diff options
| author | Jun Aruga <jaruga@redhat.com> | 2025-04-08 15:03:06 +0200 |
|---|---|---|
| committer | git <svn-admin@ruby-lang.org> | 2025-04-08 17:46:42 +0000 |
| commit | d5f94941d87743d6563fa1a038665917dea70201 (patch) | |
| tree | 7a1db4942ef8f622761844410daa777d76752a24 /test/ruby | |
| parent | 5aa05f179c028981950cb5f40112ce058c5a40cd (diff) | |
[ruby/openssl] Fix the tests using SHA-1 Probabilistic Signature Scheme (PSS) parameters.
Fedora OpenSSL 3.5 on rawhide stopped accepting SHA-1 PSS[1] parameters.
This is different from the SHA-1 signatures which Fedora OpenSSL stopped
accepting since Fedora 41.[2]
This commit fixes the following test failures related to the SHA-1 PSS
parameters with Fedora OpenSSL 3.5.
Note these failures are the downstream Fedora OpenSSL RPM specific. The tests
pass without this commit with the upstream OpenSSL 3.5.
```
$ rpm -q openssl-libs openssl-devel
openssl-libs-3.5.0-2.fc43.x86_64
openssl-devel-3.5.0-2.fc43.x86_64
$ bundle exec rake test
...
E
===============================================================================================
Error: test_sign_verify_options(OpenSSL::TestPKeyRSA): OpenSSL::PKey::PKeyError: EVP_PKEY_CTX_ctrl_str(ctx, "rsa_mgf1_md", "SHA1"): digest not allowed (digest=SHA1)
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'Hash#each'
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::PKey::PKey#sign'
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::TestPKeyRSA#test_sign_verify_options'
110: "rsa_pss_saltlen" => 20,
111: "rsa_mgf1_md" => "SHA1"
112: }
=> 113: sig_pss = key.sign("SHA256", data, pssopts)
114: assert_equal 256, sig_pss.bytesize
115: assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)
116: assert_equal true, key.verify_pss("SHA256", sig_pss, data,
===============================================================================================
E
===============================================================================================
Error: test_sign_verify_pss(OpenSSL::TestPKeyRSA): OpenSSL::PKey::RSAError: digest not allowed (digest=SHA1)
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::PKey::RSA#sign_pss'
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::TestPKeyRSA#test_sign_verify_pss'
188: data = "Sign me!"
189: invalid_data = "Sign me?"
190:
=> 191: signature = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA1")
192: assert_equal 256, signature.bytesize
193: assert_equal true,
194: key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA1")
===============================================================================================
...
577 tests, 4186 assertions, 0 failures, 2 errors, 0 pendings, 3 omissions, 0 notifications
```
[1] https://en.wikipedia.org/wiki/Probabilistic_signature_scheme
[2] https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
https://github.com/ruby/openssl/commit/e0e771b76f
Diffstat (limited to 'test/ruby')
0 files changed, 0 insertions, 0 deletions