summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog29
-rw-r--r--ext/openssl/lib/openssl/x509.rb89
-rw-r--r--ext/openssl/ossl_x509name.c33
-rw-r--r--ext/openssl/ossl_x509store.c40
-rw-r--r--test/openssl/ssl_server.rb12
-rw-r--r--test/openssl/test_ssl.rb32
-rw-r--r--test/openssl/test_x509name.rb134
-rw-r--r--test/openssl/test_x509store.rb32
8 files changed, 354 insertions, 47 deletions
diff --git a/ChangeLog b/ChangeLog
index 3192fb1..42ed704 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,32 @@
+Sun Dec 19 17:19:48 2004 GOTOU Yuuzou <gotoyuzo@notwork.org>
+
+ * ext/openssl/ossl_x509store.c
+ (ossl_x509store_set_time): add OpenSSL::X509::Store#time=.
+ (ossl_x509stctx_set_time): add OpenSSL::X509::StoreContext#time=.
+
+ * test/openssl/ossl_x509store.rb: test certificate validity times.
+
+ * ext/openssl/ossl_x509name.c (ossl_x509name_to_s): add optional
+ second argument to specify the output format (see also
+ X509_NAME_print_ex).
+
+ * ext/openssl/ossl_x509name.c (ossl_x509name_init): new constants:
+ OpenSSL::X509::Name::COMPAT, OpenSSL::X509::Name::RFC2253,
+ OpenSSL::X509::ONELINE, OpenSSL::X509::MULTILINE.
+
+ * ext/openssl/lib/openssl/x509.rb (OpenSSL::X509::Name::RFC2253DN):
+ new module to provide the parse for RFC2253 DN format.
+
+ * ext/openssl/lib/openssl/x509.rb (OpenSSL::X509::Name.parse_rfc2253):
+ new method to parse RFC2253 DN format.
+
+ * test/openssl/ossl_x509name.rb: add tests about RFC2253 DN.
+
+ * text/openssl/ssl_server.rb: try to listen ports from 20443 to 20542
+ while EADDRINUSE is raised.
+
+ * all changes in this entry are backport from 1.9.
+
Sun Dec 19 17:24:59 2004 Nobuyoshi Nakada <nobu@ruby-lang.org>
* configure.in (enable_rpath): use rpath flag to embed the library
diff --git a/ext/openssl/lib/openssl/x509.rb b/ext/openssl/lib/openssl/x509.rb
index 6dd4698..e711bda 100644
--- a/ext/openssl/lib/openssl/x509.rb
+++ b/ext/openssl/lib/openssl/x509.rb
@@ -62,9 +62,92 @@ module OpenSSL
end
class Name
- def self.parse(str, template=OBJECT_TYPE_TEMPLATE)
- ary = str.scan(/\s*([^\/,]+)\s*/).collect{|i| i[0].split("=", 2) }
- self.new(ary, template)
+ module RFC2253DN
+ Special = ',=+<>#;'
+ HexChar = /[0-9a-fA-F]/
+ HexPair = /#{HexChar}#{HexChar}/
+ HexString = /#{HexPair}+/
+ Pair = /\\(?:[#{Special}]|\\|"|#{HexPair})/
+ StringChar = /[^#{Special}\\"]/
+ QuoteChar = /[^\\"]/
+ AttributeType = /[a-zA-Z][0-9a-zA-Z]*|[0-9]+(?:\.[0-9]+)*/
+ AttributeValue = /
+ (?!["#])((?:#{StringChar}|#{Pair})*)|
+ \#(#{HexString})|
+ "((?:#{QuoteChar}|#{Pair})*)"
+ /x
+ TypeAndValue = /\A(#{AttributeType})=#{AttributeValue}/
+
+ module_function
+
+ def expand_pair(str)
+ return nil unless str
+ return str.gsub(Pair){|pair|
+ case pair.size
+ when 2 then pair[1,1]
+ when 3 then Integer("0x#{pair[1,2]}").chr
+ else raise OpenSSL::X509::NameError, "invalid pair: #{str}"
+ end
+ }
+ end
+
+ def expand_hexstring(str)
+ return nil unless str
+ der = str.gsub(HexPair){|hex| Integer("0x#{hex}").chr }
+ a1 = OpenSSL::ASN1.decode(der)
+ return a1.value, a1.tag
+ end
+
+ def expand_value(str1, str2, str3)
+ value = expand_pair(str1)
+ value, tag = expand_hexstring(str2) unless value
+ value = expand_pair(str3) unless value
+ return value, tag
+ end
+
+ def scan(dn)
+ str = dn
+ ary = []
+ while true
+ if md = TypeAndValue.match(str)
+ matched = md.to_s
+ remain = md.post_match
+ type = md[1]
+ value, tag = expand_value(md[2], md[3], md[4]) rescue nil
+ if value
+ type_and_value = [type, value]
+ type_and_value.push(tag) if tag
+ ary.unshift(type_and_value)
+ if remain.length > 2 && remain[0] == ?,
+ str = remain[1..-1]
+ next
+ elsif remain.length > 2 && remain[0] == ?+
+ raise OpenSSL::X509::NameError,
+ "multi-valued RDN is not supported: #{dn}"
+ elsif remain.empty?
+ break
+ end
+ end
+ end
+ msg_dn = dn[0, dn.length - str.length] + " =>" + str
+ raise OpenSSL::X509::NameError, "malformed RDN: #{msg_dn}"
+ end
+ return ary
+ end
+ end
+
+ class <<self
+ def parse_rfc2253(str, template=OBJECT_TYPE_TEMPLATE)
+ ary = OpenSSL::X509::Name::RFC2253DN.scan(str)
+ self.new(ary, template)
+ end
+
+ def parse_openssl(str, template=OBJECT_TYPE_TEMPLATE)
+ ary = str.scan(/\s*([^\/,]+)\s*/).collect{|i| i[0].split("=", 2) }
+ self.new(ary, template)
+ end
+
+ alias parse parse_openssl
end
end
end
diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
index fdd94da..be1f1de 100644
--- a/ext/openssl/ossl_x509name.c
+++ b/ext/openssl/ossl_x509name.c
@@ -161,7 +161,7 @@ VALUE ossl_x509name_add_entry(int argc, VALUE *argv, VALUE self)
}
static VALUE
-ossl_x509name_to_s(VALUE self)
+ossl_x509name_to_s_old(VALUE self)
{
X509_NAME *name;
char *buf;
@@ -175,6 +175,30 @@ ossl_x509name_to_s(VALUE self)
return str;
}
+static VALUE
+ossl_x509name_to_s(int argc, VALUE *argv, VALUE self)
+{
+ X509_NAME *name;
+ VALUE flag, str;
+ BIO *out;
+ unsigned long iflag;
+
+ rb_scan_args(argc, argv, "01", &flag);
+ if (NIL_P(flag))
+ return ossl_x509name_to_s_old(self);
+ else iflag = NUM2ULONG(flag);
+ if (!(out = BIO_new(BIO_s_mem())))
+ rb_raise(eX509NameError, NULL);
+ GetX509Name(self, name);
+ if (!X509_NAME_print_ex(out, name, 0, iflag)){
+ BIO_free(out);
+ rb_raise(eX509NameError, NULL);
+ }
+ str = ossl_membio2str(out);
+
+ return str;
+}
+
static VALUE
ossl_x509name_to_a(VALUE self)
{
@@ -290,7 +314,7 @@ Init_ossl_x509name()
rb_define_alloc_func(cX509Name, ossl_x509name_alloc);
rb_define_method(cX509Name, "initialize", ossl_x509name_initialize, -1);
rb_define_method(cX509Name, "add_entry", ossl_x509name_add_entry, -1);
- rb_define_method(cX509Name, "to_s", ossl_x509name_to_s, 0);
+ rb_define_method(cX509Name, "to_s", ossl_x509name_to_s, -1);
rb_define_method(cX509Name, "to_a", ossl_x509name_to_a, 0);
rb_define_method(cX509Name, "cmp", ossl_x509name_cmp, 1);
rb_define_alias(cX509Name, "<=>", "cmp");
@@ -311,4 +335,9 @@ Init_ossl_x509name()
rb_hash_aset(hash, rb_str_new2("domainComponent"), ia5str);
rb_hash_aset(hash, rb_str_new2("emailAddress"), ia5str);
rb_define_const(cX509Name, "OBJECT_TYPE_TEMPLATE", hash);
+
+ rb_define_const(cX509Name, "COMPAT", ULONG2NUM(XN_FLAG_COMPAT));
+ rb_define_const(cX509Name, "RFC2253", ULONG2NUM(XN_FLAG_RFC2253));
+ rb_define_const(cX509Name, "ONELINE", ULONG2NUM(XN_FLAG_ONELINE));
+ rb_define_const(cX509Name, "MULTILINE", ULONG2NUM(XN_FLAG_MULTILINE));
}
diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index 45d4aee..cf1a2cd 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@@ -190,6 +190,13 @@ ossl_x509store_set_trust(VALUE self, VALUE trust)
}
static VALUE
+ossl_x509store_set_time(VALUE self, VALUE time)
+{
+ rb_iv_set(self, "@time", time);
+ return time;
+}
+
+static VALUE
ossl_x509store_add_file(VALUE self, VALUE file)
{
X509_STORE *store;
@@ -332,6 +339,11 @@ ossl_x509stctx_alloc(VALUE klass)
return obj;
}
+static VALUE ossl_x509stctx_set_flags(VALUE, VALUE);
+static VALUE ossl_x509stctx_set_purpose(VALUE, VALUE);
+static VALUE ossl_x509stctx_set_trust(VALUE, VALUE);
+static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
+
static VALUE
ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
{
@@ -353,10 +365,11 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
}
#else
X509_STORE_CTX_init(ctx, x509st, x509, x509s);
- X509_STORE_CTX_set_flags(ctx, NUM2INT(rb_iv_get(store, "@flags")));
- X509_STORE_CTX_set_purpose(ctx, NUM2INT(rb_iv_get(store, "@purpose")));
- X509_STORE_CTX_set_trust(ctx, NUM2INT(rb_iv_get(store, "@trust")));
+ ossl_x509stctx_set_flags(self, rb_iv_get(store, "@flags"));
+ ossl_x509stctx_set_purpose(self, rb_iv_get(store, "@purpose"));
+ ossl_x509stctx_set_trust(self, rb_iv_get(store, "@trust"));
#endif
+ ossl_x509stctx_set_time(self, rb_iv_get(store, "@time"));
rb_iv_set(self, "@verify_callback", rb_iv_get(store, "@verify_callback"));
rb_iv_set(self, "@cert", cert);
@@ -518,6 +531,25 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust)
return trust;
}
+static VALUE
+ossl_x509stctx_set_time(VALUE self, VALUE time)
+{
+ X509_STORE_CTX *store;
+
+ if(NIL_P(time)) {
+ GetX509StCtx(self, store);
+ store->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
+ }
+ else {
+ long t = NUM2LONG(rb_Integer(time));
+
+ GetX509StCtx(self, store);
+ X509_STORE_CTX_set_time(store, 0, t);
+ }
+
+ return time;
+}
+
/*
* INIT
*/
@@ -539,6 +571,7 @@ Init_ossl_x509store()
rb_define_method(cX509Store, "flags=", ossl_x509store_set_flags, 1);
rb_define_method(cX509Store, "purpose=", ossl_x509store_set_purpose, 1);
rb_define_method(cX509Store, "trust=", ossl_x509store_set_trust, 1);
+ rb_define_method(cX509Store, "time=", ossl_x509store_set_time, 1);
rb_define_method(cX509Store, "add_path", ossl_x509store_add_path, 1);
rb_define_method(cX509Store, "add_file", ossl_x509store_add_file, 1);
rb_define_method(cX509Store, "add_cert", ossl_x509store_add_cert, 1);
@@ -561,5 +594,6 @@ Init_ossl_x509store()
rb_define_method(x509stctx,"flags=", ossl_x509stctx_set_flags, 1);
rb_define_method(x509stctx,"purpose=", ossl_x509stctx_set_purpose, 1);
rb_define_method(x509stctx,"trust=", ossl_x509stctx_set_trust, 1);
+ rb_define_method(x509stctx,"time=", ossl_x509stctx_set_time, 1);
}
diff --git a/test/openssl/ssl_server.rb b/test/openssl/ssl_server.rb
index 699a181..5e13033 100644
--- a/test/openssl/ssl_server.rb
+++ b/test/openssl/ssl_server.rb
@@ -46,12 +46,22 @@ ctx.key = ssl_key
ctx.verify_mode = verify_mode
Socket.do_not_reverse_lookup = true
-tcps = TCPServer.new("0.0.0.0", port)
+tcps = nil
+100.times{|i|
+ begin
+ tcps = TCPServer.new("0.0.0.0", port+i)
+ port = port + i
+ break
+ rescue Errno::EADDRINUSE
+ next
+ end
+}
ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
ssls.start_immediately = start_immediately
$stdout.sync = true
$stdout.puts Process.pid
+$stdout.puts port
loop do
ssl = ssls.accept
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 5ca9817..6995636 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -54,23 +54,27 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
OpenSSL::TestUtils.issue_crl(*arg)
end
- def start_server(port, verify_mode, start_immediately, &block)
+ def start_server(port0, verify_mode, start_immediately, &block)
server = nil
begin
cmd = [RUBY]
cmd << "-d" if $DEBUG
- cmd << SSL_SERVER << port.to_s << verify_mode.to_s
+ cmd << SSL_SERVER << port0.to_s << verify_mode.to_s
cmd << (start_immediately ? "yes" : "no")
server = IO.popen(cmd.join(" "), "w+")
server.write(@ca_cert.to_pem)
server.write(@svr_cert.to_pem)
server.write(@svr_key.to_pem)
pid = Integer(server.gets)
- $stderr.printf("%s started: pid=%d\n", SSL_SERVER, pid) if $DEBUG
- block.call(server)
+ if port = server.gets
+ if $DEBUG
+ $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, pid, port)
+ end
+ block.call(server, port.to_i)
+ end
ensure
if server
- Process.kill(:KILL, pid) if pid > 0
+ Process.kill(:KILL, pid)
server.close
end
end
@@ -86,15 +90,15 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
end
def test_connect_and_close
- start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){
- sock = TCPSocket.new("127.0.0.1", PORT)
+ start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p|
+ sock = TCPSocket.new("127.0.0.1", p)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
assert(ssl.connect)
ssl.close
assert(!sock.closed?)
sock.close
- sock = TCPSocket.new("127.0.0.1", PORT)
+ sock = TCPSocket.new("127.0.0.1", p)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true # !!
assert(ssl.connect)
@@ -104,8 +108,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
end
def test_read_and_write
- start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){
- sock = TCPSocket.new("127.0.0.1", PORT)
+ start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p|
+ sock = TCPSocket.new("127.0.0.1", p)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true
ssl.connect
@@ -148,8 +152,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
end
def test_starttls
- start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s|
- sock = TCPSocket.new("127.0.0.1", PORT)
+ start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s, p|
+ sock = TCPSocket.new("127.0.0.1", p)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true
str = "x" * 1000 + "\n"
@@ -171,10 +175,10 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
end
def test_parallel
- start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){
+ start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p|
ssls = []
10.times{
- sock = TCPSocket.new("127.0.0.1", PORT)
+ sock = TCPSocket.new("127.0.0.1", p)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.connect
ssl.sync_close = true
diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb
index 14004a4..fb5a1ae 100644
--- a/test/openssl/test_x509name.rb
+++ b/test/openssl/test_x509name.rb
@@ -7,6 +7,11 @@ require "test/unit"
if defined?(OpenSSL)
class OpenSSL::TestX509Name < Test::Unit::TestCase
+ OpenSSL::ASN1::ObjectId.register(
+ "1.2.840.113549.1.9.1", "emailAddress", "emailAddress")
+ OpenSSL::ASN1::ObjectId.register(
+ "2.5.4.5", "serialNumber", "serialNumber")
+
def setup
@obj_type_tmpl = Hash.new(OpenSSL::ASN1::PRINTABLESTRING)
@obj_type_tmpl.update(OpenSSL::X509::Name::OBJECT_TYPE_TEMPLATE)
@@ -76,21 +81,12 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
]
name = OpenSSL::X509::Name.new(dn)
ary = name.to_a
- if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000
- assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/Email=gotoyuzo@ruby-lang.org/SN=123", name.to_s)
- else
- assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s)
- end
+ assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s)
assert_equal("DC", ary[0][0])
assert_equal("DC", ary[1][0])
assert_equal("CN", ary[2][0])
- if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000
- assert_equal("Email", ary[3][0])
- assert_equal("SN", ary[4][0])
- else
- assert_equal("emailAddress", ary[3][0])
- assert_equal("serialNumber", ary[4][0])
- end
+ assert_equal("emailAddress", ary[3][0])
+ assert_equal("serialNumber", ary[4][0])
assert_equal("org", ary[0][1])
assert_equal("ruby-lang", ary[1][1])
assert_equal("GOTOU Yuuzou", ary[2][1])
@@ -138,6 +134,105 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[2][2])
end
+ def test_s_parse_rfc2253
+ scanner = OpenSSL::X509::Name::RFC2253DN.method(:scan)
+
+ assert_equal([["C", "JP"]], scanner.call("C=JP"))
+ assert_equal([
+ ["DC", "org"],
+ ["DC", "ruby-lang"],
+ ["CN", "GOTOU Yuuzou"],
+ ["emailAddress", "gotoyuzo@ruby-lang.org"],
+ ],
+ scanner.call(
+ "emailAddress=gotoyuzo@ruby-lang.org,CN=GOTOU Yuuzou,"+
+ "DC=ruby-lang,DC=org")
+ )
+
+ u8 = OpenSSL::ASN1::UTF8STRING
+ assert_equal([
+ ["DC", "org"],
+ ["DC", "ruby-lang"],
+ ["O", ",=+<>#;"],
+ ["O", ",=+<>#;"],
+ ["OU", ""],
+ ["OU", ""],
+ ["L", "aaa=\"bbb, ccc\""],
+ ["L", "aaa=\"bbb, ccc\""],
+ ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"],
+ ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"],
+ ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"],
+ ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265", u8],
+ ["2.5.4.3", "GOTOU, Yuuzou"],
+ ["2.5.4.3", "GOTOU, Yuuzou"],
+ ["2.5.4.3", "GOTOU, Yuuzou"],
+ ["2.5.4.3", "GOTOU, Yuuzou"],
+ ["CN", "GOTOU \"gotoyuzo\" Yuuzou"],
+ ["CN", "GOTOU \"gotoyuzo\" Yuuzou"],
+ ["1.2.840.113549.1.9.1", "gotoyuzo@ruby-lang.org"],
+ ["emailAddress", "gotoyuzo@ruby-lang.org"],
+ ],
+ scanner.call(
+ "emailAddress=gotoyuzo@ruby-lang.org," +
+ "1.2.840.113549.1.9.1=gotoyuzo@ruby-lang.org," +
+ 'CN=GOTOU \"gotoyuzo\" Yuuzou,' +
+ 'CN="GOTOU \"gotoyuzo\" Yuuzou",' +
+ '2.5.4.3=GOTOU\,\20Yuuzou,' +
+ '2.5.4.3=GOTOU\, Yuuzou,' +
+ '2.5.4.3="GOTOU, Yuuzou",' +
+ '2.5.4.3="GOTOU\, Yuuzou",' +
+ "CN=#0C0CE5BE8CE897A4E8A395E894B5," +
+ 'CN=\E5\BE\8C\E8\97\A4\E8\A3\95\E8\94\B5,' +
+ "CN=\"\xE5\xBE\x8C\xE8\x97\xA4\xE8\xA3\x95\xE8\x94\xB5\"," +
+ "CN=\xE5\xBE\x8C\xE8\x97\xA4\xE8\xA3\x95\xE8\x94\xB5," +
+ 'L=aaa\=\"bbb\, ccc\",' +
+ 'L="aaa=\"bbb, ccc\"",' +
+ 'OU=,' +
+ 'OU="",' +
+ 'O=\,\=\+\<\>\#\;,' +
+ 'O=",=+<>#;",' +
+ "DC=ruby-lang," +
+ "DC=org")
+ )
+
+ [
+ "DC=org+DC=jp",
+ "DC=org,DC=ruby-lang+DC=rubyist,DC=www"
+ ].each{|dn|
+ ex = scanner.call(dn) rescue $!
+ dn_r = Regexp.escape(dn)
+ assert_match(/^multi-valued RDN is not supported: #{dn_r}/, ex.message)
+ }
+
+ [
+ ["DC=org,DC=exapmle,CN", "CN"],
+ ["DC=org,DC=example,", ""],
+ ["DC=org,DC=exapmle,CN=www.example.org;", "CN=www.example.org;"],
+ ["DC=org,DC=exapmle,CN=#www.example.org", "CN=#www.example.org"],
+ ["DC=org,DC=exapmle,CN=#777777.example.org", "CN=#777777.example.org"],
+ ["DC=org,DC=exapmle,CN=\"www.example\".org", "CN=\"www.example\".org"],
+ ["DC=org,DC=exapmle,CN=www.\"example.org\"", "CN=www.\"example.org\""],
+ ["DC=org,DC=exapmle,CN=www.\"example\".org", "CN=www.\"example\".org"],
+ ].each{|dn, msg|
+ ex = scanner.call(dn) rescue $!
+ assert_match(/^malformed RDN: .*=>#{Regexp.escape(msg)}/, ex.message)
+ }
+
+ dn = "CN=www.ruby-lang.org,DC=ruby-lang,DC=org"
+ name = OpenSSL::X509::Name.parse_rfc2253(dn)
+ assert_equal(dn, name.to_s(OpenSSL::X509::Name::RFC2253))
+ ary = name.to_a
+ assert_equal("DC", ary[0][0])
+ assert_equal("DC", ary[1][0])
+ assert_equal("CN", ary[2][0])
+ assert_equal("org", ary[0][1])
+ assert_equal("ruby-lang", ary[1][1])
+ assert_equal("www.ruby-lang.org", ary[2][1])
+ assert_equal(OpenSSL::ASN1::IA5STRING, ary[0][2])
+ assert_equal(OpenSSL::ASN1::IA5STRING, ary[1][2])
+ assert_equal(OpenSSL::ASN1::UTF8STRING, ary[2][2])
+ end
+
def test_add_entry
dn = [
["DC", "org"],
@@ -149,21 +244,12 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
name = OpenSSL::X509::Name.new
dn.each{|attr| name.add_entry(*attr) }
ary = name.to_a
- if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000
- assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/Email=gotoyuzo@ruby-lang.org/SN=123", name.to_s)
- else
- assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s)
- end
+ assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s)
assert_equal("DC", ary[0][0])
assert_equal("DC", ary[1][0])
assert_equal("CN", ary[2][0])
- if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000
- assert_equal("Email", ary[3][0])
- assert_equal("SN", ary[4][0])
- else
- assert_equal("emailAddress", ary[3][0])
- assert_equal("serialNumber", ary[4][0])
- end
+ assert_equal("emailAddress", ary[3][0])
+ assert_equal("serialNumber", ary[4][0])
assert_equal("org", ary[0][1])
assert_equal("ruby-lang", ary[1][1])
assert_equal("GOTOU Yuuzou", ary[2][1])
diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb
index 113e81f..8151e5f 100644
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -49,6 +49,8 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts,
ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+ ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts,
+ ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
revoke_info = []
crl1 = issue_crl(revoke_info, 1, now, now+1800, [],
@@ -106,6 +108,36 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
assert_equal(@ca1.to_der, chain[2].subject.to_der)
assert_equal(false, store.verify(ee3_cert))
assert_match(/expire/i, store.error_string)
+ assert_equal(false, store.verify(ee4_cert))
+ assert_match(/not yet valid/i, store.error_string)
+
+ store = OpenSSL::X509::Store.new
+ store.add_cert(ca1_cert)
+ store.add_cert(ca2_cert)
+ store.time = now + 1500
+ assert_equal(true, store.verify(ca1_cert))
+ assert_equal(true, store.verify(ca2_cert))
+ assert_equal(true, store.verify(ee4_cert))
+ store.time = now + 1900
+ assert_equal(true, store.verify(ca1_cert))
+ assert_equal(false, store.verify(ca2_cert))
+ assert_match(/expire/i, store.error_string)
+ assert_equal(false, store.verify(ee4_cert))
+ assert_match(/expire/i, store.error_string)
+ store.time = now + 4000
+ assert_equal(false, store.verify(ee1_cert))
+ assert_match(/expire/i, store.error_string)
+ assert_equal(false, store.verify(ee4_cert))
+ assert_match(/expire/i, store.error_string)
+
+ # the underlying X509 struct caches the result of the last
+ # verification for signature and not-before. so the following code
+ # rebuilds new objects to avoid site effect.
+ store.time = Time.now - 4000
+ assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ca2_cert)))
+ assert_match(/not yet valid/i, store.error_string)
+ assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ee1_cert)))
+ assert_match(/not yet valid/i, store.error_string)
return unless defined?(OpenSSL::X509::V_FLAG_CRL_CHECK)