r509 0.9.2 → 0.10.0

data/spec/fixtures/config_test.yaml

@@ -1,59 +1,96 @@
-test_ca: {
-  ca_cert: {
-    cert: 'test_ca.cer',
-    key: 'test_ca.key'
-  },
-  crl_list: "crl_list_file.txt",
-  crl_number: "crl_number_file.txt",
-  crl_validity_hours: 72,
-  ocsp_validity_hours: 96,
-  ocsp_start_skew_seconds: 1800,
-  message_digest: 'SHA1', #SHA1, SHA224, SHA256, SHA384, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
-  profiles: {
-    server: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [serverAuth],
-    },
-    ocsp_delegate_with_no_check: {
-      ocsp_no_check: true
-    },
-    inhibit_policy: {
-      inhibit_any_policy: 2
-    },
-    policy_constraints: {
-      policy_constraints: { require_explicit_policy: 1, inhibit_policy_mapping: 0 }
-    },
-    name_constraints: {
-      name_constraints: {
-        permitted: [
-          {type: "IP", value: "192.168.0.0/255.255.0.0"},
-          {type: "dirName", value: [['CN','myCN'],['O','Org']]}
-        ],
-        excluded: [
-          {type: "email", value: "domain.com"},
-          {type: "URI", value: ".net"},
-          {type: "DNS", value: "test.us"}
-        ]
-      }
-    },
-    client: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [clientAuth],
-      ocsp_no_check: false
-    },
-    server_with_subject_item_policy: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [serverAuth],
-      subject_item_policy: {
-        "CN" : "required",
-        "O" : "optional",
-        "ST" : "required",
-        "C" : "required",
-        "OU" : "optional" }
-    }
-  }
-}
-config_is_string: "this is bogus"
+---
+test_ca:
+  ca_cert:
+    cert: test_ca.cer
+    key: test_ca.key
+  crl_validity_hours: 72
+  crl_list_file: list_file
+  crl_number_file: number_file
+  ocsp_validity_hours: 96
+  ocsp_start_skew_seconds: 1800
+  profiles:
+    server:
+      basic_constraints:
+        :ca: false
+      key_usage:
+        :value:
+        - digitalSignature
+        - keyEncipherment
+      extended_key_usage:
+        :value:
+        - serverAuth
+    mds:
+      default_md: SHA512
+      allowed_mds:
+      - SHA512
+      - SHA1
+    aia_cdp:
+      authority_info_access:
+        :ocsp_location:
+        - :type: URI
+          :value: http://ocsp.domain.com
+        :ca_issuers_location:
+        - :type: URI
+          :value: http://www.domain.com/cert.cer
+      crl_distribution_points:
+        :value:
+        - :type: URI
+          :value: http://crl.domain.com/something.crl
+    ocsp_delegate_with_no_check:
+      ocsp_no_check:
+        :value: true
+    inhibit_policy:
+      inhibit_any_policy:
+        :value: 2
+    policy_constraints:
+      policy_constraints:
+        :require_explicit_policy: 1
+        :inhibit_policy_mapping: 0
+    name_constraints:
+      name_constraints:
+        :permitted:
+        - :type: IP
+          :value: 192.168.0.0/255.255.0.0
+        - :type: dirName
+          :value:
+            :CN: myCN
+            :O: Org
+        :excluded:
+        - :type: email
+          :value: domain.com
+        - :type: URI
+          :value: .net
+        - :type: DNS
+          :value: test.us
+    client:
+      basic_constraints:
+        :ca: false
+      key_usage:
+        :value:
+        - digitalSignature
+        - keyEncipherment
+      extended_key_usage:
+        :value:
+        - clientAuth
+    server_with_subject_item_policy:
+      basic_constraints:
+        :ca: false
+      key_usage:
+        :value:
+        - digitalSignature
+        - keyEncipherment
+      extended_key_usage:
+        :value:
+        - serverAuth
+      subject_item_policy:
+        CN:
+          :policy: required
+        O:
+          :policy: optional
+        ST:
+          :policy: required
+        C:
+          :policy: required
+        OU:
+          :policy: optional
+config_is_string: this is bogus

data/spec/fixtures/config_test_dsa.yaml

@@ -1,35 +1,29 @@
-test_ca_dsa: {
-  ca_cert: {
-    cert: 'dsa_root.cer',
-    key: 'dsa_root.key'
-  },
-  crl_list: "crl_list_file.txt",
-  crl_number: "crl_number_file.txt",
-  crl_validity_hours: 72,
-  ocsp_validity_hours: 96,
-  ocsp_start_skew_seconds: 1800,
-  message_digest: 'SHA1', #SHA1, SHA224, SHA256, SHA384, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
-  profiles: {
-    server: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [serverAuth],
-    },
-    client: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [clientAuth],
-    },
-    server_with_subject_item_policy: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [serverAuth],
-      subject_item_policy: {
-        "CN" : "required",
-        "O" : "optional",
-        "ST" : "required",
-        "C" : "required",
-        "OU" : "optional" }
-    }
-  }
-}
+---
+test_ca_dsa:
+  ca_cert:
+    cert: dsa_root.cer
+    key: dsa_root.key
+  crl_validity_hours: 72
+  ocsp_validity_hours: 96
+  ocsp_start_skew_seconds: 1800
+  profiles:
+    server:
+      basic_constraints:
+        :ca: false
+      key_usage:
+        :value:
+        - digitalSignature
+        - keyEncipherment
+      extended_key_usage:
+        :value:
+        - serverAuth
+    client:
+      basic_constraints:
+        :ca: false
+      key_usage:
+        :value:
+        - digitalSignature
+        - keyEncipherment
+      extended_key_usage:
+        :value:
+        - clientAuth

data/spec/fixtures/config_test_ec.yaml

@@ -1,35 +1,29 @@
-test_ca_ec: {
-  ca_cert: {
-    cert: 'test_ca_ec.cer',
-    key: 'test_ca_ec.key'
-  },
-  crl_list: "crl_list_file.txt",
-  crl_number: "crl_number_file.txt",
-  crl_validity_hours: 72,
-  ocsp_validity_hours: 96,
-  ocsp_start_skew_seconds: 1800,
-  message_digest: 'SHA384', #SHA1, SHA224, SHA256, SHA384, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
-  profiles: {
-    server: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [serverAuth],
-    },
-    client: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [clientAuth],
-    },
-    server_with_subject_item_policy: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [serverAuth],
-      subject_item_policy: {
-        "CN" : "required",
-        "O" : "optional",
-        "ST" : "required",
-        "C" : "required",
-        "OU" : "optional" }
-    }
-  }
-}
+---
+test_ca_ec:
+  ca_cert:
+    cert: test_ca_ec.cer
+    key: test_ca_ec.key
+  crl_validity_hours: 72
+  ocsp_validity_hours: 96
+  ocsp_start_skew_seconds: 1800
+  profiles:
+    server:
+      basic_constraints:
+        :ca: false
+      key_usage:
+        :value:
+        - digitalSignature
+        - keyEncipherment
+      extended_key_usage:
+        :value:
+        - serverAuth
+    client:
+      basic_constraints:
+        :ca: false
+      key_usage:
+        :value:
+        - digitalSignature
+        - keyEncipherment
+      extended_key_usage:
+        :value:
+        - clientAuth

data/spec/fixtures/config_test_engine_key.yaml

@@ -1,7 +1,7 @@
-engine_and_key: {
-  ca_cert: {
-    cert: 'test_ca.cer',
-    key: 'test_ca.key',
-    engine: 'chil'
-  }
-}
+engine_and_key:
+  ca_cert:
+    cert: 'test_ca.cer'
+    key: 'test_ca.key'
+    engine:
+      :so_path: '/path'
+      :id: chil

data/spec/fixtures/config_test_engine_no_key_name.yaml

@@ -1,6 +1,6 @@
-engine_no_key_name: {
-  ca_cert: {
-    cert: 'test_ca.cer',
-    engine: 'chil'
-  }
-}
+engine_no_key_name:
+  ca_cert:
+    cert: 'test_ca.cer'
+    engine:
+      :so_path: '/path'
+      :id: chil

data/spec/fixtures/config_test_minimal.yaml

@@ -1,7 +1,5 @@
-test_ca: {
-  ca_cert: {
-    cert: 'test_ca.cer',
+test_ca:
+  ca_cert:
+    cert: 'test_ca.cer'
     key: 'test_ca.key'
-  }
-}
 config_is_string: "this is bogus"

data/spec/fixtures/config_test_password.yaml

@@ -1,7 +1,5 @@
-password_ca: {
-  ca_cert: {
-    cert: 'test_ca.cer',
-    key: 'test_ca_des3.key',
+password_ca:
+  ca_cert:
+    cert: 'test_ca.cer'
+    key: 'test_ca_des3.key'
     password: 'r509'
-  }
-}

data/spec/fixtures/config_test_various.yaml

@@ -1,138 +1,148 @@
-pkcs12_ca: {
-  ca_cert: {
-    pkcs12: "test_ca.p12",
-    password: "r509"
-  }
-}
-pkcs12_key_ca: {
-  ca_cert: {
-    pkcs12: "test_ca.p12",
-    password: "r509",
-    key: "test_ca.cer"
-  }
-}
-pkcs12_cert_ca: {
-  ca_cert: {
-    pkcs12: "test_ca.p12",
-    password: "r509",
-    cert: "test_ca.cer"
-  }
-}
-pkcs12_engine_ca: {
-  ca_cert: {
-    pkcs12: "test_ca.p12",
-    password: "r509",
-    engine: "chil",
-    key_name: "r509_key"
-  }
-}
-cert_no_key_ca: {
-  ca_cert: {
-    cert: "test_ca.cer"
-  }
-}
-missing_key_identifier_ca: {
-  ca_cert: {
-    cert: 'missing_key_identifier_ca.cer',
-    key: 'missing_key_identifier_ca.key'
-  },
-  message_digest: 'SHA1',
-  profiles: {
-    server: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [serverAuth],
-    }
-  }
-}
-multi_policy_ca: {
-  ca_cert: {
-    cert: 'test_ca.cer',
-    key: 'test_ca.key'
-  },
-  message_digest: 'SHA1',
-  profiles: {
-    server: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [serverAuth],
-      certificate_policies: [
-        { policy_identifier: "2.16.840.1.99999.21.234",
-          cps_uris: ["http://example.com/cps","http://haha.com"],
-          user_notices: [ { explicit_text: "this is a great thing", organization: "my org", notice_numbers: "1,2,3" } ]
-        },
-        { policy_identifier: "2.16.840.1.99999.21.235",
-          cps_uris: ["http://example.com/cps2"],
-          user_notices: [ { explicit_text: "this is a bad thing", organization: "another org", notice_numbers: "3,2,1" },{ explicit_text: "another user notice"} ]
-        },
-        { policy_identifier: "2.16.840.1.99999.0" }
-      ]
-    }
-  }
-}
-ocsp_delegate_ca: {
-  ca_cert: {
-    cert: 'test_ca.cer'
-  },
-  ocsp_cert: {
-    cert: 'test_ca_ocsp.cer',
-    key: 'test_ca_ocsp.key'
-  }
-}
-ocsp_chain_ca: {
-  ca_cert: {
-    cert: 'test_ca.cer'
-  },
-  ocsp_cert: {
-    cert: 'test_ca_ocsp.cer',
-    key: 'test_ca_ocsp.key'
-  },
-  ocsp_chain: 'test_ca_ocsp_chain.txt'
-}
-ocsp_pkcs12_ca: {
-  ca_cert: {
-    cert: 'test_ca.cer'
-  },
-  ocsp_cert: {
-    pkcs12: 'test_ca_ocsp.p12',
-    password: 'r509'
-  }
-}
-ocsp_engine_ca: {
-  ca_cert: {
-    cert: 'test_ca.cer'
-  },
-  ocsp_cert: {
-    cert: 'test_ca_ocsp.cer',
-    engine: 'chil'
-  }
-}
-all_eku_ca: {
-  ca_cert: {
-    cert: 'test_ca.cer',
-    key: 'test_ca.key'
-  },
-  message_digest: 'SHA1',
-  profiles: {
-    smorgasbord: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature,keyEncipherment],
-      extended_key_usage: [serverAuth,clientAuth,codeSigning,emailProtection,OCSPSigning,timeStamping],
-    }
-  }
-}
-ocsp_no_check_ca: {
-  ca_cert: {
-    cert: 'test_ca.cer',
-    key: 'test_ca.key'
-  },
-  message_digest: 'SHA1',
-  profiles: {
-    ocsp_no_check_delegate: {
-      basic_constraints: { "ca" : false },
-      key_usage: [digitalSignature],
-      extended_key_usage: [OCSPSigning],
+---
+pkcs12_ca:
+  ca_cert:
+    pkcs12: test_ca.p12
+    password: r509
+pkcs12_key_ca:
+  ca_cert:
+    pkcs12: test_ca.p12
+    password: r509
+    key: test_ca.cer
+pkcs12_cert_ca:
+  ca_cert:
+    pkcs12: test_ca.p12
+    password: r509
+    cert: test_ca.cer
+pkcs12_engine_ca:
+  ca_cert:
+    pkcs12: test_ca.p12
+    password: r509
+    engine:
+      :so_path: '/some/path'
+      :id: chil
+    key_name: r509_key
+cert_no_key_ca:
+  ca_cert:
+    cert: test_ca.cer
+missing_key_identifier_ca:
+  ca_cert:
+    cert: missing_key_identifier_ca.cer
+    key: missing_key_identifier_ca.key
+  profiles:
+    server:
+      basic_constraints:
+        ca: false
+      key_usage:
+      - digitalSignature
+      - keyEncipherment
+      extended_key_usage:
+      - serverAuth
+multi_policy_ca:
+  ca_cert:
+    cert: test_ca.cer
+    key: test_ca.key
+  profiles:
+    server:
+      basic_constraints:
+        :ca: false
+      key_usage:
+      - digitalSignature
+      - keyEncipherment
+      extended_key_usage:
+      - serverAuth
+      certificate_policies:
+      - :policy_identifier: 2.16.840.1.99999.21.234
+        :cps_uris:
+        - http://example.com/cps
+        - http://haha.com
+        :user_notices:
+        - :explicit_text: this is a great thing
+          :organization: my org
+          :notice_numbers: '1,2,3'
+      - :policy_identifier: 2.16.840.1.99999.21.235
+        :cps_uris:
+        - http://example.com/cps2
+        :user_notices:
+        - :explicit_text: this is a bad thing
+          :organization: another org
+          :notice_numbers: '3,2,1'
+        - :explicit_text: another user notice
+      - :policy_identifier: 2.16.840.1.99999.0
+ocsp_delegate_ca:
+  ca_cert:
+    cert: test_ca.cer
+  ocsp_cert:
+    cert: test_ca_ocsp.cer
+    key: test_ca_ocsp.key
+ocsp_chain_ca:
+  ca_cert:
+    cert: test_ca.cer
+  ocsp_cert:
+    cert: test_ca_ocsp.cer
+    key: test_ca_ocsp.key
+  ocsp_chain: test_ca_ocsp_chain.txt
+ocsp_pkcs12_ca:
+  ca_cert:
+    cert: test_ca.cer
+  ocsp_cert:
+    pkcs12: test_ca_ocsp.p12
+    password: r509
+ocsp_engine_ca:
+  ca_cert:
+    cert: test_ca.cer
+  ocsp_cert:
+    cert: test_ca_ocsp.cer
+    engine:
+      :so_path: '/some/path'
+      :id: chil
+crl_delegate_ca:
+  ca_cert:
+    cert: test_ca.cer
+  crl_cert:
+    cert: test_ca_crl.cer
+    key: test_ca_crl.key
+crl_pkcs12_ca:
+  ca_cert:
+    cert: test_ca.cer
+  crl_cert:
+    pkcs12: test_ca_crl.p12
+    password: r509
+crl_engine_ca:
+  ca_cert:
+    cert: test_ca.cer
+  crl_cert:
+    cert: test_ca_crl.cer
+    engine:
+      :so_path: '/some/path'
+      :id: chil
+all_eku_ca:
+  ca_cert:
+    cert: test_ca.cer
+    key: test_ca.key
+  profiles:
+    smorgasbord:
+      basic_constraints:
+        :ca: false
+      key_usage:
+      - digitalSignature
+      - keyEncipherment
+      extended_key_usage:
+      - serverAuth
+      - clientAuth
+      - codeSigning
+      - emailProtection
+      - OCSPSigning
+      - timeStamping
+ocsp_no_check_ca:
+  ca_cert:
+    cert: test_ca.cer
+    key: test_ca.key
+  profiles:
+    ocsp_no_check_delegate:
+      basic_constraints:
+        :ca: false
+      key_usage:
+      - digitalSignature
+      extended_key_usage:
+      - OCSPSigning
       ocsp_no_check: true
-    }
-  }
-}