ruby.git/ext/openssl/ossl_pkcs7.c, branch v3_4_9 The Ruby Programming Language [ruby/openssl] ts: avoid using OpenSSL::PKCS7's internals 2024-12-07T07:55:46+00:00 Kazuki Yamaguchi k@rhe.jp 2024-10-29T18:53:53+00:00 f8e9302e66e336d4e174182ebebc6a05a47ac28b Internals of OpenSSL::PKCS7 should be kept within ossl_pkcs7.c. Add a new ossl_pkcs7_new() function for duplicating and wrapping an OpenSSL PKCS7 object in OpenSSL::PKCS7. This follows the convention used by other ossl_*_new() functions. https://github.com/ruby/openssl/commit/b5f79f771e 
Internals of OpenSSL::PKCS7 should be kept within ossl_pkcs7.c.

Add a new ossl_pkcs7_new() function for duplicating and wrapping an
OpenSSL PKCS7 object in OpenSSL::PKCS7. This follows the convention
used by other ossl_*_new() functions.

https://github.com/ruby/openssl/commit/b5f79f771e
[ruby/openssl] pkcs7: fix memory leak in error path of PKCS7.new and .read_smime 2024-11-14T02:21:39+00:00 Kazuki Yamaguchi k@rhe.jp 2024-11-01T09:54:26+00:00 4e7e2e9e8914e1fcbe8410634393525a183b491c A follow-up to commit https://github.com/ruby/openssl/commit/27e11f2d1dcd and https://github.com/ruby/openssl/commit/07eceb7f6326. The PKCS7 object must be freed before raising an exception. https://github.com/ruby/openssl/commit/172eee4665 
A follow-up to commit https://github.com/ruby/openssl/commit/27e11f2d1dcd and https://github.com/ruby/openssl/commit/07eceb7f6326. The PKCS7 object
must be freed before raising an exception.

https://github.com/ruby/openssl/commit/172eee4665
[ruby/openssl] pkcs7: remove default cipher from PKCS7.encrypt 2024-10-31T08:31:16+00:00 Kazuki Yamaguchi k@rhe.jp 2024-09-05T10:45:31+00:00 27d77a9c73009c94864214c684faac38278398c2 Require that users explicitly specify the desired algorithm. In my opinion, we are not in a position to specify the default cipher. When OpenSSL::PKCS7.encrypt is given only two arguments, it uses "RC2-40-CBC" as the symmetric cipher algorithm. 40-bit RC2 is a US export-grade cipher and considered insecure. Although this is technically a breaking change, the impact should be minimal. Even when OpenSSL is compiled with RC2 support and the macro OPENSSL_NO_RC2 is not defined, it will not actually work on modern systems because RC2 is part of the legacy provider. https://github.com/ruby/openssl/commit/439f456bfa 
Require that users explicitly specify the desired algorithm. In my
opinion, we are not in a position to specify the default cipher.

When OpenSSL::PKCS7.encrypt is given only two arguments, it uses
"RC2-40-CBC" as the symmetric cipher algorithm. 40-bit RC2 is a US
export-grade cipher and considered insecure.

Although this is technically a breaking change, the impact should be
minimal. Even when OpenSSL is compiled with RC2 support and the macro
OPENSSL_NO_RC2 is not defined, it will not actually work on modern
systems because RC2 is part of the legacy provider.

https://github.com/ruby/openssl/commit/439f456bfa
[ruby/openssl] Fix references to the license text 2024-06-08T10:59:17+00:00 Kazuki Yamaguchi k@rhe.jp 2024-05-01T08:10:44+00:00 69c0b1438a45938e79e63407035f116de4634dcb Update the references to the file "LICENCE" with "COPYING". The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has been always the case since OpenSSL for Ruby 2 was merged to the ruby tree as a standard library in 2003. In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained an old version of the Ruby License, identical to the COPYING file that was in Ruby's tree at that time (r4128[2]). [1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup [2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING https://github.com/ruby/openssl/commit/5bccf07d04 
Update the references to the file "LICENCE" with "COPYING".

The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.

In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).

[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING

https://github.com/ruby/openssl/commit/5bccf07d04
[ruby/openssl] Add to_text for PKCS7 and Timestamp::Response 2024-05-08T09:39:13+00:00 Samuel Giddins segiddins@segiddins.me 2024-05-05T07:22:30+00:00 841b45a4421a7f103b0312f84c14ece522833617 https://github.com/ruby/openssl/commit/71cd1e3f5c 
https://github.com/ruby/openssl/commit/71cd1e3f5c
[ruby/openssl] pkcs7: raise PKCS7Error for PKCS7 without content in PKCS7.read_smime 2024-05-02T07:26:11+00:00 Jeremy Evans code@jeremyevans.net 2023-11-12T00:36:39+00:00 55720f372d65aaa14bf6925730f0c715f0179dc5 [pkuzco: expanded the fix for other content types] [ky: adjusted formatting and the exception type] https://github.com/ruby/openssl/commit/07eceb7f63 Co-authored-by: pkuzco <b.naamneh@gmail.com> Co-authored-by: Kazuki Yamaguchi <k@rhe.jp> 
[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]

https://github.com/ruby/openssl/commit/07eceb7f63

Co-authored-by: pkuzco <b.naamneh@gmail.com>
Co-authored-by: Kazuki Yamaguchi <k@rhe.jp>
[ruby/openssl] pkcs7: raise ArgumentError for PKCS7 with no content in PKCS7.new 2024-05-02T07:26:11+00:00 Jeremy Evans code@jeremyevans.net 2023-10-27T16:08:11+00:00 c9aa63a9e06c21566c6fadda5945f04f341e4891 Fixes [Bug #19974] [pkuzco: expanded the fix for other content types] [ky: adjusted formatting and the exception type] https://github.com/ruby/openssl/commit/27e11f2d1d Co-authored-by: pkuzco <b.naamneh@gmail.com> Co-authored-by: Kazuki Yamaguchi <k@rhe.jp> 
Fixes [Bug #19974]

[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]

https://github.com/ruby/openssl/commit/27e11f2d1d

Co-authored-by: pkuzco <b.naamneh@gmail.com>
Co-authored-by: Kazuki Yamaguchi <k@rhe.jp>
[ruby/openssl] Implement Write Barrier for all OpenSSL types 2023-06-18T16:57:09+00:00 Jean Boussier jean.boussier@gmail.com 2023-03-13T08:51:53+00:00 1965c09ee50b5202d45462cd8bc6224ca6e45ae9 The vast majority have no reference so it's just a matter of setting the flags. For the couple exception, they have very little references so it's easy. https://github.com/ruby/openssl/commit/2c7c6de69e 
The vast majority have no reference so it's just a matter of setting the flags.

For the couple exception, they have very little references so it's
easy.

https://github.com/ruby/openssl/commit/2c7c6de69e
[ruby/openssl] x509, ssl, pkcs7: try to parse as DER-encoding first 2021-07-18T08:44:54+00:00 Kazuki Yamaguchi k@rhe.jp 2021-05-19T08:58:18+00:00 a01daab656a3d32b52bd236503e3d9aebaf39483 Methods that take both PEM-encoding and DER-encoding have not been consistent in the order in which encoding to attempt to parse. A DER-encoding may contain a valid PEM block ("\n-----BEGIN ..-----" to "-----END ...-----") embedded within it. Also, the PEM-encoding parser allows arbitrary data around the PEM block and silently skips it. As a result, attempting to parse data in DER-encoding as PEM-encoding first can incorrectly finds the embedded PEM block instead. This commit ensures that DER encoding will always be attempted before PEM encoding. OpenSSL::X509::Certificate is one of the updated classes. With this, the following will always be true: # obj is an OpenSSL::X509::Certificate obj == OpenSSL::X509::Certificate.new(obj.to_der) obj == OpenSSL::X509::Certificate.new(obj.to_pem) https://github.com/ruby/openssl/commit/b280eb1fd0 
Methods that take both PEM-encoding and DER-encoding have not been
consistent in the order in which encoding to attempt to parse.

A DER-encoding may contain a valid PEM block ("\n-----BEGIN ..-----" to
"-----END ...-----") embedded within it. Also, the PEM-encoding parser
allows arbitrary data around the PEM block and silently skips it. As a
result, attempting to parse data in DER-encoding as PEM-encoding first
can incorrectly finds the embedded PEM block instead.

This commit ensures that DER encoding will always be attempted before
PEM encoding. OpenSSL::X509::Certificate is one of the updated classes.
With this, the following will always be true:

    # obj is an OpenSSL::X509::Certificate
    obj == OpenSSL::X509::Certificate.new(obj.to_der)
    obj == OpenSSL::X509::Certificate.new(obj.to_pem)

https://github.com/ruby/openssl/commit/b280eb1fd0
[ruby/openssl] pkcs7: keep private key when duplicating PKCS7_SIGNER_INFO 2021-03-31T09:05:07+00:00 Kazuki Yamaguchi k@rhe.jp 2021-03-24T04:23:09+00:00 e2bf3659e184088d00d099a49e3263724f43ece2 ASN1_dup() will not copy the 'pkey' field of a PKCS7_SIGNER_INFO object by design; it is a temporary field kept until the PKCS7 structure is finalized. Let's bump reference counter of the pkey in the original object and use it in the new object, too. This commit also removes PKCS7#add_signer's routine to add the content-type attribute as a signed attribute automatically. This behavior was not documented or tested. This change should not break any working user code since the method was completely useless without the change above. https://github.com/ruby/openssl/commit/20ca7a27a8 
ASN1_dup() will not copy the 'pkey' field of a PKCS7_SIGNER_INFO object
by design; it is a temporary field kept until the PKCS7 structure is
finalized. Let's bump reference counter of the pkey in the original
object and use it in the new object, too.

This commit also removes PKCS7#add_signer's routine to add the
content-type attribute as a signed attribute automatically. This
behavior was not documented or tested. This change should not break any
working user code since the method was completely useless without the
change above.

https://github.com/ruby/openssl/commit/20ca7a27a8