spec/ocsp_spec.rb in r509-0.8.1 vs spec/ocsp_spec.rb in r509-0.9
- old
+ new
@@ -1,111 +1,111 @@
require 'spec_helper'
require 'r509/ocsp'
require 'openssl'
-describe R509::Ocsp::Response do
- before :all do
- @ocsp_test_cert = TestFixtures::OCSP_TEST_CERT
- @test_ca_config = TestFixtures.test_ca_config
- @test_ca_ocsp_response = TestFixtures::TEST_CA_OCSP_RESPONSE
- @test_ca_subroot_ocsp_response = TestFixtures::TEST_CA_SUBROOT_OCSP_RESPONSE
- @ocsp_response_der = TestFixtures::STCA_OCSP_RESPONSE
- @stca_cert = TestFixtures::STCA_CERT
- end
- it "raises an exception if you try to pass the wrong type to the constructor" do
- expect { R509::Ocsp::Response.new(@ocsp_response_der) }.to raise_error(R509::R509Error, 'You must pass an OpenSSL::OCSP::Response object to the constructor. See R509::Ocsp::Response.parse if you are trying to parse')
- end
- it "raises an exception if you pass nil to #parse" do
- expect { R509::Ocsp::Response.parse(nil) }.to raise_error(R509::R509Error, 'You must pass a DER encoded OCSP response to this method')
- end
- it "parses a response der and returns the right object on #parse" do
- ocsp_response = R509::Ocsp::Response.parse(@ocsp_response_der)
- ocsp_response.kind_of?(R509::Ocsp::Response).should == true
- ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
- end
- it "returns data on to_der" do
- ocsp_response = R509::Ocsp::Response.parse(@ocsp_response_der)
- ocsp_response.to_der.should_not == nil
- end
- it "returns a BasicResponse object on #basic" do
- ocsp_response = R509::Ocsp::Response.parse(@ocsp_response_der)
- ocsp_response.basic.kind_of?(OpenSSL::OCSP::BasicResponse).should == true
- end
- it "returns true if response verifies (in validity period, chain builds to trusted root that's provided)" do
- ocsp_response = R509::Ocsp::Response.parse(@test_ca_ocsp_response)
- ocsp_response.verify(TestFixtures.test_ca_config.ca_cert.cert).should == true
- end
- it "verify supports an single certificate and uses it to validate" do
- ocsp_response = R509::Ocsp::Response.parse(@test_ca_ocsp_response)
- ocsp_response.verify(TestFixtures.test_ca_config.ca_cert.cert).should == true
- end
- it "verify supports an array of certificates and uses all of them to validate a chain" do
- ocsp_response = R509::Ocsp::Response.parse(@test_ca_subroot_ocsp_response)
- ocsp_response.verify([TestFixtures.test_ca_config.ca_cert.cert,TestFixtures.test_ca_subroot_cert.cert]).should == true
- end
- it "verify returns false if you don't give it enough certs to build a chain to a trusted root" do
- ocsp_response = R509::Ocsp::Response.parse(@test_ca_subroot_ocsp_response)
- ocsp_response.verify([TestFixtures.test_ca_config.ca_cert.cert]).should == false
- end
- it "returns false if response does not verify" do
- #expired response
- ocsp_response = R509::Ocsp::Response.parse(@ocsp_response_der)
- ocsp_response.verify(OpenSSL::X509::Certificate.new(@stca_cert)).should == false
- end
- it "nonce is present and equal" do
- ocsp_request = OpenSSL::OCSP::Request.new
- ocsp_request.add_nonce
- basic_response = OpenSSL::OCSP::BasicResponse.new
- basic_response.copy_nonce(ocsp_request)
- response_double = double("ocsp_response")
- response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
- response_double.should_receive(:basic).and_return(basic_response)
- ocsp_response = R509::Ocsp::Response.new(response_double)
- ocsp_response.check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::PRESENT_AND_EQUAL
- end
- it "no nonce" do
- ocsp_request = OpenSSL::OCSP::Request.new
- basic_response = OpenSSL::OCSP::BasicResponse.new
- basic_response.copy_nonce(ocsp_request)
- response_double = double("ocsp_response")
- response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
- response_double.should_receive(:basic).and_return(basic_response)
- ocsp_response = R509::Ocsp::Response.new(response_double)
- ocsp_response.check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::BOTH_ABSENT
- end
- it "has a nonce in the response only" do
- ocsp_request = OpenSSL::OCSP::Request.new
- nonce_request = OpenSSL::OCSP::Request.new
- nonce_request.add_nonce
- basic_response = OpenSSL::OCSP::BasicResponse.new
- basic_response.copy_nonce(nonce_request)
- response_double = double("ocsp_response")
- response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
- response_double.should_receive(:basic).and_return(basic_response)
- ocsp_response = R509::Ocsp::Response.new(response_double)
- ocsp_response.check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::RESPONSE_ONLY
- end
- it "nonce in request and response is not equal" do
- ocsp_request = OpenSSL::OCSP::Request.new
- ocsp_request.add_nonce
- second_request = OpenSSL::OCSP::Request.new
- second_request.add_nonce
- basic_response = OpenSSL::OCSP::BasicResponse.new
- basic_response.copy_nonce(ocsp_request)
- response_double = double("ocsp_response")
- response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
- response_double.should_receive(:basic).and_return(basic_response)
- ocsp_response = R509::Ocsp::Response.new(response_double)
- ocsp_response.check_nonce(second_request).should == R509::Ocsp::Request::Nonce::NOT_EQUAL
- end
- it "nonce in request only" do
- ocsp_request = OpenSSL::OCSP::Request.new
- ocsp_request.add_nonce
- basic_response = OpenSSL::OCSP::BasicResponse.new
- response_double = double("ocsp_response")
- response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
- response_double.should_receive(:basic).and_return(basic_response)
- ocsp_response = R509::Ocsp::Response.new(response_double)
- ocsp_response.check_nonce(ocsp_request).should == R509::Ocsp::Request::Nonce::REQUEST_ONLY
- end
+describe R509::OCSP::Response do
+ before :all do
+ @ocsp_test_cert = TestFixtures::OCSP_TEST_CERT
+ @test_ca_config = TestFixtures.test_ca_config
+ @test_ca_ocsp_response = TestFixtures::TEST_CA_OCSP_RESPONSE
+ @test_ca_subroot_ocsp_response = TestFixtures::TEST_CA_SUBROOT_OCSP_RESPONSE
+ @ocsp_response_der = TestFixtures::STCA_OCSP_RESPONSE
+ @stca_cert = TestFixtures::STCA_CERT
+ end
+ it "raises an exception if you try to pass the wrong type to the constructor" do
+ expect { R509::OCSP::Response.new(@ocsp_response_der) }.to raise_error(R509::R509Error, 'You must pass an OpenSSL::OCSP::Response object to the constructor. See R509::OCSP::Response.parse if you are trying to parse')
+ end
+ it "raises an exception if you pass nil to #parse" do
+ expect { R509::OCSP::Response.parse(nil) }.to raise_error(R509::R509Error, 'You must pass a DER encoded OCSP response to this method')
+ end
+ it "parses a response der and returns the right object on #parse" do
+ ocsp_response = R509::OCSP::Response.parse(@ocsp_response_der)
+ ocsp_response.kind_of?(R509::OCSP::Response).should == true
+ ocsp_response.status.should == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+ end
+ it "returns data on to_der" do
+ ocsp_response = R509::OCSP::Response.parse(@ocsp_response_der)
+ ocsp_response.to_der.should_not == nil
+ end
+ it "returns a BasicResponse object on #basic" do
+ ocsp_response = R509::OCSP::Response.parse(@ocsp_response_der)
+ ocsp_response.basic.kind_of?(OpenSSL::OCSP::BasicResponse).should == true
+ end
+ it "returns true if response verifies (in validity period, chain builds to trusted root that's provided)" do
+ ocsp_response = R509::OCSP::Response.parse(@test_ca_ocsp_response)
+ ocsp_response.verify(TestFixtures.test_ca_config.ca_cert.cert).should == true
+ end
+ it "verify supports an single certificate and uses it to validate" do
+ ocsp_response = R509::OCSP::Response.parse(@test_ca_ocsp_response)
+ ocsp_response.verify(TestFixtures.test_ca_config.ca_cert.cert).should == true
+ end
+ it "verify supports an array of certificates and uses all of them to validate a chain" do
+ ocsp_response = R509::OCSP::Response.parse(@test_ca_subroot_ocsp_response)
+ ocsp_response.verify([TestFixtures.test_ca_config.ca_cert.cert,TestFixtures.test_ca_subroot_cert.cert]).should == true
+ end
+ it "verify returns false if you don't give it enough certs to build a chain to a trusted root" do
+ ocsp_response = R509::OCSP::Response.parse(@test_ca_subroot_ocsp_response)
+ ocsp_response.verify([TestFixtures.test_ca_config.ca_cert.cert]).should == false
+ end
+ it "returns false if response does not verify" do
+ #expired response
+ ocsp_response = R509::OCSP::Response.parse(@ocsp_response_der)
+ ocsp_response.verify(OpenSSL::X509::Certificate.new(@stca_cert)).should == false
+ end
+ it "nonce is present and equal" do
+ ocsp_request = OpenSSL::OCSP::Request.new
+ ocsp_request.add_nonce
+ basic_response = OpenSSL::OCSP::BasicResponse.new
+ basic_response.copy_nonce(ocsp_request)
+ response_double = double("ocsp_response")
+ response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
+ response_double.should_receive(:basic).and_return(basic_response)
+ ocsp_response = R509::OCSP::Response.new(response_double)
+ ocsp_response.check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::PRESENT_AND_EQUAL
+ end
+ it "no nonce" do
+ ocsp_request = OpenSSL::OCSP::Request.new
+ basic_response = OpenSSL::OCSP::BasicResponse.new
+ basic_response.copy_nonce(ocsp_request)
+ response_double = double("ocsp_response")
+ response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
+ response_double.should_receive(:basic).and_return(basic_response)
+ ocsp_response = R509::OCSP::Response.new(response_double)
+ ocsp_response.check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::BOTH_ABSENT
+ end
+ it "has a nonce in the response only" do
+ ocsp_request = OpenSSL::OCSP::Request.new
+ nonce_request = OpenSSL::OCSP::Request.new
+ nonce_request.add_nonce
+ basic_response = OpenSSL::OCSP::BasicResponse.new
+ basic_response.copy_nonce(nonce_request)
+ response_double = double("ocsp_response")
+ response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
+ response_double.should_receive(:basic).and_return(basic_response)
+ ocsp_response = R509::OCSP::Response.new(response_double)
+ ocsp_response.check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::RESPONSE_ONLY
+ end
+ it "nonce in request and response is not equal" do
+ ocsp_request = OpenSSL::OCSP::Request.new
+ ocsp_request.add_nonce
+ second_request = OpenSSL::OCSP::Request.new
+ second_request.add_nonce
+ basic_response = OpenSSL::OCSP::BasicResponse.new
+ basic_response.copy_nonce(ocsp_request)
+ response_double = double("ocsp_response")
+ response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
+ response_double.should_receive(:basic).and_return(basic_response)
+ ocsp_response = R509::OCSP::Response.new(response_double)
+ ocsp_response.check_nonce(second_request).should == R509::OCSP::Request::Nonce::NOT_EQUAL
+ end
+ it "nonce in request only" do
+ ocsp_request = OpenSSL::OCSP::Request.new
+ ocsp_request.add_nonce
+ basic_response = OpenSSL::OCSP::BasicResponse.new
+ response_double = double("ocsp_response")
+ response_double.should_receive(:kind_of?).and_return('OpenSSL::OCSP::Response')
+ response_double.should_receive(:basic).and_return(basic_response)
+ ocsp_response = R509::OCSP::Response.new(response_double)
+ ocsp_response.check_nonce(ocsp_request).should == R509::OCSP::Request::Nonce::REQUEST_ONLY
+ end
end
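Review bot: In the five nonce examples the double stubs `kind_of?` to return the string 'OpenSSL::OCSP::Response' rather than a boolean, so the constructor's type guard is satisfied only because any non-nil value is truthy. The stub also accepts any argument, so these examples would presumably keep passing if the guard in `R509::OCSP::Response.new` checked a different class or was loosened. Pinning both sides keeps the guard honest: `response_double.should_receive(:kind_of?).with(OpenSSL::OCSP::Response).and_return(true)`. Separately, "returns false if response does not verify" is marked only by the `#expired response` comment; the example cannot show whether the false result comes from the validity period or from the chain to `@stca_cert`. A one-line comment stating which condition is expected to fail, e.g. `# fixture's nextUpdate is in the past; signer chain is otherwise valid` (to be confirmed against the fixture), would make a later regression easier to triage.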