r509 0.9.2 → 0.10.0
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +2 -0
- data/CONTRIBUTING.mdown +21 -0
- data/LICENSE +13 -0
- data/README.mdown +548 -0
- data/Rakefile +5 -0
- data/bin/r509 +16 -17
- data/doc/R509.html +42 -26
- data/doc/R509/ASN1.html +22 -16
- data/doc/R509/ASN1/GeneralName.html +180 -173
- data/doc/R509/ASN1/GeneralNames.html +390 -62
- data/doc/R509/CRL.html +9 -7
- data/doc/R509/CRL/Administrator.html +208 -623
- data/doc/R509/CRL/FileReaderWriter.html +856 -0
- data/doc/R509/CRL/ReaderWriter.html +524 -0
- data/doc/R509/CRL/SignedList.html +29 -42
- data/doc/R509/CSR.html +248 -333
- data/doc/R509/Cert.html +364 -491
- data/doc/R509/Cert/Extensions.html +134 -43
- data/doc/R509/Cert/Extensions/AuthorityInfoAccess.html +335 -65
- data/doc/R509/Cert/Extensions/AuthorityKeyIdentifier.html +201 -102
- data/doc/R509/Cert/Extensions/BasicConstraints.html +297 -68
- data/doc/R509/Cert/Extensions/CRLDistributionPoints.html +690 -77
- data/doc/R509/Cert/Extensions/CertificatePolicies.html +293 -43
- data/doc/R509/Cert/Extensions/ExtendedKeyUsage.html +321 -173
- data/doc/R509/Cert/Extensions/GeneralNamesMixin.html +656 -0
- data/doc/R509/Cert/Extensions/InhibitAnyPolicy.html +270 -42
- data/doc/R509/Cert/Extensions/KeyUsage.html +334 -184
- data/doc/R509/Cert/Extensions/NameConstraints.html +363 -93
- data/doc/R509/{ASN1 → Cert/Extensions}/NoticeReference.html +209 -48
- data/doc/R509/Cert/Extensions/OCSPNoCheck.html +244 -17
- data/doc/R509/Cert/Extensions/PolicyConstraints.html +322 -71
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyInformation.html +204 -43
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyQualifiers.html +205 -48
- data/doc/R509/Cert/Extensions/SubjectAlternativeName.html +348 -143
- data/doc/R509/Cert/Extensions/SubjectKeyIdentifier.html +165 -13
- data/doc/R509/{ASN1 → Cert/Extensions}/UserNotice.html +204 -43
- data/doc/R509/Cert/Extensions/ValidationMixin.html +120 -0
- data/doc/R509/CertificateAuthority.html +9 -7
- data/doc/R509/CertificateAuthority/OptionsBuilder.html +475 -0
- data/doc/R509/CertificateAuthority/Signer.html +149 -198
- data/doc/R509/Config.html +10 -8
- data/doc/R509/Config/CAConfig.html +708 -625
- data/doc/R509/Config/CAConfigPool.html +179 -31
- data/doc/R509/Config/CertProfile.html +1544 -0
- data/doc/R509/Config/SubjectItemPolicy.html +437 -99
- data/doc/R509/Engine.html +14 -28
- data/doc/R509/Helpers.html +1014 -0
- data/doc/R509/MessageDigest.html +73 -25
- data/doc/R509/NameSanitizer.html +39 -39
- data/doc/R509/OCSP.html +5 -5
- data/doc/R509/OCSP/Request.html +5 -5
- data/doc/R509/OCSP/Request/Nonce.html +5 -5
- data/doc/R509/OCSP/Response.html +7 -7
- data/doc/R509/OIDMapper.html +121 -6
- data/doc/R509/PrivateKey.html +226 -227
- data/doc/R509/R509Error.html +5 -5
- data/doc/R509/SPKI.html +244 -342
- data/doc/R509/Subject.html +241 -70
- data/doc/R509/Validity.html +5 -5
- data/doc/R509/Validity/Checker.html +5 -5
- data/doc/R509/Validity/DefaultChecker.html +5 -9
- data/doc/R509/Validity/DefaultWriter.html +5 -9
- data/doc/R509/Validity/Status.html +5 -5
- data/doc/R509/Validity/Writer.html +5 -5
- data/doc/_index.html +92 -30
- data/doc/class_list.html +2 -2
- data/doc/file.CONTRIBUTING.html +96 -0
- data/doc/file.LICENSE.html +87 -0
- data/doc/file.README.html +279 -389
- data/doc/file.YAML.html +243 -0
- data/doc/file.r509.html +298 -105
- data/doc/file_list.html +11 -2
- data/doc/frames.html +1 -1
- data/doc/index.html +279 -389
- data/doc/js/full_list.js +6 -1
- data/doc/method_list.html +869 -1139
- data/doc/top-level-namespace.html +103 -5
- data/lib/r509.rb +7 -2
- data/lib/r509/asn1.rb +97 -135
- data/lib/r509/cert.rb +17 -106
- data/lib/r509/cert/extensions.rb +13 -676
- data/lib/r509/cert/extensions/authority_info_access.rb +128 -0
- data/lib/r509/cert/extensions/authority_key_identifier.rb +100 -0
- data/lib/r509/cert/extensions/base.rb +142 -0
- data/lib/r509/cert/extensions/basic_constraints.rb +119 -0
- data/lib/r509/cert/extensions/certificate_policies.rb +262 -0
- data/lib/r509/cert/extensions/crl_distribution_points.rb +98 -0
- data/lib/r509/cert/extensions/extended_key_usage.rb +189 -0
- data/lib/r509/cert/extensions/inhibit_any_policy.rb +70 -0
- data/lib/r509/cert/extensions/key_usage.rb +209 -0
- data/lib/r509/cert/extensions/name_constraints.rb +179 -0
- data/lib/r509/cert/extensions/ocsp_no_check.rb +56 -0
- data/lib/r509/cert/extensions/policy_constraints.rb +122 -0
- data/lib/r509/cert/extensions/subject_alternative_name.rb +88 -0
- data/lib/r509/cert/extensions/subject_key_identifier.rb +56 -0
- data/lib/r509/cert/extensions/validation_mixin.rb +42 -0
- data/lib/r509/certificate_authority/options_builder.rb +142 -0
- data/lib/r509/certificate_authority/signer.rb +189 -0
- data/lib/r509/config.rb +3 -600
- data/lib/r509/config/ca_config.rb +414 -0
- data/lib/r509/config/cert_profile.rb +110 -0
- data/lib/r509/config/subject_item_policy.rb +118 -0
- data/lib/r509/crl/administrator.rb +169 -0
- data/lib/r509/crl/reader_writer.rb +109 -0
- data/lib/r509/crl/signed_list.rb +135 -0
- data/lib/r509/csr.rb +35 -116
- data/lib/r509/engine.rb +21 -11
- data/lib/r509/helpers.rb +110 -0
- data/lib/r509/io_helpers.rb +18 -13
- data/lib/r509/message_digest.rb +13 -3
- data/lib/r509/oid_mapper.rb +14 -0
- data/lib/r509/private_key.rb +74 -50
- data/lib/r509/spki.rb +50 -113
- data/lib/r509/subject.rb +24 -2
- data/lib/r509/trollop.rb +788 -0
- data/lib/r509/version.rb +1 -1
- data/r509.yaml +289 -96
- data/spec/asn1_spec.rb +171 -98
- data/spec/cert/extensions/authority_info_access_spec.rb +247 -0
- data/spec/cert/extensions/authority_key_identifier_spec.rb +85 -0
- data/spec/cert/extensions/base_spec.rb +172 -0
- data/spec/cert/extensions/basic_constraints_spec.rb +185 -0
- data/spec/cert/extensions/certificate_policies_spec.rb +288 -0
- data/spec/cert/extensions/crl_distribution_points_spec.rb +149 -0
- data/spec/cert/extensions/extended_key_usage_spec.rb +174 -0
- data/spec/cert/extensions/inhibit_any_policy_spec.rb +92 -0
- data/spec/cert/extensions/key_usage_spec.rb +172 -0
- data/spec/cert/extensions/name_constraints_spec.rb +335 -0
- data/spec/cert/extensions/ocsp_no_check_spec.rb +76 -0
- data/spec/cert/extensions/policy_constraints_spec.rb +155 -0
- data/spec/cert/extensions/subject_alternative_name_spec.rb +354 -0
- data/spec/cert/extensions/subject_key_identifier_spec.rb +64 -0
- data/spec/cert_spec.rb +11 -9
- data/spec/certificate_authority/options_builder_spec.rb +307 -0
- data/spec/certificate_authority/signer_spec.rb +278 -0
- data/spec/config/ca_config_spec.rb +405 -0
- data/spec/config/cert_profile_spec.rb +88 -0
- data/spec/config/subject_item_policy_spec.rb +81 -0
- data/spec/crl/administrator_spec.rb +199 -0
- data/spec/crl/reader_writer_spec.rb +97 -0
- data/spec/crl/signed_list_spec.rb +84 -0
- data/spec/csr_spec.rb +43 -36
- data/spec/engine_spec.rb +51 -0
- data/spec/fixtures.rb +40 -40
- data/spec/fixtures/cert1.pem +1 -1
- data/spec/fixtures/config_pool_test_minimal.yaml +11 -15
- data/spec/fixtures/config_test.yaml +96 -59
- data/spec/fixtures/config_test_dsa.yaml +29 -35
- data/spec/fixtures/config_test_ec.yaml +29 -35
- data/spec/fixtures/config_test_engine_key.yaml +7 -7
- data/spec/fixtures/config_test_engine_no_key_name.yaml +6 -6
- data/spec/fixtures/config_test_minimal.yaml +3 -5
- data/spec/fixtures/config_test_password.yaml +4 -6
- data/spec/fixtures/config_test_various.yaml +147 -137
- data/spec/fixtures/crl_list_file.txt +1 -1
- data/spec/fixtures/test_ca_crl.cer +20 -0
- data/spec/fixtures/test_ca_crl.key +28 -0
- data/spec/fixtures/test_ca_crl.p12 +0 -0
- data/spec/message_digest_spec.rb +6 -0
- data/spec/oid_mapper_spec.rb +11 -0
- data/spec/private_key_spec.rb +19 -18
- data/spec/spec_helper.rb +10 -6
- data/spec/spki_spec.rb +38 -19
- data/spec/subject_spec.rb +16 -0
- metadata +108 -59
- metadata.gz.sig +0 -0
- data/README.md +0 -638
- data/doc/R509/Config/CAProfile.html +0 -1015
- data/doc/R509/IOHelpers.html +0 -564
- data/lib/r509/certificate_authority.rb +0 -407
- data/lib/r509/crl.rb +0 -351
- data/spec/cert/extensions_spec.rb +0 -1095
- data/spec/certificate_authority_spec.rb +0 -681
- data/spec/config_spec.rb +0 -562
- data/spec/crl_spec.rb +0 -226
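--- a/data/spec/cert/extensions/crl_distribution_points_spec.rb
+++ b/data/spec/cert/extensions/crl_distribution_points_spec.rb
@@ -0,0 +1,149 @@
+require 'spec_helper'
+
+include R509::Cert::Extensions
+
+shared_examples_for "a correct R509 CRLDistributionPoints object" do |critical|
+before :all do
+extension_name = "crlDistributionPoints"
+klass = CRLDistributionPoints
+ef = OpenSSL::X509::ExtensionFactory.new
+openssl_ext = ef.create_extension( extension_name, @extension_value , critical )
+@r509_ext = klass.new( openssl_ext )
+end
+
+it "crl_uri should be correct critical:#{critical}" do
+@r509_ext.uris.should == @crl_uris
+end
+
+it "reports #critical? properly" do
+@r509_ext.critical?.should == critical
+end
+end
+
+describe R509::Cert::Extensions::CRLDistributionPoints do
+include R509::Cert::Extensions
+
+context "validation" do
+it "raises an error if you pass a non-hash" do
+expect { CRLDistributionPoints.new( "test" ) }.to raise_error(ArgumentError, 'You must pass a hash with a :value key')
+end
+
+it "raises an error if you pass a value that is not an array" do
+expect { CRLDistributionPoints.new( :value => "some-url" ) }.to raise_error(ArgumentError, 'crl_distribution_points must contain an array or R509::ASN1::GeneralNames object if provided')
+end
+
+it "raises an error if you pass an array that does not contain hashes" do
+expect { CRLDistributionPoints.new( :value => [{},"string"] ) }.to raise_error(ArgumentError, 'All elements of the array must be hashes with a :type and :value')
+end
+
+it "raises an error if you pass an array that does not contain both :type and :value" do
+expect { CRLDistributionPoints.new( :value => [{:type => 'URI'}] ) }.to raise_error(ArgumentError, 'All elements of the array must be hashes with a :type and :value')
+expect { CRLDistributionPoints.new( :value => [{:value => 'value'}] ) }.to raise_error(ArgumentError, 'All elements of the array must be hashes with a :type and :value')
+end
+end
+
+
+context "CRLDistributionPoints" do
+context "creation & yaml generation" do
+context "GeneralNames object" do
+before :all do
+gns = R509::ASN1::GeneralNames.new
+gns.create_item(:type => "rfc822Name", :value => "random string")
+args = { :value => gns, :critical => false }
+@cdp = R509::Cert::Extensions::CRLDistributionPoints.new(args)
+end
+
+it "creates extension" do
+@cdp.rfc_822_names.should == ['random string']
+end
+
+it "builds yaml" do
+YAML.load(@cdp.to_yaml).should == {:critical=>false, :value=>[{:type=>"email", :value=>"random string"}]}
+end
+end
+
+context "one CDP" do
+before :all do
+@args = { :value => [{ :type => 'URI', :value => 'http://crl.r509.org/ca.crl'}], :critical => false }
+@cdp = R509::Cert::Extensions::CRLDistributionPoints.new(@args)
+end
+
+it "creates extension" do
+@cdp.uris.should == ['http://crl.r509.org/ca.crl']
+end
+
+it "builds yaml" do
+YAML.load(@cdp.to_yaml).should == @args
+end
+end
+
+context "multiple CDP" do
+before :all do
+@args = { :value => [{ :type => 'URI', :value => 'http://crl.r509.org/ca.crl' },{ :type => 'dirName', :value => {:CN => 'myCN'}}], :critical => false }
+@cdp = R509::Cert::Extensions::CRLDistributionPoints.new(@args)
+end
+
+it "creates extension" do
+@cdp.uris.should == ['http://crl.r509.org/ca.crl']
+@cdp.directory_names[0].to_s.should == '/CN=myCN'
+end
+
+it "builds yaml" do
+YAML.load(@cdp.to_yaml).should == @args
+end
+end
+
+context "default criticality" do
+before :all do
+@args = { :value => [{:type => "URI", :value => 'http://crl.r509.org/ca.crl'}] }
+@cdp = R509::Cert::Extensions::CRLDistributionPoints.new(@args)
+end
+
+it "creates extension" do
+@cdp.critical?.should be_false
+end
+
+it "builds yaml" do
+YAML.load(@cdp.to_yaml).should == @args.merge(:critical => false)
+end
+end
+
+context "non-default criticality" do
+before :all do
+@args = { :value => [{:type => "URI", :value => 'http://crl.r509.org/ca.crl'}], :critical => true }
+@cdp = R509::Cert::Extensions::CRLDistributionPoints.new(@args)
+end
+
+it "creates extension" do
+@cdp.critical?.should be_true
+end
+
+it "builds yaml" do
+YAML.load(@cdp.to_yaml).should == @args
+end
+end
+
+end
+
+context "with a single CRL URI" do
+before :all do
+@crl_uris = ["http://www.test.local/ca.crl"]
+@extension_value = "URI:#{@crl_uris.join(",URI:")}"
+end
+
+it_should_behave_like "a correct R509 CRLDistributionPoints object", false
+it_should_behave_like "a correct R509 CRLDistributionPoints object", true
+end
+
+context "with multiple CRL URIs" do
+before :all do
+@crl_uris = ["http://www.test.local/ca.crl", "http://www.test.local/subca.crl"]
+@extension_value = "URI:#{@crl_uris.join(",URI:")}"
+end
+
+it_should_behave_like "a correct R509 CRLDistributionPoints object", false
+it_should_behave_like "a correct R509 CRLDistributionPoints object", true
+end
+end
+
+end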
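Review bot: `include R509::Cert::Extensions` on line 3 is at file scope, so it mixes the module into Object for the whole RSpec process rather than just this file; the `describe` block on line 24 already includes it, so the file-scope line can be dropped (the same file-scope include appears on line 3 of extended_key_usage_spec.rb and inhibit_any_policy_spec.rb in this commit, while key_usage_spec.rb fully qualifies the constants instead). Separately, the `YAML.load(@cdp.to_yaml).should == ...` assertions on lines 61, 76, 92, 107 and 122 compare against hashes with Symbol keys; on Psych 4 (Ruby 3.1+) `YAML.load` defaults to safe loading and refuses Symbol, so these examples would raise rather than compare. `YAML.safe_load(@cdp.to_yaml, permitted_classes: [Symbol])` keeps the round-trip check while stating explicitly what the test permits, and the same applies to the "builds yaml" examples in the other three spec files in this commit.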
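--- a/data/spec/cert/extensions/extended_key_usage_spec.rb
+++ b/data/spec/cert/extensions/extended_key_usage_spec.rb
@@ -0,0 +1,174 @@
+require 'spec_helper'
+
+include R509::Cert::Extensions
+
+shared_examples_for "a correct R509 ExtendedKeyUsage object" do |critical|
+before :all do
+extension_name = "extendedKeyUsage"
+klass = ExtendedKeyUsage
+ef = OpenSSL::X509::ExtensionFactory.new
+openssl_ext = ef.create_extension( extension_name, @extension_value , critical )
+@r509_ext = klass.new( openssl_ext )
+end
+
+it "allowed_uses should be non-nil critical:#{critical}" do
+@r509_ext.allowed_uses.should_not == nil
+end
+
+it "allowed_uses should be correct critical:#{critical}" do
+@r509_ext.allowed_uses.should == @allowed_uses
+end
+
+it "the individual allowed-use functions should be correct critical:#{critical}" do
+@r509_ext.web_server_authentication?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_WEB_SERVER_AUTH )
+@r509_ext.web_client_authentication?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_WEB_CLIENT_AUTH )
+@r509_ext.code_signing?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_CODE_SIGNING )
+@r509_ext.email_protection?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_EMAIL_PROTECTION )
+@r509_ext.ocsp_signing?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_OCSP_SIGNING )
+@r509_ext.time_stamping?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_TIME_STAMPING )
+@r509_ext.any_extended_key_usage?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_ANY_EXTENDED_KEY_USAGE )
+end
+
+it "the #allows? method should work critical:#{critical}" do
+@allowed_uses.each do |au|
+@r509_ext.allows?(au).should == true
+end
+end
+
+it "reports #critical? properly" do
+@r509_ext.critical?.should == critical
+end
+end
+
+
+describe R509::Cert::Extensions::ExtendedKeyUsage do
+include R509::Cert::Extensions
+
+context "validate extended key usage" do
+it "errors with non-array" do
+expect { R509::Cert::Extensions::ExtendedKeyUsage.new( 'not an array' ) }.to raise_error(ArgumentError, 'You must pass a hash with a key :value that contains an array of strings (see README)')
+end
+
+it "errors with nil" do
+expect { R509::Cert::Extensions::ExtendedKeyUsage.new(nil) }.to raise_error(ArgumentError, 'You must pass a hash with a key :value that contains an array of strings (see README)')
+end
+
+it "errors with hash with no :value" do
+expect { R509::Cert::Extensions::ExtendedKeyUsage.new({}) }.to raise_error(ArgumentError, 'You must pass a hash with a key :value that contains an array of strings (see README)')
+end
+
+it "errors with hash with non-array :value" do
+expect { R509::Cert::Extensions::KeyUsage.new({:value => "string"}) }.to raise_error(ArgumentError, 'You must pass a hash with a key :value that contains an array of strings (see README)')
+end
+end
+
+context "ExtendedKeyUsage" do
+context "creation & yaml generation" do
+context "single EKU" do
+before :all do
+@args = { :value => ['serverAuth'], :critical => false }
+@eku = R509::Cert::Extensions::ExtendedKeyUsage.new(@args)
+end
+
+it "creates extension" do
+@eku.allowed_uses.should == ['serverAuth']
+end
+
+it "builds yaml" do
+YAML.load(@eku.to_yaml).should == @args
+end
+end
+
+context "multiple EKU" do
+before :all do
+@args = { :value => ['serverAuth','codeSigning'], :critical => false }
+@eku = R509::Cert::Extensions::ExtendedKeyUsage.new(@args)
+end
+
+it "creates extension" do
+@eku.allowed_uses.should == ['serverAuth','codeSigning']
+end
+
+it "builds yaml" do
+YAML.load(@eku.to_yaml).should == @args
+end
+end
+
+context "default criticality" do
+before :all do
+@args = { :value => ['serverAuth'] }
+@eku = R509::Cert::Extensions::ExtendedKeyUsage.new(@args)
+end
+
+it "creates extension" do
+@eku.critical?.should be_false
+end
+
+it "builds yaml" do
+YAML.load(@eku.to_yaml).should == @args.merge(:critical => false)
+end
+end
+
+context "non-default criticality" do
+before :all do
+@args = { :value => ['serverAuth'], :critical => true }
+@eku = R509::Cert::Extensions::ExtendedKeyUsage.new(@args)
+end
+
+it "creates extension" do
+@eku.critical?.should be_true
+end
+
+it "builds yaml" do
+YAML.load(@eku.to_yaml).should == @args
+end
+end
+
+end
+
+context "with one allowed use" do
+before :all do
+@allowed_uses = [ ExtendedKeyUsage::AU_WEB_SERVER_AUTH ]
+@extension_value = @allowed_uses.join( ", " )
+end
+
+it_should_behave_like "a correct R509 ExtendedKeyUsage object", false
+it_should_behave_like "a correct R509 ExtendedKeyUsage object", true
+end
+
+context "with some allowed uses" do
+before :all do
+# this spec and the one below alternate the uses
+@allowed_uses = [ ExtendedKeyUsage::AU_WEB_SERVER_AUTH, ExtendedKeyUsage::AU_CODE_SIGNING ]
+@extension_value = @allowed_uses.join( ", " )
+end
+
+it_should_behave_like "a correct R509 ExtendedKeyUsage object", false
+it_should_behave_like "a correct R509 ExtendedKeyUsage object", true
+end
+
+context "with some different allowed uses" do
+before :all do
+@allowed_uses = [ ExtendedKeyUsage::AU_WEB_CLIENT_AUTH, ExtendedKeyUsage::AU_EMAIL_PROTECTION ]
+@extension_value = @allowed_uses.join( ", " )
+end
+
+it_should_behave_like "a correct R509 ExtendedKeyUsage object", false
+it_should_behave_like "a correct R509 ExtendedKeyUsage object", true
+end
+
+context "with all allowed uses" do
+before :all do
+@allowed_uses = [ ExtendedKeyUsage::AU_WEB_SERVER_AUTH, ExtendedKeyUsage::AU_CODE_SIGNING,
+ExtendedKeyUsage::AU_WEB_CLIENT_AUTH, ExtendedKeyUsage::AU_EMAIL_PROTECTION,
+ExtendedKeyUsage::AU_TIME_STAMPING, ExtendedKeyUsage::AU_OCSP_SIGNING,
+ExtendedKeyUsage::AU_ANY_EXTENDED_KEY_USAGE]
+@extension_value = @allowed_uses.join( ", " )
+end
+
+it_should_behave_like "a correct R509 ExtendedKeyUsage object", false
+it_should_behave_like "a correct R509 ExtendedKeyUsage object", true
+end
+end
+
+end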
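Review bot: Line 61 constructs `R509::Cert::Extensions::KeyUsage` rather than `ExtendedKeyUsage`, so the "errors with hash with non-array :value" example in this ExtendedKeyUsage spec exercises the sibling class and leaves ExtendedKeyUsage's own rejection of a non-array `:value` untested; it only passes because both classes raise the same message. Change it to `expect { R509::Cert::Extensions::ExtendedKeyUsage.new({:value => "string"}) }.to raise_error(ArgumentError, 'You must pass a hash with a key :value that contains an array of strings (see README)')`. The key_usage_spec.rb file in this commit carries the correctly targeted copy of this example on its line 58, which is presumably where this one was copied from.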
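--- a/data/spec/cert/extensions/inhibit_any_policy_spec.rb
+++ b/data/spec/cert/extensions/inhibit_any_policy_spec.rb
@@ -0,0 +1,92 @@
+require 'spec_helper'
+
+include R509::Cert::Extensions
+
+shared_examples_for "a correct R509 InhibitAnyPolicy object" do |critical|
+before :all do
+extension_name = "inhibitAnyPolicy"
+klass = InhibitAnyPolicy
+ef = OpenSSL::X509::ExtensionFactory.new
+openssl_ext = ef.create_extension( extension_name, @value.to_s,critical)
+@r509_ext = klass.new( openssl_ext )
+end
+
+it "should parse the integer value out of the extension" do
+@r509_ext.value.should == @value
+end
+
+it "reports #critical? properly" do
+@r509_ext.critical?.should == critical
+end
+end
+
+describe R509::Cert::Extensions::InhibitAnyPolicy do
+include R509::Cert::Extensions
+
+context "validate inhibit any policy" do
+it "raises an error when not a number" do
+expect { R509::Cert::Extensions::InhibitAnyPolicy.new( :value => "string" ) }.to raise_error(ArgumentError,'Inhibit any policy must be a non-negative integer')
+end
+it "raises an error when not >= 0" do
+expect { R509::Cert::Extensions::InhibitAnyPolicy.new( :value => -5 ) }.to raise_error(ArgumentError,'Inhibit any policy must be a non-negative integer')
+end
+end
+
+context "InhibitAnyPolicy" do
+before :all do
+@value = 3
+end
+
+context "creation & yaml generation" do
+context "creates with a positive skip #" do
+before :all do
+@args = { :value => 1, :critical => true }
+@iap = R509::Cert::Extensions::InhibitAnyPolicy.new(@args)
+end
+
+it "creates extension" do
+@iap.value.should == 1
+end
+
+it "builds yaml" do
+YAML.load(@iap.to_yaml).should == @args
+end
+end
+
+context "creates with default criticality" do
+before :all do
+@args = { :value => 1 }
+@iap = R509::Cert::Extensions::InhibitAnyPolicy.new(@args)
+end
+
+it "creates extension" do
+@iap.critical?.should == true
+end
+
+it "builds yaml" do
+YAML.load(@iap.to_yaml).should == @args.merge(:critical => true)
+end
+end
+
+context "creates with non-default criticality" do
+before :all do
+@args = { :value => 1, :critical => false }
+@iap = R509::Cert::Extensions::InhibitAnyPolicy.new(@args)
+end
+
+it "creates extension" do
+@iap.critical?.should == false
+end
+
+it "builds yaml" do
+YAML.load(@iap.to_yaml).should == @args
+end
+end
+
+end
+
+it_should_behave_like "a correct R509 InhibitAnyPolicy object", false
+it_should_behave_like "a correct R509 InhibitAnyPolicy object", true
+end
+
+end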
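Review bot: The criticality assertions on lines 63 and 78 use `@iap.critical?.should == true` / `== false`, while the sibling specs in this commit check the same thing with `be_true` / `be_false` (for example crl_distribution_points_spec.rb lines 103 and 118); one form across the four files would read more consistently. The validation context on lines 26–33 rejects a String and a negative Integer, but the message 'Inhibit any policy must be a non-negative integer' also implies that a non-integer numeric such as `1.5` and a missing `:value` should be rejected; if the implementation means "integer" literally, a third example such as `expect { R509::Cert::Extensions::InhibitAnyPolicy.new( :value => 1.5 ) }.to raise_error(ArgumentError,'Inhibit any policy must be a non-negative integer')` would pin that down. A blank line between the two examples at lines 29 and 30 would match the spacing used everywhere else in the file.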
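--- a/data/spec/cert/extensions/key_usage_spec.rb
+++ b/data/spec/cert/extensions/key_usage_spec.rb
@@ -0,0 +1,172 @@
+require 'spec_helper'
+
+shared_examples_for "a correct R509 KeyUsage object" do |critical|
+before :each do
+extension_name = "keyUsage"
+klass = R509::Cert::Extensions::KeyUsage
+ef = OpenSSL::X509::ExtensionFactory.new
+openssl_ext = ef.create_extension( extension_name, @extension_value, critical )
+@r509_ext = klass.new( openssl_ext )
+end
+
+it "allowed_uses should be non-nil critical:#{critical}" do
+@r509_ext.allowed_uses.should_not == nil
+end
+
+it "allowed_uses should be correct critical:#{critical}" do
+@r509_ext.allowed_uses.should == @allowed_uses
+end
+
+it "the individual allowed-use functions should be correct critical:#{critical}" do
+@r509_ext.digital_signature?.should == @allowed_uses.include?( R509::Cert::Extensions::KeyUsage::AU_DIGITAL_SIGNATURE )
+@r509_ext.non_repudiation?.should == @allowed_uses.include?( R509::Cert::Extensions::KeyUsage::AU_NON_REPUDIATION )
+@r509_ext.key_encipherment?.should == @allowed_uses.include?( R509::Cert::Extensions::KeyUsage::AU_KEY_ENCIPHERMENT )
+@r509_ext.data_encipherment?.should == @allowed_uses.include?( R509::Cert::Extensions::KeyUsage::AU_DATA_ENCIPHERMENT )
+@r509_ext.key_agreement?.should == @allowed_uses.include?( R509::Cert::Extensions::KeyUsage::AU_KEY_AGREEMENT )
+@r509_ext.key_cert_sign?.should == @allowed_uses.include?( R509::Cert::Extensions::KeyUsage::AU_KEY_CERT_SIGN )
+@r509_ext.crl_sign?.should == @allowed_uses.include?( R509::Cert::Extensions::KeyUsage::AU_CRL_SIGN )
+@r509_ext.encipher_only?.should == @allowed_uses.include?( R509::Cert::Extensions::KeyUsage::AU_ENCIPHER_ONLY )
+@r509_ext.decipher_only?.should == @allowed_uses.include?( R509::Cert::Extensions::KeyUsage::AU_DECIPHER_ONLY )
+end
+
+it "the #allows? method should work critical:#{critical}" do
+@allowed_uses.each do |au|
+@r509_ext.allows?(au).should == true
+end
+end
+
+it "reports #critical? properly" do
+@r509_ext.critical?.should == critical
+end
+end
+
+describe R509::Cert::Extensions::KeyUsage do
+context "validate key usage" do
+it "errors with non-array" do
+expect { R509::Cert::Extensions::KeyUsage.new( 'not an array' ) }.to raise_error(ArgumentError, 'You must pass a hash with a key :value that contains an array of strings (see README)')
+end
+
+it "errors with nil" do
+expect { R509::Cert::Extensions::KeyUsage.new(nil) }.to raise_error(ArgumentError, 'You must pass a hash with a key :value that contains an array of strings (see README)')
+end
+
+it "errors with hash with no :value" do
+expect { R509::Cert::Extensions::KeyUsage.new({}) }.to raise_error(ArgumentError, 'You must pass a hash with a key :value that contains an array of strings (see README)')
+end
+
+it "errors with hash with non-array :value" do
+expect { R509::Cert::Extensions::KeyUsage.new({:value => "string"}) }.to raise_error(ArgumentError, 'You must pass a hash with a key :value that contains an array of strings (see README)')
+end
+end
+
+context "KeyUsage" do
+context "creation & yaml generation" do
+context "single KU" do
+before :all do
+@args = { :value => ['digitalSignature'] }
+@ku = R509::Cert::Extensions::KeyUsage.new(@args)
+end
+
+it "creates extension" do
+@ku.allowed_uses.should == ['digitalSignature']
+end
+
+it "builds yaml" do
+YAML.load(@ku.to_yaml).should == @args.merge(:critical => false)
+end
+end
+
+
+context "multiple KU" do
+before :all do
+@args = { :value => ['digitalSignature','keyAgreement'] }
+@ku = R509::Cert::Extensions::KeyUsage.new(@args)
+end
+
+it "creates extension" do
+@ku.allowed_uses.should == ['digitalSignature','keyAgreement']
+end
+
+it "builds_yaml" do
+YAML.load(@ku.to_yaml).should == @args.merge(:critical => false)
+end
+end
+
+context "default criticality" do
+before :all do
+@args = { :value => ['keyAgreement'] }
+@ku = R509::Cert::Extensions::KeyUsage.new(@args)
+end
+
+it "creates extension" do
+@ku.critical?.should be_false
+end
+
+it "builds yaml" do
+YAML.load(@ku.to_yaml).should == @args.merge(:critical => false)
+end
+end
+
+context "non-default criticality" do
+before :all do
+@args = { :value => ['keyAgreement'], :critical => true }
+@ku = R509::Cert::Extensions::KeyUsage.new(@args)
+end
+
+it "creates extension" do
+@ku.critical?.should be_true
+end
+
+it "builds yaml" do
+YAML.load(@ku.to_yaml).should == @args
+end
+end
+
+end
+
+context "with one allowed use" do
+before :all do
+@allowed_uses = [ R509::Cert::Extensions::KeyUsage::AU_DIGITAL_SIGNATURE ]
+@extension_value = @allowed_uses.join( ", " )
+end
+
+it_should_behave_like "a correct R509 KeyUsage object", false
+it_should_behave_like "a correct R509 KeyUsage object", true
+end
+
+context "with some allowed uses" do
+before :all do
+# this spec and the one below alternate the uses
+@allowed_uses = [ R509::Cert::Extensions::KeyUsage::AU_DIGITAL_SIGNATURE, R509::Cert::Extensions::KeyUsage::AU_KEY_ENCIPHERMENT, R509::Cert::Extensions::KeyUsage::AU_KEY_AGREEMENT, R509::Cert::Extensions::KeyUsage::AU_CRL_SIGN, R509::Cert::Extensions::KeyUsage::AU_DECIPHER_ONLY ]
+@extension_value = @allowed_uses.join( ", " )
+end
+
+it_should_behave_like "a correct R509 KeyUsage object", false
+it_should_behave_like "a correct R509 KeyUsage object", true
+end
+
+context "with some different allowed uses" do
+before :all do
+@allowed_uses = [ R509::Cert::Extensions::KeyUsage::AU_NON_REPUDIATION, R509::Cert::Extensions::KeyUsage::AU_DATA_ENCIPHERMENT, R509::Cert::Extensions::KeyUsage::AU_KEY_CERT_SIGN, R509::Cert::Extensions::KeyUsage::AU_ENCIPHER_ONLY ]
+@extension_value = @allowed_uses.join( ", " )
+end
+
+it_should_behave_like "a correct R509 KeyUsage object", false
+it_should_behave_like "a correct R509 KeyUsage object", true
+end
+
+context "with all allowed uses" do
+before :all do
+@allowed_uses = [ R509::Cert::Extensions::KeyUsage::AU_DIGITAL_SIGNATURE, R509::Cert::Extensions::KeyUsage::AU_NON_REPUDIATION,
+R509::Cert::Extensions::KeyUsage::AU_KEY_ENCIPHERMENT, R509::Cert::Extensions::KeyUsage::AU_DATA_ENCIPHERMENT,
+R509::Cert::Extensions::KeyUsage::AU_KEY_AGREEMENT, R509::Cert::Extensions::KeyUsage::AU_KEY_CERT_SIGN,
+R509::Cert::Extensions::KeyUsage::AU_CRL_SIGN, R509::Cert::Extensions::KeyUsage::AU_ENCIPHER_ONLY,
+R509::Cert::Extensions::KeyUsage::AU_DECIPHER_ONLY ]
+@extension_value = @allowed_uses.join( ", " )
+end
+
+it_should_behave_like "a correct R509 KeyUsage object", false
+it_should_behave_like "a correct R509 KeyUsage object", true
+end
+end
+end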
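Review bot: The example name on line 90, `it "builds_yaml" do`, is the only snake_case one among the otherwise identical "builds yaml" examples (lines 74, 105 and 120 here, and the same name throughout the sibling specs in this commit); rename it to `it "builds yaml" do` so RSpec output and any `-e` name filter treat them uniformly. The shared example's setup on line 4 uses `before :each` where the CRLDistributionPoints, ExtendedKeyUsage and InhibitAnyPolicy shared examples use `before :all`; `:each` is the safer form because it rebuilds `@r509_ext` for every example, so the other three files would be better aligned to this one than the reverse.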