#!/usr/bin/env ruby
# Demo script: loads a CA certificate, an end-entity certificate and a CRL
# from the current directory, checks the two signatures by hand, then runs
# the certificate through an X509::Store before and after the CRL is added
# to show whether the store honours the CRL.
#
# Written against an early Ruby/OpenSSL binding (Store#add_trusted,
# Store#verify_status, Store#verify_message, Store#chain); current bindings
# name these differently (add_cert, error, error_string), so expect to edit
# those calls before this runs on a modern Ruby.
require 'openssl'
# Pull OpenSSL and OpenSSL::X509 constants (Certificate, CRL, Store) into the
# top level so they can be written unqualified below.
include OpenSSL
include X509
# Verification callback the store calls for each certificate it examines.
#   ok         - OpenSSL's own verdict for the certificate being checked
#   x509_store - the store context: .cert is the certificate under test,
#                .verify_status / .verify_message describe the outcome
# Whatever the block returns becomes the final verdict for that certificate;
# the commented lines show how the decision can be forced either way.
verify_cb = Proc.new {|ok, x509_store|
puts "\t\t====begin Verify===="
puts "\t\tOK = #{ok}"
puts "\t\tchecking #{x509_store.cert.subject.to_s}"
puts "\t\tstatus = #{x509_store.verify_status} - that is \"#{x509_store.verify_message}\""
puts "\t\t==== end Verify===="
#raise "SOME ERROR!" # Cert will be rejected
#false # Cert will be rejected
#true # Cert is OK
ok # just throw 'ok' through
}
# The CA certificate and its public key; every signature below is checked
# against this one key.
ca = Certificate.new(File.read("./cacert.pem"))
puts "CA = #{ca.subject}, serial = #{ca.serial}"
cakey = ca.public_key
cert = Certificate.new(File.read("./01cert.pem"))
puts "Cert = #{cert.subject}, serial = #{cert.serial}"
key = cert.public_key # not used again below; kept for the demo output
print "Is Cert signed by CA?..."
# Answers only the question in the prompt - was this signed with cakey? -
# revocation is what the store checks further down are for.
if cert.verify cakey
puts "Yes - OK!"
else
puts "NO - Let's stop."
# NOTE(review): a bare `exit` ends the process with status 0, so a caller
# cannot tell this failure from success; `exit 1` would surface it.
exit
end
crl = CRL.new(File.read("./01crl.pem"))
puts "CA = \"#{ca.issuer}\", CRL = \"#{crl.issuer}\""
print "Is CRL signed by CA?..."
# Same signature-only check for the CRL. NOTE(review): nothing here looks at
# the CRL's next_update, so an out-of-date CRL is accepted as readily as a
# fresh one - confirm whether that matters beyond this demo.
if crl.verify cakey
puts "Yes - OK!"
else
puts "NO - Strange... Let's stop."
# NOTE(review): same as above - status 0 on failure.
exit
end
puts "In CRL there are serials:"
# Lists every revoked serial carried by the CRL; compare by eye with the
# certificate serial printed earlier.
crl.revoked.each {|revoked|
puts "> #{revoked.serial} - revoked at #{revoked.time}"
}
# `p` prints the freshly created (empty) store; the assignment returns it.
p store = Store.new
##
# Uncomment to see what is checked...
# store.verify_callback = verify_cb
# The CA becomes the only trust anchor in the store.
store.add_trusted ca
puts "===================="
puts "Is CERT OK?..."
# First pass: no CRL in the store yet, so the script expects this to pass.
if store.verify cert
puts "Yes - we didn't add CRL to store!"
puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
else
puts "NO - HEY, this is error!"
puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
end
puts "Trusted certs:"
# NOTE: the block parameter shadows the outer `cert`; block parameters are
# block-local on Ruby >= 1.9 so nothing is clobbered, but it reads confusingly.
store.chain.each_with_index {|cert, i|
puts "> #{i} --- #{cert.subject.to_s}"
}
puts "Let's add CRL..."
store.add_crl crl # CRL does NOT have an effect on validity in current OpenSSL <= 0.9.6c !!!
# NOTE(review): on newer OpenSSL/Ruby bindings adding a CRL alone is not
# enough either - revocation checking has to be switched on through the
# store's flags (OpenSSL::X509::V_FLAG_CRL_CHECK) before verify consults the
# CRL. Confirm against the OpenSSL version actually in use.
puts "===================="
puts "Is CERT OK?..."
# Second pass: the script expects the revoked certificate to be rejected now;
# the "Yes" branch documents the OpenSSL <= 0.9.6c behaviour where it is not.
if store.verify cert
puts "Yes - HEY, this is bug! OpenSSL <= 0.9.6c doesn't care about CRL in Store :-(((("
puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
else
puts "No - That's right!"
puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
end
puts "Trusted certs:"
# Same shadowing of `cert` by the block parameter as above.
store.chain.each_with_index {|cert, i|
puts "> #{i} --- #{cert.subject.to_s}"
}