ruby.git/test/openssl/test_x509cert.rb, branch v4.0.3 The Ruby Programming Language [ruby/openssl] x509cert: handle invalid validity periods in Certificate#inspect 2025-12-05T18:40:02+00:00 Kazuki Yamaguchi k@rhe.jp 2025-12-05T18:33:12+00:00 8c4f79d5f30fb2fe647c4f3fd262a5fdeacaeca2 In a newly allocated OpenSSL X509 object, the notBefore and notAfter fields contain an ASN1_STRING object with type V_ASN1_UNDEF rather than an ASN1_TIME. Commit https://github.com/ruby/openssl/commit/73484f67949a made asn1time_to_time() stricter and it now raises an exception if the argument is not an ASN1_TIME. Previously, it would print a verbose-mode warning and return nil. OpenSSL::X509::Certificate#inspect should work even when the certificate is invalid. Let's handle this. https://github.com/ruby/openssl/commit/18c283f2b6 
In a newly allocated OpenSSL X509 object, the notBefore and notAfter
fields contain an ASN1_STRING object with type V_ASN1_UNDEF rather than
an ASN1_TIME.

Commit https://github.com/ruby/openssl/commit/73484f67949a made asn1time_to_time() stricter and it now raises
an exception if the argument is not an ASN1_TIME. Previously, it would
print a verbose-mode warning and return nil.

OpenSSL::X509::Certificate#inspect should work even when the certificate
is invalid. Let's handle this.

https://github.com/ruby/openssl/commit/18c283f2b6
[ruby/openssl] asn1: refactor converting ASN1_OBJECT to string 2025-11-22T16:48:13+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-18T16:41:35+00:00 dd489ee9c48fc8c2b499b80f3ebcd053de33bb0a ruby/openssl exposes OIDs to Ruby as strings in many places, but the conversion logic has been duplicated and the behavior is inconsistent. There are mainly two patterns: - Returns the short name associated with the OID/NID, or the dotted decimal notation if it is unknown to OpenSSL. - Returns the long name, or the dotted decimal notation. These patterns are implemented using different OpenSSL APIs and that caused subtle differences. Add helper functions ossl_asn1obj_to_string() and ossl_asn1obj_to_string_long_name() to unify the logic. Also, document the current behaviors where it is not yet done. The inconsistency was likely unintentional, but since it dates back to the original implementations, standardizing it now would cause more issues than it resolves. https://github.com/ruby/openssl/commit/2ea36c21a4 
ruby/openssl exposes OIDs to Ruby as strings in many places, but the
conversion logic has been duplicated and the behavior is inconsistent.
There are mainly two patterns:

 - Returns the short name associated with the OID/NID, or the dotted
   decimal notation if it is unknown to OpenSSL.
 - Returns the long name, or the dotted decimal notation.

These patterns are implemented using different OpenSSL APIs and that
caused subtle differences. Add helper functions ossl_asn1obj_to_string()
and ossl_asn1obj_to_string_long_name() to unify the logic.

Also, document the current behaviors where it is not yet done. The
inconsistency was likely unintentional, but since it dates back to the
original implementations, standardizing it now would cause more issues
than it resolves.

https://github.com/ruby/openssl/commit/2ea36c21a4
[ruby/openssl] x509: update keys used in tests 2025-10-27T06:54:43+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-24T17:45:26+00:00 1c709970f4e29b58cc45703d3596555767fcea2f Replace fixed-sized RSA keys with the generic rsa-{1,2,3}.pem keys. Those test cases do not depend on specific keys or key sizes, and just need several different keys. Replace DSA keys with EC keys so that we can run more tests in the FIPS mode, which do not seem to support DSA anymore. Also, clean up duplicate test cases using very small keys or obsolete hash functions. rake test_fips no longer skips those test cases. https://github.com/ruby/openssl/commit/3f3105429a 
Replace fixed-sized RSA keys with the generic rsa-{1,2,3}.pem keys.
Those test cases do not depend on specific keys or key sizes, and just
need several different keys.

Replace DSA keys with EC keys so that we can run more tests in the FIPS
mode, which do not seem to support DSA anymore.

Also, clean up duplicate test cases using very small keys or obsolete
hash functions.

rake test_fips no longer skips those test cases.

https://github.com/ruby/openssl/commit/3f3105429a
[ruby/openssl] Require OpenSSL 1.1.1 or later 2025-01-21T18:14:14+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-20T17:08:54+00:00 43c48e3030c513c17bfcf4c37bbe533097fa1a22 Drop support for OpenSSL 1.1.0. OpenSSL 1.1.0 was a non-LTS release and it has reached upstream EOL in 2019-12 along with OpenSSL 1.0.2. Distributions that shipped with OpenSSL 1.1.0 include: - Debian 9 (EOL 2022-06) - Ubuntu 18.04 LTS (EOL 2023-04) https://github.com/ruby/openssl/commit/ba83abe920 
Drop support for OpenSSL 1.1.0. OpenSSL 1.1.0 was a non-LTS release and
it has reached upstream EOL in 2019-12 along with OpenSSL 1.0.2.
Distributions that shipped with OpenSSL 1.1.0 include:

 - Debian 9 (EOL 2022-06)
 - Ubuntu 18.04 LTS (EOL 2023-04)

https://github.com/ruby/openssl/commit/ba83abe920
[ruby/openssl] Require LibreSSL 3.9 or later 2025-01-14T12:38:16+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-07T16:55:56+00:00 0fb64bda9bf16c36de3c4ca5f9d3aa8da5d39ee2 Drop support for LibreSSL 3.1-3.8. LibreSSL 3.8 has reached its EOL in 2024-10. https://github.com/ruby/openssl/commit/f33d611f9f 
Drop support for LibreSSL 3.1-3.8. LibreSSL 3.8 has reached its EOL in
2024-10.

https://github.com/ruby/openssl/commit/f33d611f9f
[ruby/openssl] x509cert: simplify test cases for Certificate.load_file 2025-01-06T17:07:56+00:00 Kazuki Yamaguchi k@rhe.jp 2024-07-04T08:05:05+00:00 f0095413a520140d2ba54728d3e558d75dfda09d Remove files from test/openssl/fixtures/pkey/ which are not pkeys. The test cases for OpenSSL::X509::Certificate.load_file can simply use issue_cert and Tempfile. https://github.com/ruby/openssl/commit/11216b8bec 
Remove files from test/openssl/fixtures/pkey/ which are not pkeys.
The test cases for OpenSSL::X509::Certificate.load_file can simply use
issue_cert and Tempfile.

https://github.com/ruby/openssl/commit/11216b8bec
[ruby/openssl] Check for compatible openssl versions earlier 2024-11-22T17:26:02+00:00 Josh Cooper joshcooper@users.noreply.github.com 2024-11-04T16:41:19+00:00 ce4906efb3e304567f67a129ab65a86e081cd2ea test_pkey wasn't checking for libressl as is done elsewhere. Note the libressl version check is different when testing pkey, because PKey#sign relies on EVP_PKey_sign, whereas signing an X509 cert/request/crl relies on ASN1_item_sign. https://github.com/ruby/openssl/commit/f1db5c88a2 
test_pkey wasn't checking for libressl as is done elsewhere.

Note the libressl version check is different when testing pkey, because
PKey#sign relies on EVP_PKey_sign, whereas signing an X509 cert/request/crl
relies on ASN1_item_sign.

https://github.com/ruby/openssl/commit/f1db5c88a2
[ruby/openssl] x509: fix handling of multiple URIs in Certificate#crl_uris 2024-11-14T02:21:39+00:00 Kazuki Yamaguchi k@rhe.jp 2024-07-09T12:15:11+00:00 419fb2f3b94d8b7ccb462177667070e13ed9df8a The implementation of OpenSSL::X509::Certificate#crl_uris makes the assumption that each DistributionPoint in the CRL distribution points extension contains a single general name of type URI. This is not guaranteed by RFC 5280. A DistributionPoint may contain zero or more than one URIs. Let's include all URIs found in the extension. If only non-URI pointers are found, return nil. Fixes: https://github.com/ruby/openssl/issues/775 https://github.com/ruby/openssl/commit/71f4fef2fa 
The implementation of OpenSSL::X509::Certificate#crl_uris makes the
assumption that each DistributionPoint in the CRL distribution points
extension contains a single general name of type URI. This is not
guaranteed by RFC 5280. A DistributionPoint may contain zero or more
than one URIs.

Let's include all URIs found in the extension. If only non-URI pointers
are found, return nil.

Fixes: https://github.com/ruby/openssl/issues/775

https://github.com/ruby/openssl/commit/71f4fef2fa
[ruby/openssl] test_x509cert.rb: break up test_extension into smaller units 2024-11-14T02:21:39+00:00 Kazuki Yamaguchi k@rhe.jp 2024-07-09T12:09:11+00:00 97be56fc62e942d882ad12ea299240415cdf404f test_extesion is testing too many features at once and is hard to navigate. Let's split each chunk apart for more clarity. https://github.com/ruby/openssl/commit/461cfcb070 
test_extesion is testing too many features at once and is hard to
navigate. Let's split each chunk apart for more clarity.

https://github.com/ruby/openssl/commit/461cfcb070
[ruby/openssl] Pass through nil as digest when signing certificates 2024-06-11T17:12:28+00:00 gartens 41197811+gartens@users.noreply.github.com 2024-06-11T17:12:23+00:00 c735f4947ee0fd770f01a64e83faabefe005e9d4 (https://github.com/ruby/openssl/pull/761) In order to sign certificates with Ed25519 keys, NULL must be passed as md to X509_sign. This NULL is then passed (via ASN1_item_sign_ex) as type to EVP_DigestSignInit. The documentation[1] of EVP_DigestSignInit states that type must be NULL for various key types, including Ed25519. [1]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html https://github.com/ruby/openssl/commit/b0fc100091 
(https://github.com/ruby/openssl/pull/761)

In order to sign certificates with Ed25519 keys, NULL must be passed
as md to X509_sign.  This NULL is then passed
(via ASN1_item_sign_ex) as type to EVP_DigestSignInit.  The
documentation[1] of EVP_DigestSignInit states that type must be NULL
for various key types, including Ed25519.

[1]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html

https://github.com/ruby/openssl/commit/b0fc100091