begin
require "openssl"
require File.join(File.dirname(__FILE__), "utils.rb")
rescue LoadError
end
require "test/unit"
if defined?(OpenSSL)
class OpenSSL::TestPKCS7 < Test::Unit::TestCase
def setup
@rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
@rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
now = Time.now
ca_exts = [
["basicConstraints","CA:TRUE",true],
["keyUsage","keyCertSign, cRLSign",true],
["subjectKeyIdentifier","hash",false],
["authorityKeyIdentifier","keyid:always",false],
]
@ca_cert = issue_cert(ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts,
nil, nil, OpenSSL::Digest::SHA1.new)
ee_exts = [
["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
["authorityKeyIdentifier","keyid:always",false],
["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
]
@ee1_cert = issue_cert(ee1, @rsa1024, 2, Time.now, Time.now+1800, ee_exts,
@ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
@ee2_cert = issue_cert(ee2, @rsa1024, 3, Time.now, Time.now+1800, ee_exts,
@ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
end
def issue_cert(*args)
OpenSSL::TestUtils.issue_cert(*args)
end
def test_signed
store = OpenSSL::X509::Store.new
store.add_cert(@ca_cert)
ca_certs = [@ca_cert]
data = "aaaaa\r\nbbbbb\r\nccccc\r\n"
tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs)
p7 = OpenSSL::PKCS7::PKCS7.new(tmp.to_der)
certs = p7.certificates
signers = p7.signers
assert(p7.verify([], store))
assert_equal(data, p7.data)
assert_equal(2, certs.size)
assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
assert_equal(1, signers.size)
assert_equal(@ee1_cert.serial, signers[0].serial)
assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
# Normaly OpenSSL tries to translate the supplied content into canonical
# MIME format (e.g. a newline character is converted into CR+LF).
# If the content is a binary, PKCS7::BINARY flag should be used.
data = "aaaaa\nbbbbb\nccccc\n"
flag = OpenSSL::PKCS7::BINARY
tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag)
p7 = OpenSSL::PKCS7::PKCS7.new(tmp.to_der)
certs = p7.certificates
signers = p7.signers
assert(p7.verify([], store))
assert_equal(data, p7.data)
assert_equal(2, certs.size)
assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
assert_equal(1, signers.size)
assert_equal(@ee1_cert.serial, signers[0].serial)
assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
# A signed-data which have multiple signatures can be created
# through the following steps.
# 1. create two signed-data
# 2. copy signerInfo and certificate from one to another
tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag)
tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag)
tmp1.add_signer(tmp2.signers[0])
tmp1.add_certificate(@ee2_cert)
p7 = OpenSSL::PKCS7::PKCS7.new(tmp1.to_der)
certs = p7.certificates
signers = p7.signers
assert(p7.verify([], store))
assert_equal(data, p7.data)
assert_equal(2, certs.size)
assert_equal(2, signers.size)
assert_equal(@ee1_cert.serial, signers[0].serial)
assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
assert_equal(@ee2_cert.serial, signers[1].serial)
assert_equal(@ee2_cert.issuer.to_s, signers[1].issuer.to_s)
end
def test_detached_sign
store = OpenSSL::X509::Store.new
store.add_cert(@ca_cert)
ca_certs = [@ca_cert]
data = "aaaaa\nbbbbb\nccccc\n"
flag = OpenSSL::PKCS7::BINARY|OpenSSL::PKCS7::DETACHED
tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag)
p7 = OpenSSL::PKCS7::PKCS7.new(tmp.to_der)
a1 = OpenSSL::ASN1.decode(p7)
certs = p7.certificates
signers = p7.signers
assert(!p7.verify([], store))
assert(p7.verify([], store, data))
assert_equal(data, p7.data)
assert_equal(2, certs.size)
assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
assert_equal(1, signers.size)
assert_equal(@ee1_cert.serial, signers[0].serial)
assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
end
def test_enveloped
if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x0090704f
# PKCS7_encrypt() of OpenSSL-0.9.7d goes to SEGV.
# http://www.mail-archive.com/openssl-dev@openssl.org/msg17376.html
return
end
certs = [@ee1_cert, @ee2_cert]
cipher = OpenSSL::Cipher::AES.new("128-CBC")
data = "aaaaa\nbbbbb\nccccc\n"
tmp = OpenSSL::PKCS7.encrypt(certs, data, cipher, OpenSSL::PKCS7::BINARY)
p7 = OpenSSL::PKCS7::PKCS7.new(tmp.to_der)
recip = p7.recipients
assert_equal(:enveloped, p7.type)
assert_equal(2, recip.size)
assert_equal(@ca_cert.subject.to_s, recip[0].issuer.to_s)
assert_equal(2, recip[0].serial)
assert_equal(data, p7.decrypt(@rsa1024, @ee1_cert))
assert_equal(@ca_cert.subject.to_s, recip[1].issuer.to_s)
assert_equal(3, recip[1].serial)
assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert))
end
end
end