RubyGems - rspec-ssltls - Versions diffs - 0.0.6 → 0.0.7 - Mend

rspec-ssltls 0.0.6 → 0.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/README.md +5 -0
data/lib/rspec_ssltls/have_certificate.rb +40 -6
data/lib/rspec_ssltls/version.rb +1 -1
data/spec/rspec_ssltls/have_certificate_spec.rb +45 -38
data/spec/spec_helper.rb +54 -0
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f53f243b2bc3862aad3ac2209d05e2c662b77210
-  data.tar.gz: 11cf15f123a76a3bf18bcd99222ac8e5ee0371a8
+  metadata.gz: 22a5bfa0f3ceeea792d4ea2afaaf3b47602062af
+  data.tar.gz: 4a321f42d84d785870a4deef599e9c05a9c78216
 SHA512:
-  metadata.gz: 14e405703da16d307ad45a5a6c83973c834e14d100e063fc6588e395fab7b904511757ebd5f864155d571f26a14340d12f1956d09e9c1d7a70d11e8378adccaa
-  data.tar.gz: b28758a21a282f4aa6b668b3bf6704e8adf7c41bd180a3932faa178c5cb328b9ea312e4d4e01e17e73035bc5a790d8347efa240d1f21a0e0b4968decf4487b02
+  metadata.gz: 324e3e06008f554cbd7386958106ce95249a48ed7db37f5cbc2ed2c05e49d42fd2a2a917c2202ff7c867d1fdb5cdd7c813add31da11f0599c8092f6731b79e5e
+  data.tar.gz: 57db920d7b9793975f26ba5b99941bdcb6efdb8b386b3d84191c94fa4fb6e5ff6ad3ea3ac44a6b8c0ce682855d4e87c19db036e09e11eab472c58d59613558e0

data/README.md CHANGED Viewed

@@ -34,6 +34,11 @@ describe 'www.example.com:443' do
     is_expected.to have_certificate
       .subject(CN: '*.example.com').signature_algorithm('sha1WithRSAEncryption')
   end
+  it { is_expected.to have_certificate.verified }
+  it do
+    is_expected.to have_certificate
+      .verified_with(File.read('example.org.cer'))
+  end
   it { is_expected.to support_protocol('TLSv1_2') }
   it { is_expected.to support_cipher('AES256-SHA').protocol('TLSv1') }
   it { is_expected.to support_cipher('DES-CBC3-SHA').protocol('SSLv3') }

data/lib/rspec_ssltls/have_certificate.rb CHANGED Viewed

@@ -4,18 +4,23 @@ require 'time'
 RSpec::Matchers.define :have_certificate do
   match do |dest|
-    @chain_string ||= ''
+    @chain_string  ||= ''
     @result_string ||= ''
-    @chain_number ||= 0
+    @chain_number  ||= 0
     uri = URI.parse('https://' + dest)
     socket = TCPSocket.open(uri.host, uri.port)
     ssl_context = OpenSSL::SSL::SSLContext.new
+    ssl_context.verify_mode = @verify_mode if @verify_mode
+    ssl_context.cert_store  = @cert_store  if @cert_store
     ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ssl_context)
     ssl_socket.sync_close = true
     ssl_socket.connect
-    @peer_cert = ssl_socket.peer_cert_chain[@chain_number]
+    if ssl_socket.peer_cert_chain
+      @peer_cert = ssl_socket.peer_cert_chain[@chain_number]
+    end
+    @verify_result = ssl_socket.verify_result
     ssl_socket.close
-    @peer_cert ? valid_cert? : false
+    @peer_cert ? valid_cert? && verified_cert? : false
   end
   chain :subject do |id|
@@ -32,16 +37,32 @@ RSpec::Matchers.define :have_certificate do
       RspecSsltls::Util.add_string(@chain_string, "chain[#{n}]")
   end
+  chain :verified do
+    @verify_mode = OpenSSL::SSL::VERIFY_PEER
+    @cert_store = OpenSSL::X509::Store.new
+    @cert_store.set_default_paths
+    @chain_string =
+      RspecSsltls::Util.add_string(@chain_string, 'verified')
+  end
+  chain :verified_with do |c|
+    @verify_mode = OpenSSL::SSL::VERIFY_PEER
+    @cert_store = OpenSSL::X509::Store.new
+    @cert_store.add_file(c)
+    @chain_string =
+      RspecSsltls::Util.add_string(@chain_string, "verified with #{c}")
+  end
   chain :valid_at do |t|
     @chain_string =
-      RspecSsltls::Util.add_string(@chain_string, "valiid at #{t}")
+      RspecSsltls::Util.add_string(@chain_string, "valid at #{t}")
     @t1 = t
     @t2 = t
   end
   chain :valid_in do |t1, t2|
     @chain_string = RspecSsltls::Util
-      .add_string(@chain_string, "valiid in #{t1} - #{t2}")
+      .add_string(@chain_string, "valid in #{t1} - #{t2}")
     @t1 = t1
     @t2 = t2
   end
@@ -91,6 +112,17 @@ RSpec::Matchers.define :have_certificate do
       RspecSsltls::Util.add_string(@chain_string, "#{key} #{kv}", ' ')
   end
+  def verified_cert?
+    return true if @verify_mode.nil?
+    @result_string += "  expected: verified\n"
+    if @verify_result == OpenSSL::X509::V_OK
+      @result_string += "  actual:   verified\n"
+    else
+      @result_string += "  actual:   unverified(errorcode: #{@verify_result})\n"
+    end
+    @verify_result == OpenSSL::X509::V_OK
+  end
   def valid_in?
     return true unless @t1 && @t2
     fail 'Input time range is incorrect' if @t2 < @t1
@@ -133,5 +165,7 @@ RSpec::Matchers.define :have_certificate do
   failure_message_when_negated do
     s = "expected not to have a certificate#{@chain_string}, but did."
     s + "\n#{@result_string}"
+      .sub(/(expected:)/, 'expected not:')
+      .sub(/(actual:)/,   'actual:    ')
   end
 end

data/lib/rspec_ssltls/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 # Easily test your SSL/TLS with RSpec.
 module RspecSsltls
-  VERSION = '0.0.6'
+  VERSION = '0.0.7'
 end

data/spec/rspec_ssltls/have_certificate_spec.rb CHANGED Viewed

@@ -1,44 +1,7 @@
 require 'spec_helper'
 require 'rspec_ssltls'
-def stub_ssl_socket(params = nil)
-  allow(TCPSocket).to receive(:open).and_return(nil)
-  allow(OpenSSL::SSL::SSLSocket).to receive(:new) do
-    ssl_socket = double('ssl_socket')
-    allow(ssl_socket).to receive(:method_missing).and_return(nil)
-    params.each_pair do |k, v|
-      allow(ssl_socket).to receive(k).and_return(v)
-    end if params
-    ssl_socket
-  end
-end
-# See http://www.ietf.org/rfc/rfc5280.txt 4.1.2.4
-# See https://github.com/openssl/openssl/blob/master/crypto/objects/obj_xref.txt
-example_ca_cert_name =
-  OpenSSL::X509::Name.new([%w(C US),
-                           %w(O Example\ Org.),
-                           %w(OU Example\ Org.\ Div.),
-                           %w(CN ca.example.org)
-                          ])
-example_ca_cert = OpenSSL::X509::Certificate.new
-example_ca_cert.subject = example_ca_cert_name
-example_ca_cert.not_before = Time.utc(0, 0, 0, 1, 10, 2014, nil, nil, nil, nil)
-example_ca_cert.not_after  = Time.utc(0, 0, 0, 1, 10, 2022, nil, nil, nil, nil)
-example_cert_name =
-  OpenSSL::X509::Name.new([%w(C JP),
-                           %w(ST Tokyo),
-                           %w(O Example\ Co.,\ Ltd.),
-                           %w(OU Example\ Div.),
-                           %w(CN *.example.com)
-                          ])
-example_cert = OpenSSL::X509::Certificate.new
-example_cert.subject = example_cert_name
-example_cert.issuer = example_ca_cert_name
-example_cert.not_before = Time.utc(5, 0, 19, 12, 9, 2014, nil, nil, nil, nil)
-example_cert.not_after  = Time.utc(0, 0, 0, 1, 10, 2015, nil, nil, nil, nil)
+example_ca_cert, example_cert = prepare_ca_certs
 describe 'rspec-ssltls matchers' do
   describe '#have_certificate' do
@@ -49,6 +12,10 @@ describe 'rspec-ssltls matchers' do
         .and_return('sha1WithRSAEncryption')
     end
+    after :all do
+      cleanup_ca_certs
+    end
     ## Having certificate
     it 'can evalutate having certificate' do
       stub_ssl_socket(peer_cert_chain: [nil])
@@ -227,5 +194,45 @@ describe 'rspec-ssltls matchers' do
         .subject(CN: '*.example.com')
         .signature_algorithm('sha1WithRSAEncryption')
     end
+    ## Verified
+    it 'can evalutate certificate verified' do
+      stub_ssl_socket(peer_cert_chain: [example_cert, example_ca_cert],
+                      verify_result: OpenSSL::X509::V_OK)
+      expect('www.example.com:443').to have_certificate
+        .verified
+      stub_ssl_socket(peer_cert_chain: nil,
+                      verify_result: OpenSSL::X509::V_ERR_CERT_REJECTED)
+      expect('www.example.com:443').not_to have_certificate
+        .verified
+    end
+    # show default description
+    it do
+      stub_ssl_socket(peer_cert_chain: [example_cert],
+                      verify_result: OpenSSL::X509::V_OK)
+      expect('www.example.com:443').to have_certificate
+        .verified
+    end
+    ## Verified with CA certficate
+    it 'can evalutate certificate verified with CA certificate' do
+      stub_ssl_socket(peer_cert_chain: [example_cert, example_ca_cert],
+                      verify_result: OpenSSL::X509::V_OK)
+      expect('www.example.com:443').to have_certificate
+        .verified_with('tmp/ca_cert.cer')
+      stub_ssl_socket(peer_cert_chain: nil,
+                      verify_result: OpenSSL::X509::V_ERR_CERT_UNTRUSTED)
+      expect('www.example.com:443').not_to have_certificate
+        .verified_with('tmp/cert.cer')
+    end
+    # show default description
+    it do
+      stub_ssl_socket(peer_cert_chain: [example_cert],
+                      verify_result: OpenSSL::X509::V_OK)
+      expect('www.example.com:443').to have_certificate
+        .verified_with('tmp/ca_cert.cer')
+    end
   end
 end

data/spec/spec_helper.rb CHANGED Viewed

@@ -14,6 +14,8 @@ end
 $LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
 require 'rspec_ssltls'
+require 'openssl'
+require 'fileutils'
 def stub_ssl_socket(params = nil)
   allow(TCPSocket).to receive(:open).and_return(nil)
@@ -26,3 +28,55 @@ def stub_ssl_socket(params = nil)
     ssl_socket
   end
 end
+def prepare_ca_certs
+  example_ca_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key
+  example_ca_cert = OpenSSL::X509::Certificate.new
+  example_ca_cert.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
+  example_ca_cert.serial = 1
+  example_ca_cert.subject =
+    OpenSSL::X509::Name.new([%w(C US),
+                             %w(O Example\ Org.),
+                             %w(OU Example\ Org.\ Div.),
+                             %w(CN ca.example.org)
+                            ])
+  example_ca_cert.issuer = example_ca_cert.subject # self-signed
+  example_ca_cert.public_key = example_ca_key.public_key
+  example_ca_cert.not_before =
+    Time.utc(0, 0, 0, 1, 10, 2014, nil, nil, nil, nil)
+  example_ca_cert.not_after  =
+    Time.utc(0, 0, 0, 1, 10, 2022, nil, nil, nil, nil)
+  example_ca_cert.sign(example_ca_key, OpenSSL::Digest::SHA256.new)
+  example_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key
+  example_cert = OpenSSL::X509::Certificate.new
+  example_cert.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
+  example_cert.serial = 1
+  example_cert.subject =
+    OpenSSL::X509::Name.new([%w(C JP),
+                             %w(ST Tokyo),
+                             %w(O Example\ Co.,\ Ltd.),
+                             %w(OU Example\ Div.),
+                             %w(CN *.example.com)
+                            ])
+  example_cert.issuer = example_ca_cert.subject
+  example_cert.public_key = example_key.public_key
+  example_cert.not_before =
+    Time.utc(5, 0, 19, 12, 9, 2014, nil, nil, nil, nil)
+  example_cert.not_after  =
+    Time.utc(0, 0, 0, 1, 10, 2015, nil, nil, nil, nil)
+  example_cert.sign(example_ca_key, OpenSSL::Digest::SHA256.new)
+  FileUtils.mkdir_p('tmp')
+  File.open('tmp/ca_cert.key', 'wb') { |f| f.print example_ca_key.to_pem }
+  File.open('tmp/ca_cert.cer', 'wb') { |f| f.print example_ca_cert.to_pem }
+  File.open('tmp/cert.key', 'wb') { |f| f.print example_key.to_pem }
+  File.open('tmp/cert.cer', 'wb') { |f| f.print example_cert.to_pem }
+  [example_ca_cert, example_cert]
+end
+def cleanup_ca_certs
+  %w(tmp/ca_cert.key tmp/ca_cert.cer tmp/cert.key tmp/cert.cer)
+    .each { |f|  File.delete(f) if File.exist?(f) }
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rspec-ssltls
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.0.7
 platform: ruby
 authors:
 - OTA Hiroshi
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-10-27 00:00:00.000000000 Z
+date: 2014-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec