ruby.git/test/openssl/test_pkey_ec.rb, branch v3_3_11 The Ruby Programming Language [ruby/openssl] Fix test_pkey_ec.rb on FIPS. 2023-09-21T18:04:56+00:00 Jun Aruga jaruga@redhat.com 2023-09-19T17:19:27+00:00 7f407e0240ebd41d9fb1ea1bbd15442ed8744b34 https://github.com/ruby/openssl/commit/d07183f639 
https://github.com/ruby/openssl/commit/d07183f639
[ruby/openssl] test/openssl/test_pkey_ec.rb: refactor tests for EC.builtin_curves 2023-09-06T10:31:11+00:00 Kazuki Yamaguchi k@rhe.jp 2023-08-29T15:02:37+00:00 3fd90c0158f8170ad11c8a99354bb3347c7cc121 Check that OpenSSL::PKey::EC.builtin_curves returns an array in the expected format. Similarly to OpenSSL::Cipher.ciphers, OpenSSL::PKey::EC.builtin_curves returns a list of known named curves rather than actually usable ones. https://github.com/ruby/openssl/issues/671 found that the list may include unapproved (and thus unusable) curves when the FIPS module is loaded. https://github.com/ruby/openssl/commit/c53cbabe00 
Check that OpenSSL::PKey::EC.builtin_curves returns an array in the
expected format.

Similarly to OpenSSL::Cipher.ciphers, OpenSSL::PKey::EC.builtin_curves
returns a list of known named curves rather than actually usable ones.

https://github.com/ruby/openssl/issues/671 found that the list may
include unapproved (and thus unusable) curves when the FIPS module is
loaded.

https://github.com/ruby/openssl/commit/c53cbabe00
[ruby/openssl] Prefer String#unpack1 2023-09-06T10:24:53+00:00 Mau Magnaguagno maumagnaguagno@gmail.com 2023-08-31T06:38:45+00:00 60a6de81a823cdb932d21fa5869c93853d3f2795 (https://github.com/ruby/openssl/pull/586) String#unpack1 avoids the intermediate array created by String#unpack for single elements, while also making a call to Array#first/[0] unnecessary. https://github.com/ruby/openssl/commit/8eb0715a42 
(https://github.com/ruby/openssl/pull/586)

String#unpack1 avoids the intermediate array created by String#unpack
for single elements, while also making a call to Array#first/[0]
unnecessary.

https://github.com/ruby/openssl/commit/8eb0715a42
[ruby/openssl] pkey/ec: check private key validity with OpenSSL 3 2022-12-23T00:39:15+00:00 Joe Truba joe@bannable.net 2022-11-20T00:54:32+00:00 0e11d2c3f8a74d2310efa67179b50c12acb3fa42 The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1 and 3.0 so that it no longer validates the private key. Instead, private keys can be validated through EVP_PKEY_private_check and EVP_PKEY_pairwise_check. [ky: simplified condition to use either EVP_PKEY_check() or EVP_PKEY_public_check().] https://github.com/ruby/openssl/commit/e38a63ab3d 
The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1
and 3.0 so that it no longer validates the private key. Instead, private
keys can be validated through EVP_PKEY_private_check and
EVP_PKEY_pairwise_check.

[ky: simplified condition to use either EVP_PKEY_check() or
EVP_PKEY_public_check().]

https://github.com/ruby/openssl/commit/e38a63ab3d
[ruby/openssl] Use SHA256 instead of SHA1 where needed in tests. 2022-12-13T09:07:41+00:00 Jarek Prokop jprokop@redhat.com 2022-10-18T07:52:13+00:00 ce025a5cb4a7aea62629fcf8685e931671a0672d Systems such as RHEL 9 are moving away from SHA1 disabling it completely in default configuration. https://github.com/ruby/openssl/commit/32648da2f6 
Systems such as RHEL 9 are moving away from SHA1
disabling it completely in default configuration.

https://github.com/ruby/openssl/commit/32648da2f6
[ruby/openssl] pkey/ec: check existence of public key component before exporting 2022-10-17T07:35:35+00:00 Kazuki Yamaguchi k@rhe.jp 2022-09-02T14:05:28+00:00 b69d41e1c433f9109b7c9237cde6ed8b4884cc06 i2d_PUBKEY_bio() against an EC_KEY without the public key component trggers a null dereference. This is a regression introduced by commit https://github.com/ruby/openssl/commit/56f0d34d63fb ("pkey: refactor #export/#to_pem and #to_der", 2017-06-14). Fixes https://github.com/ruby/openssl/pull/527#issuecomment-1220504524 Fixes https://github.com/ruby/openssl/issues/369#issuecomment-1221554057 https://github.com/ruby/openssl/commit/f6ee0fa4de 
i2d_PUBKEY_bio() against an EC_KEY without the public key component
trggers a null dereference.

This is a regression introduced by commit https://github.com/ruby/openssl/commit/56f0d34d63fb ("pkey:
refactor #export/#to_pem and #to_der", 2017-06-14).

Fixes https://github.com/ruby/openssl/pull/527#issuecomment-1220504524
Fixes https://github.com/ruby/openssl/issues/369#issuecomment-1221554057

https://github.com/ruby/openssl/commit/f6ee0fa4de
[ruby/openssl] pkey: restore support for decoding "openssl ecparam -genkey" output 2022-10-17T07:35:35+00:00 Kazuki Yamaguchi k@rhe.jp 2022-09-02T13:40:54+00:00 0677b2fb87fa4bdff64e650e5df0fd7bf684bd2e Scan through the input for a private key, then fallback to generic decoder. OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding formats. While this is useful for OpenSSL::PKey::PKey, an edge case has been discovered. The openssl CLI command line "openssl ecparam -genkey" prints two PEM blocks in a row, one for EC parameters and another for the private key. Feeding the whole output into OSSL_DECODER results in only the first PEM block, the key parameters, being decoded. Previously, ruby/openssl did not support decoding key parameters and it would decode the private key PEM block instead. While the new behavior is technically correct, "openssl ecparam -genkey" is so widely used that ruby/openssl does not want to break existing applications. Fixes https://github.com/ruby/openssl/pull/535 https://github.com/ruby/openssl/commit/d486c82833 
Scan through the input for a private key, then fallback to generic
decoder.

OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM
header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding
formats. While this is useful for OpenSSL::PKey::PKey, an edge case has
been discovered.

The openssl CLI command line "openssl ecparam -genkey" prints two PEM
blocks in a row, one for EC parameters and another for the private key.
Feeding the whole output into OSSL_DECODER results in only the first PEM
block, the key parameters, being decoded. Previously, ruby/openssl did
not support decoding key parameters and it would decode the private key
PEM block instead.

While the new behavior is technically correct, "openssl ecparam -genkey"
is so widely used that ruby/openssl does not want to break existing
applications.

Fixes https://github.com/ruby/openssl/pull/535

https://github.com/ruby/openssl/commit/d486c82833
[ruby/openssl] pkey: deprecate PKey#set_* methods 2021-12-20T14:42:02+00:00 Kazuki Yamaguchi k@rhe.jp 2021-09-21T09:29:59+00:00 8ebf5978852e22358cbcdf74c0eb506f22e2c73f OpenSSL 3.0 made EVP_PKEY immutable. This means we can only have a const pointer of the low level struct and the following methods can no longer be provided when linked against OpenSSL 3.0: - OpenSSL::PKey::RSA#set_key - OpenSSL::PKey::RSA#set_factors - OpenSSL::PKey::RSA#set_crt_params - OpenSSL::PKey::DSA#set_pqg - OpenSSL::PKey::DSA#set_key - OpenSSL::PKey::DH#set_pqg - OpenSSL::PKey::DH#set_key - OpenSSL::PKey::EC#group= - OpenSSL::PKey::EC#private_key= - OpenSSL::PKey::EC#public_key= There is no direct replacement for this functionality at the moment. I plan to introduce a wrapper around EVP_PKEY_fromdata(), which takes all key components at once to construct an EVP_PKEY. https://github.com/ruby/openssl/commit/6848d2d969 
OpenSSL 3.0 made EVP_PKEY immutable. This means we can only have a const
pointer of the low level struct and the following methods can no longer
be provided when linked against OpenSSL 3.0:

 - OpenSSL::PKey::RSA#set_key
 - OpenSSL::PKey::RSA#set_factors
 - OpenSSL::PKey::RSA#set_crt_params
 - OpenSSL::PKey::DSA#set_pqg
 - OpenSSL::PKey::DSA#set_key
 - OpenSSL::PKey::DH#set_pqg
 - OpenSSL::PKey::DH#set_key
 - OpenSSL::PKey::EC#group=
 - OpenSSL::PKey::EC#private_key=
 - OpenSSL::PKey::EC#public_key=

There is no direct replacement for this functionality at the moment.
I plan to introduce a wrapper around EVP_PKEY_fromdata(), which takes
all key components at once to construct an EVP_PKEY.

https://github.com/ruby/openssl/commit/6848d2d969
[ruby/openssl] pkey/ec: deprecate OpenSSL::PKey::EC#generate_key! 2021-12-20T14:42:02+00:00 Kazuki Yamaguchi k@rhe.jp 2021-12-16T17:21:42+00:00 b93ae54258684d0c3d1501400af949c013f44fba OpenSSL::PKey::EC#generate_key! will not work on OpenSSL 3.0 because keys are made immutable. Users should use OpenSSL::PKey.generate_key instead. https://github.com/ruby/openssl/commit/5e2e66cce8 
OpenSSL::PKey::EC#generate_key! will not work on OpenSSL 3.0 because
keys are made immutable. Users should use OpenSSL::PKey.generate_key
instead.

https://github.com/ruby/openssl/commit/5e2e66cce8
[ruby/openssl] test/openssl/test_ssl: assume ECC support 2021-10-23T04:38:37+00:00 Kazuki Yamaguchi k@rhe.jp 2021-09-27T06:34:28+00:00 5a8e1c520ac71c76f6424f9ef5aef64a79527f78 Disabling ECC support of OpenSSL is impractical nowadays. We still try to have the C extension compile on no-ec builds (as well as no-dh or no-engine, etc.) as long as we can, but keeping test cases for such an extreme scenario is not worth the effort. https://github.com/ruby/openssl/commit/2cd01d4676 
Disabling ECC support of OpenSSL is impractical nowadays.

We still try to have the C extension compile on no-ec builds (as well
as no-dh or no-engine, etc.) as long as we can, but keeping test cases
for such an extreme scenario is not worth the effort.

https://github.com/ruby/openssl/commit/2cd01d4676