r509 0.9.2 → 0.10.0

data/spec/config/subject_item_policy_spec.rb

@@ -0,0 +1,81 @@
+require 'spec_helper'
+require 'r509/config/subject_item_policy'
+require 'r509/exceptions'
+
+describe R509::Config::SubjectItemPolicy do
+  it "raises an error if you supply a non-hash" do
+    expect { R509::Config::SubjectItemPolicy.new('string') }.to raise_error(ArgumentError, "Must supply a hash in form 'shortname'=>hash_with_policy_info")
+  end
+  it "raises an error if you supply values that are not hashes as well" do
+    expect { R509::Config::SubjectItemPolicy.new("CN" => "what what") }.to raise_error(ArgumentError, "Each value must be a hash with a :policy key")
+  end
+  it "raises an error if a required element is missing" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => { :policy => "required" }, "O" => { :policy => "required" }, "OU" => { :policy => "optional" }, "L" => { :policy => "required" })
+    subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+    expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, /This profile requires you supply/)
+  end
+  it "raises an error if your hash values are anything other than required or optional" do
+    expect { R509::Config::SubjectItemPolicy.new("CN" => { :policy => "somethirdoption" }) }.to raise_error(ArgumentError, "Unknown subject item policy value. Allowed values are required, optional, or match")
+  end
+  it "raises an error if a subject item does not match the value supplied" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => { :policy => "match", :value => "some-cn-goes-here" })
+    subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+    expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, 'This profile requires that CN have value: some-cn-goes-here')
+  end
+  it "errors if you get case of subject_item_policy element wrong" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("cn" => { :policy => "required" })
+    subject = R509::Subject.new [["CN","langui.sh"]]
+    expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, 'This profile requires you supply cn')
+  end
+  it "validates a subject with the same fields as the policy" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => { :policy => "required" }, "O" => { :policy => "required" }, "OU" => { :policy => "optional" })
+    subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+    validated_subject = subject_item_policy.validate_subject(subject)
+    validated_subject.to_s.should == subject.to_s
+  end
+  it "allows matched fields" do
+    sip = R509::Config::SubjectItemPolicy.new("CN" => { :policy => "match", :value => "langui.sh" }, "O" => { :policy => "match", :value => "ooooor"})
+    subject = R509::Subject.new [['CN','langui.sh'],['O','ooooor']]
+    validated_subject = sip.validate_subject(subject)
+    validated_subject.to_s.should == subject.to_s
+  end
+  it "builds hash" do
+    args = { "CN" => { :policy => "match", :value => "langui.sh" }, "O" => { :policy => "match", :value => "ooooor"} }
+    sip = R509::Config::SubjectItemPolicy.new(args)
+    # this equality check works because ruby does not compare hash order (which exists in 1.9+)
+    # when doing comparison
+    sip.to_h.should == args
+  end
+  it "builds yaml" do
+    args = { "CN" => { :policy => "match", :value => "langui.sh" }, "O" => { :policy => "match", :value => "ooooor"} }
+    sip = R509::Config::SubjectItemPolicy.new(args)
+    # this equality check works because ruby does not compare hash order (which exists in 1.9+)
+    # when doing comparison
+    YAML.load(sip.to_yaml).should == args
+  end
+  it "preserves subject order when applying policies" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => { :policy => "required" }, "O" => { :policy => "required" }, "OU" => { :policy => "optional" }, "L" => { :policy => "required" }, "C" => { :policy => "required" })
+    subject = R509::Subject.new [["C","US"],["L","Chicago"],["ST","Illinois"],["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+    validated_subject = subject_item_policy.validate_subject(subject)
+    validated_subject.to_s.should == "/C=US/L=Chicago/CN=langui.sh/OU=Org Unit/O=Org"
+  end
+  it "removes subject items that are not in the policy" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => { :policy => "required" })
+    subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+    validated_subject = subject_item_policy.validate_subject(subject)
+    validated_subject.to_s.should == "/CN=langui.sh"
+  end
+  it "does not reorder subject items as it validates" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => { :policy => "required" }, "O" => { :policy => "required" }, "OU" => { :policy => "optional" }, "L" => { :policy => "match", :value => "Chicago" })
+    subject = R509::Subject.new [["L","Chicago"],["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
+    validated_subject = subject_item_policy.validate_subject(subject)
+    validated_subject.to_s.should == subject.to_s
+  end
+  it "loads all the required, optional, and match elements" do
+    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => { :policy => "required" }, "O" => { :policy => "required" }, "OU" => { :policy => "optional" }, "L" => { :policy => "required" }, "emailAddress" => { :policy => "match", :value => "some@emailaddress.com" })
+    subject_item_policy.optional.should include("OU")
+    subject_item_policy.match.should include("emailAddress")
+    subject_item_policy.match_values["emailAddress"].should == "some@emailaddress.com"
+    subject_item_policy.required.should include("CN","O","L")
+  end
+end

data/spec/crl/administrator_spec.rb

@@ -0,0 +1,199 @@
+require 'spec_helper'
+
+describe R509::CRL::Administrator do
+  before :each do
+    @cert = TestFixtures::CERT
+    @csr = TestFixtures::CSR
+    @csr3 = TestFixtures::CSR3
+    @test_ca_config = TestFixtures.test_ca_no_profile_config
+    @test_ca_dsa_config = TestFixtures.test_ca_dsa_no_profile_config
+  end
+
+  it "signs CRL with no delegate certificate" do
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+    )
+    crl_admin = R509::CRL::Administrator.new(config)
+    crl = crl_admin.generate_crl
+    crl.issuer.to_s.should == '/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA'
+  end
+
+  it "signs CRL with delegate certificate" do
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+      :crl_cert => TestFixtures.test_ca_crl_delegate,
+    )
+    crl_admin = R509::CRL::Administrator.new(config)
+    crl = crl_admin.generate_crl
+    crl.issuer.to_s.should == '/C=US/ST=Illinois/L=Chicago/O=r509 LLC/CN=r509 CRL Delegate'
+  end
+
+  it "signs CRL with non-default message digest" do
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+      :crl_md => 'sha256'
+    )
+    crl_admin = R509::CRL::Administrator.new(config)
+    crl = crl_admin.generate_crl
+    crl.signature_algorithm.should == 'sha256WithRSAEncryption'
+  end
+
+  it "signs CRL with default message digest" do
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+    )
+    crl_admin = R509::CRL::Administrator.new(config)
+    crl = crl_admin.generate_crl
+    crl.signature_algorithm.should == 'sha1WithRSAEncryption'
+  end
+
+  it "generates CRL with no entries in revocation list (RSA key)" do
+    crl_admin = R509::CRL::Administrator.new(@test_ca_config)
+    crl = crl_admin.generate_crl
+    crl.to_pem.should match(/BEGIN X509 CRL/)
+    crl.signature_algorithm.should == 'sha1WithRSAEncryption'
+  end
+  it "generates CRL with no entries in revocation list (DSA key)" do
+    crl_admin = R509::CRL::Administrator.new(@test_ca_dsa_config)
+    crl = crl_admin.generate_crl
+    crl.to_pem.should match(/BEGIN X509 CRL/)
+    crl.signature_algorithm.should == 'dsaWithSHA1'
+  end
+  context "elliptic curve", :ec => true do
+    before :all do
+      @test_ca_ec_config = TestFixtures.test_ca_ec_no_profile_config
+    end
+    it "generates CRL with no entries in revocation list (EC key)" do
+      crl_admin = R509::CRL::Administrator.new(@test_ca_ec_config)
+      crl = crl_admin.generate_crl
+      crl.to_pem.should match(/BEGIN X509 CRL/)
+      crl.signature_algorithm.should == 'ecdsa-with-SHA1'
+    end
+  end
+  it "raises exception when no R509::Config::CAConfig object is passed to the constructor" do
+    expect { R509::CRL::Administrator.new(['random']) }.to raise_error(R509::R509Error)
+  end
+  it "raises exception when reader/writer is passed that is not a subclass of ReaderWriter)" do
+    expect { R509::CRL::Administrator.new(@test_ca_config,{}) }.to raise_error(ArgumentError,'argument reader_writer must be a subclass of R509::CRL::ReaderWriter')
+  end
+  it "adds a cert to the revocation list" do
+    crl_admin = R509::CRL::Administrator.new(@test_ca_config)
+    crl_admin.revoked?(383834832).should == false
+    crl_admin.revoke_cert(383834832)
+    crl_admin.revoked?(383834832).should == true
+    crl_admin.revoked?('383834832').should == true
+    crl = crl_admin.generate_crl
+    crl.revoked[383834832].should_not be_nil
+    crl.crl.revoked[0].serial.should == 383834832
+  end
+  it "can revoke (with reason)" do
+    crl_admin = R509::CRL::Administrator.new(@test_ca_config)
+    crl_admin.revoked?(12345).should == false
+    crl_admin.revoke_cert(12345, 1)
+    crl_admin.revoked?(12345).should == true
+    crl_admin.revoked_cert(12345)[:reason].should == 1
+    crl = crl_admin.generate_crl
+
+    crl.crl.revoked[0].serial.should == 12345
+    crl.crl.revoked[0].extensions[0].oid.should == "CRLReason"
+    crl.crl.revoked[0].extensions[0].value.should == "Key Compromise"
+  end
+  it "can revoke (without reason)" do
+    crl_admin = R509::CRL::Administrator.new(@test_ca_config)
+    crl_admin.revoked?(12345).should == false
+    crl_admin.revoke_cert(12345)
+    crl_admin.revoked?(12345).should == true
+    crl_admin.revoked_cert(12345)[:reason].should be_nil
+    crl = crl_admin.generate_crl
+
+    crl.crl.revoked[0].serial.should == 12345
+    crl.crl.revoked[0].extensions.size.should == 0
+  end
+  it "cannot revoke the same serial twice" do
+    crl = R509::CRL::Administrator.new(@test_ca_config)
+    crl.revoked?(12345).should == false
+    crl.revoke_cert(12345, 1)
+    crl.revoked?(12345).should == true
+    crl.revoked_cert(12345)[:reason].should == 1
+    expect { crl.revoke_cert(12345, 1) }.to raise_error(R509::R509Error, "Cannot revoke a previously revoked certificate")
+    crl.revoked?(12345).should == true
+  end
+  it "adds a cert to the revocation list with an invalid reason code" do
+    crl = R509::CRL::Administrator.new(@test_ca_config)
+    expect { crl.revoke_cert(383834832,15) }.to raise_error(ArgumentError, 'Revocation reason must be integer 0-10 (excluding 7) or nil')
+    expect { crl.revoke_cert(383834832,7) }.to raise_error(ArgumentError, 'Revocation reason must be integer 0-10 (excluding 7) or nil')
+    expect { crl.revoke_cert(383834832,'string') }.to raise_error(ArgumentError, 'Revocation reason must be integer 0-10 (excluding 7) or nil')
+  end
+  it "removes a cert from the revocation list" do
+    crl_admin = R509::CRL::Administrator.new(@test_ca_config)
+    crl_admin.revoke_cert(383834832)
+    crl_admin.revoked?(383834832).should == true
+    crl = crl_admin.generate_crl
+    crl.crl.revoked[0].serial.should == 383834832
+    crl_admin.unrevoke_cert(383834832)
+    crl = crl_admin.generate_crl
+    crl_admin.revoked?(383834832).should == false
+    crl.crl.revoked.empty?.should == true
+  end
+  it "loads an existing revocation list file" do
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+      :crl_list_file => TestFixtures::CRL_LIST_FILE
+    )
+    crl = R509::CRL::Administrator.new(config)
+    crl.revoked?(12345).should == true
+    crl.revoked_cert(12345)[:revoke_time].should == 1323983885
+    crl.revoked_cert(12345)[:reason].should == 0
+    crl.revoked?(12346).should == true
+    crl.revoked_cert(12346)[:revoke_time].should == 1323983885
+    crl.revoked_cert(12346)[:reason].should == nil
+  end
+  it "load when nil crl_list_file" do
+    config = R509::Config::CAConfig.new(
+      :ca_cert => TestFixtures.test_ca_cert,
+      :crl_list_file => nil
+    )
+    expect { R509::CRL::Administrator.new(config) }.to_not raise_error
+  end
+  it "sets validity via yaml" do
+    crl_admin = R509::CRL::Administrator.new(@test_ca_config)
+    t = Time.at Time.now.to_i
+    Time.should_receive(:now).twice.and_return(t)
+    crl = crl_admin.generate_crl
+    crl.next_update.should == (t.utc+168*3600) #default 168 hours (7 days)
+  end
+  it "has proper defaults for last_update and next_update" do
+    crl_admin = R509::CRL::Administrator.new(@test_ca_config)
+    now = Time.at Time.now.to_i
+    crl = crl_admin.generate_crl
+    crl.last_update.should == now-@test_ca_config.crl_start_skew_seconds
+    crl.next_update.should == now+@test_ca_config.crl_validity_hours*3600
+  end
+  it "takes custom last_update and next_update" do
+    crl_admin = R509::CRL::Administrator.new(@test_ca_config)
+    last = Time.at Time.now.to_i - 86400
+    nex = Time.at Time.now.to_i + 5
+    crl = crl_admin.generate_crl(last,nex)
+    crl.last_update.should == last
+    crl.next_update.should == nex
+  end
+  it "calls write_list_entry when revoking" do
+    rw = double("rw")
+    rw.should_receive(:kind_of?).and_return(true)
+    rw.should_receive(:write_list_entry)
+    rw.should_receive(:read_number).and_return(0)
+    rw.should_receive(:read_list).and_return(nil)
+    crl_admin = R509::CRL::Administrator.new(@test_ca_config,rw)
+    crl_admin.revoked?(383834832).should == false
+    crl_admin.revoke_cert(383834832)
+  end
+  it "calls write_number when incrementing crl_number" do
+    rw = double("rw")
+    rw.should_receive(:kind_of?).and_return(true)
+    rw.should_receive(:read_number).and_return(0)
+    rw.should_receive(:read_list).and_return(nil)
+    rw.should_receive(:write_number).with(1)
+    crl_admin = R509::CRL::Administrator.new(@test_ca_config,rw)
+    crl_admin.generate_crl
+  end
+end

data/spec/crl/reader_writer_spec.rb

@@ -0,0 +1,97 @@
+require 'spec_helper'
+require 'stringio'
+
+describe R509::CRL::ReaderWriter do
+  before :all do
+    @rw = R509::CRL::ReaderWriter.new
+  end
+
+  it "abstract base class raises error for write_list_entry" do
+    expect { @rw.write_list_entry }.to raise_error(NotImplementedError)
+  end
+
+  it "abstract base class raises error for remove_list_entry" do
+    expect { @rw.remove_list_entry }.to raise_error(NotImplementedError)
+  end
+
+  it "abstract base class raises error for write_number" do
+    expect { @rw.write_number }.to raise_error(NotImplementedError)
+  end
+
+  it "abstract base class raises error for read_list" do
+    expect { @rw.read_list }.to raise_error(NotImplementedError)
+  end
+
+  it "abstract base class raises error for read_number" do
+    expect { @rw.read_number }.to raise_error(NotImplementedError)
+  end
+end
+
+describe R509::CRL::FileReaderWriter do
+  before :each do
+    @rw = R509::CRL::FileReaderWriter.new
+  end
+
+  it "handles nil crl_list_file in read_list" do
+    @rw.crl_list_file = nil
+    @rw.read_list(nil).should == nil
+  end
+
+  it "handles nil crl_list_file in write_list_entry" do
+    @rw.crl_list_file = nil
+    @rw.write_list_entry(1,1,nil).should == nil
+  end
+
+  it "handles nil crl_number_file in read_number" do
+    @rw.crl_number_file = nil
+    @rw.read_number.should == 0
+  end
+
+  it "handles nil crl_number_file in write_number" do
+    @rw.crl_number_file = nil
+    @rw.write_number(0).should == nil
+  end
+
+  it "reads a crl list" do
+    @rw.crl_list_file = TestFixtures::CRL_LIST_FILE
+    admin = double("admin")
+    admin.should_receive(:revoke_cert).with(12345, 0, 1323983885, false)
+    admin.should_receive(:revoke_cert).with(12346, nil, 1323983885, false)
+    @rw.read_list(admin)
+  end
+
+  it "writes a crl list entry" do
+    sio = StringIO.new
+    @rw.crl_list_file = sio
+    @rw.write_list_entry(1,1,nil)
+    sio.string.should == "1,1,\n"
+    @rw.write_list_entry(2,2,1)
+    sio.string.should == "1,1,\n2,2,1\n"
+  end
+
+  it "removes a crl list entry" do
+    sio = StringIO.new
+    @rw.crl_list_file = sio
+    @rw.write_list_entry(1,1,nil)
+    sio.string.should == "1,1,\n"
+    @rw.write_list_entry(2,2,1)
+    sio.string.should == "1,1,\n2,2,1\n"
+    @rw.remove_list_entry(2)
+    sio.string.should == "1,1,\n"
+  end
+
+  it "reads a number" do
+    sio = StringIO.new
+    sio.write("500")
+    sio.rewind # rewind the pointer to the beginning so the next read catche the 500
+    @rw.crl_number_file = sio
+    @rw.read_number.should == 500
+  end
+
+  it "writes a crl number" do
+    sio = StringIO.new
+    @rw.crl_number_file = sio
+    @rw.write_number(30)
+    @rw.crl_number_file.string.should == "30"
+  end
+end

data/spec/crl/signed_list_spec.rb

@@ -0,0 +1,84 @@
+require 'spec_helper'
+require 'stringio'
+
+describe R509::CRL::SignedList do
+  before :each do
+    @crl_reason = TestFixtures::CRL_REASON
+    @crl = R509::CRL::SignedList.new(@crl_reason)
+    @test_ca_cert = TestFixtures::TEST_CA_CERT
+  end
+
+  it "loads a crl with load_from_file" do
+    path = File.dirname(__FILE__) + '/../fixtures/crl_with_reason.pem'
+    crl = R509::CRL::SignedList.load_from_file path
+    crl.revoked[12345].should_not be_nil
+  end
+
+  it "returns issuer" do
+    @crl.issuer.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA"
+  end
+
+  it "returns last_update" do
+    @crl.last_update.should == Time.at(1327446093)
+  end
+
+  it "returns next_update" do
+    @crl.next_update.should == Time.at(1328054493)
+  end
+
+  it "returns signature_algorithm" do
+    @crl.signature_algorithm.should == "sha1WithRSAEncryption"
+  end
+
+  it "verifies the CRL signature" do
+    cert = R509::Cert.new(:cert => @test_ca_cert)
+    @crl.verify(cert.public_key).should == true
+  end
+
+  it "checks if a serial is revoked?" do
+    @crl.revoked?(111111).should == false
+    @crl.revoked?('111111').should == false
+    @crl.revoked?(12345).should == true
+    @crl.revoked?('12345').should == true
+  end
+
+  it "returns a hash of all revoked certs" do
+    @crl.revoked[12345][:time].should == Time.at(1327449693)
+    @crl.revoked[12345][:reason].should == "Key Compromise"
+    @crl.revoked[123456][:time].should == Time.at(1327449693)
+    @crl.revoked[123456][:reason].should == "Unspecified"
+    @crl.revoked[1234567][:time].should == Time.at(1327449693)
+    @crl.revoked[1234567][:reason].should == "Unspecified"
+    @crl.revoked[12345678].should == nil
+  end
+
+  it "returns revocation information for a serial" do
+    @crl.revoked_cert(11111).should == nil
+    revoked_info = @crl.revoked_cert(12345)
+    revoked_info[:time].should == Time.at(1327449693)
+    revoked_info[:reason].should == "Key Compromise"
+  end
+
+  it "returns der" do
+    @crl.to_der.should_not be_nil
+  end
+  it "returns pem" do
+    @crl.to_pem.should_not be_nil
+  end
+  it "writes to pem" do
+    sio = StringIO.new
+    sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
+    @crl.write_pem(sio)
+    parsed_crl = R509::CRL::SignedList.new(sio.string)
+    parsed_crl.issuer.to_s.should == '/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA'
+    parsed_crl.issuer.CN.should == 'Test CA'
+  end
+  it "writes to der" do
+    sio = StringIO.new
+    sio.set_encoding("BINARY") if sio.respond_to?(:set_encoding)
+    @crl.write_der(sio)
+    parsed_crl = R509::CRL::SignedList.new(sio.string)
+    parsed_crl.issuer.to_s.should == '/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA'
+    parsed_crl.issuer.CN.should == 'Test CA'
+  end
+end