ruby.git/test/openssl, branch v3_3_11 The Ruby Programming Language Update openssl gem to 3.2.2 2025-10-11T07:53:43+00:00 Bo Anderson mail@boanderson.me 2025-10-09T03:24:27+00:00 ce7aa23f97273fa181be26aec33d3c6998e203c5 






[ruby/openssl] Only CSR version 1 (encoded as 0) is allowed by PKIX standards
2024-11-20T01:18:27+00:00

Job Snijders
job@sobornost.net

2024-03-25T12:20:13+00:00

c78721f718d1004182b36a6610d32b1a158808be

RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.

Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.

This commit fixes the following error.

```
 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
     40:     req = OpenSSL::X509::Request.new(req.to_der)
     41:     assert_equal(0, req.version)
     42:
  => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
     44:     assert_equal(1, req.version)
     45:     req = OpenSSL::X509::Request.new(req.to_der)
     46:     assert_equal(1, req.version)
```

https://github.com/ruby/openssl/commit/c06fdeb091





RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.

Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.

This commit fixes the following error.

```
 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
     40:     req = OpenSSL::X509::Request.new(req.to_der)
     41:     assert_equal(0, req.version)
     42:
  => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
     44:     assert_equal(1, req.version)
     45:     req = OpenSSL::X509::Request.new(req.to_der)
     46:     assert_equal(1, req.version)
```

https://github.com/ruby/openssl/commit/c06fdeb091







Skip tests that suddenly started failing for MinGW
2024-11-05T00:00:11+00:00

Takashi Kokubun
takashikkbn@gmail.com

2024-11-05T00:00:11+00:00

f72eb702f29574b85889d3ea6447efa29c8a8789

These test failures first appeared on irrelevant changes. It probably
came from changes in GitHub Actions instead of CRuby's.

Until we figure out how to fix these tests, let's skip them to make the
CI usable.





These test failures first appeared on irrelevant changes. It probably
came from changes in GitHub Actions instead of CRuby's.

Until we figure out how to fix these tests, let's skip them to make the
CI usable.







Skip broken SSL provider tests for freebsd
2024-05-29T16:59:52+00:00

Takashi Kokubun
takashikkbn@gmail.com

2024-05-29T16:59:52+00:00

6aaf673e4d3fa1f8a90e6006aadefddcb87fe1de












[ruby/openssl] test_asn1.rb: Remove the assertions of the time string format without second.
2024-04-30T05:02:50+00:00

Jun Aruga
jaruga@redhat.com

2024-03-12T13:39:05+00:00

1c991f3bf40c2e506a819732dd0c4afe5d3c5f46

This commit fixes the following errors in the tests.
Because the OpenSSL project changed the code to make the time string format
without second invalid. So, we drop the assertions.

```
1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
     430:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
     431:     # LibreSSL 3.6.0 requires the seconds element
     432:     return if libressl?
  => 433:     decode_test B(%w{ 18 0D }) + "201612081934Z".b,
     434:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
     435:     # not implemented
     436:     # decode_test B(%w{ 18 13 }) + "https://github.com/ruby/openssl/commit/201612081934+0930".b,

2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
     408:     end
     409:     # Seconds is omitted. LibreSSL 3.6.0 requires it
     410:     return if libressl?
  => 411:     decode_test B(%w{ 17 0B }) + "1609082343Z".b,
     412:       OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
     413:     # not implemented
     414:     # decode_test B(%w{ 17 11 }) + "https://github.com/ruby/openssl/commit/500908234339+0930".b,
```

https://github.com/ruby/openssl/commit/2e826d5715





This commit fixes the following errors in the tests.
Because the OpenSSL project changed the code to make the time string format
without second invalid. So, we drop the assertions.

```
1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
     430:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
     431:     # LibreSSL 3.6.0 requires the seconds element
     432:     return if libressl?
  => 433:     decode_test B(%w{ 18 0D }) + "201612081934Z".b,
     434:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
     435:     # not implemented
     436:     # decode_test B(%w{ 18 13 }) + "https://github.com/ruby/openssl/commit/201612081934+0930".b,

2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
     408:     end
     409:     # Seconds is omitted. LibreSSL 3.6.0 requires it
     410:     return if libressl?
  => 411:     decode_test B(%w{ 17 0B }) + "1609082343Z".b,
     412:       OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
     413:     # not implemented
     414:     # decode_test B(%w{ 17 11 }) + "https://github.com/ruby/openssl/commit/500908234339+0930".b,
```

https://github.com/ruby/openssl/commit/2e826d5715







Fix test_pkey_dh.rb in FIPS.
2023-11-25T10:12:28+00:00

Jun Aruga
jaruga@redhat.com

2023-11-07T13:36:17+00:00

543dd74049f18db2f8dd9ac05b25f8dbff2edc14

We use dh2048_ffdhe2048.pem file (DH 2048 bits) instead of dh1024.pem file in
both non-FIPS and FIPS cases. Because the following command fails to generate
the pem file with 1024 bits. And the OpenSSL FIPS 140-2 security policy
document explains the DH public keys are allowed from 2048 bits.[1]

```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
  /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
  dhparam -out dh1024.pem 1024
Generating DH parameters, 1024 bit long safe prime
dhparam: Generating DH key parameters failed
```

The dh2048_ffdhe2048.pem file was created by the following command with the
OpenSSL FIPS configuration file. The logic to generate the DH pem file is
different between non-FIPS and FIPS cases. In FIPS, it seems that the command
always returns the text defined as ffdhe2048 in the FFDHE groups in RFC 7919
unlike non-FIPS.[2]

As the generated pem file is a normal and valid PKCS#3-style group parameter, we
use the file for the non-FIPS case too.

```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
  /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
  dhparam -out dh2048_ffdhe2048.pem 2048
```

Note that the hard-coded PEM-encoded string in the `test_DHparams` is
intentional to avoid modifying the content unintentionally.

* [1] https://www.openssl.org/source/ - OpenSSL 3.0.8 FIPS 140-2 security
  policy document page 25, Table 10 – Public Keys - DH Public
  - DH (2048/3072/4096/6144/8192) public key agreement key
* [2] RFC7919 - Appendix A.1: ffdhe2048
  https://www.rfc-editor.org/rfc/rfc7919#appendix-A.1





We use dh2048_ffdhe2048.pem file (DH 2048 bits) instead of dh1024.pem file in
both non-FIPS and FIPS cases. Because the following command fails to generate
the pem file with 1024 bits. And the OpenSSL FIPS 140-2 security policy
document explains the DH public keys are allowed from 2048 bits.[1]

```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
  /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
  dhparam -out dh1024.pem 1024
Generating DH parameters, 1024 bit long safe prime
dhparam: Generating DH key parameters failed
```

The dh2048_ffdhe2048.pem file was created by the following command with the
OpenSSL FIPS configuration file. The logic to generate the DH pem file is
different between non-FIPS and FIPS cases. In FIPS, it seems that the command
always returns the text defined as ffdhe2048 in the FFDHE groups in RFC 7919
unlike non-FIPS.[2]

As the generated pem file is a normal and valid PKCS#3-style group parameter, we
use the file for the non-FIPS case too.

```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
  /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
  dhparam -out dh2048_ffdhe2048.pem 2048
```

Note that the hard-coded PEM-encoded string in the `test_DHparams` is
intentional to avoid modifying the content unintentionally.

* [1] https://www.openssl.org/source/ - OpenSSL 3.0.8 FIPS 140-2 security
  policy document page 25, Table 10 – Public Keys - DH Public
  - DH (2048/3072/4096/6144/8192) public key agreement key
* [2] RFC7919 - Appendix A.1: ffdhe2048
  https://www.rfc-editor.org/rfc/rfc7919#appendix-A.1







CI: Change the openssl_fips.cnf.tmpl and openssl_fips.cnf directories.
2023-11-08T00:25:34+00:00

Jun Aruga
jaruga@redhat.com

2023-10-26T15:27:19+00:00

d30ea5831e0aedada3362a2d268e7bc836b93f27












[ruby/openssl] Exact checks with `assert_include`
2023-10-06T09:45:20+00:00

Nobuyoshi Nakada
nobu@ruby-lang.org

2023-10-06T08:38:56+00:00

723318f5d7a6475f69fc0d095a4149547b6050a3

Where `assert_match` converts string matcher argument to regexp first
with escaping, `assert_include` does the same thing simpler.

https://github.com/ruby/openssl/commit/81007e0a49





Where `assert_match` converts string matcher argument to regexp first
with escaping, `assert_include` does the same thing simpler.

https://github.com/ruby/openssl/commit/81007e0a49







[ruby/openssl] Exact checks with `assert_include`
2023-10-06T07:37:52+00:00

Nobuyoshi Nakada
nobu@ruby-lang.org

2023-10-06T07:02:43+00:00

95ced6d8d2b6639f3e29fe3d2de6e326d0a62718

https://github.com/ruby/openssl/commit/9a6e24daaf





https://github.com/ruby/openssl/commit/9a6e24daaf







[ruby/openssl] Fix test_pkey_ec.rb on FIPS.
2023-09-21T18:04:56+00:00

Jun Aruga
jaruga@redhat.com

2023-09-19T17:19:27+00:00

7f407e0240ebd41d9fb1ea1bbd15442ed8744b34

https://github.com/ruby/openssl/commit/d07183f639





https://github.com/ruby/openssl/commit/d07183f639