r509 0.8.1 → 0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (203) hide show
  1. data/README.md +343 -151
  2. data/Rakefile +26 -23
  3. data/bin/r509 +126 -112
  4. data/bin/r509-parse +24 -24
  5. data/doc/R509.html +169 -7
  6. data/doc/R509/ASN1.html +370 -0
  7. data/doc/R509/ASN1/GeneralName.html +1121 -0
  8. data/doc/R509/ASN1/GeneralNames.html +843 -0
  9. data/doc/R509/ASN1/NoticeReference.html +392 -0
  10. data/doc/R509/ASN1/PolicyInformation.html +387 -0
  11. data/doc/R509/ASN1/PolicyQualifiers.html +455 -0
  12. data/doc/R509/ASN1/UserNotice.html +386 -0
  13. data/doc/R509/{Crl.html → CRL.html} +7 -7
  14. data/doc/R509/CRL/Administrator.html +1559 -0
  15. data/doc/R509/{Crl/Parser.html → CRL/SignedList.html} +501 -210
  16. data/doc/R509/{Csr.html → CSR.html} +444 -314
  17. data/doc/R509/Cert.html +866 -617
  18. data/doc/R509/Cert/Extensions.html +52 -41
  19. data/doc/R509/Cert/Extensions/AuthorityInfoAccess.html +70 -35
  20. data/doc/R509/Cert/Extensions/AuthorityKeyIdentifier.html +387 -4
  21. data/doc/R509/Cert/Extensions/BasicConstraints.html +61 -25
  22. data/doc/R509/Cert/Extensions/CRLDistributionPoints.html +354 -0
  23. data/doc/R509/Cert/Extensions/CertificatePolicies.html +340 -0
  24. data/doc/R509/Cert/Extensions/ExtendedKeyUsage.html +440 -49
  25. data/doc/R509/Cert/Extensions/{CrlDistributionPoints.html → InhibitAnyPolicy.html} +52 -35
  26. data/doc/R509/Cert/Extensions/KeyUsage.html +247 -121
  27. data/doc/R509/Cert/Extensions/NameConstraints.html +445 -0
  28. data/doc/R509/Cert/Extensions/OCSPNoCheck.html +239 -0
  29. data/doc/R509/Cert/Extensions/PolicyConstraints.html +424 -0
  30. data/doc/R509/Cert/Extensions/SubjectAlternativeName.html +437 -62
  31. data/doc/R509/Cert/Extensions/SubjectKeyIdentifier.html +52 -10
  32. data/doc/R509/CertificateAuthority.html +4 -4
  33. data/doc/R509/CertificateAuthority/Signer.html +154 -187
  34. data/doc/R509/Config.html +6 -6
  35. data/doc/R509/Config/{CaConfig.html → CAConfig.html} +451 -348
  36. data/doc/R509/Config/{CaConfigPool.html → CAConfigPool.html} +47 -47
  37. data/doc/R509/Config/CAProfile.html +1015 -0
  38. data/doc/R509/Config/SubjectItemPolicy.html +86 -86
  39. data/doc/R509/IOHelpers.html +22 -22
  40. data/doc/R509/MessageDigest.html +14 -14
  41. data/doc/R509/NameSanitizer.html +53 -53
  42. data/doc/R509/{Ocsp.html → OCSP.html} +9 -9
  43. data/doc/R509/{Ocsp → OCSP}/Request.html +7 -7
  44. data/doc/R509/{Ocsp → OCSP}/Request/Nonce.html +56 -11
  45. data/doc/R509/{Ocsp → OCSP}/Response.html +44 -44
  46. data/doc/R509/{OidMapper.html → OIDMapper.html} +23 -39
  47. data/doc/R509/PrivateKey.html +415 -168
  48. data/doc/R509/R509Error.html +3 -3
  49. data/doc/R509/{Spki.html → SPKI.html} +354 -192
  50. data/doc/R509/Subject.html +224 -113
  51. data/doc/R509/Validity.html +27 -5
  52. data/doc/R509/Validity/Checker.html +13 -13
  53. data/doc/R509/Validity/DefaultChecker.html +13 -13
  54. data/doc/R509/Validity/DefaultWriter.html +14 -14
  55. data/doc/R509/Validity/Status.html +39 -39
  56. data/doc/R509/Validity/Writer.html +18 -18
  57. data/doc/_index.html +138 -35
  58. data/doc/class_list.html +1 -1
  59. data/doc/css/style.css +10 -0
  60. data/doc/file.README.html +368 -171
  61. data/doc/file.r509.html +92 -69
  62. data/doc/frames.html +1 -1
  63. data/doc/index.html +368 -171
  64. data/doc/method_list.html +910 -390
  65. data/doc/top-level-namespace.html +3 -3
  66. data/lib/r509.rb +32 -16
  67. data/lib/r509/asn1.rb +375 -0
  68. data/lib/r509/cert.rb +381 -364
  69. data/lib/r509/cert/extensions.rb +443 -76
  70. data/lib/r509/certificate_authority.rb +407 -0
  71. data/lib/r509/config.rb +547 -351
  72. data/lib/r509/crl.rb +336 -366
  73. data/lib/r509/csr.rb +278 -289
  74. data/lib/r509/ec-hack.rb +37 -0
  75. data/lib/r509/exceptions.rb +3 -3
  76. data/lib/r509/io_helpers.rb +44 -44
  77. data/lib/r509/message_digest.rb +53 -0
  78. data/lib/r509/ocsp.rb +80 -70
  79. data/lib/r509/oid_mapper.rb +32 -0
  80. data/lib/r509/private_key.rb +228 -0
  81. data/lib/r509/spki.rb +145 -93
  82. data/lib/r509/subject.rb +203 -110
  83. data/lib/r509/validity.rb +70 -68
  84. data/lib/r509/version.rb +2 -2
  85. data/r509.yaml +92 -69
  86. data/spec/asn1_spec.rb +402 -0
  87. data/spec/cert/extensions_spec.rb +957 -494
  88. data/spec/cert_spec.rb +382 -307
  89. data/spec/certificate_authority_spec.rb +668 -250
  90. data/spec/config_spec.rb +515 -302
  91. data/spec/crl_spec.rb +197 -198
  92. data/spec/csr_spec.rb +334 -289
  93. data/spec/fixtures.rb +247 -171
  94. data/spec/fixtures/cert1.der +0 -0
  95. data/spec/fixtures/cert1.pem +0 -0
  96. data/spec/fixtures/cert1_public_key_modulus.txt +0 -0
  97. data/spec/fixtures/cert3.p12 +0 -0
  98. data/spec/fixtures/cert3.pem +0 -0
  99. data/spec/fixtures/cert3_key.pem +0 -0
  100. data/spec/fixtures/cert3_key_des3.pem +0 -0
  101. data/spec/fixtures/cert4.pem +0 -0
  102. data/spec/fixtures/cert5.pem +0 -0
  103. data/spec/fixtures/cert6.pem +0 -0
  104. data/spec/fixtures/cert_expired.pem +0 -0
  105. data/spec/fixtures/cert_inhibit.pem +24 -0
  106. data/spec/fixtures/cert_name_constraints.pem +29 -0
  107. data/spec/fixtures/cert_not_yet_valid.pem +0 -0
  108. data/spec/fixtures/cert_ocsp_no_check.pem +18 -0
  109. data/spec/fixtures/cert_policy_constraints.pem +31 -0
  110. data/spec/fixtures/cert_san.pem +0 -0
  111. data/spec/fixtures/cert_san2.pem +0 -0
  112. data/spec/fixtures/cert_unknown_extension.pem +28 -0
  113. data/spec/fixtures/config_pool_test_minimal.yaml +11 -11
  114. data/spec/fixtures/config_test.yaml +54 -36
  115. data/spec/fixtures/config_test_dsa.yaml +35 -0
  116. data/spec/fixtures/config_test_ec.yaml +35 -0
  117. data/spec/fixtures/config_test_engine_key.yaml +5 -5
  118. data/spec/fixtures/config_test_engine_no_key_name.yaml +4 -4
  119. data/spec/fixtures/config_test_minimal.yaml +4 -4
  120. data/spec/fixtures/config_test_password.yaml +5 -5
  121. data/spec/fixtures/config_test_various.yaml +111 -74
  122. data/spec/fixtures/crl_list_file.txt +0 -0
  123. data/spec/fixtures/crl_with_reason.pem +0 -0
  124. data/spec/fixtures/csr1.der +0 -0
  125. data/spec/fixtures/csr1.pem +0 -0
  126. data/spec/fixtures/csr1_key.der +0 -0
  127. data/spec/fixtures/csr1_key.pem +0 -0
  128. data/spec/fixtures/csr1_key_encrypted_des3.pem +0 -0
  129. data/spec/fixtures/csr1_newlines.pem +0 -0
  130. data/spec/fixtures/csr1_no_begin_end.pem +0 -0
  131. data/spec/fixtures/csr1_public_key_modulus.txt +0 -0
  132. data/spec/fixtures/csr2.pem +0 -0
  133. data/spec/fixtures/csr2_key.pem +0 -0
  134. data/spec/fixtures/csr3.pem +0 -0
  135. data/spec/fixtures/csr4.pem +0 -0
  136. data/spec/fixtures/csr_dsa.pem +0 -0
  137. data/spec/fixtures/csr_invalid_signature.pem +0 -0
  138. data/spec/fixtures/dsa_key.pem +0 -0
  139. data/spec/fixtures/dsa_root.cer +28 -0
  140. data/spec/fixtures/dsa_root.key +20 -0
  141. data/spec/fixtures/ec_csr2.der +0 -0
  142. data/spec/fixtures/ec_csr2.pem +8 -0
  143. data/spec/fixtures/ec_key1.der +0 -0
  144. data/spec/fixtures/ec_key1.pem +6 -0
  145. data/spec/fixtures/ec_key1_encrypted.pem +9 -0
  146. data/spec/fixtures/ec_key2.pem +6 -0
  147. data/spec/fixtures/hmacsha1.sig +1 -0
  148. data/spec/fixtures/hmacsha512.sig +1 -0
  149. data/spec/fixtures/key4.pem +0 -0
  150. data/spec/fixtures/key4_encrypted_des3.pem +0 -0
  151. data/spec/fixtures/missing_key_identifier_ca.cer +0 -0
  152. data/spec/fixtures/missing_key_identifier_ca.key +0 -0
  153. data/spec/fixtures/ocsptest.r509.local.pem +0 -0
  154. data/spec/fixtures/ocsptest.r509.local_ocsp_request.der +0 -0
  155. data/spec/fixtures/ocsptest2.r509.local.pem +0 -0
  156. data/spec/fixtures/second_ca.cer +0 -0
  157. data/spec/fixtures/second_ca.key +0 -0
  158. data/spec/fixtures/spkac.der +0 -0
  159. data/spec/fixtures/spkac.txt +0 -0
  160. data/spec/fixtures/spkac_dsa.txt +1 -1
  161. data/spec/fixtures/spkac_dsa_no_verify.txt +1 -0
  162. data/spec/fixtures/spkac_ec.txt +1 -0
  163. data/spec/fixtures/spkac_rsa_newlines.txt +13 -0
  164. data/spec/fixtures/stca.pem +0 -0
  165. data/spec/fixtures/stca_ocsp_request.der +0 -0
  166. data/spec/fixtures/stca_ocsp_response.der +0 -0
  167. data/spec/fixtures/test1.csr +0 -0
  168. data/spec/fixtures/test_ca.cer +0 -0
  169. data/spec/fixtures/test_ca.key +0 -0
  170. data/spec/fixtures/test_ca.p12 +0 -0
  171. data/spec/fixtures/test_ca_des3.key +0 -0
  172. data/spec/fixtures/test_ca_ec.cer +14 -0
  173. data/spec/fixtures/test_ca_ec.key +6 -0
  174. data/spec/fixtures/test_ca_ec_ee.cer +22 -0
  175. data/spec/fixtures/test_ca_ec_ee.key +6 -0
  176. data/spec/fixtures/test_ca_ocsp.cer +0 -0
  177. data/spec/fixtures/test_ca_ocsp.key +0 -0
  178. data/spec/fixtures/test_ca_ocsp.p12 +0 -0
  179. data/spec/fixtures/test_ca_ocsp_chain.txt +0 -0
  180. data/spec/fixtures/test_ca_ocsp_response.der +0 -0
  181. data/spec/fixtures/test_ca_subroot.cer +0 -0
  182. data/spec/fixtures/test_ca_subroot.key +0 -0
  183. data/spec/fixtures/test_ca_subroot_ocsp.cer +0 -0
  184. data/spec/fixtures/test_ca_subroot_ocsp.key +0 -0
  185. data/spec/fixtures/test_ca_subroot_ocsp_response.der +0 -0
  186. data/spec/fixtures/unknown_oid.csr +0 -0
  187. data/spec/message_digest_spec.rb +104 -84
  188. data/spec/ocsp_spec.rb +105 -105
  189. data/spec/oid_mapper_spec.rb +21 -21
  190. data/spec/private_key_spec.rb +275 -0
  191. data/spec/r509_spec.rb +35 -0
  192. data/spec/spec_helper.rb +15 -6
  193. data/spec/spki_spec.rb +221 -142
  194. data/spec/subject_spec.rb +232 -164
  195. data/spec/validity_spec.rb +91 -91
  196. metadata +79 -25
  197. data/doc/R509/Config/CaProfile.html +0 -651
  198. data/doc/R509/Crl/Administrator.html +0 -2073
  199. data/lib/r509/certificateauthority.rb +0 -290
  200. data/lib/r509/messagedigest.rb +0 -49
  201. data/lib/r509/oidmapper.rb +0 -32
  202. data/lib/r509/privatekey.rb +0 -185
  203. data/spec/privatekey_spec.rb +0 -198
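--- a/data/spec/privatekey_spec.rb
+++ b/data/spec/privatekey_spec.rb
@@ -1,198 +0,0 @@
-require 'spec_helper'
-require 'r509/privatekey'
-require 'stringio'
-
-describe R509::PrivateKey do
-before :all do
-@key_csr = TestFixtures::KEY_CSR
-@key_csr_encrypted = TestFixtures::KEY_CSR_ENCRYPTED
-@csr_public_key_modulus = TestFixtures::CSR_PUBLIC_KEY_MODULUS
-@key_csr_der = TestFixtures::KEY_CSR_DER
-@dsa_key = TestFixtures::DSA_KEY
-end
-it "throws an exception when given a type other than DSA or RSA" do
-expect { R509::PrivateKey.new(:type=>:not_rsa_or_dsa) }.to raise_error(ArgumentError)
-end
-it "throws an exception when no hash is provided" do
-expect { R509::PrivateKey.new('string') }.to raise_error(ArgumentError,'Must provide a hash of options')
-end
-it "returns the right value for #rsa?" do
-private_key = R509::PrivateKey.new(:key=>@key_csr)
-private_key.dsa?.should == false
-private_key.rsa?.should == true
-end
-it "returns the right value for #dsa?" do
-private_key = R509::PrivateKey.new(:key => @dsa_key)
-private_key.rsa?.should == false
-private_key.dsa?.should == true
-end
-it "defaults to RSA" do
-private_key = R509::PrivateKey.new(:bit_strength=>1024)
-private_key.key.kind_of?(OpenSSL::PKey::RSA).should == true
-end
-it "loads a pre-existing RSA key" do
-private_key = R509::PrivateKey.new(:key=>@key_csr)
-private_key.to_pem.should == @key_csr
-@key_csr.should_not == nil
-end
-it "generates an RSA key at the default bit strength (2048)" do
-private_key = R509::PrivateKey.new(:type => :rsa)
-private_key.bit_strength.should == 2048
-private_key.key.n.to_i.to_s(2).size.should == 2048
-end
-it "generates an RSA key at a custom bit strength" do
-private_key = R509::PrivateKey.new(:type => :rsa, :bit_strength => 512)
-private_key.bit_strength.should == 512
-private_key.key.n.to_i.to_s(2).size.should == 512
-end
-it "loads a pre-existing DSA key" do
-private_key = R509::PrivateKey.new(:key => @dsa_key)
-private_key.key.kind_of?(OpenSSL::PKey::DSA).should == true
-private_key.key.to_pem.should == @dsa_key
-@dsa_key.should_not == nil
-end
-it "generates a DSA key at the default bit strength (2048)" do
-private_key = R509::PrivateKey.new(:type => :dsa)
-private_key.dsa?.should == true
-private_key.bit_strength.should == 2048
-private_key.key.p.to_i.to_s(2).size.should == 2048
-end
-it "generates a DSA key at a custom bit strength" do
-private_key = R509::PrivateKey.new(:type => :dsa, :bit_strength => 512)
-private_key.bit_strength.should == 512
-private_key.key.p.to_i.to_s(2).size.should == 512
-end
-it "has an exponent of 65537 for new RSA keys" do
-#this test actually checks ruby's underlying libs to make sure they're
-#doing what they're supposed to be doing.
-private_key = R509::PrivateKey.new(:type => :rsa, :bit_strength => 512)
-private_key.key.e.should == 65537
-end
-it "returns the public key" do
-private_key = R509::PrivateKey.new(:key => @key_csr)
-private_key.public_key.n.to_i.should == @csr_public_key_modulus.to_i
-end
-it "returns pem" do
-#load the DER, check that it matches the PEM on to_pem
-private_key = R509::PrivateKey.new(:key => @key_csr_der)
-private_key.to_pem.should == @key_csr
-end
-it "returns der" do
-#load the PEM, check that it matches the DER on to_der
-private_key = R509::PrivateKey.new(:key => @key_csr)
-private_key.to_der.should == @key_csr_der
-end
-it "writes pem" do
-private_key = R509::PrivateKey.new(:key => @key_csr)
-sio = StringIO.new
-sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
-private_key.write_pem(sio)
-sio.string.should == @key_csr
-end
-it "writes der" do
-private_key = R509::PrivateKey.new(:key => @key_csr_der)
-sio = StringIO.new
-sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
-private_key.write_der(sio)
-sio.string.should == @key_csr_der
-end
-it "loads an encrypted private key with the right password" do
-private_key = R509::PrivateKey.new(:key => @key_csr_encrypted, :password => 'Testing1')
-private_key.public_key.n.to_i.should == @csr_public_key_modulus.to_i
-end
-it "fails to load an encrypted private key with wrong password" do
-expect { R509::PrivateKey.new(:key => @key_csr_encrypted, :password => 'wrongPassword') }.to raise_error(R509::R509Error,"Failed to load private key. Invalid key or incorrect password.")
-end
-it "returns an encrypted pem" do
-private_key = R509::PrivateKey.new(:key => @key_csr)
-encrypted_private_key = private_key.to_encrypted_pem('des3','Testing1')
-decrypted_private_key = R509::PrivateKey.new(:key => encrypted_private_key, :password => 'Testing1')
-private_key.to_pem.should == decrypted_private_key.to_pem
-end
-it "writes an encrypted pem" do
-private_key = R509::PrivateKey.new(:key => @key_csr)
-sio = StringIO.new
-sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
-private_key.write_encrypted_pem(sio,'des3','Testing1')
-sio.string.match(/Proc-Type: 4,ENCRYPTED/).should_not == nil
-end
-it "creates an encrypted private key with des3 cipher" do
-private_key = R509::PrivateKey.new(:key => @key_csr)
-sio = StringIO.new
-sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
-private_key.write_encrypted_pem(sio,'des3','Testing1')
-sio.string.match(/DES-EDE3-CBC/).should_not == nil
-end
-it "creates an encrypted private key with aes128 cipher" do
-private_key = R509::PrivateKey.new(:key => @key_csr)
-sio = StringIO.new
-sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
-private_key.write_encrypted_pem(sio,'aes128','Testing1')
-sio.string.match(/AES-128-CBC/).should_not == nil
-end
-it "returns false for in_hardware? when not using an engine" do
-private_key = R509::PrivateKey.new(:key => @key_csr)
-private_key.in_hardware?.should == false
-end
-it "returns true for in_hardware? when an engine is present" do
-engine = double("engine")
-engine.should_receive(:kind_of?).with(OpenSSL::Engine).and_return(true)
-key_name = "r509_key"
-key = R509::PrivateKey.new(
-:engine => engine,
-:key_name => key_name
-)
-key.in_hardware?.should == true
-end
-it "raises an error if you provide engine and key" do
-expect { R509::PrivateKey.new(:key => @key_csr, :engine => 'not really an engine') }.to raise_error(ArgumentError, "You can't pass both :key and :engine")
-end
-it "raises an error if you provide a key_name with no engine" do
-expect { R509::PrivateKey.new(:key_name => 'my_key') }.to raise_error(ArgumentError, 'When providing a :key_name you MUST provide an :engine')
-end
-it "raises an error when providing an engine with no key_name" do
-expect { R509::PrivateKey.new(:engine => 'engine_goes_here') }.to raise_error(ArgumentError, 'When providing an :engine you MUST provide a :key_name')
-end
-it "raises an error if engine is not an OpenSSL::Engine" do
-expect { R509::PrivateKey.new(:key_name => 'my_key', :engine => 'not really an engine') }.to raise_error(ArgumentError, 'When providing an engine, it must be of type OpenSSL::Engine')
-end
-it "raises an error if you call output methods (pem,der,write) when using a hardware key" do
-engine = double("engine")
-engine.should_receive(:kind_of?).with(OpenSSL::Engine).and_return(true)
-key_name = "r509_key"
-key = R509::PrivateKey.new(
-:engine => engine,
-:key_name => key_name
-)
-expect { key.to_pem }.to raise_error(R509::R509Error, "This method cannot be called when using keys in hardware")
-expect { key.to_der }.to raise_error(R509::R509Error, "This method cannot be called when using keys in hardware")
-expect { key.to_encrypted_pem('aes256','password') }.to raise_error(R509::R509Error, "This method cannot be called when using keys in hardware")
-expect { key.write_encrypted_pem('/dev/null','aes256','password') }.to raise_error(R509::R509Error, "This method cannot be called when using keys in hardware")
-expect { key.write_der('/dev/null') }.to raise_error(R509::R509Error, "This method cannot be called when using keys in hardware")
-end
-it "loads a hardware key successfully" do
-engine = double("engine")
-engine.should_receive(:kind_of?).with(OpenSSL::Engine).and_return(true)
-faux_key = double("faux_key")
-faux_key.should_receive(:public_key).and_return("returning public key")
-key_name = "r509_key"
-engine.should_receive(:load_private_key).with(key_name).and_return(faux_key)
-key = R509::PrivateKey.new(
-:engine => engine,
-:key_name => key_name
-)
-key.kind_of?(R509::PrivateKey).should == true
-key.public_key.should == "returning public key"
-end
-it "loads a private key with load_from_file" do
-path = File.dirname(__FILE__) + '/fixtures/key4.pem'
-key = R509::PrivateKey.load_from_file path
-key.rsa?.should == true
-end
-it "loads a private key with load_from_file with password" do
-path = File.dirname(__FILE__) + '/fixtures/key4_encrypted_des3.pem'
-key = R509::PrivateKey.load_from_file( path, 'r509')
-key.rsa?.should == true
-end
-end
-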