3 require File.join(File.dirname(__FILE__), "utils.rb")
10 class OpenSSL::TestPKCS7 < Test::Unit::TestCase
12 @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
13 @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
14 ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
15 ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
16 ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
20 ["basicConstraints","CA:TRUE",true],
21 ["keyUsage","keyCertSign, cRLSign",true],
22 ["subjectKeyIdentifier","hash",false],
23 ["authorityKeyIdentifier","keyid:always",false],
25 @ca_cert = issue_cert(ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts,
26 nil, nil, OpenSSL::Digest::SHA1.new)
28 ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
29 ["authorityKeyIdentifier","keyid:always",false],
30 ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
32 @ee1_cert = issue_cert(ee1, @rsa1024, 2, Time.now, Time.now+1800, ee_exts,
33 @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
34 @ee2_cert = issue_cert(ee2, @rsa1024, 3, Time.now, Time.now+1800, ee_exts,
35 @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
39 OpenSSL::TestUtils.issue_cert(*args)
43 store = OpenSSL::X509::Store.new
44 store.add_cert(@ca_cert)
47 data = "aaaaa\r\nbbbbb\r\nccccc\r\n"
48 tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs)
49 p7 = OpenSSL::PKCS7.new(tmp.to_der)
50 certs = p7.certificates
52 assert(p7.verify([], store))
53 assert_equal(data, p7.data)
54 assert_equal(2, certs.size)
55 assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
56 assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
57 assert_equal(1, signers.size)
58 assert_equal(@ee1_cert.serial, signers[0].serial)
59 assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
61 # Normaly OpenSSL tries to translate the supplied content into canonical
62 # MIME format (e.g. a newline character is converted into CR+LF).
63 # If the content is a binary, PKCS7::BINARY flag should be used.
65 data = "aaaaa\nbbbbb\nccccc\n"
66 flag = OpenSSL::PKCS7::BINARY
67 tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag)
68 p7 = OpenSSL::PKCS7.new(tmp.to_der)
69 certs = p7.certificates
71 assert(p7.verify([], store))
72 assert_equal(data, p7.data)
73 assert_equal(2, certs.size)
74 assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
75 assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
76 assert_equal(1, signers.size)
77 assert_equal(@ee1_cert.serial, signers[0].serial)
78 assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
80 # A signed-data which have multiple signatures can be created
81 # through the following steps.
82 # 1. create two signed-data
83 # 2. copy signerInfo and certificate from one to another
85 tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag)
86 tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag)
87 tmp1.add_signer(tmp2.signers[0])
88 tmp1.add_certificate(@ee2_cert)
90 p7 = OpenSSL::PKCS7.new(tmp1.to_der)
91 certs = p7.certificates
93 assert(p7.verify([], store))
94 assert_equal(data, p7.data)
95 assert_equal(2, certs.size)
96 assert_equal(2, signers.size)
97 assert_equal(@ee1_cert.serial, signers[0].serial)
98 assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
99 assert_equal(@ee2_cert.serial, signers[1].serial)
100 assert_equal(@ee2_cert.issuer.to_s, signers[1].issuer.to_s)
103 def test_detached_sign
104 store = OpenSSL::X509::Store.new
105 store.add_cert(@ca_cert)
106 ca_certs = [@ca_cert]
108 data = "aaaaa\nbbbbb\nccccc\n"
109 flag = OpenSSL::PKCS7::BINARY|OpenSSL::PKCS7::DETACHED
110 tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag)
111 p7 = OpenSSL::PKCS7.new(tmp.to_der)
112 a1 = OpenSSL::ASN1.decode(p7)
114 certs = p7.certificates
116 assert(!p7.verify([], store))
117 assert(p7.verify([], store, data))
118 assert_equal(data, p7.data)
119 assert_equal(2, certs.size)
120 assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
121 assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
122 assert_equal(1, signers.size)
123 assert_equal(@ee1_cert.serial, signers[0].serial)
124 assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
128 if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x0090704f
129 # PKCS7_encrypt() of OpenSSL-0.9.7d goes to SEGV.
130 # http://www.mail-archive.com/openssl-dev@openssl.org/msg17376.html
134 certs = [@ee1_cert, @ee2_cert]
135 cipher = OpenSSL::Cipher::AES.new("128-CBC")
136 data = "aaaaa\nbbbbb\nccccc\n"
138 tmp = OpenSSL::PKCS7.encrypt(certs, data, cipher, OpenSSL::PKCS7::BINARY)
139 p7 = OpenSSL::PKCS7.new(tmp.to_der)
140 recip = p7.recipients
141 assert_equal(:enveloped, p7.type)
142 assert_equal(2, recip.size)
144 assert_equal(@ca_cert.subject.to_s, recip[0].issuer.to_s)
145 assert_equal(2, recip[0].serial)
146 assert_equal(data, p7.decrypt(@rsa1024, @ee1_cert))
148 assert_equal(@ca_cert.subject.to_s, recip[1].issuer.to_s)
149 assert_equal(3, recip[1].serial)
150 assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert))