summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--test/openssl/test_x509cert.rb167
-rw-r--r--test/openssl/test_x509crl.rb77
-rw-r--r--test/openssl/test_x509name.rb16
-rw-r--r--test/openssl/test_x509req.rb89
4 files changed, 122 insertions, 227 deletions
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index 5fc87d9c67..55481690e9 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -6,17 +6,16 @@ if defined?(OpenSSL)
class OpenSSL::TestX509Certificate < OpenSSL::TestCase
def setup
super
- @rsa1024 = Fixtures.pkey("rsa1024")
- @rsa2048 = Fixtures.pkey("rsa2048")
- @dsa256 = Fixtures.pkey("dsa256")
- @dsa512 = Fixtures.pkey("dsa512")
+ @rsa1 = Fixtures.pkey("rsa-1")
+ @rsa2 = Fixtures.pkey("rsa-2")
+ @ec1 = Fixtures.pkey("p256")
@ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
@ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
end
def test_serial
[1, 2**32, 2**100].each{|s|
- cert = issue_cert(@ca, @rsa2048, s, [], nil, nil)
+ cert = issue_cert(@ca, @rsa1, s, [], nil, nil)
assert_equal(s, cert.serial)
cert = OpenSSL::X509::Certificate.new(cert.to_der)
assert_equal(s, cert.serial)
@@ -29,40 +28,34 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
["subjectKeyIdentifier","hash",false],
["authorityKeyIdentifier","keyid:always",false],
]
-
- [
- @rsa1024, @rsa2048, @dsa256, @dsa512,
- ].each{|pk|
- cert = issue_cert(@ca, pk, 1, exts, nil, nil)
- assert_equal(cert.extensions.sort_by(&:to_s)[2].value,
- OpenSSL::TestUtils.get_subject_key_id(cert))
- cert = OpenSSL::X509::Certificate.new(cert.to_der)
- assert_equal(cert.extensions.sort_by(&:to_s)[2].value,
- OpenSSL::TestUtils.get_subject_key_id(cert))
- }
+ cert = issue_cert(@ca, @rsa1, 1, exts, nil, nil)
+ assert_kind_of(OpenSSL::PKey::RSA, cert.public_key)
+ assert_equal(@rsa1.public_to_der, cert.public_key.public_to_der)
+ cert = OpenSSL::X509::Certificate.new(cert.to_der)
+ assert_equal(@rsa1.public_to_der, cert.public_key.public_to_der)
end
def test_validity
now = Time.at(Time.now.to_i + 0.9)
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil,
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil,
not_before: now, not_after: now+3600)
assert_equal(Time.at(now.to_i), cert.not_before)
assert_equal(Time.at(now.to_i+3600), cert.not_after)
now = Time.at(now.to_i)
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil,
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil,
not_before: now, not_after: now+3600)
assert_equal(now.getutc, cert.not_before)
assert_equal((now+3600).getutc, cert.not_after)
now = Time.at(0)
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil,
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil,
not_before: now, not_after: now)
assert_equal(now.getutc, cert.not_before)
assert_equal(now.getutc, cert.not_after)
now = Time.at(0x7fffffff)
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil,
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil,
not_before: now, not_after: now)
assert_equal(now.getutc, cert.not_before)
assert_equal(now.getutc, cert.not_after)
@@ -75,7 +68,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
["subjectKeyIdentifier","hash",false],
["authorityKeyIdentifier","issuer:always,keyid:always",false],
]
- ca_cert = issue_cert(@ca, @rsa2048, 1, ca_exts, nil, nil)
+ ca_cert = issue_cert(@ca, @rsa1, 1, ca_exts, nil, nil)
ca_cert.extensions.each_with_index{|ext, i|
assert_equal(ca_exts[i].first, ext.oid)
assert_equal(ca_exts[i].last, ext.critical?)
@@ -88,7 +81,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
["subjectAltName","email:ee1@ruby-lang.org",false],
]
- ee1_cert = issue_cert(@ee1, @rsa1024, 2, ee1_exts, ca_cert, @rsa2048)
+ ee1_cert = issue_cert(@ee1, @rsa2, 2, ee1_exts, ca_cert, @rsa1)
assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der)
ee1_cert.extensions.each_with_index{|ext, i|
assert_equal(ee1_exts[i].first, ext.oid)
@@ -97,25 +90,25 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
end
def test_akiski
- ca_cert = generate_cert(@ca, @rsa2048, 4, nil)
+ ca_cert = generate_cert(@ca, @rsa1, 4, nil)
ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, ca_cert)
ca_cert.add_extension(
ef.create_extension("subjectKeyIdentifier", "hash", false))
ca_cert.add_extension(
ef.create_extension("authorityKeyIdentifier", "issuer:always,keyid:always", false))
- ca_cert.sign(@rsa2048, "sha256")
+ ca_cert.sign(@rsa1, "sha256")
ca_keyid = get_subject_key_id(ca_cert.to_der, hex: false)
assert_equal ca_keyid, ca_cert.authority_key_identifier
assert_equal ca_keyid, ca_cert.subject_key_identifier
- ee_cert = generate_cert(@ee1, Fixtures.pkey("p256"), 5, ca_cert)
+ ee_cert = generate_cert(@ee1, @rsa2, 5, ca_cert)
ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, ee_cert)
ee_cert.add_extension(
ef.create_extension("subjectKeyIdentifier", "hash", false))
ee_cert.add_extension(
ef.create_extension("authorityKeyIdentifier", "issuer:always,keyid:always", false))
- ee_cert.sign(@rsa2048, "sha256")
+ ee_cert.sign(@rsa1, "sha256")
ee_keyid = get_subject_key_id(ee_cert.to_der, hex: false)
assert_equal ca_keyid, ee_cert.authority_key_identifier
@@ -123,13 +116,13 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
end
def test_akiski_missing
- cert = issue_cert(@ee1, @rsa2048, 1, [], nil, nil)
+ cert = issue_cert(@ee1, @rsa1, 1, [], nil, nil)
assert_nil(cert.authority_key_identifier)
assert_nil(cert.subject_key_identifier)
end
def test_crl_uris_no_crl_distribution_points
- cert = issue_cert(@ee1, @rsa2048, 1, [], nil, nil)
+ cert = issue_cert(@ee1, @rsa1, 1, [], nil, nil)
assert_nil(cert.crl_uris)
end
@@ -141,10 +134,10 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
URI.1 = http://www.example.com/crl
URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary
_cnf_
- cdp_cert = generate_cert(@ee1, @rsa2048, 3, nil)
+ cdp_cert = generate_cert(@ee1, @rsa1, 3, nil)
ef.subject_certificate = cdp_cert
cdp_cert.add_extension(ef.create_extension("crlDistributionPoints", "@crlDistPts"))
- cdp_cert.sign(@rsa2048, "sha256")
+ cdp_cert.sign(@rsa1, "sha256")
assert_equal(
["http://www.example.com/crl", "ldap://ldap.example.com/cn=ca?certificateRevocationList;binary"],
cdp_cert.crl_uris
@@ -158,10 +151,10 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
[crlDistPts_section]
fullname = URI:http://www.example.com/crl, URI:ldap://ldap.example.com/cn=ca?certificateRevocationList;binary
_cnf_
- cdp_cert = generate_cert(@ee1, @rsa2048, 3, nil)
+ cdp_cert = generate_cert(@ee1, @rsa1, 3, nil)
ef.subject_certificate = cdp_cert
cdp_cert.add_extension(ef.create_extension("crlDistributionPoints", "crlDistPts_section"))
- cdp_cert.sign(@rsa2048, "sha256")
+ cdp_cert.sign(@rsa1, "sha256")
assert_equal(
["http://www.example.com/crl", "ldap://ldap.example.com/cn=ca?certificateRevocationList;binary"],
cdp_cert.crl_uris
@@ -177,22 +170,22 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
[dirname_section]
CN = dirname
_cnf_
- cdp_cert = generate_cert(@ee1, @rsa2048, 3, nil)
+ cdp_cert = generate_cert(@ee1, @rsa1, 3, nil)
ef.subject_certificate = cdp_cert
cdp_cert.add_extension(ef.create_extension("crlDistributionPoints", "crlDistPts_section"))
- cdp_cert.sign(@rsa2048, "sha256")
+ cdp_cert.sign(@rsa1, "sha256")
assert_nil(cdp_cert.crl_uris)
end
def test_aia_missing
- cert = issue_cert(@ee1, @rsa2048, 1, [], nil, nil)
+ cert = issue_cert(@ee1, @rsa1, 1, [], nil, nil)
assert_nil(cert.ca_issuer_uris)
assert_nil(cert.ocsp_uris)
end
def test_aia
ef = OpenSSL::X509::ExtensionFactory.new
- aia_cert = generate_cert(@ee1, @rsa2048, 4, nil)
+ aia_cert = generate_cert(@ee1, @rsa1, 4, nil)
ef.subject_certificate = aia_cert
aia_cert.add_extension(
ef.create_extension(
@@ -204,7 +197,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
false
)
)
- aia_cert.sign(@rsa2048, "sha256")
+ aia_cert.sign(@rsa1, "sha256")
assert_equal(
["http://www.example.com/caIssuers", "ldap://ldap.example.com/cn=ca?authorityInfoAccessCaIssuers;binary"],
aia_cert.ca_issuer_uris
@@ -217,7 +210,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
def test_invalid_extension
integer = OpenSSL::ASN1::Integer.new(0)
- invalid_exts_cert = generate_cert(@ee1, @rsa1024, 1, nil)
+ invalid_exts_cert = generate_cert(@ee1, @rsa1, 1, nil)
["subjectKeyIdentifier", "authorityKeyIdentifier", "crlDistributionPoints", "authorityInfoAccess"].each do |ext|
invalid_exts_cert.add_extension(
OpenSSL::X509::Extension.new(ext, integer.to_der)
@@ -241,57 +234,16 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
}
end
- def test_sign_and_verify_rsa_sha1
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: "SHA1")
- assert_equal(false, cert.verify(@rsa1024))
- assert_equal(true, cert.verify(@rsa2048))
- assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
- assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) })
+ def test_sign_and_verify
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil, digest: "SHA256")
+ assert_equal(true, cert.verify(@rsa1))
+ assert_equal(false, cert.verify(@rsa2))
+ assert_equal(false, certificate_error_returns_false { cert.verify(@ec1) })
cert.serial = 2
- assert_equal(false, cert.verify(@rsa2048))
- rescue OpenSSL::X509::CertificateError # RHEL 9 disables SHA1
- end
-
- def test_sign_and_verify_rsa_md5
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: "md5")
- assert_equal(false, cert.verify(@rsa1024))
- assert_equal(true, cert.verify(@rsa2048))
-
- assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
- assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) })
- cert.subject = @ee1
- assert_equal(false, cert.verify(@rsa2048))
- rescue OpenSSL::X509::CertificateError # RHEL7 disables MD5
- end
-
- def test_sign_and_verify_dsa
- cert = issue_cert(@ca, @dsa512, 1, [], nil, nil)
- assert_equal(false, certificate_error_returns_false { cert.verify(@rsa1024) })
- assert_equal(false, certificate_error_returns_false { cert.verify(@rsa2048) })
- assert_equal(false, cert.verify(@dsa256))
- assert_equal(true, cert.verify(@dsa512))
- cert.not_after = Time.now
- assert_equal(false, cert.verify(@dsa512))
+ assert_equal(false, cert.verify(@rsa1))
end
- def test_sign_and_verify_rsa_dss1
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest.new('DSS1'))
- assert_equal(false, cert.verify(@rsa1024))
- assert_equal(true, cert.verify(@rsa2048))
- assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
- assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) })
- cert.subject = @ee1
- assert_equal(false, cert.verify(@rsa2048))
- rescue OpenSSL::X509::CertificateError
- end if defined?(OpenSSL::Digest::DSS1)
-
- def test_sign_and_verify_dsa_md5
- assert_raise(OpenSSL::X509::CertificateError){
- issue_cert(@ca, @dsa512, 1, [], nil, nil, digest: "md5")
- }
- end
-
- def test_sign_and_verify_ed25519
+ def test_sign_and_verify_nil_digest
# Ed25519 is not FIPS-approved.
omit_on_fips
ed25519 = OpenSSL::PKey::generate_key("ED25519")
@@ -299,24 +251,13 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
assert_equal(true, cert.verify(ed25519))
end
- def test_dsa_with_sha2
- cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256")
- assert_equal("dsa_with_SHA256", cert.signature_algorithm)
- # TODO: need more tests for dsa + sha2
-
- # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1)
- cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha1")
- assert_equal("dsaWithSHA1", cert.signature_algorithm)
- rescue OpenSSL::X509::CertificateError # RHEL 9 disables SHA1
- end
-
def test_check_private_key
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
- assert_equal(true, cert.check_private_key(@rsa2048))
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil)
+ assert_equal(true, cert.check_private_key(@rsa1))
end
def test_read_from_file
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil)
Tempfile.create("cert") { |f|
f << cert.to_pem
f.rewind
@@ -325,12 +266,12 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
end
def test_read_der_then_pem
- cert1 = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
+ cert1 = issue_cert(@ca, @rsa1, 1, [], nil, nil)
exts = [
# A new line before PEM block
["nsComment", "Another certificate:\n" + cert1.to_pem],
]
- cert2 = issue_cert(@ca, @rsa2048, 2, exts, nil, nil)
+ cert2 = issue_cert(@ca, @rsa1, 2, exts, nil, nil)
assert_equal cert2, OpenSSL::X509::Certificate.new(cert2.to_der)
assert_equal cert2, OpenSSL::X509::Certificate.new(cert2.to_pem)
@@ -338,15 +279,15 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
def test_eq
now = Time.now
- cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil,
+ cacert = issue_cert(@ca, @rsa1, 1, [], nil, nil,
not_before: now, not_after: now + 3600)
- cert1 = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024,
+ cert1 = issue_cert(@ee1, @rsa2, 2, [], cacert, @rsa1,
not_before: now, not_after: now + 3600)
- cert2 = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024,
+ cert2 = issue_cert(@ee1, @rsa2, 2, [], cacert, @rsa1,
not_before: now, not_after: now + 3600)
- cert3 = issue_cert(@ee1, @rsa2048, 3, [], cacert, @rsa1024,
+ cert3 = issue_cert(@ee1, @rsa2, 3, [], cacert, @rsa1,
not_before: now, not_after: now + 3600)
- cert4 = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024,
+ cert4 = issue_cert(@ee1, @rsa2, 2, [], cacert, @rsa1,
digest: "sha512", not_before: now, not_after: now + 3600)
assert_equal false, cert1 == 12345
@@ -358,9 +299,9 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
def test_marshal
now = Time.now
- cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil,
+ cacert = issue_cert(@ca, @rsa1, 1, [], nil, nil,
not_before: now, not_after: now + 3600)
- cert = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024,
+ cert = issue_cert(@ee1, @rsa2, 2, [], cacert, @rsa1,
not_before: now, not_after: now + 3600)
deserialized = Marshal.load(Marshal.dump(cert))
@@ -378,8 +319,8 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
end
def test_load_file_fullchain_pem
- cert1 = issue_cert(@ee1, @rsa2048, 1, [], nil, nil)
- cert2 = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
+ cert1 = issue_cert(@ee1, @rsa1, 1, [], nil, nil)
+ cert2 = issue_cert(@ca, @rsa2, 1, [], nil, nil)
Tempfile.create("fullchain.pem") do |f|
f.puts cert1.to_pem
@@ -394,7 +335,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
end
def test_load_file_certificate_der
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil)
Tempfile.create("certificate.der", binmode: true) do |f|
f.write cert.to_der
f.close
@@ -419,7 +360,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
end
def test_tbs_precert_bytes
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil)
seq = OpenSSL::ASN1.decode(cert.tbs_bytes)
assert_equal 7, seq.value.size
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
index 89165388db..3c364f57d5 100644
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@@ -6,21 +6,16 @@ if defined?(OpenSSL)
class OpenSSL::TestX509CRL < OpenSSL::TestCase
def setup
super
- @rsa1024 = Fixtures.pkey("rsa1024")
- @rsa2048 = Fixtures.pkey("rsa2048")
- @dsa256 = Fixtures.pkey("dsa256")
- @dsa512 = Fixtures.pkey("dsa512")
+ @rsa1 = Fixtures.pkey("rsa-1")
+ @rsa2 = Fixtures.pkey("rsa-2")
@ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
- @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
- @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
end
def test_basic
now = Time.at(Time.now.to_i)
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
- crl = issue_crl([], 1, now, now+1600, [],
- cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil)
+ crl = issue_crl([], 1, now, now+1600, [], cert, @rsa1, "SHA256")
assert_equal(1, crl.version)
assert_equal(cert.issuer.to_der, crl.issuer.to_der)
assert_equal(now, crl.last_update)
@@ -55,9 +50,9 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
[4, now, 4],
[5, now, 5],
]
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil)
crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
+ cert, @rsa1, "SHA256")
revoked = crl.revoked
assert_equal(5, revoked.size)
assert_equal(1, revoked[0].serial)
@@ -98,7 +93,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
revoke_info = (1..1000).collect{|i| [i, now, 0] }
crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
+ cert, @rsa1, "SHA256")
revoked = crl.revoked
assert_equal(1000, revoked.size)
assert_equal(1, revoked[0].serial)
@@ -122,9 +117,9 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
["issuerAltName", "issuer:copy", false],
]
- cert = issue_cert(@ca, @rsa2048, 1, cert_exts, nil, nil)
+ cert = issue_cert(@ca, @rsa1, 1, cert_exts, nil, nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts,
- cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
+ cert, @rsa1, "SHA256")
exts = crl.extensions
assert_equal(3, exts.size)
assert_equal("1", exts[0].value)
@@ -160,59 +155,55 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
assert_equal(false, exts[2].critical?)
no_ext_crl = issue_crl([], 1, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
+ cert, @rsa1, "SHA256")
assert_equal nil, no_ext_crl.authority_key_identifier
end
def test_crlnumber
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
- crl = issue_crl([], 1, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil)
+ crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @rsa1, "SHA256")
assert_match(1.to_s, crl.extensions[0].value)
assert_match(/X509v3 CRL Number:\s+#{1}/m, crl.to_text)
crl = issue_crl([], 2**32, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
+ cert, @rsa1, "SHA256")
assert_match((2**32).to_s, crl.extensions[0].value)
assert_match(/X509v3 CRL Number:\s+#{2**32}/m, crl.to_text)
crl = issue_crl([], 2**100, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
+ cert, @rsa1, "SHA256")
assert_match(/X509v3 CRL Number:\s+#{2**100}/m, crl.to_text)
assert_match((2**100).to_s, crl.extensions[0].value)
end
def test_sign_and_verify
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
- crl = issue_crl([], 1, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
- assert_equal(false, crl.verify(@rsa1024))
- assert_equal(true, crl.verify(@rsa2048))
- assert_equal(false, crl_error_returns_false { crl.verify(@dsa256) })
- assert_equal(false, crl_error_returns_false { crl.verify(@dsa512) })
+ p256 = Fixtures.pkey("p256")
+
+ cert = issue_cert(@ca, @rsa1, 1, [], nil, nil)
+ crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @rsa1, "SHA256")
+ assert_equal(true, crl.verify(@rsa1))
+ assert_equal(false, crl.verify(@rsa2))
+ assert_equal(false, crl_error_returns_false { crl.verify(p256) })
crl.version = 0
- assert_equal(false, crl.verify(@rsa2048))
+ assert_equal(false, crl.verify(@rsa1))
- cert = issue_cert(@ca, @dsa512, 1, [], nil, nil)
- crl = issue_crl([], 1, Time.now, Time.now+1600, [],
- cert, @dsa512, OpenSSL::Digest.new('SHA256'))
- assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
- assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
- assert_equal(false, crl.verify(@dsa256))
- assert_equal(true, crl.verify(@dsa512))
+ cert = issue_cert(@ca, p256, 1, [], nil, nil)
+ crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, p256, "SHA256")
+ assert_equal(false, crl_error_returns_false { crl.verify(@rsa1) })
+ assert_equal(false, crl_error_returns_false { crl.verify(@rsa2) })
+ assert_equal(true, crl.verify(p256))
crl.version = 0
- assert_equal(false, crl.verify(@dsa512))
+ assert_equal(false, crl.verify(p256))
end
- def test_sign_and_verify_ed25519
+ def test_sign_and_verify_nil_digest
# Ed25519 is not FIPS-approved.
omit_on_fips
ed25519 = OpenSSL::PKey::generate_key("ED25519")
cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
cert, ed25519, nil)
- assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
- assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
+ assert_equal(false, crl_error_returns_false { crl.verify(@rsa1) })
assert_equal(false, crl.verify(OpenSSL::PKey::generate_key("ED25519")))
assert_equal(true, crl.verify(ed25519))
crl.version = 0
@@ -245,8 +236,8 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
def test_eq
now = Time.now
- cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil)
- crl1 = issue_crl([], 1, now, now + 3600, [], cacert, @rsa1024, "sha256")
+ cacert = issue_cert(@ca, @rsa1, 1, [], nil, nil)
+ crl1 = issue_crl([], 1, now, now + 3600, [], cacert, @rsa1, "SHA256")
rev1 = OpenSSL::X509::Revoked.new.tap { |rev|
rev.serial = 1
rev.time = now
@@ -274,8 +265,8 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
def test_marshal
now = Time.now
- cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil)
- crl = issue_crl([], 1, now, now + 3600, [], cacert, @rsa1024, "sha256")
+ cacert = issue_cert(@ca, @rsa1, 1, [], nil, nil)
+ crl = issue_crl([], 1, now, now + 3600, [], cacert, @rsa1, "SHA256")
rev = OpenSSL::X509::Revoked.new.tap { |rev|
rev.serial = 1
rev.time = now
diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb
index c6d15219f5..223c575e4e 100644
--- a/test/openssl/test_x509name.rb
+++ b/test/openssl/test_x509name.rb
@@ -423,24 +423,14 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
assert_equal(nil, n3 <=> nil)
end
- def name_hash(name)
- # OpenSSL 1.0.0 uses SHA1 for canonical encoding (not just a der) of
- # X509Name for X509_NAME_hash.
- name.respond_to?(:hash_old) ? name.hash_old : name.hash
- end
+ def test_hash_old
+ omit_on_fips # MD5
- def test_hash
dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org"
name = OpenSSL::X509::Name.parse(dn)
d = OpenSSL::Digest.digest('MD5', name.to_der)
expected = (d[0].ord & 0xff) | (d[1].ord & 0xff) << 8 | (d[2].ord & 0xff) << 16 | (d[3].ord & 0xff) << 24
- assert_equal(expected, name_hash(name))
- #
- dn = "/DC=org/DC=ruby-lang/CN=baz.ruby-lang.org"
- name = OpenSSL::X509::Name.parse(dn)
- d = OpenSSL::Digest.digest('MD5', name.to_der)
- expected = (d[0].ord & 0xff) | (d[1].ord & 0xff) << 8 | (d[2].ord & 0xff) << 16 | (d[3].ord & 0xff) << 24
- assert_equal(expected, name_hash(name))
+ assert_equal(expected, name.hash_old)
end
def test_equality
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index 18d3e7f8f3..0a2df47bca 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -6,10 +6,8 @@ if defined?(OpenSSL)
class OpenSSL::TestX509Request < OpenSSL::TestCase
def setup
super
- @rsa1024 = Fixtures.pkey("rsa1024")
- @rsa2048 = Fixtures.pkey("rsa2048")
- @dsa256 = Fixtures.pkey("dsa256")
- @dsa512 = Fixtures.pkey("dsa512")
+ @rsa1 = Fixtures.pkey("rsa-1")
+ @rsa2 = Fixtures.pkey("rsa-2")
@dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou")
end
@@ -23,26 +21,22 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
end
def test_public_key
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
- assert_equal(@rsa1024.public_to_der, req.public_key.public_to_der)
+ req = issue_csr(0, @dn, @rsa1, "SHA256")
+ assert_kind_of(OpenSSL::PKey::RSA, req.public_key)
+ assert_equal(@rsa1.public_to_der, req.public_key.public_to_der)
req = OpenSSL::X509::Request.new(req.to_der)
- assert_equal(@rsa1024.public_to_der, req.public_key.public_to_der)
-
- req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA256'))
- assert_equal(@dsa512.public_to_der, req.public_key.public_to_der)
- req = OpenSSL::X509::Request.new(req.to_der)
- assert_equal(@dsa512.public_to_der, req.public_key.public_to_der)
+ assert_equal(@rsa1.public_to_der, req.public_key.public_to_der)
end
def test_version
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+ req = issue_csr(0, @dn, @rsa1, "SHA256")
assert_equal(0, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(0, req.version)
end
def test_subject
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+ req = issue_csr(0, @dn, @rsa1, "SHA256")
assert_equal(@dn.to_der, req.subject.to_der)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(@dn.to_der, req.subject.to_der)
@@ -73,9 +67,9 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
OpenSSL::X509::Attribute.new("msExtReq", attrval),
]
- req0 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+ req0 = issue_csr(0, @dn, @rsa1, "SHA256")
attrs.each{|attr| req0.add_attribute(attr) }
- req1 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+ req1 = issue_csr(0, @dn, @rsa1, "SHA256")
req1.attributes = attrs
assert_equal(req0.to_der, req1.to_der)
@@ -95,65 +89,44 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
assert_equal(exts, get_ext_req(attrs[1].value))
end
- def test_sign_and_verify_rsa_sha1
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
- assert_equal(true, req.verify(@rsa1024))
- assert_equal(false, req.verify(@rsa2048))
- assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
- assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
- req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
- assert_equal(false, req.verify(@rsa1024))
- rescue OpenSSL::X509::RequestError # RHEL 9 disables SHA1
- end
-
- def test_sign_and_verify_rsa_md5
- req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest.new('MD5'))
- assert_equal(false, req.verify(@rsa1024))
- assert_equal(true, req.verify(@rsa2048))
- assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
- assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
- req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar")
- assert_equal(false, req.verify(@rsa2048))
- rescue OpenSSL::X509::RequestError # RHEL7 disables MD5
- end
-
- def test_sign_and_verify_dsa
- req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA256'))
- assert_equal(false, request_error_returns_false { req.verify(@rsa1024) })
- assert_equal(false, request_error_returns_false { req.verify(@rsa2048) })
- assert_equal(false, req.verify(@dsa256))
- assert_equal(true, req.verify(@dsa512))
- req.public_key = @rsa1024.public_key
- assert_equal(false, req.verify(@dsa512))
+ def test_sign_digest_instance
+ req1 = issue_csr(0, @dn, @rsa1, "SHA256")
+ req2 = issue_csr(0, @dn, @rsa1, OpenSSL::Digest.new("SHA256"))
+ assert_equal(req1.to_der, req2.to_der)
end
- def test_sign_and_verify_dsa_md5
- assert_raise(OpenSSL::X509::RequestError){
- issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('MD5')) }
+ def test_sign_and_verify
+ req = issue_csr(0, @dn, @rsa1, "SHA256")
+ assert_equal(true, req.verify(@rsa1))
+ assert_equal(false, req.verify(@rsa2))
+ ec = OpenSSL::PKey::EC.generate("prime256v1")
+ assert_equal(false, request_error_returns_false { req.verify(ec) })
+ req.subject = OpenSSL::X509::Name.parse_rfc2253("CN=FooBarFooBar,C=JP")
+ assert_equal(false, req.verify(@rsa1))
end
- def test_sign_and_verify_ed25519
+ def test_sign_and_verify_nil_digest
# Ed25519 is not FIPS-approved.
omit_on_fips
ed25519 = OpenSSL::PKey::generate_key("ED25519")
req = issue_csr(0, @dn, ed25519, nil)
- assert_equal(false, request_error_returns_false { req.verify(@rsa1024) })
- assert_equal(false, request_error_returns_false { req.verify(@rsa2048) })
+ assert_equal(false, request_error_returns_false { req.verify(@rsa1) })
+ assert_equal(false, request_error_returns_false { req.verify(@rsa2) })
assert_equal(false, req.verify(OpenSSL::PKey::generate_key("ED25519")))
assert_equal(true, req.verify(ed25519))
- req.public_key = @rsa1024.public_key
+ req.public_key = @rsa1
assert_equal(false, req.verify(ed25519))
end
def test_dup
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+ req = issue_csr(0, @dn, @rsa1, "SHA256")
assert_equal(req.to_der, req.dup.to_der)
end
def test_eq
- req1 = issue_csr(0, @dn, @rsa1024, "sha256")
- req2 = issue_csr(0, @dn, @rsa1024, "sha256")
- req3 = issue_csr(0, @dn, @rsa1024, "sha512")
+ req1 = issue_csr(0, @dn, @rsa1, "SHA256")
+ req2 = issue_csr(0, @dn, @rsa1, "SHA256")
+ req3 = issue_csr(0, @dn, @rsa1, "SHA512")
assert_equal false, req1 == 12345
assert_equal true, req1 == req2
@@ -161,7 +134,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
end
def test_marshal
- req = issue_csr(0, @dn, @rsa1024, "sha256")
+ req = issue_csr(0, @dn, @rsa1, "SHA256")
deserialized = Marshal.load(Marshal.dump(req))
assert_equal req.to_der, deserialized.to_der
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-10 16:55:37 +0000