r509 0.8.1 → 0.9

data/spec/ocsp_spec.rb

@@ -2,110 +2,110 @@ require 'spec_helper'
 require 'r509/ocsp'
 require 'openssl'
 
-describe R509::Ocsp::Response do
-    before :all do
-        @ocsp_test_cert = TestFixtures::OCSP_TEST_CERT
-        @test_ca_config = TestFixtures.test_ca_config
-        @test_ca_ocsp_response = TestFixtures::TEST_CA_OCSP_RESPONSE
-        @test_ca_subroot_ocsp_response = TestFixtures::TEST_CA_SUBROOT_OCSP_RESPONSE
-        @ocsp_response_der = TestFixtures::STCA_OCSP_RESPONSE
-        @stca_cert = TestFixtures::STCA_CERT
-    end
-    it "raises an exception if you try to pass the wrong type to the constructor" do
-        expect { R509::Ocsp::Response.new(@ocsp_response_der) }.to raise_error(R509::R509Error, 'You must pass an OpenSSL::OCSP::Response object to the constructor. See R509::Ocsp::Response.parse if you are trying to parse')
-    end
-    it "raises an exception if you pass nil to #parse" do
-        expect { R509::Ocsp::Response.parse(nil) }.to raise_error(R509::R509Error, 'You must pass a DER encoded OCSP response to this method')
-    end
-    it "parses a response der and returns the right object on #parse" do
-        ocsp_response = R509::Ocsp::Response.parse(@ocsp_response_der)
-        ocsp_response.kind_of?(R509::Ocsp::Response).should == true
-        ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
-    end
-    it "returns data on to_der" do
-        ocsp_response = R509::Ocsp::Response.parse(@ocsp_response_der)
-        ocsp_response.to_der.should_not == nil
-    end
-    it "returns a BasicResponse object on #basic" do
-        ocsp_response = R509::Ocsp::Response.parse(@ocsp_response_der)
-        ocsp_response.basic.kind_of?(OpenSSL::OCSP::BasicResponse).should == true
-    end
-    it "returns true if response verifies (in validity period, chain builds to trusted root that's provided)" do
-        ocsp_response = R509::Ocsp::Response.parse(@test_ca_ocsp_response)
-        ocsp_response.verify(TestFixtures.test_ca_config.ca_cert.cert).should == true
-    end
-    it "verify supports an single certificate and uses it to validate" do
-        ocsp_response = R509::Ocsp::Response.parse(@test_ca_ocsp_response)
-        ocsp_response.verify(TestFixtures.test_ca_config.ca_cert.cert).should == true
-    end
-    it "verify supports an array of certificates and uses all of them to validate a chain" do
-        ocsp_response = R509::Ocsp::Response.parse(@test_ca_subroot_ocsp_response)
-        ocsp_response.verify([TestFixtures.test_ca_config.ca_cert.cert,TestFixtures.test_ca_subroot_cert.cert]).should == true
-    end
-    it "verify returns false if you don't give it enough certs to build a chain to a trusted root" do
-        ocsp_response = R509::Ocsp::Response.parse(@test_ca_subroot_ocsp_response)
-        ocsp_response.verify([TestFixtures.test_ca_config.ca_cert.cert]).should == false
-    end
-    it "returns false if response does not verify" do
-        #expired response
-        ocsp_response = R509::Ocsp::Response.parse(@ocsp_response_der)
-        ocsp_response.verify(OpenSSL::X509::Certificate.new(@stca_cert)).should == false
-    end
-    it "nonce is present and equal" do
-        ocsp_request = OpenSSL::OCSP::Request.new
-        ocsp_request.add_nonce
-        basic_response = OpenSSL::OCSP::BasicResponse.new
-        basic_response.copy_nonce(ocsp_request)
-        response_double = double("ocsp_response")
-        response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
-        response_double.should_receive(:basic).and_return(basic_response)
-        ocsp_response = R509::Ocsp::Response.new(response_double)
-        ocsp_response.check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::PRESENT_AND_EQUAL
-    end
-    it "no nonce" do
-        ocsp_request = OpenSSL::OCSP::Request.new
-        basic_response = OpenSSL::OCSP::BasicResponse.new
-        basic_response.copy_nonce(ocsp_request)
-        response_double = double("ocsp_response")
-        response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
-        response_double.should_receive(:basic).and_return(basic_response)
-        ocsp_response = R509::Ocsp::Response.new(response_double)
-        ocsp_response.check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::BOTH_ABSENT
-    end
-    it "has a nonce in the response only" do
-        ocsp_request = OpenSSL::OCSP::Request.new
-        nonce_request = OpenSSL::OCSP::Request.new
-        nonce_request.add_nonce
-        basic_response = OpenSSL::OCSP::BasicResponse.new
-        basic_response.copy_nonce(nonce_request)
-        response_double = double("ocsp_response")
-        response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
-        response_double.should_receive(:basic).and_return(basic_response)
-        ocsp_response = R509::Ocsp::Response.new(response_double)
-        ocsp_response.check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::RESPONSE_ONLY
-    end
-    it "nonce in request and response is not equal" do
-        ocsp_request = OpenSSL::OCSP::Request.new
-        ocsp_request.add_nonce
-        second_request = OpenSSL::OCSP::Request.new
-        second_request.add_nonce
-        basic_response = OpenSSL::OCSP::BasicResponse.new
-        basic_response.copy_nonce(ocsp_request)
-        response_double = double("ocsp_response")
-        response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
-        response_double.should_receive(:basic).and_return(basic_response)
-        ocsp_response = R509::Ocsp::Response.new(response_double)
-        ocsp_response.check_nonce(second_request).should == R509::Ocsp::Request::Nonce::NOT_EQUAL
-    end
-    it "nonce in request only" do
-        ocsp_request = OpenSSL::OCSP::Request.new
-        ocsp_request.add_nonce
-        basic_response = OpenSSL::OCSP::BasicResponse.new
-        response_double = double("ocsp_response")
-        response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
-        response_double.should_receive(:basic).and_return(basic_response)
-        ocsp_response = R509::Ocsp::Response.new(response_double)
-        ocsp_response.check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::REQUEST_ONLY
-    end
+describe R509::OCSP::Response do
+  before :all do
+    @ocsp_test_cert = TestFixtures::OCSP_TEST_CERT
+    @test_ca_config = TestFixtures.test_ca_config
+    @test_ca_ocsp_response = TestFixtures::TEST_CA_OCSP_RESPONSE
+    @test_ca_subroot_ocsp_response = TestFixtures::TEST_CA_SUBROOT_OCSP_RESPONSE
+    @ocsp_response_der = TestFixtures::STCA_OCSP_RESPONSE
+    @stca_cert = TestFixtures::STCA_CERT
+  end
+  it "raises an exception if you try to pass the wrong type to the constructor" do
+    expect { R509::OCSP::Response.new(@ocsp_response_der) }.to raise_error(R509::R509Error, 'You must pass an OpenSSL::OCSP::Response object to the constructor. See R509::OCSP::Response.parse if you are trying to parse')
+  end
+  it "raises an exception if you pass nil to #parse" do
+    expect { R509::OCSP::Response.parse(nil) }.to raise_error(R509::R509Error, 'You must pass a DER encoded OCSP response to this method')
+  end
+  it "parses a response der and returns the right object on #parse" do
+    ocsp_response = R509::OCSP::Response.parse(@ocsp_response_der)
+    ocsp_response.kind_of?(R509::OCSP::Response).should == true
+    ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+  end
+  it "returns data on to_der" do
+    ocsp_response = R509::OCSP::Response.parse(@ocsp_response_der)
+    ocsp_response.to_der.should_not == nil
+  end
+  it "returns a BasicResponse object on #basic" do
+    ocsp_response = R509::OCSP::Response.parse(@ocsp_response_der)
+    ocsp_response.basic.kind_of?(OpenSSL::OCSP::BasicResponse).should == true
+  end
+  it "returns true if response verifies (in validity period, chain builds to trusted root that's provided)" do
+    ocsp_response = R509::OCSP::Response.parse(@test_ca_ocsp_response)
+    ocsp_response.verify(TestFixtures.test_ca_config.ca_cert.cert).should == true
+  end
+  it "verify supports an single certificate and uses it to validate" do
+    ocsp_response = R509::OCSP::Response.parse(@test_ca_ocsp_response)
+    ocsp_response.verify(TestFixtures.test_ca_config.ca_cert.cert).should == true
+  end
+  it "verify supports an array of certificates and uses all of them to validate a chain" do
+    ocsp_response = R509::OCSP::Response.parse(@test_ca_subroot_ocsp_response)
+    ocsp_response.verify([TestFixtures.test_ca_config.ca_cert.cert,TestFixtures.test_ca_subroot_cert.cert]).should == true
+  end
+  it "verify returns false if you don't give it enough certs to build a chain to a trusted root" do
+    ocsp_response = R509::OCSP::Response.parse(@test_ca_subroot_ocsp_response)
+    ocsp_response.verify([TestFixtures.test_ca_config.ca_cert.cert]).should == false
+  end
+  it "returns false if response does not verify" do
+    #expired response
+    ocsp_response = R509::OCSP::Response.parse(@ocsp_response_der)
+    ocsp_response.verify(OpenSSL::X509::Certificate.new(@stca_cert)).should == false
+  end
+  it "nonce is present and equal" do
+    ocsp_request = OpenSSL::OCSP::Request.new
+    ocsp_request.add_nonce
+    basic_response = OpenSSL::OCSP::BasicResponse.new
+    basic_response.copy_nonce(ocsp_request)
+    response_double = double("ocsp_response")
+    response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
+    response_double.should_receive(:basic).and_return(basic_response)
+    ocsp_response = R509::OCSP::Response.new(response_double)
+    ocsp_response.check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::PRESENT_AND_EQUAL
+  end
+  it "no nonce" do
+    ocsp_request = OpenSSL::OCSP::Request.new
+    basic_response = OpenSSL::OCSP::BasicResponse.new
+    basic_response.copy_nonce(ocsp_request)
+    response_double = double("ocsp_response")
+    response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
+    response_double.should_receive(:basic).and_return(basic_response)
+    ocsp_response = R509::OCSP::Response.new(response_double)
+    ocsp_response.check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::BOTH_ABSENT
+  end
+  it "has a nonce in the response only" do
+    ocsp_request = OpenSSL::OCSP::Request.new
+    nonce_request = OpenSSL::OCSP::Request.new
+    nonce_request.add_nonce
+    basic_response = OpenSSL::OCSP::BasicResponse.new
+    basic_response.copy_nonce(nonce_request)
+    response_double = double("ocsp_response")
+    response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
+    response_double.should_receive(:basic).and_return(basic_response)
+    ocsp_response = R509::OCSP::Response.new(response_double)
+    ocsp_response.check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::RESPONSE_ONLY
+  end
+  it "nonce in request and response is not equal" do
+    ocsp_request = OpenSSL::OCSP::Request.new
+    ocsp_request.add_nonce
+    second_request = OpenSSL::OCSP::Request.new
+    second_request.add_nonce
+    basic_response = OpenSSL::OCSP::BasicResponse.new
+    basic_response.copy_nonce(ocsp_request)
+    response_double = double("ocsp_response")
+    response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
+    response_double.should_receive(:basic).and_return(basic_response)
+    ocsp_response = R509::OCSP::Response.new(response_double)
+    ocsp_response.check_nonce(second_request).should == R509::OCSP::Request::Nonce::NOT_EQUAL
+  end
+  it "nonce in request only" do
+    ocsp_request = OpenSSL::OCSP::Request.new
+    ocsp_request.add_nonce
+    basic_response = OpenSSL::OCSP::BasicResponse.new
+    response_double = double("ocsp_response")
+    response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
+    response_double.should_receive(:basic).and_return(basic_response)
+    ocsp_response = R509::OCSP::Response.new(response_double)
+    ocsp_response.check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::REQUEST_ONLY
+  end
 
 end

data/spec/oid_mapper_spec.rb

@@ -1,5 +1,5 @@
 require 'spec_helper'
-require 'r509/oidmapper'
+require 'r509/oid_mapper'
 
 
 # NOTE
@@ -7,25 +7,25 @@ require 'r509/oidmapper'
 # each test. Accordingly, we MUST use OIDs (and short names) here that will not
 # be present in any other tests (or in the real world)
 
-describe R509::OidMapper do
-    it "registers one new oid" do
-        subject = R509::Subject.new [['1.4.3.2.1.2.3.5.5.5.5.5','random_oid']]
-        subject['1.4.3.2.1.2.3.5.5.5.5.5'].should == 'random_oid'
-        expect { R509::Subject.new [['myOidName','random_oid']] }.to raise_error(OpenSSL::X509::NameError,'invalid field name')
+describe R509::OIDMapper do
+  it "registers one new oid" do
+    subject = R509::Subject.new [['1.4.3.2.1.2.3.5.5.5.5.5','random_oid']]
+    subject['1.4.3.2.1.2.3.5.5.5.5.5'].should == 'random_oid'
+    expect { R509::Subject.new [['myOIDName','random_oid']] }.to raise_error(OpenSSL::X509::NameError,'invalid field name')
 
-        R509::OidMapper.register('1.4.3.2.1.2.3.5.5.5.5.5','myOidName').should == true
-        subject_new = R509::Subject.new [['myOidName','random_oid']]
-        subject_new['myOidName'].should == 'random_oid'
-    end
-    it "registers a batch of new oids" do
-        expect { R509::Subject.new [['testOidName','random_oid']] }.to raise_error(OpenSSL::X509::NameError,'invalid field name')
-        expect { R509::Subject.new [['anotherOidName','second_random']] }.to raise_error(OpenSSL::X509::NameError,'invalid field name')
-        R509::OidMapper.batch_register([
-        {:oid => '1.4.3.2.1.2.3.4.4.4.4', :short_name => 'testOidName'},
-        {:oid => '1.4.3.2.1.2.5.4.4.4.4', :short_name => 'anotherOidName'}
-        ])
-        subject_new = R509::Subject.new [['testOidName','random_oid'],['anotherOidName','second_random']]
-        subject_new['testOidName'].should == 'random_oid'
-        subject_new['anotherOidName'].should == 'second_random'
-    end
+    R509::OIDMapper.register('1.4.3.2.1.2.3.5.5.5.5.5','myOIDName').should == true
+    subject_new = R509::Subject.new [['myOIDName','random_oid']]
+    subject_new['myOIDName'].should == 'random_oid'
+  end
+  it "registers a batch of new oids" do
+    expect { R509::Subject.new [['testOIDName','random_oid']] }.to raise_error(OpenSSL::X509::NameError,'invalid field name')
+    expect { R509::Subject.new [['anotherOIDName','second_random']] }.to raise_error(OpenSSL::X509::NameError,'invalid field name')
+    R509::OIDMapper.batch_register([
+    {:oid => '1.4.3.2.1.2.3.4.4.4.4', :short_name => 'testOIDName'},
+    {:oid => '1.4.3.2.1.2.5.4.4.4.4', :short_name => 'anotherOIDName'}
+    ])
+    subject_new = R509::Subject.new [['testOIDName','random_oid'],['anotherOIDName','second_random']]
+    subject_new['testOIDName'].should == 'random_oid'
+    subject_new['anotherOIDName'].should == 'second_random'
+  end
 end

data/spec/private_key_spec.rb

@@ -0,0 +1,275 @@
+require 'spec_helper'
+require 'r509/private_key'
+require 'stringio'
+
+describe R509::PrivateKey do
+  before :all do
+    @key_csr = TestFixtures::KEY_CSR
+    @key_csr_encrypted = TestFixtures::KEY_CSR_ENCRYPTED
+    @csr_public_key_modulus = TestFixtures::CSR_PUBLIC_KEY_MODULUS
+    @key_csr_der = TestFixtures::KEY_CSR_DER
+    @dsa_key = TestFixtures::DSA_KEY
+    @ec_key_pem = TestFixtures::EC_KEY1
+    @ec_key_der = TestFixtures::EC_KEY1_DER
+    @ec_key_encrypted = TestFixtures::EC_KEY1_ENCRYPTED
+  end
+  it "throws an exception when given a type other than DSA, RSA, or EC" do
+    expect { R509::PrivateKey.new(:type=>:not_rsa_or_dsa) }.to raise_error(ArgumentError)
+  end
+  it "throws an exception when no hash is provided" do
+    expect { R509::PrivateKey.new('string') }.to raise_error(ArgumentError,'Must provide a hash of options')
+  end
+  it "returns the right value for #rsa?" do
+    private_key = R509::PrivateKey.new(:key=>@key_csr)
+    private_key.dsa?.should == false
+    private_key.ec?.should == false
+    private_key.rsa?.should == true
+  end
+  it "returns the right value for #dsa?" do
+    private_key = R509::PrivateKey.new(:key => @dsa_key)
+    private_key.rsa?.should == false
+    private_key.ec?.should == false
+    private_key.dsa?.should == true
+  end
+  it "generates a default 2048-bit RSA key when nothing is passed to the constructor" do
+    private_key = R509::PrivateKey.new
+    private_key.rsa?.should == true
+    private_key.bit_strength.should == 2048
+  end
+  it "defaults to RSA" do
+    private_key = R509::PrivateKey.new(:bit_strength=>1024)
+    private_key.key.kind_of?(OpenSSL::PKey::RSA).should == true
+  end
+  it "loads a pre-existing RSA key" do
+    private_key = R509::PrivateKey.new(:key=>@key_csr)
+    private_key.to_pem.should == @key_csr
+    @key_csr.should_not == nil
+  end
+  it "generates an RSA key at the default bit strength (2048)" do
+    private_key = R509::PrivateKey.new(:type => :rsa)
+    private_key.bit_strength.should == 2048
+    private_key.key.n.to_i.to_s(2).size.should == 2048
+  end
+  it "generates an RSA key at a custom bit strength" do
+    private_key = R509::PrivateKey.new(:type => :rsa, :bit_strength => 512)
+    private_key.bit_strength.should == 512
+    private_key.key.n.to_i.to_s(2).size.should == 512
+  end
+  it "loads a pre-existing DSA key" do
+    private_key = R509::PrivateKey.new(:key => @dsa_key)
+    private_key.key.kind_of?(OpenSSL::PKey::DSA).should == true
+    private_key.key.to_pem.should == @dsa_key
+    @dsa_key.should_not == nil
+  end
+  it "generates a DSA key at the default bit strength (2048)" do
+    private_key = R509::PrivateKey.new(:type => :dsa)
+    private_key.dsa?.should == true
+    private_key.bit_strength.should == 2048
+    private_key.key.p.to_i.to_s(2).size.should == 2048
+  end
+  it "generates a DSA key at a custom bit strength" do
+    private_key = R509::PrivateKey.new(:type => :dsa, :bit_strength => 512)
+    private_key.bit_strength.should == 512
+    private_key.key.p.to_i.to_s(2).size.should == 512
+  end
+  it "has an exponent of 65537 for new RSA keys" do
+    #this test actually checks ruby's underlying libs to make sure they're
+    #doing what they're supposed to be doing.
+    private_key = R509::PrivateKey.new(:type => :rsa, :bit_strength => 512)
+    private_key.key.e.should == 65537
+  end
+  it "returns the public key" do
+    private_key = R509::PrivateKey.new(:key => @key_csr)
+    private_key.public_key.n.to_i.should == @csr_public_key_modulus.to_i
+  end
+  it "returns pem" do
+    #load the DER, check that it matches the PEM on to_pem
+    private_key = R509::PrivateKey.new(:key => @key_csr_der)
+    private_key.to_pem.should == @key_csr
+  end
+  it "returns der" do
+    #load the PEM, check that it matches the DER on to_der
+    private_key = R509::PrivateKey.new(:key => @key_csr)
+    private_key.to_der.should == @key_csr_der
+  end
+  it "writes pem" do
+    private_key = R509::PrivateKey.new(:key => @key_csr)
+    sio = StringIO.new
+    sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
+    private_key.write_pem(sio)
+    sio.string.should == @key_csr
+  end
+  it "writes der" do
+    private_key = R509::PrivateKey.new(:key => @key_csr_der)
+    sio = StringIO.new
+    sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
+    private_key.write_der(sio)
+    sio.string.should == @key_csr_der
+  end
+  it "loads an encrypted private key with the right password" do
+    private_key = R509::PrivateKey.new(:key => @key_csr_encrypted, :password => 'Testing1')
+    private_key.public_key.n.to_i.should == @csr_public_key_modulus.to_i
+  end
+  it "fails to load an encrypted private key with wrong password" do
+    expect { R509::PrivateKey.new(:key => @key_csr_encrypted, :password => 'wrongPassword') }.to raise_error(R509::R509Error,"Failed to load private key. Invalid key or incorrect password.")
+  end
+  it "returns an encrypted pem" do
+    private_key = R509::PrivateKey.new(:key => @key_csr)
+    encrypted_private_key = private_key.to_encrypted_pem('des3','Testing1')
+    decrypted_private_key = R509::PrivateKey.new(:key => encrypted_private_key, :password => 'Testing1')
+    private_key.to_pem.should == decrypted_private_key.to_pem
+  end
+  it "writes an encrypted pem" do
+    private_key = R509::PrivateKey.new(:key => @key_csr)
+    sio = StringIO.new
+    sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
+    private_key.write_encrypted_pem(sio,'des3','Testing1')
+    sio.string.match(/Proc-Type: 4,ENCRYPTED/).should_not == nil
+  end
+  it "creates an encrypted private key with des3 cipher" do
+    private_key = R509::PrivateKey.new(:key => @key_csr)
+    sio = StringIO.new
+    sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
+    private_key.write_encrypted_pem(sio,'des3','Testing1')
+    sio.string.match(/DES-EDE3-CBC/).should_not == nil
+  end
+  it "creates an encrypted private key with aes128 cipher" do
+    private_key = R509::PrivateKey.new(:key => @key_csr)
+    sio = StringIO.new
+    sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
+    private_key.write_encrypted_pem(sio,'aes128','Testing1')
+    sio.string.match(/AES-128-CBC/).should_not == nil
+  end
+  it "returns false for in_hardware? when not using an engine" do
+    private_key = R509::PrivateKey.new(:key => @key_csr)
+    private_key.in_hardware?.should == false
+  end
+  it "returns true for in_hardware? when an engine is present" do
+    engine = double("engine")
+    engine.should_receive(:kind_of?).with(OpenSSL::Engine).and_return(true)
+    key_name = "r509_key"
+    key = R509::PrivateKey.new(
+      :engine => engine,
+      :key_name => key_name
+    )
+    key.in_hardware?.should == true
+  end
+  it "raises an error if you provide engine and key" do
+    expect { R509::PrivateKey.new(:key => @key_csr, :engine => 'not really an engine') }.to raise_error(ArgumentError, "You can't pass both :key and :engine")
+  end
+  it "raises an error if you provide a key_name with no engine" do
+    expect { R509::PrivateKey.new(:key_name => 'my_key') }.to raise_error(ArgumentError, 'When providing a :key_name you MUST provide an :engine')
+  end
+  it "raises an error when providing an engine with no key_name" do
+    expect { R509::PrivateKey.new(:engine => 'engine_goes_here') }.to raise_error(ArgumentError, 'When providing an :engine you MUST provide a :key_name')
+  end
+  it "raises an error if engine is not an OpenSSL::Engine" do
+    expect { R509::PrivateKey.new(:key_name => 'my_key', :engine => 'not really an engine') }.to raise_error(ArgumentError, 'When providing an engine, it must be of type OpenSSL::Engine')
+  end
+  it "raises an error if you call output methods (pem,der,write) when using a hardware key" do
+    engine = double("engine")
+    engine.should_receive(:kind_of?).with(OpenSSL::Engine).and_return(true)
+    key_name = "r509_key"
+    key = R509::PrivateKey.new(
+      :engine => engine,
+      :key_name => key_name
+    )
+    expect { key.to_pem }.to raise_error(R509::R509Error, "This method cannot be called when using keys in hardware")
+    expect { key.to_der }.to raise_error(R509::R509Error, "This method cannot be called when using keys in hardware")
+    expect { key.to_encrypted_pem('aes256','password') }.to raise_error(R509::R509Error, "This method cannot be called when using keys in hardware")
+    expect { key.write_encrypted_pem('/dev/null','aes256','password') }.to raise_error(R509::R509Error, "This method cannot be called when using keys in hardware")
+    expect { key.write_der('/dev/null') }.to raise_error(R509::R509Error, "This method cannot be called when using keys in hardware")
+  end
+  it "loads a hardware key successfully" do
+    engine = double("engine")
+    engine.should_receive(:kind_of?).with(OpenSSL::Engine).and_return(true)
+    faux_key = double("faux_key")
+    faux_key.should_receive(:public_key).and_return("returning public key")
+    key_name = "r509_key"
+    engine.should_receive(:load_private_key).twice.with(key_name).and_return(faux_key)
+    key = R509::PrivateKey.new(
+      :engine => engine,
+      :key_name => key_name
+    )
+    key.kind_of?(R509::PrivateKey).should == true
+    key.public_key.should == "returning public key"
+  end
+  it "loads a private key with load_from_file" do
+    path = File.dirname(__FILE__) + '/fixtures/key4.pem'
+    key = R509::PrivateKey.load_from_file path
+    key.rsa?.should == true
+  end
+  it "loads a private key with load_from_file with password" do
+    path = File.dirname(__FILE__) + '/fixtures/key4_encrypted_des3.pem'
+    key = R509::PrivateKey.load_from_file( path, 'r509')
+    key.rsa?.should == true
+  end
+
+  it "returns an error for curve_name for dsa/rsa" do
+    private_key = R509::PrivateKey.new(:key => @key_csr)
+    expect { private_key.curve_name }.to raise_error(R509::R509Error, 'Curve name is only available with EC private keys')
+  end
+
+  context "elliptic curves", :ec => true do
+    it "loads a pre-existing EC key" do
+      private_key = R509::PrivateKey.new(:key => @ec_key_pem)
+      private_key.to_pem.should == @ec_key_pem
+      @ec_key_pem.should_not be_nil
+    end
+
+    it "loads an encrypted private key with the right password" do
+      private_key = R509::PrivateKey.new(:key => @ec_key_encrypted, :password => 'Testing1')
+      private_key.to_pem.should == @ec_key_pem
+      @ec_key_encrypted.should_not be_nil
+      @ec_key_pem.should_not be_nil
+    end
+
+    it "returns the right value for #ec?" do
+      path = File.dirname(__FILE__) + '/fixtures/ec_key1.der'
+      private_key = R509::PrivateKey.load_from_file path
+      private_key.rsa?.should == false
+      private_key.dsa?.should == false
+      private_key.ec?.should == true
+    end
+
+    it "returns the curve_name" do
+      private_key = R509::PrivateKey.new(:key => @ec_key_pem)
+      private_key.curve_name.should == 'secp384r1'
+    end
+
+    it "generates an elliptic curve key using the default curve (secp384r1)" do
+      private_key = R509::PrivateKey.new(:type => :ec)
+      private_key.curve_name.should == 'secp384r1'
+    end
+
+    it "generates an elliptic curve key using a specified curve" do
+      private_key = R509::PrivateKey.new(:type => :ec, :curve_name => 'sect283r1')
+      private_key.curve_name.should == 'sect283r1'
+    end
+
+    it "returns the public key" do
+      private_key = R509::PrivateKey.new(:key => @ec_key_pem)
+      public_key = private_key.public_key
+      public_key.public_key?.should == true
+      public_key.private_key?.should == false
+    end
+
+    it "returns the pem" do
+      private_key = R509::PrivateKey.new(:key => @ec_key_pem)
+      private_key.to_pem.should == @ec_key_pem
+    end
+
+    it "returns the der" do
+      private_key = R509::PrivateKey.new(:key => @ec_key_pem)
+      private_key.to_der.should == @ec_key_der
+    end
+
+    it "returns error for bit_strength" do
+      private_key = R509::PrivateKey.new(:key => @ec_key_pem)
+      expect { private_key.bit_strength }.to raise_error(R509::R509Error,'Bit strength is not available for EC at this time.')
+    end
+
+
+  end
+end
+