diff options
author | Job Snijders <job@sobornost.net> | 2024-03-25 12:20:13 +0000 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2024-05-01 01:13:01 +0900 |
commit | cf229f5b11b9ad232998c27f63b5bc94dc283c88 (patch) | |
tree | 6e717b921746d5b07b701a054a80cec66f7ee7d4 /test | |
parent | c6f82ebe641df5a48d786e3f14d20f34603b4bd9 (diff) | |
download | ruby-openssl-cf229f5b11b9ad232998c27f63b5bc94dc283c88.tar.gz |
Only CSR version 1 (encoded as 0) is allowed by PKIX standards
[ This is a backport to the 3.0 branch. ]
RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.
Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.
This commit fixes the following error.
```
2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
40: req = OpenSSL::X509::Request.new(req.to_der)
41: assert_equal(0, req.version)
42:
=> 43: req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
44: assert_equal(1, req.version)
45: req = OpenSSL::X509::Request.new(req.to_der)
46: assert_equal(1, req.version)
```
(cherry picked from commit c06fdeb0912221d9a2888369bbf9c10704af021e)
Diffstat (limited to 'test')
-rw-r--r-- | test/openssl/test_x509req.rb | 7 |
1 files changed, 1 insertions, 6 deletions
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb index ee9c678f..bac9780d 100644 --- a/test/openssl/test_x509req.rb +++ b/test/openssl/test_x509req.rb @@ -39,11 +39,6 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase assert_equal(0, req.version) req = OpenSSL::X509::Request.new(req.to_der) assert_equal(0, req.version) - - req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA1')) - assert_equal(1, req.version) - req = OpenSSL::X509::Request.new(req.to_der) - assert_equal(1, req.version) end def test_subject @@ -106,7 +101,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase assert_equal(false, req.verify(@rsa2048)) assert_equal(false, request_error_returns_false { req.verify(@dsa256) }) assert_equal(false, request_error_returns_false { req.verify(@dsa512) }) - req.version = 1 + req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar") assert_equal(false, req.verify(@rsa1024)) end |