author | Kazuki Yamaguchi <k@rhe.jp> | 2021-02-25 17:28:23 +0900 |
committer | Kazuki Yamaguchi <k@rhe.jp> | 2021-03-16 19:37:06 +0900 |
commit | a3f97007bbd1012a4b7662b8166118b81b52527a (patch) | |
tree | 4a823205701e927c4650c6ca6de5127de8e35a10 /test/openssl/test_x509store.rb | |
parent | 1eb6d8aa63d7ada403adb0db12382d264dea5521 (diff) |
[ruby/openssl] test: adjust test cases for LibreSSL 3.2.4
LibreSSL 3.2.4 made the certificate verification logic back closer to
pre-3.2.2 one, which is more compatible with OpenSSL.
Part of the fixes added by commit a0e98d48c91f ("Enhance TLS 1.3 support
on LibreSSL 3.2/3.3", 2020-12-03) is required for 3.2.2 and 3.2.3 only
(and ~3.3.1, however 3.3 does not have a stable release yet). Since both
releases are security fixes, it should be safe to remove that special
treatment from our test suite.
While we are at it, TestSSL#test_ecdh_curves is split into TLS 1.2 and
TLS 1.3 variants for clarity.
https://github.com/ruby/openssl/commit/a9954bac22
Notes
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
Diffstat (limited to 'test/openssl/test_x509store.rb')
-rw-r--r-- | test/openssl/test_x509store.rb | 37 |
1 files changed, 15 insertions, 22 deletions
diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb
index 897f0f8b82..d6c0e707a2 100644
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -32,17 +32,15 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
 assert_equal true, store.verify(cert1)
 assert_equal true, store.verify(cert2)
 
- unless libressl?(3, 2, 2)
- # X509::Store#add_path
- Dir.mktmpdir do |dir|
- hash1 = "%08x.%d" % [cert1_subj.hash, 0]
- File.write(File.join(dir, hash1), cert1.to_pem)
- store = OpenSSL::X509::Store.new
- store.add_path(dir)
-
- assert_equal true, store.verify(cert1)
- assert_equal false, store.verify(cert2)
- end
+ # X509::Store#add_path
+ Dir.mktmpdir do |dir|
+ hash1 = "%08x.%d" % [cert1_subj.hash, 0]
+ File.write(File.join(dir, hash1), cert1.to_pem)
+ store = OpenSSL::X509::Store.new
+ store.add_path(dir)
+
+ assert_equal true, store.verify(cert1)
+ assert_equal false, store.verify(cert2)
 end
 
 # OpenSSL < 1.1.1 leaks an error on a duplicate certificate
@@ -77,8 +75,8 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
 # Nothing trusted
 store = OpenSSL::X509::Store.new
 assert_equal(false, store.verify(ee1_cert, [ca2_cert, ca1_cert]))
- assert_include([OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY], store.error)
- assert_match(/self.signed|unable to get local issuer certificate/i, store.error_string)
+ assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, store.error)
+ assert_match(/self.signed/i, store.error_string)
 
 # CA1 trusted, CA2 missing
 store = OpenSSL::X509::Store.new
@@ -188,7 +186,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
 store.purpose = OpenSSL::X509::PURPOSE_CRL_SIGN
 store.add_cert(ca1_cert)
 assert_equal(true, store.verify(ca1_cert))
- assert_equal(libressl?(3, 2, 2), store.verify(ee1_cert))
+ assert_equal(false, store.verify(ee1_cert))
 end
 
 def test_verify_validity_period
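Review bot: With the `unless libressl?(3, 2, 2)` guard removed, the add_path block and the narrowed `assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, store.error)` in the second hunk will fail outright on LibreSSL 3.2.2/3.2.3 without saying why. If the suite is deliberately dropping those two releases, a skip at the top of each affected test such as `omit "LibreSSL 3.2.2 and 3.2.3 are not supported" if libressl?(3, 2, 2) && !libressl?(3, 2, 4)` (assuming `libressl?` is a minimum-version check, as its use here suggests) would make the intent explicit and the failure actionable. The re-added block also reassigns the outer `store` local inside the `Dir.mktmpdir` block, so anything after the hunk that reuses `store` now sees the path-backed store; that looks intended but deserves a short comment. On style, the first hunk calls `assert_equal` without parentheses while the other hunks in this file use them; one form throughout would keep the file consistent. The enclosing test methods start and end outside these hunks.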
@@ -284,7 +282,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
 store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
 store.add_cert(ca1_cert)
 assert_equal(false, store.verify(ca2_cert))
- assert_include([OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL, OpenSSL::X509::V_ERR_UNSPECIFIED], store.error)
+ assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL, store.error)
 
 # Intermediate CA revoked EE2
 store = OpenSSL::X509::Store.new
@@ -324,14 +322,9 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
 store.add_cert(ca2_cert)
 store.add_crl(ca1_crl1)
 store.add_crl(ca2_crl2) # issued by ca2 but expired
- if libressl?(3, 2, 2)
- assert_equal(false, store.verify(ca2_cert))
- assert_include([OpenSSL::X509::V_ERR_CRL_SIGNATURE_FAILURE, OpenSSL::X509::V_ERR_UNSPECIFIED], store.error)
- else
- assert_equal(true, store.verify(ca2_cert))
- end
+ assert_equal(true, store.verify(ca2_cert))
 assert_equal(false, store.verify(ee1_cert))
- assert_include([OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED, OpenSSL::X509::V_ERR_UNSPECIFIED], store.error)
+ assert_equal(OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED, store.error)
 assert_equal(false, store.verify(ee2_cert))
 end
 
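Review bot: The final assertion of the second hunk, `assert_equal(false, store.verify(ee2_cert))`, has no matching check on `store.error`, whereas the ee1_cert case directly above it now pins `V_ERR_CRL_HAS_EXPIRED`. Since the commit's premise is that LibreSSL 3.2.4 reports the same error codes as OpenSSL, the ee2_cert failure reason should be pinned as well; if ee2_cert chains to ca2 (whose CRL the inline comment says is expired) that would be `assert_equal(OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED, store.error)`, but the certificate hierarchy is built outside the hunk, so the expected code needs confirming there. Leaving the reason unchecked means a verification failure for an unrelated cause, such as a signature or chain-building problem, would still satisfy this test. The enclosing test method begins before the first hunk.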