PageRenderTime 32ms CodeModel.GetById 19ms RepoModel.GetById 0ms app.codeStats 0ms

/projects/jruby-1.7.3/build.eclipse/externals/ruby1.8/openssl/test_x509crl.rb

https://gitlab.com/essere.lab.public/qualitas.class-corpus
Ruby | 253 lines | 207 code | 33 blank | 13 comment | 1 complexity | be70a1297193840c50b43c4ab2384621 MD5 | raw file
  1. begin
  2. require "openssl"
  3. require File.join(File.dirname(__FILE__), "utils.rb")
  4. rescue LoadError
  5. end
  6. require "test/unit"
  7. if defined?(OpenSSL)
  8. class OpenSSL::TestX509CRL < Test::Unit::TestCase
  9. def setup
  10. @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
  11. @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
  12. @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
  13. @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
  14. @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
  15. @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
  16. @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
  17. end
  18. def teardown
  19. end
  20. def issue_crl(*args)
  21. OpenSSL::TestUtils.issue_crl(*args)
  22. end
  23. def issue_cert(*args)
  24. OpenSSL::TestUtils.issue_cert(*args)
  25. end
  26. def test_basic
  27. now = Time.at(Time.now.to_i)
  28. cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
  29. nil, nil, OpenSSL::Digest::SHA1.new)
  30. crl = issue_crl([], 1, now, now+1600, [],
  31. cert, @rsa2048, OpenSSL::Digest::SHA1.new)
  32. assert_equal(1, crl.version)
  33. assert_equal(cert.issuer.to_der, crl.issuer.to_der)
  34. assert_equal(now, crl.last_update)
  35. assert_equal(now+1600, crl.next_update)
  36. crl = OpenSSL::X509::CRL.new(crl.to_der)
  37. assert_equal(1, crl.version)
  38. assert_equal(cert.issuer.to_der, crl.issuer.to_der)
  39. assert_equal(now, crl.last_update)
  40. assert_equal(now+1600, crl.next_update)
  41. end
  42. def test_revoked
  43. # CRLReason ::= ENUMERATED {
  44. # unspecified (0),
  45. # keyCompromise (1),
  46. # cACompromise (2),
  47. # affiliationChanged (3),
  48. # superseded (4),
  49. # cessationOfOperation (5),
  50. # certificateHold (6),
  51. # removeFromCRL (8),
  52. # privilegeWithdrawn (9),
  53. # aACompromise (10) }
  54. now = Time.at(Time.now.to_i)
  55. revoke_info = [
  56. [1, Time.at(0), 1],
  57. [2, Time.at(0x7fffffff), 2],
  58. [3, now, 3],
  59. [4, now, 4],
  60. [5, now, 5],
  61. ]
  62. cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
  63. nil, nil, OpenSSL::Digest::SHA1.new)
  64. crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
  65. cert, @rsa2048, OpenSSL::Digest::SHA1.new)
  66. revoked = crl.revoked
  67. assert_equal(5, revoked.size)
  68. assert_equal(1, revoked[0].serial)
  69. assert_equal(2, revoked[1].serial)
  70. assert_equal(3, revoked[2].serial)
  71. assert_equal(4, revoked[3].serial)
  72. assert_equal(5, revoked[4].serial)
  73. assert_equal(Time.at(0), revoked[0].time)
  74. assert_equal(Time.at(0x7fffffff), revoked[1].time)
  75. assert_equal(now, revoked[2].time)
  76. assert_equal(now, revoked[3].time)
  77. assert_equal(now, revoked[4].time)
  78. assert_equal("CRLReason", revoked[0].extensions[0].oid)
  79. assert_equal("CRLReason", revoked[1].extensions[0].oid)
  80. assert_equal("CRLReason", revoked[2].extensions[0].oid)
  81. assert_equal("CRLReason", revoked[3].extensions[0].oid)
  82. assert_equal("CRLReason", revoked[4].extensions[0].oid)
  83. assert_equal("Key Compromise", revoked[0].extensions[0].value)
  84. assert_equal("CA Compromise", revoked[1].extensions[0].value)
  85. assert_equal("Affiliation Changed", revoked[2].extensions[0].value)
  86. assert_equal("Superseded", revoked[3].extensions[0].value)
  87. assert_equal("Cessation Of Operation", revoked[4].extensions[0].value)
  88. assert_equal(false, revoked[0].extensions[0].critical?)
  89. assert_equal(false, revoked[1].extensions[0].critical?)
  90. assert_equal(false, revoked[2].extensions[0].critical?)
  91. assert_equal(false, revoked[3].extensions[0].critical?)
  92. assert_equal(false, revoked[4].extensions[0].critical?)
  93. crl = OpenSSL::X509::CRL.new(crl.to_der)
  94. assert_equal("Key Compromise", revoked[0].extensions[0].value)
  95. assert_equal("CA Compromise", revoked[1].extensions[0].value)
  96. assert_equal("Affiliation Changed", revoked[2].extensions[0].value)
  97. assert_equal("Superseded", revoked[3].extensions[0].value)
  98. assert_equal("Cessation Of Operation", revoked[4].extensions[0].value)
  99. revoke_info = (1..1000).collect{|i| [i, now, 0] }
  100. crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
  101. cert, @rsa2048, OpenSSL::Digest::SHA1.new)
  102. revoked = crl.revoked
  103. assert_equal(1000, revoked.size)
  104. assert_equal(1, revoked[0].serial)
  105. assert_equal(1000, revoked[999].serial)
  106. end
  107. def test_extension
  108. cert_exts = [
  109. ["basicConstraints", "CA:TRUE", true],
  110. ["subjectKeyIdentifier", "hash", false],
  111. ["authorityKeyIdentifier", "keyid:always", false],
  112. ["subjectAltName", "email:xyzzy@ruby-lang.org", false],
  113. ["keyUsage", "cRLSign, keyCertSign", true],
  114. ]
  115. crl_exts = [
  116. ["authorityKeyIdentifier", "keyid:always", false],
  117. ["issuerAltName", "issuer:copy", false],
  118. ]
  119. cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, cert_exts,
  120. nil, nil, OpenSSL::Digest::SHA1.new)
  121. crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts,
  122. cert, @rsa2048, OpenSSL::Digest::SHA1.new)
  123. exts = crl.extensions
  124. assert_equal(3, exts.size)
  125. assert_equal("1", exts[0].value)
  126. assert_equal("crlNumber", exts[0].oid)
  127. assert_equal(false, exts[0].critical?)
  128. assert_equal("authorityKeyIdentifier", exts[1].oid)
  129. keyid = OpenSSL::TestUtils.get_subject_key_id(cert)
  130. assert_match(/^keyid:#{keyid}/, exts[1].value)
  131. assert_equal(false, exts[1].critical?)
  132. assert_equal("issuerAltName", exts[2].oid)
  133. assert_equal("email:xyzzy@ruby-lang.org", exts[2].value)
  134. assert_equal(false, exts[2].critical?)
  135. crl = OpenSSL::X509::CRL.new(crl.to_der)
  136. exts = crl.extensions
  137. assert_equal(3, exts.size)
  138. assert_equal("1", exts[0].value)
  139. assert_equal("crlNumber", exts[0].oid)
  140. assert_equal(false, exts[0].critical?)
  141. assert_equal("authorityKeyIdentifier", exts[1].oid)
  142. keyid = OpenSSL::TestUtils.get_subject_key_id(cert)
  143. assert_match(/^keyid:#{keyid}/, exts[1].value)
  144. assert_equal(false, exts[1].critical?)
  145. assert_equal("issuerAltName", exts[2].oid)
  146. assert_equal("email:xyzzy@ruby-lang.org", exts[2].value)
  147. assert_equal(false, exts[2].critical?)
  148. end
  149. def test_crlnumber
  150. cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
  151. nil, nil, OpenSSL::Digest::SHA1.new)
  152. crl = issue_crl([], 1, Time.now, Time.now+1600, [],
  153. cert, @rsa2048, OpenSSL::Digest::SHA1.new)
  154. assert_match(1.to_s, crl.extensions[0].value)
  155. assert_match(/X509v3 CRL Number:\s+#{1}/m, crl.to_text)
  156. crl = issue_crl([], 2**32, Time.now, Time.now+1600, [],
  157. cert, @rsa2048, OpenSSL::Digest::SHA1.new)
  158. assert_match((2**32).to_s, crl.extensions[0].value)
  159. assert_match(/X509v3 CRL Number:\s+#{2**32}/m, crl.to_text)
  160. crl = issue_crl([], 2**100, Time.now, Time.now+1600, [],
  161. cert, @rsa2048, OpenSSL::Digest::SHA1.new)
  162. assert_match(/X509v3 CRL Number:\s+#{2**100}/m, crl.to_text)
  163. assert_match((2**100).to_s, crl.extensions[0].value)
  164. end
  165. def test_sign_and_verify_wrong_key_type
  166. cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
  167. nil, nil, OpenSSL::Digest::SHA1.new)
  168. crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [],
  169. cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new)
  170. cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
  171. nil, nil, OpenSSL::Digest::DSS1.new)
  172. crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [],
  173. cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new)
  174. begin
  175. assert_equal(false, crl_rsa.verify(@dsa256))
  176. rescue OpenSSL::X509::CRLError => e
  177. # OpenSSL 1.0.0 added checks for pkey OID
  178. assert_equal('wrong public key type', e.message)
  179. end
  180. begin
  181. assert_equal(false, crl_dsa.verify(@rsa1024))
  182. rescue OpenSSL::X509::CRLError => e
  183. # OpenSSL 1.0.0 added checks for pkey OID
  184. assert_equal('wrong public key type', e.message)
  185. end
  186. end
  187. def test_sign_and_verify
  188. cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
  189. nil, nil, OpenSSL::Digest::SHA1.new)
  190. crl = issue_crl([], 1, Time.now, Time.now+1600, [],
  191. cert, @rsa2048, OpenSSL::Digest::SHA1.new)
  192. assert_equal(false, crl.verify(@rsa1024))
  193. assert_equal(true, crl.verify(@rsa2048))
  194. crl.version = 0
  195. assert_equal(false, crl.verify(@rsa2048))
  196. cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
  197. nil, nil, OpenSSL::Digest::DSS1.new)
  198. crl = issue_crl([], 1, Time.now, Time.now+1600, [],
  199. cert, @dsa512, OpenSSL::Digest::DSS1.new)
  200. assert_equal(false, crl.verify(@dsa256))
  201. assert_equal(true, crl.verify(@dsa512))
  202. crl.version = 0
  203. assert_equal(false, crl.verify(@dsa512))
  204. end
  205. def test_create_from_pem
  206. crl = <<END
  207. -----BEGIN X509 CRL-----
  208. MIHkME8CAQEwDQYJKoZIhvcNAQEFBQAwDTELMAkGA1UEAwwCY2EXDTA5MDUyMzEw
  209. MTkyM1oXDTE0MDUyMjEwMTkyM1qgDjAMMAoGA1UdFAQDAgEAMA0GCSqGSIb3DQEB
  210. BQUAA4GBAGrGXN03TQdoluA5Xjv64We9EOvmE0EviKMeaZ/n8krEwFhUK7Yq3GVD
  211. BFrb40cdFX1433buCZHG7Tq7eGv8cG1eO5RasuiedurMQXmVRDTDjGor/58Dk/Wy
  212. owO/GR8ASm6Fx6AUKEgLAaoaaptpaWtEB+N4uaGvc0LFO9WY+ZMq
  213. -----END X509 CRL-----
  214. END
  215. crl = OpenSSL::X509::CRL.new(crl)
  216. assert_equal(1, crl.version)
  217. assert_equal(OpenSSL::X509::Name.parse("/CN=ca").to_der, crl.issuer.to_der)
  218. end
  219. end
  220. end