r509 0.9.2 → 0.10.0
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +2 -0
- data/CONTRIBUTING.mdown +21 -0
- data/LICENSE +13 -0
- data/README.mdown +548 -0
- data/Rakefile +5 -0
- data/bin/r509 +16 -17
- data/doc/R509.html +42 -26
- data/doc/R509/ASN1.html +22 -16
- data/doc/R509/ASN1/GeneralName.html +180 -173
- data/doc/R509/ASN1/GeneralNames.html +390 -62
- data/doc/R509/CRL.html +9 -7
- data/doc/R509/CRL/Administrator.html +208 -623
- data/doc/R509/CRL/FileReaderWriter.html +856 -0
- data/doc/R509/CRL/ReaderWriter.html +524 -0
- data/doc/R509/CRL/SignedList.html +29 -42
- data/doc/R509/CSR.html +248 -333
- data/doc/R509/Cert.html +364 -491
- data/doc/R509/Cert/Extensions.html +134 -43
- data/doc/R509/Cert/Extensions/AuthorityInfoAccess.html +335 -65
- data/doc/R509/Cert/Extensions/AuthorityKeyIdentifier.html +201 -102
- data/doc/R509/Cert/Extensions/BasicConstraints.html +297 -68
- data/doc/R509/Cert/Extensions/CRLDistributionPoints.html +690 -77
- data/doc/R509/Cert/Extensions/CertificatePolicies.html +293 -43
- data/doc/R509/Cert/Extensions/ExtendedKeyUsage.html +321 -173
- data/doc/R509/Cert/Extensions/GeneralNamesMixin.html +656 -0
- data/doc/R509/Cert/Extensions/InhibitAnyPolicy.html +270 -42
- data/doc/R509/Cert/Extensions/KeyUsage.html +334 -184
- data/doc/R509/Cert/Extensions/NameConstraints.html +363 -93
- data/doc/R509/{ASN1 → Cert/Extensions}/NoticeReference.html +209 -48
- data/doc/R509/Cert/Extensions/OCSPNoCheck.html +244 -17
- data/doc/R509/Cert/Extensions/PolicyConstraints.html +322 -71
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyInformation.html +204 -43
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyQualifiers.html +205 -48
- data/doc/R509/Cert/Extensions/SubjectAlternativeName.html +348 -143
- data/doc/R509/Cert/Extensions/SubjectKeyIdentifier.html +165 -13
- data/doc/R509/{ASN1 → Cert/Extensions}/UserNotice.html +204 -43
- data/doc/R509/Cert/Extensions/ValidationMixin.html +120 -0
- data/doc/R509/CertificateAuthority.html +9 -7
- data/doc/R509/CertificateAuthority/OptionsBuilder.html +475 -0
- data/doc/R509/CertificateAuthority/Signer.html +149 -198
- data/doc/R509/Config.html +10 -8
- data/doc/R509/Config/CAConfig.html +708 -625
- data/doc/R509/Config/CAConfigPool.html +179 -31
- data/doc/R509/Config/CertProfile.html +1544 -0
- data/doc/R509/Config/SubjectItemPolicy.html +437 -99
- data/doc/R509/Engine.html +14 -28
- data/doc/R509/Helpers.html +1014 -0
- data/doc/R509/MessageDigest.html +73 -25
- data/doc/R509/NameSanitizer.html +39 -39
- data/doc/R509/OCSP.html +5 -5
- data/doc/R509/OCSP/Request.html +5 -5
- data/doc/R509/OCSP/Request/Nonce.html +5 -5
- data/doc/R509/OCSP/Response.html +7 -7
- data/doc/R509/OIDMapper.html +121 -6
- data/doc/R509/PrivateKey.html +226 -227
- data/doc/R509/R509Error.html +5 -5
- data/doc/R509/SPKI.html +244 -342
- data/doc/R509/Subject.html +241 -70
- data/doc/R509/Validity.html +5 -5
- data/doc/R509/Validity/Checker.html +5 -5
- data/doc/R509/Validity/DefaultChecker.html +5 -9
- data/doc/R509/Validity/DefaultWriter.html +5 -9
- data/doc/R509/Validity/Status.html +5 -5
- data/doc/R509/Validity/Writer.html +5 -5
- data/doc/_index.html +92 -30
- data/doc/class_list.html +2 -2
- data/doc/file.CONTRIBUTING.html +96 -0
- data/doc/file.LICENSE.html +87 -0
- data/doc/file.README.html +279 -389
- data/doc/file.YAML.html +243 -0
- data/doc/file.r509.html +298 -105
- data/doc/file_list.html +11 -2
- data/doc/frames.html +1 -1
- data/doc/index.html +279 -389
- data/doc/js/full_list.js +6 -1
- data/doc/method_list.html +869 -1139
- data/doc/top-level-namespace.html +103 -5
- data/lib/r509.rb +7 -2
- data/lib/r509/asn1.rb +97 -135
- data/lib/r509/cert.rb +17 -106
- data/lib/r509/cert/extensions.rb +13 -676
- data/lib/r509/cert/extensions/authority_info_access.rb +128 -0
- data/lib/r509/cert/extensions/authority_key_identifier.rb +100 -0
- data/lib/r509/cert/extensions/base.rb +142 -0
- data/lib/r509/cert/extensions/basic_constraints.rb +119 -0
- data/lib/r509/cert/extensions/certificate_policies.rb +262 -0
- data/lib/r509/cert/extensions/crl_distribution_points.rb +98 -0
- data/lib/r509/cert/extensions/extended_key_usage.rb +189 -0
- data/lib/r509/cert/extensions/inhibit_any_policy.rb +70 -0
- data/lib/r509/cert/extensions/key_usage.rb +209 -0
- data/lib/r509/cert/extensions/name_constraints.rb +179 -0
- data/lib/r509/cert/extensions/ocsp_no_check.rb +56 -0
- data/lib/r509/cert/extensions/policy_constraints.rb +122 -0
- data/lib/r509/cert/extensions/subject_alternative_name.rb +88 -0
- data/lib/r509/cert/extensions/subject_key_identifier.rb +56 -0
- data/lib/r509/cert/extensions/validation_mixin.rb +42 -0
- data/lib/r509/certificate_authority/options_builder.rb +142 -0
- data/lib/r509/certificate_authority/signer.rb +189 -0
- data/lib/r509/config.rb +3 -600
- data/lib/r509/config/ca_config.rb +414 -0
- data/lib/r509/config/cert_profile.rb +110 -0
- data/lib/r509/config/subject_item_policy.rb +118 -0
- data/lib/r509/crl/administrator.rb +169 -0
- data/lib/r509/crl/reader_writer.rb +109 -0
- data/lib/r509/crl/signed_list.rb +135 -0
- data/lib/r509/csr.rb +35 -116
- data/lib/r509/engine.rb +21 -11
- data/lib/r509/helpers.rb +110 -0
- data/lib/r509/io_helpers.rb +18 -13
- data/lib/r509/message_digest.rb +13 -3
- data/lib/r509/oid_mapper.rb +14 -0
- data/lib/r509/private_key.rb +74 -50
- data/lib/r509/spki.rb +50 -113
- data/lib/r509/subject.rb +24 -2
- data/lib/r509/trollop.rb +788 -0
- data/lib/r509/version.rb +1 -1
- data/r509.yaml +289 -96
- data/spec/asn1_spec.rb +171 -98
- data/spec/cert/extensions/authority_info_access_spec.rb +247 -0
- data/spec/cert/extensions/authority_key_identifier_spec.rb +85 -0
- data/spec/cert/extensions/base_spec.rb +172 -0
- data/spec/cert/extensions/basic_constraints_spec.rb +185 -0
- data/spec/cert/extensions/certificate_policies_spec.rb +288 -0
- data/spec/cert/extensions/crl_distribution_points_spec.rb +149 -0
- data/spec/cert/extensions/extended_key_usage_spec.rb +174 -0
- data/spec/cert/extensions/inhibit_any_policy_spec.rb +92 -0
- data/spec/cert/extensions/key_usage_spec.rb +172 -0
- data/spec/cert/extensions/name_constraints_spec.rb +335 -0
- data/spec/cert/extensions/ocsp_no_check_spec.rb +76 -0
- data/spec/cert/extensions/policy_constraints_spec.rb +155 -0
- data/spec/cert/extensions/subject_alternative_name_spec.rb +354 -0
- data/spec/cert/extensions/subject_key_identifier_spec.rb +64 -0
- data/spec/cert_spec.rb +11 -9
- data/spec/certificate_authority/options_builder_spec.rb +307 -0
- data/spec/certificate_authority/signer_spec.rb +278 -0
- data/spec/config/ca_config_spec.rb +405 -0
- data/spec/config/cert_profile_spec.rb +88 -0
- data/spec/config/subject_item_policy_spec.rb +81 -0
- data/spec/crl/administrator_spec.rb +199 -0
- data/spec/crl/reader_writer_spec.rb +97 -0
- data/spec/crl/signed_list_spec.rb +84 -0
- data/spec/csr_spec.rb +43 -36
- data/spec/engine_spec.rb +51 -0
- data/spec/fixtures.rb +40 -40
- data/spec/fixtures/cert1.pem +1 -1
- data/spec/fixtures/config_pool_test_minimal.yaml +11 -15
- data/spec/fixtures/config_test.yaml +96 -59
- data/spec/fixtures/config_test_dsa.yaml +29 -35
- data/spec/fixtures/config_test_ec.yaml +29 -35
- data/spec/fixtures/config_test_engine_key.yaml +7 -7
- data/spec/fixtures/config_test_engine_no_key_name.yaml +6 -6
- data/spec/fixtures/config_test_minimal.yaml +3 -5
- data/spec/fixtures/config_test_password.yaml +4 -6
- data/spec/fixtures/config_test_various.yaml +147 -137
- data/spec/fixtures/crl_list_file.txt +1 -1
- data/spec/fixtures/test_ca_crl.cer +20 -0
- data/spec/fixtures/test_ca_crl.key +28 -0
- data/spec/fixtures/test_ca_crl.p12 +0 -0
- data/spec/message_digest_spec.rb +6 -0
- data/spec/oid_mapper_spec.rb +11 -0
- data/spec/private_key_spec.rb +19 -18
- data/spec/spec_helper.rb +10 -6
- data/spec/spki_spec.rb +38 -19
- data/spec/subject_spec.rb +16 -0
- metadata +108 -59
- metadata.gz.sig +0 -0
- data/README.md +0 -638
- data/doc/R509/Config/CAProfile.html +0 -1015
- data/doc/R509/IOHelpers.html +0 -564
- data/lib/r509/certificate_authority.rb +0 -407
- data/lib/r509/crl.rb +0 -351
- data/spec/cert/extensions_spec.rb +0 -1095
- data/spec/certificate_authority_spec.rb +0 -681
- data/spec/config_spec.rb +0 -562
- data/spec/crl_spec.rb +0 -226
@@ -1,1095 +0,0 @@
|
|
1
|
-
require 'spec_helper'
|
2
|
-
|
3
|
-
include R509::Cert::Extensions
|
4
|
-
|
5
|
-
shared_examples_for "a correctly implemented wrap_openssl_extensions" do
|
6
|
-
before :each do
|
7
|
-
@r509_extensions = R509::Cert::Extensions.wrap_openssl_extensions( @openssl_extensions )
|
8
|
-
|
9
|
-
@r509_classes = [ BasicConstraints, KeyUsage, ExtendedKeyUsage,
|
10
|
-
SubjectKeyIdentifier, AuthorityKeyIdentifier,
|
11
|
-
SubjectAlternativeName, AuthorityInfoAccess,
|
12
|
-
CRLDistributionPoints, OCSPNoCheck ]
|
13
|
-
end
|
14
|
-
|
15
|
-
it "should not have returned values that aren't R509 extensions" do
|
16
|
-
classes = @r509_extensions.values.map { |ext| ext.class }
|
17
|
-
non_r509_classes = classes.reject { |ext_class| @r509_classes.include?(ext_class) }
|
18
|
-
non_r509_classes.should == []
|
19
|
-
end
|
20
|
-
|
21
|
-
it "should have returned the right number of extensions" do
|
22
|
-
@r509_extensions.count.should == @wrappable_extensions.count
|
23
|
-
end
|
24
|
-
|
25
|
-
it "should not have returned keys improperly mapped to values" do
|
26
|
-
incorrect_mappings = @r509_extensions.select { |key_class,ext| ext.class != key_class }
|
27
|
-
incorrect_mappings = {} if incorrect_mappings == [] # compatibility for old versions of Ruby
|
28
|
-
incorrect_mappings.should == {}
|
29
|
-
end
|
30
|
-
|
31
|
-
it "should not have failed to map an implemented extension" do
|
32
|
-
missing_extensions = []
|
33
|
-
@wrappable_extensions.each do |openssl_ext|
|
34
|
-
if (@r509_extensions.select {|r509_class,r509_ext| r509_ext.oid == openssl_ext.oid}) == {}
|
35
|
-
missing_extensions << openssl_ext.oid
|
36
|
-
end
|
37
|
-
end
|
38
|
-
|
39
|
-
missing_extensions.should == []
|
40
|
-
end
|
41
|
-
end
|
42
|
-
|
43
|
-
shared_examples_for "a correctly implemented get_unknown_extensions" do
|
44
|
-
it "should not have returned values that are R509 extensions" do
|
45
|
-
R509::Cert::Extensions.get_unknown_extensions( @openssl_extensions ).should == @unknown_extensions
|
46
|
-
end
|
47
|
-
end
|
48
|
-
|
49
|
-
shared_examples_for "a correct R509 BasicConstraints object" do |critical|
|
50
|
-
before :all do
|
51
|
-
extension_name = "basicConstraints"
|
52
|
-
klass = BasicConstraints
|
53
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
54
|
-
openssl_ext = ef.create_extension( extension_name, @extension_value , critical)
|
55
|
-
@r509_ext = klass.new( openssl_ext )
|
56
|
-
end
|
57
|
-
|
58
|
-
it "is_ca? should correctly report whether it's a CA certificate (critical:#{critical})" do
|
59
|
-
@r509_ext.is_ca?.should == @is_ca
|
60
|
-
end
|
61
|
-
|
62
|
-
it "the path length should be correct (critical:#{critical})" do
|
63
|
-
@r509_ext.path_length.should == @pathlen
|
64
|
-
end
|
65
|
-
|
66
|
-
it "allows_sub_ca? should correctly report whether its path length allows it to issue CA certs (critical:#{critical})" do
|
67
|
-
@r509_ext.allows_sub_ca?.should == @allows_sub_ca
|
68
|
-
end
|
69
|
-
|
70
|
-
it "reports #critical? properly" do
|
71
|
-
@r509_ext.critical?.should == critical
|
72
|
-
end
|
73
|
-
end
|
74
|
-
|
75
|
-
shared_examples_for "a correct R509 KeyUsage object" do |critical|
|
76
|
-
before :each do
|
77
|
-
extension_name = "keyUsage"
|
78
|
-
klass = KeyUsage
|
79
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
80
|
-
openssl_ext = ef.create_extension( extension_name, @extension_value, critical )
|
81
|
-
@r509_ext = klass.new( openssl_ext )
|
82
|
-
end
|
83
|
-
|
84
|
-
it "allowed_uses should be non-nil critical:#{critical}" do
|
85
|
-
@r509_ext.allowed_uses.should_not == nil
|
86
|
-
end
|
87
|
-
|
88
|
-
it "allowed_uses should be correct critical:#{critical}" do
|
89
|
-
@r509_ext.allowed_uses.should == @allowed_uses
|
90
|
-
end
|
91
|
-
|
92
|
-
it "the individual allowed-use functions should be correct critical:#{critical}" do
|
93
|
-
@r509_ext.digital_signature?.should == @allowed_uses.include?( KeyUsage::AU_DIGITAL_SIGNATURE )
|
94
|
-
@r509_ext.non_repudiation?.should == @allowed_uses.include?( KeyUsage::AU_NON_REPUDIATION )
|
95
|
-
@r509_ext.key_encipherment?.should == @allowed_uses.include?( KeyUsage::AU_KEY_ENCIPHERMENT )
|
96
|
-
@r509_ext.data_encipherment?.should == @allowed_uses.include?( KeyUsage::AU_DATA_ENCIPHERMENT )
|
97
|
-
@r509_ext.key_agreement?.should == @allowed_uses.include?( KeyUsage::AU_KEY_AGREEMENT )
|
98
|
-
@r509_ext.key_cert_sign?.should == @allowed_uses.include?( KeyUsage::AU_KEY_CERT_SIGN )
|
99
|
-
@r509_ext.crl_sign?.should == @allowed_uses.include?( KeyUsage::AU_CRL_SIGN )
|
100
|
-
@r509_ext.encipher_only?.should == @allowed_uses.include?( KeyUsage::AU_ENCIPHER_ONLY )
|
101
|
-
@r509_ext.decipher_only?.should == @allowed_uses.include?( KeyUsage::AU_DECIPHER_ONLY )
|
102
|
-
end
|
103
|
-
|
104
|
-
it "the #allows? method should work critical:#{critical}" do
|
105
|
-
@allowed_uses.each do |au|
|
106
|
-
@r509_ext.allows?(au).should == true
|
107
|
-
end
|
108
|
-
end
|
109
|
-
|
110
|
-
it "reports #critical? properly" do
|
111
|
-
@r509_ext.critical?.should == critical
|
112
|
-
end
|
113
|
-
end
|
114
|
-
|
115
|
-
shared_examples_for "a correct R509 ExtendedKeyUsage object" do |critical|
|
116
|
-
before :all do
|
117
|
-
extension_name = "extendedKeyUsage"
|
118
|
-
klass = ExtendedKeyUsage
|
119
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
120
|
-
openssl_ext = ef.create_extension( extension_name, @extension_value , critical )
|
121
|
-
@r509_ext = klass.new( openssl_ext )
|
122
|
-
end
|
123
|
-
|
124
|
-
it "allowed_uses should be non-nil critical:#{critical}" do
|
125
|
-
@r509_ext.allowed_uses.should_not == nil
|
126
|
-
end
|
127
|
-
|
128
|
-
it "allowed_uses should be correct critical:#{critical}" do
|
129
|
-
@r509_ext.allowed_uses.should == @allowed_uses
|
130
|
-
end
|
131
|
-
|
132
|
-
it "the individual allowed-use functions should be correct critical:#{critical}" do
|
133
|
-
@r509_ext.web_server_authentication?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_WEB_SERVER_AUTH )
|
134
|
-
@r509_ext.web_client_authentication?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_WEB_CLIENT_AUTH )
|
135
|
-
@r509_ext.code_signing?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_CODE_SIGNING )
|
136
|
-
@r509_ext.email_protection?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_EMAIL_PROTECTION )
|
137
|
-
@r509_ext.ocsp_signing?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_OCSP_SIGNING )
|
138
|
-
@r509_ext.time_stamping?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_TIME_STAMPING )
|
139
|
-
@r509_ext.any_extended_key_usage?.should == @allowed_uses.include?( ExtendedKeyUsage::AU_ANY_EXTENDED_KEY_USAGE )
|
140
|
-
end
|
141
|
-
|
142
|
-
it "the #allows? method should work critical:#{critical}" do
|
143
|
-
@allowed_uses.each do |au|
|
144
|
-
@r509_ext.allows?(au).should == true
|
145
|
-
end
|
146
|
-
end
|
147
|
-
|
148
|
-
it "reports #critical? properly" do
|
149
|
-
@r509_ext.critical?.should == critical
|
150
|
-
end
|
151
|
-
end
|
152
|
-
|
153
|
-
shared_examples_for "a correct R509 SubjectKeyIdentifier object" do
|
154
|
-
before :all do
|
155
|
-
extension_name = "subjectKeyIdentifier"
|
156
|
-
klass = SubjectKeyIdentifier
|
157
|
-
openssl_ext = OpenSSL::X509::Extension.new( extension_name, @extension_value )
|
158
|
-
@r509_ext = klass.new( openssl_ext )
|
159
|
-
end
|
160
|
-
|
161
|
-
it "key should be correct" do
|
162
|
-
@r509_ext.key.should == @key
|
163
|
-
end
|
164
|
-
end
|
165
|
-
|
166
|
-
shared_examples_for "a correct R509 AuthorityKeyIdentifier object" do
|
167
|
-
before :all do
|
168
|
-
extension_name = "authorityKeyIdentifier"
|
169
|
-
klass = AuthorityKeyIdentifier
|
170
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
171
|
-
ef.issuer_certificate = OpenSSL::X509::Certificate.new TestFixtures::TEST_CA_CERT
|
172
|
-
openssl_ext = ef.create_extension( "authorityKeyIdentifier", @extension_value )
|
173
|
-
@r509_ext = klass.new( openssl_ext )
|
174
|
-
end
|
175
|
-
|
176
|
-
it "has the expected type" do
|
177
|
-
@r509_ext.oid.should == "authorityKeyIdentifier"
|
178
|
-
end
|
179
|
-
|
180
|
-
it "contains the key identifier" do
|
181
|
-
@r509_ext.key_identifier.should == "79:75:BB:84:3A:CB:2C:DE:7A:09:BE:31:1B:43:BC:1C:2A:4D:53:58"
|
182
|
-
end
|
183
|
-
it "parses the authority cert issuer and serial number" do
|
184
|
-
@r509_ext.authority_cert_issuer.value.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=Ruby CA Project/CN=Test CA"
|
185
|
-
@r509_ext.authority_cert_serial_number.should == 'FF:D9:C7:0B:87:37:D1:94'
|
186
|
-
end
|
187
|
-
end
|
188
|
-
|
189
|
-
shared_examples_for "a correct R509 SubjectAlternativeName object" do |critical|
|
190
|
-
before :all do
|
191
|
-
extension_name = "subjectAltName"
|
192
|
-
klass = SubjectAlternativeName
|
193
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
194
|
-
ef.config = OpenSSL::Config.parse(@conf)
|
195
|
-
openssl_ext = ef.create_extension( extension_name, @extension_value , critical )
|
196
|
-
@r509_ext = klass.new( openssl_ext )
|
197
|
-
end
|
198
|
-
|
199
|
-
it "dns_names should be correct critical:#{critical}" do
|
200
|
-
@r509_ext.dns_names.should == @dns_names
|
201
|
-
end
|
202
|
-
|
203
|
-
it "ip_addresses should be correct critical:#{critical}" do
|
204
|
-
@r509_ext.ip_addresses.should == @ip_addresses
|
205
|
-
end
|
206
|
-
|
207
|
-
it "rfc_822names should be correct critical:#{critical}" do
|
208
|
-
@r509_ext.rfc_822_names.should == @rfc_822_names
|
209
|
-
end
|
210
|
-
|
211
|
-
it "uris should be correct critical:#{critical}" do
|
212
|
-
@r509_ext.uris.should == @uris
|
213
|
-
end
|
214
|
-
|
215
|
-
it "dirNames should be correct critical:#{critical}" do
|
216
|
-
@r509_ext.directory_names.size.should == @directory_names.size
|
217
|
-
end
|
218
|
-
|
219
|
-
it "ordered should be correct critical:#{critical}" do
|
220
|
-
@r509_ext.names.size.should == @dns_names.size + @ip_addresses.size + @rfc_822_names.size + @uris.size + @directory_names.size
|
221
|
-
end
|
222
|
-
|
223
|
-
it "reports #critical? properly" do
|
224
|
-
@r509_ext.critical?.should == critical
|
225
|
-
end
|
226
|
-
end
|
227
|
-
|
228
|
-
shared_examples_for "a correct R509 AuthorityInfoAccess object" do |critical|
|
229
|
-
before :all do
|
230
|
-
extension_name = "authorityInfoAccess"
|
231
|
-
klass = AuthorityInfoAccess
|
232
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
233
|
-
openssl_ext = ef.create_extension( extension_name, @extension_value, critical )
|
234
|
-
@r509_ext = klass.new( openssl_ext )
|
235
|
-
end
|
236
|
-
|
237
|
-
it "ca_issuers_uri should be correct critical:#{critical}" do
|
238
|
-
@r509_ext.ca_issuers.uris.should == @ca_issuers_uris
|
239
|
-
end
|
240
|
-
|
241
|
-
it "ocsp_uri should be correct critical:#{critical}" do
|
242
|
-
@r509_ext.ocsp.uris.should == @ocsp_uris
|
243
|
-
end
|
244
|
-
|
245
|
-
it "reports #critical? properly" do
|
246
|
-
@r509_ext.critical?.should == critical
|
247
|
-
end
|
248
|
-
end
|
249
|
-
|
250
|
-
shared_examples_for "a correct R509 CRLDistributionPoints object" do |critical|
|
251
|
-
before :all do
|
252
|
-
extension_name = "crlDistributionPoints"
|
253
|
-
klass = CRLDistributionPoints
|
254
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
255
|
-
openssl_ext = ef.create_extension( extension_name, @extension_value , critical )
|
256
|
-
@r509_ext = klass.new( openssl_ext )
|
257
|
-
end
|
258
|
-
|
259
|
-
it "crl_uri should be correct critical:#{critical}" do
|
260
|
-
@r509_ext.crl.uris.should == @crl_uris
|
261
|
-
end
|
262
|
-
|
263
|
-
it "reports #critical? properly" do
|
264
|
-
@r509_ext.critical?.should == critical
|
265
|
-
end
|
266
|
-
end
|
267
|
-
|
268
|
-
shared_examples_for "a correct R509 OCSPNoCheck object" do |critical|
|
269
|
-
before :all do
|
270
|
-
extension_name = "noCheck"
|
271
|
-
klass = OCSPNoCheck
|
272
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
273
|
-
openssl_ext = ef.create_extension( extension_name, "irrelevant", critical)
|
274
|
-
@r509_ext = klass.new( openssl_ext )
|
275
|
-
end
|
276
|
-
|
277
|
-
it "has the expected type" do
|
278
|
-
@r509_ext.oid.should == "noCheck"
|
279
|
-
end
|
280
|
-
|
281
|
-
it "reports #critical? properly" do
|
282
|
-
@r509_ext.critical?.should == critical
|
283
|
-
end
|
284
|
-
end
|
285
|
-
|
286
|
-
shared_examples_for "a correct R509 CertificatePolicies object" do
|
287
|
-
before :all do
|
288
|
-
klass = CertificatePolicies
|
289
|
-
openssl_ext = OpenSSL::X509::Extension.new @policy_data
|
290
|
-
@r509_ext = klass.new( openssl_ext )
|
291
|
-
end
|
292
|
-
|
293
|
-
it "should correctly parse the data" do
|
294
|
-
@r509_ext.policies.count.should == 1
|
295
|
-
@r509_ext.policies[0].policy_identifier.should == "2.16.840.1.12345.1.2.3.4.1"
|
296
|
-
@r509_ext.policies[0].policy_qualifiers.cps_uris.should == ["http://example.com/cps", "http://other.com/cps"]
|
297
|
-
end
|
298
|
-
end
|
299
|
-
|
300
|
-
shared_examples_for "a correct R509 InhibitAnyPolicy object" do |critical|
|
301
|
-
before :all do
|
302
|
-
extension_name = "inhibitAnyPolicy"
|
303
|
-
klass = InhibitAnyPolicy
|
304
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
305
|
-
openssl_ext = ef.create_extension( extension_name, @skip_certs.to_s,critical)
|
306
|
-
@r509_ext = klass.new( openssl_ext )
|
307
|
-
end
|
308
|
-
|
309
|
-
it "should parse the integer value out of the extension" do
|
310
|
-
@r509_ext.skip_certs.should == @skip_certs
|
311
|
-
end
|
312
|
-
|
313
|
-
it "reports #critical? properly" do
|
314
|
-
@r509_ext.critical?.should == critical
|
315
|
-
end
|
316
|
-
end
|
317
|
-
|
318
|
-
shared_examples_for "a correct R509 PolicyConstraints object" do |critical|
|
319
|
-
before :all do
|
320
|
-
extension_name = "policyConstraints"
|
321
|
-
klass = PolicyConstraints
|
322
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
323
|
-
openssl_ext = ef.create_extension( extension_name, @extension_value, critical)
|
324
|
-
@r509_ext = klass.new( openssl_ext )
|
325
|
-
end
|
326
|
-
|
327
|
-
it "should have the expected require policy" do
|
328
|
-
@r509_ext.require_explicit_policy.should == @require_explicit_policy
|
329
|
-
end
|
330
|
-
it "should have the expected inhibit mapping" do
|
331
|
-
@r509_ext.inhibit_policy_mapping.should == @inhibit_policy_mapping
|
332
|
-
end
|
333
|
-
end
|
334
|
-
|
335
|
-
shared_examples_for "a correct R509 NameConstraints object" do |critical|
|
336
|
-
before :all do
|
337
|
-
extension_name = "nameConstraints"
|
338
|
-
klass = NameConstraints
|
339
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
340
|
-
ef.config = OpenSSL::Config.parse(@conf)
|
341
|
-
openssl_ext = ef.create_extension( extension_name, @extension_value, critical)
|
342
|
-
@r509_ext = klass.new( openssl_ext )
|
343
|
-
end
|
344
|
-
|
345
|
-
it "should have the permitted names" do
|
346
|
-
@permitted_names.each_with_index do |name,index|
|
347
|
-
@r509_ext.permitted_names[index].tag.should == name[:tag]
|
348
|
-
@r509_ext.permitted_names[index].value.should == name[:value]
|
349
|
-
end
|
350
|
-
end
|
351
|
-
it "should have the excluded names" do
|
352
|
-
@excluded_names.each_with_index do |name,index|
|
353
|
-
@r509_ext.excluded_names[index].tag.should == name[:tag]
|
354
|
-
@r509_ext.excluded_names[index].value.should == name[:value]
|
355
|
-
end
|
356
|
-
end
|
357
|
-
end
|
358
|
-
|
359
|
-
describe R509::Cert::Extensions do
|
360
|
-
include R509::Cert::Extensions
|
361
|
-
|
362
|
-
context "Class functions" do
|
363
|
-
context "#wrap_openssl_extensions and #get_unknown_extensions" do
|
364
|
-
context "with no extensions" do
|
365
|
-
before :each do
|
366
|
-
@wrappable_extensions = []
|
367
|
-
@unknown_extensions = []
|
368
|
-
|
369
|
-
@openssl_extensions = @wrappable_extensions + @unknown_extensions
|
370
|
-
end
|
371
|
-
|
372
|
-
it_should_behave_like "a correctly implemented wrap_openssl_extensions"
|
373
|
-
it_should_behave_like "a correctly implemented get_unknown_extensions"
|
374
|
-
end
|
375
|
-
|
376
|
-
context "with one implemented extension" do
|
377
|
-
before :each do
|
378
|
-
@wrappable_extensions = []
|
379
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
380
|
-
@wrappable_extensions << ef.create_extension( "basicConstraints", "CA:TRUE,pathlen:0" )
|
381
|
-
|
382
|
-
@unknown_extensions = []
|
383
|
-
|
384
|
-
@openssl_extensions = @wrappable_extensions + @unknown_extensions
|
385
|
-
end
|
386
|
-
|
387
|
-
it_should_behave_like "a correctly implemented wrap_openssl_extensions"
|
388
|
-
it_should_behave_like "a correctly implemented get_unknown_extensions"
|
389
|
-
end
|
390
|
-
|
391
|
-
context "with all implemented extensions" do
|
392
|
-
before :each do
|
393
|
-
@wrappable_extensions = []
|
394
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
395
|
-
ef.issuer_certificate = OpenSSL::X509::Certificate.new TestFixtures::TEST_CA_CERT
|
396
|
-
ef.subject_certificate = OpenSSL::X509::Certificate.new TestFixtures::TEST_CA_CERT
|
397
|
-
@wrappable_extensions << ef.create_extension( "basicConstraints", "CA:TRUE,pathlen:0", true )
|
398
|
-
@wrappable_extensions << ef.create_extension( "keyUsage", KeyUsage::AU_DIGITAL_SIGNATURE )
|
399
|
-
@wrappable_extensions << ef.create_extension( "extendedKeyUsage", ExtendedKeyUsage::AU_WEB_SERVER_AUTH )
|
400
|
-
@wrappable_extensions << ef.create_extension( "subjectKeyIdentifier", "hash" )
|
401
|
-
@wrappable_extensions << ef.create_extension( "authorityKeyIdentifier", "keyid:always" )
|
402
|
-
@wrappable_extensions << ef.create_extension( "subjectAltName", "DNS:www.test.local" )
|
403
|
-
@wrappable_extensions << ef.create_extension( "authorityInfoAccess", "caIssuers;URI:http://www.test.local" )
|
404
|
-
@wrappable_extensions << ef.create_extension( "crlDistributionPoints", "URI:http://www.test.local" )
|
405
|
-
|
406
|
-
@unknown_extensions = []
|
407
|
-
|
408
|
-
@openssl_extensions = @wrappable_extensions + @unknown_extensions
|
409
|
-
end
|
410
|
-
|
411
|
-
it_should_behave_like "a correctly implemented wrap_openssl_extensions"
|
412
|
-
it_should_behave_like "a correctly implemented get_unknown_extensions"
|
413
|
-
end
|
414
|
-
|
415
|
-
context "with an unimplemented extension" do
|
416
|
-
before :each do
|
417
|
-
@wrappable_extensions = []
|
418
|
-
|
419
|
-
@unknown_extensions = []
|
420
|
-
@unknown_extensions << OpenSSL::X509::Extension.new( "issuerAltName", "DNS:www.test.local" )
|
421
|
-
|
422
|
-
@openssl_extensions = @wrappable_extensions + @unknown_extensions
|
423
|
-
end
|
424
|
-
|
425
|
-
it_should_behave_like "a correctly implemented wrap_openssl_extensions"
|
426
|
-
it_should_behave_like "a correctly implemented get_unknown_extensions"
|
427
|
-
end
|
428
|
-
|
429
|
-
context "with implemented and unimplemented extensions" do
|
430
|
-
before :each do
|
431
|
-
@wrappable_extensions = []
|
432
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
433
|
-
@wrappable_extensions << ef.create_extension( "basicConstraints", "CA:TRUE,pathlen:0" )
|
434
|
-
|
435
|
-
@unknown_extensions = []
|
436
|
-
@unknown_extensions << OpenSSL::X509::Extension.new( "issuerAltName", "DNS:www.test.local" )
|
437
|
-
|
438
|
-
@openssl_extensions = @wrappable_extensions + @unknown_extensions
|
439
|
-
end
|
440
|
-
|
441
|
-
it_should_behave_like "a correctly implemented wrap_openssl_extensions"
|
442
|
-
it_should_behave_like "a correctly implemented get_unknown_extensions"
|
443
|
-
end
|
444
|
-
|
445
|
-
context "with multiple extensions of an implemented type" do
|
446
|
-
before :each do
|
447
|
-
@wrappable_extensions = []
|
448
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
449
|
-
@wrappable_extensions << ef.create_extension( "basicConstraints", "CA:TRUE,pathlen:0" )
|
450
|
-
@wrappable_extensions << ef.create_extension( "basicConstraints", "CA:TRUE,pathlen:1" )
|
451
|
-
|
452
|
-
@unknown_extensions = []
|
453
|
-
@unknown_extensions << OpenSSL::X509::Extension.new( "issuerAltName", "DNS:www.test.local" )
|
454
|
-
|
455
|
-
@openssl_extensions = @wrappable_extensions + @unknown_extensions
|
456
|
-
end
|
457
|
-
|
458
|
-
it "should raise an ArgumentError for #wrap_openssl_extensions" do
|
459
|
-
expect {
|
460
|
-
R509::Cert::Extensions.wrap_openssl_extensions( @openssl_extensions )
|
461
|
-
}.to raise_error(ArgumentError)
|
462
|
-
end
|
463
|
-
it_should_behave_like "a correctly implemented get_unknown_extensions"
|
464
|
-
end
|
465
|
-
|
466
|
-
context "with multiple extensions of an unimplemented type" do
|
467
|
-
before :each do
|
468
|
-
@wrappable_extensions = []
|
469
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
470
|
-
@wrappable_extensions << ef.create_extension( "basicConstraints", "CA:TRUE,pathlen:0" )
|
471
|
-
|
472
|
-
@unknown_extensions = []
|
473
|
-
@unknown_extensions << OpenSSL::X509::Extension.new( "issuerAltName", "DNS:www.test.local" )
|
474
|
-
@unknown_extensions << OpenSSL::X509::Extension.new( "issuerAltName", "DNS:www2.test.local" )
|
475
|
-
|
476
|
-
@openssl_extensions = @wrappable_extensions + @unknown_extensions
|
477
|
-
end
|
478
|
-
|
479
|
-
it_should_behave_like "a correctly implemented wrap_openssl_extensions"
|
480
|
-
it_should_behave_like "a correctly implemented get_unknown_extensions"
|
481
|
-
end
|
482
|
-
end
|
483
|
-
end
|
484
|
-
|
485
|
-
context "BasicConstraints" do
|
486
|
-
context "with constraints for a CA certificate" do
|
487
|
-
before :all do
|
488
|
-
@extension_value = "CA:TRUE,pathlen:3"
|
489
|
-
@is_ca = true
|
490
|
-
@pathlen = 3
|
491
|
-
@allows_sub_ca = true
|
492
|
-
end
|
493
|
-
|
494
|
-
it_should_behave_like "a correct R509 BasicConstraints object", false
|
495
|
-
it_should_behave_like "a correct R509 BasicConstraints object", true
|
496
|
-
end
|
497
|
-
|
498
|
-
context "with constraints for a sub-CA certificate" do
|
499
|
-
before :all do
|
500
|
-
@extension_value = "CA:TRUE,pathlen:0"
|
501
|
-
@is_ca = true
|
502
|
-
@pathlen = 0
|
503
|
-
@allows_sub_ca = false
|
504
|
-
end
|
505
|
-
|
506
|
-
it_should_behave_like "a correct R509 BasicConstraints object", false
|
507
|
-
it_should_behave_like "a correct R509 BasicConstraints object", true
|
508
|
-
end
|
509
|
-
|
510
|
-
context "with constraints for a non-CA certificate" do
|
511
|
-
before :all do
|
512
|
-
@extension_value = "CA:FALSE"
|
513
|
-
@is_ca = false
|
514
|
-
@pathlen = nil
|
515
|
-
@allows_sub_ca = false
|
516
|
-
end
|
517
|
-
|
518
|
-
it_should_behave_like "a correct R509 BasicConstraints object", false
|
519
|
-
it_should_behave_like "a correct R509 BasicConstraints object", true
|
520
|
-
end
|
521
|
-
end
|
522
|
-
|
523
|
-
context "KeyUsage" do
|
524
|
-
context "with one allowed use" do
|
525
|
-
before :all do
|
526
|
-
@allowed_uses = [ KeyUsage::AU_DIGITAL_SIGNATURE ]
|
527
|
-
@extension_value = @allowed_uses.join( ", " )
|
528
|
-
end
|
529
|
-
|
530
|
-
it_should_behave_like "a correct R509 KeyUsage object", false
|
531
|
-
it_should_behave_like "a correct R509 KeyUsage object", true
|
532
|
-
end
|
533
|
-
|
534
|
-
context "with some allowed uses" do
|
535
|
-
before :all do
|
536
|
-
# this spec and the one below alternate the uses
|
537
|
-
@allowed_uses = [ KeyUsage::AU_DIGITAL_SIGNATURE, KeyUsage::AU_KEY_ENCIPHERMENT, KeyUsage::AU_KEY_AGREEMENT, KeyUsage::AU_CRL_SIGN, KeyUsage::AU_DECIPHER_ONLY ]
|
538
|
-
@extension_value = @allowed_uses.join( ", " )
|
539
|
-
end
|
540
|
-
|
541
|
-
it_should_behave_like "a correct R509 KeyUsage object", false
|
542
|
-
it_should_behave_like "a correct R509 KeyUsage object", true
|
543
|
-
end
|
544
|
-
|
545
|
-
context "with some different allowed uses" do
|
546
|
-
before :all do
|
547
|
-
@allowed_uses = [ KeyUsage::AU_NON_REPUDIATION, KeyUsage::AU_DATA_ENCIPHERMENT, KeyUsage::AU_KEY_CERT_SIGN, KeyUsage::AU_ENCIPHER_ONLY ]
|
548
|
-
@extension_value = @allowed_uses.join( ", " )
|
549
|
-
end
|
550
|
-
|
551
|
-
it_should_behave_like "a correct R509 KeyUsage object", false
|
552
|
-
it_should_behave_like "a correct R509 KeyUsage object", true
|
553
|
-
end
|
554
|
-
|
555
|
-
context "with all allowed uses" do
|
556
|
-
before :all do
|
557
|
-
@allowed_uses = [ KeyUsage::AU_DIGITAL_SIGNATURE, KeyUsage::AU_NON_REPUDIATION,
|
558
|
-
KeyUsage::AU_KEY_ENCIPHERMENT, KeyUsage::AU_DATA_ENCIPHERMENT,
|
559
|
-
KeyUsage::AU_KEY_AGREEMENT, KeyUsage::AU_KEY_CERT_SIGN,
|
560
|
-
KeyUsage::AU_CRL_SIGN, KeyUsage::AU_ENCIPHER_ONLY,
|
561
|
-
KeyUsage::AU_DECIPHER_ONLY ]
|
562
|
-
@extension_value = @allowed_uses.join( ", " )
|
563
|
-
end
|
564
|
-
|
565
|
-
it_should_behave_like "a correct R509 KeyUsage object", false
|
566
|
-
it_should_behave_like "a correct R509 KeyUsage object", true
|
567
|
-
end
|
568
|
-
end
|
569
|
-
|
570
|
-
context "ExtendedKeyUsage" do
|
571
|
-
context "with one allowed use" do
|
572
|
-
before :all do
|
573
|
-
@allowed_uses = [ ExtendedKeyUsage::AU_WEB_SERVER_AUTH ]
|
574
|
-
@extension_value = @allowed_uses.join( ", " )
|
575
|
-
end
|
576
|
-
|
577
|
-
it_should_behave_like "a correct R509 ExtendedKeyUsage object", false
|
578
|
-
it_should_behave_like "a correct R509 ExtendedKeyUsage object", true
|
579
|
-
end
|
580
|
-
|
581
|
-
context "with some allowed uses" do
|
582
|
-
before :all do
|
583
|
-
# this spec and the one below alternate the uses
|
584
|
-
@allowed_uses = [ ExtendedKeyUsage::AU_WEB_SERVER_AUTH, ExtendedKeyUsage::AU_CODE_SIGNING ]
|
585
|
-
@extension_value = @allowed_uses.join( ", " )
|
586
|
-
end
|
587
|
-
|
588
|
-
it_should_behave_like "a correct R509 ExtendedKeyUsage object", false
|
589
|
-
it_should_behave_like "a correct R509 ExtendedKeyUsage object", true
|
590
|
-
end
|
591
|
-
|
592
|
-
context "with some different allowed uses" do
|
593
|
-
before :all do
|
594
|
-
@allowed_uses = [ ExtendedKeyUsage::AU_WEB_CLIENT_AUTH, ExtendedKeyUsage::AU_EMAIL_PROTECTION ]
|
595
|
-
@extension_value = @allowed_uses.join( ", " )
|
596
|
-
end
|
597
|
-
|
598
|
-
it_should_behave_like "a correct R509 ExtendedKeyUsage object", false
|
599
|
-
it_should_behave_like "a correct R509 ExtendedKeyUsage object", true
|
600
|
-
end
|
601
|
-
|
602
|
-
context "with all allowed uses" do
|
603
|
-
before :all do
|
604
|
-
@allowed_uses = [ ExtendedKeyUsage::AU_WEB_SERVER_AUTH, ExtendedKeyUsage::AU_CODE_SIGNING,
|
605
|
-
ExtendedKeyUsage::AU_WEB_CLIENT_AUTH, ExtendedKeyUsage::AU_EMAIL_PROTECTION,
|
606
|
-
ExtendedKeyUsage::AU_TIME_STAMPING, ExtendedKeyUsage::AU_OCSP_SIGNING,
|
607
|
-
ExtendedKeyUsage::AU_ANY_EXTENDED_KEY_USAGE]
|
608
|
-
@extension_value = @allowed_uses.join( ", " )
|
609
|
-
end
|
610
|
-
|
611
|
-
it_should_behave_like "a correct R509 ExtendedKeyUsage object", false
|
612
|
-
it_should_behave_like "a correct R509 ExtendedKeyUsage object", true
|
613
|
-
end
|
614
|
-
end
|
615
|
-
|
616
|
-
context "SubjectKeyIdentifier" do
|
617
|
-
before :all do
|
618
|
-
@extension_value = "00:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:00:11:22"
|
619
|
-
@key = @extension_value
|
620
|
-
end
|
621
|
-
|
622
|
-
it_should_behave_like "a correct R509 SubjectKeyIdentifier object"
|
623
|
-
end
|
624
|
-
|
625
|
-
context "AuthorityKeyIdentifier" do
|
626
|
-
before :all do
|
627
|
-
@extension_value = "keyid:always,issuer:always"
|
628
|
-
end
|
629
|
-
|
630
|
-
it_should_behave_like "a correct R509 AuthorityKeyIdentifier object"
|
631
|
-
end
|
632
|
-
|
633
|
-
context "SubjectAlternativeName" do
|
634
|
-
context "with an unimplemented GeneralName type" do
|
635
|
-
it "errors as expected" do
|
636
|
-
ef = OpenSSL::X509::ExtensionFactory.new
|
637
|
-
ext = ef.create_extension("subjectAltName","otherName:1.2.3.4;IA5STRING:Hello World")
|
638
|
-
expect { R509::Cert::Extensions::SubjectAlternativeName.new ext }.to raise_error(R509::R509Error, 'Unimplemented GeneralName tag: 0. At this time R509 does not support GeneralName types other than rfc822Name, dNSName, uniformResourceIdentifier, iPAddress, and directoryName')
|
639
|
-
end
|
640
|
-
end
|
641
|
-
context "with a DNS alternative name only" do
|
642
|
-
before :all do
|
643
|
-
@dns_names = ["www.test.local"]
|
644
|
-
@ip_addresses = []
|
645
|
-
@uris = []
|
646
|
-
@rfc_822_names = []
|
647
|
-
@directory_names = []
|
648
|
-
total = [@dns_names,@ip_addresses,@uris,@rfc_822_names,@directory_names].flatten(1)
|
649
|
-
gns = R509::ASN1.general_name_parser(total)
|
650
|
-
serialized = gns.serialize_names
|
651
|
-
@conf = serialized[:conf]
|
652
|
-
@extension_value = serialized[:extension_string]
|
653
|
-
end
|
654
|
-
|
655
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", false
|
656
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", true
|
657
|
-
end
|
658
|
-
|
659
|
-
context "with multiple DNS alternative names only" do
|
660
|
-
before :all do
|
661
|
-
@dns_names = ["www.test.local", "www2.test.local"]
|
662
|
-
@ip_addresses = []
|
663
|
-
@uris = []
|
664
|
-
@rfc_822_names = []
|
665
|
-
@directory_names = []
|
666
|
-
total = [@dns_names,@ip_addresses,@uris,@rfc_822_names,@directory_names].flatten(1)
|
667
|
-
gns = R509::ASN1.general_name_parser(total)
|
668
|
-
serialized = gns.serialize_names
|
669
|
-
@conf = serialized[:conf]
|
670
|
-
@extension_value = serialized[:extension_string]
|
671
|
-
end
|
672
|
-
|
673
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", false
|
674
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", true
|
675
|
-
end
|
676
|
-
|
677
|
-
context "with an IP address alternative name only" do
|
678
|
-
before :all do
|
679
|
-
@dns_names = []
|
680
|
-
@ip_addresses = ["203.1.2.3"]
|
681
|
-
@rfc_822_names = []
|
682
|
-
@uris = []
|
683
|
-
@directory_names = []
|
684
|
-
total = [@dns_names,@ip_addresses,@uris,@rfc_822_names,@directory_names].flatten(1)
|
685
|
-
gns = R509::ASN1.general_name_parser(total)
|
686
|
-
serialized = gns.serialize_names
|
687
|
-
@conf = serialized[:conf]
|
688
|
-
@extension_value = serialized[:extension_string]
|
689
|
-
end
|
690
|
-
|
691
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", false
|
692
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", true
|
693
|
-
end
|
694
|
-
|
695
|
-
context "with multiple IP address alternative names only" do
|
696
|
-
before :all do
|
697
|
-
@dns_names = []
|
698
|
-
@ip_addresses = ["10.1.2.3", "10.1.2.4"]
|
699
|
-
@uris = []
|
700
|
-
@rfc_822_names = []
|
701
|
-
@directory_names = []
|
702
|
-
total = [@dns_names,@ip_addresses,@uris,@rfc_822_names,@directory_names].flatten(1)
|
703
|
-
gns = R509::ASN1.general_name_parser(total)
|
704
|
-
serialized = gns.serialize_names
|
705
|
-
@conf = serialized[:conf]
|
706
|
-
@extension_value = serialized[:extension_string]
|
707
|
-
end
|
708
|
-
|
709
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", false
|
710
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", true
|
711
|
-
end
|
712
|
-
|
713
|
-
context "with an rfc822Name alternative name only" do
|
714
|
-
before :all do
|
715
|
-
@dns_names = []
|
716
|
-
@ip_addresses = []
|
717
|
-
@rfc_822_names = ["some@guy.com"]
|
718
|
-
@uris = []
|
719
|
-
@directory_names = []
|
720
|
-
total = [@dns_names,@ip_addresses,@uris,@rfc_822_names,@directory_names].flatten(1)
|
721
|
-
gns = R509::ASN1.general_name_parser(total)
|
722
|
-
serialized = gns.serialize_names
|
723
|
-
@conf = serialized[:conf]
|
724
|
-
@extension_value = serialized[:extension_string]
|
725
|
-
end
|
726
|
-
|
727
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", false
|
728
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", true
|
729
|
-
end
|
730
|
-
|
731
|
-
context "with multiple rfc822Name alternative names only" do
|
732
|
-
before :all do
|
733
|
-
@dns_names = []
|
734
|
-
@ip_addresses = []
|
735
|
-
@rfc_822_names = ["some@guy.com","other@guy.com"]
|
736
|
-
@uris = []
|
737
|
-
@directory_names = []
|
738
|
-
total = [@dns_names,@ip_addresses,@uris,@rfc_822_names,@directory_names].flatten(1)
|
739
|
-
gns = R509::ASN1.general_name_parser(total)
|
740
|
-
serialized = gns.serialize_names
|
741
|
-
@conf = serialized[:conf]
|
742
|
-
@extension_value = serialized[:extension_string]
|
743
|
-
end
|
744
|
-
|
745
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", false
|
746
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", true
|
747
|
-
end
|
748
|
-
|
749
|
-
context "with a URI alternative name only" do
|
750
|
-
before :all do
|
751
|
-
@dns_names = []
|
752
|
-
@ip_addresses = []
|
753
|
-
@rfc_822_names = []
|
754
|
-
@uris = ["http://www.test.local"]
|
755
|
-
@directory_names = []
|
756
|
-
total = [@dns_names,@ip_addresses,@uris,@rfc_822_names,@directory_names].flatten(1)
|
757
|
-
gns = R509::ASN1.general_name_parser(total)
|
758
|
-
serialized = gns.serialize_names
|
759
|
-
@conf = serialized[:conf]
|
760
|
-
@extension_value = serialized[:extension_string]
|
761
|
-
end
|
762
|
-
|
763
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", false
|
764
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", true
|
765
|
-
end
|
766
|
-
|
767
|
-
context "with multiple URI alternative names only" do
|
768
|
-
before :all do
|
769
|
-
@dns_names = []
|
770
|
-
@ip_addresses = []
|
771
|
-
@rfc_822_names = []
|
772
|
-
@uris = ["http://www.test.local","http://www2.test.local"]
|
773
|
-
@directory_names = []
|
774
|
-
total = [@dns_names,@ip_addresses,@uris,@rfc_822_names,@directory_names].flatten(1)
|
775
|
-
gns = R509::ASN1.general_name_parser(total)
|
776
|
-
serialized = gns.serialize_names
|
777
|
-
@conf = serialized[:conf]
|
778
|
-
@extension_value = serialized[:extension_string]
|
779
|
-
end
|
780
|
-
|
781
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", false
|
782
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", true
|
783
|
-
end
|
784
|
-
|
785
|
-
context "with a directoryName alternative name only" do
|
786
|
-
before :all do
|
787
|
-
@dns_names = []
|
788
|
-
@ip_addresses = []
|
789
|
-
@rfc_822_names = []
|
790
|
-
@uris = []
|
791
|
-
@directory_names = [
|
792
|
-
[['CN','langui.sh'],['O','org'],['L','locality']]
|
793
|
-
]
|
794
|
-
total = [@dns_names,@ip_addresses,@uris,@rfc_822_names,@directory_names].flatten(1)
|
795
|
-
gns = R509::ASN1.general_name_parser(total)
|
796
|
-
serialized = gns.serialize_names
|
797
|
-
@conf = serialized[:conf]
|
798
|
-
@extension_value = serialized[:extension_string]
|
799
|
-
end
|
800
|
-
|
801
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", false
|
802
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", true
|
803
|
-
end
|
804
|
-
|
805
|
-
context "with multiple directoryName alternative names only" do
|
806
|
-
before :all do
|
807
|
-
@dns_names = []
|
808
|
-
@ip_addresses = []
|
809
|
-
@rfc_822_names = []
|
810
|
-
@uris = []
|
811
|
-
@directory_names = [
|
812
|
-
[['CN','langui.sh'],['O','org'],['L','locality']],
|
813
|
-
[['CN','otherdomain.com'],['O','org-like']]
|
814
|
-
]
|
815
|
-
total = [@dns_names,@ip_addresses,@uris,@rfc_822_names,@directory_names].flatten(1)
|
816
|
-
gns = R509::ASN1.general_name_parser(total)
|
817
|
-
serialized = gns.serialize_names
|
818
|
-
@conf = serialized[:conf]
|
819
|
-
@extension_value = serialized[:extension_string]
|
820
|
-
end
|
821
|
-
|
822
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", false
|
823
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", true
|
824
|
-
end
|
825
|
-
|
826
|
-
context "with multiple different alternative names" do
|
827
|
-
before :all do
|
828
|
-
@dns_names = ["www.test.local"]
|
829
|
-
@ip_addresses = ["10.1.2.3"]
|
830
|
-
@rfc_822_names = ["myemail@email.com"]
|
831
|
-
@uris = ["http://www.test.local"]
|
832
|
-
@directory_names = [
|
833
|
-
[['CN','langui.sh'],['O','org'],['L','locality']]
|
834
|
-
]
|
835
|
-
total = [@dns_names,@ip_addresses,@uris,@rfc_822_names,@directory_names].flatten(1)
|
836
|
-
gns = R509::ASN1.general_name_parser(total)
|
837
|
-
serialized = gns.serialize_names
|
838
|
-
@conf = serialized[:conf]
|
839
|
-
@extension_value = serialized[:extension_string]
|
840
|
-
end
|
841
|
-
|
842
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", false
|
843
|
-
it_should_behave_like "a correct R509 SubjectAlternativeName object", true
|
844
|
-
end
|
845
|
-
end
|
846
|
-
context "AuthorityInfoAccess" do
|
847
|
-
context "with a CA Issuers URI only" do
|
848
|
-
before :all do
|
849
|
-
@ca_issuers_uris = ["http://www.test.local/ca.cert"]
|
850
|
-
@ocsp_uris = []
|
851
|
-
@extension_value = "caIssuers;URI:#{@ca_issuers_uris.join(",caIssuers;URI:")}"
|
852
|
-
end
|
853
|
-
|
854
|
-
it_should_behave_like "a correct R509 AuthorityInfoAccess object", false
|
855
|
-
it_should_behave_like "a correct R509 AuthorityInfoAccess object", true
|
856
|
-
end
|
857
|
-
|
858
|
-
context "with multiple CA Issuers URIs only" do
|
859
|
-
before :all do
|
860
|
-
@ca_issuers_uris = ["http://www.test.local/ca.cert", "http://www.test.local/subca.cert"]
|
861
|
-
@ocsp_uris = []
|
862
|
-
@extension_value = "caIssuers;URI:#{@ca_issuers_uris.join(",caIssuers;URI:")}"
|
863
|
-
end
|
864
|
-
|
865
|
-
it_should_behave_like "a correct R509 AuthorityInfoAccess object", false
|
866
|
-
it_should_behave_like "a correct R509 AuthorityInfoAccess object", true
|
867
|
-
end
|
868
|
-
|
869
|
-
context "with an OCSP URI only" do
|
870
|
-
before :all do
|
871
|
-
@ca_issuers_uris = []
|
872
|
-
@ocsp_uris = ["http://www.test.local"]
|
873
|
-
@extension_value = "OCSP;URI:#{@ocsp_uris.join(",OCSP;URI:")}"
|
874
|
-
end
|
875
|
-
|
876
|
-
it_should_behave_like "a correct R509 AuthorityInfoAccess object", false
|
877
|
-
it_should_behave_like "a correct R509 AuthorityInfoAccess object", true
|
878
|
-
end
|
879
|
-
|
880
|
-
context "with multiple OCSP URIs only" do
|
881
|
-
before :all do
|
882
|
-
@ca_issuers_uris = []
|
883
|
-
@ocsp_uris = ["http://www.test.local", "http://www2.test.local"]
|
884
|
-
@extension_value = "OCSP;URI:#{@ocsp_uris.join(",OCSP;URI:")}"
|
885
|
-
end
|
886
|
-
|
887
|
-
it_should_behave_like "a correct R509 AuthorityInfoAccess object", false
|
888
|
-
it_should_behave_like "a correct R509 AuthorityInfoAccess object", true
|
889
|
-
end
|
890
|
-
|
891
|
-
context "with both a CA Issuers URI and an OCSP URI" do
|
892
|
-
before :all do
|
893
|
-
@ca_issuers_uris = ["http://www.test.local/ca.cert"]
|
894
|
-
@ocsp_uris = ["http://www.test.local"]
|
895
|
-
@extension_value = "caIssuers;URI:#{@ca_issuers_uris.join(",caIssuers;URI:")},OCSP;URI:#{@ocsp_uris.join(",OCSP;URI:")}"
|
896
|
-
end
|
897
|
-
|
898
|
-
it_should_behave_like "a correct R509 AuthorityInfoAccess object", false
|
899
|
-
it_should_behave_like "a correct R509 AuthorityInfoAccess object", true
|
900
|
-
end
|
901
|
-
end
|
902
|
-
|
903
|
-
context "CRLDistributionPoints" do
|
904
|
-
context "with a single CRL URI" do
|
905
|
-
before :all do
|
906
|
-
@crl_uris = ["http://www.test.local/ca.crl"]
|
907
|
-
@extension_value = "URI:#{@crl_uris.join(",URI:")}"
|
908
|
-
end
|
909
|
-
|
910
|
-
it_should_behave_like "a correct R509 CRLDistributionPoints object", false
|
911
|
-
it_should_behave_like "a correct R509 CRLDistributionPoints object", true
|
912
|
-
end
|
913
|
-
|
914
|
-
context "with multiple CRL URIs" do
|
915
|
-
before :all do
|
916
|
-
@crl_uris = ["http://www.test.local/ca.crl", "http://www.test.local/subca.crl"]
|
917
|
-
@extension_value = "URI:#{@crl_uris.join(",URI:")}"
|
918
|
-
end
|
919
|
-
|
920
|
-
it_should_behave_like "a correct R509 CRLDistributionPoints object", false
|
921
|
-
it_should_behave_like "a correct R509 CRLDistributionPoints object", true
|
922
|
-
end
|
923
|
-
end
|
924
|
-
|
925
|
-
context "OCSPNoCheck" do
|
926
|
-
it_should_behave_like "a correct R509 OCSPNoCheck object", false
|
927
|
-
it_should_behave_like "a correct R509 OCSPNoCheck object", true
|
928
|
-
end
|
929
|
-
|
930
|
-
context "CertificatePolicies" do
|
931
|
-
before :all do
|
932
|
-
@policy_data = "0\x81\x90\x06\x03U\x1D \x04\x81\x880\x81\x850\x81\x82\x06\v`\x86H\x01\xE09\x01\x02\x03\x04\x010s0\"\x06\b+\x06\x01\x05\x05\a\x02\x01\x16\x16http://example.com/cps0 \x06\b+\x06\x01\x05\x05\a\x02\x01\x16\x14http://other.com/cps0+\x06\b+\x06\x01\x05\x05\a\x02\x020\x1F0\x16\x16\x06my org0\f\x02\x01\x01\x02\x01\x02\x02\x01\x03\x02\x01\x04\x1A\x05thing"
|
933
|
-
end
|
934
|
-
|
935
|
-
it_should_behave_like "a correct R509 CertificatePolicies object"
|
936
|
-
end
|
937
|
-
|
938
|
-
context "InhibitAnyPolicy" do
|
939
|
-
before :all do
|
940
|
-
@skip_certs = 3
|
941
|
-
end
|
942
|
-
|
943
|
-
it_should_behave_like "a correct R509 InhibitAnyPolicy object", false
|
944
|
-
it_should_behave_like "a correct R509 InhibitAnyPolicy object", true
|
945
|
-
end
|
946
|
-
|
947
|
-
context "PolicyConstraints" do
|
948
|
-
context "with just require" do
|
949
|
-
before :all do
|
950
|
-
@require_explicit_policy = 2
|
951
|
-
@inhibit_policy_mapping = nil
|
952
|
-
@extension_value = "requireExplicitPolicy:#{@require_explicit_policy}"
|
953
|
-
end
|
954
|
-
it_should_behave_like "a correct R509 PolicyConstraints object", false
|
955
|
-
it_should_behave_like "a correct R509 PolicyConstraints object", true
|
956
|
-
end
|
957
|
-
context "with just inhibit" do
|
958
|
-
before :all do
|
959
|
-
@require_explicit_policy = nil
|
960
|
-
@inhibit_policy_mapping = 3
|
961
|
-
@extension_value = "inhibitPolicyMapping:#{@inhibit_policy_mapping}"
|
962
|
-
end
|
963
|
-
it_should_behave_like "a correct R509 PolicyConstraints object", false
|
964
|
-
it_should_behave_like "a correct R509 PolicyConstraints object", true
|
965
|
-
end
|
966
|
-
context "with both require and inhibit" do
|
967
|
-
before :all do
|
968
|
-
@require_explicit_policy = 2
|
969
|
-
@inhibit_policy_mapping = 3
|
970
|
-
@extension_value = "requireExplicitPolicy:#{@require_explicit_policy},inhibitPolicyMapping:#{@inhibit_policy_mapping}"
|
971
|
-
end
|
972
|
-
it_should_behave_like "a correct R509 PolicyConstraints object", false
|
973
|
-
it_should_behave_like "a correct R509 PolicyConstraints object", true
|
974
|
-
end
|
975
|
-
|
976
|
-
end
|
977
|
-
|
978
|
-
context "NameConstraints" do
|
979
|
-
context "with one permitted name" do
|
980
|
-
before :all do
|
981
|
-
@excluded_names = []
|
982
|
-
@permitted_names = [{:tag => 2, :value => ".whatever.com"}]
|
983
|
-
gns = R509::ASN1::GeneralNames.new
|
984
|
-
@permitted_names.each do |name|
|
985
|
-
gns.add_item(name)
|
986
|
-
end
|
987
|
-
@conf = []
|
988
|
-
permitted = gns.names.map { |name|
|
989
|
-
serialized = name.serialize_name
|
990
|
-
@conf << serialized[:conf]
|
991
|
-
"permitted;" + serialized[:extension_string]
|
992
|
-
}.join(",")
|
993
|
-
@extension_value = permitted
|
994
|
-
@conf = @conf.join("\n")
|
995
|
-
end
|
996
|
-
|
997
|
-
it_should_behave_like "a correct R509 NameConstraints object", false
|
998
|
-
it_should_behave_like "a correct R509 NameConstraints object", true
|
999
|
-
end
|
1000
|
-
context "with multiple permitted names" do
|
1001
|
-
before :all do
|
1002
|
-
@excluded_names = []
|
1003
|
-
@permitted_names = [{:tag => 2, :value => ".whatever.com"}, {:tag => 1, :value => "user@emaildomain.com" } ]
|
1004
|
-
gns = R509::ASN1::GeneralNames.new
|
1005
|
-
@permitted_names.each do |name|
|
1006
|
-
gns.add_item(name)
|
1007
|
-
end
|
1008
|
-
@conf = []
|
1009
|
-
permitted = gns.names.map { |name|
|
1010
|
-
serialized = name.serialize_name
|
1011
|
-
@conf << serialized[:conf]
|
1012
|
-
"permitted;" + serialized[:extension_string]
|
1013
|
-
}.join(",")
|
1014
|
-
@extension_value = permitted
|
1015
|
-
@conf = @conf.join("\n")
|
1016
|
-
end
|
1017
|
-
|
1018
|
-
it_should_behave_like "a correct R509 NameConstraints object", false
|
1019
|
-
it_should_behave_like "a correct R509 NameConstraints object", true
|
1020
|
-
end
|
1021
|
-
context "with one excluded name" do
|
1022
|
-
before :all do
|
1023
|
-
@permitted_names = []
|
1024
|
-
@excluded_names = [{:tag => 7, :value => "127.0.0.1/255.255.255.255"}]
|
1025
|
-
egns = R509::ASN1::GeneralNames.new
|
1026
|
-
@excluded_names.each do |name|
|
1027
|
-
egns.add_item(name)
|
1028
|
-
end
|
1029
|
-
@conf = []
|
1030
|
-
excluded = egns.names.map { |name|
|
1031
|
-
serialized = name.serialize_name
|
1032
|
-
@conf << serialized[:conf]
|
1033
|
-
"excluded;" + serialized[:extension_string]
|
1034
|
-
}.join(",")
|
1035
|
-
@extension_value = excluded
|
1036
|
-
@conf = @conf.join("\n")
|
1037
|
-
end
|
1038
|
-
|
1039
|
-
it_should_behave_like "a correct R509 NameConstraints object", false
|
1040
|
-
it_should_behave_like "a correct R509 NameConstraints object", true
|
1041
|
-
end
|
1042
|
-
context "with multiple excluded names" do
|
1043
|
-
before :all do
|
1044
|
-
@permitted_names = []
|
1045
|
-
@excluded_names = [{:tag => 7, :value => "127.0.0.1/255.255.255.255"}, {:tag => 1, :value => "emaildomain.com" } ]
|
1046
|
-
@permitted_names = []
|
1047
|
-
egns = R509::ASN1::GeneralNames.new
|
1048
|
-
@excluded_names.each do |name|
|
1049
|
-
egns.add_item(name)
|
1050
|
-
end
|
1051
|
-
@conf = []
|
1052
|
-
excluded = egns.names.map { |name|
|
1053
|
-
serialized = name.serialize_name
|
1054
|
-
@conf << serialized[:conf]
|
1055
|
-
"excluded;" + serialized[:extension_string]
|
1056
|
-
}.join(",")
|
1057
|
-
@extension_value = excluded
|
1058
|
-
@conf = @conf.join("\n")
|
1059
|
-
end
|
1060
|
-
|
1061
|
-
it_should_behave_like "a correct R509 NameConstraints object", false
|
1062
|
-
it_should_behave_like "a correct R509 NameConstraints object", true
|
1063
|
-
end
|
1064
|
-
context "with both permitted and excluded names" do
|
1065
|
-
before :all do
|
1066
|
-
@excluded_names = [{:tag => 7, :value => "127.0.0.1/255.255.255.255"}, {:tag => 1, :value => "emaildomain.com" } ]
|
1067
|
-
@permitted_names = [{:tag => 2, :value => ".whatever.com"}, {:tag => 1, :value => "user@emaildomain.com"} ]
|
1068
|
-
gns = R509::ASN1::GeneralNames.new
|
1069
|
-
@permitted_names.each do |name|
|
1070
|
-
gns.add_item(name)
|
1071
|
-
end
|
1072
|
-
@conf = []
|
1073
|
-
permitted = gns.names.map { |name|
|
1074
|
-
serialized = name.serialize_name
|
1075
|
-
@conf << serialized[:conf]
|
1076
|
-
"permitted;" + serialized[:extension_string]
|
1077
|
-
}.join(",")
|
1078
|
-
egns = R509::ASN1::GeneralNames.new
|
1079
|
-
@excluded_names.each do |name|
|
1080
|
-
egns.add_item(name)
|
1081
|
-
end
|
1082
|
-
excluded = egns.names.map { |name|
|
1083
|
-
serialized = name.serialize_name
|
1084
|
-
@conf << serialized[:conf]
|
1085
|
-
"excluded;" + serialized[:extension_string]
|
1086
|
-
}.join(",")
|
1087
|
-
@extension_value = permitted + "," + excluded
|
1088
|
-
@conf = @conf.join("\n")
|
1089
|
-
end
|
1090
|
-
|
1091
|
-
it_should_behave_like "a correct R509 NameConstraints object", false
|
1092
|
-
it_should_behave_like "a correct R509 NameConstraints object", true
|
1093
|
-
end
|
1094
|
-
end
|
1095
|
-
end
|