ruby.git/test/openssl/test_pkey_dsa.rb, branch v3_4_9 The Ruby Programming Language Update openssl gem to 3.3.1 for Ruby 3.4 (#14792) 2025-10-09T14:32:47+00:00 Bo Anderson mail@boanderson.me 2025-10-09T14:32:47+00:00 fce44db5eb7baf1ddd2238254c3cf617fcfd1112 Update openssl gem to 3.3.1 [Backport #21631] 
Update openssl gem to 3.3.1

[Backport #21631]
 [ruby/openssl] test/openssl/test_pkey_dsa.rb: skip all tests in FIPS mode 2024-08-06T06:38:03+00:00 Kazuki Yamaguchi k@rhe.jp 2024-07-30T16:05:32+00:00 65e3717db7bfd957660a5b3d9c5ac4fd22e8d858 OpenSSL running in the FIPS mode will stop supporting DSA key generation and signature generation due to a FIPS 140-3 requirement. Although it appears that FIPS 186-5 still allows signature verification in some cases, there would be little point in writing such a specific test case. DSA will still be tested if OpenSSL is not running in the FIPS mode. test_generate_on_non_fips is merged to test_generate again. https://github.com/ruby/openssl/commit/3651884fd2 
OpenSSL running in the FIPS mode will stop supporting DSA key
generation and signature generation due to a FIPS 140-3 requirement.
Although it appears that FIPS 186-5 still allows signature
verification in some cases, there would be little point in writing such
a specific test case.

DSA will still be tested if OpenSSL is not running in the FIPS mode.

test_generate_on_non_fips is merged to test_generate again.

https://github.com/ruby/openssl/commit/3651884fd2
[ruby/openssl] Fix test_pkey_dsa.rb in FIPS. 2024-03-27T03:16:11+00:00 Jun Aruga jaruga@redhat.com 2024-03-12T16:12:08+00:00 8896ac0289dcd7a6c9c4a7fd6ccd4cc2dae30507 Note that I created the `dsa2048.pem` and signature text (`signature_encoded.txt`), that is used as a text to create the `signature0` in the `test_sign_verify` by the following steps with the `openssl` CLI on FIPS module. ``` $ OPENSSL_DIR="${HOME}/.local/openssl-3.3.0-dev-fips-debug-1f03d33ef5" $ export OPENSSL_CONF="${OPENSSL_DIR}/ssl/openssl_fips.cnf" $ "${OPENSSL_DIR}/bin/openssl" dsaparam -out dsaparam2048.pem 2048 $ "${OPENSSL_DIR}/bin/openssl" gendsa -out dsa2048.pem dsaparam2048.pem $ echo -n "Sign me!" > data.txt $ "${OPENSSL_DIR}/bin/openssl" dgst -sha256 -sign dsa2048.pem data.txt > signature.txt $ cat signature.txt | base64 > signature_encoded.txt ``` Skip the `test_DSAPrivateKey_encrypted` on FIPS because AES-128-CBC, the password based encryption used in the PEM format uses MD5 for deriving the encryption key from the password, and MD5 is not FIPS-approved. See also the comment on the `test/openssl/utils.rb#omit_on_fips`. https://github.com/ruby/openssl/commit/4bdcb419a9 
Note that I created the `dsa2048.pem` and signature text
(`signature_encoded.txt`), that is used as a text to create the `signature0` in
the `test_sign_verify` by the following steps with the `openssl` CLI on FIPS
module.

```
$ OPENSSL_DIR="${HOME}/.local/openssl-3.3.0-dev-fips-debug-1f03d33ef5"
$ export OPENSSL_CONF="${OPENSSL_DIR}/ssl/openssl_fips.cnf"

$ "${OPENSSL_DIR}/bin/openssl" dsaparam -out dsaparam2048.pem 2048
$ "${OPENSSL_DIR}/bin/openssl" gendsa -out dsa2048.pem dsaparam2048.pem

$ echo -n "Sign me!" > data.txt
$ "${OPENSSL_DIR}/bin/openssl" dgst -sha256 -sign dsa2048.pem data.txt > signature.txt
$ cat signature.txt | base64 > signature_encoded.txt
```

Skip the `test_DSAPrivateKey_encrypted` on FIPS because AES-128-CBC, the
password based encryption used in the PEM format uses MD5 for deriving the
encryption key from the password, and MD5 is not FIPS-approved.
See also the comment on the `test/openssl/utils.rb#omit_on_fips`.

https://github.com/ruby/openssl/commit/4bdcb419a9
[ruby/openssl] Prefer String#unpack1 2023-09-06T10:24:53+00:00 Mau Magnaguagno maumagnaguagno@gmail.com 2023-08-31T06:38:45+00:00 60a6de81a823cdb932d21fa5869c93853d3f2795 (https://github.com/ruby/openssl/pull/586) String#unpack1 avoids the intermediate array created by String#unpack for single elements, while also making a call to Array#first/[0] unnecessary. https://github.com/ruby/openssl/commit/8eb0715a42 
(https://github.com/ruby/openssl/pull/586)

String#unpack1 avoids the intermediate array created by String#unpack
for single elements, while also making a call to Array#first/[0]
unnecessary.

https://github.com/ruby/openssl/commit/8eb0715a42
[ruby/openssl] Use SHA256 instead of SHA1 where needed in tests. 2022-12-13T09:07:41+00:00 Jarek Prokop jprokop@redhat.com 2022-10-18T07:52:13+00:00 ce025a5cb4a7aea62629fcf8685e931671a0672d Systems such as RHEL 9 are moving away from SHA1 disabling it completely in default configuration. https://github.com/ruby/openssl/commit/32648da2f6 
Systems such as RHEL 9 are moving away from SHA1
disabling it completely in default configuration.

https://github.com/ruby/openssl/commit/32648da2f6
[ruby/openssl] pkey/dsa: let PKey::DSA.generate choose appropriate q size 2022-10-17T07:35:35+00:00 Kazuki Yamaguchi k@rhe.jp 2022-01-04T13:11:00+00:00 10f93a8bd787658996f08b13a0e564eaf3f41489 DSA parameters generation via EVP_PKEY_paramgen() will not automatically adjust the size of q value but uses 224 bits by default unless specified explicitly. This behavior is different from the now-deprecated DSA_generate_parameters_ex(), which PKey::DSA.generate used to call. Fixes https://github.com/ruby/openssl/issues/483 Fixes: https://github.com/ruby/openssl/commit/1800a8d5ebaf ("pkey/dsa: use high level EVP interface to generate parameters and keys", 2020-05-17) https://github.com/ruby/openssl/commit/0105975a0b 
DSA parameters generation via EVP_PKEY_paramgen() will not automatically
adjust the size of q value but uses 224 bits by default unless specified
explicitly. This behavior is different from the now-deprecated
DSA_generate_parameters_ex(), which PKey::DSA.generate used to call.

Fixes https://github.com/ruby/openssl/issues/483

Fixes: https://github.com/ruby/openssl/commit/1800a8d5ebaf ("pkey/dsa: use high level EVP interface to generate parameters and keys", 2020-05-17)

https://github.com/ruby/openssl/commit/0105975a0b
[ruby/openssl] pkey: deprecate PKey#set_* methods 2021-12-20T14:42:02+00:00 Kazuki Yamaguchi k@rhe.jp 2021-09-21T09:29:59+00:00 8ebf5978852e22358cbcdf74c0eb506f22e2c73f OpenSSL 3.0 made EVP_PKEY immutable. This means we can only have a const pointer of the low level struct and the following methods can no longer be provided when linked against OpenSSL 3.0: - OpenSSL::PKey::RSA#set_key - OpenSSL::PKey::RSA#set_factors - OpenSSL::PKey::RSA#set_crt_params - OpenSSL::PKey::DSA#set_pqg - OpenSSL::PKey::DSA#set_key - OpenSSL::PKey::DH#set_pqg - OpenSSL::PKey::DH#set_key - OpenSSL::PKey::EC#group= - OpenSSL::PKey::EC#private_key= - OpenSSL::PKey::EC#public_key= There is no direct replacement for this functionality at the moment. I plan to introduce a wrapper around EVP_PKEY_fromdata(), which takes all key components at once to construct an EVP_PKEY. https://github.com/ruby/openssl/commit/6848d2d969 
OpenSSL 3.0 made EVP_PKEY immutable. This means we can only have a const
pointer of the low level struct and the following methods can no longer
be provided when linked against OpenSSL 3.0:

 - OpenSSL::PKey::RSA#set_key
 - OpenSSL::PKey::RSA#set_factors
 - OpenSSL::PKey::RSA#set_crt_params
 - OpenSSL::PKey::DSA#set_pqg
 - OpenSSL::PKey::DSA#set_key
 - OpenSSL::PKey::DH#set_pqg
 - OpenSSL::PKey::DH#set_key
 - OpenSSL::PKey::EC#group=
 - OpenSSL::PKey::EC#private_key=
 - OpenSSL::PKey::EC#public_key=

There is no direct replacement for this functionality at the moment.
I plan to introduce a wrapper around EVP_PKEY_fromdata(), which takes
all key components at once to construct an EVP_PKEY.

https://github.com/ruby/openssl/commit/6848d2d969
[ruby/openssl] test/openssl/utils: remove dup_public helper method 2021-10-23T04:38:36+00:00 Kazuki Yamaguchi k@rhe.jp 2021-05-31T02:44:05+00:00 37632a0ac635082e4ca9ca5b1c8da6b6770ff0ed It uses deprecated PKey::{RSA,DSA,DH}#set_* methods, which will not work with OpenSSL 3.0. The same can easily be achieved using PKey#public_to_der regardless of the key kind. https://github.com/ruby/openssl/commit/7b66eaa2db 
It uses deprecated PKey::{RSA,DSA,DH}#set_* methods, which will not
work with OpenSSL 3.0. The same can easily be achieved using
PKey#public_to_der regardless of the key kind.

https://github.com/ruby/openssl/commit/7b66eaa2db
[ruby/openssl] pkey: implement PKey#sign_raw, #verify_raw, and #verify_recover 2021-07-18T08:44:58+00:00 Kazuki Yamaguchi k@rhe.jp 2020-05-22T07:10:35+00:00 4ebff35971d499f4ddd13f48bff0444f77d63421 Add a variant of PKey#sign and #verify that do not hash the data automatically. Sometimes the caller has the hashed data only, but not the plaintext to be signed. In that case, users would have to use the low-level API such as RSA#private_encrypt or #public_decrypt directly. OpenSSL 1.0.0 and later supports EVP_PKEY_sign() and EVP_PKEY_verify() which provide the same functionality as part of the EVP API. This patch adds wrappers for them. https://github.com/ruby/openssl/commit/16cca4e0c4 
Add a variant of PKey#sign and #verify that do not hash the data
automatically.

Sometimes the caller has the hashed data only, but not the plaintext
to be signed. In that case, users would have to use the low-level API
such as RSA#private_encrypt or #public_decrypt directly.

OpenSSL 1.0.0 and later supports EVP_PKEY_sign() and EVP_PKEY_verify()
which provide the same functionality as part of the EVP API. This patch
adds wrappers for them.

https://github.com/ruby/openssl/commit/16cca4e0c4
[ruby/openssl] pkey/dsa: use high level EVP interface to generate parameters and keys 2021-07-18T08:44:49+00:00 Kazuki Yamaguchi k@rhe.jp 2020-05-17T13:14:03+00:00 38436d1f5cb03520a2a4acca81f013de1c20daa5 Implement PKey::DSA.new(size) and PKey::DSA.generate using OpenSSL::PKey.generate_parameters and .generate_key instead of the low level DSA functions. https://github.com/ruby/openssl/commit/1800a8d5eb 
Implement PKey::DSA.new(size) and PKey::DSA.generate using
OpenSSL::PKey.generate_parameters and .generate_key instead of the low
level DSA functions.

https://github.com/ruby/openssl/commit/1800a8d5eb