mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
a3f97007bb
LibreSSL 3.2.4 made the certificate verification logic back closer to pre-3.2.2 one, which is more compatible with OpenSSL. Part of the fixes added by commit a0e98d48c91f ("Enhance TLS 1.3 support on LibreSSL 3.2/3.3", 2020-12-03) is required for 3.2.2 and 3.2.3 only (and ~3.3.1, however 3.3 does not have a stable release yet). Since both releases are security fix, it should be safe to remove those special treatment from our test suite. While we are at it, TestSSL#test_ecdh_curves is split into TLS 1.2 and TLS 1.3 variants for clarity. https://github.com/ruby/openssl/commit/a9954bac22
662 lines
21 KiB
Ruby
662 lines
21 KiB
Ruby
require_relative "utils"
|
|
|
|
if defined?(OpenSSL) && defined?(OpenSSL::Timestamp)
|
|
|
|
class OpenSSL::TestTimestamp < OpenSSL::TestCase
|
|
def intermediate_key
|
|
@intermediate_key ||= OpenSSL::PKey::RSA.new <<-_end_of_pem_
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
MIICWwIBAAKBgQCcyODxH+oTrr7l7MITWcGaYnnBma6vidCCJjuSzZpaRmXZHAyH
|
|
0YcY4ttC0BdJ4uV+cE05IySVC7tyvVfFb8gFQ6XJV+AEktP+XkLbcxZgj9d2NVu1
|
|
ziXdI+ldXkPnMhyWpMS5E7SD6gflv9NhUYEsmAGsUgdK6LDmm2W2/4TlewIDAQAB
|
|
AoGAYgx6KDFWONLqjW3f/Sv/mGYHUNykUyDzpcD1Npyf797gqMMSzwlo3FZa2tC6
|
|
D7n23XirwpTItvEsW9gvgMikJDPlThAeGLZ+L0UbVNNBHVxGP998Nda1kxqKvhRE
|
|
pfZCKc7PLM9ZXc6jBTmgxdcAYfVCCVUoa2mEf9Ktr3BlI4kCQQDQAM09+wHDXGKP
|
|
o2UnCwCazGtyGU2r0QCzHlh9BVY+KD2KjjhuWh86rEbdWN7hEW23Je1vXIhuM6Pa
|
|
/Ccd+XYnAkEAwPZ91PK6idEONeGQ4I3dyMKV2SbaUjfq3MDL4iIQPQPuj7QsBO/5
|
|
3Nf9ReSUUTRFCUVwoC8k4Z1KAJhR/K/ejQJANE7PTnPuGJQGETs09+GTcFpR9uqY
|
|
FspDk8fg1ufdrVnvSAXF+TJewiGK3KU5v33jinhWQngRsyz3Wt2odKhEZwJACbjh
|
|
oicQqvzzgFd7GzVKpWDYd/ZzLY1PsgusuhoJQ2m9TVRAm4cTycLAKhNYPbcqe0sa
|
|
X5fAffWU0u7ZwqeByQJAOUAbYET4RU3iymAvAIDFj8LiQnizG9t5Ty3HXlijKQYv
|
|
y8gsvWd4CdxwOPatWpBUX9L7IXcMJmD44xXTUvpbfQ==
|
|
-----END RSA PRIVATE KEY-----
|
|
_end_of_pem_
|
|
end
|
|
|
|
def ee_key
|
|
@ee_key ||= OpenSSL::PKey::RSA.new <<-_end_of_pem_
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
MIICWwIBAAKBgQDA6eB5r2O5KOKNbKMBhzadl43lgpwqq28m+G0gH38kKCL1f3o9
|
|
P8xUZm7sZqcWEervZMSSXMGBV9DgeoSR+U6FMJywgQGx/JNRx7wZTMNym3PvgLkl
|
|
xCXh6ZA0/xbtJtcNI+UUv0ENBkTIuUWBhkAf3jQclAr9aQ0ktYBuHAcRcQIDAQAB
|
|
AoGAKNhcAuezwZx6e18pFEXAtpVEIfgJgK9TlXi8AjUpAkrNPBWFmDpN1QDrM3p4
|
|
nh+lEpLPW/3vqqchPqYyM4YJraMLpS3KUG+s7+m9QIia0ri2WV5Cig7WL+Tl9p7K
|
|
b3oi2Aj/wti8GfOLFQXOQQ4Ea4GoCv2Sxe0GZR39UBxzTsECQQD1zuVIwBvqU2YR
|
|
8innsoa+j4u2hulRmQO6Zgpzj5vyRYfA9uZxQ9nKbfJvzuWwUv+UzyS9RqxarqrP
|
|
5nQw5EmVAkEAyOmJg6+AfGrgvSWfSpXEds/WA/sHziCO3rE4/sd6cnDc6XcTgeMs
|
|
mT8Z3kAYGpqFDew5orUylPfJJa+PUueJbQJAY+gkvw3+Cp69FLw1lgu0wo07fwOU
|
|
n2qu3jsNMm0DOFRUWfTAMvcd9S385L7WEnWZldUfnKK1+OGXYYrMXPbchQJAChU2
|
|
UoaHQzc16iguM1cK0g+iJPb/MEgQA3sPajHmokGpxIm2T+lvvo0dJjs/Om6QyN8X
|
|
EWRYkoNQ8/Q4lCeMjQJAfvDIGtyqF4PieFHYgluQAv5pGgYpakdc8SYyeRH9NKey
|
|
GaL27FRs4fRWf9OmxPhUVgIyGzLGXrueemvQUDHObA==
|
|
-----END RSA PRIVATE KEY-----
|
|
_end_of_pem_
|
|
end
|
|
|
|
def ca_cert
|
|
@ca_cert ||= OpenSSL::Certs.ca_cert
|
|
end
|
|
|
|
def ca_store
|
|
@ca_store ||= OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
|
|
end
|
|
|
|
def ts_cert_direct
|
|
@ts_cert_direct ||= OpenSSL::Certs.ts_cert_direct(ee_key, ca_cert)
|
|
end
|
|
|
|
def intermediate_cert
|
|
@intermediate_cert ||= OpenSSL::Certs.intermediate_cert(intermediate_key, ca_cert)
|
|
end
|
|
|
|
def intermediate_store
|
|
@intermediate_store ||= OpenSSL::X509::Store.new.tap { |s| s.add_cert(intermediate_cert) }
|
|
end
|
|
|
|
def ts_cert_ee
|
|
@ts_cert_ee ||= OpenSSL::Certs.ts_cert_ee(ee_key, intermediate_cert, intermediate_key)
|
|
end
|
|
|
|
def test_request_mandatory_fields
|
|
req = OpenSSL::Timestamp::Request.new
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
tmp = req.to_der
|
|
pp OpenSSL::ASN1.decode(tmp)
|
|
end
|
|
req.algorithm = "sha1"
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
req.to_der
|
|
end
|
|
req.message_imprint = OpenSSL::Digest.digest('SHA1', "data")
|
|
req.to_der
|
|
end
|
|
|
|
def test_request_assignment
|
|
req = OpenSSL::Timestamp::Request.new
|
|
|
|
req.version = 2
|
|
assert_equal(2, req.version)
|
|
assert_raise(TypeError) { req.version = nil }
|
|
assert_raise(TypeError) { req.version = "foo" }
|
|
|
|
req.algorithm = "SHA1"
|
|
assert_equal("SHA1", req.algorithm)
|
|
assert_raise(TypeError) { req.algorithm = nil }
|
|
assert_raise(OpenSSL::ASN1::ASN1Error) { req.algorithm = "xxx" }
|
|
|
|
req.message_imprint = "test"
|
|
assert_equal("test", req.message_imprint)
|
|
assert_raise(TypeError) { req.message_imprint = nil }
|
|
|
|
req.policy_id = "1.2.3.4.5"
|
|
assert_equal("1.2.3.4.5", req.policy_id)
|
|
assert_raise(TypeError) { req.policy_id = 123 }
|
|
assert_raise(TypeError) { req.policy_id = nil }
|
|
|
|
req.nonce = 42
|
|
assert_equal(42, req.nonce)
|
|
assert_raise(TypeError) { req.nonce = "foo" }
|
|
assert_raise(TypeError) { req.nonce = nil }
|
|
|
|
req.cert_requested = false
|
|
assert_equal(false, req.cert_requested?)
|
|
req.cert_requested = nil
|
|
assert_equal(false, req.cert_requested?)
|
|
req.cert_requested = 123
|
|
assert_equal(true, req.cert_requested?)
|
|
req.cert_requested = "asdf"
|
|
assert_equal(true, req.cert_requested?)
|
|
end
|
|
|
|
def test_request_serialization
|
|
req = OpenSSL::Timestamp::Request.new
|
|
|
|
req.version = 2
|
|
req.algorithm = "SHA1"
|
|
req.message_imprint = "test"
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.nonce = 42
|
|
req.cert_requested = true
|
|
|
|
req = OpenSSL::Timestamp::Request.new(req.to_der)
|
|
|
|
assert_equal(2, req.version)
|
|
assert_equal("SHA1", req.algorithm)
|
|
assert_equal("test", req.message_imprint)
|
|
assert_equal("1.2.3.4.5", req.policy_id)
|
|
assert_equal(42, req.nonce)
|
|
assert_equal(true, req.cert_requested?)
|
|
|
|
end
|
|
|
|
def test_request_re_assignment
|
|
#tests whether the potential 'freeing' of previous values in C works properly
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.version = 2
|
|
req.version = 3
|
|
req.algorithm = "SHA1"
|
|
req.algorithm = "SHA256"
|
|
req.message_imprint = "test"
|
|
req.message_imprint = "test2"
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.policy_id = "1.2.3.4.6"
|
|
req.nonce = 42
|
|
req.nonce = 24
|
|
req.cert_requested = false
|
|
req.cert_requested = true
|
|
req.to_der
|
|
end
|
|
|
|
def test_request_encode_decode
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.nonce = 42
|
|
|
|
qer = OpenSSL::Timestamp::Request.new(req.to_der)
|
|
assert_equal(1, qer.version)
|
|
assert_equal("SHA1", qer.algorithm)
|
|
assert_equal(digest, qer.message_imprint)
|
|
assert_equal("1.2.3.4.5", qer.policy_id)
|
|
assert_equal(42, qer.nonce)
|
|
|
|
#put OpenSSL::ASN1.decode inbetween
|
|
qer2 = OpenSSL::Timestamp::Request.new(OpenSSL::ASN1.decode(req.to_der))
|
|
assert_equal(1, qer2.version)
|
|
assert_equal("SHA1", qer2.algorithm)
|
|
assert_equal(digest, qer2.message_imprint)
|
|
assert_equal("1.2.3.4.5", qer2.policy_id)
|
|
assert_equal(42, qer2.nonce)
|
|
end
|
|
|
|
def test_response_constants
|
|
assert_equal(0, OpenSSL::Timestamp::Response::GRANTED)
|
|
assert_equal(1, OpenSSL::Timestamp::Response::GRANTED_WITH_MODS)
|
|
assert_equal(2, OpenSSL::Timestamp::Response::REJECTION)
|
|
assert_equal(3, OpenSSL::Timestamp::Response::WAITING)
|
|
assert_equal(4, OpenSSL::Timestamp::Response::REVOCATION_WARNING)
|
|
assert_equal(5, OpenSSL::Timestamp::Response::REVOCATION_NOTIFICATION)
|
|
end
|
|
|
|
def test_response_creation
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.policy_id = "1.2.3.4.5"
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
time = Time.now
|
|
fac.gen_time = time
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
|
|
resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
resp = OpenSSL::Timestamp::Response.new(resp)
|
|
assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status)
|
|
assert_nil(resp.failure_info)
|
|
assert_equal([], resp.status_text)
|
|
assert_equal(1, resp.token_info.version)
|
|
assert_equal("1.2.3.4.5", resp.token_info.policy_id)
|
|
assert_equal("SHA1", resp.token_info.algorithm)
|
|
assert_equal(digest, resp.token_info.message_imprint)
|
|
assert_equal(1, resp.token_info.serial_number)
|
|
assert_equal(time.to_i, resp.token_info.gen_time.to_i)
|
|
assert_equal(false, resp.token_info.ordering)
|
|
assert_nil(resp.token_info.nonce)
|
|
assert_cert(ts_cert_ee, resp.tsa_certificate)
|
|
#compare PKCS7
|
|
token = OpenSSL::ASN1.decode(resp.to_der).value[1]
|
|
assert_equal(token.to_der, resp.token.to_der)
|
|
end
|
|
|
|
def test_response_failure_info
|
|
resp = OpenSSL::Timestamp::Response.new("0\"0 \x02\x01\x020\x17\f\x15Invalid TimeStampReq.\x03\x02\x06\x80")
|
|
assert_equal(:BAD_ALG, resp.failure_info)
|
|
end
|
|
|
|
def test_response_mandatory_fields
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
req = OpenSSL::Timestamp::Request.new
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
end
|
|
req.algorithm = "sha1"
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
end
|
|
req.message_imprint = OpenSSL::Digest.digest('SHA1', "data")
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
end
|
|
fac.gen_time = Time.now
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
end
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
end
|
|
fac.default_policy_id = "1.2.3.4.5"
|
|
assert_equal OpenSSL::Timestamp::Response::GRANTED, fac.create_timestamp(ee_key, ts_cert_ee, req).status
|
|
fac.default_policy_id = nil
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
end
|
|
req.policy_id = "1.2.3.4.5"
|
|
assert_equal OpenSSL::Timestamp::Response::GRANTED, fac.create_timestamp(ee_key, ts_cert_ee, req).status
|
|
end
|
|
|
|
def test_response_allowed_digests
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
req.message_imprint = OpenSSL::Digest.digest('SHA1', "test")
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.default_policy_id = "1.2.3.4.6"
|
|
|
|
# None allowed by default
|
|
resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
assert_equal OpenSSL::Timestamp::Response::REJECTION, resp.status
|
|
|
|
# Explicitly allow SHA1 (string)
|
|
fac.allowed_digests = ["sha1"]
|
|
resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
assert_equal OpenSSL::Timestamp::Response::GRANTED, resp.status
|
|
|
|
# Explicitly allow SHA1 (object)
|
|
fac.allowed_digests = [OpenSSL::Digest.new('SHA1')]
|
|
resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
assert_equal OpenSSL::Timestamp::Response::GRANTED, resp.status
|
|
|
|
# Others not allowed
|
|
req.algorithm = "SHA256"
|
|
req.message_imprint = OpenSSL::Digest.digest('SHA256', "test")
|
|
resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
assert_equal OpenSSL::Timestamp::Response::REJECTION, resp.status
|
|
|
|
# Non-Array
|
|
fac.allowed_digests = 123
|
|
resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
assert_equal OpenSSL::Timestamp::Response::REJECTION, resp.status
|
|
|
|
# Non-String, non-Digest Array element
|
|
fac.allowed_digests = ["sha1", OpenSSL::Digest.new('SHA1'), 123]
|
|
assert_raise(TypeError) do
|
|
fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
end
|
|
end
|
|
|
|
def test_response_default_policy
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
fac.default_policy_id = "1.2.3.4.6"
|
|
|
|
resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status)
|
|
assert_equal("1.2.3.4.6", resp.token_info.policy_id)
|
|
end
|
|
|
|
def test_response_bad_purpose
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.nonce = 42
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
|
|
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
fac.create_timestamp(ee_key, intermediate_cert, req)
|
|
end
|
|
end
|
|
|
|
def test_no_cert_requested
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.cert_requested = false
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
fac.default_policy_id = "1.2.3.4.5"
|
|
|
|
resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status)
|
|
assert_nil(resp.tsa_certificate)
|
|
end
|
|
|
|
def test_response_no_policy_defined
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
|
|
fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
end
|
|
end
|
|
|
|
def test_verify_ee_no_req
|
|
assert_raise(TypeError) do
|
|
ts, _ = timestamp_ee
|
|
ts.verify(nil, ca_cert)
|
|
end
|
|
end
|
|
|
|
def test_verify_ee_no_store
|
|
assert_raise(TypeError) do
|
|
ts, req = timestamp_ee
|
|
ts.verify(req, nil)
|
|
end
|
|
end
|
|
|
|
def test_verify_ee_wrong_root_no_intermediate
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
ts, req = timestamp_ee
|
|
ts.verify(req, intermediate_store)
|
|
end
|
|
end
|
|
|
|
def test_verify_ee_wrong_root_wrong_intermediate
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
ts, req = timestamp_ee
|
|
ts.verify(req, intermediate_store, [ca_cert])
|
|
end
|
|
end
|
|
|
|
def test_verify_ee_nonce_mismatch
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
ts, req = timestamp_ee
|
|
req.nonce = 1
|
|
ts.verify(req, ca_store, [intermediate_cert])
|
|
end
|
|
end
|
|
|
|
def test_verify_ee_intermediate_missing
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
ts, req = timestamp_ee
|
|
ts.verify(req, ca_store)
|
|
end
|
|
end
|
|
|
|
def test_verify_ee_intermediate
|
|
ts, req = timestamp_ee
|
|
ts.verify(req, ca_store, [intermediate_cert])
|
|
end
|
|
|
|
def test_verify_ee_intermediate_type_error
|
|
ts, req = timestamp_ee
|
|
assert_raise(TypeError) { ts.verify(req, [ca_cert], 123) }
|
|
end
|
|
|
|
def test_verify_ee_def_policy
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.nonce = 42
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
fac.default_policy_id = "1.2.3.4.5"
|
|
|
|
ts = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
ts.verify(req, ca_store, [intermediate_cert])
|
|
end
|
|
|
|
def test_verify_direct
|
|
ts, req = timestamp_direct
|
|
ts.verify(req, ca_store)
|
|
end
|
|
|
|
def test_verify_direct_redundant_untrusted
|
|
ts, req = timestamp_direct
|
|
ts.verify(req, ca_store, [ts.tsa_certificate, ts.tsa_certificate])
|
|
end
|
|
|
|
def test_verify_direct_unrelated_untrusted
|
|
ts, req = timestamp_direct
|
|
ts.verify(req, ca_store, [intermediate_cert])
|
|
end
|
|
|
|
def test_verify_direct_wrong_root
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
ts, req = timestamp_direct
|
|
ts.verify(req, intermediate_store)
|
|
end
|
|
end
|
|
|
|
def test_verify_direct_no_cert_no_intermediate
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
ts, req = timestamp_direct_no_cert
|
|
ts.verify(req, ca_store)
|
|
end
|
|
end
|
|
|
|
def test_verify_ee_no_cert
|
|
ts, req = timestamp_ee_no_cert
|
|
ts.verify(req, ca_store, [ts_cert_ee, intermediate_cert])
|
|
end
|
|
|
|
def test_verify_ee_no_cert_no_intermediate
|
|
assert_raise(OpenSSL::Timestamp::TimestampError) do
|
|
ts, req = timestamp_ee_no_cert
|
|
ts.verify(req, ca_store, [ts_cert_ee])
|
|
end
|
|
end
|
|
|
|
def test_verify_ee_additional_certs_array
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.nonce = 42
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
fac.additional_certs = [intermediate_cert]
|
|
ts = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
assert_equal(2, ts.token.certificates.size)
|
|
fac.additional_certs = nil
|
|
ts.verify(req, ca_store)
|
|
ts = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
assert_equal(1, ts.token.certificates.size)
|
|
end
|
|
|
|
def test_verify_ee_additional_certs_with_root
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.nonce = 42
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
fac.additional_certs = [intermediate_cert, ca_cert]
|
|
ts = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
assert_equal(3, ts.token.certificates.size)
|
|
ts.verify(req, ca_store)
|
|
end
|
|
|
|
def test_verify_ee_cert_inclusion_not_requested
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.nonce = 42
|
|
req.cert_requested = false
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
#needed because the Request contained no policy identifier
|
|
fac.default_policy_id = '1.2.3.4.5'
|
|
fac.additional_certs = [ ts_cert_ee, intermediate_cert ]
|
|
ts = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
assert_nil(ts.token.certificates) #since cert_requested? == false
|
|
ts.verify(req, ca_store, [ts_cert_ee, intermediate_cert])
|
|
end
|
|
|
|
def test_reusable
|
|
#test if req and faq are reusable, i.e. the internal
|
|
#CTX_free methods don't mess up e.g. the certificates
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.nonce = 42
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
fac.additional_certs = [ intermediate_cert ]
|
|
ts1 = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
ts1.verify(req, ca_store)
|
|
ts2 = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
ts2.verify(req, ca_store)
|
|
refute_nil(ts1.tsa_certificate)
|
|
refute_nil(ts2.tsa_certificate)
|
|
end
|
|
|
|
def test_token_info_creation
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.nonce = OpenSSL::BN.new(123)
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
time = Time.now
|
|
fac.gen_time = time
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
|
|
resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
|
|
info = resp.token_info
|
|
info = OpenSSL::Timestamp::TokenInfo.new(info.to_der)
|
|
|
|
assert_equal(1, info.version)
|
|
assert_equal("1.2.3.4.5", info.policy_id)
|
|
assert_equal("SHA1", info.algorithm)
|
|
assert_equal(digest, info.message_imprint)
|
|
assert_equal(1, info.serial_number)
|
|
assert_equal(time.to_i, info.gen_time.to_i)
|
|
assert_equal(false, info.ordering)
|
|
assert_equal(123, info.nonce)
|
|
end
|
|
|
|
private
|
|
|
|
def assert_cert expected, actual
|
|
assert_equal expected.to_der, actual.to_der
|
|
end
|
|
|
|
def timestamp_ee
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.nonce = 42
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
return fac.create_timestamp(ee_key, ts_cert_ee, req), req
|
|
end
|
|
|
|
def timestamp_ee_no_cert
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.nonce = 42
|
|
req.cert_requested = false
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
return fac.create_timestamp(ee_key, ts_cert_ee, req), req
|
|
end
|
|
|
|
def timestamp_direct
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.nonce = 42
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
return fac.create_timestamp(ee_key, ts_cert_direct, req), req
|
|
end
|
|
|
|
def timestamp_direct_no_cert
|
|
req = OpenSSL::Timestamp::Request.new
|
|
req.algorithm = "SHA1"
|
|
digest = OpenSSL::Digest.digest('SHA1', "test")
|
|
req.message_imprint = digest
|
|
req.policy_id = "1.2.3.4.5"
|
|
req.nonce = 42
|
|
req.cert_requested = false
|
|
|
|
fac = OpenSSL::Timestamp::Factory.new
|
|
fac.gen_time = Time.now
|
|
fac.serial_number = 1
|
|
fac.allowed_digests = ["sha1"]
|
|
return fac.create_timestamp(ee_key, ts_cert_direct, req), req
|
|
end
|
|
end
|
|
|
|
end
|