spec/fixtures.rb in r509-0.8.1 vs spec/fixtures.rb in r509-0.9

- old
+ new

@@ -1,233 +1,309 @@ require 'spec_helper' require 'pathname' require 'r509/io_helpers' module TestFixtures - extend R509::IOHelpers + extend R509::IOHelpers - FIXTURES_PATH = Pathname.new(__FILE__).dirname + "fixtures" + FIXTURES_PATH = Pathname.new(__FILE__).dirname + "fixtures" - def self.read_fixture(filename) - read_data((FIXTURES_PATH + filename).to_s) - end + def self.read_fixture(filename) + read_data((FIXTURES_PATH + filename).to_s) + end - #Trustwave cert for langui.sh - CERT = read_fixture('cert1.pem') + #Trustwave cert for langui.sh + CERT = read_fixture('cert1.pem') - #Trustwave root cert - STCA_CERT = read_fixture('stca.pem') + CERT_INHIBIT = read_fixture('cert_inhibit.pem') + CERT_POLICY_CONSTRAINTS = read_fixture('cert_policy_constraints.pem') + CERT_NAME_CONSTRAINTS = read_fixture('cert_name_constraints.pem') - CERT_PUBLIC_KEY_MODULUS = read_fixture('cert1_public_key_modulus.txt') + #Trustwave root cert + STCA_CERT = read_fixture('stca.pem') - # cert without key usage - CERT4 = read_fixture('cert4.pem') + CERT_PUBLIC_KEY_MODULUS = read_fixture('cert1_public_key_modulus.txt') - # cert with multiple EKU - CERT5 = read_fixture('cert5.pem') + # cert without key usage + CERT4 = read_fixture('cert4.pem') - # cert with DSA public key - CERT6 = read_fixture('cert6.pem') + # cert with multiple EKU + CERT5 = read_fixture('cert5.pem') - CERT_EXPIRED = read_fixture("cert_expired.pem") + # cert with DSA public key + CERT6 = read_fixture('cert6.pem') - CERT_NOT_YET_VALID = read_fixture("cert_not_yet_valid.pem") + CERT_EXPIRED = read_fixture("cert_expired.pem") - DSA_KEY = read_fixture('dsa_key.pem') + CERT_NOT_YET_VALID = read_fixture("cert_not_yet_valid.pem") - # this CSR has unknown OIDs, which we should successfully parse out into Subject - CSR_UNKNOWN_OID = read_fixture('unknown_oid.csr') + DSA_KEY = read_fixture('dsa_key.pem') + # this CSR has unknown OIDs, which we should successfully parse out into Subject + CSR_UNKNOWN_OID = 
read_fixture('unknown_oid.csr') - #san cert from self-signed CA for langui.sh - CERT_SAN = read_fixture('cert_san.pem') - #Another san cert for langui.sh, but differentiating between the CN and - # SANs. - CERT_SAN2 = read_fixture('cert_san2.pem') + #san cert from self-signed CA for langui.sh + CERT_SAN = read_fixture('cert_san.pem') - CERT_DER = read_fixture('cert1.der') + #Another san cert for langui.sh, but differentiating between the CN and + # SANs. + CERT_SAN2 = read_fixture('cert_san2.pem') - SPKI = read_fixture('spkac.txt') + CERT_DER = read_fixture('cert1.der') - SPKI_DER = read_fixture('spkac.der') + SPKI = read_fixture('spkac.txt') - SPKI_DSA = read_fixture('spkac_dsa.txt') + SPKI_DER = read_fixture('spkac.der') - CSR = read_fixture('csr1.pem') + SPKI_DSA = read_fixture('spkac_dsa.txt') - CSR_PUBLIC_KEY_MODULUS = read_fixture('csr1_public_key_modulus.txt') + SPKI_DSA_NO_VERIFY = read_fixture('spkac_dsa_no_verify.txt') - CSR_INVALID_SIGNATURE = read_fixture('csr_invalid_signature.pem') + SPKI_EC = read_fixture('spkac_ec.txt') - CSR_DER = read_fixture('csr1.der') + SPKI_RSA_NEWLINES = read_fixture('spkac_rsa_newlines.txt') - CSR_NEWLINES = read_fixture('csr1_newlines.pem') + CSR = read_fixture('csr1.pem') - CSR_NO_BEGIN_END = read_fixture('csr1_no_begin_end.pem') + CSR_PUBLIC_KEY_MODULUS = read_fixture('csr1_public_key_modulus.txt') - CSR_DSA = read_fixture('csr_dsa.pem') + CSR_INVALID_SIGNATURE = read_fixture('csr_invalid_signature.pem') - KEY_CSR = read_fixture('csr1_key.pem') + CSR_DER = read_fixture('csr1.der') - KEY_CSR_DER = read_fixture('csr1_key.der') + CSR_NEWLINES = read_fixture('csr1_newlines.pem') - KEY_CSR_ENCRYPTED = read_fixture('csr1_key_encrypted_des3.pem') + CSR_NO_BEGIN_END = read_fixture('csr1_no_begin_end.pem') - CSR2 = read_fixture('csr2.pem') + CSR_DSA = read_fixture('csr_dsa.pem') - KEY_CSR2 = read_fixture('csr2_key.pem') + KEY_CSR = read_fixture('csr1_key.pem') - CSR3 = read_fixture('csr3.pem') + KEY_CSR_DER = 
read_fixture('csr1_key.der') - CERT3 = read_fixture('cert3.pem') + KEY_CSR_ENCRYPTED = read_fixture('csr1_key_encrypted_des3.pem') - KEY3 = read_fixture('cert3_key.pem') + CSR2 = read_fixture('csr2.pem') - KEY3_ENCRYPTED = read_fixture('cert3_key_des3.pem') + KEY_CSR2 = read_fixture('csr2_key.pem') - CERT3_P12 = read_fixture('cert3.p12') + CSR3 = read_fixture('csr3.pem') - CSR4_MULTIPLE_ATTRS = read_fixture('csr4.pem') + CERT3 = read_fixture('cert3.pem') - KEY4_ENCRYPTED_DES3 = read_fixture('key4_encrypted_des3.pem') + KEY3 = read_fixture('cert3_key.pem') - KEY4 = read_fixture('key4.pem') + KEY3_ENCRYPTED = read_fixture('cert3_key_des3.pem') - TEST_CA_CERT = read_fixture('test_ca.cer') - TEST_CA_KEY = read_fixture('test_ca.key') + CERT3_P12 = read_fixture('cert3.p12') - TEST_CA_OCSP_CERT = read_fixture('test_ca_ocsp.cer') - TEST_CA_OCSP_KEY = read_fixture('test_ca_ocsp.key') + CSR4_MULTIPLE_ATTRS = read_fixture('csr4.pem') - TEST_CA_SUBROOT_CERT = read_fixture('test_ca_subroot.cer') - TEST_CA_SUBROOT_KEY = read_fixture('test_ca_subroot.key') + KEY4_ENCRYPTED_DES3 = read_fixture('key4_encrypted_des3.pem') - #this chain contains 2 certs. 
root and OCSP delegate - #in a prod environment you'd really only need the delegate - #since the root would be present in the root store of the - #client, but I wanted to test > 1 - TEST_CA_OCSP_CHAIN = read_fixture('test_ca_ocsp_chain.txt') + KEY4 = read_fixture('key4.pem') - TEST_CA_OCSP_RESPONSE = read_fixture('test_ca_ocsp_response.der') + CERT_OCSP_NO_CHECK = read_fixture('cert_ocsp_no_check.pem') - TEST_CA_SUBROOT_OCSP_RESPONSE = read_fixture('test_ca_subroot_ocsp_response.der') + EC_KEY1 = read_fixture('ec_key1.pem') + EC_KEY1_DER = read_fixture('ec_key1.der') + EC_KEY1_ENCRYPTED = read_fixture('ec_key1_encrypted.pem') - SECOND_CA_CERT = read_fixture('second_ca.cer') - SECOND_CA_KEY = read_fixture('second_ca.key') + EC_CSR2_PEM = read_fixture('ec_csr2.pem') + EC_CSR2_DER = read_fixture('ec_csr2.der') + EC_KEY2 = read_fixture('ec_key2.pem') - OCSP_TEST_CERT = read_fixture('ocsptest.r509.local.pem') - OCSP_TEST_CERT2 = read_fixture('ocsptest2.r509.local.pem') + EC_EE_CERT = read_fixture("test_ca_ec_ee.cer") + EC_EE_KEY = read_fixture("test_ca_ec_ee.key") - STCA_OCSP_REQUEST = read_fixture('stca_ocsp_request.der') - STCA_OCSP_RESPONSE = read_fixture('stca_ocsp_response.der') + DSA_CA_CERT = read_fixture('dsa_root.cer') + DSA_CA_KEY = read_fixture('dsa_root.key') - CRL_LIST_FILE = (FIXTURES_PATH+'crl_list_file.txt').to_s + TEST_CA_EC_CERT = read_fixture('test_ca_ec.cer') + TEST_CA_EC_KEY = read_fixture('test_ca_ec.key') - CRL_REASON = read_fixture("crl_with_reason.pem") + TEST_CA_CERT = read_fixture('test_ca.cer') + TEST_CA_KEY = read_fixture('test_ca.key') - def self.test_ca_cert - R509::Cert.new(:cert => TEST_CA_CERT, :key => TEST_CA_KEY) - end + TEST_CA_OCSP_CERT = read_fixture('test_ca_ocsp.cer') + TEST_CA_OCSP_KEY = read_fixture('test_ca_ocsp.key') - def self.test_ca_subroot_cert - R509::Cert.new(:cert => TEST_CA_SUBROOT_CERT, :key => TEST_CA_SUBROOT_KEY) - end + TEST_CA_SUBROOT_CERT = read_fixture('test_ca_subroot.cer') + TEST_CA_SUBROOT_KEY = 
read_fixture('test_ca_subroot.key') - def self.test_ca_server_profile - R509::Config::CaProfile.new( - :basic_constraints => "CA:FALSE", - :key_usage => ["digitalSignature","keyEncipherment"], - :extended_key_usage => ["serverAuth"], - :certificate_policies => [ - [ - "policyIdentifier=2.16.840.1.12345.1.2.3.4.1", - "CPS.1=http://example.com/cps" - ] - ] - ) + #this chain contains 2 certs. root and OCSP delegate + #in a prod environment you'd really only need the delegate + #since the root would be present in the root store of the + #client, but I wanted to test > 1 + TEST_CA_OCSP_CHAIN = read_fixture('test_ca_ocsp_chain.txt') - end + TEST_CA_OCSP_RESPONSE = read_fixture('test_ca_ocsp_response.der') - def self.test_ca_server_profile_with_subject_item_policy - subject_item_policy = R509::Config::SubjectItemPolicy.new( - "CN" => "required", - "O" => "optional", - "ST" => "required", - "C" => "required", - "OU" => "optional" - ) - R509::Config::CaProfile.new( - :basic_constraints => "CA:FALSE", - :key_usage => ["digitalSignature","keyEncipherment"], - :extended_key_usage => ["serverAuth"], - :certificate_policies => [ - [ - "policyIdentifier=2.16.840.1.12345.1.2.3.4.1", - "CPS.1=http://example.com/cps" - ] - ], - :subject_item_policy => subject_item_policy - ) - end + TEST_CA_SUBROOT_OCSP_RESPONSE = read_fixture('test_ca_subroot_ocsp_response.der') - def self.test_ca_subroot_profile - R509::Config::CaProfile.new( - :basic_constraints => "CA:TRUE,pathlen:0", - :key_usage => ["keyCertSign","cRLSign"], - :extended_key_usage => [], - :certificate_policies => nil) - end + SECOND_CA_CERT = read_fixture('second_ca.cer') + SECOND_CA_KEY = read_fixture('second_ca.key') - def self.test_ca_ocspsigner_profile - R509::Config::CaProfile.new( - :basic_constraints => "CA:FALSE", - :key_usage => ["digitalSignature"], - :extended_key_usage => ["OCSPSigning"], - :certificate_policies => nil) - end + OCSP_TEST_CERT = read_fixture('ocsptest.r509.local.pem') + OCSP_TEST_CERT2 = 
read_fixture('ocsptest2.r509.local.pem') - # @return [R509::Config::CaConfig] - def self.test_ca_config - crl_list_sio = StringIO.new - crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding) - crl_number_sio = StringIO.new - crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding) + STCA_OCSP_REQUEST = read_fixture('stca_ocsp_request.der') + STCA_OCSP_RESPONSE = read_fixture('stca_ocsp_response.der') - opts = { - :ca_cert => test_ca_cert(), - :cdp_location => 'URI:http://crl.domain.com/test_ca.crl', - :ocsp_location => 'URI:http://ocsp.domain.com', - :ocsp_start_skew_seconds => 3600, - :ocsp_validity_hours => 48, - :crl_list_file => crl_list_sio, - :crl_number_file => crl_number_sio - } - ret = R509::Config::CaConfig.new(opts) + CRL_LIST_FILE = (FIXTURES_PATH+'crl_list_file.txt').to_s - ret.set_profile("server", self.test_ca_server_profile) - ret.set_profile("subroot", self.test_ca_subroot_profile) - ret.set_profile("ocspsigner", self.test_ca_ocspsigner_profile) - ret.set_profile("server_with_subject_item_policy", self.test_ca_server_profile_with_subject_item_policy) + CRL_REASON = read_fixture("crl_with_reason.pem") - ret - end + HMACSHA512_SIG = read_fixture("hmacsha512.sig") + HMACSHA1_SIG = read_fixture("hmacsha1.sig") - # @return [R509::Config::CaConfig] - def self.test_ca_no_profile_config - crl_list_sio = StringIO.new - crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding) - crl_number_sio = StringIO.new - crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding) + def self.test_ca_cert + R509::Cert.new(:cert => TEST_CA_CERT, :key => TEST_CA_KEY) + end - opts = { - :ca_cert => test_ca_cert(), - :cdp_location => 'URI:http://crl.domain.com/test_ca.crl', - :ocsp_location => 'URI:http://ocsp.domain.com', - :ocsp_start_skew_seconds => 3600, - :ocsp_validity_hours => 48, - :crl_list_file => crl_list_sio, - :crl_number_file => crl_number_sio + def 
self.test_ca_ec_cert + R509::Cert.new(:cert => TEST_CA_EC_CERT, :key => TEST_CA_EC_KEY) + end + + def self.test_ca_dsa_cert + R509::Cert.new(:cert => DSA_CA_CERT, :key => DSA_CA_KEY) + end + + def self.test_ca_subroot_cert + R509::Cert.new(:cert => TEST_CA_SUBROOT_CERT, :key => TEST_CA_SUBROOT_KEY) + end + + def self.test_ca_server_profile + R509::Config::CAProfile.new( + :basic_constraints => {"ca" => false }, + :key_usage => ["digitalSignature","keyEncipherment"], + :extended_key_usage => ["serverAuth"], + :certificate_policies => [ + { "policy_identifier" => "2.16.840.1.12345.1.2.3.4.1", + "cps_uris" => ["http://example.com/cps","http://other.com/cps"], + "user_notices" => [ {"explicit_text" => "thing", "organization" => "my org", "notice_numbers" => "1,2,3,4"} ] + } + ] + ) + + end + + def self.test_ca_server_profile_with_subject_item_policy + subject_item_policy = R509::Config::SubjectItemPolicy.new( + "CN" => "required", + "O" => "optional", + "ST" => "required", + "C" => "required", + "OU" => "optional" + ) + R509::Config::CAProfile.new( + :basic_constraints => {"ca" => false }, + :key_usage => ["digitalSignature","keyEncipherment"], + :extended_key_usage => ["serverAuth"], + :certificate_policies => [ + { "policy_identifier" => "2.16.840.1.12345.1.2.3.4.1", +"cps_uris" => ["http://example.com/cps","http://other.com/cps"], +"user_notices" => [ {"explicit_text" => "thing", "organization" => "my org", "notice_numbers" => "1,2,3,4"} ] } - R509::Config::CaConfig.new(opts) - end + ], + :subject_item_policy => subject_item_policy + ) + end + + def self.test_ca_subroot_profile + R509::Config::CAProfile.new( + :basic_constraints => {"ca" => true, "path_length" => 0 }, + :key_usage => ["keyCertSign","cRLSign"], + :extended_key_usage => [], + :certificate_policies => nil) + end + + def self.test_ca_ocspsigner_profile + R509::Config::CAProfile.new( + :basic_constraints => { "ca" => false }, + :key_usage => ["digitalSignature"], + :extended_key_usage => ["OCSPSigning"], 
+ :certificate_policies => nil)
+ end
+
+ # @return [R509::Config::CAConfig]
+ def self.test_ca_config
+ crl_list_sio = StringIO.new
+ crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding)
+ crl_number_sio = StringIO.new
+ crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding)
+
+ opts = {
+ :ca_cert => test_ca_cert(),
+ :cdp_location => ['http://crl.domain.com/test_ca.crl'],
+ :ocsp_location => ['http://ocsp.domain.com'],
+ :ocsp_start_skew_seconds => 3600,
+ :ocsp_validity_hours => 48,
+ :crl_list_file => crl_list_sio,
+ :crl_number_file => crl_number_sio
+ }
+ ret = R509::Config::CAConfig.new(opts)
+
+ ret.set_profile("server", self.test_ca_server_profile)
+ ret.set_profile("subroot", self.test_ca_subroot_profile)
+ ret.set_profile("ocspsigner", self.test_ca_ocspsigner_profile)
+ ret.set_profile("server_with_subject_item_policy", self.test_ca_server_profile_with_subject_item_policy)
+
+ ret
+ end
+
+ # @return [R509::Config::CAConfig]
+ def self.test_ca_no_profile_config
+ crl_list_sio = StringIO.new
+ crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding)
+ crl_number_sio = StringIO.new
+ crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding)
+
+ opts = {
+ :ca_cert => test_ca_cert(),
+ :cdp_location => ['http://crl.domain.com/test_ca.crl'],
+ :ocsp_location => ['http://ocsp.domain.com'],
+ :ocsp_start_skew_seconds => 3600,
+ :ocsp_validity_hours => 48,
+ :crl_list_file => crl_list_sio,
+ :crl_number_file => crl_number_sio
+ }
+ R509::Config::CAConfig.new(opts)
+ end
+
+ def self.test_ca_ec_no_profile_config
+ crl_list_sio = StringIO.new
+ crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding)
+ crl_number_sio = StringIO.new
+ crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding)
+
+ opts = {
+ :ca_cert => test_ca_ec_cert(),
+ :cdp_location => ['http://crl.domain.com/test_ca.crl'],
+ :ocsp_location => ['http://ocsp.domain.com'],
+ :ocsp_start_skew_seconds => 3600,
+ :ocsp_validity_hours => 48,
+ :crl_list_file => crl_list_sio,
+ :crl_number_file => crl_number_sio
+ }
+ R509::Config::CAConfig.new(opts)
+ end
+
+ def self.test_ca_dsa_no_profile_config
+ crl_list_sio = StringIO.new
+ crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding)
+ crl_number_sio = StringIO.new
+ crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding)
+
+ opts = {
+ :ca_cert => test_ca_dsa_cert(),
+ :cdp_location => ['http://crl.domain.com/test_ca.crl'],
+ :ocsp_location => ['http://ocsp.domain.com'],
+ :ocsp_start_skew_seconds => 3600,
+ :ocsp_validity_hours => 48,
+ :crl_list_file => crl_list_sio,
+ :crl_number_file => crl_number_sio
+ }
+ R509::Config::CAConfig.new(opts)
+ end
 end
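Review bot: The four builders `test_ca_config`, `test_ca_no_profile_config`, `test_ca_ec_no_profile_config` and `test_ca_dsa_no_profile_config` at the end of the hunk repeat the same StringIO setup and option hash verbatim, differing only in the `:ca_cert` value. A single `build_ca_config(ca_cert)` helper would keep the CRL/OCSP settings in one place, so a later change to, say, `:ocsp_validity_hours` or the CDP list cannot silently diverge between the RSA, EC and DSA configs that the specs compare against each other. While consolidating, note that `http://crl.domain.com` and `http://ocsp.domain.com` appear to name a real registered domain rather than an RFC 2606 reserved one; if any spec ever resolves these URIs it would reach a third party, so `example.com` looks like the safer fixture value. The rewrite below keeps every public method name so existing specs need no change.
```ruby
  # Builds a CAConfig around +ca_cert+ with in-memory (StringIO) CRL list and
  # CRL number stores, using the same CDP/OCSP settings for every test CA.
  def self.build_ca_config(ca_cert)
    crl_list_sio = StringIO.new
    crl_list_sio.set_encoding("BINARY") if crl_list_sio.respond_to?(:set_encoding)
    crl_number_sio = StringIO.new
    crl_number_sio.set_encoding("BINARY") if crl_number_sio.respond_to?(:set_encoding)

    R509::Config::CAConfig.new(
      :ca_cert => ca_cert,
      :cdp_location => ['http://crl.example.com/test_ca.crl'],
      :ocsp_location => ['http://ocsp.example.com'],
      :ocsp_start_skew_seconds => 3600,
      :ocsp_validity_hours => 48,
      :crl_list_file => crl_list_sio,
      :crl_number_file => crl_number_sio
    )
  end

  # @return [R509::Config::CAConfig]
  def self.test_ca_config
    ret = build_ca_config(test_ca_cert)
    ret.set_profile("server", self.test_ca_server_profile)
    # … unchanged: remaining set_profile calls …
    ret
  end

  # @return [R509::Config::CAConfig]
  def self.test_ca_no_profile_config
    build_ca_config(test_ca_cert)
  end

  def self.test_ca_ec_no_profile_config
    build_ca_config(test_ca_ec_cert)
  end

  def self.test_ca_dsa_no_profile_config
    build_ca_config(test_ca_dsa_cert)
  end
```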