summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorrhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2017-09-03 12:35:27 +0000
committerrhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2017-09-03 12:35:27 +0000
commit609103dbb5fb182eec12f052226c43e39b907682 (patch)
tree881cdacc3312e65261ebd34a807c75ee09fdb303 /test
parentb9801bb8b2f5ce91755e0076d79140a72ff94d6a (diff)
openssl: import v2.1.0.beta1
Import Ruby/OpenSSL 2.1.0.beta1. The full commit log since v2.0.5 (imported by r59567) can be found at: https://github.com/ruby/openssl/compare/v2.0.5...v2.1.0.beta1 ---------------------------------------------------------------- Antonio Terceiro (1): test/test_ssl: explicitly accept TLS 1.1 in corresponding test Colby Swandale (1): document using secure protocol to fetch git master in Bundler Colton Jenkins (1): Add fips_mode_get to return fips_mode Kazuki Yamaguchi (85): Start preparing for 2.1.0 Remove support for OpenSSL 0.9.8 and 1.0.0 bn: refine tests bn: implement unary {plus,minus} operators for OpenSSL::BN bn: implement OpenSSL::BN#negative? Don't define main() when built with --enable-debug test: let OpenSSL::TestCase include OpenSSL::TestUtils test: prepare test PKey instances on demand Add OpenSSL.print_mem_leaks Enable OSSL_MDEBUG on CI builds ssl: move default DH parameters from OpenSSL::PKey::DH Make exceptions with the same format regardless of OpenSSL.debug ssl: show reason of 'certificate verify error' in exception message ssl: remove OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384 ssl: do not confuse different ex_data index registries ssl: assume SSL/SSL_CTX always have a valid reference to the Ruby object Fix RDoc markup ssl: suppress compiler warning ext/openssl/deprecation.rb: remove broken-apple-openssl extconf.rb: print informative message if OpenSSL can't be found Rakefile: compile the extension before test kdf: introduce OpenSSL::KDF module ossl.h: add NUM2UINT64T() macro kdf: add scrypt Expand rb_define_copy_func() macro Expand FPTR_TO_FD() macro Remove SafeGet*() macros cipher: rename GetCipherPtr() to ossl_evp_get_cipherbyname() digest: rename GetDigestPtr() to ossl_evp_get_digestbyname() Add ossl_str_new(), an exception-safe rb_str_new() bio: simplify ossl_membio2str() using ossl_str_new() Remove unused functions and macros Drop support for LibreSSL 2.3 ocsp: add OpenSSL::OCSP::Request#signed? asn1: infinite length -> indefinite length asn1: rearrange tests ssl: remove a needless NULL check in SSL::SSLContext#ciphers ssl: return nil in SSL::SSLSocket#cipher if session is not started asn1: remove an unnecessary function prototype asn1: require tag information when instantiating generic type asn1: initialize 'unused_bits' attribute of BitString with 0 asn1: check for illegal 'unused_bits' value of BitString asn1: disallow NULL to be passed to asn1time_to_time() asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid asn1: allow constructed encoding with definite length form asn1: prohibit indefinite length form for primitive encoding asn1: allow tag number to be >= 32 for universal tag class asn1: use ossl_asn1_tag() asn1: clean up OpenSSL::ASN1::Constructive#to_der asn1: harmonize OpenSSL::ASN1::*#to_der asn1: prevent EOC octets from being in the middle of the content asn1: do not treat EOC octets as part of content octets x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entry ssl: do not call session_remove_cb during GC Backport "Merge branch 'topic/test-memory-leak'" to maint cipher: update the documentation for Cipher#auth_tag= Rakefile: let sync:to_ruby know about test/openssl/fixtures test: fix formatting test/utils: remove OpenSSL::TestUtils.silent test/utils: add SSLTestCase#tls12_supported? test/utils: have start_server yield only the port number test/utils: do not set ecdh_curves in start_server test/utils: let server_loop close socket test/utils: improve error handling in start_server test/utils: add OpenSSL::TestUtils.openssl? and .libressl? test/utils: do not use DSA certificates in SSL tests test/test_ssl: remove test_invalid_shutdown_by_gc test/test_ssl: move test_multibyte_read_write to test_pair test/test_ssl_session: rearrange tests test/test_pair, test/test_ssl: fix for TLS 1.3 ssl: remove useless call to rb_thread_wait_fd() ssl: fix NPN support ssl: mark OpenSSL::SSL::SSLContext::DEFAULT_{1024,2048} as private ssl: use 2048-bit group in the default tmp_dh_cb ssl: ensure that SSL option flags are non-negative ssl: update OpenSSL::SSL::OP_* flags ssl: prefer TLS_method() over SSLv23_method() ssl: add SSLContext#min_version= and #max_version= ssl: rework SSLContext#ssl_version= test/test_x509name: change script encoding to ASCII-8BIT x509name: refactor OpenSSL::X509::Name#to_s x509name: add OpenSSL::X509::Name#to_utf8 x509name: add OpenSSL::X509::Name#inspect x509name: update regexp in OpenSSL::X509::Name.parse Ruby/OpenSSL 2.1.0.beta1 Marcus Stollsteimer (1): Fix rdoc for core Integer class nobu (4): [DOC] {read,write}_nonblock with exception: false [DOC] keyword argument _exception_ [DOC] mark up literals Revert r57690 except for read_nonblock git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59734 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test')
-rw-r--r--test/openssl/fixtures/pkey/dh1024.pem5
-rw-r--r--test/openssl/fixtures/pkey/dsa1024.pem12
-rw-r--r--test/openssl/fixtures/pkey/dsa256.pem8
-rw-r--r--test/openssl/fixtures/pkey/dsa512.pem8
-rw-r--r--test/openssl/fixtures/pkey/p256.pem5
-rw-r--r--test/openssl/fixtures/pkey/rsa1024.pem15
-rw-r--r--test/openssl/fixtures/pkey/rsa2048.pem27
-rw-r--r--test/openssl/test_asn1.rb636
-rw-r--r--test/openssl/test_bn.rb319
-rw-r--r--test/openssl/test_buffering.rb7
-rw-r--r--test/openssl/test_cipher.rb17
-rw-r--r--test/openssl/test_config.rb12
-rw-r--r--test/openssl/test_digest.rb67
-rw-r--r--test/openssl/test_engine.rb6
-rw-r--r--test/openssl/test_fips.rb12
-rw-r--r--test/openssl/test_hmac.rb6
-rw-r--r--test/openssl/test_kdf.rb141
-rw-r--r--test/openssl/test_ns_spki.rb6
-rw-r--r--test/openssl/test_ocsp.rb27
-rw-r--r--test/openssl/test_pair.rb133
-rw-r--r--test/openssl/test_pkcs12.rb46
-rw-r--r--test/openssl/test_pkcs5.rb98
-rw-r--r--test/openssl/test_pkcs7.rb10
-rw-r--r--test/openssl/test_pkey_dh.rb39
-rw-r--r--test/openssl/test_pkey_dsa.rb66
-rw-r--r--test/openssl/test_pkey_ec.rb61
-rw-r--r--test/openssl/test_pkey_rsa.rb78
-rw-r--r--test/openssl/test_random.rb6
-rw-r--r--test/openssl/test_ssl.rb694
-rw-r--r--test/openssl/test_ssl_session.rb405
-rw-r--r--test/openssl/test_x509attr.rb2
-rw-r--r--test/openssl/test_x509cert.rb40
-rw-r--r--test/openssl/test_x509crl.rb20
-rw-r--r--test/openssl/test_x509ext.rb2
-rw-r--r--test/openssl/test_x509name.rb111
-rw-r--r--test/openssl/test_x509req.rb26
-rw-r--r--test/openssl/test_x509store.rb34
-rw-r--r--test/openssl/ut_eof.rb4
-rw-r--r--test/openssl/utils.rb474
39 files changed, 2072 insertions, 1613 deletions
diff --git a/test/openssl/fixtures/pkey/dh1024.pem b/test/openssl/fixtures/pkey/dh1024.pem
new file mode 100644
index 00000000000..f99c757f21a
--- /dev/null
+++ b/test/openssl/fixtures/pkey/dh1024.pem
@@ -0,0 +1,5 @@
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0
+pFxIvjG05D7HoBZQfrR0c92NGWPkAiCkhQKB8JCbPVzwNLDy6DZ0pmofDKrEsYHG
+AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
+-----END DH PARAMETERS-----
diff --git a/test/openssl/fixtures/pkey/dsa1024.pem b/test/openssl/fixtures/pkey/dsa1024.pem
new file mode 100644
index 00000000000..1bf498895e2
--- /dev/null
+++ b/test/openssl/fixtures/pkey/dsa1024.pem
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQCH9aAoXvWWThIjkA6D+nI1F9ksF9iDq594rkiGNOT9sPDOdB+n
+D+qeeeeloRlj19ymCSADPI0ZLRgkchkAEnY2RnqnhHOjVf/roGgRbW+iQDMbQ9wa
+/pvc6/fAbsu1goE1hBYjm98/sZEeXavj8tR56IXnjF1b6Nx0+sgeUKFKEQIVAMiz
+4BJUFeTtddyM4uadBM7HKLPRAoGAZdLBSYNGiij7vAjesF5mGUKTIgPd+JKuBEDx
+OaBclsgfdoyoF/TMOkIty+PVlYD+//Vl2xnoUEIRaMXHwHfm0r2xUX++oeRaSScg
+YizJdUxe5jvBuBszGPRc/mGpb9YvP0sB+FL1KmuxYmdODfCe51zl8uM/CVhouJ3w
+DjmRGscCgYAuFlfC7p+e8huCKydfcv/beftqjewiOPpQ3u5uI6KPCtCJPpDhs3+4
+IihH2cPsAlqwGF4tlibW1+/z/OZ1AZinPK3y7b2jSJASEaPeEltVzB92hcd1khk2
+jTYcmSsV4VddplOPK9czytR/GbbibxsrhhgZUbd8LPbvIgaiadJ1PgIUBnJ/5vN2
+CVArsEzlPUCbohPvZnE=
+-----END DSA PRIVATE KEY-----
diff --git a/test/openssl/fixtures/pkey/dsa256.pem b/test/openssl/fixtures/pkey/dsa256.pem
new file mode 100644
index 00000000000..d9a407f7368
--- /dev/null
+++ b/test/openssl/fixtures/pkey/dsa256.pem
@@ -0,0 +1,8 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIH3AgEAAkEAhk2libbY2a8y2Pt21+YPYGZeW6wzaW2yfj5oiClXro9XMR7XWLkE
+9B7XxLNFCS2gmCCdMsMW1HulaHtLFQmB2wIVAM43JZrcgpu6ajZ01VkLc93gu/Ed
+AkAOhujZrrKV5CzBKutKLb0GVyVWmdC7InoNSMZEeGU72rT96IjM59YzoqmD0pGM
+3I1o4cGqg1D1DfM1rQlnN1eSAkBq6xXfEDwJ1mLNxF6q8Zm/ugFYWR5xcX/3wFiT
+b4+EjHP/DbNh9Vm5wcfnDBJ1zKvrMEf2xqngYdrV/3CiGJeKAhRvL57QvJZcQGvn
+ISNX5cMzFHRW3Q==
+-----END DSA PRIVATE KEY-----
diff --git a/test/openssl/fixtures/pkey/dsa512.pem b/test/openssl/fixtures/pkey/dsa512.pem
new file mode 100644
index 00000000000..962c41cc67f
--- /dev/null
+++ b/test/openssl/fixtures/pkey/dsa512.pem
@@ -0,0 +1,8 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok
+RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D
+AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR
+S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++
+Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S
+55jreJD3Se3slps=
+-----END DSA PRIVATE KEY-----
diff --git a/test/openssl/fixtures/pkey/p256.pem b/test/openssl/fixtures/pkey/p256.pem
new file mode 100644
index 00000000000..97c97d9f9dd
--- /dev/null
+++ b/test/openssl/fixtures/pkey/p256.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIID49FDqcf1O1eO8saTgG70UbXQw9Fqwseliit2aWhH1oAoGCCqGSM49
+AwEHoUQDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7lSZ/ArK41eGy5wAzU/0G51Xtt
+CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg==
+-----END EC PRIVATE KEY-----
diff --git a/test/openssl/fixtures/pkey/rsa1024.pem b/test/openssl/fixtures/pkey/rsa1024.pem
new file mode 100644
index 00000000000..464de074be8
--- /dev/null
+++ b/test/openssl/fixtures/pkey/rsa1024.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx
+aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/
+Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB
+AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0
+maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T
+gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572
+74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE
+JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX
+sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII
+8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA
+wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi
+qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD
+dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA==
+-----END RSA PRIVATE KEY-----
diff --git a/test/openssl/fixtures/pkey/rsa2048.pem b/test/openssl/fixtures/pkey/rsa2048.pem
new file mode 100644
index 00000000000..ac89cd88ed9
--- /dev/null
+++ b/test/openssl/fixtures/pkey/rsa2048.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAuV9ht9J7k4NBs38jOXvvTKY9gW8nLICSno5EETR1cuF7i4pN
+s9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enenfzq/t/e/1IRW0wkJUJUFQign
+4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWmqbjs07JbuS4QQGGXLc+Su96D
+kYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v68JkRFIhdGlb6JL8fllf/A/bl
+NwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX9KZYcU00mOX+fdxOSnGqS/8J
+DRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wIDAQABAoIBAAzsamqfYQAqwXTb
+I0CJtGg6msUgU7HVkOM+9d3hM2L791oGHV6xBAdpXW2H8LgvZHJ8eOeSghR8+dgq
+PIqAffo4x1Oma+FOg3A0fb0evyiACyrOk+EcBdbBeLo/LcvahBtqnDfiUMQTpy6V
+seSoFCwuN91TSCeGIsDpRjbG1vxZgtx+uI+oH5+ytqJOmfCksRDCkMglGkzyfcl0
+Xc5CUhIJ0my53xijEUQl19rtWdMnNnnkdbG8PT3LZlOta5Do86BElzUYka0C6dUc
+VsBDQ0Nup0P6rEQgy7tephHoRlUGTYamsajGJaAo1F3IQVIrRSuagi7+YpSpCqsW
+wORqorkCgYEA7RdX6MDVrbw7LePnhyuaqTiMK+055/R1TqhB1JvvxJ1CXk2rDL6G
+0TLHQ7oGofd5LYiemg4ZVtWdJe43BPZlVgT6lvL/iGo8JnrncB9Da6L7nrq/+Rvj
+XGjf1qODCK+LmreZWEsaLPURIoR/Ewwxb9J2zd0CaMjeTwafJo1CZvcCgYEAyCgb
+aqoWvUecX8VvARfuA593Lsi50t4MEArnOXXcd1RnXoZWhbx5rgO8/ATKfXr0BK/n
+h2GF9PfKzHFm/4V6e82OL7gu/kLy2u9bXN74vOvWFL5NOrOKPM7Kg+9I131kNYOw
+Ivnr/VtHE5s0dY7JChYWE1F3vArrOw3T00a4CXUCgYEA0SqY+dS2LvIzW4cHCe9k
+IQqsT0yYm5TFsUEr4sA3xcPfe4cV8sZb9k/QEGYb1+SWWZ+AHPV3UW5fl8kTbSNb
+v4ng8i8rVVQ0ANbJO9e5CUrepein2MPL0AkOATR8M7t7dGGpvYV0cFk8ZrFx0oId
+U0PgYDotF/iueBWlbsOM430CgYEAqYI95dFyPI5/AiSkY5queeb8+mQH62sdcCCr
+vd/w/CZA/K5sbAo4SoTj8dLk4evU6HtIa0DOP63y071eaxvRpTNqLUOgmLh+D6gS
+Cc7TfLuFrD+WDBatBd5jZ+SoHccVrLR/4L8jeodo5FPW05A+9gnKXEXsTxY4LOUC
+9bS4e1kCgYAqVXZh63JsMwoaxCYmQ66eJojKa47VNrOeIZDZvd2BPVf30glBOT41
+gBoDG3WMPZoQj9pb7uMcrnvs4APj2FIhMU8U15LcPAj59cD6S6rWnAxO8NFK7HQG
+4Jxg3JNNf8ErQoCHb1B3oVdXJkmbJkARoDpBKmTCgKtP8ADYLmVPQw==
+-----END RSA PRIVATE KEY-----
diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb
index 91ae2cfd0cd..3e7f8c13ce0 100644
--- a/test/openssl/test_asn1.rb
+++ b/test/openssl/test_asn1.rb
@@ -1,10 +1,12 @@
# frozen_string_literal: false
require_relative 'utils'
+if defined?(OpenSSL)
+
class OpenSSL::TestASN1 < OpenSSL::TestCase
- def test_decode
+ def test_decode_x509_certificate
subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA")
- key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+ key = Fixtures.pkey("rsa1024")
now = Time.at(Time.now.to_i) # suppress usec
s = 0xdeadbeafdeadbeafdeadbeafdeadbeaf
exts = [
@@ -128,9 +130,9 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
assert_equal(OpenSSL::ASN1::Sequence, spkey.class)
assert_equal(2, spkey.value.size)
assert_equal(OpenSSL::ASN1::Integer, spkey.value[0].class)
- assert_equal(143085709396403084580358323862163416700436550432664688288860593156058579474547937626086626045206357324274536445865308750491138538454154232826011964045825759324933943290377903384882276841880081931690695505836279972214003660451338124170055999155993192881685495391496854691199517389593073052473319331505702779271, spkey.value[0].value)
+ assert_equal(cert.public_key.n, spkey.value[0].value)
assert_equal(OpenSSL::ASN1::Integer, spkey.value[1].class)
- assert_equal(65537, spkey.value[1].value)
+ assert_equal(cert.public_key.e, spkey.value[1].value)
extensions = tbs_cert.value[7]
assert_equal(:CONTEXT_SPECIFIC, extensions.tag_class)
@@ -191,66 +193,8 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
assert_equal(cululated_sig, sig_val.value)
end
- def test_encode_boolean
- encode_decode_test(OpenSSL::ASN1::Boolean, [true, false])
- end
-
- def test_encode_integer
- encode_decode_test(OpenSSL::ASN1::Integer, [72, -127, -128, 128, -1, 0, 1, -(2**12345), 2**12345])
- end
-
- def test_encode_nil
- m = OpenSSL::ASN1
- [
- m::Boolean, m::Integer, m::BitString, m::OctetString,
- m::ObjectId, m::Enumerated, m::UTF8String, m::UTCTime,
- m::GeneralizedTime, m::Sequence, m::Set
- ].each do |klass|
- #Primitives raise TypeError, Constructives NoMethodError
- assert_raise(TypeError, NoMethodError) { klass.send(:new, nil).to_der }
- end
- end
-
- def encode_decode_test(type, values)
- values.each do |v|
- assert_equal(v, OpenSSL::ASN1.decode(type.new(v).to_der).value)
- end
- end
-
- def test_decode_pem #should fail gracefully (cf. [ruby-dev:44542])
- pem = <<-_EOS_
------BEGIN CERTIFICATE-----
-MIIC8zCCAdugAwIBAgIBATANBgkqhkiG9w0BAQUFADA9MRMwEQYKCZImiZPyLGQB
-GRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVieS1sYW5nMQswCQYDVQQDDAJDQTAe
-Fw0xMTA5MjUxMzQ4MjZaFw0xMTA5MjUxNDQ4MjZaMD0xEzARBgoJkiaJk/IsZAEZ
-FgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5LWxhbmcxCzAJBgNVBAMMAkNBMIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuV9ht9J7k4NBs38jOXvvTKY9
-gW8nLICSno5EETR1cuF7i4pNs9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enen
-fzq/t/e/1IRW0wkJUJUFQign4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWm
-qbjs07JbuS4QQGGXLc+Su96DkYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v6
-8JkRFIhdGlb6JL8fllf/A/blNwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX
-9KZYcU00mOX+fdxOSnGqS/8JDRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wID
-AQABMA0GCSqGSIb3DQEBBQUAA4IBAQAiAtrIr1pLX4GYN5klviWKb8HC9ICYuAFI
-NfE3FwqzErEVXotuMe3yPVyB3Bv6rjYY/x5EtS5+WPTbHlvHZTkfcsnTpizcn4mW
-dJ6dDRaFCHt1YKKjUxqBt9lvvrc3nReYZN/P+s1mrDhWzGf8iPZgf8sFUHgnaK7W
-CXRVXmPFgCDRNpDDVQ0MQkr509yYfTH+dujNzqTCwSvkyZFyQ7Oe8Yj0VR6kquG3
-rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm
-/93PnPG1IvPjYNd5VlV+sXSnaxQn974HRCsMv7jA8BD6IgSaX6WK
------END CERTIFICATE-----
- _EOS_
- assert_raise(OpenSSL::ASN1::ASN1Error) { OpenSSL::ASN1.decode(pem) }
- assert_raise(OpenSSL::ASN1::ASN1Error) { OpenSSL::ASN1.decode_all(pem) }
- end
-
- def test_primitive_cannot_set_infinite_length
- prim = OpenSSL::ASN1::Integer.new(50)
- assert_equal false, prim.infinite_length
- assert_not_respond_to prim, :infinite_length=
- end
-
def test_decode_all
- expected = %w{ 02 01 01 02 01 02 02 01 03 }
- raw = [expected.join('')].pack('H*')
+ raw = B(%w{ 02 01 01 02 01 02 02 01 03 })
ary = OpenSSL::ASN1.decode_all(raw)
assert_equal(3, ary.size)
ary.each_with_index do |asn1, i|
@@ -259,288 +203,401 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm
end
end
- def test_decode_utctime
- expected = Time.at 1374535380
- assert_equal expected, OpenSSL::ASN1.decode("\x17\v1307222323Z").value
-
- expected += 17
- assert_equal expected, OpenSSL::ASN1.decode("\x17\r130722232317Z").value
- end
-
- def test_encode_utctime_2k38
- encoded = OpenSSL::ASN1::UTCTime(2 ** 31 - 1).to_der
- assert_equal 2 ** 31 - 1, OpenSSL::ASN1.decode(encoded).value.to_i
-
- encoded = OpenSSL::ASN1::UTCTime(2 ** 31).to_der
- assert_equal 2 ** 31, OpenSSL::ASN1.decode(encoded).value.to_i
+ def test_object_id_register
+ oid = "1.2.34.56789"
+ pend "OID 1.2.34.56789 is already registered" if OpenSSL::ASN1::ObjectId(oid).sn
+ assert_equal true, OpenSSL::ASN1::ObjectId.register(oid, "ossl-test-sn", "ossl-test-ln")
+ obj = OpenSSL::ASN1::ObjectId(oid)
+ assert_equal oid, obj.oid
+ assert_equal "ossl-test-sn", obj.sn
+ assert_equal "ossl-test-ln", obj.ln
+ obj = encode_decode_test B(%w{ 06 05 2A 22 83 BB 55 }), OpenSSL::ASN1::ObjectId("ossl-test-ln")
+ assert_equal "ossl-test-sn", obj.value
end
- def test_decode_generalisedtime
- expected = Time.at 1481225640
- assert_equal expected, OpenSSL::ASN1.decode("\x18\x0D201612081934Z").value
-
- expected += 29
- assert_equal expected, OpenSSL::ASN1.decode("\x18\x0F20161208193429Z").value
+ def test_end_of_content
+ encode_decode_test B(%w{ 00 00 }), OpenSSL::ASN1::EndOfContent.new
+ assert_raise(OpenSSL::ASN1::ASN1Error) {
+ OpenSSL::ASN1.decode(B(%w{ 00 01 00 }))
+ }
end
- def test_decode_enumerated
- encoded = OpenSSL::ASN1.Enumerated(0).to_der
- assert_equal "\x0a\x01\x00".b, encoded
- assert_equal encoded, OpenSSL::ASN1.decode(encoded).to_der
+ def test_boolean
+ encode_decode_test B(%w{ 01 01 00 }), OpenSSL::ASN1::Boolean.new(false)
+ encode_decode_test B(%w{ 01 01 FF }), OpenSSL::ASN1::Boolean.new(true)
+ decode_test B(%w{ 01 01 01 }), OpenSSL::ASN1::Boolean.new(true)
+ assert_raise(OpenSSL::ASN1::ASN1Error) {
+ OpenSSL::ASN1.decode(B(%w{ 01 02 00 00 }))
+ }
end
- def test_create_inf_length_primitive
- expected = %w{ 24 80 04 01 61 00 00 }
- raw = [expected.join('')].pack('H*')
- content = [OpenSSL::ASN1::OctetString.new("a"), OpenSSL::ASN1::EndOfContent.new]
- cons = OpenSSL::ASN1::Constructive.new(content, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL)
- cons.infinite_length = true
- assert_equal(nil, cons.tagging)
- assert_equal(raw, cons.to_der)
- asn1 = OpenSSL::ASN1.decode(raw)
- assert(asn1.infinite_length)
- assert_equal(raw, asn1.to_der)
+ def test_integer
+ encode_decode_test B(%w{ 02 01 00 }), OpenSSL::ASN1::Integer.new(0)
+ encode_decode_test B(%w{ 02 01 48 }), OpenSSL::ASN1::Integer.new(72)
+ encode_decode_test B(%w{ 02 02 00 80 }), OpenSSL::ASN1::Integer.new(128)
+ encode_decode_test B(%w{ 02 01 81 }), OpenSSL::ASN1::Integer.new(-127)
+ encode_decode_test B(%w{ 02 01 80 }), OpenSSL::ASN1::Integer.new(-128)
+ encode_decode_test B(%w{ 02 01 FF }), OpenSSL::ASN1::Integer.new(-1)
+ encode_decode_test B(%w{ 02 09 01 00 00 00 00 00 00 00 00 }), OpenSSL::ASN1::Integer.new(2 ** 64)
+ encode_decode_test B(%w{ 02 09 FF 00 00 00 00 00 00 00 00 }), OpenSSL::ASN1::Integer.new(-(2 ** 64))
+ # FIXME: OpenSSL < 1.1.0 does not fail
+ # assert_raise(OpenSSL::ASN1::ASN1Error) {
+ # OpenSSL::ASN1.decode(B(%w{ 02 02 00 7F }))
+ # }
+ # assert_raise(OpenSSL::ASN1::ASN1Error) {
+ # OpenSSL::ASN1.decode(B(%w{ 02 02 FF 80 }))
+ # }
+ end
+
+ def test_enumerated
+ encode_decode_test B(%w{ 0A 01 00 }), OpenSSL::ASN1::Enumerated.new(0)
+ encode_decode_test B(%w{ 0A 01 48 }), OpenSSL::ASN1::Enumerated.new(72)
+ encode_decode_test B(%w{ 0A 02 00 80 }), OpenSSL::ASN1::Enumerated.new(128)
+ encode_decode_test B(%w{ 0A 09 01 00 00 00 00 00 00 00 00 }), OpenSSL::ASN1::Enumerated.new(2 ** 64)
+ end
+
+ def test_bitstring
+ encode_decode_test B(%w{ 03 01 00 }), OpenSSL::ASN1::BitString.new(B(%w{}))
+ encode_decode_test B(%w{ 03 02 00 01 }), OpenSSL::ASN1::BitString.new(B(%w{ 01 }))
+ obj = OpenSSL::ASN1::BitString.new(B(%w{ F0 }))
+ obj.unused_bits = 4
+ encode_decode_test B(%w{ 03 02 04 F0 }), obj
+ assert_raise(OpenSSL::ASN1::ASN1Error) {
+ OpenSSL::ASN1.decode(B(%w{ 03 00 }))
+ }
+ # OpenSSL < OpenSSL_1_0_1k and LibreSSL ignore the error
+ # assert_raise(OpenSSL::ASN1::ASN1Error) {
+ # OpenSSL::ASN1.decode(B(%w{ 03 03 08 FF 00 }))
+ # }
+ # OpenSSL does not seem to prohibit this, though X.690 8.6.2.3 (15/08) does
+ # assert_raise(OpenSSL::ASN1::ASN1Error) {
+ # OpenSSL::ASN1.decode(B(%w{ 03 01 04 }))
+ # }
+ assert_raise(OpenSSL::ASN1::ASN1Error) {
+ obj = OpenSSL::ASN1::BitString.new(B(%w{ FF FF }))
+ obj.unused_bits = 8
+ obj.to_der
+ }
end
- def test_cons_without_inf_length_forbidden
- assert_raise(OpenSSL::ASN1::ASN1Error) do
- val = OpenSSL::ASN1::OctetString.new('a')
- cons = OpenSSL::ASN1::Constructive.new([val], OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL)
- cons.to_der
- end
+ def test_string_basic
+ test = -> (tag, klass) {
+ encode_decode_test tag.chr + B(%w{ 00 }), klass.new(B(%w{}))
+ encode_decode_test tag.chr + B(%w{ 02 00 01 }), klass.new(B(%w{ 00 01 }))
+ }
+ test.(4, OpenSSL::ASN1::OctetString)
+ test.(12, OpenSSL::ASN1::UTF8String)
+ test.(18, OpenSSL::ASN1::NumericString)
+ test.(19, OpenSSL::ASN1::PrintableString)
+ test.(20, OpenSSL::ASN1::T61String)
+ test.(21, OpenSSL::ASN1::VideotexString)
+ test.(22, OpenSSL::ASN1::IA5String)
+ test.(25, OpenSSL::ASN1::GraphicString)
+ test.(26, OpenSSL::ASN1::ISO64String)
+ test.(27, OpenSSL::ASN1::GeneralString)
+ test.(28, OpenSSL::ASN1::UniversalString)
+ test.(30, OpenSSL::ASN1::BMPString)
+ end
+
+ def test_null
+ encode_decode_test B(%w{ 05 00 }), OpenSSL::ASN1::Null.new(nil)
+ assert_raise(OpenSSL::ASN1::ASN1Error) {
+ OpenSSL::ASN1.decode(B(%w{ 05 01 00 }))
+ }
end
- def test_cons_without_array_forbidden
- assert_raise(OpenSSL::ASN1::ASN1Error) do
- val = OpenSSL::ASN1::OctetString.new('a')
- cons = OpenSSL::ASN1::Constructive.new(val, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL)
- cons.infinite_length = true
- cons.to_der
+ def test_object_identifier
+ encode_decode_test B(%w{ 06 01 00 }), OpenSSL::ASN1::ObjectId.new("0.0".b)
+ encode_decode_test B(%w{ 06 01 28 }), OpenSSL::ASN1::ObjectId.new("1.0".b)
+ encode_decode_test B(%w{ 06 03 88 37 03 }), OpenSSL::ASN1::ObjectId.new("2.999.3".b)
+ encode_decode_test B(%w{ 06 05 2A 22 83 BB 55 }), OpenSSL::ASN1::ObjectId.new("1.2.34.56789".b)
+ obj = encode_decode_test B(%w{ 06 09 60 86 48 01 65 03 04 02 01 }), OpenSSL::ASN1::ObjectId.new("sha256")
+ assert_equal "2.16.840.1.101.3.4.2.1", obj.oid
+ assert_equal "SHA256", obj.sn
+ assert_equal "sha256", obj.ln
+ assert_raise(OpenSSL::ASN1::ASN1Error) {
+ OpenSSL::ASN1.decode(B(%w{ 06 00 }))
+ }
+ assert_raise(OpenSSL::ASN1::ASN1Error) {
+ OpenSSL::ASN1.decode(B(%w{ 06 01 80 }))
+ }
+ assert_raise(OpenSSL::ASN1::ASN1Error) { OpenSSL::ASN1::ObjectId.new("3.0".b).to_der }
+ assert_raise(OpenSSL::ASN1::ASN1Error) { OpenSSL::ASN1::ObjectId.new("0.40".b).to_der }
+
+ begin
+ oid = (0...100).to_a.join(".").b
+ obj = OpenSSL::ASN1::ObjectId.new(oid)
+ assert_equal oid, obj.oid
+ rescue OpenSSL::ASN1::ASN1Error
+ pend "OBJ_obj2txt() not working (LibreSSL?)" if $!.message =~ /OBJ_obj2txt/
+ raise
end
end
- def test_parse_empty_sequence
- expected = %w{ A0 07 30 02 30 00 02 01 00 }
- raw = [expected.join('')].pack('H*')
- asn1 = OpenSSL::ASN1.decode(raw)
- assert_equal(raw, asn1.to_der)
- assert_equal(2, asn1.value.size)
- seq = asn1.value[0]
- assert_equal(1, seq.value.size)
- inner_seq = seq.value[0]
- assert_equal(0, inner_seq.value.size)
- end
+ def test_sequence
+ encode_decode_test B(%w{ 30 00 }), OpenSSL::ASN1::Sequence.new([])
+ encode_decode_test B(%w{ 30 07 05 00 30 00 04 01 00 }), OpenSSL::ASN1::Sequence.new([
+ OpenSSL::ASN1::Null.new(nil),
+ OpenSSL::ASN1::Sequence.new([]),
+ OpenSSL::ASN1::OctetString.new(B(%w{ 00 }))
+ ])
+
+ expected = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::OctetString.new(B(%w{ 00 }))])
+ expected.indefinite_length = true
+ encode_decode_test B(%w{ 30 80 04 01 00 00 00 }), expected
+
+ # OpenSSL::ASN1::EndOfContent can only be at the end
+ obj = OpenSSL::ASN1::Sequence.new([
+ OpenSSL::ASN1::EndOfContent.new,
+ OpenSSL::ASN1::OctetString.new(B(%w{ 00 })),
+ OpenSSL::ASN1::EndOfContent.new,
+ ])
+ obj.indefinite_length = true
+ assert_raise(OpenSSL::ASN1::ASN1Error) { obj.to_der }
+
+ # The last EOC in value is ignored if indefinite length form is used
+ expected = OpenSSL::ASN1::Sequence.new([
+ OpenSSL::ASN1::OctetString.new(B(%w{ 00 })),
+ OpenSSL::ASN1::EndOfContent.new
+ ])
+ expected.indefinite_length = true
+ encode_test B(%w{ 30 80 04 01 00 00 00 }), expected
+ end
+
+ def test_set
+ encode_decode_test B(%w{ 31 00 }), OpenSSL::ASN1::Set.new([])
+ encode_decode_test B(%w{ 31 07 05 00 30 00 04 01 00 }), OpenSSL::ASN1::Set.new([
+ OpenSSL::ASN1::Null.new(nil),
+ OpenSSL::ASN1::Sequence.new([]),
+ OpenSSL::ASN1::OctetString.new(B(%w{ 00 }))
+ ])
+ expected = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::OctetString.new(B(%w{ 00 }))])
+ expected.indefinite_length = true
+ encode_decode_test B(%w{ 31 80 04 01 00 00 00 }), expected
+ end
+
+ def test_utctime
+ encode_decode_test B(%w{ 17 0D }) + "160908234339Z".b,
+ OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 39))
+ # possible range of UTCTime is 1969-2068 currently
+ encode_decode_test B(%w{ 17 0D }) + "690908234339Z".b,
+ OpenSSL::ASN1::UTCTime.new(Time.utc(1969, 9, 8, 23, 43, 39))
+ decode_test B(%w{ 17 0B }) + "6909082343Z".b,
+ OpenSSL::ASN1::UTCTime.new(Time.utc(1969, 9, 8, 23, 43, 0))
+ # not implemented
+ # decode_test B(%w{ 17 11 }) + "500908234339+0930".b,
+ # OpenSSL::ASN1::UTCTime.new(Time.new(1950, 9, 8, 23, 43, 39, "+09:30"))
+ # decode_test B(%w{ 17 0F }) + "5009082343-0930".b,
+ # OpenSSL::ASN1::UTCTime.new(Time.new(1950, 9, 8, 23, 43, 0, "-09:30"))
+ # assert_raise(OpenSSL::ASN1::ASN1Error) {
+ # OpenSSL::ASN1.decode(B(%w{ 17 0C }) + "500908234339".b)
+ # }
+ # assert_raise(OpenSSL::ASN1::ASN1Error) {
+ # OpenSSL::ASN1.decode(B(%w{ 17 0D }) + "500908234339Y".b)
+ # }
+ end
+
+ def test_generalizedtime
+ encode_decode_test B(%w{ 18 0F }) + "20161208193429Z".b,
+ OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 29))
+ encode_decode_test B(%w{ 18 0F }) + "99990908234339Z".b,
+ OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
+ decode_test B(%w{ 18 0D }) + "201612081934Z".b,
+ OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
+ # not implemented
+ # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
+ # OpenSSL::ASN1::GeneralizedTime.new(Time.new(2016, 12, 8, 19, 34, 39, "+09:30"))
+ # decode_test B(%w{ 18 11 }) + "201612081934-0930".b,
+ # OpenSSL::ASN1::GeneralizedTime.new(Time.new(2016, 12, 8, 19, 34, 0, "-09:30"))
+ # decode_test B(%w{ 18 11 }) + "201612081934-09".b,
+ # OpenSSL::ASN1::GeneralizedTime.new(Time.new(2016, 12, 8, 19, 34, 0, "-09:00"))
+ # decode_test B(%w{ 18 0D }) + "2016120819.5Z".b,
+ # OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 30, 0))
+ # decode_test B(%w{ 18 0D }) + "2016120819,5Z".b,
+ # OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 30, 0))
+ # decode_test B(%w{ 18 0F }) + "201612081934.5Z".b,
+ # OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 30))
+ # decode_test B(%w{ 18 11 }) + "20161208193439.5Z".b,
+ # OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 39.5))
+ # assert_raise(OpenSSL::ASN1::ASN1Error) {
+ # OpenSSL::ASN1.decode(B(%w{ 18 0D }) + "201612081934Y".b)
+ # }
+ end
+
+ def test_basic_asn1data
+ encode_test B(%w{ 00 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 0, :UNIVERSAL)
+ encode_test B(%w{ 01 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :UNIVERSAL)
+ encode_decode_test B(%w{ 41 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :APPLICATION)
+ encode_decode_test B(%w{ 81 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :CONTEXT_SPECIFIC)
+ encode_decode_test B(%w{ C1 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :PRIVATE)
+ encode_decode_test B(%w{ 1F 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 32, :UNIVERSAL)
+ encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL)
+ encode_decode_test B(%w{ 41 02 AB CD }), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 1, :APPLICATION)
+ encode_decode_test B(%w{ 41 81 80 } + %w{ AB CD } * 64), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 64), 1, :APPLICATION)
+ encode_decode_test B(%w{ 41 82 01 00 } + %w{ AB CD } * 128), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 128), 1, :APPLICATION)
+ encode_decode_test B(%w{ 61 00 }), OpenSSL::ASN1::ASN1Data.new([], 1, :APPLICATION)
+ obj = OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 2, :PRIVATE)], 1, :APPLICATION)
+ obj.indefinite_length = true
+ encode_decode_test B(%w{ 61 80 C2 02 AB CD 00 00 }), obj
+ obj = OpenSSL::ASN1::ASN1Data.new([
+ OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 2, :PRIVATE),
+ OpenSSL::ASN1::EndOfContent.new
+ ], 1, :APPLICATION)
+ obj.indefinite_length = true
+ encode_test B(%w{ 61 80 C2 02 AB CD 00 00 }), obj
+ obj = OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 1, :UNIVERSAL)
+ obj.indefinite_length = true
+ assert_raise(OpenSSL::ASN1::ASN1Error) { obj.to_der }
+ end
+
+ def test_basic_primitive
+ encode_test B(%w{ 00 00 }), OpenSSL::ASN1::Primitive.new(B(%w{}), 0)
+ encode_test B(%w{ 01 00 }), OpenSSL::ASN1::Primitive.new(B(%w{}), 1, nil, :UNIVERSAL)
+ encode_test B(%w{ 81 00 }), OpenSSL::ASN1::Primitive.new(B(%w{}), 1, nil, :CONTEXT_SPECIFIC)
+ encode_test B(%w{ 01 02 AB CD }), OpenSSL::ASN1::Primitive.new(B(%w{ AB CD }), 1)
+ assert_raise(TypeError) { OpenSSL::ASN1::Primitive.new([], 1).to_der }
- def test_parse_tagged_0_infinite
- expected = %w{ 30 80 02 01 01 80 01 02 00 00 }
- raw = [expected.join('')].pack('H*')
- asn1 = OpenSSL::ASN1.decode(raw)
- assert_equal(3, asn1.value.size)
- int = asn1.value[0]
- assert_universal(OpenSSL::ASN1::INTEGER, int)
- tagged = asn1.value[1]
- assert_equal(0, tagged.tag)
- assert_universal(OpenSSL::ASN1::EOC, asn1.value[2])
- assert_equal(raw, asn1.to_der)
- end
-
- def test_seq_infinite_length
- content = [ OpenSSL::ASN1::Null.new(nil),
- OpenSSL::ASN1::EndOfContent.new ]
- cons = OpenSSL::ASN1::Sequence.new(content)
- cons.infinite_length = true
- expected = %w{ 30 80 05 00 00 00 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, cons.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
- end
-
- def test_set_infinite_length
- content = [ OpenSSL::ASN1::Null.new(nil),
- OpenSSL::ASN1::EndOfContent.new() ]
- cons = OpenSSL::ASN1::Set.new(content)
- cons.infinite_length = true
- expected = %w{ 31 80 05 00 00 00 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, cons.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
+ prim = OpenSSL::ASN1::Integer.new(50)
+ assert_equal false, prim.indefinite_length
+ assert_not_respond_to prim, :indefinite_length=
end
- def test_octet_string_infinite_length
- octets = [ OpenSSL::ASN1::OctetString.new('aaa'),
- OpenSSL::ASN1::EndOfContent.new() ]
- cons = OpenSSL::ASN1::Constructive.new(octets, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL)
- cons.infinite_length = true
- expected = %w{ 24 80 04 03 61 61 61 00 00 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, cons.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
+ def test_basic_constructed
+ octet_string = OpenSSL::ASN1::OctetString.new(B(%w{ AB CD }))
+ encode_test B(%w{ 20 00 }), OpenSSL::ASN1::Constructive.new([], 0)
+ encode_test B(%w{ 21 00 }), OpenSSL::ASN1::Constructive.new([], 1, nil, :UNIVERSAL)
+ encode_test B(%w{ A1 00 }), OpenSSL::ASN1::Constructive.new([], 1, nil, :CONTEXT_SPECIFIC)
+ encode_test B(%w{ 21 04 04 02 AB CD }), OpenSSL::ASN1::Constructive.new([octet_string], 1)
+ obj = OpenSSL::ASN1::Constructive.new([octet_string], 1)
+ obj.indefinite_length = true
+ encode_decode_test B(%w{ 21 80 04 02 AB CD 00 00 }), obj
+ obj = OpenSSL::ASN1::Constructive.new([octet_string, OpenSSL::ASN1::EndOfContent.new], 1)
+ obj.indefinite_length = true
+ encode_test B(%w{ 21 80 04 02 AB CD 00 00 }), obj
end
def test_prim_explicit_tagging
oct_str = OpenSSL::ASN1::OctetString.new("a", 0, :EXPLICIT)
- expected = %w{ A0 03 04 01 61 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, oct_str.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
- end
+ encode_test B(%w{ A0 03 04 01 61 }), oct_str
+ oct_str2 = OpenSSL::ASN1::OctetString.new("a", 1, :EXPLICIT, :APPLICATION)
+ encode_test B(%w{ 61 03 04 01 61 }), oct_str2
- def test_prim_explicit_tagging_tag_class
- oct_str = OpenSSL::ASN1::OctetString.new("a", 0, :EXPLICIT)
- oct_str2 = OpenSSL::ASN1::OctetString.new("a", 0, :EXPLICIT, :CONTEXT_SPECIFIC)
- assert_equal(oct_str.to_der, oct_str2.to_der)
+ decoded = OpenSSL::ASN1.decode(oct_str2.to_der)
+ assert_equal :APPLICATION, decoded.tag_class
+ assert_equal 1, decoded.tag
+ assert_equal 1, decoded.value.size
+ inner = decoded.value[0]
+ assert_equal OpenSSL::ASN1::OctetString, inner.class
+ assert_equal B(%w{ 61 }), inner.value
end
def test_prim_implicit_tagging
int = OpenSSL::ASN1::Integer.new(1, 0, :IMPLICIT)
- expected = %w{ 80 01 01 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, int.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
- end
+ encode_test B(%w{ 80 01 01 }), int
+ int2 = OpenSSL::ASN1::Integer.new(1, 1, :IMPLICIT, :APPLICATION)
+ encode_test B(%w{ 41 01 01 }), int2
+ decoded = OpenSSL::ASN1.decode(int2.to_der)
+ assert_equal :APPLICATION, decoded.tag_class
+ assert_equal 1, decoded.tag
+ assert_equal B(%w{ 01 }), decoded.value
- def test_prim_implicit_tagging_tag_class
- int = OpenSSL::ASN1::Integer.new(1, 0, :IMPLICIT)
- int2 = OpenSSL::ASN1::Integer.new(1, 0, :IMPLICIT, :CONTEXT_SPECIFIC);
- assert_equal(int.to_der, int2.to_der)
+ # Special behavior: Encoding universal types with non-default 'tag'
+ # attribute and nil tagging method.
+ int3 = OpenSSL::ASN1::Integer.new(1, 1)
+ encode_test B(%w{ 01 01 01 }), int3
end
def test_cons_explicit_tagging
content = [ OpenSSL::ASN1::PrintableString.new('abc') ]
seq = OpenSSL::ASN1::Sequence.new(content, 2, :EXPLICIT)
- expected = %w{ A2 07 30 05 13 03 61 62 63 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, seq.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
- end
+ encode_test B(%w{ A2 07 30 05 13 03 61 62 63 }), seq
+ seq2 = OpenSSL::ASN1::Sequence.new(content, 3, :EXPLICIT, :APPLICATION)
+ encode_test B(%w{ 63 07 30 05 13 03 61 62 63 }), seq2
- def test_cons_explicit_tagging_inf_length
- content = [ OpenSSL::ASN1::PrintableString.new('abc') ,
- OpenSSL::ASN1::EndOfContent.new() ]
- seq = OpenSSL::ASN1::Sequence.new(content, 2, :EXPLICIT)
- seq.infinite_length = true
- expected = %w{ A2 80 30 80 13 03 61 62 63 00 00 00 00 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, seq.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
+ content3 = [ OpenSSL::ASN1::PrintableString.new('abc'),
+ OpenSSL::ASN1::EndOfContent.new() ]
+ seq3 = OpenSSL::ASN1::Sequence.new(content3, 2, :EXPLICIT)
+ seq3.indefinite_length = true
+ encode_test B(%w{ A2 80 30 80 13 03 61 62 63 00 00 00 00 }), seq3
end
def test_cons_implicit_tagging
content = [ OpenSSL::ASN1::Null.new(nil) ]
seq = OpenSSL::ASN1::Sequence.new(content, 1, :IMPLICIT)
- expected = %w{ A1 02 05 00 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, seq.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
- end
+ encode_test B(%w{ A1 02 05 00 }), seq
+ seq2 = OpenSSL::ASN1::Sequence.new(content, 1, :IMPLICIT, :APPLICATION)
+ encode_test B(%w{ 61 02 05 00 }), seq2
- def test_cons_implicit_tagging_inf_length
- content = [ OpenSSL::ASN1::Null.new(nil),
- OpenSSL::ASN1::EndOfContent.new() ]
- seq = OpenSSL::ASN1::Sequence.new(content, 1, :IMPLICIT)
- seq.infinite_length = true
- expected = %w{ A1 80 05 00 00 00 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, seq.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
- end
+ content3 = [ OpenSSL::ASN1::Null.new(nil),
+ OpenSSL::ASN1::EndOfContent.new() ]
+ seq3 = OpenSSL::ASN1::Sequence.new(content3, 1, :IMPLICIT)
+ seq3.indefinite_length = true
+ encode_test B(%w{ A1 80 05 00 00 00 }), seq3
- def test_octet_string_infinite_length_explicit_tagging
- octets = [ OpenSSL::ASN1::OctetString.new('aaa'),
- OpenSSL::ASN1::EndOfContent.new() ]
- cons = OpenSSL::ASN1::Constructive.new(octets, 1, :EXPLICIT)
- cons.infinite_length = true
- expected = %w{ A1 80 24 80 04 03 61 61 61 00 00 00 00 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, cons.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
+ # Special behavior: Encoding universal types with non-default 'tag'
+ # attribute and nil tagging method.
+ seq4 = OpenSSL::ASN1::Sequence.new([], 1)
+ encode_test B(%w{ 21 00 }), seq4
end
- def test_octet_string_infinite_length_implicit_tagging
+ def test_octet_string_constructed_tagging
+ octets = [ OpenSSL::ASN1::OctetString.new('aaa') ]
+ cons = OpenSSL::ASN1::Constructive.new(octets, 0, :IMPLICIT)
+ encode_test B(%w{ A0 05 04 03 61 61 61 }), cons
+
octets = [ OpenSSL::ASN1::OctetString.new('aaa'),
OpenSSL::ASN1::EndOfContent.new() ]
cons = OpenSSL::ASN1::Constructive.new(octets, 0, :IMPLICIT)
- cons.infinite_length = true
- expected = %w{ A0 80 04 03 61 61 61 00 00 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, cons.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
+ cons.indefinite_length = true
+ encode_test B(%w{ A0 80 04 03 61 61 61 00 00 }), cons
end
- def test_recursive_octet_string_infinite_length
+ def test_recursive_octet_string_indefinite_length
octets_sub1 = [ OpenSSL::ASN1::OctetString.new("\x01"),
OpenSSL::ASN1::EndOfContent.new() ]
octets_sub2 = [ OpenSSL::ASN1::OctetString.new("\x02"),
OpenSSL::ASN1::EndOfContent.new() ]
container1 = OpenSSL::ASN1::Constructive.new(octets_sub1, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL)
- container1.infinite_length = true
+ container1.indefinite_length = true
container2 = OpenSSL::ASN1::Constructive.new(octets_sub2, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL)
- container2.infinite_length = true
+ container2.indefinite_length = true
octets3 = OpenSSL::ASN1::OctetString.new("\x03")
octets = [ container1, container2, octets3,
OpenSSL::ASN1::EndOfContent.new() ]
cons = OpenSSL::ASN1::Constructive.new(octets, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL)
- cons.infinite_length = true
- expected = %w{ 24 80 24 80 04 01 01 00 00 24 80 04 01 02 00 00 04 01 03 00 00 }
- raw = [expected.join('')].pack('H*')
+ cons.indefinite_length = true
+ raw = B(%w{ 24 80 24 80 04 01 01 00 00 24 80 04 01 02 00 00 04 01 03 00 00 })
assert_equal(raw, cons.to_der)
assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
end
- def test_bit_string_infinite_length
- content = [ OpenSSL::ASN1::BitString.new("\x01"),
- OpenSSL::ASN1::EndOfContent.new() ]
- cons = OpenSSL::ASN1::Constructive.new(content, OpenSSL::ASN1::BIT_STRING, nil, :UNIVERSAL)
- cons.infinite_length = true
- expected = %w{ 23 80 03 02 00 01 00 00 }
- raw = [expected.join('')].pack('H*')
- assert_equal(raw, cons.to_der)
- assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der)
- end
-
- def test_primitive_inf_length
- assert_raise(OpenSSL::ASN1::ASN1Error) do
- spec = %w{ 02 80 02 01 01 00 00 }
- raw = [spec.join('')].pack('H*')
- OpenSSL::ASN1.decode(raw)
- OpenSSL::ASN1.decode_all(raw)
- end
- end
-
def test_recursive_octet_string_parse
- test = %w{ 24 80 24 80 04 01 01 00 00 24 80 04 01 02 00 00 04 01 03 00 00 }
- raw = [test.join('')].pack('H*')
+ raw = B(%w{ 24 80 24 80 04 01 01 00 00 24 80 04 01 02 00 00 04 01 03 00 00 })
asn1 = OpenSSL::ASN1.decode(raw)
assert_equal(OpenSSL::ASN1::Constructive, asn1.class)
assert_universal(OpenSSL::ASN1::OCTET_STRING, asn1)
- assert_equal(true, asn1.infinite_length)
- assert_equal(4, asn1.value.size)
+ assert_equal(true, asn1.indefinite_length)
+ assert_equal(3, asn1.value.size)
nested1 = asn1.value[0]
assert_equal(OpenSSL::ASN1::Constructive, nested1.class)
assert_universal(OpenSSL::ASN1::OCTET_STRING, nested1)
- assert_equal(true, nested1.infinite_length)
- assert_equal(2, nested1.value.size)
+ assert_equal(true, nested1.indefinite_length)
+ assert_equal(1, nested1.value.size)
oct1 = nested1.value[0]
assert_universal(OpenSSL::ASN1::OCTET_STRING, oct1)
- assert_equal(false, oct1.infinite_length)
- assert_universal(OpenSSL::ASN1::EOC, nested1.value[1])
- assert_equal(false, nested1.value[1].infinite_length)
+ assert_equal(false, oct1.indefinite_length)
nested2 = asn1.value[1]
assert_equal(OpenSSL::ASN1::Constructive, nested2.class)
assert_universal(OpenSSL::ASN1::OCTET_STRING, nested2)
- assert_equal(true, nested2.infinite_length)
- assert_equal(2, nested2.value.size)
+ assert_equal(true, nested2.indefinite_length)
+ assert_equal(1, nested2.value.size)
oct2 = nested2.value[0]
assert_universal(OpenSSL::ASN1::OCTET_STRING, oct2)
- assert_equal(false, oct2.infinite_length)
- assert_universal(OpenSSL::ASN1::EOC, nested2.value[1])
- assert_equal(false, nested2.value[1].infinite_length)
+ assert_equal(false, oct2.indefinite_length)
oct3 = asn1.value[2]
assert_universal(OpenSSL::ASN1::OCTET_STRING, oct3)
- assert_equal(false, oct3.infinite_length)
- assert_universal(OpenSSL::ASN1::EOC, asn1.value[3])
- assert_equal(false, asn1.value[3].infinite_length)
+ assert_equal(false, oct3.indefinite_length)
end
def test_decode_constructed_overread
@@ -575,6 +632,46 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm
private
+ def B(ary)
+ [ary.join].pack("H*")
+ end
+
+ def assert_asn1_equal(a, b)
+ assert_equal a.class, b.class
+ assert_equal a.tag, b.tag
+ assert_equal a.tag_class, b.tag_class
+ assert_equal a.indefinite_length, b.indefinite_length
+ assert_equal a.unused_bits, b.unused_bits if a.respond_to?(:unused_bits)
+ case a.value
+ when Array
+ a.value.each_with_index { |ai, i|
+ assert_asn1_equal ai, b.value[i]
+ }
+ else
+ if OpenSSL::ASN1::ObjectId === a
+ assert_equal a.oid, b.oid
+ else
+ assert_equal a.value, b.value
+ end
+ end
+ assert_equal a.to_der, b.to_der
+ end
+
+ def encode_test(der, obj)
+ assert_equal der, obj.to_der
+ end
+
+ def decode_test(der, obj)
+ decoded = OpenSSL::ASN1.decode(der)
+ assert_asn1_equal obj, decoded
+ decoded
+ end
+
+ def encode_decode_test(der, obj)
+ encode_test(der, obj)
+ decode_test(der, obj)
+ end
+
def assert_universal(tag, asn1)
assert_equal(tag, asn1.tag)
if asn1.respond_to?(:tagging)
@@ -582,5 +679,6 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm
end
assert_equal(:UNIVERSAL, asn1.tag_class)
end
+end
-end if defined?(OpenSSL::TestUtils)
+end
diff --git a/test/openssl/test_bn.rb b/test/openssl/test_bn.rb
index 37ba5e5595d..77390286118 100644
--- a/test/openssl/test_bn.rb
+++ b/test/openssl/test_bn.rb
@@ -1,60 +1,275 @@
+# coding: us-ascii
# frozen_string_literal: false
require_relative 'utils'
+require "prime"
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestBN < OpenSSL::TestCase
- def test_new_str
- e1 = OpenSSL::BN.new(999.to_s(16), 16) # OpenSSL::BN.new(str, 16) must be most stable
- e2 = OpenSSL::BN.new((2**107-1).to_s(16), 16)
- assert_equal(e1, OpenSSL::BN.new("999"))
- assert_equal(e2, OpenSSL::BN.new((2**107-1).to_s))
- assert_equal(e1, OpenSSL::BN.new("999", 10))
- assert_equal(e2, OpenSSL::BN.new((2**107-1).to_s, 10))
- assert_equal(e1, OpenSSL::BN.new("\x03\xE7", 2))
- assert_equal(e2, OpenSSL::BN.new("\a\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 2))
- assert_equal(e1, OpenSSL::BN.new("\x00\x00\x00\x02\x03\xE7", 0))
- assert_equal(e2, OpenSSL::BN.new("\x00\x00\x00\x0E\a\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 0))
- end
-
- def test_new_bn
- e1 = OpenSSL::BN.new(999.to_s(16), 16)
- e2 = OpenSSL::BN.new((2**107-1).to_s(16), 16)
- assert_equal(e1, OpenSSL::BN.new(e1))
- assert_equal(e2, OpenSSL::BN.new(e2))
- end
-
- def test_new_integer
- assert_equal(999.to_bn, OpenSSL::BN.new(999))
- assert_equal((2 ** 107 - 1).to_bn, OpenSSL::BN.new(2 ** 107 - 1))
- assert_equal(-999.to_bn, OpenSSL::BN.new(-999))
- assert_equal((-(2 ** 107 - 1)).to_bn, OpenSSL::BN.new(-(2 ** 107 - 1)))
- end
-
- def test_to_bn
- e1 = OpenSSL::BN.new(999.to_s(16), 16)
- e2 = OpenSSL::BN.new((2**107-1).to_s(16), 16)
- assert_equal(e1, 999.to_bn)
- assert_equal(e2, (2**107-1).to_bn)
- end
-
- def test_prime_p
- assert_equal(true, OpenSSL::BN.new((2 ** 107 - 1).to_s(16), 16).prime?)
- assert_equal(true, OpenSSL::BN.new((2 ** 127 - 1).to_s(16), 16).prime?(1))
- end
-
- def test_cmp
- bn1 = OpenSSL::BN.new('1')
- bn2 = OpenSSL::BN.new('1')
- bn3 = OpenSSL::BN.new('2')
- assert_equal(false, bn1 == nil)
- assert_equal(true, bn1 != nil)
- assert_equal(true, bn1 == bn2)
- assert_equal(false, bn1 == bn3)
- assert_equal(true, bn1.eql?(bn2))
- assert_equal(false, bn1.eql?(bn3))
- assert_equal(bn1.hash, bn2.hash)
- assert_not_equal(bn3.hash, bn1.hash)
+ def setup
+ super
+ @e1 = OpenSSL::BN.new(999.to_s(16), 16) # OpenSSL::BN.new(str, 16) must be most stable
+ @e2 = OpenSSL::BN.new("-" + 999.to_s(16), 16)
+ @e3 = OpenSSL::BN.new((2**107-1).to_s(16), 16)
+ @e4 = OpenSSL::BN.new("-" + (2**107-1).to_s(16), 16)
+ end
+
+ def test_new
+ assert_equal(@e1, OpenSSL::BN.new("999"))
+ assert_equal(@e1, OpenSSL::BN.new("999", 10))
+ assert_equal(@e1, OpenSSL::BN.new("\x03\xE7", 2))
+ assert_equal(@e1, OpenSSL::BN.new("\x00\x00\x00\x02\x03\xE7", 0))
+ assert_equal(@e2, OpenSSL::BN.new("-999"))
+ assert_equal(@e2, OpenSSL::BN.new("-999", 10))
+ assert_equal(@e2, OpenSSL::BN.new("\x00\x00\x00\x02\x83\xE7", 0))
+ assert_equal(@e3, OpenSSL::BN.new((2**107-1).to_s))
+ assert_equal(@e3, OpenSSL::BN.new((2**107-1).to_s, 10))
+ assert_equal(@e3, OpenSSL::BN.new("\a\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 2))
+ assert_equal(@e3, OpenSSL::BN.new("\x00\x00\x00\x0E\a\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 0))
+ assert_equal(@e4, OpenSSL::BN.new("-" + (2**107-1).to_s))
+ assert_equal(@e4, OpenSSL::BN.new("-" + (2**107-1).to_s, 10))
+ assert_equal(@e4, OpenSSL::BN.new("\x00\x00\x00\x0E\x87\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 0))
+
+ e1copy = OpenSSL::BN.new(@e1)
+ assert_equal(@e1, e1copy)
+ e1copy.clear_bit!(0) #=> 998
+ assert_not_equal(@e1, e1copy)
+
+ assert_equal(@e1, OpenSSL::BN.new(999))
+ assert_equal(@e2, OpenSSL::BN.new(-999))
+ assert_equal(@e3, OpenSSL::BN.new(2**107-1))
+ assert_equal(@e4, OpenSSL::BN.new(-(2**107-1)))
+
+ assert_equal(@e1, 999.to_bn)
+ assert_equal(@e2, -999.to_bn)
+ assert_equal(@e3, (2**107-1).to_bn)
+ assert_equal(@e4, (-(2**107-1)).to_bn)
+ end
+
+ def test_to_str
+ assert_equal("999", @e1.to_s(10))
+ assert_equal("-999", @e2.to_s(10))
+ assert_equal((2**107-1).to_s, @e3.to_s(10))
+ assert_equal((-(2**107-1)).to_s, @e4.to_s(10))
+ assert_equal("999", @e1.to_s)
+
+ assert_equal("03E7", @e1.to_s(16))
+ assert_equal("-03E7", @e2.to_s(16))
+ assert_equal("07FFFFFFFFFFFFFFFFFFFFFFFFFF", @e3.to_s(16))
+ assert_equal("-07FFFFFFFFFFFFFFFFFFFFFFFFFF", @e4.to_s(16))
+
+ assert_equal("\x03\xe7", @e1.to_s(2))
+ assert_equal("\x03\xe7", @e2.to_s(2))
+ assert_equal("\x07\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff", @e3.to_s(2))
+ assert_equal("\x07\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff", @e4.to_s(2))
+
+ assert_equal("\x00\x00\x00\x02\x03\xe7", @e1.to_s(0))
+ assert_equal("\x00\x00\x00\x02\x83\xe7", @e2.to_s(0))
+ assert_equal("\x00\x00\x00\x0e\x07\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff", @e3.to_s(0))
+ assert_equal("\x00\x00\x00\x0e\x87\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff", @e4.to_s(0))
+ end
+
+ def test_to_int
+ assert_equal(999, @e1.to_i)
+ assert_equal(-999, @e2.to_i)
+ assert_equal(2**107-1, @e3.to_i)
+ assert_equal(-(2**107-1), @e4.to_i)
+
+ assert_equal(999, @e1.to_int)
+ end
+
+ def test_coerce
+ assert_equal(["", "-999"], @e2.coerce(""))
+ assert_equal([1000, -999], @e2.coerce(1000))
+ assert_raise(TypeError) { @e2.coerce(Class.new.new) }
+ end
+
+ def test_zero_p
+ assert_equal(true, 0.to_bn.zero?)
+ assert_equal(false, 1.to_bn.zero?)
+ end
+
+ def test_one_p
+ assert_equal(true, 1.to_bn.one?)
+ assert_equal(false, 2.to_bn.one?)
+ end
+
+ def test_odd_p
+ assert_equal(true, 1.to_bn.odd?)
+ assert_equal(false, 2.to_bn.odd?)
+ end
+
+ def test_negative_p
+ assert_equal(false, 0.to_bn.negative?)
+ assert_equal(false, @e1.negative?)
+ assert_equal(true, @e2.negative?)
+ end
+
+ def test_sqr
+ assert_equal(1, 1.to_bn.sqr)
+ assert_equal(100, 10.to_bn.sqr)
+ end
+
+ def test_four_ops
+ assert_equal(3, 1.to_bn + 2)
+ assert_equal(-1, 1.to_bn + -2)
+ assert_equal(-1, 1.to_bn - 2)
+ assert_equal(3, 1.to_bn - -2)
+ assert_equal(2, 1.to_bn * 2)
+ assert_equal(-2, 1.to_bn * -2)
+ assert_equal([0, 1], 1.to_bn / 2)
+ assert_equal([2, 0], 2.to_bn / 1)
+ assert_raise(OpenSSL::BNError) { 1.to_bn / 0 }
+ end
+
+ def test_unary_plus_minus
+ assert_equal(999, +@e1)
+ assert_equal(-999, +@e2)
+ assert_equal(-999, -@e1)
+ assert_equal(+999, -@e2)
+ end
+
+ def test_mod
+ assert_equal(1, 1.to_bn % 2)
+ assert_equal(0, 2.to_bn % 1)
+ assert_equal(-2, -2.to_bn % 7)
+ end
+
+ def test_exp
+ assert_equal(1, 1.to_bn ** 5)
+ assert_equal(32, 2.to_bn ** 5)
+ end
+
+ def test_gcd
+ assert_equal(1, 7.to_bn.gcd(5))
+ assert_equal(8, 24.to_bn.gcd(16))
+ end
+
+ def test_mod_sqr
+ assert_equal(4, 3.to_bn.mod_sqr(5))
+ assert_equal(0, 59.to_bn.mod_sqr(59))
+ end
+
+ def test_mod_inverse
+ assert_equal(2, 3.to_bn.mod_inverse(5))
+ assert_raise(OpenSSL::BNError) { 3.to_bn.mod_inverse(6) }
+ end
+
+ def test_mod_add
+ assert_equal(1, 3.to_bn.mod_add(5, 7))
+ assert_equal(2, 3.to_bn.mod_add(5, 3))
+ assert_equal(5, 3.to_bn.mod_add(-5, 7))
+ end
+
+ def test_mod_sub
+ assert_equal(1, 11.to_bn.mod_sub(3, 7))
+ assert_equal(2, 11.to_bn.mod_sub(3, 3))
+ assert_equal(5, 3.to_bn.mod_sub(5, 7))
+ end
+
+ def test_mod_mul
+ assert_equal(1, 2.to_bn.mod_mul(4, 7))
+ assert_equal(5, 2.to_bn.mod_mul(-1, 7))
+ end
+
+ def test_mod_exp
+ assert_equal(1, 3.to_bn.mod_exp(2, 8))
+ assert_equal(4, 2.to_bn.mod_exp(5, 7))
+ end
+
+ def test_bit_operations
+ e = 0b10010010.to_bn
+ assert_equal(0b10010011, e.set_bit!(0))
+ assert_equal(0b10010011, e.set_bit!(1))
+ assert_equal(0b1010010011, e.set_bit!(9))
+
+ e = 0b10010010.to_bn
+ assert_equal(0b10010010, e.clear_bit!(0))
+ assert_equal(0b10010000, e.clear_bit!(1))
+
+ e = 0b10010010.to_bn
+ assert_equal(0b10010010, e.mask_bits!(8))
+ assert_equal(0b10, e.mask_bits!(3))
+
+ e = 0b10010010.to_bn
+ assert_equal(false, e.bit_set?(0))
+ assert_equal(true, e.bit_set?(1))
+ assert_equal(false, e.bit_set?(1000))
+
+ e = 0b10010010.to_bn
+ assert_equal(0b1001001000, e << 2)
+ assert_equal(0b10010010, e)
+ assert_equal(0b1001001000, e.lshift!(2))
+ assert_equal(0b1001001000, e)
+
+ e = 0b10010010.to_bn
+ assert_equal(0b100100, e >> 2)
+ assert_equal(0b10010010, e)
+ assert_equal(0b100100, e.rshift!(2))
+ assert_equal(0b100100, e)
+ end
+
+ def test_random
+ 10.times {
+ r1 = OpenSSL::BN.rand(8)
+ assert_include(128..255, r1)
+ r2 = OpenSSL::BN.rand(8, -1)
+ assert_include(0..255, r2)
+ r3 = OpenSSL::BN.rand(8, 1)
+ assert_include(192..255, r3)
+ r4 = OpenSSL::BN.rand(8, 1, true)
+ assert_include(192..255, r4)
+ assert_equal(true, r4.odd?)
+
+ r5 = OpenSSL::BN.rand_range(256)
+ assert_include(0..255, r5)
+ }
+ end
+
+ def test_prime
+ p1 = OpenSSL::BN.generate_prime(32)
+ assert_include(0...2**32, p1)
+ assert_equal(true, Prime.prime?(p1.to_i))
+ p2 = OpenSSL::BN.generate_prime(32, true)
+ assert_equal(true, Prime.prime?((p2.to_i - 1) / 2))
+ p3 = OpenSSL::BN.generate_prime(32, false, 4)
+ assert_equal(1, p3 % 4)
+ p4 = OpenSSL::BN.generate_prime(32, false, 4, 3)
+ assert_equal(3, p4 % 4)
+
+ assert_equal(true, p1.prime?)
+ assert_equal(true, p2.prime?)
+ assert_equal(true, p3.prime?)
+ assert_equal(true, p4.prime?)
+ assert_equal(true, @e3.prime?)
+ assert_equal(true, @e3.prime_fasttest?)
+ end
+
+ def test_num_bits_bytes
+ assert_equal(10, @e1.num_bits)
+ assert_equal(2, @e1.num_bytes)
+ assert_equal(107, @e3.num_bits)
+ assert_equal(14, @e3.num_bytes)
+ assert_equal(0, 0.to_bn.num_bits)
+ assert_equal(0, 0.to_bn.num_bytes)
+ assert_equal(9, -256.to_bn.num_bits)
+ assert_equal(2, -256.to_bn.num_bytes)
+ end
+
+ def test_comparison
+ assert_equal(false, @e1 == nil)
+ assert_equal(false, @e1 == -999)
+ assert_equal(true, @e1 == 999)
+ assert_equal(true, @e1 == 999.to_bn)
+ assert_equal(false, @e1.eql?(nil))
+ assert_equal(false, @e1.eql?(999))
+ assert_equal(true, @e1.eql?(999.to_bn))
+ assert_equal(@e1.hash, 999.to_bn.hash)
+ assert_not_equal(@e1.hash, @e3.hash)
+ assert_equal(0, @e1.cmp(999))
+ assert_equal(1, @e1.cmp(-999))
+ assert_equal(0, @e1.ucmp(999))
+ assert_equal(0, @e1.ucmp(-999))
end
end
diff --git a/test/openssl/test_buffering.rb b/test/openssl/test_buffering.rb
index f85353fc67e..c85a6f020b3 100644
--- a/test/openssl/test_buffering.rb
+++ b/test/openssl/test_buffering.rb
@@ -1,9 +1,9 @@
# frozen_string_literal: false
require_relative 'utils'
-require 'stringio'
-class OpenSSL::TestBuffering < OpenSSL::TestCase
+if defined?(OpenSSL)
+class OpenSSL::TestBuffering < OpenSSL::TestCase
class IO
include OpenSSL::Buffering
@@ -85,5 +85,6 @@ class OpenSSL::TestBuffering < OpenSSL::TestCase
end
assert_equal([97, 98, 99], res)
end
+end
-end if defined?(OpenSSL::TestUtils)
+end
diff --git a/test/openssl/test_cipher.rb b/test/openssl/test_cipher.rb
index ad0e87b441e..d87dedf73ce 100644
--- a/test/openssl/test_cipher.rb
+++ b/test/openssl/test_cipher.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: false
require_relative 'utils'
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestCipher < OpenSSL::TestCase
module Helper
@@ -129,7 +129,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
assert_equal ct, cipher.update(pt) << cipher.final
cipher = new_decryptor("aes-128-ctr", key: key, iv: iv, padding: 0)
assert_equal pt, cipher.update(ct) << cipher.final
- end if has_cipher?('aes-128-ctr')
+ end
def test_ciphers
OpenSSL::Cipher.ciphers.each{|name|
@@ -165,10 +165,8 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
end
def test_authenticated
- if has_cipher?('aes-128-gcm')
- cipher = OpenSSL::Cipher.new('aes-128-gcm')
- assert_predicate(cipher, :authenticated?)
- end
+ cipher = OpenSSL::Cipher.new('aes-128-gcm')
+ assert_predicate(cipher, :authenticated?)
cipher = OpenSSL::Cipher.new('aes-128-cbc')
assert_not_predicate(cipher, :authenticated?)
end
@@ -220,7 +218,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
cipher = new_decryptor("aes-128-gcm", key: key, iv: iv, auth_tag: tag, auth_data: aad)
cipher.update(ct2)
assert_raise(OpenSSL::Cipher::CipherError) { cipher.final }
- end if has_cipher?("aes-128-gcm")
+ end
def test_aes_gcm_variable_iv_len
# GCM spec Appendix B Test Case 5
@@ -243,7 +241,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
assert_equal tag, cipher.auth_tag
cipher = new_decryptor("aes-128-gcm", key: key, iv_len: 8, iv: iv, auth_tag: tag, auth_data: aad)
assert_equal pt, cipher.update(ct) << cipher.final
- end if has_cipher?("aes-128-gcm")
+ end
def test_aes_ocb_tag_len
# RFC 7253 Appendix A; the second sample
@@ -295,7 +293,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
assert_equal ct1, ct2
assert_equal tag1, tag2
- end if has_cipher?("aes-128-gcm")
+ end
private
@@ -312,7 +310,6 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
kwargs.each {|k, v| cipher.send(:"#{k}=", v) }
end
end
-
end
end
diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb
index 786bce9d2f1..8096375c072 100644
--- a/test/openssl/test_config.rb
+++ b/test/openssl/test_config.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: false
require_relative 'utils'
+if defined?(OpenSSL)
+
class OpenSSL::TestConfig < OpenSSL::TestCase
def setup
super
@@ -171,7 +173,7 @@ __EOC__
def test_value
# suppress deprecation warnings
- OpenSSL::TestUtils.silent do
+ EnvUtil.suppress_warning do
assert_equal('CA_default', @it.value('ca', 'default_ca'))
assert_equal(nil, @it.value('ca', 'no such key'))
assert_equal(nil, @it.value('no such section', 'no such key'))
@@ -184,7 +186,7 @@ __EOC__
end
def test_value_ENV
- OpenSSL::TestUtils.silent do
+ EnvUtil.suppress_warning do
key = ENV.keys.first
assert_not_nil(key) # make sure we have at least one ENV var.
assert_equal(ENV[key], @it.value('ENV', key))
@@ -199,7 +201,7 @@ __EOC__
end
def test_section
- OpenSSL::TestUtils.silent do
+ EnvUtil.suppress_warning do
assert_equal({'HOME' => '.'}, @it.section('default'))
assert_equal({'dir' => './demoCA', 'certs' => './certs'}, @it.section('CA_default'))
assert_equal({}, @it.section('no_such_section'))
@@ -297,4 +299,6 @@ __EOC__
@it['newsection'] = {'a' => 'b'}
assert_not_equal(@it.sections.sort, c.sections.sort)
end
-end if defined?(OpenSSL::TestUtils)
+end
+
+end
diff --git a/test/openssl/test_digest.rb b/test/openssl/test_digest.rb
index 9891d99ae3c..2cb878b6fa1 100644
--- a/test/openssl/test_digest.rb
+++ b/test/openssl/test_digest.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: false
require_relative 'utils'
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestDigest < OpenSSL::TestCase
def setup
@@ -54,13 +54,10 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
end
def test_digest_constants
- algs = %w(MD4 MD5 RIPEMD160 SHA1)
- if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10100000
+ algs = %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512)
+ if !libressl? && !openssl?(1, 1, 0)
algs += %w(DSS1 SHA)
end
- if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000
- algs += %w(SHA224 SHA256 SHA384 SHA512)
- end
algs.each do |alg|
assert_not_nil(OpenSSL::Digest.new(alg))
klass = OpenSSL::Digest.const_get(alg)
@@ -73,34 +70,32 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
check_digest(OpenSSL::ASN1::ObjectId.new("SHA1"))
end
- if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000
- def encode16(str)
- str.unpack("H*").first
- end
+ def encode16(str)
+ str.unpack("H*").first
+ end
- def test_098_features
- sha224_a = "abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5"
- sha256_a = "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"
- sha384_a = "54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31"
- sha512_a = "1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75"
-
- assert_equal(sha224_a, OpenSSL::Digest::SHA224.hexdigest("a"))
- assert_equal(sha256_a, OpenSSL::Digest::SHA256.hexdigest("a"))
- assert_equal(sha384_a, OpenSSL::Digest::SHA384.hexdigest("a"))
- assert_equal(sha512_a, OpenSSL::Digest::SHA512.hexdigest("a"))
-
- assert_equal(sha224_a, encode16(OpenSSL::Digest::SHA224.digest("a")))
- assert_equal(sha256_a, encode16(OpenSSL::Digest::SHA256.digest("a")))
- assert_equal(sha384_a, encode16(OpenSSL::Digest::SHA384.digest("a")))
- assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a")))
- end
+ def test_sha2
+ sha224_a = "abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5"
+ sha256_a = "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"
+ sha384_a = "54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31"
+ sha512_a = "1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75"
+
+ assert_equal(sha224_a, OpenSSL::Digest::SHA224.hexdigest("a"))
+ assert_equal(sha256_a, OpenSSL::Digest::SHA256.hexdigest("a"))
+ assert_equal(sha384_a, OpenSSL::Digest::SHA384.hexdigest("a"))
+ assert_equal(sha512_a, OpenSSL::Digest::SHA512.hexdigest("a"))
+
+ assert_equal(sha224_a, encode16(OpenSSL::Digest::SHA224.digest("a")))
+ assert_equal(sha256_a, encode16(OpenSSL::Digest::SHA256.digest("a")))
+ assert_equal(sha384_a, encode16(OpenSSL::Digest::SHA384.digest("a")))
+ assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a")))
+ end
- def test_digest_by_oid_and_name_sha2
- check_digest(OpenSSL::ASN1::ObjectId.new("SHA224"))
- check_digest(OpenSSL::ASN1::ObjectId.new("SHA256"))
- check_digest(OpenSSL::ASN1::ObjectId.new("SHA384"))
- check_digest(OpenSSL::ASN1::ObjectId.new("SHA512"))
- end
+ def test_digest_by_oid_and_name_sha2
+ check_digest(OpenSSL::ASN1::ObjectId.new("SHA224"))
+ check_digest(OpenSSL::ASN1::ObjectId.new("SHA256"))
+ check_digest(OpenSSL::ASN1::ObjectId.new("SHA384"))
+ check_digest(OpenSSL::ASN1::ObjectId.new("SHA512"))
end
def test_openssl_digest
@@ -121,14 +116,6 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
d = OpenSSL::Digest.new(oid.oid)
assert_not_nil(d)
end
-
- def libressl?
- OpenSSL::OPENSSL_VERSION.include?('LibreSSL')
- end
-
- def version_since(verary)
- (OpenSSL::OPENSSL_LIBRARY_VERSION.scan(/\d+/).map(&:to_i) <=> verary) != -1
- end
end
end
diff --git a/test/openssl/test_engine.rb b/test/openssl/test_engine.rb
index 75e45eb7f0a..4f3973a7c60 100644
--- a/test/openssl/test_engine.rb
+++ b/test/openssl/test_engine.rb
@@ -1,8 +1,9 @@
# frozen_string_literal: false
require_relative 'utils'
-class OpenSSL::TestEngine < OpenSSL::TestCase
+if defined?(OpenSSL) && defined?(OpenSSL::Engine)
+class OpenSSL::TestEngine < OpenSSL::TestCase
def test_engines_free # [ruby-dev:44173]
with_openssl <<-'end;'
OpenSSL::Engine.load("openssl")
@@ -95,5 +96,6 @@ class OpenSSL::TestEngine < OpenSSL::TestCase
cipher.update(data) + cipher.final
end
end
+end
-end if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::Engine)
+end
diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb
index 534dade02bd..a4ab87f3841 100644
--- a/test/openssl/test_fips.rb
+++ b/test/openssl/test_fips.rb
@@ -1,15 +1,23 @@
# frozen_string_literal: false
require_relative 'utils'
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestFIPS < OpenSSL::TestCase
-
def test_fips_mode_is_reentrant
OpenSSL.fips_mode = false
OpenSSL.fips_mode = false
end
+ def test_fips_mode_get
+ if OpenSSL::OPENSSL_FIPS
+ OpenSSL.fips_mode = true
+ assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true"
+
+ OpenSSL.fips_mode = false
+ assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false"
+ end
+ end
end
end
diff --git a/test/openssl/test_hmac.rb b/test/openssl/test_hmac.rb
index dbde97d9c97..831a5b6b37d 100644
--- a/test/openssl/test_hmac.rb
+++ b/test/openssl/test_hmac.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: false
require_relative 'utils'
+if defined?(OpenSSL)
+
class OpenSSL::TestHMAC < OpenSSL::TestCase
def test_hmac
# RFC 2202 2. Test Cases for HMAC-MD5
@@ -37,4 +39,6 @@ class OpenSSL::TestHMAC < OpenSSL::TestCase
second = h1.update("test").hexdigest
assert_equal first, second
end
-end if defined?(OpenSSL::TestUtils)
+end
+
+end
diff --git a/test/openssl/test_kdf.rb b/test/openssl/test_kdf.rb
new file mode 100644
index 00000000000..d91fa3cf5d8
--- /dev/null
+++ b/test/openssl/test_kdf.rb
@@ -0,0 +1,141 @@
+# frozen_string_literal: false
+require_relative 'utils'
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestKDF < OpenSSL::TestCase
+ def test_pkcs5_pbkdf2_hmac_compatibility
+ expected = OpenSSL::KDF.pbkdf2_hmac("password", salt: "salt", iterations: 1, length: 20, hash: "sha1")
+ assert_equal(expected, OpenSSL::PKCS5.pbkdf2_hmac("password", "salt", 1, 20, "sha1"))
+ assert_equal(expected, OpenSSL::PKCS5.pbkdf2_hmac_sha1("password", "salt", 1, 20))
+ end
+
+ def test_pbkdf2_hmac_sha1_rfc6070_c_1_len_20
+ p ="password"
+ s = "salt"
+ c = 1
+ dk_len = 20
+ raw = %w{ 0c 60 c8 0f 96 1f 0e 71
+ f3 a9 b5 24 af 60 12 06
+ 2f e0 37 a6 }
+ expected = [raw.join('')].pack('H*')
+ value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1")
+ assert_equal(expected, value)
+ end
+
+ def test_pbkdf2_hmac_sha1_rfc6070_c_2_len_20
+ p ="password"
+ s = "salt"
+ c = 2
+ dk_len = 20
+ raw = %w{ ea 6c 01 4d c7 2d 6f 8c
+ cd 1e d9 2a ce 1d 41 f0
+ d8 de 89 57 }
+ expected = [raw.join('')].pack('H*')
+ value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1")
+ assert_equal(expected, value)
+ end
+
+ def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_20
+ p ="password"
+ s = "salt"
+ c = 4096
+ dk_len = 20
+ raw = %w{ 4b 00 79 01 b7 65 48 9a
+ be ad 49 d9 26 f7 21 d0
+ 65 a4 29 c1 }
+ expected = [raw.join('')].pack('H*')
+ value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1")
+ assert_equal(expected, value)
+ end
+
+# takes too long!
+# def test_pbkdf2_hmac_sha1_rfc6070_c_16777216_len_20
+# p ="password"
+# s = "salt"
+# c = 16777216
+# dk_len = 20
+# raw = %w{ ee fe 3d 61 cd 4d a4 e4
+# e9 94 5b 3d 6b a2 15 8c
+# 26 34 e9 84 }
+# expected = [raw.join('')].pack('H*')
+# value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1")
+# assert_equal(expected, value)
+# end
+
+ def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_25
+ p ="passwordPASSWORDpassword"
+ s = "saltSALTsaltSALTsaltSALTsaltSALTsalt"
+ c = 4096
+ dk_len = 25
+
+ raw = %w{ 3d 2e ec 4f e4 1c 84 9b
+ 80 c8 d8 36 62 c0 e4 4a
+ 8b 29 1a 96 4c f2 f0 70
+ 38 }
+ expected = [raw.join('')].pack('H*')
+ value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1")
+ assert_equal(expected, value)
+ end
+
+ def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_16
+ p ="pass\0word"
+ s = "sa\0lt"
+ c = 4096
+ dk_len = 16
+ raw = %w{ 56 fa 6a a7 55 48 09 9d
+ cc 37 d7 f0 34 25 e0 c3 }
+ expected = [raw.join('')].pack('H*')
+ value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1")
+ assert_equal(expected, value)
+ end
+
+ def test_pbkdf2_hmac_sha256_c_20000_len_32
+ #unfortunately no official test vectors available yet for SHA-2
+ p ="password"
+ s = OpenSSL::Random.random_bytes(16)
+ c = 20000
+ dk_len = 32
+ value1 = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha256")
+ value2 = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha256")
+ assert_equal(value1, value2)
+ end
+
+ def test_scrypt_rfc7914_first
+ pend "scrypt is not implemented" unless OpenSSL::KDF.respond_to?(:scrypt) # OpenSSL >= 1.1.0
+ pass = ""
+ salt = ""
+ n = 16
+ r = 1
+ p = 1
+ dklen = 64
+ expected = B(%w{ 77 d6 57 62 38 65 7b 20 3b 19 ca 42 c1 8a 04 97
+ f1 6b 48 44 e3 07 4a e8 df df fa 3f ed e2 14 42
+ fc d0 06 9d ed 09 48 f8 32 6a 75 3a 0f c8 1f 17
+ e8 d3 e0 fb 2e 0d 36 28 cf 35 e2 0c 38 d1 89 06 })
+ assert_equal(expected, OpenSSL::KDF.scrypt(pass, salt: salt, N: n, r: r, p: p, length: dklen))
+ end
+
+ def test_scrypt_rfc7914_second
+ pend "scrypt is not implemented" unless OpenSSL::KDF.respond_to?(:scrypt) # OpenSSL >= 1.1.0
+ pass = "password"
+ salt = "NaCl"
+ n = 1024
+ r = 8
+ p = 16
+ dklen = 64
+ expected = B(%w{ fd ba be 1c 9d 34 72 00 78 56 e7 19 0d 01 e9 fe
+ 7c 6a d7 cb c8 23 78 30 e7 73 76 63 4b 37 31 62
+ 2e af 30 d9 2e 22 a3 88 6f f1 09 27 9d 98 30 da
+ c7 27 af b9 4a 83 ee 6d 83 60 cb df a2 cc 06 40 })
+ assert_equal(expected, OpenSSL::KDF.scrypt(pass, salt: salt, N: n, r: r, p: p, length: dklen))
+ end
+
+ private
+
+ def B(ary)
+ [Array(ary).join].pack("H*")
+ end
+end
+
+end
diff --git a/test/openssl/test_ns_spki.rb b/test/openssl/test_ns_spki.rb
index ac34613fc29..aa1e61824f7 100644
--- a/test/openssl/test_ns_spki.rb
+++ b/test/openssl/test_ns_spki.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: false
require_relative 'utils'
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestNSSPI < OpenSSL::TestCase
def setup
@@ -17,8 +17,8 @@ class OpenSSL::TestNSSPI < OpenSSL::TestCase
end
def test_build_data
- key1 = OpenSSL::TestUtils::TEST_KEY_RSA1024
- key2 = OpenSSL::TestUtils::TEST_KEY_RSA2048
+ key1 = Fixtures.pkey("rsa1024")
+ key2 = Fixtures.pkey("rsa2048")
spki = OpenSSL::Netscape::SPKI.new
spki.challenge = "RandomString"
spki.public_key = key1.public_key
diff --git a/test/openssl/test_ocsp.rb b/test/openssl/test_ocsp.rb
index 8881f25dd9a..9d48496de58 100644
--- a/test/openssl/test_ocsp.rb
+++ b/test/openssl/test_ocsp.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: false
require_relative "utils"
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestOCSP < OpenSSL::TestCase
def setup
@@ -13,7 +13,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
# @cert2 @ocsp_cert
ca_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA")
- @ca_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+ @ca_key = Fixtures.pkey("rsa1024")
ca_exts = [
["basicConstraints", "CA:TRUE", true],
["keyUsage", "cRLSign,keyCertSign", true],
@@ -22,7 +22,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
ca_subj, @ca_key, 1, ca_exts, nil, nil)
cert_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA2")
- @cert_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+ @cert_key = Fixtures.pkey("rsa1024")
cert_exts = [
["basicConstraints", "CA:TRUE", true],
["keyUsage", "cRLSign,keyCertSign", true],
@@ -31,14 +31,14 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
cert_subj, @cert_key, 5, cert_exts, @ca_cert, @ca_key)
cert2_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert")
- @cert2_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+ @cert2_key = Fixtures.pkey("rsa1024")
cert2_exts = [
]
@cert2 = OpenSSL::TestUtils.issue_cert(
cert2_subj, @cert2_key, 10, cert2_exts, @cert, @cert_key)
ocsp_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCAOCSP")
- @ocsp_key = OpenSSL::TestUtils::TEST_KEY_RSA2048
+ @ocsp_key = Fixtures.pkey("rsa2048")
ocsp_exts = [
["extendedKeyUsage", "OCSPSigning", true],
]
@@ -122,7 +122,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
assert_equal true, req.verify([@cert], store, OpenSSL::OCSP::NOINTERN)
ret = req.verify([@cert], store)
- if ret || OpenSSL::OPENSSL_VERSION =~ /OpenSSL/ && OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
+ if ret || openssl?(1, 0, 2) || libressl?(2, 4, 2)
assert_equal true, ret
else
# RT2560; OCSP_request_verify() does not find signer cert from 'certs' when
@@ -130,6 +130,21 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
# fixed by OpenSSL 1.0.1j, 1.0.2 and LibreSSL 2.4.2
pend "RT2560: ocsp_req_find_signer"
end
+
+ # not signed
+ req = OpenSSL::OCSP::Request.new.add_certid(cid)
+ assert_equal false, req.verify([], store)
+ end
+
+ def test_request_is_signed
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert)
+ req = OpenSSL::OCSP::Request.new
+ req.add_certid(cid)
+ assert_equal false, req.signed?
+ assert_equal false, OpenSSL::OCSP::Request.new(req.to_der).signed?
+ req.sign(@cert, @cert_key, [])
+ assert_equal true, req.signed?
+ assert_equal true, OpenSSL::OCSP::Request.new(req.to_der).signed?
end
def test_request_nonce
diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb
index 9a5205f81c4..89cf41a86b5 100644
--- a/test/openssl/test_pair.rb
+++ b/test/openssl/test_pair.rb
@@ -1,61 +1,45 @@
# frozen_string_literal: false
require_relative 'utils'
-
-if defined?(OpenSSL::TestUtils)
-
-require 'socket'
require_relative 'ut_eof'
+if defined?(OpenSSL)
+
module OpenSSL::SSLPairM
- def server
- host = "127.0.0.1"
- port = 0
- ctx = OpenSSL::SSL::SSLContext.new()
- ctx.ciphers = "ADH"
- ctx.security_level = 0
- ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
- tcps = create_tcp_server(host, port)
- ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
- return ssls
+ def setup
+ svr_dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
+ ee_exts = [
+ ["keyUsage", "keyEncipherment,digitalSignature", true],
+ ]
+ @svr_key = OpenSSL::TestUtils::Fixtures.pkey("rsa1024")
+ @svr_cert = issue_cert(svr_dn, @svr_key, 1, ee_exts, nil, nil)
end
- def client(port)
+ def ssl_pair
host = "127.0.0.1"
- ctx = OpenSSL::SSL::SSLContext.new()
- ctx.ciphers = "ADH"
- ctx.security_level = 0
- s = create_tcp_client(host, port)
- ssl = OpenSSL::SSL::SSLSocket.new(s, ctx)
- ssl.connect
- ssl.sync_close = true
- ssl
- end
+ tcps = create_tcp_server(host, 0)
+ port = tcps.connect_address.ip_port
- def ssl_pair
- ssls = server
th = Thread.new {
+ sctx = OpenSSL::SSL::SSLContext.new
+ sctx.cert = @svr_cert
+ sctx.key = @svr_key
+ sctx.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey_dh("dh1024") }
+ ssls = OpenSSL::SSL::SSLServer.new(tcps, sctx)
ns = ssls.accept
ssls.close
ns
}
- port = ssls.to_io.local_address.ip_port
- c = client(port)
+
+ tcpc = create_tcp_client(host, port)
+ c = OpenSSL::SSL::SSLSocket.new(tcpc)
+ c.connect
s = th.value
- if block_given?
- begin
- yield c, s
- ensure
- c.close unless c.closed?
- s.close unless s.closed?
- end
- else
- return c, s
- end
+
+ yield c, s
ensure
- if th&.alive?
- th.kill
- th.join
- end
+ tcpc&.close
+ tcps&.close
+ s&.close
end
end
@@ -85,23 +69,27 @@ end
module OpenSSL::TestEOF1M
def open_file(content)
- s1, s2 = ssl_pair
- th = Thread.new { s2 << content; s2.close }
- yield s1
- ensure
- th.join if th
- s1.close
+ ssl_pair { |s1, s2|
+ begin
+ th = Thread.new { s2 << content; s2.close }
+ yield s1
+ ensure
+ th&.join
+ end
+ }
end
end
module OpenSSL::TestEOF2M
def open_file(content)
- s1, s2 = ssl_pair
- th = Thread.new { s1 << content; s1.close }
- yield s2
- ensure
- th.join if th
- s2.close
+ ssl_pair { |s1, s2|
+ begin
+ th = Thread.new { s1 << content; s1.close }
+ yield s2
+ ensure
+ th&.join
+ end
+ }
end
end
@@ -189,6 +177,27 @@ module OpenSSL::TestPairM
}
end
+ def test_multibyte_read_write
+ # German a umlaut
+ auml = [%w{ C3 A4 }.join('')].pack('H*')
+ auml.force_encoding(Encoding::UTF_8)
+ bsize = auml.bytesize
+
+ ssl_pair { |s1, s2|
+ assert_equal bsize, s1.write(auml)
+ read = s2.read(bsize)
+ assert_equal Encoding::ASCII_8BIT, read.encoding
+ assert_equal bsize, read.bytesize
+ assert_equal auml, read.force_encoding(Encoding::UTF_8)
+
+ s1.puts(auml)
+ read = s2.gets
+ assert_equal Encoding::ASCII_8BIT, read.encoding
+ assert_equal bsize + 1, read.bytesize
+ assert_equal auml + "\n", read.force_encoding(Encoding::UTF_8)
+ }
+ end
+
def test_read_nonblock
ssl_pair {|s1, s2|
err = nil
@@ -354,9 +363,9 @@ module OpenSSL::TestPairM
def test_connect_accept_nonblock_no_exception
ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "ADH"
- ctx2.security_level = 0
- ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
+ ctx2.cert = @svr_cert
+ ctx2.key = @svr_key
+ ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey_dh("dh1024") }
sock1, sock2 = tcp_pair
@@ -365,8 +374,6 @@ module OpenSSL::TestPairM
assert_equal :wait_readable, accepted
ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "ADH"
- ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
th = Thread.new do
rets = []
@@ -404,9 +411,9 @@ module OpenSSL::TestPairM
def test_connect_accept_nonblock
ctx = OpenSSL::SSL::SSLContext.new()
- ctx.ciphers = "ADH"
- ctx.security_level = 0
- ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
+ ctx.cert = @svr_cert
+ ctx.key = @svr_key
+ ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey_dh("dh1024") }
sock1, sock2 = tcp_pair
@@ -428,8 +435,6 @@ module OpenSSL::TestPairM
sleep 0.1
ctx = OpenSSL::SSL::SSLContext.new()
- ctx.ciphers = "ADH"
- ctx.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx)
begin
sleep 0.2
diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb
index 403718b94f0..de8e35ed79e 100644
--- a/test/openssl/test_pkcs12.rb
+++ b/test/openssl/test_pkcs12.rb
@@ -1,12 +1,10 @@
# frozen_string_literal: false
require_relative "utils"
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
module OpenSSL
class TestPKCS12 < OpenSSL::TestCase
- include OpenSSL::TestUtils
-
def setup
super
ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
@@ -16,7 +14,7 @@ module OpenSSL
["subjectKeyIdentifier","hash",false],
["authorityKeyIdentifier","keyid:always",false],
]
- @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, ca_exts, nil, nil)
+ @cacert = issue_cert(ca, Fixtures.pkey("rsa2048"), 1, ca_exts, nil, nil)
inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA")
inter_ca_key = OpenSSL::PKey.read <<-_EOS_
@@ -36,25 +34,26 @@ FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3
Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
-----END RSA PRIVATE KEY-----
_EOS_
- @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, TEST_KEY_RSA2048)
+ @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, Fixtures.pkey("rsa2048"))
exts = [
["keyUsage","digitalSignature",true],
["subjectKeyIdentifier","hash",false],
]
ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate")
- @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, exts, @inter_cacert, inter_ca_key)
+ @mykey = Fixtures.pkey("rsa1024")
+ @mycert = issue_cert(ee, @mykey, 3, exts, @inter_cacert, inter_ca_key)
end
def test_create
pkcs12 = OpenSSL::PKCS12.create(
"omg",
"hello",
- TEST_KEY_RSA1024,
+ @mykey,
@mycert
)
- assert_equal @mycert, pkcs12.certificate
- assert_equal TEST_KEY_RSA1024, pkcs12.key
+ assert_equal @mycert.to_der, pkcs12.certificate.to_der
+ assert_equal @mykey.to_der, pkcs12.key.to_der
assert_nil pkcs12.ca_certs
end
@@ -62,11 +61,11 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
pkcs12 = OpenSSL::PKCS12.create(
nil,
"hello",
- TEST_KEY_RSA1024,
+ @mykey,
@mycert
)
- assert_equal @mycert, pkcs12.certificate
- assert_equal TEST_KEY_RSA1024, pkcs12.key
+ assert_equal @mycert.to_der, pkcs12.certificate.to_der
+ assert_equal @mykey.to_der, pkcs12.key.to_der
assert_nil pkcs12.ca_certs
decoded = OpenSSL::PKCS12.new(pkcs12.to_der)
@@ -79,7 +78,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
pkcs12 = OpenSSL::PKCS12.create(
"omg",
"hello",
- TEST_KEY_RSA1024,
+ @mykey,
@mycert,
chain
)
@@ -94,7 +93,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
pkcs12 = OpenSSL::PKCS12.create(
passwd,
"hello",
- TEST_KEY_RSA1024,
+ @mykey,
@mycert,
chain
)
@@ -104,7 +103,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
assert_include_cert @cacert, decoded.ca_certs
assert_include_cert @inter_cacert, decoded.ca_certs
assert_cert @mycert, decoded.certificate
- assert_equal TEST_KEY_RSA1024.to_der, decoded.key.to_der
+ assert_equal @mykey.to_der, decoded.key.to_der
end
def test_create_with_bad_nid
@@ -112,7 +111,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
OpenSSL::PKCS12.create(
"omg",
"hello",
- TEST_KEY_RSA1024,
+ @mykey,
@mycert,
[],
"foo"
@@ -124,7 +123,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
OpenSSL::PKCS12.create(
"omg",
"hello",
- TEST_KEY_RSA1024,
+ @mykey,
@mycert,
[],
nil,
@@ -136,7 +135,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
OpenSSL::PKCS12.create(
"omg",
"hello",
- TEST_KEY_RSA1024,
+ @mykey,
@mycert,
[],
nil,
@@ -150,7 +149,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
OpenSSL::PKCS12.create(
"omg",
"hello",
- TEST_KEY_RSA1024,
+ @mykey,
@mycert,
[],
nil,
@@ -163,7 +162,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
OpenSSL::PKCS12.create(
"omg",
"hello",
- TEST_KEY_RSA1024,
+ @mykey,
@mycert,
[],
nil,
@@ -216,7 +215,7 @@ vyl2WuMdEwQIMWFFphPkIUICAggA
EOF
p12 = OpenSSL::PKCS12.new(str, "abc123")
- assert_equal TEST_KEY_RSA1024.to_der, p12.key.to_der
+ assert_equal @mykey.to_der, p12.key.to_der
assert_equal @mycert.subject.to_der, p12.certificate.subject.to_der
assert_equal [], Array(p12.ca_certs)
end
@@ -275,13 +274,13 @@ Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4ECEawsN3rNaa6AgIIAA==
EOF
p12 = OpenSSL::PKCS12.new(str, "abc123")
- assert_equal TEST_KEY_RSA1024.to_der, p12.key.to_der
+ assert_equal @mykey.to_der, p12.key.to_der
assert_equal nil, p12.certificate
assert_equal [], Array(p12.ca_certs)
end
def test_dup
- p12 = OpenSSL::PKCS12.create("pass", "name", TEST_KEY_RSA1024, @mycert)
+ p12 = OpenSSL::PKCS12.create("pass", "name", @mykey, @mycert)
assert_equal p12.to_der, p12.dup.to_der
end
@@ -308,7 +307,6 @@ Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4ECEawsN3rNaa6AgIIAA==
end
false
end
-
end
end
diff --git a/test/openssl/test_pkcs5.rb b/test/openssl/test_pkcs5.rb
deleted file mode 100644
index ad8132c263b..00000000000
--- a/test/openssl/test_pkcs5.rb
+++ /dev/null
@@ -1,98 +0,0 @@
-# frozen_string_literal: false
-require_relative 'utils'
-
-class OpenSSL::TestPKCS5 < OpenSSL::TestCase
-
- def test_pbkdf2_hmac_sha1_rfc6070_c_1_len_20
- p ="password"
- s = "salt"
- c = 1
- dk_len = 20
- raw = %w{ 0c 60 c8 0f 96 1f 0e 71
- f3 a9 b5 24 af 60 12 06
- 2f e0 37 a6 }
- expected = [raw.join('')].pack('H*')
- value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len)
- assert_equal(expected, value)
- end
-
- def test_pbkdf2_hmac_sha1_rfc6070_c_2_len_20
- p ="password"
- s = "salt"
- c = 2
- dk_len = 20
- raw = %w{ ea 6c 01 4d c7 2d 6f 8c
- cd 1e d9 2a ce 1d 41 f0
- d8 de 89 57 }
- expected = [raw.join('')].pack('H*')
- value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len)
- assert_equal(expected, value)
- end
-
- def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_20
- p ="password"
- s = "salt"
- c = 4096
- dk_len = 20
- raw = %w{ 4b 00 79 01 b7 65 48 9a
- be ad 49 d9 26 f7 21 d0
- 65 a4 29 c1 }
- expected = [raw.join('')].pack('H*')
- value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len)
- assert_equal(expected, value)
- end
-
-# takes too long!
-# def test_pbkdf2_hmac_sha1_rfc6070_c_16777216_len_20
-# p ="password"
-# s = "salt"
-# c = 16777216
-# dk_len = 20
-# raw = %w{ ee fe 3d 61 cd 4d a4 e4
-# e9 94 5b 3d 6b a2 15 8c
-# 26 34 e9 84 }
-# expected = [raw.join('')].pack('H*')
-# value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len)
-# assert_equal(expected, value)
-# end
-
- def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_25
- p ="passwordPASSWORDpassword"
- s = "saltSALTsaltSALTsaltSALTsaltSALTsalt"
- c = 4096
- dk_len = 25
-
- raw = %w{ 3d 2e ec 4f e4 1c 84 9b
- 80 c8 d8 36 62 c0 e4 4a
- 8b 29 1a 96 4c f2 f0 70
- 38 }
- expected = [raw.join('')].pack('H*')
- value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len)
- assert_equal(expected, value)
- end
-
- def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_16
- p ="pass\0word"
- s = "sa\0lt"
- c = 4096
- dk_len = 16
- raw = %w{ 56 fa 6a a7 55 48 09 9d
- cc 37 d7 f0 34 25 e0 c3 }
- expected = [raw.join('')].pack('H*')
- value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len)
- assert_equal(expected, value)
- end
-
- def test_pbkdf2_hmac_sha256_c_20000_len_32
- #unfortunately no official test vectors available yet for SHA-2
- p ="password"
- s = OpenSSL::Random.random_bytes(16)
- c = 20000
- dk_len = 32
- digest = OpenSSL::Digest::SHA256.new
- value1 = OpenSSL::PKCS5.pbkdf2_hmac(p, s, c, dk_len, digest)
- value2 = OpenSSL::PKCS5.pbkdf2_hmac(p, s, c, dk_len, digest)
- assert_equal(value1, value2)
- end if OpenSSL::PKCS5.respond_to?(:pbkdf2_hmac)
-
-end if defined?(OpenSSL::TestUtils)
diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb
index 3219155462d..149d3b9b5df 100644
--- a/test/openssl/test_pkcs7.rb
+++ b/test/openssl/test_pkcs7.rb
@@ -1,13 +1,13 @@
# frozen_string_literal: false
require_relative 'utils'
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestPKCS7 < OpenSSL::TestCase
def setup
super
- @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
- @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
+ @rsa1024 = Fixtures.pkey("rsa1024")
+ @rsa2048 = Fixtures.pkey("rsa2048")
ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
@@ -28,10 +28,6 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase
@ee2_cert = issue_cert(ee2, @rsa1024, 3, ee_exts, @ca_cert, @rsa2048)
end
- def issue_cert(*args)
- OpenSSL::TestUtils.issue_cert(*args)
- end
-
def test_signed
store = OpenSSL::X509::Store.new
store.add_cert(@ca_cert)
diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
index 470c952e213..77cdb0ab84f 100644
--- a/test/openssl/test_pkey_dh.rb
+++ b/test/openssl/test_pkey_dh.rb
@@ -1,29 +1,11 @@
# frozen_string_literal: false
require_relative 'utils'
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL) && defined?(OpenSSL::PKey::DH)
class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
- DH1024 = OpenSSL::TestUtils::TEST_KEY_DH1024
-
NEW_KEYLEN = 256
- def test_DEFAULT_parameters
- list = {
- 1024 => OpenSSL::PKey::DH::DEFAULT_1024,
- 2048 => OpenSSL::PKey::DH::DEFAULT_2048,
- }
-
- list.each do |expected_size, dh|
- assert_equal expected_size, dh.p.num_bits
- assert_predicate dh.p, :prime?
- result, remainder = (dh.p - 1) / 2
- assert_predicate result, :prime?
- assert_equal 0, remainder
- assert_no_key dh
- end
- end
-
def test_new
dh = OpenSSL::PKey::DH.new(NEW_KEYLEN)
assert_key(dh)
@@ -37,12 +19,13 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
end
def test_DHparams
+ dh1024 = Fixtures.pkey_dh("dh1024")
asn1 = OpenSSL::ASN1::Sequence([
- OpenSSL::ASN1::Integer(DH1024.p),
- OpenSSL::ASN1::Integer(DH1024.g)
+ OpenSSL::ASN1::Integer(dh1024.p),
+ OpenSSL::ASN1::Integer(dh1024.g)
])
key = OpenSSL::PKey::DH.new(asn1.to_der)
- assert_same_dh dup_public(DH1024), key
+ assert_same_dh dup_public(dh1024), key
pem = <<~EOF
-----BEGIN DH PARAMETERS-----
@@ -52,14 +35,14 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
-----END DH PARAMETERS-----
EOF
key = OpenSSL::PKey::DH.new(pem)
- assert_same_dh dup_public(DH1024), key
+ assert_same_dh dup_public(dh1024), key
- assert_equal asn1.to_der, DH1024.to_der
- assert_equal pem, DH1024.export
+ assert_equal asn1.to_der, dh1024.to_der
+ assert_equal pem, dh1024.export
end
def test_public_key
- dh = OpenSSL::TestUtils::TEST_KEY_DH1024
+ dh = Fixtures.pkey_dh("dh1024")
public_key = dh.public_key
assert_no_key(public_key) #implies public_key.public? is false!
assert_equal(dh.to_der, public_key.to_der)
@@ -67,14 +50,14 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
end
def test_generate_key
- dh = OpenSSL::TestUtils::TEST_KEY_DH1024.public_key # creates a copy
+ dh = Fixtures.pkey_dh("dh1024").public_key # creates a copy
assert_no_key(dh)
dh.generate_key!
assert_key(dh)
end
def test_key_exchange
- dh = OpenSSL::TestUtils::TEST_KEY_DH1024
+ dh = Fixtures.pkey_dh("dh1024")
dh2 = dh.public_key
dh.generate_key!
dh2.generate_key!
diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
index a4ccd1d8f95..d651949842c 100644
--- a/test/openssl/test_pkey_dsa.rb
+++ b/test/openssl/test_pkey_dsa.rb
@@ -1,12 +1,9 @@
# frozen_string_literal: false
require_relative 'utils'
-require 'base64'
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL) && defined?(OpenSSL::PKey::DSA)
class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
- DSA512 = OpenSSL::TestUtils::TEST_KEY_DSA512
-
def test_private
key = OpenSSL::PKey::DSA.new(256)
assert(key.private?)
@@ -37,27 +34,27 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
end
def test_sign_verify
+ dsa512 = Fixtures.pkey("dsa512")
data = "Sign me!"
if defined?(OpenSSL::Digest::DSS1)
- signature = DSA512.sign(OpenSSL::Digest::DSS1.new, data)
- assert_equal true, DSA512.verify(OpenSSL::Digest::DSS1.new, signature, data)
+ signature = dsa512.sign(OpenSSL::Digest::DSS1.new, data)
+ assert_equal true, dsa512.verify(OpenSSL::Digest::DSS1.new, signature, data)
end
- return if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x010000000
- signature = DSA512.sign("SHA1", data)
- assert_equal true, DSA512.verify("SHA1", signature, data)
+ signature = dsa512.sign("SHA1", data)
+ assert_equal true, dsa512.verify("SHA1", signature, data)
signature0 = (<<~'end;').unpack("m")[0]
MCwCFH5h40plgU5Fh0Z4wvEEpz0eE9SnAhRPbkRB8ggsN/vsSEYMXvJwjGg/
6g==
end;
- assert_equal true, DSA512.verify("SHA256", signature0, data)
+ assert_equal true, dsa512.verify("SHA256", signature0, data)
signature1 = signature0.succ
- assert_equal false, DSA512.verify("SHA256", signature1, data)
+ assert_equal false, dsa512.verify("SHA256", signature1, data)
end
def test_sys_sign_verify
- key = OpenSSL::TestUtils::TEST_KEY_DSA256
+ key = Fixtures.pkey("dsa256")
data = 'Sign me!'
digest = OpenSSL::Digest::SHA1.digest(data)
sig = key.syssign(digest)
@@ -66,17 +63,18 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
def test_DSAPrivateKey
# OpenSSL DSAPrivateKey format; similar to RSAPrivateKey
+ dsa512 = Fixtures.pkey("dsa512")
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(0),
- OpenSSL::ASN1::Integer(DSA512.p),
- OpenSSL::ASN1::Integer(DSA512.q),
- OpenSSL::ASN1::Integer(DSA512.g),
- OpenSSL::ASN1::Integer(DSA512.pub_key),
- OpenSSL::ASN1::Integer(DSA512.priv_key)
+ OpenSSL::ASN1::Integer(dsa512.p),
+ OpenSSL::ASN1::Integer(dsa512.q),
+ OpenSSL::ASN1::Integer(dsa512.g),
+ OpenSSL::ASN1::Integer(dsa512.pub_key),
+ OpenSSL::ASN1::Integer(dsa512.priv_key)
])
key = OpenSSL::PKey::DSA.new(asn1.to_der)
assert_predicate key, :private?
- assert_same_dsa DSA512, key
+ assert_same_dsa dsa512, key
pem = <<~EOF
-----BEGIN DSA PRIVATE KEY-----
@@ -89,14 +87,15 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
-----END DSA PRIVATE KEY-----
EOF
key = OpenSSL::PKey::DSA.new(pem)
- assert_same_dsa DSA512, key
+ assert_same_dsa dsa512, key
- assert_equal asn1.to_der, DSA512.to_der
- assert_equal pem, DSA512.export
+ assert_equal asn1.to_der, dsa512.to_der
+ assert_equal pem, dsa512.export
end
def test_DSAPrivateKey_encrypted
# key = abcdef
+ dsa512 = Fixtures.pkey("dsa512")
pem = <<~EOF
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
@@ -111,35 +110,36 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
-----END DSA PRIVATE KEY-----
EOF
key = OpenSSL::PKey::DSA.new(pem, "abcdef")
- assert_same_dsa DSA512, key
+ assert_same_dsa dsa512, key
key = OpenSSL::PKey::DSA.new(pem) { "abcdef" }
- assert_same_dsa DSA512, key
+ assert_same_dsa dsa512, key
cipher = OpenSSL::Cipher.new("aes-128-cbc")
- exported = DSA512.to_pem(cipher, "abcdef\0\1")
- assert_same_dsa DSA512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1")
+ exported = dsa512.to_pem(cipher, "abcdef\0\1")
+ assert_same_dsa dsa512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1")
assert_raise(OpenSSL::PKey::DSAError) {
OpenSSL::PKey::DSA.new(exported, "abcdef")
}
end
def test_PUBKEY
+ dsa512 = Fixtures.pkey("dsa512")
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::ObjectId("DSA"),
OpenSSL::ASN1::Sequence([
- OpenSSL::ASN1::Integer(DSA512.p),
- OpenSSL::ASN1::Integer(DSA512.q),
- OpenSSL::ASN1::Integer(DSA512.g)
+ OpenSSL::ASN1::Integer(dsa512.p),
+ OpenSSL::ASN1::Integer(dsa512.q),
+ OpenSSL::ASN1::Integer(dsa512.g)
])
]),
OpenSSL::ASN1::BitString(
- OpenSSL::ASN1::Integer(DSA512.pub_key).to_der
+ OpenSSL::ASN1::Integer(dsa512.pub_key).to_der
)
])
key = OpenSSL::PKey::DSA.new(asn1.to_der)
assert_not_predicate key, :private?
- assert_same_dsa dup_public(DSA512), key
+ assert_same_dsa dup_public(dsa512), key
pem = <<~EOF
-----BEGIN PUBLIC KEY-----
@@ -152,10 +152,10 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
-----END PUBLIC KEY-----
EOF
key = OpenSSL::PKey::DSA.new(pem)
- assert_same_dsa dup_public(DSA512), key
+ assert_same_dsa dup_public(dsa512), key
- assert_equal asn1.to_der, dup_public(DSA512).to_der
- assert_equal pem, dup_public(DSA512).export
+ assert_equal asn1.to_der, dup_public(dsa512).to_der
+ assert_equal pem, dup_public(dsa512).export
end
def test_read_DSAPublicKey_pem
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
index c549d9c674f..713c649a1eb 100644
--- a/test/openssl/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@@ -1,11 +1,9 @@
# frozen_string_literal: false
require_relative 'utils'
-if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::PKey::EC)
+if defined?(OpenSSL) && defined?(OpenSSL::PKey::EC)
class OpenSSL::TestEC < OpenSSL::PKeyTestCase
- P256 = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
-
def test_ec_key
builtin_curves = OpenSSL::PKey::EC.builtin_curves
assert_not_empty builtin_curves
@@ -74,17 +72,18 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
end
def test_sign_verify
+ p256 = Fixtures.pkey("p256")
data = "Sign me!"
- signature = P256.sign("SHA1", data)
- assert_equal true, P256.verify("SHA1", signature, data)
+ signature = p256.sign("SHA1", data)
+ assert_equal true, p256.verify("SHA1", signature, data)
signature0 = (<<~'end;').unpack("m")[0]
MEQCIEOTY/hD7eI8a0qlzxkIt8LLZ8uwiaSfVbjX2dPAvN11AiAQdCYx56Fq
QdBp1B4sxJoA8jvODMMklMyBKVmudboA6A==
end;
- assert_equal true, P256.verify("SHA256", signature0, data)
+ assert_equal true, p256.verify("SHA256", signature0, data)
signature1 = signature0.succ
- assert_equal false, P256.verify("SHA256", signature1, data)
+ assert_equal false, p256.verify("SHA256", signature1, data)
end
def test_dsa_sign_verify
@@ -100,16 +99,9 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
size = key.group.order.num_bits / 8 + 1
dgst = (1..size).to_a.pack('C*')
- begin
- sig = key.dsa_sign_asn1(dgst)
- # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m
- assert(key.dsa_verify_asn1(dgst + "garbage", sig))
- rescue OpenSSL::PKey::ECError => e
- # just an exception for longer dgst before openssl-0.9.8m
- assert_equal('ECDSA_sign: data too large for key size', e.message)
- # no need to do following tests
- return
- end
+ sig = key.dsa_sign_asn1(dgst)
+ # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m
+ assert(key.dsa_verify_asn1(dgst + "garbage", sig))
end
def test_dh_compute_key
@@ -124,21 +116,22 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
end
def test_ECPrivateKey
+ p256 = Fixtures.pkey("p256")
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(1),
- OpenSSL::ASN1::OctetString(P256.private_key.to_s(2)),
+ OpenSSL::ASN1::OctetString(p256.private_key.to_s(2)),
OpenSSL::ASN1::ASN1Data.new(
[OpenSSL::ASN1::ObjectId("prime256v1")],
0, :CONTEXT_SPECIFIC
),
OpenSSL::ASN1::ASN1Data.new(
- [OpenSSL::ASN1::BitString(P256.public_key.to_bn.to_s(2))],
+ [OpenSSL::ASN1::BitString(p256.public_key.to_bn.to_s(2))],
1, :CONTEXT_SPECIFIC
)
])
key = OpenSSL::PKey::EC.new(asn1.to_der)
assert_predicate key, :private?
- assert_same_ec P256, key
+ assert_same_ec p256, key
pem = <<~EOF
-----BEGIN EC PRIVATE KEY-----
@@ -148,13 +141,14 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
-----END EC PRIVATE KEY-----
EOF
key = OpenSSL::PKey::EC.new(pem)
- assert_same_ec P256, key
+ assert_same_ec p256, key
- assert_equal asn1.to_der, P256.to_der
- assert_equal pem, P256.export
+ assert_equal asn1.to_der, p256.to_der
+ assert_equal pem, p256.export
end
def test_ECPrivateKey_encrypted
+ p256 = Fixtures.pkey("p256")
# key = abcdef
pem = <<~EOF
-----BEGIN EC PRIVATE KEY-----
@@ -167,31 +161,32 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
-----END EC PRIVATE KEY-----
EOF
key = OpenSSL::PKey::EC.new(pem, "abcdef")
- assert_same_ec P256, key
+ assert_same_ec p256, key
key = OpenSSL::PKey::EC.new(pem) { "abcdef" }
- assert_same_ec P256, key
+ assert_same_ec p256, key
cipher = OpenSSL::Cipher.new("aes-128-cbc")
- exported = P256.to_pem(cipher, "abcdef\0\1")
- assert_same_ec P256, OpenSSL::PKey::EC.new(exported, "abcdef\0\1")
+ exported = p256.to_pem(cipher, "abcdef\0\1")
+ assert_same_ec p256, OpenSSL::PKey::EC.new(exported, "abcdef\0\1")
assert_raise(OpenSSL::PKey::ECError) {
OpenSSL::PKey::EC.new(exported, "abcdef")
}
end
def test_PUBKEY
+ p256 = Fixtures.pkey("p256")
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
OpenSSL::ASN1::ObjectId("prime256v1")
]),
OpenSSL::ASN1::BitString(
- P256.public_key.to_bn.to_s(2)
+ p256.public_key.to_bn.to_s(2)
)
])
key = OpenSSL::PKey::EC.new(asn1.to_der)
assert_not_predicate key, :private?
- assert_same_ec dup_public(P256), key
+ assert_same_ec dup_public(p256), key
pem = <<~EOF
-----BEGIN PUBLIC KEY-----
@@ -200,10 +195,10 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
-----END PUBLIC KEY-----
EOF
key = OpenSSL::PKey::EC.new(pem)
- assert_same_ec dup_public(P256), key
+ assert_same_ec dup_public(p256), key
- assert_equal asn1.to_der, dup_public(P256).to_der
- assert_equal pem, dup_public(P256).export
+ assert_equal asn1.to_der, dup_public(p256).to_der
+ assert_equal pem, dup_public(p256).export
end
def test_ec_group
@@ -305,7 +300,7 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
raise if $!.message !~ /unsupported field/
end
- p256_key = P256
+ p256_key = Fixtures.pkey("p256")
p256_g = p256_key.group
assert_equal(p256_key.public_key, p256_g.generator.mul(p256_key.private_key))
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
index 93760f747ef..49ab379251d 100644
--- a/test/openssl/test_pkey_rsa.rb
+++ b/test/openssl/test_pkey_rsa.rb
@@ -1,12 +1,9 @@
# frozen_string_literal: false
-require_relative 'utils'
-require 'base64'
+require_relative "utils"
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
- RSA1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
-
def test_padding
key = OpenSSL::PKey::RSA.new(512, 3)
@@ -71,22 +68,23 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
end
def test_sign_verify
+ rsa1024 = Fixtures.pkey("rsa1024")
data = "Sign me!"
- signature = RSA1024.sign("SHA1", data)
- assert_equal true, RSA1024.verify("SHA1", signature, data)
+ signature = rsa1024.sign("SHA1", data)
+ assert_equal true, rsa1024.verify("SHA1", signature, data)
signature0 = (<<~'end;').unpack("m")[0]
oLCgbprPvfhM4pjFQiDTFeWI9Sk+Og7Nh9TmIZ/xSxf2CGXQrptlwo7NQ28+
WA6YQo8jPH4hSuyWIM4Gz4qRYiYRkl5TDMUYob94zm8Si1HxEiS9354tzvqS
zS8MLW2BtNPuTubMxTItHGTnOzo9sUg0LAHVFt8kHG2NfKAw/gQ=
end;
- assert_equal true, RSA1024.verify("SHA256", signature0, data)
+ assert_equal true, rsa1024.verify("SHA256", signature0, data)
signature1 = signature0.succ
- assert_equal false, RSA1024.verify("SHA256", signature1, data)
+ assert_equal false, rsa1024.verify("SHA256", signature1, data)
end
def test_digest_state_irrelevant_sign
- key = RSA1024
+ key = Fixtures.pkey("rsa1024")
digest1 = OpenSSL::Digest::SHA1.new
digest2 = OpenSSL::Digest::SHA1.new
data = 'Sign me!'
@@ -97,7 +95,7 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
end
def test_digest_state_irrelevant_verify
- key = RSA1024
+ key = Fixtures.pkey("rsa1024")
digest1 = OpenSSL::Digest::SHA1.new
digest2 = OpenSSL::Digest::SHA1.new
data = 'Sign me!'
@@ -116,20 +114,21 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
end
def test_RSAPrivateKey
+ rsa1024 = Fixtures.pkey("rsa1024")
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(0),
- OpenSSL::ASN1::Integer(RSA1024.n),
- OpenSSL::ASN1::Integer(RSA1024.e),
- OpenSSL::ASN1::Integer(RSA1024.d),
- OpenSSL::ASN1::Integer(RSA1024.p),
- OpenSSL::ASN1::Integer(RSA1024.q),
- OpenSSL::ASN1::Integer(RSA1024.dmp1),
- OpenSSL::ASN1::Integer(RSA1024.dmq1),
- OpenSSL::ASN1::Integer(RSA1024.iqmp)
+ OpenSSL::ASN1::Integer(rsa1024.n),
+ OpenSSL::ASN1::Integer(rsa1024.e),
+ OpenSSL::ASN1::Integer(rsa1024.d),
+ OpenSSL::ASN1::Integer(rsa1024.p),
+ OpenSSL::ASN1::Integer(rsa1024.q),
+ OpenSSL::ASN1::Integer(rsa1024.dmp1),
+ OpenSSL::ASN1::Integer(rsa1024.dmq1),
+ OpenSSL::ASN1::Integer(rsa1024.iqmp)
])
key = OpenSSL::PKey::RSA.new(asn1.to_der)
assert_predicate key, :private?
- assert_same_rsa RSA1024, key
+ assert_same_rsa rsa1024, key
pem = <<~EOF
-----BEGIN RSA PRIVATE KEY-----
@@ -149,13 +148,14 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
-----END RSA PRIVATE KEY-----
EOF
key = OpenSSL::PKey::RSA.new(pem)
- assert_same_rsa RSA1024, key
+ assert_same_rsa rsa1024, key
- assert_equal asn1.to_der, RSA1024.to_der
- assert_equal pem, RSA1024.export
+ assert_equal asn1.to_der, rsa1024.to_der
+ assert_equal pem, rsa1024.export
end
def test_RSAPrivateKey_encrypted
+ rsa1024 = Fixtures.pkey("rsa1024")
# key = abcdef
pem = <<~EOF
-----BEGIN RSA PRIVATE KEY-----
@@ -178,26 +178,27 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
-----END RSA PRIVATE KEY-----
EOF
key = OpenSSL::PKey::RSA.new(pem, "abcdef")
- assert_same_rsa RSA1024, key
+ assert_same_rsa rsa1024, key
key = OpenSSL::PKey::RSA.new(pem) { "abcdef" }
- assert_same_rsa RSA1024, key
+ assert_same_rsa rsa1024, key
cipher = OpenSSL::Cipher.new("aes-128-cbc")
- exported = RSA1024.to_pem(cipher, "abcdef\0\1")
- assert_same_rsa RSA1024, OpenSSL::PKey::RSA.new(exported, "abcdef\0\1")
+ exported = rsa1024.to_pem(cipher, "abcdef\0\1")
+ assert_same_rsa rsa1024, OpenSSL::PKey::RSA.new(exported, "abcdef\0\1")
assert_raise(OpenSSL::PKey::RSAError) {
OpenSSL::PKey::RSA.new(exported, "abcdef")
}
end
def test_RSAPublicKey
+ rsa1024 = Fixtures.pkey("rsa1024")
asn1 = OpenSSL::ASN1::Sequence([
- OpenSSL::ASN1::Integer(RSA1024.n),
- OpenSSL::ASN1::Integer(RSA1024.e)
+ OpenSSL::ASN1::Integer(rsa1024.n),
+ OpenSSL::ASN1::Integer(rsa1024.e)
])
key = OpenSSL::PKey::RSA.new(asn1.to_der)
assert_not_predicate key, :private?
- assert_same_rsa dup_public(RSA1024), key
+ assert_same_rsa dup_public(rsa1024), key
pem = <<~EOF
-----BEGIN RSA PUBLIC KEY-----
@@ -207,10 +208,11 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
-----END RSA PUBLIC KEY-----
EOF
key = OpenSSL::PKey::RSA.new(pem)
- assert_same_rsa dup_public(RSA1024), key
+ assert_same_rsa dup_public(rsa1024), key
end
def test_PUBKEY
+ rsa1024 = Fixtures.pkey("rsa1024")
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::ObjectId("rsaEncryption"),
@@ -218,14 +220,14 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
]),
OpenSSL::ASN1::BitString(
OpenSSL::ASN1::Sequence([
- OpenSSL::ASN1::Integer(RSA1024.n),
- OpenSSL::ASN1::Integer(RSA1024.e)
+ OpenSSL::ASN1::Integer(rsa1024.n),
+ OpenSSL::ASN1::Integer(rsa1024.e)
]).to_der
)
])
key = OpenSSL::PKey::RSA.new(asn1.to_der)
assert_not_predicate key, :private?
- assert_same_rsa dup_public(RSA1024), key
+ assert_same_rsa dup_public(rsa1024), key
pem = <<~EOF
-----BEGIN PUBLIC KEY-----
@@ -236,14 +238,14 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
-----END PUBLIC KEY-----
EOF
key = OpenSSL::PKey::RSA.new(pem)
- assert_same_rsa dup_public(RSA1024), key
+ assert_same_rsa dup_public(rsa1024), key
- assert_equal asn1.to_der, dup_public(RSA1024).to_der
- assert_equal pem, dup_public(RSA1024).export
+ assert_equal asn1.to_der, dup_public(rsa1024).to_der
+ assert_equal pem, dup_public(rsa1024).export
end
def test_pem_passwd
- key = RSA1024
+ key = Fixtures.pkey("rsa1024")
pem3c = key.to_pem("aes-128-cbc", "key")
assert_match (/ENCRYPTED/), pem3c
assert_equal key.to_der, OpenSSL::PKey.read(pem3c, "key").to_der
diff --git a/test/openssl/test_random.rb b/test/openssl/test_random.rb
index 60794619208..d5a374540d7 100644
--- a/test/openssl/test_random.rb
+++ b/test/openssl/test_random.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: false
require_relative "utils"
+if defined?(OpenSSL)
+
class OpenSSL::TestRandom < OpenSSL::TestCase
def test_random_bytes
assert_equal("", OpenSSL::Random.random_bytes(0))
@@ -12,4 +14,6 @@ class OpenSSL::TestRandom < OpenSSL::TestCase
assert_equal("", OpenSSL::Random.pseudo_bytes(0))
assert_equal(12, OpenSSL::Random.pseudo_bytes(12).bytesize)
end if OpenSSL::Random.methods.include?(:pseudo_bytes)
-end if defined?(OpenSSL::TestCase)
+end
+
+end
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 8c65df953d5..3f17ab0d385 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -1,10 +1,9 @@
# frozen_string_literal: false
require_relative "utils"
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestSSL < OpenSSL::SSLTestCase
-
def test_ctx_options
ctx = OpenSSL::SSL::SSLContext.new
@@ -35,7 +34,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
readwrite_loop(ctx, ssl)
}
- start_server(ctx_proc: ctx_proc, server_proc: server_proc) { |server, port|
+ start_server(ctx_proc: ctx_proc, server_proc: server_proc) { |port|
begin
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
@@ -56,7 +55,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_sysread_and_syswrite
- start_server { |server, port|
+ start_server { |port|
server_connect(port) { |ssl|
str = "x" * 100 + "\n"
ssl.syswrite(str)
@@ -72,7 +71,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_sync_close
- start_server { |server, port|
+ start_server { |port|
begin
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
@@ -97,7 +96,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_copy_stream
- start_server do |server, port|
+ start_server do |port|
server_connect(port) do |ssl|
IO.pipe do |r, w|
str = "hello world\n"
@@ -112,21 +111,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_client_auth_failure
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
- start_server(verify_mode: vflag, ignore_listener_error: true) { |server, port|
- sock = TCPSocket.new("127.0.0.1", port)
- ssl = OpenSSL::SSL::SSLSocket.new(sock)
- ssl.sync_close = true
- begin
- assert_handshake_error { ssl.connect }
- ensure
- ssl.close
- end
+ start_server(verify_mode: vflag, ignore_listener_error: true) { |port|
+ assert_handshake_error {
+ server_connect(port) { |ssl| ssl.puts("abc"); ssl.gets }
+ }
}
end
def test_client_auth_success
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
- start_server(verify_mode: vflag) { |server, port|
+ start_server(verify_mode: vflag) { |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.key = @cli_key
ctx.cert = @cli_cert
@@ -153,19 +147,21 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_client_auth_public_key
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
- start_server(verify_mode: vflag, ignore_listener_error: true) do |server, port|
+ start_server(verify_mode: vflag, ignore_listener_error: true) do |port|
assert_raise(ArgumentError) {
ctx = OpenSSL::SSL::SSLContext.new
ctx.key = @cli_key.public_key
ctx.cert = @cli_cert
- server_connect(port, ctx) { }
+ server_connect(port, ctx) { |ssl| ssl.puts("abc"); ssl.gets }
}
ctx = OpenSSL::SSL::SSLContext.new
ctx.client_cert_cb = Proc.new{ |ssl|
[@cli_cert, @cli_key.public_key]
}
- assert_handshake_error { server_connect(port, ctx) }
+ assert_handshake_error {
+ server_connect(port, ctx) { |ssl| ssl.puts("abc"); ssl.gets }
+ }
end
end
@@ -175,7 +171,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
- start_server(verify_mode: vflag, ctx_proc: ctx_proc) { |server, port|
+ start_server(verify_mode: vflag, ctx_proc: ctx_proc) { |port|
ctx = OpenSSL::SSL::SSLContext.new
client_ca_from_server = nil
ctx.client_cert_cb = Proc.new do |sslconn|
@@ -187,8 +183,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_read_nonblock_without_session
- OpenSSL::TestUtils.silent do
- start_server(start_immediately: false) { |server, port|
+ EnvUtil.suppress_warning do
+ start_server(start_immediately: false) { |port|
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true
@@ -206,26 +202,21 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_starttls
server_proc = -> (ctx, ssl) {
- begin
- while line = ssl.gets
- if line =~ /^STARTTLS$/
- ssl.write("x")
- ssl.flush
- ssl.accept
- next
- end
- ssl.write(line)
+ while line = ssl.gets
+ if line =~ /^STARTTLS$/
+ ssl.write("x")
+ ssl.flush
+ ssl.accept
+ break
end
- rescue OpenSSL::SSL::SSLError
- rescue IOError
- ensure
- ssl.close rescue nil
+ ssl.write(line)
end
+ readwrite_loop(ctx, ssl)
}
EnvUtil.suppress_warning do # read/write on not started session
start_server(start_immediately: false,
- server_proc: server_proc) { |server, port|
+ server_proc: server_proc) { |port|
begin
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
@@ -248,7 +239,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_parallel
- start_server { |server, port|
+ start_server { |port|
ssls = []
10.times{
sock = TCPSocket.new("127.0.0.1", port)
@@ -269,7 +260,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_verify_result
- start_server(ignore_listener_error: true) { |server, port|
+ start_server(ignore_listener_error: true) { |port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
@@ -283,7 +274,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
}
- start_server { |server, port|
+ start_server { |port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
@@ -301,7 +292,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
}
- start_server(ignore_listener_error: true) { |server, port|
+ start_server(ignore_listener_error: true) { |port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
@@ -321,7 +312,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_exception_in_verify_callback_is_ignored
- start_server(ignore_listener_error: true) { |server, port|
+ start_server(ignore_listener_error: true) { |port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
@@ -332,7 +323,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
begin
- OpenSSL::TestUtils.silent do
+ EnvUtil.suppress_warning do
# SSLError, not RuntimeError
assert_raise(OpenSSL::SSL::SSLError) { ssl.connect }
end
@@ -352,20 +343,22 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
assert ciphers_names.all?{|v| /A(EC)?DH/ !~ v }, "anon ciphers are disabled"
assert ciphers_names.all?{|v| /(RC4|MD5|EXP|DES(?!-EDE|-CBC3))/ !~ v }, "weak ciphers are disabled"
assert_equal 0, ctx.options & OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
- if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) # >= 1.0.0
- assert_equal OpenSSL::SSL::OP_NO_COMPRESSION,
- ctx.options & OpenSSL::SSL::OP_NO_COMPRESSION
- end
+ assert_equal OpenSSL::SSL::OP_NO_COMPRESSION,
+ ctx.options & OpenSSL::SSL::OP_NO_COMPRESSION
end
def test_post_connect_check_with_anon_ciphers
+ pend "TLS 1.2 is not supported" unless tls12_supported?
+
ctx_proc = -> ctx {
+ ctx.ssl_version = :TLSv1_2
ctx.ciphers = "aNULL"
ctx.security_level = 0
}
- start_server(ctx_proc: ctx_proc) { |server, port|
+ start_server(ctx_proc: ctx_proc) { |port|
ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ssl_version = :TLSv1_2
ctx.ciphers = "aNULL"
ctx.security_level = 0
server_connect(port, ctx) { |ssl|
@@ -379,7 +372,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_post_connection_check
sslerr = OpenSSL::SSL::SSLError
- start_server { |server, port|
+ start_server { |port|
server_connect(port) { |ssl|
assert_raise(sslerr){ssl.post_connection_check("localhost.localdomain")}
assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
@@ -400,7 +393,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
["subjectAltName","IP:127.0.0.1",false],
]
@svr_cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key)
- start_server { |server, port|
+ start_server { |port|
server_connect(port) { |ssl|
assert(ssl.post_connection_check("localhost.localdomain"))
assert(ssl.post_connection_check("127.0.0.1"))
@@ -420,7 +413,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
["subjectAltName","DNS:*.localdomain",false],
]
@svr_cert = issue_cert(@svr, @svr_key, 5, exts, @ca_cert, @ca_key)
- start_server { |server, port|
+ start_server { |port|
server_connect(port) { |ssl|
assert(ssl.post_connection_check("localhost.localdomain"))
assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
@@ -623,48 +616,44 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_tlsext_hostname
- ctx3 = OpenSSL::SSL::SSLContext.new
- ctx3.ciphers = "ADH"
- ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
- ctx3.security_level = 0
- assert_not_predicate ctx3, :frozen?
+ fooctx = OpenSSL::SSL::SSLContext.new
+ fooctx.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") }
+ fooctx.cert = @cli_cert
+ fooctx.key = @cli_key
- ctx_proc = -> ctx {
- ctx.ciphers = "ALL:!aNULL"
+ ctx_proc = proc { |ctx|
ctx.servername_cb = proc { |ssl, servername|
case servername
when "foo.example.com"
- ctx3
+ fooctx
when "bar.example.com"
nil
else
- raise "unknown hostname"
+ raise "unreachable"
end
}
}
- start_server(ctx_proc: ctx_proc) do |server, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.ciphers = "ALL"
- ctx.security_level = 0
-
+ start_server(ctx_proc: ctx_proc) do |port|
sock = TCPSocket.new("127.0.0.1", port)
begin
- ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+ ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.hostname = "foo.example.com"
ssl.connect
- assert_match (/^ADH-/), ssl.cipher[0], "the context returned by servername_cb is used"
- assert_predicate ctx3, :frozen?
+ assert_equal @cli_cert.serial, ssl.peer_cert.serial
+ assert_predicate fooctx, :frozen?
ensure
+ ssl&.close
sock.close
end
sock = TCPSocket.new("127.0.0.1", port)
begin
- ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+ ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.hostname = "bar.example.com"
ssl.connect
- assert_not_match (/^A(EC)?DH-/), ssl.cipher[0], "the original context is used"
+ assert_equal @svr_cert.serial, ssl.peer_cert.serial
ensure
+ ssl&.close
sock.close
end
end
@@ -674,9 +663,9 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
hostname = 'example.org'
ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "aNULL"
- ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
- ctx2.security_level = 0
+ ctx2.cert = @svr_cert
+ ctx2.key = @svr_key
+ ctx2.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") }
ctx2.servername_cb = lambda { |args| Object.new }
sock1, sock2 = socketpair
@@ -684,8 +673,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "aNULL"
- ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
s1.hostname = hostname
@@ -716,7 +703,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx.key = @svr_key
}
- start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |server, port|
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_hostname = true
ctx.cert_store = OpenSSL::X509::Store.new
@@ -749,27 +736,26 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
end
- def test_multibyte_read_write
- #German a umlaut
- auml = [%w{ C3 A4 }.join('')].pack('H*')
- auml.force_encoding(Encoding::UTF_8)
-
- [10, 1000, 100000].each {|i|
- str = nil
- num_written = nil
- server_proc = Proc.new {|ctx, ssl|
- cmp = ssl.read
- raw_size = cmp.size
- cmp.force_encoding(Encoding::UTF_8)
- assert_equal(str, cmp)
- assert_equal(num_written, raw_size)
- ssl.close
+ def test_connect_certificate_verify_failed_exception_message
+ start_server(ignore_listener_error: true) { |port|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.set_params
+ assert_raise_with_message(OpenSSL::SSL::SSLError, /self signed/) {
+ server_connect(port, ctx)
}
- start_server(server_proc: server_proc) { |server, port|
- server_connect(port) { |ssl|
- str = auml * i
- num_written = ssl.write(str)
- }
+ }
+
+ ctx_proc = proc { |ctx|
+ ctx.cert = issue_cert(@svr, @svr_key, 30, [], @ca_cert, @ca_key,
+ not_before: Time.now-100, not_after: Time.now-10)
+ }
+ start_server(ignore_listener_error: true, ctx_proc: ctx_proc) { |port|
+ store = OpenSSL::X509::Store.new
+ store.add_cert(@ca_cert)
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.set_params(cert_store: store)
+ assert_raise_with_message(OpenSSL::SSL::SSLError, /expired/) {
+ server_connect(port, ctx)
}
}
end
@@ -781,7 +767,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
# But it also degrades gracefully, so keep it
ctx.options = OpenSSL::SSL::OP_ALL
}
- start_server(ctx_proc: ctx_proc) { |server, port|
+ start_server(ctx_proc: ctx_proc) { |port|
server_connect(port) { |ssl|
ssl.puts('hello')
assert_equal("hello\n", ssl.gets)
@@ -789,112 +775,223 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
}
end
-if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContext::METHODS.include?(:SSLv3)
+ def check_supported_protocol_versions
+ possible_versions = [
+ OpenSSL::SSL::SSL3_VERSION,
+ OpenSSL::SSL::TLS1_VERSION,
+ OpenSSL::SSL::TLS1_1_VERSION,
+ OpenSSL::SSL::TLS1_2_VERSION,
+ # OpenSSL 1.1.1
+ defined?(OpenSSL::SSL::TLS1_3_VERSION) && OpenSSL::SSL::TLS1_3_VERSION,
+ ].compact
+
+ # Prepare for testing & do sanity check
+ supported = []
+ possible_versions.each do |ver|
+ catch(:unsupported) {
+ ctx_proc = proc { |ctx|
+ begin
+ ctx.min_version = ctx.max_version = ver
+ rescue ArgumentError, OpenSSL::SSL::SSLError
+ throw :unsupported
+ end
+ }
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port|
+ begin
+ server_connect(port) { }
+ rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET
+ else
+ supported << ver
+ end
+ end
+ }
+ end
+ assert_not_empty supported
- def test_forbid_ssl_v3_for_client
- ctx_proc = Proc.new { |ctx| ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv3 }
- start_server_version(:SSLv23, ctx_proc) { |server, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.ssl_version = :SSLv3
- assert_handshake_error { server_connect(port, ctx) }
- }
+ supported
end
- def test_forbid_ssl_v3_from_server
- start_server_version(:SSLv3) { |server, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv3
- assert_handshake_error { server_connect(port, ctx) }
+ def test_minmax_version
+ supported = check_supported_protocol_versions
+
+ # name: The string that would be returned by SSL_get_version()
+ # method: The version-specific method name (if any)
+ vmap = {
+ OpenSSL::SSL::SSL3_VERSION => { name: "SSLv3", method: "SSLv3" },
+ OpenSSL::SSL::SSL3_VERSION => { name: "SSLv3", method: "SSLv3" },
+ OpenSSL::SSL::TLS1_VERSION => { name: "TLSv1", method: "TLSv1" },
+ OpenSSL::SSL::TLS1_1_VERSION => { name: "TLSv1.1", method: "TLSv1_1" },
+ OpenSSL::SSL::TLS1_2_VERSION => { name: "TLSv1.2", method: "TLSv1_2" },
+ # OpenSSL 1.1.1
+ defined?(OpenSSL::SSL::TLS1_3_VERSION) && OpenSSL::SSL::TLS1_3_VERSION =>
+ { name: "TLSv1.3", method: nil },
}
- end
-end
+ # Server enables a single version
+ supported.each do |ver|
+ ctx_proc = proc { |ctx| ctx.min_version = ctx.max_version = ver }
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
+ supported.each do |cver|
+ # Client enables a single version
+ ctx1 = OpenSSL::SSL::SSLContext.new
+ ctx1.min_version = ctx1.max_version = cver
+ if ver == cver
+ server_connect(port, ctx1) { |ssl|
+ assert_equal vmap[cver][:name], ssl.ssl_version
+ }
+ else
+ assert_handshake_error { server_connect(port, ctx1) { } }
+ end
-if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_1) && OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1)
+ # There is no version-specific SSL methods for TLS 1.3
+ if cver <= OpenSSL::SSL::TLS1_2_VERSION
+ # Client enables a single version using #ssl_version=
+ ctx2 = OpenSSL::SSL::SSLContext.new
+ ctx2.ssl_version = vmap[cver][:method]
+ if ver == cver
+ server_connect(port, ctx2) { |ssl|
+ assert_equal vmap[cver][:name], ssl.ssl_version
+ }
+ else
+ assert_handshake_error { server_connect(port, ctx2) { } }
+ end
+ end
+ end
- def test_tls_v1_1
- start_server_version(:TLSv1_1) { |server, port|
- server_connect(port) { |ssl| assert_equal("TLSv1.1", ssl.ssl_version) }
- }
- end
+ # Client enables all supported versions
+ ctx3 = OpenSSL::SSL::SSLContext.new
+ ctx3.min_version = ctx3.max_version = nil
+ server_connect(port, ctx3) { |ssl|
+ assert_equal vmap[ver][:name], ssl.ssl_version
+ }
+ }
+ end
- def test_forbid_tls_v1_for_client
- ctx_proc = Proc.new { |ctx| ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1 }
- start_server_version(:SSLv23, ctx_proc) { |server, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.ssl_version = :TLSv1
- assert_handshake_error { server_connect(port, ctx) }
+ if supported.size == 1
+ pend "More than one protocol version must be supported"
+ end
+
+ # Server sets min_version (earliest is disabled)
+ sver = supported[1]
+ ctx_proc = proc { |ctx| ctx.min_version = sver }
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
+ supported.each do |cver|
+ # Client sets min_version
+ ctx1 = OpenSSL::SSL::SSLContext.new
+ ctx1.min_version = cver
+ server_connect(port, ctx1) { |ssl|
+ assert_equal vmap[supported.last][:name], ssl.ssl_version
+ }
+
+ # Client sets max_version
+ ctx2 = OpenSSL::SSL::SSLContext.new
+ ctx2.max_version = cver
+ if cver >= sver
+ server_connect(port, ctx2) { |ssl|
+ assert_equal vmap[cver][:name], ssl.ssl_version
+ }
+ else
+ assert_handshake_error { server_connect(port, ctx2) { } }
+ end
+ end
}
- end
- def test_forbid_tls_v1_from_server
- start_server_version(:TLSv1) { |server, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1
- assert_handshake_error { server_connect(port, ctx) }
+ # Server sets max_version (latest is disabled)
+ sver = supported[-2]
+ ctx_proc = proc { |ctx| ctx.max_version = sver }
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
+ supported.each do |cver|
+ # Client sets min_version
+ ctx1 = OpenSSL::SSL::SSLContext.new
+ ctx1.min_version = cver
+ if cver <= sver
+ server_connect(port, ctx1) { |ssl|
+ assert_equal vmap[sver][:name], ssl.ssl_version
+ }
+ else
+ assert_handshake_error { server_connect(port, ctx1) { } }
+ end
+
+ # Client sets max_version
+ ctx2 = OpenSSL::SSL::SSLContext.new
+ ctx2.max_version = cver
+ server_connect(port, ctx2) { |ssl|
+ if cver >= sver
+ assert_equal vmap[sver][:name], ssl.ssl_version
+ else
+ assert_equal vmap[cver][:name], ssl.ssl_version
+ end
+ }
+ end
}
end
-end
-
-if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_2) && OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_1)
+ def test_options_disable_versions
+ # Note: Use of these OP_* flags has been deprecated since OpenSSL 1.1.0.
+ supported = check_supported_protocol_versions
- def test_tls_v1_2
- start_server_version(:TLSv1_2) { |server, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.ssl_version = :TLSv1_2_client
- server_connect(port, ctx) { |ssl| assert_equal("TLSv1.2", ssl.ssl_version) }
- }
- end if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000
+ if supported.include?(OpenSSL::SSL::TLS1_1_VERSION) &&
+ supported.include?(OpenSSL::SSL::TLS1_2_VERSION)
+ # Server disables ~ TLS 1.1
+ ctx_proc = proc { |ctx|
+ ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 |
+ OpenSSL::SSL::OP_NO_TLSv1 | OpenSSL::SSL::OP_NO_TLSv1_1
+ }
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
+ # Client only supports TLS 1.1
+ ctx1 = OpenSSL::SSL::SSLContext.new
+ ctx1.min_version = ctx1.max_version = OpenSSL::SSL::TLS1_1_VERSION
+ assert_handshake_error { server_connect(port, ctx1) { } }
- def test_forbid_tls_v1_1_for_client
- ctx_proc = Proc.new { |ctx| ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_1 }
- start_server_version(:SSLv23, ctx_proc) { |server, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.ssl_version = :TLSv1_1
- assert_handshake_error { server_connect(port, ctx) }
- }
- end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1)
+ # Client only supports TLS 1.2
+ ctx2 = OpenSSL::SSL::SSLContext.new
+ ctx2.min_version = ctx2.max_version = OpenSSL::SSL::TLS1_2_VERSION
+ assert_nothing_raised { server_connect(port, ctx2) { } }
+ }
- def test_forbid_tls_v1_1_from_server
- start_server_version(:TLSv1_1) { |server, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_1
- assert_handshake_error { server_connect(port, ctx) }
- }
- end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1)
+ # Server only supports TLS 1.1
+ ctx_proc = proc { |ctx|
+ ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_1_VERSION
+ }
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
+ # Client disables TLS 1.1
+ ctx1 = OpenSSL::SSL::SSLContext.new
+ ctx1.options |= OpenSSL::SSL::OP_NO_TLSv1_1
+ assert_handshake_error { server_connect(port, ctx1) { } }
- def test_forbid_tls_v1_2_for_client
- ctx_proc = Proc.new { |ctx| ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_2 }
- start_server_version(:SSLv23, ctx_proc) { |server, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.ssl_version = :TLSv1_2
- assert_handshake_error { server_connect(port, ctx) }
- }
- end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2)
+ # Client disables TLS 1.2
+ ctx2 = OpenSSL::SSL::SSLContext.new
+ ctx2.options |= OpenSSL::SSL::OP_NO_TLSv1_2
+ assert_nothing_raised { server_connect(port, ctx2) { } }
+ }
+ else
+ pend "TLS 1.1 and TLS 1.2 must be supported; skipping"
+ end
+ end
- def test_forbid_tls_v1_2_from_server
- start_server_version(:TLSv1_2) { |server, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_2
- assert_handshake_error { server_connect(port, ctx) }
+ def test_ssl_methods_constant
+ EnvUtil.suppress_warning { # Deprecated in v2.1.0
+ base = [:TLSv1_2, :TLSv1_1, :TLSv1, :SSLv3, :SSLv2, :SSLv23]
+ base.each do |name|
+ assert_include OpenSSL::SSL::SSLContext::METHODS, name
+ assert_include OpenSSL::SSL::SSLContext::METHODS, :"#{name}_client"
+ assert_include OpenSSL::SSL::SSLContext::METHODS, :"#{name}_server"
+ end
}
- end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2)
-
-end
+ end
def test_renegotiation_cb
num_handshakes = 0
renegotiation_cb = Proc.new { |ssl| num_handshakes += 1 }
ctx_proc = Proc.new { |ctx| ctx.renegotiation_cb = renegotiation_cb }
- start_server_version(:SSLv23, ctx_proc) { |server, port|
+ start_server_version(:SSLv23, ctx_proc) { |port|
server_connect(port) { |ssl|
assert_equal(1, num_handshakes)
}
}
end
-if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
+if openssl?(1, 0, 2) || libressl?
def test_alpn_protocol_selection_ary
advertised = ["http/1.1", "spdy/2"]
ctx_proc = Proc.new { |ctx|
@@ -903,7 +1000,7 @@ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
}
ctx.alpn_protocols = advertised
}
- start_server_version(:SSLv23, ctx_proc) { |server, port|
+ start_server_version(:SSLv23, ctx_proc) { |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.alpn_protocols = advertised
server_connect(port, ctx) { |ssl|
@@ -916,14 +1013,12 @@ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
sock1, sock2 = socketpair
ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "aNULL"
- ctx1.security_level = 0
+ ctx1.cert = @svr_cert
+ ctx1.key = @svr_key
ctx1.alpn_select_cb = -> (protocols) { nil }
ssl1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "aNULL"
- ctx2.security_level = 0
ctx2.alpn_protocols = ["http/1.1"]
ssl2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
@@ -942,14 +1037,14 @@ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
end
end
-if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 &&
- OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
- # NPN may be disabled by OpenSSL configure option
-
def test_npn_protocol_selection_ary
+ pend "TLS 1.2 is not supported" unless tls12_supported?
+ pend "NPN is not supported" unless \
+ OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
+
advertised = ["http/1.1", "spdy/2"]
- ctx_proc = Proc.new { |ctx| ctx.npn_protocols = advertised }
- start_server_version(:SSLv23, ctx_proc) { |server, port|
+ ctx_proc = proc { |ctx| ctx.npn_protocols = advertised }
+ start_server_version(:TLSv1_2, ctx_proc) { |port|
selector = lambda { |which|
ctx = OpenSSL::SSL::SSLContext.new
ctx.npn_select_cb = -> (protocols) { protocols.send(which) }
@@ -963,13 +1058,17 @@ if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 &&
end
def test_npn_protocol_selection_enum
+ pend "TLS 1.2 is not supported" unless tls12_supported?
+ pend "NPN is not supported" unless \
+ OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
+
advertised = Object.new
def advertised.each
yield "http/1.1"
yield "spdy/2"
end
ctx_proc = Proc.new { |ctx| ctx.npn_protocols = advertised }
- start_server_version(:SSLv23, ctx_proc) { |server, port|
+ start_server_version(:TLSv1_2, ctx_proc) { |port|
selector = lambda { |selected, which|
ctx = OpenSSL::SSL::SSLContext.new
ctx.npn_select_cb = -> (protocols) { protocols.to_a.send(which) }
@@ -983,8 +1082,12 @@ if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 &&
end
def test_npn_protocol_selection_cancel
+ pend "TLS 1.2 is not supported" unless tls12_supported?
+ pend "NPN is not supported" unless \
+ OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
+
ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["http/1.1"] }
- start_server_version(:SSLv23, ctx_proc) { |server, port|
+ start_server_version(:TLSv1_2, ctx_proc) { |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.npn_select_cb = -> (protocols) { raise RuntimeError.new }
assert_raise(RuntimeError) { server_connect(port, ctx) }
@@ -992,8 +1095,12 @@ if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 &&
end
def test_npn_advertised_protocol_too_long
+ pend "TLS 1.2 is not supported" unless tls12_supported?
+ pend "NPN is not supported" unless \
+ OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
+
ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["a" * 256] }
- start_server_version(:SSLv23, ctx_proc) { |server, port|
+ start_server_version(:TLSv1_2, ctx_proc) { |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.npn_select_cb = -> (protocols) { protocols.first }
assert_handshake_error { server_connect(port, ctx) }
@@ -1001,32 +1108,23 @@ if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 &&
end
def test_npn_selected_protocol_too_long
+ pend "TLS 1.2 is not supported" unless tls12_supported?
+ pend "NPN is not supported" unless \
+ OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
+
ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["http/1.1"] }
- start_server_version(:SSLv23, ctx_proc) { |server, port|
+ start_server_version(:TLSv1_2, ctx_proc) { |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.npn_select_cb = -> (protocols) { "a" * 256 }
assert_handshake_error { server_connect(port, ctx) }
}
end
-end
-
- def test_invalid_shutdown_by_gc
- assert_nothing_raised {
- start_server { |server, port|
- 10.times {
- sock = TCPSocket.new("127.0.0.1", port)
- ssl = OpenSSL::SSL::SSLSocket.new(sock)
- GC.start
- ssl.connect
- sock.close
- }
- }
- }
- end
-
def test_close_after_socket_close
- start_server { |server, port|
+ server_proc = proc { |ctx, ssl|
+ # Do nothing
+ }
+ start_server(server_proc: server_proc) { |port|
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true
@@ -1047,84 +1145,90 @@ end
}
end
- def test_close_and_socket_close_while_connecting
- # test it doesn't cause a segmentation fault
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.ciphers = "aNULL"
- ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
- ctx.security_level = 0
-
- sock1, sock2 = socketpair
- ssl1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx)
- ssl2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx)
+ def test_get_ephemeral_key
+ # OpenSSL >= 1.0.2
+ unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)
+ pend "SSL_get_server_tmp_key() is not supported"
+ end
- t = Thread.new { ssl1.connect }
- ssl2.accept
+ if tls12_supported?
+ # kRSA
+ ctx_proc1 = proc { |ctx|
+ ctx.ssl_version = :TLSv1_2
+ ctx.ciphers = "kRSA"
+ }
+ start_server(ctx_proc: ctx_proc1) do |port|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ssl_version = :TLSv1_2
+ ctx.ciphers = "kRSA"
+ server_connect(port, ctx) { |ssl| assert_nil ssl.tmp_key }
+ end
+ end
- ssl1.close
- sock1.close
- t.value rescue nil
- ensure
- ssl1.close if ssl1
- ssl2.close if ssl2
- sock1.close if sock1
- sock2.close if sock2
- end
+ if defined?(OpenSSL::PKey::DH) && tls12_supported?
+ # DHE
+ # TODO: How to test this with TLS 1.3?
+ ctx_proc2 = proc { |ctx|
+ ctx.ssl_version = :TLSv1_2
+ ctx.ciphers = "EDH"
+ }
+ start_server(ctx_proc: ctx_proc2) do |port|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ssl_version = :TLSv1_2
+ ctx.ciphers = "EDH"
+ server_connect(port, ctx) { |ssl|
+ assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key
+ }
+ end
+ end
- def test_get_ephemeral_key
- return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)
- pkey = OpenSSL::PKey
- ciphers = {
- 'ECDHE-RSA-AES128-SHA' => (pkey::EC if defined?(pkey::EC)),
- 'DHE-RSA-AES128-SHA' => (pkey::DH if defined?(pkey::DH)),
- 'AES128-SHA' => nil
- }
- conf_proc = Proc.new { |ctx| ctx.ciphers = 'ALL' }
- start_server(ctx_proc: conf_proc) do |server, port|
- ciphers.each do |cipher, ephemeral|
+ if defined?(OpenSSL::PKey::EC)
+ # ECDHE
+ ctx_proc3 = proc { |ctx|
+ ctx.ciphers = "DEFAULT:!kRSA:!kEDH"
+ ctx.ecdh_curves = "P-256"
+ }
+ start_server(ctx_proc: ctx_proc3) do |port|
ctx = OpenSSL::SSL::SSLContext.new
- begin
- ctx.ciphers = cipher
- rescue OpenSSL::SSL::SSLError => e
- next if /no cipher match/ =~ e.message
- raise
- end
- server_connect(port, ctx) do |ssl|
- if ephemeral
- assert_instance_of(ephemeral, ssl.tmp_key)
- else
- assert_nil(ssl.tmp_key)
- end
- end
+ ctx.ciphers = "DEFAULT:!kRSA:!kEDH"
+ server_connect(port, ctx) { |ssl|
+ assert_instance_of OpenSSL::PKey::EC, ssl.tmp_key
+ }
end
end
end
def test_dh_callback
+ pend "TLS 1.2 is not supported" unless tls12_supported?
+
called = false
ctx_proc = -> ctx {
+ ctx.ssl_version = :TLSv1_2
ctx.ciphers = "DH:!NULL"
ctx.tmp_dh_callback = ->(*args) {
called = true
- OpenSSL::TestUtils::TEST_KEY_DH1024
+ Fixtures.pkey_dh("dh1024")
}
}
- start_server(ctx_proc: ctx_proc) do |server, port|
+ start_server(ctx_proc: ctx_proc) do |port|
server_connect(port) { |ssl|
assert called, "dh callback should be called"
if ssl.respond_to?(:tmp_key)
- assert_equal OpenSSL::TestUtils::TEST_KEY_DH1024.to_der, ssl.tmp_key.to_der
+ assert_equal Fixtures.pkey_dh("dh1024").to_der, ssl.tmp_key.to_der
end
}
end
end
def test_connect_works_when_setting_dh_callback_to_nil
+ pend "TLS 1.2 is not supported" unless tls12_supported?
+
ctx_proc = -> ctx {
+ ctx.ssl_version = :TLSv1_2
ctx.ciphers = "DH:!NULL" # use DH
ctx.tmp_dh_callback = nil
}
- start_server(ctx_proc: ctx_proc) do |server, port|
+ start_server(ctx_proc: ctx_proc) do |port|
EnvUtil.suppress_warning { # uses default callback
assert_nothing_raised {
server_connect(port) { }
@@ -1133,73 +1237,53 @@ end
end
end
- def test_ecdh_callback
- return unless OpenSSL::SSL::SSLContext.instance_methods.include?(:tmp_ecdh_callback)
+ def test_tmp_ecdh_callback
+ pend "EC is disabled" unless defined?(OpenSSL::PKey::EC)
+ pend "tmp_ecdh_callback is not supported" unless \
+ OpenSSL::SSL::SSLContext.method_defined?(:tmp_ecdh_callback)
+
EnvUtil.suppress_warning do # tmp_ecdh_callback is deprecated (2016-05)
- begin
- called = false
- ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "ECDH"
- # OpenSSL 1.1.0 doesn't have tmp_ecdh_callback so this shouldn't be required
- ctx2.security_level = 0
- ctx2.tmp_ecdh_callback = ->(*args) {
+ called = false
+ ctx_proc = -> ctx {
+ ctx.ciphers = "DEFAULT:!kRSA:!kEDH"
+ ctx.tmp_ecdh_callback = -> (*args) {
called = true
OpenSSL::PKey::EC.new "prime256v1"
}
-
- sock1, sock2 = socketpair
-
- s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
- ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "ECDH"
- ctx1.security_level = 0
-
- s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
- th = Thread.new do
- s1.connect
- end
-
- s2.accept
- assert called, 'ecdh callback should be called'
- rescue OpenSSL::SSL::SSLError => e
- if e.message =~ /no cipher match/
- pend "ECDH cipher not supported."
- else
- raise e
- end
- ensure
- th.join if th
- s1.close if s1
- s2.close if s2
- sock1.close if sock1
- sock2.close if sock2
+ }
+ start_server(ctx_proc: ctx_proc) do |port|
+ server_connect(port) { |s|
+ assert called, "tmp_ecdh_callback should be called"
+ }
end
end
end
def test_ecdh_curves
+ pend "EC is disabled" unless defined?(OpenSSL::PKey::EC)
+
ctx_proc = -> ctx {
- begin
- ctx.ciphers = "ECDH:!NULL"
- rescue OpenSSL::SSL::SSLError
- pend "ECDH is not enabled in this OpenSSL" if $!.message =~ /no cipher match/
- raise
- end
+ # Enable both ECDHE (~ TLS 1.2) cipher suites and TLS 1.3
+ ctx.ciphers = "DEFAULT:!kRSA:!kEDH"
ctx.ecdh_curves = "P-384:P-521"
}
- start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |server, port|
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ecdh_curves = "P-256:P-384" # disable P-521 for OpenSSL >= 1.0.2
server_connect(port, ctx) { |ssl|
- assert ssl.cipher[0].start_with?("ECDH"), "ECDH should be used"
- if ssl.respond_to?(:tmp_key)
+ cs = ssl.cipher[0]
+ if /\ATLS/ =~ cs # Is TLS 1.3 is used?
assert_equal "secp384r1", ssl.tmp_key.group.curve_name
+ else
+ assert_match (/\AECDH/), cs
+ if ssl.respond_to?(:tmp_key)
+ assert_equal "secp384r1", ssl.tmp_key.group.curve_name
+ end
end
}
- if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000 &&
- !OpenSSL::OPENSSL_VERSION.include?("LibreSSL")
+ if openssl?(1, 0, 2) || libressl?(2, 5, 1)
ctx = OpenSSL::SSL::SSLContext.new
ctx.ecdh_curves = "P-256"
@@ -1226,10 +1310,10 @@ end
return
end
assert_equal(1, ctx.security_level)
- # assert_raise(OpenSSL::SSL::SSLError) { ctx.key = OpenSSL::TestUtils::TEST_KEY_DSA512 }
- # ctx.key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+ # assert_raise(OpenSSL::SSL::SSLError) { ctx.key = Fixtures.pkey("dsa512") }
+ # ctx.key = Fixtures.pkey("rsa1024")
# ctx.security_level = 2
- # assert_raise(OpenSSL::SSL::SSLError) { ctx.key = OpenSSL::TestUtils::TEST_KEY_RSA1024 }
+ # assert_raise(OpenSSL::SSL::SSLError) { ctx.key = Fixtures.pkey("rsa1024") }
pend "FIXME: SSLContext#key= currently does not raise because SSL_CTX_use_certificate() is delayed"
end
@@ -1248,7 +1332,7 @@ end
def test_freeze_calls_setup
bug = "[ruby/openssl#85]"
- start_server(ignore_listener_error: true) { |server, port|
+ start_server(ignore_listener_error: true) { |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
ctx.freeze
@@ -1274,7 +1358,7 @@ end
)
end
- def server_connect(port, ctx=nil)
+ def server_connect(port, ctx = nil)
sock = TCPSocket.new("127.0.0.1", port)
ssl = ctx ? OpenSSL::SSL::SSLSocket.new(sock, ctx) : OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true
diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb
index 7a99dca5edc..199f722e8da 100644
--- a/test/openssl/test_ssl_session.rb
+++ b/test/openssl/test_ssl_session.rb
@@ -1,57 +1,15 @@
# frozen_string_literal: false
require_relative "utils"
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase
- def test_session_equals
- session = OpenSSL::SSL::Session.new <<-SESSION
------BEGIN SSL SESSION PARAMETERS-----
-MIIDFgIBAQICAwEEAgA5BCCY3pW6iTkPoD5SENuztz/gZjhvey6XnHbsxd22k0Ol
-dgQw8uaN3hCRnlhoIKPWInCFzrp/tQsDRFs9jDjc9pwpy/oKHmJdQQMQA1g8FYnO
-gpdVoQYCBE52ikKiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B
-AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi
-eS1sYW5nMQswCQYDVQQDDAJDQTAeFw0xMTA5MTkwMDE4MTBaFw0xMTA5MTkwMDQ4
-MTBaMEQxEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5
-LWxhbmcxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
-gYkCgYEAy8LEsNRApz7U/j5DoB4XBgO9Z8Atv5y/OVQRp0ag8Tqo1YewsWijxEWB
-7JOATwpBN267U4T1nPZIxxEEO7n/WNa2ws9JWsjah8ssEBFSxZqdXKSLf0N4Hi7/
-GQ/aYoaMCiQ8jA4jegK2FJmXM71uPe+jFN/peeBOpRfyXxRFOYcCAwEAAaMSMBAw
-DgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBQUAA4IBAQARC7GP7InX1t7VEXz2
-I8RI57S0/HSJL4fDIYP3zFpitHX1PZeo+7XuzMilvPjjBo/ky9Jzo8TYiY+N+JEz
-mY/A/zPA4ZsJ7KYj6/FEdIc/vRlS0CvsbClbNjw1jl/PoB2FLr2b3uuBcZEsyZeP
-yq154ijq37Ajf8K5Mi5FgshoP41BPtRPj+VVf61rv1IcEnNWdDCS6DR4XsaNC+zt
-G6AqCqkytIXWRuDw6n6vYLF3A/tn2sldLo7/scY0PMDNbo63O/LTxkDHmPhSkD68
-8m9SsMeTR+RCiDEZWFPVcAH/8mDfi+5k8uN3qS+gOU/PPrmHGgl5ykiSFgqs4v61
-tddwpBAEDjcwMzA5NTYzMTU1MzAwpQMCARM=
------END SSL SESSION PARAMETERS-----
- SESSION
-
- start_server(ignore_listener_error: true) { |_, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
- ctx.session_id_context = self.object_id.to_s
-
- sock = TCPSocket.new '127.0.0.1', port
- begin
- ssl = OpenSSL::SSL::SSLSocket.new sock, ctx
- ssl.session = session
-
- assert_equal session, ssl.session
- ensure
- sock.close
- end
- }
- end
-
def test_session
- Timeout.timeout(5) do
- start_server do |server, port|
- sock = TCPSocket.new("127.0.0.1", port)
- ctx = OpenSSL::SSL::SSLContext.new
- ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
- ssl.sync_close = true
- ssl.connect
+ pend "TLS 1.2 is not supported" unless tls12_supported?
+
+ ctx_proc = proc { |ctx| ctx.ssl_version = :TLSv1_2 }
+ start_server(ctx_proc: ctx_proc) do |port|
+ server_connect_with_session(port, nil, nil) { |ssl|
session = ssl.session
assert(session == OpenSSL::SSL::Session.new(session.to_pem))
assert(session == OpenSSL::SSL::Session.new(ssl))
@@ -68,8 +26,7 @@ tddwpBAEDjcwMzA5NTYzMTU1MzAwpQMCARM=
pem.gsub!(/-----(BEGIN|END) SSL SESSION PARAMETERS-----/, '').gsub!(/[\r\n]+/m, '')
assert_equal(session.to_der, pem.unpack('m*')[0])
assert_not_nil(session.to_text)
- ssl.close
- end
+ }
end
end
@@ -150,222 +107,245 @@ __EOS__
def test_session_exts_read
assert(OpenSSL::SSL::Session.new(DUMMY_SESSION))
- end if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x009080bf
-
- def test_client_session
- last_session = nil
- start_server do |server, port|
- 2.times do
- sock = TCPSocket.new("127.0.0.1", port)
- ctx = OpenSSL::SSL::SSLContext.new
- ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
- ssl.sync_close = true
- ssl.session = last_session if last_session
- ssl.connect
+ end
- session = ssl.session
- if last_session
- assert(ssl.session_reused?)
- assert_equal(session.id, last_session.id)
- assert_equal(session.to_pem, last_session.to_pem)
- assert_equal(session.to_der, last_session.to_der)
- # Older version of OpenSSL may not be consistent. Look up which versions later.
- assert_equal(session.to_text, last_session.to_text)
- else
- assert(!ssl.session_reused?)
- end
- last_session = session
+ def test_resumption
+ non_resumable = nil
+ start_server { |port|
+ server_connect_with_session(port, nil, nil) { |ssl|
+ non_resumable = ssl.session
+ }
+ }
- str = "x" * 100 + "\n"
- ssl.puts(str)
- assert_equal(str, ssl.gets)
+ ctx_proc = proc { |ctx|
+ ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET
+ # Disable server-side session cache which is enabled by default
+ ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF
+ }
+ start_server(ctx_proc: ctx_proc) do |port|
+ sess1 = server_connect_with_session(port, nil, nil) { |ssl|
+ ssl.puts("abc"); assert_equal "abc\n", ssl.gets
+ assert_equal false, ssl.session_reused?
+ ssl.session
+ }
- ssl.close
- end
+ server_connect_with_session(port, nil, non_resumable) { |ssl|
+ ssl.puts("abc"); assert_equal "abc\n", ssl.gets
+ assert_equal false, ssl.session_reused?
+ }
+
+ server_connect_with_session(port, nil, sess1) { |ssl|
+ ssl.puts("abc"); assert_equal "abc\n", ssl.gets
+ assert_equal true, ssl.session_reused?
+ }
end
end
- def test_server_session
- connections = 0
- saved_session = nil
+ def test_server_session_cache
+ pend "TLS 1.2 is not supported" unless tls12_supported?
- ctx_proc = Proc.new do |ctx, ssl|
-# add test for session callbacks here
+ ctx_proc = Proc.new do |ctx|
+ ctx.ssl_version = :TLSv1_2
+ ctx.options |= OpenSSL::SSL::OP_NO_TICKET
end
+ connections = nil
+ saved_session = nil
server_proc = Proc.new do |ctx, ssl|
- session = ssl.session
stats = ctx.session_cache_stats
case connections
when 0
- assert_equal(stats[:cache_num], 1)
- assert_equal(stats[:cache_hits], 0)
- assert_equal(stats[:cache_misses], 0)
- assert(!ssl.session_reused?)
+ assert_equal false, ssl.session_reused?
+ assert_equal 1, stats[:cache_num]
+ assert_equal 0, stats[:cache_hits]
+ assert_equal 0, stats[:cache_misses]
when 1
- assert_equal(stats[:cache_num], 1)
- assert_equal(stats[:cache_hits], 1)
- assert_equal(stats[:cache_misses], 0)
- assert(ssl.session_reused?)
- ctx.session_remove(session)
- saved_session = session.to_der
+ assert_equal true, ssl.session_reused?
+ assert_equal 1, stats[:cache_num]
+ assert_equal 1, stats[:cache_hits]
+ assert_equal 0, stats[:cache_misses]
+
+ saved_session = ssl.session
+ assert_equal true, ctx.session_remove(ssl.session)
when 2
- assert_equal(stats[:cache_num], 1)
- assert_equal(stats[:cache_hits], 1)
- assert_equal(stats[:cache_misses], 1)
- assert(!ssl.session_reused?)
- ctx.session_add(OpenSSL::SSL::Session.new(saved_session))
+ assert_equal false, ssl.session_reused?
+ assert_equal 1, stats[:cache_num]
+ assert_equal 1, stats[:cache_hits]
+ assert_equal 1, stats[:cache_misses]
+
+ assert_equal true, ctx.session_add(saved_session.dup)
when 3
- assert_equal(stats[:cache_num], 2)
- assert_equal(stats[:cache_hits], 2)
- assert_equal(stats[:cache_misses], 1)
- assert(ssl.session_reused?)
+ assert_equal true, ssl.session_reused?
+ assert_equal 2, stats[:cache_num]
+ assert_equal 2, stats[:cache_hits]
+ assert_equal 1, stats[:cache_misses]
+
ctx.flush_sessions(Time.now + 10000)
when 4
- assert_equal(stats[:cache_num], 1)
- assert_equal(stats[:cache_hits], 2)
- assert_equal(stats[:cache_misses], 2)
- assert(!ssl.session_reused?)
- ctx.session_add(OpenSSL::SSL::Session.new(saved_session))
+ assert_equal false, ssl.session_reused?
+ assert_equal 1, stats[:cache_num]
+ assert_equal 2, stats[:cache_hits]
+ assert_equal 2, stats[:cache_misses]
+
+ assert_equal true, ctx.session_add(saved_session.dup)
end
- connections += 1
readwrite_loop(ctx, ssl)
end
- first_session = nil
- start_server(ctx_proc: ctx_proc, server_proc: server_proc) do |server, port|
+ start_server(ctx_proc: ctx_proc, server_proc: server_proc) do |port|
+ first_session = nil
10.times do |i|
- sock = TCPSocket.new("127.0.0.1", port)
- ctx = OpenSSL::SSL::SSLContext.new
- # disable RFC4507 support
- ctx.options = OpenSSL::SSL::OP_NO_TICKET
- ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
- ssl.sync_close = true
- ssl.session = first_session if first_session
- ssl.connect
-
- session = ssl.session
- if first_session
- case i
- when 1; assert(ssl.session_reused?)
- when 2; assert(!ssl.session_reused?)
- when 3; assert(ssl.session_reused?)
- when 4; assert(!ssl.session_reused?)
- when 5..10; assert(ssl.session_reused?)
+ connections = i
+ server_connect_with_session(port, nil, first_session) { |ssl|
+ ssl.puts("abc"); assert_equal "abc\n", ssl.gets
+ first_session ||= ssl.session
+
+ case connections
+ when 0;
+ when 1; assert_equal true, ssl.session_reused?
+ when 2; assert_equal false, ssl.session_reused?
+ when 3; assert_equal true, ssl.session_reused?
+ when 4; assert_equal false, ssl.session_reused?
+ when 5..9; assert_equal true, ssl.session_reused?
end
- end
- first_session ||= session
-
- str = "x" * 100 + "\n"
- ssl.puts(str)
- assert_equal(str, ssl.gets)
-
- ssl.close
+ }
end
end
end
def test_ctx_client_session_cb
- called = {}
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
-
- ctx.session_new_cb = lambda { |ary|
- sock, sess = ary
- called[:new] = [sock, sess]
- }
+ pend "TLS 1.2 is not supported" unless tls12_supported?
- ctx.session_remove_cb = lambda { |ary|
- ctx, sess = ary
- called[:remove] = [ctx, sess]
- # any resulting value is OK (ignored)
- }
+ ctx_proc = proc { |ctx| ctx.ssl_version = :TLSv1_2 }
+ start_server(ctx_proc: ctx_proc) do |port|
+ called = {}
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
+ ctx.session_new_cb = lambda { |ary|
+ sock, sess = ary
+ called[:new] = [sock, sess]
+ }
+ ctx.session_remove_cb = lambda { |ary|
+ ctx, sess = ary
+ called[:remove] = [ctx, sess]
+ # any resulting value is OK (ignored)
+ }
- start_server do |server, port|
- sock = TCPSocket.new("127.0.0.1", port)
- begin
- ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
- ssl.sync_close = true
- ssl.connect
+ server_connect_with_session(port, ctx, nil) { |ssl|
assert_equal(1, ctx.session_cache_stats[:cache_num])
assert_equal(1, ctx.session_cache_stats[:connect_good])
assert_equal([ssl, ssl.session], called[:new])
assert(ctx.session_remove(ssl.session))
assert(!ctx.session_remove(ssl.session))
assert_equal([ctx, ssl.session], called[:remove])
- ssl.close
- ensure
- sock.close if !sock.closed?
- end
+ }
end
end
def test_ctx_server_session_cb
- called = {}
+ pend "TLS 1.2 is not supported" unless tls12_supported?
- ctx_proc = Proc.new { |ctx, ssl|
- ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_SERVER
- ctx.options = OpenSSL::SSL::OP_NO_TICKET
- last_server_session = nil
+ connections = nil
+ called = {}
+ sctx = nil
+ ctx_proc = Proc.new { |ctx|
+ sctx = ctx
+ ctx.ssl_version = :TLSv1_2
+ ctx.options |= OpenSSL::SSL::OP_NO_TICKET
# get_cb is called whenever a client proposed to resume a session but
# the session could not be found in the internal session cache.
+ last_server_session = nil
ctx.session_get_cb = lambda { |ary|
- sess, data = ary
- if last_server_session
- called[:get2] = [sess, data]
- last_server_session
+ _sess, data = ary
+ called[:get] = data
+
+ if connections == 2
+ last_server_session.dup
else
- called[:get1] = [sess, data]
- last_server_session = sess
nil
end
}
ctx.session_new_cb = lambda { |ary|
- sock, sess = ary
- called[:new] = [sock, sess]
- # SSL server doesn't cache sessions so get_cb is called next time.
- ctx.session_remove(sess)
+ _sock, sess = ary
+ called[:new] = sess
+ last_server_session = sess
}
ctx.session_remove_cb = lambda { |ary|
- ctx, sess = ary
- called[:remove] = [ctx, sess]
+ _ctx, sess = ary
+ called[:remove] = sess
}
}
-
- server_proc = Proc.new { |c, ssl|
- ssl.session
- c.session_cache_stats
- readwrite_loop(c, ssl)
- }
- start_server(ctx_proc: ctx_proc, server_proc: server_proc) do |server, port|
- last_client_session = nil
- 3.times do
- sock = TCPSocket.new("127.0.0.1", port)
- begin
- ssl = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new())
- ssl.sync_close = true
- ssl.session = last_client_session if last_client_session
- ssl.connect
- last_client_session = ssl.session
- ssl.close
- Timeout.timeout(5) do
- Thread.pass until called.key?(:new)
- assert(called.delete(:new))
- Thread.pass until called.key?(:remove)
- assert(called.delete(:remove))
- end
- ensure
- sock.close if !sock.closed?
+ start_server(ctx_proc: ctx_proc) do |port|
+ connections = 0
+ sess0 = server_connect_with_session(port, nil, nil) { |ssl|
+ ssl.puts("abc"); assert_equal "abc\n", ssl.gets
+ assert_equal false, ssl.session_reused?
+ ssl.session
+ }
+ assert_nil called[:get]
+ assert_not_nil called[:new]
+ assert_equal sess0.id, called[:new].id
+ assert_nil called[:remove]
+ called.clear
+
+ # Internal cache hit
+ connections = 1
+ server_connect_with_session(port, nil, sess0.dup) { |ssl|
+ ssl.puts("abc"); assert_equal "abc\n", ssl.gets
+ assert_equal true, ssl.session_reused?
+ ssl.session
+ }
+ assert_nil called[:get]
+ assert_nil called[:new]
+ assert_nil called[:remove]
+ called.clear
+
+ sctx.flush_sessions(Time.now + 10000)
+ assert_not_nil called[:remove]
+ assert_equal sess0.id, called[:remove].id
+ called.clear
+
+ # External cache hit
+ connections = 2
+ sess2 = server_connect_with_session(port, nil, sess0.dup) { |ssl|
+ ssl.puts("abc"); assert_equal "abc\n", ssl.gets
+ if !ssl.session_reused? && openssl?(1, 1, 0) && !openssl?(1, 1, 0, 7)
+ # OpenSSL >= 1.1.0, < 1.1.0g
+ pend "External session cache is not working; " \
+ "see https://github.com/openssl/openssl/pull/4014"
end
- end
+ assert_equal true, ssl.session_reused?
+ ssl.session
+ }
+ assert_equal sess0.id, sess2.id
+ assert_equal sess0.id, called[:get]
+ assert_nil called[:new]
+ assert_nil called[:remove]
+ called.clear
+
+ sctx.flush_sessions(Time.now + 10000)
+ assert_not_nil called[:remove]
+ assert_equal sess0.id, called[:remove].id
+ called.clear
+
+ # Cache miss
+ connections = 3
+ sess3 = server_connect_with_session(port, nil, sess0.dup) { |ssl|
+ ssl.puts("abc"); assert_equal "abc\n", ssl.gets
+ assert_equal false, ssl.session_reused?
+ ssl.session
+ }
+ assert_not_equal sess0.id, sess3.id
+ assert_equal sess0.id, called[:get]
+ assert_not_nil called[:new]
+ assert_equal sess3.id, called[:new].id
+ assert_nil called[:remove]
end
- assert(called[:get1])
- assert(called[:get2])
end
def test_dup
@@ -373,6 +353,21 @@ __EOS__
sess_dup = sess_orig.dup
assert_equal(sess_orig.to_der, sess_dup.to_der)
end
+
+ private
+
+ def server_connect_with_session(port, ctx = nil, sess = nil)
+ sock = TCPSocket.new("127.0.0.1", port)
+ ctx ||= OpenSSL::SSL::SSLContext.new
+ ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+ ssl.session = sess if sess
+ ssl.sync_close = true
+ ssl.connect
+ yield ssl if block_given?
+ ensure
+ ssl&.close
+ sock&.close
+ end
end
end
diff --git a/test/openssl/test_x509attr.rb b/test/openssl/test_x509attr.rb
index d7473f1a29f..108162f407d 100644
--- a/test/openssl/test_x509attr.rb
+++ b/test/openssl/test_x509attr.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: false
require_relative "utils"
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestX509Attribute < OpenSSL::TestCase
def test_new
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index 5b2e712d2a3..289994d17bc 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -1,23 +1,19 @@
# frozen_string_literal: false
require_relative "utils"
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestX509Certificate < OpenSSL::TestCase
def setup
super
- @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
- @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
- @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
- @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
+ @rsa1024 = Fixtures.pkey("rsa1024")
+ @rsa2048 = Fixtures.pkey("rsa2048")
+ @dsa256 = Fixtures.pkey("dsa256")
+ @dsa512 = Fixtures.pkey("dsa512")
@ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
@ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
end
- def issue_cert(*args)
- OpenSSL::TestUtils.issue_cert(*args)
- end
-
def test_serial
[1, 2**32, 2**100].each{|s|
cert = issue_cert(@ca, @rsa2048, s, [], nil, nil)
@@ -34,13 +30,10 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
["authorityKeyIdentifier","keyid:always",false],
]
- sha1 = OpenSSL::Digest::SHA1.new
- dsa_digest = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new
-
[
- [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dsa_digest], [@dsa512, dsa_digest]
- ].each{|pk, digest|
- cert = issue_cert(@ca, pk, 1, exts, nil, nil, digest: digest)
+ @rsa1024, @rsa2048, @dsa256, @dsa512,
+ ].each{|pk|
+ cert = issue_cert(@ca, pk, 1, exts, nil, nil)
assert_equal(cert.extensions.sort_by(&:to_s)[2].value,
OpenSSL::TestUtils.get_subject_key_id(cert))
cert = OpenSSL::X509::Certificate.new(cert.to_der)
@@ -152,26 +145,15 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
}
end
- def test_dsig_algorithm_mismatch
- assert_raise(OpenSSL::X509::CertificateError) do
- issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest::DSS1.new)
- end if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10001000 # [ruby-core:42949]
- end
-
def test_dsa_with_sha2
- begin
- cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256")
- assert_equal("dsa_with_SHA256", cert.signature_algorithm)
- rescue OpenSSL::X509::CertificateError
- # dsa_with_sha2 not supported. skip following test.
- return
- end
+ cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256")
+ assert_equal("dsa_with_SHA256", cert.signature_algorithm)
# TODO: need more tests for dsa + sha2
# SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1)
cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha1")
assert_equal("dsaWithSHA1", cert.signature_algorithm)
- end if defined?(OpenSSL::Digest::SHA256)
+ end
def test_check_private_key
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
index 44dfffc952c..1914a651cfe 100644
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@@ -1,28 +1,20 @@
# frozen_string_literal: false
require_relative "utils"
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestX509CRL < OpenSSL::TestCase
def setup
super
- @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
- @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
- @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
- @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
+ @rsa1024 = Fixtures.pkey("rsa1024")
+ @rsa2048 = Fixtures.pkey("rsa2048")
+ @dsa256 = Fixtures.pkey("dsa256")
+ @dsa512 = Fixtures.pkey("dsa512")
@ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
@ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
@ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
end
- def issue_crl(*args)
- OpenSSL::TestUtils.issue_crl(*args)
- end
-
- def issue_cert(*args)
- OpenSSL::TestUtils.issue_cert(*args)
- end
-
def test_basic
now = Time.at(Time.now.to_i)
@@ -196,7 +188,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
cert = issue_cert(@ca, @dsa512, 1, [], nil, nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
- cert, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
+ cert, @dsa512, OpenSSL::Digest::SHA1.new)
assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
assert_equal(false, crl.verify(@dsa256))
diff --git a/test/openssl/test_x509ext.rb b/test/openssl/test_x509ext.rb
index 58f03168bc0..f384a25e8cb 100644
--- a/test/openssl/test_x509ext.rb
+++ b/test/openssl/test_x509ext.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: false
require_relative 'utils'
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestX509Extension < OpenSSL::TestCase
def setup
diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb
index 60e8ddb8acf..2d92e645be6 100644
--- a/test/openssl/test_x509name.rb
+++ b/test/openssl/test_x509name.rb
@@ -1,8 +1,8 @@
-# coding: US-ASCII
+# coding: ASCII-8BIT
# frozen_string_literal: false
require_relative 'utils'
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestX509Name < OpenSSL::TestCase
def setup
@@ -148,33 +148,28 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
end
def test_s_parse
- dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org"
+ dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org/1.2.3.4.5.6=A=BCD"
name = OpenSSL::X509::Name.parse(dn)
assert_equal(dn, name.to_s)
ary = name.to_a
- assert_equal("DC", ary[0][0])
- assert_equal("DC", ary[1][0])
- assert_equal("CN", ary[2][0])
- assert_equal("org", ary[0][1])
- assert_equal("ruby-lang", ary[1][1])
- assert_equal("www.ruby-lang.org", ary[2][1])
- assert_equal(OpenSSL::ASN1::IA5STRING, ary[0][2])
- assert_equal(OpenSSL::ASN1::IA5STRING, ary[1][2])
- assert_equal(OpenSSL::ASN1::UTF8STRING, ary[2][2])
-
- dn2 = "DC=org, DC=ruby-lang, CN=www.ruby-lang.org"
+ assert_equal [
+ ["DC", "org", OpenSSL::ASN1::IA5STRING],
+ ["DC", "ruby-lang", OpenSSL::ASN1::IA5STRING],
+ ["CN", "www.ruby-lang.org", OpenSSL::ASN1::UTF8STRING],
+ ["1.2.3.4.5.6", "A=BCD", OpenSSL::ASN1::UTF8STRING],
+ ], ary
+
+ dn2 = "DC=org, DC=ruby-lang, CN=www.ruby-lang.org, 1.2.3.4.5.6=A=BCD"
name = OpenSSL::X509::Name.parse(dn2)
- ary = name.to_a
assert_equal(dn, name.to_s)
- assert_equal("org", ary[0][1])
- assert_equal("ruby-lang", ary[1][1])
- assert_equal("www.ruby-lang.org", ary[2][1])
+ assert_equal ary, name.to_a
name = OpenSSL::X509::Name.parse(dn2, @obj_type_tmpl)
ary = name.to_a
assert_equal(OpenSSL::ASN1::IA5STRING, ary[0][2])
assert_equal(OpenSSL::ASN1::IA5STRING, ary[1][2])
assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[2][2])
+ assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[3][2])
end
def test_s_parse_rfc2253
@@ -306,7 +301,6 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
end
def test_add_entry_street
- return if OpenSSL::OPENSSL_VERSION_NUMBER < 0x009080df # 0.9.8m
# openssl/crypto/objects/obj_mac.h 1.83
dn = [
["DC", "org"],
@@ -323,16 +317,87 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
assert_equal("Namiki", ary[5][1])
end
+ def test_add_entry_placing
+ der = %w{ 30 2A
+ 31 12
+ 30 10 06 03 55 04 0A 0C 09 72 75 62 79 2D 6C 61 6E 67
+ 31 14
+ 30 08 06 03 55 04 0B 0C 01 61
+ 30 08 06 03 55 04 0B 0C 01 62 }
+ orig = OpenSSL::X509::Name.new([der.join].pack("H*"))
+ assert_equal("OU=b+OU=a,O=ruby-lang", orig.to_s(OpenSSL::X509::Name::RFC2253))
+ # Skip for now; they do not work
+ #
+ # dn = orig.dup
+ # dn.add_entry("CN", "unya", loc: 0, set: 0)
+ # assert_equal("OU=b+OU=a,O=ruby-lang,CN=unya", dn.dup.to_s(OpenSSL::X509::Name::RFC2253))
+ # dn = orig.dup
+ # dn.add_entry("CN", "unya", loc: 0, set: 1)
+ # assert_equal("OU=b+OU=a,O=ruby-lang+CN=unya", dn.dup.to_s(OpenSSL::X509::Name::RFC2253))
+ dn = orig.dup
+ dn.add_entry("CN", "unya", loc: 1, set: -1)
+ assert_equal("OU=b+OU=a,O=ruby-lang+CN=unya", dn.dup.to_s(OpenSSL::X509::Name::RFC2253))
+ # dn = orig.dup
+ # dn.add_entry("CN", "unya", loc: 1, set: 0)
+ # assert_equal("OU=b+OU=a,CN=unya,O=ruby-lang", dn.dup.to_s(OpenSSL::X509::Name::RFC2253))
+ dn = orig.dup
+ dn.add_entry("CN", "unya", loc: 1, set: 1)
+ assert_equal("CN=unya+OU=b+OU=a,O=ruby-lang", dn.dup.to_s(OpenSSL::X509::Name::RFC2253))
+ dn = orig.dup
+ dn.add_entry("CN", "unya", loc: -1, set: -1)
+ assert_equal("CN=unya+OU=b+OU=a,O=ruby-lang", dn.dup.to_s(OpenSSL::X509::Name::RFC2253))
+ dn = orig.dup
+ dn.add_entry("CN", "unya", loc: -1, set: 0)
+ assert_equal("CN=unya,OU=b+OU=a,O=ruby-lang", dn.dup.to_s(OpenSSL::X509::Name::RFC2253))
+ end
+
+ def test_to_s
+ dn = [
+ ["DC", "org"],
+ ["DC", "ruby-lang"],
+ ["CN", "フー, バー"],
+ ]
+ name = OpenSSL::X509::Name.new
+ dn.each { |x| name.add_entry(*x) }
+
+ assert_equal "/DC=org/DC=ruby-lang/" \
+ "CN=\\xE3\\x83\\x95\\xE3\\x83\\xBC, \\xE3\\x83\\x90\\xE3\\x83\\xBC",
+ name.to_s
+ # OpenSSL escapes characters with MSB by default
+ assert_equal \
+ "CN=\\E3\\83\\95\\E3\\83\\BC\\, \\E3\\83\\90\\E3\\83\\BC," \
+ "DC=ruby-lang,DC=org",
+ name.to_s(OpenSSL::X509::Name::RFC2253)
+ assert_equal "DC = org, DC = ruby-lang, " \
+ "CN = \"\\E3\\83\\95\\E3\\83\\BC, \\E3\\83\\90\\E3\\83\\BC\"",
+ name.to_s(OpenSSL::X509::Name::ONELINE)
+ end
+
+ def test_to_utf8
+ dn = [
+ ["DC", "org"],
+ ["DC", "ruby-lang"],
+ ["CN", "フー, バー"],
+ ]
+ name = OpenSSL::X509::Name.new
+ dn.each { |x| name.add_entry(*x) }
+
+ str = name.to_utf8
+ expected = "CN=フー\\, バー,DC=ruby-lang,DC=org".force_encoding("UTF-8")
+ assert_equal expected, str
+ assert_equal Encoding.find("UTF-8"), str.encoding
+ end
+
def test_equals2
- n1 = OpenSSL::X509::Name.parse 'CN=a'
- n2 = OpenSSL::X509::Name.parse 'CN=a'
+ n1 = OpenSSL::X509::Name.parse_rfc2253 'CN=a'
+ n2 = OpenSSL::X509::Name.parse_rfc2253 'CN=a'
assert_equal n1, n2
end
def test_spaceship
- n1 = OpenSSL::X509::Name.parse 'CN=a'
- n2 = OpenSSL::X509::Name.parse 'CN=b'
+ n1 = OpenSSL::X509::Name.parse_rfc2253 'CN=a'
+ n2 = OpenSSL::X509::Name.parse_rfc2253 'CN=b'
assert_equal(-1, n1 <=> n2)
end
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index 585dda1bc6a..a21d45da197 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -1,15 +1,15 @@
# frozen_string_literal: false
require_relative "utils"
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestX509Request < OpenSSL::TestCase
def setup
super
- @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
- @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
- @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
- @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
+ @rsa1024 = Fixtures.pkey("rsa1024")
+ @rsa2048 = Fixtures.pkey("rsa2048")
+ @dsa256 = Fixtures.pkey("dsa256")
+ @dsa512 = Fixtures.pkey("dsa512")
@dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou")
end
@@ -28,7 +28,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der)
- req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
+ req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new)
assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
@@ -122,7 +122,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
end
def test_sign_and_verify_dsa
- req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
+ req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new)
assert_equal(false, request_error_returns_false { req.verify(@rsa1024) })
assert_equal(false, request_error_returns_false { req.verify(@rsa2048) })
assert_equal(false, req.verify(@dsa256))
@@ -131,18 +131,6 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
assert_equal(false, req.verify(@dsa512))
end
- def test_sign_and_verify_rsa_dss1
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new)
- assert_equal(true, req.verify(@rsa1024))
- assert_equal(false, req.verify(@rsa2048))
- assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
- assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
- req.version = 1
- assert_equal(false, req.verify(@rsa1024))
- rescue OpenSSL::X509::RequestError
- pend
- end if defined?(OpenSSL::Digest::DSS1)
-
def test_sign_and_verify_dsa_md5
assert_raise(OpenSSL::X509::RequestError){
issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) }
diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb
index c45233aaecb..6412249b93e 100644
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -1,15 +1,15 @@
# frozen_string_literal: false
require_relative "utils"
-if defined?(OpenSSL::TestUtils)
+if defined?(OpenSSL)
class OpenSSL::TestX509Store < OpenSSL::TestCase
def setup
super
- @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
- @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
- @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256
- @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512
+ @rsa1024 = Fixtures.pkey("rsa1024")
+ @rsa2048 = Fixtures.pkey("rsa2048")
+ @dsa256 = Fixtures.pkey("dsa256")
+ @dsa512 = Fixtures.pkey("dsa512")
@ca1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA1")
@ca2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA2")
@ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
@@ -26,14 +26,6 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
ctx.verify
end
- def issue_cert(*args)
- OpenSSL::TestUtils.issue_cert(*args)
- end
-
- def issue_crl(*args)
- OpenSSL::TestUtils.issue_crl(*args)
- end
-
def test_add_file
ca_exts = [
["basicConstraints", "CA:TRUE", true],
@@ -217,7 +209,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
end
def test_set_errors
- return if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000
+ return if openssl?(1, 1, 0) || libressl?
now = Time.now
ca1_cert = issue_cert(@ca1, @rsa2048, 1, [], nil, nil)
store = OpenSSL::X509::Store.new
@@ -233,17 +225,9 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [],
ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
store.add_crl(crl1)
- if /0\.9\.8.*-rhel/ =~ OpenSSL::OPENSSL_VERSION
- # RedHat is distributing a patched version of OpenSSL that allows
- # multiple CRL for a key (multi-crl.patch)
- assert_nothing_raised do
- store.add_crl(crl2) # add CRL issued by same CA twice.
- end
- else
- assert_raise(OpenSSL::X509::StoreError){
- store.add_crl(crl2) # add CRL issued by same CA twice.
- }
- end
+ assert_raise(OpenSSL::X509::StoreError){
+ store.add_crl(crl2) # add CRL issued by same CA twice.
+ }
end
def test_dup
diff --git a/test/openssl/ut_eof.rb b/test/openssl/ut_eof.rb
index 6de41c4a70d..bd62fd50f9d 100644
--- a/test/openssl/ut_eof.rb
+++ b/test/openssl/ut_eof.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: false
require 'test/unit'
+if defined?(OpenSSL)
+
module OpenSSL::TestEOF
def test_eof_0
open_file("") {|f|
@@ -127,3 +129,5 @@ module OpenSSL::TestEOF
end
end
end
+
+end
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index bbc9c7efc2e..f59d53b0d19 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -9,129 +9,57 @@ begin
rescue LoadError
end
+# Compile OpenSSL with crypto-mdebug and run this test suite with OSSL_MDEBUG=1
+# environment variable to enable memory leak check.
+if ENV["OSSL_MDEBUG"] == "1"
+ if OpenSSL.respond_to?(:print_mem_leaks)
+ OpenSSL.mem_check_start
+
+ END {
+ GC.start
+ case OpenSSL.print_mem_leaks
+ when nil
+ warn "mdebug: check what is printed"
+ when true
+ raise "mdebug: memory leaks detected"
+ end
+ }
+ else
+ warn "OSSL_MDEBUG=1 is specified but OpenSSL is not built with crypto-mdebug"
+ end
+end
+
require "test/unit"
-require 'tempfile'
-require "rbconfig"
+require "tempfile"
require "socket"
require "envutil"
-module OpenSSL::TestUtils
- TEST_KEY_RSA1024 = OpenSSL::PKey::RSA.new <<-_end_of_pem_
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx
-aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/
-Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB
-AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0
-maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T
-gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572
-74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE
-JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX
-sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII
-8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA
-wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi
-qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD
-dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA==
------END RSA PRIVATE KEY-----
- _end_of_pem_
-
- TEST_KEY_RSA2048 = OpenSSL::PKey::RSA.new <<-_end_of_pem_
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAuV9ht9J7k4NBs38jOXvvTKY9gW8nLICSno5EETR1cuF7i4pN
-s9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enenfzq/t/e/1IRW0wkJUJUFQign
-4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWmqbjs07JbuS4QQGGXLc+Su96D
-kYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v68JkRFIhdGlb6JL8fllf/A/bl
-NwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX9KZYcU00mOX+fdxOSnGqS/8J
-DRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wIDAQABAoIBAAzsamqfYQAqwXTb
-I0CJtGg6msUgU7HVkOM+9d3hM2L791oGHV6xBAdpXW2H8LgvZHJ8eOeSghR8+dgq
-PIqAffo4x1Oma+FOg3A0fb0evyiACyrOk+EcBdbBeLo/LcvahBtqnDfiUMQTpy6V
-seSoFCwuN91TSCeGIsDpRjbG1vxZgtx+uI+oH5+ytqJOmfCksRDCkMglGkzyfcl0
-Xc5CUhIJ0my53xijEUQl19rtWdMnNnnkdbG8PT3LZlOta5Do86BElzUYka0C6dUc
-VsBDQ0Nup0P6rEQgy7tephHoRlUGTYamsajGJaAo1F3IQVIrRSuagi7+YpSpCqsW
-wORqorkCgYEA7RdX6MDVrbw7LePnhyuaqTiMK+055/R1TqhB1JvvxJ1CXk2rDL6G
-0TLHQ7oGofd5LYiemg4ZVtWdJe43BPZlVgT6lvL/iGo8JnrncB9Da6L7nrq/+Rvj
-XGjf1qODCK+LmreZWEsaLPURIoR/Ewwxb9J2zd0CaMjeTwafJo1CZvcCgYEAyCgb
-aqoWvUecX8VvARfuA593Lsi50t4MEArnOXXcd1RnXoZWhbx5rgO8/ATKfXr0BK/n
-h2GF9PfKzHFm/4V6e82OL7gu/kLy2u9bXN74vOvWFL5NOrOKPM7Kg+9I131kNYOw
-Ivnr/VtHE5s0dY7JChYWE1F3vArrOw3T00a4CXUCgYEA0SqY+dS2LvIzW4cHCe9k
-IQqsT0yYm5TFsUEr4sA3xcPfe4cV8sZb9k/QEGYb1+SWWZ+AHPV3UW5fl8kTbSNb
-v4ng8i8rVVQ0ANbJO9e5CUrepein2MPL0AkOATR8M7t7dGGpvYV0cFk8ZrFx0oId
-U0PgYDotF/iueBWlbsOM430CgYEAqYI95dFyPI5/AiSkY5queeb8+mQH62sdcCCr
-vd/w/CZA/K5sbAo4SoTj8dLk4evU6HtIa0DOP63y071eaxvRpTNqLUOgmLh+D6gS
-Cc7TfLuFrD+WDBatBd5jZ+SoHccVrLR/4L8jeodo5FPW05A+9gnKXEXsTxY4LOUC
-9bS4e1kCgYAqVXZh63JsMwoaxCYmQ66eJojKa47VNrOeIZDZvd2BPVf30glBOT41
-gBoDG3WMPZoQj9pb7uMcrnvs4APj2FIhMU8U15LcPAj59cD6S6rWnAxO8NFK7HQG
-4Jxg3JNNf8ErQoCHb1B3oVdXJkmbJkARoDpBKmTCgKtP8ADYLmVPQw==
------END RSA PRIVATE KEY-----
- _end_of_pem_
-
- TEST_KEY_DSA256 = OpenSSL::PKey::DSA.new <<-_end_of_pem_
------BEGIN DSA PRIVATE KEY-----
-MIH3AgEAAkEAhk2libbY2a8y2Pt21+YPYGZeW6wzaW2yfj5oiClXro9XMR7XWLkE
-9B7XxLNFCS2gmCCdMsMW1HulaHtLFQmB2wIVAM43JZrcgpu6ajZ01VkLc93gu/Ed
-AkAOhujZrrKV5CzBKutKLb0GVyVWmdC7InoNSMZEeGU72rT96IjM59YzoqmD0pGM
-3I1o4cGqg1D1DfM1rQlnN1eSAkBq6xXfEDwJ1mLNxF6q8Zm/ugFYWR5xcX/3wFiT
-b4+EjHP/DbNh9Vm5wcfnDBJ1zKvrMEf2xqngYdrV/3CiGJeKAhRvL57QvJZcQGvn
-ISNX5cMzFHRW3Q==
------END DSA PRIVATE KEY-----
- _end_of_pem_
+if defined?(OpenSSL)
- TEST_KEY_DSA512 = OpenSSL::PKey::DSA.new <<-_end_of_pem_
------BEGIN DSA PRIVATE KEY-----
-MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok
-RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D
-AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR
-S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++
-Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S
-55jreJD3Se3slps=
------END DSA PRIVATE KEY-----
- _end_of_pem_
-
- TEST_KEY_DSA1024 = OpenSSL::PKey::DSA.new <<-_end_of_pem_
------BEGIN DSA PRIVATE KEY-----
-MIIBugIBAAKBgQCH9aAoXvWWThIjkA6D+nI1F9ksF9iDq594rkiGNOT9sPDOdB+n
-D+qeeeeloRlj19ymCSADPI0ZLRgkchkAEnY2RnqnhHOjVf/roGgRbW+iQDMbQ9wa
-/pvc6/fAbsu1goE1hBYjm98/sZEeXavj8tR56IXnjF1b6Nx0+sgeUKFKEQIVAMiz
-4BJUFeTtddyM4uadBM7HKLPRAoGAZdLBSYNGiij7vAjesF5mGUKTIgPd+JKuBEDx
-OaBclsgfdoyoF/TMOkIty+PVlYD+//Vl2xnoUEIRaMXHwHfm0r2xUX++oeRaSScg
-YizJdUxe5jvBuBszGPRc/mGpb9YvP0sB+FL1KmuxYmdODfCe51zl8uM/CVhouJ3w
-DjmRGscCgYAuFlfC7p+e8huCKydfcv/beftqjewiOPpQ3u5uI6KPCtCJPpDhs3+4
-IihH2cPsAlqwGF4tlibW1+/z/OZ1AZinPK3y7b2jSJASEaPeEltVzB92hcd1khk2
-jTYcmSsV4VddplOPK9czytR/GbbibxsrhhgZUbd8LPbvIgaiadJ1PgIUBnJ/5vN2
-CVArsEzlPUCbohPvZnE=
------END DSA PRIVATE KEY-----
- _end_of_pem_
-
-if defined?(OpenSSL::PKey::EC)
-
- TEST_KEY_EC_P256V1 = OpenSSL::PKey::EC.new <<-_end_of_pem_
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIID49FDqcf1O1eO8saTgG70UbXQw9Fqwseliit2aWhH1oAoGCCqGSM49
-AwEHoUQDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7lSZ/ArK41eGy5wAzU/0G51Xtt
-CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg==
------END EC PRIVATE KEY-----
- _end_of_pem_
-
-end
+module OpenSSL::TestUtils
+ module Fixtures
+ module_function
- TEST_KEY_DH1024 = OpenSSL::PKey::DH.new <<-_end_of_pem_
------BEGIN DH PARAMETERS-----
-MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0
-pFxIvjG05D7HoBZQfrR0c92NGWPkAiCkhQKB8JCbPVzwNLDy6DZ0pmofDKrEsYHG
-AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
------END DH PARAMETERS-----
- _end_of_pem_
+ def pkey(name)
+ OpenSSL::PKey.read(read_file("pkey", name))
+ end
- TEST_KEY_DH1024.set_key(OpenSSL::BN.new("556AF1598AE69899867CEBA9F29CE4862B884C2B43C9019EA0231908F6EFA785E3C462A6ECB16DF676866E997FFB72B487DC7967C58C3CA38CE974473BF19B2AA5DCBF102735572EBA6F353F6F0BBE7FF1DE1B07FE1381A355C275C33405004317F9491B5955F191F6615A63B30E55A027FB88A1A4B25608E09EEE68A7DF32D", 16),
- OpenSSL::BN.new("48561834C67E65FFD2A9B47F41E5E78FDC95C387428FDB1E4B0188B64D1643C3A8D3455B945B7E8C4D166010C7C2CE23BFB9BEF43D0348FE7FA5284B0225E7FE1537546D114E3D8A4411B9B9351AB451E1A358F50ED61B1F00DA29336EEBBD649980AC86D76AF8BBB065298C2052672EEF3EF13AB47A15275FC2836F3AC74CEA", 16))
+ def pkey_dh(name)
+ # DH parameters can be read by OpenSSL::PKey.read atm
+ OpenSSL::PKey::DH.new(read_file("pkey", name))
+ end
- DSA_SIGNATURE_DIGEST = OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000 ?
- OpenSSL::Digest::SHA1 :
- OpenSSL::Digest::DSS1
+ def read_file(category, name)
+ @file_cache ||= {}
+ @file_cache[[category, name]] ||=
+ File.read(File.join(__dir__, "fixtures", category, name + ".pem"))
+ end
+ end
module_function
def issue_cert(dn, key, serial, extensions, issuer, issuer_key,
- not_before: nil, not_after: nil, digest: nil)
+ not_before: nil, not_after: nil, digest: "sha256")
cert = OpenSSL::X509::Certificate.new
issuer = cert unless issuer
issuer_key = key unless issuer_key
@@ -149,7 +77,6 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
extensions.each{|oid, value, critical|
cert.add_extension(ef.create_extension(oid, value, critical))
}
- digest ||= OpenSSL::PKey::DSA === issuer_key ? DSA_SIGNATURE_DIGEST.new : "sha256"
cert.sign(issuer_key, digest)
cert
end
@@ -191,190 +118,191 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
OpenSSL::Digest::SHA1.hexdigest(pkvalue).scan(/../).join(":").upcase
end
- def silent
- begin
- back, $VERBOSE = $VERBOSE, nil
- yield
- ensure
- $VERBOSE = back
- end
+ def openssl?(major = nil, minor = nil, fix = nil, patch = 0)
+ return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL")
+ return true unless major
+ OpenSSL::OPENSSL_VERSION_NUMBER >=
+ major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10
end
- class OpenSSL::TestCase < Test::Unit::TestCase
- def setup
- if ENV["OSSL_GC_STRESS"] == "1"
- GC.stress = true
- end
- end
-
- def teardown
- if ENV["OSSL_GC_STRESS"] == "1"
- GC.stress = false
- end
- # OpenSSL error stack must be empty
- assert_equal([], OpenSSL.errors)
- end
+ def libressl?(major = nil, minor = nil, fix = nil)
+ version = OpenSSL::OPENSSL_VERSION.scan(/LibreSSL (\d+)\.(\d+)\.(\d+).*/)[0]
+ return false unless version
+ !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0
end
+end
- class OpenSSL::SSLTestCase < OpenSSL::TestCase
- RUBY = EnvUtil.rubybin
- ITERATIONS = ($0 == __FILE__) ? 100 : 10
-
- def setup
- super
- @ca_key = OpenSSL::TestUtils::TEST_KEY_RSA2048
- @svr_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
- @cli_key = OpenSSL::TestUtils::TEST_KEY_DSA1024
- @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
- @svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
- @cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
- ca_exts = [
- ["basicConstraints","CA:TRUE",true],
- ["keyUsage","cRLSign,keyCertSign",true],
- ]
- ee_exts = [
- ["keyUsage","keyEncipherment,digitalSignature",true],
- ]
- @ca_cert = issue_cert(@ca, @ca_key, 1, ca_exts, nil, nil)
- @svr_cert = issue_cert(@svr, @svr_key, 2, ee_exts, @ca_cert, @ca_key)
- @cli_cert = issue_cert(@cli, @cli_key, 3, ee_exts, @ca_cert, @ca_key)
- @server = nil
- end
+class OpenSSL::TestCase < Test::Unit::TestCase
+ include OpenSSL::TestUtils
+ extend OpenSSL::TestUtils
- def issue_cert(*arg)
- OpenSSL::TestUtils.issue_cert(*arg)
+ def setup
+ if ENV["OSSL_GC_STRESS"] == "1"
+ GC.stress = true
end
+ end
- def issue_crl(*arg)
- OpenSSL::TestUtils.issue_crl(*arg)
+ def teardown
+ if ENV["OSSL_GC_STRESS"] == "1"
+ GC.stress = false
end
+ # OpenSSL error stack must be empty
+ assert_equal([], OpenSSL.errors)
+ end
+end
- def readwrite_loop(ctx, ssl)
- while line = ssl.gets
- ssl.write(line)
- end
- rescue OpenSSL::SSL::SSLError
- rescue IOError
- ensure
- ssl.close rescue nil
- end
+class OpenSSL::SSLTestCase < OpenSSL::TestCase
+ RUBY = EnvUtil.rubybin
+ ITERATIONS = ($0 == __FILE__) ? 100 : 10
+
+ def setup
+ super
+ @ca_key = Fixtures.pkey("rsa2048")
+ @svr_key = Fixtures.pkey("rsa1024")
+ @cli_key = Fixtures.pkey("rsa2048")
+ @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
+ @svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
+ @cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
+ ca_exts = [
+ ["basicConstraints","CA:TRUE",true],
+ ["keyUsage","cRLSign,keyCertSign",true],
+ ]
+ ee_exts = [
+ ["keyUsage","keyEncipherment,digitalSignature",true],
+ ]
+ @ca_cert = issue_cert(@ca, @ca_key, 1, ca_exts, nil, nil)
+ @svr_cert = issue_cert(@svr, @svr_key, 2, ee_exts, @ca_cert, @ca_key)
+ @cli_cert = issue_cert(@cli, @cli_key, 3, ee_exts, @ca_cert, @ca_key)
+ @server = nil
+ end
- def server_loop(ctx, ssls, stop_pipe_r, ignore_listener_error, server_proc, threads)
- loop do
- ssl = nil
- begin
- readable, = IO.select([ssls, stop_pipe_r])
- if readable.include? stop_pipe_r
- return
- end
- ssl = ssls.accept
- rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET
- if ignore_listener_error
- retry
- else
- raise
- end
- end
+ def tls12_supported?
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
+ true
+ rescue
+ end
- th = Thread.start do
- server_proc.call(ctx, ssl)
- end
- threads << th
- end
- rescue Errno::EBADF, IOError, Errno::EINVAL, Errno::ECONNABORTED, Errno::ENOTSOCK, Errno::ECONNRESET
- if !ignore_listener_error
- raise
- end
+ def readwrite_loop(ctx, ssl)
+ while line = ssl.gets
+ ssl.write(line)
end
+ end
- def start_server(verify_mode: OpenSSL::SSL::VERIFY_NONE, start_immediately: true,
- ctx_proc: nil, server_proc: method(:readwrite_loop),
- ignore_listener_error: false, &block)
- IO.pipe {|stop_pipe_r, stop_pipe_w|
- store = OpenSSL::X509::Store.new
- store.add_cert(@ca_cert)
- store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.cert_store = store
- ctx.cert = @svr_cert
- ctx.key = @svr_key
- ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
- begin
- ctx.ecdh_curves = "P-256"
- rescue NotImplementedError
- end
- ctx.verify_mode = verify_mode
- ctx_proc.call(ctx) if ctx_proc
-
- Socket.do_not_reverse_lookup = true
- tcps = nil
- tcps = TCPServer.new("127.0.0.1", 0)
- port = tcps.connect_address.ip_port
-
- ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
- ssls.start_immediately = start_immediately
-
- threads = []
- begin
- server = Thread.new do
- begin
- server_loop(ctx, ssls, stop_pipe_r, ignore_listener_error, server_proc, threads)
- ensure
- tcps.close
+ def start_server(verify_mode: OpenSSL::SSL::VERIFY_NONE, start_immediately: true,
+ ctx_proc: nil, server_proc: method(:readwrite_loop),
+ ignore_listener_error: false, &block)
+ IO.pipe {|stop_pipe_r, stop_pipe_w|
+ store = OpenSSL::X509::Store.new
+ store.add_cert(@ca_cert)
+ store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.cert_store = store
+ ctx.cert = @svr_cert
+ ctx.key = @svr_key
+ ctx.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") }
+ ctx.verify_mode = verify_mode
+ ctx_proc.call(ctx) if ctx_proc
+
+ Socket.do_not_reverse_lookup = true
+ tcps = TCPServer.new("127.0.0.1", 0)
+ port = tcps.connect_address.ip_port
+
+ ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
+ ssls.start_immediately = start_immediately
+
+ threads = []
+ begin
+ server_thread = Thread.new do
+ begin
+ loop do
+ begin
+ readable, = IO.select([ssls, stop_pipe_r])
+ break if readable.include? stop_pipe_r
+ ssl = ssls.accept
+ rescue OpenSSL::SSL::SSLError, IOError, Errno::EBADF, Errno::EINVAL,
+ Errno::ECONNABORTED, Errno::ENOTSOCK, Errno::ECONNRESET
+ retry if ignore_listener_error
+ raise
+ end
+
+ th = Thread.new do
+ begin
+ server_proc.call(ctx, ssl)
+ ensure
+ ssl.close
+ end
+ true
+ end
+ threads << th
end
+ ensure
+ tcps.close
end
- threads.unshift server
-
- $stderr.printf("SSL server started: pid=%d port=%d\n", $$, port) if $DEBUG
+ end
- client = Thread.new do
- begin
- block.call(server, port.to_i)
- ensure
- stop_pipe_w.close
- end
+ client_thread = Thread.new do
+ begin
+ block.call(port)
+ ensure
+ # Stop accepting new connection
+ stop_pipe_w.close
+ server_thread.join
end
- threads.unshift client
- ensure
- assert_join_threads(threads)
end
- }
- end
+ threads.unshift client_thread
+ ensure
+ # Terminate existing connections. If a thread did 'pend', re-raise it.
+ pend = nil
+ threads.each { |th|
+ begin
+ th.join(10) or
+ th.raise(RuntimeError, "[start_server] thread did not exit in 10 secs")
+ rescue (defined?(MiniTest::Skip) ? MiniTest::Skip : Test::Unit::PendedError)
+ # MiniTest::Skip is for the Ruby tree
+ pend = $!
+ rescue Exception
+ end
+ }
+ raise pend if pend
+ assert_join_threads(threads)
+ end
+ }
end
+end
- class OpenSSL::PKeyTestCase < OpenSSL::TestCase
- def check_component(base, test, keys)
- keys.each { |comp|
- assert_equal base.send(comp), test.send(comp)
- }
- end
+class OpenSSL::PKeyTestCase < OpenSSL::TestCase
+ def check_component(base, test, keys)
+ keys.each { |comp|
+ assert_equal base.send(comp), test.send(comp)
+ }
+ end
- def dup_public(key)
- case key
- when OpenSSL::PKey::RSA
- rsa = OpenSSL::PKey::RSA.new
- rsa.set_key(key.n, key.e, nil)
- rsa
- when OpenSSL::PKey::DSA
- dsa = OpenSSL::PKey::DSA.new
- dsa.set_pqg(key.p, key.q, key.g)
- dsa.set_key(key.pub_key, nil)
- dsa
- when OpenSSL::PKey::DH
- dh = OpenSSL::PKey::DH.new
- dh.set_pqg(key.p, nil, key.g)
- dh
+ def dup_public(key)
+ case key
+ when OpenSSL::PKey::RSA
+ rsa = OpenSSL::PKey::RSA.new
+ rsa.set_key(key.n, key.e, nil)
+ rsa
+ when OpenSSL::PKey::DSA
+ dsa = OpenSSL::PKey::DSA.new
+ dsa.set_pqg(key.p, key.q, key.g)
+ dsa.set_key(key.pub_key, nil)
+ dsa
+ when OpenSSL::PKey::DH
+ dh = OpenSSL::PKey::DH.new
+ dh.set_pqg(key.p, nil, key.g)
+ dh
+ else
+ if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key
+ ec = OpenSSL::PKey::EC.new(key.group)
+ ec.public_key = key.public_key
+ ec
else
- if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key
- ec = OpenSSL::PKey::EC.new(key.group)
- ec.public_key = key.public_key
- ec
- else
- raise "unknown key type"
- end
+ raise "unknown key type"
end
end
end
+end
-end if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) and
- /\AOpenSSL +0\./ !~ OpenSSL::OPENSSL_LIBRARY_VERSION
+end