3 require File.join(File.dirname(__FILE__), "utils.rb")
10 class OpenSSL::TestX509CRL < Test::Unit::TestCase
12 @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
13 @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
14 @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
15 @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
16 @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
17 @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
18 @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
25 OpenSSL::TestUtils.issue_crl(*args)
29 OpenSSL::TestUtils.issue_cert(*args)
33 now = Time.at(Time.now.to_i)
35 cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
36 nil, nil, OpenSSL::Digest::SHA1.new)
37 crl = issue_crl([], 1, now, now+1600, [],
38 cert, @rsa2048, OpenSSL::Digest::SHA1.new)
39 assert_equal(1, crl.version)
40 assert_equal(cert.issuer.to_der, crl.issuer.to_der)
41 assert_equal(now, crl.last_update)
42 assert_equal(now+1600, crl.next_update)
44 crl = OpenSSL::X509::CRL.new(crl.to_der)
45 assert_equal(1, crl.version)
46 assert_equal(cert.issuer.to_der, crl.issuer.to_der)
47 assert_equal(now, crl.last_update)
48 assert_equal(now+1600, crl.next_update)
53 # CRLReason ::= ENUMERATED {
57 # affiliationChanged (3),
59 # cessationOfOperation (5),
60 # certificateHold (6),
62 # privilegeWithdrawn (9),
65 now = Time.at(Time.now.to_i)
68 [2, Time.at(0x7fffffff), 2],
73 cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
74 nil, nil, OpenSSL::Digest::SHA1.new)
75 crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
76 cert, @rsa2048, OpenSSL::Digest::SHA1.new)
78 assert_equal(5, revoked.size)
79 assert_equal(1, revoked[0].serial)
80 assert_equal(2, revoked[1].serial)
81 assert_equal(3, revoked[2].serial)
82 assert_equal(4, revoked[3].serial)
83 assert_equal(5, revoked[4].serial)
85 assert_equal(Time.at(0), revoked[0].time)
86 assert_equal(Time.at(0x7fffffff), revoked[1].time)
87 assert_equal(now, revoked[2].time)
88 assert_equal(now, revoked[3].time)
89 assert_equal(now, revoked[4].time)
91 assert_equal("CRLReason", revoked[0].extensions[0].oid)
92 assert_equal("CRLReason", revoked[1].extensions[0].oid)
93 assert_equal("CRLReason", revoked[2].extensions[0].oid)
94 assert_equal("CRLReason", revoked[3].extensions[0].oid)
95 assert_equal("CRLReason", revoked[4].extensions[0].oid)
97 assert_equal("Key Compromise", revoked[0].extensions[0].value)
98 assert_equal("CA Compromise", revoked[1].extensions[0].value)
99 assert_equal("Affiliation Changed", revoked[2].extensions[0].value)
100 assert_equal("Superseded", revoked[3].extensions[0].value)
101 assert_equal("Cessation Of Operation", revoked[4].extensions[0].value)
103 assert_equal(false, revoked[0].extensions[0].critical?)
104 assert_equal(false, revoked[1].extensions[0].critical?)
105 assert_equal(false, revoked[2].extensions[0].critical?)
106 assert_equal(false, revoked[3].extensions[0].critical?)
107 assert_equal(false, revoked[4].extensions[0].critical?)
109 crl = OpenSSL::X509::CRL.new(crl.to_der)
110 assert_equal("Key Compromise", revoked[0].extensions[0].value)
111 assert_equal("CA Compromise", revoked[1].extensions[0].value)
112 assert_equal("Affiliation Changed", revoked[2].extensions[0].value)
113 assert_equal("Superseded", revoked[3].extensions[0].value)
114 assert_equal("Cessation Of Operation", revoked[4].extensions[0].value)
116 revoke_info = (1..1000).collect{|i| [i, now, 0] }
117 crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
118 cert, @rsa2048, OpenSSL::Digest::SHA1.new)
119 revoked = crl.revoked
120 assert_equal(1000, revoked.size)
121 assert_equal(1, revoked[0].serial)
122 assert_equal(1000, revoked[999].serial)
127 ["basicConstraints", "CA:TRUE", true],
128 ["subjectKeyIdentifier", "hash", false],
129 ["authorityKeyIdentifier", "keyid:always", false],
130 ["subjectAltName", "email:xyzzy@ruby-lang.org", false],
131 ["keyUsage", "cRLSign, keyCertSign", true],
134 ["authorityKeyIdentifier", "keyid:always", false],
135 ["issuerAltName", "issuer:copy", false],
138 cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, cert_exts,
139 nil, nil, OpenSSL::Digest::SHA1.new)
140 crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts,
141 cert, @rsa2048, OpenSSL::Digest::SHA1.new)
142 exts = crl.extensions
143 assert_equal(3, exts.size)
144 assert_equal("1", exts[0].value)
145 assert_equal("crlNumber", exts[0].oid)
146 assert_equal(false, exts[0].critical?)
148 assert_equal("authorityKeyIdentifier", exts[1].oid)
149 keyid = OpenSSL::TestUtils.get_subject_key_id(cert)
150 assert_match(/^keyid:#{keyid}/, exts[1].value)
151 assert_equal(false, exts[1].critical?)
153 assert_equal("issuerAltName", exts[2].oid)
154 assert_equal("email:xyzzy@ruby-lang.org", exts[2].value)
155 assert_equal(false, exts[2].critical?)
157 crl = OpenSSL::X509::CRL.new(crl.to_der)
158 exts = crl.extensions
159 assert_equal(3, exts.size)
160 assert_equal("1", exts[0].value)
161 assert_equal("crlNumber", exts[0].oid)
162 assert_equal(false, exts[0].critical?)
164 assert_equal("authorityKeyIdentifier", exts[1].oid)
165 keyid = OpenSSL::TestUtils.get_subject_key_id(cert)
166 assert_match(/^keyid:#{keyid}/, exts[1].value)
167 assert_equal(false, exts[1].critical?)
169 assert_equal("issuerAltName", exts[2].oid)
170 assert_equal("email:xyzzy@ruby-lang.org", exts[2].value)
171 assert_equal(false, exts[2].critical?)
175 cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
176 nil, nil, OpenSSL::Digest::SHA1.new)
177 crl = issue_crl([], 1, Time.now, Time.now+1600, [],
178 cert, @rsa2048, OpenSSL::Digest::SHA1.new)
179 assert_match(1.to_s, crl.extensions[0].value)
180 assert_match(/X509v3 CRL Number:\s+#{1}/m, crl.to_text)
182 crl = issue_crl([], 2**32, Time.now, Time.now+1600, [],
183 cert, @rsa2048, OpenSSL::Digest::SHA1.new)
184 assert_match((2**32).to_s, crl.extensions[0].value)
185 assert_match(/X509v3 CRL Number:\s+#{2**32}/m, crl.to_text)
187 crl = issue_crl([], 2**100, Time.now, Time.now+1600, [],
188 cert, @rsa2048, OpenSSL::Digest::SHA1.new)
189 assert_match(/X509v3 CRL Number:\s+#{2**100}/m, crl.to_text)
190 assert_match((2**100).to_s, crl.extensions[0].value)
193 def test_sign_and_verify
194 cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
195 nil, nil, OpenSSL::Digest::SHA1.new)
196 crl = issue_crl([], 1, Time.now, Time.now+1600, [],
197 cert, @rsa2048, OpenSSL::Digest::SHA1.new)
198 assert_equal(false, crl.verify(@rsa1024))
199 assert_equal(true, crl.verify(@rsa2048))
200 assert_equal(false, crl.verify(@dsa256))
201 assert_equal(false, crl.verify(@dsa512))
203 assert_equal(false, crl.verify(@rsa2048))
205 cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
206 nil, nil, OpenSSL::Digest::DSS1.new)
207 crl = issue_crl([], 1, Time.now, Time.now+1600, [],
208 cert, @dsa512, OpenSSL::Digest::DSS1.new)
209 assert_equal(false, crl.verify(@rsa1024))
210 assert_equal(false, crl.verify(@rsa2048))
211 assert_equal(false, crl.verify(@dsa256))
212 assert_equal(true, crl.verify(@dsa512))
214 assert_equal(false, crl.verify(@dsa512))