-rw-r--r-- | ChangeLog | 75 | ||||
-rw-r--r-- | ext/openssl/extconf.rb | 9 | ||||
-rw-r--r-- | ext/openssl/ossl.c | 6 | ||||
-rw-r--r-- | ext/openssl/ossl.h | 7 | ||||
-rw-r--r-- | ext/openssl/ossl_config.c | 12 | ||||
-rw-r--r-- | ext/openssl/ossl_engine.c | 18 | ||||
-rw-r--r-- | ext/openssl/ossl_pkcs5.c | 7 | ||||
-rw-r--r-- | ext/openssl/ossl_pkcs7.c | 40 | ||||
-rw-r--r-- | ext/openssl/ossl_pkey_ec.c | 2 | ||||
-rw-r--r-- | ext/openssl/ossl_ssl.c | 4 | ||||
-rw-r--r-- | ext/openssl/ossl_ssl_session.c | 15 | ||||
-rw-r--r-- | ext/openssl/ossl_x509attr.c | 5 | ||||
-rw-r--r-- | ext/openssl/ossl_x509crl.c | 4 | ||||
-rw-r--r-- | ext/openssl/ossl_x509name.c | 24 | ||||
-rw-r--r-- | test/openssl/test_ec.rb | 4 | ||||
-rw-r--r-- | test/openssl/test_x509cert.rb | 39 | ||||
-rw-r--r-- | test/openssl/test_x509crl.rb | 28 | ||||
-rw-r--r-- | test/openssl/test_x509req.rb | 38 | ||||
-rw-r--r-- | version.h | 8 |
19 files changed, 278 insertions, 67 deletions
@@ -1,3 +1,78 @@ +Mon Jun 21 18:12:15 2010 NAKAMURA Usaku <usa@ruby-lang.org> + + * ext/openssl/extconf.rb: check some functions added at OpenSSL 1.0.0. + + * ext/openssl/ossl_engine.c (ossl_engine_s_load): use engines which + exists. + +Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org> + + * ext/openssl/ossl_config.c: defined own IMPLEMENT_LHASH_DOALL_ARG_FN_098 + macro according to IMPLEMENT_LHASH_DOALL_ARG_FN in OpenSSL 0.9.8m. + OpenSSL 1.0.0beta5 has a slightly different definiton so it could + be a temporal workaround for 0.9.8 and 1.0.0 dual support. + + * ext/openssl/ossl_pkcs5.c (ossl_pkcs5_pbkdf2_hmac): follows function + definition in OpenSSL 1.0.0beta5. PKCS5_PBKDF2_HMAC is from 1.0.0 + (0.9.8 only has PKCS5_PBKDF2_HMAC_SHA1) + + * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_eq): do not use + SSL_SESSION_cmp and implement equality func by ousrself. See the + comment. + +Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org> + + * ext/openssl/ossl_ssl_session.c + (ossl_ssl_session_{get,set}_time{,out}): fixed a bug introduced by + backporting. (see [ruby-dev:40573]) use long in according to + OpenSSL API. (SSL_SESSION_{get,set}_time{,out}) + +Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org> + + * ext/openssl/ossl_x509name.c: added X509::Name#hash_old as a wrapper + for X509_NAME_hash_old in OpenSSL 1.0.0. + + * test/openssl/test_x509name.rb (test_hash): make test pass with + OpenSSL 1.0.0. + +Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org> + + * test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5. + * PKey::PKey#verify raises an exception when a given PKey does not + match with signature. + * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1. + +Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org> + + * backport the commit from trunk: + Sun Feb 28 11:49:35 2010 NARUSE, Yui <naruse@ruby-lang.org> + + * openssl/ossl.c (OSSL_IMPL_SK2ARY): for OpenSSL 1.0. 
+ patched by Jeroen van Meeuwen at [ruby-core:25210] + fixed by Nobuyoshi Nakada [ruby-core:25238], + Hongli Lai [ruby-core:27417], + and Motohiro KOSAKI [ruby-core:28063] + + * ext/openssl/ossl_ssl.c (ossl_ssl_method_tab), + (ossl_ssl_cipher_to_ary): constified. + + * ext/openssl/ossl_pkcs7.c (pkcs7_get_certs, pkcs7_get_crls): + split pkcs7_get_certs_or_crls. + +Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org> + + * test/openssl/test_ec.rb: added test_dsa_sign_asn1_FIPS186_3. dgst is + truncated with ec_key.group.order.size after openssl 0.9.8m for + FIPS 186-3 compliance. + + WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using + openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises + OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns + false when you pass dgst longer than expected (no truncation + performed). + + * ext/openssl/ossl_pkey_ec.c: rdoc typo fixed. + Wed Jun 16 16:01:42 2010 Tanaka Akira <akr@fsij.org> * lib/pathname.rb (Pathname#sub): suppress a warning. diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 63ec7f2054..6554eba653 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -91,6 +91,7 @@ have_func("X509_CRL_add0_revoked") have_func("X509_CRL_set_issuer_name") have_func("X509_CRL_set_version") have_func("X509_CRL_sort") +have_func("X509_NAME_hash_old") have_func("X509_STORE_get_ex_data") have_func("X509_STORE_set_ex_data") have_func("OBJ_NAME_do_all_sorted") @@ -106,6 +107,14 @@ if have_header("openssl/engine.h") have_func("ENGINE_get_digest") have_func("ENGINE_get_cipher") have_func("ENGINE_cleanup") + have_func("ENGINE_load_4758cca") + have_func("ENGINE_load_aep") + have_func("ENGINE_load_atalla") + have_func("ENGINE_load_chil") + have_func("ENGINE_load_cswift") + have_func("ENGINE_load_nuron") + have_func("ENGINE_load_sureware") + have_func("ENGINE_load_ubsec") end if try_compile(<<SRC) #include <openssl/opensslv.h> 
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c index fd9429b170..7aa2c0d449 100644 --- a/ext/openssl/ossl.c +++ b/ext/openssl/ossl.c @@ -92,7 +92,7 @@ ossl_x509_ary2sk(VALUE ary) #define OSSL_IMPL_SK2ARY(name, type) \ VALUE \ -ossl_##name##_sk2ary(STACK *sk) \ +ossl_##name##_sk2ary(STACK_OF(type) *sk) \ { \ type *t; \ int i, num; \ @@ -102,7 +102,7 @@ ossl_##name##_sk2ary(STACK *sk) \ OSSL_Debug("empty sk!"); \ return Qnil; \ } \ - num = sk_num(sk); \ + num = sk_##type##_num(sk); \ if (num < 0) { \ OSSL_Debug("items in sk < -1???"); \ return rb_ary_new(); \ @@ -110,7 +110,7 @@ ossl_##name##_sk2ary(STACK *sk) \ ary = rb_ary_new2(num); \ \ for (i=0; i<num; i++) { \ - t = (type *)sk_value(sk, i); \ + t = sk_##type##_value(sk, i); \ rb_ary_push(ary, ossl_##name##_new(t)); \ } \ return ary; \ diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h index 31fd7d7c1b..9944a862e4 100644 --- a/ext/openssl/ossl.h +++ b/ext/openssl/ossl.h @@ -108,6 +108,13 @@ extern VALUE eOSSLError; } while (0) /* + * Compatibility + */ +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#define STACK _STACK +#endif + +/* * String to HEXString conversion */ int string2hex(char *, int, char **, int *); diff --git a/ext/openssl/ossl_config.c b/ext/openssl/ossl_config.c index 606edfc3ad..f5e57ba1f2 100644 --- a/ext/openssl/ossl_config.c +++ b/ext/openssl/ossl_config.c @@ -313,6 +313,12 @@ ossl_config_get_section_old(VALUE self, VALUE section) } #ifdef IMPLEMENT_LHASH_DOALL_ARG_FN +#define IMPLEMENT_LHASH_DOALL_ARG_FN_098(f_name,o_type,a_type) \ + void f_name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \ + o_type a = (o_type)arg1; \ + a_type b = (a_type)arg2; \ + f_name(a,b); } + static void get_conf_section(CONF_VALUE *cv, VALUE ary) { 
@@ -320,7 +326,7 @@ get_conf_section(CONF_VALUE *cv, VALUE ary) rb_ary_push(ary, rb_str_new2(cv->section)); } -static IMPLEMENT_LHASH_DOALL_ARG_FN(get_conf_section, CONF_VALUE*, VALUE) +static IMPLEMENT_LHASH_DOALL_ARG_FN_098(get_conf_section, CONF_VALUE*, VALUE) static VALUE ossl_config_get_sections(VALUE self) @@ -358,7 +364,7 @@ dump_conf_value(CONF_VALUE *cv, VALUE str) rb_str_cat2(str, "\n"); } -static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_conf_value, CONF_VALUE*, VALUE) +static IMPLEMENT_LHASH_DOALL_ARG_FN_098(dump_conf_value, CONF_VALUE*, VALUE) static VALUE dump_conf(CONF *conf) @@ -402,7 +408,7 @@ each_conf_value(CONF_VALUE *cv, void* dummy) } } -static IMPLEMENT_LHASH_DOALL_ARG_FN(each_conf_value, CONF_VALUE*, void*) +static IMPLEMENT_LHASH_DOALL_ARG_FN_098(each_conf_value, CONF_VALUE*, void*) static VALUE ossl_config_each(VALUE self) diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c index c0eb180019..c6fc603a1e 100644 --- a/ext/openssl/ossl_engine.c +++ b/ext/openssl/ossl_engine.c @@ -61,16 +61,34 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass) } StringValue(name); #ifndef OPENSSL_NO_STATIC_ENGINE +#if HAVE_ENGINE_LOAD_DYNAMIC OSSL_ENGINE_LOAD_IF_MATCH(dynamic); +#endif +#if HAVE_ENGINE_LOAD_CSWIFT OSSL_ENGINE_LOAD_IF_MATCH(cswift); +#endif +#if HAVE_ENGINE_LOAD_CHIL OSSL_ENGINE_LOAD_IF_MATCH(chil); +#endif +#if HAVE_ENGINE_LOAD_ATALLA OSSL_ENGINE_LOAD_IF_MATCH(atalla); +#endif +#if HAVE_ENGINE_LOAD_NURON OSSL_ENGINE_LOAD_IF_MATCH(nuron); +#endif +#if HAVE_ENGINE_LOAD_UBSEC OSSL_ENGINE_LOAD_IF_MATCH(ubsec); +#endif +#if HAVE_ENGINE_LOAD_AEP OSSL_ENGINE_LOAD_IF_MATCH(aep); +#endif +#if HAVE_ENGINE_LOAD_SUREWARE OSSL_ENGINE_LOAD_IF_MATCH(sureware); +#endif +#if HAVE_ENGINE_LOAD_4758CCA OSSL_ENGINE_LOAD_IF_MATCH(4758cca); #endif +#endif #ifdef HAVE_ENGINE_LOAD_OPENBSD_DEV_CRYPTO OSSL_ENGINE_LOAD_IF_MATCH(openbsd_dev_crypto); #endif diff --git a/ext/openssl/ossl_pkcs5.c b/ext/openssl/ossl_pkcs5.c index 007889fc94..39ba013839 100644 
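Review bot: `#if HAVE_ENGINE_LOAD_DYNAMIC` now guards the `dynamic` engine, but the extconf.rb hunk in this commit adds `have_func` checks only for the eight hardware engines and none for `ENGINE_load_dynamic`; unless such a check already exists earlier in extconf.rb (outside this diff), the macro is never defined, the `#if` evaluates to 0 and `OpenSSL::Engine.load("dynamic")` no longer reaches `OSSL_ENGINE_LOAD_IF_MATCH(dynamic)` on any build. Add `have_func("ENGINE_load_dynamic")` next to the new checks so the guard can ever be true. The new guards also use `#if HAVE_...` while the `openbsd_dev_crypto` guard two lines below uses `#ifdef HAVE_...`; both work with mkmf's `#define HAVE_X 1`, but one form should be used throughout. The enclosing function ossl_engine_s_load starts and ends outside the hunk.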
--- a/ext/openssl/ossl_pkcs5.c +++ b/ext/openssl/ossl_pkcs5.c @@ -29,14 +29,17 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE key VALUE str; const EVP_MD *md; int len = NUM2INT(keylen); + unsigned char* salt_p; + unsigned char* str_p; StringValue(pass); StringValue(salt); md = GetDigestPtr(digest); - str = rb_str_new(0, len); + salt_p = (unsigned char*)RSTRING_PTR(salt); + str_p = (unsigned char*)RSTRING_PTR(str); - if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter), md, len, RSTRING_PTR(str)) != 1) + if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), salt_p, RSTRING_LEN(salt), NUM2INT(iter), md, len, str_p) != 1) ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC"); return str; diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c index 6918844779..5177f5c1e5 100644 --- a/ext/openssl/ossl_pkcs7.c +++ b/ext/openssl/ossl_pkcs7.c @@ -570,12 +570,11 @@ ossl_pkcs7_add_certificate(VALUE self, VALUE cert) return self; } -static STACK * -pkcs7_get_certs_or_crls(VALUE self, int want_certs) +static STACK_OF(X509) * +pkcs7_get_certs(VALUE self) { PKCS7 *pkcs7; STACK_OF(X509) *certs; - STACK_OF(X509_CRL) *crls; int i; GetPKCS7(self, pkcs7); 
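Review bot: `str` is never allocated on the new side — the removed `str = rb_str_new(0, len);` has no replacement, so `str_p = (unsigned char*)RSTRING_PTR(str);` reads an uninitialized VALUE, PKCS5_PBKDF2_HMAC then writes `len` bytes through that pointer, and `return str;` hands the same uninitialized value back to Ruby. This is a memory-safety defect reachable from every call to PKCS5.pbkdf2_hmac, not a cosmetic slip in the pointer refactor. Restore the allocation before the pointer is taken: `str = rb_str_new(0, len);` immediately above the `str_p` assignment. A one-line comment such as `/* output buffer is caller-sized via keylen; rb_str_new rejects negative lengths */` would also make the `len`-from-`NUM2INT(keylen)` trust boundary visible. The function's signature is on the hunk header and its closing brace is outside the hunk.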
@@ -583,17 +582,38 @@ pkcs7_get_certs_or_crls(VALUE self, int want_certs) switch(i){ case NID_pkcs7_signed: certs = pkcs7->d.sign->cert; - crls = pkcs7->d.sign->crl; break; case NID_pkcs7_signedAndEnveloped: certs = pkcs7->d.signed_and_enveloped->cert; + break; + default: + certs = NULL; + } + + return certs; +} + +static STACK_OF(X509_CRL) * +pkcs7_get_crls(VALUE self) +{ + PKCS7 *pkcs7; + STACK_OF(X509_CRL) *crls; + int i; + + GetPKCS7(self, pkcs7); + i = OBJ_obj2nid(pkcs7->type); + switch(i){ + case NID_pkcs7_signed: + crls = pkcs7->d.sign->crl; + break; + case NID_pkcs7_signedAndEnveloped: crls = pkcs7->d.signed_and_enveloped->crl; break; default: - certs = crls = NULL; + crls = NULL; } - return want_certs ? certs : crls; + return crls; } static VALUE @@ -608,7 +628,7 @@ ossl_pkcs7_set_certificates(VALUE self, VALUE ary) STACK_OF(X509) *certs; X509 *cert; - certs = pkcs7_get_certs_or_crls(self, 1); + certs = pkcs7_get_certs(self); while((cert = sk_X509_pop(certs))) X509_free(cert); rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_certs_i, self); @@ -618,7 +638,7 @@ ossl_pkcs7_set_certificates(VALUE self, VALUE ary) static VALUE ossl_pkcs7_get_certificates(VALUE self) { - return ossl_x509_sk2ary(pkcs7_get_certs_or_crls(self, 1)); + return ossl_x509_sk2ary(pkcs7_get_certs(self)); } static VALUE @@ -648,7 +668,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ary) STACK_OF(X509_CRL) *crls; X509_CRL *crl; - crls = pkcs7_get_certs_or_crls(self, 0); + crls = pkcs7_get_crls(self); while((crl = sk_X509_CRL_pop(crls))) X509_CRL_free(crl); rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_crls_i, self); @@ -658,7 +678,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ary) static VALUE ossl_pkcs7_get_crls(VALUE self) { - return ossl_x509crl_sk2ary(pkcs7_get_certs_or_crls(self, 0)); + return ossl_x509crl_sk2ary(pkcs7_get_crls(self)); } static VALUE diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c index f02fcd831d..cbdad3f12b 100644 
--- a/ext/openssl/ossl_pkey_ec.c +++ b/ext/openssl/ossl_pkey_ec.c @@ -681,7 +681,7 @@ static VALUE ossl_ec_key_dsa_sign_asn1(VALUE self, VALUE data) /* * call-seq: - * key.dsa_verify(data, sig) => true or false + * key.dsa_verify_asn1(data, sig) => true or false * * See the OpenSSL documentation for ECDSA_verify() */ diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index fb3cf5c2ad..1ee391c794 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -1196,10 +1196,10 @@ ossl_ssl_get_peer_cert_chain(VALUE self) } chain = SSL_get_peer_cert_chain(ssl); if(!chain) return Qnil; - num = sk_num(chain); + num = sk_X509_num(chain); ary = rb_ary_new2(num); for (i = 0; i < num; i++){ - cert = (X509*)sk_value(chain, i); + cert = sk_X509_value(chain, i); rb_ary_push(ary, ossl_x509_new(cert)); } diff --git a/ext/openssl/ossl_ssl_session.c b/ext/openssl/ossl_ssl_session.c index 86f9d80cef..b416e76920 100644 --- a/ext/openssl/ossl_ssl_session.c +++ b/ext/openssl/ossl_ssl_session.c @@ -86,9 +86,18 @@ static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2) GetSSLSession(val1, ctx1); SafeGetSSLSession(val2, ctx2); - switch (SSL_SESSION_cmp(ctx1, ctx2)) { - case 0: return Qtrue; - default: return Qfalse; + /* + * OpenSSL 1.0.0betas do not have non-static SSL_SESSION_cmp. + * ssl_session_cmp (was SSL_SESSION_cmp in 0.9.8) is for lhash + * comparing so we should not depend on it. Just compare sessions + * by version and id. + */ + if ((ctx1->ssl_version == ctx2->ssl_version) && + (ctx1->session_id_length == ctx2->session_id_length) && + (memcmp(ctx1->session_id, ctx2->session_id, ctx1->session_id_length) == 0)) { + return Qtrue; + } else { + return Qfalse; } } diff --git a/ext/openssl/ossl_x509attr.c b/ext/openssl/ossl_x509attr.c index ca1c59aba9..949785a80b 100644 --- a/ext/openssl/ossl_x509attr.c +++ b/ext/openssl/ossl_x509attr.c 
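Review bot: The hand-rolled comparison in ossl_ssl_session_eq should state what it deliberately leaves out: it tests `ssl_version`, `session_id_length` and the id bytes, but not `sid_ctx`, so two sessions carrying the same id under different session-id contexts compare equal, and two sessions with `session_id_length == 0` compare equal as well. If the intent is to mirror the fields 0.9.8's SSL_SESSION_cmp compared, the comment should say so, e.g. `/* Same fields 0.9.8's SSL_SESSION_cmp used: version + id. sid_ctx is not compared; id-less sessions compare equal. */` above the `if`. Reaching into `ctx1->ssl_version` and `ctx1->session_id` also ties the wrapper to the SSL_SESSION layout; `SSL_SESSION_get_id()` is available in the versions targeted here, I believe, and would outlive the struct becoming opaque. The enclosing function begins above the hunk.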
@@ -217,8 +217,9 @@ ossl_x509attr_get_value(VALUE self) ossl_str_adjust(str, p); } else{ - length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, NULL, - i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0); + length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, + (unsigned char **) NULL, i2d_ASN1_TYPE, + V_ASN1_SET, V_ASN1_UNIVERSAL, 0); str = rb_str_new(0, length); p = RSTRING_PTR(str); i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, &p, diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c index be9ddacf48..e6d0c2eb3c 100644 --- a/ext/openssl/ossl_x509crl.c +++ b/ext/openssl/ossl_x509crl.c @@ -262,7 +262,7 @@ ossl_x509crl_get_revoked(VALUE self) VALUE ary, revoked; GetX509CRL(self, crl); - num = sk_X509_CRL_num(X509_CRL_get_REVOKED(crl)); + num = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); if (num < 0) { OSSL_Debug("num < 0???"); return rb_ary_new(); @@ -270,7 +270,7 @@ ossl_x509crl_get_revoked(VALUE self) ary = rb_ary_new2(num); for(i=0; i<num; i++) { /* NO DUP - don't free! */ - rev = (X509_REVOKED *)sk_X509_CRL_value(X509_CRL_get_REVOKED(crl), i); + rev = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); revoked = ossl_x509revoked_new(rev); rb_ary_push(ary, revoked); } diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c index 220dc069af..55f5b58d64 100644 --- a/ext/openssl/ossl_x509name.c +++ b/ext/openssl/ossl_x509name.c @@ -306,6 +306,27 @@ ossl_x509name_hash(VALUE self) return ULONG2NUM(hash); } +#ifdef HAVE_X509_NAME_HASH_OLD +/* + * call-seq: + * name.hash_old => integer + * + * hash_old returns MD5 based hash used in OpenSSL 0.9.X. + */ +static VALUE +ossl_x509name_hash_old(VALUE self) +{ + X509_NAME *name; + unsigned long hash; + + GetX509Name(self, name); + + hash = X509_NAME_hash_old(name); + + return ULONG2NUM(hash); +} +#endif + /* * call-seq: * name.to_der => string 
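Review bot: The rdoc for the new X509::Name#hash_old only says it is the "MD5 based hash used in OpenSSL 0.9.X"; since the method is exported whenever the build finds X509_NAME_hash_old, it should also tell callers what it is for and what it must not be used for. Suggested replacement for the rdoc body: `* hash_old returns the MD5-based X509_NAME hash that OpenSSL 0.9.x used. It exists so hashed certificate directories built with 0.9.x tooling can still be looked up from a 1.0.0 build; it is not collision-resistant and is not an identity check — compare names with cmp or eql? instead. Only defined when the linked OpenSSL provides X509_NAME_hash_old.` The implementation itself is a straight wrapper and needs no change.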
@@ -351,6 +372,9 @@ Init_ossl_x509name() rb_define_alias(cX509Name, "<=>", "cmp"); rb_define_method(cX509Name, "eql?", ossl_x509name_eql, 1); rb_define_method(cX509Name, "hash", ossl_x509name_hash, 0); +#ifdef HAVE_X509_NAME_HASH_OLD + rb_define_method(cX509Name, "hash_old", ossl_x509name_hash_old, 0); +#endif rb_define_method(cX509Name, "to_der", ossl_x509name_to_der, 0); utf8str = INT2NUM(V_ASN1_UTF8STRING); diff --git a/test/openssl/test_ec.rb b/test/openssl/test_ec.rb index 671901ca36..eb1c61e1a9 100644 --- a/test/openssl/test_ec.rb +++ b/test/openssl/test_ec.rb @@ -87,9 +87,7 @@ class OpenSSL::TestEC < Test::Unit::TestCase def test_dsa_sign_verify for key in @keys sig = key.dsa_sign_asn1(@data1) - assert_equal(key.dsa_verify_asn1(@data1, sig), true) - - assert_raises(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) } + assert(key.dsa_verify_asn1(@data1, sig)) end end diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb index a5a75ff1b6..cf5e6f7aab 100644 --- a/test/openssl/test_x509cert.rb +++ b/test/openssl/test_x509cert.rb 
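Review bot: The test_ec.rb hunk drops `assert_raises(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) }` without adding anything in its place, while the ChangeLog entry for this file claims a `test_dsa_sign_asn1_FIPS186_3` test was added; the diffstat's 4 changed lines for this file suggest that test is not in this commit. Signing a digest longer than the group order is exactly the behaviour the ChangeLog WARNING describes as version-dependent (truncation on 0.9.8m and later, ECError before), so after this change neither outcome is exercised at all. Either add the promised test, or at minimum assert that `key.dsa_sign_asn1(@data2)` either raises `OpenSSL::PKey::ECError` or returns a signature that `key.dsa_verify_asn1(@data2, sig)` accepts, with a comment naming the version boundary. `assert(key.dsa_verify_asn1(@data1, sig))` is a fine simplification of the old `assert_equal(..., true)`.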
@@ -129,13 +129,31 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase end + def test_sign_and_verify_wrong_key_type + cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::SHA1.new) + cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::DSS1.new) + begin + assert_equal(false, cert_rsa.verify(@dsa256)) + rescue OpenSSL::X509::CertificateError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + + begin + assert_equal(false, cert_dsa.verify(@rsa1024)) + rescue OpenSSL::X509::CertificateError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + end + def test_sign_and_verify cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::SHA1.new) assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) - assert_equal(false, cert.verify(@dsa256)) - assert_equal(false, cert.verify(@dsa512)) cert.serial = 2 assert_equal(false, cert.verify(@rsa2048)) 
@@ -143,33 +161,22 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase nil, nil, OpenSSL::Digest::MD5.new) assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) - assert_equal(false, cert.verify(@dsa256)) - assert_equal(false, cert.verify(@dsa512)) cert.subject = @ee1 assert_equal(false, cert.verify(@rsa2048)) cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::DSS1.new) - assert_equal(false, cert.verify(@rsa1024)) - assert_equal(false, cert.verify(@rsa2048)) assert_equal(false, cert.verify(@dsa256)) assert_equal(true, cert.verify(@dsa512)) cert.not_after = Time.now assert_equal(false, cert.verify(@dsa512)) + end + def test_dsig_algorithm_mismatch assert_raises(OpenSSL::X509::CertificateError){ cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::DSS1.new) } - assert_raises(OpenSSL::X509::CertificateError){ - cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::MD5.new) - } - assert_raises(OpenSSL::X509::CertificateError){ - cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) - } + end end end - -end diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb index 444a00a586..c59ff52380 100644 --- a/test/openssl/test_x509crl.rb +++ b/test/openssl/test_x509crl.rb 
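Review bot: test_dsig_algorithm_mismatch in this file keeps only the RSA-key/DSS1-digest case, whereas the same-named test added to test_x509req.rb in this commit also keeps the DSA-key/MD5 case, so the two files now disagree about whether DSA+MD5 is expected to raise. The ChangeLog says only that DSA now accepts SHA1 and SHA256 in addition to DSS1, which suggests MD5 should still be rejected; if so, add `assert_raises(OpenSSL::X509::CertificateError){ issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::MD5.new) }` back here so both files pin the same contract. The retained `cert = issue_cert(...)` inside the assert_raises block assigns a local that is never read; `issue_cert(...)` alone reads cleaner. The class and test-case `end`s are adjusted within the hunk, so the file structure is intact.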
@@ -190,6 +190,30 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase assert_match((2**100).to_s, crl.extensions[0].value) end + def test_sign_and_verify_wrong_key_type + cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::SHA1.new) + crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [], + cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new) + cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::DSS1.new) + crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [], + cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new) + begin + assert_equal(false, crl_rsa.verify(@dsa256)) + rescue OpenSSL::X509::CRLError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + + begin + assert_equal(false, crl_dsa.verify(@rsa1024)) + rescue OpenSSL::X509::CRLError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + end + def test_sign_and_verify cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::SHA1.new) @@ -197,8 +221,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase cert, @rsa2048, OpenSSL::Digest::SHA1.new) assert_equal(false, crl.verify(@rsa1024)) assert_equal(true, crl.verify(@rsa2048)) - assert_equal(false, crl.verify(@dsa256)) - assert_equal(false, crl.verify(@dsa512)) crl.version = 0 assert_equal(false, crl.verify(@rsa2048)) @@ -206,8 +228,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase nil, nil, OpenSSL::Digest::DSS1.new) crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @dsa512, OpenSSL::Digest::DSS1.new) - assert_equal(false, crl.verify(@rsa1024)) - assert_equal(false, crl.verify(@rsa2048)) assert_equal(false, crl.verify(@dsa256)) assert_equal(true, crl.verify(@dsa512)) crl.version = 0 diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb index a37ed5c5ef..6186bcea0c 100644 --- a/test/openssl/test_x509req.rb 
+++ b/test/openssl/test_x509req.rb 
@@ -103,37 +103,51 @@ class OpenSSL::TestX509Request < Test::Unit::TestCase assert_equal(exts, get_ext_req(attrs[1].value)) end + def test_sign_and_verify_wrong_key_type + req_rsa = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new) + req_dsa = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) + begin + assert_equal(false, req_rsa.verify(@dsa256)) + rescue OpenSSL::X509::RequestError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + + begin + assert_equal(false, req_dsa.verify(@rsa1024)) + rescue OpenSSL::X509::RequestError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + end + def test_sign_and_verify req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new) assert_equal(true, req.verify(@rsa1024)) assert_equal(false, req.verify(@rsa2048)) - assert_equal(false, req.verify(@dsa256)) - assert_equal(false, req.verify(@dsa512)) req.version = 1 assert_equal(false, req.verify(@rsa1024)) req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new) assert_equal(false, req.verify(@rsa1024)) assert_equal(true, req.verify(@rsa2048)) - assert_equal(false, req.verify(@dsa256)) - assert_equal(false, req.verify(@dsa512)) req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar") assert_equal(false, req.verify(@rsa2048)) req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) - assert_equal(false, req.verify(@rsa1024)) - assert_equal(false, req.verify(@rsa2048)) assert_equal(false, req.verify(@dsa256)) assert_equal(true, req.verify(@dsa512)) req.public_key = @rsa1024.public_key assert_equal(false, req.verify(@dsa512)) + end - assert_raise(OpenSSL::X509::RequestError){ - issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) } - assert_raise(OpenSSL::X509::RequestError){ - issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) } - assert_raise(OpenSSL::X509::RequestError){ - issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) } + def 
test_dsig_algorithm_mismatch + assert_raise(OpenSSL::X509::RequestError) do + issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) + end + assert_raise(OpenSSL::X509::RequestError) do + issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) + end end end @@ -1,15 +1,15 @@ #define RUBY_VERSION "1.8.7" -#define RUBY_RELEASE_DATE "2010-06-16" +#define RUBY_RELEASE_DATE "2010-06-21" #define RUBY_VERSION_CODE 187 -#define RUBY_RELEASE_CODE 20100616 -#define RUBY_PATCHLEVEL 296 +#define RUBY_RELEASE_CODE 20100621 +#define RUBY_PATCHLEVEL 297 #define RUBY_VERSION_MAJOR 1 #define RUBY_VERSION_MINOR 8 #define RUBY_VERSION_TEENY 7 #define RUBY_RELEASE_YEAR 2010 #define RUBY_RELEASE_MONTH 6 -#define RUBY_RELEASE_DAY 16 +#define RUBY_RELEASE_DAY 21 #ifdef RUBY_EXTERN RUBY_EXTERN const char ruby_version[]; |