author | Kazuki Yamaguchi <k@rhe.jp> | 2016-08-12 19:20:46 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2017-11-22 09:46:42 +0900 |
commit | 0b6ac1a13e95fb6ee65f880059afc7d779a8d39c (patch) | |
tree | 2f2630f2eaf6101ccebb624656a5f26af6f95b65 | |
parent | 6ce04c96c8ac823107b2d1560f5cedb9bc61cdb0 (diff) | |
test/test_ssl: fix test_security_level [ky/ssl-add-certificate]
Fix test_security_level using SSLContext#add_certificate. It immediately
sets the certificate to the SSL_CTX, so it is affected by the security
level setting.
-rw-r--r-- | test/test_ssl.rb | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
index 1b665cc9..327501b7 100644
--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -1399,11 +1399,24 @@ end
 return
 end
 assert_equal(1, ctx.security_level)
- # assert_raise(OpenSSL::SSL::SSLError) { ctx.key = Fixtures.pkey("dsa512") }
- # ctx.key = Fixtures.pkey("rsa1024")
- # ctx.security_level = 2
- # assert_raise(OpenSSL::SSL::SSLError) { ctx.key = Fixtures.pkey("rsa1024") }
- pend "FIXME: SSLContext#key= currently does not raise because SSL_CTX_use_certificate() is delayed"
+
+ dsa512 = Fixtures.pkey("dsa512")
+ dsa512_cert = issue_cert(@svr, dsa512, 50, [], @ca_cert, @ca_key)
+ rsa1024 = Fixtures.pkey("rsa1024")
+ rsa1024_cert = issue_cert(@svr, rsa1024, 51, [], @ca_cert, @ca_key)
+
+ assert_raise(OpenSSL::SSL::SSLError) {
+ # 512 bit DSA key is rejected because it offers < 80 bits of security
+ ctx.add_certificate(dsa512_cert, dsa512)
+ }
+ assert_nothing_raised {
+ ctx.add_certificate(rsa1024_cert, rsa1024)
+ }
+ ctx.security_level = 2
+ assert_raise(OpenSSL::SSL::SSLError) {
+ # < 112 bits of security
+ ctx.add_certificate(rsa1024_cert, rsa1024)
+ }
 end
 
 def test_dup |
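Review bot: The two `assert_raise(OpenSSL::SSL::SSLError)` blocks pass on any SSLError raised by `add_certificate`, so they do not show that the rejection came from the security level rather than from something else about the certificate. `issue_cert` is outside the hunk, so the signature digest it uses is not visible here; a digest that the level disallows would satisfy both assertions regardless of key size. The level 2 half also has no positive control, and would still pass if every `add_certificate` call failed once the level is raised. I would add one after the last block, with a key the level should accept, such as `assert_nothing_raised { ctx.add_certificate(strong_cert, strong_key) }`, where `strong_key` is a placeholder for a fixture of at least 2048-bit RSA. Matching the error text in the two rejections would tighten them further. The body of test_security_level starts above the hunk.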