| author | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2009-12-13 14:09:20 +0000 |
|---|---|---|
| committer | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2009-12-13 14:09:20 +0000 |
| commit | c2e8a9ca94ad4e3e47da431879900b76a31f9bff (patch) | |
| tree | 5d8281bea1bffde5fb68d39c66cfd3bdbd45225c | |
| parent | 07e95b94932b400c0e995cea1c8328aee734667c (diff) | |
* test/openssl/*: added some tests from jruby-openssl.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@26073 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | test/openssl/test_cipher.rb | 105 | ||||
| -rw-r--r-- | test/openssl/test_ec.rb | 2 | ||||
| -rw-r--r-- | test/openssl/test_hmac.rb | 10 | ||||
| -rw-r--r-- | test/openssl/test_ns_spki.rb | 10 | ||||
| -rw-r--r-- | test/openssl/test_pkcs7.rb | 1 | ||||
| -rw-r--r-- | test/openssl/test_ssl.rb | 134 | ||||
| -rw-r--r-- | test/openssl/test_x509cert.rb | 67 | ||||
| -rw-r--r-- | test/openssl/test_x509crl.rb | 15 | ||||
| -rw-r--r-- | test/openssl/test_x509ext.rb | 21 | ||||
| -rw-r--r-- | test/openssl/test_x509name.rb | 16 | ||||
| -rw-r--r-- | test/openssl/test_x509req.rb | 37 | ||||
| -rw-r--r-- | test/openssl/test_x509store.rb | 32 |
13 files changed, 430 insertions, 24 deletions
@@ -1,3 +1,7 @@ +Sun Dec 13 23:07:05 2009 NAKAMURA, Hiroshi <nahi@ruby-lang.org> + + * test/openssl/*: added some tests from jruby-openssl. + Mon Dec 7 07:05:05 2009 Marc-Andre Lafortune <ruby-core@marc-andre.ca> * lib/bigdecimal.rb: fix comparison operators [ruby-core:26646] diff --git a/test/openssl/test_cipher.rb b/test/openssl/test_cipher.rb index d671908165..173e757d8c 100644 --- a/test/openssl/test_cipher.rb +++ b/test/openssl/test_cipher.rb @@ -1,3 +1,10 @@ +if defined?(JRUBY_VERSION) + require "java" + base = File.join(File.dirname(__FILE__), '..', '..') + $CLASSPATH << File.join(base, 'pkg', 'classes') + $CLASSPATH << File.join(base, 'lib', 'bcprov-jdk15-144.jar') +end + begin require "openssl" rescue LoadError @@ -12,6 +19,7 @@ class OpenSSL::TestCipher < Test::Unit::TestCase @c2 = OpenSSL::Cipher::DES.new(:EDE3, "CBC") @key = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" @iv = "\0\0\0\0\0\0\0\0" + @iv1 = "\1\1\1\1\1\1\1\1" @hexkey = "0000000000000000000000000000000000000000000000" @hexiv = "0000000000000000" @data = "DATA" 
@@ -63,9 +71,80 @@ class OpenSSL::TestCipher < Test::Unit::TestCase assert_equal(s1, s2, "encrypt reset") end + def test_set_iv + @c1.encrypt + @c1.key = @key + @c1.iv = @iv + s1 = @c1.update(@data) + @c1.final + @c1.iv = @iv1 + s1 += @c1.update(@data) + @c1.final + @c1.reset + @c1.iv = @iv + s2 = @c1.update(@data) + @c1.final + @c1.iv = @iv1 + s2 += @c1.update(@data) + @c1.final + assert_equal(s1, s2, "encrypt reset") + end + def test_empty_data @c1.encrypt - assert_raises(ArgumentError){ @c1.update("") } + assert_raise(ArgumentError){ @c1.update("") } + end + + def test_disable_padding(padding=0) + # assume a padding size of 8 + # encrypt the data with padding + @c1.encrypt + @c1.key = @key + @c1.iv = @iv + encrypted_data = @c1.update(@data) + @c1.final + assert_equal(8, encrypted_data.size) + # decrypt with padding disabled + @c1.decrypt + @c1.padding = padding + decrypted_data = @c1.update(encrypted_data) + @c1.final + # check that the result contains the padding + assert_equal(8, decrypted_data.size) + assert_equal(@data, decrypted_data[0...@data.size]) + end + + if PLATFORM =~ /java/ + # JRuby extension - using Java padding types + + def test_disable_padding_javastyle + test_disable_padding('NoPadding') + end + + def test_iso10126_padding + @c1.encrypt + @c1.key = @key + @c1.iv = @iv + @c1.padding = 'ISO10126Padding' + encrypted_data = @c1.update(@data) + @c1.final + # decrypt with padding disabled to see the padding + @c1.decrypt + @c1.padding = 0 + decrypted_data = @c1.update(encrypted_data) + @c1.final + assert_equal(@data, decrypted_data[0...@data.size]) + # last byte should be the amount of padding + assert_equal(4, decrypted_data[-1]) + end + + def test_iso10126_padding_boundry + @data = 'HELODATA' # 8 bytes, same as padding size + @c1.encrypt + @c1.key = @key + @c1.iv = @iv + @c1.padding = 'ISO10126Padding' + encrypted_data = @c1.update(@data) + @c1.final + # decrypt with padding disabled to see the padding + @c1.decrypt + @c1.padding = 0 + 
decrypted_data = @c1.update(encrypted_data) + @c1.final + assert_equal(@data, decrypted_data[0...@data.size]) + # padding should be one whole block + assert_equal(8, decrypted_data[-1]) + end end if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00907000 @@ -90,6 +169,30 @@ class OpenSSL::TestCipher < Test::Unit::TestCase } end end + + # JRUBY-4028 + def test_jruby_4028 + key = "0599E113A7EE32A9" + data = "1234567890~5J96LC303C1D22DD~20090930005944~http%3A%2F%2Flocalhost%3A8080%2Flogin%3B0%3B1~http%3A%2F%2Fmix-stage.oracle.com%2F~00" + c1 = OpenSSL::Cipher::Cipher.new("DES-CBC") + c1.padding = 0 + c1.iv = "0" * 8 + c1.encrypt + c1.key = key + e = c1.update data + e << c1.final + + c2 = OpenSSL::Cipher::Cipher.new("DES-CBC") + c2.padding = 0 + c2.iv = "0" * 8 + c2.decrypt + c2.key = key + d = c2.update e + d << c2.final + + assert_equal "\342\320B.\300&X\310\344\253\025\215\017*\22015\344\024D\342\213\361\336\311\271\326\016\243\214\026\2545\002\237,\017s\202\316&Ew\323\221H\376\200\304\201\365\332Im\240\361\037\246\3536\001A2\341\324o0\350\364%=\325\330\240\324u\225\304h\277\272\361f\024\324\352\336\353N\002/]C\370!\003)\212oa\225\207\333\340\245\207\024\351\037\327[\212\001{\216\f\315\345\372\v\226\r\233?\002\vJK", e + assert_equal data, d + end end end diff --git a/test/openssl/test_ec.rb b/test/openssl/test_ec.rb index 671901ca36..66dbf54b4d 100644 --- a/test/openssl/test_ec.rb +++ b/test/openssl/test_ec.rb @@ -89,7 +89,7 @@ class OpenSSL::TestEC < Test::Unit::TestCase sig = key.dsa_sign_asn1(@data1) assert_equal(key.dsa_verify_asn1(@data1, sig), true) - assert_raises(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) } + assert_raise(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) } end end diff --git a/test/openssl/test_hmac.rb b/test/openssl/test_hmac.rb index 2f8d6bba20..adcb6f719c 100644 --- a/test/openssl/test_hmac.rb +++ b/test/openssl/test_hmac.rb 
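Review bot: `test_set_iv` passes even if `iv=` does nothing. It encrypts under `@iv` and then `@iv1`, resets, repeats the same sequence, and only compares the two concatenated results, which are equal whenever the cipher is deterministic. Keeping the two segments in separate variables and adding `assert_not_equal(first, second, "iv= had no effect")` would show that the second IV was actually applied. The assertion message `"encrypt reset"` looks copied from the preceding test and would mislabel a failure here; `"set iv"` would fit.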
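Review bot: The plaintext in `test_jruby_4028` (`data = "1234567890~5J96LC303C1D22DD~…"`) looks like a token captured from a running application: it carries a timestamp, a login URL and what appears to be a staging hostname. A regression vector does not need real identifiers. A synthetic string of the same length would exercise the same path once the expected ciphertext is regenerated; the length presumably has to stay a multiple of the 8-byte DES block, since `padding = 0`. The `# JRUBY-4028` comment could also say in one line what the regression was, which is not evident from the test body.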
@@ -29,6 +29,16 @@ class OpenSSL::TestHMAC < Test::Unit::TestCase h = @h1.dup assert_equal(@h1.digest, h.digest, "dup digest") end + + def test_sha256 + digest256 = OpenSSL::Digest::Digest.new("sha256") + assert_equal( + "\210\236-\3270\331Yq\265\177sE\266\231hXa\332\250\026\235O&c*\307\001\227~\260n\362", + OpenSSL::HMAC.digest(digest256, 'blah', "blah")) + assert_equal( + "889e2dd730d95971b57f7345b699685861daa8169d4f26632ac701977eb06ef2", + OpenSSL::HMAC.hexdigest(digest256, 'blah', "blah")) + end end end diff --git a/test/openssl/test_ns_spki.rb b/test/openssl/test_ns_spki.rb index 3937132aa0..7b3806b830 100644 --- a/test/openssl/test_ns_spki.rb +++ b/test/openssl/test_ns_spki.rb @@ -22,6 +22,16 @@ class OpenSSL::TestNSSPI < Test::Unit::TestCase def teardown end +def pr(obj, ind=0) + if obj.respond_to?(:value) + puts((" "*ind) + obj.class.to_s + ":") + pr(obj.value,(ind+1)) + elsif obj.respond_to?(:each) && !(String===obj) + obj.each {|v| pr(v,ind+1) } + else + puts((" "*ind) + obj.inspect) + end +end def test_build_data key1 = OpenSSL::TestUtils::TEST_KEY_RSA1024 diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb index 9b472c1795..cb57ddce71 100644 --- a/test/openssl/test_pkcs7.rb +++ b/test/openssl/test_pkcs7.rb @@ -28,6 +28,7 @@ class OpenSSL::TestPKCS7 < Test::Unit::TestCase ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true], ["authorityKeyIdentifier","keyid:always",false], ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false], + ["nsCertType","client,email",false], ] @ee1_cert = issue_cert(ee1, @rsa1024, 2, Time.now, Time.now+1800, ee_exts, @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index d1cee84f4a..9c21d428bb 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb 
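Review bot: `test_sha256` runs unconditionally, but SHA-256 is not available in every OpenSSL release this branch can be built against. On such a build `OpenSSL::Digest::Digest.new("sha256")` would presumably raise and report an error, not skip the test. The cipher tests in this commit already gate AES on `OpenSSL::OPENSSL_VERSION_NUMBER`; the same pattern works here, for example wrapping the method in `if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000`. A one-line comment naming the source of the expected digest would make the known-answer value auditable.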
@@ -6,6 +6,8 @@ end require "rbconfig" require "socket" require "test/unit" +require 'tempfile' + begin loadpath = $:.dup $:.replace($: | [File.expand_path("../ruby", File.dirname(__FILE__))]) @@ -58,6 +60,20 @@ class OpenSSL::TestSSL < Test::Unit::TestCase OpenSSL::TestUtils.issue_crl(*arg) end + def choose_port(port) + tcps = nil + 100.times{ |i| + begin + tcps = TCPServer.new("127.0.0.1", port+i) + port = port + i + break + rescue Errno::EADDRINUSE + next + end + } + return tcps, port + end + def readwrite_loop(ctx, ssl) while line = ssl.gets if line =~ /^STARTTLS$/ @@ -78,11 +94,11 @@ class OpenSSL::TestSSL < Test::Unit::TestCase begin ssl = ssls.accept rescue OpenSSL::SSL::SSLError - retry + retry end Thread.start do - Thread.current.abort_on_exception = true + Thread.current.abort_on_exception = true server_proc.call(ctx, ssl) end end @@ -93,7 +109,7 @@ class OpenSSL::TestSSL < Test::Unit::TestCase ctx_proc = args[:ctx_proc] server_proc = args[:server_proc] server_proc ||= method(:readwrite_loop) - + store = OpenSSL::X509::Store.new store.add_cert(@ca_cert) store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT @@ -106,8 +122,7 @@ class OpenSSL::TestSSL < Test::Unit::TestCase ctx_proc.call(ctx) if ctx_proc Socket.do_not_reverse_lookup = true - tcps = nil - port = port0 + tcps, port = choose_port(port0) begin tcps = TCPServer.new("127.0.0.1", port) rescue Errno::EADDRINUSE @@ -120,11 +135,11 @@ class OpenSSL::TestSSL < Test::Unit::TestCase begin server = Thread.new do - Thread.current.abort_on_exception = true + Thread.current.abort_on_exception = true server_loop(ctx, ssls, server_proc) end - $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, pid, port) if $DEBUG + $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, $$, port) if $DEBUG block.call(server, port.to_i) ensure 
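Review bot: After `tcps, port = choose_port(port0)` (hunk at -106,8) the unchanged lines below still run `tcps = TCPServer.new("127.0.0.1", port)` on the port that `choose_port` has just bound. That second bind will normally fail with `Errno::EADDRINUSE`, so the listener returned by `choose_port` is overwritten without being closed and the server ends up on whatever port the rescue branch picks. The rescue body is outside the hunk, so this is inferred. Removing the leftover `begin … TCPServer.new … rescue` block would leave a single bind. `choose_port` also returns a nil server when all 100 attempts fail; `raise "no free port from #{port}" unless tcps` before the `return` would make that visible.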
@@ -133,7 +148,7 @@ class OpenSSL::TestSSL < Test::Unit::TestCase server.join(5) if server.alive? server.kill - server.join + server.join(5) flunk("TCPServer was closed and SSLServer is still alive") unless $! end end @@ -180,6 +195,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase ssl.sync_close = true ssl.connect + assert_raise(ArgumentError) { ssl.sysread(-1) } + # syswrite and sysread ITERATIONS.times{|i| str = "x" * 100 + "\n" @@ -193,6 +210,13 @@ class OpenSSL::TestSSL < Test::Unit::TestCase assert_equal(str, buf) } + # puts and gets + ITERATIONS.times{ + str = "x" * 100 + "\n" + ssl.puts(str) + assert_equal(str, ssl.gets) + } + # read and write ITERATIONS.times{|i| str = "x" * 100 + "\n" @@ -213,7 +237,7 @@ class OpenSSL::TestSSL < Test::Unit::TestCase def test_client_auth vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT start_server(PORT, vflag, true){|server, port| - assert_raises(OpenSSL::SSL::SSLError){ + assert_raise(OpenSSL::SSL::SSLError){ sock = TCPSocket.new("127.0.0.1", port) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.connect 
@@ -247,6 +271,82 @@ class OpenSSL::TestSSL < Test::Unit::TestCase } end + def test_client_auth_with_server_store + vflag = OpenSSL::SSL::VERIFY_PEER + + localcacert_file = Tempfile.open("cafile") + localcacert_file << @ca_cert.to_pem + localcacert_file.close + localcacert_path = localcacert_file.path + + ssl_store = OpenSSL::X509::Store.new + ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY + ssl_store.add_file(localcacert_path) + + args = {} + args[:ctx_proc] = proc { |server_ctx| + server_ctx.cert = @svr_cert + server_ctx.key = @svr_key + server_ctx.verify_mode = vflag + server_ctx.cert_store = ssl_store + } + + start_server(PORT, vflag, true, args){|server, port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.cert = @cli_cert + ctx.key = @cli_key + sock = TCPSocket.new("127.0.0.1", port) + ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) + ssl.sync_close = true + ssl.connect + ssl.puts("foo") + assert_equal("foo\n", ssl.gets) + ssl.close + localcacert_file.unlink + } + end + + def test_client_crl_with_server_store + vflag = OpenSSL::SSL::VERIFY_PEER + + localcacert_file = Tempfile.open("cafile") + localcacert_file << @ca_cert.to_pem + localcacert_file.close + localcacert_path = localcacert_file.path + + ssl_store = OpenSSL::X509::Store.new + ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY + ssl_store.add_file(localcacert_path) + ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK + + crl = issue_crl([], 1, Time.now, Time.now+1600, [], + @cli_cert, @ca_key, OpenSSL::Digest::SHA1.new) + + ssl_store.add_crl(OpenSSL::X509::CRL.new(crl.to_pem)) + + args = {} + args[:ctx_proc] = proc { |server_ctx| + server_ctx.cert = @svr_cert + server_ctx.key = @svr_key + server_ctx.verify_mode = vflag + server_ctx.cert_store = ssl_store + } + + start_server(PORT, vflag, true, args){|s, p| + ctx = OpenSSL::SSL::SSLContext.new + ctx.cert = @cli_cert + ctx.key = @cli_key + assert_raise(OpenSSL::SSL::SSLError){ + sock = TCPSocket.new("127.0.0.1", p) + ssl = 
OpenSSL::SSL::SSLSocket.new(sock, ctx) + ssl.sync_close = true + ssl.connect + ssl.close + } + localcacert_file.unlink + } + end + def test_starttls start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|server, port| sock = TCPSocket.new("127.0.0.1", port) @@ -352,10 +452,10 @@ class OpenSSL::TestSSL < Test::Unit::TestCase sock = TCPSocket.new("127.0.0.1", port) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.connect - assert_raises(sslerr){ssl.post_connection_check("localhost.localdomain")} - assert_raises(sslerr){ssl.post_connection_check("127.0.0.1")} + assert_raise(sslerr){ssl.post_connection_check("localhost.localdomain")} + assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")} assert(ssl.post_connection_check("localhost")) - assert_raises(sslerr){ssl.post_connection_check("foo.example.com")} + assert_raise(sslerr){ssl.post_connection_check("foo.example.com")} cert = ssl.peer_cert assert(!OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain")) @@ -378,8 +478,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase ssl.connect assert(ssl.post_connection_check("localhost.localdomain")) assert(ssl.post_connection_check("127.0.0.1")) - assert_raises(sslerr){ssl.post_connection_check("localhost")} - assert_raises(sslerr){ssl.post_connection_check("foo.example.com")} + assert_raise(sslerr){ssl.post_connection_check("localhost")} + assert_raise(sslerr){ssl.post_connection_check("foo.example.com")} cert = ssl.peer_cert assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain")) 
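Review bot: `test_client_crl_with_server_store` never revokes a certificate. `issue_crl([], 1, …, @cli_cert, @ca_key, …)` passes an empty revoke list and names `@cli_cert` where the other `issue_crl` calls in this commit pass the CA certificate. The expected `SSLError` therefore presumably comes from the store finding no usable CRL for the issuer under `V_FLAG_CRL_CHECK`, not from a revoked client certificate. `assert_raise(OpenSSL::SSL::SSLError)` cannot tell those cases apart. Issuing the CRL from `@ca_cert` with the client serial listed, plus a control connection that succeeds with an empty CRL from the same issuer, would show that revocation is what rejects the handshake. In both new tests `localcacert_file.unlink` sits after the assertions and is skipped when one fails; an `ensure` would cover that.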
@@ -400,9 +500,9 @@ class OpenSSL::TestSSL < Test::Unit::TestCase ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.connect assert(ssl.post_connection_check("localhost.localdomain")) - assert_raises(sslerr){ssl.post_connection_check("127.0.0.1")} - assert_raises(sslerr){ssl.post_connection_check("localhost")} - assert_raises(sslerr){ssl.post_connection_check("foo.example.com")} + assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")} + assert_raise(sslerr){ssl.post_connection_check("localhost")} + assert_raise(sslerr){ssl.post_connection_check("foo.example.com")} cert = ssl.peer_cert assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain")) assert(!OpenSSL::SSL.verify_certificate_identity(cert, "127.0.0.1")) diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb index a5a75ff1b6..dd52ab9644 100644 --- a/test/openssl/test_x509cert.rb +++ b/test/openssl/test_x509cert.rb 
@@ -157,19 +157,80 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase cert.not_after = Time.now assert_equal(false, cert.verify(@dsa512)) - assert_raises(OpenSSL::X509::CertificateError){ + assert_raise(OpenSSL::X509::CertificateError){ cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::DSS1.new) } - assert_raises(OpenSSL::X509::CertificateError){ + assert_raise(OpenSSL::X509::CertificateError){ cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::MD5.new) } - assert_raises(OpenSSL::X509::CertificateError){ + assert_raise(OpenSSL::X509::CertificateError){ cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::SHA1.new) } end + + def test_check_private_key + cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::SHA1.new) + assert_equal(true, cert.check_private_key(@rsa2048)) + end + + def test_to_text + cert_pem = <<END +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgIBATANBgkqhkiG9w0BAQQFADA9MRMwEQYKCZImiZPyLGQB +GRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVieS1sYW5nMQswCQYDVQQDDAJDQTAe +Fw0wOTA1MjMxNTAzNDNaFw0wOTA1MjMxNjAzNDNaMD0xEzARBgoJkiaJk/IsZAEZ +FgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5LWxhbmcxCzAJBgNVBAMMAkNBMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuV9ht9J7k4NBs38jOXvvTKY9 +gW8nLICSno5EETR1cuF7i4pNs9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enen +fzq/t/e/1IRW0wkJUJUFQign4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWm +qbjs07JbuS4QQGGXLc+Su96DkYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v6 +8JkRFIhdGlb6JL8fllf/A/blNwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX +9KZYcU00mOX+fdxOSnGqS/8JDRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wID +AQABMA0GCSqGSIb3DQEBBAUAA4IBAQB8UTw1agA9wdXxHMUACduYu6oNL7pdF0dr +w7a4QPJyj62h4+Umxvp13q0PBw0E+mSjhXMcqUhDLjrmMcvvNGhuh5Sdjbe3GI/M +3lCC9OwYYIzzul7omvGC3JEIGfzzdNnPPCPKEWp5X9f0MKLMR79qOf+sjHTjN2BY +SY3YGsEFxyTXDdqrlaYaOtTAdi/C+g1WxR8fkPLefymVwIFwvyc9/bnp7iBn7Hcw 
+mbxtLPbtQ9mURT0GHewZRTGJ1aiTq9Ag3xXME2FPF04eFRd3mclOQZNXKQ+LDxYf +k0X5FeZvsWf4srFxoVxlcDdJtHh91ZRpDDJYGQlsUm9CPTnO+e4E +-----END CERTIFICATE----- +END + + cert = OpenSSL::X509::Certificate.new(cert_pem) + + cert_text = <<END + [0] Version: 3 + SerialNumber: 1 + IssuerDN: DC=org,DC=ruby-lang,CN=CA + Start Date: Sat May 23 17:03:43 CEST 2009 + Final Date: Sat May 23 18:03:43 CEST 2009 + SubjectDN: DC=org,DC=ruby-lang,CN=CA + Public Key: RSA Public Key + modulus: 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 + public exponent: 10001 + + Signature Algorithm: MD5withRSA + Signature: 7c513c356a003dc1d5f11cc50009db98bbaa0d2f + ba5d17476bc3b6b840f2728fada1e3e526c6fa75 + dead0f070d04fa64a385731ca948432e3ae631cb + ef34686e87949d8db7b7188fccde5082f4ec1860 + 8cf3ba5ee89af182dc910819fcf374d9cf3c23ca + 116a795fd7f430a2cc47bf6a39ffac8c74e33760 + 58498dd81ac105c724d70ddaab95a61a3ad4c076 + 2fc2fa0d56c51f1f90f2de7f2995c08170bf273d + fdb9e9ee2067ec773099bc6d2cf6ed43d994453d + 061dec19453189d5a893abd020df15cc13614f17 + 4e1e15177799c94e419357290f8b0f161f9345f9 + 15e66fb167f8b2b171a15c65703749b4787dd594 + 690c325819096c526f423d39cef9ee04 +END + assert_not_nil(cert.to_text) + # This is commented out because it doesn't take timezone into consideration; FIXME + #assert_equal(cert_text, cert.to_text) + end end end diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb index 444a00a586..b5b4229fd9 100644 --- a/test/openssl/test_x509crl.rb +++ b/test/openssl/test_x509crl.rb 
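Review bot: `test_check_private_key` only checks the matching key, so an implementation that always returns true would pass. A negative case with an unrelated key, for example `assert_equal(false, cert.check_private_key(OpenSSL::TestUtils::TEST_KEY_RSA1024))`, would close that gap. In `test_to_text` the only live assertion is `assert_not_nil(cert.to_text)`, and the `cert_text` heredoc is unused because its comparison is commented out. The expected text looks like JRuby's provider output, not OpenSSL's, so it would probably not match on MRI even with the timezone fixed. Either drop the heredoc or guard the comparison by platform and say so in the FIXME.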
@@ -213,6 +213,21 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase crl.version = 0 assert_equal(false, crl.verify(@dsa512)) end + + def test_create_from_pem + crl = <<END +-----BEGIN X509 CRL----- +MIHkME8CAQEwDQYJKoZIhvcNAQEFBQAwDTELMAkGA1UEAwwCY2EXDTA5MDUyMzEw +MTkyM1oXDTE0MDUyMjEwMTkyM1qgDjAMMAoGA1UdFAQDAgEAMA0GCSqGSIb3DQEB +BQUAA4GBAGrGXN03TQdoluA5Xjv64We9EOvmE0EviKMeaZ/n8krEwFhUK7Yq3GVD +BFrb40cdFX1433buCZHG7Tq7eGv8cG1eO5RasuiedurMQXmVRDTDjGor/58Dk/Wy +owO/GR8ASm6Fx6AUKEgLAaoaaptpaWtEB+N4uaGvc0LFO9WY+ZMq +-----END X509 CRL----- +END + crl = OpenSSL::X509::CRL.new(crl) + assert_equal(1, crl.version) + assert_equal(OpenSSL::X509::Name.parse("/CN=ca").to_der, crl.issuer.to_der) + end end end diff --git a/test/openssl/test_x509ext.rb b/test/openssl/test_x509ext.rb index d43bbd6bd3..fc9b37690f 100644 --- a/test/openssl/test_x509ext.rb +++ b/test/openssl/test_x509ext.rb @@ -69,6 +69,27 @@ class OpenSSL::TestX509Extension < Test::Unit::TestCase %r{URI:ldap://ldap.example.com/cn=ca\?certificateRevocationList;binary}, cdp.value) end + + # JRUBY-3888 + # Problems with subjectKeyIdentifier with non 20-bytes sha1 digested keys + def test_certificate_with_rare_extension + cert_file = File.expand_path('max.pem', File.dirname(__FILE__)) + cer = OpenSSL::X509::Certificate.new(File.read(cert_file)) + exts = Hash.new + cer.extensions.each{|ext| exts[ext.oid] = ext.value} + + assert exts["subjectKeyIdentifier"] == "4C:B9:E1:DC:7A:AC:35:CF" + end + + def test_extension_from_20_byte_sha1_digests + cert_file = File.expand_path('common.pem', File.dirname(__FILE__)) + cer = OpenSSL::X509::Certificate.new(File.read(cert_file)) + exts = Hash.new + cer.extensions.each{|ext| exts[ext.oid] = ext.value} + + assert exts["subjectKeyIdentifier"] == "B4:AC:83:5D:21:FB:D6:8A:56:7E:B2:49:6D:69:BB:E4:6F:D8:5A:AC" + end + end end diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb index fb5a1ae4ff..8e13878b56 100644 --- a/test/openssl/test_x509name.rb 
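Review bot: Both new tests in `test_x509ext.rb` read fixtures, `max.pem` and `common.pem` beside the test file, that this commit does not add. The diffstat lists only ChangeLog and twelve `test/openssl/*.rb` files. Unless those files are already in the tree, `File.read(cert_file)` raises `Errno::ENOENT` and both tests error out before checking anything. Adding the PEM files, or embedding them as heredocs as the other new tests do, would fix that. `assert exts["subjectKeyIdentifier"] == "…"` would also report better as `assert_equal("4C:B9:E1:DC:7A:AC:35:CF", exts["subjectKeyIdentifier"])`, since a failure then prints the actual value.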
+++ b/test/openssl/test_x509name.rb @@ -6,6 +6,8 @@ require "test/unit" if defined?(OpenSSL) +require 'digest/md5' + class OpenSSL::TestX509Name < Test::Unit::TestCase OpenSSL::ASN1::ObjectId.register( "1.2.840.113549.1.9.1", "emailAddress", "emailAddress") @@ -261,6 +263,20 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase assert_equal(OpenSSL::ASN1::IA5STRING, ary[3][2]) assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[4][2]) end + + def test_hash + dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org" + name = OpenSSL::X509::Name.parse(dn) + d = Digest::MD5.digest(name.to_der) + expected = (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24 + assert_equal(expected, name.hash) + # + dn = "/DC=org/DC=ruby-lang/CN=baz.ruby-lang.org" + name = OpenSSL::X509::Name.parse(dn) + d = Digest::MD5.digest(name.to_der) + expected = (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24 + assert_equal(expected, name.hash) + end end end diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb index a37ed5c5ef..fca3af8fbb 100644 --- a/test/openssl/test_x509req.rb +++ b/test/openssl/test_x509req.rb 
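Review bot: `test_hash` hard-codes one derivation of the name hash, the first four bytes of the MD5 of the DER encoding read little-endian, without saying where that comes from. A comment such as `# matches OpenSSL's MD5-based X509_NAME_hash; newer releases may hash differently` would help, since the test is likely to fail against an OpenSSL that computes the subject hash another way. `d[0] & 0xff` also relies on `String#[]` returning an integer. `expected = d.unpack("V").first` gives the same 32-bit value without that dependency. The two identical stanzas could be folded into a loop over the two DNs.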
@@ -135,6 +135,43 @@ class OpenSSL::TestX509Request < Test::Unit::TestCase assert_raise(OpenSSL::X509::RequestError){ issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) } end + + def test_create_from_pem + req = <<END +-----BEGIN CERTIFICATE REQUEST----- +MIIBVTCBvwIBADAWMRQwEgYDVQQDDAsxOTIuMTY4LjAuNDCBnzANBgkqhkiG9w0B +AQEFAAOBjQAwgYkCgYEA0oTTzFLydOTVtBpNdYl4S0356AysVkHlqD/tNEMxQT0l +dXdNoDKb/3TfM5WMciNxBb8rImJ51vEIf6WaWvPbaawcmhNWA9JmhMIeFCdeXyu/ +XEjiiEOL4MkWf6qfsu6VoPr2YSnR0iiWLgWcnRPuy84+PE1XPPl1qGDA0apWJ9kC +AwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAKdlyDzVrXRLkPdukQUTTy6uwhv35SKL +FfiKDrHtnFYd7VbynQ1sRre5CknuRrm+E7aEJEwpz6MS+6nqmQ6JwGcm/hlZM/m7 +DVD201pI3p6LIxaRyXE20RYTp0Jj6jv+tNFd0wjVlzgStmcplNo8hu6Dtp1gKETW +qL7M4i48FXHn +-----END CERTIFICATE REQUEST----- +END + req = OpenSSL::X509::Request.new(req) + + assert_equal(0, req.version) + assert_equal(OpenSSL::X509::Name.parse("/CN=192.168.0.4").to_der, req.subject.to_der) + end + + def test_create_to_pem + req_s = <<END +-----BEGIN CERTIFICATE REQUEST----- +MIIBVTCBvwIBADAWMRQwEgYDVQQDDAsxOTIuMTY4LjAuNDCBnzANBgkqhkiG9w0B +AQEFAAOBjQAwgYkCgYEA0oTTzFLydOTVtBpNdYl4S0356AysVkHlqD/tNEMxQT0l +dXdNoDKb/3TfM5WMciNxBb8rImJ51vEIf6WaWvPbaawcmhNWA9JmhMIeFCdeXyu/ +XEjiiEOL4MkWf6qfsu6VoPr2YSnR0iiWLgWcnRPuy84+PE1XPPl1qGDA0apWJ9kC +AwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAKdlyDzVrXRLkPdukQUTTy6uwhv35SKL +FfiKDrHtnFYd7VbynQ1sRre5CknuRrm+E7aEJEwpz6MS+6nqmQ6JwGcm/hlZM/m7 +DVD201pI3p6LIxaRyXE20RYTp0Jj6jv+tNFd0wjVlzgStmcplNo8hu6Dtp1gKETW +qL7M4i48FXHn +-----END CERTIFICATE REQUEST----- +END + req = OpenSSL::X509::Request.new(req_s) + + assert_equal(req_s, req.to_pem) + end end end diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb index b0fe597262..40d6b64138 100644 --- a/test/openssl/test_x509store.rb +++ b/test/openssl/test_x509store.rb @@ -4,6 +4,7 @@ begin rescue LoadError end require "test/unit" +require "tempfile" if defined?(OpenSSL) 
@@ -198,7 +199,7 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase nil, nil, OpenSSL::Digest::SHA1.new) store = OpenSSL::X509::Store.new store.add_cert(ca1_cert) - assert_raises(OpenSSL::X509::StoreError){ + assert_raise(OpenSSL::X509::StoreError){ store.add_cert(ca1_cert) # add same certificate twice } @@ -209,10 +210,37 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [], ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new) store.add_crl(crl1) - assert_raises(OpenSSL::X509::StoreError){ + assert_raise(OpenSSL::X509::StoreError){ store.add_crl(crl2) # add CRL issued by same CA twice. } end + + def test_add_file + ca1_cert = <<END +-----BEGIN CERTIFICATE----- +MIIBzzCCATigAwIBAgIBATANBgkqhkiG9w0BAQUFADANMQswCQYDVQQDDAJjYTAe +Fw0wOTA1MjIxMDE5MjNaFw0xNDA1MjExMDE5MjNaMA0xCzAJBgNVBAMMAmNhMIGf +MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcTL520vsbXHXPfkHKrcgWbk2zVf0y +oK7bPg06kjCghs8KYsi9b/tT9KpkpejD0KucDBSmDILD3PvIWrNFcBRWf6ZC5vA5 +YuF6ueATuFhsXjUFuNLqyPcIX+XrOQmXgjiyO9nc5vzQwWRRhdyyT8DgCRUD/yHW +pjD2ZEGIAVLY/wIDAQABoz8wPTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQf +923P/SgiCcbiN20bbmuFM6SLxzALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD +gYEAE0CpCo8MxhfUNWMHF5GsGEG2+1LdE+aUX7gSb6d4vn1WjusrM2FoOFTomt32 +YPqJwMEbcqILq2v9Kkao4QNJRlK+z1xpRDnt1iBrHdXrYJFvYnfMqv3z7XAFPfQZ +yMP+P2sR0jPzy4UNZfDIMmMUqQdhkz7onKWOGjXwLEtkCMs= +-----END CERTIFICATE----- +END + + f = Tempfile.new("ca1_cert") + f << ca1_cert + f.close + + store = OpenSSL::X509::Store.new + store.add_file(f.path) + assert_equal(true, store.verify(OpenSSL::X509::Certificate.new(ca1_cert))) + f.unlink + end + end end |
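Review bot: `test_add_file` will start failing once the embedded certificate expires. `store.verify` checks validity against the current time, and the validity fields in the PEM decode to 2009-05-22 through 2014-05-21. Pinning the verification time, for example `store.time = Time.utc(2010, 1, 1)` before the `verify` call, keeps the test stable. Generating the CA certificate at run time with the `issue_cert` helper used elsewhere in this file would do the same. `f.unlink` runs only when the assertion passes, so moving it into an `ensure` would avoid leaving the temp file behind on failure.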
