mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
e0bfe3254b
* PKey::PKey#verify raises an exception when a given PKey does not
match with signature.
* PKey::DSA#sign accepts SHA1, SHA256 other than DSS1.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@26839 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
253 lines
9.4 KiB
Ruby
253 lines
9.4 KiB
Ruby
begin
|
|
require "openssl"
|
|
require File.join(File.dirname(__FILE__), "utils.rb")
|
|
rescue LoadError
|
|
end
|
|
require "test/unit"
|
|
|
|
if defined?(OpenSSL)
|
|
|
|
class OpenSSL::TestX509CRL < Test::Unit::TestCase
|
|
def setup
|
|
@rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
|
|
@rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
|
|
@dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
|
|
@dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
|
|
@ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
|
|
@ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
|
|
@ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
|
|
end
|
|
|
|
def teardown
|
|
end
|
|
|
|
def issue_crl(*args)
|
|
OpenSSL::TestUtils.issue_crl(*args)
|
|
end
|
|
|
|
def issue_cert(*args)
|
|
OpenSSL::TestUtils.issue_cert(*args)
|
|
end
|
|
|
|
def test_basic
|
|
now = Time.at(Time.now.to_i)
|
|
|
|
cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
|
|
nil, nil, OpenSSL::Digest::SHA1.new)
|
|
crl = issue_crl([], 1, now, now+1600, [],
|
|
cert, @rsa2048, OpenSSL::Digest::SHA1.new)
|
|
assert_equal(1, crl.version)
|
|
assert_equal(cert.issuer.to_der, crl.issuer.to_der)
|
|
assert_equal(now, crl.last_update)
|
|
assert_equal(now+1600, crl.next_update)
|
|
|
|
crl = OpenSSL::X509::CRL.new(crl.to_der)
|
|
assert_equal(1, crl.version)
|
|
assert_equal(cert.issuer.to_der, crl.issuer.to_der)
|
|
assert_equal(now, crl.last_update)
|
|
assert_equal(now+1600, crl.next_update)
|
|
end
|
|
|
|
def test_revoked
|
|
|
|
# CRLReason ::= ENUMERATED {
|
|
# unspecified (0),
|
|
# keyCompromise (1),
|
|
# cACompromise (2),
|
|
# affiliationChanged (3),
|
|
# superseded (4),
|
|
# cessationOfOperation (5),
|
|
# certificateHold (6),
|
|
# removeFromCRL (8),
|
|
# privilegeWithdrawn (9),
|
|
# aACompromise (10) }
|
|
|
|
now = Time.at(Time.now.to_i)
|
|
revoke_info = [
|
|
[1, Time.at(0), 1],
|
|
[2, Time.at(0x7fffffff), 2],
|
|
[3, now, 3],
|
|
[4, now, 4],
|
|
[5, now, 5],
|
|
]
|
|
cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
|
|
nil, nil, OpenSSL::Digest::SHA1.new)
|
|
crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
|
|
cert, @rsa2048, OpenSSL::Digest::SHA1.new)
|
|
revoked = crl.revoked
|
|
assert_equal(5, revoked.size)
|
|
assert_equal(1, revoked[0].serial)
|
|
assert_equal(2, revoked[1].serial)
|
|
assert_equal(3, revoked[2].serial)
|
|
assert_equal(4, revoked[3].serial)
|
|
assert_equal(5, revoked[4].serial)
|
|
|
|
assert_equal(Time.at(0), revoked[0].time)
|
|
assert_equal(Time.at(0x7fffffff), revoked[1].time)
|
|
assert_equal(now, revoked[2].time)
|
|
assert_equal(now, revoked[3].time)
|
|
assert_equal(now, revoked[4].time)
|
|
|
|
assert_equal("CRLReason", revoked[0].extensions[0].oid)
|
|
assert_equal("CRLReason", revoked[1].extensions[0].oid)
|
|
assert_equal("CRLReason", revoked[2].extensions[0].oid)
|
|
assert_equal("CRLReason", revoked[3].extensions[0].oid)
|
|
assert_equal("CRLReason", revoked[4].extensions[0].oid)
|
|
|
|
assert_equal("Key Compromise", revoked[0].extensions[0].value)
|
|
assert_equal("CA Compromise", revoked[1].extensions[0].value)
|
|
assert_equal("Affiliation Changed", revoked[2].extensions[0].value)
|
|
assert_equal("Superseded", revoked[3].extensions[0].value)
|
|
assert_equal("Cessation Of Operation", revoked[4].extensions[0].value)
|
|
|
|
assert_equal(false, revoked[0].extensions[0].critical?)
|
|
assert_equal(false, revoked[1].extensions[0].critical?)
|
|
assert_equal(false, revoked[2].extensions[0].critical?)
|
|
assert_equal(false, revoked[3].extensions[0].critical?)
|
|
assert_equal(false, revoked[4].extensions[0].critical?)
|
|
|
|
crl = OpenSSL::X509::CRL.new(crl.to_der)
|
|
assert_equal("Key Compromise", revoked[0].extensions[0].value)
|
|
assert_equal("CA Compromise", revoked[1].extensions[0].value)
|
|
assert_equal("Affiliation Changed", revoked[2].extensions[0].value)
|
|
assert_equal("Superseded", revoked[3].extensions[0].value)
|
|
assert_equal("Cessation Of Operation", revoked[4].extensions[0].value)
|
|
|
|
revoke_info = (1..1000).collect{|i| [i, now, 0] }
|
|
crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
|
|
cert, @rsa2048, OpenSSL::Digest::SHA1.new)
|
|
revoked = crl.revoked
|
|
assert_equal(1000, revoked.size)
|
|
assert_equal(1, revoked[0].serial)
|
|
assert_equal(1000, revoked[999].serial)
|
|
end
|
|
|
|
def test_extension
|
|
cert_exts = [
|
|
["basicConstraints", "CA:TRUE", true],
|
|
["subjectKeyIdentifier", "hash", false],
|
|
["authorityKeyIdentifier", "keyid:always", false],
|
|
["subjectAltName", "email:xyzzy@ruby-lang.org", false],
|
|
["keyUsage", "cRLSign, keyCertSign", true],
|
|
]
|
|
crl_exts = [
|
|
["authorityKeyIdentifier", "keyid:always", false],
|
|
["issuerAltName", "issuer:copy", false],
|
|
]
|
|
|
|
cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, cert_exts,
|
|
nil, nil, OpenSSL::Digest::SHA1.new)
|
|
crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts,
|
|
cert, @rsa2048, OpenSSL::Digest::SHA1.new)
|
|
exts = crl.extensions
|
|
assert_equal(3, exts.size)
|
|
assert_equal("1", exts[0].value)
|
|
assert_equal("crlNumber", exts[0].oid)
|
|
assert_equal(false, exts[0].critical?)
|
|
|
|
assert_equal("authorityKeyIdentifier", exts[1].oid)
|
|
keyid = OpenSSL::TestUtils.get_subject_key_id(cert)
|
|
assert_match(/^keyid:#{keyid}/, exts[1].value)
|
|
assert_equal(false, exts[1].critical?)
|
|
|
|
assert_equal("issuerAltName", exts[2].oid)
|
|
assert_equal("email:xyzzy@ruby-lang.org", exts[2].value)
|
|
assert_equal(false, exts[2].critical?)
|
|
|
|
crl = OpenSSL::X509::CRL.new(crl.to_der)
|
|
exts = crl.extensions
|
|
assert_equal(3, exts.size)
|
|
assert_equal("1", exts[0].value)
|
|
assert_equal("crlNumber", exts[0].oid)
|
|
assert_equal(false, exts[0].critical?)
|
|
|
|
assert_equal("authorityKeyIdentifier", exts[1].oid)
|
|
keyid = OpenSSL::TestUtils.get_subject_key_id(cert)
|
|
assert_match(/^keyid:#{keyid}/, exts[1].value)
|
|
assert_equal(false, exts[1].critical?)
|
|
|
|
assert_equal("issuerAltName", exts[2].oid)
|
|
assert_equal("email:xyzzy@ruby-lang.org", exts[2].value)
|
|
assert_equal(false, exts[2].critical?)
|
|
end
|
|
|
|
def test_crlnumber
|
|
cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
|
|
nil, nil, OpenSSL::Digest::SHA1.new)
|
|
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
|
|
cert, @rsa2048, OpenSSL::Digest::SHA1.new)
|
|
assert_match(1.to_s, crl.extensions[0].value)
|
|
assert_match(/X509v3 CRL Number:\s+#{1}/m, crl.to_text)
|
|
|
|
crl = issue_crl([], 2**32, Time.now, Time.now+1600, [],
|
|
cert, @rsa2048, OpenSSL::Digest::SHA1.new)
|
|
assert_match((2**32).to_s, crl.extensions[0].value)
|
|
assert_match(/X509v3 CRL Number:\s+#{2**32}/m, crl.to_text)
|
|
|
|
crl = issue_crl([], 2**100, Time.now, Time.now+1600, [],
|
|
cert, @rsa2048, OpenSSL::Digest::SHA1.new)
|
|
assert_match(/X509v3 CRL Number:\s+#{2**100}/m, crl.to_text)
|
|
assert_match((2**100).to_s, crl.extensions[0].value)
|
|
end
|
|
|
|
def test_sign_and_verify_wrong_key_type
|
|
cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
|
|
nil, nil, OpenSSL::Digest::SHA1.new)
|
|
crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [],
|
|
cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new)
|
|
cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
|
|
nil, nil, OpenSSL::Digest::DSS1.new)
|
|
crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [],
|
|
cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new)
|
|
begin
|
|
assert_equal(false, crl_rsa.verify(@dsa256))
|
|
rescue OpenSSL::X509::CRLError => e
|
|
# OpenSSL 1.0.0 added checks for pkey OID
|
|
assert_equal('wrong public key type', e.message)
|
|
end
|
|
|
|
begin
|
|
assert_equal(false, crl_dsa.verify(@rsa1024))
|
|
rescue OpenSSL::X509::CRLError => e
|
|
# OpenSSL 1.0.0 added checks for pkey OID
|
|
assert_equal('wrong public key type', e.message)
|
|
end
|
|
end
|
|
|
|
def test_sign_and_verify
|
|
cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
|
|
nil, nil, OpenSSL::Digest::SHA1.new)
|
|
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
|
|
cert, @rsa2048, OpenSSL::Digest::SHA1.new)
|
|
assert_equal(false, crl.verify(@rsa1024))
|
|
assert_equal(true, crl.verify(@rsa2048))
|
|
crl.version = 0
|
|
assert_equal(false, crl.verify(@rsa2048))
|
|
|
|
cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
|
|
nil, nil, OpenSSL::Digest::DSS1.new)
|
|
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
|
|
cert, @dsa512, OpenSSL::Digest::DSS1.new)
|
|
assert_equal(false, crl.verify(@dsa256))
|
|
assert_equal(true, crl.verify(@dsa512))
|
|
crl.version = 0
|
|
assert_equal(false, crl.verify(@dsa512))
|
|
end
|
|
|
|
def test_create_from_pem
|
|
crl = <<END
|
|
-----BEGIN X509 CRL-----
|
|
MIHkME8CAQEwDQYJKoZIhvcNAQEFBQAwDTELMAkGA1UEAwwCY2EXDTA5MDUyMzEw
|
|
MTkyM1oXDTE0MDUyMjEwMTkyM1qgDjAMMAoGA1UdFAQDAgEAMA0GCSqGSIb3DQEB
|
|
BQUAA4GBAGrGXN03TQdoluA5Xjv64We9EOvmE0EviKMeaZ/n8krEwFhUK7Yq3GVD
|
|
BFrb40cdFX1433buCZHG7Tq7eGv8cG1eO5RasuiedurMQXmVRDTDjGor/58Dk/Wy
|
|
owO/GR8ASm6Fx6AUKEgLAaoaaptpaWtEB+N4uaGvc0LFO9WY+ZMq
|
|
-----END X509 CRL-----
|
|
END
|
|
crl = OpenSSL::X509::CRL.new(crl)
|
|
assert_equal(1, crl.version)
|
|
assert_equal(OpenSSL::X509::Name.parse("/CN=ca").to_der, crl.issuer.to_der)
|
|
end
|
|
end
|
|
|
|
end
|