diff options
| author | Kazuki Yamaguchi <k@rhe.jp> | 2016-04-25 22:08:33 +0900 |
|---|---|---|
| committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-05-05 18:43:53 +0900 |
| commit | ca758422e7d97ea7b44ba1e4216ac3c03aa37e85 (patch) | |
| tree | f66a33c89e480f6a8cf38f29c70338b0846ec0b4 /test/rubygems/alternate_cert_32.pem | |
| parent | 26dea2a545e230c6eb5508b6afbcee90673dc8fc (diff) | |
| download | ruby-feature/openssl-110-v2.tar.gz | |
test/rubygems: regenerate certificatesfeature/openssl-110-v2
Regenerate test CA certificates with appropriate extensions
Test certificates in test/rubygems lack the basic constraints extension.
Here is the patch against rubygems' util/create_certs.rb.
ruby util/create_certs.rb &&
cp test/rubygems/*.pem /path/to/ruby/test/rubygems/ &&
ruby util/create_encrypted_key.rb &&
cp test/rubygems/encrypted_private_key.pem /path/to/ruby/test/rubygems/
------------------------ >8 ------------------------
diff --git a/util/create_certs.rb b/util/create_certs.rb
index 4f6f9ea..313a724 100644
--- a/util/create_certs.rb
+++ b/util/create_certs.rb
@@ -4,37 +4,41 @@ require 'time'
class CertificateBuilder
- attr_reader :today
+ attr_reader :start
def initialize key_size = 2048
- today = Time.now.utc
- @today = Time.utc today.year, today.month, today.day
+ @start = Time.utc 2012, 01, 01, 00, 00, 00
@end_of_time = Time.utc 9999, 12, 31, 23, 59, 59
@end_of_time_32 = Time.utc 2038, 01, 19, 03, 14, 07
+ @key_size = key_size
@serial = 0
end
- def create_certificates(key, subject, issuer_key = key, issuer = subject,
- not_before: @today, not_after: :end_of_time)
+ def create_certificates(key, subject, issuer_key = key, issuer_cert = nil,
+ not_before: @start, not_after: :end_of_time,
+ is_ca: false)
certificates = []
not_before, not_before_32 = validity_for not_before
not_after, not_after_32 = validity_for not_after
+ issuer_cert, issuer_cert_32 = issuer_cert
certificates <<
- create_certificate(key, subject, issuer_key, issuer,
- not_before, not_after)
+ create_certificate(key, subject, issuer_key, issuer_cert,
+ not_before, not_after, is_ca)
certificates <<
- create_certificate(key, subject, issuer_key, issuer,
- not_before_32, not_after_32)
+ create_certificate(key, subject, issuer_key, issuer_cert_32,
+ not_before_32, not_after_32, is_ca)
certificates
end
- def create_certificate key, subject, issuer_key, issuer, not_before, not_after
- puts "creating cert - subject: #{subject}, issuer: #{issuer}"
+ def create_certificate(key, subject, issuer_key, issuer_cert,
+ not_before, not_after, is_ca)
cert = OpenSSL::X509::Certificate.new
+ issuer_cert ||= cert # if not specified, create self signing cert
+
cert.version = 2
cert.serial = 0
@@ -45,32 +49,41 @@ class CertificateBuilder
cert.public_key = key.public_key
- cert.subject =
- OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]]
- cert.issuer =
- OpenSSL::X509::Name.new [%W[CN #{issuer}], %w[DC example]]
+ cert.subject = OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]]
+ cert.issuer = issuer_cert.subject
- ef = OpenSSL::X509::ExtensionFactory.new nil, cert
+ ef = OpenSSL::X509::ExtensionFactory.new issuer_cert, cert
cert.extensions = [
- ef.create_extension('subjectAltName', "email:#{subject}@example")
+ ef.create_extension('subjectAltName', "email:#{subject}@example"),
+ ef.create_extension('subjectKeyIdentifier', 'hash')
]
+ if cert != issuer_cert # not self-signed cert
+ cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always')
+ end
+
+ if is_ca
+ cert.add_extension ef.create_extension('basicConstraints', 'CA:TRUE', true)
+ cert.add_extension ef.create_extension('keyUsage', 'keyCertSign', true)
+ end
+
cert.sign issuer_key, OpenSSL::Digest::SHA1.new
+ puts "created cert - subject: #{cert.subject}, issuer: #{cert.issuer}"
cert
end
def create_key
puts "creating key"
- OpenSSL::PKey::RSA.new 2048
+ OpenSSL::PKey::RSA.new @key_size
end
def create_keys names
keys = {}
names.each do |name|
- keys[name] = create_key
+ keys[name] = OpenSSL::PKey::RSA.new File.read(File.join "test/rubygems/#{name}_key.pem")
end
keys
@@ -108,37 +121,39 @@ keys = cb.create_keys [
keys[:public] = keys[:private].public_key
-certs = {
- alternate:
- cb.create_certificates(keys[:alternate], 'alternate'),
- child:
- cb.create_certificates(keys[:child], 'child',
- keys[:private], 'nobody'),
- expired:
- cb.create_certificates(keys[:private], 'nobody',
- not_before: Time.at(0),
- not_after: Time.at(0)),
- future:
- cb.create_certificates(keys[:private], 'nobody',
- not_before: :end_of_time,
- not_after: :end_of_time),
- grandchild:
- cb.create_certificates(keys[:grandchild], 'grandchild',
- keys[:child], 'child'),
- invalid_issuer:
- cb.create_certificates(keys[:invalid], 'invalid',
- keys[:invalid], 'nobody'),
- invalid_signer:
- cb.create_certificates(keys[:invalid], 'invalid',
- keys[:private], 'invalid'),
- invalidchild:
- cb.create_certificates(keys[:invalidchild], 'invalidchild',
- keys[:invalid], 'child'),
- public:
- cb.create_certificates(keys[:private], 'nobody'),
- wrong_key:
- cb.create_certificates(keys[:alternate], 'nobody'),
-}
+certs = {}
+certs[:public] =
+ cb.create_certificates(keys[:private], 'nobody',
+ is_ca: true)
+certs[:child] =
+ cb.create_certificates(keys[:child], 'child',
+ keys[:private], certs[:public],
+ is_ca: true)
+certs[:alternate] =
+ cb.create_certificates(keys[:alternate], 'alternate')
+certs[:expired] =
+ cb.create_certificates(keys[:private], 'nobody',
+ not_before: Time.at(0),
+ not_after: Time.at(0))
+certs[:future] =
+ cb.create_certificates(keys[:private], 'nobody',
+ not_before: :end_of_time,
+ not_after: :end_of_time)
+certs[:invalid_issuer] =
+ cb.create_certificates(keys[:invalid], 'invalid',
+ keys[:invalid], certs[:public],
+ is_ca: true)
+certs[:grandchild] =
+ cb.create_certificates(keys[:grandchild], 'grandchild',
+ keys[:child], certs[:child])
+certs[:invalid_signer] =
+ cb.create_certificates(keys[:invalid], 'invalid',
+ keys[:private], certs[:invalid])
+certs[:invalidchild] =
+ cb.create_certificates(keys[:invalidchild], 'invalidchild',
+ keys[:invalid], certs[:child])
+certs[:wrong_key] =
+ cb.create_certificates(keys[:alternate], 'nobody')
base_dir = 'test/rubygems'
Diffstat (limited to 'test/rubygems/alternate_cert_32.pem')
| -rw-r--r-- | test/rubygems/alternate_cert_32.pem | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/test/rubygems/alternate_cert_32.pem b/test/rubygems/alternate_cert_32.pem index 6ef8999ee7..adeffda24a 100644 --- a/test/rubygems/alternate_cert_32.pem +++ b/test/rubygems/alternate_cert_32.pem @@ -1,6 +1,6 @@ -----BEGIN CERTIFICATE----- -MIIC9TCCAd2gAwIBAgIBATANBgkqhkiG9w0BAQUFADAtMRIwEAYDVQQDDAlhbHRl -cm5hdGUxFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMB4XDTEyMTIwODAwMDAwMFoX +MIIDFDCCAfygAwIBAgIBBTANBgkqhkiG9w0BAQUFADAtMRIwEAYDVQQDDAlhbHRl +cm5hdGUxFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMB4XDTEyMDEwMTAwMDAwMFoX DTM4MDExOTAzMTQwN1owLTESMBAGA1UEAwwJYWx0ZXJuYXRlMRcwFQYKCZImiZPy LGQBGRYHZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2U IqQWtcR9zPTqJ5K1GIRmXl/VBwHCYXuoyW1K/7h15IdU7thEVjZ25ZvObqagX48m @@ -8,11 +8,12 @@ RJynq+7gXMMJJL5orFYAvLgRAsprAcbhCMNK34imBJy7tAekolhWM93WD0vdmwSu 1ZLNv5Dcl1JiyxqGd4nditHiuQvwCdI/qfODqj51YcpbI62Zl3yGa4e5ZB4YAiK8 z3n4xN6TpaIv7c+n4dpLW9BWCkDH8Hk9wWtkzHn5RtdzxDlvNAA+cNEx8Q7rRhtM zzQg8gxKE+1FNWtwd0TB2LlMRJNRlBGFqvS+mukjKWSElk0qQqdFsNUAeeTzjYgg -p/qOr3CMuOoyO9XQEwECAwEAAaMgMB4wHAYDVR0RBBUwE4ERYWx0ZXJuYXRlQGV4 -YW1wbGUwDQYJKoZIhvcNAQEFBQADggEBABB+jdfwANRtIQKCvv+1VnYm+3QSfshy -TI5Kk50TphheDJ7VbYyTmOxPUTsFzn0cX8zD1jBOtdVdyy6u7qUHOw6ZrDKdgg4I -95lJJibFrVXeazTByHhe31u08lMfp/6kdYwSornHUWmEHhAT60nvSbkLblW/jgPo -i1pFY5hcGJAE6kFQLQpjgl8TbUTioA8wYOKJA5ITItBXO7fYMQKDS2jYR3JMiNLR -FxgN8SzSUB0S7deI5O9fMLYL006zHP5u0qcZjVFvFJdtt3WsqDUu8E6O4QgVwvq1 -MPNUBfuNdMek1LnIUZgr7Jek+0wvbnZCGyEaVakcV74cq8fjEgWr3C0= +p/qOr3CMuOoyO9XQEwECAwEAAaM/MD0wHAYDVR0RBBUwE4ERYWx0ZXJuYXRlQGV4 +YW1wbGUwHQYDVR0OBBYEFMr5/xcHGZwOwJMz45qKKAeP7SoHMA0GCSqGSIb3DQEB +BQUAA4IBAQA1Vs3lcPpqnbsdtFDgrzApZuNgtyCRbbSrshq37dem9wSI4aFjAPLx +QGgf3c+XZczK9FkR3VUHcK8yZFrCKpv9giZDvzCUOMB/HSBAzNiNbhgUC1S0THir +xFriDITPoY7mrdJlX41Ssqk6tIKZsYP63UVghy7f9wxqXJvyfJZSB9UeM+0baQVL +tGTKXmvzLw1Pc/LHTrt7jcZT9UbBsxNNy0Wk9FPPePCUUlegRjInd/sNevywzL/T +1DL0BefqF6iyWcu86Udo+eli1JDzeUsfHOL7oqJGlWhlZHRDJ1M89n5KwPg8SCx5 +TpemV2Wy0nRTzITnmggexlMibSJ0iOvC -----END CERTIFICATE----- |