From 8c4f79d5f30fb2fe647c4f3fd262a5fdeacaeca2 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Sat, 6 Dec 2025 03:33:12 +0900
Subject: [ruby/openssl] x509cert: handle invalid validity periods in
 Certificate#inspect

In a newly allocated OpenSSL X509 object, the notBefore and notAfter
fields contain an ASN1_STRING object with type V_ASN1_UNDEF rather than
an ASN1_TIME.

Commit https://github.com/ruby/openssl/commit/73484f67949a made asn1time_to_time() stricter and it now raises
an exception if the argument is not an ASN1_TIME. Previously, it would
print a verbose-mode warning and return nil.

OpenSSL::X509::Certificate#inspect should work even when the certificate
is invalid. Let's handle this.

https://github.com/ruby/openssl/commit/18c283f2b6
---
 ext/openssl/lib/openssl/x509.rb |  9 +++++++++
 ext/openssl/ossl_x509cert.c     | 15 ---------------
 2 files changed, 9 insertions(+), 15 deletions(-)

(limited to 'ext')

diff --git a/ext/openssl/lib/openssl/x509.rb b/ext/openssl/lib/openssl/x509.rb
index 6459d37b12..66765ffeab 100644
--- a/ext/openssl/lib/openssl/x509.rb
+++ b/ext/openssl/lib/openssl/x509.rb
@@ -346,6 +346,15 @@ module OpenSSL
       include Extension::CRLDistributionPoints
       include Extension::AuthorityInfoAccess
 
+      def inspect
+        "#<#{self.class}: " \
+          "subject=#{subject.inspect}, " \
+          "issuer=#{issuer.inspect}, " \
+          "serial=#{serial.inspect}, " \
+          "not_before=#{not_before.inspect rescue "(error)"}, " \
+          "not_after=#{not_after.inspect rescue "(error)"}>"
+      end
+
       def pretty_print(q)
         q.object_group(self) {
           q.breakable
diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c
index b1e82a2790..4d69008fdd 100644
--- a/ext/openssl/ossl_x509cert.c
+++ b/ext/openssl/ossl_x509cert.c
@@ -665,20 +665,6 @@ ossl_x509_add_extension(VALUE self, VALUE extension)
     return extension;
 }
 
-static VALUE
-ossl_x509_inspect(VALUE self)
-{
-    return rb_sprintf("#<%"PRIsVALUE": subject=%+"PRIsVALUE", "
-                      "issuer=%+"PRIsVALUE", serial=%+"PRIsVALUE", "
-                      "not_before=%+"PRIsVALUE", not_after=%+"PRIsVALUE">",
-                      rb_obj_class(self),
-                      ossl_x509_get_subject(self),
-                      ossl_x509_get_issuer(self),
-                      ossl_x509_get_serial(self),
-                      ossl_x509_get_not_before(self),
-                      ossl_x509_get_not_after(self));
-}
-
 /*
  * call-seq:
  *    cert1 == cert2 -> true | false
@@ -1013,7 +999,6 @@ Init_ossl_x509cert(void)
     rb_define_method(cX509Cert, "extensions", ossl_x509_get_extensions, 0);
     rb_define_method(cX509Cert, "extensions=", ossl_x509_set_extensions, 1);
     rb_define_method(cX509Cert, "add_extension", ossl_x509_add_extension, 1);
-    rb_define_method(cX509Cert, "inspect", ossl_x509_inspect, 0);
     rb_define_method(cX509Cert, "==", ossl_x509_eq, 1);
     rb_define_method(cX509Cert, "tbs_bytes", ossl_x509_tbs_bytes, 0);
 }
-- 
cgit v1.2.3