path: root/test/ossl_x509store.rb
blob: d70e85d5ebb012d36973a59b4bc2e1fbae31afae (plain)
#!/usr/bin/ruby -w

require 'openssl'
include OpenSSL
include X509

# Verification callback installed on the X509 store below.  OpenSSL calls it
# once per certificate it examines, with the library's preliminary verdict
# `ok` and a store/context object (named ctx here; in this old binding it
# exposes cert, verify_status and verify_message).  The callback only logs
# what is being checked and then hands `ok` back unchanged.
#
# SECURITY: the value returned from here IS the final verdict for that
# certificate.  Returning true unconditionally would silently accept
# expired, untrusted or revoked certificates; returning false (or raising)
# rejects it.  Outside of deliberately permissive test code, always return
# `ok` so OpenSSL's own decision stands.
verify_cb = Proc.new do |ok, ctx|
  indent = "\t\t"
  subject = ctx.cert.subject.to_s
  report = [
    "#{indent}====begin Verify====",
    "#{indent}OK = #{ok}",
    "#{indent}checking #{subject}",
    "#{indent}status = #{ctx.verify_status} - that is \"#{ctx.verify_message}\"",
    "#{indent}==== end Verify====",
  ]
  puts report   # Kernel#puts prints one array element per line
  ok            # pass OpenSSL's verdict through untouched
end
							  
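# Load the CA certificate (the trust anchor for everything below) and the
# end-entity certificate from PEM fixtures in the current directory.
# File.read opens, reads and closes the file itself; the original
# File.open(...).read left the handle open until garbage collection.
#
# NOTE(review): both paths are relative to the cwd, so the script must be
# run from the fixture directory — and whatever happens to be in
# ./cacert.pem there becomes the trust anchor.
ca = Certificate.new(File.read("./cacert.pem"))
p ca
puts "CA = #{ca.subject.to_s}, serial = #{ca.serial}"
cakey = ca.public_key   # used below to check the CRL's signature

cert = Certificate.new(File.read("./01cert.pem"))
p cert
puts "Cert = #{cert.subject.to_s}, serial = #{cert.serial}"
key = cert.public_key   # kept for parity with the original; not used further in this file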

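# Load the CRL and confirm it was actually signed by the CA loaded above.
# File.read closes the fixture file itself (the original leaked the handle).
#
# SECURITY: crl.verify(cakey) checks the signature only.  It says nothing
# about whether the CRL is current (lastUpdate/nextUpdate) or whether this
# CA is the issuer named by the certificate being checked; a real client
# must check those as well before trusting the revocation list.
crl = CRL.new(File.read("./01crl.pem"))
p crl
print "Is CRL signed by CA?..."
unless crl.verify(cakey)
  # A CRL whose signature does not check out must not be consulted at all.
  puts "NO - Strange... Let's stop."
  exit
end
puts "Yes - OK!"

# List the revoked serials so the outcome of the second verify below can be
# read against them.
puts "In CRL there are serials:"
crl.revoked.each do |entry|
  puts "> #{entry.serial} - revoked at #{entry.time}"
end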

# Build the trust store: the logging callback from above plus the CA as the
# only trust anchor.  Note that the callback really is installed here (the
# original's "uncomment to see" remark notwithstanding), so every verify
# call below prints its trace.
store = Store.new
p store

store.verify_callback = verify_cb
store.add_trusted(ca)   # only chains ending at this CA can pass

puts "===================="
puts "Is CERT OK?..."
if store.verify cert
  puts "Yes - we didn't add CRL to store!"
  puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
else
  puts "NO - HEY, this is error!"
  puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
end

puts "Let's add CRL..."
 store.add_crl crl #CRL does NOT have affect on validity in current OpenSSL <= 0.9.6c !!!

puts "===================="
puts "Is CERT still OK?..."
if store.verify cert
  puts "Yes - HEY, this is bug! OpenSSL <= 0.9.6c doesn't care about CRL in Store :-(((("
  puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
else
  puts "No - now it works!"
  puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
end

puts "Trusted certs:"
store.chain.each_with_index {|cert, i|
	puts "> #{i} --- #{cert.subject.to_s}"
}