIIBIDANBgkqhkiG9w0BAQEFAAOC
+AQ0AMIIBCAKCAQEA3rrtF2Wu0b1KPazbgHLMWOHn4ZPazDB6z+8Lri2nQ6u/p0LP
+CFYIpEcdffqG79gwlyY0YTyADvjU65/8IjAboW0+40zSVU4WQDfC9gdu2we1pYyW
+geKbXH6UYcjOhDyx+gDmctMJhXfp3F4hT7TkTvTiF6tQrxz/oTlYdVsSspa5jfBw
+YkhbVigqpYeRNrkeJPW5unu2UlFbF1pgBWycwubGjD756t08jP+J3kNwrB248XXN
+OMpTDUdoasY8GMq94bS+DvTQ49IT+rBRERHUQavo9DmO4TSETwuTqmo4/OXGeEeu
+dhf6oYA3BgAVCP1rI476cg2V1ktisWjC3TSbXQIBA6OCAg8wggILMB8GA1UdIwQY
+MBaAFI+B8NqmzXQ8vmb0FWtGpP4GKMyqMB0GA1UdDgQWBBSPgfDaps10PL5m9BVr
+RqT+BijMqjAOBgNVHQ8BAf8EBAMCAQYwggEuBgNVHSAEggElMIIBITCCAR0GBFUd
+IAAwggETMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3LnJvb3RjYS5vci5rci9yY2Ev
+Y3BzLmh0bWwwgd4GCCsGAQUFBwICMIHRHoHOx3QAIMd4yZ3BHLKUACCs9cd4x3jJ
+ncEcx4WyyLLkACgAVABoAGkAcwAgAGMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGkA
+cwAgAGEAYwBjAHIAZQBkAGkAdABlAGQAIAB1AG4AZABlAHIAIABFAGwAZQBjAHQA
+cgBvAG4AaQBjACAAUwBpAGcAbgBhAHQAdQByAGUAIABBAGMAdAAgAG8AZgAgAHQA
+aABlACAAUgBlAHAAdQBiAGwAaQBjACAAbwBmACAASwBvAHIAZQBhACkwMwYDVR0R
+BCwwKqQoMCYxJDAiBgNVBAMMG+2VnOq1reygleuztOuztO2YuOynhO2dpeybkDAz
+BgNVHRIELDAqpCgwJjEkMCIGA1UEAwwb7ZWc6rWt7KCV67O067O07Zi47KeE7Z2l
+7JuQMA8GA1UdEwEB/wQFMAMBAf8wDAYDVR0kBAUwA4ABADANBgkqhkiG9w0BAQUF
+AAOCAQEAz9b3Dv2wjG4FFY6oXCuyWtEeV6ZeGKqCEQj8mbdbp+PI0qLT+SQ09+Pk
+rolUR9NpScmAwRHr4inH9gaLX7riXs+rw87P7pIl3J85Hg4D9N6QW6FwmVzHc07J
+pHVJeyWhn4KSjU3sYcUMMqfHODiAVToqgx2cZHm5Dac1Smjvj/8F2LpOVmHY+Epw
+mAiWk9hgxzrsX58dKzVPSBShmrtv7tIDhlPxEMcHVGJeNo7iHCsdF03m9VrvirqC
+6HfZKBF+N4dKlArJQOk1pTr7ZD7yXxZ683bXzu4/RB1Fql8RqlMcOh9SUWJUD6OQ
+Nc9Nb7rHviwJ8TX4Absk3TC8SA/u2Q==
+-----END CERTIFICATE-----

data/spec/fixtures/cert_unknown_extension.pem

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
+VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
+ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
+KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u
+ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1
+MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE
+ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j
+b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF
+bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg
+U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA
+A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/
+I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3
+wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC
+AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb
+oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5
+BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p
+dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk
+MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp
+b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu
+dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0
+MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi
+E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa
+MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI
+hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN
+95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd
+2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=
+-----END CERTIFICATE-----

data/spec/fixtures/config_pool_test_minimal.yaml

@@ -1,15 +1,15 @@
 certificate_authorities: {
-    test_ca: {
-        ca_cert: {
-            cert: 'test_ca.cer',
-            key: 'test_ca.key'
-        }
-    },
-    second_ca: {
-        ca_cert: {
-            cert: 'test_ca.cer',
-            key: 'test_ca.key'
-        }
+  test_ca: {
+    ca_cert: {
+      cert: 'test_ca.cer',
+      key: 'test_ca.key'
     }
+  },
+  second_ca: {
+    ca_cert: {
+      cert: 'test_ca.cer',
+      key: 'test_ca.key'
+    }
+  }
 }
 config_is_string: "this is bogus"

data/spec/fixtures/config_test.yaml

@@ -1,41 +1,59 @@
 test_ca: {
-    ca_cert: {
-        cert: 'test_ca.cer',
-        key: 'test_ca.key'
+  ca_cert: {
+    cert: 'test_ca.cer',
+    key: 'test_ca.key'
+  },
+  crl_list: "crl_list_file.txt",
+  crl_number: "crl_number_file.txt",
+  crl_validity_hours: 72,
+  ocsp_validity_hours: 96,
+  ocsp_start_skew_seconds: 1800,
+  message_digest: 'SHA1', #SHA1, SHA224, SHA256, SHA384, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
+  profiles: {
+    server: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [serverAuth],
     },
-    crl_list: "crl_list_file.txt",
-    crl_number: "crl_number_file.txt",
-    cdp_location: 'URI:http://crl.domain.com/test_ca.crl',
-    crl_validity_hours: 72,
-    ocsp_validity_hours: 96,
-    ocsp_start_skew_seconds: 1800,
-    ocsp_location: 'URI:http://ocsp.domain.com',
-    message_digest: 'SHA1', #SHA1, SHA256, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
-    profiles: {
-        server: {
-            basic_constraints: "CA:FALSE",
-            key_usage: [digitalSignature,keyEncipherment],
-            extended_key_usage: [serverAuth],
-            certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.1", "CPS.1=http://example.com/cps"] ]
-        },
-        client: {
-            basic_constraints: "CA:FALSE",
-            key_usage: [digitalSignature,keyEncipherment],
-            extended_key_usage: [clientAuth],
-            certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.2", "CPS.1=http://example.com/cps"] ]
-        },
-        server_with_subject_item_policy: {
-            basic_constraints: "CA:FALSE",
-            key_usage: [digitalSignature,keyEncipherment],
-            extended_key_usage: [serverAuth],
-            certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.1", "CPS.1=http://example.com/cps"] ],
-            subject_item_policy: {
-                "CN" : "required",
-                "O" : "optional",
-                "ST" : "required",
-                "C" : "required",
-                "OU" : "optional" }
-        }
+    ocsp_delegate_with_no_check: {
+      ocsp_no_check: true
+    },
+    inhibit_policy: {
+      inhibit_any_policy: 2
+    },
+    policy_constraints: {
+      policy_constraints: { require_explicit_policy: 1, inhibit_policy_mapping: 0 }
+    },
+    name_constraints: {
+      name_constraints: {
+        permitted: [
+          {type: "IP", value: "192.168.0.0/255.255.0.0"},
+          {type: "dirName", value: [['CN','myCN'],['O','Org']]}
+        ],
+        excluded: [
+          {type: "email", value: "domain.com"},
+          {type: "URI", value: ".net"},
+          {type: "DNS", value: "test.us"}
+        ]
+      }
+    },
+    client: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [clientAuth],
+      ocsp_no_check: false
+    },
+    server_with_subject_item_policy: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [serverAuth],
+      subject_item_policy: {
+        "CN" : "required",
+        "O" : "optional",
+        "ST" : "required",
+        "C" : "required",
+        "OU" : "optional" }
     }
+  }
 }
 config_is_string: "this is bogus"

data/spec/fixtures/config_test_dsa.yaml

@@ -0,0 +1,35 @@
+test_ca_dsa: {
+  ca_cert: {
+    cert: 'dsa_root.cer',
+    key: 'dsa_root.key'
+  },
+  crl_list: "crl_list_file.txt",
+  crl_number: "crl_number_file.txt",
+  crl_validity_hours: 72,
+  ocsp_validity_hours: 96,
+  ocsp_start_skew_seconds: 1800,
+  message_digest: 'SHA1', #SHA1, SHA224, SHA256, SHA384, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
+  profiles: {
+    server: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [serverAuth],
+    },
+    client: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [clientAuth],
+    },
+    server_with_subject_item_policy: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [serverAuth],
+      subject_item_policy: {
+        "CN" : "required",
+        "O" : "optional",
+        "ST" : "required",
+        "C" : "required",
+        "OU" : "optional" }
+    }
+  }
+}

data/spec/fixtures/config_test_ec.yaml

@@ -0,0 +1,35 @@
+test_ca_ec: {
+  ca_cert: {
+    cert: 'test_ca_ec.cer',
+    key: 'test_ca_ec.key'
+  },
+  crl_list: "crl_list_file.txt",
+  crl_number: "crl_number_file.txt",
+  crl_validity_hours: 72,
+  ocsp_validity_hours: 96,
+  ocsp_start_skew_seconds: 1800,
+  message_digest: 'SHA384', #SHA1, SHA224, SHA256, SHA384, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
+  profiles: {
+    server: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [serverAuth],
+    },
+    client: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [clientAuth],
+    },
+    server_with_subject_item_policy: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [serverAuth],
+      subject_item_policy: {
+        "CN" : "required",
+        "O" : "optional",
+        "ST" : "required",
+        "C" : "required",
+        "OU" : "optional" }
+    }
+  }
+}

data/spec/fixtures/config_test_engine_key.yaml

@@ -1,7 +1,7 @@
 engine_and_key: {
-    ca_cert: {
-        cert: 'test_ca.cer',
-        key: 'test_ca.key',
-        engine: 'chil'
-    }
+  ca_cert: {
+    cert: 'test_ca.cer',
+    key: 'test_ca.key',
+    engine: 'chil'
+  }
 }

data/spec/fixtures/config_test_engine_no_key_name.yaml

@@ -1,6 +1,6 @@
 engine_no_key_name: {
-    ca_cert: {
-        cert: 'test_ca.cer',
-        engine: 'chil'
-    }
+  ca_cert: {
+    cert: 'test_ca.cer',
+    engine: 'chil'
+  }
 }

data/spec/fixtures/config_test_minimal.yaml

@@ -1,7 +1,7 @@
 test_ca: {
-    ca_cert: {
-        cert: 'test_ca.cer',
-        key: 'test_ca.key'
-    }
+  ca_cert: {
+    cert: 'test_ca.cer',
+    key: 'test_ca.key'
+  }
 }
 config_is_string: "this is bogus"

data/spec/fixtures/config_test_password.yaml

@@ -1,7 +1,7 @@
 password_ca: {
-    ca_cert: {
-        cert: 'test_ca.cer',
-        key: 'test_ca_des3.key',
-        password: 'r509'
-    }
+  ca_cert: {
+    cert: 'test_ca.cer',
+    key: 'test_ca_des3.key',
+    password: 'r509'
+  }
 }

data/spec/fixtures/config_test_various.yaml

@@ -1,100 +1,137 @@
 pkcs12_ca: {
-    ca_cert: {
-        pkcs12: "test_ca.p12",
-        password: "r509"
-    }
+  ca_cert: {
+    pkcs12: "test_ca.p12",
+    password: "r509"
+  }
 }
 pkcs12_key_ca: {
-    ca_cert: {
-        pkcs12: "test_ca.p12",
-        password: "r509",
-        key: "test_ca.cer"
-    }
+  ca_cert: {
+    pkcs12: "test_ca.p12",
+    password: "r509",
+    key: "test_ca.cer"
+  }
 }
 pkcs12_cert_ca: {
-    ca_cert: {
-        pkcs12: "test_ca.p12",
-        password: "r509",
-        cert: "test_ca.cer"
-    }
+  ca_cert: {
+    pkcs12: "test_ca.p12",
+    password: "r509",
+    cert: "test_ca.cer"
+  }
 }
 pkcs12_engine_ca: {
-    ca_cert: {
-        pkcs12: "test_ca.p12",
-        password: "r509",
-        engine: "chil",
-        key_name: "r509_key"
-    }
+  ca_cert: {
+    pkcs12: "test_ca.p12",
+    password: "r509",
+    engine: "chil",
+    key_name: "r509_key"
+  }
 }
 cert_no_key_ca: {
-    ca_cert: {
-        cert: "test_ca.cer"
-    }
+  ca_cert: {
+    cert: "test_ca.cer"
+  }
 }
 missing_key_identifier_ca: {
-    ca_cert: {
-        cert: 'missing_key_identifier_ca.cer',
-        key: 'missing_key_identifier_ca.key'
-    },
-    message_digest: 'SHA1', #SHA1, SHA256, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
-    profiles: {
-        server: {
-            basic_constraints: "CA:FALSE",
-            key_usage: [digitalSignature,keyEncipherment],
-            extended_key_usage: [serverAuth],
-            certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.3.0"], [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.1", "CPS.1=http://example.com/cps"] ]
-        }
+  ca_cert: {
+    cert: 'missing_key_identifier_ca.cer',
+    key: 'missing_key_identifier_ca.key'
+  },
+  message_digest: 'SHA1',
+  profiles: {
+    server: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [serverAuth],
     }
+  }
 }
 multi_policy_ca: {
-    ca_cert: {
-        cert: 'test_ca.cer',
-        key: 'test_ca.key'
-    },
-    message_digest: 'SHA1', #SHA1, SHA256, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
-    profiles: {
-        server: {
-            basic_constraints: "CA:FALSE",
-            key_usage: [digitalSignature,keyEncipherment],
-            extended_key_usage: [serverAuth],
-            certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.3.0"], [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.1", "CPS.1=http://example.com/cps"] ]
+  ca_cert: {
+    cert: 'test_ca.cer',
+    key: 'test_ca.key'
+  },
+  message_digest: 'SHA1',
+  profiles: {
+    server: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [serverAuth],
+      certificate_policies: [
+        { policy_identifier: "2.16.840.1.99999.21.234",
+          cps_uris: ["http://example.com/cps","http://haha.com"],
+          user_notices: [ { explicit_text: "this is a great thing", organization: "my org", notice_numbers: "1,2,3" } ]
+        },
+        { policy_identifier: "2.16.840.1.99999.21.235",
+          cps_uris: ["http://example.com/cps2"],
+          user_notices: [ { explicit_text: "this is a bad thing", organization: "another org", notice_numbers: "3,2,1" },{ explicit_text: "another user notice"} ]
         }
+      ]
     }
+  }
 }
 ocsp_delegate_ca: {
-    ca_cert: {
-        cert: 'test_ca.cer'
-    },
-    ocsp_cert: {
-        cert: 'test_ca_ocsp.cer',
-        key: 'test_ca_ocsp.key'
-    }
+  ca_cert: {
+    cert: 'test_ca.cer'
+  },
+  ocsp_cert: {
+    cert: 'test_ca_ocsp.cer',
+    key: 'test_ca_ocsp.key'
+  }
 }
 ocsp_chain_ca: {
-    ca_cert: {
-        cert: 'test_ca.cer'
-    },
-    ocsp_cert: {
-        cert: 'test_ca_ocsp.cer',
-        key: 'test_ca_ocsp.key'
-    },
-    ocsp_chain: 'test_ca_ocsp_chain.txt'
+  ca_cert: {
+    cert: 'test_ca.cer'
+  },
+  ocsp_cert: {
+    cert: 'test_ca_ocsp.cer',
+    key: 'test_ca_ocsp.key'
+  },
+  ocsp_chain: 'test_ca_ocsp_chain.txt'
 }
 ocsp_pkcs12_ca: {
-    ca_cert: {
-        cert: 'test_ca.cer'
-    },
-    ocsp_cert: {
-        pkcs12: 'test_ca_ocsp.p12',
-        password: 'r509'
-    }
+  ca_cert: {
+    cert: 'test_ca.cer'
+  },
+  ocsp_cert: {
+    pkcs12: 'test_ca_ocsp.p12',
+    password: 'r509'
+  }
 }
 ocsp_engine_ca: {
-    ca_cert: {
-        cert: 'test_ca.cer'
-    },
-    ocsp_cert: {
-        cert: 'test_ca_ocsp.cer',
-        engine: 'chil'
+  ca_cert: {
+    cert: 'test_ca.cer'
+  },
+  ocsp_cert: {
+    cert: 'test_ca_ocsp.cer',
+    engine: 'chil'
+  }
+}
+all_eku_ca: {
+  ca_cert: {
+    cert: 'test_ca.cer',
+    key: 'test_ca.key'
+  },
+  message_digest: 'SHA1',
+  profiles: {
+    smorgasbord: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature,keyEncipherment],
+      extended_key_usage: [serverAuth,clientAuth,codeSigning,emailProtection,OCSPSigning,timeStamping],
+    }
+  }
+}
+ocsp_no_check_ca: {
+  ca_cert: {
+    cert: 'test_ca.cer',
+    key: 'test_ca.key'
+  },
+  message_digest: 'SHA1',
+  profiles: {
+    ocsp_no_check_delegate: {
+      basic_constraints: { "ca" : false },
+      key_usage: [digitalSignature],
+      extended_key_usage: [OCSPSigning],
+      ocsp_no_check: true
     }
+  }
 }