ruby.git/test/openssl/fixtures, branch v4.0.3 The Ruby Programming Language [ruby/openssl] test: remove unused small test keys 2025-10-27T06:54:46+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-25T20:59:14+00:00 1b57e5574df360340cfe8511ba58d27a22226183 Previous commits removed all usages of those small keys. https://github.com/ruby/openssl/commit/f9d87d7912 
Previous commits removed all usages of those small keys.

https://github.com/ruby/openssl/commit/f9d87d7912
[ruby/openssl] ssl: add post-quantum cryptography (PQC) tests 2025-07-27T12:15:02+00:00 Jun Aruga jaruga@redhat.com 2025-07-21T20:04:55+00:00 6e0181db3ac98e8415c0b130c90ae1bbc5089ee8 The key files were created by the following commands. ``` $ ${HOME}/.local/openssl-3.6.0-dev-fips-debug-8253b58d60/bin/openssl genpkey \ -algorithm mldsa65 \ -out mldsa65-1.pem $ ${HOME}/.local/openssl-3.6.0-dev-fips-debug-8253b58d60/bin/openssl genpkey \ -algorithm mldsa65 \ -out mldsa65-2.pem ``` PQC algorithms, ML-KEM (FIPS 203) and ML-DSA (FIPS 204) used in the PQC tests are supported on OpenSSL 3.5 or later. https://openssl-library.org/post/2025-04-08-openssl-35-final-release/ https://github.com/ruby/openssl/commit/f3bb316018 
The key files were created by the following commands.

```
$ ${HOME}/.local/openssl-3.6.0-dev-fips-debug-8253b58d60/bin/openssl genpkey \
  -algorithm mldsa65 \
  -out mldsa65-1.pem
$ ${HOME}/.local/openssl-3.6.0-dev-fips-debug-8253b58d60/bin/openssl genpkey \
  -algorithm mldsa65 \
  -out mldsa65-2.pem
```

PQC algorithms, ML-KEM (FIPS 203) and ML-DSA (FIPS 204) used in the PQC tests
are supported on OpenSSL 3.5 or later.
https://openssl-library.org/post/2025-04-08-openssl-35-final-release/

https://github.com/ruby/openssl/commit/f3bb316018
[ruby/openssl] pkey/ec: use heredoc for invalid key example in test cases 2025-01-06T17:07:56+00:00 Kazuki Yamaguchi k@rhe.jp 2024-07-04T08:28:10+00:00 ff708f86fadd891869a96320f1de499dee1b1046 test/openssl/fixtures/pkey/p256_too_large.pem and p384_invalid.pem are invalid keys where the encoded public key doesn't match the private key. They are only useful for test cases for OpenSSL::PKey::EC#check_key and will not be reused elsewhere. Let's directly include the PEM encoding as a heredoc for clarity. p384_invalid.pem is dropped because it is redundant. https://github.com/ruby/openssl/commit/2f807ff30f 
test/openssl/fixtures/pkey/p256_too_large.pem and p384_invalid.pem are
invalid keys where the encoded public key doesn't match the private key.
They are only useful for test cases for OpenSSL::PKey::EC#check_key and
will not be reused elsewhere. Let's directly include the PEM encoding
as a heredoc for clarity.

p384_invalid.pem is dropped because it is redundant.

https://github.com/ruby/openssl/commit/2f807ff30f
[ruby/openssl] x509cert: simplify test cases for Certificate.load_file 2025-01-06T17:07:56+00:00 Kazuki Yamaguchi k@rhe.jp 2024-07-04T08:05:05+00:00 f0095413a520140d2ba54728d3e558d75dfda09d Remove files from test/openssl/fixtures/pkey/ which are not pkeys. The test cases for OpenSSL::X509::Certificate.load_file can simply use issue_cert and Tempfile. https://github.com/ruby/openssl/commit/11216b8bec 
Remove files from test/openssl/fixtures/pkey/ which are not pkeys.
The test cases for OpenSSL::X509::Certificate.load_file can simply use
issue_cert and Tempfile.

https://github.com/ruby/openssl/commit/11216b8bec
[ruby/openssl] Fix test_pkey_dsa.rb in FIPS. 2024-03-27T03:16:11+00:00 Jun Aruga jaruga@redhat.com 2024-03-12T16:12:08+00:00 8896ac0289dcd7a6c9c4a7fd6ccd4cc2dae30507 Note that I created the `dsa2048.pem` and signature text (`signature_encoded.txt`), that is used as a text to create the `signature0` in the `test_sign_verify` by the following steps with the `openssl` CLI on FIPS module. ``` $ OPENSSL_DIR="${HOME}/.local/openssl-3.3.0-dev-fips-debug-1f03d33ef5" $ export OPENSSL_CONF="${OPENSSL_DIR}/ssl/openssl_fips.cnf" $ "${OPENSSL_DIR}/bin/openssl" dsaparam -out dsaparam2048.pem 2048 $ "${OPENSSL_DIR}/bin/openssl" gendsa -out dsa2048.pem dsaparam2048.pem $ echo -n "Sign me!" > data.txt $ "${OPENSSL_DIR}/bin/openssl" dgst -sha256 -sign dsa2048.pem data.txt > signature.txt $ cat signature.txt | base64 > signature_encoded.txt ``` Skip the `test_DSAPrivateKey_encrypted` on FIPS because AES-128-CBC, the password based encryption used in the PEM format uses MD5 for deriving the encryption key from the password, and MD5 is not FIPS-approved. See also the comment on the `test/openssl/utils.rb#omit_on_fips`. https://github.com/ruby/openssl/commit/4bdcb419a9 
Note that I created the `dsa2048.pem` and signature text
(`signature_encoded.txt`), that is used as a text to create the `signature0` in
the `test_sign_verify` by the following steps with the `openssl` CLI on FIPS
module.

```
$ OPENSSL_DIR="${HOME}/.local/openssl-3.3.0-dev-fips-debug-1f03d33ef5"
$ export OPENSSL_CONF="${OPENSSL_DIR}/ssl/openssl_fips.cnf"

$ "${OPENSSL_DIR}/bin/openssl" dsaparam -out dsaparam2048.pem 2048
$ "${OPENSSL_DIR}/bin/openssl" gendsa -out dsa2048.pem dsaparam2048.pem

$ echo -n "Sign me!" > data.txt
$ "${OPENSSL_DIR}/bin/openssl" dgst -sha256 -sign dsa2048.pem data.txt > signature.txt
$ cat signature.txt | base64 > signature_encoded.txt
```

Skip the `test_DSAPrivateKey_encrypted` on FIPS because AES-128-CBC, the
password based encryption used in the PEM format uses MD5 for deriving the
encryption key from the password, and MD5 is not FIPS-approved.
See also the comment on the `test/openssl/utils.rb#omit_on_fips`.

https://github.com/ruby/openssl/commit/4bdcb419a9
Fix test_pkey_dh.rb in FIPS. 2023-11-25T10:12:28+00:00 Jun Aruga jaruga@redhat.com 2023-11-07T13:36:17+00:00 543dd74049f18db2f8dd9ac05b25f8dbff2edc14 We use dh2048_ffdhe2048.pem file (DH 2048 bits) instead of dh1024.pem file in both non-FIPS and FIPS cases. Because the following command fails to generate the pem file with 1024 bits. And the OpenSSL FIPS 140-2 security policy document explains the DH public keys are allowed from 2048 bits.[1] ``` $ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \ /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \ dhparam -out dh1024.pem 1024 Generating DH parameters, 1024 bit long safe prime dhparam: Generating DH key parameters failed ``` The dh2048_ffdhe2048.pem file was created by the following command with the OpenSSL FIPS configuration file. The logic to generate the DH pem file is different between non-FIPS and FIPS cases. In FIPS, it seems that the command always returns the text defined as ffdhe2048 in the FFDHE groups in RFC 7919 unlike non-FIPS.[2] As the generated pem file is a normal and valid PKCS#3-style group parameter, we use the file for the non-FIPS case too. ``` $ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \ /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \ dhparam -out dh2048_ffdhe2048.pem 2048 ``` Note that the hard-coded PEM-encoded string in the `test_DHparams` is intentional to avoid modifying the content unintentionally. * [1] https://www.openssl.org/source/ - OpenSSL 3.0.8 FIPS 140-2 security policy document page 25, Table 10 – Public Keys - DH Public - DH (2048/3072/4096/6144/8192) public key agreement key * [2] RFC7919 - Appendix A.1: ffdhe2048 https://www.rfc-editor.org/rfc/rfc7919#appendix-A.1 
We use dh2048_ffdhe2048.pem file (DH 2048 bits) instead of dh1024.pem file in
both non-FIPS and FIPS cases. Because the following command fails to generate
the pem file with 1024 bits. And the OpenSSL FIPS 140-2 security policy
document explains the DH public keys are allowed from 2048 bits.[1]

```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
  /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
  dhparam -out dh1024.pem 1024
Generating DH parameters, 1024 bit long safe prime
dhparam: Generating DH key parameters failed
```

The dh2048_ffdhe2048.pem file was created by the following command with the
OpenSSL FIPS configuration file. The logic to generate the DH pem file is
different between non-FIPS and FIPS cases. In FIPS, it seems that the command
always returns the text defined as ffdhe2048 in the FFDHE groups in RFC 7919
unlike non-FIPS.[2]

As the generated pem file is a normal and valid PKCS#3-style group parameter, we
use the file for the non-FIPS case too.

```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
  /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
  dhparam -out dh2048_ffdhe2048.pem 2048
```

Note that the hard-coded PEM-encoded string in the `test_DHparams` is
intentional to avoid modifying the content unintentionally.

* [1] https://www.openssl.org/source/ - OpenSSL 3.0.8 FIPS 140-2 security
  policy document page 25, Table 10 – Public Keys - DH Public
  - DH (2048/3072/4096/6144/8192) public key agreement key
* [2] RFC7919 - Appendix A.1: ffdhe2048
  https://www.rfc-editor.org/rfc/rfc7919#appendix-A.1
CI: Change the openssl_fips.cnf.tmpl and openssl_fips.cnf directories. 2023-11-08T00:25:34+00:00 Jun Aruga jaruga@redhat.com 2023-10-26T15:27:19+00:00 d30ea5831e0aedada3362a2d268e7bc836b93f27 






[ruby/openssl] CI: Add OpenSSL FIPS mode case.
2023-05-19T00:25:10+00:00

Jun Aruga
jaruga@redhat.com

2023-03-16T16:19:19+00:00

741a3bd5a547324be0d267bd77c3f5f2415c8c60

test/openssl/fixtures/ssl/openssl_fips.cnf.tmpl:

I referred to the following document for the openssl config file for FIPS mode.
<https://www.openssl.org/docs/manmaster/man7/fips_module.html>
- Making all applications use the FIPS module by default

It seems that the `.include` syntax only requires the absolute path.
So, the placeholder OPENSSL_DIR in the template file is replaced with the
actual OpenSSL directory.

.github/workflows/test.yml:

The `TEST_RUBY_OPENSSL_FIPS_ENABLED` environment variable is set
in the FIPS mode CI case. It can be used in the unit tests.

https://github.com/ruby/openssl/commit/18b017218c





test/openssl/fixtures/ssl/openssl_fips.cnf.tmpl:

I referred to the following document for the openssl config file for FIPS mode.
<https://www.openssl.org/docs/manmaster/man7/fips_module.html>
- Making all applications use the FIPS module by default

It seems that the `.include` syntax only requires the absolute path.
So, the placeholder OPENSSL_DIR in the template file is replaced with the
actual OpenSSL directory.

.github/workflows/test.yml:

The `TEST_RUBY_OPENSSL_FIPS_ENABLED` environment variable is set
in the FIPS mode CI case. It can be used in the unit tests.

https://github.com/ruby/openssl/commit/18b017218c







[ruby/openssl] pkey/ec: check private key validity with OpenSSL 3
2022-12-23T00:39:15+00:00

Joe Truba
joe@bannable.net

2022-11-20T00:54:32+00:00

0e11d2c3f8a74d2310efa67179b50c12acb3fa42

The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1
and 3.0 so that it no longer validates the private key. Instead, private
keys can be validated through EVP_PKEY_private_check and
EVP_PKEY_pairwise_check.

[ky: simplified condition to use either EVP_PKEY_check() or
EVP_PKEY_public_check().]

https://github.com/ruby/openssl/commit/e38a63ab3d





The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1
and 3.0 so that it no longer validates the private key. Instead, private
keys can be validated through EVP_PKEY_private_check and
EVP_PKEY_pairwise_check.

[ky: simplified condition to use either EVP_PKEY_check() or
EVP_PKEY_public_check().]

https://github.com/ruby/openssl/commit/e38a63ab3d







[ruby/openssl] Implement `Certificate.load` to load certificate chain. (https://github.com/ruby/openssl/pull/441)
2021-07-18T08:44:55+00:00

Samuel Williams
samuel.williams@oriontransfer.co.nz

2021-05-21T20:47:20+00:00

1146a94aeea7d2ea1ead3bfcbddd0f4de696abe6

* Add feature for loading the chained certificate into Certificate array.

https://github.com/ruby/openssl/commit/05e1c015d6

Co-authored-by: Sao I Kuan <saoikuan@gmail.com>




* Add feature for loading the chained certificate into Certificate array.

https://github.com/ruby/openssl/commit/05e1c015d6

Co-authored-by: Sao I Kuan <saoikuan@gmail.com>