author | shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2010-06-21 09:18:59 +0000 |
---|---|---|
committer | shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2010-06-21 09:18:59 +0000 |
commit | 1ae16961956c2459c0f29b676c5da9cb9cc875bf (patch) | |
tree | 37800b37cb336e24813ae4d74b26df81a361947b /test | |
parent | c9915e5b08bbb58618b2bbc2dcbc9dafd5c1ba84 (diff) |
merge revision(s) 26836:26859,26861,27921:
* ext/openssl/ossl_ssl_session.c
(ossl_ssl_session_{get,set}_time{,out}): fixed a bug introduced by
backporting. (see [ruby-dev:40573]) use long in according to
OpenSSL API. (SSL_SESSION_{get,set}_time{,out})
* ext/openssl/ossl_x509name.c: added X509::Name#hash_old as a wrapper
for X509_NAME_hash_old in OpenSSL 1.0.0.
* test/openssl/test_x509name.rb (test_hash): make test pass with
OpenSSL 1.0.0.
* test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5.
* PKey::PKey#verify raises an exception when a given PKey does not
match with signature.
* PKey::DSA#sign accepts SHA1, SHA256 other than DSS1.
* backport the commit from trunk:
Sun Feb 28 11:49:35 2010 NARUSE, Yui <naruse@ruby-lang.org>
* openssl/ossl.c (OSSL_IMPL_SK2ARY): for OpenSSL 1.0.
patched by Jeroen van Meeuwen at [ruby-core:25210]
fixed by Nobuyoshi Nakada [ruby-core:25238],
Hongli Lai [ruby-core:27417],
and Motohiro KOSAKI [ruby-core:28063]
* ext/openssl/ossl_ssl.c (ossl_ssl_method_tab),
(ossl_ssl_cipher_to_ary): constified.
* ext/openssl/ossl_pkcs7.c (pkcs7_get_certs, pkcs7_get_crls):
split pkcs7_get_certs_or_crls.
* test/openssl/test_ec.rb: added test_dsa_sign_asn1_FIPS186_3. dgst is
truncated with ec_key.group.order.size after openssl 0.9.8m for
FIPS 186-3 compliance.
WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using
openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises
OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns
false when you pass dgst longer than expected (no truncation
performed).
* ext/openssl/ossl_pkey_ec.c: rdoc typo fixed.
* ext/openssl/ossl_config.c: defined own IMPLEMENT_LHASH_DOALL_ARG_FN_098
macro according to IMPLEMENT_LHASH_DOALL_ARG_FN in OpenSSL 0.9.8m.
OpenSSL 1.0.0beta5 has a slightly different definition so it could
be a temporary workaround for 0.9.8 and 1.0.0 dual support.
* ext/openssl/ossl_pkcs5.c (ossl_pkcs5_pbkdf2_hmac): follows function
definition in OpenSSL 1.0.0beta5. PKCS5_PBKDF2_HMAC is from 1.0.0
(0.9.8 only has PKCS5_PBKDF2_HMAC_SHA1)
* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_eq): do not use
SSL_SESSION_cmp and implement equality func by ourselves. See the
comment.
* ext/openssl/extconf.rb: check some functions added at OpenSSL 1.0.0.
* ext/openssl/ossl_engine.c (ossl_engine_s_load): use engines which
exists.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_7@28367 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test')
-rw-r--r-- | test/openssl/test_ec.rb | 4 | ||||
-rw-r--r-- | test/openssl/test_x509cert.rb | 39 | ||||
-rw-r--r-- | test/openssl/test_x509crl.rb | 28 | ||||
-rw-r--r-- | test/openssl/test_x509req.rb | 38 |
4 files changed, 74 insertions, 35 deletions
diff --git a/test/openssl/test_ec.rb b/test/openssl/test_ec.rb index 671901ca36..eb1c61e1a9 100644 --- a/test/openssl/test_ec.rb +++ b/test/openssl/test_ec.rb @@ -87,9 +87,7 @@ class OpenSSL::TestEC < Test::Unit::TestCase def test_dsa_sign_verify for key in @keys sig = key.dsa_sign_asn1(@data1) - assert_equal(key.dsa_verify_asn1(@data1, sig), true) - - assert_raises(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) } + assert(key.dsa_verify_asn1(@data1, sig)) end end diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb index a5a75ff1b6..cf5e6f7aab 100644 --- a/test/openssl/test_x509cert.rb +++ b/test/openssl/test_x509cert.rb @@ -129,13 +129,31 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase end + def test_sign_and_verify_wrong_key_type + cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::SHA1.new) + cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::DSS1.new) + begin + assert_equal(false, cert_rsa.verify(@dsa256)) + rescue OpenSSL::X509::CertificateError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + + begin + assert_equal(false, cert_dsa.verify(@rsa1024)) + rescue OpenSSL::X509::CertificateError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + end + def test_sign_and_verify cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::SHA1.new) assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) - assert_equal(false, cert.verify(@dsa256)) - assert_equal(false, cert.verify(@dsa512)) cert.serial = 2 assert_equal(false, cert.verify(@rsa2048)) 
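Review bot: Dropping `assert_raises(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) }` from test_dsa_sign_verify leaves the `@data2` case with no assertion at all in this hunk. The description names a test_dsa_sign_asn1_FIPS186_3 test and a version-dependent outcome (truncation from 0.9.8m, ECError before that), but the only test_ec.rb hunk shown does not add it, so neither outcome is pinned here. I would keep a check that accepts both: sign `@data2` inside `begin ... rescue OpenSSL::PKey::ECError`, and when signing succeeds assert `key.dsa_verify_asn1(@data2, sig)`. The class body continues outside the hunk, so this assumes `@data2` is still set up there.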
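Review bot: The new test_sign_and_verify_wrong_key_type compares `e.message` with the exact string 'wrong public key type', which ties the test to the error wording of one OpenSSL release; the same pattern is repeated in the test_x509crl.rb and test_x509req.rb hunks. The property worth protecting is that verifying with a key of the wrong algorithm never returns true, and the `begin`/`rescue` around `assert_equal(false, ...)` already enforces that, so the message check could be loosened to `assert_match(/wrong public key type/, e.message)`. The two near-identical begin/rescue blocks in each file would read better as one small helper taking the signed object, the key and the expected error class. A comment above the first `begin`, such as `# older OpenSSL returns false here, 1.0.0 raises`, would explain why both outcomes are accepted.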
@@ -143,33 +161,22 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase nil, nil, OpenSSL::Digest::MD5.new) assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) - assert_equal(false, cert.verify(@dsa256)) - assert_equal(false, cert.verify(@dsa512)) cert.subject = @ee1 assert_equal(false, cert.verify(@rsa2048)) cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::DSS1.new) - assert_equal(false, cert.verify(@rsa1024)) - assert_equal(false, cert.verify(@rsa2048)) assert_equal(false, cert.verify(@dsa256)) assert_equal(true, cert.verify(@dsa512)) cert.not_after = Time.now assert_equal(false, cert.verify(@dsa512)) + end + def test_dsig_algorithm_mismatch assert_raises(OpenSSL::X509::CertificateError){ cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::DSS1.new) } - assert_raises(OpenSSL::X509::CertificateError){ - cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::MD5.new) - } - assert_raises(OpenSSL::X509::CertificateError){ - cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) - } + end end end - -end diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb index 444a00a586..c59ff52380 100644 --- a/test/openssl/test_x509crl.rb +++ b/test/openssl/test_x509crl.rb 
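Review bot: test_dsig_algorithm_mismatch no longer covers any DSA-key case, because both the `@dsa512` + MD5 and the `@dsa512` + SHA1 `assert_raises` blocks are removed, while the matching test in the test_x509req.rb hunk keeps its `@dsa512` + MD5 assertion. The description explains that DSA#sign now accepts SHA1 and SHA256, but says nothing about MD5. If issuing a DSA-signed certificate over an MD5 digest is still expected to fail, this test should keep `assert_raises(OpenSSL::X509::CertificateError){ issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::MD5.new) }`. The `cert =` assignment inside the remaining block is unused and can be dropped.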
@@ -190,6 +190,30 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase assert_match((2**100).to_s, crl.extensions[0].value) end + def test_sign_and_verify_wrong_key_type + cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::SHA1.new) + crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [], + cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new) + cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::DSS1.new) + crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [], + cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new) + begin + assert_equal(false, crl_rsa.verify(@dsa256)) + rescue OpenSSL::X509::CRLError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + + begin + assert_equal(false, crl_dsa.verify(@rsa1024)) + rescue OpenSSL::X509::CRLError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + end + def test_sign_and_verify cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::SHA1.new) @@ -197,8 +221,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase cert, @rsa2048, OpenSSL::Digest::SHA1.new) assert_equal(false, crl.verify(@rsa1024)) assert_equal(true, crl.verify(@rsa2048)) - assert_equal(false, crl.verify(@dsa256)) - assert_equal(false, crl.verify(@dsa512)) crl.version = 0 assert_equal(false, crl.verify(@rsa2048)) @@ -206,8 +228,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase nil, nil, OpenSSL::Digest::DSS1.new) crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @dsa512, OpenSSL::Digest::DSS1.new) - assert_equal(false, crl.verify(@rsa1024)) - assert_equal(false, crl.verify(@rsa2048)) assert_equal(false, crl.verify(@dsa256)) assert_equal(true, crl.verify(@dsa512)) crl.version = 0 diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb index a37ed5c5ef..6186bcea0c 100644 --- a/test/openssl/test_x509req.rb 
+++ b/test/openssl/test_x509req.rb 
@@ -103,37 +103,51 @@ class OpenSSL::TestX509Request < Test::Unit::TestCase assert_equal(exts, get_ext_req(attrs[1].value)) end + def test_sign_and_verify_wrong_key_type + req_rsa = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new) + req_dsa = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) + begin + assert_equal(false, req_rsa.verify(@dsa256)) + rescue OpenSSL::X509::RequestError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + + begin + assert_equal(false, req_dsa.verify(@rsa1024)) + rescue OpenSSL::X509::RequestError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + end + def test_sign_and_verify req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new) assert_equal(true, req.verify(@rsa1024)) assert_equal(false, req.verify(@rsa2048)) - assert_equal(false, req.verify(@dsa256)) - assert_equal(false, req.verify(@dsa512)) req.version = 1 assert_equal(false, req.verify(@rsa1024)) req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new) assert_equal(false, req.verify(@rsa1024)) assert_equal(true, req.verify(@rsa2048)) - assert_equal(false, req.verify(@dsa256)) - assert_equal(false, req.verify(@dsa512)) req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar") assert_equal(false, req.verify(@rsa2048)) req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) - assert_equal(false, req.verify(@rsa1024)) - assert_equal(false, req.verify(@rsa2048)) assert_equal(false, req.verify(@dsa256)) assert_equal(true, req.verify(@dsa512)) req.public_key = @rsa1024.public_key assert_equal(false, req.verify(@dsa512)) + end - assert_raise(OpenSSL::X509::RequestError){ - issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) } - assert_raise(OpenSSL::X509::RequestError){ - issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) } - assert_raise(OpenSSL::X509::RequestError){ - issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) } + def 
test_dsig_algorithm_mismatch + assert_raise(OpenSSL::X509::RequestError) do + issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) + end + assert_raise(OpenSSL::X509::RequestError) do + issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) + end end end |