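--- a/cert_spec.rb
+++ b/cert_spec.rb
@@ -1,32 +1,52 @@
+require 'faketime'
+
 describe CryptCheck::Tls::Cert do
 def load_chain(chain)
-chain.collect { |f| ::OpenSSL::X509::Certificate.new File.read File.join 'spec/resources', "#{f}.crt" }
+chain.collect { |f| ::OpenSSL::X509::Certificate.new File.read "spec/resources/#{f}.crt" }
 end
 
 describe '::trusted?' do
-it 'must accept valid certificat' do
-cert, *chain, ca = load_chain %w(custom intermediate ca)
-trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: ca
-expect(trust).to eq :trusted
+it 'must accept valid certificate' do
+FakeTime.freeze_during Time.utc(2000, 1, 1) do
+cert, *chain, ca = load_chain %w(ecdsa-prime256v1 intermediate ca)
+trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: ca
+expect(trust).to eq :trusted
+end
 end
 
 it 'must reject self signed certificate' do
 cert, ca = load_chain %w(self-signed ca)
-trust = ::CryptCheck::Tls::Cert.trusted? cert, [], roots: ca
+trust = ::CryptCheck::Tls::Cert.trusted? cert, [], roots: ca
 expect(trust).to eq 'self signed certificate'
 end
 
 it 'must reject unknown CA' do
-cert, *chain = load_chain %w(custom intermediate ca)
+cert, *chain = load_chain %w(ecdsa-prime256v1 intermediate ca)
 trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: []
 expect(trust).to eq 'unable to get issuer certificate'
 end
 
 it 'must reject missing intermediate chain' do
-cert, ca = load_chain %w(custom ca)
-chain = []
-trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: ca
+cert, ca = load_chain %w(ecdsa-prime256v1 ca)
+chain = []
+trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: ca
 expect(trust).to eq 'unable to get local issuer certificate'
 end
+
+it 'must reject expired certificate' do
+FakeTime.freeze_during Time.utc(2002, 1, 1) do
+cert, *chain, ca = load_chain %w(ecdsa-prime256v1 intermediate ca)
+trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: ca
+expect(trust).to eq 'certificate has expired'
+end
+end
+
+it 'must reject not yet valid certificate' do
+FakeTime.freeze_during Time.utc(1999, 1, 1) do
+cert, *chain, ca = load_chain %w(ecdsa-prime256v1 intermediate ca)
+trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: ca
+expect(trust).to eq 'certificate is not yet valid'
+end
+end
 end
 end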
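Review bot: The three rejection tests that are not wrapped in `FakeTime.freeze_during` ('self signed certificate', 'unknown CA', 'missing intermediate chain') run against the same fixtures that the new expired/not-yet-valid tests show are only valid in a window around 2000–2001, so on a real clock they pass only because OpenSSL reports the chain-building error before it reaches the validity-period check — an ordering the spec does not pin down and that a different OpenSSL build could change, turning these into false failures (or, worse, masking a regression in the chain check behind 'certificate has expired'). Freeze the clock for those three tests as well, e.g. by wrapping each body in `FakeTime.freeze_during Time.utc(2000, 1, 1) do ... end` as the accept test already does, so each test exercises exactly one failure condition. A one-line comment above `load_chain` such as `# fixtures in spec/resources are valid roughly 2000–2001; tests freeze time accordingly` would also make the magic dates self-explanatory. Separately, matching `trusted?` results against OpenSSL's human-readable error strings ('certificate has expired', 'unable to get local issuer certificate') ties the suite to the wording of the linked OpenSSL version; if `trusted?` can expose the verify error code, asserting on that would be more robust.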