r509 0.9.2 → 0.10.0

data/spec/config_spec.rb

@@ -1,562 +0,0 @@
-require 'spec_helper'
-require 'r509/config'
-require 'r509/exceptions'
-
-describe R509::Config::CAConfigPool do
-  context "defined manually" do
-    it "has no configs" do
-      pool = R509::Config::CAConfigPool.new({})
-
-      pool["first"].should == nil
-    end
-
-    it "has one config" do
-      config = R509::Config::CAConfig.new(
-        :ca_cert => TestFixtures.test_ca_cert,
-        :profiles => { "first_profile" => R509::Config::CAProfile.new }
-      )
-
-      pool = R509::Config::CAConfigPool.new({
-        "first" => config
-      })
-
-      pool["first"].should == config
-    end
-  end
-
-  context "all configs" do
-    it "no configs" do
-      pool = R509::Config::CAConfigPool.new({})
-      pool.all.should == []
-    end
-
-    it "one config" do
-      config = R509::Config::CAConfig.new(
-        :ca_cert => TestFixtures.test_ca_cert,
-        :profiles => { "first_profile" => R509::Config::CAProfile.new }
-      )
-
-      pool = R509::Config::CAConfigPool.new({
-        "first" => config
-      })
-
-      pool.all.should == [config]
-    end
-
-    it "two configs" do
-      config1 = R509::Config::CAConfig.new(
-        :ca_cert => TestFixtures.test_ca_cert,
-        :profiles => { "first_profile" => R509::Config::CAProfile.new }
-      )
-      config2 = R509::Config::CAConfig.new(
-        :ca_cert => TestFixtures.test_ca_cert,
-        :profiles => { "first_profile" => R509::Config::CAProfile.new }
-      )
-
-      pool = R509::Config::CAConfigPool.new({
-        "first" => config1,
-        "second" => config2
-      })
-
-      pool.all.size.should == 2
-      pool.all.include?(config1).should == true
-      pool.all.include?(config2).should == true
-    end
-  end
-
-  context "loaded from YAML" do
-    it "should load two configs" do
-      pool = R509::Config::CAConfigPool.from_yaml("certificate_authorities", File.read("#{File.dirname(__FILE__)}/fixtures/config_pool_test_minimal.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-
-      pool.names.should include("test_ca", "second_ca")
-
-      pool["test_ca"].should_not == nil
-      pool["test_ca"].num_profiles.should == 0
-      pool["second_ca"].should_not == nil
-      pool["second_ca"].num_profiles.should == 0
-    end
-  end
-end
-
-describe R509::Config::CAConfig do
-  before :each do
-    @config = R509::Config::CAConfig.new(
-      :ca_cert => TestFixtures.test_ca_cert
-    )
-  end
-
-  subject {@config}
-
-  its(:message_digest) {should == "SHA1"}
-  its(:crl_validity_hours) {should == 168}
-  its(:ocsp_validity_hours) {should == 168}
-  its(:ocsp_start_skew_seconds) {should == 3600}
-  its(:cdp_location) {should be_nil}
-  its(:ocsp_location) {should be_nil}
-  its(:num_profiles) {should == 0}
-
-  it "should have the proper CA cert" do
-    @config.ca_cert.to_pem.should == TestFixtures.test_ca_cert.to_pem
-  end
-
-  it "should have the proper CA key" do
-    @config.ca_cert.key.to_pem.should == TestFixtures.test_ca_cert.key.to_pem
-  end
-
-  context "validates data" do
-    it "raises an error if you don't pass :ca_cert" do
-      expect { R509::Config::CAConfig.new(:crl_validity_hours => 2) }.to raise_error ArgumentError, 'Config object requires that you pass :ca_cert'
-    end
-    it "raises an error if :ca_cert is not of type R509::Cert" do
-      expect { R509::Config::CAConfig.new(:ca_cert => 'not a cert, and not right type') }.to raise_error ArgumentError, ':ca_cert must be of type R509::Cert'
-    end
-    it "raises an error if :ocsp_cert that is not R509::Cert" do
-      expect { R509::Config::CAConfig.new(:ca_cert => TestFixtures.test_ca_cert, :ocsp_cert => "not a cert") }.to raise_error ArgumentError, ':ocsp_cert, if provided, must be of type R509::Cert'
-    end
-    it "raises an error if :ocsp_cert does not contain a private key" do
-      expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :ocsp_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) ) }.to raise_error ArgumentError, ':ocsp_cert must contain a private key, not just a certificate'
-    end
-    it "raises an error if you pass an ocsp_location that is not an array" do
-      expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :ocsp_location => "some-url" ) }.to raise_error(ArgumentError, 'ocsp_location must be an array if provided')
-    end
-    it "raises an error if you pass a ca_issuers_location that is not an array" do
-      expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :ca_issuers_location => "some-url" ) }.to raise_error(ArgumentError, 'ca_issuers_location must be an array if provided')
-    end
-    it "raises an error if you pass a cdp_location that is not an array" do
-      expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :cdp_location => "some-url" ) }.to raise_error(ArgumentError, 'cdp_location must be an array if provided')
-    end
-  end
-  it "loads the config even if :ca_cert does not contain a private key" do
-    config = R509::Config::CAConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
-    config.ca_cert.subject.to_s.should_not be_nil
-  end
-  it "returns the correct cert object on #ocsp_cert if none is specified" do
-    @config.ocsp_cert.should == @config.ca_cert
-  end
-  it "returns the correct cert object on #ocsp_cert if an ocsp_cert was specified" do
-    ocsp_cert = R509::Cert.new(
-      :cert => TestFixtures::TEST_CA_OCSP_CERT,
-      :key => TestFixtures::TEST_CA_OCSP_KEY
-    )
-    config = R509::Config::CAConfig.new(
-      :ca_cert => TestFixtures.test_ca_cert,
-      :ocsp_cert => ocsp_cert
-    )
-
-    config.ocsp_cert.should == ocsp_cert
-  end
-  it "fails to specify a non-Config::CAProfile as the profile" do
-    config = R509::Config::CAConfig.new(
-      :ca_cert => TestFixtures.test_ca_cert
-    )
-
-    expect{ config.set_profile("bogus", "not a Config::CAProfile")}.to raise_error TypeError
-  end
-
-  it "shouldn't let you specify a profile that's not a Config::CAProfile, on instantiation" do
-    expect{ R509::Config::CAConfig.new(
-      :ca_cert => TestFixtures.test_ca_cert,
-      :profiles => { "first_profile" => "not a Config::CAProfile" }
-    ) }.to raise_error TypeError
-  end
-
-  it "can specify a single profile" do
-    first_profile = R509::Config::CAProfile.new
-
-    config = R509::Config::CAConfig.new(
-      :ca_cert => TestFixtures.test_ca_cert,
-      :profiles => { "first_profile" => first_profile }
-    )
-
-    config.profile("first_profile").should == first_profile
-  end
-
-  it "raises an error if you specify an invalid profile" do
-    first_profile = R509::Config::CAProfile.new
-
-    config = R509::Config::CAConfig.new(
-      :ca_cert => TestFixtures.test_ca_cert,
-      :profiles => { "first_profile" => first_profile }
-    )
-
-    expect { config.profile("non-existent-profile") }.to raise_error(R509::R509Error, "unknown profile 'non-existent-profile'")
-  end
-
-  it "should load YAML" do
-    config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-    config.crl_validity_hours.should == 72
-    config.ocsp_validity_hours.should == 96
-    config.message_digest.should == "SHA1"
-    config.num_profiles.should == 7
-    config.profile("ocsp_delegate_with_no_check").ocsp_no_check.should == true
-    config.profile("inhibit_policy").inhibit_any_policy.should == 2
-    config.profile("policy_constraints").policy_constraints["require_explicit_policy"].should == 1
-    config.profile("policy_constraints").policy_constraints["inhibit_policy_mapping"].should == 0
-    config.profile("name_constraints").name_constraints.should_not be_nil
-  end
-  it "loads OCSP cert/key from yaml" do
-    config = R509::Config::CAConfig.from_yaml("ocsp_delegate_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-    config.ocsp_cert.has_private_key?.should == true
-    config.ocsp_cert.subject.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=r509 LLC/CN=r509 OCSP Signer"
-  end
-  it "loads OCSP pkcs12 from yaml" do
-    config = R509::Config::CAConfig.from_yaml("ocsp_pkcs12_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-    config.ocsp_cert.has_private_key?.should == true
-    config.ocsp_cert.subject.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=r509 LLC/CN=r509 OCSP Signer"
-  end
-  it "loads OCSP cert/key in engine from yaml" do
-    #most of this code path is tested by loading ca_cert engine.
-    #look there for the extensive doubling
-    expect { R509::Config::CAConfig.from_yaml("ocsp_engine_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError,"You must supply a key_name with an engine")
-  end
-  it "loads OCSP chain from yaml" do
-    config = R509::Config::CAConfig.from_yaml("ocsp_chain_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-    config.ocsp_chain.size.should == 2
-    config.ocsp_chain[0].kind_of?(OpenSSL::X509::Certificate).should == true
-    config.ocsp_chain[1].kind_of?(OpenSSL::X509::Certificate).should == true
-  end
-  it "should load subject_item_policy from yaml (if present)" do
-    config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-    config.profile("server").subject_item_policy.should be_nil
-    config.profile("server_with_subject_item_policy").subject_item_policy.optional.should include("O","OU")
-    config.profile("server_with_subject_item_policy").subject_item_policy.required.should include("CN","ST","C")
-  end
-
-  it "should load YAML which only has a CA Cert and Key defined" do
-    config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_minimal.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-    config.num_profiles.should == 0
-  end
-
-  it "should load YAML which has CA cert and key with password" do
-    expect { R509::Config::CAConfig.from_yaml("password_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_password.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to_not raise_error
-  end
-
-  it "should load YAML which has a PKCS12 with password" do
-    expect { R509::Config::CAConfig.from_yaml("pkcs12_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to_not raise_error
-  end
-
-  it "raises error on YAML with pkcs12 and key" do
-    expect { R509::Config::CAConfig.from_yaml("pkcs12_key_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both pkcs12 and key")
-  end
-
-  it "raises error on YAML with pkcs12 and cert" do
-    expect { R509::Config::CAConfig.from_yaml("pkcs12_cert_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both pkcs12 and cert")
-  end
-
-  it "raises error on YAML with pkcs12 and engine" do
-    expect { R509::Config::CAConfig.from_yaml("pkcs12_engine_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both engine and pkcs12")
-  end
-
-  it "loads config with cert and no key (useful in certain cases)" do
-    config = R509::Config::CAConfig.from_yaml("cert_no_key_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-    config.ca_cert.subject.to_s.should_not be_nil
-  end
-
-  it "should load YAML which has an engine" do
-    #i can test this, it's just gonna take a whole lot of floorin' it!
-    conf = double("conf")
-    engine = double("engine")
-    faux_key = double("faux_key")
-
-    public_key = OpenSSL::PKey::RSA.new("-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqLfP8948QEZMMkZNHLDP\nOHZVrPdVvecD6bp8dz96LalMQiWjgMkJf7mPHXoNMQ5rIpntiUOmhupu+sty30+C\ndbZZIbZohioTSYq9ZIC/LC9ME12F78GRMKhBGA+ZiouzWvXqOEdMnanfSgKrlSIS\nssF71dfmOEQ08fn9Vl5jAgWmGe+v615iHqBNGr64kYooTrZYLaPlTScO1UZ76vnB\nHfNQU+tsEZNXxtZXKQqkxHxLShCOj6qmYRNn/upTZoWWd04+zXjYGEC3eKvi9ctN\n9FY+KJ6QCCa8H0Kt3cU5qyw6pzdljhbG6NKhod7OMqlGjmHdsCAYAqe3xH+V/8oe\ndwIDAQAB\n-----END PUBLIC KEY-----\n")
-
-    conf.should_receive(:kind_of?).with(Hash).and_return(true)
-    conf.should_receive(:[]).with("ca_cert").and_return(
-      "cert" => "#{File.dirname(__FILE__)}/fixtures/test_ca.cer",
-      "engine" => engine,
-      "key_name" => "r509_key"
-    )
-    conf.should_receive(:[]).at_least(1).times.and_return(nil)
-    conf.should_receive(:has_key?).at_least(1).times.and_return(false)
-
-    engine.should_receive(:respond_to?).with(:load_private_key).and_return(true)
-    engine.should_receive(:kind_of?).with(OpenSSL::Engine).and_return(true)
-    faux_key.should_receive(:public_key).and_return(public_key)
-    engine.should_receive(:load_private_key).twice.with("r509_key").and_return(faux_key)
-
-    config = R509::Config::CAConfig.load_from_hash(conf)
-  end
-
-  it "should fail if YAML for ca_cert contains engine and key" do
-    expect { R509::Config::CAConfig.from_yaml("engine_and_key", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_engine_key.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both key and engine")
-  end
-
-  it "should fail if YAML for ca_cert contains engine but no key_name" do
-    expect { R509::Config::CAConfig.from_yaml("engine_no_key_name", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_engine_no_key_name.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, 'You must supply a key_name with an engine')
-  end
-
-  it "should fail if YAML config is null" do
-    expect{ R509::Config::CAConfig.from_yaml("no_config_here", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError)
-  end
-
-  it "should fail if YAML config isn't a hash" do
-    expect{ R509::Config::CAConfig.from_yaml("config_is_string", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError)
-  end
-
-  it "should fail if YAML config doesn't give a root CA directory that's a directory" do
-    expect{ R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures/no_directory_here"}) }.to raise_error(R509::R509Error)
-  end
-
-  it "should load YAML from filename" do
-    config = R509::Config::CAConfig.load_yaml("test_ca", "#{File.dirname(__FILE__)}/fixtures/config_test.yaml", {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-    config.crl_validity_hours.should == 72
-    config.ocsp_validity_hours.should == 96
-    config.message_digest.should == "SHA1"
-  end
-
-  it "can specify crl_number_file" do
-    config = R509::Config::CAConfig.new(
-      :ca_cert => TestFixtures.test_ca_cert,
-      :crl_number_file => "crl_number_file.txt"
-    )
-    config.crl_number_file.should == 'crl_number_file.txt'
-  end
-
-  it "can specify crl_list_file" do
-    config = R509::Config::CAConfig.new(
-      :ca_cert => TestFixtures.test_ca_cert,
-      :crl_list_file => "crl_list_file.txt"
-    )
-    config.crl_list_file.should == 'crl_list_file.txt'
-  end
-
-end
-
-describe R509::Config::SubjectItemPolicy do
-  it "raises an error if you supply a non-hash" do
-    expect { R509::Config::SubjectItemPolicy.new('string') }.to raise_error(ArgumentError, "Must supply a hash in form 'shortname'=>'required/optional'")
-  end
-  it "raises an error if a required element is missing" do
-    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required")
-    subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
-    expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, /This profile requires you supply/)
-  end
-  it "raises an error if your hash values are anything other than required or optional" do
-    expect { R509::Config::SubjectItemPolicy.new("CN" => "somethirdoption") }.to raise_error(ArgumentError, "Unknown subject item policy value. Allowed values are required and optional")
-  end
-  it "validates a subject with the same fields as the policy" do
-    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional")
-    subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
-    validated_subject = subject_item_policy.validate_subject(subject)
-    validated_subject.to_s.should == subject.to_s
-  end
-  it "preserves subject order when applying policies" do
-    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required", "C" => "required")
-    subject = R509::Subject.new [["C","US"],["L","Chicago"],["ST","Illinois"],["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
-    validated_subject = subject_item_policy.validate_subject(subject)
-    validated_subject.to_s.should == "/C=US/L=Chicago/CN=langui.sh/OU=Org Unit/O=Org"
-  end
-  it "does not match if you get case of subject_item_policy element wrong" do
-    subject_item_policy = R509::Config::SubjectItemPolicy.new("cn" => "required")
-    subject = R509::Subject.new [["CN","langui.sh"]]
-    expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, 'This profile requires you supply cn')
-  end
-  it "removes subject items that are not in the policy" do
-    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required")
-    subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
-    validated_subject = subject_item_policy.validate_subject(subject)
-    validated_subject.to_s.should == "/CN=langui.sh"
-  end
-  it "does not reorder subject items as it validates" do
-    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required")
-    subject = R509::Subject.new [["L","Chicago"],["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
-    validated_subject = subject_item_policy.validate_subject(subject)
-    validated_subject.to_s.should == subject.to_s
-  end
-  it "loads all the required and optional elements" do
-    subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required", "emailAddress" => "optional")
-    subject_item_policy.optional.should include("OU","emailAddress")
-    subject_item_policy.required.should include("CN","O","L")
-  end
-end
-
-describe R509::Config::CAProfile do
-  context "validate certificate policy structure" do
-    it "must be an array" do
-      expect { R509::Config::CAProfile.new(:certificate_policies => "whatever") }.to raise_error(ArgumentError,'Not a valid certificate policy structure. Must be an array of hashes')
-    end
-    it "require a policy identifier" do
-      expect { R509::Config::CAProfile.new(:certificate_policies => [{"stuff" => "thing"}]) }.to raise_error(ArgumentError,'Each policy requires a policy identifier')
-    end
-    it "the cps uri must be array of strings" do
-      expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "cps_uris" => "not an array"}]) }.to raise_error(ArgumentError,'CPS URIs must be an array of strings')
-    end
-    it "user notices must be an array of hashes" do
-      expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "user_notices" => "not an array"}]) }.to raise_error(ArgumentError,'User notices must be an array of hashes')
-    end
-    it "org in user notice requires notice numbers" do
-      expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "user_notices" => [{"explicit_text" => "explicit", "organization" => "something"}]}]) }.to raise_error(ArgumentError,'If you provide an organization you must provide notice numbers')
-    end
-    it "notice numbers in user notice requires org" do
-      expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "user_notices" => [{"explicit_text" => "explicit", "notice_numbers" => "1,2,3"}]}]) }.to raise_error(ArgumentError,'If you provide notice numbers you must provide an organization')
-    end
-  end
-  context "validate basic constraints structure" do
-    it "must be a hash with key \"ca\"" do
-      expect { R509::Config::CAProfile.new(:basic_constraints => 'string') }.to raise_error(ArgumentError, "You must supply a hash with a key named \"ca\" with a boolean value")
-      expect { R509::Config::CAProfile.new(:basic_constraints => {}) }.to raise_error(ArgumentError, "You must supply a hash with a key named \"ca\" with a boolean value")
-    end
-    it "must have true or false for the ca key value" do
-      expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => 'truestring'}) }.to raise_error(ArgumentError, "You must supply true/false for the ca key when specifying basic constraints")
-    end
-    it "must not pass a path_length if ca is false" do
-      expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => false, "path_length" => 5}) }.to raise_error(ArgumentError, "path_length is not allowed when ca is false")
-    end
-    it "must pass a non-negative integer to path_length" do
-      expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => true, "path_length" => -1.5}) }.to raise_error(ArgumentError, "Path length must be a non-negative integer (>= 0)")
-      expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => true, "path_length" => 1.5}) }.to raise_error(ArgumentError, "Path length must be a non-negative integer (>= 0)")
-    end
-    it "does not require a path_length when ca is true" do
-      ca_profile = R509::Config::CAProfile.new(:basic_constraints => {"ca" => true})
-      ca_profile.basic_constraints.should == {"ca" => true }
-    end
-    it "allows ca:false" do
-      ca_profile = R509::Config::CAProfile.new(:basic_constraints => {"ca" => false})
-      ca_profile.basic_constraints.should == {"ca" => false }
-    end
-    it "allows ca:true and a valid path length" do
-      ca_profile = R509::Config::CAProfile.new(:basic_constraints => {"ca" => true, "path_length" => 2})
-      ca_profile.basic_constraints.should == {"ca" => true, "path_length" => 2 }
-    end
-  end
-  context "validate key usage" do
-    it "errors with non-array" do
-      expect { R509::Config::CAProfile.new( :key_usage => 'not an array' ) }.to raise_error(ArgumentError, 'key_usage must be an array of strings (see README)')
-    end
-    it "loads properly" do
-      ku = ['digitalSignature']
-      profile = R509::Config::CAProfile.new( :key_usage => ku )
-      profile.key_usage.should == ku
-    end
-  end
-  context "validate extended key usage" do
-    it "errors with non-array" do
-      expect { R509::Config::CAProfile.new( :extended_key_usage => 'not an array' ) }.to raise_error(ArgumentError, 'extended_key_usage must be an array of strings (see README)')
-    end
-    it "loads properly" do
-      eku = ['serverAuth']
-      profile = R509::Config::CAProfile.new( :extended_key_usage => eku )
-      profile.extended_key_usage.should == eku
-    end
-  end
-  context "validate subject item policy" do
-    it "raises an error with an invalid subject_item_policy" do
-      expect { R509::Config::CAProfile.new( :subject_item_policy => "lenient!" ) }.to raise_error(ArgumentError,'subject_item_policy must be of type R509::Config::SubjectItemPolicy')
-    end
-    it "stores a valid subject_item_policy" do
-      policy = R509::Config::SubjectItemPolicy.new("CN" => "required")
-      expect { R509::Config::CAProfile.new( :subject_item_policy => policy) }.to_not raise_error
-    end
-  end
-  context "validate inhibit any policy" do
-    it "raises an error when not a number" do
-      expect { R509::Config::CAProfile.new( :inhibit_any_policy => "string" ) }.to raise_error(ArgumentError,'Inhibit any policy must be a non-negative integer')
-    end
-    it "raises an error when not >= 0" do
-      expect { R509::Config::CAProfile.new( :inhibit_any_policy => -5 ) }.to raise_error(ArgumentError,'Inhibit any policy must be a non-negative integer')
-    end
-    it "loads when providing valid data" do
-      profile = R509::Config::CAProfile.new(:inhibit_any_policy => 3)
-      profile.inhibit_any_policy.should == 3
-    end
-  end
-  context "validate policy constraints" do
-    it "raises an error when not a hash" do
-      expect { R509::Config::CAProfile.new( :policy_constraints => "string" ) }.to raise_error(ArgumentError,'Policy constraints must be provided as a hash with at least one of the two allowed keys: "inhibit_policy_mapping" and "require_explicit_policy"')
-    end
-    it "raises an error when no keys" do
-      expect { R509::Config::CAProfile.new( :policy_constraints => {} ) }.to raise_error(ArgumentError,'Policy constraints must have at least one of two keys: "inhibit_policy_mapping" and "require_explicit_policy" and the value must be non-negative')
-    end
-    it "raises an error when inhibit_policy_mapping is not valid" do
-      expect { R509::Config::CAProfile.new( :policy_constraints => {"inhibit_policy_mapping" => -5} ) }.to raise_error(ArgumentError,'inhibit_policy_mapping must be a non-negative integer')
-    end
-    it "raises an error when require_explicit_policy is not valid" do
-      expect { R509::Config::CAProfile.new( :policy_constraints => {"require_explicit_policy" => -1} ) }.to raise_error(ArgumentError,'require_explicit_policy must be a non-negative integer')
-    end
-    it "loads when provided inhibit_policy_mapping" do
-      profile = R509::Config::CAProfile.new( :policy_constraints => {"require_explicit_policy" => 1} )
-      profile.policy_constraints["require_explicit_policy"].should == 1
-    end
-    it "loads when provided require_explicit_policy" do
-      profile = R509::Config::CAProfile.new( :policy_constraints => {"inhibit_policy_mapping" => 0} )
-      profile.policy_constraints["inhibit_policy_mapping"].should == 0
-    end
-    it "loads when provided values for both keys" do
-      profile = R509::Config::CAProfile.new( :policy_constraints => {"require_explicit_policy" => 1, "inhibit_policy_mapping" => 4} )
-      profile.policy_constraints["require_explicit_policy"].should == 1
-      profile.policy_constraints["inhibit_policy_mapping"].should == 4
-    end
-  end
-  context "validate name constraints"do
-    it "raises an error when not a hash" do
-      expect { R509::Config::CAProfile.new( :name_constraints => 'a string' ) }.to raise_error(ArgumentError,'name_constraints must be provided as a hash')
-    end
-    it "raises an error when permitted and excluded are empty" do
-      expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [], "excluded" => []} ) }.to raise_error(ArgumentError,'If name_constraints are supplied you must have at least one valid permitted or excluded element')
-    end
-    it "raises an error when permitted or excluded are not arrays" do
-      expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => 'string', "excluded" => 'string'} ) }.to raise_error(ArgumentError,'permitted must be an array')
-    end
-    it "raises an error when permitted or excluded elements are not hashes with the required values" do
-      expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [{"type" => 'DNS'}]} ) }.to raise_error(ArgumentError,'Elements within the permitted array must be hashes with both type and value')
-      expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [{'value' => '127'}]} ) }.to raise_error(ArgumentError,'Elements within the permitted array must be hashes with both type and value')
-    end
-    it "raises an error when an invalid type is specified" do
-      expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [{'type' => 'invalid', 'value' => '127'}]} ) }.to raise_error(ArgumentError,'invalid is not an allowed type. Check R509::ASN1::GeneralName.map_type_to_tag to see a list of types')
-    end
-    it "loads a config with just permitted" do
-      profile = R509::Config::CAProfile.new(:name_constraints => {"permitted" => [ { 'type' => 'DNS', 'value' => 'domain.com' } ] } )
-      profile.name_constraints["permitted"][0]['type'] = 'DNS'
-      profile.name_constraints["permitted"][0]['value'] = 'domain.com'
-    end
-    it "loads a config with just excluded" do
-      profile = R509::Config::CAProfile.new(:name_constraints => {"excluded" => [ { 'type' => 'IP', 'value' => '127.0.0.1/255.255.255.255' } ] } )
-      profile.name_constraints["excluded"][0]['type'] = 'IP'
-      profile.name_constraints["excluded"][0]['value'] = '127.0.0.1/255.255.255.255'
-    end
-    it "loads a config with both permitted and excluded" do
-      profile = R509::Config::CAProfile.new(:name_constraints => {"permitted" => [ { 'type' => 'DNS', 'value' => 'domain.com' } ], "excluded" => [ { 'type' => 'IP', 'value' => '127.0.0.1/255.255.255.255' } ] } )
-      profile.name_constraints["permitted"][0]['type'] = 'DNS'
-      profile.name_constraints["permitted"][0]['value'] = 'domain.com'
-      profile.name_constraints["excluded"][0]['type'] = 'IP'
-      profile.name_constraints["excluded"][0]['value'] = '127.0.0.1/255.255.255.255'
-    end
-  end
-  it "initializes and stores the options provided" do
-    profile = R509::Config::CAProfile.new(
-      :basic_constraints => {"ca" => true},
-      :key_usage => ["digitalSignature"],
-      :extended_key_usage => ["serverAuth"],
-      :certificate_policies => [
-          { "policy_identifier" => "2.16.840.1.12345.1.2.3.4.1",
-  "cps_uris" => ["http://example.com/cps","http://other.com/cps"],
-  "user_notices" => [ {"explicit_text" => "thing", "organization" => "my org", "notice_numbers" => "1,2,3,4"} ]
-          }
-      ],
-      :ocsp_no_check => true
-    )
-    profile.basic_constraints.should == {"ca" => true}
-    profile.key_usage.should == ["digitalSignature"]
-    profile.extended_key_usage.should == ["serverAuth"]
-    profile.certificate_policies[0]["policy_identifier"].should == "2.16.840.1.12345.1.2.3.4.1"
-    profile.ocsp_no_check.should == true
-  end
-  it "initializes with expected defaults" do
-    profile = R509::Config::CAProfile.new
-    profile.basic_constraints.should == nil
-    profile.key_usage.should == nil
-    profile.extended_key_usage.should == nil
-    profile.certificate_policies.should == nil
-    profile.ocsp_no_check.should == false
-    profile.subject_item_policy.should == nil
-  end
-  it "loads profiles from YAML while setting expected defaults" do
-    config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
-    server_profile = config.profile("server") # no ocsp_no_check node
-    server_profile.ocsp_no_check.should == false
-    ocsp_profile = config.profile("ocsp_delegate_with_no_check") # ocsp_no_check => true
-    ocsp_profile.ocsp_no_check.should == true
-    client_profile = config.profile("client") # ocsp_no_check => false
-    client_profile.ocsp_no_check.should == false
-  end
-end