From 049c3927ff0692282187507e3d4914bb8112ff0a Mon Sep 17 00:00:00 2001 From: gotoyuzo Date: Sun, 19 Dec 2004 08:28:33 +0000 Subject: * ext/openssl/ossl_x509store.c (ossl_x509store_set_time): add OpenSSL::X509::Store#time=. (ossl_x509stctx_set_time): add OpenSSL::X509::StoreContext#time=. * test/openssl/ossl_x509store.rb: test certificate validity times. * ext/openssl/ossl_x509name.c (ossl_x509name_to_s): add optional second argument to specify the output format (see also X509_NAME_print_ex). * ext/openssl/ossl_x509name.c (ossl_x509name_init): new constants: OpenSSL::X509::Name::COMPAT, OpenSSL::X509::Name::RFC2253, OpenSSL::X509::ONELINE, OpenSSL::X509::MULTILINE. * ext/openssl/lib/openssl/x509.rb (OpenSSL::X509::Name::RFC2253DN): new module to provide the parse for RFC2253 DN format. * ext/openssl/lib/openssl/x509.rb (OpenSSL::X509::Name.parse_rfc2253): new method to parse RFC2253 DN format. * test/openssl/ossl_x509name.rb: add tests about RFC2253 DN. * text/openssl/ssl_server.rb: try to listen ports from 20443 to 20542 while EADDRINUSE is raised. * all changes in this entry are backport from 1.9. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@7599 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- test/openssl/ssl_server.rb | 12 +++- test/openssl/test_ssl.rb | 32 +++++----- test/openssl/test_x509name.rb | 134 +++++++++++++++++++++++++++++++++-------- test/openssl/test_x509store.rb | 32 ++++++++++ 4 files changed, 171 insertions(+), 39 deletions(-) (limited to 'test/openssl') diff --git a/test/openssl/ssl_server.rb b/test/openssl/ssl_server.rb index 699a181256..5e1303379f 100644 --- a/test/openssl/ssl_server.rb +++ b/test/openssl/ssl_server.rb @@ -46,12 +46,22 @@ ctx.key = ssl_key ctx.verify_mode = verify_mode Socket.do_not_reverse_lookup = true -tcps = TCPServer.new("0.0.0.0", port) +tcps = nil +100.times{|i| + begin + tcps = TCPServer.new("0.0.0.0", port+i) + port = port + i + break + rescue Errno::EADDRINUSE + next + end +} ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx) ssls.start_immediately = start_immediately $stdout.sync = true $stdout.puts Process.pid +$stdout.puts port loop do ssl = ssls.accept diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 5ca981798c..699563691e 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -54,23 +54,27 @@ class OpenSSL::TestSSL < Test::Unit::TestCase OpenSSL::TestUtils.issue_crl(*arg) end - def start_server(port, verify_mode, start_immediately, &block) + def start_server(port0, verify_mode, start_immediately, &block) server = nil begin cmd = [RUBY] cmd << "-d" if $DEBUG - cmd << SSL_SERVER << port.to_s << verify_mode.to_s + cmd << SSL_SERVER << port0.to_s << verify_mode.to_s cmd << (start_immediately ? "yes" : "no") server = IO.popen(cmd.join(" "), "w+") server.write(@ca_cert.to_pem) server.write(@svr_cert.to_pem) server.write(@svr_key.to_pem) pid = Integer(server.gets) - $stderr.printf("%s started: pid=%d\n", SSL_SERVER, pid) if $DEBUG - block.call(server) + if port = server.gets + if $DEBUG + $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, pid, port) + end + block.call(server, port.to_i) + end ensure if server - Process.kill(:KILL, pid) if pid > 0 + Process.kill(:KILL, pid) server.close end end @@ -86,15 +90,15 @@ class OpenSSL::TestSSL < Test::Unit::TestCase end def test_connect_and_close - start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){ - sock = TCPSocket.new("127.0.0.1", PORT) + start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p| + sock = TCPSocket.new("127.0.0.1", p) ssl = OpenSSL::SSL::SSLSocket.new(sock) assert(ssl.connect) ssl.close assert(!sock.closed?) sock.close - sock = TCPSocket.new("127.0.0.1", PORT) + sock = TCPSocket.new("127.0.0.1", p) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.sync_close = true # !! assert(ssl.connect) @@ -104,8 +108,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase end def test_read_and_write - start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){ - sock = TCPSocket.new("127.0.0.1", PORT) + start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p| + sock = TCPSocket.new("127.0.0.1", p) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.sync_close = true ssl.connect @@ -148,8 +152,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase end def test_starttls - start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s| - sock = TCPSocket.new("127.0.0.1", PORT) + start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s, p| + sock = TCPSocket.new("127.0.0.1", p) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.sync_close = true str = "x" * 1000 + "\n" @@ -171,10 +175,10 @@ class OpenSSL::TestSSL < Test::Unit::TestCase end def test_parallel - start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){ + start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p| ssls = [] 10.times{ - sock = TCPSocket.new("127.0.0.1", PORT) + sock = TCPSocket.new("127.0.0.1", p) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.connect ssl.sync_close = true diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb index 14004a4e20..fb5a1ae4ff 100644 --- a/test/openssl/test_x509name.rb +++ b/test/openssl/test_x509name.rb @@ -7,6 +7,11 @@ require "test/unit" if defined?(OpenSSL) class OpenSSL::TestX509Name < Test::Unit::TestCase + OpenSSL::ASN1::ObjectId.register( + "1.2.840.113549.1.9.1", "emailAddress", "emailAddress") + OpenSSL::ASN1::ObjectId.register( + "2.5.4.5", "serialNumber", "serialNumber") + def setup @obj_type_tmpl = Hash.new(OpenSSL::ASN1::PRINTABLESTRING) @obj_type_tmpl.update(OpenSSL::X509::Name::OBJECT_TYPE_TEMPLATE) @@ -76,21 +81,12 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase ] name = OpenSSL::X509::Name.new(dn) ary = name.to_a - if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000 - assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/Email=gotoyuzo@ruby-lang.org/SN=123", name.to_s) - else - assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s) - end + assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s) assert_equal("DC", ary[0][0]) assert_equal("DC", ary[1][0]) assert_equal("CN", ary[2][0]) - if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000 - assert_equal("Email", ary[3][0]) - assert_equal("SN", ary[4][0]) - else - assert_equal("emailAddress", ary[3][0]) - assert_equal("serialNumber", ary[4][0]) - end + assert_equal("emailAddress", ary[3][0]) + assert_equal("serialNumber", ary[4][0]) assert_equal("org", ary[0][1]) assert_equal("ruby-lang", ary[1][1]) assert_equal("GOTOU Yuuzou", ary[2][1]) @@ -138,6 +134,105 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[2][2]) end + def test_s_parse_rfc2253 + scanner = OpenSSL::X509::Name::RFC2253DN.method(:scan) + + assert_equal([["C", "JP"]], scanner.call("C=JP")) + assert_equal([ + ["DC", "org"], + ["DC", "ruby-lang"], + ["CN", "GOTOU Yuuzou"], + ["emailAddress", "gotoyuzo@ruby-lang.org"], + ], + scanner.call( + "emailAddress=gotoyuzo@ruby-lang.org,CN=GOTOU Yuuzou,"+ + "DC=ruby-lang,DC=org") + ) + + u8 = OpenSSL::ASN1::UTF8STRING + assert_equal([ + ["DC", "org"], + ["DC", "ruby-lang"], + ["O", ",=+<>#;"], + ["O", ",=+<>#;"], + ["OU", ""], + ["OU", ""], + ["L", "aaa=\"bbb, ccc\""], + ["L", "aaa=\"bbb, ccc\""], + ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"], + ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"], + ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"], + ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265", u8], + ["2.5.4.3", "GOTOU, Yuuzou"], + ["2.5.4.3", "GOTOU, Yuuzou"], + ["2.5.4.3", "GOTOU, Yuuzou"], + ["2.5.4.3", "GOTOU, Yuuzou"], + ["CN", "GOTOU \"gotoyuzo\" Yuuzou"], + ["CN", "GOTOU \"gotoyuzo\" Yuuzou"], + ["1.2.840.113549.1.9.1", "gotoyuzo@ruby-lang.org"], + ["emailAddress", "gotoyuzo@ruby-lang.org"], + ], + scanner.call( + "emailAddress=gotoyuzo@ruby-lang.org," + + "1.2.840.113549.1.9.1=gotoyuzo@ruby-lang.org," + + 'CN=GOTOU \"gotoyuzo\" Yuuzou,' + + 'CN="GOTOU \"gotoyuzo\" Yuuzou",' + + '2.5.4.3=GOTOU\,\20Yuuzou,' + + '2.5.4.3=GOTOU\, Yuuzou,' + + '2.5.4.3="GOTOU, Yuuzou",' + + '2.5.4.3="GOTOU\, Yuuzou",' + + "CN=#0C0CE5BE8CE897A4E8A395E894B5," + + 'CN=\E5\BE\8C\E8\97\A4\E8\A3\95\E8\94\B5,' + + "CN=\"\xE5\xBE\x8C\xE8\x97\xA4\xE8\xA3\x95\xE8\x94\xB5\"," + + "CN=\xE5\xBE\x8C\xE8\x97\xA4\xE8\xA3\x95\xE8\x94\xB5," + + 'L=aaa\=\"bbb\, ccc\",' + + 'L="aaa=\"bbb, ccc\"",' + + 'OU=,' + + 'OU="",' + + 'O=\,\=\+\<\>\#\;,' + + 'O=",=+<>#;",' + + "DC=ruby-lang," + + "DC=org") + ) + + [ + "DC=org+DC=jp", + "DC=org,DC=ruby-lang+DC=rubyist,DC=www" + ].each{|dn| + ex = scanner.call(dn) rescue $! + dn_r = Regexp.escape(dn) + assert_match(/^multi-valued RDN is not supported: #{dn_r}/, ex.message) + } + + [ + ["DC=org,DC=exapmle,CN", "CN"], + ["DC=org,DC=example,", ""], + ["DC=org,DC=exapmle,CN=www.example.org;", "CN=www.example.org;"], + ["DC=org,DC=exapmle,CN=#www.example.org", "CN=#www.example.org"], + ["DC=org,DC=exapmle,CN=#777777.example.org", "CN=#777777.example.org"], + ["DC=org,DC=exapmle,CN=\"www.example\".org", "CN=\"www.example\".org"], + ["DC=org,DC=exapmle,CN=www.\"example.org\"", "CN=www.\"example.org\""], + ["DC=org,DC=exapmle,CN=www.\"example\".org", "CN=www.\"example\".org"], + ].each{|dn, msg| + ex = scanner.call(dn) rescue $! + assert_match(/^malformed RDN: .*=>#{Regexp.escape(msg)}/, ex.message) + } + + dn = "CN=www.ruby-lang.org,DC=ruby-lang,DC=org" + name = OpenSSL::X509::Name.parse_rfc2253(dn) + assert_equal(dn, name.to_s(OpenSSL::X509::Name::RFC2253)) + ary = name.to_a + assert_equal("DC", ary[0][0]) + assert_equal("DC", ary[1][0]) + assert_equal("CN", ary[2][0]) + assert_equal("org", ary[0][1]) + assert_equal("ruby-lang", ary[1][1]) + assert_equal("www.ruby-lang.org", ary[2][1]) + assert_equal(OpenSSL::ASN1::IA5STRING, ary[0][2]) + assert_equal(OpenSSL::ASN1::IA5STRING, ary[1][2]) + assert_equal(OpenSSL::ASN1::UTF8STRING, ary[2][2]) + end + def test_add_entry dn = [ ["DC", "org"], @@ -149,21 +244,12 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase name = OpenSSL::X509::Name.new dn.each{|attr| name.add_entry(*attr) } ary = name.to_a - if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000 - assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/Email=gotoyuzo@ruby-lang.org/SN=123", name.to_s) - else - assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s) - end + assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s) assert_equal("DC", ary[0][0]) assert_equal("DC", ary[1][0]) assert_equal("CN", ary[2][0]) - if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000 - assert_equal("Email", ary[3][0]) - assert_equal("SN", ary[4][0]) - else - assert_equal("emailAddress", ary[3][0]) - assert_equal("serialNumber", ary[4][0]) - end + assert_equal("emailAddress", ary[3][0]) + assert_equal("serialNumber", ary[4][0]) assert_equal("org", ary[0][1]) assert_equal("ruby-lang", ary[1][1]) assert_equal("GOTOU Yuuzou", ary[2][1]) diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb index 113e81fa52..8151e5fdb6 100644 --- a/test/openssl/test_x509store.rb +++ b/test/openssl/test_x509store.rb @@ -49,6 +49,8 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts, ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) + ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts, + ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) revoke_info = [] crl1 = issue_crl(revoke_info, 1, now, now+1800, [], @@ -106,6 +108,36 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase assert_equal(@ca1.to_der, chain[2].subject.to_der) assert_equal(false, store.verify(ee3_cert)) assert_match(/expire/i, store.error_string) + assert_equal(false, store.verify(ee4_cert)) + assert_match(/not yet valid/i, store.error_string) + + store = OpenSSL::X509::Store.new + store.add_cert(ca1_cert) + store.add_cert(ca2_cert) + store.time = now + 1500 + assert_equal(true, store.verify(ca1_cert)) + assert_equal(true, store.verify(ca2_cert)) + assert_equal(true, store.verify(ee4_cert)) + store.time = now + 1900 + assert_equal(true, store.verify(ca1_cert)) + assert_equal(false, store.verify(ca2_cert)) + assert_match(/expire/i, store.error_string) + assert_equal(false, store.verify(ee4_cert)) + assert_match(/expire/i, store.error_string) + store.time = now + 4000 + assert_equal(false, store.verify(ee1_cert)) + assert_match(/expire/i, store.error_string) + assert_equal(false, store.verify(ee4_cert)) + assert_match(/expire/i, store.error_string) + + # the underlying X509 struct caches the result of the last + # verification for signature and not-before. so the following code + # rebuilds new objects to avoid site effect. + store.time = Time.now - 4000 + assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ca2_cert))) + assert_match(/not yet valid/i, store.error_string) + assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ee1_cert))) + assert_match(/not yet valid/i, store.error_string) return unless defined?(OpenSSL::X509::V_FLAG_CRL_CHECK) -- cgit v1.2.3