ruby.git/test/openssl, branch v3_2_11 The Ruby Programming Language [ruby/openssl] Only CSR version 1 (encoded as 0) is allowed by PKIX standards 2024-11-19T10:31:46+00:00 Job Snijders job@sobornost.net 2024-03-25T12:20:13+00:00 870e5b2b4fc786f8513ff91a623ef67a0d16f940 RFC 2986, section 4.1 only defines version 1 for CSRs. This version is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version to anything but 1 fails. Do not attempt to generate a CSR with invalid version (which now fails) and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its subject rather than using an invalid version. This commit fixes the following error. ``` 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError: X509_REQ_set_version: passed invalid argument /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version=' /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr' /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in `test_version' 40: req = OpenSSL::X509::Request.new(req.to_der) 41: assert_equal(0, req.version) 42: => 43: req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256')) 44: assert_equal(1, req.version) 45: req = OpenSSL::X509::Request.new(req.to_der) 46: assert_equal(1, req.version) ``` https://github.com/ruby/openssl/commit/c06fdeb091 
RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.

Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.

This commit fixes the following error.

```
 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
     40:     req = OpenSSL::X509::Request.new(req.to_der)
     41:     assert_equal(0, req.version)
     42:
  => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
     44:     assert_equal(1, req.version)
     45:     req = OpenSSL::X509::Request.new(req.to_der)
     46:     assert_equal(1, req.version)
```

https://github.com/ruby/openssl/commit/c06fdeb091
[ruby/openssl] test_asn1.rb: Remove the assertions of the time string format without second. 2024-05-08T11:12:13+00:00 Jun Aruga jaruga@redhat.com 2024-03-12T13:39:05+00:00 8029ee41768cdc6b86cad90390f281185ab995e2 This commit fixes the following errors in the tests. Because the OpenSSL project changed the code to make the time string format without second invalid. So, we drop the assertions. ``` 1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode' /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test' /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime' 430: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39)) 431: # LibreSSL 3.6.0 requires the seconds element 432: return if libressl? => 433: decode_test B(%w{ 18 0D }) + "201612081934Z".b, 434: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0)) 435: # not implemented 436: # decode_test B(%w{ 18 13 }) + "https://github.com/ruby/openssl/commit/201612081934+0930".b, 2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode' /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test' /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime' 408: end 409: # Seconds is omitted. LibreSSL 3.6.0 requires it 410: return if libressl? => 411: decode_test B(%w{ 17 0B }) + "1609082343Z".b, 412: OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0)) 413: # not implemented 414: # decode_test B(%w{ 17 11 }) + "https://github.com/ruby/openssl/commit/500908234339+0930".b, ``` https://github.com/ruby/openssl/commit/2e826d5715 
This commit fixes the following errors in the tests.
Because the OpenSSL project changed the code to make the time string format
without second invalid. So, we drop the assertions.

```
1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
     430:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
     431:     # LibreSSL 3.6.0 requires the seconds element
     432:     return if libressl?
  => 433:     decode_test B(%w{ 18 0D }) + "201612081934Z".b,
     434:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
     435:     # not implemented
     436:     # decode_test B(%w{ 18 13 }) + "https://github.com/ruby/openssl/commit/201612081934+0930".b,

2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
     408:     end
     409:     # Seconds is omitted. LibreSSL 3.6.0 requires it
     410:     return if libressl?
  => 411:     decode_test B(%w{ 17 0B }) + "1609082343Z".b,
     412:       OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
     413:     # not implemented
     414:     # decode_test B(%w{ 17 11 }) + "https://github.com/ruby/openssl/commit/500908234339+0930".b,
```

https://github.com/ruby/openssl/commit/2e826d5715
[ruby/openssl] Relax error message check for OpenSSL 3.1 2023-06-13T05:01:57+00:00 Nobuyoshi Nakada nobu@ruby-lang.org 2023-03-15T11:34:21+00:00 f89101fa3610a7b977801d60b85bcc1ea2f6dee4 A tentative measures fo https://github.com/ruby/openssl/issues/606. With OpenSSL 3.1.0, the error message at connection using "self-signed certificate" seems to return `SSL_R_TLSV1_ALERT_UNKNOWN_CA` instead of `SSL_R_CERTIFICATE_VERIFY_FAILED`. https://github.com/ruby/openssl/commit/fc4629d246 
A tentative measures fo https://github.com/ruby/openssl/issues/606.

With OpenSSL 3.1.0, the error message at connection using "self-signed
certificate" seems to return `SSL_R_TLSV1_ALERT_UNKNOWN_CA` instead of
`SSL_R_CERTIFICATE_VERIFY_FAILED`.

https://github.com/ruby/openssl/commit/fc4629d246
[ruby/openssl] test/openssl/test_pkey.rb: allow failures in test_s_generate_parameters 2022-12-23T00:39:15+00:00 Kazuki Yamaguchi k@rhe.jp 2022-12-22T21:04:20+00:00 75e7b85e3ec0b9724cce585d31c2c3c5aaa6a9a0 The root cause has been fixed by OpenSSL 3.0.6, but Ubuntu 22.04's OpenSSL package has not backported the patch yet. Reference: https://github.com/ruby/openssl/issues/492 https://github.com/ruby/openssl/commit/f2e2a5e5ed 
The root cause has been fixed by OpenSSL 3.0.6, but Ubuntu 22.04's
OpenSSL package has not backported the patch yet.

Reference: https://github.com/ruby/openssl/issues/492

https://github.com/ruby/openssl/commit/f2e2a5e5ed
[ruby/openssl] pkey/ec: check private key validity with OpenSSL 3 2022-12-23T00:39:15+00:00 Joe Truba joe@bannable.net 2022-11-20T00:54:32+00:00 0e11d2c3f8a74d2310efa67179b50c12acb3fa42 The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1 and 3.0 so that it no longer validates the private key. Instead, private keys can be validated through EVP_PKEY_private_check and EVP_PKEY_pairwise_check. [ky: simplified condition to use either EVP_PKEY_check() or EVP_PKEY_public_check().] https://github.com/ruby/openssl/commit/e38a63ab3d 
The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1
and 3.0 so that it no longer validates the private key. Instead, private
keys can be validated through EVP_PKEY_private_check and
EVP_PKEY_pairwise_check.

[ky: simplified condition to use either EVP_PKEY_check() or
EVP_PKEY_public_check().]

https://github.com/ruby/openssl/commit/e38a63ab3d
[ruby/openssl] test/openssl/test_ssl.rb: do not run SSL tests if not available 2022-12-23T00:39:15+00:00 Kazuki Yamaguchi k@rhe.jp 2022-12-22T19:06:12+00:00 a4b4997c69437e9d2ba09629d72284a4fb9defc5 https://github.com/ruby/openssl/commit/a3d230d4e0 
https://github.com/ruby/openssl/commit/a3d230d4e0
[ruby/openssl] ssl: disable NPN support on LibreSSL 2022-12-23T00:39:15+00:00 Kazuki Yamaguchi k@rhe.jp 2022-10-17T08:33:37+00:00 dd6f3276e07f8f731a3bbcbdd58525ee6dd6581e As noted in commit https://github.com/ruby/openssl/commit/a2ed156cc9f1 ("test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly on LibreSSL. Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is defined or not. NPN is less relevant today anyway. Let's also silence test suite when it's not available. https://github.com/ruby/openssl/commit/289f6e0e1f 
As noted in commit https://github.com/ruby/openssl/commit/a2ed156cc9f1 ("test/test_ssl: do not run NPN tests
for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly
on LibreSSL.

Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is
defined or not.

NPN is less relevant today anyway. Let's also silence test suite when
it's not available.

https://github.com/ruby/openssl/commit/289f6e0e1f
[ruby/openssl] test/openssl/test_asn1.rb: remove pend for unsupported LibreSSL versions 2022-12-23T00:39:15+00:00 Kazuki Yamaguchi k@rhe.jp 2022-10-17T07:50:10+00:00 7c073cc11221eb85ac0c55ec38ff4c9da22ca26c Commit https://github.com/ruby/openssl/commit/af895bc5596b ("asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid", 2016-12-15) added this test case. The OBJ_obj2txt() issue was fixed by LibreSSL 2.5.1 (released in 2017) and is no longer relevant today. https://github.com/ruby/openssl/commit/6a188f1a29 
Commit https://github.com/ruby/openssl/commit/af895bc5596b ("asn1: avoid truncating OID in
OpenSSL::ASN1::ObjectId#oid", 2016-12-15) added this test case.

The OBJ_obj2txt() issue was fixed by LibreSSL 2.5.1 (released in 2017)
and is no longer relevant today.

https://github.com/ruby/openssl/commit/6a188f1a29
[ruby/openssl] test/openssl/test_asn1.rb: skip failing tests on LibreSSL 3.6.0 2022-12-23T00:39:15+00:00 Kazuki Yamaguchi k@rhe.jp 2022-10-17T07:50:01+00:00 5591e4935da7b606f9d3047894eeea5d7e4a8864 LibreSSL 3.6.0 expects the seconds part in UTCTime and GeneralizedTime to be always present. LibreSSL 3.6.0 release note [1] says: > - The ASN.1 time parser has been refactored and rewritten using CBS. > It has been made stricter in that it now enforces the rules from > RFC 5280. [1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt https://github.com/ruby/openssl/commit/bbc540fe83 
LibreSSL 3.6.0 expects the seconds part in UTCTime and GeneralizedTime
to be always present. LibreSSL 3.6.0 release note [1] says:

> - The ASN.1 time parser has been refactored and rewritten using CBS.
>   It has been made stricter in that it now enforces the rules from
>   RFC 5280.

[1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt

https://github.com/ruby/openssl/commit/bbc540fe83
[ruby/openssl] Allow empty string to OpenSSL::Cipher#update 2022-12-13T09:07:41+00:00 Yusuke Nakamura yusuke1994525@gmail.com 2022-11-23T12:05:49+00:00 d4dce27d894f4889f29d779c94ba2d30c231f9f8 For some reasons, plaintext may be empty string. ref https://www.rfc-editor.org/rfc/rfc9001.html#section-5.8 https://github.com/ruby/openssl/commit/953592a29e 
For some reasons, plaintext may be empty string.

ref https://www.rfc-editor.org/rfc/rfc9001.html#section-5.8

https://github.com/ruby/openssl/commit/953592a29e