tttls1.3 0.2.10 → 0.2.15

data/lib/tttls1.3/message/extensions.rb

@@ -44,10 +44,11 @@ module TTTLS13
       #
       # @return [TTTLS13::Message::Extensions]
       # rubocop: disable Metrics/CyclomaticComplexity
+      # rubocop: disable Metrics/PerceivedComplexity
       def self.deserialize(binary, msg_type)
         raise Error::ErrorAlerts, :internal_error if binary.nil?
 
-        extensions = []
+        exs = Extensions.new
         i = 0
         while i < binary.length
           raise Error::ErrorAlerts, :decode_error if i + 4 > binary.length
@@ -66,32 +67,41 @@ module TTTLS13
             ex = Extension::UnknownExtension.new(extension_type: extension_type,
                                                  extension_data: ex_bin)
           end
-          extensions << ex
+
+          # There MUST NOT be more than one extension of the same type in a
+          # given extension block.
+          raise Error::ErrorAlerts, :unsupported_extension \
+            if exs.include?(extension_type)
+
+          exs[extension_type] = ex
           i += ex_len
         end
         raise Error::ErrorAlerts, :decode_error unless i == binary.length
 
-        Extensions.new(extensions)
+        exs
       end
       # rubocop: enable Metrics/CyclomaticComplexity
+      # rubocop: enable Metrics/PerceivedComplexity
 
       # @param key [TTTLS13::Message::ExtensionType]
+      # @param default
       #
       # @return [TTTLS13::Message::Extension::$Object]
-      def [](key)
+      def fetch(key, default = nil)
         return nil if super_fetch(key, nil).is_a?(Extension::UnknownExtension)
 
-        super_fetch(key, nil)
+        super_fetch(key, default)
       end
 
-      # @param key [TTTLS13::Message::ExtensionType]
-      # @param default
+      def [](key)
+        fetch(key)
+      end
+
+      # @param ex [TTTLS13::Message::Extension::$Object]
       #
       # @return [TTTLS13::Message::Extension::$Object]
-      def fetch(key, default = nil)
-        return nil if super_fetch(key, nil).is_a?(Extension::UnknownExtension)
-
-        super_fetch(key, default)
+      def <<(ex)
+        store(ex.extension_type, ex)
       end
 
       class << self
@@ -110,12 +120,23 @@ module TTTLS13
         #
         # @return [TTTLS13::Message::Extension::$Object, nil]
         # rubocop: disable Metrics/CyclomaticComplexity
+        # rubocop: disable Metrics/MethodLength
         def deserialize_extension(binary, extension_type, msg_type)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
 
           case extension_type
           when ExtensionType::SERVER_NAME
             Extension::ServerName.deserialize(binary)
+          when ExtensionType::STATUS_REQUEST
+            if msg_type == HandshakeType::CLIENT_HELLO
+              return Extension::OCSPStatusRequest.deserialize(binary)
+            end
+
+            if msg_type == HandshakeType::CERTIFICATE
+              return Extension::OCSPResponse.deserialize(binary)
+            end
+
+            Extension::UnknownExtension.deserialize(binary, extension_type)
           when ExtensionType::SUPPORTED_GROUPS
             Extension::SupportedGroups.deserialize(binary)
           when ExtensionType::SIGNATURE_ALGORITHMS
@@ -143,6 +164,7 @@ module TTTLS13
           end
         end
         # rubocop: enable Metrics/CyclomaticComplexity
+        # rubocop: enable Metrics/MethodLength
       end
     end
   end

data/lib/tttls1.3/server.rb

@@ -46,11 +46,13 @@ module TTTLS13
 
   DEFAULT_SERVER_SETTINGS = {
     crt_file: nil,
+    chain_files: nil,
     key_file: nil,
     cipher_suites: DEFAULT_SP_CIPHER_SUITES,
     signature_algorithms: DEFAULT_SP_SIGNATURE_ALGORITHMS,
     supported_groups: DEFAULT_SP_NAMED_GROUP_LIST,
     alpn: nil,
+    process_ocsp_response: nil,
     compatibility_mode: true,
     loglevel: Logger::WARN
   }.freeze
@@ -75,6 +77,14 @@ module TTTLS13
       klass = @crt.public_key.class
       @key = klass.new(File.read(@settings[:key_file]))
       raise Error::ConfigError unless @crt.check_private_key(@key)
+
+      @chain = @settings[:chain_files]&.map do |f|
+        OpenSSL::X509::Certificate.new(File.read(f))
+      end
+      @chain ||= []
+      ([@crt] + @chain).each_cons(2) do |cert, sign|
+        raise Error::ConfigError unless cert.verify(sign.public_key)
+      end
     end
 
     # NOTE:
@@ -227,10 +237,14 @@ module TTTLS13
 
           ch = transcript[CH]
           rsl = @send_record_size \
-            unless ch.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT].nil?
+            if ch.extensions.include?(Message::ExtensionType::RECORD_SIZE_LIMIT)
           ee = transcript[EE] = gen_encrypted_extensions(ch, @alpn, rsl)
           # TODO: [Send CertificateRequest]
-          ct = transcript[CT] = gen_certificate(@crt)
+
+          # status_request
+          ocsp_response = fetch_ocsp_response \
+            if ch.extensions.include?(Message::ExtensionType::STATUS_REQUEST)
+          ct = transcript[CT] = gen_certificate(@crt, @chain, ocsp_response)
           digest = CipherSuite.digest(@cipher_suite)
           cv = transcript[CV] = gen_certificate_verify(
             @key,
@@ -341,7 +355,7 @@ module TTTLS13
     #
     # @return [TTTLS13::Message::ServerHello]
     def send_hello_retry_request(ch1, cipher_suite)
-      exs = []
+      exs = Message::Extensions.new
       # supported_versions
       exs << Message::Extension::SupportedVersions.new(
         msg_type: Message::HandshakeType::SERVER_HELLO
@@ -363,7 +377,7 @@ module TTTLS13
         random: Message::HRR_RANDOM,
         legacy_session_id_echo: ch1.legacy_session_id,
         cipher_suite: cipher_suite,
-        extensions: Message::Extensions.new(exs)
+        extensions: exs
       )
       send_handshakes(Message::ContentType::HANDSHAKE, [sh],
                       Cryptograph::Passer.new)
@@ -394,11 +408,18 @@ module TTTLS13
     end
 
     # @param crt [OpenSSL::X509::Certificate]
+    # @param chain [Array of OpenSSL::X509::Certificate]
+    # @param ocsp_response [OpenSSL::OCSP::Response]
     #
     # @return [TTTLS13::Message::Certificate, nil]
-    def gen_certificate(crt)
-      ce = Message::CertificateEntry.new(crt)
-      Message::Certificate.new(certificate_list: [ce])
+    def gen_certificate(crt, chain = [], ocsp_response = nil)
+      exs = Message::Extensions.new
+      # status_request
+      exs << Message::Extension::OCSPResponse.new(ocsp_response) \
+        unless ocsp_response.nil?
+      ces = [Message::CertificateEntry.new(crt, exs)] \
+            + (chain || []).map { |c| Message::CertificateEntry.new(c) }
+      Message::Certificate.new(certificate_list: ces)
     end
 
     # @param key [OpenSSL::PKey::PKey]
@@ -433,7 +454,7 @@ module TTTLS13
     # @return [TTTLS13::Message::Extensions]
     # @return [OpenSSL::PKey::EC.$Object]
     def gen_sh_extensions(named_group)
-      exs = []
+      exs = Message::Extensions.new
       # supported_versions: only TLS 1.3
       exs << Message::Extension::SupportedVersions.new(
         msg_type: Message::HandshakeType::SERVER_HELLO
@@ -444,7 +465,7 @@ module TTTLS13
                  = Message::Extension::KeyShare.gen_sh_key_share(named_group)
       exs << key_share
 
-      [Message::Extensions.new(exs), priv_key]
+      [exs, priv_key]
     end
 
     # @param ch [TTTLS13::Message::ClientHello]
@@ -453,15 +474,16 @@ module TTTLS13
     #
     # @return [TTTLS13::Message::Extensions]
     def gen_ee_extensions(ch, alpn, record_size_limit)
-      exs = []
+      exs = Message::Extensions.new
 
       # server_name
       exs << Message::Extension::ServerName.new('') \
         if ch.extensions.include?(Message::ExtensionType::SERVER_NAME)
 
       # supported_groups
-      exs \
-      << Message::Extension::SupportedGroups.new(@settings[:supported_groups])
+      exs << Message::Extension::SupportedGroups.new(
+        @settings[:supported_groups]
+      )
 
       # alpn
       exs << Message::Extension::Alpn.new([alpn]) unless alpn.nil?
@@ -470,7 +492,7 @@ module TTTLS13
       exs << Message::Extension::RecordSizeLimit.new(record_size_limit) \
         unless record_size_limit.nil?
 
-      Message::Extensions.new(exs)
+      exs
     end
 
     # @param key [OpenSSL::PKey::PKey]
@@ -532,6 +554,11 @@ module TTTLS13
 
       matching_san?(crt, server_name)
     end
+
+    # @return [OpenSSL::OCSP::Response, nil]
+    def fetch_ocsp_response
+      @settings[:process_ocsp_response]&.call
+    end
   end
   # rubocop: enable Metrics/ClassLength
 end

data/lib/tttls1.3/utils.rb

@@ -61,6 +61,21 @@ module TTTLS13
         length.to_uint64 + self
       end
     end
+
+    refine OpenSSL::X509::Certificate do
+      unless method_defined?(:ocsp_uris)
+        define_method(:ocsp_uris) do
+          aia = extensions.find { |ex| ex.oid == 'authorityInfoAccess' }
+          return nil if aia.nil?
+
+          ostr = OpenSSL::ASN1.decode(aia.to_der).value.last
+          ocsp = OpenSSL::ASN1.decode(ostr.value)
+                              .map(&:value)
+                              .select { |des| des.first.value == 'OCSP' }
+          ocsp&.map { |o| o[1].value }
+        end
+      end
+    end
   end
 
   module Convert

data/lib/tttls1.3/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module TTTLS13
-  VERSION = '0.2.10'
+  VERSION = '0.2.15'
 end

data/spec/extensions_spec.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require_relative 'spec_helper'
+using Refinements
 
 RSpec.describe Extensions do
   context 'empty extensions' do
@@ -167,4 +168,19 @@ RSpec.describe Extensions do
       expect(extensions).to include ExtensionType::RECORD_SIZE_LIMIT
     end
   end
+
+  context 'duplicated extension_type' do
+    let(:server_name) do
+      ServerName.new('example.com')
+    end
+
+    let(:testbinary) do
+      server_name.serialize * 2
+    end
+
+    it 'should raise error, if extension_type get duplicated' do
+      expect { Extensions.deserialize(testbinary, HandshakeType::CLIENT_HELLO) }
+        .to raise_error(ErrorAlerts)
+    end
+  end
 end

data/spec/fixtures/rsa_rsa.crt

@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC2TCCAcGgAwIBAgIJAM8aTIrMzHgzMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
-BAMMB3Rlc3QtY2EwHhcNMTkwNTI1MDEzODAyWhcNMjAwNTI0MDEzODAyWjAUMRIw
+MIIC2TCCAcGgAwIBAgIJALo0YKZBVqYnMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB3Rlc3QtY2EwHhcNMjAwNzE1MTU0NTE4WhcNMzAwNzEzMTU0NTE4WjAUMRIw
 EAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQDb9cGc2hOrLp3VWpxw8WgDqEL3LzZ5a6iYwibeR4AEB5FJLhS3Wvxa1xOS510C
-Kyfk/0znJvN9y+C8tFpB1BAN1OpPvaMPcYWx9CfEeoXaA5+QtU0MWJV7uYMtEUEx
-mEOvDKK1ZvHhw7xUzwcJTFRo6ZY6LqjiozlSPkTrVRIWoy7qEzXnOza36xX18xVt
-azvJBBudtTrjjBfQv2DJdF44icWqOBvAwg54BAbaH3bZ1WOg5oRnOPeVumYbPBsl
-dCDs67S1+RHKMEjRTk7gzuGog9lxJVMluU7iyreROD9+GvJEY3ra2KH96rtIgzo6
-KFHlC4Ih18zRfJZePgMGi5zVAgMBAAGjMDAuMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgWgMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAAjDs
-4PgPL2Tn8+TxFWEPjh3VUB2kNyYK4LFA/ooN81pDLmm9/qc0FcUs16YQIqYdZICc
-vE83z3RlTmSjsynaRXxYh0VGVE2g2pWiPzEGTGE5HJy2JOtidMiacskmvetbTyYd
-TLdTEFiAlXF9e24OanglmFr9QnA/Z/zQkuIb4t7KN8Dufsi3ljkoJ+puuPxrEQj0
-4BfBo381jK5WULHJ2G9pz5pvy1GZLfj1tQyG2wkI/vV2tjFN+LLO7NCY3V6RjvEZ
-bH4ZdAQz9fbbp7eCXImP+OJYt97Q3RZFJjUWhmh4qFebelkeN3RnmWSFrgjh0O67
-pyNwVv0//MYIEhMUVQ==
+AQC65xzvPQrsXXRVsQ4rcrmvOF0gdWV38JKlhHUrS50//T0S55FUSBkuVXUDCZDx
+dOf0y/5HaMb3hm68+ld5B/oNtoPlJWW6Sgc8OLERQy9qGpwR0mXND4SnZ9or7RDV
+8tAEg/Hzq5rm6Xy2WClSR+nHg2tVh2Szde39j7o8ivJpHPzfEyZh37y9oIiY2/FP
+QpbAe8n3Ses04D3jhZRoysdcuneWuG3h5DJ9X4IhZUBM54nEO5IQElyYnF6xY/Lt
+Gykf8+ydiuAZpZF5FGGfoiKB7XdIwhSlK1XRFeBbHRqyAFjpSNtqy6RPdJINLseb
+wG6DNSxcLm91C6ZJaaqu7Qp1AgMBAAGjMDAuMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgWgMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEALqaQ
+J5H9jB2VmIEDxhXAQTeqW1Hmp0oHhL1XcAvNS+JILjFfAdjMe/3Kei3hQJv8j8sE
+uck3o7iA4kcE0ydUzO7TM7efjqcksyZrmWSB0xj+NHjcybwhD4Selr1vBSCU0IHN
+Ap+zYbBX7eQawm2lIzniBvS6MmP+dgZjhy73FVQ4oSz+wTcg1iPkhulYL4iV/HSG
+fND5gUvlRbLHGTETpCdq7iJNOpNl/OYboJLPvVpx8H7Jc+L2bQl05fj/koO35xaL
+JuZGj5aVOKw45WvqERpe1RI3077dWE6bAr9DzrW13IqmFMbPD817pcB6+ILZnMAF
+RhobWRU6PA4TdDP8bg==
 -----END CERTIFICATE-----

data/spec/fixtures/rsa_rsa.key

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA2/XBnNoTqy6d1VqccPFoA6hC9y82eWuomMIm3keABAeRSS4U
-t1r8WtcTkuddAisn5P9M5ybzfcvgvLRaQdQQDdTqT72jD3GFsfQnxHqF2gOfkLVN
-DFiVe7mDLRFBMZhDrwyitWbx4cO8VM8HCUxUaOmWOi6o4qM5Uj5E61USFqMu6hM1
-5zs2t+sV9fMVbWs7yQQbnbU644wX0L9gyXReOInFqjgbwMIOeAQG2h922dVjoOaE
-Zzj3lbpmGzwbJXQg7Ou0tfkRyjBI0U5O4M7hqIPZcSVTJblO4sq3kTg/fhryRGN6
-2tih/eq7SIM6OihR5QuCIdfM0XyWXj4DBouc1QIDAQABAoIBAA6EEGvuhF/Gqsna
-ufpGJCwhnZG8fubScQTrwy7mHw+lBDSFIv7atU61ZOhL9npfKLnXE1cp3eXOX510
-dYRkn06aX4A1rp4lSsJsr3cq8sxpcs1U+am36t2IZ5zAx8GjH8xclBxOl+XjSfl6
-1CcL74Ig8DYUwDZ8uRqxW1EAgzoVGXTMjXqEtP+X3WcFP/XNdzGWeFheowk0iwOn
-DIM6tIELbExbSK8RxhTrKQKv+rTm373ntwSrtvDLlAz1kR9p0a6XeeAn3VVkVYaE
-cu6MRuA2b24EYcEDQgbU2KsUke2vZ1i5hl5ptuc8+iubXCj2SICilBeVQNXLIr2j
-sIzd8x0CgYEA+nH5IIt9pnlqRkFm8Y4bH4cvTk7xMWKj1tuRvP0Vdmw+KsqCxWNR
-w1KuUZ0tj6lzQez0o/jpFWqtxDTV5r3vj/6nrFcLXClENe65pQMByaduoKUGn6VK
-lE7xO0JMRRIqPwRH3vyazcUuVnFtPToBfV82fSvKt9R/xb7lTA8cWk8CgYEA4Naw
-LLwIaL8Drq8BCwJUIrSuZCKcS8542AA+Qz3ivTIMbZshiSE27cLTurFQhpjC7fu3
-V3DQWbQLk3wdg3wAVA7uADlqwCY9SdKo8HstUBaM/GVgPSfxEIRohSHN6KY5NP0r
-tAWKDEcvfuiiV+YFtwz1tXVZl0OpvRpRxzYHYZsCgYEAsziqkjqgYWiTv9D/zS7n
-hAlmtgBSJAg1vQUF5xupp0RQvKiNKponocJiUq9LMnqNq4jZjRoMGrJrxXQV+njD
-neUbsn3b+EjjskCzAz4Con858KYH9mj/1OAlS0XndKpKJyx2DkHwuf44ac3j4aPH
-+yMOyEZ1XFYqVaWFS4eov4sCgYEAppvwaPXddWE2pVdhenr7RcyF/gX3s+UIf2eO
-u908C97ufroaG7fVMFLS+uEyPsssh5WjwtQCULaubVfntutIgwGdM+VYSZMMj4vf
-THS6m0Jarx2gNzFF3WuA2Ea4gtHKSo3guMHyDi8h7vUMd/4n9gFQgmq3PPQS7+J0
-/x32UkkCgYBboPnH4jVSqN0vfFtvsGhxXW4lxJQab6bMQ58DvhitKh8O1r+WCbCY
-ynhyc7ne7DCLfyH1Blv8jG+tjBNaDQgoGIuJ+Bpmwon0T2hUqCQbts12a3ZEffP9
-Wmk8MKKy7fu4RDFh0KHai1Fqa3AmVn8Jhq+kCGbueSOMkRwy0tCetg==
+MIIEowIBAAKCAQEAuucc7z0K7F10VbEOK3K5rzhdIHVld/CSpYR1K0udP/09EueR
+VEgZLlV1AwmQ8XTn9Mv+R2jG94ZuvPpXeQf6DbaD5SVlukoHPDixEUMvahqcEdJl
+zQ+Ep2faK+0Q1fLQBIPx86ua5ul8tlgpUkfpx4NrVYdks3Xt/Y+6PIryaRz83xMm
+Yd+8vaCImNvxT0KWwHvJ90nrNOA944WUaMrHXLp3lrht4eQyfV+CIWVATOeJxDuS
+EBJcmJxesWPy7RspH/PsnYrgGaWReRRhn6Iige13SMIUpStV0RXgWx0asgBY6Ujb
+asukT3SSDS7Hm8BugzUsXC5vdQumSWmqru0KdQIDAQABAoIBABPIjNaB9psIVV0Q
+rbhJn3/9jlX2NzRX4Z3lhGV9znpMet96ZXavXwL5hrY4mAAG6NqPkS3L2Guw7h3Q
+vduQzZYQAKwLplXuqg9kzNFP9D/d6zEzvRTUlK0HoB9QK50J45zmvoCVZIMWqd2/
+PTh5ZjR5I65c83rPe86AHS11Y61edr+vvGtI07kvj7EzR3jie0Lzzpj7TbmjTt5U
+v9rskcxjulQOmp8t/3ouptUhi16PRXPof0yzRGo6rrCUoQ7Cuy1dbFZ96dIBxrt4
+h9suE6MtpXdsGfI5FZPOKHqUcw8hZfUgeOYm4OTV3vBYie0xJ77i9YgqR+UwymjA
+NK4AOY0CgYEA553JtUvl8py76HjL3DxfbU38Dq22AF9sdUAs9Xwy9B8Y6R9SyrPI
+nab+3EE0gz5NnFLFCILK4A7ewe3OB3bE7/P4mc7JlUWM2LAcBz7K50seIKD3r+cj
+VzLHarOBi/VZ0pe1lDj/cuQ6cXTLHbKtk2XGCRnCBMJlog4ruFMYJ+sCgYEAzpRD
+3YtuQcT0rtvK05BcdWD3nGgsrAauLvKz80LIu4zX9nfz/H6lNRpZYJ2jrLR1ikbX
+XVWIsNlWizAuWEbGokUEYDTuhkh3591nrdPyB6/0Lm2Snl+q7mKIUFrZ08MXe7U8
+Z/qPq2VLVSzCyoGX0l4GuNymgDH6NVR/i5yQXx8CgYBNJ1OUz+aWbb1ukCagg3/q
+QksPfLAe6aqQWENhtvCmP2Gl7mg+26qdUY6eQh5DBdMGms/FqQP5pRpxEU1LUTYD
+FIsgeTDPR67GU8vSYglnCK/NgLFhaCZumpyxH4Cs5Zr5Os4ixOXbGMmbF6O9jdKi
+Qgm46FqoCTWfyQapTQzD5wKBgGQV4WuNCjZDPmkZhANMhf84o77bmgkek3WbkSPi
+z25OprN7GnLSySgZRARTW+Fo7Sm5eM53impkYlG9XjbW05X66kvSWV4l7jIgSwMl
+FLY0wZFc9RRWNXKZuoF0AuVeOBpvjHy0ILdhtEXoEdgbQXtios8d2G1zyU3dSo5R
+pIDxAoGBAIlXeI9tB0X9ywXKylI3CyHi8ex/k6o4WTj/5fH4bYp4faHBRm78Ho81
+Ih9rewMw7fMC3YUN3rcyvHRQqbJ2Wcxpyf0k45GMxTRasoVXCXgV/sMNCHh/ddZM
+Gf5ZTeq10gJPofBlPObg5VrlCLRnIFaNI4izpq2A+/FqTrEvSGlf
 -----END RSA PRIVATE KEY-----

data/spec/fixtures/rsa_rsa_ocsp.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4TCCAcmgAwIBAgIJALkL6IyOlMwWMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB3Rlc3QtY2EwHhcNMTkxMTI2MDczMzExWhcNMjkxMTIzMDczMzExWjAUMRIw
+EAYDVQQDDAl0ZXN0LW9jc3AwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDapLrB5S2yXQ9Wt/O9SZzoMW8IChsPgtZYC8h4Z/bcbqRb/6Bq5YfcYxq84cD/
+8xn7e8R2OCNgva8GBlMy7d0czt3ysLnNlZ+dPu7MU4yS/R40LOhMGEf71mf6PLqj
+1ecaEclgbIhyIGHlUXQIAnhhpAwzHxKVAhcgBgQFs8NgNViAE3BpjyUW0qXE5RUY
+BQ7V9/Kn/fnsfOk6jMF20V2Kxn5Sj/c+D59+vFX3FmQyqsTKoAKoUuNsFOvHGV0d
+gxLggE5wq4AodrA40MY95HgCZ2rDfEKgfc9rKhLGz6s0etGFMVtjqK6YvpQYUOaS
+8JStLrGF1eINoJJFibIf69v9AgMBAAGjODA2MAkGA1UdEwQCMAAwEwYDVR0lBAww
+CgYIKwYBBQUHAwkwFAYDVR0RBA0wC4IJdGVzdC1vY3NwMA0GCSqGSIb3DQEBCwUA
+A4IBAQBHC6jRQyZhBJIdfP9CGpNO1dNHicwpFJ61ofwgzW1jEkVfBtVpqvEaEbYE
+LVxru1s8VY281trhwRuZkDRv5hB/CUUbdPICwQlkyCdUoYURrJEm/mirK9494AGh
+f33S+bMXZGAYLYoPYlSGj8EpL1Do3nvJK8//coRJlTEBcfgIIUlRMaeOiGrg3zpM
+1KGxO3GtG1mpod7BEMv3ZGI85p8wXF4N2Z+phBoAyRGW+R4VW3tF5bbqiKlRr3Lt
+HNsuXHSQykKpxD085eeQLTZGVESrCcmNv8XvVxwGE1r0kmlwexADNvP3HDXseie+
+8QFIt+zvJb/lDy4xbCT/M4a7L9Gn
+-----END CERTIFICATE-----

data/spec/fixtures/rsa_rsa_ocsp.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA2qS6weUtsl0PVrfzvUmc6DFvCAobD4LWWAvIeGf23G6kW/+g
+auWH3GMavOHA//MZ+3vEdjgjYL2vBgZTMu3dHM7d8rC5zZWfnT7uzFOMkv0eNCzo
+TBhH+9Zn+jy6o9XnGhHJYGyIciBh5VF0CAJ4YaQMMx8SlQIXIAYEBbPDYDVYgBNw
+aY8lFtKlxOUVGAUO1ffyp/357HzpOozBdtFdisZ+Uo/3Pg+ffrxV9xZkMqrEyqAC
+qFLjbBTrxxldHYMS4IBOcKuAKHawONDGPeR4Amdqw3xCoH3PayoSxs+rNHrRhTFb
+Y6iumL6UGFDmkvCUrS6xhdXiDaCSRYmyH+vb/QIDAQABAoIBAQC/s1D/siYHzeol
++XFelI1bVARqwxmI1wmB9wrU7yqViPjYpN+M+iTNyaLm2vUyNH6ibZkKohv6tTUh
+DiiibcXBfWtCX0r5gueIomYThmmpcv6pdnpSRbPPjeRqlhZ6kZBn3hJ3VZGoptXO
+j0UxxKCx03jS1bqgJU4LSNr7+OojjeKh8D9bxwCizhGx9239QwChtQTPr4U3aeTb
+Qwx8WtNH/2zvpdylyXW/eg8MO4WPYXpxWSGQnRJG5knPa7hF+iRnszysbUPNBVUd
+TUQJHBdtukt+7hDbPyMpMu0DwpqhOqsEk2avacWuCYEEE/SWmJ/mvLokbfECSUpy
+ZqfXJPLNAoGBAPtd+m2YVmLJmjO2skv+zGG5KhHNF2cY6xLQWuHW/yChNjSzpLYm
+YygyOd4hBH39ieQkBRs0QOX9S5Dzv6ERU1cr0CVDJeb9TQ9UTxXc01paJ+aoZNr5
+uHoGO16xBR4tmidc4HmbHDFSwmRAFhkooHM9MVACUFABIdWqwEwSZa/HAoGBAN6s
+WhPrsDyRAfKFV9bwD1P5aMPu6pjWOFO3bRIisPRtVzilamCkKvXCh1SyYHaNRjjG
+fQYEZeCZTxHi7GxZltRG5DRsmm8rDz6E4OrTQMHfQNDiuw78uZZ9+YYwaIM3nt1i
+/lN2hs79zj/HPf5qX9rw+CarOL0bdW97a/Monx4bAoGAeMqXXfT3hi9E15bypQxD
+IK6/JaC9n0BdLkRLd/09ymtNxhORkipuOdGw9yo8o2Kj0arxfTol+Z83oedP7dGK
+j/gw5McYvqB4WGZ2PpZIRkHOrMu883FPEexOuVktkWvuiP3brPQ5nwYa/dvCAsMA
+H4CHYuBJwbhZjvinwaaRkN8CgYA9sQh/zmOUVCRy+Yh9jyLgBBCHgDDUyTzvzLjW
+NnBKN+TbV9DiF3mjfxKZX5YkIj3bSvqmaR+Em1Txwqn31tZX15AwCgq7U/W0P4JE
+7ORbEixV8wsaOuB8FkjEabL677T+5wdJPmRZAq5asyu0yenmsa4+oF9m3S2rBknB
+I3b6EwKBgQD1+0+xdGomMeKHg8jWuDytdlWmNXmbiV0g2yOm533jG67vGDPfgd0H
+PNC62d7r5EhIVJwQZmW/GdOfZ7tI91XN+GjNyslr9t299hoMeRMT+Db2U+mQvKuS
+Oz+MHhO8YnOz9GFbQShqiCFj4zTU/0Ga/BY8Y52lURftt/QIXo+7Vg==
+-----END RSA PRIVATE KEY-----

data/spec/server_hello_spec.rb

@@ -187,7 +187,7 @@ RSpec.describe ServerHello do
     let(:message) do
       sh = ServerHello.deserialize(TESTBINARY_SERVER_HELLO)
       extensions = sh.instance_variable_get(:@extensions)
-      extensions[ExtensionType::SUPPORTED_VERSIONS] = nil
+      extensions.delete(ExtensionType::SUPPORTED_VERSIONS)
       sh.instance_variable_set(:@extensions, extensions)
       sh
     end

data/spec/signature_algorithms_cert_spec.rb

@@ -24,6 +24,8 @@ RSpec.describe SignatureAlgorithmsCert do
     end
 
     it 'should be generated' do
+      expect(extension).to be_a(SignatureAlgorithmsCert)
+
       expect(extension.extension_type)
         .to eq ExtensionType::SIGNATURE_ALGORITHMS_CERT
       expect(extension.supported_signature_algorithms)
@@ -58,6 +60,8 @@ RSpec.describe SignatureAlgorithmsCert do
     end
 
     it 'should generate valid object' do
+      expect(extension).to be_a(SignatureAlgorithmsCert)
+
       expect(extension.extension_type)
         .to eq ExtensionType::SIGNATURE_ALGORITHMS_CERT
       expect(extension.supported_signature_algorithms)