r509 0.8

data/spec/spec_helper.rb

@@ -0,0 +1,14 @@
+if (RUBY_VERSION.split('.')[1].to_i > 8)
+    begin
+        require 'simplecov'
+        SimpleCov.start
+    rescue LoadError
+    end
+end
+
+$:.unshift File.expand_path("../../lib", __FILE__)
+$:.unshift File.expand_path("../", __FILE__)
+require 'rubygems'
+require 'fixtures'
+require 'rspec'
+require 'r509'

data/spec/spki_spec.rb

@@ -0,0 +1,157 @@
+require 'spec_helper'
+require 'stringio'
+require 'r509/spki'
+
+
+describe R509::Spki do
+    before :all do
+        #also known as SPKAC (signed public key and challenge)
+        @spki_dsa = TestFixtures::SPKI_DSA.strip
+        @spki = TestFixtures::SPKI.strip
+        @spki_der = TestFixtures::SPKI_DER
+    end
+    it "raises an error if you don't provide a hash" do
+        expect { R509::Spki.new("junk") }.to raise_error(ArgumentError,'Must provide a hash of options')
+    end
+    it "raises an error if you don't provide spki and subject" do
+        expect { R509::Spki.new(:spki => @spki) }.to raise_error(ArgumentError,'Must provide both spki and subject')
+    end
+    it "raises an error if you don't provide an Array for san_names" do
+        expect { R509::Spki.new(:spki => @spki, :subject => [['CN','test']], :san_names => "hello.com") }.to raise_error(ArgumentError,'if san_names are provided they must be in an Array')
+    end
+    it "loads an RSA spkac" do
+        spki = R509::Spki.new( :spki => @spki, :subject => [['CN','spkitest.com']] )
+        spki.to_pem.should == @spki
+    end
+    it "properly strips SPKAC= prefix and loads" do
+        spki = R509::Spki.new(
+            :spki => "SPKAC="+@spki,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.to_pem.should == @spki
+    end
+    it "returns the public key" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.public_key.should_not == nil
+    end
+    it "returns pem" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.to_pem.should == @spki
+    end
+    it "returns der" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.to_der.should == @spki_der
+    end
+    it "writes to pem" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']]
+        )
+        sio = StringIO.new
+        sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
+        spki.write_pem(sio)
+        sio.string.should == @spki
+    end
+    it "writes to der" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']]
+        )
+        sio = StringIO.new
+        sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
+        spki.write_der(sio)
+        sio.string.should ==  @spki_der
+    end
+    it "rsa?" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.rsa?.should == true
+        spki.dsa?.should == false
+    end
+    it "returns RSA key algorithm for RSA" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.key_algorithm.should == "RSA"
+    end
+    it "gets RSA bit strength" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.bit_strength.should == 2048
+    end
+    it "loads a DSA spkac" do
+        spki = R509::Spki.new(
+            :spki => @spki_dsa,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.to_pem.should == @spki_dsa
+    end
+    it "gets DSA bit strength" do
+        spki = R509::Spki.new(
+            :spki => @spki_dsa,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.bit_strength.should == 2048
+    end
+    it "dsa?" do
+        spki = R509::Spki.new(
+            :spki => @spki_dsa,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.dsa?.should == true
+        spki.rsa?.should == false
+    end
+    it "returns DSA key algorithm for DSA" do
+        spki = R509::Spki.new(
+            :spki => @spki_dsa,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.key_algorithm.should == "DSA"
+    end
+    it "returns expected value for subject" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.subject.to_s.should == '/CN=spkitest.com'
+    end
+    it "returns expected value for san names" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']],
+            :san_names => ['domain1.com','domain2.com']
+        )
+        spki.san_names.should == ['domain1.com','domain2.com']
+    end
+    it "returns empty array when passed no san_names" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']]
+        )
+        spki.san_names.empty?.should == true
+    end
+    it "creates a valid hash object with to_hash" do
+        spki = R509::Spki.new(
+            :spki => @spki,
+            :subject => [['CN','spkitest.com']],
+            :san_names => ["test.local"]
+        )
+        spki.to_hash[:subject].kind_of?(R509::Subject).should == true
+        spki.to_hash[:subject].to_s.should == '/CN=spkitest.com'
+        spki.to_hash[:san_names].should == ["test.local"]
+    end
+end

data/spec/subject_spec.rb

@@ -0,0 +1,203 @@
+require 'spec_helper'
+require 'r509/subject'
+require 'openssl'
+
+describe R509::Subject do
+    before :all do
+        @csr_unknown_oid = TestFixtures::CSR_UNKNOWN_OID
+    end
+
+    it "initializes an empty subject and gets the name" do
+        subject = R509::Subject.new
+        subject.name.to_s.should == ""
+    end
+    it "initializes an empty subject, adds a field, and gets the name" do
+        subject = R509::Subject.new
+        subject["CN"] = "domain.com"
+        subject.name.to_s.should == "/CN=domain.com"
+    end
+    it "initializes with a subject array, and gets the name" do
+        subject = R509::Subject.new([["CN", "domain.com"], ["O", "my org"]])
+        subject.name.to_s.should == "/CN=domain.com/O=my org"
+    end
+    it "initializes with a name, gets the name" do
+        name = OpenSSL::X509::Name.new([["CN", "domain.com"], ["O", "my org"], ["OU", "my unit"]])
+        subject = R509::Subject.new(name)
+        subject.name.to_s.should == "/CN=domain.com/O=my org/OU=my unit"
+    end
+    it "initializes with a subject" do
+        s1 = R509::Subject.new
+        s1["CN"] = "domain.com"
+        s1["O"] = "my org"
+
+        s2 = R509::Subject.new(s1)
+        s2.name.to_s.should == s1.name.to_s
+    end
+    it "preserves order of a full subject line" do
+        subject = R509::Subject.new([['CN','langui.sh'],['ST','Illinois'],['L','Chicago'],['C','US'],['emailAddress','ca@langui.sh']])
+        subject.name.to_s.should == '/CN=langui.sh/ST=Illinois/L=Chicago/C=US/emailAddress=ca@langui.sh'
+    end
+    it "preserves order of a full subject line and uses to_s directly" do
+        subject = R509::Subject.new([['CN','langui.sh'],['ST','Illinois'],['L','Chicago'],['C','US'],['emailAddress','ca@langui.sh']])
+        subject.to_s.should == '/CN=langui.sh/ST=Illinois/L=Chicago/C=US/emailAddress=ca@langui.sh'
+    end
+    it "preserves order with raw OIDs, and potentially fills in known OID names" do
+        subject = R509::Subject.new([['2.5.4.3','common name'],['2.5.4.15','business category'],['2.5.4.7','locality'],['1.3.6.1.4.1.311.60.2.1.3','jurisdiction oid openssl typically does not know']])
+        subject.to_s.should == "/CN=common name/businessCategory=business category/L=locality/jurisdictionOfIncorporationCountryName=jurisdiction oid openssl typically does not know"
+    end
+
+    it "edits an existing subject entry" do
+        subject = R509::Subject.new([["CN", "domain1.com"], ["O", "my org"]])
+        subject.to_s.should == "/CN=domain1.com/O=my org"
+
+        subject["CN"] = "domain2.com"
+        subject.to_s.should == "/CN=domain2.com/O=my org"
+    end
+
+    it "deletes an existing subject entry" do
+        subject = R509::Subject.new([["CN", "domain1.com"], ["O", "my org"]])
+        subject.to_s.should == "/CN=domain1.com/O=my org"
+
+        subject.delete("CN")
+        subject.to_s.should == "/O=my org"
+    end
+
+    it "is empty when initialized" do
+        subject = R509::Subject.new
+        subject.empty?.should == true
+        subject["CN"] = "domain.com"
+        subject.empty?.should == false
+    end
+
+    it "is not empty" do
+        subject = R509::Subject.new([["CN", "domain1.com"]])
+        subject.empty?.should == false
+    end
+
+    it "can get a component out of the subject" do
+        subject = R509::Subject.new([["CN", "domain.com"]])
+        subject["CN"].should == "domain.com"
+        subject["O"].should == nil
+    end
+
+    it "adds an OID" do
+        subject = R509::Subject.new
+        subject['1.3.6.1.4.1.311.60.2.1.3'] = 'jurisdiction oid openssl typically does not know'
+        subject['1.3.6.1.4.1.311.60.2.1.3'].should == 'jurisdiction oid openssl typically does not know'
+    end
+
+    it "deletes an OID" do
+        subject = R509::Subject.new([["CN", "domain.com"], ['1.3.6.1.4.1.38383.60.2.1.0.0', 'random oid']])
+        subject.to_s.should == "/CN=domain.com/1.3.6.1.4.1.38383.60.2.1.0.0=random oid"
+        subject.delete("1.3.6.1.4.1.38383.60.2.1.0.0")
+        subject.to_s.should == "/CN=domain.com"
+    end
+
+    it "fails when you instantiate with an unknown shortname" do
+        expect { R509::Subject.new([["NOTRIGHT", "foo"]]) }.to raise_error(OpenSSL::X509::NameError)
+    end
+
+    it "fails when you add an unknown shortname" do
+        subject = R509::Subject.new
+        expect { subject["WRONG"] = "bar" }.to raise_error(OpenSSL::X509::NameError)
+    end
+
+    it "parses unknown OIDs out of a CSR" do
+        csr = R509::Csr.new(:csr => @csr_unknown_oid)
+        subject = R509::Subject.new(csr.subject)
+        subject["1.2.3.4.5.6.7.8.9.8.7.6.5.4.3.2.1.0.0"].should == "random oid!"
+        subject["1.3.3.543.567.32.43.335.1.1.1"].should == "another random oid!"
+        subject["CN"].should == 'normaldomain.com'
+    end
+
+end
+
+describe R509::NameSanitizer do
+    before :all do
+        @sanitizer = R509::NameSanitizer.new
+    end
+
+    it "when it has only known OIDs" do
+        name = OpenSSL::X509::Name.new [["C", "US"], ["ST", "Illinois"]]
+        array = @sanitizer.sanitize(name)
+        array.size.should == 2
+        array[0][0].should == "C"
+        array[0][1].should == "US"
+        array[1][0].should == "ST"
+        array[1][1].should == "Illinois"
+    end
+
+    it "when it has only unknown OIDs" do
+        name = OpenSSL::X509::Name.new [["1.2.3.4", "US"], ["1.2.3.5", "Illinois"]]
+        array = @sanitizer.sanitize(name)
+        array.size.should == 2
+        array[0][0].should == "1.2.3.4"
+        array[0][1].should == "US"
+        array[1][0].should == "1.2.3.5"
+        array[1][1].should == "Illinois"
+    end
+
+    it "when it has an unknown between two knowns" do
+        name = OpenSSL::X509::Name.new [["CN", "domain.com"], ["1.2.3.4", "US"], ["ST", "Illinois"]]
+        array = @sanitizer.sanitize(name)
+        array.size.should == 3
+        array[0][0].should == "CN"
+        array[0][1].should == "domain.com"
+        array[1][0].should == "1.2.3.4"
+        array[1][1].should == "US"
+        array[2][0].should == "ST"
+        array[2][1].should == "Illinois"
+    end
+
+    it "when it has a known between two unknowns" do
+        name = OpenSSL::X509::Name.new [["1.2.3.4", "domain.com"], ["C", "US"], ["1.2.3.5", "Illinois"]]
+        array = @sanitizer.sanitize(name)
+        array.size.should == 3
+        array[0][0].should == "1.2.3.4"
+        array[0][1].should == "domain.com"
+        array[1][0].should == "C"
+        array[1][1].should == "US"
+        array[2][0].should == "1.2.3.5"
+        array[2][1].should == "Illinois"
+    end
+
+    it "when a known has the same value as an unknown defined before it" do
+        name = OpenSSL::X509::Name.new [["1.2.3.4", "domain.com"], ["CN", "domain.com"]]
+        array = @sanitizer.sanitize(name)
+        array.size.should == 2
+        array[0][0].should == "1.2.3.4"
+        array[0][1].should == "domain.com"
+        array[1][0].should == "CN"
+        array[1][1].should == "domain.com"
+    end
+
+    it "when two unknowns have the same value" do
+        name = OpenSSL::X509::Name.new [["1.2.3.4", "domain.com"], ["1.2.3.5", "domain.com"]]
+        array = @sanitizer.sanitize(name)
+        array.size.should == 2
+        array[0][0].should == "1.2.3.4"
+        array[0][1].should == "domain.com"
+        array[1][0].should == "1.2.3.5"
+        array[1][1].should == "domain.com"
+    end
+
+    it "when two unknowns have the same oid and different values" do
+        name = OpenSSL::X509::Name.new [["1.2.3.4", "domain.com"], ["1.2.3.4", "other"]]
+        array = @sanitizer.sanitize(name)
+        array.size.should == 2
+        array[0][0].should == "1.2.3.4"
+        array[0][1].should == "domain.com"
+        array[1][0].should == "1.2.3.4"
+        array[1][1].should == "other"
+    end
+
+    it "when two unknowns have the same oid and the same value" do
+        name = OpenSSL::X509::Name.new [["1.2.3.4", "domain.com"], ["1.2.3.4", "domain.com"]]
+        array = @sanitizer.sanitize(name)
+        array.size.should == 2
+        array[0][0].should == "1.2.3.4"
+        array[0][1].should == "domain.com"
+        array[1][0].should == "1.2.3.4"
+        array[1][1].should == "domain.com"
+    end
+end

data/spec/validity_spec.rb

@@ -0,0 +1,98 @@
+require 'spec_helper'
+require 'r509/validity'
+require 'openssl'
+
+describe R509::Validity do
+    context "status" do
+        it "has no status" do
+            status = R509::Validity::Status.new
+            status.status.should == nil
+            status.ocsp_status.should == OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
+        end
+        it "has a valid status" do
+            status = R509::Validity::Status.new(:status => R509::Validity::VALID)
+            status.status.should == R509::Validity::VALID
+            status.ocsp_status.should == OpenSSL::OCSP::V_CERTSTATUS_GOOD
+        end
+        it "has a revoked status" do
+            status = R509::Validity::Status.new(:status => R509::Validity::REVOKED)
+            status.status.should == R509::Validity::REVOKED
+            status.ocsp_status.should == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+            status.revocation_time.should_not == nil
+            status.revocation_reason.should == 0
+        end
+        it "has an unknown status" do
+            status = R509::Validity::Status.new(:status => R509::Validity::UNKNOWN)
+            status.status.should == R509::Validity::UNKNOWN
+            status.ocsp_status.should == OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
+        end
+        it "has some other status that we don't know about" do
+            status = R509::Validity::Status.new(:status => 10101010101)
+            status.status.should == 10101010101
+            status.ocsp_status.should == OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
+        end
+        it "has no revocation time or reason specified (and isn't revoked)" do
+            status = R509::Validity::Status.new
+            status.revocation_time.should == nil
+            status.revocation_reason.should == 0
+        end
+        it "specifies a revocation time" do
+            time = Time.now.to_i
+            status = R509::Validity::Status.new(:revocation_time => time)
+            status.revocation_time.should == time
+        end
+        it "specifies a revocation reason" do
+            status = R509::Validity::Status.new(:revocation_reason => 2)
+            status.revocation_reason.should == 2
+        end
+    end
+    context "writer base" do
+        it "calls issue" do
+            writer = R509::Validity::Writer.new
+            expect { writer.issue("a",1) }.to raise_error(NotImplementedError, "You must call #issue on a subclass of Writer")
+        end
+        it "calls revoke" do
+            writer = R509::Validity::Writer.new
+            expect { writer.revoke("a",1, 1) }.to raise_error(NotImplementedError, "You must call #revoke on a subclass of Writer")
+        end
+        it "calls is_available?" do
+            writer = R509::Validity::Writer.new
+            expect { writer.is_available? }.to raise_error(NotImplementedError, "You must call #is_available? on a subclass of Writer")
+        end
+    end
+    context "checker base" do
+        it "calls check" do
+            checker = R509::Validity::Checker.new
+            expect { checker.check("a",1) }.to raise_error(NotImplementedError, "You must call #check on a subclass of Checker")
+        end
+        it "calls is_available?" do
+            checker = R509::Validity::Checker.new
+            expect { checker.is_available? }.to raise_error(NotImplementedError, "You must call #is_available? on a subclass of Checker")
+        end
+    end
+    context "writer default" do
+        it "calls issue" do
+            writer = R509::Validity::DefaultWriter.new
+            writer.issue("a",1)
+        end
+        it "calls revoke" do
+            writer = R509::Validity::DefaultWriter.new
+            writer.revoke("a",1, 1)
+        end
+        it "calls is_available?" do
+            writer = R509::Validity::DefaultWriter.new
+            writer.is_available?.should == true
+        end
+    end
+    context "checker default" do
+        it "calls check" do
+            checker = R509::Validity::DefaultChecker.new
+            status = checker.check("a",1)
+            status.status.should == R509::Validity::VALID
+        end
+        it "calls is_available?" do
+            checker = R509::Validity::DefaultChecker.new
+            checker.is_available?.should == true
+        end
+    end
+end