ruby.git/test/openssl/test_pkey_dh.rb, branch v4.0.3 The Ruby Programming Language [ruby/openssl] pkey: unify error classes into PKeyError 2025-11-06T13:33:15+00:00 Kazuki Yamaguchi k@rhe.jp 2024-12-02T14:23:20+00:00 16b1aa4e4ab1b81914c58eae8b2f31c963b4bd4c Remove the following subclasses of OpenSSL::PKey::PKeyError and make them aliases of it. - OpenSSL::PKey::DHError - OpenSSL::PKey::DSAError - OpenSSL::PKey::ECError - OpenSSL::PKey::RSAError Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise their respective exception classes. However, this distinction is not particularly useful since all those exception classes represent the same kind of errors from the underlying EVP_PKEY API. I think this convention comes from the fact that OpenSSL::PKey::{DH, DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA, and RSA, before they were unified to wrap EVP_PKEY, way back in 2002. OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error are out of scope of this change, as they are not subclasses of OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY API. https://github.com/ruby/openssl/commit/e74ff3e272 
Remove the following subclasses of OpenSSL::PKey::PKeyError and make
them aliases of it.

 - OpenSSL::PKey::DHError
 - OpenSSL::PKey::DSAError
 - OpenSSL::PKey::ECError
 - OpenSSL::PKey::RSAError

Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey
raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise
their respective exception classes. However, this distinction is not
particularly useful since all those exception classes represent the
same kind of errors from the underlying EVP_PKEY API.

I think this convention comes from the fact that OpenSSL::PKey::{DH,
DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA,
and RSA, before they were unified to wrap EVP_PKEY, way back in 2002.

OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error
are out of scope of this change, as they are not subclasses of
OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY
API.

https://github.com/ruby/openssl/commit/e74ff3e272
[ruby/openssl] pkey/dh: refactor tests 2025-09-30T11:59:41+00:00 Kazuki Yamaguchi k@rhe.jp 2025-09-30T09:27:35+00:00 37d65e9252a4c3096325c63a876a289e03a7417c - Generate smaller parameters in test_new_generate. Generating 2048-bit parameters is slow and sometimes takes a few minutes on GitHub-hosted CI runners. Also test the DH.generate alias, not just DH.new. - Simplify test_new_break to just check exceptions raised in the block because it is redundant. - Remove unnecessary OpenSSL::PKey::DH#public_key calls. - Update bare "assert" with more appropriate methods. https://github.com/ruby/openssl/commit/8bc7442310 
 - Generate smaller parameters in test_new_generate. Generating 2048-bit
   parameters is slow and sometimes takes a few minutes on GitHub-hosted
   CI runners. Also test the DH.generate alias, not just DH.new.
 - Simplify test_new_break to just check exceptions raised in the block
   because it is redundant.
 - Remove unnecessary OpenSSL::PKey::DH#public_key calls.
 - Update bare "assert" with more appropriate methods.

https://github.com/ruby/openssl/commit/8bc7442310
[ruby/openssl] pkey: disallow {DH,DSA,EC,RSA}.new without arguments with OpenSSL 3.0 2025-09-30T11:59:28+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-29T17:26:41+00:00 ad35a4be82f9356045036875759874bfac6c483b Raise ArgumentError if this is attempted when the extension is compiled with OpenSSL 3.0 or later. The form will be fully removed when we drop support for OpenSSL 1.1.1. When OpenSSL::PKey::{DH,DSA,EC,RSA}.new is called without any arguments, it sets up an empty corresponding low-level struct and wraps it in an EVP_PKEY. This is useful when the user later fills the missing fields using low-level setter methods such as OpenSSL::PKey::RSA#set_key. Such setter methods are not compatible with OpenSSL 3.0 or later, where EVP_PKEY is immutable once created. This means that the ability to create an empty instance is useless. https://github.com/ruby/openssl/commit/affd569f78 
Raise ArgumentError if this is attempted when the extension is compiled
with OpenSSL 3.0 or later. The form will be fully removed when we drop
support for OpenSSL 1.1.1.

When OpenSSL::PKey::{DH,DSA,EC,RSA}.new is called without any arguments,
it sets up an empty corresponding low-level struct and wraps it in an
EVP_PKEY. This is useful when the user later fills the missing fields
using low-level setter methods such as OpenSSL::PKey::RSA#set_key.

Such setter methods are not compatible with OpenSSL 3.0 or later, where
EVP_PKEY is immutable once created. This means that the ability to
create an empty instance is useless.

https://github.com/ruby/openssl/commit/affd569f78
[ruby/openssl] pkey: skip tests using invalid keys in the FIPS mode 2025-08-12T18:08:37+00:00 Kazuki Yamaguchi k@rhe.jp 2025-08-12T17:36:02+00:00 507b1e4bde074bdda3083df6b4c2190a385f84bf In OpenSSL's master branch, importing/loading a key in the FIPS mode automatically performs a pair-wise consistency check. This breaks tests for OpenSSL::PKey::EC#check_key and DH#params_ok? as they use deliberately invalid keys. These methods would not be useful in the FIPS mode anyway. Fixes https://github.com/ruby/openssl/issues/926 https://github.com/ruby/openssl/commit/25ad8f4bdb 
In OpenSSL's master branch, importing/loading a key in the FIPS mode
automatically performs a pair-wise consistency check. This breaks tests
for OpenSSL::PKey::EC#check_key and DH#params_ok? as they use
deliberately invalid keys. These methods would not be useful in the
FIPS mode anyway.

Fixes https://github.com/ruby/openssl/issues/926

https://github.com/ruby/openssl/commit/25ad8f4bdb
[ruby/openssl] Move slow tests to OSSL_TEST_ALL=1 only 2025-07-21T14:31:24+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-10T12:46:36+00:00 090825f5fc9fb40cc7d27c72ec8343ddcea51cda Update GitHub Actions workflows to set OSSL_TEST_ALL=1. Exclude a few slow tests that are not critical for local development, unless OSSL_TEST_ALL=1 is set. The bindings code paths are still reached by other tests with smaller inputs, and failures in those would likely indicate an issue in OpenSSL rather than in the bindings. Newly excluded tests include generating large DSA keys and measuring CRYPTO_memcmp() timing. These tests currently take nearly half of the total runtime. https://github.com/ruby/openssl/commit/382eca2aec 
Update GitHub Actions workflows to set OSSL_TEST_ALL=1.

Exclude a few slow tests that are not critical for local development,
unless OSSL_TEST_ALL=1 is set. The bindings code paths are still reached
by other tests with smaller inputs, and failures in those would likely
indicate an issue in OpenSSL rather than in the bindings.

Newly excluded tests include generating large DSA keys and measuring
CRYPTO_memcmp() timing. These tests currently take nearly half of the
total runtime.

https://github.com/ruby/openssl/commit/382eca2aec
[ruby/openssl] test_pkey_dh.rb: Merge 2 test_new_break tests to one test. 2025-03-03T15:27:56+00:00 Jun Aruga jaruga@redhat.com 2025-03-03T13:28:12+00:00 9ccba88160c1b702a97b80817b97109cc2b9f33c Merge 2 test_new_break tests to one test because it's easy to maintain the test. https://github.com/ruby/openssl/commit/446ff3e11f 
Merge 2 test_new_break tests to one test because it's easy to maintain the test.

https://github.com/ruby/openssl/commit/446ff3e11f
[ruby/openssl] pkey/dh: tweak break tests for AWS-LC 2025-02-22T15:11:39+00:00 Samuel Chiang sachiang@amazon.com 2025-02-12T01:59:29+00:00 23465d8446fa32c7a76f0e11c4bf8f1e56e98e9e We reecently tweaked some break tests in test_pkey_dh.rb due to different behavior with OpenSSL in FIPS mode. AWS-LC does not inherit the same specific behavior, so tests have been adjusted accordingly. https://github.com/ruby/openssl/commit/3117897dbc 
We reecently tweaked some break tests in test_pkey_dh.rb due to
different behavior with OpenSSL in FIPS mode.
AWS-LC does not inherit the same specific behavior, so tests
have been adjusted accordingly.

https://github.com/ruby/openssl/commit/3117897dbc
[ruby/openssl] pkey: AWS-LC disallows parsing of invalid keys and params 2025-02-22T15:11:38+00:00 Samuel Chiang sachiang@amazon.com 2025-02-12T01:45:15+00:00 f63a123606286eadd812313a4ea42af8ea8c686f OpenSSL allows invalid EC keys or DH params to be parsed. The consuming application can then run parameter/key checks to check the validity of the parameters. We happen to run tests to verify that this behaves as expected. AWS-LC on the other hand, directly raises an error and disallows the invalid state to be parsed, rather than making it parsable and checking the validity later. Relevant tests have been adjusted accordingly to reflect this. https://github.com/ruby/openssl/commit/febe50be1b 
OpenSSL allows invalid EC keys or DH params to be parsed. The consuming
application can then run parameter/key checks to check the validity of
the parameters. We happen to run tests to verify that this behaves as
expected.
AWS-LC on the other hand, directly raises an error and disallows the
invalid state to be parsed, rather than making it parsable and checking
the validity later. Relevant tests have been adjusted accordingly to
reflect this.

https://github.com/ruby/openssl/commit/febe50be1b
[ruby/openssl] pkey: change PKey::{RSA,DSA,DH}#params to use nil for missing parameters 2025-01-22T16:45:52+00:00 Kazuki Yamaguchi k@rhe.jp 2024-06-14T05:45:56+00:00 87316d58faa2d57e9f1c1df2f76584a129a60bcc The returned Hash from these methods contain 0 in place of a missing parameter in the key, for example: pkey = OpenSSL::PKey.read(OpenSSL::PKey::RSA.new(2048).public_to_pem) pp pkey.params #=> # {"n"=>#<OpenSSL::BN https://github.com/ruby/openssl/commit/286934673421[...snip]>, # "e"=>#<OpenSSL::BN 65537>, # "d"=>#<OpenSSL::BN 0>, # "p"=>#<OpenSSL::BN 0>, # "q"=>#<OpenSSL::BN 0>, # "dmp1"=>#<OpenSSL::BN 0>, # "dmq1"=>#<OpenSSL::BN 0>, # "iqmp"=>#<OpenSSL::BN 0>} Let's use nil instead, which is more appropriate for indicating a missing value. https://github.com/ruby/openssl/commit/f247ec3dec 
The returned Hash from these methods contain 0 in place of a missing
parameter in the key, for example:

	pkey = OpenSSL::PKey.read(OpenSSL::PKey::RSA.new(2048).public_to_pem)
	pp pkey.params
	#=>
	# {"n"=>#<OpenSSL::BN https://github.com/ruby/openssl/commit/286934673421[...snip]>,
	#  "e"=>#<OpenSSL::BN 65537>,
	#  "d"=>#<OpenSSL::BN 0>,
	#  "p"=>#<OpenSSL::BN 0>,
	#  "q"=>#<OpenSSL::BN 0>,
	#  "dmp1"=>#<OpenSSL::BN 0>,
	#  "dmq1"=>#<OpenSSL::BN 0>,
	#  "iqmp"=>#<OpenSSL::BN 0>}

Let's use nil instead, which is more appropriate for indicating a
missing value.

https://github.com/ruby/openssl/commit/f247ec3dec
[ruby/openssl] pkey: add tests for PKey::{RSA,DSA,DH}#params 2025-01-22T16:45:51+00:00 Kazuki Yamaguchi k@rhe.jp 2024-06-14T05:50:21+00:00 47fe59cd8299a04dfa7af41131d0563c0e6f5b98 Add missing test cases to verify the current behavior. The next patch will rewrite those methods. https://github.com/ruby/openssl/commit/c0e0669f9b 
Add missing test cases to verify the current behavior. The next patch
will rewrite those methods.

https://github.com/ruby/openssl/commit/c0e0669f9b