| Age | Commit message (Collapse) | Author |
|---|
|
test_pkey wasn't checking for libressl as is done elsewhere.
Note the libressl version check is different when testing pkey, because
PKey#sign relies on EVP_PKey_sign, whereas signing an X509 cert/request/crl
relies on ASN1_item_sign.
https://github.com/ruby/openssl/commit/f1db5c88a2
|
|
This commit fixes the following failure on OpenSSL master FIPS case.
```
1) Failure: test_ed25519_not_approved_on_fips(OpenSSL::TestPKey): OpenSSL::PKey::PKeyError expected but nothing was raised.
/home/runner/work/openssl/openssl/vendor/bundle/ruby/3.0.0/gems/test-unit-ruby-core-1.0.6/lib/core_assertions.rb:462:in `assert_raise'
/home/runner/work/openssl/openssl/test/openssl/test_pkey.rb:174:in `test_ed25519_not_approved_on_fips'
171: MC4CAQAwBQYDK2VwBCIEIEzNCJso/5banbbDRuwRTg9bijGfNaumJNqM9u1PuKb7
172: -----END PRIVATE KEY-----
173: EOF
=> 174: assert_raise(OpenSSL::PKey::PKeyError) do
175: OpenSSL::PKey.read(priv_pem)
176: end
177: end
```
Because FIPS compliance is a continually moving target. According to the [1],
FIPS 140-3 *currently* allows ED25519. The ED25519 is allowed again with the
latest OpenSSL FIPS by the commit [2], while it is not allowed in OpenSSL stable
version 3.x FIPS.
Remove this test because we want to keep our tests stable.
[1] https://github.com/openssl/openssl/discussions/22054
[2] https://github.com/openssl/openssl/commit/5f04124aab4a477d4e58149d8f04871ff7e5ea4b
https://github.com/ruby/openssl/commit/d43904b834
|
|
DSA kengen is not FIPS-approved. The `EVP_PKEY_paramgen` in the
`OpenSSL::PKey.generate_parameters("DSA")` raises a DSA error in FIPS by the
following commit. Split the test for DSA.
https://github.com/openssl/openssl/commit/49a35f0#diff-605396c063194975af8ce31399d42690ab18186b422fb5012101cc9132660fe1R611-R614
https://github.com/ruby/openssl/commit/5ca6eb4eca
|
|
* Split the test in the FIPS case as another test.
* test/openssl/utils.rb: Add omit_on_fips and omit_on_non_fips methods.
https://github.com/ruby/openssl/commit/4d64c38ed0
|
|
Because we will add a workaround to avoid this issue.
https://github.com/ruby/openssl/commit/d157ba1d3b
|
|
https://github.com/ruby/openssl/commit/f9980d88aa
|
|
Update the `openssl?` method by adding status argument.
Note the format is below.
* OpenSSL 3: 0xMNN00PP0 (major minor 00 patch 0)
* OpenSSL 1: 0xMNNFFPPS (major minor fix patch status)
See <https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_VERSION_NUMBER.html>
for details.
https://github.com/ruby/openssl/commit/db8deaacd3
|
|
(https://github.com/ruby/openssl/pull/646)
Add OpenSSL::PKey.new_raw_private_key, #raw_private_key and public
equivalents. These methods are useful for importing and exporting keys
that support "raw private/public key". Currently, OpenSSL implements
X25519/X448 and Ed25519/Ed448 keys.
[rhe: rewrote commit message]
https://github.com/ruby/openssl/commit/3f29525618
Co-authored-by: Bart de Water <bartdewater@gmail.com>
|
|
It's to test the `OpenSSL::PKey.read` in the `test/openssl/test_pkey.rb`.
I added the pending status to the following tests failing on the FIPS mode
case in the `test/openssl/test_pkey.rb`.
* `test_ed25519`
* `test_x25519`
* `test_compare?`
https://github.com/ruby/openssl/commit/8149cdf6e8
|
|
test_s_generate_parameters
Commit https://github.com/ruby/openssl/commit/f2e2a5e5ed8e ("test/openssl/test_pkey.rb: allow failures in
test_s_generate_parameters", 2022-12-23) was completely bogus. The
problem in OpenSSL 3.0.0-3.0.5 is that errors from the callback are
sometimes silently suppressed.
https://github.com/ruby/openssl/commit/ccc1594492
Notes:
Merged: https://github.com/ruby/ruby/pull/7025
|
|
test_s_generate_parameters
The root cause has been fixed by OpenSSL 3.0.6, but Ubuntu 22.04's
OpenSSL package has not backported the patch yet.
Reference: https://github.com/ruby/openssl/issues/492
https://github.com/ruby/openssl/commit/f2e2a5e5ed
|
|
PKey.generate_parameters tests
OpenSSL 3.0 refuses to generate DSA parameters shorter than 2048 bits,
but generating 2048 bits parameters takes very long time. Let's use EC
in these test cases instead.
https://github.com/ruby/openssl/commit/c732387ee5
|
|
Use EVP_PKEY_print_private() instead of the low-level API *_print()
functions, such as RSA_print().
EVP_PKEY_print_*() family was added in OpenSSL 1.0.0.
Note that it falls back to EVP_PKEY_print_public() and
EVP_PKEY_print_params() as necessary. This is required for EVP_PKEY_DH
type for which _private() fails if the private component is not set in
the pkey object.
Since the new API works in the same way for all key types, we now
implement #to_text in the base class OpenSSL::PKey::PKey rather than in
each subclass.
https://github.com/ruby/openssl/commit/e0b4c56956
|
|
Explicitly check for type given some conflicting statements within openssl's
documentation around EVP_PKEY_cmp and EVP_PKEY_ASN1_METHOD(3).
Add documentation with an example for compare?
https://github.com/ruby/openssl/commit/0bf51da6e2
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Add OpenSSL::PKey::PKey#derive as the wrapper for EVP_PKEY_CTX_derive().
This is useful for pkey types that we don't have dedicated classes, such
as X25519.
https://github.com/ruby/openssl/commit/28f0059bea
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
OpenSSL 1.1.1 added EVP_DigestSign() and EVP_DigestVerify() functions
to the interface. Some EVP_PKEY methods such as PureEdDSA algorithms
do not support the streaming mechanism and require us to use them.
https://github.com/ruby/openssl/commit/ae19454592
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
interface
Use EVP_DigestSign*() and EVP_DigestVerify*() interface instead of the
old EVP_Sign*() and EVP_Verify*() functions. They were added in OpenSSL
1.0.0.
Also, allow the digest to be specified as nil, as certain EVP_PKEY types
don't expect a digest algorithm.
https://github.com/ruby/openssl/commit/9ff6e5143b
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Add two methods to create a PKey using the generic EVP interface. This
is useful for the PKey types we don't have a dedicated class.
https://github.com/ruby/openssl/commit/d8e8e57de9
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Implement OpenSSL::PKey::PKey#oid as a wrapper around EVP_PKEY_id().
This allows user code to check the type of a PKey object.
EVP_PKEY can have a pkey type for which we do not provide a dedicated
subclass. In other words, an EVP_PKEY that is not any of {RSA,DSA,DH,EC}
can exist. It is currently not possible to distinguish such a pkey.
Also, implement PKey#inspect to include the key type for convenience.
https://github.com/ruby/openssl/commit/dafbb1b3e6
|
|
Import Ruby/OpenSSL 2.0.1. The full commit history since 2.0.0 (imported
at r56946) can be found at:
https://github.com/ruby/openssl/compare/v2.0.0...v2.0.1
This release contains only bug fixes. Note, the first two commits since
v2.0.0 are already imported at r56953 to make Travis and RubyCI green.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57041 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
ext/openssl is now converted into a default gem. The full commit
history since r55538 can be found at:
https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1
[Feature #9612]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
