pkey/ec: check private key validity with OpenSSL 3ky/pkey-ec-fix-check

The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1 and 3.0 so that it no longer validates the private key. Instead, private keys can be validated through EVP_PKEY_private_check and EVP_PKEY_pairwise_check. [ky: simplified condition to use either EVP_PKEY_check() or EVP_PKEY_public_check().]
author: Joe Truba <joe@bannable.net> 2022-11-20 00:54:32 +0000
committer: Kazuki Yamaguchi <k@rhe.jp> 2022-12-23 05:55:12 +0900
commit: e38a63ab3d76dbe406a30e8fc4485e17bf7019b1 (patch)
tree: 647e041310b5a592fc24a00141d9354cacc96d57 /test
parent: e5bbd015dcb4fd2c3c31f9024ee1e476087c148d (diff)
download: ruby-openssl-e38a63ab3d76dbe406a30e8fc4485e17bf7019b1.tar.gz
3 files changed, 18 insertions, 0 deletions
diff --git a/test/openssl/fixtures/pkey/p256_too_large.pem b/test/openssl/fixtures/pkey/p256_too_large.pem
new file mode 100644
index 00000000..a73ac37f
--- /dev/null
+++ b/test/openssl/fixtures/pkey/p256_too_large.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIP+TT0V8Fndsnacji9tyf6hmhHywcOWTee9XkiBeJoVloAoGCCqGSM49
+AwEHoUQDQgAEBkhhJIU/2/YdPSlY2I1k25xjK4trr5OXSgXvBC21PtY0HQ7lor7A
+jzT0giJITqmcd81fwGw5+96zLcdxTF1hVQ==
+-----END EC PRIVATE KEY-----
diff --git a/test/openssl/fixtures/pkey/p384_invalid.pem b/test/openssl/fixtures/pkey/p384_invalid.pem
new file mode 100644
index 00000000..d5cdc9a3
--- /dev/null
+++ b/test/openssl/fixtures/pkey/p384_invalid.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDA1Tm0m7YhkfeVpFuarAJYVlHp2tQj+1fOBiLa10t9E8TiQO/hVfxB
+vGaVEQwOheWgBwYFK4EEACKhZANiAASyGqmryZGqdpsq5gEDIfNvgC3AwSJxiBCL
+XKHBTFRp+tCezLDOK/6V8KK/vVGBJlGFW6/I7ahyXprxS7xs7hPA9iz5YiuqXlu+
+lbrIpZOz7b73hyQQCkvbBO/Avg+hPAk=
+-----END EC PRIVATE KEY-----
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
index 9a4818de..37c1fa61 100644
--- a/test/openssl/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@@ -90,6 +90,13 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
     assert_equal(true, key2.public?)
     assert_equal(true, key2.check_key)
 
+    # Behavior of EVP_PKEY_public_check changes between OpenSSL 1.1.1 and 3.0
+    key4 = Fixtures.pkey("p256_too_large")
+    assert_raise(OpenSSL::PKey::ECError) { key4.check_key }
+
+    key5 = Fixtures.pkey("p384_invalid")
+    assert_raise(OpenSSL::PKey::ECError) { key5.check_key }
+
     # EC#private_key= is deprecated in 3.0 and won't work on OpenSSL 3.0
     if !openssl?(3, 0, 0)
       key2.private_key += 1
author	Joe Truba <joe@bannable.net>	2022-11-20 00:54:32 +0000
committer	Kazuki Yamaguchi <k@rhe.jp>	2022-12-23 05:55:12 +0900
commit	e38a63ab3d76dbe406a30e8fc4485e17bf7019b1 (patch)
tree	647e041310b5a592fc24a00141d9354cacc96d57 /test
parent	e5bbd015dcb4fd2c3c31f9024ee1e476087c148d (diff)
download	ruby-openssl-e38a63ab3d76dbe406a30e8fc4485e17bf7019b1.tar.gz