diff options
| author | rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-06-15 10:52:37 +0000 |
|---|---|---|
| committer | rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-06-15 10:52:37 +0000 |
| commit | 2851f19f49783149a2ba43f7c1be743601c7cf2d (patch) | |
| tree | 3c5fc6754f9b30c40b8bf4ff3613e8d7e1b60d6b /test/openssl | |
| parent | ce19b495d19bbaf415b05b10377788cb4b87d937 (diff) | |
openssl: allow specifying hash algorithm in OCSP::*#sign
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_sign, ossl_ocspbres_sign): Allow
specifying hash algorithm used in signing. They are hard coded to use
SHA-1.
Based on a patch provided by Tim Shirley <tidoublemy@gmail.com>.
[ruby-core:70915] [Feature #11552] [GH ruby/openssl#28]
* test/openssl/test_ocsp.rb: Test sign-verify works.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55422 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/openssl')
| -rw-r--r-- | test/openssl/test_ocsp.rb | 42 |
1 files changed, 37 insertions, 5 deletions
diff --git a/test/openssl/test_ocsp.rb b/test/openssl/test_ocsp.rb index efdb7e1014..ad8e10a0ea 100644 --- a/test/openssl/test_ocsp.rb +++ b/test/openssl/test_ocsp.rb @@ -86,14 +86,34 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase assert_equal asn1.to_der, OpenSSL::OCSP::Request.new(asn1.to_der).to_der end - def test_new_ocsp_request + def test_request_sign_verify request = OpenSSL::OCSP::Request.new cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) request.add_certid(cid) - request.sign(@cert, @key, [@cert]) - assert_kind_of OpenSSL::OCSP::Request, request - # in current implementation not same instance of certificate id, but should contain same data - assert_equal cid.serial, request.certid.first.serial + request.sign(@cert, @key, nil, 0, "SHA1") + assert_equal cid.to_der, request.certid.first.to_der + store1 = OpenSSL::X509::Store.new; store1.add_cert(@ca_cert) + assert_equal true, request.verify([@cert], store1) + assert_equal true, request.verify([], store1) + store2 = OpenSSL::X509::Store.new; store1.add_cert(@cert2) + assert_equal false, request.verify([], store2) + assert_equal true, request.verify([], store2, OpenSSL::OCSP::NOVERIFY) + end + + def test_request_nonce + req0 = OpenSSL::OCSP::Request.new + req1 = OpenSSL::OCSP::Request.new + req1.add_nonce("NONCE") + req2 = OpenSSL::OCSP::Request.new + req2.add_nonce("NONCF") + bres = OpenSSL::OCSP::BasicResponse.new + assert_equal 2, req0.check_nonce(bres) + bres.copy_nonce(req1) + assert_equal 1, req1.check_nonce(bres) + bres.add_nonce("NONCE") + assert_equal 1, req1.check_nonce(bres) + assert_equal 0, req2.check_nonce(bres) + assert_equal 3, req0.check_nonce(bres) end def test_basic_response_der @@ -109,6 +129,18 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase assert_equal der, OpenSSL::OCSP::BasicResponse.new(der).to_der end + def test_basic_response_sign_verify + cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA256.new) + bres = OpenSSL::OCSP::BasicResponse.new + bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, 500, []) + bres.sign(@cert2, @key2, [], 0, "SHA256") # how can I check the algorithm? + store1 = OpenSSL::X509::Store.new; store1.add_cert(@ca_cert) + assert_equal true, bres.verify([], store1) + store2 = OpenSSL::X509::Store.new; store2.add_cert(@cert) + assert_equal false, bres.verify([], store2) + assert_equal true, bres.verify([], store2, OpenSSL::OCSP::NOVERIFY) + end + def test_response_der bres = OpenSSL::OCSP::BasicResponse.new cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) |