r509 0.8

data/spec/config_spec.rb

@@ -0,0 +1,349 @@
+require 'spec_helper'
+require 'r509/config'
+require 'r509/exceptions'
+
+describe R509::Config::CaConfigPool do
+    context "defined manually" do
+        it "has no configs" do
+            pool = R509::Config::CaConfigPool.new({})
+
+            pool["first"].should == nil
+        end
+
+        it "has one config" do
+            config = R509::Config::CaConfig.new(
+                :ca_cert => TestFixtures.test_ca_cert,
+                :profiles => { "first_profile" => R509::Config::CaProfile.new }
+            )
+
+            pool = R509::Config::CaConfigPool.new({
+                "first" => config
+            })
+
+            pool["first"].should == config
+        end
+    end
+
+    context "all configs" do
+        it "no configs" do
+            pool = R509::Config::CaConfigPool.new({})
+            pool.all.should == []
+        end
+
+        it "one config" do
+            config = R509::Config::CaConfig.new(
+                :ca_cert => TestFixtures.test_ca_cert,
+                :profiles => { "first_profile" => R509::Config::CaProfile.new }
+            )
+
+            pool = R509::Config::CaConfigPool.new({
+                "first" => config
+            })
+
+            pool.all.should == [config]
+        end
+
+        it "two configs" do
+            config1 = R509::Config::CaConfig.new(
+                :ca_cert => TestFixtures.test_ca_cert,
+                :profiles => { "first_profile" => R509::Config::CaProfile.new }
+            )
+            config2 = R509::Config::CaConfig.new(
+                :ca_cert => TestFixtures.test_ca_cert,
+                :profiles => { "first_profile" => R509::Config::CaProfile.new }
+            )
+
+            pool = R509::Config::CaConfigPool.new({
+                "first" => config1,
+                "second" => config2
+            })
+
+            pool.all.size.should == 2
+            pool.all.include?(config1).should == true
+            pool.all.include?(config2).should == true
+        end
+    end
+
+    context "loaded from YAML" do
+        it "should load two configs" do
+            pool = R509::Config::CaConfigPool.from_yaml("certificate_authorities", File.read("#{File.dirname(__FILE__)}/fixtures/config_pool_test_minimal.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+
+            pool.names.should include("test_ca", "second_ca")
+
+            pool["test_ca"].should_not == nil
+            pool["test_ca"].num_profiles.should == 0
+            pool["second_ca"].should_not == nil
+            pool["second_ca"].num_profiles.should == 0
+        end
+    end
+end
+
+describe R509::Config::CaConfig do
+    before :each do
+        @config = R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert
+        )
+    end
+
+    subject {@config}
+
+    its(:message_digest) {should == "SHA1"}
+    its(:crl_validity_hours) {should == 168}
+    its(:ocsp_validity_hours) {should == 168}
+    its(:ocsp_start_skew_seconds) {should == 3600}
+    its(:cdp_location) {should be_nil}
+    its(:ocsp_location) {should be_nil}
+    its(:num_profiles) {should == 0}
+
+    it "should have the proper CA cert" do
+        @config.ca_cert.to_pem.should == TestFixtures.test_ca_cert.to_pem
+    end
+
+    it "should have the proper CA key" do
+        @config.ca_cert.key.to_pem.should == TestFixtures.test_ca_cert.key.to_pem
+    end
+
+    it "raises an error if you don't pass :ca_cert" do
+        expect { R509::Config::CaConfig.new(:crl_validity_hours => 2) }.to raise_error ArgumentError, 'Config object requires that you pass :ca_cert'
+    end
+    it "raises an error if :ca_cert is not of type R509::Cert" do
+        expect { R509::Config::CaConfig.new(:ca_cert => 'not a cert, and not right type') }.to raise_error ArgumentError, ':ca_cert must be of type R509::Cert'
+    end
+    it "loads the config even if :ca_cert does not contain a private key" do
+        config = R509::Config::CaConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
+        config.ca_cert.subject.to_s.should_not be_nil
+    end
+    it "raises an error if :ocsp_cert that is not R509::Cert" do
+        expect { R509::Config::CaConfig.new(:ca_cert => TestFixtures.test_ca_cert, :ocsp_cert => "not a cert") }.to raise_error ArgumentError, ':ocsp_cert, if provided, must be of type R509::Cert'
+    end
+    it "raises an error if :ocsp_cert does not contain a private key" do
+        expect { R509::Config::CaConfig.new( :ca_cert => TestFixtures.test_ca_cert, :ocsp_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) ) }.to raise_error ArgumentError, ':ocsp_cert must contain a private key, not just a certificate'
+    end
+    it "returns the correct cert object on #ocsp_cert if none is specified" do
+        @config.ocsp_cert.should == @config.ca_cert
+    end
+    it "returns the correct cert object on #ocsp_cert if an ocsp_cert was specified" do
+        ocsp_cert = R509::Cert.new(
+            :cert => TestFixtures::TEST_CA_OCSP_CERT,
+            :key => TestFixtures::TEST_CA_OCSP_KEY
+        )
+        config = R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert,
+            :ocsp_cert => ocsp_cert
+        )
+
+        config.ocsp_cert.should == ocsp_cert
+    end
+    it "fails to specify a non-Config::CaProfile as the profile" do
+        config = R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert
+        )
+
+        expect{ config.set_profile("bogus", "not a Config::CaProfile")}.to raise_error TypeError
+    end
+
+    it "shouldn't let you specify a profile that's not a Config::CaProfile, on instantiation" do
+        expect{ R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert,
+            :profiles => { "first_profile" => "not a Config::CaProfile" }
+        ) }.to raise_error TypeError
+    end
+
+    it "can specify a single profile" do
+        first_profile = R509::Config::CaProfile.new
+
+        config = R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert,
+            :profiles => { "first_profile" => first_profile }
+        )
+
+        config.profile("first_profile").should == first_profile
+    end
+
+    it "raises an error if you specify an invalid profile" do
+        first_profile = R509::Config::CaProfile.new
+
+        config = R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert,
+            :profiles => { "first_profile" => first_profile }
+        )
+
+        expect { config.profile("non-existent-profile") }.to raise_error(R509::R509Error, "unknown profile 'non-existent-profile'")
+    end
+
+    it "should load YAML" do
+        config = R509::Config::CaConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+        config.crl_validity_hours.should == 72
+        config.ocsp_validity_hours.should == 96
+        config.message_digest.should == "SHA1"
+        config.num_profiles.should == 3
+    end
+    it "loads OCSP cert/key from yaml" do
+        config = R509::Config::CaConfig.from_yaml("ocsp_delegate_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+        config.ocsp_cert.has_private_key?.should == true
+        config.ocsp_cert.subject.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=r509 LLC/CN=r509 OCSP Signer"
+    end
+    it "loads OCSP pkcs12 from yaml" do
+        config = R509::Config::CaConfig.from_yaml("ocsp_pkcs12_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+        config.ocsp_cert.has_private_key?.should == true
+        config.ocsp_cert.subject.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=r509 LLC/CN=r509 OCSP Signer"
+    end
+    it "loads OCSP cert/key in engine from yaml" do
+        #most of this code path is tested by loading ca_cert engine.
+        #look there for the extensive doubling
+        expect { R509::Config::CaConfig.from_yaml("ocsp_engine_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error,"You must supply a key_name with an engine")
+    end
+    it "loads OCSP chain from yaml" do
+        config = R509::Config::CaConfig.from_yaml("ocsp_chain_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+        config.ocsp_chain.size.should == 2
+        config.ocsp_chain[0].kind_of?(OpenSSL::X509::Certificate).should == true
+        config.ocsp_chain[1].kind_of?(OpenSSL::X509::Certificate).should == true
+    end
+    it "should load subject_item_policy from yaml (if present)" do
+        config = R509::Config::CaConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+        config.profile("server").subject_item_policy.should be_nil
+        config.profile("server_with_subject_item_policy").subject_item_policy.optional.should include("O","OU")
+        config.profile("server_with_subject_item_policy").subject_item_policy.required.should include("CN","ST","C")
+    end
+
+    it "should load YAML which only has a CA Cert and Key defined" do
+        config = R509::Config::CaConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_minimal.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+        config.num_profiles.should == 0
+    end
+
+    it "should load YAML which has CA cert and key with password" do
+        expect { R509::Config::CaConfig.from_yaml("password_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_password.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to_not raise_error
+    end
+
+    it "should load YAML which has a PKCS12 with password" do
+        expect { R509::Config::CaConfig.from_yaml("pkcs12_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to_not raise_error
+    end
+
+    it "raises error on YAML with pkcs12 and key" do
+        expect { R509::Config::CaConfig.from_yaml("pkcs12_key_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error, "You can't specify both pkcs12 and key")
+    end
+
+    it "raises error on YAML with pkcs12 and cert" do
+        expect { R509::Config::CaConfig.from_yaml("pkcs12_cert_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error, "You can't specify both pkcs12 and cert")
+    end
+
+    it "raises error on YAML with pkcs12 and engine" do
+        expect { R509::Config::CaConfig.from_yaml("pkcs12_engine_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error, "You can't specify both engine and pkcs12")
+    end
+
+    it "loads config with cert and no key (useful in certain cases)" do
+        config = R509::Config::CaConfig.from_yaml("cert_no_key_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+        config.ca_cert.subject.to_s.should_not be_nil
+    end
+
+    it "should load YAML which has an engine" do
+        #i can test this, it's just gonna take a whole lot of floorin' it!
+        conf = double("conf")
+        engine = double("engine")
+        faux_key = double("faux_key")
+
+        public_key = OpenSSL::PKey::RSA.new("-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqLfP8948QEZMMkZNHLDP\nOHZVrPdVvecD6bp8dz96LalMQiWjgMkJf7mPHXoNMQ5rIpntiUOmhupu+sty30+C\ndbZZIbZohioTSYq9ZIC/LC9ME12F78GRMKhBGA+ZiouzWvXqOEdMnanfSgKrlSIS\nssF71dfmOEQ08fn9Vl5jAgWmGe+v615iHqBNGr64kYooTrZYLaPlTScO1UZ76vnB\nHfNQU+tsEZNXxtZXKQqkxHxLShCOj6qmYRNn/upTZoWWd04+zXjYGEC3eKvi9ctN\n9FY+KJ6QCCa8H0Kt3cU5qyw6pzdljhbG6NKhod7OMqlGjmHdsCAYAqe3xH+V/8oe\ndwIDAQAB\n-----END PUBLIC KEY-----\n")
+
+        conf.should_receive(:kind_of?).with(Hash).and_return(true)
+        conf.should_receive(:[]).with("ca_cert").and_return(
+            "cert" => "#{File.dirname(__FILE__)}/fixtures/test_ca.cer",
+            "engine" => engine,
+            "key_name" => "r509_key"
+        )
+        conf.should_receive(:[]).at_least(1).times.and_return(nil)
+        conf.should_receive(:has_key?).at_least(1).times.and_return(false)
+
+        engine.should_receive(:respond_to?).with(:load_private_key).and_return(true)
+        engine.should_receive(:kind_of?).with(OpenSSL::Engine).and_return(true)
+        faux_key.should_receive(:public_key).and_return(public_key)
+        engine.should_receive(:load_private_key).with("r509_key").and_return(faux_key)
+
+        config = R509::Config::CaConfig.load_from_hash(conf)
+    end
+
+    it "should fail if YAML for ca_cert contains engine and key" do
+        expect { R509::Config::CaConfig.from_yaml("engine_and_key", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_engine_key.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error, "You can't specify both key and engine")
+    end
+
+    it "should fail if YAML for ca_cert contains engine but no key_name" do
+        expect { R509::Config::CaConfig.from_yaml("engine_no_key_name", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_engine_no_key_name.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(R509::R509Error, 'You must supply a key_name with an engine')
+    end
+
+    it "should fail if YAML config is null" do
+        expect{ R509::Config::CaConfig.from_yaml("no_config_here", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError)
+    end
+
+    it "should fail if YAML config isn't a hash" do
+        expect{ R509::Config::CaConfig.from_yaml("config_is_string", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError)
+    end
+
+    it "should fail if YAML config doesn't give a root CA directory that's a directory" do
+        expect{ R509::Config::CaConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures/no_directory_here"}) }.to raise_error(R509::R509Error)
+    end
+
+    it "should load YAML from filename" do
+        config = R509::Config::CaConfig.load_yaml("test_ca", "#{File.dirname(__FILE__)}/fixtures/config_test.yaml", {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
+        config.crl_validity_hours.should == 72
+        config.ocsp_validity_hours.should == 96
+        config.message_digest.should == "SHA1"
+    end
+
+    it "can specify crl_number_file" do
+        config = R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert,
+            :crl_number_file => "crl_number_file.txt"
+        )
+        config.crl_number_file.should == 'crl_number_file.txt'
+    end
+
+    it "can specify crl_list_file" do
+        config = R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert,
+            :crl_list_file => "crl_list_file.txt"
+        )
+        config.crl_list_file.should == 'crl_list_file.txt'
+    end
+
+end
+
+describe R509::Config::SubjectItemPolicy do
+    it "raises an error if you supply a non-hash" do
+        expect { R509::Config::SubjectItemPolicy.new('string') }.to raise_error(ArgumentError, "Must supply a hash in form 'shortname'=>'required/optional'")
+    end
+    it "raises an error if a required element is missing" do
+        subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required")
+        subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+        expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, /This profile requires you supply/)
+    end
+    it "raises an error if your hash values are anything other than required or optional" do
+        expect { R509::Config::SubjectItemPolicy.new("CN" => "somethirdoption") }.to raise_error(ArgumentError, "Unknown subject item policy value. Allowed values are required and optional")
+    end
+    it "validates a subject with the same fields as the policy" do
+        subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional")
+        subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+        validated_subject = subject_item_policy.validate_subject(subject)
+        validated_subject.to_s.should == subject.to_s
+    end
+    it "does not match if you get case of subject_item_policy element wrong" do
+        subject_item_policy = R509::Config::SubjectItemPolicy.new("cn" => "required")
+        subject = R509::Subject.new [["CN","langui.sh"]]
+        expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, 'This profile requires you supply cn')
+    end
+    it "removes subject items that are not in the policy" do
+        subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required")
+        subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+        validated_subject = subject_item_policy.validate_subject(subject)
+        validated_subject.to_s.should == "/CN=langui.sh"
+    end
+    it "does not reorder subject items as it validates" do
+        subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required")
+        subject = R509::Subject.new [["L","Chicago"],["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+        validated_subject = subject_item_policy.validate_subject(subject)
+        validated_subject.to_s.should == subject.to_s
+    end
+    it "loads all the required and optional elements" do
+        subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required", "emailAddress" => "optional")
+        subject_item_policy.optional.should include("OU","emailAddress")
+        subject_item_policy.required.should include("CN","O","L")
+    end
+end

data/spec/crl_spec.rb

@@ -0,0 +1,215 @@
+require 'spec_helper'
+require 'stringio'
+
+describe R509::Crl::Parser do
+    before :each do
+        @crl_reason = TestFixtures::CRL_REASON
+        @crl = R509::Crl::Parser.new(@crl_reason)
+        @test_ca_cert = TestFixtures::TEST_CA_CERT
+    end
+
+    it "loads a crl with load_from_file" do
+        path = File.dirname(__FILE__) + '/fixtures/crl_with_reason.pem'
+        crl = R509::Crl::Parser.load_from_file path
+        crl.revoked[12345].should_not be_nil
+    end
+
+    it "returns issuer" do
+        @crl.issuer.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA"
+    end
+
+    it "returns last_update" do
+        @crl.last_update.should == Time.at(1327446093)
+    end
+
+    it "returns next_update" do
+        @crl.next_update.should == Time.at(1328054493)
+    end
+
+    it "returns signature_algorithm" do
+        @crl.signature_algorithm.should == "sha1WithRSAEncryption"
+    end
+
+    it "verifies the CRL signature" do
+        cert = R509::Cert.new(:cert => @test_ca_cert)
+        @crl.verify(cert.public_key).should == true
+    end
+
+    it "checks if a serial is revoked?" do
+        @crl.revoked?(111111).should == false
+        @crl.revoked?(12345).should == true
+    end
+
+    it "returns a hash of all revoked certs" do
+        @crl.revoked[12345][:time].should == Time.at(1327449693)
+        @crl.revoked[12345][:reason].should == "Key Compromise"
+        @crl.revoked[123456][:time].should == Time.at(1327449693)
+        @crl.revoked[123456][:reason].should == "Unspecified"
+        @crl.revoked[1234567][:time].should == Time.at(1327449693)
+        @crl.revoked[1234567][:reason].should == "Unspecified"
+        @crl.revoked[12345678].should == nil
+    end
+
+    it "returns revocation information for a serial" do
+        @crl.revoked_cert(11111).should == nil
+        revoked_info = @crl.revoked_cert(12345)
+        revoked_info[:time].should == Time.at(1327449693)
+        revoked_info[:reason].should == "Key Compromise"
+    end
+end
+
+describe R509::Crl::Administrator do
+    before :each do
+        @cert = TestFixtures::CERT
+        @csr = TestFixtures::CSR
+        @csr3 = TestFixtures::CSR3
+        @test_ca_config = TestFixtures.test_ca_no_profile_config
+    end
+    it "generates CRL with no entries in revocation list" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.generate_crl
+        crl.to_pem.should match(/BEGIN X509 CRL/)
+    end
+    it "raises exception when no R509::Config::CaConfig object is passed to the constructor" do
+        expect { R509::Crl::Administrator.new(['random']) }.to raise_error(R509::R509Error)
+    end
+    it "can write the crl_number_file" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.crl_number_file.string.should == "1"
+        crl.crl_number_file.reopen("")
+        crl.save_crl_number
+        crl.crl_number_file.string.should == "1"
+    end
+    it "adds a cert to the revocation list" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.revoked?(383834832).should == false
+        crl.revoke_cert(383834832)
+        crl.revoked?(383834832).should == true
+        parsed_crl = OpenSSL::X509::CRL.new(crl.to_der)
+        parsed_crl.revoked[0].serial.should == 383834832
+    end
+    it "can revoke (with reason)" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.revoked?(12345).should == false
+        crl.revoke_cert(12345, 1)
+        crl.revoked?(12345).should == true
+        crl.revoked_cert(12345)[:reason].should == 1
+
+        parsed_crl = OpenSSL::X509::CRL.new(crl.to_pem)
+        parsed_crl.revoked[0].serial.should == 12345
+        parsed_crl.revoked[0].extensions[0].oid.should == "CRLReason"
+        parsed_crl.revoked[0].extensions[0].value.should == "Key Compromise"
+    end
+    it "cannot revoke the same serial twice" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.revoked?(12345).should == false
+        crl.revoke_cert(12345, 1)
+        crl.revoked?(12345).should == true
+        crl.revoked_cert(12345)[:reason].should == 1
+        expect { crl.revoke_cert(12345, 1) }.to raise_error(R509::R509Error, "Cannot revoke a previously revoked certificate")
+        crl.revoked?(12345).should == true
+    end
+    it "adds a cert to the revocation list with an invalid reason code" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.revoke_cert(383834832,15)
+        crl.generate_crl.should match(/BEGIN X509 CRL/)
+        crl.revoked?(383834832).should == true
+        crl.revoked_cert(383834832)[:reason].should == 0
+    end
+    it "removes a cert from the revocation list" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.revoke_cert(383834832)
+        crl.revoked?(383834832).should == true
+        parsed_crl = OpenSSL::X509::CRL.new(crl.to_pem)
+        parsed_crl.revoked[0].serial.should == 383834832
+        crl.unrevoke_cert(383834832)
+        crl.revoked?(383834832).should == false
+        parsed_crl = OpenSSL::X509::CRL.new(crl.to_pem)
+        parsed_crl.revoked.empty?.should == true
+    end
+    it "loads an existing revocation list file" do
+        config = R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert,
+            :crl_list_file => TestFixtures::CRL_LIST_FILE
+        )
+        crl = R509::Crl::Administrator.new(config)
+        crl.revoked?(12345).should == true
+        crl.revoked_cert(12345)[:revoke_time].should == 1323983885
+        crl.revoked_cert(12345)[:reason].should == 0
+
+    end
+    it "when nil crl_list_file still call generate_crl" do
+        config = R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert,
+            :crl_list_file => nil
+        )
+        crl = R509::Crl::Administrator.new(config)
+        crl.to_pem.should match(/BEGIN X509 CRL/)
+    end
+    it "sets validity via yaml" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        now = Time.at Time.now.to_i
+        crl.generate_crl
+        crl.next_update.should == (now+168*3600) #default 168 hours (7 days)
+    end
+    it "has a last_update time" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        now = Time.at Time.now.to_i
+        crl.generate_crl
+        crl.last_update.should == (now - @test_ca_config.crl_start_skew_seconds)
+    end
+    it "returns der" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.generate_crl
+        parsed_crl = crl.to_crl
+        parsed_crl.issuer.to_s.should == '/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA'
+        parsed_crl.issuer_cn.should == 'Test CA'
+    end
+    it "returns pem" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.generate_crl
+        parsed_crl = crl.to_crl
+        parsed_crl.issuer.to_s.should == '/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA'
+        parsed_crl.issuer_cn.should == 'Test CA'
+    end
+    it "writes to pem" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.generate_crl
+        sio = StringIO.new
+        sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
+        crl.write_pem(sio)
+        parsed_crl = R509::Crl::Parser.new(sio.string)
+        parsed_crl.issuer.to_s.should == '/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA'
+        parsed_crl.issuer_cn.should == 'Test CA'
+    end
+    it "writes to der" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.generate_crl
+        sio = StringIO.new
+        sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
+        crl.write_der(sio)
+        parsed_crl = R509::Crl::Parser.new(sio.string)
+        parsed_crl.issuer.to_s.should == '/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA'
+        parsed_crl.issuer_cn.should == 'Test CA'
+    end
+    it "writes crl list" do
+        crl = R509::Crl::Administrator.new(@test_ca_config)
+        crl.revoke_cert(12345)
+        crl.save_crl_list
+        crl.crl_list_file.string.should match(/[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+/)
+    end
+    it "doesn't write the crl_number_file when it is nil" do
+        config = R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert
+        )
+        crl = R509::Crl::Administrator.new(config)
+        expect { crl.save_crl_number }.to_not raise_error(StandardError)
+    end
+    it "doesn't write the crl_list_file when it is nil" do
+        config = R509::Config::CaConfig.new(
+            :ca_cert => TestFixtures.test_ca_cert
+        )
+        crl = R509::Crl::Administrator.new(config)
+        expect { crl.save_crl_list }.to_not raise_error(StandardError)
+    end
+end