tlspretense 0.6.2 → 0.7.0

data/lib/tlspretense/test_harness/input_handler.rb

@@ -8,12 +8,16 @@ module TestHarness
       @actions = {}
 
       # Set the term to accept keystrokes immediately.
-      @stdin.enable_raw_chars
+      if @stdin.tty?
+        @stdin.enable_raw_chars
+      end
     end
 
     def unbind
       # Clean up by resotring the old termios
-      @stdin.disable_raw_chars
+      if @stdin.tty?
+        @stdin.disable_raw_chars
+      end
     end
 
     # Receives one character at a time.

data/lib/tlspretense/test_harness/runner.rb

@@ -20,6 +20,7 @@ module TestHarness
       @logger.formatter = proc do |severity, datetime, progname, msg|
           "#{datetime}:#{severity}: #{msg}\n"
       end
+      PacketThief.logger = @logger
       @app_context = AppContext.new(@config, cert_manager, @logger)
 
       @report = SSLTestReport.new
@@ -46,18 +47,24 @@ module TestHarness
         stop_packetthief
 
         @report.print_results(@stdout)
+
+        if @report.fail?
+          @stdout.puts 'FAIL'
+        else
+          @stdout.puts 'PASS'
+        end
+        !@report.fail?
       else
         raise "Unknown action: #{opts[:action]}"
       end
     end
 
     def run_tests(testlist)
-      test_manager = TestManager.new(@app_context, testlist, @report, @logger)
+      test_manager = TestManager.new(@app_context, testlist, @report)
       EM.run do
         # @listener handles the initial server socket, not the accepted connections.
         # h in the code block is for each accepted connection.
         @listener = TestListener.start('', @config.listener_port, test_manager)
-        @listener.logger = @logger
         @keyboard = EM.open_keyboard InputHandler do |h|
           h.on(' ') { test_manager.test_completed(test_manager.current_test, :skipped) }
           h.on('q') { test_manager.stop_testing }
@@ -72,7 +79,6 @@ module TestHarness
     # preconfigured destination, and external for when PT does not manage the
     # firewall rules but still needs to know how to discover the destination.
     def init_packetthief
-      PacketThief.logger = @logger
       if @config.packetthief.has_key? 'implementation'
         impl = @config.packetthief['implementation']
         case impl

data/lib/tlspretense/test_harness/ssl_test_case.rb

@@ -29,18 +29,11 @@ module TestHarness
       @description = @raw['name']
       @certchainalias = @raw['certchain']
       @expected_result = @raw['expected_result']
-    end
-
-    def certchain
+      # ensure that the certificate exists
       @certchain ||= @appctx.cert_manager.get_chain(@certchainalias)
-    end
-
-    def keychain
       @keychain ||= @appctx.cert_manager.get_keychain(@certchainalias)
-    end
-
-    def hosttotest
       @hosttotest ||= @appctx.config.hosttotest
+      nil
     end
 
   end

data/lib/tlspretense/test_harness/ssl_test_report.rb

@@ -21,6 +21,9 @@ module TestHarness
 
     end
 
+    def fail?
+      @results.any? {|r| !r.passed?}
+    end
   end
 end
 end

data/lib/tlspretense/test_harness/test_listener.rb

@@ -25,7 +25,7 @@ module TestHarness
     #   present when the client attempts to connect to hostname.
     # * _keytotest_   [OpenSSL::PKey::PKey] The key corresponding to the leaf
     #   node in _chaintotest_.
-    def initialize(tcpsocket, test_manager, logger=nil)
+    def initialize(tcpsocket, test_manager)
       @test_manager = test_manager
 
       if @test_manager.paused?
@@ -40,7 +40,7 @@ module TestHarness
         @extrachain = chain
       end
       # Use the goodca for hosts we don't care to test against.
-      super(tcpsocket, @test_manager.goodcacert, @test_manager.goodcakey, logger)
+      super(tcpsocket, @test_manager.goodcacert, @test_manager.goodcakey)
 
       @test_status = :running
       @testing_host = false

data/lib/tlspretense/test_harness/test_manager.rb

@@ -12,11 +12,10 @@ module TestHarness
     attr_accessor :goodcacert
     attr_accessor :goodcakey
 
-    def initialize(context, testlist, report, logger=nil)
+    def initialize(context, testlist, report)
       @appctx = context
       @testlist = testlist
       @report = report
-      @logger = logger
       @remaining_tests = @testlist.dup
 
       @goodcacert = @appctx.cert_manager.get_cert("goodca")

data/lib/tlspretense/version.rb

@@ -1,3 +1,3 @@
 module TLSPretense
-  VERSION = '0.6.2'
+  VERSION = '0.7.0'
 end

data/packetthief_examples/ssl_client_simple.rb

@@ -11,6 +11,13 @@ require 'rubygems'
 require 'eventmachine'
 require 'packetthief' # needs root
 
+Signal.trap('ABRT') do
+  puts 'catching abort'
+end
+
+log = Logger.new(STDOUT)
+log.level = Logger::DEBUG
+PacketThief.logger = log
 
 EM.run do
 

data/spec/packetthief/impl/ipfw_spec.rb

@@ -77,7 +77,8 @@ module Impl
       context "when passed an object that implements Socket's #getsockname" do
         it "returns the destination socket's details" do
           @socket = double("socket")
-          @socket.stub(:getsockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          # @socket.stub(:getsockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          @socket.stub(:getsockname).and_return(Socket.pack_sockaddr_in(16178, "10.101.96.97"))
 
           Ipfw.original_dest(@socket).should == [16178, "10.101.96.97"]
         end
@@ -86,7 +87,8 @@ module Impl
       context "when passed an object that implements EM::Connection's #getsockname" do
         it "returns the destination connection's details" do
           @socket = double("EM::Connection")
-          @socket.stub(:get_sockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          # @socket.stub(:get_sockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          @socket.stub(:get_sockname).and_return(Socket.pack_sockaddr_in(16178, "10.101.96.97"))
 
           Ipfw.original_dest(@socket).should == [16178, "10.101.96.97"]
         end

data/spec/packetthief/impl/netfilter_spec.rb

@@ -44,7 +44,8 @@ module Impl
       context "when passed an object that implements Socket's #getsockopt" do
         it "returns the destination socket's details" do
           @socket = double("socket")
-          @socket.should_receive(:getsockopt).with(Socket::IPPROTO_IP, Netfilter::SO_ORIGINAL_DST).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          # @socket.should_receive(:getsockopt).with(Socket::IPPROTO_IP, Netfilter::SO_ORIGINAL_DST).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          @socket.should_receive(:getsockopt).with(Socket::IPPROTO_IP, Netfilter::SO_ORIGINAL_DST).and_return(Socket.pack_sockaddr_in(16178, "10.101.96.97"))
 
           Netfilter.original_dest(@socket).should == [16178, "10.101.96.97"]
         end
@@ -53,7 +54,8 @@ module Impl
       context "when passed an object that implements EM::Connection's #get_sock_opt" do
         it "returns the destination connection's details" do
           @socket = double("EM::Connection")
-          @socket.should_receive(:get_sock_opt).with(Socket::IPPROTO_IP, Netfilter::SO_ORIGINAL_DST).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          # @socket.should_receive(:get_sock_opt).with(Socket::IPPROTO_IP, Netfilter::SO_ORIGINAL_DST).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          @socket.should_receive(:get_sock_opt).with(Socket::IPPROTO_IP, Netfilter::SO_ORIGINAL_DST).and_return(Socket.pack_sockaddr_in(16178, "10.101.96.97"))
 
           Netfilter.original_dest(@socket).should == [16178, "10.101.96.97"]
         end

data/spec/packetthief/impl/pf_divert_spec.rb

@@ -61,7 +61,8 @@ module Impl
       context "when passed an object that implements Socket's #getsockname" do
         it "returns the destination socket's details" do
           @socket = double("socket")
-          @socket.stub(:getsockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          # @socket.stub(:getsockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          @socket.stub(:getsockname).and_return(Socket.pack_sockaddr_in(16178, "10.101.96.97"))
 
           subject.original_dest(@socket).should == [16178, "10.101.96.97"]
         end
@@ -70,7 +71,8 @@ module Impl
       context "when passed an object that implements EM::Connection's #getsockname" do
         it "returns the destination connection's details" do
           @socket = double("EM::Connection")
-          @socket.stub(:get_sockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          # @socket.stub(:get_sockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+          @socket.stub(:get_sockname).and_return(Socket.pack_sockaddr_in(16178, "10.101.96.97"))
 
           subject.original_dest(@socket).should == [16178, "10.101.96.97"]
         end

data/spec/packetthief/logging_spec.rb

@@ -6,37 +6,39 @@ module PacketThief
       include Logging
     end
 
-    subject { LoggingObj.new }
-
     let(:logger) { Logger.new(nil) }
+    before(:each) { Logging.logger = logger }
 
-    it "does not expose its log methods" do
-      expect { subject.logdebug("some message") }.to raise_error NoMethodError
-    end
+    describe "an object that has included PacketThief::Logging" do
+      subject { LoggingObj.new }
 
-    context "when logger is unset" do
-      before(:each) { subject.logger = nil }
+      it "does not expose its log methods" do
+        expect { subject.logdebug("some message") }.to raise_error NoMethodError
+      end
 
-      it { expect { subject.send(:logdebug, "some message")}.to_not raise_error }
-    end
+      context "when Logging.logger is unset" do
+        before(:each) { Logging.logger = nil }
 
-    context "when logger is set" do
-      before(:each) { subject.logger = logger }
+        it { expect { subject.send(:logdebug, "some message")}.to_not raise_error }
+      end
 
-      it "sends a message with the classname to the logger" do
-        logger.should_receive(:log).with(Logger::DEBUG, subject.class.to_s + ": hello world!")
+      context "when Logging.logger is set" do
 
-        subject.send(:logdebug, 'hello world!')
-      end
-      it "prints an optional argument to the logger" do
-        logger.should_receive(:log).with(Logger::DEBUG, subject.class.to_s + ": a message: data: 12345")
+        it "sends a message with the classname to the logger" do
+          logger.should_receive(:log).with(Logger::DEBUG, subject.class.to_s + ": hello world!")
 
-        subject.send(:logdebug, 'a message', :data => 12345)
-      end
-      it "prints multiple optional arguments to the logger in sorted order" do
-        logger.should_receive(:log).with(Logger::DEBUG, /#{subject.class.to_s}: a message: astring: ['"]inspect this['"], data: 12345/)
+          subject.send(:logdebug, 'hello world!')
+        end
+        it "prints an optional argument to the logger" do
+          logger.should_receive(:log).with(Logger::DEBUG, subject.class.to_s + ": a message: data: 12345")
+
+          subject.send(:logdebug, 'a message', :data => 12345)
+        end
+        it "prints multiple optional arguments to the logger in sorted order" do
+          logger.should_receive(:log).with(Logger::DEBUG, /#{subject.class.to_s}: a message: astring: ['"]inspect this['"], data: 12345/)
 
-        subject.send(:logdebug, 'a message', :data => 12345, :astring => "inspect this")
+          subject.send(:logdebug, 'a message', :data => 12345, :astring => "inspect this")
+        end
       end
     end
 
@@ -49,8 +51,6 @@ module PacketThief
 
       subject { ClassToTest }
 
-      before(:each) { subject.logger = logger }
-
       it "sets component to the class name" do
         logger.should_receive(:log).with(Logger::DEBUG, "#{subject.name}: a message")
 
@@ -66,8 +66,6 @@ module PacketThief
 
       subject { ModToTest }
 
-      before(:each) { subject.logger = logger }
-
       it "sets component to the module name" do
         logger.should_receive(:log).with(Logger::DEBUG, "#{subject.name}: a message")
 

data/spec/spec_helper.rb

@@ -17,15 +17,14 @@ require 'tlspretense'
 Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
 
 RSpec.configure do |config|
-  config.backtrace_clean_patterns = [
-    /\/lib\d*\/ruby\//,
-    /bin\//,
-#    /gems/,
-    /spec\/spec_helper\.rb/,
-    /lib\/rspec\/(core|expectations|matchers|mocks)/
-  ]
-
+  config.expect_with :rspec do |expectations|
+    expectations.syntax = [:should, :expect]
+  end
+  config.mock_with :rspec do |mocks|
+    mocks.syntax = :should
+  end
 end
+RSpec::Expectations.configuration.on_potential_false_positives = :nothing
 
 def with_constants(constants, &block)
   saved_constants = {}

data/spec/tlspretense/cert_maker/subject_alt_name_factory_spec.rb

@@ -0,0 +1,75 @@
+require File.expand_path(File.join(File.dirname(__FILE__),'..','..','spec_helper'))
+
+module TLSPretense
+  module CertMaker
+    describe SubjectAltNameFactory do
+
+      describe "the created extension" do
+        subject { SubjectAltNameFactory.new.create_san_with_dns(arg) }
+
+        context "when created with www.isecpartners.com" do
+          let(:arg) { 'www.isecpartners.com' }
+          it "is a subjectAltName Extension" do
+            subject.oid.should == 'subjectAltName'
+          end
+          it "its der encoding contains www.isecpartners.com" do
+            subject.to_der.should match /www\.isecpartners\.com/
+          end
+        end
+
+        context 'when passed "www.isecpartners.com\0foo.com"' do
+          let(:arg) { "www.isecpartners.com\0foo.com" }
+          it 'its der encoding contains www.isecpartners.com\0foo.com' do
+            subject.to_der.should match /www\.isecpartners\.com\0foo\.com/
+          end
+        end
+      end
+
+      describe "the created extension" do
+        subject { SubjectAltNameFactory.new.create_san_ext(arg) }
+
+        context 'when the descriptor is "subjectAltName=DNS:www.isecpartners.com"' do
+          let(:arg) { "subjectAltName=DNS:www.isecpartners.com" }
+          it "the oid is 'subjectAltName'" do
+            subject.oid.should == 'subjectAltName'
+          end
+          it "the der encoding contains www.isecpartners.com" do
+            subject.to_der.should match /www\.isecpartners\.com/
+          end
+        end
+
+        context 'when the descriptor is "subjectAltName=DNS:www.isecpartners.com, DNS:foo.com"' do
+          let(:arg) { "subjectAltName=DNS:www.isecpartners.com, DNS:foo.com" }
+          it "the der encoding contains www.isecpartners.com" do
+            subject.to_der.should match /www\.isecpartners\.com/
+          end
+          it "the der encoding contains foo.com" do
+            subject.to_der.should match /foo\.com/
+          end
+        end
+
+        context 'when the descriptor is "subjectAltName=DNS:www.isecpartners.com\0foo.com, DNS:bar.com"' do
+          let(:arg) { "subjectAltName=DNS:www.isecpartners.com\0foo.com, DNS:bar.com" }
+          it 'the der encoding contains www.isecpartners.com\0foo.com' do
+            subject.to_der.should match /www\.isecpartners\.com\0foo\.com/
+          end
+          it "the der encoding contains bar.com" do
+            subject.to_der.should match /bar\.com/
+          end
+        end
+
+        context 'when the descriptor is "subjectAltName=DNS:www.isecpartners.com\0.foo.com, DNS:bar.com\0.foo.com"' do
+          let(:arg) { "subjectAltName=DNS:www.isecpartners.com\0.foo.com, DNS:bar.com\0.foo.com" }
+          it 'the der encoding contains www.isecpartners.com\0.foo.com' do
+            subject.to_der.should match /www\.isecpartners\.com\0\.foo\.com/
+          end
+          it "the der encoding contains bar.com\0.foo.com" do
+            subject.to_der.should match /bar\.com\0\.foo\.com/
+          end
+        end
+
+      end
+
+    end
+  end
+end

data/spec/tlspretense/ext_compat/openssl_pkey_read_spec.rb

@@ -0,0 +1,126 @@
+require File.expand_path(File.join(File.dirname(__FILE__),'..','..','spec_helper'))
+require 'tlspretense/ext_compat/openssl_pkey_read'
+
+module TLSPretense
+  module ExtCompat
+    describe OpenSSLPKeyRead do
+      subject { a = Object.new ; a.extend(OpenSSLPKeyRead) ; a }
+
+      describe "#read" do
+        context "when given a PEM-encoded RSA key" do
+          let(:pkey) do (<<-QUOTE).gsub(/^\s*/,'')
+              -----BEGIN RSA PRIVATE KEY-----
+              MIIEpAIBAAKCAQEAzRehpS5qO9LuW2dqm/Pc2YyPTOE3LMzoZSukguefwFuZqi8K
+              VWpn+4Tk5xACaZYnAKMQEHb3F9aC4REU3p3L6WiuEmarxvnfxAFahEIlsmJSSiE6
+              TaAxg3mXL3C5QiQxK/N9zjPGXW8QPlCCCs7CKQQ4RIQTIkoOn4OvSDbpRWrPZ1H4
+              ZBiCrAfqDQOSqzmHMTchUfhvezSWwDcFUQCfYGBdBkjzFEcrtEG6lFjx3aVHZfZm
+              uTKfki0fCEQCRsSd2l+/ZFJHIIphL0M2L/6VvCCDiaziHMwxVitnsQ5JURvje7QR
+              AXTKjArIgUl9h/IdfrIT9pbLKDNsDQMx2txfkQIDAQABAoIBAQC49fbx4Uotaa1N
+              AZdDzkn+aKVT0EjSPnnXw+Q5qmqIMBQFRycqoSvlyZQmTmnej2vdRzHVp3RwKyUd
+              lSodGnIrrhxOvAlvCSqkuhPH81/L4KAV+qF6IF6HE8ElJ6Pr4nf2C0IKFOdwnBkq
+              GbEtzgmMtCGKqRIYenF1qm0J03vM/Ugn3Xvq9qIUJjLEoX32z0m1x3+QQKmG4k2U
+              AZK2Ngs3J3dHNmCjAOzWhJ7yeIEiPPAznP6MV9JCvv3+dAZGMZmQUbNkrXuEy+LG
+              tQh7C5GMSj1wrB3q7o+1V2MGdZUu8uNkxaPlCnc3MnjbCHw3WydAJHW1lgurqlv5
+              cwDd2BgBAoGBAPh4IdffVxlIRx2CR7++9O1D2UED+zXJjMFHok3sPhrONb/qOzaQ
+              ectQFxzznObz4zUEnb9TLCVhkfMyFQ3L/CabLHPa21+ucMigObk8HdZ7nPtf7Xo0
+              v54vISFhH7rlpBi73fOf69+bzd7ECEPOvfI639ltfJRv8LgSW6GdoaR5AoGBANNO
+              8DbvicZ7+Qq6U05QJLhl4HyLziCS+Rr0Arz5KnbKxjPYoiV3Ujpzec3DAazTCRho
+              OCRgzNMO2dEQCp7ZEYK+HK/J6UA2DYExYHcPyfYskrxwQVo5N20oiLa6jLisk5Jf
+              vsq6Lbuq5PgYcykXfcX3ZnB6XAt32nC9dzcu2F3ZAoGAbYa/HGKWCU4EEyzvpcVu
+              P/yNkwxHOzGKO1TxZboCslw980g0K9xJ4+Z9GcUFYAUYHbHYO5NVPXEiHfrwrvFB
+              SF9UnAlYdHf3vWhrqYyndnls/J4Pl7QS147c4tLmYsOBr2l48ECJgDs058KwBfvn
+              XRS4wiZyKRijGvD0tWw/6bkCgYEAv1crjZM6XtDDokM2TCOmHJOjwyOVc0mi6BUs
+              pZG6MfdLoob3zJVPkD4gfYGncqdmBQPaUpaU4kkAU58C/vPwN0OPFl7vJ4XKlMHx
+              Z96UMqYJ+Ths9RX6ao3Zvh0Ob+tVdaXdThVodBc7XqxFG2B6M1jjGdayom/VDWGD
+              IiT5J4ECgYBhEHnaEepaK+Z++yMdGD4oZCtrKkY+2FiR3yK4scldzkKp+FLLBSD0
+              nD0rF9hlhvpzlWa8HASrHHt2IB+rhKkljNpBuHSk1pK1q2KVYLCePOIunai9O/Mo
+              JWJnWLSeS/Fd3rXB9jnNhiudElJRXzkof0jKSm0xnDbxWvWztBUnkA==
+              -----END RSA PRIVATE KEY-----
+          QUOTE
+          end
+
+          it "returns an RSA key" do
+            subject.read(pkey).should be_a OpenSSL::PKey::RSA
+          end
+        end
+        context "when given a PEM-encoded DSA key" do
+          let(:pkey) do (<<-QUOTE).gsub(/^\s*/,'')
+            -----BEGIN DSA PRIVATE KEY-----
+            MIIDVgIBAAKCAQEA1nTwWYrSmUNZalLgB7hW5F/K7GLpc+8GyNJ+F7XVY6lbrKlY
+            4xylX/kOUHvYgq/3C4Mn0lkME7lrvLKkh7rPybCNe1p40olQXB9JPfYc6QiiGLGL
+            WlbD1K4MNf1kftpBFB6x/Rs76NE6f8C3Wopp0TnbQhmlZskKo41mD+/MQl0j+d2w
+            fKsbLAo+kkW/znMqC2PLWNlOFE3bFrRzGQkU1Bu8HrBYrJT35bCtqbSJoyBkHPgI
+            SkYYdn/OuOD8swPO8xlgTxHBIZpwjqkyF3bzkroYOsCyAodu+xqHuTVzn+n/FWpf
+            vR3Lx5GRxBdEBqotpfxNBfF11B0fRWsAMUSQJQIhAO8V8dLdD/SYRsKUKUHD8eGC
+            ex6/ado7HluBizTjMI/NAoIBAC79cQQwFXb+ODfXTdG5QVYa9Q7fQ9oQZ1yDO1ab
+            eZu+awH2E5/PbwVqJEBVOWCF7Suq3CXGrINaInu4zsM6Seo/V61hBTZpWkdt+Xr4
+            ILlqQIw0UwaAwtE7Ynymk8Vx9MTFfekChi+Xu/4ReUDqRGKxzO89biZbd9XTOUVb
+            W4T4nNE/ONQJ4CKa10E+g7w9Af4quV88JDVfwaTKhC9N5It8N52Pze8cxDYKQPFs
+            5LUCjtfACxK6YBplkeF0nWdRkIz97dhMQgvfF70YKPikX5JymLbxLiBqUZkWc3Jv
+            JzqOyvn08imGBZJmf6dEYhHDChKJ4OVALL4MpeStLQ01U5MCggEBALwAH7EnbbC/
+            G2GziHq0XvhfmDQKCYBcAO5Mmwl7qsyMeECQ639MKcNJmX9rmC4JFC/TB4TQA80d
+            YEwbFwlYJkUbJyM20oh7NMP0bsrn0Jzt8nYosRRfVZKman7tIE24QnVnZuEwOTQY
+            0C4QLoq+m4jUumm6QsqclipuMzVUH1n0ngJYbx9nyvDU4nxd6j4MfmqHrQRUXIPH
+            5namqyq/xELwpRy0i5kOh5Hs/KuyrMSesRzYcty8NwcYOcM1/whspsYAdX/psDjG
+            FNdknGUPM5ioDR2in6CA5z6iPDEAuFFQIUHt34Ujv+F4FNFXqnfiCa95BrjaCKNd
+            3bRVzJDprc4CICImpd+oInjzy7PeCkbpUxwa4P3A4fHhRp0arIbId6jj
+            -----END DSA PRIVATE KEY-----
+            QUOTE
+          end
+
+          it "returns a DSA key" do
+            subject.read(pkey).should be_a OpenSSL::PKey::DSA
+          end
+        end
+        context "when given a PEM-encoded EC key" do
+
+          let(:pkey) do (<<-QUOTE).gsub(/^\s*/,'')
+            -----BEGIN EC PRIVATE KEY-----
+            MF8CAQEEGFpS6x8iOTNWBDNTO9nrqvyQjUvoaO7uaqAKBggqhkjOPQMBAaE0AzIA
+            BLOLCjnMg4a1++NZS5/XTeT2vv8JEANpctfJMjsoG12Uv7fwe8lldQwFFl0XQQZk
+            kg==
+            -----END EC PRIVATE KEY-----
+            QUOTE
+          end
+
+          it "returns an EC key" do
+            subject.read(pkey).should be_a OpenSSL::PKey::EC
+          end
+        end
+        context "when given a PEM-encoded ENCRYPTED key" do
+          let(:pkey) do (<<-QUOTE).gsub(/^\s*/,'')
+            -----BEGIN ENCRYPTED PRIVATE KEY-----
+            MIICzzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIBjDVSsSRDgwCAggA
+            MB0GCWCGSAFlAwQBAgQQp6si6kZjtBV0mh+IfcThUQSCAoB6djj/BwG1lHkYw9o1
+            AS4pDo+wF3VCDca26OCrMRK41lxsQ52Kdg1mDgkuLdBeAxx3uyuD4ZoytWhgv+st
+            oLPypCl85xA7yvYsw3UiR4HaS27KiLIsLu4ex2bkS+wOLOw4t9tjPHLvmZJgVneA
+            QFFdRH03woJfQaMHueseI6ok+p58Qs8xNbUetPJC47kwNtzD4tirrbGIsSPC0Mw9
+            THsP/UPMYYbfgBi9hOzoznzpDie7Siv/VM5UCFHJuA9JKisliX8Gc9elmZMc5iD8
+            QUo5XfquJCTGgdKpz3dLHsHK85kfXX+CpYzDLshIM8Qucf2Zx+fsW5h/1VrAR+H7
+            Oft7zeyP01fGxwi1jVXdLpi5emvd1/tVUF/wasXisvQRsicNxE2nmPVrdFYRCisp
+            6hIAqgkMUMbz5LGwGSfCqVLLezsC20lk4oVhszG+Jyx64bx5pUVupkuTghm8wZgJ
+            ZnLKQIz+Bge+ZbNk3TzN1Z4O/Lpfs0wKbUaI+/glM10zl6s/tG0F+kNDRCp1xhWy
+            m1Dq6AE9H+Q8BBYrwR//p9vP6xvFXo3Ie5b3zx1am2WWmgQqlnI4C+W1ThUdf68+
+            eh1Qc/P8c5xwfS15kATbZT6lL6eBzkEFJYEN/5b1y2Bipsqn1Rjpcvu9VUOmFKyo
+            AsFK2e6QvvhCngRxgLT1O4kNlDACJx65e20qMFXMLWqdXGOzy7VXattEzSs4sV7W
+            3c/u+bv0rqaIYn+JcZ9hqukH3i3eyKLHfmbYxERUgQIh6cZjds+46sODsi/7J3R4
+            ytZbBGZPeoS23Go6cfA2NEdN4hPH9k2CM0hol4W4ztWmPNoLmkhlFEhZHrdVoMR0
+            Tw07
+            -----END ENCRYPTED PRIVATE KEY-----
+            QUOTE
+          end
+          context "when given the right password" do
+            it "decrypts the key" do
+              subject.read(pkey, 'hello').should be_a OpenSSL::PKey::RSA
+            end
+          end
+          context "when given the wrong password" do
+            it "raises a generic error" do
+              expect { subject.read(pkey, 'hell') }.to raise_error
+            end
+          end
+        end
+      end
+    end
+  end
+end