4 files changed, 100 insertions, 30 deletions

diff --git a/ChangeLog b/ChangeLog
index 91de881a1d..8aff7b0015 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Sun Mar  7 06:45:58 2010  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>
+
+	* test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5.
+	  * PKey::PKey#verify raises an exception when a given PKey does not
+	    match with signature.
+	  * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1.
+
 Sun Mar  7 06:41:59 2010  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>
 
 	* backport the commit from trunk:
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index 91dd95e956..a29844ff2b 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -129,13 +129,31 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
 
   end
 
+  def test_sign_and_verify_wrong_key_type
+    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, cert_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::CertificateError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+
+    begin
+      assert_equal(false, cert_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::CertificateError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
+
   def test_sign_and_verify
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::SHA1.new)
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true,  cert.verify(@rsa2048))
-    assert_equal(false, cert.verify(@dsa256))
-    assert_equal(false, cert.verify(@dsa512))
     cert.serial = 2
     assert_equal(false, cert.verify(@rsa2048))
 
@@ -143,32 +161,43 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
                       nil, nil, OpenSSL::Digest::MD5.new)
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true,  cert.verify(@rsa2048))
-    assert_equal(false, cert.verify(@dsa256))
-    assert_equal(false, cert.verify(@dsa512))
     cert.subject = @ee1
     assert_equal(false, cert.verify(@rsa2048))
 
     cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, cert.verify(@rsa1024))
-    assert_equal(false, cert.verify(@rsa2048))
     assert_equal(false, cert.verify(@dsa256))
     assert_equal(true,  cert.verify(@dsa512))
     cert.not_after = Time.now
     assert_equal(false, cert.verify(@dsa512))
+  end
 
-    assert_raise(OpenSSL::X509::CertificateError){
+  def test_dsig_algorithm_mismatch
+    assert_raise(OpenSSL::X509::CertificateError) do
       cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                         nil, nil, OpenSSL::Digest::DSS1.new)
-    }
-    assert_raise(OpenSSL::X509::CertificateError){
+    end
+    assert_raise(OpenSSL::X509::CertificateError) do
       cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
                         nil, nil, OpenSSL::Digest::MD5.new)
-    }
-    assert_raise(OpenSSL::X509::CertificateError){
-      cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::SHA1.new)
-    }
+    end
+  end
+
+  def test_dsa_with_sha2
+    begin
+      cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
+                        nil, nil, OpenSSL::Digest::SHA256.new)
+      assert_equal("dsa_with_SHA256", cert.signature_algorithm)
+    rescue OpenSSL::X509::CertificateError
+      # dsa_with_sha2 not supported. skip following test.
+      return
+    end
+    # TODO: need more tests for dsa + sha2
+
+    # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requireds DSS1)
+    cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    assert_equal("dsaWithSHA1", cert.signature_algorithm)
   end
 
   def test_check_private_key
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
index d9b2ef0c03..e42e923984 100644
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@@ -190,6 +190,30 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
     assert_match((2**100).to_s, crl.extensions[0].value)
   end
 
+  def test_sign_and_verify_wrong_key_type
+    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new)
+    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, crl_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::CRLError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+
+    begin
+      assert_equal(false, crl_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::CRLError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
+
   def test_sign_and_verify
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::SHA1.new)
@@ -197,8 +221,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
                     cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     assert_equal(false, crl.verify(@rsa1024))
     assert_equal(true,  crl.verify(@rsa2048))
-    assert_equal(false, crl.verify(@dsa256))
-    assert_equal(false, crl.verify(@dsa512))
     crl.version = 0
     assert_equal(false, crl.verify(@rsa2048))
 
@@ -206,8 +228,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
                       nil, nil, OpenSSL::Digest::DSS1.new)
     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
                     cert, @dsa512, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, crl.verify(@rsa1024))
-    assert_equal(false, crl.verify(@rsa2048))
     assert_equal(false, crl.verify(@dsa256))
     assert_equal(true,  crl.verify(@dsa512))
     crl.version = 0
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index fca3af8fbb..97ccccf275 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -103,37 +103,51 @@ class OpenSSL::TestX509Request < Test::Unit::TestCase
     assert_equal(exts, get_ext_req(attrs[1].value))
   end
 
+  def test_sign_and_verify_wrong_key_type
+    req_rsa = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+    req_dsa = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, req_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::RequestError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+
+    begin
+      assert_equal(false, req_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::RequestError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
+
   def test_sign_and_verify
     req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
     assert_equal(true,  req.verify(@rsa1024))
     assert_equal(false, req.verify(@rsa2048))
-    assert_equal(false, req.verify(@dsa256))
-    assert_equal(false, req.verify(@dsa512))
     req.version = 1
     assert_equal(false, req.verify(@rsa1024))
 
     req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new)
     assert_equal(false, req.verify(@rsa1024))
     assert_equal(true,  req.verify(@rsa2048))
-    assert_equal(false, req.verify(@dsa256))
-    assert_equal(false, req.verify(@dsa512))
     req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar")
     assert_equal(false, req.verify(@rsa2048))
 
     req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, req.verify(@rsa1024))
-    assert_equal(false, req.verify(@rsa2048))
     assert_equal(false, req.verify(@dsa256))
     assert_equal(true,  req.verify(@dsa512))
     req.public_key = @rsa1024.public_key
     assert_equal(false, req.verify(@dsa512))
+  end
 
-    assert_raise(OpenSSL::X509::RequestError){
-      issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) }
-    assert_raise(OpenSSL::X509::RequestError){
-      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) }
-    assert_raise(OpenSSL::X509::RequestError){
-      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) }
+  def test_dsig_algorithm_mismatch
+    assert_raise(OpenSSL::X509::RequestError) do
+      issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new)
+    end
+    assert_raise(OpenSSL::X509::RequestError) do
+      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new)
+    end
   end
 
   def test_create_from_pem