* ext/openssl/ossl_x509store.c

  (ossl_x509store_set_time): add OpenSSL::X509::Store#time=.
  (ossl_x509stctx_set_time): add OpenSSL::X509::StoreContext#time=.

* test/openssl/ossl_x509store.rb: test certificate validity times.

* ext/openssl/ossl_x509name.c (ossl_x509name_to_s): add optional
  second argument to specify the output format (see also
  X509_NAME_print_ex).

* ext/openssl/ossl_x509name.c (ossl_x509name_init): new constants:
  OpenSSL::X509::Name::COMPAT, OpenSSL::X509::Name::RFC2253,
  OpenSSL::X509::ONELINE, OpenSSL::X509::MULTILINE.

* ext/openssl/lib/openssl/x509.rb (OpenSSL::X509::Name::RFC2253DN):
  new module to provide the parse for RFC2253 DN format.

* ext/openssl/lib/openssl/x509.rb (OpenSSL::X509::Name.parse_rfc2253):
  new method to parse RFC2253 DN format.

* test/openssl/ossl_x509name.rb: add tests about RFC2253 DN.

* text/openssl/ssl_server.rb: try to listen ports from 20443 to 20542
  while EADDRINUSE is raised.

* all changes in this entry are backport from 1.9.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@7599 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

4 files changed, 171 insertions, 39 deletions

diff --git a/test/openssl/ssl_server.rb b/test/openssl/ssl_server.rb
index 699a181256..5e1303379f 100644
--- a/test/openssl/ssl_server.rb
+++ b/test/openssl/ssl_server.rb
@@ -46,12 +46,22 @@ ctx.key = ssl_key
 ctx.verify_mode = verify_mode
 
 Socket.do_not_reverse_lookup = true
-tcps = TCPServer.new("0.0.0.0", port)
+tcps = nil
+100.times{|i|
+  begin
+    tcps = TCPServer.new("0.0.0.0", port+i)
+    port = port + i
+    break
+  rescue Errno::EADDRINUSE
+    next 
+  end
+}
 ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
 ssls.start_immediately = start_immediately
 
 $stdout.sync = true
 $stdout.puts Process.pid
+$stdout.puts port
 
 loop do
   ssl = ssls.accept
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 5ca981798c..699563691e 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -54,23 +54,27 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
     OpenSSL::TestUtils.issue_crl(*arg)
   end
 
-  def start_server(port, verify_mode, start_immediately, &block)
+  def start_server(port0, verify_mode, start_immediately, &block)
     server = nil
     begin
       cmd = [RUBY]
       cmd << "-d" if $DEBUG
-      cmd << SSL_SERVER << port.to_s << verify_mode.to_s
+      cmd << SSL_SERVER << port0.to_s << verify_mode.to_s
       cmd << (start_immediately ? "yes" : "no")
       server = IO.popen(cmd.join(" "), "w+")
       server.write(@ca_cert.to_pem)
       server.write(@svr_cert.to_pem)
       server.write(@svr_key.to_pem)
       pid = Integer(server.gets)
-      $stderr.printf("%s started: pid=%d\n", SSL_SERVER, pid) if $DEBUG
-      block.call(server)
+      if port = server.gets
+        if $DEBUG
+          $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, pid, port)
+        end
+        block.call(server, port.to_i)
+      end
     ensure
       if server
-        Process.kill(:KILL, pid) if pid > 0
+        Process.kill(:KILL, pid)
         server.close
       end
     end
@@ -86,15 +90,15 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
   end
 
   def test_connect_and_close
-    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){
-      sock = TCPSocket.new("127.0.0.1", PORT)
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p|
+      sock = TCPSocket.new("127.0.0.1", p)
       ssl = OpenSSL::SSL::SSLSocket.new(sock)
       assert(ssl.connect)
       ssl.close
       assert(!sock.closed?)
       sock.close
 
-      sock = TCPSocket.new("127.0.0.1", PORT)
+      sock = TCPSocket.new("127.0.0.1", p)
       ssl = OpenSSL::SSL::SSLSocket.new(sock)
       ssl.sync_close = true  # !!
       assert(ssl.connect)
@@ -104,8 +108,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
   end
 
   def test_read_and_write
-    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){
-      sock = TCPSocket.new("127.0.0.1", PORT)
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p|
+      sock = TCPSocket.new("127.0.0.1", p)
       ssl = OpenSSL::SSL::SSLSocket.new(sock)
       ssl.sync_close = true
       ssl.connect
@@ -148,8 +152,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
   end
 
   def test_starttls
-    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s|
-      sock = TCPSocket.new("127.0.0.1", PORT)
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s, p|
+      sock = TCPSocket.new("127.0.0.1", p)
       ssl = OpenSSL::SSL::SSLSocket.new(sock)
       ssl.sync_close = true
       str = "x" * 1000 + "\n"
@@ -171,10 +175,10 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
   end
 
   def test_parallel
-    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p|
       ssls = []
       10.times{
-        sock = TCPSocket.new("127.0.0.1", PORT)
+        sock = TCPSocket.new("127.0.0.1", p)
         ssl = OpenSSL::SSL::SSLSocket.new(sock)
         ssl.connect
         ssl.sync_close = true
diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb
index 14004a4e20..fb5a1ae4ff 100644
--- a/test/openssl/test_x509name.rb
+++ b/test/openssl/test_x509name.rb
@@ -7,6 +7,11 @@ require "test/unit"
 if defined?(OpenSSL)
 
 class OpenSSL::TestX509Name < Test::Unit::TestCase
+  OpenSSL::ASN1::ObjectId.register(
+    "1.2.840.113549.1.9.1", "emailAddress", "emailAddress")
+  OpenSSL::ASN1::ObjectId.register(
+    "2.5.4.5", "serialNumber", "serialNumber")
+
   def setup
     @obj_type_tmpl = Hash.new(OpenSSL::ASN1::PRINTABLESTRING)
     @obj_type_tmpl.update(OpenSSL::X509::Name::OBJECT_TYPE_TEMPLATE)
@@ -76,21 +81,12 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
     ]
     name = OpenSSL::X509::Name.new(dn)
     ary = name.to_a
-    if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000
-      assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/Email=gotoyuzo@ruby-lang.org/SN=123", name.to_s)
-    else
-      assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s)
-    end
+    assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s)
     assert_equal("DC", ary[0][0])
     assert_equal("DC", ary[1][0])
     assert_equal("CN", ary[2][0])
-    if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000
-      assert_equal("Email", ary[3][0])
-      assert_equal("SN", ary[4][0])
-    else
-      assert_equal("emailAddress", ary[3][0])
-      assert_equal("serialNumber", ary[4][0])
-    end
+    assert_equal("emailAddress", ary[3][0])
+    assert_equal("serialNumber", ary[4][0])
     assert_equal("org", ary[0][1])
     assert_equal("ruby-lang", ary[1][1])
     assert_equal("GOTOU Yuuzou", ary[2][1])
@@ -138,6 +134,105 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
     assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[2][2])
   end
 
+  def test_s_parse_rfc2253
+    scanner = OpenSSL::X509::Name::RFC2253DN.method(:scan)
+
+    assert_equal([["C", "JP"]], scanner.call("C=JP"))
+    assert_equal([
+        ["DC", "org"],
+        ["DC", "ruby-lang"],
+        ["CN", "GOTOU Yuuzou"],
+        ["emailAddress", "gotoyuzo@ruby-lang.org"],
+      ],
+      scanner.call(
+        "emailAddress=gotoyuzo@ruby-lang.org,CN=GOTOU Yuuzou,"+
+        "DC=ruby-lang,DC=org")
+    )
+
+    u8 = OpenSSL::ASN1::UTF8STRING
+    assert_equal([
+        ["DC", "org"],
+        ["DC", "ruby-lang"],
+        ["O", ",=+<>#;"],
+        ["O", ",=+<>#;"],
+        ["OU", ""],
+        ["OU", ""],
+        ["L", "aaa=\"bbb, ccc\""],
+        ["L", "aaa=\"bbb, ccc\""],
+        ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"],
+        ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"],
+        ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"],
+        ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265", u8],
+        ["2.5.4.3", "GOTOU, Yuuzou"],
+        ["2.5.4.3", "GOTOU, Yuuzou"],
+        ["2.5.4.3", "GOTOU, Yuuzou"],
+        ["2.5.4.3", "GOTOU, Yuuzou"],
+        ["CN", "GOTOU \"gotoyuzo\" Yuuzou"],
+        ["CN", "GOTOU \"gotoyuzo\" Yuuzou"],
+        ["1.2.840.113549.1.9.1", "gotoyuzo@ruby-lang.org"],
+        ["emailAddress", "gotoyuzo@ruby-lang.org"],
+      ],
+      scanner.call(
+        "emailAddress=gotoyuzo@ruby-lang.org," +
+        "1.2.840.113549.1.9.1=gotoyuzo@ruby-lang.org," +
+        'CN=GOTOU \"gotoyuzo\" Yuuzou,' +
+        'CN="GOTOU \"gotoyuzo\" Yuuzou",' +
+        '2.5.4.3=GOTOU\,\20Yuuzou,' +
+        '2.5.4.3=GOTOU\, Yuuzou,' +
+        '2.5.4.3="GOTOU, Yuuzou",' +
+        '2.5.4.3="GOTOU\, Yuuzou",' +
+        "CN=#0C0CE5BE8CE897A4E8A395E894B5," +
+        'CN=\E5\BE\8C\E8\97\A4\E8\A3\95\E8\94\B5,' +
+        "CN=\"\xE5\xBE\x8C\xE8\x97\xA4\xE8\xA3\x95\xE8\x94\xB5\"," +
+        "CN=\xE5\xBE\x8C\xE8\x97\xA4\xE8\xA3\x95\xE8\x94\xB5," +
+        'L=aaa\=\"bbb\, ccc\",' +
+        'L="aaa=\"bbb, ccc\"",' +
+        'OU=,' +
+        'OU="",' +
+        'O=\,\=\+\<\>\#\;,' +
+        'O=",=+<>#;",' +
+        "DC=ruby-lang," +
+        "DC=org")
+    )
+
+    [
+      "DC=org+DC=jp",
+      "DC=org,DC=ruby-lang+DC=rubyist,DC=www"
+    ].each{|dn|
+      ex = scanner.call(dn) rescue $!
+      dn_r = Regexp.escape(dn)
+      assert_match(/^multi-valued RDN is not supported: #{dn_r}/, ex.message)
+    }
+
+    [
+      ["DC=org,DC=exapmle,CN", "CN"],
+      ["DC=org,DC=example,", ""],
+      ["DC=org,DC=exapmle,CN=www.example.org;", "CN=www.example.org;"],
+      ["DC=org,DC=exapmle,CN=#www.example.org", "CN=#www.example.org"],
+      ["DC=org,DC=exapmle,CN=#777777.example.org", "CN=#777777.example.org"],
+      ["DC=org,DC=exapmle,CN=\"www.example\".org", "CN=\"www.example\".org"],
+      ["DC=org,DC=exapmle,CN=www.\"example.org\"", "CN=www.\"example.org\""],
+      ["DC=org,DC=exapmle,CN=www.\"example\".org", "CN=www.\"example\".org"],
+    ].each{|dn, msg|
+      ex = scanner.call(dn) rescue $!
+      assert_match(/^malformed RDN: .*=>#{Regexp.escape(msg)}/, ex.message)
+    }
+
+    dn = "CN=www.ruby-lang.org,DC=ruby-lang,DC=org"
+    name = OpenSSL::X509::Name.parse_rfc2253(dn)
+    assert_equal(dn, name.to_s(OpenSSL::X509::Name::RFC2253))
+    ary = name.to_a
+    assert_equal("DC", ary[0][0])
+    assert_equal("DC", ary[1][0])
+    assert_equal("CN", ary[2][0])
+    assert_equal("org", ary[0][1])
+    assert_equal("ruby-lang", ary[1][1])
+    assert_equal("www.ruby-lang.org", ary[2][1])
+    assert_equal(OpenSSL::ASN1::IA5STRING, ary[0][2])
+    assert_equal(OpenSSL::ASN1::IA5STRING, ary[1][2])
+    assert_equal(OpenSSL::ASN1::UTF8STRING, ary[2][2])
+  end
+
   def test_add_entry
     dn = [
       ["DC", "org"],
@@ -149,21 +244,12 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
     name = OpenSSL::X509::Name.new
     dn.each{|attr| name.add_entry(*attr) }
     ary = name.to_a
-    if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000
-      assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/Email=gotoyuzo@ruby-lang.org/SN=123", name.to_s)
-    else
-      assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s)
-    end
+    assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s)
     assert_equal("DC", ary[0][0])
     assert_equal("DC", ary[1][0])
     assert_equal("CN", ary[2][0])
-    if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000
-      assert_equal("Email", ary[3][0])
-      assert_equal("SN", ary[4][0])
-    else
-      assert_equal("emailAddress", ary[3][0])
-      assert_equal("serialNumber", ary[4][0])
-    end
+    assert_equal("emailAddress", ary[3][0])
+    assert_equal("serialNumber", ary[4][0])
     assert_equal("org", ary[0][1])
     assert_equal("ruby-lang", ary[1][1])
     assert_equal("GOTOU Yuuzou", ary[2][1])
diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb
index 113e81fa52..8151e5fdb6 100644
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -49,6 +49,8 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
                           ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
     ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts,
                           ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+    ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts,
+                          ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
 
     revoke_info = []
     crl1   = issue_crl(revoke_info, 1, now, now+1800, [],
@@ -106,6 +108,36 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
     assert_equal(@ca1.to_der, chain[2].subject.to_der)
     assert_equal(false, store.verify(ee3_cert))
     assert_match(/expire/i, store.error_string)
+    assert_equal(false, store.verify(ee4_cert))
+    assert_match(/not yet valid/i, store.error_string)
+
+    store = OpenSSL::X509::Store.new
+    store.add_cert(ca1_cert)
+    store.add_cert(ca2_cert)
+    store.time = now + 1500
+    assert_equal(true, store.verify(ca1_cert))
+    assert_equal(true, store.verify(ca2_cert))
+    assert_equal(true, store.verify(ee4_cert))
+    store.time = now + 1900
+    assert_equal(true, store.verify(ca1_cert))
+    assert_equal(false, store.verify(ca2_cert))
+    assert_match(/expire/i, store.error_string)
+    assert_equal(false, store.verify(ee4_cert))
+    assert_match(/expire/i, store.error_string)
+    store.time = now + 4000
+    assert_equal(false, store.verify(ee1_cert))
+    assert_match(/expire/i, store.error_string)
+    assert_equal(false, store.verify(ee4_cert))
+    assert_match(/expire/i, store.error_string)
+
+    # the underlying X509 struct caches the result of the last
+    # verification for signature and not-before. so the following code
+    # rebuilds new objects to avoid site effect.
+    store.time = Time.now - 4000
+    assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ca2_cert)))
+    assert_match(/not yet valid/i, store.error_string)
+    assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ee1_cert)))
+    assert_match(/not yet valid/i, store.error_string)
 
     return unless defined?(OpenSSL::X509::V_FLAG_CRL_CHECK)