444a00a58682523db2db07d980694877e296bb03
[splhack/AndroidRuby.git] / lib / ruby-1.9.1-rc1 / test / openssl / test_x509crl.rb
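begin
  require "openssl"
  require File.join(File.dirname(__FILE__), "utils.rb")
rescue LoadError
  # Deliberately ignored: when OpenSSL cannot be loaded, the
  # defined?(OpenSSL) guard below skips the whole suite.
end
require "test/unit"

if defined?(OpenSSL)

# Tests for OpenSSL::X509::CRL: basic fields, revoked entries and their
# CRLReason extensions, CRL-level extensions, the crlNumber extension, and
# signature verification. Most tests also check that a CRL survives a DER
# round trip (to_der, then CRL.new).
#
# NOTE(review): the SHA1/DSS1 digests and the keys named RSA1024/DSA256/DSA512
# are fixtures of this legacy suite, not a recommendation for issuing CRLs.
class OpenSSL::TestX509CRL < Test::Unit::TestCase
  # Loads the shared test keys and builds the distinguished names used as
  # certificate subjects.
  def setup
    @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
    @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
    @dsa256  = OpenSSL::TestUtils::TEST_KEY_DSA256
    @dsa512  = OpenSSL::TestUtils::TEST_KEY_DSA512
    @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
    @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
    @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
  end

  def teardown
  end

  # Thin wrapper around OpenSSL::TestUtils.issue_crl. As called in this file
  # the arguments are: revoke_info, CRL number, last update, next update,
  # extensions, issuer certificate, issuer key, digest.
  def issue_crl(*args)
    OpenSSL::TestUtils.issue_crl(*args)
  end

  # Thin wrapper around OpenSSL::TestUtils.issue_cert. The argument order is
  # defined in utils.rb, which is not part of this file.
  def issue_cert(*args)
    OpenSSL::TestUtils.issue_cert(*args)
  end

  # Version, issuer and validity window of a freshly issued CRL, checked
  # before and after a DER round trip.
  def test_basic
    # Truncated to whole seconds so the value compares equal to the times
    # read back from the CRL.
    now = Time.at(Time.now.to_i)

    cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
                      nil, nil, OpenSSL::Digest::SHA1.new)
    crl = issue_crl([], 1, now, now+1600, [],
                    cert, @rsa2048, OpenSSL::Digest::SHA1.new)
    assert_basic_fields(crl, cert, now, now+1600)

    crl = OpenSSL::X509::CRL.new(crl.to_der)
    assert_basic_fields(crl, cert, now, now+1600)
  end

  # Revoked entries: serial, revocation time and CRLReason extension, for a
  # small list (before and after a DER round trip) and for a 1000-entry list.
  def test_revoked

    # CRLReason ::= ENUMERATED {
    #      unspecified             (0),
    #      keyCompromise           (1),
    #      cACompromise            (2),
    #      affiliationChanged      (3),
    #      superseded              (4),
    #      cessationOfOperation    (5),
    #      certificateHold         (6),
    #      removeFromCRL           (8),
    #      privilegeWithdrawn      (9),
    #      aACompromise           (10) }

    now = Time.at(Time.now.to_i)
    # Each entry is [serial, revocation time, CRLReason code]. The first two
    # times exercise the epoch and the 0x7fffffff boundary.
    revoke_info = [
      [1, Time.at(0),          1],
      [2, Time.at(0x7fffffff), 2],
      [3, now,                 3],
      [4, now,                 4],
      [5, now,                 5],
    ]
    # Text expected for reason codes 1..5, in the same order as revoke_info.
    reasons = [
      "Key Compromise",
      "CA Compromise",
      "Affiliation Changed",
      "Superseded",
      "Cessation Of Operation",
    ]
    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                      nil, nil, OpenSSL::Digest::SHA1.new)
    crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
                    cert, @rsa2048, OpenSSL::Digest::SHA1.new)
    assert_revoked_entries(revoke_info, reasons, crl.revoked)

    # Read the revoked list again from the re-parsed CRL. The earlier version
    # of this test kept asserting on the list taken before the round trip, so
    # the decoded entries were never examined.
    crl = OpenSSL::X509::CRL.new(crl.to_der)
    assert_revoked_entries(revoke_info, reasons, crl.revoked)

    revoke_info = (1..1000).collect{|i| [i, now, 0] }
    crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
                    cert, @rsa2048, OpenSSL::Digest::SHA1.new)
    revoked = crl.revoked
    assert_equal(1000, revoked.size)
    assert_equal(1, revoked[0].serial)
    assert_equal(1000, revoked[999].serial)
  end

  # CRL-level extensions: crlNumber, authorityKeyIdentifier bound to the
  # issuer's subject key id, and issuerAltName copied from the issuer
  # certificate. Checked before and after a DER round trip.
  def test_extension
    cert_exts = [
      ["basicConstraints", "CA:TRUE", true],
      ["subjectKeyIdentifier", "hash", false],
      ["authorityKeyIdentifier", "keyid:always", false],
      ["subjectAltName", "email:xyzzy@ruby-lang.org", false],
      ["keyUsage", "cRLSign, keyCertSign", true],
    ]
    crl_exts = [
      ["authorityKeyIdentifier", "keyid:always", false],
      ["issuerAltName", "issuer:copy", false],
    ]

    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, cert_exts,
                      nil, nil, OpenSSL::Digest::SHA1.new)
    crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts,
                    cert, @rsa2048, OpenSSL::Digest::SHA1.new)
    assert_crl_extensions(crl, cert)

    crl = OpenSSL::X509::CRL.new(crl.to_der)
    assert_crl_extensions(crl, cert)
  end

  # The crlNumber extension must carry small, 32-bit-overflowing and very
  # large numbers, both in the extension value and in the text dump.
  def test_crlnumber
    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                      nil, nil, OpenSSL::Digest::SHA1.new)

    [1, 2**32, 2**100].each do |number|
      crl = issue_crl([], number, Time.now, Time.now+1600, [],
                      cert, @rsa2048, OpenSSL::Digest::SHA1.new)
      assert_match(number.to_s, crl.extensions[0].value)
      assert_match(/X509v3 CRL Number:\s+#{number}/m, crl.to_text)
    end
  end

  # A CRL verifies only with the key that signed it, and stops verifying once
  # a signed field is changed after signing.
  def test_sign_and_verify
    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                      nil, nil, OpenSSL::Digest::SHA1.new)
    crl = issue_crl([], 1, Time.now, Time.now+1600, [],
                    cert, @rsa2048, OpenSSL::Digest::SHA1.new)
    assert_equal(false, crl.verify(@rsa1024))
    assert_equal(true,  crl.verify(@rsa2048))
    assert_equal(false, crl.verify(@dsa256))
    assert_equal(false, crl.verify(@dsa512))
    # Changing the version after signing must invalidate the signature.
    crl.version = 0
    assert_equal(false, crl.verify(@rsa2048))

    # NOTE(review): OpenSSL::Digest::DSS1 is not available in newer
    # OpenSSL/Ruby builds; this half of the test assumes the legacy API.
    cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
                      nil, nil, OpenSSL::Digest::DSS1.new)
    crl = issue_crl([], 1, Time.now, Time.now+1600, [],
                    cert, @dsa512, OpenSSL::Digest::DSS1.new)
    assert_equal(false, crl.verify(@rsa1024))
    assert_equal(false, crl.verify(@rsa2048))
    assert_equal(false, crl.verify(@dsa256))
    assert_equal(true,  crl.verify(@dsa512))
    crl.version = 0
    assert_equal(false, crl.verify(@dsa512))
  end

  private

  # Asserts version 1, the issuer of +cert+, and the given update times.
  def assert_basic_fields(crl, cert, last_update, next_update)
    assert_equal(1, crl.version)
    assert_equal(cert.issuer.to_der, crl.issuer.to_der)
    assert_equal(last_update, crl.last_update)
    assert_equal(next_update, crl.next_update)
  end

  # Asserts that +revoked+ matches +revoke_info+ entry by entry (serial and
  # time) and that each entry's first extension is a non-critical CRLReason
  # whose text is the corresponding element of +reasons+.
  def assert_revoked_entries(revoke_info, reasons, revoked)
    assert_equal(revoke_info.size, revoked.size)
    revoke_info.each_with_index do |info, i|
      serial, time = info
      entry = revoked[i]
      reason_ext = entry.extensions[0]
      assert_equal(serial, entry.serial, "revoked[#{i}] serial")
      assert_equal(time, entry.time, "revoked[#{i}] time")
      assert_equal("CRLReason", reason_ext.oid, "revoked[#{i}] extension oid")
      assert_equal(reasons[i], reason_ext.value, "revoked[#{i}] reason")
      assert_equal(false, reason_ext.critical?, "revoked[#{i}] critical flag")
    end
  end

  # Asserts the three extensions expected by test_extension on +crl+, using
  # +cert+ (the issuer) to derive the expected key identifier.
  def assert_crl_extensions(crl, cert)
    exts = crl.extensions
    assert_equal(3, exts.size)
    assert_equal("1", exts[0].value)
    assert_equal("crlNumber", exts[0].oid)
    assert_equal(false, exts[0].critical?)

    assert_equal("authorityKeyIdentifier", exts[1].oid)
    keyid = OpenSSL::TestUtils.get_subject_key_id(cert)
    # \A rather than ^: the key id must open the value, not merely start one
    # of its lines.
    assert_match(/\Akeyid:#{keyid}/, exts[1].value)
    assert_equal(false, exts[1].critical?)

    assert_equal("issuerAltName", exts[2].oid)
    assert_equal("email:xyzzy@ruby-lang.org", exts[2].value)
    assert_equal(false, exts[2].critical?)
  end
end

end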