| Age | Commit message | Author |
|
Remove the following subclasses of OpenSSL::PKey::PKeyError and make
them aliases of it.
- OpenSSL::PKey::DHError
- OpenSSL::PKey::DSAError
- OpenSSL::PKey::ECError
- OpenSSL::PKey::RSAError
Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey
raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise
their respective exception classes. However, this distinction is not
particularly useful since all those exception classes represent the
same kind of errors from the underlying EVP_PKEY API.
I think this convention comes from the fact that OpenSSL::PKey::{DH,
DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA,
and RSA, before they were unified to wrap EVP_PKEY, way back in 2002.
OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error
are out of scope of this change, as they are not subclasses of
OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY
API.
https://github.com/ruby/openssl/commit/e74ff3e272
|
|
Use generic keys whenever possible.
https://github.com/ruby/openssl/commit/90d6af60b9
|
|
OSSL_DECODER"
This reverts commit https://github.com/ruby/openssl/commit/5347880c6eb0 and
https://github.com/ruby/openssl/commit/985ba27d6339.
These commits attempted to stop processing after the first relevant PEM
block, whether it is successful or not, when the input contains multiple
keys.
It turned out that it cannot be reliably determined using the
OSSL_DECODER API. There is an edge case where OSSL_DECODER_from_bio()
reports "unsupported" even though the input actually contains an error:
https://redirect.github.com/ruby/openssl/pull/931#discussion_r2347813807
Revert the changes for now and keep the existing behavior, as partial
support does not seem worth the added complexity.
https://github.com/ruby/openssl/commit/319cd4952a
|
|
Continue processing only when OSSL_DECODER_from_bio() returns the error
code ERR_R_UNSUPPORTED. Otherwise, raise an exception without retrying
decoding the input in another format.
This fixes another case where OpenSSL::PKey.read prompts for a
passphrase multiple times when the input contains multiple
passphrase-protected PEM blocks and the first one cannot be decoded.
I am not entirely sure if the error code ERR_R_UNSUPPORTED is considered
part of the public interface of OpenSSL, but this seems to be the only
option available and is the approach used internally by the
PEM_read_bio_*() functions.
Fixes https://github.com/ruby/openssl/issues/927
https://github.com/ruby/openssl/commit/985ba27d63
|
|
Specify OSSL_DECODER_CTX_set_pem_password_cb() only when we expect a
passphrase-protected private key.
OSSL_DECODER appears to try to decrypt every PEM block in the input even
when the PEM header does not match the requested selection. This can
cause repeated prompts for a passphrase in a single OpenSSL::PKey.read
call.
https://github.com/ruby/openssl/commit/933503f49f
|
|
Add tests covering edge cases in the current behavior to prevent
accidental regressions. The next patches will update the OpenSSL 3.x
path.
https://github.com/ruby/openssl/commit/468f8ceea2
|
|
Algorithms implemented only in OpenSSL 3 providers may not have a
corresponding NID. The *_ex() variants have been added in OpenSSL 3.0
to handle such algorithms, by taking algorithm names as a string.
https://github.com/ruby/openssl/commit/e730e457cc
|
|
For algorithms implemented solely in an OpenSSL 3 provider, without an
associated EVP_PKEY_METHOD, EVP_PKEY_id() returns a special value
EVP_PKEY_KEYMGMT.
Let OpenSSL::PKey::PKey#oid raise an exception as necessary.
Update PKey#inspect to include the string returned by
EVP_PKEY_get0_type_name(), if available.
https://github.com/ruby/openssl/commit/bd3e32270e
|
|
Drop support for OpenSSL 1.1.0. OpenSSL 1.1.0 was a non-LTS release and
it has reached upstream EOL in 2019-12 along with OpenSSL 1.0.2.
Distributions that shipped with OpenSSL 1.1.0 include:
- Debian 9 (EOL 2022-06)
- Ubuntu 18.04 LTS (EOL 2023-04)
https://github.com/ruby/openssl/commit/ba83abe920
|
|
Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12.
Most distributions that shipped with OpenSSL 1.0.2 have also reached
EOL, or provide a newer version in the package repository:
- RHEL 7 (EOL 2024-06)
- Ubuntu 16.04 LTS (EOL 2021-04)
- Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via
the openssl11{,-devel} package)
https://github.com/ruby/openssl/commit/38ec6fd50e
|
|
Drop support for LibreSSL 3.1-3.8. LibreSSL 3.8 has reached its EOL in
2024-10.
https://github.com/ruby/openssl/commit/f33d611f9f
|
|
When these test cases were written, we did not know the exact OpenSSL
and LibreSSL version number in which they would be implemented. Now that
we know it, we can use that information to ensure the tests are run
whenever they should be.
- OpenSSL 1.1.0 added X25519 support
- OpenSSL 1.1.1 added Ed25519 support and
EVP_PKEY_new_raw_private_key()
- LibreSSL 3.7.0 added X25519 and Ed25519 support in EVP_PKEY and
EVP_PKEY_new_raw_private_key()
- LibreSSL 3.8.1 allowed ASN1_item_sign() to use Ed25519
https://github.com/ruby/openssl/commit/6cb6663c91
|
|
Method names must start with "test_" to run.
https://github.com/ruby/openssl/commit/fed9d09b76
|
|
test_pkey wasn't checking for libressl as is done elsewhere.
Note the libressl version check is different when testing pkey, because
PKey#sign relies on EVP_PKEY_sign, whereas signing an X509 cert/request/crl
relies on ASN1_item_sign.
https://github.com/ruby/openssl/commit/f1db5c88a2
|
|
This commit fixes the following failure in the OpenSSL master FIPS case.
```
1) Failure: test_ed25519_not_approved_on_fips(OpenSSL::TestPKey): OpenSSL::PKey::PKeyError expected but nothing was raised.
/home/runner/work/openssl/openssl/vendor/bundle/ruby/3.0.0/gems/test-unit-ruby-core-1.0.6/lib/core_assertions.rb:462:in `assert_raise'
/home/runner/work/openssl/openssl/test/openssl/test_pkey.rb:174:in `test_ed25519_not_approved_on_fips'
171: MC4CAQAwBQYDK2VwBCIEIEzNCJso/5banbbDRuwRTg9bijGfNaumJNqM9u1PuKb7
172: -----END PRIVATE KEY-----
173: EOF
=> 174: assert_raise(OpenSSL::PKey::PKeyError) do
175: OpenSSL::PKey.read(priv_pem)
176: end
177: end
```
Because FIPS compliance is a continually moving target. According to [1],
FIPS 140-3 *currently* allows ED25519. ED25519 is allowed again with the
latest OpenSSL FIPS by commit [2], while it is not allowed in the OpenSSL stable
version 3.x FIPS.
Remove this test because we want to keep our tests stable.
[1] https://github.com/openssl/openssl/discussions/22054
[2] https://github.com/openssl/openssl/commit/5f04124aab4a477d4e58149d8f04871ff7e5ea4b
https://github.com/ruby/openssl/commit/d43904b834
|
|
DSA keygen is not FIPS-approved. The `EVP_PKEY_paramgen` in the
`OpenSSL::PKey.generate_parameters("DSA")` raises a DSA error in FIPS by the
following commit. Split the test for DSA.
https://github.com/openssl/openssl/commit/49a35f0#diff-605396c063194975af8ce31399d42690ab18186b422fb5012101cc9132660fe1R611-R614
https://github.com/ruby/openssl/commit/5ca6eb4eca
|
|
* Split the test in the FIPS case as another test.
* test/openssl/utils.rb: Add omit_on_fips and omit_on_non_fips methods.
https://github.com/ruby/openssl/commit/4d64c38ed0
|
|
Because we will add a workaround to avoid this issue.
https://github.com/ruby/openssl/commit/d157ba1d3b
|
|
https://github.com/ruby/openssl/commit/f9980d88aa
|
|
Update the `openssl?` method by adding a status argument.
Note the format is as below.
* OpenSSL 3: 0xMNN00PP0 (major minor 00 patch 0)
* OpenSSL 1: 0xMNNFFPPS (major minor fix patch status)
See <https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_VERSION_NUMBER.html>
for details.
https://github.com/ruby/openssl/commit/db8deaacd3
|
|
(https://github.com/ruby/openssl/pull/646)
Add OpenSSL::PKey.new_raw_private_key, #raw_private_key and public
equivalents. These methods are useful for importing and exporting keys
that support "raw private/public key". Currently, OpenSSL implements
X25519/X448 and Ed25519/Ed448 keys.
[rhe: rewrote commit message]
https://github.com/ruby/openssl/commit/3f29525618
Co-authored-by: Bart de Water <bartdewater@gmail.com>
|
|
It's to test the `OpenSSL::PKey.read` in the `test/openssl/test_pkey.rb`.
I added the pending status to the following tests failing on the FIPS mode
case in the `test/openssl/test_pkey.rb`.
* `test_ed25519`
* `test_x25519`
* `test_compare?`
https://github.com/ruby/openssl/commit/8149cdf6e8
|
|
test_s_generate_parameters
Commit https://github.com/ruby/openssl/commit/f2e2a5e5ed8e ("test/openssl/test_pkey.rb: allow failures in
test_s_generate_parameters", 2022-12-23) was completely bogus. The
problem in OpenSSL 3.0.0-3.0.5 is that errors from the callback are
sometimes silently suppressed.
https://github.com/ruby/openssl/commit/ccc1594492
Notes:
Merged: https://github.com/ruby/ruby/pull/7025
|
|
test_s_generate_parameters
The root cause has been fixed by OpenSSL 3.0.6, but Ubuntu 22.04's
OpenSSL package has not backported the patch yet.
Reference: https://github.com/ruby/openssl/issues/492
https://github.com/ruby/openssl/commit/f2e2a5e5ed
|
|
PKey.generate_parameters tests
OpenSSL 3.0 refuses to generate DSA parameters shorter than 2048 bits,
but generating 2048-bit parameters takes a very long time. Let's use EC
in these test cases instead.
https://github.com/ruby/openssl/commit/c732387ee5
|
|
Use EVP_PKEY_print_private() instead of the low-level API *_print()
functions, such as RSA_print().
EVP_PKEY_print_*() family was added in OpenSSL 1.0.0.
Note that it falls back to EVP_PKEY_print_public() and
EVP_PKEY_print_params() as necessary. This is required for EVP_PKEY_DH
type for which _private() fails if the private component is not set in
the pkey object.
Since the new API works in the same way for all key types, we now
implement #to_text in the base class OpenSSL::PKey::PKey rather than in
each subclass.
https://github.com/ruby/openssl/commit/e0b4c56956
|
|
Explicitly check for type given some conflicting statements within openssl's
documentation around EVP_PKEY_cmp and EVP_PKEY_ASN1_METHOD(3).
Add documentation with an example for compare?
https://github.com/ruby/openssl/commit/0bf51da6e2
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Add OpenSSL::PKey::PKey#derive as the wrapper for EVP_PKEY_CTX_derive().
This is useful for pkey types for which we don't have dedicated classes, such
as X25519.
https://github.com/ruby/openssl/commit/28f0059bea
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
OpenSSL 1.1.1 added EVP_DigestSign() and EVP_DigestVerify() functions
to the interface. Some EVP_PKEY methods such as PureEdDSA algorithms
do not support the streaming mechanism and require us to use them.
https://github.com/ruby/openssl/commit/ae19454592
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
interface
Use EVP_DigestSign*() and EVP_DigestVerify*() interface instead of the
old EVP_Sign*() and EVP_Verify*() functions. They were added in OpenSSL
1.0.0.
Also, allow the digest to be specified as nil, as certain EVP_PKEY types
don't expect a digest algorithm.
https://github.com/ruby/openssl/commit/9ff6e5143b
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Add two methods to create a PKey using the generic EVP interface. This
is useful for the PKey types for which we don't have a dedicated class.
https://github.com/ruby/openssl/commit/d8e8e57de9
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Implement OpenSSL::PKey::PKey#oid as a wrapper around EVP_PKEY_id().
This allows user code to check the type of a PKey object.
EVP_PKEY can have a pkey type for which we do not provide a dedicated
subclass. In other words, an EVP_PKEY that is not any of {RSA,DSA,DH,EC}
can exist. It is currently not possible to distinguish such a pkey.
Also, implement PKey#inspect to include the key type for convenience.
https://github.com/ruby/openssl/commit/dafbb1b3e6
|
|
Import Ruby/OpenSSL 2.0.1. The full commit history since 2.0.0 (imported
at r56946) can be found at:
https://github.com/ruby/openssl/compare/v2.0.0...v2.0.1
This release contains only bug fixes. Note, the first two commits since
v2.0.0 are already imported at r56953 to make Travis and RubyCI green.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57041 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
ext/openssl is now converted into a default gem. The full commit
history since r55538 can be found at:
https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1
[Feature #9612]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|