ruby.git/ext/openssl/ossl_x509cert.c, branch v4.0.4 The Ruby Programming Language [ruby/openssl] x509cert: update doc for OpenSSL::X509::Certificate#== 2025-12-14T10:46:13+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-29T17:47:18+00:00 7969b654181af13f547afb88834f017694881353 Mention the underlying OpenSSL function. Add a note about the unreliable comparison when called on an incomplete object. Fixes https://github.com/ruby/openssl/issues/844 https://github.com/ruby/openssl/commit/736af5b3c7 
Mention the underlying OpenSSL function. Add a note about the unreliable
comparison when called on an incomplete object.

Fixes https://github.com/ruby/openssl/issues/844

https://github.com/ruby/openssl/commit/736af5b3c7
[ruby/openssl] x509cert: handle invalid validity periods in Certificate#inspect 2025-12-05T18:40:02+00:00 Kazuki Yamaguchi k@rhe.jp 2025-12-05T18:33:12+00:00 8c4f79d5f30fb2fe647c4f3fd262a5fdeacaeca2 In a newly allocated OpenSSL X509 object, the notBefore and notAfter fields contain an ASN1_STRING object with type V_ASN1_UNDEF rather than an ASN1_TIME. Commit https://github.com/ruby/openssl/commit/73484f67949a made asn1time_to_time() stricter and it now raises an exception if the argument is not an ASN1_TIME. Previously, it would print a verbose-mode warning and return nil. OpenSSL::X509::Certificate#inspect should work even when the certificate is invalid. Let's handle this. https://github.com/ruby/openssl/commit/18c283f2b6 
In a newly allocated OpenSSL X509 object, the notBefore and notAfter
fields contain an ASN1_STRING object with type V_ASN1_UNDEF rather than
an ASN1_TIME.

Commit https://github.com/ruby/openssl/commit/73484f67949a made asn1time_to_time() stricter and it now raises
an exception if the argument is not an ASN1_TIME. Previously, it would
print a verbose-mode warning and return nil.

OpenSSL::X509::Certificate#inspect should work even when the certificate
is invalid. Let's handle this.

https://github.com/ruby/openssl/commit/18c283f2b6
[ruby/openssl] Expand tabs in C source files 2025-12-04T17:46:59+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-29T18:40:32+00:00 5062c0c621d887367af8a054e5e5d83d7ec57dd3 Since around 2018, we have been using spaces for indentation for newly added code[1]. The mixed use of tabs and spaces has repeatedly confused new contributors who configured their editors to use a different tab size than 8. Since git blame can now skip specific commits, ruby/ruby did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl. While at it, fix a few indentation issues, mainly in switch-case labels and in ossl_ssl_session.c, which used doubled indentation size. This patch contains white-space changes only. git diff -w output should be empty. [1] https://bugs.ruby-lang.org/issues/14246 [2] https://bugs.ruby-lang.org/issues/18891 https://github.com/ruby/openssl/commit/4d6214f507 
Since around 2018, we have been using spaces for indentation for newly
added code[1]. The mixed use of tabs and spaces has repeatedly confused
new contributors who configured their editors to use a different tab
size than 8. Since git blame can now skip specific commits, ruby/ruby
did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl.

While at it, fix a few indentation issues, mainly in switch-case labels
and in ossl_ssl_session.c, which used doubled indentation size.

This patch contains white-space changes only. git diff -w output should
be empty.

[1] https://bugs.ruby-lang.org/issues/14246
[2] https://bugs.ruby-lang.org/issues/18891

https://github.com/ruby/openssl/commit/4d6214f507
[ruby/openssl] Remove dummy declarations for mOSSL and eOSSLError 2025-11-29T17:05:19+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-29T16:47:26+00:00 bae06ce22c5ab6a4a3085300274f258d55858e90 These declarations were added to every source file because older versions of RDoc did not resolve ancestor tree across files. Since RDoc 6.9.0 supports this, this workaround is no longer needed. https://redirect.github.com/ruby/rdoc/pull/1217 https://github.com/ruby/openssl/commit/6491ce63be 
These declarations were added to every source file because older
versions of RDoc did not resolve ancestor tree across files. Since
RDoc 6.9.0 supports this, this workaround is no longer needed.

    https://redirect.github.com/ruby/rdoc/pull/1217

https://github.com/ruby/openssl/commit/6491ce63be
[ruby/openssl] asn1: refactor converting ASN1_OBJECT to string 2025-11-22T16:48:13+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-18T16:41:35+00:00 dd489ee9c48fc8c2b499b80f3ebcd053de33bb0a ruby/openssl exposes OIDs to Ruby as strings in many places, but the conversion logic has been duplicated and the behavior is inconsistent. There are mainly two patterns: - Returns the short name associated with the OID/NID, or the dotted decimal notation if it is unknown to OpenSSL. - Returns the long name, or the dotted decimal notation. These patterns are implemented using different OpenSSL APIs and that caused subtle differences. Add helper functions ossl_asn1obj_to_string() and ossl_asn1obj_to_string_long_name() to unify the logic. Also, document the current behaviors where it is not yet done. The inconsistency was likely unintentional, but since it dates back to the original implementations, standardizing it now would cause more issues than it resolves. https://github.com/ruby/openssl/commit/2ea36c21a4 
ruby/openssl exposes OIDs to Ruby as strings in many places, but the
conversion logic has been duplicated and the behavior is inconsistent.
There are mainly two patterns:

 - Returns the short name associated with the OID/NID, or the dotted
   decimal notation if it is unknown to OpenSSL.
 - Returns the long name, or the dotted decimal notation.

These patterns are implemented using different OpenSSL APIs and that
caused subtle differences. Add helper functions ossl_asn1obj_to_string()
and ossl_asn1obj_to_string_long_name() to unify the logic.

Also, document the current behaviors where it is not yet done. The
inconsistency was likely unintentional, but since it dates back to the
original implementations, standardizing it now would cause more issues
than it resolves.

https://github.com/ruby/openssl/commit/2ea36c21a4
[ruby/openssl] digest: use EVP_MD_fetch() if available 2025-11-06T13:25:09+00:00 Kazuki Yamaguchi k@rhe.jp 2025-06-24T10:31:31+00:00 10d2311e136212549d36f90ec7cb86108e682088 With the introduction of OpenSSL 3 providers, newly implemented algorithms do not necessarily have a corresponding NID assigned. To use such an algorithm, it has to be "fetched" from providers using the new EVP_*_fetch() functions. For digest algorithms, we have to use EVP_MD_fetch() instead of the existing EVP_get_digestbyname(). However, it is not a drop-in replacement because: - EVP_MD_fetch() does not support all algorithm name aliases recognized by EVP_get_digestbyname(). - Both return an EVP_MD, but the one returned by EVP_MD_fetch() is sometimes reference counted and the user has to explicitly release it with EVP_MD_free(). So, keep using EVP_get_digestbyname() for all OpenSSL versions for now, and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare a T_DATA object to manage the fetched EVP_MD's lifetime. https://github.com/ruby/openssl/commit/9fc2179403 
With the introduction of OpenSSL 3 providers, newly implemented
algorithms do not necessarily have a corresponding NID assigned. To use
such an algorithm, it has to be "fetched" from providers using the new
EVP_*_fetch() functions.

For digest algorithms, we have to use EVP_MD_fetch() instead of the
existing EVP_get_digestbyname(). However, it is not a drop-in
replacement because:

 - EVP_MD_fetch() does not support all algorithm name aliases recognized
   by EVP_get_digestbyname().

 - Both return an EVP_MD, but the one returned by EVP_MD_fetch() is
   sometimes reference counted and the user has to explicitly release
   it with EVP_MD_free().

So, keep using EVP_get_digestbyname() for all OpenSSL versions for now,
and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare
a T_DATA object to manage the fetched EVP_MD's lifetime.

https://github.com/ruby/openssl/commit/9fc2179403
Reapply "[ruby/openssl] x509: disallow ossl_x509{,attr,crl,ext,revoked,name}*_new(NULL)" 2025-07-31T09:45:53+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-31T09:45:53+00:00 0d3d296b85bb3b2cc936694ead3de8a00f0d4d0a This reverts commit ec01cd9bbbaf3e6f324e0a6769b8383857d2bc07. This should no longer break the tests, now that the following changes have been applied: - RubyGems change: 32977f3869ba1c44950f484ddbf3a12889c0b20b - ruby/openssl change: e8261963c79ba61453f7f0dae281c33a1287b351 
This reverts commit ec01cd9bbbaf3e6f324e0a6769b8383857d2bc07.

This should no longer break the tests, now that the following changes
have been applied:

 - RubyGems change: 32977f3869ba1c44950f484ddbf3a12889c0b20b
 - ruby/openssl change: e8261963c79ba61453f7f0dae281c33a1287b351
Revert "[ruby/openssl] x509: disallow ossl_x509{,attr,crl,ext,revoked,name}*_new(NULL)" 2025-07-27T13:56:10+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-27T13:56:10+00:00 ec01cd9bbbaf3e6f324e0a6769b8383857d2bc07 This reverts commit 4e8bbb07dd4936b97a6b39d54a6977a107518e1f. It broke RubyGems tests: https://rubyci.s3.amazonaws.com/debian/ruby-master/log/20250727T123003Z.fail.html.gz OpenSSL::X509::StoreContext#current_cert incorrectly calls ossl_x509_new() with NULL to create a bogus Certificate object, and a test case in RubyGems relies on it. This will be reapplied when both are fixed. 
This reverts commit 4e8bbb07dd4936b97a6b39d54a6977a107518e1f.

It broke RubyGems tests:
https://rubyci.s3.amazonaws.com/debian/ruby-master/log/20250727T123003Z.fail.html.gz

OpenSSL::X509::StoreContext#current_cert incorrectly calls
ossl_x509_new() with NULL to create a bogus Certificate object, and a
test case in RubyGems relies on it. This will be reapplied when both
are fixed.
[ruby/openssl] pkey: rename ossl_pkey_new() to ossl_pkey_wrap() 2025-07-27T12:17:25+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-21T14:52:03+00:00 1c18ab81dbf4a8006222d7f10752dde362ba05a6 Among functions named ossl_*_new(), ossl_pkey_new() is now the only one that takes ownership of the passed OpenSSL object instead of making a copy or incrementing its reference counter. Rename it to make this behavior easier to understand. https://github.com/ruby/openssl/commit/54c1c26eb5 
Among functions named ossl_*_new(), ossl_pkey_new() is now the only one
that takes ownership of the passed OpenSSL object instead of making a
copy or incrementing its reference counter. Rename it to make this
behavior easier to understand.

https://github.com/ruby/openssl/commit/54c1c26eb5
[ruby/openssl] x509: disallow ossl_x509{,attr,crl,ext,revoked,name}*_new(NULL) 2025-07-27T12:17:24+00:00 Kazuki Yamaguchi k@rhe.jp 2024-05-21T14:36:12+00:00 4e8bbb07dd4936b97a6b39d54a6977a107518e1f These functions are not actually called with NULL. It also doesn't make sense to do so, so let's simplify the definitions. https://github.com/ruby/openssl/commit/ef277083ba 
These functions are not actually called with NULL. It also doesn't make
sense to do so, so let's simplify the definitions.

https://github.com/ruby/openssl/commit/ef277083ba