ruby.git/test/openssl/test_asn1.rb, branch v4.0.4 The Ruby Programming Language [ruby/openssl] asn1: use ASN1_TIME_to_tm() to decode UTCTime and GeneralizedTime 2025-12-05T12:24:54+00:00 Kazuki Yamaguchi k@rhe.jp 2025-02-27T18:10:35+00:00 f179885d3c454c6a98c23b2a977480657bb0f676 The current logic relies on sscanf() and error checks are almost entirely missing. It also assumes that ASN1_STRING contents are NUL terminated, which is undocumented and not guaranteed for all valid ASN1_TIME objects. Switch to using ASN1_TIME_to_tm() added in OpenSSL 1.1.1. It is also supported by LibreSSL and AWS-LC. In the long term, we may want to replace ASN1_TIME_to_tm() with a hand-rolled decoder, since the function is intended for a specific use-case. It is too permissive for strict DER, yet still does not support all valid DER inputs and silently drops information such as fractional seconds. However, it handles everything that the current sscanf() code could handle. https://github.com/ruby/openssl/commit/73484f6794 
The current logic relies on sscanf() and error checks are almost
entirely missing. It also assumes that ASN1_STRING contents are NUL
terminated, which is undocumented and not guaranteed for all valid
ASN1_TIME objects.

Switch to using ASN1_TIME_to_tm() added in OpenSSL 1.1.1. It is also
supported by LibreSSL and AWS-LC.

In the long term, we may want to replace ASN1_TIME_to_tm() with a
hand-rolled decoder, since the function is intended for a specific
use-case. It is too permissive for strict DER, yet still does not
support all valid DER inputs and silently drops information such as
fractional seconds. However, it handles everything that the current
sscanf() code could handle.

https://github.com/ruby/openssl/commit/73484f6794
[ruby/openssl] asn1: refactor converting ASN1_OBJECT to string 2025-11-22T16:48:13+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-18T16:41:35+00:00 dd489ee9c48fc8c2b499b80f3ebcd053de33bb0a ruby/openssl exposes OIDs to Ruby as strings in many places, but the conversion logic has been duplicated and the behavior is inconsistent. There are mainly two patterns: - Returns the short name associated with the OID/NID, or the dotted decimal notation if it is unknown to OpenSSL. - Returns the long name, or the dotted decimal notation. These patterns are implemented using different OpenSSL APIs and that caused subtle differences. Add helper functions ossl_asn1obj_to_string() and ossl_asn1obj_to_string_long_name() to unify the logic. Also, document the current behaviors where it is not yet done. The inconsistency was likely unintentional, but since it dates back to the original implementations, standardizing it now would cause more issues than it resolves. https://github.com/ruby/openssl/commit/2ea36c21a4 
ruby/openssl exposes OIDs to Ruby as strings in many places, but the
conversion logic has been duplicated and the behavior is inconsistent.
There are mainly two patterns:

 - Returns the short name associated with the OID/NID, or the dotted
   decimal notation if it is unknown to OpenSSL.
 - Returns the long name, or the dotted decimal notation.

These patterns are implemented using different OpenSSL APIs and that
caused subtle differences. Add helper functions ossl_asn1obj_to_string()
and ossl_asn1obj_to_string_long_name() to unify the logic.

Also, document the current behaviors where it is not yet done. The
inconsistency was likely unintentional, but since it dates back to the
original implementations, standardizing it now would cause more issues
than it resolves.

https://github.com/ruby/openssl/commit/2ea36c21a4
[ruby/openssl] asn1: update keys used in tests 2025-10-27T06:54:44+00:00 Kazuki Yamaguchi k@rhe.jp 2025-10-17T16:52:15+00:00 bf244356ea11c1cc67221de6b3cfeebe4f333df2 Use generic keys whenever possible. https://github.com/ruby/openssl/commit/689fc271b1 
Use generic keys whenever possible.

https://github.com/ruby/openssl/commit/689fc271b1
[ruby/openssl] asn1: align UTCTime year range with RFC 5280 2025-07-12T13:25:24+00:00 Kazuki Yamaguchi k@rhe.jp 2025-02-27T11:18:43+00:00 753e3b7ae352755e977228af62d24b3c7e2a9477 ASN.1 UTCTime uses two-digit years. While X.680 does not specify how to map them as far as I can tell, X.509/PKIX uses this type to represent dates between year 1950-2049. OpenSSL::ASN1.decode has used 1969-2068 since the initial implementation. Given that ASN1::UTCTime#to_der relies on OpenSSL ASN1_UTCTIME type, which assumes the 1950-2049 range, this was likely unintentional. Use the range 1950-2049 consistently, and fix decoding of X.509 certificates with dates in 1950-1968. https://github.com/ruby/openssl/commit/b8b38e1438 
ASN.1 UTCTime uses two-digit years. While X.680 does not specify how to
map them as far as I can tell, X.509/PKIX uses this type to represent
dates between year 1950-2049.

OpenSSL::ASN1.decode has used 1969-2068 since the initial
implementation. Given that ASN1::UTCTime#to_der relies on OpenSSL
ASN1_UTCTIME type, which assumes the 1950-2049 range, this was likely
unintentional.

Use the range 1950-2049 consistently, and fix decoding of X.509
certificates with dates in 1950-1968.

https://github.com/ruby/openssl/commit/b8b38e1438
[ruby/openssl] asn1: check for missing EOC in indefinite length encoding 2025-04-20T07:41:15+00:00 Kazuki Yamaguchi k@rhe.jp 2025-02-22T15:18:38+00:00 93afcfcde36581e6f94b69c3f40fd0021f382d70 EOC octets are required at the end of contents of a constructed encoding that uses the indefinite length form. This cannot be assumed from the end of the input. Raise an exception when necessary. https://github.com/ruby/openssl/commit/bc20c13a7c 
EOC octets are required at the end of contents of a constructed encoding
that uses the indefinite length form. This cannot be assumed from the
end of the input. Raise an exception when necessary.

https://github.com/ruby/openssl/commit/bc20c13a7c
[ruby/openssl] asn1: adjusting an ASN1 test to use CONTEXT_SPECIFIC 2025-02-22T15:11:38+00:00 Samuel Chiang sachiang@amazon.com 2025-02-12T01:37:17+00:00 b995eee81183c793c36ad87715e23d2e96bd8f5f AWS-LC's ASN1 parsing capabilities led to us examine some of our ASN1 tests. One test in test_asn1.rb happens to use a tag number of 8224. There are concerns with larger UNIVERSAL tags being ambiguous with negative ASN1 Integers, so I've adjusted the test to use CONTEXT_SPECIFIC instead with the same tag number (8224). https://github.com/ruby/openssl/commit/c73d9985ab 
AWS-LC's ASN1 parsing capabilities led to us examine some of our
ASN1 tests. One test in test_asn1.rb happens to use a tag number
of 8224. There are concerns with larger UNIVERSAL tags being
ambiguous with negative ASN1 Integers, so I've adjusted the test
to use CONTEXT_SPECIFIC instead with the same tag number (8224).

https://github.com/ruby/openssl/commit/c73d9985ab
asn1: fix ObjectId#== 2024-11-14T02:21:39+00:00 Kazuki Yamaguchi k@rhe.jp 2024-08-24T04:29:50+00:00 a0f1f161452e9a8c3d017ffbfce5744c775b668f Compare by the dotted decimal notation rather than the NID. OpenSSL::ASN1::ObjectId can store OIDs that are not registered in OpenSSL's internal table. NID is not defined for such an OID, but it is not an error. The == method also should not raise TypeError if the other object is not an instance of OpenSSL::ASN1::ObjectId. Fixes: https://github.com/ruby/openssl/issues/791 
Compare by the dotted decimal notation rather than the NID.

OpenSSL::ASN1::ObjectId can store OIDs that are not registered in
OpenSSL's internal table. NID is not defined for such an OID, but it is
not an error.

The == method also should not raise TypeError if the other object is
not an instance of OpenSSL::ASN1::ObjectId.

Fixes: https://github.com/ruby/openssl/issues/791
[ruby/openssl] test_asn1.rb: Remove the assertions of the time string format without second. 2024-03-13T15:19:40+00:00 Jun Aruga jaruga@redhat.com 2024-03-12T13:39:05+00:00 dd5e625d7bcb7dc849fdbc2ad8053f9c2724efb4 This commit fixes the following errors in the tests. Because the OpenSSL project changed the code to make the time string format without second invalid. So, we drop the assertions. ``` 1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode' /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test' /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime' 430: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39)) 431: # LibreSSL 3.6.0 requires the seconds element 432: return if libressl? => 433: decode_test B(%w{ 18 0D }) + "201612081934Z".b, 434: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0)) 435: # not implemented 436: # decode_test B(%w{ 18 13 }) + "https://github.com/ruby/openssl/commit/201612081934+0930".b, 2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode' /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test' /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime' 408: end 409: # Seconds is omitted. LibreSSL 3.6.0 requires it 410: return if libressl? => 411: decode_test B(%w{ 17 0B }) + "1609082343Z".b, 412: OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0)) 413: # not implemented 414: # decode_test B(%w{ 17 11 }) + "https://github.com/ruby/openssl/commit/500908234339+0930".b, ``` https://github.com/ruby/openssl/commit/2e826d5715 
This commit fixes the following errors in the tests.
Because the OpenSSL project changed the code to make the time string format
without second invalid. So, we drop the assertions.

```
1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
     430:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
     431:     # LibreSSL 3.6.0 requires the seconds element
     432:     return if libressl?
  => 433:     decode_test B(%w{ 18 0D }) + "201612081934Z".b,
     434:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
     435:     # not implemented
     436:     # decode_test B(%w{ 18 13 }) + "https://github.com/ruby/openssl/commit/201612081934+0930".b,

2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
     408:     end
     409:     # Seconds is omitted. LibreSSL 3.6.0 requires it
     410:     return if libressl?
  => 411:     decode_test B(%w{ 17 0B }) + "1609082343Z".b,
     412:       OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
     413:     # not implemented
     414:     # decode_test B(%w{ 17 11 }) + "https://github.com/ruby/openssl/commit/500908234339+0930".b,
```

https://github.com/ruby/openssl/commit/2e826d5715
[ruby/openssl] test/openssl/test_asn1.rb: remove pend for unsupported LibreSSL versions 2022-12-23T00:39:15+00:00 Kazuki Yamaguchi k@rhe.jp 2022-10-17T07:50:10+00:00 7c073cc11221eb85ac0c55ec38ff4c9da22ca26c Commit https://github.com/ruby/openssl/commit/af895bc5596b ("asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid", 2016-12-15) added this test case. The OBJ_obj2txt() issue was fixed by LibreSSL 2.5.1 (released in 2017) and is no longer relevant today. https://github.com/ruby/openssl/commit/6a188f1a29 
Commit https://github.com/ruby/openssl/commit/af895bc5596b ("asn1: avoid truncating OID in
OpenSSL::ASN1::ObjectId#oid", 2016-12-15) added this test case.

The OBJ_obj2txt() issue was fixed by LibreSSL 2.5.1 (released in 2017)
and is no longer relevant today.

https://github.com/ruby/openssl/commit/6a188f1a29
[ruby/openssl] test/openssl/test_asn1.rb: skip failing tests on LibreSSL 3.6.0 2022-12-23T00:39:15+00:00 Kazuki Yamaguchi k@rhe.jp 2022-10-17T07:50:01+00:00 5591e4935da7b606f9d3047894eeea5d7e4a8864 LibreSSL 3.6.0 expects the seconds part in UTCTime and GeneralizedTime to be always present. LibreSSL 3.6.0 release note [1] says: > - The ASN.1 time parser has been refactored and rewritten using CBS. > It has been made stricter in that it now enforces the rules from > RFC 5280. [1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt https://github.com/ruby/openssl/commit/bbc540fe83 
LibreSSL 3.6.0 expects the seconds part in UTCTime and GeneralizedTime
to be always present. LibreSSL 3.6.0 release note [1] says:

> - The ASN.1 time parser has been refactored and rewritten using CBS.
>   It has been made stricter in that it now enforces the rules from
>   RFC 5280.

[1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt

https://github.com/ruby/openssl/commit/bbc540fe83