path: root/ext/openssl/ossl_x509cert.c
AgeCommit message (Collapse)Author
2021-07-18[ruby/openssl] Strip trailing spacesKazuki Yamaguchi
2021-07-18[ruby/openssl] Implement `Certificate.load` to load certificate chain. ↵Samuel Williams
( * Add feature for loading the chained certificate into Certificate array. Co-authored-by: Sao I Kuan <>
2021-07-18[ruby/openssl] x509, ssl, pkcs7: try to parse as DER-encoding firstKazuki Yamaguchi
Methods that take both PEM-encoding and DER-encoding have not been consistent in the order in which encoding to attempt to parse. A DER-encoding may contain a valid PEM block ("\n-----BEGIN ..-----" to "-----END ...-----") embedded within it. Also, the PEM-encoding parser allows arbitrary data around the PEM block and silently skips it. As a result, attempting to parse data in DER-encoding as PEM-encoding first can incorrectly finds the embedded PEM block instead. This commit ensures that DER encoding will always be attempted before PEM encoding. OpenSSL::X509::Certificate is one of the updated classes. With this, the following will always be true: # obj is an OpenSSL::X509::Certificate obj == obj ==
2021-03-16[ruby/openssl] digest, hmac, ts, x509: use IO.binread in examples where ↵Kazuki Yamaguchi
appropriate may mangle line separator, which will corrupt binary data including DER-encoded X.509 certificates and such. Fixes: Notes: Merged:
2020-05-13[ruby/openssl] Look up digest by name instead of constantBart de Water
2017-11-25openssl: import v2.1.0.beta2rhe
Import Ruby/OpenSSL 2.1.0.beta2. The full commit log since commit e72d960db262 which was imported by r60013 can be found at: ---------------------------------------------------------------- Kazuki Yamaguchi (26): bn: use ALLOCV() macro instead of xmalloc() appveyor.yml: remove 'openssl version' line test/test_ssl_session: skip tests for session_remove_cb x509ext: implement X509::Extension#== x509attr: implement X509::Attribute#== x509cert: implement X509::Certificate#== x509revoked: add missing X509::Revoked#to_der x509crl, x509revoked: implement X509::{CRL,Revoked}#== x509req: implement X509::Request#== ssl: extract rb_intern("call") cipher: disallow setting AAD for non-AEAD ciphers test/test_cipher: fix test_non_aead_cipher_set_auth_data failure ssl: fix conflict of options in SSLContext#set_params buffering: let #write accept multiple arguments pkey: make pkey_check_public_key() non-static x509cert, x509crl, x509req, ns_spki: check sanity of public key test/envutil: port assert_warning from Ruby trunk test/utils: remove a pointless .public_key call in issue_cert ssl: add SSLContext#add_certificate test/test_ssl: fix test_security_level Drop support for LibreSSL 2.4 kdf: add HKDF support test/test_x509cert: fix flaky test test/test_x509crl: fix random failure fix a typo Ruby/OpenSSL 2.1.0.beta2 Mark Wright (1): Fix build failure against OpenSSL 1.1 built with no-deprecated Thanks rhenium for the code review and fixes. Peter Karman (1): Add RSA sign_pss() and verify_pss() methods aeris (1): TLS Fallback Signaling Cipher Suite Value kazu (1): Use caller with length to reduce unused strings git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-09-03openssl: import v2.1.0.beta1rhe
Import Ruby/OpenSSL 2.1.0.beta1. The full commit log since v2.0.5 (imported by r59567) can be found at: ---------------------------------------------------------------- Antonio Terceiro (1): test/test_ssl: explicitly accept TLS 1.1 in corresponding test Colby Swandale (1): document using secure protocol to fetch git master in Bundler Colton Jenkins (1): Add fips_mode_get to return fips_mode Kazuki Yamaguchi (85): Start preparing for 2.1.0 Remove support for OpenSSL 0.9.8 and 1.0.0 bn: refine tests bn: implement unary {plus,minus} operators for OpenSSL::BN bn: implement OpenSSL::BN#negative? Don't define main() when built with --enable-debug test: let OpenSSL::TestCase include OpenSSL::TestUtils test: prepare test PKey instances on demand Add OpenSSL.print_mem_leaks Enable OSSL_MDEBUG on CI builds ssl: move default DH parameters from OpenSSL::PKey::DH Make exceptions with the same format regardless of OpenSSL.debug ssl: show reason of 'certificate verify error' in exception message ssl: remove OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384 ssl: do not confuse different ex_data index registries ssl: assume SSL/SSL_CTX always have a valid reference to the Ruby object Fix RDoc markup ssl: suppress compiler warning ext/openssl/deprecation.rb: remove broken-apple-openssl extconf.rb: print informative message if OpenSSL can't be found Rakefile: compile the extension before test kdf: introduce OpenSSL::KDF module ossl.h: add NUM2UINT64T() macro kdf: add scrypt Expand rb_define_copy_func() macro Expand FPTR_TO_FD() macro Remove SafeGet*() macros cipher: rename GetCipherPtr() to ossl_evp_get_cipherbyname() digest: rename GetDigestPtr() to ossl_evp_get_digestbyname() Add ossl_str_new(), an exception-safe rb_str_new() bio: simplify ossl_membio2str() using ossl_str_new() Remove unused functions and macros Drop support for LibreSSL 2.3 ocsp: add OpenSSL::OCSP::Request#signed? asn1: infinite length -> indefinite length asn1: rearrange tests ssl: remove a needless NULL check in SSL::SSLContext#ciphers ssl: return nil in SSL::SSLSocket#cipher if session is not started asn1: remove an unnecessary function prototype asn1: require tag information when instantiating generic type asn1: initialize 'unused_bits' attribute of BitString with 0 asn1: check for illegal 'unused_bits' value of BitString asn1: disallow NULL to be passed to asn1time_to_time() asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid asn1: allow constructed encoding with definite length form asn1: prohibit indefinite length form for primitive encoding asn1: allow tag number to be >= 32 for universal tag class asn1: use ossl_asn1_tag() asn1: clean up OpenSSL::ASN1::Constructive#to_der asn1: harmonize OpenSSL::ASN1::*#to_der asn1: prevent EOC octets from being in the middle of the content asn1: do not treat EOC octets as part of content octets x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entry ssl: do not call session_remove_cb during GC Backport "Merge branch 'topic/test-memory-leak'" to maint cipher: update the documentation for Cipher#auth_tag= Rakefile: let sync:to_ruby know about test/openssl/fixtures test: fix formatting test/utils: remove OpenSSL::TestUtils.silent test/utils: add SSLTestCase#tls12_supported? test/utils: have start_server yield only the port number test/utils: do not set ecdh_curves in start_server test/utils: let server_loop close socket test/utils: improve error handling in start_server test/utils: add OpenSSL::TestUtils.openssl? and .libressl? test/utils: do not use DSA certificates in SSL tests test/test_ssl: remove test_invalid_shutdown_by_gc test/test_ssl: move test_multibyte_read_write to test_pair test/test_ssl_session: rearrange tests test/test_pair, test/test_ssl: fix for TLS 1.3 ssl: remove useless call to rb_thread_wait_fd() ssl: fix NPN support ssl: mark OpenSSL::SSL::SSLContext::DEFAULT_{1024,2048} as private ssl: use 2048-bit group in the default tmp_dh_cb ssl: ensure that SSL option flags are non-negative ssl: update OpenSSL::SSL::OP_* flags ssl: prefer TLS_method() over SSLv23_method() ssl: add SSLContext#min_version= and #max_version= ssl: rework SSLContext#ssl_version= test/test_x509name: change script encoding to ASCII-8BIT x509name: refactor OpenSSL::X509::Name#to_s x509name: add OpenSSL::X509::Name#to_utf8 x509name: add OpenSSL::X509::Name#inspect x509name: update regexp in OpenSSL::X509::Name.parse Ruby/OpenSSL 2.1.0.beta1 Marcus Stollsteimer (1): Fix rdoc for core Integer class nobu (4): [DOC] {read,write}_nonblock with exception: false [DOC] keyword argument _exception_ [DOC] mark up literals Revert r57690 except for read_nonblock git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-08-10openssl: import v2.0.5rhe
Import Ruby/OpenSSL 2.0.5. The full commit history since v2.0.4 (imported at r59081) can be found at: This will fix the test failure on latest Debian sid and the "no OPENSSL_Applink" issue on mswin. ---------------------------------------------------------------- Kazuki Yamaguchi (11): test/test_ssl: allow 3DES cipher suites in test_sslctx_set_params bio: prevent possible GC issue in ossl_obj2bio() bio: do not use the FILE BIO method in ossl_obj2bio() Rakefile: install_dependencies: install only when needed appveyor.yml: test against Ruby 2.4 ossl_pem_passwd_cb: relax passphrase length constraint ossl_pem_passwd_cb: do not check for taintedness ossl_pem_passwd_cb: handle nil from the block explicitly ssl: remove unsupported TLS versions from SSLContext::METHODS ssl: fix compile error with OpenSSL 1.0.0 Ruby/OpenSSL 2.0.5 Lars Kanis (1): Add msys2 library dependency tag in gem metadata git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-11-30openssl: import v2.0.0rhe
Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2 (imported at r56098) can be found at: git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-08-29import Ruby/OpenSSL 2.0.0.beta.1rhe
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1. ext/openssl is now converted into a default gem. The full commit history since r55538 can be found at: [Feature #9612] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: adapt to OpenSSL 1.1.0 opaque structsrhe
* ext/openssl/extconf.rb: Check existence of accessor functions that don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its structures opaque and requires use of these accessor functions. [ruby-core:75225] [Feature #12324] * ext/openssl/openssl_missing.[ch]: Implement them if missing. * ext/openssl/ossl*.c: Use these accessor functions. * test/openssl/test_hmac.rb: Add missing test for HMAC#reset. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: support OpenSSL 1.1.0's new multi-threading APIrhe
* ext/openssl/extconf.rb: Check absence of CRYPTO_lock() to see if the OpenSSL has the new threading API. In OpenSSL <= 1.0.2, an application had to set locking callbacks to use OpenSSL in a multi-threaded environment. OpenSSL 1.1.0 now finds pthreads or Windows threads so we don't need to do something special. [ruby-core:75225] [Feature #12324] Also check existence of *_up_ref(). Some structures in OpenSSL have a reference counter. We used to increment it with CRYPTO_add() which is a part of the old API. * ext/openssl/openssl_missing.h: Implement *_up_ref() if missing. * ext/openssl/ossl.c: Don't set locking callbacks if unneeded. * ext/openssl/ossl_pkey.c, ext/openssl/ossl_ssl.c, ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c, ext/openssl/ossl_x509store.c: Use *_up_ref() instead of CRYPTO_add(). git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-01openssl: fix the Year 2038 problemrhe
r55219 didn't fix the entire issue. It only fixed the issue on environment with sizeof(time_t) == 8 && sizeof(long) == 4. * ext/openssl/extconf.rb: Check existence of ASN1_TIME_adj(). The old ASN1_TIME_set() is not Year 2038 ready on sizeof(time_t) == 4 environment. This function was added in OpenSSL 1.0.0. [ruby-core:45552] [Bug #6571] * ext/openssl/ossl_asn1.c (ossl_time_split): Added. Split the argument (Time) into the number of days elapsed since the epoch and the remainder seconds to conform to ASN1_TIME_adj(). (obj_to_asn1utime, obj_to_asn1gtime): Use ossl_time_split() and ASN1_*TIME_adj(). * ext/openssl/ossl_asn1.h: Add the function prototype for ossl_time_split(). * ext/openssl/ossl_x509.[ch]: Add ossl_x509_time_adjust(). Similarly to obj_to_asn1*time(), use X509_time_adj_ex() instead of X509_time_adj(). * ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c, ext/openssl/ossl_x509revoked.c: Use ossl_x509_time_adjust(). git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-23openssl: use StringValueCStr() where NUL-terminated string is expectedrhe
* ext/openssl/ossl_asn1.c, ext/openssl/ossl_bn.c, ext/openssl/ossl_cipher.c, ext/openssl/ossl_digest.c ext/openssl/ossl_engine.c, ext/openssl/ossl_ns_spki.c ext/openssl/ossl_pkcs12.c, ext/openssl/ossl_pkcs7.c ext/openssl/ossl_pkey.c, ext/openssl/ossl_pkey_ec.c ext/openssl/ossl_rand.c, ext/openssl/ossl_ssl.c ext/openssl/ossl_x509attr.c, ext/openssl/ossl_x509cert.c ext/openssl/ossl_x509ext.c, ext/openssl/ossl_x509store.c: Use StringValueCStr() where NUL-terminated string is expected. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18openssl: clear OpenSSL error queue before return to Rubyrhe
* ext/openssl/ossl_x509cert.c (ossl_x509_verify): X509_verify() family may put errors on 0 return (0 means verification failure). Clear OpenSSL error queue before return to Ruby. Since the queue is thread global, remaining errors in the queue can cause an unexpected error in the next OpenSSL operation. [ruby-core:48284] [Bug #7215] * ext/openssl/ossl_x509crl.c (ossl_x509crl_verify): ditto. * ext/openssl/ossl_x509req.c (ossl_x509req_verify): ditto. * ext/openssl/ossl_x509store.c (ossl_x509stctx_verify): ditto. * ext/openssl/ossl_pkey_dh.c (dh_generate): clear the OpenSSL error queue before re-raising exception. * ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto. * ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto. * ext/openssl/ossl_ssl.c (ossl_start_ssl): ditto. * test/openssl: check that OpenSSL.errors is empty every time after running a test case. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-11-05ext: use RARRAY_AREFnobu
* ext/**/*.c: prefer RARRAY_AREF to indexing RARRAY_CONST_PTR. pointed out by hanmac. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-11-04ext: use RARRAY_CONST_PTRnobu
* ext/bigdecimal/bigdecimal.c: use RARRAY_CONST_PTR just fore reference instead of RARRAY_PTR, to keep the array WB-protected. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-11-04ext: adjust index typenobu
* ext: use long for index instead of int and RARRAY_LENINT. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-09-22* ext/openssl/*: Remove svn commit id macros to make sync easierzzak
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-05-29openssl: wrapper object before allocnobu
* ext/openssl: make wrapper objects before allocating structs to get rid of potential memory leaks. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-04-20* ext/openssl/*: use license instead of licence.hsbt
[fix GH-876][ci skip] Patch by @davydovanton * lib/net/https.rb: ditto. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-12-12ossl_x509cert.c: typed datanobu
* ext/openssl/ossl_x509cert.c (ossl_x509_type): use typed data. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-09-30protoize no-arguments functionsnobu
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-01-13ext: use rb_sprintf() and rb_vsprintf() with PRIsVALUEnobu
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2012-03-31* ext/openssl/ossl_x509cert.c: Fix doc typo.emboss
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2011-11-14* ext/openssl/ossl_pkey.c (ossl_pkey_new_from_file): set close-on-execakr
flag. * ext/openssl/ossl_x509cert.c (rb_fd_fix_cloexec): ditto. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2011-08-16* ext/openssl/ossl_x509cert.c: fixed whitespace issuesemboss
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2011-08-16* ext/openssl/ossl_x509cert.c: Add class documentation foremboss
OpenSSL::X509::Certificate. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2011-06-22* ext/openssl/ossl.h: Introduced OSSL_BIO_reset macro for PEM/DERemboss
fallback scenarios. * ext/openssl/ossl_pkey_dsa.c * ext/openssl/ossl_x509req.c * ext/openssl/ossl_pkey_rsa.c * ext/openssl/ossl_pkey_ec.c * ext/openssl/ossl_ssl_session.c * ext/openssl/ossl_x509crl.c * ext/openssl/ossl_pkey.c * ext/openssl/ossl_pkey_dh.c * ext/openssl/ossl_x509cert.c * ext/openssl/ossl_pkcs7.c: Use OSSL_BIO_reset. * ext/openssl/ossl_ssl.c * ext/openssl/ossl_cipher.c * ext/openssl/ossl_pkey_ec.c * ext/openssl/ossl_pkcs12.c * ext/openssl/ossl_ssl_session.c: Replace rb_raise occurences by ossl_raise. This automatically flushes OpenSSL's error queue. * ext/openssl/ossl_pkcs7.c: Raise error if DER fallback for parsing fails. * test/openssl/test_pkey_ec.rb * test/openssl/test_pkey_dsa.rb * test/openssl/test_pkey_rsa.rb: Add assertions that OpenSSL.errors is empty. * test/openssl/test_pkey_rsa.rb: Remove initial OpenSSL.errors call in test_new. [ Ruby 1.9 - Bug #4885 ] [ruby-core:37134] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2011-03-14* ext/openssl/ossl_x509cert.c: parenthesize macro arguments.akr
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2010-04-22* ext/**/*.[ch]: removed trailing spaces.nobu
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2010-04-22* ext/**/*.[ch]: removed trailing spaces.nobu
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2008-07-22* ext/openssl: suppress warnings.nobu
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2007-04-05* ext/openssl/ossl_{bn,x509{attr,cert,name,store}}.c:technorama
Add documentation. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2006-09-02* ruby.h (struct RArray): embed small arrays.matz
(RARRAY_LEN): defined for accessing array members. (RARRAY_PTR): ditto. * array.c: use RARRAY_LEN and RARRAY_PTR. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2006-08-31* ruby.h (struct RString): embed small strings.matz
(RSTRING_LEN): defined for accessing string members. (RSTRING_PTR): ditto. * string.c: use RSTRING_LEN and RSTRING_PTR. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2004-12-15* lib/set.rb (Set#==): [ruby-dev:25206]matz
* ext/openssl/ossl_digest.c (ossl_digest_initialize): [ruby-dev:25198] * utf8.c (utf8_is_mbc_ambiguous): [ruby-talk:123561] * utf8.c (utf8_mbc_to_normalize): ditto. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2003-09-17* ext/openssl: all files are reviewed to simplify and avoid memory leak.gotoyuzo
* ext/openssl/extconf.rb: add check for assert.h. * ext/openssl/ossl.c (ossl_buf2str): new function to convert C buffer to String and free buffer. * ext/openssl/ossl.c (ossl_x509_ary2sk): new function to convert Array of OpenSSL::X509 to STACK_OF(X509) with exception safe. * ext/openssl/ossl.c (ossl_to_der, ossl_to_der_if_possible): new functions to convert object to DER string. * ext/openssl/ossl.h: ditto. * ext/openssl/ossl_bio.c (ossl_membio2str): new function to convert BIO to String object and free BIO. * ext/openssl/ossl_bio.h: ditto. * ext/openssl/ossl_pkcs7.c (ossl_pkcs7_to_der): add for "to_der". * ext/openssl/ossl_x509name.c (ossl_x509name_to_der): ditto. * ext/openssl/ossl_x509ext.c (ossl_x509ext_to_der): ditto. * ext/openssl/ossl_x509ext.c (create_ext_from_array): removed and reimplement in openssl/x509.rb. * ext/openssl/ossl_x509attr.c: reimplemented and disable some method temporarily. this class doesn't work fine without ASN.1 data support;-) I'll rewrite in near future. * ext/openssl/lib/openssl/x509.c (X509::Attribute): get rid off unused code. * ext/openssl/lib/openssl/x509.c (X509::ExtensionFactory): refine all. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2003-09-06* ext/openssl/ruby_missing.c: rid of unnecessary backwardgotoyuzo
compatibility stuff. and remove DEFINE_ALLOC_WRAPPER from all sources. * ext/openssl/ossl_x509ext.c ( new method. * ext/openssl/ossl_x509ext.c (X509::Extension#oid=): new method. * ext/openssl/ossl_x509ext.c (X509::Extension#value=): new method. * ext/openssl/ossl_x509ext.c (X509::Extension#critical=): new method. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2003-07-23* ext/openssl: imported.gotoyuzo
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e