scep 0.0.1

data/lib/scep/pki_operation/proxy.rb

@@ -0,0 +1,117 @@
+module SCEP
+
+  module PKIOperation
+    # Enables proxying a PKI SCEP request from the DSL to another SCEP server
+    # @example
+    #   def pkioperation
+    #     server = SCEP::Endpoint.new
+    #     proxy = SCEP::Proxy.new(server, @ra_cert, @ra_pk)
+    #     proxy.add_verification_certificate @some_cert  # For decrypting the request - this way not "anyone" can decrypt
+    #     response = proxy.forward_pki_request(request.raw_post)
+    #     send_data response.p7enc_response.to_der
+    #   end
+    class Proxy
+      attr_accessor :server
+
+      attr_accessor :ra_keypair
+
+      # Whether we should verify certificates when decrypting
+      # @return [Boolean]
+      attr_accessor :verify_request
+
+      attr_accessor :verify_response
+
+      # X509 certificates to verify against the request
+      # @return [Array<OpenSSL::X509::Certificate>] a list of certs
+      attr_accessor :request_verification_certificates
+
+      attr_accessor :response_verification_certificates
+
+      # @param [SCEP::Endpoint] server
+      # @param [Keypair] ra_keypair
+      def initialize(server, ra_keypair)
+        @server     = server
+        @ra_keypair = ra_keypair
+        @verify_request = true
+        @verify_response = true
+        @request_verification_certificates = []
+        @response_verification_certificates = []
+      end
+
+      # Add certificates to verify when decrypting a request
+      # @param [OpenSSL::X509::Certificate]
+      def add_response_verification_certificate(cert)
+        @response_verification_certificates << cert
+      end
+
+      def add_request_verification_certificate(cert)
+        @request_verification_certificates << cert
+      end
+
+      # Don't verify certificates (possibly dangerous)
+      def no_verify!
+        no_verify_response!
+        no_verify_request!
+      end
+
+      def no_verify_response!
+        @verify_response = false
+      end
+
+      def no_verify_request!
+        @verify_request = false
+      end
+
+      # Proxies the raw post request to another SCEP server. Extracts CSR andpublic keys along the way
+      # @param [String] raw_post the raw post data. Should be a PKCS#7 der encoded message
+      # @return [SCEP::Proxy::Result] the results of
+      def forward_pki_request(raw_post)
+        # Decrypt the request and re-encrypt for the target SCEP server
+        request = SCEP::PKIOperation::Request.new(ra_keypair)
+        request_verification_certificates.each do |cert|
+          request.verify_against(cert)
+        end
+        reencrypted = request.proxy(raw_post, server.ra_certificate, verify_request).to_der
+
+        # Forward to SCEP server
+        http_response_body = server.pki_operation(reencrypted, true)
+
+        # Decrypt response and re-encrypt for the device
+        response = SCEP::PKIOperation::Response.new(ra_keypair)
+        response_verification_certificates.each do |cert|
+          response.verify_against(cert)
+        end
+        response_reencrypted = response.proxy(http_response_body, request.p7sign.certificates, verify_response)
+
+        # Package relevant information
+        return Result.new(request.csr, response.signed_certificates, response_reencrypted)
+      end
+
+      # Contains useful data from the results of proxying a SCEP request. Includes unencrypted
+      # CSRs, Signed certificates and encrypted response
+      class Result
+
+        # The CSR sent to us
+        # @return [OpenSSL::X509::Request]
+        attr_accessor :csr
+
+        # The signed certificates from the scep server
+        # @return [Array<OpenSSL::X509::Certificate>]
+        attr_accessor :signed_certificates
+
+        # The resulting encrypted result. Should be sent back to client as DER
+        # @return [OpenSSL::PKCS7]
+        attr_accessor :p7enc_response
+
+        # @param [OpenSSL::X509::Request] csr
+        # @param [Array<OpenSSL::X509::Certificate>] signed_certificates
+        # @param [OpenSSL::PKCS7] p7enc_response
+        def initialize(csr, signed_certificates, p7enc_response)
+          @csr = csr
+          @signed_certificates= signed_certificates
+          @p7enc_response = p7enc_response
+        end
+      end
+    end
+  end
+end

data/lib/scep/pki_operation/request.rb

@@ -0,0 +1,70 @@
+module SCEP
+
+  module PKIOperation
+
+    # Handles decoding or creation of a scep CSR request.
+    #
+    # @example Get Certificates Ready
+    #   ra_cert = SCEP::DEFAULT_RA_CERTIFICATE
+    #   ra_key  = SCEP::DEFAULT_RA_PRIVATE_KEY
+    #
+    # @example Decrypt SCEP Request
+    #   # Get the encrypted and signed scep request (der format) somehow
+    #   encrypted_scep_request = foo
+    #
+    #   # Make request & decrypt
+    #   request = SCEP::PKIOperation::Request.new(ra_cert, ra_key)
+    #   request.x509_store.add_certificate some_cert  # Add cert to verify
+    #   csr = decrypt(encrypted_scep_request)  # OpenSSL::X509::Request
+    #
+    # @example Encrypt SCEP Request
+    #   # Get a CSR object, usually from an earlier step
+    #   some_csr = foo
+    #
+    #   # This is the target OpenSSL::X509::Certificate that we should encrypt this for.
+    #   # This will usually be the RA certificate of another SCEP server
+    #   target_encryption_cert  = bar
+    #
+    #   request = SCEP::PKIOperation::request.new(ra_cert, ra_key)
+    #   request.csr = some_csr
+    #
+    #   # Finally, encrypt it in der format
+    #   request.encrypt(target_encryption_cert)
+    #
+    class Request < Base
+
+      # The certificate request
+      # @return [OpenSSL::X509::Request]
+      attr_accessor :csr
+
+      # Decrypts a signed and encrypted csr. Sets {#csr} to the decrypted value
+      # @param [String] signed_and_encrypted_csr the raw and encrypted
+      # @param [Boolean] verify if TRUE, verifies against {#x509_store}. If FALSE, skips verification
+      # @raise [SCEP::PKIOperation::VerificationFailed] if `verify` is TRUE and the signed payload
+      #   was *not* verified against the {#x509_store}.
+      # @return [OpenSSL::X509::Request] the raw CSR
+      def decrypt(signed_and_encrypted_csr, verify = true)
+        raw_csr = unsign_and_unencrypt_raw(signed_and_encrypted_csr, verify)
+        @csr = OpenSSL::X509::Request.new(raw_csr)
+      end
+
+      # Encrypt and sign the CSR
+      # @param [OpenSSL::X509::Certificate] target_encryption_certs the certificat(s) we should encrypt this for
+      # @return [OpenSSL::PKCS7]
+      def encrypt(target_encryption_certs)
+        raise ArgumentError, '#csr must be an OpenSSL::X509::Request' unless
+          csr.is_a?(OpenSSL::X509::Request)
+        sign_and_encrypt_raw(csr.to_der, target_encryption_certs)
+      end
+
+      # Decrypts a signed and encrypted payload and then re-encrypts it. {#csr} will contain the CSR object
+      # @param [String] signed_and_encrypted_csr
+      # @param [OpenSSL::X509::Certificate] target_encryption_certs
+      # @return [OpenSSL::PKCS7]
+      def proxy(signed_and_encrypted_csr, target_encryption_certs, verify = true)
+        decrypt(signed_and_encrypted_csr, verify)
+        encrypt(target_encryption_certs)
+      end
+    end
+  end
+end

data/lib/scep/pki_operation/response.rb

@@ -0,0 +1,86 @@
+module SCEP
+  module PKIOperation
+
+    # Represents a SCEP response from the PKIOperation, which can do two of the following:
+    #
+    # * Parse a response form another SCEP server (useful for proxying)
+    # * Create our own SCEP response
+    #
+    # @example Get Certificates Ready
+    #   ra_cert = SCEP::DEFAULT_RA_CERTIFICATE
+    #   ra_key  = SCEP::DEFAULT_RA_PRIVATE_KEY
+    #
+    # @example Decrypt a SCEP Response
+    #   # get encrypted and signed scep response somehow
+    #   encrypted_scep_response = foo
+    #
+    #   # Make response & decrypt
+    #   response = SCEP::PKIOperation::Response.new(ra_cert, ra_key)
+    #   certs  = response.decrypt(encrypted_scep_response)  # Array of OpenSSL::X509::Certificate
+    #
+    # @example Create an Encrypted and Signed Response
+    #   # This should be an OpenSSL::X509::Certificate signed by a CA.
+    #   # This will be from an earlier part of the scep flow
+    #   recently_signed_x509_cert = foo
+    #
+    #   # This is the target OpenSSL::X509::Certificate that we should encrypt this for.
+    #   # This will usually be the certificate of whomever signed the initial scep request
+    #   target_encryption_cert  = bar
+    #
+    #   # Make the response objects and attach certs
+    #   response = SCEP::PKIOperation::Response.new(ra_cert, ra_key)
+    #   response.signed_certificates = recently_signed_x509_cert
+    #
+    #   # Finally, encrypt it in a der format
+    #   encrypted_binary_string = response.encrypt(target_encryption_cert)
+    #
+    class Response < Base
+
+
+      # Adds a single, or many certificates to encrypt and sign further
+      # @param [Array<OpenSSL::X509::Certificate>] certs
+      def signed_certificates=(certs)
+        @signed_certificates = wrap_array(certs)
+      end
+
+      # Gets any signed certificates that will be encrypted and signed in a SCEP format
+      # @return [Array<OpenSSL::X509::Certificate>]
+      def signed_certificates
+        @signed_certificates ||= []
+      end
+
+      # Decrypts a raw response and assigns {#signed_certificates}
+      # @param [String] raw_string the raw response
+      # @return [Array<OpenSSL::X509::Certificates>] the certificates that were contained
+      #   in `raw_string`.
+      def decrypt(raw_string, verify = true)
+        p7raw = unsign_and_unencrypt_raw(raw_string, verify)
+        p7certs = OpenSSL::PKCS7.new(p7raw)
+        @signed_certificates = p7certs.certificates
+      end
+
+      # Takes the {#signed_certificates} attached to this object and return them in a format
+      # defined by SCEP.
+      # @param [Array<OpenSSL::X509::Certificate>] target_encryption_certs only those who possess a
+      #   private key of one of the `target_encryption_certs` will be able to decrypt the resulting
+      #   payload.
+      # @return [String] the signed and encrypted payload in binary (DER) format
+      def encrypt(target_encryption_certs)
+        raise ArgumentError, 'Must contain at least one of #signed_certificates' unless
+          signed_certificates.any?
+        p7certs = PKCS7CertOnly.new(signed_certificates)
+        sign_and_encrypt_raw(p7certs.to_der, target_encryption_certs)
+      end
+
+      # Decrypts a signed and encrypted response, gets the certificates ({#signed_certificates}) and then
+      # re-encrypts and signs it.
+      # @param [String] signed_and_encrypted_certs
+      # @param [OpenSSL::X509::Certificate] target_encryption_certs
+      # @return [OpenSSL::PKCS7]
+      def proxy(signed_and_encrypted_certs, target_encryption_certs, verify = true)
+        decrypt(signed_and_encrypted_certs, verify)
+        encrypt(target_encryption_certs)
+      end
+    end
+  end
+end

data/lib/scep/pki_operation.rb

@@ -0,0 +1,10 @@
+module SCEP
+  module PKIOperation
+    class VerificationFailed < StandardError; end
+
+    autoload :Base,     'scep/pki_operation/base'
+    autoload :Proxy,    'scep/pki_operation/proxy'
+    autoload :Request,  'scep/pki_operation/request'
+    autoload :Response, 'scep/pki_operation/response'
+  end
+end

data/lib/scep/version.rb

@@ -0,0 +1,3 @@
+module SCEP
+  VERSION = '0.0.1'
+end

data/lib/scep.rb

@@ -0,0 +1,41 @@
+require 'logger'
+require 'openssl'
+
+require 'scep/version'
+
+module SCEP
+  autoload :Endpoint,       'scep/endpoint'
+  autoload :PKIOperation,   'scep/pki_operation'
+  autoload :PKCS7CertOnly,  'scep/pkcs7_cert_only'
+  autoload :Keypair,        'scep/keypair'
+
+  # Allows backwards-compatibility between ruby 1.8.7 and newer versions
+  # @return [OpenSSL::PKCS7]
+  PKCS7 = defined?(OpenSSL::PKCS7::PKCS7) ? OpenSSL::PKCS7::PKCS7 : OpenSSL::PKCS7
+
+  class << self
+
+    # Allows you to set the SCEP logger
+    # @example
+    #   SCEP.logger = Rails.logger
+    attr_writer :logger
+
+    # Gets the logger that the SCEP library will use
+    # @return [Logger]
+    def logger
+      @logger ||= default_logger
+    end
+
+    protected
+
+    def default_logger
+      defined?(Rails) ? Rails.logger : Logger.new(STDOUT)
+    end
+  end
+
+  module Loggable
+    def logger
+      SCEP.logger
+    end
+  end
+end

data/scep.gemspec

@@ -0,0 +1,32 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'scep/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'scep'
+  spec.version       = SCEP::VERSION
+  spec.authors       = ['Christopher Thornton']
+  spec.email         = ['christopher.thornton@onelogin.com']
+  spec.summary       = %q{SCEP libraries}
+  spec.description   = %q{Makes development of SCEP services easier}
+  spec.homepage      = 'https://github.com/onelogin/scep-gem'
+  spec.license       = 'Proprietary'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  if RUBY_VERSION < '1.9'
+    spec.add_dependency 'httparty', '<= 0.11'
+  else
+    spec.add_dependency 'httparty'
+  end
+
+  spec.add_development_dependency 'bundler', '~> 1.7'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'pry', '~> 0.9.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'webmock'
+end

data/spec/console

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+require 'bundler'
+Bundler.require :default
+require 'scep'
+require 'pry'
+
+pry

data/spec/fixtures/self-signed.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAlgCCQDmERYwZBL3OzANBgkqhkiG9w0BAQUFADCBuzELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x
+HDAaBgNVBAoTE09uZUxvZ2luIFRlc3QgU3VpdGUxEzARBgNVBAsTClRlc3QgU3Vp
+dGUxGjAYBgNVBAMTEW9uZWxvZ2luLXRlc3QuY29tMTAwLgYJKoZIhvcNAQkBFiFj
+aHJpc3RvcGhlci50aG9ybnRvbkBvbmVsb2dpbi5jb20wHhcNMTUwMzA2MjEzOTEy
+WhcNMTYwMzA1MjEzOTEyWjCBuzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlm
+b3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xHDAaBgNVBAoTE09uZUxvZ2lu
+IFRlc3QgU3VpdGUxEzARBgNVBAsTClRlc3QgU3VpdGUxGjAYBgNVBAMTEW9uZWxv
+Z2luLXRlc3QuY29tMTAwLgYJKoZIhvcNAQkBFiFjaHJpc3RvcGhlci50aG9ybnRv
+bkBvbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK5t7qT9
+CJJ6KA2+BRCxAY7kyufZlCAUSs0c2pJ/WlT+JKA+B8/toUU7ymqri2CffgOdAazJ
+Wk3o9isZGV2SFIag5cFBkoVH6xUS9VtoaGofJFa6GfLmhr7DOoUZm6VAwKJ9944M
+hxvL901KjV8/UGI2jqk5RFoiRdiF1ItjlDGTAgMBAAEwDQYJKoZIhvcNAQEFBQAD
+gYEAMQMOtDWkQqLfm41gSSXRNqjhT21jk0EpGdPFmHcyrNXPIkO+98jJxWYG9Wrf
++RO2Ov05RhgXyIk0OXvDf3QDikZIH4oLVKj4ospWAeLQN79KjWFVFnalbmnG6LDf
+ApMWNzv5J9iMy9bRTQnV/E5vTW8iEKYqp7+EwVSJvnzZXLs=
+-----END CERTIFICATE-----

data/spec/fixtures/self-signed.csr

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICMDCCAZkCAQAwgbsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
+MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRwwGgYDVQQKExNPbmVMb2dpbiBUZXN0
+IFN1aXRlMRMwEQYDVQQLEwpUZXN0IFN1aXRlMRowGAYDVQQDExFvbmVsb2dpbi10
+ZXN0LmNvbTEwMC4GCSqGSIb3DQEJARYhY2hyaXN0b3BoZXIudGhvcm50b25Ab25l
+bG9naW4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCube6k/QiSeigN
+vgUQsQGO5Mrn2ZQgFErNHNqSf1pU/iSgPgfP7aFFO8pqq4tgn34DnQGsyVpN6PYr
+GRldkhSGoOXBQZKFR+sVEvVbaGhqHyRWuhny5oa+wzqFGZulQMCiffeODIcby/dN
+So1fP1BiNo6pOURaIkXYhdSLY5QxkwIDAQABoDQwFQYJKoZIhvcNAQkHMQgTBmZv
+b2JhcjAbBgkqhkiG9w0BCQIxDhMMT25lTG9naW4gSU5DMA0GCSqGSIb3DQEBBQUA
+A4GBAFo8Jpl/kjSY7vmI3e40wuwbj1ttMydGV7e5iVuUA5vtOSoxPwZ2T4xpeq6U
+fe3iaJ43G0pBdmAZhNh2mb/Rk6rCeZHPKJxt987yzPD2fvOv6HPWUqj0gqy2nl8b
+/moA7meHhbWTBh2hhiYCJwu1jS97zWHY0pWA3moVT38HiLcb
+-----END CERTIFICATE REQUEST-----

data/spec/fixtures/self-signed.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCube6k/QiSeigNvgUQsQGO5Mrn2ZQgFErNHNqSf1pU/iSgPgfP
+7aFFO8pqq4tgn34DnQGsyVpN6PYrGRldkhSGoOXBQZKFR+sVEvVbaGhqHyRWuhny
+5oa+wzqFGZulQMCiffeODIcby/dNSo1fP1BiNo6pOURaIkXYhdSLY5QxkwIDAQAB
+AoGABzcm8w5Ah4akF4VvwjQAQ3/1YMfgV79fJML3y62W+AMXUsWeHxzOWgXSJr13
+44RVeyLIifQ+VxC29itwoC1FygZerxsN6JnnbzYpqcF4XbgjYaVFiHI05PMWPGnv
+Tv4cSmi4/BdTSXzC06FWFqxm2vejNd5S4dTTWrKUt3pLJGkCQQDkb6h7ZcQh2QUX
+OV+7+xyM8WTC8eTGwOQ3MPrskBfIvmfAisUcmO6AesWS0eC9uoH2sxj/2Wcm+ve+
+DZDONVKFAkEAw3oElz3g/UX88k2aHVqWhJdwcKvP0yhsiaiznVlGgx/tBdDN0Xz5
+EgsVKJpZKPXIN7hLDQ8mAF/KyMbg/fDLNwJAEaFUfYGTK5GWRP6WlumAgJg40Jre
+r0A/3MqY8x0D2OhpFYEgSV68OYpAKV6tW7dDRIj6CvT6cxW3fSGK5X9UCQJAW2YL
+DXh2YZY+7kCQpdb8d+SjQ1tiYhYNodQKn7DlglwEJGr8QU5Q2znpW8HHnJpHUp5O
+IT4LA7PGilhLTREwwwJBANvaRo0WdMyokz6LBYJxJqu/ZQO+Tyr7I9Yx3xMoluCO
+nhzDimCUTwe5FcIZUohlhxMuQchJrnXIf9nsxnFC5e4=
+-----END RSA PRIVATE KEY-----

data/spec/lib/scep/endpoint_spec.rb

@@ -0,0 +1,131 @@
+require 'spec_helper'
+
+describe SCEP::Endpoint do
+
+  # The CA and RA of our SCEP server
+  let(:ca_keypair) { generate_keypair }
+  let(:ra_keypair) { generate_keypair(ca_keypair)}
+
+  # Not signed by CA!
+  let(:invalid_ra_keypair) { generate_keypair }
+
+  let(:base_url) { 'http://scep.server' }
+  let(:p7certs_ca_ra) { SCEP::PKCS7CertOnly.new([ca_keypair.cert, ra_keypair.cert])}
+
+  let(:capabilities) { ['POSTPKIOperation', 'DES3' ]}
+
+  subject { SCEP::Endpoint.new(base_url) }
+
+  # General-purpose stubs
+  before do
+    stub_request(:get, "http://scep.server/?operation=GetCACert").
+      to_return(:status => 200, :body => p7certs_ca_ra.to_der, :headers => { 'Content-Type' => 'application/x-x509-ca-ra-cert'})
+
+    stub_request(:get, "http://scep.server/?operation=GetCACaps").
+      to_return(:status => 200, :body => capabilities.join("\n"), :headers => {})
+  end
+
+  describe '#ca_certificate' do
+    it 'calls #download_certificate when not previously called' do
+      expect(subject).to receive(:download_certificates)
+      subject.ca_certificate
+    end
+  end
+
+  describe '#ra_certificate' do
+    it 'calls #ca_certificate when not previously called' do
+      expect(subject).to receive(:ca_certificate)
+      subject.ra_certificate
+    end
+  end
+
+  describe '#supports_ra_certificate?' do
+    context 'when it does support an RA certificate' do
+      it 'returns true' do
+        expect(subject.supports_ra_certificate?).to eql(true)
+      end
+    end
+  end
+
+  describe '#capabilities' do
+    it 'gets a list of capabilities from the server' do
+      caps = subject.capabilities
+      expect(caps.to_a.sort).to eql(capabilities.sort)
+    end
+  end
+
+  describe '#post_pki_operation?' do
+    context 'when it supports the POSTPKIOperation' do
+      it 'returns true' do
+        expect(subject.post_pki_operation?).to eql(true)
+      end
+    end
+
+    context 'when it does not support the POSTPKIOperation' do
+      let(:capabilities) { ['Foo'] }
+      it 'returns false' do
+        expect(subject.post_pki_operation?).to eql(false)
+      end
+    end
+  end
+
+  describe '#download_certificates' do
+    context 'with a valid response' do
+
+      context 'with both an CA and RA certificate' do
+        it 'successfully assigns #ca_certificate and #ra_certificate' do
+          subject.download_certificates
+          expect(subject.ca_certificate.to_s).to eql(ca_keypair.cert.to_s)
+          expect(subject.ra_certificate.to_s).to eql(ra_keypair.cert.to_s)
+        end
+      end
+
+      context 'with only a CA certificate' do
+        before do
+          stub_request(:get, "http://scep.server/?operation=GetCACert").
+            to_return(:status => 200, :body => ca_keypair.cert.to_der, :headers => { 'Content-Type' => 'application/x-x509-ca-cert'})
+        end
+
+        it 'successfully assigns #ca_certificate' do
+          subject.download_certificates
+          expect(subject.ca_certificate.to_s).to eql(ca_keypair.cert.to_s)
+        end
+
+        it 'assigns #ca_certificate and #ra_certificate to be the same' do
+          subject.download_certificates
+          expect(subject.ca_certificate).to eql(subject.ra_certificate)
+        end
+      end
+
+    end
+
+    context 'with an invalid response' do
+      context 'when RA cert is not signed by the CA cert' do
+        let(:p7certs_ca_ra) { SCEP::PKCS7CertOnly.new([ca_keypair.cert, invalid_ra_keypair.cert])}
+
+        it 'raises a SCEP::ProtocolError' do
+          expect {
+            subject.download_certificates
+          }.to raise_error(SCEP::Endpoint::ProtocolError, 'RA certificate must be signed by CA certificate when using RA/CA cert combination')
+        end
+      end
+
+      context 'when the content type is not correct' do
+        before do
+          stub_request(:get, "http://scep.server/?operation=GetCACert").
+            to_return(:status => 200, :body => ca_keypair.cert.to_der, :headers => { 'Content-Type' => 'application/octet-stream'})
+        end
+
+        it 'raises a ProtocolError' do
+          expect {
+            subject.download_certificates
+          }.to raise_error(SCEP::Endpoint::ProtocolError, 'SCEP server returned invalid content type of application/octet-stream')
+        end
+      end
+
+
+    end
+
+  end
+
+end

data/spec/lib/scep/keypair_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+describe SCEP::Keypair do
+  let(:certificate) { OpenSSL::X509::Certificate.new read_fixture('self-signed.crt') }
+  let(:private_key) { OpenSSL::PKey::RSA.new read_fixture('self-signed.key') }
+
+  describe '#initialize' do
+    it 'creates a keypair with valid parameters' do
+      SCEP::Keypair.new(certificate, private_key)
+    end
+
+    it 'fails with invalid arguments' do
+      expect {
+        SCEP::Keypair.new(private_key, private_key)
+      }.to raise_error(ArgumentError)
+    end
+  end
+
+  describe '.read' do
+    it 'reads from the correct files' do
+      keypair = SCEP::Keypair.read(
+        fixture_path('self-signed.crt'),
+        fixture_path('self-signed.key')
+      )
+
+      expect(keypair.certificate.to_pem).to eql(certificate.to_pem)
+      expect(keypair.private_key.to_pem).to eql(private_key.to_pem)
+    end
+  end
+end

data/spec/lib/scep/pkcs7_cert_only_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe SCEP::PKCS7CertOnly do
+  let(:certificate1) { generate_keypair.certificate }
+  let(:certificate2) { generate_keypair.certificate }
+  let(:certs)    { [certificate1, certificate2] }
+  let(:p7certs)  { SCEP::PKCS7CertOnly.new(certs) }
+
+  describe '#initialize' do
+    it 'creates an object with certificates' do
+      p7certs = SCEP::PKCS7CertOnly.new(certs)
+      expect(p7certs.certificates).to eql(certs)
+    end
+  end
+
+  # Sufficiently tests #to_asn1
+  describe '#to_der' do
+    it 'encodes correctly such that it can be read by OpenSSL' do
+      expect {
+        der = p7certs.to_der
+        OpenSSL::PKCS7.new(der)
+      }.to_not raise_error
+    end
+
+    it 'encodes certificates in the correct order' do
+      der = p7certs.to_der
+      decoded_certs = OpenSSL::PKCS7.new(der).certificates
+      expect(decoded_certs[0].serial).to eql(certificate1.serial)
+      expect(decoded_certs[1].serial).to eql(certificate2.serial)
+    end
+  end
+
+  describe '#decode' do
+    it 'takes a PKCS7 cert-only der and creates a new PKCS7CertOnly' do
+      der = p7certs.to_der
+      decoded_p7certs = SCEP::PKCS7CertOnly.decode(der)
+      decoded_certs   = decoded_p7certs.certificates
+      expect(decoded_certs[0].serial).to eql(certificate1.serial)
+      expect(decoded_certs[1].serial).to eql(certificate2.serial)
+    end
+  end
+end