r509 0.9.2 → 0.10.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +2 -0
- data/CONTRIBUTING.mdown +21 -0
- data/LICENSE +13 -0
- data/README.mdown +548 -0
- data/Rakefile +5 -0
- data/bin/r509 +16 -17
- data/doc/R509.html +42 -26
- data/doc/R509/ASN1.html +22 -16
- data/doc/R509/ASN1/GeneralName.html +180 -173
- data/doc/R509/ASN1/GeneralNames.html +390 -62
- data/doc/R509/CRL.html +9 -7
- data/doc/R509/CRL/Administrator.html +208 -623
- data/doc/R509/CRL/FileReaderWriter.html +856 -0
- data/doc/R509/CRL/ReaderWriter.html +524 -0
- data/doc/R509/CRL/SignedList.html +29 -42
- data/doc/R509/CSR.html +248 -333
- data/doc/R509/Cert.html +364 -491
- data/doc/R509/Cert/Extensions.html +134 -43
- data/doc/R509/Cert/Extensions/AuthorityInfoAccess.html +335 -65
- data/doc/R509/Cert/Extensions/AuthorityKeyIdentifier.html +201 -102
- data/doc/R509/Cert/Extensions/BasicConstraints.html +297 -68
- data/doc/R509/Cert/Extensions/CRLDistributionPoints.html +690 -77
- data/doc/R509/Cert/Extensions/CertificatePolicies.html +293 -43
- data/doc/R509/Cert/Extensions/ExtendedKeyUsage.html +321 -173
- data/doc/R509/Cert/Extensions/GeneralNamesMixin.html +656 -0
- data/doc/R509/Cert/Extensions/InhibitAnyPolicy.html +270 -42
- data/doc/R509/Cert/Extensions/KeyUsage.html +334 -184
- data/doc/R509/Cert/Extensions/NameConstraints.html +363 -93
- data/doc/R509/{ASN1 → Cert/Extensions}/NoticeReference.html +209 -48
- data/doc/R509/Cert/Extensions/OCSPNoCheck.html +244 -17
- data/doc/R509/Cert/Extensions/PolicyConstraints.html +322 -71
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyInformation.html +204 -43
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyQualifiers.html +205 -48
- data/doc/R509/Cert/Extensions/SubjectAlternativeName.html +348 -143
- data/doc/R509/Cert/Extensions/SubjectKeyIdentifier.html +165 -13
- data/doc/R509/{ASN1 → Cert/Extensions}/UserNotice.html +204 -43
- data/doc/R509/Cert/Extensions/ValidationMixin.html +120 -0
- data/doc/R509/CertificateAuthority.html +9 -7
- data/doc/R509/CertificateAuthority/OptionsBuilder.html +475 -0
- data/doc/R509/CertificateAuthority/Signer.html +149 -198
- data/doc/R509/Config.html +10 -8
- data/doc/R509/Config/CAConfig.html +708 -625
- data/doc/R509/Config/CAConfigPool.html +179 -31
- data/doc/R509/Config/CertProfile.html +1544 -0
- data/doc/R509/Config/SubjectItemPolicy.html +437 -99
- data/doc/R509/Engine.html +14 -28
- data/doc/R509/Helpers.html +1014 -0
- data/doc/R509/MessageDigest.html +73 -25
- data/doc/R509/NameSanitizer.html +39 -39
- data/doc/R509/OCSP.html +5 -5
- data/doc/R509/OCSP/Request.html +5 -5
- data/doc/R509/OCSP/Request/Nonce.html +5 -5
- data/doc/R509/OCSP/Response.html +7 -7
- data/doc/R509/OIDMapper.html +121 -6
- data/doc/R509/PrivateKey.html +226 -227
- data/doc/R509/R509Error.html +5 -5
- data/doc/R509/SPKI.html +244 -342
- data/doc/R509/Subject.html +241 -70
- data/doc/R509/Validity.html +5 -5
- data/doc/R509/Validity/Checker.html +5 -5
- data/doc/R509/Validity/DefaultChecker.html +5 -9
- data/doc/R509/Validity/DefaultWriter.html +5 -9
- data/doc/R509/Validity/Status.html +5 -5
- data/doc/R509/Validity/Writer.html +5 -5
- data/doc/_index.html +92 -30
- data/doc/class_list.html +2 -2
- data/doc/file.CONTRIBUTING.html +96 -0
- data/doc/file.LICENSE.html +87 -0
- data/doc/file.README.html +279 -389
- data/doc/file.YAML.html +243 -0
- data/doc/file.r509.html +298 -105
- data/doc/file_list.html +11 -2
- data/doc/frames.html +1 -1
- data/doc/index.html +279 -389
- data/doc/js/full_list.js +6 -1
- data/doc/method_list.html +869 -1139
- data/doc/top-level-namespace.html +103 -5
- data/lib/r509.rb +7 -2
- data/lib/r509/asn1.rb +97 -135
- data/lib/r509/cert.rb +17 -106
- data/lib/r509/cert/extensions.rb +13 -676
- data/lib/r509/cert/extensions/authority_info_access.rb +128 -0
- data/lib/r509/cert/extensions/authority_key_identifier.rb +100 -0
- data/lib/r509/cert/extensions/base.rb +142 -0
- data/lib/r509/cert/extensions/basic_constraints.rb +119 -0
- data/lib/r509/cert/extensions/certificate_policies.rb +262 -0
- data/lib/r509/cert/extensions/crl_distribution_points.rb +98 -0
- data/lib/r509/cert/extensions/extended_key_usage.rb +189 -0
- data/lib/r509/cert/extensions/inhibit_any_policy.rb +70 -0
- data/lib/r509/cert/extensions/key_usage.rb +209 -0
- data/lib/r509/cert/extensions/name_constraints.rb +179 -0
- data/lib/r509/cert/extensions/ocsp_no_check.rb +56 -0
- data/lib/r509/cert/extensions/policy_constraints.rb +122 -0
- data/lib/r509/cert/extensions/subject_alternative_name.rb +88 -0
- data/lib/r509/cert/extensions/subject_key_identifier.rb +56 -0
- data/lib/r509/cert/extensions/validation_mixin.rb +42 -0
- data/lib/r509/certificate_authority/options_builder.rb +142 -0
- data/lib/r509/certificate_authority/signer.rb +189 -0
- data/lib/r509/config.rb +3 -600
- data/lib/r509/config/ca_config.rb +414 -0
- data/lib/r509/config/cert_profile.rb +110 -0
- data/lib/r509/config/subject_item_policy.rb +118 -0
- data/lib/r509/crl/administrator.rb +169 -0
- data/lib/r509/crl/reader_writer.rb +109 -0
- data/lib/r509/crl/signed_list.rb +135 -0
- data/lib/r509/csr.rb +35 -116
- data/lib/r509/engine.rb +21 -11
- data/lib/r509/helpers.rb +110 -0
- data/lib/r509/io_helpers.rb +18 -13
- data/lib/r509/message_digest.rb +13 -3
- data/lib/r509/oid_mapper.rb +14 -0
- data/lib/r509/private_key.rb +74 -50
- data/lib/r509/spki.rb +50 -113
- data/lib/r509/subject.rb +24 -2
- data/lib/r509/trollop.rb +788 -0
- data/lib/r509/version.rb +1 -1
- data/r509.yaml +289 -96
- data/spec/asn1_spec.rb +171 -98
- data/spec/cert/extensions/authority_info_access_spec.rb +247 -0
- data/spec/cert/extensions/authority_key_identifier_spec.rb +85 -0
- data/spec/cert/extensions/base_spec.rb +172 -0
- data/spec/cert/extensions/basic_constraints_spec.rb +185 -0
- data/spec/cert/extensions/certificate_policies_spec.rb +288 -0
- data/spec/cert/extensions/crl_distribution_points_spec.rb +149 -0
- data/spec/cert/extensions/extended_key_usage_spec.rb +174 -0
- data/spec/cert/extensions/inhibit_any_policy_spec.rb +92 -0
- data/spec/cert/extensions/key_usage_spec.rb +172 -0
- data/spec/cert/extensions/name_constraints_spec.rb +335 -0
- data/spec/cert/extensions/ocsp_no_check_spec.rb +76 -0
- data/spec/cert/extensions/policy_constraints_spec.rb +155 -0
- data/spec/cert/extensions/subject_alternative_name_spec.rb +354 -0
- data/spec/cert/extensions/subject_key_identifier_spec.rb +64 -0
- data/spec/cert_spec.rb +11 -9
- data/spec/certificate_authority/options_builder_spec.rb +307 -0
- data/spec/certificate_authority/signer_spec.rb +278 -0
- data/spec/config/ca_config_spec.rb +405 -0
- data/spec/config/cert_profile_spec.rb +88 -0
- data/spec/config/subject_item_policy_spec.rb +81 -0
- data/spec/crl/administrator_spec.rb +199 -0
- data/spec/crl/reader_writer_spec.rb +97 -0
- data/spec/crl/signed_list_spec.rb +84 -0
- data/spec/csr_spec.rb +43 -36
- data/spec/engine_spec.rb +51 -0
- data/spec/fixtures.rb +40 -40
- data/spec/fixtures/cert1.pem +1 -1
- data/spec/fixtures/config_pool_test_minimal.yaml +11 -15
- data/spec/fixtures/config_test.yaml +96 -59
- data/spec/fixtures/config_test_dsa.yaml +29 -35
- data/spec/fixtures/config_test_ec.yaml +29 -35
- data/spec/fixtures/config_test_engine_key.yaml +7 -7
- data/spec/fixtures/config_test_engine_no_key_name.yaml +6 -6
- data/spec/fixtures/config_test_minimal.yaml +3 -5
- data/spec/fixtures/config_test_password.yaml +4 -6
- data/spec/fixtures/config_test_various.yaml +147 -137
- data/spec/fixtures/crl_list_file.txt +1 -1
- data/spec/fixtures/test_ca_crl.cer +20 -0
- data/spec/fixtures/test_ca_crl.key +28 -0
- data/spec/fixtures/test_ca_crl.p12 +0 -0
- data/spec/message_digest_spec.rb +6 -0
- data/spec/oid_mapper_spec.rb +11 -0
- data/spec/private_key_spec.rb +19 -18
- data/spec/spec_helper.rb +10 -6
- data/spec/spki_spec.rb +38 -19
- data/spec/subject_spec.rb +16 -0
- metadata +108 -59
- metadata.gz.sig +0 -0
- data/README.md +0 -638
- data/doc/R509/Config/CAProfile.html +0 -1015
- data/doc/R509/IOHelpers.html +0 -564
- data/lib/r509/certificate_authority.rb +0 -407
- data/lib/r509/crl.rb +0 -351
- data/spec/cert/extensions_spec.rb +0 -1095
- data/spec/certificate_authority_spec.rb +0 -681
- data/spec/config_spec.rb +0 -562
- data/spec/crl_spec.rb +0 -226
data/spec/config_spec.rb
DELETED
@@ -1,562 +0,0 @@
|
|
1
|
-
require 'spec_helper'
|
2
|
-
require 'r509/config'
|
3
|
-
require 'r509/exceptions'
|
4
|
-
|
5
|
-
describe R509::Config::CAConfigPool do
|
6
|
-
context "defined manually" do
|
7
|
-
it "has no configs" do
|
8
|
-
pool = R509::Config::CAConfigPool.new({})
|
9
|
-
|
10
|
-
pool["first"].should == nil
|
11
|
-
end
|
12
|
-
|
13
|
-
it "has one config" do
|
14
|
-
config = R509::Config::CAConfig.new(
|
15
|
-
:ca_cert => TestFixtures.test_ca_cert,
|
16
|
-
:profiles => { "first_profile" => R509::Config::CAProfile.new }
|
17
|
-
)
|
18
|
-
|
19
|
-
pool = R509::Config::CAConfigPool.new({
|
20
|
-
"first" => config
|
21
|
-
})
|
22
|
-
|
23
|
-
pool["first"].should == config
|
24
|
-
end
|
25
|
-
end
|
26
|
-
|
27
|
-
context "all configs" do
|
28
|
-
it "no configs" do
|
29
|
-
pool = R509::Config::CAConfigPool.new({})
|
30
|
-
pool.all.should == []
|
31
|
-
end
|
32
|
-
|
33
|
-
it "one config" do
|
34
|
-
config = R509::Config::CAConfig.new(
|
35
|
-
:ca_cert => TestFixtures.test_ca_cert,
|
36
|
-
:profiles => { "first_profile" => R509::Config::CAProfile.new }
|
37
|
-
)
|
38
|
-
|
39
|
-
pool = R509::Config::CAConfigPool.new({
|
40
|
-
"first" => config
|
41
|
-
})
|
42
|
-
|
43
|
-
pool.all.should == [config]
|
44
|
-
end
|
45
|
-
|
46
|
-
it "two configs" do
|
47
|
-
config1 = R509::Config::CAConfig.new(
|
48
|
-
:ca_cert => TestFixtures.test_ca_cert,
|
49
|
-
:profiles => { "first_profile" => R509::Config::CAProfile.new }
|
50
|
-
)
|
51
|
-
config2 = R509::Config::CAConfig.new(
|
52
|
-
:ca_cert => TestFixtures.test_ca_cert,
|
53
|
-
:profiles => { "first_profile" => R509::Config::CAProfile.new }
|
54
|
-
)
|
55
|
-
|
56
|
-
pool = R509::Config::CAConfigPool.new({
|
57
|
-
"first" => config1,
|
58
|
-
"second" => config2
|
59
|
-
})
|
60
|
-
|
61
|
-
pool.all.size.should == 2
|
62
|
-
pool.all.include?(config1).should == true
|
63
|
-
pool.all.include?(config2).should == true
|
64
|
-
end
|
65
|
-
end
|
66
|
-
|
67
|
-
context "loaded from YAML" do
|
68
|
-
it "should load two configs" do
|
69
|
-
pool = R509::Config::CAConfigPool.from_yaml("certificate_authorities", File.read("#{File.dirname(__FILE__)}/fixtures/config_pool_test_minimal.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
70
|
-
|
71
|
-
pool.names.should include("test_ca", "second_ca")
|
72
|
-
|
73
|
-
pool["test_ca"].should_not == nil
|
74
|
-
pool["test_ca"].num_profiles.should == 0
|
75
|
-
pool["second_ca"].should_not == nil
|
76
|
-
pool["second_ca"].num_profiles.should == 0
|
77
|
-
end
|
78
|
-
end
|
79
|
-
end
|
80
|
-
|
81
|
-
describe R509::Config::CAConfig do
|
82
|
-
before :each do
|
83
|
-
@config = R509::Config::CAConfig.new(
|
84
|
-
:ca_cert => TestFixtures.test_ca_cert
|
85
|
-
)
|
86
|
-
end
|
87
|
-
|
88
|
-
subject {@config}
|
89
|
-
|
90
|
-
its(:message_digest) {should == "SHA1"}
|
91
|
-
its(:crl_validity_hours) {should == 168}
|
92
|
-
its(:ocsp_validity_hours) {should == 168}
|
93
|
-
its(:ocsp_start_skew_seconds) {should == 3600}
|
94
|
-
its(:cdp_location) {should be_nil}
|
95
|
-
its(:ocsp_location) {should be_nil}
|
96
|
-
its(:num_profiles) {should == 0}
|
97
|
-
|
98
|
-
it "should have the proper CA cert" do
|
99
|
-
@config.ca_cert.to_pem.should == TestFixtures.test_ca_cert.to_pem
|
100
|
-
end
|
101
|
-
|
102
|
-
it "should have the proper CA key" do
|
103
|
-
@config.ca_cert.key.to_pem.should == TestFixtures.test_ca_cert.key.to_pem
|
104
|
-
end
|
105
|
-
|
106
|
-
context "validates data" do
|
107
|
-
it "raises an error if you don't pass :ca_cert" do
|
108
|
-
expect { R509::Config::CAConfig.new(:crl_validity_hours => 2) }.to raise_error ArgumentError, 'Config object requires that you pass :ca_cert'
|
109
|
-
end
|
110
|
-
it "raises an error if :ca_cert is not of type R509::Cert" do
|
111
|
-
expect { R509::Config::CAConfig.new(:ca_cert => 'not a cert, and not right type') }.to raise_error ArgumentError, ':ca_cert must be of type R509::Cert'
|
112
|
-
end
|
113
|
-
it "raises an error if :ocsp_cert that is not R509::Cert" do
|
114
|
-
expect { R509::Config::CAConfig.new(:ca_cert => TestFixtures.test_ca_cert, :ocsp_cert => "not a cert") }.to raise_error ArgumentError, ':ocsp_cert, if provided, must be of type R509::Cert'
|
115
|
-
end
|
116
|
-
it "raises an error if :ocsp_cert does not contain a private key" do
|
117
|
-
expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :ocsp_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) ) }.to raise_error ArgumentError, ':ocsp_cert must contain a private key, not just a certificate'
|
118
|
-
end
|
119
|
-
it "raises an error if you pass an ocsp_location that is not an array" do
|
120
|
-
expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :ocsp_location => "some-url" ) }.to raise_error(ArgumentError, 'ocsp_location must be an array if provided')
|
121
|
-
end
|
122
|
-
it "raises an error if you pass a ca_issuers_location that is not an array" do
|
123
|
-
expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :ca_issuers_location => "some-url" ) }.to raise_error(ArgumentError, 'ca_issuers_location must be an array if provided')
|
124
|
-
end
|
125
|
-
it "raises an error if you pass a cdp_location that is not an array" do
|
126
|
-
expect { R509::Config::CAConfig.new( :ca_cert => TestFixtures.test_ca_cert, :cdp_location => "some-url" ) }.to raise_error(ArgumentError, 'cdp_location must be an array if provided')
|
127
|
-
end
|
128
|
-
end
|
129
|
-
it "loads the config even if :ca_cert does not contain a private key" do
|
130
|
-
config = R509::Config::CAConfig.new( :ca_cert => R509::Cert.new( :cert => TestFixtures::TEST_CA_CERT) )
|
131
|
-
config.ca_cert.subject.to_s.should_not be_nil
|
132
|
-
end
|
133
|
-
it "returns the correct cert object on #ocsp_cert if none is specified" do
|
134
|
-
@config.ocsp_cert.should == @config.ca_cert
|
135
|
-
end
|
136
|
-
it "returns the correct cert object on #ocsp_cert if an ocsp_cert was specified" do
|
137
|
-
ocsp_cert = R509::Cert.new(
|
138
|
-
:cert => TestFixtures::TEST_CA_OCSP_CERT,
|
139
|
-
:key => TestFixtures::TEST_CA_OCSP_KEY
|
140
|
-
)
|
141
|
-
config = R509::Config::CAConfig.new(
|
142
|
-
:ca_cert => TestFixtures.test_ca_cert,
|
143
|
-
:ocsp_cert => ocsp_cert
|
144
|
-
)
|
145
|
-
|
146
|
-
config.ocsp_cert.should == ocsp_cert
|
147
|
-
end
|
148
|
-
it "fails to specify a non-Config::CAProfile as the profile" do
|
149
|
-
config = R509::Config::CAConfig.new(
|
150
|
-
:ca_cert => TestFixtures.test_ca_cert
|
151
|
-
)
|
152
|
-
|
153
|
-
expect{ config.set_profile("bogus", "not a Config::CAProfile")}.to raise_error TypeError
|
154
|
-
end
|
155
|
-
|
156
|
-
it "shouldn't let you specify a profile that's not a Config::CAProfile, on instantiation" do
|
157
|
-
expect{ R509::Config::CAConfig.new(
|
158
|
-
:ca_cert => TestFixtures.test_ca_cert,
|
159
|
-
:profiles => { "first_profile" => "not a Config::CAProfile" }
|
160
|
-
) }.to raise_error TypeError
|
161
|
-
end
|
162
|
-
|
163
|
-
it "can specify a single profile" do
|
164
|
-
first_profile = R509::Config::CAProfile.new
|
165
|
-
|
166
|
-
config = R509::Config::CAConfig.new(
|
167
|
-
:ca_cert => TestFixtures.test_ca_cert,
|
168
|
-
:profiles => { "first_profile" => first_profile }
|
169
|
-
)
|
170
|
-
|
171
|
-
config.profile("first_profile").should == first_profile
|
172
|
-
end
|
173
|
-
|
174
|
-
it "raises an error if you specify an invalid profile" do
|
175
|
-
first_profile = R509::Config::CAProfile.new
|
176
|
-
|
177
|
-
config = R509::Config::CAConfig.new(
|
178
|
-
:ca_cert => TestFixtures.test_ca_cert,
|
179
|
-
:profiles => { "first_profile" => first_profile }
|
180
|
-
)
|
181
|
-
|
182
|
-
expect { config.profile("non-existent-profile") }.to raise_error(R509::R509Error, "unknown profile 'non-existent-profile'")
|
183
|
-
end
|
184
|
-
|
185
|
-
it "should load YAML" do
|
186
|
-
config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
187
|
-
config.crl_validity_hours.should == 72
|
188
|
-
config.ocsp_validity_hours.should == 96
|
189
|
-
config.message_digest.should == "SHA1"
|
190
|
-
config.num_profiles.should == 7
|
191
|
-
config.profile("ocsp_delegate_with_no_check").ocsp_no_check.should == true
|
192
|
-
config.profile("inhibit_policy").inhibit_any_policy.should == 2
|
193
|
-
config.profile("policy_constraints").policy_constraints["require_explicit_policy"].should == 1
|
194
|
-
config.profile("policy_constraints").policy_constraints["inhibit_policy_mapping"].should == 0
|
195
|
-
config.profile("name_constraints").name_constraints.should_not be_nil
|
196
|
-
end
|
197
|
-
it "loads OCSP cert/key from yaml" do
|
198
|
-
config = R509::Config::CAConfig.from_yaml("ocsp_delegate_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
199
|
-
config.ocsp_cert.has_private_key?.should == true
|
200
|
-
config.ocsp_cert.subject.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=r509 LLC/CN=r509 OCSP Signer"
|
201
|
-
end
|
202
|
-
it "loads OCSP pkcs12 from yaml" do
|
203
|
-
config = R509::Config::CAConfig.from_yaml("ocsp_pkcs12_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
204
|
-
config.ocsp_cert.has_private_key?.should == true
|
205
|
-
config.ocsp_cert.subject.to_s.should == "/C=US/ST=Illinois/L=Chicago/O=r509 LLC/CN=r509 OCSP Signer"
|
206
|
-
end
|
207
|
-
it "loads OCSP cert/key in engine from yaml" do
|
208
|
-
#most of this code path is tested by loading ca_cert engine.
|
209
|
-
#look there for the extensive doubling
|
210
|
-
expect { R509::Config::CAConfig.from_yaml("ocsp_engine_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError,"You must supply a key_name with an engine")
|
211
|
-
end
|
212
|
-
it "loads OCSP chain from yaml" do
|
213
|
-
config = R509::Config::CAConfig.from_yaml("ocsp_chain_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
214
|
-
config.ocsp_chain.size.should == 2
|
215
|
-
config.ocsp_chain[0].kind_of?(OpenSSL::X509::Certificate).should == true
|
216
|
-
config.ocsp_chain[1].kind_of?(OpenSSL::X509::Certificate).should == true
|
217
|
-
end
|
218
|
-
it "should load subject_item_policy from yaml (if present)" do
|
219
|
-
config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
220
|
-
config.profile("server").subject_item_policy.should be_nil
|
221
|
-
config.profile("server_with_subject_item_policy").subject_item_policy.optional.should include("O","OU")
|
222
|
-
config.profile("server_with_subject_item_policy").subject_item_policy.required.should include("CN","ST","C")
|
223
|
-
end
|
224
|
-
|
225
|
-
it "should load YAML which only has a CA Cert and Key defined" do
|
226
|
-
config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_minimal.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
227
|
-
config.num_profiles.should == 0
|
228
|
-
end
|
229
|
-
|
230
|
-
it "should load YAML which has CA cert and key with password" do
|
231
|
-
expect { R509::Config::CAConfig.from_yaml("password_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_password.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to_not raise_error
|
232
|
-
end
|
233
|
-
|
234
|
-
it "should load YAML which has a PKCS12 with password" do
|
235
|
-
expect { R509::Config::CAConfig.from_yaml("pkcs12_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to_not raise_error
|
236
|
-
end
|
237
|
-
|
238
|
-
it "raises error on YAML with pkcs12 and key" do
|
239
|
-
expect { R509::Config::CAConfig.from_yaml("pkcs12_key_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both pkcs12 and key")
|
240
|
-
end
|
241
|
-
|
242
|
-
it "raises error on YAML with pkcs12 and cert" do
|
243
|
-
expect { R509::Config::CAConfig.from_yaml("pkcs12_cert_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both pkcs12 and cert")
|
244
|
-
end
|
245
|
-
|
246
|
-
it "raises error on YAML with pkcs12 and engine" do
|
247
|
-
expect { R509::Config::CAConfig.from_yaml("pkcs12_engine_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both engine and pkcs12")
|
248
|
-
end
|
249
|
-
|
250
|
-
it "loads config with cert and no key (useful in certain cases)" do
|
251
|
-
config = R509::Config::CAConfig.from_yaml("cert_no_key_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_various.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
252
|
-
config.ca_cert.subject.to_s.should_not be_nil
|
253
|
-
end
|
254
|
-
|
255
|
-
it "should load YAML which has an engine" do
|
256
|
-
#i can test this, it's just gonna take a whole lot of floorin' it!
|
257
|
-
conf = double("conf")
|
258
|
-
engine = double("engine")
|
259
|
-
faux_key = double("faux_key")
|
260
|
-
|
261
|
-
public_key = OpenSSL::PKey::RSA.new("-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqLfP8948QEZMMkZNHLDP\nOHZVrPdVvecD6bp8dz96LalMQiWjgMkJf7mPHXoNMQ5rIpntiUOmhupu+sty30+C\ndbZZIbZohioTSYq9ZIC/LC9ME12F78GRMKhBGA+ZiouzWvXqOEdMnanfSgKrlSIS\nssF71dfmOEQ08fn9Vl5jAgWmGe+v615iHqBNGr64kYooTrZYLaPlTScO1UZ76vnB\nHfNQU+tsEZNXxtZXKQqkxHxLShCOj6qmYRNn/upTZoWWd04+zXjYGEC3eKvi9ctN\n9FY+KJ6QCCa8H0Kt3cU5qyw6pzdljhbG6NKhod7OMqlGjmHdsCAYAqe3xH+V/8oe\ndwIDAQAB\n-----END PUBLIC KEY-----\n")
|
262
|
-
|
263
|
-
conf.should_receive(:kind_of?).with(Hash).and_return(true)
|
264
|
-
conf.should_receive(:[]).with("ca_cert").and_return(
|
265
|
-
"cert" => "#{File.dirname(__FILE__)}/fixtures/test_ca.cer",
|
266
|
-
"engine" => engine,
|
267
|
-
"key_name" => "r509_key"
|
268
|
-
)
|
269
|
-
conf.should_receive(:[]).at_least(1).times.and_return(nil)
|
270
|
-
conf.should_receive(:has_key?).at_least(1).times.and_return(false)
|
271
|
-
|
272
|
-
engine.should_receive(:respond_to?).with(:load_private_key).and_return(true)
|
273
|
-
engine.should_receive(:kind_of?).with(OpenSSL::Engine).and_return(true)
|
274
|
-
faux_key.should_receive(:public_key).and_return(public_key)
|
275
|
-
engine.should_receive(:load_private_key).twice.with("r509_key").and_return(faux_key)
|
276
|
-
|
277
|
-
config = R509::Config::CAConfig.load_from_hash(conf)
|
278
|
-
end
|
279
|
-
|
280
|
-
it "should fail if YAML for ca_cert contains engine and key" do
|
281
|
-
expect { R509::Config::CAConfig.from_yaml("engine_and_key", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_engine_key.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, "You can't specify both key and engine")
|
282
|
-
end
|
283
|
-
|
284
|
-
it "should fail if YAML for ca_cert contains engine but no key_name" do
|
285
|
-
expect { R509::Config::CAConfig.from_yaml("engine_no_key_name", File.read("#{File.dirname(__FILE__)}/fixtures/config_test_engine_no_key_name.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError, 'You must supply a key_name with an engine')
|
286
|
-
end
|
287
|
-
|
288
|
-
it "should fail if YAML config is null" do
|
289
|
-
expect{ R509::Config::CAConfig.from_yaml("no_config_here", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError)
|
290
|
-
end
|
291
|
-
|
292
|
-
it "should fail if YAML config isn't a hash" do
|
293
|
-
expect{ R509::Config::CAConfig.from_yaml("config_is_string", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"}) }.to raise_error(ArgumentError)
|
294
|
-
end
|
295
|
-
|
296
|
-
it "should fail if YAML config doesn't give a root CA directory that's a directory" do
|
297
|
-
expect{ R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures/no_directory_here"}) }.to raise_error(R509::R509Error)
|
298
|
-
end
|
299
|
-
|
300
|
-
it "should load YAML from filename" do
|
301
|
-
config = R509::Config::CAConfig.load_yaml("test_ca", "#{File.dirname(__FILE__)}/fixtures/config_test.yaml", {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
302
|
-
config.crl_validity_hours.should == 72
|
303
|
-
config.ocsp_validity_hours.should == 96
|
304
|
-
config.message_digest.should == "SHA1"
|
305
|
-
end
|
306
|
-
|
307
|
-
it "can specify crl_number_file" do
|
308
|
-
config = R509::Config::CAConfig.new(
|
309
|
-
:ca_cert => TestFixtures.test_ca_cert,
|
310
|
-
:crl_number_file => "crl_number_file.txt"
|
311
|
-
)
|
312
|
-
config.crl_number_file.should == 'crl_number_file.txt'
|
313
|
-
end
|
314
|
-
|
315
|
-
it "can specify crl_list_file" do
|
316
|
-
config = R509::Config::CAConfig.new(
|
317
|
-
:ca_cert => TestFixtures.test_ca_cert,
|
318
|
-
:crl_list_file => "crl_list_file.txt"
|
319
|
-
)
|
320
|
-
config.crl_list_file.should == 'crl_list_file.txt'
|
321
|
-
end
|
322
|
-
|
323
|
-
end
|
324
|
-
|
325
|
-
describe R509::Config::SubjectItemPolicy do
|
326
|
-
it "raises an error if you supply a non-hash" do
|
327
|
-
expect { R509::Config::SubjectItemPolicy.new('string') }.to raise_error(ArgumentError, "Must supply a hash in form 'shortname'=>'required/optional'")
|
328
|
-
end
|
329
|
-
it "raises an error if a required element is missing" do
|
330
|
-
subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required")
|
331
|
-
subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
|
332
|
-
expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, /This profile requires you supply/)
|
333
|
-
end
|
334
|
-
it "raises an error if your hash values are anything other than required or optional" do
|
335
|
-
expect { R509::Config::SubjectItemPolicy.new("CN" => "somethirdoption") }.to raise_error(ArgumentError, "Unknown subject item policy value. Allowed values are required and optional")
|
336
|
-
end
|
337
|
-
it "validates a subject with the same fields as the policy" do
|
338
|
-
subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional")
|
339
|
-
subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
|
340
|
-
validated_subject = subject_item_policy.validate_subject(subject)
|
341
|
-
validated_subject.to_s.should == subject.to_s
|
342
|
-
end
|
343
|
-
it "preserves subject order when applying policies" do
|
344
|
-
subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required", "C" => "required")
|
345
|
-
subject = R509::Subject.new [["C","US"],["L","Chicago"],["ST","Illinois"],["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
|
346
|
-
validated_subject = subject_item_policy.validate_subject(subject)
|
347
|
-
validated_subject.to_s.should == "/C=US/L=Chicago/CN=langui.sh/OU=Org Unit/O=Org"
|
348
|
-
end
|
349
|
-
it "does not match if you get case of subject_item_policy element wrong" do
|
350
|
-
subject_item_policy = R509::Config::SubjectItemPolicy.new("cn" => "required")
|
351
|
-
subject = R509::Subject.new [["CN","langui.sh"]]
|
352
|
-
expect { subject_item_policy.validate_subject(subject) }.to raise_error(R509::R509Error, 'This profile requires you supply cn')
|
353
|
-
end
|
354
|
-
it "removes subject items that are not in the policy" do
|
355
|
-
subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required")
|
356
|
-
subject = R509::Subject.new [["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
|
357
|
-
validated_subject = subject_item_policy.validate_subject(subject)
|
358
|
-
validated_subject.to_s.should == "/CN=langui.sh"
|
359
|
-
end
|
360
|
-
it "does not reorder subject items as it validates" do
|
361
|
-
subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required")
|
362
|
-
subject = R509::Subject.new [["L","Chicago"],["CN","langui.sh"],["OU","Org Unit"],["O","Org"]]
|
363
|
-
validated_subject = subject_item_policy.validate_subject(subject)
|
364
|
-
validated_subject.to_s.should == subject.to_s
|
365
|
-
end
|
366
|
-
it "loads all the required and optional elements" do
|
367
|
-
subject_item_policy = R509::Config::SubjectItemPolicy.new("CN" => "required", "O" => "required", "OU" => "optional", "L" => "required", "emailAddress" => "optional")
|
368
|
-
subject_item_policy.optional.should include("OU","emailAddress")
|
369
|
-
subject_item_policy.required.should include("CN","O","L")
|
370
|
-
end
|
371
|
-
end
|
372
|
-
|
373
|
-
describe R509::Config::CAProfile do
|
374
|
-
context "validate certificate policy structure" do
|
375
|
-
it "must be an array" do
|
376
|
-
expect { R509::Config::CAProfile.new(:certificate_policies => "whatever") }.to raise_error(ArgumentError,'Not a valid certificate policy structure. Must be an array of hashes')
|
377
|
-
end
|
378
|
-
it "require a policy identifier" do
|
379
|
-
expect { R509::Config::CAProfile.new(:certificate_policies => [{"stuff" => "thing"}]) }.to raise_error(ArgumentError,'Each policy requires a policy identifier')
|
380
|
-
end
|
381
|
-
it "the cps uri must be array of strings" do
|
382
|
-
expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "cps_uris" => "not an array"}]) }.to raise_error(ArgumentError,'CPS URIs must be an array of strings')
|
383
|
-
end
|
384
|
-
it "user notices must be an array of hashes" do
|
385
|
-
expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "user_notices" => "not an array"}]) }.to raise_error(ArgumentError,'User notices must be an array of hashes')
|
386
|
-
end
|
387
|
-
it "org in user notice requires notice numbers" do
|
388
|
-
expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "user_notices" => [{"explicit_text" => "explicit", "organization" => "something"}]}]) }.to raise_error(ArgumentError,'If you provide an organization you must provide notice numbers')
|
389
|
-
end
|
390
|
-
it "notice numbers in user notice requires org" do
|
391
|
-
expect { R509::Config::CAProfile.new(:certificate_policies => [{"policy_identifier" => "1.2.3.4.5", "user_notices" => [{"explicit_text" => "explicit", "notice_numbers" => "1,2,3"}]}]) }.to raise_error(ArgumentError,'If you provide notice numbers you must provide an organization')
|
392
|
-
end
|
393
|
-
end
|
394
|
-
context "validate basic constraints structure" do
|
395
|
-
it "must be a hash with key \"ca\"" do
|
396
|
-
expect { R509::Config::CAProfile.new(:basic_constraints => 'string') }.to raise_error(ArgumentError, "You must supply a hash with a key named \"ca\" with a boolean value")
|
397
|
-
expect { R509::Config::CAProfile.new(:basic_constraints => {}) }.to raise_error(ArgumentError, "You must supply a hash with a key named \"ca\" with a boolean value")
|
398
|
-
end
|
399
|
-
it "must have true or false for the ca key value" do
|
400
|
-
expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => 'truestring'}) }.to raise_error(ArgumentError, "You must supply true/false for the ca key when specifying basic constraints")
|
401
|
-
end
|
402
|
-
it "must not pass a path_length if ca is false" do
|
403
|
-
expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => false, "path_length" => 5}) }.to raise_error(ArgumentError, "path_length is not allowed when ca is false")
|
404
|
-
end
|
405
|
-
it "must pass a non-negative integer to path_length" do
|
406
|
-
expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => true, "path_length" => -1.5}) }.to raise_error(ArgumentError, "Path length must be a non-negative integer (>= 0)")
|
407
|
-
expect { R509::Config::CAProfile.new(:basic_constraints => {"ca" => true, "path_length" => 1.5}) }.to raise_error(ArgumentError, "Path length must be a non-negative integer (>= 0)")
|
408
|
-
end
|
409
|
-
it "does not require a path_length when ca is true" do
|
410
|
-
ca_profile = R509::Config::CAProfile.new(:basic_constraints => {"ca" => true})
|
411
|
-
ca_profile.basic_constraints.should == {"ca" => true }
|
412
|
-
end
|
413
|
-
it "allows ca:false" do
|
414
|
-
ca_profile = R509::Config::CAProfile.new(:basic_constraints => {"ca" => false})
|
415
|
-
ca_profile.basic_constraints.should == {"ca" => false }
|
416
|
-
end
|
417
|
-
it "allows ca:true and a valid path length" do
|
418
|
-
ca_profile = R509::Config::CAProfile.new(:basic_constraints => {"ca" => true, "path_length" => 2})
|
419
|
-
ca_profile.basic_constraints.should == {"ca" => true, "path_length" => 2 }
|
420
|
-
end
|
421
|
-
end
|
422
|
-
context "validate key usage" do
|
423
|
-
it "errors with non-array" do
|
424
|
-
expect { R509::Config::CAProfile.new( :key_usage => 'not an array' ) }.to raise_error(ArgumentError, 'key_usage must be an array of strings (see README)')
|
425
|
-
end
|
426
|
-
it "loads properly" do
|
427
|
-
ku = ['digitalSignature']
|
428
|
-
profile = R509::Config::CAProfile.new( :key_usage => ku )
|
429
|
-
profile.key_usage.should == ku
|
430
|
-
end
|
431
|
-
end
|
432
|
-
context "validate extended key usage" do
|
433
|
-
it "errors with non-array" do
|
434
|
-
expect { R509::Config::CAProfile.new( :extended_key_usage => 'not an array' ) }.to raise_error(ArgumentError, 'extended_key_usage must be an array of strings (see README)')
|
435
|
-
end
|
436
|
-
it "loads properly" do
|
437
|
-
eku = ['serverAuth']
|
438
|
-
profile = R509::Config::CAProfile.new( :extended_key_usage => eku )
|
439
|
-
profile.extended_key_usage.should == eku
|
440
|
-
end
|
441
|
-
end
|
442
|
-
context "validate subject item policy" do
|
443
|
-
it "raises an error with an invalid subject_item_policy" do
|
444
|
-
expect { R509::Config::CAProfile.new( :subject_item_policy => "lenient!" ) }.to raise_error(ArgumentError,'subject_item_policy must be of type R509::Config::SubjectItemPolicy')
|
445
|
-
end
|
446
|
-
it "stores a valid subject_item_policy" do
|
447
|
-
policy = R509::Config::SubjectItemPolicy.new("CN" => "required")
|
448
|
-
expect { R509::Config::CAProfile.new( :subject_item_policy => policy) }.to_not raise_error
|
449
|
-
end
|
450
|
-
end
|
451
|
-
context "validate inhibit any policy" do
|
452
|
-
it "raises an error when not a number" do
|
453
|
-
expect { R509::Config::CAProfile.new( :inhibit_any_policy => "string" ) }.to raise_error(ArgumentError,'Inhibit any policy must be a non-negative integer')
|
454
|
-
end
|
455
|
-
it "raises an error when not >= 0" do
|
456
|
-
expect { R509::Config::CAProfile.new( :inhibit_any_policy => -5 ) }.to raise_error(ArgumentError,'Inhibit any policy must be a non-negative integer')
|
457
|
-
end
|
458
|
-
it "loads when providing valid data" do
|
459
|
-
profile = R509::Config::CAProfile.new(:inhibit_any_policy => 3)
|
460
|
-
profile.inhibit_any_policy.should == 3
|
461
|
-
end
|
462
|
-
end
|
463
|
-
context "validate policy constraints" do
|
464
|
-
it "raises an error when not a hash" do
|
465
|
-
expect { R509::Config::CAProfile.new( :policy_constraints => "string" ) }.to raise_error(ArgumentError,'Policy constraints must be provided as a hash with at least one of the two allowed keys: "inhibit_policy_mapping" and "require_explicit_policy"')
|
466
|
-
end
|
467
|
-
it "raises an error when no keys" do
|
468
|
-
expect { R509::Config::CAProfile.new( :policy_constraints => {} ) }.to raise_error(ArgumentError,'Policy constraints must have at least one of two keys: "inhibit_policy_mapping" and "require_explicit_policy" and the value must be non-negative')
|
469
|
-
end
|
470
|
-
it "raises an error when inhibit_policy_mapping is not valid" do
|
471
|
-
expect { R509::Config::CAProfile.new( :policy_constraints => {"inhibit_policy_mapping" => -5} ) }.to raise_error(ArgumentError,'inhibit_policy_mapping must be a non-negative integer')
|
472
|
-
end
|
473
|
-
it "raises an error when require_explicit_policy is not valid" do
|
474
|
-
expect { R509::Config::CAProfile.new( :policy_constraints => {"require_explicit_policy" => -1} ) }.to raise_error(ArgumentError,'require_explicit_policy must be a non-negative integer')
|
475
|
-
end
|
476
|
-
it "loads when provided inhibit_policy_mapping" do
|
477
|
-
profile = R509::Config::CAProfile.new( :policy_constraints => {"require_explicit_policy" => 1} )
|
478
|
-
profile.policy_constraints["require_explicit_policy"].should == 1
|
479
|
-
end
|
480
|
-
it "loads when provided require_explicit_policy" do
|
481
|
-
profile = R509::Config::CAProfile.new( :policy_constraints => {"inhibit_policy_mapping" => 0} )
|
482
|
-
profile.policy_constraints["inhibit_policy_mapping"].should == 0
|
483
|
-
end
|
484
|
-
it "loads when provided values for both keys" do
|
485
|
-
profile = R509::Config::CAProfile.new( :policy_constraints => {"require_explicit_policy" => 1, "inhibit_policy_mapping" => 4} )
|
486
|
-
profile.policy_constraints["require_explicit_policy"].should == 1
|
487
|
-
profile.policy_constraints["inhibit_policy_mapping"].should == 4
|
488
|
-
end
|
489
|
-
end
|
490
|
-
context "validate name constraints"do
|
491
|
-
it "raises an error when not a hash" do
|
492
|
-
expect { R509::Config::CAProfile.new( :name_constraints => 'a string' ) }.to raise_error(ArgumentError,'name_constraints must be provided as a hash')
|
493
|
-
end
|
494
|
-
it "raises an error when permitted and excluded are empty" do
|
495
|
-
expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [], "excluded" => []} ) }.to raise_error(ArgumentError,'If name_constraints are supplied you must have at least one valid permitted or excluded element')
|
496
|
-
end
|
497
|
-
it "raises an error when permitted or excluded are not arrays" do
|
498
|
-
expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => 'string', "excluded" => 'string'} ) }.to raise_error(ArgumentError,'permitted must be an array')
|
499
|
-
end
|
500
|
-
it "raises an error when permitted or excluded elements are not hashes with the required values" do
|
501
|
-
expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [{"type" => 'DNS'}]} ) }.to raise_error(ArgumentError,'Elements within the permitted array must be hashes with both type and value')
|
502
|
-
expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [{'value' => '127'}]} ) }.to raise_error(ArgumentError,'Elements within the permitted array must be hashes with both type and value')
|
503
|
-
end
|
504
|
-
it "raises an error when an invalid type is specified" do
|
505
|
-
expect { R509::Config::CAProfile.new( :name_constraints => {"permitted" => [{'type' => 'invalid', 'value' => '127'}]} ) }.to raise_error(ArgumentError,'invalid is not an allowed type. Check R509::ASN1::GeneralName.map_type_to_tag to see a list of types')
|
506
|
-
end
|
507
|
-
it "loads a config with just permitted" do
|
508
|
-
profile = R509::Config::CAProfile.new(:name_constraints => {"permitted" => [ { 'type' => 'DNS', 'value' => 'domain.com' } ] } )
|
509
|
-
profile.name_constraints["permitted"][0]['type'] = 'DNS'
|
510
|
-
profile.name_constraints["permitted"][0]['value'] = 'domain.com'
|
511
|
-
end
|
512
|
-
it "loads a config with just excluded" do
|
513
|
-
profile = R509::Config::CAProfile.new(:name_constraints => {"excluded" => [ { 'type' => 'IP', 'value' => '127.0.0.1/255.255.255.255' } ] } )
|
514
|
-
profile.name_constraints["excluded"][0]['type'] = 'IP'
|
515
|
-
profile.name_constraints["excluded"][0]['value'] = '127.0.0.1/255.255.255.255'
|
516
|
-
end
|
517
|
-
it "loads a config with both permitted and excluded" do
|
518
|
-
profile = R509::Config::CAProfile.new(:name_constraints => {"permitted" => [ { 'type' => 'DNS', 'value' => 'domain.com' } ], "excluded" => [ { 'type' => 'IP', 'value' => '127.0.0.1/255.255.255.255' } ] } )
|
519
|
-
profile.name_constraints["permitted"][0]['type'] = 'DNS'
|
520
|
-
profile.name_constraints["permitted"][0]['value'] = 'domain.com'
|
521
|
-
profile.name_constraints["excluded"][0]['type'] = 'IP'
|
522
|
-
profile.name_constraints["excluded"][0]['value'] = '127.0.0.1/255.255.255.255'
|
523
|
-
end
|
524
|
-
end
|
525
|
-
it "initializes and stores the options provided" do
|
526
|
-
profile = R509::Config::CAProfile.new(
|
527
|
-
:basic_constraints => {"ca" => true},
|
528
|
-
:key_usage => ["digitalSignature"],
|
529
|
-
:extended_key_usage => ["serverAuth"],
|
530
|
-
:certificate_policies => [
|
531
|
-
{ "policy_identifier" => "2.16.840.1.12345.1.2.3.4.1",
|
532
|
-
"cps_uris" => ["http://example.com/cps","http://other.com/cps"],
|
533
|
-
"user_notices" => [ {"explicit_text" => "thing", "organization" => "my org", "notice_numbers" => "1,2,3,4"} ]
|
534
|
-
}
|
535
|
-
],
|
536
|
-
:ocsp_no_check => true
|
537
|
-
)
|
538
|
-
profile.basic_constraints.should == {"ca" => true}
|
539
|
-
profile.key_usage.should == ["digitalSignature"]
|
540
|
-
profile.extended_key_usage.should == ["serverAuth"]
|
541
|
-
profile.certificate_policies[0]["policy_identifier"].should == "2.16.840.1.12345.1.2.3.4.1"
|
542
|
-
profile.ocsp_no_check.should == true
|
543
|
-
end
|
544
|
-
it "initializes with expected defaults" do
|
545
|
-
profile = R509::Config::CAProfile.new
|
546
|
-
profile.basic_constraints.should == nil
|
547
|
-
profile.key_usage.should == nil
|
548
|
-
profile.extended_key_usage.should == nil
|
549
|
-
profile.certificate_policies.should == nil
|
550
|
-
profile.ocsp_no_check.should == false
|
551
|
-
profile.subject_item_policy.should == nil
|
552
|
-
end
|
553
|
-
it "loads profiles from YAML while setting expected defaults" do
|
554
|
-
config = R509::Config::CAConfig.from_yaml("test_ca", File.read("#{File.dirname(__FILE__)}/fixtures/config_test.yaml"), {:ca_root_path => "#{File.dirname(__FILE__)}/fixtures"})
|
555
|
-
server_profile = config.profile("server") # no ocsp_no_check node
|
556
|
-
server_profile.ocsp_no_check.should == false
|
557
|
-
ocsp_profile = config.profile("ocsp_delegate_with_no_check") # ocsp_no_check => true
|
558
|
-
ocsp_profile.ocsp_no_check.should == true
|
559
|
-
client_profile = config.profile("client") # ocsp_no_check => false
|
560
|
-
client_profile.ocsp_no_check.should == false
|
561
|
-
end
|
562
|
-
end
|