1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
#!/usr/bin/env ruby
require 'spec_helper'
require 'puppet/ssl/certificate_revocation_list'
describe Puppet::SSL::CertificateRevocationList do
before do
@cert = stub 'cert', :subject => "mysubject"
@key = stub 'key', :private? => true
@class = Puppet::SSL::CertificateRevocationList
end
it "should only support the text format" do
@class.supported_formats.should == [:s]
end
describe "when converting from a string" do
it "should create a CRL instance with its name set to 'foo' and its content set to the extracted CRL" do
crl = stub 'crl'
OpenSSL::X509::CRL.expects(:new).returns(crl)
mycrl = stub 'sslcrl'
mycrl.expects(:content=).with(crl)
@class.expects(:new).with("foo").returns mycrl
@class.from_s("my crl").should == mycrl
end
end
describe "when an instance" do
before do
@class.any_instance.stubs(:read_or_generate)
@crl = @class.new("whatever")
end
it "should always use 'crl' for its name" do
@crl.name.should == "crl"
end
it "should have a content attribute" do
@crl.should respond_to(:content)
end
end
describe "when generating the crl" do
before do
@real_crl = mock 'crl'
@real_crl.stub_everything
OpenSSL::X509::CRL.stubs(:new).returns(@real_crl)
@class.any_instance.stubs(:read_or_generate)
@crl = @class.new("crl")
end
it "should set its issuer to the subject of the passed certificate" do
@real_crl.expects(:issuer=).with(@cert.subject)
@crl.generate(@cert, @key)
end
it "should set its version to 1" do
@real_crl.expects(:version=).with(1)
@crl.generate(@cert, @key)
end
it "should create an instance of OpenSSL::X509::CRL" do
OpenSSL::X509::CRL.expects(:new).returns(@real_crl)
@crl.generate(@cert, @key)
end
# The next three tests aren't good, but at least they
# specify the behaviour.
it "should add an extension for the CRL number" do
@real_crl.expects(:extensions=)
@crl.generate(@cert, @key)
end
it "should set the last update time" do
@real_crl.expects(:last_update=)
@crl.generate(@cert, @key)
end
it "should set the next update time" do
@real_crl.expects(:next_update=)
@crl.generate(@cert, @key)
end
it "should sign the CRL" do
@real_crl.expects(:sign).with { |key, digest| key == @key }
@crl.generate(@cert, @key)
end
it "should set the content to the generated crl" do
@crl.generate(@cert, @key)
@crl.content.should equal(@real_crl)
end
it "should return the generated crl" do
@crl.generate(@cert, @key).should equal(@real_crl)
end
end
# This test suite isn't exactly complete, because the
# SSL stuff is very complicated. It just hits the high points.
describe "when revoking a certificate" do
before do
@class.wrapped_class.any_instance.stubs(:issuer=)
@class.wrapped_class.any_instance.stubs(:sign)
@crl = @class.new("crl")
@crl.generate(@cert, @key)
@crl.content.stubs(:sign)
Puppet::SSL::CertificateRevocationList.indirection.stubs :save
@key = mock 'key'
end
it "should require a serial number and the CA's private key" do
lambda { @crl.revoke }.should raise_error(ArgumentError)
end
it "should default to OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE as the revocation reason" do
# This makes it a bit more of an integration test than we'd normally like, but that's life
# with openssl.
reason = OpenSSL::ASN1::Enumerated(OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
OpenSSL::ASN1.expects(:Enumerated).with(OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE).returns reason
@crl.revoke(1, @key)
end
it "should mark the CRL as updated" do
time = Time.now
Time.stubs(:now).returns time
@crl.content.expects(:last_update=).with(time)
@crl.revoke(1, @key)
end
it "should mark the CRL valid for five years" do
time = Time.now
Time.stubs(:now).returns time
@crl.content.expects(:next_update=).with(time + (5 * 365*24*60*60))
@crl.revoke(1, @key)
end
it "should sign the CRL with the CA's private key and a digest instance" do
@crl.content.expects(:sign).with { |key, digest| key == @key and digest.is_a?(OpenSSL::Digest::SHA1) }
@crl.revoke(1, @key)
end
it "should save the CRL" do
Puppet::SSL::CertificateRevocationList.indirection.expects(:save).with(@crl, nil)
@crl.revoke(1, @key)
end
end
end
|