From 9694bb8cac12969300692dac5a1cf7aa4e3a46cd Mon Sep 17 00:00:00 2001
From: drbrain
Date: Thu, 29 Nov 2012 06:52:18 +0000
Subject: * lib/rubygems*: Updated to RubyGems 2.0 * test/rubygems*: ditto. * common.mk (prelude): Updated for RubyGems 2.0 source rearrangement. * tool/change_maker.rb: Allow invalid UTF-8 characters in source files.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@37976 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
test/rubygems/test_gem_security.rb | 232 ++++++++++++++++++++++++++++++-------
1 file changed, 189 insertions(+), 43 deletions(-)
(limited to 'test/rubygems/test_gem_security.rb')
diff --git a/test/rubygems/test_gem_security.rb b/test/rubygems/test_gem_security.rb
index 625da8ae6d..7e75548c0f 100644
--- a/test/rubygems/test_gem_security.rb
+++ b/test/rubygems/test_gem_security.rb
@@ -4,33 +4,35 @@ require 'rubygems/fix_openssl_warnings' if RUBY_VERSION < "1.9" class TestGemSecurity < Gem::TestCase + CHILD_KEY = load_key 'child' + + ALTERNATE_CERT = load_cert 'child' + CHILD_CERT = load_cert 'child' + EXPIRED_CERT = load_cert 'expired' + def setup super - Gem::Security::OPT[:trust_dir] = File.join(Gem.user_home, '.gem', 'trust') - end - def teardown - super - Gem::Security::OPT[:trust_dir] = File.join(Gem.user_home, '.gem', 'trust') + @SEC = Gem::Security end - def test_class_build_cert - name = OpenSSL::X509::Name.parse "CN=nobody/DC=example" - key = OpenSSL::PKey::RSA.new 512 - opt = { :cert_age => 60 } + def test_class_create_cert + name = PUBLIC_CERT.subject + key = PRIVATE_KEY - cert = Gem::Security.build_cert name, key, opt + cert = @SEC.create_cert name, key, 60, Gem::Security::EXTENSIONS, 5 assert_kind_of OpenSSL::X509::Certificate, cert assert_equal 2, cert.version - assert_equal 0, cert.serial + assert_equal 5, cert.serial assert_equal key.public_key.to_pem, cert.public_key.to_pem assert_in_delta Time.now, cert.not_before, 10 assert_in_delta Time.now + 60, cert.not_after, 10 assert_equal name.to_s, cert.subject.to_s - assert_equal 3, cert.extensions.length + assert_equal 3, cert.extensions.length, + cert.extensions.map { |e| e.to_a.first } constraints = cert.extensions.find { |ext| ext.oid == 'basicConstraints' } assert_equal 'CA:FALSE', constraints.value 
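Review bot: ALTERNATE_CERT and CHILD_CERT are both `load_cert 'child'`, so the two constants name the same certificate; test_class_re_sign_not_self_signed in the next hunk re-signs CHILD_CERT but builds its expected message from ALTERNATE_CERT.subject, which only passes because of this aliasing. Either load a distinct fixture for ALTERNATE_CERT or use CHILD_CERT consistently in that test, and add a comment such as `# ALTERNATE_CERT: a cert whose key is not PRIVATE_KEY, exercises the wrong-key re-sign path` so a reader knows why a second name exists (the wrong-key expectation in test_class_re_sign_wrong_key is what establishes that relationship). The instance variable `@SEC` breaks Ruby's snake_case convention for instance variables; since it only aliases the Gem::Security module, `@sec = Gem::Security` or a class-level constant would be conventional. The class body continues past this hunk.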
@@ -41,60 +43,204 @@ class TestGemSecurity < Gem::TestCase key_ident = cert.extensions.find { |ext| ext.oid == 'subjectKeyIdentifier' } assert_equal 59, key_ident.value.length + assert_equal 'B0:EB:9C:A5:E5:8E:7D:94:BB:4B:3B:D6:80:CB:A5:AD:5D:12:88:90', + key_ident.value - assert_equal name.to_s, cert.issuer.to_s + assert_equal '', cert.issuer.to_s assert_equal name.to_s, cert.subject.to_s end - def test_class_build_self_signed_cert + def test_class_create_cert_self_signed + subject = PUBLIC_CERT.subject + + cert = @SEC.create_cert_self_signed subject, PRIVATE_KEY, 60 + + assert_equal '/CN=nobody/DC=example', cert.issuer.to_s + end + + def test_class_create_cert_email email = 'nobody@example' - opt = { - :cert_age => 60, - :key_size => 512, - :save_cert => false, - :save_key => false, - } + name = PUBLIC_CERT.subject + key = PRIVATE_KEY - result = Gem::Security.build_self_signed_cert email, opt + cert = @SEC.create_cert_email email, key, 60 - key = result[:key] + assert_kind_of OpenSSL::X509::Certificate, cert - assert_kind_of OpenSSL::PKey::RSA, key - # assert_equal 512, key.something_here + assert_equal 2, cert.version + assert_equal 1, cert.serial + assert_equal key.public_key.to_pem, cert.public_key.to_pem + assert_in_delta Time.now, cert.not_before, 10 + assert_in_delta Time.now + 60, cert.not_after, 10 + assert_equal name.to_s, cert.subject.to_s + assert_equal name.to_s, cert.issuer.to_s - cert = result[:cert] + assert_equal 5, cert.extensions.length, + cert.extensions.map { |e| e.to_a.first } - assert_equal '/CN=nobody/DC=example', cert.issuer.to_s - end + constraints = cert.extensions.find { |ext| ext.oid == 'subjectAltName' } + assert_equal 'email:nobody@example', constraints.value - def test_class_sign_cert - name = OpenSSL::X509::Name.parse "CN=nobody/DC=example" - key = OpenSSL::PKey::RSA.new 512 - cert = OpenSSL::X509::Certificate.new + constraints = cert.extensions.find { |ext| ext.oid == 'basicConstraints' } + assert_equal 'CA:FALSE', 
constraints.value - cert.subject = name - cert.public_key = key.public_key + key_usage = cert.extensions.find { |ext| ext.oid == 'keyUsage' } + assert_equal 'Digital Signature, Key Encipherment, Data Encipherment', + key_usage.value - signed = Gem::Security.sign_cert cert, key, cert + key_ident = cert.extensions.find { |ext| ext.oid == 'subjectKeyIdentifier' } + assert_equal 59, key_ident.value.length + assert_equal 'B0:EB:9C:A5:E5:8E:7D:94:BB:4B:3B:D6:80:CB:A5:AD:5D:12:88:90', + key_ident.value + end - assert cert.verify key - assert_equal name.to_s, signed.subject.to_s + def test_class_create_key + key = @SEC.create_key 256 + + assert_kind_of OpenSSL::PKey::RSA, key end def test_class_email_to_name - munger = Gem::Security::OPT[:munge_re] - assert_equal '/CN=nobody/DC=example', - Gem::Security.email_to_name('nobody@example', munger).to_s + @SEC.email_to_name('nobody@example').to_s assert_equal '/CN=nobody/DC=example/DC=com', - Gem::Security.email_to_name('nobody@example.com', munger).to_s + @SEC.email_to_name('nobody@example.com').to_s assert_equal '/CN=no.body/DC=example', - Gem::Security.email_to_name('no.body@example', munger).to_s + @SEC.email_to_name('no.body@example').to_s assert_equal '/CN=no_body/DC=example', - Gem::Security.email_to_name('no+body@example', munger).to_s + @SEC.email_to_name('no+body@example').to_s + end + + def test_class_re_sign + re_signed = Gem::Security.re_sign EXPIRED_CERT, PRIVATE_KEY, 60 + + assert_in_delta Time.now, re_signed.not_before, 10 + assert_in_delta Time.now + 60, re_signed.not_after, 10 + assert_equal 2, re_signed.serial + + assert re_signed.verify PUBLIC_KEY + end + + def test_class_re_sign_not_self_signed + e = assert_raises Gem::Security::Exception do + Gem::Security.re_sign CHILD_CERT, CHILD_KEY + end + + assert_equal "#{ALTERNATE_CERT.subject} is not self-signed, contact " \ + "#{ALTERNATE_CERT.issuer} to obtain a valid certificate", + e.message + end + + def test_class_re_sign_wrong_key + e = assert_raises 
Gem::Security::Exception do + Gem::Security.re_sign ALTERNATE_CERT, PRIVATE_KEY + end + + assert_equal "incorrect signing key for re-signing " \ + "#{ALTERNATE_CERT.subject}", + e.message + end + + def test_class_reset + trust_dir = @SEC.trust_dir + + @SEC.reset + + refute_equal trust_dir, @SEC.trust_dir + end + + def test_class_sign + issuer = PUBLIC_CERT.subject + signee = OpenSSL::X509::Name.parse "/CN=signee/DC=example" + + key = PRIVATE_KEY + cert = OpenSSL::X509::Certificate.new + cert.subject = signee + + cert.subject = signee + cert.public_key = key.public_key + + signed = @SEC.sign cert, key, PUBLIC_CERT, 60 + + assert_equal key.public_key.to_pem, signed.public_key.to_pem + assert_equal signee.to_s, signed.subject.to_s + assert_equal issuer.to_s, signed.issuer.to_s + + assert_in_delta Time.now, signed.not_before, 10 + assert_in_delta Time.now + 60, signed.not_after, 10 + + assert_equal 4, signed.extensions.length, + signed.extensions.map { |e| e.to_a.first } + + constraints = signed.extensions.find { |ext| ext.oid == 'issuerAltName' } + assert_equal 'email:nobody@example', constraints.value, 'issuerAltName' + + constraints = signed.extensions.find { |ext| ext.oid == 'basicConstraints' } + assert_equal 'CA:FALSE', constraints.value + + key_usage = signed.extensions.find { |ext| ext.oid == 'keyUsage' } + assert_equal 'Digital Signature, Key Encipherment, Data Encipherment', + key_usage.value + + key_ident = + signed.extensions.find { |ext| ext.oid == 'subjectKeyIdentifier' } + assert_equal 59, key_ident.value.length + assert_equal 'B0:EB:9C:A5:E5:8E:7D:94:BB:4B:3B:D6:80:CB:A5:AD:5D:12:88:90', + key_ident.value + + assert signed.verify key end -end if defined?(OpenSSL) + def test_class_sign_AltName + issuer = PUBLIC_CERT.subject + signee = OpenSSL::X509::Name.parse "/CN=signee/DC=example" + + cert = @SEC.create_cert_email 'signee@example', PRIVATE_KEY + + signed = @SEC.sign cert, PRIVATE_KEY, PUBLIC_CERT, 60 + + assert_equal PUBLIC_KEY.to_pem, 
signed.public_key.to_pem + assert_equal signee.to_s, signed.subject.to_s + assert_equal issuer.to_s, signed.issuer.to_s + + assert_in_delta Time.now, signed.not_before, 10 + assert_in_delta Time.now + 60, signed.not_after, 10 + + assert_equal 5, signed.extensions.length, + signed.extensions.map { |e| e.to_a.first } + + constraints = signed.extensions.find { |ext| ext.oid == 'issuerAltName' } + assert_equal 'email:nobody@example', constraints.value, 'issuerAltName' + + constraints = signed.extensions.find { |ext| ext.oid == 'subjectAltName' } + assert_equal 'email:signee@example', constraints.value, 'subjectAltName' + + constraints = signed.extensions.find { |ext| ext.oid == 'basicConstraints' } + assert_equal 'CA:FALSE', constraints.value + + key_usage = signed.extensions.find { |ext| ext.oid == 'keyUsage' } + assert_equal 'Digital Signature, Key Encipherment, Data Encipherment', + key_usage.value + + key_ident = + signed.extensions.find { |ext| ext.oid == 'subjectKeyIdentifier' } + assert_equal 59, key_ident.value.length + assert_equal 'B0:EB:9C:A5:E5:8E:7D:94:BB:4B:3B:D6:80:CB:A5:AD:5D:12:88:90', + key_ident.value + + assert signed.verify PUBLIC_KEY + end + + def test_class_trust_dir + trust_dir = @SEC.trust_dir + + expected = File.join Gem.user_home, '.gem/trust' + + assert_equal expected, trust_dir.dir + end + +end + -- cgit v1.2.3
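Review bot: In test_class_sign the line `cert.subject = signee` appears twice in a row; the second assignment is a no-op and should be dropped. test_class_create_key only asserts the key's class, so an implementation that ignored its size argument would still pass; `assert_equal 256, key.n.num_bits` would pin the requested size. The subjectKeyIdentifier fingerprint `'B0:EB:9C:A5:E5:8E:7D:94:BB:4B:3B:D6:80:CB:A5:AD:5D:12:88:90'` is repeated verbatim in four tests; hoisting it into a constant next to CHILD_KEY with a comment that it derives from the PRIVATE_KEY fixture would make the coupling explicit. test_class_reset calls `@SEC.reset` and never restores the previous trust dir, so unless Gem::TestCase's teardown (outside this hunk) resets Gem::Security, test_class_trust_dir becomes order-dependent; `refute_equal` on two TrustDir objects also only proves they differ by whatever `==` TrustDir defines, which is not visible here.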