Created
December 28, 2022 14:26
-
-
Save jimmynguyc/1b499826e824fe70683f85ecb2ba44bb to your computer and use it in GitHub Desktop.
Test case for OpenSSL3 PKCS7
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require "openssl" | |
| require "minitest/autorun" | |
| require "pry" | |
| class OpenSSL3Test < Minitest::Test | |
| def ca_key | |
| @ca_key ||= OpenSSL::PKey::RSA.new(2048) | |
| end | |
| def ca_cert | |
| @ca ||= OpenSSL::X509::Certificate.new.tap do |cert| | |
| cert.public_key = ca_key.public_key | |
| cert.subject = OpenSSL::X509::Name.parse("/CN=Trusted CA") | |
| cert.sign(ca_key, OpenSSL::Digest.new("SHA256")) | |
| end | |
| end | |
| def random_key | |
| @random_key ||= OpenSSL::PKey::RSA.new(2048) | |
| end | |
| def random_cert | |
| @random_cert ||= OpenSSL::X509::Certificate.new.tap do |cert| | |
| cert.public_key = random_key.public_key | |
| cert.subject = OpenSSL::X509::Name.parse("/CN=Random Cert") | |
| cert.issuer = ca_cert.subject | |
| cert.not_before = Time.now | |
| cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity | |
| cert.sign(ca_key, OpenSSL::Digest.new("SHA256")) | |
| end | |
| end | |
| def their_key | |
| @their_key ||= OpenSSL::PKey::RSA.new(2048) | |
| end | |
| def their_cert | |
| @their_cert ||= OpenSSL::X509::Certificate.new.tap do |cert| | |
| cert.public_key = their_key.public_key | |
| cert.subject = OpenSSL::X509::Name.parse("/CN=Their Cert") | |
| cert.issuer = ca_cert.subject | |
| cert.not_before = Time.now | |
| cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity | |
| ef = OpenSSL::X509::ExtensionFactory.new | |
| ef.subject_certificate = cert | |
| ef.issuer_certificate = ca_cert | |
| cert.add_extension(ef.create_extension("keyUsage", "digitalSignature", true)) | |
| cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false)) | |
| cert.sign(ca_key, OpenSSL::Digest.new("SHA256")) | |
| end | |
| end | |
| def our_key | |
| @our_key ||= OpenSSL::PKey::RSA.new(2048) | |
| end | |
| def our_cert | |
| @our_cert ||= OpenSSL::X509::Certificate.new.tap do |cert| | |
| cert.public_key = our_key.public_key | |
| cert.subject = OpenSSL::X509::Name.parse("/CN=Our Cert") | |
| cert.issuer = ca_cert.subject | |
| cert.not_before = Time.now | |
| cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity | |
| ef = OpenSSL::X509::ExtensionFactory.new | |
| ef.subject_certificate = cert | |
| ef.issuer_certificate = ca_cert | |
| cert.add_extension(ef.create_extension("keyUsage", "digitalSignature", true)) | |
| cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false)) | |
| cert.sign(ca_key, OpenSSL::Digest.new("SHA256")) | |
| end | |
| end | |
| def cipher | |
| @cipher ||= OpenSSL::Cipher.new("AES-128-CBC") | |
| end | |
| def decrypt(p7, key, cert) | |
| p7.decrypt(key, cert) | |
| rescue OpenSSL::PKCS7::PKCS7Error | |
| nil | |
| end | |
| ### | |
| def test_stuff | |
| puts "OpenSSL::VERSION = #{OpenSSL::VERSION}" | |
| OpenSSL.debug = true | |
| File.write("ca_key.pem", our_key.to_pem) | |
| File.write("ca_cert.pem", our_cert.to_pem) | |
| File.write("random_key.pem", our_key.to_pem) | |
| File.write("random_cert.pem", our_cert.to_pem) | |
| File.write("their_key.pem", our_key.to_pem) | |
| File.write("their_cert.pem", our_cert.to_pem) | |
| File.write("our_key.pem", our_key.to_pem) | |
| File.write("our_cert.pem", our_cert.to_pem) | |
| data = "foo" | |
| encrypted = OpenSSL::PKCS7.encrypt([our_cert], data, cipher, OpenSSL::PKCS7::BINARY) | |
| File.write("encrypted.pk7", encrypted) | |
| assert_equal(data, decrypt(encrypted, our_key, our_cert)) | |
| assert_nil(decrypt(encrypted, random_key, random_cert)) | |
| p7 = OpenSSL::PKCS7.new(encrypted.to_pem) | |
| File.write("recreated.pk7", p7.to_pem) | |
| assert_equal(encrypted.to_pem, p7.to_pem) | |
| assert_equal(data, decrypt(p7, our_key, our_cert)) | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment