test/rubygems: regenerate certificatesfeature/openssl-110-v2

Regenerate test CA certificates with appropriate extensions

Test certificates in test/rubygems lack the basic constraints extension.

Here is the patch against rubygems' util/create_certs.rb.

ruby util/create_certs.rb &&
cp test/rubygems/*.pem /path/to/ruby/test/rubygems/ &&
ruby util/create_encrypted_key.rb &&
cp test/rubygems/encrypted_private_key.pem /path/to/ruby/test/rubygems/

------------------------ >8 ------------------------
diff --git a/util/create_certs.rb b/util/create_certs.rb
index 4f6f9ea..313a724 100644
--- a/util/create_certs.rb
+++ b/util/create_certs.rb
@@ -4,37 +4,41 @@ require 'time'

 class CertificateBuilder

-  attr_reader :today
+  attr_reader :start

   def initialize key_size = 2048
-    today           = Time.now.utc
-    @today          = Time.utc today.year, today.month, today.day
+    @start          = Time.utc 2012, 01, 01, 00, 00, 00
     @end_of_time    = Time.utc 9999, 12, 31, 23, 59, 59
     @end_of_time_32 = Time.utc 2038, 01, 19, 03, 14, 07

+    @key_size = key_size
     @serial = 0
   end

-  def create_certificates(key, subject, issuer_key = key, issuer = subject,
-                          not_before: @today, not_after: :end_of_time)
+  def create_certificates(key, subject, issuer_key = key, issuer_cert = nil,
+                          not_before: @start, not_after: :end_of_time,
+                          is_ca: false)
     certificates = []

     not_before, not_before_32 = validity_for not_before
     not_after,  not_after_32  = validity_for not_after
+    issuer_cert, issuer_cert_32 = issuer_cert

     certificates <<
-      create_certificate(key, subject, issuer_key, issuer,
-                         not_before, not_after)
+      create_certificate(key, subject, issuer_key, issuer_cert,
+                         not_before, not_after, is_ca)
     certificates <<
-      create_certificate(key, subject, issuer_key, issuer,
-                         not_before_32, not_after_32)
+      create_certificate(key, subject, issuer_key, issuer_cert_32,
+                         not_before_32, not_after_32, is_ca)

     certificates
   end

-  def create_certificate key, subject, issuer_key, issuer, not_before, not_after
-    puts "creating cert - subject: #{subject}, issuer: #{issuer}"
+  def create_certificate(key, subject, issuer_key, issuer_cert,
+                         not_before, not_after, is_ca)
     cert = OpenSSL::X509::Certificate.new
+    issuer_cert ||= cert # if not specified, create self signing cert
+
     cert.version    = 2
     cert.serial     = 0

@@ -45,32 +49,41 @@ class CertificateBuilder

     cert.public_key = key.public_key

-    cert.subject =
-      OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]]
-    cert.issuer  =
-      OpenSSL::X509::Name.new [%W[CN #{issuer}],  %w[DC example]]
+    cert.subject = OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]]
+    cert.issuer  = issuer_cert.subject

-    ef = OpenSSL::X509::ExtensionFactory.new nil, cert
+    ef = OpenSSL::X509::ExtensionFactory.new issuer_cert, cert

     cert.extensions = [
-      ef.create_extension('subjectAltName', "email:#{subject}@example")
+      ef.create_extension('subjectAltName', "email:#{subject}@example"),
+      ef.create_extension('subjectKeyIdentifier', 'hash')
     ]

+    if cert != issuer_cert # not self-signed cert
+      cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always')
+    end
+
+    if is_ca
+      cert.add_extension ef.create_extension('basicConstraints', 'CA:TRUE', true)
+      cert.add_extension ef.create_extension('keyUsage', 'keyCertSign', true)
+    end
+
     cert.sign issuer_key, OpenSSL::Digest::SHA1.new

+    puts "created cert - subject: #{cert.subject}, issuer: #{cert.issuer}"
     cert
   end

   def create_key
     puts "creating key"
-    OpenSSL::PKey::RSA.new 2048
+    OpenSSL::PKey::RSA.new @key_size
   end

   def create_keys names
     keys = {}

     names.each do |name|
-      keys[name] = create_key
+      keys[name] = OpenSSL::PKey::RSA.new File.read(File.join "test/rubygems/#{name}_key.pem")
     end

     keys
@@ -108,37 +121,39 @@ keys = cb.create_keys [

 keys[:public] = keys[:private].public_key

-certs = {
-  alternate:
-    cb.create_certificates(keys[:alternate], 'alternate'),
-  child:
-    cb.create_certificates(keys[:child], 'child',
-                           keys[:private], 'nobody'),
-  expired:
-    cb.create_certificates(keys[:private], 'nobody',
-                           not_before: Time.at(0),
-                           not_after: Time.at(0)),
-  future:
-    cb.create_certificates(keys[:private], 'nobody',
-                           not_before: :end_of_time,
-                           not_after: :end_of_time),
-  grandchild:
-    cb.create_certificates(keys[:grandchild], 'grandchild',
-                           keys[:child], 'child'),
-  invalid_issuer:
-    cb.create_certificates(keys[:invalid], 'invalid',
-                           keys[:invalid], 'nobody'),
-  invalid_signer:
-    cb.create_certificates(keys[:invalid], 'invalid',
-                           keys[:private], 'invalid'),
-  invalidchild:
-    cb.create_certificates(keys[:invalidchild], 'invalidchild',
-                           keys[:invalid], 'child'),
-  public:
-    cb.create_certificates(keys[:private], 'nobody'),
-  wrong_key:
-    cb.create_certificates(keys[:alternate], 'nobody'),
-}
+certs = {}
+certs[:public] =
+  cb.create_certificates(keys[:private], 'nobody',
+                         is_ca: true)
+certs[:child] =
+  cb.create_certificates(keys[:child], 'child',
+                         keys[:private], certs[:public],
+                         is_ca: true)
+certs[:alternate] =
+  cb.create_certificates(keys[:alternate], 'alternate')
+certs[:expired] =
+  cb.create_certificates(keys[:private], 'nobody',
+                         not_before: Time.at(0),
+                         not_after: Time.at(0))
+certs[:future] =
+  cb.create_certificates(keys[:private], 'nobody',
+                         not_before: :end_of_time,
+                         not_after: :end_of_time)
+certs[:invalid_issuer] =
+  cb.create_certificates(keys[:invalid], 'invalid',
+                         keys[:invalid], certs[:public],
+                         is_ca: true)
+certs[:grandchild] =
+  cb.create_certificates(keys[:grandchild], 'grandchild',
+                         keys[:child], certs[:child])
+certs[:invalid_signer] =
+  cb.create_certificates(keys[:invalid], 'invalid',
+                         keys[:private], certs[:invalid])
+certs[:invalidchild] =
+  cb.create_certificates(keys[:invalidchild], 'invalidchild',
+                         keys[:invalid], certs[:child])
+certs[:wrong_key] =
+  cb.create_certificates(keys[:alternate], 'nobody')

 base_dir = 'test/rubygems'

1 files changed, 10 insertions, 9 deletions

diff --git a/test/rubygems/invalid_signer_cert_32.pem b/test/rubygems/invalid_signer_cert_32.pem
index 0f4ddcf50e..657608e503 100644
--- a/test/rubygems/invalid_signer_cert_32.pem
+++ b/test/rubygems/invalid_signer_cert_32.pem
@@ -1,6 +1,6 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAdegAwIBAgIBDTANBgkqhkiG9w0BAQUFADArMRAwDgYDVQQDDAdpbnZh
-bGlkMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTAeFw0xMjEyMDgwMDAwMDBaFw0z
+MIIDDjCCAfagAwIBAgIBDzANBgkqhkiG9w0BAQUFADArMRAwDgYDVQQDDAdpbnZh
+bGlkMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTAeFw0xMjAxMDEwMDAwMDBaFw0z
 ODAxMTkwMzE0MDdaMCsxEDAOBgNVBAMMB2ludmFsaWQxFzAVBgoJkiaJk/IsZAEZ
 FgdleGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzTJw5KFI
 4oMaEOU9nf4kBbCnsoHamz9WUuEixmXS4AfMIAY80jUjjqCaVrWDsaHjb19h4nRW
@@ -8,11 +8,12 @@ B5FPEj+tFY0nQdfYj2OFomoCSI6pXlGTpGQm//SVTVVK7UgGMpGZXqpeI14FYDx2
 4Q8113rMpftSgpxiCYbcEwO4TLrsCpZSBk6Nz1ZSd3qL6bBZyIy42q6Xr28y8HmC
 jhz+uC2nVjc+EsMiuF5g/2z4HNrUw2nQVQWWs+cvmDNlOw/8hfa7uQXcISEoJldk
 9fShlz+luohLY65D1Pp+3pK1LAD70iEDIJ4n1sbIFgrvxLKJJ8QsrIYpuTvhKZEC
-qOk3Y8lfej+CTwIDAQABox4wHDAaBgNVHREEEzARgQ9pbnZhbGlkQGV4YW1wbGUw
-DQYJKoZIhvcNAQEFBQADggEBAE8RJTY1E6DBOEt5azE9wQGJ7yrWJNHLhtP0nmkd
-eaIraloJcqss86qgbH4NY81mvm7nhB6/UEcbm218b6roTDOEjvBp1sKtZ7sqt+J0
-gFqAocBStTkPucmbsDr0B6bUmeHxgpCt+QoaOh6Fwh5yizfpl9i7oMU4QLhf1eZ3
-K1PrPvUle2JFfzJ3SFDlU9C/oA9yDQGnJ7efUCFKvg9M9CzgAHFJyQNb/47tmqHF
-2uxSwEy+ADbD0fPw0r5zkejEimBHWcaTHxqQ12GhS5PkUBYm/qW9a6wyBBO2nO6u
-Tr1zrCDc728aPjN4Qh76xUy/hyCcSgXalhz1LMHgv0VDx/M=
+qOk3Y8lfej+CTwIDAQABoz0wOzAaBgNVHREEEzARgQ9pbnZhbGlkQGV4YW1wbGUw
+HQYDVR0OBBYEFJPfi7Go9+y/zD/5xz2AQKFaedlOMA0GCSqGSIb3DQEBBQUAA4IB
+AQA6WW6YyykIJmVFW8Og1R3d8fbFtQarDMGN+oZrCN3Eb9Twoy36Yr/h0bZgkCEe
+arB+VCD1DfEii5luZowUDr/BlIjIR2cNIMFpmQ8ZLIpVWQz/BYHrbw7CHO5df3mg
+HYTKlEoUMimOEWvCYnSgzKWCgSWU/jBQQ0bcUBk2HHpdT4BnLPe/7rs+TZmwd/Dz
+r80sNXQ6vqTkQS+te2hqyh62r+WeaFx7aqnFjGtwiOqMmYPr80uYOy/rX26mmfwm
+vyf8JlA4uTt795Krsc4Brc+BO0bOPfDDGhRs/2tvyHhOOqBbUxQeeV5ogiAZmA31
+ZrzbFysajMrWZ+1GV8QXOcBi
 -----END CERTIFICATE-----