@iconara
Last active October 26, 2016 08:35
Warnings from jruby-openssl (jruby/jruby-openssl#110)
# Running this script with `ruby -w` will print these warnings:
# .../lib/ruby/1.9/webrick/https.rb:26 warning: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
# .../lib/ruby/1.9/webrick/https.rb:27 warning: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
require 'webrick'
require 'webrick/https'
require 'net/https'
require 'logger'
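# Builds a short-lived, self-signed root CA certificate for this test script.
#
# The subject doubles as the issuer, the serial is fixed at 1, and the
# certificate is valid from now for 86400 seconds (one day). It is signed
# with SHA-256 using the freshly generated RSA key.
#
# @param cn [Array<Array<String>>] name entries handed to
#   OpenSSL::X509::Name.new, e.g. [['O', 'Test']]
# @param bits [Integer] RSA modulus size. Defaults to 2048: 1024-bit RSA is
#   below the commonly accepted minimum and may be rejected by TLS stacks
#   that enforce a stricter key-size policy.
# @return [Array(OpenSSL::X509::Certificate, OpenSSL::PKey::RSA)] the CA
#   certificate and its private key
def create_root_ca(cn, bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  subject = OpenSSL::X509::Name.new(cn)
  issued_at = Time.now

  root_ca = OpenSSL::X509::Certificate.new
  root_ca.version = 2 # zero-based field: 2 means X.509 v3, needed for extensions
  root_ca.serial = 1
  root_ca.subject = subject
  root_ca.issuer = subject # self-signed: issuer and subject are the same name
  root_ca.public_key = key.public_key
  root_ca.not_before = issued_at
  root_ca.not_after = issued_at + 86400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = root_ca
  ef.issuer_certificate = root_ca

  # Order matters: authorityKeyIdentifier 'keyid:always' is derived from the
  # issuer's subjectKeyIdentifier, which here is this same certificate, so
  # the SKI has to be added first.
  [
    ['basicConstraints', 'CA:TRUE', true],
    ['keyUsage', 'keyCertSign, cRLSign', true],
    ['subjectKeyIdentifier', 'hash', false],
    ['authorityKeyIdentifier', 'keyid:always', false]
  ].each do |oid, value, critical|
    root_ca.add_extension(ef.create_extension(oid, value, critical))
  end

  root_ca.sign(key, OpenSSL::Digest::SHA256.new)
  [root_ca, key]
end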
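# Issues a short-lived end-entity certificate signed by the given root CA.
#
# The certificate gets serial 2, is valid from now for 86400 seconds (one
# day), carries a critical keyUsage of digitalSignature plus a
# subjectKeyIdentifier, and is signed with SHA-256 using the CA's key.
#
# NOTE(review): no subjectAltName is added, so hostname verification has to
# fall back to the subject CN; a client that only accepts SAN entries would
# reject this certificate.
#
# @param root_ca [OpenSSL::X509::Certificate] issuing CA certificate; its
#   subject becomes this certificate's issuer
# @param root_key [OpenSSL::PKey::PKey] private key of the issuing CA
# @param subject [Array<Array<String>>] name entries handed to
#   OpenSSL::X509::Name.new, e.g. [['CN', 'host.example']]
# @param bits [Integer] RSA modulus size. Defaults to 2048: 1024-bit RSA is
#   below the commonly accepted minimum and may be rejected by TLS stacks
#   that enforce a stricter key-size policy.
# @return [Array(OpenSSL::X509::Certificate, OpenSSL::PKey::RSA)] the new
#   certificate and its private key
def create_cert(root_ca, root_key, subject, bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  issued_at = Time.now

  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # zero-based field: 2 means X.509 v3, needed for extensions
  cert.serial = 2
  cert.subject = OpenSSL::X509::Name.new(subject)
  cert.issuer = root_ca.subject
  cert.public_key = key.public_key
  cert.not_before = issued_at
  cert.not_after = issued_at + 86400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = root_ca

  [
    ['keyUsage', 'digitalSignature', true],
    ['subjectKeyIdentifier', 'hash', false]
  ].each do |oid, value, critical|
    cert.add_extension(ef.create_extension(oid, value, critical))
  end

  # Signed with the CA's private key, not the key generated above.
  cert.sign(root_key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end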
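# Test fixture: a private root CA and a server certificate issued by it.
# The CA key and the server key live in separate variables so it is obvious
# which private key the HTTPS server is handed.
root_ca, root_key = create_root_ca([['O', 'Test']])
host = WEBrick::Utils.getservername
cert, server_key = create_cert(root_ca, root_key, [['CN', host]])

# The client trusts only this store, i.e. only the test root CA. This is what
# lets the request below keep VERIFY_PEER instead of disabling verification.
cert_store = OpenSSL::X509::Store.new
cert_store.add_cert(root_ca)

# Random port in 32768..65535.
port = 2**15 + rand(2**15)

server = WEBrick::HTTPServer.new(
  :Port => port,
  :SSLEnable => true,
  :SSLCertificate => cert,
  :SSLPrivateKey => server_key,
  :Logger => Logger.new(File.open(File::NULL, 'w')),
  # WEBrick documents :AccessLog as an array of [io, format] pairs; an empty
  # array turns access logging off.
  :AccessLog => []
)

server.mount_proc '/' do |_req, res|
  res.body = 'Hello, world!'
end

Thread.start { server.start }

# The server thread may not be listening yet, so retry refused connections,
# but only a bounded number of times: if the server never comes up the script
# fails instead of spinning forever.
max_attempts = 50
attempts = 0
begin
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.cert_store = cert_store
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.request(Net::HTTP::Get.new('/'))
rescue Errno::ECONNREFUSED, Errno::ENOTCONN
  attempts += 1
  raise if attempts >= max_attempts
  sleep 0.1
  retry
end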