[fix] authority keyid extension's :always part optional

kares · kares · commit 149001d46f62 · 2020-02-17T12:02:22.000+01:00
resolves #174
diff --git a/src/main/java/org/jruby/ext/openssl/X509ExtensionFactory.java b/src/main/java/org/jruby/ext/openssl/X509ExtensionFactory.java
@@ -404,11 +404,11 @@ private ASN1Sequence parseAuthorityKeyIdentifier(final ThreadContext context, fi
         final ASN1EncodableVector vec = new ASN1EncodableVector();
 
         for ( String value : valuex.split(",") ) { // e.g. "keyid:always,issuer:always"
-            if ( value.startsWith("keyid:") ) { // keyid:always
+            if ( value.startsWith("keyid") ) { // keyid[:always]
                 ASN1Encodable publicKeyIdentifier = new DEROctetString(issuerPublicKeyIdentifier(context));
                 vec.add(new DERTaggedObject(false, 0, publicKeyIdentifier));
             }
-            else if ( value.startsWith("issuer:") ) { // issuer:always
+            else if ( value.startsWith("issuer") ) { // issuer[:always]
                 GeneralName issuerName = new GeneralName(authorityCertIssuer(context));
                 vec.add(new DERTaggedObject(false, 1, new GeneralNames(issuerName)));
 
diff --git a/src/test/ruby/x509/test_x509ext.rb b/src/test/ruby/x509/test_x509ext.rb
@@ -191,7 +191,7 @@ def test_subject_alt_name_sign_to_pem
 
     csr.sign rsa_key, OpenSSL::Digest::SHA256.new
 
-    puts csr.to_text if $VERBOSE
+    puts csr.to_text if $DEBUG
 
     csr = OpenSSL::X509::Request.new pem = csr.to_pem
     assert_equal 2, csr.attributes.length
@@ -236,6 +236,41 @@ def test_subject_alt_name_sequence
     }
   end
 
+  def test_authority_key_identifier
+    cn = [ %w[CN localhost] ]
+    # key = OpenSSL::PKey::RSA.new TEST_KEY_RSA2048
+    key = Fixtures.pkey("dsa512") # DSA
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = 1
+    name = OpenSSL::X509::Name.new(cn)
+    cert.subject = name
+    cert.issuer = name # self-signed
+    cert.not_before = Time.now
+    cert.not_after = Time.now + (365*24*60*60)
+    cert.public_key = key.public_key
+
+    ef = OpenSSL::X509::ExtensionFactory.new(nil, cert)
+    ef.issuer_certificate = cert
+    cert.extensions = [
+        ef.create_extension("basicConstraints","CA:FALSE"),
+        ef.create_extension("subjectKeyIdentifier", "hash"),
+        #ef.create_extension("extendedKeyUsage", "serverAuth"),
+        ef.create_extension("nsComment", __method__.to_s),
+    ]
+
+    ext = ef.create_extension("authorityKeyIdentifier", "keyid")
+    cert.add_extension(ext)
+
+    assert_equal 4, cert.extensions.size
+
+    ext = cert.extensions.last
+    assert_equal keyid = "keyid:91:0D:0C:A9:43:73:DF:8C:A9:E3:C2:0A:05:E3:CF:BE:A7:38:8D:DD\n", ext.value
+    assert !ext.critical?
+    assert_equal [ "authorityKeyIdentifier", keyid, false ], ext.to_a
+    # cert.sign(key, OpenSSL::Digest::SHA1.new)
+  end
+
   def subject_alt_name(domains)
     ef = OpenSSL::X509::ExtensionFactory.new
     ef.create_extension("subjectAltName", domains.split(',').map { |d| "DNS: #{d}" }.join(','))
