diff options
author | Ben Toews <mastahyeti@gmail.com> | 2018-06-21 10:26:30 -0600 |
---|---|---|
committer | Samuel Williams <samuel.williams@oriontransfer.co.nz> | 2019-10-01 11:25:06 +1300 |
commit | 23ae5c9cbf43dec30b138b952982f6212940943d (patch) | |
tree | 3dda9dfde0f1a55854a68e7f64a0fd6c7eaacb70 | |
parent | f201e3282ec0f93cb6e199dfbed4e80c0f57714b (diff) | |
download | ruby-openssl-23ae5c9cbf43dec30b138b952982f6212940943d.tar.gz |
ts: get tests running/passing
A number of conventions seem to have changed, causing a fair bit of breakage:
- `Data_*` was deprecated in favor of `TypedData_*`
- `ossl_obj2bio` takes a `VALUE*` instead of `VALUE` now
- `time_to_time_t()` was removed
-rw-r--r-- | ext/openssl/ossl_pkcs7.c | 17 | ||||
-rw-r--r-- | ext/openssl/ossl_pkcs7.h | 16 | ||||
-rwxr-xr-x | ext/openssl/ossl_ts.c | 22 | ||||
-rwxr-xr-x | test/test_ts.rb | 927 | ||||
-rw-r--r-- | test/utils.rb | 62 |
5 files changed, 521 insertions, 523 deletions
diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c index a8148d53..ea8e92d1 100644 --- a/ext/openssl/ossl_pkcs7.c +++ b/ext/openssl/ossl_pkcs7.c @@ -9,21 +9,6 @@ */ #include "ossl.h" -#define NewPKCS7(klass) \ - TypedData_Wrap_Struct((klass), &ossl_pkcs7_type, 0) -#define SetPKCS7(obj, pkcs7) do { \ - if (!(pkcs7)) { \ - ossl_raise(rb_eRuntimeError, "PKCS7 wasn't initialized."); \ - } \ - RTYPEDDATA_DATA(obj) = (pkcs7); \ -} while (0) -#define GetPKCS7(obj, pkcs7) do { \ - TypedData_Get_Struct((obj), PKCS7, &ossl_pkcs7_type, (pkcs7)); \ - if (!(pkcs7)) { \ - ossl_raise(rb_eRuntimeError, "PKCS7 wasn't initialized."); \ - } \ -} while (0) - #define NewPKCS7si(klass) \ TypedData_Wrap_Struct((klass), &ossl_pkcs7_signer_info_type, 0) #define SetPKCS7si(obj, p7si) do { \ @@ -75,7 +60,7 @@ ossl_pkcs7_free(void *ptr) PKCS7_free(ptr); } -static const rb_data_type_t ossl_pkcs7_type = { +const rb_data_type_t ossl_pkcs7_type = { "OpenSSL/PKCS7", { 0, ossl_pkcs7_free, diff --git a/ext/openssl/ossl_pkcs7.h b/ext/openssl/ossl_pkcs7.h index 139e00d6..0d0fea7e 100644 --- a/ext/openssl/ossl_pkcs7.h +++ b/ext/openssl/ossl_pkcs7.h @@ -10,6 +10,22 @@ #if !defined(_OSSL_PKCS7_H_) #define _OSSL_PKCS7_H_ +#define NewPKCS7(klass) \ + TypedData_Wrap_Struct((klass), &ossl_pkcs7_type, 0) +#define SetPKCS7(obj, pkcs7) do { \ + if (!(pkcs7)) { \ + ossl_raise(rb_eRuntimeError, "PKCS7 wasn't initialized."); \ + } \ + RTYPEDDATA_DATA(obj) = (pkcs7); \ +} while (0) +#define GetPKCS7(obj, pkcs7) do { \ + TypedData_Get_Struct((obj), PKCS7, &ossl_pkcs7_type, (pkcs7)); \ + if (!(pkcs7)) { \ + ossl_raise(rb_eRuntimeError, "PKCS7 wasn't initialized."); \ + } \ +} while (0) + +extern const rb_data_type_t ossl_pkcs7_type; extern VALUE cPKCS7; extern VALUE cPKCS7Signer; extern VALUE cPKCS7Recipient; diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c index fbb4ee1d..9b9a6db6 100755 --- a/ext/openssl/ossl_ts.c +++ b/ext/openssl/ossl_ts.c @@ -187,7 +187,7 @@ ossl_tsreq_initialize(int argc, VALUE *argv, VALUE self) } arg = ossl_to_der_if_possible(arg); - in = ossl_obj2bio(arg); + in = ossl_obj2bio(&arg); if (!d2i_TS_REQ_bio(in, &ts_req)) { ossl_raise(eTimestampError, "Error when decoding the timestamp request"); @@ -530,7 +530,7 @@ ossl_ts_initialize(VALUE self, VALUE der) BIO *in; der = ossl_to_der_if_possible(der); - in = ossl_obj2bio(der); + in = ossl_obj2bio(&der); if (!d2i_TS_RESP_bio(in, &ts_resp)) { ossl_raise(eTimestampError, "Error when decoding the timestamp response"); @@ -655,13 +655,18 @@ ossl_ts_get_pkcs7(VALUE self) { TS_RESP *resp; PKCS7 *p7; + VALUE obj; GetTS_RESP(self, resp); p7 = resp->token; if (!p7) return Qnil; - return Data_Wrap_Struct(cPKCS7, 0, PKCS7_free, PKCS7_dup(p7)); + obj = NewPKCS7(cPKCS7); + SetPKCS7(obj, PKCS7_dup(p7)); + + return obj; + // return Data_Wrap_Struct(cPKCS7, 0, PKCS7_free, PKCS7_dup(p7)); } /* @@ -957,7 +962,7 @@ static void int_ossl_init_roots(VALUE roots, X509_STORE * store) X509_STORE_add_cert(store, GetX509CertPtr(roots)); } else { - in = ossl_obj2bio(roots); + in = ossl_obj2bio(&roots); inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); BIO_free(in); if(!inf) { @@ -1116,9 +1121,10 @@ ossl_tsfac_serial_cb(struct TS_resp_ctx *ctx, void *data) static int ossl_tsfac_time_cb(struct TS_resp_ctx *ctx, void *data, long *sec, long *usec) { - VALUE time = *((VALUE *)data); - time_t secs = time_to_time_t(time); - *sec = (long) secs; + VALUE time_v = *((VALUE *)data); + if (rb_obj_is_instance_of(time_v, rb_cTime)) + time_v = rb_funcall(time_v, rb_intern("to_i"), 0); + *sec = NUM2LONG(time_v);; *usec = 0; return 1; } @@ -1236,7 +1242,7 @@ ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request) TS_RESP_CTX_add_md(ctx, EVP_get_digestbyname(OBJ_nid2sn(NID_sha512))); str = rb_funcall(request, rb_intern("to_der"), 0); - req_bio = ossl_obj2bio(str); + req_bio = ossl_obj2bio(&str); response = TS_RESP_create_response(ctx, req_bio); if (!response) { err_msg = "Error during response generation"; diff --git a/test/test_ts.rb b/test/test_ts.rb index b369308e..71ce1964 100755 --- a/test/test_ts.rb +++ b/test/test_ts.rb @@ -2,77 +2,8 @@ require_relative "utils" if defined?(OpenSSL) && defined?(OpenSSL::Timestamp) -module OpenSSL - module Certs - include OpenSSL::TestUtils - - module_function - - def ca_cert - ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Timestamp Root CA") - - now = Time.now - ca_exts = [ - ["basicConstraints","CA:TRUE,pathlen:1",true], - ["keyUsage","keyCertSign, cRLSign",true], - ["subjectKeyIdentifier","hash",false], - ["authorityKeyIdentifier","keyid:always",false], - ] - TestUtils.issue_cert(ca, TEST_KEY_RSA2048, 1, now, now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) - end - - def ts_cert_direct(key, ca_cert) - dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/OU=Timestamp/CN=Server Direct") - - now = Time.now - exts = [ - ["basicConstraints","CA:FALSE",true], - ["keyUsage","digitalSignature, nonRepudiation", true], - ["subjectKeyIdentifier", "hash",false], - ["authorityKeyIdentifier","keyid,issuer", false], - ["extendedKeyUsage", "timeStamping", true] - ] - - TestUtils.issue_cert(dn, key, 2, now, now + 3600, exts, - ca_cert, TEST_KEY_RSA2048, OpenSSL::Digest::SHA1.new) - end - - def intermediate_cert(key, ca_cert) - dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/OU=Timestamp/CN=Timestamp Intermediate CA") - - now = Time.now - exts = [ - ["basicConstraints","CA:TRUE,pathlen:0",true], - ["keyUsage","keyCertSign, cRLSign",true], - ["subjectKeyIdentifier","hash",false], - ["authorityKeyIdentifier","keyid:always",false], - ] - - TestUtils.issue_cert(dn, key, 2, now, now + 3600, exts, - ca_cert, TEST_KEY_RSA2048, OpenSSL::Digest::SHA1.new) - end - - def ts_cert_ee(key, intermediate, im_key) - dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/OU=Timestamp/CN=Server End Entity") - - now = Time.now - exts = [ - ["keyUsage","digitalSignature, nonRepudiation", true], - ["subjectKeyIdentifier", "hash",false], - ["authorityKeyIdentifier","keyid,issuer", false], - ["extendedKeyUsage", "timeStamping", true] - ] - - TestUtils.issue_cert(dn, key, 2, now, now + 3600, exts, - intermediate, im_key, OpenSSL::Digest::SHA1.new) - end - end - - class TestTimestamp < MiniTest::Unit::TestCase - include OpenSSL::TestUtils - - INTERMEDIATE_KEY = OpenSSL::PKey::RSA.new <<-_end_of_pem_ +class OpenSSL::TestTimestamp < OpenSSL::TestCase + INTERMEDIATE_KEY = OpenSSL::PKey::RSA.new <<-_end_of_pem_ -----BEGIN RSA PRIVATE KEY----- MIICWwIBAAKBgQCcyODxH+oTrr7l7MITWcGaYnnBma6vidCCJjuSzZpaRmXZHAyH 0YcY4ttC0BdJ4uV+cE05IySVC7tyvVfFb8gFQ6XJV+AEktP+XkLbcxZgj9d2NVu1 @@ -88,9 +19,9 @@ oicQqvzzgFd7GzVKpWDYd/ZzLY1PsgusuhoJQ2m9TVRAm4cTycLAKhNYPbcqe0sa X5fAffWU0u7ZwqeByQJAOUAbYET4RU3iymAvAIDFj8LiQnizG9t5Ty3HXlijKQYv y8gsvWd4CdxwOPatWpBUX9L7IXcMJmD44xXTUvpbfQ== -----END RSA PRIVATE KEY----- - _end_of_pem_ +_end_of_pem_ - EE_KEY = OpenSSL::PKey::RSA.new <<-_end_of_pem_ + EE_KEY = OpenSSL::PKey::RSA.new <<-_end_of_pem_ -----BEGIN RSA PRIVATE KEY----- MIICWwIBAAKBgQDA6eB5r2O5KOKNbKMBhzadl43lgpwqq28m+G0gH38kKCL1f3o9 P8xUZm7sZqcWEervZMSSXMGBV9DgeoSR+U6FMJywgQGx/JNRx7wZTMNym3PvgLkl @@ -106,517 +37,515 @@ UoaHQzc16iguM1cK0g+iJPb/MEgQA3sPajHmokGpxIm2T+lvvo0dJjs/Om6QyN8X EWRYkoNQ8/Q4lCeMjQJAfvDIGtyqF4PieFHYgluQAv5pGgYpakdc8SYyeRH9NKey GaL27FRs4fRWf9OmxPhUVgIyGzLGXrueemvQUDHObA== -----END RSA PRIVATE KEY----- - _end_of_pem_ - - CA_CERT = Certs.ca_cert - TS_CERT_DIRECT = Certs.ts_cert_direct(EE_KEY, CA_CERT) - INTERMEDIATE_CERT = Certs.intermediate_cert(INTERMEDIATE_KEY, CA_CERT) - TS_CERT_EE = Certs.ts_cert_ee(EE_KEY, INTERMEDIATE_CERT, INTERMEDIATE_KEY) - - def test_create_request - req = OpenSSL::Timestamp::Request.new - assert_equal(true, req.cert_requested?) - assert_equal(1, req.version) - assert_nil(req.algorithm) - assert_nil(req.message_imprint) - assert_nil(req.policy_id) - assert_nil(req.nonce) - end - - def test_request_mandatory_fields - req = OpenSSL::Timestamp::Request.new - assert_raises(OpenSSL::Timestamp::TimestampError) do - tmp = req.to_der - pp OpenSSL::ASN1.decode(tmp) - end - req.algorithm = "sha1" - assert_raises(OpenSSL::Timestamp::TimestampError) do - req.to_der - end - req.message_imprint = OpenSSL::Digest::SHA1.new.digest("data") - req.to_der - end +_end_of_pem_ + + CA_CERT = OpenSSL::Certs.ca_cert + TS_CERT_DIRECT = OpenSSL::Certs.ts_cert_direct(EE_KEY, CA_CERT) + INTERMEDIATE_CERT = OpenSSL::Certs.intermediate_cert(INTERMEDIATE_KEY, CA_CERT) + TS_CERT_EE = OpenSSL::Certs.ts_cert_ee(EE_KEY, INTERMEDIATE_CERT, INTERMEDIATE_KEY) + + def test_create_request + req = OpenSSL::Timestamp::Request.new + assert_equal(true, req.cert_requested?) + assert_equal(1, req.version) + assert_nil(req.algorithm) + assert_nil(req.message_imprint) + assert_nil(req.policy_id) + assert_nil(req.nonce) + end - def test_request_assignment - req = OpenSSL::Timestamp::Request.new - req.version = 2 - assert_equal(2, req.version) - req.algorithm = "SHA1" - assert_equal("SHA1", req.algorithm) - req.message_imprint = "test" - assert_equal("test", req.message_imprint) - req.policy_id = "1.2.3.4.5" - assert_equal("1.2.3.4.5", req.policy_id) - req.nonce = 42 - assert_equal(42, req.nonce) - req.cert_requested = false - assert_equal(false, req.cert_requested?) + def test_request_mandatory_fields + req = OpenSSL::Timestamp::Request.new + assert_raises(OpenSSL::Timestamp::TimestampError) do + tmp = req.to_der + pp OpenSSL::ASN1.decode(tmp) end - - def test_request_re_assignment - #tests whether the potential 'freeing' of previous values in C works properly - req = OpenSSL::Timestamp::Request.new - req.version = 2 - req.version = 3 - req.algorithm = "SHA1" - req.algorithm = "SHA256" - req.message_imprint = "test" - req.message_imprint = "test2" - req.policy_id = "1.2.3.4.5" - req.policy_id = "1.2.3.4.6" - req.nonce = 42 - req.nonce = 24 - req.cert_requested = false - req.cert_requested = true + req.algorithm = "sha1" + assert_raises(OpenSSL::Timestamp::TimestampError) do req.to_der end + req.message_imprint = OpenSSL::Digest::SHA1.new.digest("data") + req.to_der + end - def test_request_encode_decode - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.policy_id = "1.2.3.4.5" - req.nonce = 42 + def test_request_assignment + req = OpenSSL::Timestamp::Request.new + req.version = 2 + assert_equal(2, req.version) + req.algorithm = "SHA1" + assert_equal("SHA1", req.algorithm) + req.message_imprint = "test" + assert_equal("test", req.message_imprint) + req.policy_id = "1.2.3.4.5" + assert_equal("1.2.3.4.5", req.policy_id) + req.nonce = 42 + assert_equal(42, req.nonce) + req.cert_requested = false + assert_equal(false, req.cert_requested?) + end - qer = OpenSSL::Timestamp::Request.new(req.to_der) - assert_equal(1, qer.version) - assert_equal("SHA1", qer.algorithm) - assert_equal(digest, qer.message_imprint) - assert_equal("1.2.3.4.5", qer.policy_id) - assert_equal(42, qer.nonce) - - #put OpenSSL::ASN1.decode inbetween - qer2 = OpenSSL::Timestamp::Request.new(OpenSSL::ASN1.decode(req.to_der)) - assert_equal(1, qer2.version) - assert_equal("SHA1", qer2.algorithm) - assert_equal(digest, qer2.message_imprint) - assert_equal("1.2.3.4.5", qer2.policy_id) - assert_equal(42, qer2.nonce) - end + def test_request_re_assignment + #tests whether the potential 'freeing' of previous values in C works properly + req = OpenSSL::Timestamp::Request.new + req.version = 2 + req.version = 3 + req.algorithm = "SHA1" + req.algorithm = "SHA256" + req.message_imprint = "test" + req.message_imprint = "test2" + req.policy_id = "1.2.3.4.5" + req.policy_id = "1.2.3.4.6" + req.nonce = 42 + req.nonce = 24 + req.cert_requested = false + req.cert_requested = true + req.to_der + end - def test_response_constants - assert_equal(0, OpenSSL::Timestamp::Response::GRANTED) - assert_equal(1, OpenSSL::Timestamp::Response::GRANTED_WITH_MODS) - assert_equal(2, OpenSSL::Timestamp::Response::REJECTION) - assert_equal(3, OpenSSL::Timestamp::Response::WAITING) - assert_equal(4, OpenSSL::Timestamp::Response::REVOCATION_WARNING) - assert_equal(5, OpenSSL::Timestamp::Response::REVOCATION_NOTIFICATION) - end + def test_request_encode_decode + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.policy_id = "1.2.3.4.5" + req.nonce = 42 + + qer = OpenSSL::Timestamp::Request.new(req.to_der) + assert_equal(1, qer.version) + assert_equal("SHA1", qer.algorithm) + assert_equal(digest, qer.message_imprint) + assert_equal("1.2.3.4.5", qer.policy_id) + assert_equal(42, qer.nonce) + + #put OpenSSL::ASN1.decode inbetween + qer2 = OpenSSL::Timestamp::Request.new(OpenSSL::ASN1.decode(req.to_der)) + assert_equal(1, qer2.version) + assert_equal("SHA1", qer2.algorithm) + assert_equal(digest, qer2.message_imprint) + assert_equal("1.2.3.4.5", qer2.policy_id) + assert_equal(42, qer2.nonce) + end - def test_response_creation - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.policy_id = "1.2.3.4.5" + def test_response_constants + assert_equal(0, OpenSSL::Timestamp::Response::GRANTED) + assert_equal(1, OpenSSL::Timestamp::Response::GRANTED_WITH_MODS) + assert_equal(2, OpenSSL::Timestamp::Response::REJECTION) + assert_equal(3, OpenSSL::Timestamp::Response::WAITING) + assert_equal(4, OpenSSL::Timestamp::Response::REVOCATION_WARNING) + assert_equal(5, OpenSSL::Timestamp::Response::REVOCATION_NOTIFICATION) + end - fac = OpenSSL::Timestamp::Factory.new - time = Time.now - fac.gen_time = time - fac.serial_number = 1 + def test_response_creation + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.policy_id = "1.2.3.4.5" + + fac = OpenSSL::Timestamp::Factory.new + time = Time.now + fac.gen_time = time + fac.serial_number = 1 + + resp = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status) + assert_nil(resp.failure_info) + assert_nil(resp.status_text) + assert_equal(1, resp.version) + assert_equal("1.2.3.4.5", resp.policy_id) + assert_equal("SHA1", resp.algorithm) + assert_equal(digest, resp.message_imprint) + assert_equal(1, resp.serial_number) + assert_equal(time.to_i, resp.gen_time.to_i) + assert_equal(false, resp.ordering) + assert_nil(req.nonce) + assert_cert(TS_CERT_EE, resp.tsa_certificate) + #compare PKCS7 + pkcs7 = OpenSSL::ASN1.decode(resp.to_der).value[1] + assert_equal(pkcs7.to_der, resp.pkcs7.to_der) + end - resp = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status) - assert_nil(resp.failure_info) - assert_nil(resp.status_text) - assert_equal(1, resp.version) - assert_equal("1.2.3.4.5", resp.policy_id) - assert_equal("SHA1", resp.algorithm) - assert_equal(digest, resp.message_imprint) - assert_equal(1, resp.serial_number) - assert_equal(time.to_i, resp.gen_time.to_i) - assert_equal(false, resp.ordering) - assert_nil(req.nonce) - assert_cert(TS_CERT_EE, resp.tsa_certificate) - #compare PKCS7 - pkcs7 = OpenSSL::ASN1.decode(resp.to_der).value[1] - assert_equal(pkcs7.to_der, resp.pkcs7.to_der) + def test_response_mandatory_fields + fac = OpenSSL::Timestamp::Factory.new + req = OpenSSL::Timestamp::Request.new + assert_raises(OpenSSL::Timestamp::TimestampError) do + fac.create_timestamp(EE_KEY, TS_CERT_EE, req) end - - def test_response_mandatory_fields - fac = OpenSSL::Timestamp::Factory.new - req = OpenSSL::Timestamp::Request.new - assert_raises(OpenSSL::Timestamp::TimestampError) do - fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - end - req.algorithm = "sha1" - assert_raises(OpenSSL::Timestamp::TimestampError) do - fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - end - req.message_imprint = OpenSSL::Digest::SHA1.new.digest("data") - assert_raises(OpenSSL::Timestamp::TimestampError) do - fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - end - fac.gen_time = Time.now - assert_raises(OpenSSL::Timestamp::TimestampError) do - fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - end - fac.serial_number = 1 - assert_raises(OpenSSL::Timestamp::TimestampError) do - fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - end - fac.default_policy_id = "1.2.3.4.5" + req.algorithm = "sha1" + assert_raises(OpenSSL::Timestamp::TimestampError) do fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - fac.default_policy_id = nil - assert_raises(OpenSSL::Timestamp::TimestampError) do - fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - end - req.policy_id = "1.2.3.4.5" + end + req.message_imprint = OpenSSL::Digest::SHA1.new.digest("data") + assert_raises(OpenSSL::Timestamp::TimestampError) do + fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + end + fac.gen_time = Time.now + assert_raises(OpenSSL::Timestamp::TimestampError) do + fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + end + fac.serial_number = 1 + assert_raises(OpenSSL::Timestamp::TimestampError) do + fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + end + fac.default_policy_id = "1.2.3.4.5" + fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + fac.default_policy_id = nil + assert_raises(OpenSSL::Timestamp::TimestampError) do fac.create_timestamp(EE_KEY, TS_CERT_EE, req) end + req.policy_id = "1.2.3.4.5" + fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + end - def test_response_default_policy - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest + def test_response_default_policy + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - fac.default_policy_id = "1.2.3.4.6" + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + fac.default_policy_id = "1.2.3.4.6" - resp = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status) - assert_equal("1.2.3.4.6", resp.policy_id) - end + resp = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status) + assert_equal("1.2.3.4.6", resp.policy_id) + end + + def test_no_cert_requested + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.cert_requested = false + + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + fac.default_policy_id = "1.2.3.4.5" + + resp = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status) + assert_nil(resp.tsa_certificate) + end - def test_no_cert_requested + def test_response_no_policy_defined + assert_raises(OpenSSL::Timestamp::TimestampError) do req = OpenSSL::Timestamp::Request.new req.algorithm = "SHA1" digest = OpenSSL::Digest::SHA1.new.digest("test") req.message_imprint = digest - req.cert_requested = false fac = OpenSSL::Timestamp::Factory.new fac.gen_time = Time.now fac.serial_number = 1 - fac.default_policy_id = "1.2.3.4.5" - - resp = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status) - assert_nil(resp.tsa_certificate) - end - - def test_response_no_policy_defined - assert_raises(OpenSSL::Timestamp::TimestampError) do - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - - fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - end - end - def test_verify_ee_no_req - assert_raises(TypeError) do - ts, req = timestamp_ee - ts.verify(nil, CA_CERT) - end - end - - def test_verify_ee_no_root - assert_raises(TypeError) do - ts, req = timestamp_ee - ts.verify(req, nil) - end - end - - def test_verify_ee_wrong_root_no_intermediate - assert_raises(OpenSSL::Timestamp::CertificateValidationError) do - ts, req = timestamp_ee - ts.verify(req, [INTERMEDIATE_CERT]) - end + fac.create_timestamp(EE_KEY, TS_CERT_EE, req) end + end - def test_verify_ee_wrong_root_wrong_intermediate - assert_raises(OpenSSL::Timestamp::CertificateValidationError) do - ts, req = timestamp_ee - ts.verify(req, [INTERMEDIATE_CERT], CA_CERT) - end + def test_verify_ee_no_req + assert_raises(TypeError) do + ts, req = timestamp_ee + ts.verify(nil, CA_CERT) end + end - def test_verify_ee_nonce_mismatch - assert_raises(OpenSSL::Timestamp::TimestampError) do - ts, req = timestamp_ee - req.nonce = 1 - ts.verify(req, [CA_CERT], INTERMEDIATE_CERT) - end + def test_verify_ee_no_root + assert_raises(TypeError) do + ts, req = timestamp_ee + ts.verify(req, nil) end + end - def test_verify_ee_intermediate_missing - assert_raises(OpenSSL::Timestamp::CertificateValidationError) do - ts, req = timestamp_ee - ts.verify(req, [CA_CERT]) - end + def test_verify_ee_wrong_root_no_intermediate + assert_raises(OpenSSL::Timestamp::CertificateValidationError) do + ts, req = timestamp_ee + ts.verify(req, [INTERMEDIATE_CERT]) end + end - def test_verify_ee_intermediate + def test_verify_ee_wrong_root_wrong_intermediate + assert_raises(OpenSSL::Timestamp::CertificateValidationError) do ts, req = timestamp_ee - ts.verify(req, [CA_CERT], INTERMEDIATE_CERT) + ts.verify(req, [INTERMEDIATE_CERT], CA_CERT) end + end - def test_verify_ee_single_root + def test_verify_ee_nonce_mismatch + assert_raises(OpenSSL::Timestamp::TimestampError) do ts, req = timestamp_ee - ts.verify(req, CA_CERT, INTERMEDIATE_CERT) + req.nonce = 1 + ts.verify(req, [CA_CERT], INTERMEDIATE_CERT) end + end - def test_verify_ee_root_from_string + def test_verify_ee_intermediate_missing + assert_raises(OpenSSL::Timestamp::CertificateValidationError) do ts, req = timestamp_ee - pem_root = CA_CERT.to_pem - ts.verify(req, pem_root, INTERMEDIATE_CERT) + ts.verify(req, [CA_CERT]) end + end - def test_verify_ee_root_from_file - begin - ts, req = timestamp_ee - File.open('root_ca', 'wb') do |file| - file.print(CA_CERT.to_pem) - end - ts.verify(req, File.open('root_ca', 'rb'), INTERMEDIATE_CERT) - ensure - if File.exists?('root_ca') - File.delete('root_ca') - end - end - end + def test_verify_ee_intermediate + ts, req = timestamp_ee + ts.verify(req, [CA_CERT], INTERMEDIATE_CERT) + end - def test_verify_ee_def_policy - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.nonce = 42 + def test_verify_ee_single_root + ts, req = timestamp_ee + ts.verify(req, CA_CERT, INTERMEDIATE_CERT) + end - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - fac.default_policy_id = "1.2.3.4.5" + def test_verify_ee_root_from_string + ts, req = timestamp_ee + pem_root = CA_CERT.to_pem + ts.verify(req, pem_root, INTERMEDIATE_CERT) + end - ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - ts.verify(req, [CA_CERT], INTERMEDIATE_CERT) + def test_verify_ee_root_from_file + begin + ts, req = timestamp_ee + File.open('root_ca', 'wb') do |file| + file.print(CA_CERT.to_pem) + end + ts.verify(req, File.open('root_ca', 'rb'), INTERMEDIATE_CERT) + ensure + if File.exists?('root_ca') + File.delete('root_ca') + end end + end - def test_verify_direct - ts, req = timestamp_direct - ts.verify(req, [CA_CERT]) - end + def test_verify_ee_def_policy + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.nonce = 42 - def test_verify_direct_redundant_untrusted - ts, req = timestamp_direct - ts.verify(req, [CA_CERT], ts.tsa_certificate, ts.tsa_certificate) - end + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + fac.default_policy_id = "1.2.3.4.5" - def test_verify_direct_unrelated_untrusted - ts, req = timestamp_direct - ts.verify(req, [CA_CERT], INTERMEDIATE_CERT) - end + ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + ts.verify(req, [CA_CERT], INTERMEDIATE_CERT) + end - def test_verify_direct_wrong_root - assert_raises(OpenSSL::Timestamp::CertificateValidationError) do - ts, req = timestamp_direct - ts.verify(req, [INTERMEDIATE_CERT]) - end - end + def test_verify_direct + ts, req = timestamp_direct + ts.verify(req, [CA_CERT]) + end - def test_verify_direct_no_cert_no_intermediate - assert_raises(OpenSSL::Timestamp::TimestampError) do - ts, req = timestamp_direct_no_cert - ts.verify(req, [CA_CERT]) - end - end + def test_verify_direct_redundant_untrusted + ts, req = timestamp_direct + ts.verify(req, [CA_CERT], ts.tsa_certificate, ts.tsa_certificate) + end - def test_verify_ee_no_cert - ts, req = timestamp_ee_no_cert - ts.verify(req, [CA_CERT], TS_CERT_EE, INTERMEDIATE_CERT) - end + def test_verify_direct_unrelated_untrusted + ts, req = timestamp_direct + ts.verify(req, [CA_CERT], INTERMEDIATE_CERT) + end - def test_verify_ee_no_cert_no_intermediate - assert_raises(OpenSSL::Timestamp::CertificateValidationError) do - ts, req = timestamp_ee_no_cert - ts.verify(req, [CA_CERT], TS_CERT_EE) - end + def test_verify_direct_wrong_root + assert_raises(OpenSSL::Timestamp::CertificateValidationError) do + ts, req = timestamp_direct + ts.verify(req, [INTERMEDIATE_CERT]) end + end - def test_verity_ee_wrong_purpose - assert_raises(OpenSSL::Timestamp::TimestampError) do - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.policy_id = "1.2.3.4.5" - req.nonce = 42 - - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - ts = fac.create_timestamp(EE_KEY, INTERMEDIATE_CERT, req) - - ts.verify(req, [CA_CERT]) - end + def test_verify_direct_no_cert_no_intermediate + assert_raises(OpenSSL::Timestamp::TimestampError) do + ts, req = timestamp_direct_no_cert + ts.verify(req, [CA_CERT]) end + end - def test_verify_ee_additional_certs_array - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.policy_id = "1.2.3.4.5" - req.nonce = 42 - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - fac.additional_certs = [INTERMEDIATE_CERT] - ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - assert_equal(2, ts.pkcs7.certificates.size) - fac.additional_certs = nil - ts.verify(req, CA_CERT) - ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - assert_equal(1, ts.pkcs7.certificates.size) - end + def test_verify_ee_no_cert + ts, req = timestamp_ee_no_cert + ts.verify(req, [CA_CERT], TS_CERT_EE, INTERMEDIATE_CERT) + end - def test_verify_ee_additional_certs_single - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.policy_id = "1.2.3.4.5" - req.nonce = 42 - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - fac.additional_certs = INTERMEDIATE_CERT - ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - assert_equal(2, ts.pkcs7.certificates.size) - ts.verify(req, CA_CERT) + def test_verify_ee_no_cert_no_intermediate + assert_raises(OpenSSL::Timestamp::CertificateValidationError) do + ts, req = timestamp_ee_no_cert + ts.verify(req, [CA_CERT], TS_CERT_EE) end + end - def test_verify_ee_additional_certs_with_root + def test_verity_ee_wrong_purpose + assert_raises(OpenSSL::Timestamp::TimestampError) do req = OpenSSL::Timestamp::Request.new req.algorithm = "SHA1" digest = OpenSSL::Digest::SHA1.new.digest("test") req.message_imprint = digest req.policy_id = "1.2.3.4.5" req.nonce = 42 - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - fac.additional_certs = [INTERMEDIATE_CERT, CA_CERT] - ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - assert_equal(3, ts.pkcs7.certificates.size) - ts.verify(req, CA_CERT) - end - def test_verify_ee_cert_inclusion_not_requested - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.nonce = 42 - req.cert_requested = false fac = OpenSSL::Timestamp::Factory.new fac.gen_time = Time.now fac.serial_number = 1 - #needed because the Request contained no policy identifier - fac.default_policy_id = '1.2.3.4.5' - fac.additional_certs = [ TS_CERT_EE, INTERMEDIATE_CERT ] - ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - assert_nil(ts.pkcs7.certificates) #since cert_requested? == false - ts.verify(req, CA_CERT, TS_CERT_EE, INTERMEDIATE_CERT) - end - - def test_reusable - #test if req and faq are reusable, i.e. the internal - #CTX_free methods don't mess up e.g. the certificates - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.policy_id = "1.2.3.4.5" - req.nonce = 42 + ts = fac.create_timestamp(EE_KEY, INTERMEDIATE_CERT, req) - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - fac.additional_certs = [ INTERMEDIATE_CERT ] - ts1 = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - ts1.verify(req, CA_CERT) - ts2 = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) - ts2.verify(req, CA_CERT) - refute_nil(ts1.tsa_certificate) - refute_nil(ts2.tsa_certificate) + ts.verify(req, [CA_CERT]) end + end - private + def test_verify_ee_additional_certs_array + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.policy_id = "1.2.3.4.5" + req.nonce = 42 + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + fac.additional_certs = [INTERMEDIATE_CERT] + ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + assert_equal(2, ts.pkcs7.certificates.size) + fac.additional_certs = nil + ts.verify(req, CA_CERT) + ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + assert_equal(1, ts.pkcs7.certificates.size) + end - def assert_cert expected, actual - assert_equal expected.to_der, actual.to_der - end + def test_verify_ee_additional_certs_single + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.policy_id = "1.2.3.4.5" + req.nonce = 42 + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + fac.additional_certs = INTERMEDIATE_CERT + ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + assert_equal(2, ts.pkcs7.certificates.size) + ts.verify(req, CA_CERT) + end - def timestamp_ee - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.policy_id = "1.2.3.4.5" - req.nonce = 42 + def test_verify_ee_additional_certs_with_root + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.policy_id = "1.2.3.4.5" + req.nonce = 42 + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + fac.additional_certs = [INTERMEDIATE_CERT, CA_CERT] + ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + assert_equal(3, ts.pkcs7.certificates.size) + ts.verify(req, CA_CERT) + end - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - return fac.create_timestamp(EE_KEY, TS_CERT_EE, req), req - end + def test_verify_ee_cert_inclusion_not_requested + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.nonce = 42 + req.cert_requested = false + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + #needed because the Request contained no policy identifier + fac.default_policy_id = '1.2.3.4.5' + fac.additional_certs = [ TS_CERT_EE, INTERMEDIATE_CERT ] + ts = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + assert_nil(ts.pkcs7.certificates) #since cert_requested? == false + ts.verify(req, CA_CERT, TS_CERT_EE, INTERMEDIATE_CERT) + end - def timestamp_ee_no_cert - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.policy_id = "1.2.3.4.5" - req.nonce = 42 - req.cert_requested = false + def test_reusable + #test if req and faq are reusable, i.e. the internal + #CTX_free methods don't mess up e.g. the certificates + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.policy_id = "1.2.3.4.5" + req.nonce = 42 + + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + fac.additional_certs = [ INTERMEDIATE_CERT ] + ts1 = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + ts1.verify(req, CA_CERT) + ts2 = fac.create_timestamp(EE_KEY, TS_CERT_EE, req) + ts2.verify(req, CA_CERT) + refute_nil(ts1.tsa_certificate) + refute_nil(ts2.tsa_certificate) + end - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - return fac.create_timestamp(EE_KEY, TS_CERT_EE, req), req - end + private - def timestamp_direct - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.policy_id = "1.2.3.4.5" - req.nonce = 42 + def assert_cert expected, actual + assert_equal expected.to_der, actual.to_der + end - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - return fac.create_timestamp(EE_KEY, TS_CERT_DIRECT, req), req - end + def timestamp_ee + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.policy_id = "1.2.3.4.5" + req.nonce = 42 + + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + return fac.create_timestamp(EE_KEY, TS_CERT_EE, req), req + end - def timestamp_direct_no_cert - req = OpenSSL::Timestamp::Request.new - req.algorithm = "SHA1" - digest = OpenSSL::Digest::SHA1.new.digest("test") - req.message_imprint = digest - req.policy_id = "1.2.3.4.5" - req.nonce = 42 - req.cert_requested = false + def timestamp_ee_no_cert + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.policy_id = "1.2.3.4.5" + req.nonce = 42 + req.cert_requested = false + + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + return fac.create_timestamp(EE_KEY, TS_CERT_EE, req), req + end - fac = OpenSSL::Timestamp::Factory.new - fac.gen_time = Time.now - fac.serial_number = 1 - return fac.create_timestamp(EE_KEY, TS_CERT_DIRECT, req), req - end + def timestamp_direct + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.policy_id = "1.2.3.4.5" + req.nonce = 42 + + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + return fac.create_timestamp(EE_KEY, TS_CERT_DIRECT, req), req + end + def timestamp_direct_no_cert + req = OpenSSL::Timestamp::Request.new + req.algorithm = "SHA1" + digest = OpenSSL::Digest::SHA1.new.digest("test") + req.message_imprint = digest + req.policy_id = "1.2.3.4.5" + req.nonce = 42 + req.cert_requested = false + + fac = OpenSSL::Timestamp::Factory.new + fac.gen_time = Time.now + fac.serial_number = 1 + return fac.create_timestamp(EE_KEY, TS_CERT_DIRECT, req), req end end diff --git a/test/utils.rb b/test/utils.rb index 8ce59d05..87403295 100644 --- a/test/utils.rb +++ b/test/utils.rb @@ -324,4 +324,66 @@ class OpenSSL::PKeyTestCase < OpenSSL::TestCase end end +module OpenSSL::Certs + include OpenSSL::TestUtils + + module_function + + def ca_cert + ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Timestamp Root CA") + + now = Time.now + ca_exts = [ + ["basicConstraints","CA:TRUE,pathlen:1",true], + ["keyUsage","keyCertSign, cRLSign",true], + ["subjectKeyIdentifier","hash",false], + ["authorityKeyIdentifier","keyid:always",false], + ] + OpenSSL::TestUtils.issue_cert(ca, Fixtures.pkey("rsa2048"), 1, ca_exts, nil, nil) + end + + def ts_cert_direct(key, ca_cert) + dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/OU=Timestamp/CN=Server Direct") + + now = Time.now + exts = [ + ["basicConstraints","CA:FALSE",true], + ["keyUsage","digitalSignature, nonRepudiation", true], + ["subjectKeyIdentifier", "hash",false], + ["authorityKeyIdentifier","keyid,issuer", false], + ["extendedKeyUsage", "timeStamping", true] + ] + + OpenSSL::TestUtils.issue_cert(dn, key, 2, exts, ca_cert, Fixtures.pkey("rsa2048")) + end + + def intermediate_cert(key, ca_cert) + dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/OU=Timestamp/CN=Timestamp Intermediate CA") + + now = Time.now + exts = [ + ["basicConstraints","CA:TRUE,pathlen:0",true], + ["keyUsage","keyCertSign, cRLSign",true], + ["subjectKeyIdentifier","hash",false], + ["authorityKeyIdentifier","keyid:always",false], + ] + + OpenSSL::TestUtils.issue_cert(dn, key, 3, exts, ca_cert, Fixtures.pkey("rsa2048")) + end + + def ts_cert_ee(key, intermediate, im_key) + dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/OU=Timestamp/CN=Server End Entity") + + now = Time.now + exts = [ + ["keyUsage","digitalSignature, nonRepudiation", true], + ["subjectKeyIdentifier", "hash",false], + ["authorityKeyIdentifier","keyid,issuer", false], + ["extendedKeyUsage", "timeStamping", true] + ] + + OpenSSL::TestUtils.issue_cert(dn, key, 4, exts, intermediate, im_key) + end +end + end |