<feed xmlns='http://www.w3.org/2005/Atom'>
<title>ruby.git/test/openssl/test_pkcs7.rb, branch v4.0.4</title>
<subtitle>The Ruby Programming Language</subtitle>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/'/>
<entry>
<title>[ruby/openssl] pkcs7: raise OpenSSL::PKCS7::PKCS7Error in #initialize</title>
<updated>2025-12-14T10:46:27+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-12-14T10:33:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=674c3d73e0f92d730bd2e544be344585a638ab37'/>
<id>674c3d73e0f92d730bd2e544be344585a638ab37</id>
<content type='text'>
When d2i_PKCS7_bio() and PEM_read_bio_PKCS7() fail to decode the input,
OpenSSL::PKCS7.new currently raises ArgumentError. The usual practice
in ruby/openssl where an error originates from the underlying OpenSSL
library is to raise OpenSSL::OpenSSLError.

Raise OpenSSL::PKCS7::PKCS7Error instead for consistency with
OpenSSL::PKCS7.read_smime and all other existing #initialize methods
that handle DER/PEM-encoded inputs.

https://github.com/ruby/openssl/commit/67a608ce53
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When d2i_PKCS7_bio() and PEM_read_bio_PKCS7() fail to decode the input,
OpenSSL::PKCS7.new currently raises ArgumentError. The usual practice
in ruby/openssl where an error originates from the underlying OpenSSL
library is to raise OpenSSL::OpenSSLError.

Raise OpenSSL::PKCS7::PKCS7Error instead for consistency with
OpenSSL::PKCS7.read_smime and all other existing #initialize methods
that handle DER/PEM-encoded inputs.

https://github.com/ruby/openssl/commit/67a608ce53
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkcs7: make PKCS7#add_recipient actually useful</title>
<updated>2025-08-01T12:04:06+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-07-31T12:02:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=497782856a6054ab6bf3c195b10146161bebcf11'/>
<id>497782856a6054ab6bf3c195b10146161bebcf11</id>
<content type='text'>
Add a simple test case that creates an enveloped-data structure without
using the shorthand method, and fix two issues preventing this from
working correctly.

First, OpenSSL::PKey::PKCS7#add_recipient currently inserts an
incomplete PKCS7_RECIP_INFO object into the PKCS7 object. When
duplicating an unfinalized PKCS7_RECIP_INFO, the internal X509 reference
must also be copied, as it is later used by #add_data to fill the rest.

A similar issue with #add_signer was fixed in commit https://github.com/ruby/openssl/commit/20ca7a27a86e
(pkcs7: keep private key when duplicating PKCS7_SIGNER_INFO,
2021-03-24).

Second, #add_data calls PKCS7_dataFinal(), which for enveloped-data
appears to require the BIO to be flushed explicitly with BIO_flush().
Without this, the last block of the encrypted data would be missing.

https://github.com/ruby/openssl/commit/9595ecf643
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add a simple test case that creates an enveloped-data structure without
using the shorthand method, and fix two issues preventing this from
working correctly.

First, OpenSSL::PKey::PKCS7#add_recipient currently inserts an
incomplete PKCS7_RECIP_INFO object into the PKCS7 object. When
duplicating an unfinalized PKCS7_RECIP_INFO, the internal X509 reference
must also be copied, as it is later used by #add_data to fill the rest.

A similar issue with #add_signer was fixed in commit https://github.com/ruby/openssl/commit/20ca7a27a86e
(pkcs7: keep private key when duplicating PKCS7_SIGNER_INFO,
2021-03-24).

Second, #add_data calls PKCS7_dataFinal(), which for enveloped-data
appears to require the BIO to be flushed explicitly with BIO_flush().
Without this, the last block of the encrypted data would be missing.

https://github.com/ruby/openssl/commit/9595ecf643
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkcs7: fix error queue leak in OpenSSL::PKCS7#detached</title>
<updated>2025-08-01T12:03:39+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-07-31T17:40:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=3fe4ab0d23150f47e2ee6af0badbe08c070a9a95'/>
<id>3fe4ab0d23150f47e2ee6af0badbe08c070a9a95</id>
<content type='text'>
Only call PKCS7_get_detached() if the PKCS7 object is a signed-data.
This is only useful for the content type, and leaves an error entry if
called on a PKCS7 object with a different content type.

https://github.com/ruby/openssl/commit/8997f6d5e6
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Only call PKCS7_get_detached() if the PKCS7 object is a signed-data.
This is only useful for the content type, and leaves an error entry if
called on a PKCS7 object with a different content type.

https://github.com/ruby/openssl/commit/8997f6d5e6
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkcs7: clean up tests</title>
<updated>2025-07-31T17:38:36+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-07-24T18:14:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=865a6191d06902cebbebc41774faa947aeaea06f'/>
<id>865a6191d06902cebbebc41774faa947aeaea06f</id>
<content type='text'>
This includes:

 - Update test keys to the generic rsa-{1,2,3}.pem.
 - Add omissions for enveloped-data tests so that the rest can be
   tested in the FIPS mode.
 - Add tests for PKCS7#error_string and #data.
 - Check more error paths.
 - Various style fixes.

https://github.com/ruby/openssl/commit/58f0022de3
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This includes:

 - Update test keys to the generic rsa-{1,2,3}.pem.
 - Add omissions for enveloped-data tests so that the rest can be
   tested in the FIPS mode.
 - Add tests for PKCS7#error_string and #data.
 - Check more error paths.
 - Various style fixes.

https://github.com/ruby/openssl/commit/58f0022de3
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] AWS-LC has support for parsing ber constructed strings now</title>
<updated>2025-05-15T16:40:42+00:00</updated>
<author>
<name>Samuel Chiang</name>
<email>sachiang@amazon.com</email>
</author>
<published>2025-05-15T00:50:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=0b9644c252483d2d677ee05b487369f5462e5693'/>
<id>0b9644c252483d2d677ee05b487369f5462e5693</id>
<content type='text'>
https://github.com/ruby/openssl/commit/cdfc08db50
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://github.com/ruby/openssl/commit/cdfc08db50
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkcs7: fix test failure on RHEL 9</title>
<updated>2025-04-03T17:58:30+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-04-03T17:20:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=6b5e187d0eb07994fee7b5f0336da388a793dcbb'/>
<id>6b5e187d0eb07994fee7b5f0336da388a793dcbb</id>
<content type='text'>
The test case test_split_content fails on RHEL 9 and Fedora 41 because
their OpenSSL packages do not accept SHA-1 signatures. This was only
caught after commit https://github.com/ruby/openssl/commit/69fd7f886313 added the missing assertion.

While the example PKCS#7 structures could be simply regenerated with
SHA-256, this test case could be simplified because it is checking two
different things.

Replace test_split_content with separate test cases: one verifying
signed-data authenticatedAttributes and another for decoding BER input.

Fixes https://github.com/ruby/openssl/issues/875

https://github.com/ruby/openssl/commit/b32406b0c1
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The test case test_split_content fails on RHEL 9 and Fedora 41 because
their OpenSSL packages do not accept SHA-1 signatures. This was only
caught after commit https://github.com/ruby/openssl/commit/69fd7f886313 added the missing assertion.

While the example PKCS#7 structures could be simply regenerated with
SHA-256, this test case could be simplified because it is checking two
different things.

Replace test_split_content with separate test cases: one verifying
signed-data authenticatedAttributes and another for decoding BER input.

Fixes https://github.com/ruby/openssl/issues/875

https://github.com/ruby/openssl/commit/b32406b0c1
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkcs7: update test case test_graceful_parsing_failure</title>
<updated>2025-04-03T17:58:29+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-04-03T13:02:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=3911113bc4d441d01ad888fbaaee494c9386ebe0'/>
<id>3911113bc4d441d01ad888fbaaee494c9386ebe0</id>
<content type='text'>
Using test_pkcs7.rb as an example invalid input is not reliable because
we may happen to include a valid PKCS#7 PEM block in a heredoc.

https://github.com/ruby/openssl/commit/76fead26d2
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Using test_pkcs7.rb as an example invalid input is not reliable because
we may happen to include a valid PKCS#7 PEM block in a heredoc.

https://github.com/ruby/openssl/commit/76fead26d2
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] Skip PKCS7 with indefinite length test in AWS-LC</title>
<updated>2025-03-30T13:46:28+00:00</updated>
<author>
<name>Samuel Chiang</name>
<email>sachiang@amazon.com</email>
</author>
<published>2025-03-19T01:33:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=6b5aa432913c8aaef96513618d0edc73cdb6141c'/>
<id>6b5aa432913c8aaef96513618d0edc73cdb6141c</id>
<content type='text'>
AWS-LC had been decoding the indefinite BER to an unusable output. We
should skip the test until indefinite BER decoding in AWS-LC is
properly fixed.

Changes:
1. AWS-LC will be looking to fix the parsing for indefinite BER
constructed strings in AWS-LC soon, so I've marked the test as `pend`
for now and removed the AWS-LC specific logic at the end.
2. I've added an assertion to verify that `OpenSSL::PKCS7.verify`
behaves correctly before doing content comparisons. I noticed this was
failing initially in AWS-LC, but that will be fixed soon as well. This
shouldn't affect OpenSSL/LibreSSL builds and should improve the test.

https://github.com/ruby/openssl/commit/69fd7f8863
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
AWS-LC had been decoding the indefinite BER to an unusable output. We
should skip the test until indefinite BER decoding in AWS-LC is
properly fixed.

Changes:
1. AWS-LC will be looking to fix the parsing for indefinite BER
constructed strings in AWS-LC soon, so I've marked the test as `pend`
for now and removed the AWS-LC specific logic at the end.
2. I've added an assertion to verify that `OpenSSL::PKCS7.verify`
behaves correctly before doing content comparisons. I noticed this was
failing initially in AWS-LC, but that will be fixed soon as well. This
shouldn't affect OpenSSL/LibreSSL builds and should improve the test.

https://github.com/ruby/openssl/commit/69fd7f8863
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] test_pkcs7.rb: skip AWS-LC's unsupported features</title>
<updated>2025-02-22T15:11:38+00:00</updated>
<author>
<name>Samuel Chiang</name>
<email>sachiang@amazon.com</email>
</author>
<published>2025-02-12T01:38:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=6263d0d16bbe18fa210d2d67816dbd14272e109e'/>
<id>6263d0d16bbe18fa210d2d67816dbd14272e109e</id>
<content type='text'>
1. AWS-LC has no support for SMIME with PKCS7. That may change in the
   near future, so I've marked that with "pend" for now.
2. AWS-LC doesn't support printing of PKCS7 contents with
   PKCS7_print_ctx.
3. OpenSSL traditionally used indefinite-length encoding with
   ASN1_TFLG_NDEF in its implementation for PKCS7 EncryptedContent.
   AWS-LC uses explicit OCTET STRING headers to encode instead,
   which leads to a slight difference in serialized ASN1 contents
   from the two libraries.

https://github.com/ruby/openssl/commit/78c585a9c2
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
1. AWS-LC has no support for SMIME with PKCS7. That may change in the
   near future, so I've marked that with "pend" for now.
2. AWS-LC doesn't support printing of PKCS7 contents with
   PKCS7_print_ctx.
3. OpenSSL traditionally used indefinite-length encoding with
   ASN1_TFLG_NDEF in its implementation for PKCS7 EncryptedContent.
   AWS-LC uses explicit OCTET STRING headers to encode instead,
   which leads to a slight difference in serialized ASN1 contents
   from the two libraries.

https://github.com/ruby/openssl/commit/78c585a9c2
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkcs7: add a test case for the data content type</title>
<updated>2025-02-11T16:42:25+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-02-09T10:37:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=dedd05e9c81c210b201f5569ce83d9748f8bb2ab'/>
<id>dedd05e9c81c210b201f5569ce83d9748f8bb2ab</id>
<content type='text'>
While it is not useful alone, it is still a valid content type. Some
methods on OpenSSL::PKCS7 are only meant to work with the signed-data
or enveloped-data content type. Add some assertions for their behavior
with unsupported content types. The next patches will update the
relevant code.

https://github.com/ruby/openssl/commit/adb42b5b84
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
While it is not useful alone, it is still a valid content type. Some
methods on OpenSSL::PKCS7 are only meant to work with the signed-data
or enveloped-data content type. Add some assertions for their behavior
with unsupported content types. The next patches will update the
relevant code.

https://github.com/ruby/openssl/commit/adb42b5b84
</pre>
</div>
</content>
</entry>
</feed>
