authorGOTOU Yuuzou <gotoyuzo@notwork.org>2003-07-03 13:59:03 +0000
committerGOTOU Yuuzou <gotoyuzo@notwork.org>2003-07-03 13:59:03 +0000
commit79145c311e446c0409ee7986d44f9994cd5c6566 (patch)
tree12cc4a62fdc3c4c006fc791bfefe1e34a232b894
parentcc2506848915869c8e3c6c4b0a9a6786a225fb92 (diff)
downloadruby-openssl-history-79145c311e446c0409ee7986d44f9994cd5c6566.tar.gz
*** empty log message ***
-rwxr-xr-xexamples/gen_ca_cert.rb16
-rwxr-xr-xexamples/gen_cert.rb9
-rwxr-xr-xexamples/ossl_x509store.rb21
3 files changed, 30 insertions, 16 deletions
diff --git a/examples/gen_ca_cert.rb b/examples/gen_ca_cert.rb
index 1e1b8db..02a0417 100755
--- a/examples/gen_ca_cert.rb
+++ b/examples/gen_ca_cert.rb
@@ -34,15 +34,19 @@ cert.public_key = key
cert.serial = 0
cert.version = 2 # X509v3
+key_usage = [ "cRLSign", "keyCertSign" ]
+ext = []
ef = X509::ExtensionFactory.new
ef.subject_certificate = cert
-ext1 = ef.create_extension("basicConstraints", "CA:TRUE")
-ext2 = ef.create_extension("nsComment","Generated by OpenSSL for Ruby.")
-ext3 = ef.create_extension("subjectKeyIdentifier", "hash")
-cert.extensions = [ext1, ext2, ext3]
+ext << ef.create_extension("basicConstraints", "CA:TRUE", true)
+ext << ef.create_extension("keyUsage", key_usage.join(","), true)
+ext << ef.create_extension("nsComment","Generated by OpenSSL for Ruby.")
+ext << ef.create_extension("subjectKeyIdentifier", "hash")
+cert.extensions = ext
ef.issuer_certificate = cert # we needed subjectKeyInfo inside, now we have it
-ext4 = ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
-cert.add_extension(ext4)
+ext_auth_key_id =
+ ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+cert.add_extension(ext_auth_key_id)
cert.sign(key, Digest::SHA1.new)
cert_file = "./#{cert.serial}cert.pem"
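Review bot: The bare third argument `true` on the new `basicConstraints` and `keyUsage` lines is the critical flag, but nothing in the example says so and the log message is empty. A comment above the first call, such as `# third argument = critical: a verifier that cannot process the extension must reject the cert`, would make the intent clear to anyone copying this script. If this CA is only meant to sign end-entity certificates, which the hunk does not show, a path-length limit (`"CA:TRUE,pathlen:0"`) would stop it from validating further subordinate CAs. The unchanged `cert.sign(key, Digest::SHA1.new)` line still signs with SHA-1, which current verifiers no longer accept for certificate signatures, so readers reusing the example should choose a SHA-2 digest. The script starts and ends outside the hunk.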
diff --git a/examples/gen_cert.rb b/examples/gen_cert.rb
index 4706b7a..c9a6c42 100755
--- a/examples/gen_cert.rb
+++ b/examples/gen_cert.rb
@@ -71,14 +71,11 @@ when "oscp"
basic_constraint = "CA:FALSE"
key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
key_usage << "dataEncipherment"
- ext_key_usage << "serverAuth"
- ext_key_usage << "OCSPSigning"
+ ext_key_usage << "serverAuth" << "OCSPSigning"
when "user"
basic_constraint = "CA:FALSE"
key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
- ext_key_usage << "clientAuth"
- ext_key_usage << "codeSigning"
- ext_key_usage << "emailProtection"
+ ext_key_usage << "clientAuth" << "codeSigning" << "emailProtection"
else
raise "unknonw cert type \"#{cert_type}\" is specified."
end
@@ -90,7 +87,7 @@ ef.issuer_certificate = ca
ext << ef.create_extension("basicConstraints", basic_constraint, true)
ext << ef.create_extension("keyUsage", key_usage.join(","), true)
if ext_key_usage.size > 0
- ext << ef.create_extension("extendedKeyUsage", ext_key_usage.join(","), true)
+ ext << ef.create_extension("extendedKeyUsage", ext_key_usage.join(","), false)
end
ext << ef.create_extension("nsComment","Generated by OpenSSL for Ruby.")
ext << ef.create_extension("subjectKeyIdentifier", "hash")
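Review bot: Flipping the `extendedKeyUsage` critical flag from `true` to `false` loosens enforcement, and neither the code nor the empty log message says why. With a non-critical EKU, a relying party that does not process the extension may accept the certificate for purposes outside the listed ones, whereas a critical EKU forces such a party to reject it; compatibility with clients that refuse critical EKU may be the motive, but that is a guess. Please record the reason next to the call, e.g. `# EKU non-critical for compatibility with <client>; verifiers must still enforce it`. As a style point, `if ext_key_usage.size > 0` reads better as `unless ext_key_usage.empty?`. The script continues outside the hunk.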
diff --git a/examples/ossl_x509store.rb b/examples/ossl_x509store.rb
index a569298..86160ef 100755
--- a/examples/ossl_x509store.rb
+++ b/examples/ossl_x509store.rb
@@ -61,15 +61,28 @@ certfiles = ARGV
certs = certfiles.collect{|file| X509::Certificate.new(File.read(file)) }
certs.each{|cert|
puts "Cert = #{cert.subject}, serial = #{cert.serial}"
- cert.extensions.each{|ext| p ext.to_a }
+ #cert.extensions.each{|ext| p ext.to_a }
print "Is Cert signed by CA?..."
- puts cert.verify(ca.public_key) ? "Yes" : "No"
+ puts cert.verify(ca.public_key) ? "OK" : "NG"
}
puts "========== Create Cert Store and Verify Certs =========="
store = X509::Store.new
-store.purpose = X509::PURPOSE_SSL_CLIENT
-store.verify_callback = verify_cb if $VERBOSE
+#store.purpose = X509::PURPOSE_SSL_CLIENT
+#store.purpose = X509::PURPOSE_SSL_SERVER
+#store.purpose = X509::PURPOSE_NS_SSL_SERVER
+store.purpose = X509::PURPOSE_SMIME_SIGN
+#store.purpose = X509::PURPOSE_SMIME_ENCRYPT
+#store.purpose = X509::PURPOSE_CRL_SIGN
+#store.purpose = X509::PURPOSE_ANY
+#store.purpose = X509::PURPOSE_OCSP_HELPER
+#store.trust = X509::TRUST_COMPAT
+#store.trust = X509::TRUST_SSL_CLIENT
+#store.trust = X509::TRUST_SSL_SERVER
+#store.trust = X509::TRUST_EMAIL
+#store.trust = X509::TRUST_OBJECT_SIGN
+#store.trust = X509::TRUST_OCSP_SIGN
+#store.trust = X509::TRUST_OCSP_REQUEST
store.add_cert(ca)
#store.add_path("./cert")
#store.add_file("./0cert.pem")
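Review bot: Removing `store.verify_callback = verify_cb if $VERBOSE` with no replacement means a failed store verification no longer reports, in verbose mode, which certificate in the chain failed and with what error. If `verify_cb` is still defined earlier in the file (not visible here), it is now dead code. The active purpose also changes from `PURPOSE_SSL_CLIENT` to `PURPOSE_SMIME_SIGN` without explanation, so certificates that verified before may now fail on purpose alone. The fourteen commented-out `store.purpose`/`store.trust` lines would be clearer as one comment listing the alternatives, e.g. `# purpose limits what the chain is accepted for; choose the one matching the cert's intended use`. The script continues outside the hunk.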