<feed xmlns='http://www.w3.org/2005/Atom'>
<title>ruby.git/test/openssl/test_pkey.rb, branch v4.0.4</title>
<subtitle>The Ruby Programming Language</subtitle>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/'/>
<entry>
<title>[ruby/openssl] pkey: unify error classes into PKeyError</title>
<updated>2025-11-06T13:33:15+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2024-12-02T14:23:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=16b1aa4e4ab1b81914c58eae8b2f31c963b4bd4c'/>
<id>16b1aa4e4ab1b81914c58eae8b2f31c963b4bd4c</id>
<content type='text'>
Remove the following subclasses of OpenSSL::PKey::PKeyError and make
them aliases of it.

 - OpenSSL::PKey::DHError
 - OpenSSL::PKey::DSAError
 - OpenSSL::PKey::ECError
 - OpenSSL::PKey::RSAError

Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey
raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise
their respective exception classes. However, this distinction is not
particularly useful since all those exception classes represent the
same kind of errors from the underlying EVP_PKEY API.

I think this convention comes from the fact that OpenSSL::PKey::{DH,
DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA,
and RSA, before they were unified to wrap EVP_PKEY, way back in 2002.

OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error
are out of scope of this change, as they are not subclasses of
OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY
API.

https://github.com/ruby/openssl/commit/e74ff3e272
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove the following subclasses of OpenSSL::PKey::PKeyError and make
them aliases of it.

 - OpenSSL::PKey::DHError
 - OpenSSL::PKey::DSAError
 - OpenSSL::PKey::ECError
 - OpenSSL::PKey::RSAError

Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey
raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise
their respective exception classes. However, this distinction is not
particularly useful since all those exception classes represent the
same kind of errors from the underlying EVP_PKEY API.

I think this convention comes from the fact that OpenSSL::PKey::{DH,
DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA,
and RSA, before they were unified to wrap EVP_PKEY, way back in 2002.

OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error
are out of scope of this change, as they are not subclasses of
OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY
API.

https://github.com/ruby/openssl/commit/e74ff3e272
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkey: update keys used in tests</title>
<updated>2025-10-27T06:54:45+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-07-25T11:12:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=a9ba78e4c29d3821d7e86e89993e30202892d851'/>
<id>a9ba78e4c29d3821d7e86e89993e30202892d851</id>
<content type='text'>
Use generic keys whenever possible.

https://github.com/ruby/openssl/commit/90d6af60b9
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use generic keys whenever possible.

https://github.com/ruby/openssl/commit/90d6af60b9
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] Revert "pkey: stop retrying after non-retryable error from OSSL_DECODER"</title>
<updated>2025-09-17T12:18:17+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-09-16T10:29:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=08e7b5f2bdef276c7ea65fa3b01f53c1062acf8d'/>
<id>08e7b5f2bdef276c7ea65fa3b01f53c1062acf8d</id>
<content type='text'>
This reverts commit https://github.com/ruby/openssl/commit/5347880c6eb0 and
https://github.com/ruby/openssl/commit/985ba27d6339.

These commits attempted to stop processing after the first relevant PEM
block, whether it is successful or not, when the input contains multiple
keys.

It turned out that it cannot be reliably determined using the
OSSL_DECODER API. There is an edge case where OSSL_DECODER_from_bio()
reports "unsupported" even though the input actually contains an error:

https://redirect.github.com/ruby/openssl/pull/931#discussion_r2347813807

Revert the changes for now and keep the existing behavior, as partial
support does not seem worth the added complexity.

https://github.com/ruby/openssl/commit/319cd4952a
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This reverts commit https://github.com/ruby/openssl/commit/5347880c6eb0 and
https://github.com/ruby/openssl/commit/985ba27d6339.

These commits attempted to stop processing after the first relevant PEM
block, whether it is successful or not, when the input contains multiple
keys.

It turned out that it cannot be reliably determined using the
OSSL_DECODER API. There is an edge case where OSSL_DECODER_from_bio()
reports "unsupported" even though the input actually contains an error:

https://redirect.github.com/ruby/openssl/pull/931#discussion_r2347813807

Revert the changes for now and keep the existing behavior, as partial
support does not seem worth the added complexity.

https://github.com/ruby/openssl/commit/319cd4952a
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkey: stop retrying after non-retryable error from OSSL_DECODER</title>
<updated>2025-09-12T12:26:07+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-08-12T18:08:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=c0820058243842d1391d896baf67914a8ea50e13'/>
<id>c0820058243842d1391d896baf67914a8ea50e13</id>
<content type='text'>
Continue processing only when OSSL_DECODER_from_bio() returns the error
code ERR_R_UNSUPPORTED. Otherwise, raise an exception without retrying
decoding the input in another format.

This fixes another case where OpenSSL::PKey.read prompts for a
passphrase multiple times when the input contains multiple
passphrase-protected PEM blocks and the first one cannot be decoded.

I am not entirely sure if the error code ERR_R_UNSUPPORTED is considered
part of the public interface of OpenSSL, but this seems to be the only
option available and is the approach used internally by the
PEM_read_bio_*() functions.

Fixes https://github.com/ruby/openssl/issues/927

https://github.com/ruby/openssl/commit/985ba27d63
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Continue processing only when OSSL_DECODER_from_bio() returns the error
code ERR_R_UNSUPPORTED. Otherwise, raise an exception without retrying
decoding the input in another format.

This fixes another case where OpenSSL::PKey.read prompts for a
passphrase multiple times when the input contains multiple
passphrase-protected PEM blocks and the first one cannot be decoded.

I am not entirely sure if the error code ERR_R_UNSUPPORTED is considered
part of the public interface of OpenSSL, but this seems to be the only
option available and is the approach used internally by the
PEM_read_bio_*() functions.

Fixes https://github.com/ruby/openssl/issues/927

https://github.com/ruby/openssl/commit/985ba27d63
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkey: pass pem_password_cb to OSSL_DECODER only when it is needed</title>
<updated>2025-09-12T12:26:07+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-08-03T10:50:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=8af8582d4c3baf0ba41f8b54b43839ec8ba3dc3d'/>
<id>8af8582d4c3baf0ba41f8b54b43839ec8ba3dc3d</id>
<content type='text'>
Specify OSSL_DECODER_CTX_set_pem_password_cb() only when we expect a
passphrase-protected private key.

OSSL_DECODER appears to try to decrypt every PEM block in the input even
when the PEM header does not match the requested selection. This can
cause repeated prompts for a passphrase in a single OpenSSL::PKey.read
call.

https://github.com/ruby/openssl/commit/933503f49f
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Specify OSSL_DECODER_CTX_set_pem_password_cb() only when we expect a
passphrase-protected private key.

OSSL_DECODER appears to try to decrypt every PEM block in the input even
when the PEM header does not match the requested selection. This can
cause repeated prompts for a passphrase in a single OpenSSL::PKey.read
call.

https://github.com/ruby/openssl/commit/933503f49f
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkey: add more tests for OpenSSL::PKey.read</title>
<updated>2025-09-12T12:26:06+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2024-07-04T14:35:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=aca0faf5fd34b1494c417bec75fe8f3baa05db0e'/>
<id>aca0faf5fd34b1494c417bec75fe8f3baa05db0e</id>
<content type='text'>
Add tests covering edge cases in the current behavior to prevent
accidental regressions. The next patches will update the OpenSSL 3.x
path.

https://github.com/ruby/openssl/commit/468f8ceea2
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add tests covering edge cases in the current behavior to prevent
accidental regressions. The next patches will update the OpenSSL 3.x
path.

https://github.com/ruby/openssl/commit/468f8ceea2
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkey: use EVP_PKEY_new_raw_{private,public}_key_ex() if available</title>
<updated>2025-06-25T17:13:11+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-06-05T17:44:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=a1996b32a95c12e0c1f6fd5665ba490b4245f18c'/>
<id>a1996b32a95c12e0c1f6fd5665ba490b4245f18c</id>
<content type='text'>
Algorithms implemented only in OpenSSL 3 providers may not have a
corresponding NID. The *_ex() variants have been added in OpenSSL 3.0
to handle such algorithms, by taking algorithm names as a string.

https://github.com/ruby/openssl/commit/e730e457cc
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Algorithms implemented only in OpenSSL 3 providers may not have a
corresponding NID. The *_ex() variants have been added in OpenSSL 3.0
to handle such algorithms, by taking algorithm names as a string.

https://github.com/ruby/openssl/commit/e730e457cc
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] pkey: handle EVP_PKEY_KEYMGMT return by EVP_PKEY_id()</title>
<updated>2025-06-25T17:13:11+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-04-29T07:34:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=0c6075bd420777b1f66a9ae88d327b7bb4c963d7'/>
<id>0c6075bd420777b1f66a9ae88d327b7bb4c963d7</id>
<content type='text'>
For algorithms implemented solely in an OpenSSL 3 provider, without an
associated EVP_PKEY_METHOD, EVP_PKEY_id() returns a special value
EVP_PKEY_KEYMGMT.

Let OpenSSL::PKey::PKey#oid raise an exception as necessary.
Update PKey#inspect to include the string returned by
EVP_PKEY_get0_type_name(), if available.

https://github.com/ruby/openssl/commit/bd3e32270e
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For algorithms implemented solely in an OpenSSL 3 provider, without an
associated EVP_PKEY_METHOD, EVP_PKEY_id() returns a special value
EVP_PKEY_KEYMGMT.

Let OpenSSL::PKey::PKey#oid raise an exception as necessary.
Update PKey#inspect to include the string returned by
EVP_PKEY_get0_type_name(), if available.

https://github.com/ruby/openssl/commit/bd3e32270e
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] Require OpenSSL 1.1.1 or later</title>
<updated>2025-01-21T18:14:14+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-01-20T17:08:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=43c48e3030c513c17bfcf4c37bbe533097fa1a22'/>
<id>43c48e3030c513c17bfcf4c37bbe533097fa1a22</id>
<content type='text'>
Drop support for OpenSSL 1.1.0. OpenSSL 1.1.0 was a non-LTS release and
it reached upstream EOL in 2019-12 along with OpenSSL 1.0.2.
Distributions that shipped with OpenSSL 1.1.0 include:

 - Debian 9 (EOL 2022-06)
 - Ubuntu 18.04 LTS (EOL 2023-04)

https://github.com/ruby/openssl/commit/ba83abe920
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Drop support for OpenSSL 1.1.0. OpenSSL 1.1.0 was a non-LTS release and
it reached upstream EOL in 2019-12 along with OpenSSL 1.0.2.
Distributions that shipped with OpenSSL 1.1.0 include:

 - Debian 9 (EOL 2022-06)
 - Ubuntu 18.04 LTS (EOL 2023-04)

https://github.com/ruby/openssl/commit/ba83abe920
</pre>
</div>
</content>
</entry>
<entry>
<title>[ruby/openssl] Require OpenSSL 1.1.0 or later</title>
<updated>2025-01-20T17:12:57+00:00</updated>
<author>
<name>Kazuki Yamaguchi</name>
<email>k@rhe.jp</email>
</author>
<published>2025-01-14T12:49:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.ruby-lang.org/ruby.git/commit/?id=441862dc9f11d83e9e35c3b965fe84e42e178a35'/>
<id>441862dc9f11d83e9e35c3b965fe84e42e178a35</id>
<content type='text'>
Drop support for OpenSSL 1.0.2. It reached upstream EOL in 2019-12.

Most distributions that shipped with OpenSSL 1.0.2 have also reached
EOL, or provide a newer version in the package repository:

 - RHEL 7 (EOL 2024-06)
 - Ubuntu 16.04 LTS (EOL 2021-04)
 - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via
   the openssl11{,-devel} package)

https://github.com/ruby/openssl/commit/38ec6fd50e
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Drop support for OpenSSL 1.0.2. It reached upstream EOL in 2019-12.

Most distributions that shipped with OpenSSL 1.0.2 have also reached
EOL, or provide a newer version in the package repository:

 - RHEL 7 (EOL 2024-06)
 - Ubuntu 16.04 LTS (EOL 2021-04)
 - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via
   the openssl11{,-devel} package)

https://github.com/ruby/openssl/commit/38ec6fd50e
</pre>
</div>
</content>
</entry>
</feed>
