From 127c8a219f0e2eb3b4b08146bc297832da0b28dd Mon Sep 17 00:00:00 2001 From: usa Date: Fri, 30 Jun 2017 12:42:31 +0000 Subject: * ext/openssl/ossl_x509store.c: clear error queue after calling X509_LOOKUP_load_file() X509_LOOKUP_load_file(), which ends up calling X509_load_cert_crl_file() internally, may leave error entries in the queue even when it returns non-zero value (which indicates success). This will be fixed by OpenSSL 1.1.1, but can be worked around by clearing the error queue ourselves. Fixes: [Backport #11033] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59235 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- test/openssl/test_x509store.rb | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'test') diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb index 9964cc8fc4..0ae94e2c64 100644 --- a/test/openssl/test_x509store.rb +++ b/test/openssl/test_x509store.rb @@ -36,6 +36,32 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase OpenSSL::TestUtils.issue_crl(*args) end + def test_add_file + now = Time.at(Time.now.to_i) + ca_exts = [ + ["basicConstraints", "CA:TRUE", true], + ["keyUsage", "cRLSign,keyCertSign", true], + ] + cert1 = issue_cert(@ca1, @rsa1024, 1, now, now+3600, ca_exts, + nil, nil, "sha1") + cert2 = issue_cert(@ca2, @rsa2048, 1, now, now+3600, ca_exts, + nil, nil, "sha1") + tmpfile = Tempfile.open { |f| f << cert1.to_pem << cert2.to_pem; f } + + store = OpenSSL::X509::Store.new + assert_equal false, store.verify(cert1) + assert_equal false, store.verify(cert2) + store.add_file(tmpfile.path) + assert_equal true, store.verify(cert1) + assert_equal true, store.verify(cert2) + + # OpenSSL < 1.1.1 leaks an error on a duplicate certificate + assert_nothing_raised { store.add_file(tmpfile.path) } + assert_equal [], OpenSSL.errors + ensure + tmpfile and tmpfile.close! + end + def test_verify now = Time.at(Time.now.to_i) ca_exts = [ -- cgit v1.2.3