ruby.git/test/openssl, branch v4.0.4 The Ruby Programming Language [ruby/openssl] pkcs7: raise OpenSSL::PKCS7::PKCS7Error in #initialize 2025-12-14T10:46:27+00:00 Kazuki Yamaguchi k@rhe.jp 2025-12-14T10:33:16+00:00 674c3d73e0f92d730bd2e544be344585a638ab37 When d2i_PKCS7_bio() and PEM_read_bio_PKCS7() fail to decode the input, OpenSSL::PKCS7.new currently raises ArgumentError. The usual practice in ruby/openssl where an error originates from the underlying OpenSSL library is to raise OpenSSL::OpenSSLError. Raise OpenSSL::PKCS7::PKCS7Error instead for consistency with OpenSSL::PKCS7.read_smime and all other existing #initialize methods that handle DER/PEM-encoded inputs. https://github.com/ruby/openssl/commit/67a608ce53 
When d2i_PKCS7_bio() and PEM_read_bio_PKCS7() fail to decode the input,
OpenSSL::PKCS7.new currently raises ArgumentError. The usual practice
in ruby/openssl where an error originates from the underlying OpenSSL
library is to raise OpenSSL::OpenSSLError.

Raise OpenSSL::PKCS7::PKCS7Error instead for consistency with
OpenSSL::PKCS7.read_smime and all other existing #initialize methods
that handle DER/PEM-encoded inputs.

https://github.com/ruby/openssl/commit/67a608ce53
[ruby/openssl] ossl.c: implement OpenSSL::OpenSSLError#detailed_message 2025-12-13T16:57:53+00:00 Kazuki Yamaguchi k@rhe.jp 2025-12-04T14:15:57+00:00 e8d32dddc04b34e2454b1c37b271bc242dddb06e An OpenSSL function sometimes puts more than one error entry into the thread-local OpenSSL error queue. Currently, we use the highest-level entry for generating the exception message and discard the rest. Let ossl_make_error() capture all current OpenSSL error queue contents into OpenSSL::OpenSSLError#errors and extend OpenSSL::OpenSSLError#detailed_message to include the information. An example: $ ruby -Ilib -ropenssl -e'OpenSSL::X509::ExtensionFactory.new.create_ext("a", "b")' -e:1:in 'OpenSSL::X509::ExtensionFactory#create_ext': a = b: error in extension (name=a, value=b) (OpenSSL::X509::ExtensionError) OpenSSL error queue reported 2 errors: error:11000082:X509 V3 routines:do_ext_nconf:unknown extension name error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension (name=a, value=b) from -e:1:in '<main>' https://github.com/ruby/openssl/commit/d28f7a9a13 
An OpenSSL function sometimes puts more than one error entry into the
thread-local OpenSSL error queue. Currently, we use the highest-level
entry for generating the exception message and discard the rest.

Let ossl_make_error() capture all current OpenSSL error queue contents
into OpenSSL::OpenSSLError#errors and extend
OpenSSL::OpenSSLError#detailed_message to include the information.

An example:

    $ ruby -Ilib -ropenssl -e'OpenSSL::X509::ExtensionFactory.new.create_ext("a", "b")'
    -e:1:in 'OpenSSL::X509::ExtensionFactory#create_ext': a = b: error in extension (name=a, value=b) (OpenSSL::X509::ExtensionError)
    OpenSSL error queue reported 2 errors:
    error:11000082:X509 V3 routines:do_ext_nconf:unknown extension name
    error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension (name=a, value=b)
            from -e:1:in '<main>'

https://github.com/ruby/openssl/commit/d28f7a9a13
[ruby/openssl] x509cert: handle invalid validity periods in Certificate#inspect 2025-12-05T18:40:02+00:00 Kazuki Yamaguchi k@rhe.jp 2025-12-05T18:33:12+00:00 8c4f79d5f30fb2fe647c4f3fd262a5fdeacaeca2 In a newly allocated OpenSSL X509 object, the notBefore and notAfter fields contain an ASN1_STRING object with type V_ASN1_UNDEF rather than an ASN1_TIME. Commit https://github.com/ruby/openssl/commit/73484f67949a made asn1time_to_time() stricter and it now raises an exception if the argument is not an ASN1_TIME. Previously, it would print a verbose-mode warning and return nil. OpenSSL::X509::Certificate#inspect should work even when the certificate is invalid. Let's handle this. https://github.com/ruby/openssl/commit/18c283f2b6 
In a newly allocated OpenSSL X509 object, the notBefore and notAfter
fields contain an ASN1_STRING object with type V_ASN1_UNDEF rather than
an ASN1_TIME.

Commit https://github.com/ruby/openssl/commit/73484f67949a made asn1time_to_time() stricter and it now raises
an exception if the argument is not an ASN1_TIME. Previously, it would
print a verbose-mode warning and return nil.

OpenSSL::X509::Certificate#inspect should work even when the certificate
is invalid. Let's handle this.

https://github.com/ruby/openssl/commit/18c283f2b6
[ruby/openssl] asn1: use ASN1_TIME_to_tm() to decode UTCTime and GeneralizedTime 2025-12-05T12:24:54+00:00 Kazuki Yamaguchi k@rhe.jp 2025-02-27T18:10:35+00:00 f179885d3c454c6a98c23b2a977480657bb0f676 The current logic relies on sscanf() and error checks are almost entirely missing. It also assumes that ASN1_STRING contents are NUL terminated, which is undocumented and not guaranteed for all valid ASN1_TIME objects. Switch to using ASN1_TIME_to_tm() added in OpenSSL 1.1.1. It is also supported by LibreSSL and AWS-LC. In the long term, we may want to replace ASN1_TIME_to_tm() with a hand-rolled decoder, since the function is intended for a specific use-case. It is too permissive for strict DER, yet still does not support all valid DER inputs and silently drops information such as fractional seconds. However, it handles everything that the current sscanf() code could handle. https://github.com/ruby/openssl/commit/73484f6794 
The current logic relies on sscanf() and error checks are almost
entirely missing. It also assumes that ASN1_STRING contents are NUL
terminated, which is undocumented and not guaranteed for all valid
ASN1_TIME objects.

Switch to using ASN1_TIME_to_tm() added in OpenSSL 1.1.1. It is also
supported by LibreSSL and AWS-LC.

In the long term, we may want to replace ASN1_TIME_to_tm() with a
hand-rolled decoder, since the function is intended for a specific
use-case. It is too permissive for strict DER, yet still does not
support all valid DER inputs and silently drops information such as
fractional seconds. However, it handles everything that the current
sscanf() code could handle.

https://github.com/ruby/openssl/commit/73484f6794
[ruby/openssl] asn1: refactor converting ASN1_OBJECT to string 2025-11-22T16:48:13+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-18T16:41:35+00:00 dd489ee9c48fc8c2b499b80f3ebcd053de33bb0a ruby/openssl exposes OIDs to Ruby as strings in many places, but the conversion logic has been duplicated and the behavior is inconsistent. There are mainly two patterns: - Returns the short name associated with the OID/NID, or the dotted decimal notation if it is unknown to OpenSSL. - Returns the long name, or the dotted decimal notation. These patterns are implemented using different OpenSSL APIs and that caused subtle differences. Add helper functions ossl_asn1obj_to_string() and ossl_asn1obj_to_string_long_name() to unify the logic. Also, document the current behaviors where it is not yet done. The inconsistency was likely unintentional, but since it dates back to the original implementations, standardizing it now would cause more issues than it resolves. https://github.com/ruby/openssl/commit/2ea36c21a4 
ruby/openssl exposes OIDs to Ruby as strings in many places, but the
conversion logic has been duplicated and the behavior is inconsistent.
There are mainly two patterns:

 - Returns the short name associated with the OID/NID, or the dotted
   decimal notation if it is unknown to OpenSSL.
 - Returns the long name, or the dotted decimal notation.

These patterns are implemented using different OpenSSL APIs and that
caused subtle differences. Add helper functions ossl_asn1obj_to_string()
and ossl_asn1obj_to_string_long_name() to unify the logic.

Also, document the current behaviors where it is not yet done. The
inconsistency was likely unintentional, but since it dates back to the
original implementations, standardizing it now would cause more issues
than it resolves.

https://github.com/ruby/openssl/commit/2ea36c21a4
[ruby/openssl] pkey/ec: fix OpenSSL::PKey::EC::Group#curve_name for unknown curves 2025-11-22T14:25:15+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-22T13:11:31+00:00 f9efa0cc0468692739770e754c12edf46cdf7c8e EC_GROUP_get_curve_name() returns NID_undef when OpenSSL does not recognize the curve and there is no associated OID. Handle this case explicitly and return nil instead of the string "UNDEF", which should not be exposed outside the extension. https://github.com/ruby/openssl/commit/2c16821c07 
EC_GROUP_get_curve_name() returns NID_undef when OpenSSL does not
recognize the curve and there is no associated OID.

Handle this case explicitly and return nil instead of the string
"UNDEF", which should not be exposed outside the extension.

https://github.com/ruby/openssl/commit/2c16821c07
[ruby/openssl] ssl: fix test_pqc_sigalg on RHEL 9.7 2025-11-18T12:49:38+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-18T12:18:26+00:00 522b7d823fb00821eea8d0cf13f33a73e91c0ab7 RHEL 9.7 ships OpenSSL 3.5.1 with ML-DSA support, but it is disabled for TLS by default, according to the system configuration file: /etc/crypto-policies/back-ends/opensslcnf.config Specify SSLContext#sigalgs to override the default list. https://github.com/ruby/openssl/commit/fac3a26748 
RHEL 9.7 ships OpenSSL 3.5.1 with ML-DSA support, but it is disabled
for TLS by default, according to the system configuration file:
/etc/crypto-policies/back-ends/opensslcnf.config

Specify SSLContext#sigalgs to override the default list.

https://github.com/ruby/openssl/commit/fac3a26748
[ruby/openssl] Replace Ruby 3.5 with Ruby 4.0 2025-11-11T13:08:02+00:00 Yasuo Honda yasuo.honda@gmail.com 2025-11-11T12:49:36+00:00 ca2fffd3a7c6cf138fd60e73320cfc8a87c5ff35 This commit updates the Ruby version in the error message to follow the commit in Ruby master branch. https://github.com/ruby/ruby/commit/6d81969b475262aba251e99b518181bdf7c5a523 https://github.com/ruby/openssl/commit/5a50a4d793 
This commit updates the Ruby version in the error message to follow the commit in Ruby master branch.
https://github.com/ruby/ruby/commit/6d81969b475262aba251e99b518181bdf7c5a523

https://github.com/ruby/openssl/commit/5a50a4d793
[ruby/openssl] pkey: unify error classes into PKeyError 2025-11-06T13:33:15+00:00 Kazuki Yamaguchi k@rhe.jp 2024-12-02T14:23:20+00:00 16b1aa4e4ab1b81914c58eae8b2f31c963b4bd4c Remove the following subclasses of OpenSSL::PKey::PKeyError and make them aliases of it. - OpenSSL::PKey::DHError - OpenSSL::PKey::DSAError - OpenSSL::PKey::ECError - OpenSSL::PKey::RSAError Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise their respective exception classes. However, this distinction is not particularly useful since all those exception classes represent the same kind of errors from the underlying EVP_PKEY API. I think this convention comes from the fact that OpenSSL::PKey::{DH, DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA, and RSA, before they were unified to wrap EVP_PKEY, way back in 2002. OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error are out of scope of this change, as they are not subclasses of OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY API. https://github.com/ruby/openssl/commit/e74ff3e272 
Remove the following subclasses of OpenSSL::PKey::PKeyError and make
them aliases of it.

 - OpenSSL::PKey::DHError
 - OpenSSL::PKey::DSAError
 - OpenSSL::PKey::ECError
 - OpenSSL::PKey::RSAError

Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey
raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise
their respective exception classes. However, this distinction is not
particularly useful since all those exception classes represent the
same kind of errors from the underlying EVP_PKEY API.

I think this convention comes from the fact that OpenSSL::PKey::{DH,
DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA,
and RSA, before they were unified to wrap EVP_PKEY, way back in 2002.

OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error
are out of scope of this change, as they are not subclasses of
OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY
API.

https://github.com/ruby/openssl/commit/e74ff3e272
[ruby/openssl] cipher: use EVP_CIPHER_fetch() if available 2025-11-06T13:25:09+00:00 Kazuki Yamaguchi k@rhe.jp 2025-08-09T09:36:49+00:00 57aaf86bdbdaacb66ebbd29d1e2551d87167cbfe Likewise, use EVP_MD_fetch() if it is available. This adds support for AES-GCM-SIV with OpenSSL 3.2 or later. https://github.com/ruby/openssl/commit/0e565a215e 
Likewise, use EVP_MD_fetch() if it is available.

This adds support for AES-GCM-SIV with OpenSSL 3.2 or later.

https://github.com/ruby/openssl/commit/0e565a215e