Fix OpenSSL 3.0 compatibility.
Resolves: rhbz#2021922
This commit is contained in:
parent
78a9fbc351
commit
c4f8814a93
1004
ruby-3.1.0-Add-more-support-for-generic-pkey-types.patch
Normal file
1004
ruby-3.1.0-Add-more-support-for-generic-pkey-types.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,358 @@
|
||||
From f2cf3afc6fa1e13e960f732c0bc658ad408ee219 Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Fri, 12 Jun 2020 14:12:59 +0900
|
||||
Subject: [PATCH 1/3] pkey: fix potential memory leak in PKey#sign
|
||||
|
||||
Fix potential leak of EVP_MD_CTX object in an error path. This path is
|
||||
normally unreachable, since the size of a signature generated by any
|
||||
supported algorithms would not be larger than LONG_MAX.
|
||||
---
|
||||
ext/openssl/ossl_pkey.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
||||
index df8b425a0f..7488190e0e 100644
|
||||
--- a/ext/openssl/ossl_pkey.c
|
||||
+++ b/ext/openssl/ossl_pkey.c
|
||||
@@ -777,8 +777,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
|
||||
EVP_MD_CTX_free(ctx);
|
||||
ossl_raise(ePKeyError, "EVP_DigestSign");
|
||||
}
|
||||
- if (siglen > LONG_MAX)
|
||||
+ if (siglen > LONG_MAX) {
|
||||
+ EVP_MD_CTX_free(ctx);
|
||||
rb_raise(ePKeyError, "signature would be too large");
|
||||
+ }
|
||||
sig = ossl_str_new(NULL, (long)siglen, &state);
|
||||
if (state) {
|
||||
EVP_MD_CTX_free(ctx);
|
||||
@@ -799,8 +801,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
|
||||
EVP_MD_CTX_free(ctx);
|
||||
ossl_raise(ePKeyError, "EVP_DigestSignFinal");
|
||||
}
|
||||
- if (siglen > LONG_MAX)
|
||||
+ if (siglen > LONG_MAX) {
|
||||
+ EVP_MD_CTX_free(ctx);
|
||||
rb_raise(ePKeyError, "signature would be too large");
|
||||
+ }
|
||||
sig = ossl_str_new(NULL, (long)siglen, &state);
|
||||
if (state) {
|
||||
EVP_MD_CTX_free(ctx);
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
||||
From 8b30ce20eb9e03180c28288e29a96308e594f860 Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Fri, 2 Apr 2021 23:58:48 +0900
|
||||
Subject: [PATCH 2/3] pkey: prepare pkey_ctx_apply_options() for usage by other
|
||||
operations
|
||||
|
||||
The routine to apply Hash to EVP_PKEY_CTX_ctrl_str() is currently used
|
||||
by key generation, but it is useful for other operations too. Let's
|
||||
change it to a slightly more generic name.
|
||||
---
|
||||
ext/openssl/ossl_pkey.c | 22 ++++++++++++++--------
|
||||
1 file changed, 14 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
||||
index 7488190e0e..fed4a2b81f 100644
|
||||
--- a/ext/openssl/ossl_pkey.c
|
||||
+++ b/ext/openssl/ossl_pkey.c
|
||||
@@ -198,7 +198,7 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)
|
||||
}
|
||||
|
||||
static VALUE
|
||||
-pkey_gen_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
|
||||
+pkey_ctx_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
|
||||
{
|
||||
VALUE key = rb_ary_entry(i, 0), value = rb_ary_entry(i, 1);
|
||||
EVP_PKEY_CTX *ctx = (EVP_PKEY_CTX *)ctx_v;
|
||||
@@ -214,15 +214,25 @@ pkey_gen_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
|
||||
}
|
||||
|
||||
static VALUE
|
||||
-pkey_gen_apply_options0(VALUE args_v)
|
||||
+pkey_ctx_apply_options0(VALUE args_v)
|
||||
{
|
||||
VALUE *args = (VALUE *)args_v;
|
||||
|
||||
rb_block_call(args[1], rb_intern("each"), 0, NULL,
|
||||
- pkey_gen_apply_options_i, args[0]);
|
||||
+ pkey_ctx_apply_options_i, args[0]);
|
||||
return Qnil;
|
||||
}
|
||||
|
||||
+static void
|
||||
+pkey_ctx_apply_options(EVP_PKEY_CTX *ctx, VALUE options, int *state)
|
||||
+{
|
||||
+ VALUE args[2];
|
||||
+ args[0] = (VALUE)ctx;
|
||||
+ args[1] = options;
|
||||
+
|
||||
+ rb_protect(pkey_ctx_apply_options0, (VALUE)args, state);
|
||||
+}
|
||||
+
|
||||
struct pkey_blocking_generate_arg {
|
||||
EVP_PKEY_CTX *ctx;
|
||||
EVP_PKEY *pkey;
|
||||
@@ -330,11 +340,7 @@ pkey_generate(int argc, VALUE *argv, VALUE self, int genparam)
|
||||
}
|
||||
|
||||
if (!NIL_P(options)) {
|
||||
- VALUE args[2];
|
||||
-
|
||||
- args[0] = (VALUE)ctx;
|
||||
- args[1] = options;
|
||||
- rb_protect(pkey_gen_apply_options0, (VALUE)args, &state);
|
||||
+ pkey_ctx_apply_options(ctx, options, &state);
|
||||
if (state) {
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
rb_jump_tag(state);
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
||||
From 4c7b0f91da666961d11908b94520db4e09ce4e67 Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Sat, 18 Jul 2020 20:40:39 +0900
|
||||
Subject: [PATCH 3/3] pkey: allow setting algorithm-specific options in #sign
|
||||
and #verify
|
||||
|
||||
Similarly to OpenSSL::PKey.generate_key and .generate_parameters, let
|
||||
OpenSSL::PKey::PKey#sign and #verify take an optional parameter for
|
||||
specifying control strings for EVP_PKEY_CTX_ctrl_str().
|
||||
---
|
||||
ext/openssl/ossl_pkey.c | 113 ++++++++++++++++++++++------------
|
||||
test/openssl/test_pkey_rsa.rb | 34 +++++-----
|
||||
2 files changed, 89 insertions(+), 58 deletions(-)
|
||||
|
||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
||||
index fed4a2b81f..22e9f19982 100644
|
||||
--- a/ext/openssl/ossl_pkey.c
|
||||
+++ b/ext/openssl/ossl_pkey.c
|
||||
@@ -739,33 +739,51 @@ ossl_pkey_public_to_pem(VALUE self)
|
||||
}
|
||||
|
||||
/*
|
||||
- * call-seq:
|
||||
- * pkey.sign(digest, data) -> String
|
||||
+ * call-seq:
|
||||
+ * pkey.sign(digest, data [, options]) -> string
|
||||
*
|
||||
- * To sign the String _data_, _digest_, an instance of OpenSSL::Digest, must
|
||||
- * be provided. The return value is again a String containing the signature.
|
||||
- * A PKeyError is raised should errors occur.
|
||||
- * Any previous state of the Digest instance is irrelevant to the signature
|
||||
- * outcome, the digest instance is reset to its initial state during the
|
||||
- * operation.
|
||||
+ * Hashes and signs the +data+ using a message digest algorithm +digest+ and
|
||||
+ * a private key +pkey+.
|
||||
*
|
||||
- * == Example
|
||||
- * data = 'Sign me!'
|
||||
- * digest = OpenSSL::Digest.new('SHA256')
|
||||
- * pkey = OpenSSL::PKey::RSA.new(2048)
|
||||
- * signature = pkey.sign(digest, data)
|
||||
+ * See #verify for the verification operation.
|
||||
+ *
|
||||
+ * See also the man page EVP_DigestSign(3).
|
||||
+ *
|
||||
+ * +digest+::
|
||||
+ * A String that represents the message digest algorithm name, or +nil+
|
||||
+ * if the PKey type requires no digest algorithm.
|
||||
+ * For backwards compatibility, this can be an instance of OpenSSL::Digest.
|
||||
+ * Its state will not affect the signature.
|
||||
+ * +data+::
|
||||
+ * A String. The data to be hashed and signed.
|
||||
+ * +options+::
|
||||
+ * A Hash that contains algorithm specific control operations to \OpenSSL.
|
||||
+ * See OpenSSL's man page EVP_PKEY_CTX_ctrl_str(3) for details.
|
||||
+ * +options+ parameter was added in version 2.3.
|
||||
+ *
|
||||
+ * Example:
|
||||
+ * data = "Sign me!"
|
||||
+ * pkey = OpenSSL::PKey.generate_key("RSA", rsa_keygen_bits: 2048)
|
||||
+ * signopts = { rsa_padding_mode: "pss" }
|
||||
+ * signature = pkey.sign("SHA256", data, signopts)
|
||||
+ *
|
||||
+ * # Creates a copy of the RSA key pkey, but without the private components
|
||||
+ * pub_key = pkey.public_key
|
||||
+ * puts pub_key.verify("SHA256", signature, data, signopts) # => true
|
||||
*/
|
||||
static VALUE
|
||||
-ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
|
||||
+ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
|
||||
{
|
||||
EVP_PKEY *pkey;
|
||||
+ VALUE digest, data, options, sig;
|
||||
const EVP_MD *md = NULL;
|
||||
EVP_MD_CTX *ctx;
|
||||
+ EVP_PKEY_CTX *pctx;
|
||||
size_t siglen;
|
||||
int state;
|
||||
- VALUE sig;
|
||||
|
||||
pkey = GetPrivPKeyPtr(self);
|
||||
+ rb_scan_args(argc, argv, "21", &digest, &data, &options);
|
||||
if (!NIL_P(digest))
|
||||
md = ossl_evp_get_digestbyname(digest);
|
||||
StringValue(data);
|
||||
@@ -773,10 +791,17 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
|
||||
ctx = EVP_MD_CTX_new();
|
||||
if (!ctx)
|
||||
ossl_raise(ePKeyError, "EVP_MD_CTX_new");
|
||||
- if (EVP_DigestSignInit(ctx, NULL, md, /* engine */NULL, pkey) < 1) {
|
||||
+ if (EVP_DigestSignInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) {
|
||||
EVP_MD_CTX_free(ctx);
|
||||
ossl_raise(ePKeyError, "EVP_DigestSignInit");
|
||||
}
|
||||
+ if (!NIL_P(options)) {
|
||||
+ pkey_ctx_apply_options(pctx, options, &state);
|
||||
+ if (state) {
|
||||
+ EVP_MD_CTX_free(ctx);
|
||||
+ rb_jump_tag(state);
|
||||
+ }
|
||||
+ }
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data),
|
||||
RSTRING_LEN(data)) < 1) {
|
||||
@@ -828,35 +853,40 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
|
||||
}
|
||||
|
||||
/*
|
||||
- * call-seq:
|
||||
- * pkey.verify(digest, signature, data) -> String
|
||||
+ * call-seq:
|
||||
+ * pkey.verify(digest, signature, data [, options]) -> true or false
|
||||
*
|
||||
- * To verify the String _signature_, _digest_, an instance of
|
||||
- * OpenSSL::Digest, must be provided to re-compute the message digest of the
|
||||
- * original _data_, also a String. The return value is +true+ if the
|
||||
- * signature is valid, +false+ otherwise. A PKeyError is raised should errors
|
||||
- * occur.
|
||||
- * Any previous state of the Digest instance is irrelevant to the validation
|
||||
- * outcome, the digest instance is reset to its initial state during the
|
||||
- * operation.
|
||||
+ * Verifies the +signature+ for the +data+ using a message digest algorithm
|
||||
+ * +digest+ and a public key +pkey+.
|
||||
*
|
||||
- * == Example
|
||||
- * data = 'Sign me!'
|
||||
- * digest = OpenSSL::Digest.new('SHA256')
|
||||
- * pkey = OpenSSL::PKey::RSA.new(2048)
|
||||
- * signature = pkey.sign(digest, data)
|
||||
- * pub_key = pkey.public_key
|
||||
- * puts pub_key.verify(digest, signature, data) # => true
|
||||
+ * Returns +true+ if the signature is successfully verified, +false+ otherwise.
|
||||
+ * The caller must check the return value.
|
||||
+ *
|
||||
+ * See #sign for the signing operation and an example.
|
||||
+ *
|
||||
+ * See also the man page EVP_DigestVerify(3).
|
||||
+ *
|
||||
+ * +digest+::
|
||||
+ * See #sign.
|
||||
+ * +signature+::
|
||||
+ * A String containing the signature to be verified.
|
||||
+ * +data+::
|
||||
+ * See #sign.
|
||||
+ * +options+::
|
||||
+ * See #sign. +options+ parameter was added in version 2.3.
|
||||
*/
|
||||
static VALUE
|
||||
-ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
|
||||
+ossl_pkey_verify(int argc, VALUE *argv, VALUE self)
|
||||
{
|
||||
EVP_PKEY *pkey;
|
||||
+ VALUE digest, sig, data, options;
|
||||
const EVP_MD *md = NULL;
|
||||
EVP_MD_CTX *ctx;
|
||||
- int ret;
|
||||
+ EVP_PKEY_CTX *pctx;
|
||||
+ int state, ret;
|
||||
|
||||
GetPKey(self, pkey);
|
||||
+ rb_scan_args(argc, argv, "31", &digest, &sig, &data, &options);
|
||||
ossl_pkey_check_public_key(pkey);
|
||||
if (!NIL_P(digest))
|
||||
md = ossl_evp_get_digestbyname(digest);
|
||||
@@ -866,10 +896,17 @@ ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
|
||||
ctx = EVP_MD_CTX_new();
|
||||
if (!ctx)
|
||||
ossl_raise(ePKeyError, "EVP_MD_CTX_new");
|
||||
- if (EVP_DigestVerifyInit(ctx, NULL, md, /* engine */NULL, pkey) < 1) {
|
||||
+ if (EVP_DigestVerifyInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) {
|
||||
EVP_MD_CTX_free(ctx);
|
||||
ossl_raise(ePKeyError, "EVP_DigestVerifyInit");
|
||||
}
|
||||
+ if (!NIL_P(options)) {
|
||||
+ pkey_ctx_apply_options(pctx, options, &state);
|
||||
+ if (state) {
|
||||
+ EVP_MD_CTX_free(ctx);
|
||||
+ rb_jump_tag(state);
|
||||
+ }
|
||||
+ }
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig),
|
||||
RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data),
|
||||
@@ -1042,8 +1079,8 @@ Init_ossl_pkey(void)
|
||||
rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0);
|
||||
rb_define_method(cPKey, "public_to_pem", ossl_pkey_public_to_pem, 0);
|
||||
|
||||
- rb_define_method(cPKey, "sign", ossl_pkey_sign, 2);
|
||||
- rb_define_method(cPKey, "verify", ossl_pkey_verify, 3);
|
||||
+ rb_define_method(cPKey, "sign", ossl_pkey_sign, -1);
|
||||
+ rb_define_method(cPKey, "verify", ossl_pkey_verify, -1);
|
||||
rb_define_method(cPKey, "derive", ossl_pkey_derive, -1);
|
||||
|
||||
id_private_q = rb_intern("private?");
|
||||
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
|
||||
index 88164c3b52..d1e68dbc9f 100644
|
||||
--- a/test/openssl/test_pkey_rsa.rb
|
||||
+++ b/test/openssl/test_pkey_rsa.rb
|
||||
@@ -117,27 +117,21 @@ def test_sign_verify
|
||||
assert_equal false, rsa1024.verify("SHA256", signature1, data)
|
||||
end
|
||||
|
||||
- def test_digest_state_irrelevant_sign
|
||||
+ def test_sign_verify_options
|
||||
key = Fixtures.pkey("rsa1024")
|
||||
- digest1 = OpenSSL::Digest.new('SHA1')
|
||||
- digest2 = OpenSSL::Digest.new('SHA1')
|
||||
- data = 'Sign me!'
|
||||
- digest1 << 'Change state of digest1'
|
||||
- sig1 = key.sign(digest1, data)
|
||||
- sig2 = key.sign(digest2, data)
|
||||
- assert_equal(sig1, sig2)
|
||||
- end
|
||||
-
|
||||
- def test_digest_state_irrelevant_verify
|
||||
- key = Fixtures.pkey("rsa1024")
|
||||
- digest1 = OpenSSL::Digest.new('SHA1')
|
||||
- digest2 = OpenSSL::Digest.new('SHA1')
|
||||
- data = 'Sign me!'
|
||||
- sig = key.sign(digest1, data)
|
||||
- digest1.reset
|
||||
- digest1 << 'Change state of digest1'
|
||||
- assert(key.verify(digest1, sig, data))
|
||||
- assert(key.verify(digest2, sig, data))
|
||||
+ data = "Sign me!"
|
||||
+ pssopts = {
|
||||
+ "rsa_padding_mode" => "pss",
|
||||
+ "rsa_pss_saltlen" => 20,
|
||||
+ "rsa_mgf1_md" => "SHA1"
|
||||
+ }
|
||||
+ sig_pss = key.sign("SHA256", data, pssopts)
|
||||
+ assert_equal 128, sig_pss.bytesize
|
||||
+ assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)
|
||||
+ assert_equal true, key.verify_pss("SHA256", sig_pss, data,
|
||||
+ salt_length: 20, mgf1_hash: "SHA1")
|
||||
+ # Defaults to PKCS #1 v1.5 padding => verification failure
|
||||
+ assert_equal false, key.verify("SHA256", sig_pss, data)
|
||||
end
|
||||
|
||||
def test_verify_empty_rsa
|
||||
--
|
||||
2.32.0
|
||||
|
File diff suppressed because it is too large
Load Diff
142
ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch
Normal file
142
ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch
Normal file
@ -0,0 +1,142 @@
|
||||
From 8f948ed68a4ed6c05ff66d822711e3b70ae4bb3f Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Mon, 27 Sep 2021 13:32:03 +0900
|
||||
Subject: [PATCH 1/3] ext/openssl/ossl.h: add helper macros for
|
||||
OpenSSL/LibreSSL versions
|
||||
|
||||
Add following convenient macros:
|
||||
|
||||
- OSSL_IS_LIBRESSL
|
||||
- OSSL_OPENSSL_PREREQ(maj, min, pat)
|
||||
- OSSL_LIBRESSL_PREREQ(maj, min, pat)
|
||||
---
|
||||
ext/openssl/ossl.h | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
|
||||
index c20f506bda..a0cef29d74 100644
|
||||
--- a/ext/openssl/ossl.h
|
||||
+++ b/ext/openssl/ossl.h
|
||||
@@ -43,6 +43,18 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/dh.h>
|
||||
|
||||
+#ifndef LIBRESSL_VERSION_NUMBER
|
||||
+# define OSSL_IS_LIBRESSL 0
|
||||
+# define OSSL_OPENSSL_PREREQ(maj, min, pat) \
|
||||
+ (OPENSSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
|
||||
+# define OSSL_LIBRESSL_PREREQ(maj, min, pat) 0
|
||||
+#else
|
||||
+# define OSSL_IS_LIBRESSL 1
|
||||
+# define OSSL_OPENSSL_PREREQ(maj, min, pat) 0
|
||||
+# define OSSL_LIBRESSL_PREREQ(maj, min, pat) \
|
||||
+ (LIBRESSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* Common Module
|
||||
*/
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
||||
From bbf235091e49807ece8f3a3df95bbfcc9d3ab43d Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Sat, 22 Feb 2020 05:37:01 +0900
|
||||
Subject: [PATCH 2/3] ts: use TS_VERIFY_CTX_set_certs instead of
|
||||
TS_VERIFY_CTS_set_certs
|
||||
|
||||
OpenSSL 3.0 fixed the typo in the function name and replaced the
|
||||
current 'CTS' version with a macro.
|
||||
---
|
||||
ext/openssl/extconf.rb | 5 ++++-
|
||||
ext/openssl/openssl_missing.h | 5 +++++
|
||||
ext/openssl/ossl_ts.c | 2 +-
|
||||
3 files changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
||||
index 17d93443fc..09cae05b72 100644
|
||||
--- a/ext/openssl/extconf.rb
|
||||
+++ b/ext/openssl/extconf.rb
|
||||
@@ -166,7 +166,7 @@ def find_openssl_library
|
||||
have_func("TS_STATUS_INFO_get0_status")
|
||||
have_func("TS_STATUS_INFO_get0_text")
|
||||
have_func("TS_STATUS_INFO_get0_failure_info")
|
||||
-have_func("TS_VERIFY_CTS_set_certs")
|
||||
+have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")
|
||||
have_func("TS_VERIFY_CTX_set_store")
|
||||
have_func("TS_VERIFY_CTX_add_flags")
|
||||
have_func("TS_RESP_CTX_set_time_cb")
|
||||
@@ -175,6 +175,9 @@ def find_openssl_library
|
||||
|
||||
# added in 1.1.1
|
||||
have_func("EVP_PKEY_check")
|
||||
+
|
||||
+# added in 3.0.0
|
||||
+have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
|
||||
|
||||
Logging::message "=== Checking done. ===\n"
|
||||
|
||||
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
|
||||
index e575415f49..fe486bcfcf 100644
|
||||
--- a/ext/openssl/openssl_missing.h
|
||||
+++ b/ext/openssl/openssl_missing.h
|
||||
@@ -242,4 +242,9 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
|
||||
} while (0)
|
||||
#endif
|
||||
|
||||
+/* added in 3.0.0 */
|
||||
+#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
|
||||
+# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
|
||||
+#endif
|
||||
+
|
||||
#endif /* _OSSL_OPENSSL_MISSING_H_ */
|
||||
diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c
|
||||
index 692c0d620f..f1da7c1947 100644
|
||||
--- a/ext/openssl/ossl_ts.c
|
||||
+++ b/ext/openssl/ossl_ts.c
|
||||
@@ -816,7 +816,7 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)
|
||||
X509_up_ref(cert);
|
||||
}
|
||||
|
||||
- TS_VERIFY_CTS_set_certs(ctx, x509inter);
|
||||
+ TS_VERIFY_CTX_set_certs(ctx, x509inter);
|
||||
TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
|
||||
TS_VERIFY_CTX_set_store(ctx, x509st);
|
||||
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
||||
From 5fba3bc1df93ab6abc3ea53be3393480f36ea259 Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Fri, 19 Mar 2021 19:18:25 +0900
|
||||
Subject: [PATCH 3/3] ssl: use SSL_get_rbio() to check if SSL is started or not
|
||||
|
||||
Use SSL_get_rbio() instead of SSL_get_fd(). SSL_get_fd() internally
|
||||
calls SSL_get_rbio() and it's enough for our purpose.
|
||||
|
||||
In OpenSSL 3.0, SSL_get_fd() leaves an entry in the OpenSSL error queue
|
||||
if BIO has not been set up yet, and we would have to clean it up.
|
||||
---
|
||||
ext/openssl/ossl_ssl.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
|
||||
index 4b7efa39f5..ec430bfb0c 100644
|
||||
--- a/ext/openssl/ossl_ssl.c
|
||||
+++ b/ext/openssl/ossl_ssl.c
|
||||
@@ -1522,8 +1522,8 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
|
||||
static inline int
|
||||
ssl_started(SSL *ssl)
|
||||
{
|
||||
- /* the FD is set in ossl_ssl_setup(), called by #connect or #accept */
|
||||
- return SSL_get_fd(ssl) >= 0;
|
||||
+ /* BIO is created through ossl_ssl_setup(), called by #connect or #accept */
|
||||
+ return SSL_get_rbio(ssl) != NULL;
|
||||
}
|
||||
|
||||
static void
|
||||
--
|
||||
2.32.0
|
||||
|
93
ruby-3.1.0-Properly-exclude-test-cases.patch
Normal file
93
ruby-3.1.0-Properly-exclude-test-cases.patch
Normal file
@ -0,0 +1,93 @@
|
||||
From 96684439e96aa92e10376b5be45f006772028295 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
|
||||
Date: Thu, 21 Oct 2021 13:02:38 +0200
|
||||
Subject: [PATCH] Properly exclude test cases.
|
||||
|
||||
Lets consider the following scenario:
|
||||
|
||||
~~~
|
||||
irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):001:0> p suite
|
||||
OpenSSL::TestEC
|
||||
=> OpenSSL::TestEC
|
||||
|
||||
irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):002:0> p all_test_methods
|
||||
["test_ECPrivateKey", "test_ECPrivateKey_encrypted", "test_PUBKEY", "test_check_key", "test_derive_key", "test_dh_compute_key", "test_dsa_sign_asn1_FIPS186_3", "test_ec_group", "test_ec_key", "test_ec_point", "test_ec_point_add", "test_ec_point_mul", "test_generate", "test_marshal", "test_sign_verify", "test_sign_verify_raw"]
|
||||
=>
|
||||
["test_ECPrivateKey",
|
||||
"test_ECPrivateKey_encrypted",
|
||||
"test_PUBKEY",
|
||||
"test_check_key",
|
||||
"test_derive_key",
|
||||
"test_dh_compute_key",
|
||||
"test_dsa_sign_asn1_FIPS186_3",
|
||||
"test_ec_group",
|
||||
"test_ec_key",
|
||||
"test_ec_point",
|
||||
"test_ec_point_add",
|
||||
"test_ec_point_mul",
|
||||
"test_generate",
|
||||
"test_marshal",
|
||||
"test_sign_verify",
|
||||
"test_sign_verify_raw"]
|
||||
|
||||
irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):003:0> p filter
|
||||
/\A(?=.*)(?!.*(?-mix:(?-mix:memory_leak)|(?-mix:OpenSSL::TestEC.test_check_key)))/
|
||||
=> /\A(?=.*)(?!.*(?-mix:(?-mix:memory_leak)|(?-mix:OpenSSL::TestEC.test_check_key)))/
|
||||
|
||||
irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):004:0> method = "test_check_key"
|
||||
=> "test_check_key"
|
||||
~~~
|
||||
|
||||
The intention here is to exclude the `test_check_key` test case.
|
||||
Unfortunately this does not work as expected, because the negative filter
|
||||
is never checked:
|
||||
|
||||
~~~
|
||||
|
||||
irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):005:0> filter === method
|
||||
=> true
|
||||
|
||||
irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):006:0> filter === "#{suite}##{method}"
|
||||
=> false
|
||||
|
||||
irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):007:0> filter === method || filter === "#{suite}##{method}"
|
||||
=> true
|
||||
~~~
|
||||
|
||||
Therefore always filter against the fully qualified method name
|
||||
`#{suite}##{method}`, which should provide the expected result.
|
||||
|
||||
However, if plain string filter is used, keep checking also only the
|
||||
method name.
|
||||
|
||||
This resolves [Bug #16936].
|
||||
---
|
||||
tool/lib/minitest/unit.rb | 12 +++++++++---
|
||||
1 file changed, 9 insertion(+), 3 deletion(-)
|
||||
|
||||
diff --git a/tool/lib/minitest/unit.rb b/tool/lib/minitest/unit.rb
|
||||
index c58a609bfa..d5af6cb906 100644
|
||||
--- a/tool/lib/minitest/unit.rb
|
||||
+++ b/tool/lib/minitest/unit.rb
|
||||
@@ -956,9 +956,15 @@ def _run_suite suite, type
|
||||
|
||||
all_test_methods = suite.send "#{type}_methods"
|
||||
|
||||
- filtered_test_methods = all_test_methods.find_all { |m|
|
||||
- filter === m || filter === "#{suite}##{m}"
|
||||
- }
|
||||
+ filtered_test_methods = if Regexp === filter
|
||||
+ all_test_methods.find_all { |m|
|
||||
+ filter === "#{suite}##{m}"
|
||||
+ }
|
||||
+ else
|
||||
+ all_test_methods.find_all {|m|
|
||||
+ filter === m || filter === "#{suite}##{m}"
|
||||
+ }
|
||||
+ end
|
||||
|
||||
leakchecker = LeakChecker.new
|
||||
|
||||
--
|
||||
2.32.0
|
||||
|
1450
ruby-3.1.0-Refactor-PEM-DER-serialization-code.patch
Normal file
1450
ruby-3.1.0-Refactor-PEM-DER-serialization-code.patch
Normal file
File diff suppressed because it is too large
Load Diff
16
ruby-3.1.0-SSL_read-EOF-handling.patch
Normal file
16
ruby-3.1.0-SSL_read-EOF-handling.patch
Normal file
@ -0,0 +1,16 @@
|
||||
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
|
||||
index 3b425ca..40e748c 100644
|
||||
--- a/ext/openssl/ossl_ssl.c
|
||||
+++ b/ext/openssl/ossl_ssl.c
|
||||
@@ -1844,6 +1844,11 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
||||
return str;
|
||||
|
||||
GetSSL(self, ssl);
|
||||
+
|
||||
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
|
||||
+ SSL_set_options(ssl, SSL_OP_IGNORE_UNEXPECTED_EOF);
|
||||
+#endif
|
||||
+
|
||||
io = rb_attr_get(self, id_i_io);
|
||||
GetOpenFile(io, fptr);
|
||||
if (ssl_started(ssl)) {
|
1101
ruby-3.1.0-Support-OpenSSL-3.0.patch
Normal file
1101
ruby-3.1.0-Support-OpenSSL-3.0.patch
Normal file
File diff suppressed because it is too large
Load Diff
831
ruby-3.1.0-Use-EVP-API-in-more-places.patch
Normal file
831
ruby-3.1.0-Use-EVP-API-in-more-places.patch
Normal file
@ -0,0 +1,831 @@
|
||||
From cf070378020088cd7e69b1cb08be68152ab8a078 Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Sun, 17 May 2020 18:25:38 +0900
|
||||
Subject: [PATCH 1/3] pkey: implement #to_text using EVP API
|
||||
|
||||
Use EVP_PKEY_print_private() instead of the low-level API *_print()
|
||||
functions, such as RSA_print().
|
||||
|
||||
EVP_PKEY_print_*() family was added in OpenSSL 1.0.0.
|
||||
|
||||
Note that it falls back to EVP_PKEY_print_public() and
|
||||
EVP_PKEY_print_params() as necessary. This is required for EVP_PKEY_DH
|
||||
type for which _private() fails if the private component is not set in
|
||||
the pkey object.
|
||||
|
||||
Since the new API works in the same way for all key types, we now
|
||||
implement #to_text in the base class OpenSSL::PKey::PKey rather than in
|
||||
each subclass.
|
||||
---
|
||||
ext/openssl/ossl_pkey.c | 38 +++++++++++++++++++++++++++++++++++++
|
||||
ext/openssl/ossl_pkey_dh.c | 29 ----------------------------
|
||||
ext/openssl/ossl_pkey_dsa.c | 29 ----------------------------
|
||||
ext/openssl/ossl_pkey_ec.c | 27 --------------------------
|
||||
ext/openssl/ossl_pkey_rsa.c | 31 ------------------------------
|
||||
test/openssl/test_pkey.rb | 5 +++++
|
||||
6 files changed, 43 insertions(+), 116 deletions(-)
|
||||
|
||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
||||
index f9282b9417..21cd4b2cda 100644
|
||||
--- a/ext/openssl/ossl_pkey.c
|
||||
+++ b/ext/openssl/ossl_pkey.c
|
||||
@@ -539,6 +539,43 @@ ossl_pkey_inspect(VALUE self)
|
||||
OBJ_nid2sn(nid));
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * call-seq:
|
||||
+ * pkey.to_text -> string
|
||||
+ *
|
||||
+ * Dumps key parameters, public key, and private key components contained in
|
||||
+ * the key into a human-readable text.
|
||||
+ *
|
||||
+ * This is intended for debugging purpose.
|
||||
+ *
|
||||
+ * See also the man page EVP_PKEY_print_private(3).
|
||||
+ */
|
||||
+static VALUE
|
||||
+ossl_pkey_to_text(VALUE self)
|
||||
+{
|
||||
+ EVP_PKEY *pkey;
|
||||
+ BIO *bio;
|
||||
+
|
||||
+ GetPKey(self, pkey);
|
||||
+ if (!(bio = BIO_new(BIO_s_mem())))
|
||||
+ ossl_raise(ePKeyError, "BIO_new");
|
||||
+
|
||||
+ if (EVP_PKEY_print_private(bio, pkey, 0, NULL) == 1)
|
||||
+ goto out;
|
||||
+ OSSL_BIO_reset(bio);
|
||||
+ if (EVP_PKEY_print_public(bio, pkey, 0, NULL) == 1)
|
||||
+ goto out;
|
||||
+ OSSL_BIO_reset(bio);
|
||||
+ if (EVP_PKEY_print_params(bio, pkey, 0, NULL) == 1)
|
||||
+ goto out;
|
||||
+
|
||||
+ BIO_free(bio);
|
||||
+ ossl_raise(ePKeyError, "EVP_PKEY_print_params");
|
||||
+
|
||||
+ out:
|
||||
+ return ossl_membio2str(bio);
|
||||
+}
|
||||
+
|
||||
VALUE
|
||||
ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
|
||||
{
|
||||
@@ -1039,6 +1076,7 @@ Init_ossl_pkey(void)
|
||||
rb_define_method(cPKey, "initialize", ossl_pkey_initialize, 0);
|
||||
rb_define_method(cPKey, "oid", ossl_pkey_oid, 0);
|
||||
rb_define_method(cPKey, "inspect", ossl_pkey_inspect, 0);
|
||||
+ rb_define_method(cPKey, "to_text", ossl_pkey_to_text, 0);
|
||||
rb_define_method(cPKey, "private_to_der", ossl_pkey_private_to_der, -1);
|
||||
rb_define_method(cPKey, "private_to_pem", ossl_pkey_private_to_pem, -1);
|
||||
rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0);
|
||||
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
|
||||
index 6b477b077c..acd3bf474e 100644
|
||||
--- a/ext/openssl/ossl_pkey_dh.c
|
||||
+++ b/ext/openssl/ossl_pkey_dh.c
|
||||
@@ -266,34 +266,6 @@ ossl_dh_get_params(VALUE self)
|
||||
return hash;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * call-seq:
|
||||
- * dh.to_text -> aString
|
||||
- *
|
||||
- * Prints all parameters of key to buffer
|
||||
- * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!
|
||||
- * Don't use :-)) (I's up to you)
|
||||
- */
|
||||
-static VALUE
|
||||
-ossl_dh_to_text(VALUE self)
|
||||
-{
|
||||
- DH *dh;
|
||||
- BIO *out;
|
||||
- VALUE str;
|
||||
-
|
||||
- GetDH(self, dh);
|
||||
- if (!(out = BIO_new(BIO_s_mem()))) {
|
||||
- ossl_raise(eDHError, NULL);
|
||||
- }
|
||||
- if (!DHparams_print(out, dh)) {
|
||||
- BIO_free(out);
|
||||
- ossl_raise(eDHError, NULL);
|
||||
- }
|
||||
- str = ossl_membio2str(out);
|
||||
-
|
||||
- return str;
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* call-seq:
|
||||
* dh.public_key -> aDH
|
||||
@@ -426,7 +398,6 @@ Init_ossl_dh(void)
|
||||
rb_define_method(cDH, "initialize_copy", ossl_dh_initialize_copy, 1);
|
||||
rb_define_method(cDH, "public?", ossl_dh_is_public, 0);
|
||||
rb_define_method(cDH, "private?", ossl_dh_is_private, 0);
|
||||
- rb_define_method(cDH, "to_text", ossl_dh_to_text, 0);
|
||||
rb_define_method(cDH, "export", ossl_dh_export, 0);
|
||||
rb_define_alias(cDH, "to_pem", "export");
|
||||
rb_define_alias(cDH, "to_s", "export");
|
||||
diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
|
||||
index 1c5a8a737e..f017cceb4a 100644
|
||||
--- a/ext/openssl/ossl_pkey_dsa.c
|
||||
+++ b/ext/openssl/ossl_pkey_dsa.c
|
||||
@@ -264,34 +264,6 @@ ossl_dsa_get_params(VALUE self)
|
||||
return hash;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * call-seq:
|
||||
- * dsa.to_text -> aString
|
||||
- *
|
||||
- * Prints all parameters of key to buffer
|
||||
- * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!
|
||||
- * Don't use :-)) (I's up to you)
|
||||
- */
|
||||
-static VALUE
|
||||
-ossl_dsa_to_text(VALUE self)
|
||||
-{
|
||||
- DSA *dsa;
|
||||
- BIO *out;
|
||||
- VALUE str;
|
||||
-
|
||||
- GetDSA(self, dsa);
|
||||
- if (!(out = BIO_new(BIO_s_mem()))) {
|
||||
- ossl_raise(eDSAError, NULL);
|
||||
- }
|
||||
- if (!DSA_print(out, dsa, 0)) { /* offset = 0 */
|
||||
- BIO_free(out);
|
||||
- ossl_raise(eDSAError, NULL);
|
||||
- }
|
||||
- str = ossl_membio2str(out);
|
||||
-
|
||||
- return str;
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* call-seq:
|
||||
* dsa.public_key -> aDSA
|
||||
@@ -469,7 +441,6 @@ Init_ossl_dsa(void)
|
||||
|
||||
rb_define_method(cDSA, "public?", ossl_dsa_is_public, 0);
|
||||
rb_define_method(cDSA, "private?", ossl_dsa_is_private, 0);
|
||||
- rb_define_method(cDSA, "to_text", ossl_dsa_to_text, 0);
|
||||
rb_define_method(cDSA, "export", ossl_dsa_export, -1);
|
||||
rb_define_alias(cDSA, "to_pem", "export");
|
||||
rb_define_alias(cDSA, "to_s", "export");
|
||||
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
|
||||
index c2534251c3..ecb8305184 100644
|
||||
--- a/ext/openssl/ossl_pkey_ec.c
|
||||
+++ b/ext/openssl/ossl_pkey_ec.c
|
||||
@@ -417,32 +417,6 @@ ossl_ec_key_to_der(VALUE self)
|
||||
else
|
||||
return ossl_pkey_export_spki(self, 1);
|
||||
}
|
||||
-
|
||||
-/*
|
||||
- * call-seq:
|
||||
- * key.to_text => String
|
||||
- *
|
||||
- * See the OpenSSL documentation for EC_KEY_print()
|
||||
- */
|
||||
-static VALUE ossl_ec_key_to_text(VALUE self)
|
||||
-{
|
||||
- EC_KEY *ec;
|
||||
- BIO *out;
|
||||
- VALUE str;
|
||||
-
|
||||
- GetEC(self, ec);
|
||||
- if (!(out = BIO_new(BIO_s_mem()))) {
|
||||
- ossl_raise(eECError, "BIO_new(BIO_s_mem())");
|
||||
- }
|
||||
- if (!EC_KEY_print(out, ec, 0)) {
|
||||
- BIO_free(out);
|
||||
- ossl_raise(eECError, "EC_KEY_print");
|
||||
- }
|
||||
- str = ossl_membio2str(out);
|
||||
-
|
||||
- return str;
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* call-seq:
|
||||
* key.generate_key! => self
|
||||
@@ -1633,7 +1607,6 @@ void Init_ossl_ec(void)
|
||||
rb_define_method(cEC, "export", ossl_ec_key_export, -1);
|
||||
rb_define_alias(cEC, "to_pem", "export");
|
||||
rb_define_method(cEC, "to_der", ossl_ec_key_to_der, 0);
|
||||
- rb_define_method(cEC, "to_text", ossl_ec_key_to_text, 0);
|
||||
|
||||
|
||||
rb_define_alloc_func(cEC_GROUP, ossl_ec_group_alloc);
|
||||
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
|
||||
index 43f82cb29e..7a7e66dbda 100644
|
||||
--- a/ext/openssl/ossl_pkey_rsa.c
|
||||
+++ b/ext/openssl/ossl_pkey_rsa.c
|
||||
@@ -587,36 +587,6 @@ ossl_rsa_get_params(VALUE self)
|
||||
return hash;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * call-seq:
|
||||
- * rsa.to_text => String
|
||||
- *
|
||||
- * THIS METHOD IS INSECURE, PRIVATE INFORMATION CAN LEAK OUT!!!
|
||||
- *
|
||||
- * Dumps all parameters of a keypair to a String
|
||||
- *
|
||||
- * Don't use :-)) (It's up to you)
|
||||
- */
|
||||
-static VALUE
|
||||
-ossl_rsa_to_text(VALUE self)
|
||||
-{
|
||||
- RSA *rsa;
|
||||
- BIO *out;
|
||||
- VALUE str;
|
||||
-
|
||||
- GetRSA(self, rsa);
|
||||
- if (!(out = BIO_new(BIO_s_mem()))) {
|
||||
- ossl_raise(eRSAError, NULL);
|
||||
- }
|
||||
- if (!RSA_print(out, rsa, 0)) { /* offset = 0 */
|
||||
- BIO_free(out);
|
||||
- ossl_raise(eRSAError, NULL);
|
||||
- }
|
||||
- str = ossl_membio2str(out);
|
||||
-
|
||||
- return str;
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* call-seq:
|
||||
* rsa.public_key -> RSA
|
||||
@@ -738,7 +708,6 @@ Init_ossl_rsa(void)
|
||||
|
||||
rb_define_method(cRSA, "public?", ossl_rsa_is_public, 0);
|
||||
rb_define_method(cRSA, "private?", ossl_rsa_is_private, 0);
|
||||
- rb_define_method(cRSA, "to_text", ossl_rsa_to_text, 0);
|
||||
rb_define_method(cRSA, "export", ossl_rsa_export, -1);
|
||||
rb_define_alias(cRSA, "to_pem", "export");
|
||||
rb_define_alias(cRSA, "to_s", "export");
|
||||
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
|
||||
index 5307fe5b08..3630458b3c 100644
|
||||
--- a/test/openssl/test_pkey.rb
|
||||
+++ b/test/openssl/test_pkey.rb
|
||||
@@ -151,4 +151,9 @@ def test_x25519
|
||||
assert_equal bob_pem, bob.public_to_pem
|
||||
assert_equal [shared_secret].pack("H*"), alice.derive(bob)
|
||||
end
|
||||
+
|
||||
+ def test_to_text
|
||||
+ rsa = Fixtures.pkey("rsa1024")
|
||||
+ assert_include rsa.to_text, "publicExponent"
|
||||
+ end
|
||||
end
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
||||
From 0c45b22e485bfa62f4d704b08e3704e6444118c4 Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Thu, 15 Apr 2021 19:11:32 +0900
|
||||
Subject: [PATCH 2/3] pkey: implement {DH,DSA,RSA}#public_key in Ruby
|
||||
|
||||
The low-level API that is used to implement #public_key is deprecated
|
||||
in OpenSSL 3.0. It is actually very simple to implement in another way,
|
||||
using existing methods only, in much shorter code. Let's do it.
|
||||
|
||||
While we are at it, the documentation is updated to recommend against
|
||||
using #public_key. Now that OpenSSL::PKey::PKey implements public_to_der
|
||||
method, there is no real use case for #public_key in newly written Ruby
|
||||
programs.
|
||||
---
|
||||
ext/openssl/lib/openssl/pkey.rb | 55 ++++++++++++++++++++++++++++
|
||||
ext/openssl/ossl_pkey_dh.c | 63 +++++++--------------------------
|
||||
ext/openssl/ossl_pkey_dsa.c | 42 ----------------------
|
||||
ext/openssl/ossl_pkey_rsa.c | 58 +-----------------------------
|
||||
test/openssl/test_pkey_rsa.rb | 37 ++++++++++---------
|
||||
5 files changed, 87 insertions(+), 168 deletions(-)
|
||||
|
||||
diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb
|
||||
index 53ee52f98b..569559e1ce 100644
|
||||
--- a/ext/openssl/lib/openssl/pkey.rb
|
||||
+++ b/ext/openssl/lib/openssl/pkey.rb
|
||||
@@ -10,6 +10,30 @@ module OpenSSL::PKey
|
||||
class DH
|
||||
include OpenSSL::Marshal
|
||||
|
||||
+ # :call-seq:
|
||||
+ # dh.public_key -> dhnew
|
||||
+ #
|
||||
+ # Returns a new DH instance that carries just the \DH parameters.
|
||||
+ #
|
||||
+ # Contrary to the method name, the returned DH object contains only
|
||||
+ # parameters and not the public key.
|
||||
+ #
|
||||
+ # This method is provided for backwards compatibility. In most cases, there
|
||||
+ # is no need to call this method.
|
||||
+ #
|
||||
+ # For the purpose of re-generating the key pair while keeping the
|
||||
+ # parameters, check OpenSSL::PKey.generate_key.
|
||||
+ #
|
||||
+ # Example:
|
||||
+ # # OpenSSL::PKey::DH.generate by default generates a random key pair
|
||||
+ # dh1 = OpenSSL::PKey::DH.generate(2048)
|
||||
+ # p dh1.priv_key #=> #<OpenSSL::BN 1288347...>
|
||||
+ # dhcopy = dh1.public_key
|
||||
+ # p dhcopy.priv_key #=> nil
|
||||
+ def public_key
|
||||
+ DH.new(to_der)
|
||||
+ end
|
||||
+
|
||||
# :call-seq:
|
||||
# dh.compute_key(pub_bn) -> string
|
||||
#
|
||||
@@ -89,6 +113,22 @@ def new(*args, &blk) # :nodoc:
|
||||
class DSA
|
||||
include OpenSSL::Marshal
|
||||
|
||||
+ # :call-seq:
|
||||
+ # dsa.public_key -> dsanew
|
||||
+ #
|
||||
+ # Returns a new DSA instance that carries just the \DSA parameters and the
|
||||
+ # public key.
|
||||
+ #
|
||||
+ # This method is provided for backwards compatibility. In most cases, there
|
||||
+ # is no need to call this method.
|
||||
+ #
|
||||
+ # For the purpose of serializing the public key, to PEM or DER encoding of
|
||||
+ # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
|
||||
+ # PKey#public_to_der.
|
||||
+ def public_key
|
||||
+ OpenSSL::PKey.read(public_to_der)
|
||||
+ end
|
||||
+
|
||||
class << self
|
||||
# :call-seq:
|
||||
# DSA.generate(size) -> dsa
|
||||
@@ -159,6 +199,21 @@ def to_bn(conversion_form = group.point_conversion_form)
|
||||
class RSA
|
||||
include OpenSSL::Marshal
|
||||
|
||||
+ # :call-seq:
|
||||
+ # rsa.public_key -> rsanew
|
||||
+ #
|
||||
+ # Returns a new RSA instance that carries just the public key components.
|
||||
+ #
|
||||
+ # This method is provided for backwards compatibility. In most cases, there
|
||||
+ # is no need to call this method.
|
||||
+ #
|
||||
+ # For the purpose of serializing the public key, to PEM or DER encoding of
|
||||
+ # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
|
||||
+ # PKey#public_to_der.
|
||||
+ def public_key
|
||||
+ OpenSSL::PKey.read(public_to_der)
|
||||
+ end
|
||||
+
|
||||
class << self
|
||||
# :call-seq:
|
||||
# RSA.generate(size, exponent = 65537) -> RSA
|
||||
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
|
||||
index acd3bf474e..a512b209d3 100644
|
||||
--- a/ext/openssl/ossl_pkey_dh.c
|
||||
+++ b/ext/openssl/ossl_pkey_dh.c
|
||||
@@ -266,48 +266,6 @@ ossl_dh_get_params(VALUE self)
|
||||
return hash;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * call-seq:
|
||||
- * dh.public_key -> aDH
|
||||
- *
|
||||
- * Returns a new DH instance that carries just the public information, i.e.
|
||||
- * the prime _p_ and the generator _g_, but no public/private key yet. Such
|
||||
- * a pair may be generated using DH#generate_key!. The "public key" needed
|
||||
- * for a key exchange with DH#compute_key is considered as per-session
|
||||
- * information and may be retrieved with DH#pub_key once a key pair has
|
||||
- * been generated.
|
||||
- * If the current instance already contains private information (and thus a
|
||||
- * valid public/private key pair), this information will no longer be present
|
||||
- * in the new instance generated by DH#public_key. This feature is helpful for
|
||||
- * publishing the Diffie-Hellman parameters without leaking any of the private
|
||||
- * per-session information.
|
||||
- *
|
||||
- * === Example
|
||||
- * dh = OpenSSL::PKey::DH.new(2048) # has public and private key set
|
||||
- * public_key = dh.public_key # contains only prime and generator
|
||||
- * parameters = public_key.to_der # it's safe to publish this
|
||||
- */
|
||||
-static VALUE
|
||||
-ossl_dh_to_public_key(VALUE self)
|
||||
-{
|
||||
- EVP_PKEY *pkey;
|
||||
- DH *orig_dh, *dh;
|
||||
- VALUE obj;
|
||||
-
|
||||
- obj = rb_obj_alloc(rb_obj_class(self));
|
||||
- GetPKey(obj, pkey);
|
||||
-
|
||||
- GetDH(self, orig_dh);
|
||||
- dh = DHparams_dup(orig_dh);
|
||||
- if (!dh)
|
||||
- ossl_raise(eDHError, "DHparams_dup");
|
||||
- if (!EVP_PKEY_assign_DH(pkey, dh)) {
|
||||
- DH_free(dh);
|
||||
- ossl_raise(eDHError, "EVP_PKEY_assign_DH");
|
||||
- }
|
||||
- return obj;
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* call-seq:
|
||||
* dh.params_ok? -> true | false
|
||||
@@ -384,14 +342,20 @@ Init_ossl_dh(void)
|
||||
* The per-session private key, an OpenSSL::BN.
|
||||
*
|
||||
* === Example of a key exchange
|
||||
- * dh1 = OpenSSL::PKey::DH.new(2048)
|
||||
- * der = dh1.public_key.to_der #you may send this publicly to the participating party
|
||||
- * dh2 = OpenSSL::PKey::DH.new(der)
|
||||
- * dh2.generate_key! #generate the per-session key pair
|
||||
- * symm_key1 = dh1.compute_key(dh2.pub_key)
|
||||
- * symm_key2 = dh2.compute_key(dh1.pub_key)
|
||||
+ * # you may send the parameters (der) and own public key (pub1) publicly
|
||||
+ * # to the participating party
|
||||
+ * dh1 = OpenSSL::PKey::DH.new(2048)
|
||||
+ * der = dh1.to_der
|
||||
+ * pub1 = dh1.pub_key
|
||||
+ *
|
||||
+ * # the other party generates its per-session key pair
|
||||
+ * dhparams = OpenSSL::PKey::DH.new(der)
|
||||
+ * dh2 = OpenSSL::PKey.generate_key(dhparams)
|
||||
+ * pub2 = dh2.pub_key
|
||||
*
|
||||
- * puts symm_key1 == symm_key2 # => true
|
||||
+ * symm_key1 = dh1.compute_key(pub2)
|
||||
+ * symm_key2 = dh2.compute_key(pub1)
|
||||
+ * puts symm_key1 == symm_key2 # => true
|
||||
*/
|
||||
cDH = rb_define_class_under(mPKey, "DH", cPKey);
|
||||
rb_define_method(cDH, "initialize", ossl_dh_initialize, -1);
|
||||
@@ -402,7 +366,6 @@ Init_ossl_dh(void)
|
||||
rb_define_alias(cDH, "to_pem", "export");
|
||||
rb_define_alias(cDH, "to_s", "export");
|
||||
rb_define_method(cDH, "to_der", ossl_dh_to_der, 0);
|
||||
- rb_define_method(cDH, "public_key", ossl_dh_to_public_key, 0);
|
||||
rb_define_method(cDH, "params_ok?", ossl_dh_check_params, 0);
|
||||
|
||||
DEF_OSSL_PKEY_BN(cDH, dh, p);
|
||||
diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
|
||||
index f017cceb4a..ab9ac781e8 100644
|
||||
--- a/ext/openssl/ossl_pkey_dsa.c
|
||||
+++ b/ext/openssl/ossl_pkey_dsa.c
|
||||
@@ -264,47 +264,6 @@ ossl_dsa_get_params(VALUE self)
|
||||
return hash;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * call-seq:
|
||||
- * dsa.public_key -> aDSA
|
||||
- *
|
||||
- * Returns a new DSA instance that carries just the public key information.
|
||||
- * If the current instance has also private key information, this will no
|
||||
- * longer be present in the new instance. This feature is helpful for
|
||||
- * publishing the public key information without leaking any of the private
|
||||
- * information.
|
||||
- *
|
||||
- * === Example
|
||||
- * dsa = OpenSSL::PKey::DSA.new(2048) # has public and private information
|
||||
- * pub_key = dsa.public_key # has only the public part available
|
||||
- * pub_key_der = pub_key.to_der # it's safe to publish this
|
||||
- *
|
||||
- *
|
||||
- */
|
||||
-static VALUE
|
||||
-ossl_dsa_to_public_key(VALUE self)
|
||||
-{
|
||||
- EVP_PKEY *pkey, *pkey_new;
|
||||
- DSA *dsa;
|
||||
- VALUE obj;
|
||||
-
|
||||
- GetPKeyDSA(self, pkey);
|
||||
- obj = rb_obj_alloc(rb_obj_class(self));
|
||||
- GetPKey(obj, pkey_new);
|
||||
-
|
||||
-#define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup( \
|
||||
- (i2d_of_void *)i2d_DSAPublicKey, (d2i_of_void *)d2i_DSAPublicKey, (char *)(dsa))
|
||||
- dsa = DSAPublicKey_dup(EVP_PKEY_get0_DSA(pkey));
|
||||
-#undef DSAPublicKey_dup
|
||||
- if (!dsa)
|
||||
- ossl_raise(eDSAError, "DSAPublicKey_dup");
|
||||
- if (!EVP_PKEY_assign_DSA(pkey_new, dsa)) {
|
||||
- DSA_free(dsa);
|
||||
- ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");
|
||||
- }
|
||||
- return obj;
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* call-seq:
|
||||
* dsa.syssign(string) -> aString
|
||||
@@ -445,7 +404,6 @@ Init_ossl_dsa(void)
|
||||
rb_define_alias(cDSA, "to_pem", "export");
|
||||
rb_define_alias(cDSA, "to_s", "export");
|
||||
rb_define_method(cDSA, "to_der", ossl_dsa_to_der, 0);
|
||||
- rb_define_method(cDSA, "public_key", ossl_dsa_to_public_key, 0);
|
||||
rb_define_method(cDSA, "syssign", ossl_dsa_sign, 1);
|
||||
rb_define_method(cDSA, "sysverify", ossl_dsa_verify, 2);
|
||||
|
||||
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
|
||||
index 7a7e66dbda..1c5476cdcd 100644
|
||||
--- a/ext/openssl/ossl_pkey_rsa.c
|
||||
+++ b/ext/openssl/ossl_pkey_rsa.c
|
||||
@@ -390,7 +390,7 @@ ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self)
|
||||
* data = "Sign me!"
|
||||
* pkey = OpenSSL::PKey::RSA.new(2048)
|
||||
* signature = pkey.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA256")
|
||||
- * pub_key = pkey.public_key
|
||||
+ * pub_key = OpenSSL::PKey.read(pkey.public_to_der)
|
||||
* puts pub_key.verify_pss("SHA256", signature, data,
|
||||
* salt_length: :auto, mgf1_hash: "SHA256") # => true
|
||||
*/
|
||||
@@ -587,61 +587,6 @@ ossl_rsa_get_params(VALUE self)
|
||||
return hash;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * call-seq:
|
||||
- * rsa.public_key -> RSA
|
||||
- *
|
||||
- * Makes new RSA instance containing the public key from the private key.
|
||||
- */
|
||||
-static VALUE
|
||||
-ossl_rsa_to_public_key(VALUE self)
|
||||
-{
|
||||
- EVP_PKEY *pkey, *pkey_new;
|
||||
- RSA *rsa;
|
||||
- VALUE obj;
|
||||
-
|
||||
- GetPKeyRSA(self, pkey);
|
||||
- obj = rb_obj_alloc(rb_obj_class(self));
|
||||
- GetPKey(obj, pkey_new);
|
||||
-
|
||||
- rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(pkey));
|
||||
- if (!rsa)
|
||||
- ossl_raise(eRSAError, "RSAPublicKey_dup");
|
||||
- if (!EVP_PKEY_assign_RSA(pkey_new, rsa)) {
|
||||
- RSA_free(rsa);
|
||||
- ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
|
||||
- }
|
||||
- return obj;
|
||||
-}
|
||||
-
|
||||
-/*
|
||||
- * TODO: Test me
|
||||
-
|
||||
-static VALUE
|
||||
-ossl_rsa_blinding_on(VALUE self)
|
||||
-{
|
||||
- RSA *rsa;
|
||||
-
|
||||
- GetRSA(self, rsa);
|
||||
-
|
||||
- if (RSA_blinding_on(rsa, ossl_bn_ctx) != 1) {
|
||||
- ossl_raise(eRSAError, NULL);
|
||||
- }
|
||||
- return self;
|
||||
-}
|
||||
-
|
||||
-static VALUE
|
||||
-ossl_rsa_blinding_off(VALUE self)
|
||||
-{
|
||||
- RSA *rsa;
|
||||
-
|
||||
- GetRSA(self, rsa);
|
||||
- RSA_blinding_off(rsa);
|
||||
-
|
||||
- return self;
|
||||
-}
|
||||
- */
|
||||
-
|
||||
/*
|
||||
* Document-method: OpenSSL::PKey::RSA#set_key
|
||||
* call-seq:
|
||||
@@ -712,7 +657,6 @@ Init_ossl_rsa(void)
|
||||
rb_define_alias(cRSA, "to_pem", "export");
|
||||
rb_define_alias(cRSA, "to_s", "export");
|
||||
rb_define_method(cRSA, "to_der", ossl_rsa_to_der, 0);
|
||||
- rb_define_method(cRSA, "public_key", ossl_rsa_to_public_key, 0);
|
||||
rb_define_method(cRSA, "public_encrypt", ossl_rsa_public_encrypt, -1);
|
||||
rb_define_method(cRSA, "public_decrypt", ossl_rsa_public_decrypt, -1);
|
||||
rb_define_method(cRSA, "private_encrypt", ossl_rsa_private_encrypt, -1);
|
||||
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
|
||||
index d1e68dbc9f..5f8d04e754 100644
|
||||
--- a/test/openssl/test_pkey_rsa.rb
|
||||
+++ b/test/openssl/test_pkey_rsa.rb
|
||||
@@ -69,29 +69,28 @@ def test_private
|
||||
end
|
||||
|
||||
def test_new
|
||||
- key = OpenSSL::PKey::RSA.new 512
|
||||
- pem = key.public_key.to_pem
|
||||
- OpenSSL::PKey::RSA.new pem
|
||||
- assert_equal([], OpenSSL.errors)
|
||||
- end
|
||||
+ key = OpenSSL::PKey::RSA.new(512)
|
||||
+ assert_equal 512, key.n.num_bits
|
||||
+ assert_equal 65537, key.e
|
||||
+ assert_not_nil key.d
|
||||
|
||||
- def test_new_exponent_default
|
||||
- assert_equal(65537, OpenSSL::PKey::RSA.new(512).e)
|
||||
+ # Specify public exponent
|
||||
+ key2 = OpenSSL::PKey::RSA.new(512, 3)
|
||||
+ assert_equal 512, key2.n.num_bits
|
||||
+ assert_equal 3, key2.e
|
||||
+ assert_not_nil key2.d
|
||||
end
|
||||
|
||||
- def test_new_with_exponent
|
||||
- 1.upto(30) do |idx|
|
||||
- e = (2 ** idx) + 1
|
||||
- key = OpenSSL::PKey::RSA.new(512, e)
|
||||
- assert_equal(e, key.e)
|
||||
- end
|
||||
- end
|
||||
+ def test_s_generate
|
||||
+ key1 = OpenSSL::PKey::RSA.generate(512)
|
||||
+ assert_equal 512, key1.n.num_bits
|
||||
+ assert_equal 65537, key1.e
|
||||
|
||||
- def test_generate
|
||||
- key = OpenSSL::PKey::RSA.generate(512, 17)
|
||||
- assert_equal 512, key.n.num_bits
|
||||
- assert_equal 17, key.e
|
||||
- assert_not_nil key.d
|
||||
+ # Specify public exponent
|
||||
+ key2 = OpenSSL::PKey::RSA.generate(512, 3)
|
||||
+ assert_equal 512, key2.n.num_bits
|
||||
+ assert_equal 3, key2.e
|
||||
+ assert_not_nil key2.d
|
||||
end
|
||||
|
||||
def test_new_break
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
||||
From 2150af0e55b2a25c24f62006e27e0aec3dc81b57 Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Fri, 10 Jul 2020 14:34:51 +0900
|
||||
Subject: [PATCH 3/3] pkey/dh, pkey/ec: use EVP_PKEY_check() family
|
||||
|
||||
Use EVP_PKEY_param_check() instead of DH_check() if available. Also,
|
||||
use EVP_PKEY_public_check() instead of EC_KEY_check_key().
|
||||
|
||||
EVP_PKEY_*check() is part of the EVP API and is meant to replace those
|
||||
low-level functions. They were added by OpenSSL 1.1.1. It is currently
|
||||
not provided by LibreSSL.
|
||||
---
|
||||
ext/openssl/extconf.rb | 3 +++
|
||||
ext/openssl/ossl_pkey_dh.c | 27 +++++++++++++++++++++++----
|
||||
ext/openssl/ossl_pkey_ec.c | 23 +++++++++++++++++++----
|
||||
test/openssl/test_pkey_dh.rb | 16 ++++++++++++++++
|
||||
4 files changed, 61 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
||||
index b3c6647faf..17d93443fc 100644
|
||||
--- a/ext/openssl/extconf.rb
|
||||
+++ b/ext/openssl/extconf.rb
|
||||
@@ -173,6 +173,9 @@ def find_openssl_library
|
||||
have_func("EVP_PBE_scrypt")
|
||||
have_func("SSL_CTX_set_post_handshake_auth")
|
||||
|
||||
+# added in 1.1.1
|
||||
+have_func("EVP_PKEY_check")
|
||||
+
|
||||
Logging::message "=== Checking done. ===\n"
|
||||
|
||||
create_header
|
||||
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
|
||||
index a512b209d3..ca782bbe59 100644
|
||||
--- a/ext/openssl/ossl_pkey_dh.c
|
||||
+++ b/ext/openssl/ossl_pkey_dh.c
|
||||
@@ -273,19 +273,38 @@ ossl_dh_get_params(VALUE self)
|
||||
* Validates the Diffie-Hellman parameters associated with this instance.
|
||||
* It checks whether a safe prime and a suitable generator are used. If this
|
||||
* is not the case, +false+ is returned.
|
||||
+ *
|
||||
+ * See also the man page EVP_PKEY_param_check(3).
|
||||
*/
|
||||
static VALUE
|
||||
ossl_dh_check_params(VALUE self)
|
||||
{
|
||||
+ int ret;
|
||||
+#ifdef HAVE_EVP_PKEY_CHECK
|
||||
+ EVP_PKEY *pkey;
|
||||
+ EVP_PKEY_CTX *pctx;
|
||||
+
|
||||
+ GetPKey(self, pkey);
|
||||
+ pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
|
||||
+ if (!pctx)
|
||||
+ ossl_raise(eDHError, "EVP_PKEY_CTX_new");
|
||||
+ ret = EVP_PKEY_param_check(pctx);
|
||||
+ EVP_PKEY_CTX_free(pctx);
|
||||
+#else
|
||||
DH *dh;
|
||||
int codes;
|
||||
|
||||
GetDH(self, dh);
|
||||
- if (!DH_check(dh, &codes)) {
|
||||
- return Qfalse;
|
||||
- }
|
||||
+ ret = DH_check(dh, &codes) == 1 && codes == 0;
|
||||
+#endif
|
||||
|
||||
- return codes == 0 ? Qtrue : Qfalse;
|
||||
+ if (ret == 1)
|
||||
+ return Qtrue;
|
||||
+ else {
|
||||
+ /* DH_check_ex() will put error entry on failure */
|
||||
+ ossl_clear_error();
|
||||
+ return Qfalse;
|
||||
+ }
|
||||
}
|
||||
|
||||
/*
|
||||
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
|
||||
index ecb8305184..829529d4b9 100644
|
||||
--- a/ext/openssl/ossl_pkey_ec.c
|
||||
+++ b/ext/openssl/ossl_pkey_ec.c
|
||||
@@ -443,20 +443,35 @@ static VALUE ossl_ec_key_generate_key(VALUE self)
|
||||
}
|
||||
|
||||
/*
|
||||
- * call-seq:
|
||||
- * key.check_key => true
|
||||
+ * call-seq:
|
||||
+ * key.check_key => true
|
||||
*
|
||||
- * Raises an exception if the key is invalid.
|
||||
+ * Raises an exception if the key is invalid.
|
||||
*
|
||||
- * See the OpenSSL documentation for EC_KEY_check_key()
|
||||
+ * See also the man page EVP_PKEY_public_check(3).
|
||||
*/
|
||||
static VALUE ossl_ec_key_check_key(VALUE self)
|
||||
{
|
||||
+#ifdef HAVE_EVP_PKEY_CHECK
|
||||
+ EVP_PKEY *pkey;
|
||||
+ EVP_PKEY_CTX *pctx;
|
||||
+ int ret;
|
||||
+
|
||||
+ GetPKey(self, pkey);
|
||||
+ pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
|
||||
+ if (!pctx)
|
||||
+ ossl_raise(eDHError, "EVP_PKEY_CTX_new");
|
||||
+ ret = EVP_PKEY_public_check(pctx);
|
||||
+ EVP_PKEY_CTX_free(pctx);
|
||||
+ if (ret != 1)
|
||||
+ ossl_raise(eECError, "EVP_PKEY_public_check");
|
||||
+#else
|
||||
EC_KEY *ec;
|
||||
|
||||
GetEC(self, ec);
|
||||
if (EC_KEY_check_key(ec) != 1)
|
||||
ossl_raise(eECError, "EC_KEY_check_key");
|
||||
+#endif
|
||||
|
||||
return Qtrue;
|
||||
}
|
||||
diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
|
||||
index 279ce1984c..f80af8f841 100644
|
||||
--- a/test/openssl/test_pkey_dh.rb
|
||||
+++ b/test/openssl/test_pkey_dh.rb
|
||||
@@ -86,6 +86,22 @@ def test_key_exchange
|
||||
assert_equal(dh.compute_key(dh2.pub_key), dh2.compute_key(dh.pub_key))
|
||||
end
|
||||
|
||||
+ def test_params_ok?
|
||||
+ dh0 = Fixtures.pkey("dh1024")
|
||||
+
|
||||
+ dh1 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
|
||||
+ OpenSSL::ASN1::Integer(dh0.p),
|
||||
+ OpenSSL::ASN1::Integer(dh0.g)
|
||||
+ ]))
|
||||
+ assert_equal(true, dh1.params_ok?)
|
||||
+
|
||||
+ dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
|
||||
+ OpenSSL::ASN1::Integer(dh0.p + 1),
|
||||
+ OpenSSL::ASN1::Integer(dh0.g)
|
||||
+ ]))
|
||||
+ assert_equal(false, dh2.params_ok?)
|
||||
+ end
|
||||
+
|
||||
def test_dup
|
||||
dh = Fixtures.pkey("dh1024")
|
||||
dh2 = dh.dup
|
||||
--
|
||||
2.32.0
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,29 @@
|
||||
From b4b5eab2a5fd0e9ac62c01102dd26d0a433c5683 Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Mon, 18 May 2020 02:17:28 +0900
|
||||
Subject: [PATCH] test/openssl/test_digest: do not test constants for legacy
|
||||
algorithms
|
||||
|
||||
Remove availability test for MD4 and RIPEMD160 as they are considered
|
||||
legacy and may be missing depending on the compile-time options of
|
||||
OpenSSL. OpenSSL 3.0 by default disables them.
|
||||
---
|
||||
test/openssl/test_digest.rb | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/test/openssl/test_digest.rb b/test/openssl/test_digest.rb
|
||||
index 8d7046e831..84c128c12f 100644
|
||||
--- a/test/openssl/test_digest.rb
|
||||
+++ b/test/openssl/test_digest.rb
|
||||
@@ -54,7 +54,7 @@ def test_reset
|
||||
end
|
||||
|
||||
def test_digest_constants
|
||||
- %w{MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512}.each do |name|
|
||||
+ %w{MD5 SHA1 SHA224 SHA256 SHA384 SHA512}.each do |name|
|
||||
assert_not_nil(OpenSSL::Digest.new(name))
|
||||
klass = OpenSSL::Digest.const_get(name.tr('-', '_'))
|
||||
assert_not_nil(klass.new)
|
||||
--
|
||||
2.32.0
|
||||
|
@ -0,0 +1,439 @@
|
||||
From 9596788bdd2d061bef042485af14262e9fc4020c Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Thu, 13 Aug 2020 23:20:55 +0900
|
||||
Subject: [PATCH] test/openssl/test_pkcs12: fix test failures with OpenSSL 3.0
|
||||
|
||||
OpenSSL's PKCS12_create() by default uses pbewithSHAAnd40BitRC2-CBC for
|
||||
encryption of the certificates. However, in OpenSSL 3.0, the algorithm
|
||||
is part of the legacy provider and is not enabled by default.
|
||||
|
||||
Specify another algorithm that is still in the default provider for
|
||||
these test cases.
|
||||
---
|
||||
test/openssl/test_pkcs12.rb | 297 ++++++++++++++++++------------------
|
||||
1 file changed, 149 insertions(+), 148 deletions(-)
|
||||
|
||||
diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb
|
||||
index fdbe753b17..ec676743bc 100644
|
||||
--- a/test/openssl/test_pkcs12.rb
|
||||
+++ b/test/openssl/test_pkcs12.rb
|
||||
@@ -5,6 +5,9 @@
|
||||
|
||||
module OpenSSL
|
||||
class TestPKCS12 < OpenSSL::TestCase
|
||||
+ DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES"
|
||||
+ DEFAULT_PBE_CERTS = "PBE-SHA1-3DES"
|
||||
+
|
||||
def setup
|
||||
super
|
||||
ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
|
||||
@@ -14,47 +17,41 @@ def setup
|
||||
["subjectKeyIdentifier","hash",false],
|
||||
["authorityKeyIdentifier","keyid:always",false],
|
||||
]
|
||||
- @cacert = issue_cert(ca, Fixtures.pkey("rsa2048"), 1, ca_exts, nil, nil)
|
||||
+ ca_key = Fixtures.pkey("rsa-1")
|
||||
+ @cacert = issue_cert(ca, ca_key, 1, ca_exts, nil, nil)
|
||||
|
||||
inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA")
|
||||
- inter_ca_key = OpenSSL::PKey.read <<-_EOS_
|
||||
------BEGIN RSA PRIVATE KEY-----
|
||||
-MIICXAIBAAKBgQDp7hIG0SFMG/VWv1dBUWziAPrNmkMXJgTCAoB7jffzRtyyN04K
|
||||
-oq/89HAszTMStZoMigQURfokzKsjpUp8OYCAEsBtt9d5zPndWMz/gHN73GrXk3LT
|
||||
-ZsxEn7Xv5Da+Y9F/Hx2QZUHarV5cdZixq2NbzWGwrToogOQMh2pxN3Z/0wIDAQAB
|
||||
-AoGBAJysUyx3olpsGzv3OMRJeahASbmsSKTXVLZvoIefxOINosBFpCIhZccAG6UV
|
||||
-5c/xCvS89xBw8aD15uUfziw3AuT8QPEtHCgfSjeT7aWzBfYswEgOW4XPuWr7EeI9
|
||||
-iNHGD6z+hCN/IQr7FiEBgTp6A+i/hffcSdR83fHWKyb4M7TRAkEA+y4BNd668HmC
|
||||
-G5MPRx25n6LixuBxrNp1umfjEI6UZgEFVpYOg4agNuimN6NqM253kcTR94QNTUs5
|
||||
-Kj3EhG1YWwJBAO5rUjiOyCNVX2WUQrOMYK/c1lU7fvrkdygXkvIGkhsPoNRzLPeA
|
||||
-HGJszKtrKD8bNihWpWNIyqKRHfKVD7yXT+kCQGCAhVCIGTRoypcDghwljHqLnysf
|
||||
-ci0h5ZdPcIqc7ODfxYhFsJ/Rql5ONgYsT5Ig/+lOQAkjf+TRYM4c2xKx2/8CQBvG
|
||||
-jv6dy70qDgIUgqzONtlmHeYyFzn9cdBO5sShdVYHvRHjFSMEXsosqK9zvW2UqvuK
|
||||
-FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3
|
||||
-Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
|
||||
------END RSA PRIVATE KEY-----
|
||||
- _EOS_
|
||||
- @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, Fixtures.pkey("rsa2048"))
|
||||
+ inter_ca_key = Fixtures.pkey("rsa-2")
|
||||
+ @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, ca_key)
|
||||
|
||||
exts = [
|
||||
["keyUsage","digitalSignature",true],
|
||||
["subjectKeyIdentifier","hash",false],
|
||||
]
|
||||
ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate")
|
||||
- @mykey = Fixtures.pkey("rsa1024")
|
||||
+ @mykey = Fixtures.pkey("rsa-3")
|
||||
@mycert = issue_cert(ee, @mykey, 3, exts, @inter_cacert, inter_ca_key)
|
||||
end
|
||||
|
||||
- def test_create
|
||||
+ def test_create_single_key_single_cert
|
||||
pkcs12 = OpenSSL::PKCS12.create(
|
||||
"omg",
|
||||
"hello",
|
||||
@mykey,
|
||||
- @mycert
|
||||
+ @mycert,
|
||||
+ nil,
|
||||
+ DEFAULT_PBE_PKEYS,
|
||||
+ DEFAULT_PBE_CERTS,
|
||||
)
|
||||
- assert_equal @mycert.to_der, pkcs12.certificate.to_der
|
||||
+ assert_equal @mycert, pkcs12.certificate
|
||||
assert_equal @mykey.to_der, pkcs12.key.to_der
|
||||
assert_nil pkcs12.ca_certs
|
||||
+
|
||||
+ der = pkcs12.to_der
|
||||
+ decoded = OpenSSL::PKCS12.new(der, "omg")
|
||||
+ assert_equal @mykey.to_der, decoded.key.to_der
|
||||
+ assert_equal @mycert, decoded.certificate
|
||||
+ assert_equal [], Array(decoded.ca_certs)
|
||||
end
|
||||
|
||||
def test_create_no_pass
|
||||
@@ -62,14 +59,17 @@ def test_create_no_pass
|
||||
nil,
|
||||
"hello",
|
||||
@mykey,
|
||||
- @mycert
|
||||
+ @mycert,
|
||||
+ nil,
|
||||
+ DEFAULT_PBE_PKEYS,
|
||||
+ DEFAULT_PBE_CERTS,
|
||||
)
|
||||
- assert_equal @mycert.to_der, pkcs12.certificate.to_der
|
||||
+ assert_equal @mycert, pkcs12.certificate
|
||||
assert_equal @mykey.to_der, pkcs12.key.to_der
|
||||
assert_nil pkcs12.ca_certs
|
||||
|
||||
decoded = OpenSSL::PKCS12.new(pkcs12.to_der)
|
||||
- assert_cert @mycert, decoded.certificate
|
||||
+ assert_equal @mycert, decoded.certificate
|
||||
end
|
||||
|
||||
def test_create_with_chain
|
||||
@@ -80,7 +80,9 @@ def test_create_with_chain
|
||||
"hello",
|
||||
@mykey,
|
||||
@mycert,
|
||||
- chain
|
||||
+ chain,
|
||||
+ DEFAULT_PBE_PKEYS,
|
||||
+ DEFAULT_PBE_CERTS,
|
||||
)
|
||||
assert_equal chain, pkcs12.ca_certs
|
||||
end
|
||||
@@ -95,14 +97,16 @@ def test_create_with_chain_decode
|
||||
"hello",
|
||||
@mykey,
|
||||
@mycert,
|
||||
- chain
|
||||
+ chain,
|
||||
+ DEFAULT_PBE_PKEYS,
|
||||
+ DEFAULT_PBE_CERTS,
|
||||
)
|
||||
|
||||
decoded = OpenSSL::PKCS12.new(pkcs12.to_der, passwd)
|
||||
assert_equal chain.size, decoded.ca_certs.size
|
||||
- assert_include_cert @cacert, decoded.ca_certs
|
||||
- assert_include_cert @inter_cacert, decoded.ca_certs
|
||||
- assert_cert @mycert, decoded.certificate
|
||||
+ assert_include decoded.ca_certs, @cacert
|
||||
+ assert_include decoded.ca_certs, @inter_cacert
|
||||
+ assert_equal @mycert, decoded.certificate
|
||||
assert_equal @mykey.to_der, decoded.key.to_der
|
||||
end
|
||||
|
||||
@@ -126,8 +130,8 @@ def test_create_with_itr
|
||||
@mykey,
|
||||
@mycert,
|
||||
[],
|
||||
- nil,
|
||||
- nil,
|
||||
+ DEFAULT_PBE_PKEYS,
|
||||
+ DEFAULT_PBE_CERTS,
|
||||
2048
|
||||
)
|
||||
|
||||
@@ -138,8 +142,8 @@ def test_create_with_itr
|
||||
@mykey,
|
||||
@mycert,
|
||||
[],
|
||||
- nil,
|
||||
- nil,
|
||||
+ DEFAULT_PBE_PKEYS,
|
||||
+ DEFAULT_PBE_CERTS,
|
||||
"omg"
|
||||
)
|
||||
end
|
||||
@@ -152,7 +156,8 @@ def test_create_with_mac_itr
|
||||
@mykey,
|
||||
@mycert,
|
||||
[],
|
||||
- nil,
|
||||
+ DEFAULT_PBE_PKEYS,
|
||||
+ DEFAULT_PBE_CERTS,
|
||||
nil,
|
||||
nil,
|
||||
2048
|
||||
@@ -165,148 +170,144 @@ def test_create_with_mac_itr
|
||||
@mykey,
|
||||
@mycert,
|
||||
[],
|
||||
- nil,
|
||||
- nil,
|
||||
+ DEFAULT_PBE_PKEYS,
|
||||
+ DEFAULT_PBE_CERTS,
|
||||
nil,
|
||||
"omg"
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
- def test_new_with_one_key_and_one_cert
|
||||
- # generated with:
|
||||
- # openssl version #=> OpenSSL 1.0.2h 3 May 2016
|
||||
- # openssl pkcs12 -in <@mycert> -inkey <RSA1024> -export -out <out>
|
||||
- str = <<~EOF.unpack("m").first
|
||||
-MIIGQQIBAzCCBgcGCSqGSIb3DQEHAaCCBfgEggX0MIIF8DCCAu8GCSqGSIb3DQEH
|
||||
-BqCCAuAwggLcAgEAMIIC1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIeZPM
|
||||
-Rh6KiXgCAggAgIICqL6O+LCZmBzdIg6mozPF3FpY0hVbWHvTNMiDHieW3CrAanhN
|
||||
-YCH2/wHqH8WpFpEWwF0qEEXAWjHsIlYB4Cfqo6b7XpuZe5eVESsjNTOTMF1JCUJj
|
||||
-A6iNefXmCFLync1JK5LUodRDhTlKLU1WPK20X9X4vuEwHn8wt5RUb8P0E+Xh6rpS
|
||||
-XC4LkZKT45zF3cJa/n5+dW65ohVGNVnF9D1bCNEKHMOllK1V9omutQ9slW88hpga
|
||||
-LGiFsJoFOb/ESGb78KO+bd6zbX1MdKdBV+WD6t1uF/cgU65y+2A4nXs1urda+MJ7
|
||||
-7iVqiB7Vnc9cANTbAkTSGNyoUDVM/NZde782/8IvddLAzUZ2EftoRDke6PvuBOVL
|
||||
-ljBhNWmdamrtBqzuzVZCRdWq44KZkF2Xoc9asepwIkdVmntzQF7f1Z+Ta5yg6HFp
|
||||
-xnr7CuM+MlHEShXkMgYtHnwAq10fDMSXIvjhi/AA5XUAusDO3D+hbtcRDcJ4uUes
|
||||
-dm5dhQE2qJ02Ysn4aH3o1F3RYNOzrxejHJwl0D2TCE8Ww2X342xib57+z9u03ufj
|
||||
-jswhiMKxy67f1LhUMq3XrT3uV6kCVXk/KUOUPcXPlPVNA5JmZeFhMp6GrtB5xJJ9
|
||||
-wwBZD8UL5A2U2Mxi2OZsdUBv8eo3jnjZ284aFpt+mCjIHrLW5O0jwY8OCwSlYUoY
|
||||
-IY00wlabX0s82kBcIQNZbC1RSV2267ro/7A0MClc8YQ/zWN0FKY6apgtUkHJI1cL
|
||||
-1dc77mhnjETjwW94iLMDFy4zQfVu7IfCBqOBzygRNnqqUG66UhTs1xFnWM0mWXl/
|
||||
-Zh9+AMpbRLIPaKCktIjl5juzzm+KEgkhD+707XRCFIGUYGP5bSHzGaz8PK9hj0u1
|
||||
-E2SpZHUvYOcawmxtA7pmpSxl5uQjMIIC+QYJKoZIhvcNAQcBoIIC6gSCAuYwggLi
|
||||
-MIIC3gYLKoZIhvcNAQwKAQKgggKmMIICojAcBgoqhkiG9w0BDAEDMA4ECKB338m8
|
||||
-qSzHAgIIAASCAoACFhJeqA3xx+s1qIH6udNQYY5hAL6oz7SXoGwFhDiceSyJjmAD
|
||||
-Dby9XWM0bPl1Gj5nqdsuI/lAM++fJeoETk+rxw8q6Ofk2zUaRRE39qgpwBwSk44o
|
||||
-0SAFJ6bzHpc5CFh6sZmDaUX5Lm9GtjnGFmmsPTSJT5an5JuJ9WczGBEd0nSBQhJq
|
||||
-xHbTGZiN8i3SXcIH531Sub+CBIFWy5lyCKgDYh/kgJFGQAaWUOjLI+7dCEESonXn
|
||||
-F3Jh2uPbnDF9MGJyAFoNgWFhgSpi1cf6AUi87GY4Oyur88ddJ1o0D0Kz2uw8/bpG
|
||||
-s3O4PYnIW5naZ8mozzbnYByEFk7PoTwM7VhoFBfYNtBoAI8+hBnPY/Y71YUojEXf
|
||||
-SeX6QbtkIANfzS1XuFNKElShC3DPQIHpKzaatEsfxHfP+8VOav6zcn4mioao7NHA
|
||||
-x7Dp6R1enFGoQOq4UNjBT8YjnkG5vW8zQHW2dAHLTJBq6x2Fzm/4Pjo/8vM1FiGl
|
||||
-BQdW5vfDeJ/l6NgQm3xR9ka2E2HaDqIcj1zWbN8jy/bHPFJYuF/HH8MBV/ngMIXE
|
||||
-vFEW/ToYv8eif0+EpUtzBsCKD4a7qYYYh87RmEVoQU96q6m+UbhpD2WztYfAPkfo
|
||||
-OSL9j2QHhVczhL7OAgqNeM95pOsjA9YMe7exTeqK31LYnTX8oH8WJD1xGbRSJYgu
|
||||
-SY6PQbumcJkc/TFPn0GeVUpiDdf83SeG50lo/i7UKQi2l1hi5Y51fQhnBnyMr68D
|
||||
-llSZEvSWqfDxBJkBpeg6PIYvkTpEwKRJpVQoM3uYvdqVSSnW6rydqIb+snfOrlhd
|
||||
-f+xCtq9xr+kHeTSqLIDRRAnMfgFRhY3IBlj6MSUwIwYJKoZIhvcNAQkVMRYEFBdb
|
||||
-8XGWehZ6oPj56Pf/uId46M9AMDEwITAJBgUrDgMCGgUABBRvSCB04/f8f13pp2PF
|
||||
-vyl2WuMdEwQIMWFFphPkIUICAggA
|
||||
- EOF
|
||||
- p12 = OpenSSL::PKCS12.new(str, "abc123")
|
||||
-
|
||||
- assert_equal @mykey.to_der, p12.key.to_der
|
||||
- assert_equal @mycert.subject.to_der, p12.certificate.subject.to_der
|
||||
- assert_equal [], Array(p12.ca_certs)
|
||||
- end
|
||||
-
|
||||
def test_new_with_no_keys
|
||||
# generated with:
|
||||
- # openssl pkcs12 -in <@mycert> -nokeys -export -out <out>
|
||||
+ # openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export
|
||||
str = <<~EOF.unpack("m").first
|
||||
-MIIDHAIBAzCCAuIGCSqGSIb3DQEHAaCCAtMEggLPMIICyzCCAscGCSqGSIb3DQEH
|
||||
-BqCCArgwggK0AgEAMIICrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIX4+W
|
||||
-irqwH40CAggAgIICgOaCyo+5+6IOVoGCCL80c50bkkzAwqdXxvkKExJSdcJz2uMU
|
||||
-0gRrKnZEjL5wrUsN8RwZu8DvgQTEhNEkKsUgM7AWainmN/EnwohIdHZAHpm6WD67
|
||||
-I9kLGp0/DHrqZrV9P2dLfhXLUSQE8PI0tqZPZ8UEABhizkViw4eISTkrOUN7pGbN
|
||||
-Qtx/oqgitXDuX2polbxYYDwt9vfHZhykHoKgew26SeJyZfeMs/WZ6olEI4cQUAFr
|
||||
-mvYGuC1AxEGTo9ERmU8Pm16j9Hr9PFk50WYe+rnk9oX3wJogQ7XUWS5kYf7XRycd
|
||||
-NDkNiwV/ts94bbuaGZp1YA6I48FXpIc8b5fX7t9tY0umGaWy0bARe1L7o0Y89EPe
|
||||
-lMg25rOM7j3uPtFG8whbSfdETSy57UxzzTcJ6UwexeaK6wb2jqEmj5AOoPLWeaX0
|
||||
-LyOAszR3v7OPAcjIDYZGdrbb3MZ2f2vo2pdQfu9698BrWhXuM7Odh73RLhJVreNI
|
||||
-aezNOAtPyBlvGiBQBGTzRIYHSLL5Y5aVj2vWLAa7hjm5qTL5C5mFdDIo6TkEMr6I
|
||||
-OsexNQofEGs19kr8nARXDlcbEimk2VsPj4efQC2CEXZNzURsKca82pa62MJ8WosB
|
||||
-DTFd8X06zZZ4nED50vLopZvyW4fyW60lELwOyThAdG8UchoAaz2baqP0K4de44yM
|
||||
-Y5/yPFDu4+GoimipJfbiYviRwbzkBxYW8+958ILh0RtagLbvIGxbpaym9PqGjOzx
|
||||
-ShNXjLK2aAFZsEizQ8kd09quJHU/ogq2cUXdqqhmOqPnUWrJVi/VCoRB3Pv1/lE4
|
||||
-mrUgr2YZ11rYvBw6g5XvNvFcSc53OKyV7SLn0dwwMTAhMAkGBSsOAwIaBQAEFEWP
|
||||
-1WRQykaoD4uJCpTx/wv0SLLBBAiDKI26LJK7xgICCAA=
|
||||
+MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3
|
||||
+DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw
|
||||
+DgQIjv5c3OHvnBgCAggAgIIFiMJa8Z/w7errRvCQPXh9dGQz3eJaFq3S2gXD
|
||||
+rh6oiwsgIRJZvYAWgU6ll9NV7N5SgvS2DDNVuc3tsP8TPWjp+bIxzS9qmGUV
|
||||
+kYWuURWLMKhpF12ZRDab8jcIwBgKoSGiDJk8xHjx6L613/XcRM6ln3VeQK+C
|
||||
+hlW5kXniNAUAgTft25Fn61Xa8xnhmsz/fk1ycGnyGjKCnr7Mgy7KV0C1vs23
|
||||
+18n8+b1ktDWLZPYgpmXuMFVh0o+HJTV3O86mkIhJonMcnOMgKZ+i8KeXaocN
|
||||
+JQlAPBG4+HOip7FbQT/h6reXv8/J+hgjLfqAb5aV3m03rUX9mXx66nR1tQU0
|
||||
+Jq+XPfDh5+V4akIczLlMyyo/xZjI1/qupcMjr+giOGnGd8BA3cuXW+ueLQiA
|
||||
+PpTp+DQLVHRfz9XTZbyqOReNEtEXvO9gOlKSEY5lp65ItXVEs2Oqyf9PfU9y
|
||||
+DUltN6fCMilwPyyrsIBKXCu2ZLM5h65KVCXAYEX9lNqj9zrQ7vTqvCNN8RhS
|
||||
+ScYouTX2Eqa4Z+gTZWLHa8RCQFoyP6hd+97/Tg2Gv2UTH0myQxIVcnpdi1wy
|
||||
+cqb+er7tyKbcO96uSlUjpj/JvjlodtjJcX+oinEqGb/caj4UepbBwiG3vv70
|
||||
+63bS3jTsOLNjDRsR9if3LxIhLa6DW8zOJiGC+EvMD1o4dzHcGVpQ/pZWCHZC
|
||||
++YiNJpQOBApiZluE+UZ0m3XrtHFQYk7xblTrh+FJF91wBsok0rZXLAKd8m4p
|
||||
+OJsc7quCq3cuHRRTzJQ4nSe01uqbwGDAYwLvi6VWy3svU5qa05eDRmgzEFTG
|
||||
+e84Gp/1LQCtpQFr4txkjFchO2whWS80KoQKqmLPyGm1D9Lv53Q4ZsKMgNihs
|
||||
+rEepuaOZMKHl4yMAYFoOXZCAYzfbhN6b2phcFAHjMUHUw9e3F0QuDk9D0tsr
|
||||
+riYTrkocqlOKfK4QTomx27O0ON2J6f1rtEojGgfl9RNykN7iKGzjS3914QjW
|
||||
+W6gGiZejxHsDPEAa4gUp0WiSUSXtD5WJgoyAzLydR2dKWsQ4WlaUXi01CuGy
|
||||
++xvncSn2nO3bbot8VD5H6XU1CjREVtnIfbeRYO/uofyLUP3olK5RqN6ne6Xo
|
||||
+eXnJ/bjYphA8NGuuuvuW1SCITmINkZDLC9cGlER9+K65RR/DR3TigkexXMeN
|
||||
+aJ70ivZYAl0OuhZt3TGIlAzS64TIoyORe3z7Ta1Pp9PZQarYJpF9BBIZIFor
|
||||
+757PHHuQKRuugiRkp8B7v4eq1BQ+VeAxCKpyZ7XrgEtbY/AWDiaKcGPKPjc3
|
||||
+AqQraVeQm7kMBT163wFmZArCphzkDOI3bz2oEO8YArMgLq2Vto9jAZlqKyWr
|
||||
+pi2bSJxuoP1aoD58CHcWMrf8/j1LVdQhKgHQXSik2ID0H2Wc/XnglhzlVFuJ
|
||||
+JsNIW/EGJlZh/5WDez9U0bXqnBlu3uasPEOezdoKlcCmQlmTO5+uLHYLEtNA
|
||||
+EH9MtnGZebi9XS5meTuS6z5LILt8O9IHZxmT3JRPHYj287FEzotlLdcJ4Ee5
|
||||
+enW41UHjLrfv4OaITO1hVuoLRGdzjESx/fHMWmxroZ1nVClxECOdT42zvIYJ
|
||||
+J3xBZ0gppzQ5fjoYiKjJpxTflRxUuxshk3ih6VUoKtqj/W18tBQ3g5SOlkgT
|
||||
+yCW8r74yZlfYmNrPyDMUQYpLUPWj2n71GF0KyPfTU5yOatRgvheh262w5BG3
|
||||
+omFY7mb3tCv8/U2jdMIoukRKacpZiagofz3SxojOJq52cHnCri+gTHBMX0cO
|
||||
+j58ygfntHWRzst0pV7Ze2X3fdCAJ4DokH6bNJNthcgmolFJ/y3V1tJjgsdtQ
|
||||
+7Pjn/vE6xUV0HXE2x4yoVYNirbAMIvkN/X+atxrN0dA4AchN+zGp8TAxMCEw
|
||||
+CQYFKw4DAhoFAAQUQ+6XXkyhf6uYgtbibILN2IjKnOAECLiqoY45MPCrAgII
|
||||
+AA==
|
||||
EOF
|
||||
p12 = OpenSSL::PKCS12.new(str, "abc123")
|
||||
|
||||
assert_equal nil, p12.key
|
||||
assert_equal nil, p12.certificate
|
||||
assert_equal 1, p12.ca_certs.size
|
||||
- assert_equal @mycert.subject.to_der, p12.ca_certs[0].subject.to_der
|
||||
+ assert_equal @mycert.subject, p12.ca_certs[0].subject
|
||||
end
|
||||
|
||||
def test_new_with_no_certs
|
||||
# generated with:
|
||||
- # openssl pkcs12 -inkey <RSA1024> -nocerts -export -out <out>
|
||||
+ # openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export
|
||||
str = <<~EOF.unpack("m").first
|
||||
-MIIDJwIBAzCCAu0GCSqGSIb3DQEHAaCCAt4EggLaMIIC1jCCAtIGCSqGSIb3DQEH
|
||||
-AaCCAsMEggK/MIICuzCCArcGCyqGSIb3DQEMCgECoIICpjCCAqIwHAYKKoZIhvcN
|
||||
-AQwBAzAOBAg6AaYnJs84SwICCAAEggKAQzZH+fWSpcQYD1J7PsGSune85A++fLCQ
|
||||
-V7tacp2iv95GJkxwYmfTP176pJdgs00mceB9UJ/u9EX5nD0djdjjQjwo6sgKjY0q
|
||||
-cpVhZw8CMxw7kBD2dhtui0zT8z5hy03LePxsjEKsGiSbeVeeGbSfw/I6AAYbv+Uh
|
||||
-O/YPBGumeHj/D2WKnfsHJLQ9GAV3H6dv5VKYNxjciK7f/JEyZCuUQGIN64QFHDhJ
|
||||
-7fzLqd/ul3FZzJZO6a+dwvcgux09SKVXDRSeFmRCEX4b486iWhJJVspCo9P2KNne
|
||||
-ORrpybr3ZSwxyoICmjyo8gj0OSnEfdx9790Ej1takPqSA1wIdSdBLekbZqB0RBQg
|
||||
-DEuPOsXNo3QFi8ji1vu0WBRJZZSNC2hr5NL6lNR+DKxG8yzDll2j4W4BBIp22mAE
|
||||
-7QRX7kVxu17QJXQhOUac4Dd1qXmzebP8t6xkAxD9L7BWEN5OdiXWwSWGjVjMBneX
|
||||
-nYObi/3UT/aVc5WHMHK2BhCI1bwH51E6yZh06d5m0TQpYGUTWDJdWGBSrp3A+8jN
|
||||
-N2PMQkWBFrXP3smHoTEN4oZC4FWiPsIEyAkQsfKRhcV9lGKl2Xgq54ROTFLnwKoj
|
||||
-Z3zJScnq9qmNzvVZSMmDLkjLyDq0pxRxGKBvgouKkWY7VFFIwwBIJM39iDJ5NbBY
|
||||
-i1AQFTRsRSsZrNVPasCXrIq7bhMoJZb/YZOGBLNyJVqKUoYXhtwsajzSq54VlWft
|
||||
-JxsPayEd4Vi6O9EU1ahnj6qFEZiKFzsicgK2J1Rb8cYagrp0XWjHW0SBn5GVUWCg
|
||||
-GUokSFG/0JTdeYTo/sQuG4qNgJkOolRjpeI48Fciq5VUWLvVdKioXzAxMCEwCQYF
|
||||
-Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4ECEawsN3rNaa6AgIIAA==
|
||||
+MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3
|
||||
+DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK
|
||||
+KoZIhvcNAQwBAzAOBAjX5nN8jyRKwQICCAAEgglIBIRLHfiY1mNHpl3FdX6+
|
||||
+72L+ZOVXnlZ1MY9HSeg0RMkCJcm0mJ2UD7INUOGXvwpK9fr6WJUZM1IqTihQ
|
||||
+1dM0crRC2m23aP7KtAlXh2DYD3otseDtwoN/NE19RsiJzeIiy5TSW1d47weU
|
||||
++D4Ig/9FYVFPTDgMzdCxXujhvO/MTbZIjqtcS+IOyF+91KkXrHkfkGjZC7KS
|
||||
+WRmYw9BBuIPQEewdTI35sAJcxT8rK7JIiL/9mewbSE+Z28Wq1WXwmjL3oZm9
|
||||
+lw6+f515b197GYEGomr6LQqJJamSYpwQbTGHonku6Tf3ylB4NLFqOnRCKE4K
|
||||
+zRSSYIqJBlKHmQ4pDm5awoupHYxMZLZKZvXNYyYN3kV8r1iiNVlY7KBR4CsX
|
||||
+rqUkXehRmcPnuqEMW8aOpuYe/HWf8PYI93oiDZjcEZMwW2IZFFrgBbqUeNCM
|
||||
+CQTkjAYxi5FyoaoTnHrj/aRtdLOg1xIJe4KKcmOXAVMmVM9QEPNfUwiXJrE7
|
||||
+n42gl4NyzcZpxqwWBT++9TnQGZ/lEpwR6dzkZwICNQLdQ+elsdT7mumywP+1
|
||||
+WaFqg9kpurimaiBu515vJNp9Iqv1Nmke6R8Lk6WVRKPg4Akw0fkuy6HS+LyN
|
||||
+ofdCfVUkPGN6zkjAxGZP9ZBwvXUbLRC5W3N5qZuAy5WcsS75z+oVeX9ePV63
|
||||
+cue23sClu8JSJcw3HFgPaAE4sfkQ4MoihPY5kezgT7F7Lw/j86S0ebrDNp4N
|
||||
+Y685ec81NRHJ80CAM55f3kGCOEhoifD4VZrvr1TdHZY9Gm3b1RYaJCit2huF
|
||||
+nlOfzeimdcv/tkjb6UsbpXx3JKkF2NFFip0yEBERRCdWRYMUpBRcl3ad6XHy
|
||||
+w0pVTgIjTxGlbbtOCi3siqMOK0GNt6UgjoEFc1xqjsgLwU0Ta2quRu7RFPGM
|
||||
+GoEwoC6VH23p9Hr4uTFOL0uHfkKWKunNN+7YPi6LT6IKmTQwrp+fTO61N6Xh
|
||||
+KlqTpwESKsIJB2iMnc8wBkjXJtmG/e2n5oTqfhICIrxYmEb7zKDyK3eqeTj3
|
||||
+FhQh2t7cUIiqcT52AckUqniPmlE6hf82yBjhaQUPfi/ExTBtTDSmFfRPUzq+
|
||||
+Rlla4OHllPRzUXJExyansgCxZbPqlw46AtygSWRGcWoYAKUKwwoYjerqIV5g
|
||||
+JoZICV9BOU9TXco1dHXZQTs/nnTwoRmYiL/Ly5XpvUAnQOhYeCPjBeFnPSBR
|
||||
+R/hRNqrDH2MOV57v5KQIH2+mvy26tRG+tVGHmLMaOJeQkjLdxx+az8RfXIrH
|
||||
+7hpAsoBb+g9jUDY1mUVavPk1T45GMpQH8u3kkzRvChfOst6533GyIZhE7FhN
|
||||
+KanC6ACabVFDUs6P9pK9RPQMp1qJfpA0XJFx5TCbVbPkvnkZd8K5Tl/tzNM1
|
||||
+n32eRao4MKr9KDwoDL93S1yJgYTlYjy1XW/ewdedtX+B4koAoz/wSXDYO+GQ
|
||||
+Zu6ZSpKSEHTRPhchsJ4oICvpriVaJkn0/Z7H3YjNMB9U5RR9+GiIg1wY1Oa1
|
||||
+S3WfuwrrI6eqfbQwj6PDNu3IKy6srEgvJwaofQALNBPSYWbauM2brc8qsD+t
|
||||
+n8jC/aD1aMcy00+9t3H/RVCjEOb3yKfUpAldIkEA2NTTnZpoDQDXeNYU2F/W
|
||||
+yhmFjJy8A0O4QOk2xnZK9kcxSRs0v8vI8HivvgWENoVPscsDC4742SSIe6SL
|
||||
+f/T08reIX11f0K70rMtLhtFMQdHdYOTNl6JzhkHPLr/f9MEZsBEQx52depnF
|
||||
+ARb3gXGbCt7BAi0OeCEBSbLr2yWuW4r55N0wRZSOBtgqgjsiHP7CDQSkbL6p
|
||||
+FPlQS1do9gBSHiNYvsmN1LN5bG+mhcVb0UjZub4mL0EqGadjDfDdRJmWqlX0
|
||||
+r5dyMcOWQVy4O2cPqYFlcP9lk8buc5otcyVI2isrAFdlvBK29oK6jc52Aq5Q
|
||||
+0b2ESDlgX8WRgiOPPxK8dySKEeuIwngCtJyNTecP9Ug06TDsu0znZGCXJ+3P
|
||||
+8JOpykgA8EQdOZOYHbo76ZfB2SkklI5KeRA5IBjGs9G3TZ4PHLy2DIwsbWzS
|
||||
+H1g01o1x264nx1cJ+eEgUN/KIiGFIib42RS8Af4D5e+Vj54Rt3axq+ag3kI+
|
||||
+53p8uotyu+SpvvXUP7Kv4xpQ/L6k41VM0rfrd9+DrlDVvSfxP2uh6I1TKF7A
|
||||
+CT5n8zguMbng4PGjxvyPBM5k62t6hN5fuw6Af0aZFexh+IjB/5wFQ6onSz23
|
||||
+fBzMW4St7RgSs8fDg3lrM+5rwXiey1jxY1ddaxOoUsWRMvvdd7rZxRZQoN5v
|
||||
+AcI5iMkK/vvpQgC/sfzhtXtrJ2XOPZ+GVgi7VcuDLKSkdFMcPbGzO8SdxUnS
|
||||
+SLV5XTKqKND+Lrfx7DAoKi5wbDFHu5496/MHK5qP4tBe6sJ5bZc+KDJIH46e
|
||||
+wTV1oWtB5tV4q46hOb5WRcn/Wjz3HSKaGZgx5QbK1MfKTzD5CTUn+ArMockX
|
||||
+2wJhPnFK85U4rgv8iBuh9bRjyw+YaKf7Z3loXRiE1eRG6RzuPF0ZecFiDumk
|
||||
+AC/VUXynJhzePBLqzrQj0exanACdullN+pSfHiRWBxR2VFUkjoFP5X45GK3z
|
||||
+OstSH6FOkMVU4afqEmjsIwozDFIyin5EyWTtdhJe3szdJSGY23Tut+9hUatx
|
||||
+9FDFLESOd8z3tyQSNiLk/Hib+e/lbjxqbXBG/p/oyvP3N999PLUPtpKqtYkV
|
||||
+H0+18sNh9CVfojiJl44fzxe8yCnuefBjut2PxEN0EFRBPv9P2wWlmOxkPKUq
|
||||
+NrCJP0rDj5aONLrNZPrR8bZNdIShkZ/rKkoTuA0WMZ+xUlDRxAupdMkWAlrz
|
||||
+8IcwNcdDjPnkGObpN5Ctm3vK7UGSBmPeNqkXOYf3QTJ9gStJEd0F6+DzTN5C
|
||||
+KGt1IyuGwZqL2Yk51FDIIkr9ykEnBMaA39LS7GFHEDNGlW+fKC7AzA0zfoOr
|
||||
+fXZlHMBuqHtXqk3zrsHRqGGoocigg4ctrhD1UREYKj+eIj1TBiRdf7c6+COf
|
||||
+NIOmej8pX3FmZ4ui+dDA8r2ctgsWHrb4A6iiH+v1DRA61GtoaA/tNRggewXW
|
||||
+VXCZCGWyyTuyHGOqq5ozrv5MlzZLWD/KV/uDsAWmy20RAed1C4AzcXlpX25O
|
||||
+M4SNl47g5VRNJRtMqokc8j6TjZrzMDEwITAJBgUrDgMCGgUABBRrkIRuS5qg
|
||||
+BC8fv38mue8LZVcbHQQIUNrWKEnskCoCAggA
|
||||
EOF
|
||||
p12 = OpenSSL::PKCS12.new(str, "abc123")
|
||||
|
||||
- assert_equal @mykey.to_der, p12.key.to_der
|
||||
+ assert_equal Fixtures.pkey("rsa-1").to_der, p12.key.to_der
|
||||
assert_equal nil, p12.certificate
|
||||
assert_equal [], Array(p12.ca_certs)
|
||||
end
|
||||
|
||||
def test_dup
|
||||
- p12 = OpenSSL::PKCS12.create("pass", "name", @mykey, @mycert)
|
||||
+ p12 = OpenSSL::PKCS12.create(
|
||||
+ "pass",
|
||||
+ "name",
|
||||
+ @mykey,
|
||||
+ @mycert,
|
||||
+ nil,
|
||||
+ DEFAULT_PBE_PKEYS,
|
||||
+ DEFAULT_PBE_CERTS,
|
||||
+ )
|
||||
assert_equal p12.to_der, p12.dup.to_der
|
||||
end
|
||||
-
|
||||
- private
|
||||
- def assert_cert expected, actual
|
||||
- [
|
||||
- :subject,
|
||||
- :issuer,
|
||||
- :serial,
|
||||
- :not_before,
|
||||
- :not_after,
|
||||
- ].each do |attribute|
|
||||
- assert_equal expected.send(attribute), actual.send(attribute)
|
||||
- end
|
||||
- assert_equal expected.to_der, actual.to_der
|
||||
- end
|
||||
-
|
||||
- def assert_include_cert cert, ary
|
||||
- der = cert.to_der
|
||||
- ary.each do |candidate|
|
||||
- if candidate.to_der == der
|
||||
- return true
|
||||
- end
|
||||
- end
|
||||
- false
|
||||
- end
|
||||
end
|
||||
end
|
||||
|
||||
--
|
||||
2.32.0
|
||||
|
@ -0,0 +1,67 @@
|
||||
From 10d2216b2f35a31777a099d9f765b0b6ea34a63e Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Mon, 18 May 2020 02:35:35 +0900
|
||||
Subject: [PATCH] test/openssl/test_pkey: use EC keys for
|
||||
PKey.generate_parameters tests
|
||||
|
||||
OpenSSL 3.0 refuses to generate DSA parameters shorter than 2048 bits,
|
||||
but generating 2048 bits parameters takes very long time. Let's use EC
|
||||
in these test cases instead.
|
||||
---
|
||||
test/openssl/test_pkey.rb | 27 +++++++++++----------------
|
||||
1 file changed, 11 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
|
||||
index 3630458b3c..88a6e04581 100644
|
||||
--- a/test/openssl/test_pkey.rb
|
||||
+++ b/test/openssl/test_pkey.rb
|
||||
@@ -27,20 +27,16 @@ def test_generic_oid_inspect
|
||||
end
|
||||
|
||||
def test_s_generate_parameters
|
||||
- # 512 is non-default; 1024 is used if 'dsa_paramgen_bits' is not specified
|
||||
- # with OpenSSL 1.1.0.
|
||||
- pkey = OpenSSL::PKey.generate_parameters("DSA", {
|
||||
- "dsa_paramgen_bits" => 512,
|
||||
- "dsa_paramgen_q_bits" => 256,
|
||||
+ pkey = OpenSSL::PKey.generate_parameters("EC", {
|
||||
+ "ec_paramgen_curve" => "secp384r1",
|
||||
})
|
||||
- assert_instance_of OpenSSL::PKey::DSA, pkey
|
||||
- assert_equal 512, pkey.p.num_bits
|
||||
- assert_equal 256, pkey.q.num_bits
|
||||
- assert_equal nil, pkey.priv_key
|
||||
+ assert_instance_of OpenSSL::PKey::EC, pkey
|
||||
+ assert_equal "secp384r1", pkey.group.curve_name
|
||||
+ assert_equal nil, pkey.private_key
|
||||
|
||||
# Invalid options are checked
|
||||
assert_raise(OpenSSL::PKey::PKeyError) {
|
||||
- OpenSSL::PKey.generate_parameters("DSA", "invalid" => "option")
|
||||
+ OpenSSL::PKey.generate_parameters("EC", "invalid" => "option")
|
||||
}
|
||||
|
||||
# Parameter generation callback is called
|
||||
@@ -59,14 +55,13 @@ def test_s_generate_key
|
||||
# DSA key pair cannot be generated without parameters
|
||||
OpenSSL::PKey.generate_key("DSA")
|
||||
}
|
||||
- pkey_params = OpenSSL::PKey.generate_parameters("DSA", {
|
||||
- "dsa_paramgen_bits" => 512,
|
||||
- "dsa_paramgen_q_bits" => 256,
|
||||
+ pkey_params = OpenSSL::PKey.generate_parameters("EC", {
|
||||
+ "ec_paramgen_curve" => "secp384r1",
|
||||
})
|
||||
pkey = OpenSSL::PKey.generate_key(pkey_params)
|
||||
- assert_instance_of OpenSSL::PKey::DSA, pkey
|
||||
- assert_equal 512, pkey.p.num_bits
|
||||
- assert_not_equal nil, pkey.priv_key
|
||||
+ assert_instance_of OpenSSL::PKey::EC, pkey
|
||||
+ assert_equal "secp384r1", pkey.group.curve_name
|
||||
+ assert_not_equal nil, pkey.private_key
|
||||
end
|
||||
|
||||
def test_hmac_sign_verify
|
||||
--
|
||||
2.32.0
|
||||
|
@ -0,0 +1,31 @@
|
||||
From 05fd14aea7eff2a6911a6f529f1237276482c6e7 Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Fri, 10 Jul 2020 13:56:38 +0900
|
||||
Subject: [PATCH] test/openssl/test_ssl: relax regex to match OpenSSL's error
|
||||
message
|
||||
|
||||
OpenSSL 3.0 slightly changed the error message for a certificate
|
||||
verification failure when an untrusted self-signed certificate is found
|
||||
in the chain.
|
||||
---
|
||||
test/openssl/test_ssl.rb | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
|
||||
index 6095d545b5..9e9b8b9b69 100644
|
||||
--- a/test/openssl/test_ssl.rb
|
||||
+++ b/test/openssl/test_ssl.rb
|
||||
@@ -955,7 +955,9 @@ def test_connect_certificate_verify_failed_exception_message
|
||||
start_server(ignore_listener_error: true) { |port|
|
||||
ctx = OpenSSL::SSL::SSLContext.new
|
||||
ctx.set_params
|
||||
- assert_raise_with_message(OpenSSL::SSL::SSLError, /self signed/) {
|
||||
+ # OpenSSL <= 1.1.0: "self signed certificate in certificate chain"
|
||||
+ # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain"
|
||||
+ assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) {
|
||||
server_connect(port, ctx)
|
||||
}
|
||||
}
|
||||
--
|
||||
2.32.0
|
||||
|
@ -0,0 +1,265 @@
|
||||
From 2c6797bc97d7c92284dc3c0ed27f97ace4e5cfb9 Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Mon, 31 May 2021 11:44:05 +0900
|
||||
Subject: [PATCH] test/openssl/utils: remove dup_public helper method
|
||||
|
||||
It uses deprecated PKey::{RSA,DSA,DH}#set_* methods, which will not
|
||||
work with OpenSSL 3.0. The same can easily be achieved using
|
||||
PKey#public_to_der regardless of the key kind.
|
||||
---
|
||||
test/openssl/test_pkey_dh.rb | 8 +++++---
|
||||
test/openssl/test_pkey_dsa.rb | 15 +++++++++++----
|
||||
test/openssl/test_pkey_ec.rb | 15 +++++++++++----
|
||||
test/openssl/test_pkey_rsa.rb | 31 +++++++++++++++++--------------
|
||||
test/openssl/utils.rb | 26 --------------------------
|
||||
5 files changed, 44 insertions(+), 51 deletions(-)
|
||||
|
||||
diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
|
||||
index f80af8f841..757704caf6 100644
|
||||
--- a/test/openssl/test_pkey_dh.rb
|
||||
+++ b/test/openssl/test_pkey_dh.rb
|
||||
@@ -40,12 +40,14 @@ def test_derive_key
|
||||
|
||||
def test_DHparams
|
||||
dh1024 = Fixtures.pkey("dh1024")
|
||||
+ dh1024params = dh1024.public_key
|
||||
+
|
||||
asn1 = OpenSSL::ASN1::Sequence([
|
||||
OpenSSL::ASN1::Integer(dh1024.p),
|
||||
OpenSSL::ASN1::Integer(dh1024.g)
|
||||
])
|
||||
key = OpenSSL::PKey::DH.new(asn1.to_der)
|
||||
- assert_same_dh dup_public(dh1024), key
|
||||
+ assert_same_dh dh1024params, key
|
||||
|
||||
pem = <<~EOF
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
@@ -55,9 +57,9 @@ def test_DHparams
|
||||
-----END DH PARAMETERS-----
|
||||
EOF
|
||||
key = OpenSSL::PKey::DH.new(pem)
|
||||
- assert_same_dh dup_public(dh1024), key
|
||||
+ assert_same_dh dh1024params, key
|
||||
key = OpenSSL::PKey.read(pem)
|
||||
- assert_same_dh dup_public(dh1024), key
|
||||
+ assert_same_dh dh1024params, key
|
||||
|
||||
assert_equal asn1.to_der, dh1024.to_der
|
||||
assert_equal pem, dh1024.export
|
||||
diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
|
||||
index 147e50176b..0994607f21 100644
|
||||
--- a/test/openssl/test_pkey_dsa.rb
|
||||
+++ b/test/openssl/test_pkey_dsa.rb
|
||||
@@ -138,6 +138,8 @@ def test_DSAPrivateKey_encrypted
|
||||
|
||||
def test_PUBKEY
|
||||
dsa512 = Fixtures.pkey("dsa512")
|
||||
+ dsa512pub = OpenSSL::PKey::DSA.new(dsa512.public_to_der)
|
||||
+
|
||||
asn1 = OpenSSL::ASN1::Sequence([
|
||||
OpenSSL::ASN1::Sequence([
|
||||
OpenSSL::ASN1::ObjectId("DSA"),
|
||||
@@ -153,7 +155,7 @@ def test_PUBKEY
|
||||
])
|
||||
key = OpenSSL::PKey::DSA.new(asn1.to_der)
|
||||
assert_not_predicate key, :private?
|
||||
- assert_same_dsa dup_public(dsa512), key
|
||||
+ assert_same_dsa dsa512pub, key
|
||||
|
||||
pem = <<~EOF
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
@@ -166,10 +168,15 @@ def test_PUBKEY
|
||||
-----END PUBLIC KEY-----
|
||||
EOF
|
||||
key = OpenSSL::PKey::DSA.new(pem)
|
||||
- assert_same_dsa dup_public(dsa512), key
|
||||
+ assert_same_dsa dsa512pub, key
|
||||
+
|
||||
+ assert_equal asn1.to_der, key.to_der
|
||||
+ assert_equal pem, key.export
|
||||
|
||||
- assert_equal asn1.to_der, dup_public(dsa512).to_der
|
||||
- assert_equal pem, dup_public(dsa512).export
|
||||
+ assert_equal asn1.to_der, dsa512.public_to_der
|
||||
+ assert_equal asn1.to_der, key.public_to_der
|
||||
+ assert_equal pem, dsa512.public_to_pem
|
||||
+ assert_equal pem, key.public_to_pem
|
||||
end
|
||||
|
||||
def test_read_DSAPublicKey_pem
|
||||
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
|
||||
index 4b6df0290f..d62f1b5eb8 100644
|
||||
--- a/test/openssl/test_pkey_ec.rb
|
||||
+++ b/test/openssl/test_pkey_ec.rb
|
||||
@@ -210,6 +210,8 @@ def test_ECPrivateKey_encrypted
|
||||
|
||||
def test_PUBKEY
|
||||
p256 = Fixtures.pkey("p256")
|
||||
+ p256pub = OpenSSL::PKey::EC.new(p256.public_to_der)
|
||||
+
|
||||
asn1 = OpenSSL::ASN1::Sequence([
|
||||
OpenSSL::ASN1::Sequence([
|
||||
OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
|
||||
@@ -221,7 +223,7 @@ def test_PUBKEY
|
||||
])
|
||||
key = OpenSSL::PKey::EC.new(asn1.to_der)
|
||||
assert_not_predicate key, :private?
|
||||
- assert_same_ec dup_public(p256), key
|
||||
+ assert_same_ec p256pub, key
|
||||
|
||||
pem = <<~EOF
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
@@ -230,10 +232,15 @@ def test_PUBKEY
|
||||
-----END PUBLIC KEY-----
|
||||
EOF
|
||||
key = OpenSSL::PKey::EC.new(pem)
|
||||
- assert_same_ec dup_public(p256), key
|
||||
+ assert_same_ec p256pub, key
|
||||
+
|
||||
+ assert_equal asn1.to_der, key.to_der
|
||||
+ assert_equal pem, key.export
|
||||
|
||||
- assert_equal asn1.to_der, dup_public(p256).to_der
|
||||
- assert_equal pem, dup_public(p256).export
|
||||
+ assert_equal asn1.to_der, p256.public_to_der
|
||||
+ assert_equal asn1.to_der, key.public_to_der
|
||||
+ assert_equal pem, p256.public_to_pem
|
||||
+ assert_equal pem, key.public_to_pem
|
||||
end
|
||||
|
||||
def test_ec_group
|
||||
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
|
||||
index 5e127f5407..4548bdb2cf 100644
|
||||
--- a/test/openssl/test_pkey_rsa.rb
|
||||
+++ b/test/openssl/test_pkey_rsa.rb
|
||||
@@ -201,7 +201,7 @@ def test_sign_verify_pss
|
||||
|
||||
def test_encrypt_decrypt
|
||||
rsapriv = Fixtures.pkey("rsa-1")
|
||||
- rsapub = dup_public(rsapriv)
|
||||
+ rsapub = OpenSSL::PKey.read(rsapriv.public_to_der)
|
||||
|
||||
# Defaults to PKCS #1 v1.5
|
||||
raw = "data"
|
||||
@@ -216,7 +216,7 @@ def test_encrypt_decrypt
|
||||
|
||||
def test_encrypt_decrypt_legacy
|
||||
rsapriv = Fixtures.pkey("rsa-1")
|
||||
- rsapub = dup_public(rsapriv)
|
||||
+ rsapub = OpenSSL::PKey.read(rsapriv.public_to_der)
|
||||
|
||||
# Defaults to PKCS #1 v1.5
|
||||
raw = "data"
|
||||
@@ -346,13 +346,15 @@ def test_RSAPrivateKey_encrypted
|
||||
|
||||
def test_RSAPublicKey
|
||||
rsa1024 = Fixtures.pkey("rsa1024")
|
||||
+ rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der)
|
||||
+
|
||||
asn1 = OpenSSL::ASN1::Sequence([
|
||||
OpenSSL::ASN1::Integer(rsa1024.n),
|
||||
OpenSSL::ASN1::Integer(rsa1024.e)
|
||||
])
|
||||
key = OpenSSL::PKey::RSA.new(asn1.to_der)
|
||||
assert_not_predicate key, :private?
|
||||
- assert_same_rsa dup_public(rsa1024), key
|
||||
+ assert_same_rsa rsa1024pub, key
|
||||
|
||||
pem = <<~EOF
|
||||
-----BEGIN RSA PUBLIC KEY-----
|
||||
@@ -362,11 +364,13 @@ def test_RSAPublicKey
|
||||
-----END RSA PUBLIC KEY-----
|
||||
EOF
|
||||
key = OpenSSL::PKey::RSA.new(pem)
|
||||
- assert_same_rsa dup_public(rsa1024), key
|
||||
+ assert_same_rsa rsa1024pub, key
|
||||
end
|
||||
|
||||
def test_PUBKEY
|
||||
rsa1024 = Fixtures.pkey("rsa1024")
|
||||
+ rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der)
|
||||
+
|
||||
asn1 = OpenSSL::ASN1::Sequence([
|
||||
OpenSSL::ASN1::Sequence([
|
||||
OpenSSL::ASN1::ObjectId("rsaEncryption"),
|
||||
@@ -381,7 +385,7 @@ def test_PUBKEY
|
||||
])
|
||||
key = OpenSSL::PKey::RSA.new(asn1.to_der)
|
||||
assert_not_predicate key, :private?
|
||||
- assert_same_rsa dup_public(rsa1024), key
|
||||
+ assert_same_rsa rsa1024pub, key
|
||||
|
||||
pem = <<~EOF
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
@@ -392,10 +396,15 @@ def test_PUBKEY
|
||||
-----END PUBLIC KEY-----
|
||||
EOF
|
||||
key = OpenSSL::PKey::RSA.new(pem)
|
||||
- assert_same_rsa dup_public(rsa1024), key
|
||||
+ assert_same_rsa rsa1024pub, key
|
||||
+
|
||||
+ assert_equal asn1.to_der, key.to_der
|
||||
+ assert_equal pem, key.export
|
||||
|
||||
- assert_equal asn1.to_der, dup_public(rsa1024).to_der
|
||||
- assert_equal pem, dup_public(rsa1024).export
|
||||
+ assert_equal asn1.to_der, rsa1024.public_to_der
|
||||
+ assert_equal asn1.to_der, key.public_to_der
|
||||
+ assert_equal pem, rsa1024.public_to_pem
|
||||
+ assert_equal pem, key.public_to_pem
|
||||
end
|
||||
|
||||
def test_pem_passwd
|
||||
@@ -482,12 +491,6 @@ def test_private_encoding_encrypted
|
||||
assert_same_rsa rsa1024, OpenSSL::PKey.read(pem, "abcdef")
|
||||
end
|
||||
|
||||
- def test_public_encoding
|
||||
- rsa1024 = Fixtures.pkey("rsa1024")
|
||||
- assert_equal dup_public(rsa1024).to_der, rsa1024.public_to_der
|
||||
- assert_equal dup_public(rsa1024).to_pem, rsa1024.public_to_pem
|
||||
- end
|
||||
-
|
||||
def test_dup
|
||||
key = Fixtures.pkey("rsa1024")
|
||||
key2 = key.dup
|
||||
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
|
||||
index c1d737b2ab..f664bd3074 100644
|
||||
--- a/test/openssl/utils.rb
|
||||
+++ b/test/openssl/utils.rb
|
||||
@@ -305,32 +305,6 @@ def check_component(base, test, keys)
|
||||
assert_equal base.send(comp), test.send(comp)
|
||||
}
|
||||
end
|
||||
-
|
||||
- def dup_public(key)
|
||||
- case key
|
||||
- when OpenSSL::PKey::RSA
|
||||
- rsa = OpenSSL::PKey::RSA.new
|
||||
- rsa.set_key(key.n, key.e, nil)
|
||||
- rsa
|
||||
- when OpenSSL::PKey::DSA
|
||||
- dsa = OpenSSL::PKey::DSA.new
|
||||
- dsa.set_pqg(key.p, key.q, key.g)
|
||||
- dsa.set_key(key.pub_key, nil)
|
||||
- dsa
|
||||
- when OpenSSL::PKey::DH
|
||||
- dh = OpenSSL::PKey::DH.new
|
||||
- dh.set_pqg(key.p, nil, key.g)
|
||||
- dh
|
||||
- else
|
||||
- if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key
|
||||
- ec = OpenSSL::PKey::EC.new(key.group)
|
||||
- ec.public_key = key.public_key
|
||||
- ec
|
||||
- else
|
||||
- raise "unknown key type"
|
||||
- end
|
||||
- end
|
||||
- end
|
||||
end
|
||||
|
||||
module OpenSSL::Certs
|
||||
--
|
||||
2.32.0
|
||||
|
94
ruby.spec
94
ruby.spec
@ -167,6 +167,71 @@ Patch19: ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch
|
||||
# Add AC_PROG_CC to make C++ compiler dependency optional on autoconf >= 2.70.
|
||||
# https://github.com/ruby/ruby/commit/912a8dcfc5369d840dcd6bf0f88ee0bac7d902d6
|
||||
Patch20: ruby-3.1.0-autoconf-2.70-add-ac-prog-cc.patch
|
||||
# Allow to exclude test with fully qualified name.
|
||||
# https://bugs.ruby-lang.org/issues/16936
|
||||
# https://github.com/ruby/ruby/pull/5026
|
||||
Patch21: ruby-3.1.0-Properly-exclude-test-cases.patch
|
||||
|
||||
|
||||
# OpenSSL 3.0 compatibility patches
|
||||
|
||||
# Switch from legacy DES-CBC to AES-256-CBC.
|
||||
# https://github.com/rubygems/rubygems/pull/4986
|
||||
Patch30: rubygems-3.2.30-Switch-from-DES-CBC-to-AES-256-CBC.patch
|
||||
# Fix test broken by wrongly formatted distinguished name submitted to
|
||||
# `OpenSSL::X509::Name.parse`.
|
||||
# https://github.com/ruby/openssl/issues/470
|
||||
# https://github.com/rubygems/rubygems/pull/5030
|
||||
Patch31: rubygems-3.2.30-Provide-distinguished-name-which-will-be-correctly-p.patch
|
||||
# Fix TestGemRequest#test_verify_certificate_extra_message compatibility
|
||||
# with OpenSSL 3.x.
|
||||
# https://github.com/rubygems/rubygems/pull/5040
|
||||
Patch32: rubygems-3.2.30-Use-OpenSSL-constants-for-error-codes.patch
|
||||
|
||||
# Refactor PEM/DER serialization code.
|
||||
# https://github.com/ruby/openssl/pull/328
|
||||
Patch40: ruby-3.1.0-Refactor-PEM-DER-serialization-code.patch
|
||||
# Implement more 'generic' operations using the EVP API.
|
||||
# https://github.com/ruby/openssl/pull/329
|
||||
Patch41: ruby-3.1.0-Add-more-support-for-generic-pkey-types.patch
|
||||
# Allow setting algorithm-specific options in #sign and #verify.
|
||||
# https://github.com/ruby/openssl/pull/374
|
||||
Patch42: ruby-3.1.0-Allow-setting-algorithm-specific-options-in-sign-and-verify.patch
|
||||
# Use high level EVP interface to generate parameters and keys.
|
||||
# https://github.com/ruby/openssl/pull/397
|
||||
Patch43: ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch
|
||||
# Use EVP API in more places.
|
||||
# https://github.com/ruby/openssl/pull/436
|
||||
Patch44: ruby-3.1.0-Use-EVP-API-in-more-places.patch
|
||||
# Implement PKey#{encrypt,decrypt,sign_raw,verify_{raw,verify_recover}}.
|
||||
# https://github.com/ruby/openssl/pull/382
|
||||
Patch45: ruby-3.1.0-Implement-PKey-encrypt-decrypt-sign_raw-verify_raw-and-verify_recover.patch
|
||||
# Fix `OpenSSL::TestSSL#test_dup` test failure.
|
||||
# https://github.com/ruby/openssl/commit/7b66eaa2dbabb6570dbbbdfac24c4dcdcc6793d7
|
||||
Patch46: ruby-3.1.0-test-openssl-utils-remove-dup_public-helper-method.patch
|
||||
# Fix `OpenSSL::TestDigest#test_digest_constants` test case.
|
||||
# https://github.com/ruby/openssl/commit/a3e59f4c2e200c76ef1d93945ff8737a05715e17
|
||||
Patch47: ruby-3.1.0-test-openssl-test_digest-do-not-test-constants-for-l.patch
|
||||
# Fix `OpenSSL::TestSSL#test_connect_certificate_verify_failed_exception_message`
|
||||
# test case.
|
||||
# https://github.com/ruby/openssl/commit/b5a0a198505452c7457b192da2e5cd5dda04f23d
|
||||
Patch48: ruby-3.1.0-test-openssl-test_ssl-relax-regex-to-match-OpenSSL-s.patch
|
||||
# Fix `OpenSSL::TestPKCS12#test_{new_with_no_keys,new_with_one_key_and_one_cert}`
|
||||
# test failures.
|
||||
# https://github.com/ruby/openssl/commit/998406d18f2acf73090e9fd9d92a7b4227ac593b
|
||||
Patch49: ruby-3.1.0-test-openssl-test_pkcs12-fix-test-failures-with-Open.patch
|
||||
# Fix `OpenSSL::TestPKey#test_s_generate_key` test case.
|
||||
# https://github.com/ruby/openssl/commit/c732387ee5aaa8c5a9717e8b3ffebb3d7430e99a
|
||||
Patch50: ruby-3.1.0-test-openssl-test_pkey-use-EC-keys-for-PKey.generate.patch
|
||||
# Miscellaneous changes for OpenSSL 3.0 support.
|
||||
# https://github.com/ruby/openssl/pull/468
|
||||
Patch51: ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch
|
||||
# Support OpenSSL 3.0.
|
||||
# https://github.com/ruby/openssl/pull/399
|
||||
Patch52: ruby-3.1.0-Support-OpenSSL-3.0.patch
|
||||
# Fix `TestPumaControlCli#test_control_ssl` testcase in Puma.
|
||||
# https://github.com/ruby/openssl/pull/399#issuecomment-966239736
|
||||
Patch53: ruby-3.1.0-SSL_read-EOF-handling.patch
|
||||
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Suggests: rubypick
|
||||
@ -618,6 +683,24 @@ rm -rf ext/fiddle/libffi*
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
%patch40 -p1
|
||||
%patch41 -p1
|
||||
%patch42 -p1
|
||||
%patch43 -p1
|
||||
%patch44 -p1
|
||||
%patch45 -p1
|
||||
%patch46 -p1
|
||||
%patch47 -p1
|
||||
%patch48 -p1
|
||||
%patch49 -p1
|
||||
%patch50 -p1
|
||||
%patch51 -p1
|
||||
%patch52 -p1
|
||||
%patch53 -p1
|
||||
|
||||
# Provide an example of usage of the tapset:
|
||||
cp -a %{SOURCE3} .
|
||||
@ -896,6 +979,13 @@ MSPECOPTS=""
|
||||
# Avoid `hostname' dependency.
|
||||
%{!?with_hostname:MSPECOPTS="-P 'Socket.gethostname returns the host name'"}
|
||||
|
||||
# Some tests are failing upstream due to OpenSSL 3.x compatibility.
|
||||
# https://github.com/ruby/openssl/pull/399/checks?check_run_id=3716152870
|
||||
DISABLE_TESTS="$DISABLE_TESTS -n !/OpenSSL::TestEC#test_check_key/"
|
||||
DISABLE_TESTS="$DISABLE_TESTS -n !/OpenSSL::TestPKeyDH#test_derive_key/"
|
||||
DISABLE_TESTS="$DISABLE_TESTS -n !/OpenSSL::TestPKeyDH#test_key_exchange/"
|
||||
DISABLE_TESTS="$DISABLE_TESTS -n !/OpenSSL::TestCipher#test_ciphers/"
|
||||
|
||||
# Give an option to increase the timeout in tests.
|
||||
# https://bugs.ruby-lang.org/issues/16921
|
||||
%{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \
|
||||
@ -1374,6 +1464,10 @@ MSPECOPTS=""
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Nov 05 2021 Vít Ondruch <vondruch@redhat.com> - 3.0.2-153
|
||||
- Fix OpenSSL 3.0 compatibility.
|
||||
Resolves: rhbz#2021922
|
||||
|
||||
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com>
|
||||
- Rebuilt with OpenSSL 3.0.0
|
||||
|
||||
|
@ -0,0 +1,44 @@
|
||||
From bb0f57aeb4de36a3b2b8b8cb01d25b32af0357d3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
|
||||
Date: Wed, 27 Oct 2021 16:28:24 +0200
|
||||
Subject: [PATCH] Provide distinguished name which will be correctly parsed.
|
||||
|
||||
It seems that since ruby openssl 2.1.0 [[1]], the distinguished name
|
||||
submitted to `OpenSSL::X509::Name.parse` is not correctly parsed if it
|
||||
does not contain the first slash:
|
||||
|
||||
~~~
|
||||
$ ruby -v
|
||||
ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
|
||||
|
||||
$ gem list | grep openssl
|
||||
openssl (default: 2.2.0)
|
||||
|
||||
$ irb -r openssl
|
||||
irb(main):001:0> OpenSSL::X509::Name.parse("CN=nobody/DC=example").to_s(OpenSSL::X509::Name::ONELINE)
|
||||
=> "CN = nobody/DC=example"
|
||||
irb(main):002:0> OpenSSL::X509::Name.parse("/CN=nobody/DC=example").to_s(OpenSSL::X509::Name::ONELINE)
|
||||
=> "CN = nobody, DC = example"
|
||||
~~~
|
||||
|
||||
[1]: https://github.com/ruby/openssl/commit/19c67cd10c57f3ab7b13966c36431ebc3fdd653b
|
||||
---
|
||||
lib/rubygems/security.rb | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
|
||||
index c80639af6d..12de141f36 100644
|
||||
--- a/lib/rubygems/security.rb
|
||||
+++ b/lib/rubygems/security.rb
|
||||
@@ -476,7 +476,7 @@ def self.email_to_name(email_address)
|
||||
|
||||
dcs = dcs.split '.'
|
||||
|
||||
- name = "CN=#{cn}/#{dcs.map {|dc| "DC=#{dc}" }.join '/'}"
|
||||
+ name = "/CN=#{cn}/#{dcs.map {|dc| "DC=#{dc}" }.join '/'}"
|
||||
|
||||
OpenSSL::X509::Name.parse name
|
||||
end
|
||||
--
|
||||
2.32.0
|
||||
|
106
rubygems-3.2.30-Switch-from-DES-CBC-to-AES-256-CBC.patch
Normal file
106
rubygems-3.2.30-Switch-from-DES-CBC-to-AES-256-CBC.patch
Normal file
@ -0,0 +1,106 @@
|
||||
From 467be1c90bda755710943e9e2a42a42262dde909 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
|
||||
Date: Thu, 14 Oct 2021 09:46:03 +0200
|
||||
Subject: [PATCH] Switch from DES-CBC to AES-256-CBC.
|
||||
|
||||
DES-CBS is considered legacy and disabled in OpenSSL 3.x+ [[1], [2]].
|
||||
This cause causes Ruby test failures:
|
||||
|
||||
~~~
|
||||
ruby -v: ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
|
||||
/builddir/build/BUILD/ruby-3.0.2/lib/rubygems/test_case.rb:1542:in `initialize': Neither PUB key nor PRIV key (OpenSSL::PKey::RSAError)
|
||||
from /builddir/build/BUILD/ruby-3.0.2/lib/rubygems/test_case.rb:1542:in `new'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/lib/rubygems/test_case.rb:1542:in `load_key'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/lib/rubygems/test_case.rb:1562:in `<class:TestCase>'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/lib/rubygems/test_case.rb:105:in `<top (required)>'
|
||||
from <internal:/builddir/build/BUILD/ruby-3.0.2/lib/rubygems/core_ext/kernel_require.rb>:85:in `require'
|
||||
from <internal:/builddir/build/BUILD/ruby-3.0.2/lib/rubygems/core_ext/kernel_require.rb>:85:in `require'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/test/rdoc/test_rdoc_rubygems_hook.rb:2:in `<top (required)>'
|
||||
from <internal:/builddir/build/BUILD/ruby-3.0.2/lib/rubygems/core_ext/kernel_require.rb>:85:in `require'
|
||||
from <internal:/builddir/build/BUILD/ruby-3.0.2/lib/rubygems/core_ext/kernel_require.rb>:85:in `require'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1049:in `block in non_options'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1043:in `each'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1043:in `non_options'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:65:in `process_args'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:143:in `process_args'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1237:in `process_args'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1242:in `run'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1249:in `run'
|
||||
from /builddir/build/BUILD/ruby-3.0.2/tool/test/runner.rb:23:in `<top (required)>'
|
||||
from ./test/runner.rb:11:in `require_relative'
|
||||
from ./test/runner.rb:11:in `<main>'
|
||||
~~~
|
||||
|
||||
Therefore use AES-256-CBC instead. This is essentially revert of
|
||||
ca228b76b, which was fixing https://github.com/jruby/jruby/issues/919
|
||||
|
||||
[1]: https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#legacy-algorithms
|
||||
[2]: https://github.com/openssl/openssl/blob/master/doc/man7/OSSL_PROVIDER-legacy.pod
|
||||
---
|
||||
test/rubygems/encrypted_private_key.pem | 52 ++++++++++++-------------
|
||||
1 file changed, 26 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/test/rubygems/encrypted_private_key.pem b/test/rubygems/encrypted_private_key.pem
|
||||
index 868f332b7c..d9667689a6 100644
|
||||
--- a/test/rubygems/encrypted_private_key.pem
|
||||
+++ b/test/rubygems/encrypted_private_key.pem
|
||||
@@ -1,30 +1,30 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
-DEK-Info: DES-CBC,4E38D58B5A059DB6
|
||||
+DEK-Info: AES-256-CBC,CB6FD0B173EF450C6EE21A01DD785C1D
|
||||
|
||||
-IgWLfnHVnkErKkhysrUMoE0ubkRDtJXZv9KR02jGGFk/kGqWyTqPk08uzhwVNM+l
|
||||
-eOk0qfPykkJM3KZgqTsD6xfA1D5WqFp5mLoFXVVTn9I3acSZsqOY0FweCipwdVpI
|
||||
-x+9Fl+v62kIW06dOjyWLE1abed9hHiXesGGsD87/RJSywy4OBxOcrhR1fJLK4ElR
|
||||
-ya0UzI7rWnmZMChjaZBssfzT1DR79/dARXhon2m5EiIJDjMpc8BKGYlQy5RHCHwA
|
||||
-cnrhUTTvsggZbQtmLZ/yVx8FSJ273XpYR0pmwbw4j1R+zeXQRK5MroBnCfOGcYa7
|
||||
-rmpERmDW3VAuxXR20SUAGdo1XOMTDe1uLbaotn6e56pXghIaYROTPS+HsuOkAZGY
|
||||
-OYWEkUoyog4l4n+h/C1umFfTFGvKNATLgDugONFvTw/PLbjvl+sWMy2QfqH0MlNB
|
||||
-DIUPxhEVCFD9oB4nfB86WDAmPp1DH9/IBet/21kbQ2eTIzakTdG3XiC+xzAQRu68
|
||||
-EOCTbasFWGxlCix66gt4xWMLksEg8UhWSpjS3/HsifrKyNMB8sfUFYmZmOYMW4mf
|
||||
-NuEtpBL3AdHNObN8nQ75HfehukzNpbYVRsLzWrVgtxvXHVpnvoCCpCvQBMHeRZxK
|
||||
-6m028mhH1m6yYE/uGFiRKLrN7BKAttbUiqnGgVIg/lQQilFWwylxQ6aXqJGmNgxa
|
||||
-oihzWZRlXivIhhrM7VMnLoKAF/YfmWpP3zahGpBQGfObtPtm44R0ezXPdtsivnyu
|
||||
-CmFOPGzRNMKZtH/lwVhuIIK3AFIGDsRRP9ySN4YfjQZnTdu2sRlxBnANP9m8W9T2
|
||||
-p+C4zVkDYAbsuWq2HpHwsdL8gqIiXeptsHLqkNw+ulSSLyeBCgM9fpV3RsNGjwqu
|
||||
-k8QLb1CYp2VX46CE8UKvOd/nyFnEsD+EAc3WangEwA41m2IaXcbs9Au7xsG9oacZ
|
||||
-DrxlJVNxlxO9YyP9dNOTfP0fHIiygKQQY2aU3y3oRneu7ogYES5V2mUNH7cYUWVL
|
||||
-CHPXAoUXJErvDQ/opW2DroA9Eqv9sST6WqBf6LXRcWU0ntfzcFUbEqgmCmB7Cbu2
|
||||
-8udEn6iWilQahLyDoAShLkU7+Tk78Z1c6RuqjyY4VboZPzxrTYK8YIXzwX+jj9bG
|
||||
-KIIGS5eghK185+AjlwtzJ7MBdoL323YIik6uOZluhnJHLaxjxUXGa1VqDgsyqGi7
|
||||
-ISRMTpVTrbR+UtoEi4ZhMjobtFUr7lGkt24VkXwBKdoyryj4RPHGdp7Tf6XDJufQ
|
||||
-+KKhqt8QrpOTPiMskFN2disOSF5/YZCmtT84nkhU7Hf1lkQ2kfx1zfNk0GqYYXOW
|
||||
-zHOAczy8gWBRetDMnhRYohDzQGWn//b+2Wr2n1RD8D9kyjMRhpFMYfQGfRcuPGjW
|
||||
-91k/T0XFcjcjeZPL9s+HITmrh7zg5WxbCfTEp91j3Oy1bns196SY77TE0BzUsqR2
|
||||
-geJggcUMEfyvHiiCMtijmSSD9nf8tNIxLVL8Jaf1coA6e1CrlHnYAu2f/Q3GIcvU
|
||||
-EEEmw+cZRwsk4fffYzh5psxxGdXKBv1KcQ/CeBhZL0WJsCp2y5oxwg==
|
||||
+KqHn2Df8hSuwNE+W+60MnGtc6xpoXmF3iN25iVwcN67krYn+N6cBhjFeXwXccYwJ
|
||||
+2gHSu4iEK9Qe32vK0yuv8N9h/fmsabZl0TotnEem/pqO5T8W4LxyK+Rw0s6RB30S
|
||||
+C+mUisRADTanAxyBxsNU8xR8OAUNMAAxV1me6It0W2lfNE3t5jg/Kr0NWMoRUNRx
|
||||
+dkE6WlD5D8jBeC3QdZ6OuE7QXOCEAWAjcFMc0d1WJq2t2r3TrLVfTH7EOoRyvL1H
|
||||
+rrFRx/dEW1UJfM6P11wB5R0nhg3rDXF7oDFszjwO/3tzARke0NZuN37l301lYRl1
|
||||
+aolO6sShJLa0Ml/TgNcJw0S6rc6a1Z52gTfQKztKcL1UX4HLZg75zKmn6qfatMBC
|
||||
+iXn+pQRYNsOPQ5h4r7lBBqvuV+gBw+rN768tYpZ2/YVDaygxETHcZAFCdAw/JNbP
|
||||
+d0XPIbP79NRrCgzSo58LKQGuOQf3Hh0vp1YS+MilMtm/eogoj1enSPM+ymStHRwG
|
||||
+i+D00xCQ6blSOZ2eUUBJXt11YzP22GYnv+XTR/5kGKkTIvoRMfd+39bQyR32IEv2
|
||||
+Z+yweAGQInD94eifT9ObbIayJ47y01KP0+Vj6hz4RCFsmJKsYiai5JiKlmf7lV9w
|
||||
+7zH3TtCOx/xSyomesXVRkqvFkdyeguU72kXc5tiMPaDXGCOeV0GWyR1GU1DUX9/K
|
||||
+60E7ym0Wx77WGMKk2fkirZzBdOeliyCRUXd7ccN2rBCjTwtjAUIk27lwzdUaTUv7
|
||||
+EmjauDvSMFtir58c+zjlLmBaSQOzKcj0KXMp0Oucls9bD85WGGbGyzGhTa0AZ+/+
|
||||
+cCEJt7RAwW0kTEO/uO+BAZe/zBoi9ek+QBn54FK3E7CXfS4Oi9Qbc3fwlVyTlVmz
|
||||
+ZGrCncO0TIVGErFWK24Z7lX8rBnk8enfnamrPfKtwn4LG9aDfhSj8DtisjlRUVT5
|
||||
+chDQ+CCi9rh3wXh28lyS+nXJ3yFidCzRgcsc3PpN/c4DNRggZc+C/KDw+J2FW+8Y
|
||||
+p65OliBQHQcG0PnCa2xRyCGevytPG0rfNDgyaY33dPEo90mBLVcwLbzGiSGBHgFl
|
||||
+pr8A/rqbnFpRO39NYbACeRFCqPpzyzfARCCcjcDoFrENdIaJui0fjlBkoV3B/KiK
|
||||
+EVjDcgwt1HAtz8bV2YJ+OpQbhD7E90e2vTRMuXAH21Ygo32VOS0LRlCRc9ZyZW4z
|
||||
+PTyO/6a+FbXZ1zhVJxu/0bmBERZ14WVmWq56oxQav8knpxYeYPgpEmIZnrHnJ1Ko
|
||||
+UoXcc8Hy4NKtaBmDcaF8TCobNsRZTxO/htqpdyNsOrBSsnX2kP5D/O1l1vuVYi1/
|
||||
+RYfUqL9dvGzvfsFuuDDjDlQ/fIA6pFzJV3fy4KJHlF1r33qaE/lNMdpKljBwvUII
|
||||
+Vog4cGmzxssqK5q9kuogcuyeOuFODjBNW4qt0WylSi9bwwy3ZwaZLRqhngz6+tCV
|
||||
+Jp45Gk881XiVe3aVU0l+4DmJJ9/5vwqjH5Vo/GJqFU6gzB+Zv/0plYeNkuE0Xo2z
|
||||
+ecdxnGKVPl42q44lvczjDw2KX0ahxQrfrbcl48//zR295u9POzCL97d6zpioI2NR
|
||||
-----END RSA PRIVATE KEY-----
|
||||
--
|
||||
2.32.0
|
||||
|
75
rubygems-3.2.30-Use-OpenSSL-constants-for-error-codes.patch
Normal file
75
rubygems-3.2.30-Use-OpenSSL-constants-for-error-codes.patch
Normal file
@ -0,0 +1,75 @@
|
||||
From 8acf8e95dcaebe227f779271b8213c15eceb846f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
|
||||
Date: Mon, 1 Nov 2021 18:40:06 +0100
|
||||
Subject: [PATCH] Use OpenSSL constants for error codes.
|
||||
|
||||
This fixes the following test error testing against OpenSSL 3.x:
|
||||
|
||||
~~~
|
||||
2) Failure:
|
||||
TestGemRequest#test_verify_certificate_extra_message [/builddir/build/BUILD/ruby-3.0.2/test/rubygems/test_gem_request.rb:358]:
|
||||
<"ERROR: SSL verification error at depth 0: invalid CA certificate (24)\n" +
|
||||
"ERROR: Certificate is an invalid CA certificate\n"> expected but was
|
||||
<"ERROR: SSL verification error at depth 0: invalid CA certificate (79)\n" +
|
||||
"ERROR: Certificate is an invalid CA certificate\n">.
|
||||
~~~
|
||||
|
||||
Where the root cause is this OpenSSL commit:
|
||||
|
||||
https://github.com/openssl/openssl/commit/1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e
|
||||
|
||||
It seems that OpenSSL upstream considers the constant value just an
|
||||
implementation detail and therefore this changes the test case to
|
||||
follow the suite.
|
||||
---
|
||||
test/rubygems/test_gem_request.rb | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/test/rubygems/test_gem_request.rb b/test/rubygems/test_gem_request.rb
|
||||
index 66477be7bc..47654f6fa4 100644
|
||||
--- a/test/rubygems/test_gem_request.rb
|
||||
+++ b/test/rubygems/test_gem_request.rb
|
||||
@@ -328,30 +328,36 @@ def test_user_agent_revision_missing
|
||||
|
||||
def test_verify_certificate
|
||||
pend if Gem.java_platform?
|
||||
+
|
||||
+ error_number = OpenSSL::X509::V_ERR_OUT_OF_MEM
|
||||
+
|
||||
store = OpenSSL::X509::Store.new
|
||||
context = OpenSSL::X509::StoreContext.new store
|
||||
- context.error = OpenSSL::X509::V_ERR_OUT_OF_MEM
|
||||
+ context.error = error_number
|
||||
|
||||
use_ui @ui do
|
||||
Gem::Request.verify_certificate context
|
||||
end
|
||||
|
||||
- assert_equal "ERROR: SSL verification error at depth 0: out of memory (17)\n",
|
||||
+ assert_equal "ERROR: SSL verification error at depth 0: out of memory (#{error_number})\n",
|
||||
@ui.error
|
||||
end
|
||||
|
||||
def test_verify_certificate_extra_message
|
||||
pend if Gem.java_platform?
|
||||
+
|
||||
+ error_number = OpenSSL::X509::V_ERR_INVALID_CA
|
||||
+
|
||||
store = OpenSSL::X509::Store.new
|
||||
context = OpenSSL::X509::StoreContext.new store
|
||||
- context.error = OpenSSL::X509::V_ERR_INVALID_CA
|
||||
+ context.error = error_number
|
||||
|
||||
use_ui @ui do
|
||||
Gem::Request.verify_certificate context
|
||||
end
|
||||
|
||||
expected = <<-ERROR
|
||||
-ERROR: SSL verification error at depth 0: invalid CA certificate (24)
|
||||
+ERROR: SSL verification error at depth 0: invalid CA certificate (#{error_number})
|
||||
ERROR: Certificate is an invalid CA certificate
|
||||
ERROR
|
||||
|
||||
--
|
||||
2.32.0
|
||||
|
Loading…
Reference in New Issue
Block a user