Skip to content

Commit

Permalink
test_x509cert.rb: break up test_extension into smaller units
Browse files Browse the repository at this point in the history
test_extesion is testing too many features at once and is hard to
navigate. Let's split each chunk apart for more clarity.
  • Loading branch information
rhenium committed Jul 9, 2024
1 parent c96e666 commit 461cfcb
Showing 1 changed file with 51 additions and 15 deletions.
66 changes: 51 additions & 15 deletions test/openssl/test_x509cert.rb
Original file line number Diff line number Diff line change
Expand Up @@ -68,17 +68,14 @@ def test_validity
assert_equal(now.getutc, cert.not_after)
end

def test_extension
def test_extension_factory
ca_exts = [
["basicConstraints","CA:TRUE",true],
["keyUsage","keyCertSign, cRLSign",true],
["subjectKeyIdentifier","hash",false],
["authorityKeyIdentifier","issuer:always,keyid:always",false],
]
ca_cert = issue_cert(@ca, @rsa2048, 1, ca_exts, nil, nil)
keyid = get_subject_key_id(ca_cert.to_der, hex: false)
assert_equal keyid, ca_cert.authority_key_identifier
assert_equal keyid, ca_cert.subject_key_identifier
ca_cert.extensions.each_with_index{|ext, i|
assert_equal(ca_exts[i].first, ext.oid)
assert_equal(ca_exts[i].last, ext.critical?)
Expand All @@ -90,33 +87,79 @@ def test_extension
["authorityKeyIdentifier","issuer:always,keyid:always",false],
["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
["subjectAltName","email:[email protected]",false],
["authorityInfoAccess","caIssuers;URI:http://www.example.com/caIssuers,OCSP;URI:http://www.example.com/ocsp",false],
]
ee1_cert = issue_cert(@ee1, @rsa1024, 2, ee1_exts, ca_cert, @rsa2048)
assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der)
ee1_cert.extensions.each_with_index{|ext, i|
assert_equal(ee1_exts[i].first, ext.oid)
assert_equal(ee1_exts[i].last, ext.critical?)
}
assert_nil(ee1_cert.crl_uris)
end

def test_akiski
ca_cert = generate_cert(@ca, @rsa2048, 4, nil)
ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, ca_cert)
ca_cert.add_extension(
ef.create_extension("subjectKeyIdentifier", "hash", false))
ca_cert.add_extension(
ef.create_extension("authorityKeyIdentifier", "issuer:always,keyid:always", false))
ca_cert.sign(@rsa2048, "sha256")

ca_keyid = get_subject_key_id(ca_cert.to_der, hex: false)
assert_equal ca_keyid, ca_cert.authority_key_identifier
assert_equal ca_keyid, ca_cert.subject_key_identifier

ee_cert = generate_cert(@ee1, Fixtures.pkey("p256"), 5, ca_cert)
ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, ee_cert)
ee_cert.add_extension(
ef.create_extension("subjectKeyIdentifier", "hash", false))
ee_cert.add_extension(
ef.create_extension("authorityKeyIdentifier", "issuer:always,keyid:always", false))
ee_cert.sign(@rsa2048, "sha256")

ee_keyid = get_subject_key_id(ee_cert.to_der, hex: false)
assert_equal ca_keyid, ee_cert.authority_key_identifier
assert_equal ee_keyid, ee_cert.subject_key_identifier
end

def test_akiski_missing
cert = issue_cert(@ee1, @rsa2048, 1, [], nil, nil)
assert_nil(cert.authority_key_identifier)
assert_nil(cert.subject_key_identifier)
end

def test_crl_uris_no_crl_distribution_points
cert = issue_cert(@ee1, @rsa2048, 1, [], nil, nil)
assert_nil(cert.crl_uris)
end

def test_crl_uris
# Multiple DistributionPoint contains a single general name each
ef = OpenSSL::X509::ExtensionFactory.new
ef.config = OpenSSL::Config.parse(<<~_cnf_)
[crlDistPts]
URI.1 = http://www.example.com/crl
URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary
_cnf_
cdp_cert = generate_cert(@ee1, @rsa1024, 3, ca_cert)
cdp_cert = generate_cert(@ee1, @rsa2048, 3, nil)
ef.subject_certificate = cdp_cert
cdp_cert.add_extension(ef.create_extension("crlDistributionPoints", "@crlDistPts"))
cdp_cert.sign(@rsa2048, "sha256")
assert_equal(
["http://www.example.com/crl", "ldap://ldap.example.com/cn=ca?certificateRevocationList;binary"],
cdp_cert.crl_uris
)
end

def test_aia_missing
cert = issue_cert(@ee1, @rsa2048, 1, [], nil, nil)
assert_nil(cert.ca_issuer_uris)
assert_nil(cert.ocsp_uris)
end

def test_aia
ef = OpenSSL::X509::ExtensionFactory.new
aia_cert = generate_cert(@ee1, @rsa1024, 4, ca_cert)
aia_cert = generate_cert(@ee1, @rsa2048, 4, nil)
ef.subject_certificate = aia_cert
aia_cert.add_extension(
ef.create_extension(
Expand All @@ -137,13 +180,6 @@ def test_extension
["http://www.example.com/ocsp", "ldap://ldap.example.com/cn=ca?authorityInfoAccessOcsp;binary"],
aia_cert.ocsp_uris
)

no_exts_cert = issue_cert(@ca, @rsa2048, 5, [], nil, nil)
assert_equal nil, no_exts_cert.authority_key_identifier
assert_equal nil, no_exts_cert.subject_key_identifier
assert_equal nil, no_exts_cert.crl_uris
assert_equal nil, no_exts_cert.ca_issuer_uris
assert_equal nil, no_exts_cert.ocsp_uris
end

def test_invalid_extension
Expand Down

0 comments on commit 461cfcb

Please sign in to comment.