diff options
Diffstat (limited to 'OpenSSL')
41 files changed, 2603 insertions, 1854 deletions
diff --git a/OpenSSL/ASN1.html b/OpenSSL/ASN1.html index a66417e7..1f254b39 100644 --- a/OpenSSL/ASN1.html +++ b/OpenSSL/ASN1.html @@ -188,7 +188,7 @@ <h2 id="module-OpenSSL::ASN1-label-UNIVERSAL_TAG_NAME+constant"><a href="ASN1.html#UNIVERSAL_TAG_NAME"><code>UNIVERSAL_TAG_NAME</code></a> constant<span><a href="#module-OpenSSL::ASN1-label-UNIVERSAL_TAG_NAME+constant">¶</a> <a href="#top">↑</a></span></h2> -<p>An Array that stores the name of a given tag number. These names are the same as the name of the tag constant that is additionally defined, e.g. <a href="2">UNIVERSAL_TAG_NAME</a> = “INTEGER” and OpenSSL::ASN1::INTEGER = 2.</p> +<p>An Array that stores the name of a given tag number. These names are the same as the name of the tag constant that is additionally defined, e.g. +<a href="2">UNIVERSAL_TAG_NAME</a> = “INTEGER”+ and +OpenSSL::ASN1::INTEGER = 2+.</p> <h2 id="module-OpenSSL::ASN1-label-Example+usage">Example usage<span><a href="#module-OpenSSL::ASN1-label-Example+usage">¶</a> <a href="#top">↑</a></span></h2> diff --git a/OpenSSL/ASN1/ASN1Data.html b/OpenSSL/ASN1/ASN1Data.html index 879e7ba8..21aa900f 100644 --- a/OpenSSL/ASN1/ASN1Data.html +++ b/OpenSSL/ASN1/ASN1Data.html @@ -126,7 +126,7 @@ </li><li> <p><em>tag_class</em> equal to <code>:CONTEXT_SPECIFIC</code></p> </li><li> -<p><em>value</em> equal to an Array with one single element, an instance of OpenSSL::ASN1::Integer, i.e. the inner element is the non-tagged primitive value, and the tagging is represented in the outer <a href="ASN1Data.html"><code>ASN1Data</code></a></p> +<p><em>value</em> equal to an Array with one single element, an instance of <a href="../../Integer.html"><code>OpenSSL::ASN1::Integer</code></a>, i.e. the inner element is the non-tagged primitive value, and the tagging is represented in the outer <a href="ASN1Data.html"><code>ASN1Data</code></a></p> </li></ul> <h2 id="class-OpenSSL::ASN1::ASN1Data-label-Example+-+Decoding+an+implicitly+tagged+INTEGER">Example - Decoding an implicitly tagged INTEGER<span><a href="#class-OpenSSL::ASN1::ASN1Data-label-Example+-+Decoding+an+implicitly+tagged+INTEGER">¶</a> <a href="#top">↑</a></span></h2> diff --git a/OpenSSL/ASN1/Primitive.html b/OpenSSL/ASN1/Primitive.html index 81108229..62dd1e33 100644 --- a/OpenSSL/ASN1/Primitive.html +++ b/OpenSSL/ASN1/Primitive.html @@ -110,7 +110,7 @@ </li><li> <p>OpenSSL::ASN1::Boolean <=> <em>value</em> is <code>true</code> or <code>false</code></p> </li><li> -<p>OpenSSL::ASN1::Integer <=> <em>value</em> is an <a href="../BN.html"><code>OpenSSL::BN</code></a></p> +<p><a href="../../Integer.html"><code>OpenSSL::ASN1::Integer</code></a> <=> <em>value</em> is an <a href="../BN.html"><code>OpenSSL::BN</code></a></p> </li><li> <p>OpenSSL::ASN1::BitString <=> <em>value</em> is a String</p> </li><li> diff --git a/OpenSSL/BN.html b/OpenSSL/BN.html index d865d64d..1366be02 100644 --- a/OpenSSL/BN.html +++ b/OpenSSL/BN.html @@ -82,6 +82,8 @@ <ul class="link-list" role="directory"> <li ><a href="#method-c-generate_prime">::generate_prime</a> <li ><a href="#method-c-new">::new</a> + <li ><a href="#method-c-rand">::rand</a> + <li ><a href="#method-c-rand_range">::rand_range</a> <li ><a href="#method-i-25">#%</a> <li ><a href="#method-i-2A">#*</a> <li ><a href="#method-i-2A-2A">#**</a> @@ -95,6 +97,7 @@ <li ><a href="#method-i-3D-3D">#==</a> <li ><a href="#method-i-3D-3D-3D">#===</a> <li ><a href="#method-i-3E-3E">#>></a> + <li ><a href="#method-i-abs">#abs</a> <li ><a href="#method-i-bit_set-3F">#bit_set?</a> <li ><a href="#method-i-clear_bit-21">#clear_bit!</a> <li ><a href="#method-i-cmp">#cmp</a> @@ -102,6 +105,7 @@ <li ><a href="#method-i-copy">#copy</a> <li ><a href="#method-i-eql-3F">#eql?</a> <li ><a href="#method-i-gcd">#gcd</a> + <li ><a href="#method-i-get_flags">#get_flags</a> <li ><a href="#method-i-hash">#hash</a> <li ><a href="#method-i-initialize_copy">#initialize_copy</a> <li ><a href="#method-i-lshift-21">#lshift!</a> @@ -121,6 +125,7 @@ <li ><a href="#method-i-prime_fasttest-3F">#prime_fasttest?</a> <li ><a href="#method-i-rshift-21">#rshift!</a> <li ><a href="#method-i-set_bit-21">#set_bit!</a> + <li ><a href="#method-i-set_flags">#set_flags</a> <li ><a href="#method-i-sqr">#sqr</a> <li ><a href="#method-i-to_bn">#to_bn</a> <li ><a href="#method-i-to_i">#to_i</a> @@ -146,6 +151,19 @@ <section id="5Buntitled-5D" class="documentation-section"> + <section class="constants-list"> + <header> + <h3>Constants</h3> + </header> + <dl> + <dt id="CONSTTIME">CONSTTIME + <dd> + <dt id="MALLOCED">MALLOCED + <dd> + <dt id="STATIC_DATA">STATIC_DATA + <dd> + </dl> + </section> @@ -227,17 +245,32 @@ ossl_bn_s_generate_prime(int argc, VALUE *argv, VALUE klass) </div> <div class="method-heading"> <span class="method-callseq"> - OpenSSL::BN.new(string) → aBN - </span> - </div> - <div class="method-heading"> - <span class="method-callseq"> - OpenSSL::BN.new(string, 0 | 2 | 10 | 16) → aBN + OpenSSL::BN.new(string, base = 10) → aBN </span> </div> <div class="method-description"> - <p>Construct a new <a href="../OpenSSL.html"><code>OpenSSL</code></a> BIGNUM object.</p> + <p>Construct a new OpenSSL BIGNUM object.</p> + +<p>If <code>bn</code> is an <a href="../Integer.html"><code>Integer</code></a> or <a href="BN.html"><code>OpenSSL::BN</code></a>, a new instance of <a href="BN.html"><code>OpenSSL::BN</code></a> representing the same value is returned. See also <a href="../Integer.html#method-i-to_bn"><code>Integer#to_bn</code></a> for the short-hand.</p> + +<p>If a String is given, the content will be parsed according to <code>base</code>.</p> +<dl class="rdoc-list note-list"><dt><code>string</code> +<dd> +<p>The string to be parsed.</p> +</dd><dt><code>base</code> +<dd> +<p>The format. Must be one of the following:</p> +<ul><li> +<p><code>0</code> - MPI format. See the man page BN_mpi2bn(3) for details.</p> +</li><li> +<p><code>2</code> - Variable-length and big-endian binary encoding of a positive number.</p> +</li><li> +<p><code>10</code> - Decimal number representation, with a leading ‘-’ for a negative number.</p> +</li><li> +<p><code>16</code> - Hexadeciaml number representation, with a leading ‘-’ for a negative number.</p> +</li></ul> +</dd></dl> <div class="method-source-code" id="new-source"> <pre>static VALUE @@ -309,6 +342,86 @@ ossl_bn_initialize(int argc, VALUE *argv, VALUE self) </div> + <div id="method-c-rand" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + rand(bits [, fill [, odd]]) → aBN + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Generates a cryptographically strong pseudo-random number of <code>bits</code>.</p> + +<p>See also the man page BN_rand(3).</p> + + <div class="method-source-code" id="rand-source"> + <pre>static VALUE +ossl_bn_s_rand(int argc, VALUE *argv, VALUE klass) +{ + BIGNUM *result; + int bottom = 0, top = 0, b; + VALUE bits, fill, odd, obj; + + switch (rb_scan_args(argc, argv, "12", &bits, &fill, &odd)) { + case 3: + bottom = (odd == Qtrue) ? 1 : 0; + /* FALLTHROUGH */ + case 2: + top = NUM2INT(fill); + } + b = NUM2INT(bits); + obj = NewBN(klass); + if (!(result = BN_new())) { + ossl_raise(eBNError, "BN_new"); + } + if (BN_rand(result, b, top, bottom) <= 0) { + BN_free(result); + ossl_raise(eBNError, "BN_rand"); + } + SetBN(obj, result); + return obj; +}</pre> + </div> + </div> + + + </div> + + <div id="method-c-rand_range" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + rand_range(range) → aBN + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Generates a cryptographically strong pseudo-random number in the range 0…<code>range</code>.</p> + +<p>See also the man page BN_rand_range(3).</p> + + <div class="method-source-code" id="rand_range-source"> + <pre>static VALUE +ossl_bn_s_rand_range(VALUE klass, VALUE range) +{ + BIGNUM *bn = GetBNPtr(range), *result; + VALUE obj = NewBN(klass); + if (!(result = BN_new())) + ossl_raise(eBNError, "BN_new"); + if (BN_rand_range(result, bn) <= 0) { + BN_free(result); + ossl_raise(eBNError, "BN_rand_range"); + } + SetBN(obj, result); + return obj; +}</pre> + </div> + </div> + + + </div> + </section> <section id="public-instance-5Buntitled-5D-method-details" class="method-section"> @@ -391,7 +504,17 @@ ossl_bn_initialize(int argc, VALUE *argv, VALUE self) <pre>static VALUE ossl_bn_uplus(VALUE self) { - return self; + VALUE obj; + BIGNUM *bn1, *bn2; + + GetBN(self, bn1); + obj = NewBN(cBN); + bn2 = BN_dup(bn1); + if (!bn2) + ossl_raise(eBNError, "BN_dup"); + SetBN(obj, bn2); + + return obj; }</pre> </div> </div> @@ -595,6 +718,37 @@ ossl_bn_eq(VALUE self, VALUE other) </div> + <div id="method-i-abs" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + abs → aBN + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + + + <div class="method-source-code" id="abs-source"> + <pre>static VALUE +ossl_bn_abs(VALUE self) +{ + BIGNUM *bn1; + + GetBN(self, bn1); + if (BN_is_negative(bn1)) { + return ossl_bn_uminus(self); + } + else { + return ossl_bn_uplus(self); + } +}</pre> + </div> + </div> + + + </div> + <div id="method-i-bit_set-3F" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> @@ -756,6 +910,37 @@ ossl_bn_eql(VALUE self, VALUE other) </div> + <div id="method-i-get_flags" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + get_flags(flags) → flags + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Returns the flags on the <a href="BN.html"><code>BN</code></a> object. The argument is used as a bit mask.</p> + +<h3 id="method-i-get_flags-label-Parameters">Parameters<span><a href="#method-i-get_flags-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> +<ul><li> +<p><em>flags</em> - integer</p> +</li></ul> + + <div class="method-source-code" id="get_flags-source"> + <pre>static VALUE +ossl_bn_get_flags(VALUE self, VALUE arg) +{ + BIGNUM *bn; + GetBN(self, bn); + + return INT2NUM(BN_get_flags(bn, NUM2INT(arg))); +}</pre> + </div> + </div> + + + </div> + <div id="method-i-hash" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> @@ -1080,35 +1265,30 @@ ossl_bn_is_negative(VALUE self) </div> <div class="method-description"> - <p>Performs a Miller-Rabin probabilistic primality test with <em>checks</em> iterations. If <em>checks</em> is not specified, a number of iterations is used that yields a false positive rate of at most 2^-80 for random input.</p> + <p>Performs a Miller-Rabin probabilistic primality test for <code>bn</code>.</p> -<h3 id="method-i-prime-3F-label-Parameters">Parameters<span><a href="#method-i-prime-3F-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> -<ul><li> -<p><em>checks</em> - integer</p> -</li></ul> +<p><strong><code>checks</code> parameter is deprecated in version 3.0.</strong> It has no effect.</p> <div class="method-source-code" id="prime-3F-source"> <pre>static VALUE ossl_bn_is_prime(int argc, VALUE *argv, VALUE self) { BIGNUM *bn; - VALUE vchecks; - int checks = BN_prime_checks; + int ret; - if (rb_scan_args(argc, argv, "01", &vchecks) == 1) { - checks = NUM2INT(vchecks); - } + rb_check_arity(argc, 0, 1); GetBN(self, bn); - switch (BN_is_prime_ex(bn, checks, ossl_bn_ctx, NULL)) { - case 1: - return Qtrue; - case 0: - return Qfalse; - default: - ossl_raise(eBNError, NULL); - } - /* not reachable */ - return Qnil; + +#ifdef HAVE_BN_CHECK_PRIME + ret = BN_check_prime(bn, ossl_bn_ctx, NULL); + if (ret < 0) + ossl_raise(eBNError, "BN_check_prime"); +#else + ret = BN_is_prime_fasttest_ex(bn, BN_prime_checks, ossl_bn_ctx, 1, NULL); + if (ret < 0) + ossl_raise(eBNError, "BN_is_prime_fasttest_ex"); +#endif + return ret ? Qtrue : Qfalse; }</pre> </div> </div> @@ -1135,43 +1315,18 @@ ossl_bn_is_prime(int argc, VALUE *argv, VALUE self) </div> <div class="method-description"> - <p>Performs a Miller-Rabin primality test. This is same as <a href="BN.html#method-i-prime-3F"><code>prime?</code></a> except this first attempts trial divisions with some small primes.</p> + <p>Performs a Miller-Rabin probabilistic primality test for <code>bn</code>.</p> -<h3 id="method-i-prime_fasttest-3F-label-Parameters">Parameters<span><a href="#method-i-prime_fasttest-3F-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> -<ul><li> -<p><em>checks</em> - integer</p> -</li><li> -<p><em>trial_div</em> - boolean</p> -</li></ul> +<p><strong>Deprecated in version 3.0.</strong> Use <a href="BN.html#method-i-prime-3F"><code>prime?</code></a> instead.</p> + +<p><code>checks</code> and <code>trial_div</code> parameters no longer have any effect.</p> <div class="method-source-code" id="prime_fasttest-3F-source"> <pre>static VALUE ossl_bn_is_prime_fasttest(int argc, VALUE *argv, VALUE self) { - BIGNUM *bn; - VALUE vchecks, vtrivdiv; - int checks = BN_prime_checks, do_trial_division = 1; - - rb_scan_args(argc, argv, "02", &vchecks, &vtrivdiv); - - if (!NIL_P(vchecks)) { - checks = NUM2INT(vchecks); - } - GetBN(self, bn); - /* handle true/false */ - if (vtrivdiv == Qfalse) { - do_trial_division = 0; - } - switch (BN_is_prime_fasttest_ex(bn, checks, ossl_bn_ctx, do_trial_division, NULL)) { - case 1: - return Qtrue; - case 0: - return Qfalse; - default: - ossl_raise(eBNError, NULL); - } - /* not reachable */ - return Qnil; + rb_check_arity(argc, 0, 2); + return ossl_bn_is_prime(0, argv, self); }</pre> </div> </div> @@ -1209,6 +1364,33 @@ ossl_bn_is_prime_fasttest(int argc, VALUE *argv, VALUE self) </div> + <div id="method-i-set_flags" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + set_flags(flags) → nil + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Enables the flags on the <a href="BN.html"><code>BN</code></a> object. Currently, the flags argument can contain zero of <a href="BN.html#CONSTTIME"><code>OpenSSL::BN::CONSTTIME</code></a>.</p> + + <div class="method-source-code" id="set_flags-source"> + <pre>static VALUE +ossl_bn_set_flags(VALUE self, VALUE arg) +{ + BIGNUM *bn; + GetBN(self, bn); + + BN_set_flags(bn, NUM2INT(arg)); + return Qnil; +}</pre> + </div> + </div> + + + </div> + <div id="method-i-sqr" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> @@ -1304,30 +1486,28 @@ ossl_bn_to_i(VALUE self) <div id="method-i-to_s" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - to_s → string + to_s(base = 10) → string </span> <span class="method-click-advice">click to toggle source</span> </div> - <div class="method-heading"> - <span class="method-callseq"> - to_s(base) → string - </span> - </div> <div class="method-description"> - <h3 id="method-i-to_s-label-Parameters">Parameters<span><a href="#method-i-to_s-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> -<ul><li> -<p><em>base</em> - <a href="../Integer.html"><code>Integer</code></a> Valid values:</p> + <p>Returns the string representation of the bignum.</p> + +<p><a href="BN.html#method-c-new"><code>BN.new</code></a> can parse the encoded string to convert back into an <a href="BN.html"><code>OpenSSL::BN</code></a>.</p> +<dl class="rdoc-list note-list"><dt><code>base</code> +<dd> +<p>The format. Must be one of the following:</p> <ul><li> -<p>0 - MPI</p> +<p><code>0</code> - MPI format. See the man page BN_bn2mpi(3) for details.</p> </li><li> -<p>2 - binary</p> +<p><code>2</code> - Variable-length and big-endian binary encoding. The sign of the bignum is ignored.</p> </li><li> -<p>10 - the default</p> +<p><code>10</code> - Decimal number representation, with a leading ‘-’ for a negative bignum.</p> </li><li> -<p>16 - hex</p> -</li></ul> +<p><code>16</code> - Hexadeciaml number representation, with a leading ‘-’ for a negative bignum.</p> </li></ul> +</dd></dl> <div class="method-source-code" id="to_s-source"> <pre>static VALUE diff --git a/OpenSSL/Buffering.html b/OpenSSL/Buffering.html index abaa0cfa..8aa3de5d 100644 --- a/OpenSSL/Buffering.html +++ b/OpenSSL/Buffering.html @@ -83,6 +83,7 @@ <li ><a href="#method-i-eof">#eof</a> <li ><a href="#method-i-eof-3F">#eof?</a> <li ><a href="#method-i-flush">#flush</a> + <li ><a href="#method-i-getbyte">#getbyte</a> <li ><a href="#method-i-getc">#getc</a> <li ><a href="#method-i-gets">#gets</a> <li ><a href="#method-i-print">#print</a> @@ -202,7 +203,7 @@ <p>Writes <em>s</em> to the stream. <em>s</em> will be converted to a String using <code>.to_s</code> method.</p> <div class="method-source-code" id="3C-3C-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 413</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 422</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title"><<</span>(<span class="ruby-identifier">s</span>) <span class="ruby-identifier">do_write</span>(<span class="ruby-identifier">s</span>) <span class="ruby-keyword">self</span> @@ -224,7 +225,7 @@ <p>Closes the SSLSocket and flushes any unwritten data.</p> <div class="method-source-code" id="close-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 474</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 483</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">close</span> <span class="ruby-identifier">flush</span> <span class="ruby-keyword">rescue</span> <span class="ruby-keyword">nil</span> <span class="ruby-identifier">sysclose</span> @@ -248,7 +249,7 @@ <p>See also <a href="Buffering.html#method-i-gets"><code>gets</code></a></p> <div class="method-source-code" id="each-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 250</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 259</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">each</span>(<span class="ruby-identifier">eol</span>=<span class="ruby-identifier">$/</span>) <span class="ruby-keyword">while</span> <span class="ruby-identifier">line</span> = <span class="ruby-keyword">self</span>.<span class="ruby-identifier">gets</span>(<span class="ruby-identifier">eol</span>) <span class="ruby-keyword">yield</span> <span class="ruby-identifier">line</span> @@ -274,7 +275,7 @@ <p>Calls the given block once for each byte in the stream.</p> <div class="method-source-code" id="each_byte-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 291</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 300</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">each_byte</span> <span class="ruby-comment"># :yields: byte</span> <span class="ruby-keyword">while</span> <span class="ruby-identifier">c</span> = <span class="ruby-identifier">getc</span> <span class="ruby-keyword">yield</span>(<span class="ruby-identifier">c</span>.<span class="ruby-identifier">ord</span>) @@ -331,7 +332,7 @@ <p>Returns true if the stream is at file which means there is no more data to be read.</p> <div class="method-source-code" id="eof-3F-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 322</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 331</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">eof?</span> <span class="ruby-identifier">fill_rbuff</span> <span class="ruby-keyword">if</span> <span class="ruby-operator">!</span><span class="ruby-ivar">@eof</span> <span class="ruby-operator">&&</span> <span class="ruby-ivar">@rbuffer</span>.<span class="ruby-identifier">empty?</span> <span class="ruby-ivar">@eof</span> <span class="ruby-operator">&&</span> <span class="ruby-ivar">@rbuffer</span>.<span class="ruby-identifier">empty?</span> @@ -356,7 +357,7 @@ <p>Flushes buffered data to the SSLSocket.</p> <div class="method-source-code" id="flush-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 462</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 471</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">flush</span> <span class="ruby-identifier">osync</span> = <span class="ruby-ivar">@sync</span> <span class="ruby-ivar">@sync</span> = <span class="ruby-keyword">true</span> @@ -371,6 +372,29 @@ </div> + <div id="method-i-getbyte" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + getbyte → 81 + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Get the next 8bit byte from ‘ssl`. Returns `nil` on EOF</p> + + <div class="method-source-code" id="getbyte-source"> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 108</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">getbyte</span> + <span class="ruby-identifier">byte</span> = <span class="ruby-identifier">read</span>(<span class="ruby-value">1</span>) + <span class="ruby-identifier">byte</span> <span class="ruby-operator">&&</span> <span class="ruby-identifier">byte</span>.<span class="ruby-identifier">unpack1</span>(<span class="ruby-string">"C"</span>) +<span class="ruby-keyword">end</span></pre> + </div> + </div> + + + </div> + <div id="method-i-getc" class="method-detail "> <div class="method-heading"> <span class="method-name">getc</span><span @@ -382,7 +406,7 @@ <p>Reads one character from the stream. Returns nil if called at end of file.</p> <div class="method-source-code" id="getc-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 284</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 293</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">getc</span> <span class="ruby-identifier">read</span>(<span class="ruby-value">1</span>) <span class="ruby-keyword">end</span></pre> @@ -409,7 +433,7 @@ <p>Unlike IO#gets the separator must be provided if a limit is provided.</p> <div class="method-source-code" id="gets-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 226</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 235</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">gets</span>(<span class="ruby-identifier">eol</span>=<span class="ruby-identifier">$/</span>, <span class="ruby-identifier">limit</span>=<span class="ruby-keyword">nil</span>) <span class="ruby-identifier">idx</span> = <span class="ruby-ivar">@rbuffer</span>.<span class="ruby-identifier">index</span>(<span class="ruby-identifier">eol</span>) <span class="ruby-keyword">until</span> <span class="ruby-ivar">@eof</span> @@ -446,7 +470,7 @@ <p>See IO#print for full details.</p> <div class="method-source-code" id="print-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 441</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 450</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">print</span>(<span class="ruby-operator">*</span><span class="ruby-identifier">args</span>) <span class="ruby-identifier">s</span> = <span class="ruby-constant">Buffer</span>.<span class="ruby-identifier">new</span> <span class="ruby-identifier">args</span>.<span class="ruby-identifier">each</span>{ <span class="ruby-operator">|</span><span class="ruby-identifier">arg</span><span class="ruby-operator">|</span> <span class="ruby-identifier">s</span> <span class="ruby-operator"><<</span> <span class="ruby-identifier">arg</span>.<span class="ruby-identifier">to_s</span> } @@ -472,7 +496,7 @@ <p>See Kernel#sprintf for format string details.</p> <div class="method-source-code" id="printf-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 454</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 463</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">printf</span>(<span class="ruby-identifier">s</span>, <span class="ruby-operator">*</span><span class="ruby-identifier">args</span>) <span class="ruby-identifier">do_write</span>(<span class="ruby-identifier">s</span> <span class="ruby-operator">%</span> <span class="ruby-identifier">args</span>) <span class="ruby-keyword">nil</span> @@ -496,7 +520,7 @@ <p>See IO#puts for full details.</p> <div class="method-source-code" id="puts-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 423</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 432</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">puts</span>(<span class="ruby-operator">*</span><span class="ruby-identifier">args</span>) <span class="ruby-identifier">s</span> = <span class="ruby-constant">Buffer</span>.<span class="ruby-identifier">new</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">args</span>.<span class="ruby-identifier">empty?</span> @@ -528,7 +552,7 @@ <p>See IO#read for full details.</p> <div class="method-source-code" id="read-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 110</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 119</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">read</span>(<span class="ruby-identifier">size</span>=<span class="ruby-keyword">nil</span>, <span class="ruby-identifier">buf</span>=<span class="ruby-keyword">nil</span>) <span class="ruby-keyword">if</span> <span class="ruby-identifier">size</span> <span class="ruby-operator">==</span> <span class="ruby-value">0</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">buf</span> @@ -590,7 +614,7 @@ <p>By specifying a keyword argument <em>exception</em> to <code>false</code>, you can indicate that <a href="Buffering.html#method-i-read_nonblock"><code>read_nonblock</code></a> should not raise an IO::Wait*able exception, but return the symbol <code>:wait_writable</code> or <code>:wait_readable</code> instead. At EOF, it will return <code>nil</code> instead of raising EOFError.</p> <div class="method-source-code" id="read_nonblock-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 195</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 204</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">read_nonblock</span>(<span class="ruby-identifier">maxlen</span>, <span class="ruby-identifier">buf</span>=<span class="ruby-keyword">nil</span>, <span class="ruby-value">exception:</span> <span class="ruby-keyword">true</span>) <span class="ruby-keyword">if</span> <span class="ruby-identifier">maxlen</span> <span class="ruby-operator">==</span> <span class="ruby-value">0</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">buf</span> @@ -627,7 +651,7 @@ <p>Reads a one-character string from the stream. Raises an EOFError at end of file.</p> <div class="method-source-code" id="readchar-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 301</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 310</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">readchar</span> <span class="ruby-identifier">raise</span> <span class="ruby-constant">EOFError</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">eof?</span> <span class="ruby-identifier">getc</span> @@ -651,7 +675,7 @@ <p>Raises EOFError if at end of file.</p> <div class="method-source-code" id="readline-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 275</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 284</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">readline</span>(<span class="ruby-identifier">eol</span>=<span class="ruby-identifier">$/</span>) <span class="ruby-identifier">raise</span> <span class="ruby-constant">EOFError</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">eof?</span> <span class="ruby-identifier">gets</span>(<span class="ruby-identifier">eol</span>) @@ -675,7 +699,7 @@ <p>See also <a href="Buffering.html#method-i-gets"><code>gets</code></a></p> <div class="method-source-code" id="readlines-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 262</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 271</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">readlines</span>(<span class="ruby-identifier">eol</span>=<span class="ruby-identifier">$/</span>) <span class="ruby-identifier">ary</span> = [] <span class="ruby-keyword">while</span> <span class="ruby-identifier">line</span> = <span class="ruby-keyword">self</span>.<span class="ruby-identifier">gets</span>(<span class="ruby-identifier">eol</span>) @@ -702,7 +726,7 @@ <p>See IO#readpartial for full details.</p> <div class="method-source-code" id="readpartial-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 137</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 146</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">readpartial</span>(<span class="ruby-identifier">maxlen</span>, <span class="ruby-identifier">buf</span>=<span class="ruby-keyword">nil</span>) <span class="ruby-keyword">if</span> <span class="ruby-identifier">maxlen</span> <span class="ruby-operator">==</span> <span class="ruby-value">0</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">buf</span> @@ -747,7 +771,7 @@ <p>Has no effect on unbuffered reads (such as sysread).</p> <div class="method-source-code" id="ungetc-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 314</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 323</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">ungetc</span>(<span class="ruby-identifier">c</span>) <span class="ruby-ivar">@rbuffer</span>[<span class="ruby-value">0</span>,<span class="ruby-value">0</span>] = <span class="ruby-identifier">c</span>.<span class="ruby-identifier">chr</span> <span class="ruby-keyword">end</span></pre> @@ -768,7 +792,7 @@ <p>Writes <em>s</em> to the stream. If the argument is not a String it will be converted using <code>.to_s</code> method. Returns the number of bytes written.</p> <div class="method-source-code" id="write-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 360</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 369</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">write</span>(<span class="ruby-operator">*</span><span class="ruby-identifier">s</span>) <span class="ruby-identifier">s</span>.<span class="ruby-identifier">inject</span>(<span class="ruby-value">0</span>) <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">written</span>, <span class="ruby-identifier">str</span><span class="ruby-operator">|</span> <span class="ruby-identifier">do_write</span>(<span class="ruby-identifier">str</span>) @@ -820,7 +844,7 @@ <p>By specifying a keyword argument <em>exception</em> to <code>false</code>, you can indicate that <a href="Buffering.html#method-i-write_nonblock"><code>write_nonblock</code></a> should not raise an IO::Wait*able exception, but return the symbol <code>:wait_writable</code> or <code>:wait_readable</code> instead.</p> <div class="method-source-code" id="write_nonblock-source"> - <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 404</span> + <pre><span class="ruby-comment"># File lib/openssl/buffering.rb, line 413</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">write_nonblock</span>(<span class="ruby-identifier">s</span>, <span class="ruby-value">exception:</span> <span class="ruby-keyword">true</span>) <span class="ruby-identifier">flush</span> <span class="ruby-identifier">syswrite_nonblock</span>(<span class="ruby-identifier">s</span>, <span class="ruby-value">exception:</span> <span class="ruby-identifier">exception</span>) diff --git a/OpenSSL/Cipher.html b/OpenSSL/Cipher.html index 4e5b36ef..8ce2c060 100644 --- a/OpenSSL/Cipher.html +++ b/OpenSSL/Cipher.html @@ -144,7 +144,7 @@ <p>That is, a string consisting of the hyphenated concatenation of the individual components name, key length and mode. Either all uppercase or all lowercase strings may be used, for example:</p> -<pre class="ruby"><span class="ruby-identifier">cipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'AES-128-CBC'</span>) +<pre class="ruby"><span class="ruby-identifier">cipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'aes-128-cbc'</span>) </pre> <h3 id="class-OpenSSL::Cipher-label-Choosing+either+encryption+or+decryption+mode">Choosing either encryption or decryption mode<span><a href="#class-OpenSSL::Cipher-label-Choosing+either+encryption+or+decryption+mode">¶</a> <a href="#top">↑</a></span></h3> @@ -165,7 +165,7 @@ <p>Symmetric encryption requires a key that is the same for the encrypting and for the decrypting party and after initial key establishment should be kept as private information. There are a lot of ways to create insecure keys, the most notable is to simply take a password as the key without processing the password further. A simple and secure way to create a key for a particular <a href="Cipher/Cipher.html"><code>Cipher</code></a> is</p> -<pre class="ruby"><span class="ruby-identifier">cipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'AES-256-CFB'</span>) +<pre class="ruby"><span class="ruby-identifier">cipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'aes-256-cfb'</span>) <span class="ruby-identifier">cipher</span>.<span class="ruby-identifier">encrypt</span> <span class="ruby-identifier">key</span> = <span class="ruby-identifier">cipher</span>.<span class="ruby-identifier">random_key</span> <span class="ruby-comment"># also sets the generated key on the Cipher</span> </pre> @@ -204,14 +204,14 @@ <pre class="ruby"><span class="ruby-identifier">data</span> = <span class="ruby-string">"Very, very confidential data"</span> -<span class="ruby-identifier">cipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'AES-128-CBC'</span>) +<span class="ruby-identifier">cipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'aes-128-cbc'</span>) <span class="ruby-identifier">cipher</span>.<span class="ruby-identifier">encrypt</span> <span class="ruby-identifier">key</span> = <span class="ruby-identifier">cipher</span>.<span class="ruby-identifier">random_key</span> <span class="ruby-identifier">iv</span> = <span class="ruby-identifier">cipher</span>.<span class="ruby-identifier">random_iv</span> <span class="ruby-identifier">encrypted</span> = <span class="ruby-identifier">cipher</span>.<span class="ruby-identifier">update</span>(<span class="ruby-identifier">data</span>) <span class="ruby-operator">+</span> <span class="ruby-identifier">cipher</span>.<span class="ruby-identifier">final</span> <span class="ruby-operator">...</span> -<span class="ruby-identifier">decipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'AES-128-CBC'</span>) +<span class="ruby-identifier">decipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'aes-128-cbc'</span>) <span class="ruby-identifier">decipher</span>.<span class="ruby-identifier">decrypt</span> <span class="ruby-identifier">decipher</span>.<span class="ruby-identifier">key</span> = <span class="ruby-identifier">key</span> <span class="ruby-identifier">decipher</span>.<span class="ruby-identifier">iv</span> = <span class="ruby-identifier">iv</span> @@ -231,7 +231,7 @@ <p>An example using the GCM (Galois/Counter Mode). You have 16 bytes <em>key</em>, 12 bytes (96 bits) <em>nonce</em> and the associated data <em>auth_data</em>. Be sure not to reuse the <em>key</em> and <em>nonce</em> pair. Reusing an nonce ruins the security guarantees of GCM mode.</p> -<pre class="ruby"><span class="ruby-identifier">cipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'AES-128-GCM'</span>).<span class="ruby-identifier">encrypt</span> +<pre class="ruby"><span class="ruby-identifier">cipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'aes-128-gcm'</span>).<span class="ruby-identifier">encrypt</span> <span class="ruby-identifier">cipher</span>.<span class="ruby-identifier">key</span> = <span class="ruby-identifier">key</span> <span class="ruby-identifier">cipher</span>.<span class="ruby-identifier">iv</span> = <span class="ruby-identifier">nonce</span> <span class="ruby-identifier">cipher</span>.<span class="ruby-identifier">auth_data</span> = <span class="ruby-identifier">auth_data</span> @@ -243,7 +243,7 @@ <p>Now you are the receiver. You know the <em>key</em> and have received <em>nonce</em>, <em>auth_data</em>, <em>encrypted</em> and <em>tag</em> through an untrusted network. Note that GCM accepts an arbitrary length tag between 1 and 16 bytes. You may additionally need to check that the received tag has the correct length, or you allow attackers to forge a valid single byte tag for the tampered ciphertext with a probability of 1/256.</p> <pre class="ruby"><span class="ruby-identifier">raise</span> <span class="ruby-string">"tag is truncated!"</span> <span class="ruby-keyword">unless</span> <span class="ruby-identifier">tag</span>.<span class="ruby-identifier">bytesize</span> <span class="ruby-operator">==</span> <span class="ruby-value">16</span> -<span class="ruby-identifier">decipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'AES-128-GCM'</span>).<span class="ruby-identifier">decrypt</span> +<span class="ruby-identifier">decipher</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Cipher</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'aes-128-gcm'</span>).<span class="ruby-identifier">decrypt</span> <span class="ruby-identifier">decipher</span>.<span class="ruby-identifier">key</span> = <span class="ruby-identifier">key</span> <span class="ruby-identifier">decipher</span>.<span class="ruby-identifier">iv</span> = <span class="ruby-identifier">nonce</span> <span class="ruby-identifier">decipher</span>.<span class="ruby-identifier">auth_tag</span> = <span class="ruby-identifier">tag</span> @@ -286,7 +286,7 @@ ossl_s_ciphers(VALUE self) ary = rb_ary_new(); OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, - (void(*)(const OBJ_NAME*,void*))add_cipher_name_to_ary, + add_cipher_name_to_ary, (void*)ary); return ary; @@ -306,7 +306,7 @@ ossl_s_ciphers(VALUE self) </div> <div class="method-description"> - <p>The string must contain a valid cipher name like “AES-256-CBC”.</p> + <p>The string must contain a valid cipher name like “aes-256-cbc”.</p> <p>A list of cipher names is available by calling <a href="Cipher.html#method-c-ciphers"><code>OpenSSL::Cipher.ciphers</code></a>.</p> diff --git a/OpenSSL/Config.html b/OpenSSL/Config.html index 482dc11f..214c6ebf 100644 --- a/OpenSSL/Config.html +++ b/OpenSSL/Config.html @@ -84,10 +84,9 @@ <li ><a href="#method-c-parse">::parse</a> <li ><a href="#method-c-parse_config">::parse_config</a> <li ><a href="#method-i-5B-5D">#[]</a> - <li ><a href="#method-i-5B-5D-3D">#[]=</a> - <li ><a href="#method-i-add_value">#add_value</a> <li ><a href="#method-i-each">#each</a> <li ><a href="#method-i-get_value">#get_value</a> + <li ><a href="#method-i-initialize_copy">#initialize_copy</a> <li ><a href="#method-i-inspect">#inspect</a> <li ><a href="#method-i-sections">#sections</a> <li ><a href="#method-i-to_s">#to_s</a> @@ -104,8 +103,6 @@ <section class="description"> -<h1 id="class-OpenSSL::Config-label-OpenSSL-3A-3AConfig"><a href="Config.html"><code>OpenSSL::Config</code></a><span><a href="#class-OpenSSL::Config-label-OpenSSL-3A-3AConfig">¶</a> <a href="#top">↑</a></span></h1> - <p>Configuration for the openssl library.</p> <p>Many system’s installation of openssl library will depend on your system configuration. See the value of <a href="Config.html#DEFAULT_CONFIG_FILE"><code>OpenSSL::Config::DEFAULT_CONFIG_FILE</code></a> for the location of the file for your host.</p> @@ -123,13 +120,7 @@ </header> <dl> <dt id="DEFAULT_CONFIG_FILE">DEFAULT_CONFIG_FILE - <dd><p>The default system configuration file for openssl</p> - <dt id="ESCAPE_MAP">ESCAPE_MAP - <dd><p>escaped char map</p> - <dt id="QUOTE_REGEXP_DQ">QUOTE_REGEXP_DQ - <dd><p>escape with backslash and doubled dq</p> - <dt id="QUOTE_REGEXP_SQ">QUOTE_REGEXP_SQ - <dd><p>escape with backslash</p> + <dd><p>The default system configuration file for <a href="../OpenSSL.html"><code>OpenSSL</code></a>.</p> </dl> </section> @@ -142,32 +133,37 @@ <div id="method-c-new" class="method-detail "> <div class="method-heading"> - <span class="method-name">new</span><span - class="method-args">(filename = nil)</span> + <span class="method-callseq"> + new(filename) → OpenSSL::Config + </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Creates an instance of OpenSSL’s configuration class.</p> + <p>Creates an instance of <a href="Config.html"><code>OpenSSL::Config</code></a> from the content of the file specified by <em>filename</em>.</p> <p>This can be used in contexts like <a href="X509/ExtensionFactory.html#attribute-i-config"><code>OpenSSL::X509::ExtensionFactory.config=</code></a></p> -<p>If the optional <em>filename</em> parameter is provided, then it is read in and parsed via parse_config.</p> - <p>This can raise <a href="../IO.html"><code>IO</code></a> exceptions based on the access, or availability of the file. A <a href="ConfigError.html"><code>ConfigError</code></a> exception may be raised depending on the validity of the data being configured.</p> <div class="method-source-code" id="new-source"> - <pre><span class="ruby-comment"># File lib/openssl/config.rb, line 264</span> -<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">initialize</span>(<span class="ruby-identifier">filename</span> = <span class="ruby-keyword">nil</span>) - <span class="ruby-ivar">@data</span> = {} - <span class="ruby-keyword">if</span> <span class="ruby-identifier">filename</span> - <span class="ruby-constant">File</span>.<span class="ruby-identifier">open</span>(<span class="ruby-identifier">filename</span>.<span class="ruby-identifier">to_s</span>) <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">file</span><span class="ruby-operator">|</span> - <span class="ruby-constant">Config</span>.<span class="ruby-identifier">parse_config</span>(<span class="ruby-identifier">file</span>).<span class="ruby-identifier">each</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">section</span>, <span class="ruby-identifier">hash</span><span class="ruby-operator">|</span> - <span class="ruby-identifier">set_section</span>(<span class="ruby-identifier">section</span>, <span class="ruby-identifier">hash</span>) - <span class="ruby-keyword">end</span> - <span class="ruby-keyword">end</span> - <span class="ruby-keyword">end</span> -<span class="ruby-keyword">end</span></pre> + <pre>static VALUE +config_initialize(int argc, VALUE *argv, VALUE self) +{ + CONF *conf = GetConfig(self); + VALUE filename; + + /* 0-arguments call has no use-case, but is kept for compatibility */ + rb_scan_args(argc, argv, "01", &filename); + rb_check_frozen(self); + if (!NIL_P(filename)) { + BIO *bio = BIO_new_file(StringValueCStr(filename), "rb"); + if (!bio) + ossl_raise(eConfigError, "BIO_new_file"); + config_load_bio(conf, bio); /* Consumes BIO */ + } + return self; +}</pre> </div> </div> @@ -176,25 +172,27 @@ <div id="method-c-parse" class="method-detail "> <div class="method-heading"> - <span class="method-name">parse</span><span - class="method-args">(string)</span> + <span class="method-callseq"> + parse(string) → OpenSSL::Config + </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> <p>Parses a given <em>string</em> as a blob that contains configuration for <a href="../OpenSSL.html"><code>OpenSSL</code></a>.</p> -<p>If the source of the <a href="../IO.html"><code>IO</code></a> is a file, then consider using parse_config.</p> - <div class="method-source-code" id="parse-source"> - <pre><span class="ruby-comment"># File lib/openssl/config.rb, line 37</span> -<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">parse</span>(<span class="ruby-identifier">string</span>) - <span class="ruby-identifier">c</span> = <span class="ruby-identifier">new</span>() - <span class="ruby-identifier">parse_config</span>(<span class="ruby-constant">StringIO</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">string</span>)).<span class="ruby-identifier">each</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">section</span>, <span class="ruby-identifier">hash</span><span class="ruby-operator">|</span> - <span class="ruby-identifier">c</span>.<span class="ruby-identifier">set_section</span>(<span class="ruby-identifier">section</span>, <span class="ruby-identifier">hash</span>) - <span class="ruby-keyword">end</span> - <span class="ruby-identifier">c</span> -<span class="ruby-keyword">end</span></pre> + <pre>static VALUE +config_s_parse(VALUE klass, VALUE str) +{ + VALUE obj = config_s_alloc(klass); + CONF *conf = GetConfig(obj); + BIO *bio; + + bio = ossl_obj2bio(&str); + config_load_bio(conf, bio); /* Consumes BIO */ + return obj; +}</pre> </div> </div> @@ -203,25 +201,31 @@ <div id="method-c-parse_config" class="method-detail "> <div class="method-heading"> - <span class="method-name">parse_config</span><span - class="method-args">(io)</span> + <span class="method-callseq"> + parse_config(io) → hash + </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Parses the configuration data read from <em>io</em>, see also parse.</p> - -<p>Raises a <a href="ConfigError.html"><code>ConfigError</code></a> on invalid configuration data.</p> + <p>Parses the configuration data read from <em>io</em> and returns the whole content as a Hash.</p> <div class="method-source-code" id="parse_config-source"> - <pre><span class="ruby-comment"># File lib/openssl/config.rb, line 53</span> -<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">parse_config</span>(<span class="ruby-identifier">io</span>) - <span class="ruby-keyword">begin</span> - <span class="ruby-identifier">parse_config_lines</span>(<span class="ruby-identifier">io</span>) - <span class="ruby-keyword">rescue</span> <span class="ruby-operator">=></span> <span class="ruby-identifier">error</span> - <span class="ruby-identifier">raise</span> <span class="ruby-constant">ConfigError</span>, <span class="ruby-node">"error in line #{io.lineno}: "</span> <span class="ruby-operator">+</span> <span class="ruby-identifier">error</span>.<span class="ruby-identifier">message</span> - <span class="ruby-keyword">end</span> -<span class="ruby-keyword">end</span></pre> + <pre>static VALUE +config_s_parse_config(VALUE klass, VALUE io) +{ + VALUE obj, sections, ret; + long i; + + obj = config_s_parse(klass, io); + sections = config_get_sections(obj); + ret = rb_hash_new(); + for (i = 0; i < RARRAY_LEN(sections); i++) { + VALUE section = rb_ary_entry(sections, i); + rb_hash_aset(ret, section, config_get_section(obj, section)); + } + return ret; +}</pre> </div> </div> @@ -237,13 +241,14 @@ <div id="method-i-5B-5D" class="method-detail "> <div class="method-heading"> - <span class="method-name">[]</span><span - class="method-args">(section)</span> + <span class="method-callseq"> + config[section] → hash + </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Get a specific <em>section</em> from the current configuration</p> + <p>Gets all key-value pairs in a specific <em>section</em> from the current configuration.</p> <p>Given the following configurating file being loaded:</p> @@ -261,73 +266,78 @@ </pre> <div class="method-source-code" id="5B-5D-source"> - <pre><span class="ruby-comment"># File lib/openssl/config.rb, line 360</span> -<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">[]</span>(<span class="ruby-identifier">section</span>) - <span class="ruby-ivar">@data</span>[<span class="ruby-identifier">section</span>] <span class="ruby-operator">||</span> {} -<span class="ruby-keyword">end</span></pre> + <pre>static VALUE +config_get_section(VALUE self, VALUE section) +{ + CONF *conf = GetConfig(self); + STACK_OF(CONF_VALUE) *sk; + int i, entries; + VALUE hash; + + hash = rb_hash_new(); + StringValueCStr(section); + if (!(sk = NCONF_get_section(conf, RSTRING_PTR(section)))) { + ossl_clear_error(); + return hash; + } + entries = sk_CONF_VALUE_num(sk); + for (i = 0; i < entries; i++) { + CONF_VALUE *entry = sk_CONF_VALUE_value(sk, i); + rb_hash_aset(hash, rb_str_new_cstr(entry->name), + rb_str_new_cstr(entry->value)); + } + return hash; +}</pre> </div> </div> </div> - <div id="method-i-5B-5D-3D" class="method-detail "> + <div id="method-i-each" class="method-detail "> <div class="method-heading"> - <span class="method-name">[]=</span><span - class="method-args">(section, pairs)</span> + <span class="method-callseq"> + each { |section, key, value| } + </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>*Deprecated in v2.2.0*. This method will be removed in a future release.</p> + <p>Retrieves the section and its pairs for the current configuration.</p> -<p>Sets a specific <em>section</em> name with a Hash <em>pairs</em>.</p> - -<p>Given the following configuration being created:</p> - -<pre class="ruby"><span class="ruby-identifier">config</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Config</span>.<span class="ruby-identifier">new</span> - <span class="ruby-comment">#=> #<OpenSSL::Config sections=[]></span> -<span class="ruby-identifier">config</span>[<span class="ruby-string">'default'</span>] = {<span class="ruby-string">"foo"</span><span class="ruby-operator">=></span><span class="ruby-string">"bar"</span>,<span class="ruby-string">"baz"</span><span class="ruby-operator">=></span><span class="ruby-string">"buz"</span>} - <span class="ruby-comment">#=> {"foo"=>"bar", "baz"=>"buz"}</span> -<span class="ruby-identifier">puts</span> <span class="ruby-identifier">config</span>.<span class="ruby-identifier">to_s</span> - <span class="ruby-comment">#=> [ default ]</span> - <span class="ruby-comment"># foo=bar</span> - <span class="ruby-comment"># baz=buz</span> +<pre class="ruby"><span class="ruby-identifier">config</span>.<span class="ruby-identifier">each</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">section</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">value</span><span class="ruby-operator">|</span> + <span class="ruby-comment"># ...</span> +<span class="ruby-keyword">end</span> </pre> -<p>It’s important to note that this will essentially merge any of the keys in <em>pairs</em> with the existing <em>section</em>. For example:</p> + <div class="method-source-code" id="each-source"> + <pre>static VALUE +config_each(VALUE self) +{ + CONF *conf = GetConfig(self); -<pre class="ruby"><span class="ruby-identifier">config</span>[<span class="ruby-string">'default'</span>] - <span class="ruby-comment">#=> {"foo"=>"bar", "baz"=>"buz"}</span> -<span class="ruby-identifier">config</span>[<span class="ruby-string">'default'</span>] = {<span class="ruby-string">"foo"</span> <span class="ruby-operator">=></span> <span class="ruby-string">"changed"</span>} - <span class="ruby-comment">#=> {"foo"=>"changed"}</span> -<span class="ruby-identifier">config</span>[<span class="ruby-string">'default'</span>] - <span class="ruby-comment">#=> {"foo"=>"changed", "baz"=>"buz"}</span> -</pre> + RETURN_ENUMERATOR(self, 0, 0); - <div class="method-source-code" id="5B-5D-3D-source"> - <pre><span class="ruby-comment"># File lib/openssl/config.rb, line 399</span> -<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">[]=</span>(<span class="ruby-identifier">section</span>, <span class="ruby-identifier">pairs</span>) - <span class="ruby-identifier">check_modify</span> - <span class="ruby-identifier">set_section</span>(<span class="ruby-identifier">section</span>, <span class="ruby-identifier">pairs</span>) -<span class="ruby-keyword">end</span></pre> + lh_doall_arg((_LHASH *)conf->data, LHASH_DOALL_ARG_FN(each_conf_value), + NULL); + return self; +}</pre> </div> </div> </div> - <div id="method-i-add_value" class="method-detail "> + <div id="method-i-get_value" class="method-detail "> <div class="method-heading"> - <span class="method-name">add_value</span><span - class="method-args">(section, key, value)</span> + <span class="method-callseq"> + get_value(section, key) → string + </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>*Deprecated in v2.2.0*. This method will be removed in a future release.</p> - -<p>Set the target <em>key</em> with a given <em>value</em> under a specific <em>section</em>.</p> + <p>Gets the value of <em>key</em> from the given <em>section</em>.</p> <p>Given the following configurating file being loaded:</p> @@ -338,93 +348,60 @@ <span class="ruby-comment"># foo=bar</span> </pre> -<p>You can set the value of <em>foo</em> under the <em>default</em> section to a new value:</p> - -<pre class="ruby"><span class="ruby-identifier">config</span>.<span class="ruby-identifier">add_value</span>(<span class="ruby-string">'default'</span>, <span class="ruby-string">'foo'</span>, <span class="ruby-string">'buzz'</span>) - <span class="ruby-comment">#=> "buzz"</span> -<span class="ruby-identifier">puts</span> <span class="ruby-identifier">config</span>.<span class="ruby-identifier">to_s</span> - <span class="ruby-comment">#=> [ default ]</span> - <span class="ruby-comment"># foo=buzz</span> -</pre> - - <div class="method-source-code" id="add_value-source"> - <pre><span class="ruby-comment"># File lib/openssl/config.rb, line 339</span> -<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">add_value</span>(<span class="ruby-identifier">section</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">value</span>) - <span class="ruby-identifier">check_modify</span> - (<span class="ruby-ivar">@data</span>[<span class="ruby-identifier">section</span>] <span class="ruby-operator">||=</span> {})[<span class="ruby-identifier">key</span>] = <span class="ruby-identifier">value</span> -<span class="ruby-keyword">end</span></pre> - </div> - </div> - - - </div> - - <div id="method-i-each" class="method-detail "> - <div class="method-heading"> - <span class="method-name">each</span><span - class="method-args">() { |section, key, value| ... }</span> - <span class="method-click-advice">click to toggle source</span> - </div> - - <div class="method-description"> - <p>For a block.</p> - -<p>Receive the section and its pairs for the current configuration.</p> +<p>You can get a specific value from the config if you know the <em>section</em> and <em>key</em> like so:</p> -<pre class="ruby"><span class="ruby-identifier">config</span>.<span class="ruby-identifier">each</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">section</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">value</span><span class="ruby-operator">|</span> - <span class="ruby-comment"># ...</span> -<span class="ruby-keyword">end</span> +<pre class="ruby"><span class="ruby-identifier">config</span>.<span class="ruby-identifier">get_value</span>(<span class="ruby-string">'default'</span>,<span class="ruby-string">'foo'</span>) + <span class="ruby-comment">#=> "bar"</span> </pre> - <div class="method-source-code" id="each-source"> - <pre><span class="ruby-comment"># File lib/openssl/config.rb, line 464</span> -<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">each</span> - <span class="ruby-ivar">@data</span>.<span class="ruby-identifier">each</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">section</span>, <span class="ruby-identifier">hash</span><span class="ruby-operator">|</span> - <span class="ruby-identifier">hash</span>.<span class="ruby-identifier">each</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">key</span>, <span class="ruby-identifier">value</span><span class="ruby-operator">|</span> - <span class="ruby-keyword">yield</span> [<span class="ruby-identifier">section</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">value</span>] - <span class="ruby-keyword">end</span> - <span class="ruby-keyword">end</span> -<span class="ruby-keyword">end</span></pre> + <div class="method-source-code" id="get_value-source"> + <pre>static VALUE +config_get_value(VALUE self, VALUE section, VALUE key) +{ + CONF *conf = GetConfig(self); + const char *str, *sectionp; + + StringValueCStr(section); + StringValueCStr(key); + /* For compatibility; NULL means "default". */ + sectionp = RSTRING_LEN(section) ? RSTRING_PTR(section) : NULL; + str = NCONF_get_string(conf, sectionp, RSTRING_PTR(key)); + if (!str) { + ossl_clear_error(); + return Qnil; + } + return rb_str_new_cstr(str); +}</pre> </div> </div> </div> - <div id="method-i-get_value" class="method-detail "> + <div id="method-i-initialize_copy" class="method-detail "> <div class="method-heading"> - <span class="method-name">get_value</span><span - class="method-args">(section, key)</span> + <span class="method-name">initialize_copy</span><span + class="method-args">(p1)</span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Gets the value of <em>key</em> from the given <em>section</em></p> - -<p>Given the following configurating file being loaded:</p> - -<pre class="ruby"><span class="ruby-identifier">config</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Config</span>.<span class="ruby-identifier">load</span>(<span class="ruby-string">'foo.cnf'</span>) - <span class="ruby-comment">#=> #<OpenSSL::Config sections=["default"]></span> -<span class="ruby-identifier">puts</span> <span class="ruby-identifier">config</span>.<span class="ruby-identifier">to_s</span> - <span class="ruby-comment">#=> [ default ]</span> - <span class="ruby-comment"># foo=bar</span> -</pre> - -<p>You can get a specific value from the config if you know the <em>section</em> and <em>key</em> like so:</p> - -<pre class="ruby"><span class="ruby-identifier">config</span>.<span class="ruby-identifier">get_value</span>(<span class="ruby-string">'default'</span>,<span class="ruby-string">'foo'</span>) - <span class="ruby-comment">#=> "bar"</span> -</pre> - - <div class="method-source-code" id="get_value-source"> - <pre><span class="ruby-comment"># File lib/openssl/config.rb, line 292</span> -<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">get_value</span>(<span class="ruby-identifier">section</span>, <span class="ruby-identifier">key</span>) - <span class="ruby-keyword">if</span> <span class="ruby-identifier">section</span>.<span class="ruby-identifier">nil?</span> - <span class="ruby-identifier">raise</span> <span class="ruby-constant">TypeError</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'nil not allowed'</span>) - <span class="ruby-keyword">end</span> - <span class="ruby-identifier">section</span> = <span class="ruby-string">'default'</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">section</span>.<span class="ruby-identifier">empty?</span> - <span class="ruby-identifier">get_key_string</span>(<span class="ruby-identifier">section</span>, <span class="ruby-identifier">key</span>) -<span class="ruby-keyword">end</span></pre> + + + <div class="method-source-code" id="initialize_copy-source"> + <pre>static VALUE +config_initialize_copy(VALUE self, VALUE other) +{ + CONF *conf = GetConfig(self); + VALUE str; + BIO *bio; + + str = rb_funcall(other, rb_intern("to_s"), 0); + rb_check_frozen(self); + bio = ossl_obj2bio(&str); + config_load_bio(conf, bio); /* Consumes BIO */ + return self; +}</pre> </div> </div> @@ -433,8 +410,9 @@ <div id="method-i-inspect" class="method-detail "> <div class="method-heading"> - <span class="method-name">inspect</span><span - class="method-args">()</span> + <span class="method-callseq"> + inspect → string + </span> <span class="method-click-advice">click to toggle source</span> </div> @@ -442,10 +420,20 @@ <p>String representation of this configuration object, including the class name and its sections.</p> <div class="method-source-code" id="inspect-source"> - <pre><span class="ruby-comment"># File lib/openssl/config.rb, line 475</span> -<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">inspect</span> - <span class="ruby-node">"#<#{self.class.name} sections=#{sections.inspect}>"</span> -<span class="ruby-keyword">end</span></pre> + <pre>static VALUE +config_inspect(VALUE self) +{ + VALUE str, ary = config_get_sections(self); + const char *cname = rb_class2name(rb_obj_class(self)); + + str = rb_str_new_cstr("#<"); + rb_str_cat_cstr(str, cname); + rb_str_cat_cstr(str, " sections="); + rb_str_append(str, rb_inspect(ary)); + rb_str_cat_cstr(str, ">"); + + return str; +}</pre> </div> </div> @@ -454,19 +442,27 @@ <div id="method-i-sections" class="method-detail "> <div class="method-heading"> - <span class="method-name">sections</span><span - class="method-args">()</span> + <span class="method-callseq"> + sections → array of string + </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Get the names of all sections in the current configuration</p> + <p>Get the names of all sections in the current configuration.</p> <div class="method-source-code" id="sections-source"> - <pre><span class="ruby-comment"># File lib/openssl/config.rb, line 413</span> -<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">sections</span> - <span class="ruby-ivar">@data</span>.<span class="ruby-identifier">keys</span> -<span class="ruby-keyword">end</span></pre> + <pre>static VALUE +config_get_sections(VALUE self) +{ + CONF *conf = GetConfig(self); + VALUE ary; + + ary = rb_ary_new(); + lh_doall_arg((_LHASH *)conf->data, LHASH_DOALL_ARG_FN(get_conf_section), + &ary); + return ary; +}</pre> </div> </div> @@ -475,13 +471,14 @@ <div id="method-i-to_s" class="method-detail "> <div class="method-heading"> - <span class="method-name">to_s</span><span - class="method-args">()</span> + <span class="method-callseq"> + to_s → string + </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Get the parsable form of the current configuration</p> + <p>Gets the parsable form of the current configuration.</p> <p>Given the following configuration being created:</p> @@ -508,18 +505,17 @@ </pre> <div class="method-source-code" id="to_s-source"> - <pre><span class="ruby-comment"># File lib/openssl/config.rb, line 443</span> -<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">to_s</span> - <span class="ruby-identifier">ary</span> = [] - <span class="ruby-ivar">@data</span>.<span class="ruby-identifier">keys</span>.<span class="ruby-identifier">sort</span>.<span class="ruby-identifier">each</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">section</span><span class="ruby-operator">|</span> - <span class="ruby-identifier">ary</span> <span class="ruby-operator"><<</span> <span class="ruby-node">"[ #{section} ]\n"</span> - <span class="ruby-ivar">@data</span>[<span class="ruby-identifier">section</span>].<span class="ruby-identifier">keys</span>.<span class="ruby-identifier">each</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">key</span><span class="ruby-operator">|</span> - <span class="ruby-identifier">ary</span> <span class="ruby-operator"><<</span> <span class="ruby-node">"#{key}=#{@data[section][key]}\n"</span> - <span class="ruby-keyword">end</span> - <span class="ruby-identifier">ary</span> <span class="ruby-operator"><<</span> <span class="ruby-string">"\n"</span> - <span class="ruby-keyword">end</span> - <span class="ruby-identifier">ary</span>.<span class="ruby-identifier">join</span> -<span class="ruby-keyword">end</span></pre> + <pre>static VALUE +config_to_s(VALUE self) +{ + CONF *conf = GetConfig(self); + VALUE str; + + str = rb_str_new(NULL, 0); + lh_doall_arg((_LHASH *)conf->data, LHASH_DOALL_ARG_FN(dump_conf_value), + &str); + return str; +}</pre> </div> </div> diff --git a/OpenSSL/Digest.html b/OpenSSL/Digest.html index 27256700..f5abc344 100644 --- a/OpenSSL/Digest.html +++ b/OpenSSL/Digest.html @@ -135,16 +135,16 @@ <h3 id="class-OpenSSL::Digest-label-Hashing+a+file">Hashing a file<span><a href="#class-OpenSSL::Digest-label-Hashing+a+file">¶</a> <a href="#top">↑</a></span></h3> -<pre class="ruby"><span class="ruby-identifier">data</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">'document'</span>) +<pre class="ruby"><span class="ruby-identifier">data</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">'document'</span>) <span class="ruby-identifier">sha256</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'SHA256'</span>) <span class="ruby-identifier">digest</span> = <span class="ruby-identifier">sha256</span>.<span class="ruby-identifier">digest</span>(<span class="ruby-identifier">data</span>) </pre> <h3 id="class-OpenSSL::Digest-label-Hashing+several+pieces+of+data+at+once">Hashing several pieces of data at once<span><a href="#class-OpenSSL::Digest-label-Hashing+several+pieces+of+data+at+once">¶</a> <a href="#top">↑</a></span></h3> -<pre class="ruby"><span class="ruby-identifier">data1</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">'file1'</span>) -<span class="ruby-identifier">data2</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">'file2'</span>) -<span class="ruby-identifier">data3</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">'file3'</span>) +<pre class="ruby"><span class="ruby-identifier">data1</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">'file1'</span>) +<span class="ruby-identifier">data2</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">'file2'</span>) +<span class="ruby-identifier">data3</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">'file3'</span>) <span class="ruby-identifier">sha256</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'SHA256'</span>) <span class="ruby-identifier">sha256</span> <span class="ruby-operator"><<</span> <span class="ruby-identifier">data1</span> <span class="ruby-identifier">sha256</span> <span class="ruby-operator"><<</span> <span class="ruby-identifier">data2</span> @@ -154,11 +154,11 @@ <h3 id="class-OpenSSL::Digest-label-Reuse+a+Digest+instance">Reuse a <a href="Digest.html"><code>Digest</code></a> instance<span><a href="#class-OpenSSL::Digest-label-Reuse+a+Digest+instance">¶</a> <a href="#top">↑</a></span></h3> -<pre class="ruby"><span class="ruby-identifier">data1</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">'file1'</span>) +<pre class="ruby"><span class="ruby-identifier">data1</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">'file1'</span>) <span class="ruby-identifier">sha256</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'SHA256'</span>) <span class="ruby-identifier">digest1</span> = <span class="ruby-identifier">sha256</span>.<span class="ruby-identifier">digest</span>(<span class="ruby-identifier">data1</span>) -<span class="ruby-identifier">data2</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">'file2'</span>) +<span class="ruby-identifier">data2</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">'file2'</span>) <span class="ruby-identifier">sha256</span>.<span class="ruby-identifier">reset</span> <span class="ruby-identifier">digest2</span> = <span class="ruby-identifier">sha256</span>.<span class="ruby-identifier">digest</span>(<span class="ruby-identifier">data2</span>) </pre> @@ -425,7 +425,7 @@ ossl_digest_name(VALUE self) GetDigest(self, ctx); - return rb_str_new2(EVP_MD_name(EVP_MD_CTX_md(ctx))); + return rb_str_new_cstr(EVP_MD_name(EVP_MD_CTX_get0_md(ctx))); }</pre> </div> </div> @@ -451,7 +451,7 @@ ossl_digest_reset(VALUE self) EVP_MD_CTX *ctx; GetDigest(self, ctx); - if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_md(ctx), NULL) != 1) { + if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_get0_md(ctx), NULL) != 1) { ossl_raise(eDigestError, "Digest initialization failed."); } diff --git a/OpenSSL/Engine.html b/OpenSSL/Engine.html index 58662cff..0a526de7 100644 --- a/OpenSSL/Engine.html +++ b/OpenSSL/Engine.html @@ -249,48 +249,48 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass) return Qtrue; } StringValueCStr(name); -#if HAVE_ENGINE_LOAD_DYNAMIC +#ifdef HAVE_ENGINE_LOAD_DYNAMIC OSSL_ENGINE_LOAD_IF_MATCH(dynamic, DYNAMIC); #endif #ifndef OPENSSL_NO_STATIC_ENGINE -#if HAVE_ENGINE_LOAD_4758CCA +#ifdef HAVE_ENGINE_LOAD_4758CCA OSSL_ENGINE_LOAD_IF_MATCH(4758cca, 4758CCA); #endif -#if HAVE_ENGINE_LOAD_AEP +#ifdef HAVE_ENGINE_LOAD_AEP OSSL_ENGINE_LOAD_IF_MATCH(aep, AEP); #endif -#if HAVE_ENGINE_LOAD_ATALLA +#ifdef HAVE_ENGINE_LOAD_ATALLA OSSL_ENGINE_LOAD_IF_MATCH(atalla, ATALLA); #endif -#if HAVE_ENGINE_LOAD_CHIL +#ifdef HAVE_ENGINE_LOAD_CHIL OSSL_ENGINE_LOAD_IF_MATCH(chil, CHIL); #endif -#if HAVE_ENGINE_LOAD_CSWIFT +#ifdef HAVE_ENGINE_LOAD_CSWIFT OSSL_ENGINE_LOAD_IF_MATCH(cswift, CSWIFT); #endif -#if HAVE_ENGINE_LOAD_NURON +#ifdef HAVE_ENGINE_LOAD_NURON OSSL_ENGINE_LOAD_IF_MATCH(nuron, NURON); #endif -#if HAVE_ENGINE_LOAD_SUREWARE +#ifdef HAVE_ENGINE_LOAD_SUREWARE OSSL_ENGINE_LOAD_IF_MATCH(sureware, SUREWARE); #endif -#if HAVE_ENGINE_LOAD_UBSEC +#ifdef HAVE_ENGINE_LOAD_UBSEC OSSL_ENGINE_LOAD_IF_MATCH(ubsec, UBSEC); #endif -#if HAVE_ENGINE_LOAD_PADLOCK +#ifdef HAVE_ENGINE_LOAD_PADLOCK OSSL_ENGINE_LOAD_IF_MATCH(padlock, PADLOCK); #endif -#if HAVE_ENGINE_LOAD_CAPI +#ifdef HAVE_ENGINE_LOAD_CAPI OSSL_ENGINE_LOAD_IF_MATCH(capi, CAPI); #endif -#if HAVE_ENGINE_LOAD_GMP +#ifdef HAVE_ENGINE_LOAD_GMP OSSL_ENGINE_LOAD_IF_MATCH(gmp, GMP); #endif -#if HAVE_ENGINE_LOAD_GOST +#ifdef HAVE_ENGINE_LOAD_GOST OSSL_ENGINE_LOAD_IF_MATCH(gost, GOST); #endif #endif -#if HAVE_ENGINE_LOAD_CRYPTODEV +#ifdef HAVE_ENGINE_LOAD_CRYPTODEV OSSL_ENGINE_LOAD_IF_MATCH(cryptodev, CRYPTODEV); #endif OSSL_ENGINE_LOAD_IF_MATCH(openssl, OPENSSL); diff --git a/OpenSSL/HMAC.html b/OpenSSL/HMAC.html index 555dfc35..ee547071 100644 --- a/OpenSSL/HMAC.html +++ b/OpenSSL/HMAC.html @@ -81,11 +81,13 @@ <h3>Methods</h3> <ul class="link-list" role="directory"> + <li ><a href="#method-c-base64digest">::base64digest</a> <li ><a href="#method-c-digest">::digest</a> <li ><a href="#method-c-hexdigest">::hexdigest</a> <li ><a href="#method-c-new">::new</a> <li ><a href="#method-i-3C-3C">#<<</a> <li ><a href="#method-i-3D-3D">#==</a> + <li ><a href="#method-i-base64digest">#base64digest</a> <li ><a href="#method-i-digest">#digest</a> <li ><a href="#method-i-hexdigest">#hexdigest</a> <li ><a href="#method-i-initialize_copy">#initialize_copy</a> @@ -120,11 +122,10 @@ <h3 id="class-OpenSSL::HMAC-label-HMAC-SHA256+using+incremental+interface">HMAC-SHA256 using incremental interface<span><a href="#class-OpenSSL::HMAC-label-HMAC-SHA256+using+incremental+interface">¶</a> <a href="#top">↑</a></span></h3> -<pre class="ruby"><span class="ruby-identifier">data1</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">"file1"</span>) -<span class="ruby-identifier">data2</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">"file2"</span>) +<pre class="ruby"><span class="ruby-identifier">data1</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">"file1"</span>) +<span class="ruby-identifier">data2</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">"file2"</span>) <span class="ruby-identifier">key</span> = <span class="ruby-string">"key"</span> -<span class="ruby-identifier">digest</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'SHA256'</span>) -<span class="ruby-identifier">hmac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">key</span>, <span class="ruby-identifier">digest</span>) +<span class="ruby-identifier">hmac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">key</span>, <span class="ruby-string">'SHA256'</span>) <span class="ruby-identifier">hmac</span> <span class="ruby-operator"><<</span> <span class="ruby-identifier">data1</span> <span class="ruby-identifier">hmac</span> <span class="ruby-operator"><<</span> <span class="ruby-identifier">data2</span> <span class="ruby-identifier">mac</span> = <span class="ruby-identifier">hmac</span>.<span class="ruby-identifier">digest</span> @@ -143,6 +144,37 @@ <h3>Public Class Methods</h3> </header> + <div id="method-c-base64digest" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + base64digest(digest, key, data) → aString + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Returns the authentication code as a Base64-encoded string. The <em>digest</em> parameter specifies the digest algorithm to use. This may be a String representing the algorithm name or an instance of <a href="Digest.html"><code>OpenSSL::Digest</code></a>.</p> + +<h3 id="method-c-base64digest-label-Example">Example<span><a href="#method-c-base64digest-label-Example">¶</a> <a href="#top">↑</a></span></h3> + +<pre class="ruby"><span class="ruby-identifier">key</span> = <span class="ruby-string">'key'</span> +<span class="ruby-identifier">data</span> = <span class="ruby-string">'The quick brown fox jumps over the lazy dog'</span> + +<span class="ruby-identifier">hmac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">base64digest</span>(<span class="ruby-string">'SHA1'</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">data</span>) +<span class="ruby-comment">#=> "3nybhbi3iqa8ino29wqQcBydtNk="</span> +</pre> + + <div class="method-source-code" id="base64digest-source"> + <pre><span class="ruby-comment"># File lib/openssl/hmac.rb, line 73</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">base64digest</span>(<span class="ruby-identifier">digest</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">data</span>) + [<span class="ruby-identifier">digest</span>(<span class="ruby-identifier">digest</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">data</span>)].<span class="ruby-identifier">pack</span>(<span class="ruby-string">"m0"</span>) +<span class="ruby-keyword">end</span></pre> + </div> + </div> + + + </div> + <div id="method-c-digest" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> @@ -159,25 +191,17 @@ <pre class="ruby"><span class="ruby-identifier">key</span> = <span class="ruby-string">'key'</span> <span class="ruby-identifier">data</span> = <span class="ruby-string">'The quick brown fox jumps over the lazy dog'</span> -<span class="ruby-identifier">hmac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">digest</span>(<span class="ruby-string">'sha1'</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">data</span>) +<span class="ruby-identifier">hmac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">digest</span>(<span class="ruby-string">'SHA1'</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">data</span>) <span class="ruby-comment">#=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"</span> </pre> <div class="method-source-code" id="digest-source"> - <pre>static VALUE -ossl_hmac_s_digest(VALUE klass, VALUE digest, VALUE key, VALUE data) -{ - unsigned char *buf; - unsigned int buf_len; - - StringValue(key); - StringValue(data); - buf = HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key), - RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data), - RSTRING_LEN(data), NULL, &buf_len); - - return rb_str_new((const char *)buf, buf_len); -}</pre> + <pre><span class="ruby-comment"># File lib/openssl/hmac.rb, line 35</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">digest</span>(<span class="ruby-identifier">digest</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">data</span>) + <span class="ruby-identifier">hmac</span> = <span class="ruby-identifier">new</span>(<span class="ruby-identifier">key</span>, <span class="ruby-identifier">digest</span>) + <span class="ruby-identifier">hmac</span> <span class="ruby-operator"><<</span> <span class="ruby-identifier">data</span> + <span class="ruby-identifier">hmac</span>.<span class="ruby-identifier">digest</span> +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -200,31 +224,17 @@ ossl_hmac_s_digest(VALUE klass, VALUE digest, VALUE key, VALUE data) <pre class="ruby"><span class="ruby-identifier">key</span> = <span class="ruby-string">'key'</span> <span class="ruby-identifier">data</span> = <span class="ruby-string">'The quick brown fox jumps over the lazy dog'</span> -<span class="ruby-identifier">hmac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">hexdigest</span>(<span class="ruby-string">'sha1'</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">data</span>) +<span class="ruby-identifier">hmac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">hexdigest</span>(<span class="ruby-string">'SHA1'</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">data</span>) <span class="ruby-comment">#=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"</span> </pre> <div class="method-source-code" id="hexdigest-source"> - <pre>static VALUE -ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data) -{ - unsigned char buf[EVP_MAX_MD_SIZE]; - unsigned int buf_len; - VALUE ret; - - StringValue(key); - StringValue(data); - - if (!HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key), - RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data), - RSTRING_LEN(data), buf, &buf_len)) - ossl_raise(eHMACError, "HMAC"); - - ret = rb_str_new(NULL, buf_len * 2); - ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len); - - return ret; -}</pre> + <pre><span class="ruby-comment"># File lib/openssl/hmac.rb, line 54</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">hexdigest</span>(<span class="ruby-identifier">digest</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">data</span>) + <span class="ruby-identifier">hmac</span> = <span class="ruby-identifier">new</span>(<span class="ruby-identifier">key</span>, <span class="ruby-identifier">digest</span>) + <span class="ruby-identifier">hmac</span> <span class="ruby-operator"><<</span> <span class="ruby-identifier">data</span> + <span class="ruby-identifier">hmac</span>.<span class="ruby-identifier">hexdigest</span> +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -245,8 +255,7 @@ ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data) <h3 id="method-c-new-label-Example">Example<span><a href="#method-c-new-label-Example">¶</a> <a href="#top">↑</a></span></h3> <pre class="ruby"><span class="ruby-identifier">key</span> = <span class="ruby-string">'key'</span> -<span class="ruby-identifier">digest</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'sha1'</span>) -<span class="ruby-identifier">instance</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">key</span>, <span class="ruby-identifier">digest</span>) +<span class="ruby-identifier">instance</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">key</span>, <span class="ruby-string">'SHA1'</span>) <span class="ruby-comment">#=> f42bb0eeb018ebbd4597ae7213711ec60760843f</span> <span class="ruby-identifier">instance</span>.<span class="ruby-identifier">class</span> <span class="ruby-comment">#=> OpenSSL::HMAC</span> @@ -256,7 +265,7 @@ ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data) <p>Two instances can be securely compared with <a href="HMAC.html#method-i-3D-3D"><code>==</code></a> in constant time:</p> -<pre class="ruby"> <span class="ruby-identifier">other_instance</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'key'</span>, <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'sha1'</span>)) +<pre class="ruby"> <span class="ruby-identifier">other_instance</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'key'</span>, <span class="ruby-string">'SHA1'</span>) <span class="ruby-comment">#=> f42bb0eeb018ebbd4597ae7213711ec60760843f</span> <span class="ruby-identifier">instance</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">other_instance</span> <span class="ruby-comment">#=> true</span> @@ -266,12 +275,23 @@ ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data) <pre>static VALUE ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest) { - HMAC_CTX *ctx; + EVP_MD_CTX *ctx; + EVP_PKEY *pkey; - StringValue(key); GetHMAC(self, ctx); - HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key), - ossl_evp_get_digestbyname(digest), NULL); + StringValue(key); + pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, + (unsigned char *)RSTRING_PTR(key), + RSTRING_LENINT(key)); + if (!pkey) + ossl_raise(eHMACError, "EVP_PKEY_new_mac_key"); + if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest), + NULL, pkey) != 1) { + EVP_PKEY_free(pkey); + ossl_raise(eHMACError, "EVP_DigestSignInit"); + } + /* Decrement reference counter; EVP_MD_CTX still keeps it */ + EVP_PKEY_free(pkey); return self; }</pre> @@ -340,6 +360,28 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest) </div> + <div id="method-i-base64digest" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + base64digest → string + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Returns the authentication code an a Base64-encoded string.</p> + + <div class="method-source-code" id="base64digest-source"> + <pre><span class="ruby-comment"># File lib/openssl/hmac.rb, line 17</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">base64digest</span> + [<span class="ruby-identifier">digest</span>].<span class="ruby-identifier">pack</span>(<span class="ruby-string">"m0"</span>) +<span class="ruby-keyword">end</span></pre> + </div> + </div> + + + </div> + <div id="method-i-digest" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> @@ -353,7 +395,7 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest) <h3 id="method-i-digest-label-Example">Example<span><a href="#method-i-digest-label-Example">¶</a> <a href="#top">↑</a></span></h3> -<pre class="ruby"><span class="ruby-identifier">instance</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'key'</span>, <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'sha1'</span>)) +<pre class="ruby"><span class="ruby-identifier">instance</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'key'</span>, <span class="ruby-string">'SHA1'</span>) <span class="ruby-comment">#=> f42bb0eeb018ebbd4597ae7213711ec60760843f</span> <span class="ruby-identifier">instance</span>.<span class="ruby-identifier">digest</span> <span class="ruby-comment">#=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"</span> @@ -363,15 +405,16 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest) <pre>static VALUE ossl_hmac_digest(VALUE self) { - HMAC_CTX *ctx; - unsigned int buf_len; + EVP_MD_CTX *ctx; + size_t buf_len = EVP_MAX_MD_SIZE; VALUE ret; GetHMAC(self, ctx); ret = rb_str_new(NULL, EVP_MAX_MD_SIZE); - hmac_final(ctx, (unsigned char *)RSTRING_PTR(ret), &buf_len); - assert(buf_len <= EVP_MAX_MD_SIZE); - rb_str_set_len(ret, buf_len); + if (EVP_DigestSignFinal(ctx, (unsigned char *)RSTRING_PTR(ret), + &buf_len) != 1) + ossl_raise(eHMACError, "EVP_DigestSignFinal"); + rb_str_set_len(ret, (long)buf_len); return ret; }</pre> @@ -396,13 +439,14 @@ ossl_hmac_digest(VALUE self) <pre>static VALUE ossl_hmac_hexdigest(VALUE self) { - HMAC_CTX *ctx; + EVP_MD_CTX *ctx; unsigned char buf[EVP_MAX_MD_SIZE]; - unsigned int buf_len; + size_t buf_len = EVP_MAX_MD_SIZE; VALUE ret; GetHMAC(self, ctx); - hmac_final(ctx, buf, &buf_len); + if (EVP_DigestSignFinal(ctx, buf, &buf_len) != 1) + ossl_raise(eHMACError, "EVP_DigestSignFinal"); ret = rb_str_new(NULL, buf_len * 2); ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len); @@ -431,16 +475,15 @@ ossl_hmac_hexdigest(VALUE self) <pre>static VALUE ossl_hmac_copy(VALUE self, VALUE other) { - HMAC_CTX *ctx1, *ctx2; + EVP_MD_CTX *ctx1, *ctx2; rb_check_frozen(self); if (self == other) return self; GetHMAC(self, ctx1); GetHMAC(other, ctx2); - - if (!HMAC_CTX_copy(ctx1, ctx2)) - ossl_raise(eHMACError, "HMAC_CTX_copy"); + if (EVP_MD_CTX_copy(ctx1, ctx2) != 1) + ossl_raise(eHMACError, "EVP_MD_CTX_copy"); return self; }</pre> </div> @@ -456,16 +499,7 @@ ossl_hmac_copy(VALUE self, VALUE other) </div> <div class="method-description"> - <p>Returns the authentication code as a hex-encoded string. The <em>digest</em> parameter specifies the digest algorithm to use. This may be a String representing the algorithm name or an instance of <a href="Digest.html"><code>OpenSSL::Digest</code></a>.</p> - -<h3 id="method-i-inspect-label-Example">Example<span><a href="#method-i-inspect-label-Example">¶</a> <a href="#top">↑</a></span></h3> - -<pre class="ruby"><span class="ruby-identifier">key</span> = <span class="ruby-string">'key'</span> -<span class="ruby-identifier">data</span> = <span class="ruby-string">'The quick brown fox jumps over the lazy dog'</span> - -<span class="ruby-identifier">hmac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">hexdigest</span>(<span class="ruby-string">'sha1'</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">data</span>) -<span class="ruby-comment">#=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"</span> -</pre> + <p>Returns the authentication code an instance represents as a hex-encoded string.</p> </div> @@ -489,7 +523,7 @@ ossl_hmac_copy(VALUE self, VALUE other) <h3 id="method-i-reset-label-Example">Example<span><a href="#method-i-reset-label-Example">¶</a> <a href="#top">↑</a></span></h3> <pre class="ruby"><span class="ruby-identifier">data</span> = <span class="ruby-string">"The quick brown fox jumps over the lazy dog"</span> -<span class="ruby-identifier">instance</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'key'</span>, <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'sha1'</span>)) +<span class="ruby-identifier">instance</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'key'</span>, <span class="ruby-string">'SHA1'</span>) <span class="ruby-comment">#=> f42bb0eeb018ebbd4597ae7213711ec60760843f</span> <span class="ruby-identifier">instance</span>.<span class="ruby-identifier">update</span>(<span class="ruby-identifier">data</span>) @@ -502,10 +536,13 @@ ossl_hmac_copy(VALUE self, VALUE other) <pre>static VALUE ossl_hmac_reset(VALUE self) { - HMAC_CTX *ctx; + EVP_MD_CTX *ctx; + EVP_PKEY *pkey; GetHMAC(self, ctx); - HMAC_Init_ex(ctx, NULL, 0, NULL, NULL); + pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_get_pkey_ctx(ctx)); + if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_get0_md(ctx), NULL, pkey) != 1) + ossl_raise(eHMACError, "EVP_DigestSignInit"); return self; }</pre> @@ -522,16 +559,7 @@ ossl_hmac_reset(VALUE self) </div> <div class="method-description"> - <p>Returns the authentication code as a hex-encoded string. The <em>digest</em> parameter specifies the digest algorithm to use. This may be a String representing the algorithm name or an instance of <a href="Digest.html"><code>OpenSSL::Digest</code></a>.</p> - -<h3 id="method-i-to_s-label-Example">Example<span><a href="#method-i-to_s-label-Example">¶</a> <a href="#top">↑</a></span></h3> - -<pre class="ruby"><span class="ruby-identifier">key</span> = <span class="ruby-string">'key'</span> -<span class="ruby-identifier">data</span> = <span class="ruby-string">'The quick brown fox jumps over the lazy dog'</span> - -<span class="ruby-identifier">hmac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">hexdigest</span>(<span class="ruby-string">'sha1'</span>, <span class="ruby-identifier">key</span>, <span class="ruby-identifier">data</span>) -<span class="ruby-comment">#=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"</span> -</pre> + <p>Returns the authentication code an instance represents as a hex-encoded string.</p> </div> @@ -567,11 +595,12 @@ ossl_hmac_reset(VALUE self) <pre>static VALUE ossl_hmac_update(VALUE self, VALUE data) { - HMAC_CTX *ctx; + EVP_MD_CTX *ctx; StringValue(data); GetHMAC(self, ctx); - HMAC_Update(ctx, (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data)); + if (EVP_DigestSignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) != 1) + ossl_raise(eHMACError, "EVP_DigestSignUpdate"); return self; }</pre> diff --git a/OpenSSL/HMACError.html b/OpenSSL/HMACError.html index d19bc6e2..279ae108 100644 --- a/OpenSSL/HMACError.html +++ b/OpenSSL/HMACError.html @@ -102,11 +102,10 @@ <h3 id="class-OpenSSL::HMACError-label-HMAC-SHA256+using+incremental+interface">HMAC-SHA256 using incremental interface<span><a href="#class-OpenSSL::HMACError-label-HMAC-SHA256+using+incremental+interface">¶</a> <a href="#top">↑</a></span></h3> -<pre class="ruby"><span class="ruby-identifier">data1</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">"file1"</span>) -<span class="ruby-identifier">data2</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">"file2"</span>) +<pre class="ruby"><span class="ruby-identifier">data1</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">"file1"</span>) +<span class="ruby-identifier">data2</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">"file2"</span>) <span class="ruby-identifier">key</span> = <span class="ruby-string">"key"</span> -<span class="ruby-identifier">digest</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'SHA256'</span>) -<span class="ruby-identifier">hmac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">key</span>, <span class="ruby-identifier">digest</span>) +<span class="ruby-identifier">hmac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">HMAC</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">key</span>, <span class="ruby-string">'SHA256'</span>) <span class="ruby-identifier">hmac</span> <span class="ruby-operator"><<</span> <span class="ruby-identifier">data1</span> <span class="ruby-identifier">hmac</span> <span class="ruby-operator"><<</span> <span class="ruby-identifier">data2</span> <span class="ruby-identifier">mac</span> = <span class="ruby-identifier">hmac</span>.<span class="ruby-identifier">digest</span> diff --git a/OpenSSL/KDF.html b/OpenSSL/KDF.html index 0df19309..03c095fd 100644 --- a/OpenSSL/KDF.html +++ b/OpenSSL/KDF.html @@ -179,6 +179,16 @@ <p>The hash function.</p> </dd></dl> +<h3 id="method-c-hkdf-label-Example">Example<span><a href="#method-c-hkdf-label-Example">¶</a> <a href="#top">↑</a></span></h3> + +<pre class="ruby"><span class="ruby-comment"># The values from https://datatracker.ietf.org/doc/html/rfc5869#appendix-A.1</span> +<span class="ruby-identifier">ikm</span> = [<span class="ruby-string">"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"</span>].<span class="ruby-identifier">pack</span>(<span class="ruby-string">"H*"</span>) +<span class="ruby-identifier">salt</span> = [<span class="ruby-string">"000102030405060708090a0b0c"</span>].<span class="ruby-identifier">pack</span>(<span class="ruby-string">"H*"</span>) +<span class="ruby-identifier">info</span> = [<span class="ruby-string">"f0f1f2f3f4f5f6f7f8f9"</span>].<span class="ruby-identifier">pack</span>(<span class="ruby-string">"H*"</span>) +<span class="ruby-identifier">p</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">KDF</span>.<span class="ruby-identifier">hkdf</span>(<span class="ruby-identifier">ikm</span>, <span class="ruby-value">salt:</span> <span class="ruby-identifier">salt</span>, <span class="ruby-value">info:</span> <span class="ruby-identifier">info</span>, <span class="ruby-value">length:</span> <span class="ruby-value">42</span>, <span class="ruby-value">hash:</span> <span class="ruby-string">"SHA256"</span>).<span class="ruby-identifier">unpack1</span>(<span class="ruby-string">"H*"</span>) +<span class="ruby-comment"># => "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"</span> +</pre> + <div class="method-source-code" id="hkdf-source"> <pre>static VALUE kdf_hkdf(int argc, VALUE *argv, VALUE self) diff --git a/OpenSSL/OCSP.html b/OpenSSL/OCSP.html index 3d3a40e9..c6a029ee 100644 --- a/OpenSSL/OCSP.html +++ b/OpenSSL/OCSP.html @@ -145,7 +145,7 @@ <pre class="ruby"><span class="ruby-identifier">single_response</span> = <span class="ruby-identifier">basic_response</span>.<span class="ruby-identifier">find_response</span>(<span class="ruby-identifier">certificate_id</span>) <span class="ruby-keyword">unless</span> <span class="ruby-identifier">single_response</span> - <span class="ruby-identifier">raise</span> <span class="ruby-string">'basic_response does not have the status for the certificiate'</span> + <span class="ruby-identifier">raise</span> <span class="ruby-string">'basic_response does not have the status for the certificate'</span> <span class="ruby-keyword">end</span> </pre> diff --git a/OpenSSL/OCSP/BasicResponse.html b/OpenSSL/OCSP/BasicResponse.html index 64237430..4c3aac19 100644 --- a/OpenSSL/OCSP/BasicResponse.html +++ b/OpenSSL/OCSP/BasicResponse.html @@ -217,7 +217,7 @@ ossl_ocspbres_add_nonce(int argc, VALUE *argv, VALUE self) <p><em>reason</em> and <em>revocation_time</em> can be given only when <em>status</em> is OpenSSL::OCSP::V_CERTSTATUS_REVOKED. <em>reason</em> describes the reason for the revocation, and must be one of OpenSSL::OCSP::REVOKED_STATUS_* constants. <em>revocation_time</em> is the time when the certificate is revoked.</p> -<p><em>this_update</em> and <em>next_update</em> indicate the time at which ths status is verified to be correct and the time at or before which newer information will be available, respectively. <em>next_update</em> is optional.</p> +<p><em>this_update</em> and <em>next_update</em> indicate the time at which the status is verified to be correct and the time at or before which newer information will be available, respectively. <em>next_update</em> is optional.</p> <p><em>extensions</em> is an Array of <a href="../X509/Extension.html"><code>OpenSSL::X509::Extension</code></a> to be included in the <a href="SingleResponse.html"><code>SingleResponse</code></a>. This is also optional.</p> @@ -632,55 +632,7 @@ ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self) x509st = GetX509StorePtr(store); flg = NIL_P(flags) ? 0 : NUM2INT(flags); x509s = ossl_x509_ary2sk(certs); -#if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER) - /* - * OpenSSL had a bug that it doesn't use the certificates in x509s for - * verifying the chain. This can be a problem when the response is signed by - * a certificate issued by an intermediate CA. - * - * root_ca - * | - * intermediate_ca - * |-------------| - * end_entity ocsp_signer - * - * When the certificate hierarchy is like this, and the response contains - * only ocsp_signer certificate, the following code wrongly fails. - * - * store = OpenSSL::X509::Store.new; store.add_cert(root_ca) - * basic_response.verify([intermediate_ca], store) - * - * So add the certificates in x509s to the embedded certificates list first. - * - * This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still - * exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1. - */ - if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) && - sk_X509_num(x509s) && sk_X509_num(bs->certs)) { - int i; - - bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs); - if (!bs) { - sk_X509_pop_free(x509s, X509_free); - ossl_raise(eOCSPError, "ASN1_item_dup"); - } - - for (i = 0; i < sk_X509_num(x509s); i++) { - if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) { - sk_X509_pop_free(x509s, X509_free); - OCSP_BASICRESP_free(bs); - ossl_raise(eOCSPError, "OCSP_basic_add1_cert"); - } - } - result = OCSP_basic_verify(bs, x509s, x509st, flg); - OCSP_BASICRESP_free(bs); - } - else { - result = OCSP_basic_verify(bs, x509s, x509st, flg); - } -#else result = OCSP_basic_verify(bs, x509s, x509st, flg); -#endif sk_X509_pop_free(x509s, X509_free); if (result <= 0) ossl_clear_error(); diff --git a/OpenSSL/PKCS12.html b/OpenSSL/PKCS12.html index efa7c490..42df932b 100644 --- a/OpenSSL/PKCS12.html +++ b/OpenSSL/PKCS12.html @@ -164,7 +164,7 @@ <p>The not_before and not_after fields must be filled in.</p> </li></ul> </li><li> -<p><em>ca</em> - An optional array of X509::Certificate’s.</p> +<p><em>ca</em> - An optional array of <a href="X509/Certificate.html"><code>X509::Certificate</code></a>‘s.</p> </li><li> <p><em>key_pbe</em> - string</p> </li><li> @@ -289,15 +289,15 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self) ossl_raise(ePKCS12Error, "PKCS12_parse"); ERR_pop_to_mark(); if (key) { - pkey = rb_protect((VALUE (*)(VALUE))ossl_pkey_new, (VALUE)key, &st); + pkey = rb_protect(ossl_pkey_new_i, (VALUE)key, &st); if (st) goto err; } if (x509) { - cert = rb_protect((VALUE (*)(VALUE))ossl_x509_new, (VALUE)x509, &st); + cert = rb_protect(ossl_x509_new_i, (VALUE)x509, &st); if (st) goto err; } if (x509s) { - ca = rb_protect((VALUE (*)(VALUE))ossl_x509_sk2ary, (VALUE)x509s, &st); + ca = rb_protect(ossl_x509_sk2ary_i, (VALUE)x509s, &st); if (st) goto err; } diff --git a/OpenSSL/PKCS7.html b/OpenSSL/PKCS7.html index fd87f715..fdfc26c5 100644 --- a/OpenSSL/PKCS7.html +++ b/OpenSSL/PKCS7.html @@ -247,7 +247,7 @@ ossl_pkcs7_s_encrypt(int argc, VALUE *argv, VALUE klass) <pre>static VALUE ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self) { - PKCS7 *p7, *pkcs = DATA_PTR(self); + PKCS7 *p7, *p7_orig = RTYPEDDATA_DATA(self); BIO *in; VALUE arg; @@ -255,19 +255,17 @@ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self) return self; arg = ossl_to_der_if_possible(arg); in = ossl_obj2bio(&arg); - p7 = PEM_read_bio_PKCS7(in, &pkcs, NULL, NULL); + p7 = d2i_PKCS7_bio(in, NULL); if (!p7) { OSSL_BIO_reset(in); - p7 = d2i_PKCS7_bio(in, &pkcs); - if (!p7) { - BIO_free(in); - PKCS7_free(pkcs); - DATA_PTR(self) = NULL; - ossl_raise(rb_eArgError, "Could not parse the PKCS7"); - } + p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); } - DATA_PTR(self) = pkcs; BIO_free(in); + if (!p7) + ossl_raise(rb_eArgError, "Could not parse the PKCS7"); + + RTYPEDDATA_DATA(self) = p7; + PKCS7_free(p7_orig); ossl_pkcs7_set_data(self, Qnil); ossl_pkcs7_set_err_string(self, Qnil); @@ -559,13 +557,18 @@ ossl_pkcs7_add_data(VALUE self, VALUE data) ossl_pkcs7_add_recipient(VALUE self, VALUE recip) { PKCS7 *pkcs7; - PKCS7_RECIP_INFO *ri; + PKCS7_RECIP_INFO *ri, *ri_new; - ri = DupPKCS7RecipientPtr(recip); /* NEED TO DUP */ GetPKCS7(self, pkcs7); - if (!PKCS7_add_recipient_info(pkcs7, ri)) { - PKCS7_RECIP_INFO_free(ri); - ossl_raise(ePKCS7Error, "Could not add recipient."); + GetPKCS7ri(recip, ri); + + ri_new = ossl_PKCS7_RECIP_INFO_dup(ri); + if (!ri_new) + ossl_raise(ePKCS7Error, "PKCS7_RECIP_INFO_dup"); + + if (PKCS7_add_recipient_info(pkcs7, ri_new) != 1) { + PKCS7_RECIP_INFO_free(ri_new); + ossl_raise(ePKCS7Error, "PKCS7_add_recipient_info"); } return self; @@ -591,17 +594,18 @@ ossl_pkcs7_add_recipient(VALUE self, VALUE recip) ossl_pkcs7_add_signer(VALUE self, VALUE signer) { PKCS7 *pkcs7; - PKCS7_SIGNER_INFO *p7si; + PKCS7_SIGNER_INFO *si, *si_new; - p7si = DupPKCS7SignerPtr(signer); /* NEED TO DUP */ GetPKCS7(self, pkcs7); - if (!PKCS7_add_signer(pkcs7, p7si)) { - PKCS7_SIGNER_INFO_free(p7si); - ossl_raise(ePKCS7Error, "Could not add signer."); - } - if (PKCS7_type_is_signed(pkcs7)){ - PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType, - V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)); + GetPKCS7si(signer, si); + + si_new = ossl_PKCS7_SIGNER_INFO_dup(si); + if (!si_new) + ossl_raise(ePKCS7Error, "PKCS7_SIGNER_INFO_dup"); + + if (PKCS7_add_signer(pkcs7, si_new) != 1) { + PKCS7_SIGNER_INFO_free(si_new); + ossl_raise(ePKCS7Error, "PKCS7_add_signer"); } return self; diff --git a/OpenSSL/PKey.html b/OpenSSL/PKey.html index 8f37129d..ca0bb523 100644 --- a/OpenSSL/PKey.html +++ b/OpenSSL/PKey.html @@ -75,6 +75,8 @@ <h3>Methods</h3> <ul class="link-list" role="directory"> + <li ><a href="#method-c-generate_key">::generate_key</a> + <li ><a href="#method-c-generate_parameters">::generate_parameters</a> <li ><a href="#method-c-read">::read</a> </ul> </div> @@ -125,6 +127,79 @@ <h3>Public Class Methods</h3> </header> + <div id="method-c-generate_key" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + OpenSSL::PKey.generate_key(algo_name [, options]) → pkey + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + <div class="method-heading"> + <span class="method-callseq"> + OpenSSL::PKey.generate_key(pkey [, options]) → pkey + </span> + </div> + + <div class="method-description"> + <p>Generates a new key (pair).</p> + +<p>If a String is given as the first argument, it generates a new random key for the algorithm specified by the name just as <a href="PKey.html#method-c-generate_parameters"><code>::generate_parameters</code></a> does. If an <a href="PKey/PKey.html"><code>OpenSSL::PKey::PKey</code></a> is given instead, it generates a new random key for the same algorithm as the key, using the parameters the key contains.</p> + +<p>See <a href="PKey.html#method-c-generate_parameters"><code>::generate_parameters</code></a> for the details of <em>options</em> and the given block.</p> + +<h2 id="method-c-generate_key-label-Example">Example<span><a href="#method-c-generate_key-label-Example">¶</a> <a href="#top">↑</a></span></h2> + +<pre class="ruby"><span class="ruby-identifier">pkey_params</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_parameters</span>(<span class="ruby-string">"DSA"</span>, <span class="ruby-string">"dsa_paramgen_bits"</span> <span class="ruby-operator">=></span> <span class="ruby-value">2048</span>) +<span class="ruby-identifier">pkey_params</span>.<span class="ruby-identifier">priv_key</span> <span class="ruby-comment">#=> nil</span> +<span class="ruby-identifier">pkey</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_key</span>(<span class="ruby-identifier">pkey_params</span>) +<span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">priv_key</span> <span class="ruby-comment">#=> #<OpenSSL::BN 6277...</span> +</pre> + + <div class="method-source-code" id="generate_key-source"> + <pre>static VALUE +ossl_pkey_s_generate_key(int argc, VALUE *argv, VALUE self) +{ + return pkey_generate(argc, argv, self, 0); +}</pre> + </div> + </div> + + + </div> + + <div id="method-c-generate_parameters" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + OpenSSL::PKey.generate_parameters(algo_name [, options]) → pkey + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Generates new parameters for the algorithm. <em>algo_name</em> is a String that represents the algorithm. The optional argument <em>options</em> is a Hash that specifies the options specific to the algorithm. The order of the options can be important.</p> + +<p>A block can be passed optionally. The meaning of the arguments passed to the block varies depending on the implementation of the algorithm. The block may be called once or multiple times, or may not even be called.</p> + +<p>For the supported options, see the documentation for the ‘openssl genpkey’ utility command.</p> + +<h2 id="method-c-generate_parameters-label-Example">Example<span><a href="#method-c-generate_parameters-label-Example">¶</a> <a href="#top">↑</a></span></h2> + +<pre class="ruby"><span class="ruby-identifier">pkey</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_parameters</span>(<span class="ruby-string">"DSA"</span>, <span class="ruby-string">"dsa_paramgen_bits"</span> <span class="ruby-operator">=></span> <span class="ruby-value">2048</span>) +<span class="ruby-identifier">p</span> <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">p</span>.<span class="ruby-identifier">num_bits</span> <span class="ruby-comment">#=> 2048</span> +</pre> + + <div class="method-source-code" id="generate_parameters-source"> + <pre>static VALUE +ossl_pkey_s_generate_parameters(int argc, VALUE *argv, VALUE self) +{ + return pkey_generate(argc, argv, self, 1); +}</pre> + </div> + </div> + + + </div> + <div id="method-c-read" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> @@ -143,7 +218,7 @@ <h3 id="method-c-read-label-Parameters">Parameters<span><a href="#method-c-read-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> <ul><li> -<p>_string+ is a DER- or PEM-encoded string containing an arbitrary private or public key.</p> +<p><em>string</em> is a DER- or PEM-encoded string containing an arbitrary private or public key.</p> </li><li> <p><em>io</em> is an instance of <a href="../IO.html"><code>IO</code></a> containing a DER- or PEM-encoded arbitrary private or public key.</p> </li><li> @@ -159,30 +234,11 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self) VALUE data, pass; rb_scan_args(argc, argv, "11", &data, &pass); - pass = ossl_pem_passwd_value(pass); - bio = ossl_obj2bio(&data); - if ((pkey = d2i_PrivateKey_bio(bio, NULL))) - goto ok; - OSSL_BIO_reset(bio); - if ((pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, ossl_pem_passwd_cb, (void *)pass))) - goto ok; - OSSL_BIO_reset(bio); - if ((pkey = d2i_PUBKEY_bio(bio, NULL))) - goto ok; - OSSL_BIO_reset(bio); - /* PEM_read_bio_PrivateKey() also parses PKCS #8 formats */ - if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, ossl_pem_passwd_cb, (void *)pass))) - goto ok; - OSSL_BIO_reset(bio); - if ((pkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL))) - goto ok; - - BIO_free(bio); - ossl_raise(ePKeyError, "Could not parse PKey"); - -ok: + pkey = ossl_pkey_read_generic(bio, ossl_pem_passwd_value(pass)); BIO_free(bio); + if (!pkey) + ossl_raise(ePKeyError, "Could not parse PKey"); return ossl_pkey_new(pkey); }</pre> </div> diff --git a/OpenSSL/PKey/DH.html b/OpenSSL/PKey/DH.html index fac868df..1a52a07b 100644 --- a/OpenSSL/PKey/DH.html +++ b/OpenSSL/PKey/DH.html @@ -105,7 +105,6 @@ <li ><a href="#method-i-to_der">#to_der</a> <li ><a href="#method-i-to_pem">#to_pem</a> <li ><a href="#method-i-to_s">#to_s</a> - <li ><a href="#method-i-to_text">#to_text</a> </ul> </div> @@ -138,13 +137,19 @@ <h3 id="class-OpenSSL::PKey::DH-label-Example+of+a+key+exchange">Example of a key exchange<span><a href="#class-OpenSSL::PKey::DH-label-Example+of+a+key+exchange">¶</a> <a href="#top">↑</a></span></h3> -<pre class="ruby"><span class="ruby-identifier">dh1</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) -<span class="ruby-identifier">der</span> = <span class="ruby-identifier">dh1</span>.<span class="ruby-identifier">public_key</span>.<span class="ruby-identifier">to_der</span> <span class="ruby-comment">#you may send this publicly to the participating party</span> -<span class="ruby-identifier">dh2</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">der</span>) -<span class="ruby-identifier">dh2</span>.<span class="ruby-identifier">generate_key!</span> <span class="ruby-comment">#generate the per-session key pair</span> -<span class="ruby-identifier">symm_key1</span> = <span class="ruby-identifier">dh1</span>.<span class="ruby-identifier">compute_key</span>(<span class="ruby-identifier">dh2</span>.<span class="ruby-identifier">pub_key</span>) -<span class="ruby-identifier">symm_key2</span> = <span class="ruby-identifier">dh2</span>.<span class="ruby-identifier">compute_key</span>(<span class="ruby-identifier">dh1</span>.<span class="ruby-identifier">pub_key</span>) +<pre class="ruby"><span class="ruby-comment"># you may send the parameters (der) and own public key (pub1) publicly</span> +<span class="ruby-comment"># to the participating party</span> +<span class="ruby-identifier">dh1</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) +<span class="ruby-identifier">der</span> = <span class="ruby-identifier">dh1</span>.<span class="ruby-identifier">to_der</span> +<span class="ruby-identifier">pub1</span> = <span class="ruby-identifier">dh1</span>.<span class="ruby-identifier">pub_key</span> +<span class="ruby-comment"># the other party generates its per-session key pair</span> +<span class="ruby-identifier">dhparams</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">der</span>) +<span class="ruby-identifier">dh2</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_key</span>(<span class="ruby-identifier">dhparams</span>) +<span class="ruby-identifier">pub2</span> = <span class="ruby-identifier">dh2</span>.<span class="ruby-identifier">pub_key</span> + +<span class="ruby-identifier">symm_key1</span> = <span class="ruby-identifier">dh1</span>.<span class="ruby-identifier">compute_key</span>(<span class="ruby-identifier">pub2</span>) +<span class="ruby-identifier">symm_key2</span> = <span class="ruby-identifier">dh2</span>.<span class="ruby-identifier">compute_key</span>(<span class="ruby-identifier">pub1</span>) <span class="ruby-identifier">puts</span> <span class="ruby-identifier">symm_key1</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">symm_key2</span> <span class="ruby-comment"># => true</span> </pre> @@ -164,41 +169,32 @@ <div id="method-c-generate" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - generate(size [, generator]) → dh + generate(size, generator = 2) → dh </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Creates a new <a href="DH.html"><code>DH</code></a> instance from scratch by generating the private and public components alike.</p> + <p>Creates a new <a href="DH.html"><code>DH</code></a> instance from scratch by generating random parameters and a key pair.</p> -<h3 id="method-c-generate-label-Parameters">Parameters<span><a href="#method-c-generate-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> -<ul><li> -<p><em>size</em> is an integer representing the desired key size. Keys smaller than 1024 bits should be considered insecure.</p> -</li><li> -<p><em>generator</em> is a small number > 1, typically 2 or 5.</p> -</li></ul> +<p>See also <a href="../PKey.html#method-c-generate_parameters"><code>OpenSSL::PKey.generate_parameters</code></a> and <a href="../PKey.html#method-c-generate_key"><code>OpenSSL::PKey.generate_key</code></a>.</p> +<dl class="rdoc-list note-list"><dt><code>size</code> +<dd> +<p>The desired key size in bits.</p> +</dd><dt><code>generator</code> +<dd> +<p>The generator.</p> +</dd></dl> <div class="method-source-code" id="generate-source"> - <pre>static VALUE -ossl_dh_s_generate(int argc, VALUE *argv, VALUE klass) -{ - DH *dh ; - int g = 2; - VALUE size, gen, obj; - - if (rb_scan_args(argc, argv, "11", &size, &gen) == 2) { - g = NUM2INT(gen); - } - dh = dh_generate(NUM2INT(size), g); - obj = dh_instance(klass, dh); - if (obj == Qfalse) { - DH_free(dh); - ossl_raise(eDHError, NULL); - } - - return obj; -}</pre> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 118</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">generate</span>(<span class="ruby-identifier">size</span>, <span class="ruby-identifier">generator</span> = <span class="ruby-value">2</span>, <span class="ruby-operator">&</span><span class="ruby-identifier">blk</span>) + <span class="ruby-identifier">dhparams</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_parameters</span>(<span class="ruby-string">"DH"</span>, { + <span class="ruby-string">"dh_paramgen_prime_len"</span> <span class="ruby-operator">=></span> <span class="ruby-identifier">size</span>, + <span class="ruby-string">"dh_paramgen_generator"</span> <span class="ruby-operator">=></span> <span class="ruby-identifier">generator</span>, + }, <span class="ruby-operator">&</span><span class="ruby-identifier">blk</span>) + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_key</span>(<span class="ruby-identifier">dhparams</span>) +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -224,25 +220,37 @@ ossl_dh_s_generate(int argc, VALUE *argv, VALUE klass) </div> <div class="method-description"> - <p>Either generates a <a href="DH.html"><code>DH</code></a> instance from scratch or by reading already existing <a href="DH.html"><code>DH</code></a> parameters from <em>string</em>. Note that when reading a <a href="DH.html"><code>DH</code></a> instance from data that was encoded from a <a href="DH.html"><code>DH</code></a> instance by using <a href="DH.html#method-i-to_pem"><code>DH#to_pem</code></a> or <a href="DH.html#method-i-to_der"><code>DH#to_der</code></a> the result will <strong>not</strong> contain a public/private key pair yet. This needs to be generated using <a href="DH.html#method-i-generate_key-21"><code>DH#generate_key!</code></a> first.</p> + <p>Creates a new instance of <a href="DH.html"><code>OpenSSL::PKey::DH</code></a>.</p> -<h3 id="method-c-new-label-Parameters">Parameters<span><a href="#method-c-new-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> -<ul><li> -<p><em>size</em> is an integer representing the desired key size. Keys smaller than 1024 bits should be considered insecure.</p> -</li><li> -<p><em>generator</em> is a small number > 1, typically 2 or 5.</p> -</li><li> -<p><em>string</em> contains the DER or PEM encoded key.</p> -</li></ul> +<p>If called without arguments, an empty instance without any parameter or key components is created. Use <a href="DH.html#method-i-set_pqg"><code>set_pqg</code></a> to manually set the parameters afterwards (and optionally <a href="DH.html#method-i-set_key"><code>set_key</code></a> to set private and public key components).</p> + +<p>If a String is given, tries to parse it as a DER- or PEM- encoded parameters. See also <a href="../PKey.html#method-c-read"><code>OpenSSL::PKey.read</code></a> which can parse keys of any kinds.</p> + +<p>The <a href="DH.html#method-c-new"><code>DH.new</code></a>(size [, generator]) form is an alias of <a href="DH.html#method-c-generate"><code>DH.generate</code></a>.</p> +<dl class="rdoc-list note-list"><dt><code>string</code> +<dd> +<p>A String that contains the DER or PEM encoded key.</p> +</dd><dt><code>size</code> +<dd> +<p>See <a href="DH.html#method-c-generate"><code>DH.generate</code></a>.</p> +</dd><dt><code>generator</code> +<dd> +<p>See <a href="DH.html#method-c-generate"><code>DH.generate</code></a>.</p> +</dd></dl> + +<p>Examples:</p> -<h3 id="method-c-new-label-Examples">Examples<span><a href="#method-c-new-label-Examples">¶</a> <a href="#top">↑</a></span></h3> +<pre class="ruby"><span class="ruby-comment"># Creating an instance from scratch</span> +<span class="ruby-comment"># Note that this is deprecated and will not work on OpenSSL 3.0 or later.</span> +<span class="ruby-identifier">dh</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span> +<span class="ruby-identifier">dh</span>.<span class="ruby-identifier">set_pqg</span>(<span class="ruby-identifier">bn_p</span>, <span class="ruby-keyword">nil</span>, <span class="ruby-identifier">bn_g</span>) -<pre class="ruby"><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span> <span class="ruby-comment"># -> dh</span> -<span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">1024</span>) <span class="ruby-comment"># -> dh</span> -<span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">1024</span>, <span class="ruby-value">5</span>) <span class="ruby-comment"># -> dh</span> -<span class="ruby-comment">#Reading DH parameters</span> -<span class="ruby-identifier">dh</span> = <span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">'parameters.pem'</span>)) <span class="ruby-comment"># -> dh, but no public/private key yet</span> -<span class="ruby-identifier">dh</span>.<span class="ruby-identifier">generate_key!</span> <span class="ruby-comment"># -> dh with public and private key</span> +<span class="ruby-comment"># Generating a parameters and a key pair</span> +<span class="ruby-identifier">dh</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) <span class="ruby-comment"># An alias of OpenSSL::PKey::DH.generate(2048)</span> + +<span class="ruby-comment"># Reading DH parameters</span> +<span class="ruby-identifier">dh_params</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">'parameters.pem'</span>)) <span class="ruby-comment"># loads parameters only</span> +<span class="ruby-identifier">dh</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_key</span>(<span class="ruby-identifier">dh_params</span>) <span class="ruby-comment"># generates a key pair</span> </pre> <div class="method-source-code" id="new-source"> @@ -250,40 +258,57 @@ ossl_dh_s_generate(int argc, VALUE *argv, VALUE klass) ossl_dh_initialize(int argc, VALUE *argv, VALUE self) { EVP_PKEY *pkey; + int type; DH *dh; - int g = 2; - BIO *in; - VALUE arg, gen; - - GetPKey(self, pkey); - if(rb_scan_args(argc, argv, "02", &arg, &gen) == 0) { - dh = DH_new(); + BIO *in = NULL; + VALUE arg; + + TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey); + if (pkey) + rb_raise(rb_eTypeError, "pkey already initialized"); + + /* The DH.new(size, generator) form is handled by lib/openssl/pkey.rb */ + if (rb_scan_args(argc, argv, "01", &arg) == 0) { + dh = DH_new(); + if (!dh) + ossl_raise(eDHError, "DH_new"); + goto legacy; } - else if (RB_INTEGER_TYPE_P(arg)) { - if (!NIL_P(gen)) { - g = NUM2INT(gen); - } - if (!(dh = dh_generate(NUM2INT(arg), g))) { - ossl_raise(eDHError, NULL); - } - } - else { - arg = ossl_to_der_if_possible(arg); - in = ossl_obj2bio(&arg); - dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); - if (!dh){ - OSSL_BIO_reset(in); - dh = d2i_DHparams_bio(in, NULL); - } - BIO_free(in); - if (!dh) { - ossl_raise(eDHError, NULL); - } + + arg = ossl_to_der_if_possible(arg); + in = ossl_obj2bio(&arg); + + /* + * On OpenSSL <= 1.1.1 and current versions of LibreSSL, the generic + * routine does not support DER-encoded parameters + */ + dh = d2i_DHparams_bio(in, NULL); + if (dh) + goto legacy; + OSSL_BIO_reset(in); + + pkey = ossl_pkey_read_generic(in, Qnil); + BIO_free(in); + if (!pkey) + ossl_raise(eDHError, "could not parse pkey"); + + type = EVP_PKEY_base_id(pkey); + if (type != EVP_PKEY_DH) { + EVP_PKEY_free(pkey); + rb_raise(eDHError, "incorrect pkey type: %s", OBJ_nid2sn(type)); } - if (!EVP_PKEY_assign_DH(pkey, dh)) { + RTYPEDDATA_DATA(self) = pkey; + return self; + + legacy: + BIO_free(in); + pkey = EVP_PKEY_new(); + if (!pkey || EVP_PKEY_assign_DH(pkey, dh) != 1) { + EVP_PKEY_free(pkey); DH_free(dh); - ossl_raise(eDHError, NULL); + ossl_raise(eDHError, "EVP_PKEY_assign_DH"); } + RTYPEDDATA_DATA(self) = pkey; return self; }</pre> </div> @@ -302,13 +327,15 @@ ossl_dh_initialize(int argc, VALUE *argv, VALUE self) <div id="method-i-compute_key" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - compute_key(pub_bn) → aString + compute_key(pub_bn) → string </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Returns a String containing a shared secret computed from the other party’s public value. See DH_compute_key() for further information.</p> + <p>Returns a String containing a shared secret computed from the other party’s public value.</p> + +<p>This method is provided for backwards compatibility, and calls <a href="PKey.html#method-i-derive"><code>derive</code></a> internally.</p> <h3 id="method-i-compute_key-label-Parameters">Parameters<span><a href="#method-i-compute_key-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> <ul><li> @@ -316,28 +343,22 @@ ossl_dh_initialize(int argc, VALUE *argv, VALUE self) </li></ul> <div class="method-source-code" id="compute_key-source"> - <pre>static VALUE -ossl_dh_compute_key(VALUE self, VALUE pub) -{ - DH *dh; - const BIGNUM *pub_key, *dh_p; - VALUE str; - int len; - - GetDH(self, dh); - DH_get0_pqg(dh, &dh_p, NULL, NULL); - if (!dh_p) - ossl_raise(eDHError, "incomplete DH"); - pub_key = GetBNPtr(pub); - len = DH_size(dh); - str = rb_str_new(0, len); - if ((len = DH_compute_key((unsigned char *)RSTRING_PTR(str), pub_key, dh)) < 0) { - ossl_raise(eDHError, NULL); - } - rb_str_set_len(str, len); - - return str; -}</pre> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 49</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">compute_key</span>(<span class="ruby-identifier">pub_bn</span>) + <span class="ruby-comment"># FIXME: This is constructing an X.509 SubjectPublicKeyInfo and is very</span> + <span class="ruby-comment"># inefficient</span> + <span class="ruby-identifier">obj</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">Sequence</span>([ + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">Sequence</span>([ + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">ObjectId</span>(<span class="ruby-string">"dhKeyAgreement"</span>), + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">Sequence</span>([ + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">Integer</span>(<span class="ruby-identifier">p</span>), + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">Integer</span>(<span class="ruby-identifier">g</span>), + ]), + ]), + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">BitString</span>(<span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">Integer</span>(<span class="ruby-identifier">pub_bn</span>).<span class="ruby-identifier">to_der</span>), + ]) + <span class="ruby-identifier">derive</span>(<span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">read</span>(<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">to_der</span>)) +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -393,27 +414,41 @@ ossl_dh_export(VALUE self) </div> <div class="method-description"> - <p>Generates a private and public key unless a private key already exists. If this <a href="DH.html"><code>DH</code></a> instance was generated from public <a href="DH.html"><code>DH</code></a> parameters (e.g. by encoding the result of <a href="DH.html#method-i-public_key"><code>DH#public_key</code></a>), then this method needs to be called first in order to generate the per-session keys before performing the actual key exchange.</p> + <p>Generates a private and public key unless a private key already exists. If this <a href="DH.html"><code>DH</code></a> instance was generated from public DH parameters (e.g. by encoding the result of <a href="DH.html#method-i-public_key"><code>DH#public_key</code></a>), then this method needs to be called first in order to generate the per-session keys before performing the actual key exchange.</p> -<h3 id="method-i-generate_key-21-label-Example">Example<span><a href="#method-i-generate_key-21-label-Example">¶</a> <a href="#top">↑</a></span></h3> +<p><strong>Deprecated in version 3.0</strong>. This method is incompatible with <a href="../../OpenSSL.html"><code>OpenSSL</code></a> 3.0.0 or later.</p> -<pre class="ruby"><span class="ruby-identifier">dh</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) -<span class="ruby-identifier">public_key</span> = <span class="ruby-identifier">dh</span>.<span class="ruby-identifier">public_key</span> <span class="ruby-comment">#contains no private/public key yet</span> -<span class="ruby-identifier">public_key</span>.<span class="ruby-identifier">generate_key!</span> -<span class="ruby-identifier">puts</span> <span class="ruby-identifier">public_key</span>.<span class="ruby-identifier">private?</span> <span class="ruby-comment"># => true</span> +<p>See also <a href="../PKey.html#method-c-generate_key"><code>OpenSSL::PKey.generate_key</code></a>.</p> + +<p>Example:</p> + +<pre class="ruby"><span class="ruby-comment"># DEPRECATED USAGE: This will not work on OpenSSL 3.0 or later</span> +<span class="ruby-identifier">dh0</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) +<span class="ruby-identifier">dh</span> = <span class="ruby-identifier">dh0</span>.<span class="ruby-identifier">public_key</span> <span class="ruby-comment"># #public_key only copies the DH parameters (contrary to the name)</span> +<span class="ruby-identifier">dh</span>.<span class="ruby-identifier">generate_key!</span> +<span class="ruby-identifier">puts</span> <span class="ruby-identifier">dh</span>.<span class="ruby-identifier">private?</span> <span class="ruby-comment"># => true</span> +<span class="ruby-identifier">puts</span> <span class="ruby-identifier">dh0</span>.<span class="ruby-identifier">pub_key</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">dh</span>.<span class="ruby-identifier">pub_key</span> <span class="ruby-comment">#=> false</span> + +<span class="ruby-comment"># With OpenSSL::PKey.generate_key</span> +<span class="ruby-identifier">dh0</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) +<span class="ruby-identifier">dh</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_key</span>(<span class="ruby-identifier">dh0</span>) +<span class="ruby-identifier">puts</span> <span class="ruby-identifier">dh0</span>.<span class="ruby-identifier">pub_key</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">dh</span>.<span class="ruby-identifier">pub_key</span> <span class="ruby-comment">#=> false</span> </pre> <div class="method-source-code" id="generate_key-21-source"> - <pre>static VALUE -ossl_dh_generate_key(VALUE self) -{ - DH *dh; - - GetDH(self, dh); - if (!DH_generate_key(dh)) - ossl_raise(eDHError, "Failed to generate key"); - return self; -}</pre> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 91</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">generate_key!</span> + <span class="ruby-keyword">if</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">OPENSSL_VERSION_NUMBER</span> <span class="ruby-operator">>=</span> <span class="ruby-value">0x30000000</span> + <span class="ruby-identifier">raise</span> <span class="ruby-constant">DHError</span>, <span class="ruby-string">"OpenSSL::PKey::DH is immutable on OpenSSL 3.0; "</span> \ + <span class="ruby-string">"use OpenSSL::PKey.generate_key instead"</span> + <span class="ruby-keyword">end</span> + + <span class="ruby-keyword">unless</span> <span class="ruby-identifier">priv_key</span> + <span class="ruby-identifier">tmp</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_key</span>(<span class="ruby-keyword">self</span>) + <span class="ruby-identifier">set_key</span>(<span class="ruby-identifier">tmp</span>.<span class="ruby-identifier">pub_key</span>, <span class="ruby-identifier">tmp</span>.<span class="ruby-identifier">priv_key</span>) + <span class="ruby-keyword">end</span> + <span class="ruby-keyword">self</span> +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -438,15 +473,14 @@ ossl_dh_initialize_copy(VALUE self, VALUE other) DH *dh, *dh_other; const BIGNUM *pub, *priv; - GetPKey(self, pkey); - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE) - ossl_raise(eDHError, "DH already initialized"); + TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey); + if (pkey) + rb_raise(rb_eTypeError, "pkey already initialized"); GetDH(other, dh_other); dh = DHparams_dup(dh_other); if (!dh) ossl_raise(eDHError, "DHparams_dup"); - EVP_PKEY_assign_DH(pkey, dh); DH_get0_key(dh_other, &pub, &priv); if (pub) { @@ -461,6 +495,13 @@ ossl_dh_initialize_copy(VALUE self, VALUE other) DH_set0_key(dh, pub2, priv2); } + pkey = EVP_PKEY_new(); + if (!pkey || EVP_PKEY_assign_DH(pkey, dh) != 1) { + EVP_PKEY_free(pkey); + DH_free(dh); + ossl_raise(eDHError, "EVP_PKEY_assign_DH"); + } + RTYPEDDATA_DATA(self) = pkey; return self; }</pre> </div> @@ -518,19 +559,38 @@ ossl_dh_get_params(VALUE self) <div class="method-description"> <p>Validates the Diffie-Hellman parameters associated with this instance. It checks whether a safe prime and a suitable generator are used. If this is not the case, <code>false</code> is returned.</p> +<p>See also the man page EVP_PKEY_param_check(3).</p> + <div class="method-source-code" id="params_ok-3F-source"> <pre>static VALUE ossl_dh_check_params(VALUE self) { + int ret; +#ifdef HAVE_EVP_PKEY_CHECK + EVP_PKEY *pkey; + EVP_PKEY_CTX *pctx; + + GetPKey(self, pkey); + pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL); + if (!pctx) + ossl_raise(eDHError, "EVP_PKEY_CTX_new"); + ret = EVP_PKEY_param_check(pctx); + EVP_PKEY_CTX_free(pctx); +#else DH *dh; int codes; GetDH(self, dh); - if (!DH_check(dh, &codes)) { + ret = DH_check(dh, &codes) == 1 && codes == 0; +#endif + + if (ret == 1) + return Qtrue; + else { + /* DH_check_ex() will put error entry on failure */ + ossl_clear_error(); return Qfalse; } - - return codes == 0 ? Qtrue : Qfalse; }</pre> </div> </div> @@ -603,38 +663,34 @@ ossl_dh_is_public(VALUE self) <div id="method-i-public_key" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - public_key → aDH + public_key → dhnew </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Returns a new <a href="DH.html"><code>DH</code></a> instance that carries just the public information, i.e. the prime <em>p</em> and the generator <em>g</em>, but no public/private key yet. Such a pair may be generated using <a href="DH.html#method-i-generate_key-21"><code>DH#generate_key!</code></a>. The “public key” needed for a key exchange with <a href="DH.html#method-i-compute_key"><code>DH#compute_key</code></a> is considered as per-session information and may be retrieved with DH#pub_key once a key pair has been generated. If the current instance already contains private information (and thus a valid public/private key pair), this information will no longer be present in the new instance generated by <a href="DH.html#method-i-public_key"><code>DH#public_key</code></a>. This feature is helpful for publishing the Diffie-Hellman parameters without leaking any of the private per-session information.</p> + <p>Returns a new <a href="DH.html"><code>DH</code></a> instance that carries just the DH parameters.</p> -<h3 id="method-i-public_key-label-Example">Example<span><a href="#method-i-public_key-label-Example">¶</a> <a href="#top">↑</a></span></h3> +<p>Contrary to the method name, the returned <a href="DH.html"><code>DH</code></a> object contains only parameters and not the public key.</p> -<pre class="ruby"><span class="ruby-identifier">dh</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) <span class="ruby-comment"># has public and private key set</span> -<span class="ruby-identifier">public_key</span> = <span class="ruby-identifier">dh</span>.<span class="ruby-identifier">public_key</span> <span class="ruby-comment"># contains only prime and generator</span> -<span class="ruby-identifier">parameters</span> = <span class="ruby-identifier">public_key</span>.<span class="ruby-identifier">to_der</span> <span class="ruby-comment"># it's safe to publish this</span> -</pre> +<p>This method is provided for backwards compatibility. In most cases, there is no need to call this method.</p> - <div class="method-source-code" id="public_key-source"> - <pre>static VALUE -ossl_dh_to_public_key(VALUE self) -{ - DH *orig_dh, *dh; - VALUE obj; +<p>For the purpose of re-generating the key pair while keeping the parameters, check <a href="../PKey.html#method-c-generate_key"><code>OpenSSL::PKey.generate_key</code></a>.</p> - GetDH(self, orig_dh); - dh = DHparams_dup(orig_dh); /* err check perfomed by dh_instance */ - obj = dh_instance(rb_obj_class(self), dh); - if (obj == Qfalse) { - DH_free(dh); - ossl_raise(eDHError, NULL); - } +<p>Example:</p> - return obj; -}</pre> +<pre class="ruby"><span class="ruby-comment"># OpenSSL::PKey::DH.generate by default generates a random key pair</span> +<span class="ruby-identifier">dh1</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">generate</span>(<span class="ruby-value">2048</span>) +<span class="ruby-identifier">p</span> <span class="ruby-identifier">dh1</span>.<span class="ruby-identifier">priv_key</span> <span class="ruby-comment">#=> #<OpenSSL::BN 1288347...></span> +<span class="ruby-identifier">dhcopy</span> = <span class="ruby-identifier">dh1</span>.<span class="ruby-identifier">public_key</span> +<span class="ruby-identifier">p</span> <span class="ruby-identifier">dhcopy</span>.<span class="ruby-identifier">priv_key</span> <span class="ruby-comment">#=> nil</span> +</pre> + + <div class="method-source-code" id="public_key-source"> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 33</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">public_key</span> + <span class="ruby-constant">DH</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">to_der</span>) +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -744,43 +800,6 @@ ossl_dh_to_der(VALUE self) </div> </div> - <div id="method-i-to_text" class="method-detail "> - <div class="method-heading"> - <span class="method-callseq"> - to_text → aString - </span> - <span class="method-click-advice">click to toggle source</span> - </div> - - <div class="method-description"> - <p>Prints all parameters of key to buffer INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!! Don’t use :-)) (I’s up to you)</p> - - <div class="method-source-code" id="to_text-source"> - <pre>static VALUE -ossl_dh_to_text(VALUE self) -{ - DH *dh; - BIO *out; - VALUE str; - - GetDH(self, dh); - if (!(out = BIO_new(BIO_s_mem()))) { - ossl_raise(eDHError, NULL); - } - if (!DHparams_print(out, dh)) { - BIO_free(out); - ossl_raise(eDHError, NULL); - } - str = ossl_membio2str(out); - - return str; -}</pre> - </div> - </div> - - - </div> - </section> </section> diff --git a/OpenSSL/PKey/DSA.html b/OpenSSL/PKey/DSA.html index 7a64485f..c969c747 100644 --- a/OpenSSL/PKey/DSA.html +++ b/OpenSSL/PKey/DSA.html @@ -95,7 +95,6 @@ <li ><a href="#method-i-to_der">#to_der</a> <li ><a href="#method-i-to_pem">#to_pem</a> <li ><a href="#method-i-to_s">#to_s</a> - <li ><a href="#method-i-to_text">#to_text</a> </ul> </div> @@ -135,25 +134,20 @@ <div class="method-description"> <p>Creates a new <a href="DSA.html"><code>DSA</code></a> instance by generating a private/public key pair from scratch.</p> -<h3 id="method-c-generate-label-Parameters">Parameters<span><a href="#method-c-generate-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> -<ul><li> -<p><em>size</em> is an integer representing the desired key size.</p> -</li></ul> +<p>See also <a href="../PKey.html#method-c-generate_parameters"><code>OpenSSL::PKey.generate_parameters</code></a> and <a href="../PKey.html#method-c-generate_key"><code>OpenSSL::PKey.generate_key</code></a>.</p> +<dl class="rdoc-list note-list"><dt><code>size</code> +<dd> +<p>The desired key size in bits.</p> +</dd></dl> <div class="method-source-code" id="generate-source"> - <pre>static VALUE -ossl_dsa_s_generate(VALUE klass, VALUE size) -{ - DSA *dsa = dsa_generate(NUM2INT(size)); /* err handled by dsa_instance */ - VALUE obj = dsa_instance(klass, dsa); - - if (obj == Qfalse) { - DSA_free(dsa); - ossl_raise(eDSAError, NULL); - } - - return obj; -}</pre> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 169</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">generate</span>(<span class="ruby-identifier">size</span>, <span class="ruby-operator">&</span><span class="ruby-identifier">blk</span>) + <span class="ruby-identifier">dsaparams</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_parameters</span>(<span class="ruby-string">"DSA"</span>, { + <span class="ruby-string">"dsa_paramgen_bits"</span> <span class="ruby-operator">=></span> <span class="ruby-identifier">size</span>, + }, <span class="ruby-operator">&</span><span class="ruby-identifier">blk</span>) + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_key</span>(<span class="ruby-identifier">dsaparams</span>) +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -169,33 +163,45 @@ ossl_dsa_s_generate(VALUE klass, VALUE size) </div> <div class="method-heading"> <span class="method-callseq"> - new(size) → dsa + new(string [, pass]) → dsa </span> </div> <div class="method-heading"> <span class="method-callseq"> - new(string [, pass]) → dsa + new(size) → dsa </span> </div> <div class="method-description"> <p>Creates a new <a href="DSA.html"><code>DSA</code></a> instance by reading an existing key from <em>string</em>.</p> -<h3 id="method-c-new-label-Parameters">Parameters<span><a href="#method-c-new-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> -<ul><li> -<p><em>size</em> is an integer representing the desired key size.</p> -</li><li> -<p><em>string</em> contains a DER or PEM encoded key.</p> -</li><li> -<p><em>pass</em> is a string that contains an optional password.</p> -</li></ul> +<p>If called without arguments, creates a new instance with no key components set. They can be set individually by <a href="DSA.html#method-i-set_pqg"><code>set_pqg</code></a> and <a href="DSA.html#method-i-set_key"><code>set_key</code></a>.</p> + +<p>If called with a String, tries to parse as DER or PEM encoding of a DSA key. See also <a href="../PKey.html#method-c-read"><code>OpenSSL::PKey.read</code></a> which can parse keys of any kinds.</p> -<h3 id="method-c-new-label-Examples">Examples<span><a href="#method-c-new-label-Examples">¶</a> <a href="#top">↑</a></span></h3> +<p>If called with a number, generates random parameters and a key pair. This form works as an alias of <a href="DSA.html#method-c-generate"><code>DSA.generate</code></a>.</p> +<dl class="rdoc-list note-list"><dt><code>string</code> +<dd> +<p>A String that contains a DER or PEM encoded key.</p> +</dd><dt><code>pass</code> +<dd> +<p>A String that contains an optional password.</p> +</dd><dt><code>size</code> +<dd> +<p>See <a href="DSA.html#method-c-generate"><code>DSA.generate</code></a>.</p> +</dd></dl> -<pre>DSA.new -> dsa -DSA.new(1024) -> dsa -DSA.new(File.read('dsa.pem')) -> dsa -DSA.new(File.read('dsa.pem'), 'mypassword') -> dsa</pre> +<p>Examples:</p> + +<pre class="ruby"><span class="ruby-identifier">p</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DSA</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">1024</span>) +<span class="ruby-comment">#=> #<OpenSSL::PKey::DSA:0x000055a8d6025bf0 oid=DSA></span> + +<span class="ruby-identifier">p</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DSA</span>.<span class="ruby-identifier">new</span>(<span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">'dsa.pem'</span>)) +<span class="ruby-comment">#=> #<OpenSSL::PKey::DSA:0x000055555d6b8110 oid=DSA></span> + +<span class="ruby-identifier">p</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DSA</span>.<span class="ruby-identifier">new</span>(<span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span>(<span class="ruby-string">'dsa.pem'</span>), <span class="ruby-string">'mypassword'</span>) +<span class="ruby-comment">#=> #<OpenSSL::PKey::DSA:0x0000556f973c40b8 oid=DSA></span> +</pre> <div class="method-source-code" id="new-source"> <pre>static VALUE @@ -203,53 +209,57 @@ ossl_dsa_initialize(int argc, VALUE *argv, VALUE self) { EVP_PKEY *pkey; DSA *dsa; - BIO *in; + BIO *in = NULL; VALUE arg, pass; + int type; + + TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey); + if (pkey) + rb_raise(rb_eTypeError, "pkey already initialized"); - GetPKey(self, pkey); - if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) { + /* The DSA.new(size, generator) form is handled by lib/openssl/pkey.rb */ + rb_scan_args(argc, argv, "02", &arg, &pass); + if (argc == 0) { dsa = DSA_new(); + if (!dsa) + ossl_raise(eDSAError, "DSA_new"); + goto legacy; } - else if (RB_INTEGER_TYPE_P(arg)) { - if (!(dsa = dsa_generate(NUM2INT(arg)))) { - ossl_raise(eDSAError, NULL); - } - } - else { - pass = ossl_pem_passwd_value(pass); - arg = ossl_to_der_if_possible(arg); - in = ossl_obj2bio(&arg); - dsa = PEM_read_bio_DSAPrivateKey(in, NULL, ossl_pem_passwd_cb, (void *)pass); - if (!dsa) { - OSSL_BIO_reset(in); - dsa = PEM_read_bio_DSA_PUBKEY(in, NULL, NULL, NULL); - } - if (!dsa) { - OSSL_BIO_reset(in); - dsa = d2i_DSAPrivateKey_bio(in, NULL); - } - if (!dsa) { - OSSL_BIO_reset(in); - dsa = d2i_DSA_PUBKEY_bio(in, NULL); - } - if (!dsa) { - OSSL_BIO_reset(in); -#define PEM_read_bio_DSAPublicKey(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \ - (d2i_of_void *)d2i_DSAPublicKey, PEM_STRING_DSA_PUBLIC, (bp), (void **)(x), (cb), (u)) - dsa = PEM_read_bio_DSAPublicKey(in, NULL, NULL, NULL); -#undef PEM_read_bio_DSAPublicKey - } - BIO_free(in); - if (!dsa) { - ossl_clear_error(); - ossl_raise(eDSAError, "Neither PUB key nor PRIV key"); - } + + pass = ossl_pem_passwd_value(pass); + arg = ossl_to_der_if_possible(arg); + in = ossl_obj2bio(&arg); + + /* DER-encoded DSAPublicKey format isn't supported by the generic routine */ + dsa = (DSA *)PEM_ASN1_read_bio((d2i_of_void *)d2i_DSAPublicKey, + PEM_STRING_DSA_PUBLIC, + in, NULL, NULL, NULL); + if (dsa) + goto legacy; + OSSL_BIO_reset(in); + + pkey = ossl_pkey_read_generic(in, pass); + BIO_free(in); + if (!pkey) + ossl_raise(eDSAError, "Neither PUB key nor PRIV key"); + + type = EVP_PKEY_base_id(pkey); + if (type != EVP_PKEY_DSA) { + EVP_PKEY_free(pkey); + rb_raise(eDSAError, "incorrect pkey type: %s", OBJ_nid2sn(type)); } - if (!EVP_PKEY_assign_DSA(pkey, dsa)) { + RTYPEDDATA_DATA(self) = pkey; + return self; + + legacy: + BIO_free(in); + pkey = EVP_PKEY_new(); + if (!pkey || EVP_PKEY_assign_DSA(pkey, dsa) != 1) { + EVP_PKEY_free(pkey); DSA_free(dsa); - ossl_raise(eDSAError, NULL); + ossl_raise(eDSAError, "EVP_PKEY_assign_DSA"); } - + RTYPEDDATA_DATA(self) = pkey; return self; }</pre> </div> @@ -293,34 +303,12 @@ DSA.to_pem(cipher, 'mypassword') -> aString</pre> ossl_dsa_export(int argc, VALUE *argv, VALUE self) { DSA *dsa; - BIO *out; - const EVP_CIPHER *ciph = NULL; - VALUE cipher, pass, str; GetDSA(self, dsa); - rb_scan_args(argc, argv, "02", &cipher, &pass); - if (!NIL_P(cipher)) { - ciph = ossl_evp_get_cipherbyname(cipher); - pass = ossl_pem_passwd_value(pass); - } - if (!(out = BIO_new(BIO_s_mem()))) { - ossl_raise(eDSAError, NULL); - } - if (DSA_HAS_PRIVATE(dsa)) { - if (!PEM_write_bio_DSAPrivateKey(out, dsa, ciph, NULL, 0, - ossl_pem_passwd_cb, (void *)pass)){ - BIO_free(out); - ossl_raise(eDSAError, NULL); - } - } else { - if (!PEM_write_bio_DSA_PUBKEY(out, dsa)) { - BIO_free(out); - ossl_raise(eDSAError, NULL); - } - } - str = ossl_membio2str(out); - - return str; + if (DSA_HAS_PRIVATE(dsa)) + return ossl_pkey_export_traditional(argc, argv, self, 0); + else + return ossl_pkey_export_spki(self, 0); }</pre> </div> </div> @@ -348,16 +336,24 @@ ossl_dsa_initialize_copy(VALUE self, VALUE other) EVP_PKEY *pkey; DSA *dsa, *dsa_new; - GetPKey(self, pkey); - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE) - ossl_raise(eDSAError, "DSA already initialized"); + TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey); + if (pkey) + rb_raise(rb_eTypeError, "pkey already initialized"); GetDSA(other, dsa); - dsa_new = ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey, (d2i_of_void *)d2i_DSAPrivateKey, (char *)dsa); + dsa_new = (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey, + (d2i_of_void *)d2i_DSAPrivateKey, + (char *)dsa); if (!dsa_new) ossl_raise(eDSAError, "ASN1_dup"); - EVP_PKEY_assign_DSA(pkey, dsa_new); + pkey = EVP_PKEY_new(); + if (!pkey || EVP_PKEY_assign_DSA(pkey, dsa_new) != 1) { + EVP_PKEY_free(pkey); + DSA_free(dsa_new); + ossl_raise(eDSAError, "EVP_PKEY_assign_DSA"); + } + RTYPEDDATA_DATA(self) = pkey; return self; }</pre> @@ -464,42 +460,23 @@ ossl_dsa_is_public(VALUE self) <div id="method-i-public_key" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - public_key → aDSA + public_key → dsanew </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Returns a new <a href="DSA.html"><code>DSA</code></a> instance that carries just the public key information. If the current instance has also private key information, this will no longer be present in the new instance. This feature is helpful for publishing the public key information without leaking any of the private information.</p> + <p>Returns a new <a href="DSA.html"><code>DSA</code></a> instance that carries just the DSA parameters and the public key.</p> -<h3 id="method-i-public_key-label-Example">Example<span><a href="#method-i-public_key-label-Example">¶</a> <a href="#top">↑</a></span></h3> +<p>This method is provided for backwards compatibility. In most cases, there is no need to call this method.</p> -<pre class="ruby"><span class="ruby-identifier">dsa</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DSA</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) <span class="ruby-comment"># has public and private information</span> -<span class="ruby-identifier">pub_key</span> = <span class="ruby-identifier">dsa</span>.<span class="ruby-identifier">public_key</span> <span class="ruby-comment"># has only the public part available</span> -<span class="ruby-identifier">pub_key_der</span> = <span class="ruby-identifier">pub_key</span>.<span class="ruby-identifier">to_der</span> <span class="ruby-comment"># it's safe to publish this</span> -</pre> +<p>For the purpose of serializing the public key, to PEM or DER encoding of X.509 SubjectPublicKeyInfo format, check <a href="PKey.html#method-i-public_to_pem"><code>PKey#public_to_pem</code></a> and <a href="PKey.html#method-i-public_to_der"><code>PKey#public_to_der</code></a>.</p> <div class="method-source-code" id="public_key-source"> - <pre>static VALUE -ossl_dsa_to_public_key(VALUE self) -{ - EVP_PKEY *pkey; - DSA *dsa; - VALUE obj; - - GetPKeyDSA(self, pkey); - /* err check performed by dsa_instance */ -#define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup( \ - (i2d_of_void *)i2d_DSAPublicKey, (d2i_of_void *)d2i_DSAPublicKey, (char *)(dsa)) - dsa = DSAPublicKey_dup(EVP_PKEY_get0_DSA(pkey)); -#undef DSAPublicKey_dup - obj = dsa_instance(rb_obj_class(self), dsa); - if (obj == Qfalse) { - DSA_free(dsa); - ossl_raise(eDSAError, NULL); - } - return obj; -}</pre> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 153</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">public_key</span> + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">read</span>(<span class="ruby-identifier">public_to_der</span>) +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -539,53 +516,46 @@ ossl_dsa_to_public_key(VALUE self) <div id="method-i-syssign" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - syssign(string) → aString + syssign(string) → string </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Computes and returns the <a href="DSA.html"><code>DSA</code></a> signature of <em>string</em>, where <em>string</em> is expected to be an already-computed message digest of the original input data. The signature is issued using the private key of this <a href="DSA.html"><code>DSA</code></a> instance.</p> + <p>Computes and returns the DSA signature of <code>string</code>, where <code>string</code> is expected to be an already-computed message digest of the original input data. The signature is issued using the private key of this <a href="DSA.html"><code>DSA</code></a> instance.</p> -<h3 id="method-i-syssign-label-Parameters">Parameters<span><a href="#method-i-syssign-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> -<ul><li> -<p><em>string</em> is a message digest of the original input data to be signed.</p> -</li></ul> +<p><strong>Deprecated in version 3.0</strong>. Consider using <a href="PKey.html#method-i-sign_raw"><code>PKey::PKey#sign_raw</code></a> and <a href="PKey.html#method-i-verify_raw"><code>PKey::PKey#verify_raw</code></a> instead.</p> +<dl class="rdoc-list note-list"><dt><code>string</code> +<dd> +<p>A message digest of the original input data to be signed.</p> +</dd></dl> -<h3 id="method-i-syssign-label-Example">Example<span><a href="#method-i-syssign-label-Example">¶</a> <a href="#top">↑</a></span></h3> +<p>Example:</p> <pre class="ruby"><span class="ruby-identifier">dsa</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DSA</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) <span class="ruby-identifier">doc</span> = <span class="ruby-string">"Sign me"</span> <span class="ruby-identifier">digest</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">digest</span>(<span class="ruby-string">'SHA1'</span>, <span class="ruby-identifier">doc</span>) + +<span class="ruby-comment"># With legacy #syssign and #sysverify:</span> <span class="ruby-identifier">sig</span> = <span class="ruby-identifier">dsa</span>.<span class="ruby-identifier">syssign</span>(<span class="ruby-identifier">digest</span>) +<span class="ruby-identifier">p</span> <span class="ruby-identifier">dsa</span>.<span class="ruby-identifier">sysverify</span>(<span class="ruby-identifier">digest</span>, <span class="ruby-identifier">sig</span>) <span class="ruby-comment">#=> true</span> + +<span class="ruby-comment"># With #sign_raw and #verify_raw:</span> +<span class="ruby-identifier">sig</span> = <span class="ruby-identifier">dsa</span>.<span class="ruby-identifier">sign_raw</span>(<span class="ruby-keyword">nil</span>, <span class="ruby-identifier">digest</span>) +<span class="ruby-identifier">p</span> <span class="ruby-identifier">dsa</span>.<span class="ruby-identifier">verify_raw</span>(<span class="ruby-keyword">nil</span>, <span class="ruby-identifier">sig</span>, <span class="ruby-identifier">digest</span>) <span class="ruby-comment">#=> true</span> </pre> <div class="method-source-code" id="syssign-source"> - <pre>static VALUE -ossl_dsa_sign(VALUE self, VALUE data) -{ - DSA *dsa; - const BIGNUM *dsa_q; - unsigned int buf_len; - VALUE str; - - GetDSA(self, dsa); - DSA_get0_pqg(dsa, NULL, &dsa_q, NULL); - if (!dsa_q) - ossl_raise(eDSAError, "incomplete DSA"); - if (!DSA_PRIVATE(self, dsa)) - ossl_raise(eDSAError, "Private DSA key needed!"); - StringValue(data); - str = rb_str_new(0, DSA_size(dsa)); - if (!DSA_sign(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data), - (unsigned char *)RSTRING_PTR(str), - &buf_len, dsa)) { /* type is ignored (0) */ - ossl_raise(eDSAError, NULL); - } - rb_str_set_len(str, buf_len); - - return str; -}</pre> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 212</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">syssign</span>(<span class="ruby-identifier">string</span>) + <span class="ruby-identifier">q</span> <span class="ruby-keyword">or</span> <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DSAError</span>, <span class="ruby-string">"incomplete DSA"</span> + <span class="ruby-identifier">private?</span> <span class="ruby-keyword">or</span> <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DSAError</span>, <span class="ruby-string">"Private DSA key needed!"</span> + <span class="ruby-keyword">begin</span> + <span class="ruby-identifier">sign_raw</span>(<span class="ruby-keyword">nil</span>, <span class="ruby-identifier">string</span>) + <span class="ruby-keyword">rescue</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">PKeyError</span> + <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DSAError</span>, <span class="ruby-identifier">$!</span>.<span class="ruby-identifier">message</span> + <span class="ruby-keyword">end</span> +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -601,46 +571,24 @@ ossl_dsa_sign(VALUE self, VALUE data) </div> <div class="method-description"> - <p>Verifies whether the signature is valid given the message digest input. It does so by validating <em>sig</em> using the public key of this <a href="DSA.html"><code>DSA</code></a> instance.</p> + <p>Verifies whether the signature is valid given the message digest input. It does so by validating <code>sig</code> using the public key of this <a href="DSA.html"><code>DSA</code></a> instance.</p> -<h3 id="method-i-sysverify-label-Parameters">Parameters<span><a href="#method-i-sysverify-label-Parameters">¶</a> <a href="#top">↑</a></span></h3> -<ul><li> -<p><em>digest</em> is a message digest of the original input data to be signed</p> -</li><li> -<p><em>sig</em> is a <a href="DSA.html"><code>DSA</code></a> signature value</p> -</li></ul> - -<h3 id="method-i-sysverify-label-Example">Example<span><a href="#method-i-sysverify-label-Example">¶</a> <a href="#top">↑</a></span></h3> - -<pre class="ruby"><span class="ruby-identifier">dsa</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DSA</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) -<span class="ruby-identifier">doc</span> = <span class="ruby-string">"Sign me"</span> -<span class="ruby-identifier">digest</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">digest</span>(<span class="ruby-string">'SHA1'</span>, <span class="ruby-identifier">doc</span>) -<span class="ruby-identifier">sig</span> = <span class="ruby-identifier">dsa</span>.<span class="ruby-identifier">syssign</span>(<span class="ruby-identifier">digest</span>) -<span class="ruby-identifier">puts</span> <span class="ruby-identifier">dsa</span>.<span class="ruby-identifier">sysverify</span>(<span class="ruby-identifier">digest</span>, <span class="ruby-identifier">sig</span>) <span class="ruby-comment"># => true</span> -</pre> +<p><strong>Deprecated in version 3.0</strong>. Consider using <a href="PKey.html#method-i-sign_raw"><code>PKey::PKey#sign_raw</code></a> and <a href="PKey.html#method-i-verify_raw"><code>PKey::PKey#verify_raw</code></a> instead.</p> +<dl class="rdoc-list note-list"><dt><code>digest</code> +<dd> +<p>A message digest of the original input data to be signed.</p> +</dd><dt><code>sig</code> +<dd> +<p>A DSA signature value.</p> +</dd></dl> <div class="method-source-code" id="sysverify-source"> - <pre>static VALUE -ossl_dsa_verify(VALUE self, VALUE digest, VALUE sig) -{ - DSA *dsa; - int ret; - - GetDSA(self, dsa); - StringValue(digest); - StringValue(sig); - /* type is ignored (0) */ - ret = DSA_verify(0, (unsigned char *)RSTRING_PTR(digest), RSTRING_LENINT(digest), - (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), dsa); - if (ret < 0) { - ossl_raise(eDSAError, NULL); - } - else if (ret == 1) { - return Qtrue; - } - - return Qfalse; -}</pre> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 235</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">sysverify</span>(<span class="ruby-identifier">digest</span>, <span class="ruby-identifier">sig</span>) + <span class="ruby-identifier">verify_raw</span>(<span class="ruby-keyword">nil</span>, <span class="ruby-identifier">sig</span>, <span class="ruby-identifier">digest</span>) +<span class="ruby-keyword">rescue</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">PKeyError</span> + <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">DSAError</span>, <span class="ruby-identifier">$!</span>.<span class="ruby-identifier">message</span> +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -663,25 +611,12 @@ ossl_dsa_verify(VALUE self, VALUE digest, VALUE sig) ossl_dsa_to_der(VALUE self) { DSA *dsa; - int (*i2d_func)(DSA *, unsigned char **); - unsigned char *p; - long len; - VALUE str; GetDSA(self, dsa); - if(DSA_HAS_PRIVATE(dsa)) - i2d_func = (int (*)(DSA *,unsigned char **))i2d_DSAPrivateKey; + if (DSA_HAS_PRIVATE(dsa)) + return ossl_pkey_export_traditional(0, NULL, self, 1); else - i2d_func = i2d_DSA_PUBKEY; - if((len = i2d_func(dsa, NULL)) <= 0) - ossl_raise(eDSAError, NULL); - str = rb_str_new(0, len); - p = (unsigned char *)RSTRING_PTR(str); - if(i2d_func(dsa, &p) < 0) - ossl_raise(eDSAError, NULL); - ossl_str_adjust(str, p); - - return str; + return ossl_pkey_export_spki(self, 1); }</pre> </div> </div> @@ -749,43 +684,6 @@ DSA.to_pem(cipher, 'mypassword') -> aString</pre> </div> </div> - <div id="method-i-to_text" class="method-detail "> - <div class="method-heading"> - <span class="method-callseq"> - to_text → aString - </span> - <span class="method-click-advice">click to toggle source</span> - </div> - - <div class="method-description"> - <p>Prints all parameters of key to buffer INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!! Don’t use :-)) (I’s up to you)</p> - - <div class="method-source-code" id="to_text-source"> - <pre>static VALUE -ossl_dsa_to_text(VALUE self) -{ - DSA *dsa; - BIO *out; - VALUE str; - - GetDSA(self, dsa); - if (!(out = BIO_new(BIO_s_mem()))) { - ossl_raise(eDSAError, NULL); - } - if (!DSA_print(out, dsa, 0)) { /* offset = 0 */ - BIO_free(out); - ossl_raise(eDSAError, NULL); - } - str = ossl_membio2str(out); - - return str; -}</pre> - </div> - </div> - - - </div> - </section> </section> diff --git a/OpenSSL/PKey/EC.html b/OpenSSL/PKey/EC.html index 4645a2da..22612699 100644 --- a/OpenSSL/PKey/EC.html +++ b/OpenSSL/PKey/EC.html @@ -103,7 +103,6 @@ <li ><a href="#method-i-public_key-3F">#public_key?</a> <li ><a href="#method-i-to_der">#to_der</a> <li ><a href="#method-i-to_pem">#to_pem</a> - <li ><a href="#method-i-to_text">#to_text</a> </ul> </div> @@ -221,16 +220,20 @@ <pre>static VALUE ossl_ec_key_s_generate(VALUE klass, VALUE arg) { + EVP_PKEY *pkey; EC_KEY *ec; VALUE obj; - ec = ec_key_new_from_group(arg); + obj = rb_obj_alloc(klass); - obj = ec_instance(klass, ec); - if (obj == Qfalse) { + ec = ec_key_new_from_group(arg); + pkey = EVP_PKEY_new(); + if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec) != 1) { + EVP_PKEY_free(pkey); EC_KEY_free(ec); - ossl_raise(eECError, NULL); + ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY"); } + RTYPEDDATA_DATA(obj) = pkey; if (!EC_KEY_generate_key(ec)) ossl_raise(eECError, "EC_KEY_generate_key"); @@ -284,57 +287,53 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg) { EVP_PKEY *pkey; EC_KEY *ec; + BIO *in; VALUE arg, pass; + int type; - GetPKey(self, pkey); - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE) - ossl_raise(eECError, "EC_KEY already initialized"); + TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey); + if (pkey) + rb_raise(rb_eTypeError, "pkey already initialized"); rb_scan_args(argc, argv, "02", &arg, &pass); - if (NIL_P(arg)) { if (!(ec = EC_KEY_new())) - ossl_raise(eECError, NULL); - } else if (rb_obj_is_kind_of(arg, cEC)) { - EC_KEY *other_ec = NULL; - - GetEC(arg, other_ec); - if (!(ec = EC_KEY_dup(other_ec))) - ossl_raise(eECError, NULL); - } else if (rb_obj_is_kind_of(arg, cEC_GROUP)) { + ossl_raise(eECError, "EC_KEY_new"); + goto legacy; + } + else if (rb_obj_is_kind_of(arg, cEC_GROUP)) { ec = ec_key_new_from_group(arg); - } else { - BIO *in; - - pass = ossl_pem_passwd_value(pass); - in = ossl_obj2bio(&arg); - - ec = PEM_read_bio_ECPrivateKey(in, NULL, ossl_pem_passwd_cb, (void *)pass); - if (!ec) { - OSSL_BIO_reset(in); - ec = PEM_read_bio_EC_PUBKEY(in, NULL, ossl_pem_passwd_cb, (void *)pass); - } - if (!ec) { - OSSL_BIO_reset(in); - ec = d2i_ECPrivateKey_bio(in, NULL); - } - if (!ec) { - OSSL_BIO_reset(in); - ec = d2i_EC_PUBKEY_bio(in, NULL); - } - BIO_free(in); - - if (!ec) { - ossl_clear_error(); - ec = ec_key_new_from_group(arg); - } + goto legacy; } - if (!EVP_PKEY_assign_EC_KEY(pkey, ec)) { + pass = ossl_pem_passwd_value(pass); + arg = ossl_to_der_if_possible(arg); + in = ossl_obj2bio(&arg); + + pkey = ossl_pkey_read_generic(in, pass); + BIO_free(in); + if (!pkey) { + ossl_clear_error(); + ec = ec_key_new_from_group(arg); + goto legacy; + } + + type = EVP_PKEY_base_id(pkey); + if (type != EVP_PKEY_EC) { + EVP_PKEY_free(pkey); + rb_raise(eDSAError, "incorrect pkey type: %s", OBJ_nid2sn(type)); + } + RTYPEDDATA_DATA(self) = pkey; + return self; + + legacy: + pkey = EVP_PKEY_new(); + if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec) != 1) { + EVP_PKEY_free(pkey); EC_KEY_free(ec); ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY"); } - + RTYPEDDATA_DATA(self) = pkey; return self; }</pre> </div> @@ -361,16 +360,31 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg) <div class="method-description"> <p>Raises an exception if the key is invalid.</p> -<p>See the <a href="../../OpenSSL.html"><code>OpenSSL</code></a> documentation for EC_KEY_check_key()</p> +<p>See also the man page EVP_PKEY_public_check(3).</p> <div class="method-source-code" id="check_key-source"> <pre>static VALUE ossl_ec_key_check_key(VALUE self) { +#ifdef HAVE_EVP_PKEY_CHECK + EVP_PKEY *pkey; + EVP_PKEY_CTX *pctx; + int ret; + + GetPKey(self, pkey); + pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL); + if (!pctx) + ossl_raise(eDHError, "EVP_PKEY_CTX_new"); + ret = EVP_PKEY_public_check(pctx); + EVP_PKEY_CTX_free(pctx); + if (ret != 1) + ossl_raise(eECError, "EVP_PKEY_public_check"); +#else EC_KEY *ec; GetEC(self, ec); if (EC_KEY_check_key(ec) != 1) ossl_raise(eECError, "EC_KEY_check_key"); +#endif return Qtrue; }</pre> @@ -383,37 +397,28 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg) <div id="method-i-dh_compute_key" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - dh_compute_key(pubkey) → String + dh_compute_key(pubkey) → string </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>See the <a href="../../OpenSSL.html"><code>OpenSSL</code></a> documentation for ECDH_compute_key()</p> + <p>Derives a shared secret by ECDH. <em>pubkey</em> must be an instance of <a href="EC/Point.html"><code>OpenSSL::PKey::EC::Point</code></a> and must belong to the same group.</p> - <div class="method-source-code" id="dh_compute_key-source"> - <pre>static VALUE ossl_ec_key_dh_compute_key(VALUE self, VALUE pubkey) -{ - EC_KEY *ec; - EC_POINT *point; - int buf_len; - VALUE str; - - GetEC(self, ec); - GetECPoint(pubkey, point); - -/* BUG: need a way to figure out the maximum string size */ - buf_len = 1024; - str = rb_str_new(0, buf_len); -/* BUG: take KDF as a block */ - buf_len = ECDH_compute_key(RSTRING_PTR(str), buf_len, point, ec, NULL); - if (buf_len < 0) - ossl_raise(eECError, "ECDH_compute_key"); +<p>This method is provided for backwards compatibility, and calls <a href="PKey.html#method-i-derive"><code>derive</code></a> internally.</p> - rb_str_resize(str, buf_len); - - return str; -}</pre> + <div class="method-source-code" id="dh_compute_key-source"> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 276</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">dh_compute_key</span>(<span class="ruby-identifier">pubkey</span>) + <span class="ruby-identifier">obj</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">Sequence</span>([ + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">Sequence</span>([ + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">ObjectId</span>(<span class="ruby-string">"id-ecPublicKey"</span>), + <span class="ruby-identifier">group</span>.<span class="ruby-identifier">to_der</span>, + ]), + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-constant">BitString</span>(<span class="ruby-identifier">pubkey</span>.<span class="ruby-identifier">to_octet_string</span>(<span class="ruby-value">:uncompressed</span>)), + ]) + <span class="ruby-identifier">derive</span>(<span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">read</span>(<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">to_der</span>)) +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -423,34 +428,21 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg) <div id="method-i-dsa_sign_asn1" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - dsa_sign_asn1(data) → String + dsa_sign_asn1(data) → String </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>See the <a href="../../OpenSSL.html"><code>OpenSSL</code></a> documentation for ECDSA_sign()</p> + <p><strong>Deprecated in version 3.0</strong>. Consider using <a href="PKey.html#method-i-sign_raw"><code>PKey::PKey#sign_raw</code></a> and <a href="PKey.html#method-i-verify_raw"><code>PKey::PKey#verify_raw</code></a> instead.</p> <div class="method-source-code" id="dsa_sign_asn1-source"> - <pre>static VALUE ossl_ec_key_dsa_sign_asn1(VALUE self, VALUE data) -{ - EC_KEY *ec; - unsigned int buf_len; - VALUE str; - - GetEC(self, ec); - StringValue(data); - - if (EC_KEY_get0_private_key(ec) == NULL) - ossl_raise(eECError, "Private EC key needed!"); - - str = rb_str_new(0, ECDSA_size(ec)); - if (ECDSA_sign(0, (unsigned char *) RSTRING_PTR(data), RSTRING_LENINT(data), (unsigned char *) RSTRING_PTR(str), &buf_len, ec) != 1) - ossl_raise(eECError, "ECDSA_sign"); - rb_str_set_len(str, buf_len); - - return str; -}</pre> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 251</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">dsa_sign_asn1</span>(<span class="ruby-identifier">data</span>) + <span class="ruby-identifier">sign_raw</span>(<span class="ruby-keyword">nil</span>, <span class="ruby-identifier">data</span>) +<span class="ruby-keyword">rescue</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">PKeyError</span> + <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">ECError</span>, <span class="ruby-identifier">$!</span>.<span class="ruby-identifier">message</span> +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -460,33 +452,21 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg) <div id="method-i-dsa_verify_asn1" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - dsa_verify_asn1(data, sig) → true or false + dsa_verify_asn1(data, sig) → true | false </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>See the <a href="../../OpenSSL.html"><code>OpenSSL</code></a> documentation for ECDSA_verify()</p> + <p><strong>Deprecated in version 3.0</strong>. Consider using <a href="PKey.html#method-i-sign_raw"><code>PKey::PKey#sign_raw</code></a> and <a href="PKey.html#method-i-verify_raw"><code>PKey::PKey#verify_raw</code></a> instead.</p> <div class="method-source-code" id="dsa_verify_asn1-source"> - <pre>static VALUE ossl_ec_key_dsa_verify_asn1(VALUE self, VALUE data, VALUE sig) -{ - EC_KEY *ec; - - GetEC(self, ec); - StringValue(data); - StringValue(sig); - - switch (ECDSA_verify(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data), - (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), ec)) { - case 1: - return Qtrue; - case 0: - return Qfalse; - default: - ossl_raise(eECError, "ECDSA_verify"); - } -}</pre> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 262</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">dsa_verify_asn1</span>(<span class="ruby-identifier">data</span>, <span class="ruby-identifier">sig</span>) + <span class="ruby-identifier">verify_raw</span>(<span class="ruby-keyword">nil</span>, <span class="ruby-identifier">sig</span>, <span class="ruby-identifier">data</span>) +<span class="ruby-keyword">rescue</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">PKeyError</span> + <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">ECError</span>, <span class="ruby-identifier">$!</span>.<span class="ruby-identifier">message</span> +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -505,11 +485,16 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg) <p>Outputs the <a href="EC.html"><code>EC</code></a> key in PEM encoding. If <em>cipher</em> and <em>pass_phrase</em> are given they will be used to encrypt the key. <em>cipher</em> must be an <a href="../Cipher.html"><code>OpenSSL::Cipher</code></a> instance. Note that encryption will only be effective for a private key, public keys will always be encoded in plain text.</p> <div class="method-source-code" id="export-source"> - <pre>static VALUE ossl_ec_key_export(int argc, VALUE *argv, VALUE self) + <pre>static VALUE +ossl_ec_key_export(int argc, VALUE *argv, VALUE self) { - VALUE cipher, passwd; - rb_scan_args(argc, argv, "02", &cipher, &passwd); - return ossl_ec_key_to_string(self, cipher, passwd, EXPORT_PEM); + EC_KEY *ec; + + GetEC(self, ec); + if (EC_KEY_get0_private_key(ec)) + return ossl_pkey_export_traditional(argc, argv, self, 0); + else + return ossl_pkey_export_spki(self, 0); }</pre> </div> </div> @@ -570,6 +555,9 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg) <div class="method-source-code" id="generate_key-21-source"> <pre>static VALUE ossl_ec_key_generate_key(VALUE self) { +#if OSSL_OPENSSL_PREREQ(3, 0, 0) + rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0"); +#else EC_KEY *ec; GetEC(self, ec); @@ -577,6 +565,7 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg) ossl_raise(eECError, "EC_KEY_generate_key"); return self; +#endif }</pre> </div> </div> @@ -633,6 +622,9 @@ ossl_ec_key_get_group(VALUE self) <pre>static VALUE ossl_ec_key_set_group(VALUE self, VALUE group_v) { +#if OSSL_OPENSSL_PREREQ(3, 0, 0) + rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0"); +#else EC_KEY *ec; EC_GROUP *group; @@ -643,6 +635,7 @@ ossl_ec_key_set_group(VALUE self, VALUE group_v) ossl_raise(eECError, "EC_KEY_set_group"); return group_v; +#endif }</pre> </div> </div> @@ -667,18 +660,21 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other) EVP_PKEY *pkey; EC_KEY *ec, *ec_new; - GetPKey(self, pkey); - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE) - ossl_raise(eECError, "EC already initialized"); + TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey); + if (pkey) + rb_raise(rb_eTypeError, "pkey already initialized"); GetEC(other, ec); ec_new = EC_KEY_dup(ec); if (!ec_new) ossl_raise(eECError, "EC_KEY_dup"); - if (!EVP_PKEY_assign_EC_KEY(pkey, ec_new)) { + + pkey = EVP_PKEY_new(); + if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec_new) != 1) { EC_KEY_free(ec_new); ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY"); } + RTYPEDDATA_DATA(self) = pkey; return self; }</pre> @@ -760,6 +756,9 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other) <div class="method-source-code" id="private_key-3D-source"> <pre>static VALUE ossl_ec_key_set_private_key(VALUE self, VALUE private_key) { +#if OSSL_OPENSSL_PREREQ(3, 0, 0) + rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0"); +#else EC_KEY *ec; BIGNUM *bn = NULL; @@ -773,11 +772,13 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other) case 0: if (bn == NULL) break; + /* fallthrough */ default: ossl_raise(eECError, "EC_KEY_set_private_key"); } return private_key; +#endif }</pre> </div> </div> @@ -874,6 +875,9 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other) <div class="method-source-code" id="public_key-3D-source"> <pre>static VALUE ossl_ec_key_set_public_key(VALUE self, VALUE public_key) { +#if OSSL_OPENSSL_PREREQ(3, 0, 0) + rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0"); +#else EC_KEY *ec; EC_POINT *point = NULL; @@ -887,11 +891,13 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other) case 0: if (point == NULL) break; + /* fallthrough */ default: ossl_raise(eECError, "EC_KEY_set_public_key"); } return public_key; +#endif }</pre> </div> </div> @@ -928,9 +934,16 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other) <p>See the <a href="../../OpenSSL.html"><code>OpenSSL</code></a> documentation for i2d_ECPrivateKey_bio()</p> <div class="method-source-code" id="to_der-source"> - <pre>static VALUE ossl_ec_key_to_der(VALUE self) + <pre>static VALUE +ossl_ec_key_to_der(VALUE self) { - return ossl_ec_key_to_string(self, Qnil, Qnil, EXPORT_DER); + EC_KEY *ec; + + GetEC(self, ec); + if (EC_KEY_get0_private_key(ec)) + return ossl_pkey_export_traditional(0, NULL, self, 1); + else + return ossl_pkey_export_spki(self, 1); }</pre> </div> </div> @@ -956,42 +969,6 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other) </div> </div> - <div id="method-i-to_text" class="method-detail "> - <div class="method-heading"> - <span class="method-callseq"> - to_text → String - </span> - <span class="method-click-advice">click to toggle source</span> - </div> - - <div class="method-description"> - <p>See the <a href="../../OpenSSL.html"><code>OpenSSL</code></a> documentation for EC_KEY_print()</p> - - <div class="method-source-code" id="to_text-source"> - <pre>static VALUE ossl_ec_key_to_text(VALUE self) -{ - EC_KEY *ec; - BIO *out; - VALUE str; - - GetEC(self, ec); - if (!(out = BIO_new(BIO_s_mem()))) { - ossl_raise(eECError, "BIO_new(BIO_s_mem())"); - } - if (!EC_KEY_print(out, ec, 0)) { - BIO_free(out); - ossl_raise(eECError, "EC_KEY_print"); - } - str = ossl_membio2str(out); - - return str; -}</pre> - </div> - </div> - - - </div> - </section> </section> diff --git a/OpenSSL/PKey/EC/Group.html b/OpenSSL/PKey/EC/Group.html index 42d18499..12b4d2a7 100644 --- a/OpenSSL/PKey/EC/Group.html +++ b/OpenSSL/PKey/EC/Group.html @@ -131,11 +131,6 @@ </div> <div class="method-heading"> <span class="method-callseq"> - OpenSSL::PKey::EC::Group.new(ec_method) - </span> - </div> - <div class="method-heading"> - <span class="method-callseq"> OpenSSL::PKey::EC::Group.new(:GFp, bignum_p, bignum_a, bignum_b) </span> </div> @@ -148,17 +143,6 @@ <div class="method-description"> <p>Creates a new <a href="Group.html"><code>EC::Group</code></a> object.</p> -<p><em>ec_method</em> is a symbol that represents an EC_METHOD. Currently the following are supported:</p> -<ul><li> -<p>:GFp_simple</p> -</li><li> -<p>:GFp_mont</p> -</li><li> -<p>:GFp_nist</p> -</li><li> -<p>:GF2m_simple</p> -</li></ul> - <p>If the first argument is :GFp or :GF2m, creates a new curve with given parameters.</p> <div class="method-source-code" id="new-source"> @@ -173,29 +157,7 @@ switch (rb_scan_args(argc, argv, "13", &arg1, &arg2, &arg3, &arg4)) { case 1: - if (SYMBOL_P(arg1)) { - const EC_METHOD *method = NULL; - ID id = SYM2ID(arg1); - - if (id == s_GFp_simple) { - method = EC_GFp_simple_method(); - } else if (id == s_GFp_mont) { - method = EC_GFp_mont_method(); - } else if (id == s_GFp_nist) { - method = EC_GFp_nist_method(); -#if !defined(OPENSSL_NO_EC2M) - } else if (id == s_GF2m_simple) { - method = EC_GF2m_simple_method(); -#endif - } - - if (method) { - if ((group = EC_GROUP_new(method)) == NULL) - ossl_raise(eEC_GROUP, "EC_GROUP_new"); - } else { - ossl_raise(rb_eArgError, "unknown symbol, must be :GFp_simple, :GFp_mont, :GFp_nist or :GF2m_simple"); - } - } else if (rb_obj_is_kind_of(arg1, cEC_GROUP)) { + if (rb_obj_is_kind_of(arg1, cEC_GROUP)) { const EC_GROUP *arg1_group; GetECGroup(arg1, arg1_group); @@ -259,8 +221,7 @@ ossl_raise(rb_eArgError, "wrong number of arguments"); } - if (group == NULL) - ossl_raise(eEC_GROUP, ""); + ASSUME(group); RTYPEDDATA_DATA(self) = group; return self; diff --git a/OpenSSL/PKey/EC/Point.html b/OpenSSL/PKey/EC/Point.html index 706be750..962087ce 100644 --- a/OpenSSL/PKey/EC/Point.html +++ b/OpenSSL/PKey/EC/Point.html @@ -418,7 +418,7 @@ ossl_ec_point_initialize_copy(VALUE self, VALUE other) </div> <div class="method-description"> - + <p>This method is deprecated and should not be used. This is a no-op.</p> <div class="method-source-code" id="make_affine-21-source"> <pre>static VALUE ossl_ec_point_make_affine(VALUE self) @@ -429,8 +429,11 @@ ossl_ec_point_initialize_copy(VALUE self, VALUE other) GetECPoint(self, point); GetECPointGroup(self, group); + rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated"); +#if !OSSL_OPENSSL_PREREQ(3, 0, 0) if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1) ossl_raise(cEC_POINT, "EC_POINT_make_affine"); +#endif return self; }</pre> @@ -485,6 +488,10 @@ ossl_ec_point_initialize_copy(VALUE self, VALUE other) if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) ossl_raise(eEC_POINT, NULL); } else { +#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) + rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \ + "supported by this OpenSSL version"); +#else /* * bignums | arg1[0] | arg1[1] | arg1[2] | ... * points | self | arg2[0] | arg2[1] | ... @@ -499,6 +506,9 @@ ossl_ec_point_initialize_copy(VALUE self, VALUE other) if (RARRAY_LEN(arg1) != RARRAY_LEN(arg2) + 1) /* arg2 must be 1 larger */ ossl_raise(rb_eArgError, "bns must be 1 longer than points; see the documentation"); + rb_warning("OpenSSL::PKey::EC::Point#mul(ary, ary) is deprecated; " \ + "use #mul(bn) form instead"); + num = RARRAY_LEN(arg1); bns_tmp = rb_ary_tmp_new(num); bignums = ALLOCV_N(const BIGNUM *, tmp_b, num); @@ -524,6 +534,7 @@ ossl_ec_point_initialize_copy(VALUE self, VALUE other) ALLOCV_END(tmp_b); ALLOCV_END(tmp_p); +#endif } return result; @@ -615,7 +626,7 @@ ossl_ec_point_initialize_copy(VALUE self, VALUE other) <p>See <a href="Point.html#method-i-to_octet_string"><code>to_octet_string</code></a> for more information.</p> <div class="method-source-code" id="to_bn-source"> - <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 33</span> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 299</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">to_bn</span>(<span class="ruby-identifier">conversion_form</span> = <span class="ruby-identifier">group</span>.<span class="ruby-identifier">point_conversion_form</span>) <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">BN</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">to_octet_string</span>(<span class="ruby-identifier">conversion_form</span>), <span class="ruby-value">2</span>) <span class="ruby-keyword">end</span></pre> diff --git a/OpenSSL/PKey/PKey.html b/OpenSSL/PKey/PKey.html index 5f981ef2..7b3cf677 100644 --- a/OpenSSL/PKey/PKey.html +++ b/OpenSSL/PKey/PKey.html @@ -73,6 +73,11 @@ <ul class="link-list" role="directory"> <li ><a href="#method-c-new">::new</a> + <li ><a href="#method-i-compare-3F">#compare?</a> + <li ><a href="#method-i-decrypt">#decrypt</a> + <li ><a href="#method-i-derive">#derive</a> + <li ><a href="#method-i-encrypt">#encrypt</a> + <li ><a href="#method-i-initialize_copy">#initialize_copy</a> <li ><a href="#method-i-inspect">#inspect</a> <li ><a href="#method-i-oid">#oid</a> <li ><a href="#method-i-private_to_der">#private_to_der</a> @@ -80,7 +85,11 @@ <li ><a href="#method-i-public_to_der">#public_to_der</a> <li ><a href="#method-i-public_to_pem">#public_to_pem</a> <li ><a href="#method-i-sign">#sign</a> + <li ><a href="#method-i-sign_raw">#sign_raw</a> + <li ><a href="#method-i-to_text">#to_text</a> <li ><a href="#method-i-verify">#verify</a> + <li ><a href="#method-i-verify_raw">#verify_raw</a> + <li ><a href="#method-i-verify_recover">#verify_recover</a> </ul> </div> @@ -149,6 +158,316 @@ ossl_pkey_initialize(VALUE self) <h3>Public Instance Methods</h3> </header> + <div id="method-i-compare-3F" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + compare?(another_pkey) → true | false + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Used primarily to check if an <a href="../X509/Certificate.html#method-i-public_key"><code>OpenSSL::X509::Certificate#public_key</code></a> compares to its private key.</p> + +<h2 id="method-i-compare-3F-label-Example">Example<span><a href="#method-i-compare-3F-label-Example">¶</a> <a href="#top">↑</a></span></h2> + +<pre class="ruby"><span class="ruby-identifier">x509</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">X509</span><span class="ruby-operator">::</span><span class="ruby-constant">Certificate</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">pem_encoded_certificate</span>) +<span class="ruby-identifier">rsa_key</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSA</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">pem_encoded_private_key</span>) + +<span class="ruby-identifier">rsa_key</span>.<span class="ruby-identifier">compare?</span>(<span class="ruby-identifier">x509</span>.<span class="ruby-identifier">public_key</span>) <span class="ruby-operator">=></span> <span class="ruby-keyword">true</span> <span class="ruby-operator">|</span> <span class="ruby-keyword">false</span> +</pre> + + <div class="method-source-code" id="compare-3F-source"> + <pre>static VALUE +ossl_pkey_compare(VALUE self, VALUE other) +{ + int ret; + EVP_PKEY *selfPKey; + EVP_PKEY *otherPKey; + + GetPKey(self, selfPKey); + GetPKey(other, otherPKey); + + /* Explicitly check the key type given EVP_PKEY_ASN1_METHOD(3) + * docs param_cmp could return any negative number. + */ + if (EVP_PKEY_id(selfPKey) != EVP_PKEY_id(otherPKey)) + ossl_raise(rb_eTypeError, "cannot match different PKey types"); + + ret = EVP_PKEY_eq(selfPKey, otherPKey); + + if (ret == 0) + return Qfalse; + else if (ret == 1) + return Qtrue; + else + ossl_raise(ePKeyError, "EVP_PKEY_eq"); +}</pre> + </div> + </div> + + + </div> + + <div id="method-i-decrypt" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + decrypt(data [, options]) → string + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Performs a public key decryption operation using <code>pkey</code>.</p> + +<p>See <a href="PKey.html#method-i-encrypt"><code>encrypt</code></a> for a description of the parameters and an example.</p> + +<p>Added in version 3.0. See also the man page EVP_PKEY_decrypt(3).</p> + + <div class="method-source-code" id="decrypt-source"> + <pre>static VALUE +ossl_pkey_decrypt(int argc, VALUE *argv, VALUE self) +{ + EVP_PKEY *pkey; + EVP_PKEY_CTX *ctx; + VALUE data, options, str; + size_t outlen; + int state; + + GetPKey(self, pkey); + rb_scan_args(argc, argv, "11", &data, &options); + StringValue(data); + + ctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL); + if (!ctx) + ossl_raise(ePKeyError, "EVP_PKEY_CTX_new"); + if (EVP_PKEY_decrypt_init(ctx) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_decrypt_init"); + } + if (!NIL_P(options)) { + pkey_ctx_apply_options(ctx, options, &state); + if (state) { + EVP_PKEY_CTX_free(ctx); + rb_jump_tag(state); + } + } + if (EVP_PKEY_decrypt(ctx, NULL, &outlen, + (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data)) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_decrypt"); + } + if (outlen > LONG_MAX) { + EVP_PKEY_CTX_free(ctx); + rb_raise(ePKeyError, "decrypted data would be too large"); + } + str = ossl_str_new(NULL, (long)outlen, &state); + if (state) { + EVP_PKEY_CTX_free(ctx); + rb_jump_tag(state); + } + if (EVP_PKEY_decrypt(ctx, (unsigned char *)RSTRING_PTR(str), &outlen, + (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data)) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_decrypt"); + } + EVP_PKEY_CTX_free(ctx); + rb_str_set_len(str, outlen); + return str; +}</pre> + </div> + </div> + + + </div> + + <div id="method-i-derive" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + derive(peer_pkey) → string + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Derives a shared secret from <em>pkey</em> and <em>peer_pkey</em>. <em>pkey</em> must contain the private components, <em>peer_pkey</em> must contain the public components.</p> + + <div class="method-source-code" id="derive-source"> + <pre>static VALUE +ossl_pkey_derive(int argc, VALUE *argv, VALUE self) +{ + EVP_PKEY *pkey, *peer_pkey; + EVP_PKEY_CTX *ctx; + VALUE peer_pkey_obj, str; + size_t keylen; + int state; + + GetPKey(self, pkey); + rb_scan_args(argc, argv, "1", &peer_pkey_obj); + GetPKey(peer_pkey_obj, peer_pkey); + + ctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL); + if (!ctx) + ossl_raise(ePKeyError, "EVP_PKEY_CTX_new"); + if (EVP_PKEY_derive_init(ctx) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_derive_init"); + } + if (EVP_PKEY_derive_set_peer(ctx, peer_pkey) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_derive_set_peer"); + } + if (EVP_PKEY_derive(ctx, NULL, &keylen) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_derive"); + } + if (keylen > LONG_MAX) + rb_raise(ePKeyError, "derived key would be too large"); + str = ossl_str_new(NULL, (long)keylen, &state); + if (state) { + EVP_PKEY_CTX_free(ctx); + rb_jump_tag(state); + } + if (EVP_PKEY_derive(ctx, (unsigned char *)RSTRING_PTR(str), &keylen) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_derive"); + } + EVP_PKEY_CTX_free(ctx); + rb_str_set_len(str, keylen); + return str; +}</pre> + </div> + </div> + + + </div> + + <div id="method-i-encrypt" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + encrypt(data [, options]) → string + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Performs a public key encryption operation using <code>pkey</code>.</p> + +<p>See <a href="PKey.html#method-i-decrypt"><code>decrypt</code></a> for the reverse operation.</p> + +<p>Added in version 3.0. See also the man page EVP_PKEY_encrypt(3).</p> +<dl class="rdoc-list note-list"><dt><code>data</code> +<dd> +<p>A String to be encrypted.</p> +</dd><dt><code>options</code> +<dd> +<p>A Hash that contains algorithm specific control operations to OpenSSL. See OpenSSL’s man page EVP_PKEY_CTX_ctrl_str(3) for details.</p> +</dd></dl> + +<p>Example:</p> + +<pre class="ruby"><span class="ruby-identifier">pkey</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_key</span>(<span class="ruby-string">"RSA"</span>, <span class="ruby-value">rsa_keygen_bits:</span> <span class="ruby-value">2048</span>) +<span class="ruby-identifier">data</span> = <span class="ruby-string">"secret data"</span> +<span class="ruby-identifier">encrypted</span> = <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">encrypt</span>(<span class="ruby-identifier">data</span>, <span class="ruby-value">rsa_padding_mode:</span> <span class="ruby-string">"oaep"</span>) +<span class="ruby-identifier">decrypted</span> = <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">decrypt</span>(<span class="ruby-identifier">data</span>, <span class="ruby-value">rsa_padding_mode:</span> <span class="ruby-string">"oaep"</span>) +<span class="ruby-identifier">p</span> <span class="ruby-identifier">decrypted</span> <span class="ruby-comment">#=> "secret data"</span> +</pre> + + <div class="method-source-code" id="encrypt-source"> + <pre>static VALUE +ossl_pkey_encrypt(int argc, VALUE *argv, VALUE self) +{ + EVP_PKEY *pkey; + EVP_PKEY_CTX *ctx; + VALUE data, options, str; + size_t outlen; + int state; + + GetPKey(self, pkey); + rb_scan_args(argc, argv, "11", &data, &options); + StringValue(data); + + ctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL); + if (!ctx) + ossl_raise(ePKeyError, "EVP_PKEY_CTX_new"); + if (EVP_PKEY_encrypt_init(ctx) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_encrypt_init"); + } + if (!NIL_P(options)) { + pkey_ctx_apply_options(ctx, options, &state); + if (state) { + EVP_PKEY_CTX_free(ctx); + rb_jump_tag(state); + } + } + if (EVP_PKEY_encrypt(ctx, NULL, &outlen, + (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data)) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_encrypt"); + } + if (outlen > LONG_MAX) { + EVP_PKEY_CTX_free(ctx); + rb_raise(ePKeyError, "encrypted data would be too large"); + } + str = ossl_str_new(NULL, (long)outlen, &state); + if (state) { + EVP_PKEY_CTX_free(ctx); + rb_jump_tag(state); + } + if (EVP_PKEY_encrypt(ctx, (unsigned char *)RSTRING_PTR(str), &outlen, + (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data)) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_encrypt"); + } + EVP_PKEY_CTX_free(ctx); + rb_str_set_len(str, outlen); + return str; +}</pre> + </div> + </div> + + + </div> + + <div id="method-i-initialize_copy" class="method-detail "> + <div class="method-heading"> + <span class="method-name">initialize_copy</span><span + class="method-args">(p1)</span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + + + <div class="method-source-code" id="initialize_copy-source"> + <pre>static VALUE +ossl_pkey_initialize_copy(VALUE self, VALUE other) +{ + EVP_PKEY *pkey, *pkey_other; + + TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey); + TypedData_Get_Struct(other, EVP_PKEY, &ossl_evp_pkey_type, pkey_other); + if (pkey) + rb_raise(rb_eTypeError, "pkey already initialized"); + if (pkey_other) { + pkey = EVP_PKEY_dup(pkey_other); + if (!pkey) + ossl_raise(ePKeyError, "EVP_PKEY_dup"); + RTYPEDDATA_DATA(self) = pkey; + } + return self; +}</pre> + </div> + </div> + + + </div> + <div id="method-i-inspect" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> @@ -278,7 +597,7 @@ ossl_pkey_private_to_pem(int argc, VALUE *argv, VALUE self) <pre>static VALUE ossl_pkey_public_to_der(VALUE self) { - return do_spki_export(self, 1); + return ossl_pkey_export_spki(self, 1); }</pre> </div> </div> @@ -301,7 +620,7 @@ ossl_pkey_public_to_der(VALUE self) <pre>static VALUE ossl_pkey_public_to_pem(VALUE self) { - return do_spki_export(self, 0); + return ossl_pkey_export_spki(self, 0); }</pre> </div> </div> @@ -312,56 +631,223 @@ ossl_pkey_public_to_pem(VALUE self) <div id="method-i-sign" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - sign(digest, data) → String + sign(digest, data [, options]) → string </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>To sign the String <em>data</em>, <em>digest</em>, an instance of <a href="../Digest.html"><code>OpenSSL::Digest</code></a>, must be provided. The return value is again a String containing the signature. A <a href="PKeyError.html"><code>PKeyError</code></a> is raised should errors occur. Any previous state of the <a href="../Digest.html"><code>Digest</code></a> instance is irrelevant to the signature outcome, the digest instance is reset to its initial state during the operation.</p> - -<h2 id="method-i-sign-label-Example">Example<span><a href="#method-i-sign-label-Example">¶</a> <a href="#top">↑</a></span></h2> - -<pre class="ruby"><span class="ruby-identifier">data</span> = <span class="ruby-string">'Sign me!'</span> -<span class="ruby-identifier">digest</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'SHA256'</span>) -<span class="ruby-identifier">pkey</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSA</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) -<span class="ruby-identifier">signature</span> = <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">sign</span>(<span class="ruby-identifier">digest</span>, <span class="ruby-identifier">data</span>) + <p>Hashes and signs the <code>data</code> using a message digest algorithm <code>digest</code> and a private key <code>pkey</code>.</p> + +<p>See <a href="PKey.html#method-i-verify"><code>verify</code></a> for the verification operation.</p> + +<p>See also the man page EVP_DigestSign(3).</p> +<dl class="rdoc-list note-list"><dt><code>digest</code> +<dd> +<p>A String that represents the message digest algorithm name, or <code>nil</code> if the <a href="PKey.html"><code>PKey</code></a> type requires no digest algorithm. For backwards compatibility, this can be an instance of <a href="../Digest.html"><code>OpenSSL::Digest</code></a>. Its state will not affect the signature.</p> +</dd><dt><code>data</code> +<dd> +<p>A String. The data to be hashed and signed.</p> +</dd><dt><code>options</code> +<dd> +<p>A Hash that contains algorithm specific control operations to OpenSSL. See OpenSSL’s man page EVP_PKEY_CTX_ctrl_str(3) for details. <code>options</code> parameter was added in version 3.0.</p> +</dd></dl> + +<p>Example:</p> + +<pre class="ruby"><span class="ruby-identifier">data</span> = <span class="ruby-string">"Sign me!"</span> +<span class="ruby-identifier">pkey</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_key</span>(<span class="ruby-string">"RSA"</span>, <span class="ruby-value">rsa_keygen_bits:</span> <span class="ruby-value">2048</span>) +<span class="ruby-identifier">signopts</span> = { <span class="ruby-value">rsa_padding_mode:</span> <span class="ruby-string">"pss"</span> } +<span class="ruby-identifier">signature</span> = <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">sign</span>(<span class="ruby-string">"SHA256"</span>, <span class="ruby-identifier">data</span>, <span class="ruby-identifier">signopts</span>) + +<span class="ruby-comment"># Creates a copy of the RSA key pkey, but without the private components</span> +<span class="ruby-identifier">pub_key</span> = <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">public_key</span> +<span class="ruby-identifier">puts</span> <span class="ruby-identifier">pub_key</span>.<span class="ruby-identifier">verify</span>(<span class="ruby-string">"SHA256"</span>, <span class="ruby-identifier">signature</span>, <span class="ruby-identifier">data</span>, <span class="ruby-identifier">signopts</span>) <span class="ruby-comment"># => true</span> </pre> <div class="method-source-code" id="sign-source"> <pre>static VALUE -ossl_pkey_sign(VALUE self, VALUE digest, VALUE data) +ossl_pkey_sign(int argc, VALUE *argv, VALUE self) { EVP_PKEY *pkey; - const EVP_MD *md; + VALUE digest, data, options, sig; + const EVP_MD *md = NULL; EVP_MD_CTX *ctx; - unsigned int buf_len; - VALUE str; - int result; + EVP_PKEY_CTX *pctx; + size_t siglen; + int state; pkey = GetPrivPKeyPtr(self); - md = ossl_evp_get_digestbyname(digest); + rb_scan_args(argc, argv, "21", &digest, &data, &options); + if (!NIL_P(digest)) + md = ossl_evp_get_digestbyname(digest); StringValue(data); - str = rb_str_new(0, EVP_PKEY_size(pkey)); ctx = EVP_MD_CTX_new(); if (!ctx) ossl_raise(ePKeyError, "EVP_MD_CTX_new"); - if (!EVP_SignInit_ex(ctx, md, NULL)) { + if (EVP_DigestSignInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) { + EVP_MD_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_DigestSignInit"); + } + if (!NIL_P(options)) { + pkey_ctx_apply_options(pctx, options, &state); + if (state) { + EVP_MD_CTX_free(ctx); + rb_jump_tag(state); + } + } +#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) + if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data)) < 1) { + EVP_MD_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_DigestSign"); + } + if (siglen > LONG_MAX) { + EVP_MD_CTX_free(ctx); + rb_raise(ePKeyError, "signature would be too large"); + } + sig = ossl_str_new(NULL, (long)siglen, &state); + if (state) { + EVP_MD_CTX_free(ctx); + rb_jump_tag(state); + } + if (EVP_DigestSign(ctx, (unsigned char *)RSTRING_PTR(sig), &siglen, + (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data)) < 1) { + EVP_MD_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_DigestSign"); + } +#else + if (EVP_DigestSignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) < 1) { EVP_MD_CTX_free(ctx); - ossl_raise(ePKeyError, "EVP_SignInit_ex"); + ossl_raise(ePKeyError, "EVP_DigestSignUpdate"); } - if (!EVP_SignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data))) { + if (EVP_DigestSignFinal(ctx, NULL, &siglen) < 1) { EVP_MD_CTX_free(ctx); - ossl_raise(ePKeyError, "EVP_SignUpdate"); + ossl_raise(ePKeyError, "EVP_DigestSignFinal"); } - result = EVP_SignFinal(ctx, (unsigned char *)RSTRING_PTR(str), &buf_len, pkey); + if (siglen > LONG_MAX) { + EVP_MD_CTX_free(ctx); + rb_raise(ePKeyError, "signature would be too large"); + } + sig = ossl_str_new(NULL, (long)siglen, &state); + if (state) { + EVP_MD_CTX_free(ctx); + rb_jump_tag(state); + } + if (EVP_DigestSignFinal(ctx, (unsigned char *)RSTRING_PTR(sig), + &siglen) < 1) { + EVP_MD_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_DigestSignFinal"); + } +#endif EVP_MD_CTX_free(ctx); - if (!result) - ossl_raise(ePKeyError, "EVP_SignFinal"); - rb_str_set_len(str, buf_len); + rb_str_set_len(sig, siglen); + return sig; +}</pre> + </div> + </div> - return str; + + </div> + + <div id="method-i-sign_raw" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + sign_raw(digest, data [, options]) → string + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Signs <code>data</code> using a private key <code>pkey</code>. Unlike <a href="PKey.html#method-i-sign"><code>sign</code></a>, <code>data</code> will not be hashed by <code>digest</code> automatically.</p> + +<p>See <a href="PKey.html#method-i-verify_raw"><code>verify_raw</code></a> for the verification operation.</p> + +<p>Added in version 3.0. See also the man page EVP_PKEY_sign(3).</p> +<dl class="rdoc-list note-list"><dt><code>digest</code> +<dd> +<p>A String that represents the message digest algorithm name, or <code>nil</code> if the <a href="PKey.html"><code>PKey</code></a> type requires no digest algorithm. Although this method will not hash <code>data</code> with it, this parameter may still be required depending on the signature algorithm.</p> +</dd><dt><code>data</code> +<dd> +<p>A String. The data to be signed.</p> +</dd><dt><code>options</code> +<dd> +<p>A Hash that contains algorithm specific control operations to OpenSSL. See OpenSSL’s man page EVP_PKEY_CTX_ctrl_str(3) for details.</p> +</dd></dl> + +<p>Example:</p> + +<pre class="ruby"><span class="ruby-identifier">data</span> = <span class="ruby-string">"Sign me!"</span> +<span class="ruby-identifier">hash</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">digest</span>(<span class="ruby-string">"SHA256"</span>, <span class="ruby-identifier">data</span>) +<span class="ruby-identifier">pkey</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_key</span>(<span class="ruby-string">"RSA"</span>, <span class="ruby-value">rsa_keygen_bits:</span> <span class="ruby-value">2048</span>) +<span class="ruby-identifier">signopts</span> = { <span class="ruby-value">rsa_padding_mode:</span> <span class="ruby-string">"pss"</span> } +<span class="ruby-identifier">signature</span> = <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">sign_raw</span>(<span class="ruby-string">"SHA256"</span>, <span class="ruby-identifier">hash</span>, <span class="ruby-identifier">signopts</span>) + +<span class="ruby-comment"># Creates a copy of the RSA key pkey, but without the private components</span> +<span class="ruby-identifier">pub_key</span> = <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">public_key</span> +<span class="ruby-identifier">puts</span> <span class="ruby-identifier">pub_key</span>.<span class="ruby-identifier">verify_raw</span>(<span class="ruby-string">"SHA256"</span>, <span class="ruby-identifier">signature</span>, <span class="ruby-identifier">hash</span>, <span class="ruby-identifier">signopts</span>) <span class="ruby-comment"># => true</span> +</pre> + + <div class="method-source-code" id="sign_raw-source"> + <pre>static VALUE +ossl_pkey_sign_raw(int argc, VALUE *argv, VALUE self) +{ + EVP_PKEY *pkey; + VALUE digest, data, options, sig; + const EVP_MD *md = NULL; + EVP_PKEY_CTX *ctx; + size_t outlen; + int state; + + GetPKey(self, pkey); + rb_scan_args(argc, argv, "21", &digest, &data, &options); + if (!NIL_P(digest)) + md = ossl_evp_get_digestbyname(digest); + StringValue(data); + + ctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL); + if (!ctx) + ossl_raise(ePKeyError, "EVP_PKEY_CTX_new"); + if (EVP_PKEY_sign_init(ctx) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_sign_init"); + } + if (md && EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_CTX_set_signature_md"); + } + if (!NIL_P(options)) { + pkey_ctx_apply_options(ctx, options, &state); + if (state) { + EVP_PKEY_CTX_free(ctx); + rb_jump_tag(state); + } + } + if (EVP_PKEY_sign(ctx, NULL, &outlen, (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data)) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_sign"); + } + if (outlen > LONG_MAX) { + EVP_PKEY_CTX_free(ctx); + rb_raise(ePKeyError, "signature would be too large"); + } + sig = ossl_str_new(NULL, (long)outlen, &state); + if (state) { + EVP_PKEY_CTX_free(ctx); + rb_jump_tag(state); + } + if (EVP_PKEY_sign(ctx, (unsigned char *)RSTRING_PTR(sig), &outlen, + (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data)) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_sign"); + } + EVP_PKEY_CTX_free(ctx); + rb_str_set_len(sig, outlen); + return sig; }</pre> </div> </div> @@ -369,65 +855,298 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data) </div> - <div id="method-i-verify" class="method-detail "> + <div id="method-i-to_text" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - verify(digest, signature, data) → String + to_text → string </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>To verify the String <em>signature</em>, <em>digest</em>, an instance of <a href="../Digest.html"><code>OpenSSL::Digest</code></a>, must be provided to re-compute the message digest of the original <em>data</em>, also a String. The return value is <code>true</code> if the signature is valid, <code>false</code> otherwise. A <a href="PKeyError.html"><code>PKeyError</code></a> is raised should errors occur. Any previous state of the <a href="../Digest.html"><code>Digest</code></a> instance is irrelevant to the validation outcome, the digest instance is reset to its initial state during the operation.</p> + <p>Dumps key parameters, public key, and private key components contained in the key into a human-readable text.</p> -<h2 id="method-i-verify-label-Example">Example<span><a href="#method-i-verify-label-Example">¶</a> <a href="#top">↑</a></span></h2> +<p>This is intended for debugging purpose.</p> -<pre class="ruby"><span class="ruby-identifier">data</span> = <span class="ruby-string">'Sign me!'</span> -<span class="ruby-identifier">digest</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'SHA256'</span>) -<span class="ruby-identifier">pkey</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSA</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) -<span class="ruby-identifier">signature</span> = <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">sign</span>(<span class="ruby-identifier">digest</span>, <span class="ruby-identifier">data</span>) -<span class="ruby-identifier">pub_key</span> = <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">public_key</span> -<span class="ruby-identifier">puts</span> <span class="ruby-identifier">pub_key</span>.<span class="ruby-identifier">verify</span>(<span class="ruby-identifier">digest</span>, <span class="ruby-identifier">signature</span>, <span class="ruby-identifier">data</span>) <span class="ruby-comment"># => true</span> -</pre> +<p>See also the man page EVP_PKEY_print_private(3).</p> + + <div class="method-source-code" id="to_text-source"> + <pre>static VALUE +ossl_pkey_to_text(VALUE self) +{ + EVP_PKEY *pkey; + BIO *bio; + + GetPKey(self, pkey); + if (!(bio = BIO_new(BIO_s_mem()))) + ossl_raise(ePKeyError, "BIO_new"); + + if (EVP_PKEY_print_private(bio, pkey, 0, NULL) == 1) + goto out; + OSSL_BIO_reset(bio); + if (EVP_PKEY_print_public(bio, pkey, 0, NULL) == 1) + goto out; + OSSL_BIO_reset(bio); + if (EVP_PKEY_print_params(bio, pkey, 0, NULL) == 1) + goto out; + + BIO_free(bio); + ossl_raise(ePKeyError, "EVP_PKEY_print_params"); + + out: + return ossl_membio2str(bio); +}</pre> + </div> + </div> + + + </div> + + <div id="method-i-verify" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + verify(digest, signature, data [, options]) → true or false + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Verifies the <code>signature</code> for the <code>data</code> using a message digest algorithm <code>digest</code> and a public key <code>pkey</code>.</p> + +<p>Returns <code>true</code> if the signature is successfully verified, <code>false</code> otherwise. The caller must check the return value.</p> + +<p>See <a href="PKey.html#method-i-sign"><code>sign</code></a> for the signing operation and an example.</p> + +<p>See also the man page EVP_DigestVerify(3).</p> +<dl class="rdoc-list note-list"><dt><code>digest</code> +<dd> +<p>See <a href="PKey.html#method-i-sign"><code>sign</code></a>.</p> +</dd><dt><code>signature</code> +<dd> +<p>A String containing the signature to be verified.</p> +</dd><dt><code>data</code> +<dd> +<p>See <a href="PKey.html#method-i-sign"><code>sign</code></a>.</p> +</dd><dt><code>options</code> +<dd> +<p>See <a href="PKey.html#method-i-sign"><code>sign</code></a>. <code>options</code> parameter was added in version 3.0.</p> +</dd></dl> <div class="method-source-code" id="verify-source"> <pre>static VALUE -ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data) +ossl_pkey_verify(int argc, VALUE *argv, VALUE self) { EVP_PKEY *pkey; - const EVP_MD *md; + VALUE digest, sig, data, options; + const EVP_MD *md = NULL; EVP_MD_CTX *ctx; - int siglen, result; + EVP_PKEY_CTX *pctx; + int state, ret; GetPKey(self, pkey); + rb_scan_args(argc, argv, "31", &digest, &sig, &data, &options); ossl_pkey_check_public_key(pkey); - md = ossl_evp_get_digestbyname(digest); + if (!NIL_P(digest)) + md = ossl_evp_get_digestbyname(digest); StringValue(sig); - siglen = RSTRING_LENINT(sig); StringValue(data); ctx = EVP_MD_CTX_new(); if (!ctx) ossl_raise(ePKeyError, "EVP_MD_CTX_new"); - if (!EVP_VerifyInit_ex(ctx, md, NULL)) { + if (EVP_DigestVerifyInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) { EVP_MD_CTX_free(ctx); - ossl_raise(ePKeyError, "EVP_VerifyInit_ex"); + ossl_raise(ePKeyError, "EVP_DigestVerifyInit"); + } + if (!NIL_P(options)) { + pkey_ctx_apply_options(pctx, options, &state); + if (state) { + EVP_MD_CTX_free(ctx); + rb_jump_tag(state); + } } - if (!EVP_VerifyUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data))) { +#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) + ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig), + RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data)); + EVP_MD_CTX_free(ctx); + if (ret < 0) + ossl_raise(ePKeyError, "EVP_DigestVerify"); +#else + if (EVP_DigestVerifyUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) < 1) { EVP_MD_CTX_free(ctx); - ossl_raise(ePKeyError, "EVP_VerifyUpdate"); + ossl_raise(ePKeyError, "EVP_DigestVerifyUpdate"); } - result = EVP_VerifyFinal(ctx, (unsigned char *)RSTRING_PTR(sig), siglen, pkey); + ret = EVP_DigestVerifyFinal(ctx, (unsigned char *)RSTRING_PTR(sig), + RSTRING_LEN(sig)); EVP_MD_CTX_free(ctx); - switch (result) { - case 0: + if (ret < 0) + ossl_raise(ePKeyError, "EVP_DigestVerifyFinal"); +#endif + if (ret) + return Qtrue; + else { ossl_clear_error(); return Qfalse; - case 1: + } +}</pre> + </div> + </div> + + + </div> + + <div id="method-i-verify_raw" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + verify_raw(digest, signature, data [, options]) → true or false + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Verifies the <code>signature</code> for the <code>data</code> using a public key <code>pkey</code>. Unlike <a href="PKey.html#method-i-verify"><code>verify</code></a>, this method will not hash <code>data</code> with <code>digest</code> automatically.</p> + +<p>Returns <code>true</code> if the signature is successfully verified, <code>false</code> otherwise. The caller must check the return value.</p> + +<p>See <a href="PKey.html#method-i-sign_raw"><code>sign_raw</code></a> for the signing operation and an example code.</p> + +<p>Added in version 3.0. See also the man page EVP_PKEY_verify(3).</p> +<dl class="rdoc-list note-list"><dt><code>signature</code> +<dd> +<p>A String containing the signature to be verified.</p> +</dd></dl> + + <div class="method-source-code" id="verify_raw-source"> + <pre>static VALUE +ossl_pkey_verify_raw(int argc, VALUE *argv, VALUE self) +{ + EVP_PKEY *pkey; + VALUE digest, sig, data, options; + const EVP_MD *md = NULL; + EVP_PKEY_CTX *ctx; + int state, ret; + + GetPKey(self, pkey); + rb_scan_args(argc, argv, "31", &digest, &sig, &data, &options); + ossl_pkey_check_public_key(pkey); + if (!NIL_P(digest)) + md = ossl_evp_get_digestbyname(digest); + StringValue(sig); + StringValue(data); + + ctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL); + if (!ctx) + ossl_raise(ePKeyError, "EVP_PKEY_CTX_new"); + if (EVP_PKEY_verify_init(ctx) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_verify_init"); + } + if (md && EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_CTX_set_signature_md"); + } + if (!NIL_P(options)) { + pkey_ctx_apply_options(ctx, options, &state); + if (state) { + EVP_PKEY_CTX_free(ctx); + rb_jump_tag(state); + } + } + ret = EVP_PKEY_verify(ctx, (unsigned char *)RSTRING_PTR(sig), + RSTRING_LEN(sig), + (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data)); + EVP_PKEY_CTX_free(ctx); + if (ret < 0) + ossl_raise(ePKeyError, "EVP_PKEY_verify"); + + if (ret) return Qtrue; - default: - ossl_raise(ePKeyError, "EVP_VerifyFinal"); + else { + ossl_clear_error(); + return Qfalse; + } +}</pre> + </div> + </div> + + + </div> + + <div id="method-i-verify_recover" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + verify_recover(digest, signature [, options]) → string + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Recovers the signed data from <code>signature</code> using a public key <code>pkey</code>. Not all signature algorithms support this operation.</p> + +<p>Added in version 3.0. See also the man page EVP_PKEY_verify_recover(3).</p> +<dl class="rdoc-list note-list"><dt><code>signature</code> +<dd> +<p>A String containing the signature to be verified.</p> +</dd></dl> + + <div class="method-source-code" id="verify_recover-source"> + <pre>static VALUE +ossl_pkey_verify_recover(int argc, VALUE *argv, VALUE self) +{ + EVP_PKEY *pkey; + VALUE digest, sig, options, out; + const EVP_MD *md = NULL; + EVP_PKEY_CTX *ctx; + int state; + size_t outlen; + + GetPKey(self, pkey); + rb_scan_args(argc, argv, "21", &digest, &sig, &options); + ossl_pkey_check_public_key(pkey); + if (!NIL_P(digest)) + md = ossl_evp_get_digestbyname(digest); + StringValue(sig); + + ctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL); + if (!ctx) + ossl_raise(ePKeyError, "EVP_PKEY_CTX_new"); + if (EVP_PKEY_verify_recover_init(ctx) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_verify_recover_init"); + } + if (md && EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_CTX_set_signature_md"); + } + if (!NIL_P(options)) { + pkey_ctx_apply_options(ctx, options, &state); + if (state) { + EVP_PKEY_CTX_free(ctx); + rb_jump_tag(state); + } + } + if (EVP_PKEY_verify_recover(ctx, NULL, &outlen, + (unsigned char *)RSTRING_PTR(sig), + RSTRING_LEN(sig)) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_verify_recover"); + } + out = ossl_str_new(NULL, (long)outlen, &state); + if (state) { + EVP_PKEY_CTX_free(ctx); + rb_jump_tag(state); + } + if (EVP_PKEY_verify_recover(ctx, (unsigned char *)RSTRING_PTR(out), &outlen, + (unsigned char *)RSTRING_PTR(sig), + RSTRING_LEN(sig)) <= 0) { + EVP_PKEY_CTX_free(ctx); + ossl_raise(ePKeyError, "EVP_PKEY_verify_recover"); } + EVP_PKEY_CTX_free(ctx); + rb_str_set_len(out, outlen); + return out; }</pre> </div> </div> diff --git a/OpenSSL/PKey/RSA.html b/OpenSSL/PKey/RSA.html index b9e47a43..9ef3024a 100644 --- a/OpenSSL/PKey/RSA.html +++ b/OpenSSL/PKey/RSA.html @@ -82,8 +82,6 @@ <ul class="link-list" role="directory"> <li ><a href="#method-c-generate">::generate</a> <li ><a href="#method-c-new">::new</a> - <li ><a href="#method-i-blinding_off-21">#blinding_off!</a> - <li ><a href="#method-i-blinding_on-21">#blinding_on!</a> <li ><a href="#method-i-export">#export</a> <li ><a href="#method-i-initialize_copy">#initialize_copy</a> <li ><a href="#method-i-params">#params</a> @@ -101,7 +99,6 @@ <li ><a href="#method-i-to_der">#to_der</a> <li ><a href="#method-i-to_pem">#to_pem</a> <li ><a href="#method-i-to_s">#to_s</a> - <li ><a href="#method-i-to_text">#to_text</a> <li ><a href="#method-i-verify_pss">#verify_pss</a> </ul> </div> @@ -123,6 +120,21 @@ <section id="5Buntitled-5D" class="documentation-section"> + <section class="constants-list"> + <header> + <h3>Constants</h3> + </header> + <dl> + <dt id="NO_PADDING">NO_PADDING + <dd> + <dt id="PKCS1_OAEP_PADDING">PKCS1_OAEP_PADDING + <dd> + <dt id="PKCS1_PADDING">PKCS1_PADDING + <dd> + <dt id="SSLV23_PADDING">SSLV23_PADDING + <dd> + </dl> + </section> @@ -134,40 +146,31 @@ <div id="method-c-generate" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - generate(size) → RSA instance + generate(size, exponent = 65537) → RSA </span> <span class="method-click-advice">click to toggle source</span> </div> - <div class="method-heading"> - <span class="method-callseq"> - generate(size, exponent) → RSA instance - </span> - </div> <div class="method-description"> - <p>Generates an <a href="RSA.html"><code>RSA</code></a> keypair. <em>size</em> is an integer representing the desired key size. Keys smaller than 1024 should be considered insecure. <em>exponent</em> is an odd number normally 3, 17, or 65537.</p> - - <div class="method-source-code" id="generate-source"> - <pre>static VALUE -ossl_rsa_s_generate(int argc, VALUE *argv, VALUE klass) -{ -/* why does this method exist? why can't initialize take an optional exponent? */ - RSA *rsa; - VALUE size, exp; - VALUE obj; - - rb_scan_args(argc, argv, "11", &size, &exp); + <p>Generates an RSA keypair.</p> - rsa = rsa_generate(NUM2INT(size), NIL_P(exp) ? RSA_F4 : NUM2ULONG(exp)); /* err handled by rsa_instance */ - obj = rsa_instance(klass, rsa); - - if (obj == Qfalse) { - RSA_free(rsa); - ossl_raise(eRSAError, NULL); - } +<p>See also <a href="../PKey.html#method-c-generate_key"><code>OpenSSL::PKey.generate_key</code></a>.</p> +<dl class="rdoc-list note-list"><dt><code>size</code> +<dd> +<p>The desired key size in bits.</p> +</dd><dt><code>exponent</code> +<dd> +<p>An odd <a href="../../Integer.html"><code>Integer</code></a>, normally 3, 17, or 65537.</p> +</dd></dl> - return obj; -}</pre> + <div class="method-source-code" id="generate-source"> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 335</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">generate</span>(<span class="ruby-identifier">size</span>, <span class="ruby-identifier">exp</span> = <span class="ruby-value">0x10001</span>, <span class="ruby-operator">&</span><span class="ruby-identifier">blk</span>) + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">generate_key</span>(<span class="ruby-string">"RSA"</span>, { + <span class="ruby-string">"rsa_keygen_bits"</span> <span class="ruby-operator">=></span> <span class="ruby-identifier">size</span>, + <span class="ruby-string">"rsa_keygen_pubexp"</span> <span class="ruby-operator">=></span> <span class="ruby-identifier">exp</span>, + }, <span class="ruby-operator">&</span><span class="ruby-identifier">blk</span>) +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -177,27 +180,36 @@ ossl_rsa_s_generate(int argc, VALUE *argv, VALUE klass) <div id="method-c-new" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - new(key_size) → RSA instance + new → rsa </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-heading"> <span class="method-callseq"> - new(encoded_key) → RSA instance + new(encoded_key [, passphrase]) → rsa </span> </div> <div class="method-heading"> <span class="method-callseq"> - new(encoded_key, pass_phrase) → RSA instance + new(encoded_key) { passphrase } → rsa + </span> + </div> + <div class="method-heading"> + <span class="method-callseq"> + new(size [, exponent]) → rsa </span> </div> <div class="method-description"> - <p>Generates or loads an <a href="RSA.html"><code>RSA</code></a> keypair. If an integer <em>key_size</em> is given it represents the desired key size. Keys less than 1024 bits should be considered insecure.</p> + <p>Generates or loads an RSA keypair.</p> + +<p>If called without arguments, creates a new instance with no key components set. They can be set individually by <a href="RSA.html#method-i-set_key"><code>set_key</code></a>, <a href="RSA.html#method-i-set_factors"><code>set_factors</code></a>, and <a href="RSA.html#method-i-set_crt_params"><code>set_crt_params</code></a>.</p> -<p>A key can instead be loaded from an <em>encoded_key</em> which must be PEM or DER encoded. A <em>pass_phrase</em> can be used to decrypt the key. If none is given <a href="../../OpenSSL.html"><code>OpenSSL</code></a> will prompt for the pass phrase.</p> +<p>If called with a String, tries to parse as DER or PEM encoding of an RSA key. Note that, if <em>passphrase</em> is not specified but the key is encrypted with a passphrase, OpenSSL will prompt for it. See also <a href="../PKey.html#method-c-read"><code>OpenSSL::PKey.read</code></a> which can parse keys of any kinds.</p> -<h1 id="method-c-new-label-Examples">Examples<span><a href="#method-c-new-label-Examples">¶</a> <a href="#top">↑</a></span></h1> +<p>If called with a number, generates a new key pair. This form works as an alias of <a href="RSA.html#method-c-generate"><code>RSA.generate</code></a>.</p> + +<p>Examples:</p> <pre class="ruby"><span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSA</span>.<span class="ruby-identifier">new</span> <span class="ruby-value">2048</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSA</span>.<span class="ruby-identifier">new</span> <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span> <span class="ruby-string">'rsa.pem'</span> @@ -210,52 +222,60 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self) { EVP_PKEY *pkey; RSA *rsa; - BIO *in; + BIO *in = NULL; VALUE arg, pass; + int type; - GetPKey(self, pkey); - if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) { + TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey); + if (pkey) + rb_raise(rb_eTypeError, "pkey already initialized"); + + /* The RSA.new(size, generator) form is handled by lib/openssl/pkey.rb */ + rb_scan_args(argc, argv, "02", &arg, &pass); + if (argc == 0) { rsa = RSA_new(); + if (!rsa) + ossl_raise(eRSAError, "RSA_new"); + goto legacy; } - else if (RB_INTEGER_TYPE_P(arg)) { - rsa = rsa_generate(NUM2INT(arg), NIL_P(pass) ? RSA_F4 : NUM2ULONG(pass)); - if (!rsa) ossl_raise(eRSAError, NULL); - } - else { - pass = ossl_pem_passwd_value(pass); - arg = ossl_to_der_if_possible(arg); - in = ossl_obj2bio(&arg); - rsa = PEM_read_bio_RSAPrivateKey(in, NULL, ossl_pem_passwd_cb, (void *)pass); - if (!rsa) { - OSSL_BIO_reset(in); - rsa = PEM_read_bio_RSA_PUBKEY(in, NULL, NULL, NULL); - } - if (!rsa) { - OSSL_BIO_reset(in); - rsa = d2i_RSAPrivateKey_bio(in, NULL); - } - if (!rsa) { - OSSL_BIO_reset(in); - rsa = d2i_RSA_PUBKEY_bio(in, NULL); - } - if (!rsa) { - OSSL_BIO_reset(in); - rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL); - } - if (!rsa) { - OSSL_BIO_reset(in); - rsa = d2i_RSAPublicKey_bio(in, NULL); - } - BIO_free(in); - if (!rsa) { - ossl_raise(eRSAError, "Neither PUB key nor PRIV key"); - } + + pass = ossl_pem_passwd_value(pass); + arg = ossl_to_der_if_possible(arg); + in = ossl_obj2bio(&arg); + + /* First try RSAPublicKey format */ + rsa = d2i_RSAPublicKey_bio(in, NULL); + if (rsa) + goto legacy; + OSSL_BIO_reset(in); + rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL); + if (rsa) + goto legacy; + OSSL_BIO_reset(in); + + /* Use the generic routine */ + pkey = ossl_pkey_read_generic(in, pass); + BIO_free(in); + if (!pkey) + ossl_raise(eRSAError, "Neither PUB key nor PRIV key"); + + type = EVP_PKEY_base_id(pkey); + if (type != EVP_PKEY_RSA) { + EVP_PKEY_free(pkey); + rb_raise(eRSAError, "incorrect pkey type: %s", OBJ_nid2sn(type)); } - if (!EVP_PKEY_assign_RSA(pkey, rsa)) { + RTYPEDDATA_DATA(self) = pkey; + return self; + + legacy: + BIO_free(in); + pkey = EVP_PKEY_new(); + if (!pkey || EVP_PKEY_assign_RSA(pkey, rsa) != 1) { + EVP_PKEY_free(pkey); RSA_free(rsa); - ossl_raise(eRSAError, NULL); + ossl_raise(eRSAError, "EVP_PKEY_assign_RSA"); } - + RTYPEDDATA_DATA(self) = pkey; return self; }</pre> </div> @@ -271,62 +291,6 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self) <h3>Public Instance Methods</h3> </header> - <div id="method-i-blinding_off-21" class="method-detail "> - <div class="method-heading"> - <span class="method-name">blinding_off!</span><span - class="method-args">()</span> - <span class="method-click-advice">click to toggle source</span> - </div> - - <div class="method-description"> - - - <div class="method-source-code" id="blinding_off-21-source"> - <pre>static VALUE -ossl_rsa_blinding_off(VALUE self) -{ - RSA *rsa; - - GetRSA(self, rsa); - RSA_blinding_off(rsa); - - return self; -}</pre> - </div> - </div> - - - </div> - - <div id="method-i-blinding_on-21" class="method-detail "> - <div class="method-heading"> - <span class="method-name">blinding_on!</span><span - class="method-args">()</span> - <span class="method-click-advice">click to toggle source</span> - </div> - - <div class="method-description"> - - - <div class="method-source-code" id="blinding_on-21-source"> - <pre>static VALUE -ossl_rsa_blinding_on(VALUE self) -{ - RSA *rsa; - - GetRSA(self, rsa); - - if (RSA_blinding_on(rsa, ossl_bn_ctx) != 1) { - ossl_raise(eRSAError, NULL); - } - return self; -}</pre> - </div> - </div> - - - </div> - <div id="method-i-export" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> @@ -342,41 +306,10 @@ ossl_rsa_blinding_on(VALUE self) <pre>static VALUE ossl_rsa_export(int argc, VALUE *argv, VALUE self) { - RSA *rsa; - const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp; - BIO *out; - const EVP_CIPHER *ciph = NULL; - VALUE cipher, pass, str; - - GetRSA(self, rsa); - - rb_scan_args(argc, argv, "02", &cipher, &pass); - - if (!NIL_P(cipher)) { - ciph = ossl_evp_get_cipherbyname(cipher); - pass = ossl_pem_passwd_value(pass); - } - if (!(out = BIO_new(BIO_s_mem()))) { - ossl_raise(eRSAError, NULL); - } - RSA_get0_key(rsa, &n, &e, &d); - RSA_get0_factors(rsa, &p, &q); - RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp); - if (n && e && d && p && q && dmp1 && dmq1 && iqmp) { - if (!PEM_write_bio_RSAPrivateKey(out, rsa, ciph, NULL, 0, - ossl_pem_passwd_cb, (void *)pass)) { - BIO_free(out); - ossl_raise(eRSAError, NULL); - } - } else { - if (!PEM_write_bio_RSA_PUBKEY(out, rsa)) { - BIO_free(out); - ossl_raise(eRSAError, NULL); - } - } - str = ossl_membio2str(out); - - return str; + if (can_export_rsaprivatekey(self)) + return ossl_pkey_export_traditional(argc, argv, self, 0); + else + return ossl_pkey_export_spki(self, 0); }</pre> </div> </div> @@ -404,16 +337,23 @@ ossl_rsa_initialize_copy(VALUE self, VALUE other) EVP_PKEY *pkey; RSA *rsa, *rsa_new; - GetPKey(self, pkey); - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE) - ossl_raise(eRSAError, "RSA already initialized"); + TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey); + if (pkey) + rb_raise(rb_eTypeError, "pkey already initialized"); GetRSA(other, rsa); - rsa_new = ASN1_dup((i2d_of_void *)i2d_RSAPrivateKey, (d2i_of_void *)d2i_RSAPrivateKey, (char *)rsa); + rsa_new = (RSA *)ASN1_dup((i2d_of_void *)i2d_RSAPrivateKey, + (d2i_of_void *)d2i_RSAPrivateKey, + (char *)rsa); if (!rsa_new) ossl_raise(eRSAError, "ASN1_dup"); - EVP_PKEY_assign_RSA(pkey, rsa_new); + pkey = EVP_PKEY_new(); + if (!pkey || EVP_PKEY_assign_RSA(pkey, rsa_new) != 1) { + RSA_free(rsa_new); + ossl_raise(eRSAError, "EVP_PKEY_assign_RSA"); + } + RTYPEDDATA_DATA(self) = pkey; return self; }</pre> @@ -510,34 +450,23 @@ ossl_rsa_is_private(VALUE self) </div> <div class="method-description"> - <p>Decrypt <em>string</em>, which has been encrypted with the public key, with the private key. <em>padding</em> defaults to PKCS1_PADDING.</p> + <p>Decrypt <code>string</code>, which has been encrypted with the public key, with the private key. <code>padding</code> defaults to <a href="RSA.html#PKCS1_PADDING"><code>PKCS1_PADDING</code></a>.</p> - <div class="method-source-code" id="private_decrypt-source"> - <pre>static VALUE -ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self) -{ - RSA *rsa; - const BIGNUM *rsa_n; - int buf_len, pad; - VALUE str, buffer, padding; +<p><strong>Deprecated in version 3.0</strong>. Consider using <a href="PKey.html#method-i-encrypt"><code>PKey::PKey#encrypt</code></a> and <a href="PKey.html#method-i-decrypt"><code>PKey::PKey#decrypt</code></a> instead.</p> - GetRSA(self, rsa); - RSA_get0_key(rsa, &rsa_n, NULL, NULL); - if (!rsa_n) - ossl_raise(eRSAError, "incomplete RSA"); - if (!RSA_PRIVATE(self, rsa)) - ossl_raise(eRSAError, "private key needed."); - rb_scan_args(argc, argv, "11", &buffer, &padding); - pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding); - StringValue(buffer); - str = rb_str_new(0, RSA_size(rsa)); - buf_len = RSA_private_decrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer), - (unsigned char *)RSTRING_PTR(str), rsa, pad); - if (buf_len < 0) ossl_raise(eRSAError, NULL); - rb_str_set_len(str, buf_len); - - return str; -}</pre> + <div class="method-source-code" id="private_decrypt-source"> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 427</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">private_decrypt</span>(<span class="ruby-identifier">data</span>, <span class="ruby-identifier">padding</span> = <span class="ruby-constant">PKCS1_PADDING</span>) + <span class="ruby-identifier">n</span> <span class="ruby-keyword">or</span> <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSAError</span>, <span class="ruby-string">"incomplete RSA"</span> + <span class="ruby-identifier">private?</span> <span class="ruby-keyword">or</span> <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSAError</span>, <span class="ruby-string">"private key needed."</span> + <span class="ruby-keyword">begin</span> + <span class="ruby-identifier">decrypt</span>(<span class="ruby-identifier">data</span>, { + <span class="ruby-string">"rsa_padding_mode"</span> <span class="ruby-operator">=></span> <span class="ruby-identifier">translate_padding_mode</span>(<span class="ruby-identifier">padding</span>), + }) + <span class="ruby-keyword">rescue</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">PKeyError</span> + <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSAError</span>, <span class="ruby-identifier">$!</span>.<span class="ruby-identifier">message</span> + <span class="ruby-keyword">end</span> +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -558,34 +487,23 @@ ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self) </div> <div class="method-description"> - <p>Encrypt <em>string</em> with the private key. <em>padding</em> defaults to PKCS1_PADDING. The encrypted string output can be decrypted using <a href="RSA.html#method-i-public_decrypt"><code>public_decrypt</code></a>.</p> + <p>Encrypt <code>string</code> with the private key. <code>padding</code> defaults to <a href="RSA.html#PKCS1_PADDING"><code>PKCS1_PADDING</code></a>. The encrypted string output can be decrypted using <a href="RSA.html#method-i-public_decrypt"><code>public_decrypt</code></a>.</p> - <div class="method-source-code" id="private_encrypt-source"> - <pre>static VALUE -ossl_rsa_private_encrypt(int argc, VALUE *argv, VALUE self) -{ - RSA *rsa; - const BIGNUM *rsa_n; - int buf_len, pad; - VALUE str, buffer, padding; +<p><strong>Deprecated in version 3.0</strong>. Consider using <a href="PKey.html#method-i-sign_raw"><code>PKey::PKey#sign_raw</code></a> and <a href="PKey.html#method-i-verify_raw"><code>PKey::PKey#verify_raw</code></a>, and <a href="PKey.html#method-i-verify_recover"><code>PKey::PKey#verify_recover</code></a> instead.</p> - GetRSA(self, rsa); - RSA_get0_key(rsa, &rsa_n, NULL, NULL); - if (!rsa_n) - ossl_raise(eRSAError, "incomplete RSA"); - if (!RSA_PRIVATE(self, rsa)) - ossl_raise(eRSAError, "private key needed."); - rb_scan_args(argc, argv, "11", &buffer, &padding); - pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding); - StringValue(buffer); - str = rb_str_new(0, RSA_size(rsa)); - buf_len = RSA_private_encrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer), - (unsigned char *)RSTRING_PTR(str), rsa, pad); - if (buf_len < 0) ossl_raise(eRSAError, NULL); - rb_str_set_len(str, buf_len); - - return str; -}</pre> + <div class="method-source-code" id="private_encrypt-source"> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 364</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">private_encrypt</span>(<span class="ruby-identifier">string</span>, <span class="ruby-identifier">padding</span> = <span class="ruby-constant">PKCS1_PADDING</span>) + <span class="ruby-identifier">n</span> <span class="ruby-keyword">or</span> <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSAError</span>, <span class="ruby-string">"incomplete RSA"</span> + <span class="ruby-identifier">private?</span> <span class="ruby-keyword">or</span> <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSAError</span>, <span class="ruby-string">"private key needed."</span> + <span class="ruby-keyword">begin</span> + <span class="ruby-identifier">sign_raw</span>(<span class="ruby-keyword">nil</span>, <span class="ruby-identifier">string</span>, { + <span class="ruby-string">"rsa_padding_mode"</span> <span class="ruby-operator">=></span> <span class="ruby-identifier">translate_padding_mode</span>(<span class="ruby-identifier">padding</span>), + }) + <span class="ruby-keyword">rescue</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">PKeyError</span> + <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSAError</span>, <span class="ruby-identifier">$!</span>.<span class="ruby-identifier">message</span> + <span class="ruby-keyword">end</span> +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -636,32 +554,22 @@ ossl_rsa_is_public(VALUE self) </div> <div class="method-description"> - <p>Decrypt <em>string</em>, which has been encrypted with the private key, with the public key. <em>padding</em> defaults to PKCS1_PADDING.</p> + <p>Decrypt <code>string</code>, which has been encrypted with the private key, with the public key. <code>padding</code> defaults to <a href="RSA.html#PKCS1_PADDING"><code>PKCS1_PADDING</code></a>.</p> - <div class="method-source-code" id="public_decrypt-source"> - <pre>static VALUE -ossl_rsa_public_decrypt(int argc, VALUE *argv, VALUE self) -{ - RSA *rsa; - const BIGNUM *rsa_n; - int buf_len, pad; - VALUE str, buffer, padding; +<p><strong>Deprecated in version 3.0</strong>. Consider using <a href="PKey.html#method-i-sign_raw"><code>PKey::PKey#sign_raw</code></a> and <a href="PKey.html#method-i-verify_raw"><code>PKey::PKey#verify_raw</code></a>, and <a href="PKey.html#method-i-verify_recover"><code>PKey::PKey#verify_recover</code></a> instead.</p> - GetRSA(self, rsa); - RSA_get0_key(rsa, &rsa_n, NULL, NULL); - if (!rsa_n) - ossl_raise(eRSAError, "incomplete RSA"); - rb_scan_args(argc, argv, "11", &buffer, &padding); - pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding); - StringValue(buffer); - str = rb_str_new(0, RSA_size(rsa)); - buf_len = RSA_public_decrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer), - (unsigned char *)RSTRING_PTR(str), rsa, pad); - if (buf_len < 0) ossl_raise(eRSAError, NULL); - rb_str_set_len(str, buf_len); - - return str; -}</pre> + <div class="method-source-code" id="public_decrypt-source"> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 386</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">public_decrypt</span>(<span class="ruby-identifier">string</span>, <span class="ruby-identifier">padding</span> = <span class="ruby-constant">PKCS1_PADDING</span>) + <span class="ruby-identifier">n</span> <span class="ruby-keyword">or</span> <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSAError</span>, <span class="ruby-string">"incomplete RSA"</span> + <span class="ruby-keyword">begin</span> + <span class="ruby-identifier">verify_recover</span>(<span class="ruby-keyword">nil</span>, <span class="ruby-identifier">string</span>, { + <span class="ruby-string">"rsa_padding_mode"</span> <span class="ruby-operator">=></span> <span class="ruby-identifier">translate_padding_mode</span>(<span class="ruby-identifier">padding</span>), + }) + <span class="ruby-keyword">rescue</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">PKeyError</span> + <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSAError</span>, <span class="ruby-identifier">$!</span>.<span class="ruby-identifier">message</span> + <span class="ruby-keyword">end</span> +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -682,32 +590,22 @@ ossl_rsa_public_decrypt(int argc, VALUE *argv, VALUE self) </div> <div class="method-description"> - <p>Encrypt <em>string</em> with the public key. <em>padding</em> defaults to PKCS1_PADDING. The encrypted string output can be decrypted using <a href="RSA.html#method-i-private_decrypt"><code>private_decrypt</code></a>.</p> + <p>Encrypt <code>string</code> with the public key. <code>padding</code> defaults to <a href="RSA.html#PKCS1_PADDING"><code>PKCS1_PADDING</code></a>. The encrypted string output can be decrypted using <a href="RSA.html#method-i-private_decrypt"><code>private_decrypt</code></a>.</p> - <div class="method-source-code" id="public_encrypt-source"> - <pre>static VALUE -ossl_rsa_public_encrypt(int argc, VALUE *argv, VALUE self) -{ - RSA *rsa; - const BIGNUM *rsa_n; - int buf_len, pad; - VALUE str, buffer, padding; +<p><strong>Deprecated in version 3.0</strong>. Consider using <a href="PKey.html#method-i-encrypt"><code>PKey::PKey#encrypt</code></a> and <a href="PKey.html#method-i-decrypt"><code>PKey::PKey#decrypt</code></a> instead.</p> - GetRSA(self, rsa); - RSA_get0_key(rsa, &rsa_n, NULL, NULL); - if (!rsa_n) - ossl_raise(eRSAError, "incomplete RSA"); - rb_scan_args(argc, argv, "11", &buffer, &padding); - pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding); - StringValue(buffer); - str = rb_str_new(0, RSA_size(rsa)); - buf_len = RSA_public_encrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer), - (unsigned char *)RSTRING_PTR(str), rsa, pad); - if (buf_len < 0) ossl_raise(eRSAError, NULL); - rb_str_set_len(str, buf_len); - - return str; -}</pre> + <div class="method-source-code" id="public_encrypt-source"> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 407</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">public_encrypt</span>(<span class="ruby-identifier">data</span>, <span class="ruby-identifier">padding</span> = <span class="ruby-constant">PKCS1_PADDING</span>) + <span class="ruby-identifier">n</span> <span class="ruby-keyword">or</span> <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSAError</span>, <span class="ruby-string">"incomplete RSA"</span> + <span class="ruby-keyword">begin</span> + <span class="ruby-identifier">encrypt</span>(<span class="ruby-identifier">data</span>, { + <span class="ruby-string">"rsa_padding_mode"</span> <span class="ruby-operator">=></span> <span class="ruby-identifier">translate_padding_mode</span>(<span class="ruby-identifier">padding</span>), + }) + <span class="ruby-keyword">rescue</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">PKeyError</span> + <span class="ruby-identifier">raise</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSAError</span>, <span class="ruby-identifier">$!</span>.<span class="ruby-identifier">message</span> + <span class="ruby-keyword">end</span> +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -717,32 +615,23 @@ ossl_rsa_public_encrypt(int argc, VALUE *argv, VALUE self) <div id="method-i-public_key" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - public_key → RSA + public_key → rsanew </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - <p>Makes new <a href="RSA.html"><code>RSA</code></a> instance containing the public key from the private key.</p> + <p>Returns a new <a href="RSA.html"><code>RSA</code></a> instance that carries just the public key components.</p> - <div class="method-source-code" id="public_key-source"> - <pre>static VALUE -ossl_rsa_to_public_key(VALUE self) -{ - EVP_PKEY *pkey; - RSA *rsa; - VALUE obj; +<p>This method is provided for backwards compatibility. In most cases, there is no need to call this method.</p> - GetPKeyRSA(self, pkey); - /* err check performed by rsa_instance */ - rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(pkey)); - obj = rsa_instance(rb_obj_class(self), rsa); - if (obj == Qfalse) { - RSA_free(rsa); - ossl_raise(eRSAError, NULL); - } - return obj; -}</pre> +<p>For the purpose of serializing the public key, to PEM or DER encoding of X.509 SubjectPublicKeyInfo format, check <a href="PKey.html#method-i-public_to_pem"><code>PKey#public_to_pem</code></a> and <a href="PKey.html#method-i-public_to_der"><code>PKey#public_to_der</code></a>.</p> + + <div class="method-source-code" id="public_key-source"> + <pre><span class="ruby-comment"># File lib/openssl/pkey.rb, line 319</span> +<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">public_key</span> + <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">read</span>(<span class="ruby-identifier">public_to_der</span>) +<span class="ruby-keyword">end</span></pre> </div> </div> @@ -829,7 +718,7 @@ ossl_rsa_to_public_key(VALUE self) <pre class="ruby"><span class="ruby-identifier">data</span> = <span class="ruby-string">"Sign me!"</span> <span class="ruby-identifier">pkey</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span><span class="ruby-operator">::</span><span class="ruby-constant">RSA</span>.<span class="ruby-identifier">new</span>(<span class="ruby-value">2048</span>) <span class="ruby-identifier">signature</span> = <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">sign_pss</span>(<span class="ruby-string">"SHA256"</span>, <span class="ruby-identifier">data</span>, <span class="ruby-value">salt_length:</span> <span class="ruby-value">:max</span>, <span class="ruby-value">mgf1_hash:</span> <span class="ruby-string">"SHA256"</span>) -<span class="ruby-identifier">pub_key</span> = <span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">public_key</span> +<span class="ruby-identifier">pub_key</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKey</span>.<span class="ruby-identifier">read</span>(<span class="ruby-identifier">pkey</span>.<span class="ruby-identifier">public_to_der</span>) <span class="ruby-identifier">puts</span> <span class="ruby-identifier">pub_key</span>.<span class="ruby-identifier">verify_pss</span>(<span class="ruby-string">"SHA256"</span>, <span class="ruby-identifier">signature</span>, <span class="ruby-identifier">data</span>, <span class="ruby-value">salt_length:</span> <span class="ruby-value">:auto</span>, <span class="ruby-value">mgf1_hash:</span> <span class="ruby-string">"SHA256"</span>) <span class="ruby-comment"># => true</span> </pre> @@ -919,30 +808,10 @@ ossl_rsa_sign_pss(int argc, VALUE *argv, VALUE self) <pre>static VALUE ossl_rsa_to_der(VALUE self) { - RSA *rsa; - const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp; - int (*i2d_func)(const RSA *, unsigned char **); - unsigned char *ptr; - long len; - VALUE str; - - GetRSA(self, rsa); - RSA_get0_key(rsa, &n, &e, &d); - RSA_get0_factors(rsa, &p, &q); - RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp); - if (n && e && d && p && q && dmp1 && dmq1 && iqmp) - i2d_func = i2d_RSAPrivateKey; + if (can_export_rsaprivatekey(self)) + return ossl_pkey_export_traditional(0, NULL, self, 1); else - i2d_func = (int (*)(const RSA *, unsigned char **))i2d_RSA_PUBKEY; - if((len = i2d_func(rsa, NULL)) <= 0) - ossl_raise(eRSAError, NULL); - str = rb_str_new(0, len); - ptr = (unsigned char *)RSTRING_PTR(str); - if(i2d_func(rsa, &ptr) < 0) - ossl_raise(eRSAError, NULL); - ossl_str_adjust(str, ptr); - - return str; + return ossl_pkey_export_spki(self, 1); }</pre> </div> </div> @@ -986,47 +855,6 @@ ossl_rsa_to_der(VALUE self) </div> </div> - <div id="method-i-to_text" class="method-detail "> - <div class="method-heading"> - <span class="method-callseq"> - to_text → String - </span> - <span class="method-click-advice">click to toggle source</span> - </div> - - <div class="method-description"> - <p>THIS METHOD IS INSECURE, PRIVATE INFORMATION CAN LEAK OUT!!!</p> - -<p>Dumps all parameters of a keypair to a String</p> - -<p>Don’t use :-)) (It’s up to you)</p> - - <div class="method-source-code" id="to_text-source"> - <pre>static VALUE -ossl_rsa_to_text(VALUE self) -{ - RSA *rsa; - BIO *out; - VALUE str; - - GetRSA(self, rsa); - if (!(out = BIO_new(BIO_s_mem()))) { - ossl_raise(eRSAError, NULL); - } - if (!RSA_print(out, rsa, 0)) { /* offset = 0 */ - BIO_free(out); - ossl_raise(eRSAError, NULL); - } - str = ossl_membio2str(out); - - return str; -}</pre> - </div> - </div> - - - </div> - <div id="method-i-verify_pss" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> diff --git a/OpenSSL/SSL.html b/OpenSSL/SSL.html index 0482e0ee..f33fccea 100644 --- a/OpenSSL/SSL.html +++ b/OpenSSL/SSL.html @@ -94,6 +94,8 @@ <dl> <dt id="OP_ALL">OP_ALL <dd> + <dt id="OP_ALLOW_CLIENT_RENEGOTIATION">OP_ALLOW_CLIENT_RENEGOTIATION + <dd> <dt id="OP_ALLOW_NO_DHE_KEX">OP_ALLOW_NO_DHE_KEX <dd> <dt id="OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION">OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION @@ -102,14 +104,24 @@ <dd> <dt id="OP_CISCO_ANYCONNECT">OP_CISCO_ANYCONNECT <dd> + <dt id="OP_CLEANSE_PLAINTEXT">OP_CLEANSE_PLAINTEXT + <dd> <dt id="OP_COOKIE_EXCHANGE">OP_COOKIE_EXCHANGE <dd> <dt id="OP_CRYPTOPRO_TLSEXT_BUG">OP_CRYPTOPRO_TLSEXT_BUG <dd> + <dt id="OP_DISABLE_TLSEXT_CA_NAMES">OP_DISABLE_TLSEXT_CA_NAMES + <dd> <dt id="OP_DONT_INSERT_EMPTY_FRAGMENTS">OP_DONT_INSERT_EMPTY_FRAGMENTS <dd> + <dt id="OP_ENABLE_KTLS">OP_ENABLE_KTLS + <dd> + <dt id="OP_ENABLE_MIDDLEBOX_COMPAT">OP_ENABLE_MIDDLEBOX_COMPAT + <dd> <dt id="OP_EPHEMERAL_RSA">OP_EPHEMERAL_RSA <dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.0.1k and 1.0.2.</p> + <dt id="OP_IGNORE_UNEXPECTED_EOF">OP_IGNORE_UNEXPECTED_EOF + <dd> <dt id="OP_LEGACY_SERVER_CONNECT">OP_LEGACY_SERVER_CONNECT <dd> <dt id="OP_MICROSOFT_BIG_SSLV3_BUFFER">OP_MICROSOFT_BIG_SSLV3_BUFFER @@ -126,6 +138,8 @@ <dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p> <dt id="OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG">OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG <dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 0.9.8q and 1.0.0c.</p> + <dt id="OP_NO_ANTI_REPLAY">OP_NO_ANTI_REPLAY + <dd> <dt id="OP_NO_COMPRESSION">OP_NO_COMPRESSION <dd> <dt id="OP_NO_ENCRYPT_THEN_MAC">OP_NO_ENCRYPT_THEN_MAC @@ -154,6 +168,8 @@ <dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.0.1.</p> <dt id="OP_PKCS1_CHECK_2">OP_PKCS1_CHECK_2 <dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.0.1.</p> + <dt id="OP_PRIORITIZE_CHACHA">OP_PRIORITIZE_CHACHA + <dd> <dt id="OP_SAFARI_ECDHE_ECDSA_BUG">OP_SAFARI_ECDHE_ECDSA_BUG <dd> <dt id="OP_SINGLE_DH_USE">OP_SINGLE_DH_USE @@ -213,7 +229,7 @@ <div class="method-source-code" id="verify_certificate_identity-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 269</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 273</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">verify_certificate_identity</span>(<span class="ruby-identifier">cert</span>, <span class="ruby-identifier">hostname</span>) <span class="ruby-identifier">should_verify_common_name</span> = <span class="ruby-keyword">true</span> <span class="ruby-identifier">cert</span>.<span class="ruby-identifier">extensions</span>.<span class="ruby-identifier">each</span>{<span class="ruby-operator">|</span><span class="ruby-identifier">ext</span><span class="ruby-operator">|</span> diff --git a/OpenSSL/SSL/SSLContext.html b/OpenSSL/SSL/SSLContext.html index c80edeca..255b65f1 100644 --- a/OpenSSL/SSL/SSLContext.html +++ b/OpenSSL/SSL/SSLContext.html @@ -96,6 +96,7 @@ <li ><a href="#method-i-set_params">#set_params</a> <li ><a href="#method-i-setup">#setup</a> <li ><a href="#method-i-ssl_version-3D">#ssl_version=</a> + <li ><a href="#method-i-tmp_dh-3D">#tmp_dh=</a> </ul> </div> @@ -417,25 +418,13 @@ </div> <div class="method-description"> - <p>A callback invoked when DH parameters are required.</p> + <p>A callback invoked when DH parameters are required for ephemeral DH key exchange.</p> -<p>The callback is invoked with the <a href="Session.html"><code>Session</code></a> for the key exchange, an flag indicating the use of an export cipher and the keylength required.</p> +<p>The callback is invoked with the <a href="SSLSocket.html"><code>SSLSocket</code></a>, a flag indicating the use of an export cipher and the keylength required.</p> <p>The callback must return an <a href="../PKey/DH.html"><code>OpenSSL::PKey::DH</code></a> instance of the correct key length.</p> - </div> - </div> - <div id="attribute-i-tmp_ecdh_callback" class="method-detail"> - <div class="method-heading attribute-method-heading"> - <span class="method-name">tmp_ecdh_callback</span><span - class="attribute-access-type">[RW]</span> - </div> - - <div class="method-description"> - <p>A callback invoked when ECDH parameters are required.</p> - -<p>The callback is invoked with the <a href="Session.html"><code>Session</code></a> for the key exchange, an flag indicating the use of an export cipher and the keylength required.</p> -<p>The callback is deprecated. This does not work with recent versions of <a href="../../OpenSSL.html"><code>OpenSSL</code></a>. Use <a href="SSLContext.html#method-i-ecdh_curves-3D"><code>OpenSSL::SSL::SSLContext#ecdh_curves=</code></a> instead.</p> +<p><strong>Deprecated in version 3.0.</strong> Use <a href="SSLContext.html#method-i-tmp_dh-3D"><code>tmp_dh=</code></a> instead.</p> </div> </div> <div id="attribute-i-verify_callback" class="method-detail"> @@ -522,10 +511,12 @@ <p>If an argument is given, <a href="SSLContext.html#method-i-ssl_version-3D"><code>ssl_version=</code></a> is called with the value. Note that this form is deprecated. New applications should use <a href="SSLContext.html#method-i-min_version-3D"><code>min_version=</code></a> and <a href="SSLContext.html#method-i-max_version-3D"><code>max_version=</code></a> as necessary.</p> <div class="method-source-code" id="new-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 122</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 124</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">initialize</span>(<span class="ruby-identifier">version</span> = <span class="ruby-keyword">nil</span>) <span class="ruby-keyword">self</span>.<span class="ruby-identifier">options</span> <span class="ruby-operator">|=</span> <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">SSL</span><span class="ruby-operator">::</span><span class="ruby-constant">OP_ALL</span> <span class="ruby-keyword">self</span>.<span class="ruby-identifier">ssl_version</span> = <span class="ruby-identifier">version</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">version</span> + <span class="ruby-keyword">self</span>.<span class="ruby-identifier">verify_mode</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">SSL</span><span class="ruby-operator">::</span><span class="ruby-constant">VERIFY_NONE</span> + <span class="ruby-keyword">self</span>.<span class="ruby-identifier">verify_hostname</span> = <span class="ruby-keyword">false</span> <span class="ruby-keyword">end</span></pre> </div> </div> @@ -543,7 +534,7 @@ <div id="method-i-add_certificate" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - add_certificate(certiticate, pkey [, extra_certs]) → self + add_certificate(certificate, pkey [, extra_certs]) → self </span> <span class="method-click-advice">click to toggle source</span> </div> @@ -579,10 +570,6 @@ ecdsa_pkey = ... another_ca_cert = ... ctx.add_certificate(ecdsa_cert, ecdsa_pkey, [another_ca_cert])</pre> -<h3 id="method-i-add_certificate-label-Note">Note<span><a href="#method-i-add_certificate-label-Note">¶</a> <a href="#top">↑</a></span></h3> - -<p><a href="../../OpenSSL.html"><code>OpenSSL</code></a> before the version 1.0.2 could handle only one extra chain across all key types. Calling this method discards the chain set previously.</p> - <div class="method-source-code" id="add_certificate-source"> <pre>static VALUE ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self) @@ -607,7 +594,7 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self) EVP_PKEY_free(pub_pkey); if (!pub_pkey) rb_raise(rb_eArgError, "certificate does not contain public key"); - if (EVP_PKEY_cmp(pub_pkey, pkey) != 1) + if (EVP_PKEY_eq(pub_pkey, pkey) != 1) rb_raise(rb_eArgError, "public key mismatch"); if (argc >= 3) @@ -621,34 +608,9 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self) sk_X509_pop_free(extra_chain, X509_free); ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey"); } - - if (extra_chain) { -#if OPENSSL_VERSION_NUMBER >= 0x10002000 && !defined(LIBRESSL_VERSION_NUMBER) - if (!SSL_CTX_set0_chain(ctx, extra_chain)) { - sk_X509_pop_free(extra_chain, X509_free); - ossl_raise(eSSLError, "SSL_CTX_set0_chain"); - } -#else - STACK_OF(X509) *orig_extra_chain; - X509 *x509_tmp; - - /* First, clear the existing chain */ - SSL_CTX_get_extra_chain_certs(ctx, &orig_extra_chain); - if (orig_extra_chain && sk_X509_num(orig_extra_chain)) { - rb_warning("SSL_CTX_set0_chain() is not available; " \ - "clearing previously set certificate chain"); - SSL_CTX_clear_extra_chain_certs(ctx); - } - while ((x509_tmp = sk_X509_shift(extra_chain))) { - /* Transfers ownership */ - if (!SSL_CTX_add_extra_chain_cert(ctx, x509_tmp)) { - X509_free(x509_tmp); - sk_X509_pop_free(extra_chain, X509_free); - ossl_raise(eSSLError, "SSL_CTX_add_extra_chain_cert"); - } - } - sk_X509_free(extra_chain); -#endif + if (extra_chain && !SSL_CTX_set0_chain(ctx, extra_chain)) { + sk_X509_pop_free(extra_chain, X509_free); + ossl_raise(eSSLError, "SSL_CTX_set0_chain"); } return self; }</pre> @@ -770,8 +732,6 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v) <p>For a TLS client, the list is directly used in the Supported Elliptic Curves Extension. For a server, the list is used by <a href="../../OpenSSL.html"><code>OpenSSL</code></a> to determine the set of shared curves. <a href="../../OpenSSL.html"><code>OpenSSL</code></a> will pick the most appropriate one from it.</p> -<p>Note that this works differently with old <a href="../../OpenSSL.html"><code>OpenSSL</code></a> (<= 1.0.1). Only one curve can be set, and this has no effect for TLS clients.</p> - <h3 id="method-i-ecdh_curves-3D-label-Example">Example<span><a href="#method-i-ecdh_curves-3D-label-Example">¶</a> <a href="#top">↑</a></span></h3> <pre class="ruby"><span class="ruby-identifier">ctx1</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">SSL</span><span class="ruby-operator">::</span><span class="ruby-constant">SSLContext</span>.<span class="ruby-identifier">new</span> @@ -798,48 +758,8 @@ ossl_sslctx_set_ecdh_curves(VALUE self, VALUE arg) GetSSLCTX(self, ctx); StringValueCStr(arg); -#if defined(HAVE_SSL_CTX_SET1_CURVES_LIST) if (!SSL_CTX_set1_curves_list(ctx, RSTRING_PTR(arg))) ossl_raise(eSSLError, NULL); -#else - /* OpenSSL does not have SSL_CTX_set1_curves_list()... Fallback to - * SSL_CTX_set_tmp_ecdh(). So only the first curve is used. */ - { - VALUE curve, splitted; - EC_KEY *ec; - int nid; - - splitted = rb_str_split(arg, ":"); - if (!RARRAY_LEN(splitted)) - ossl_raise(eSSLError, "invalid input format"); - curve = RARRAY_AREF(splitted, 0); - StringValueCStr(curve); - - /* SSL_CTX_set1_curves_list() accepts NIST names */ - nid = EC_curve_nist2nid(RSTRING_PTR(curve)); - if (nid == NID_undef) - nid = OBJ_txt2nid(RSTRING_PTR(curve)); - if (nid == NID_undef) - ossl_raise(eSSLError, "unknown curve name"); - - ec = EC_KEY_new_by_curve_name(nid); - if (!ec) - ossl_raise(eSSLError, NULL); - EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE); - if (!SSL_CTX_set_tmp_ecdh(ctx, ec)) { - EC_KEY_free(ec); - ossl_raise(eSSLError, "SSL_CTX_set_tmp_ecdh"); - } - EC_KEY_free(ec); -# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO) - /* tmp_ecdh and ecdh_auto conflict. tmp_ecdh is ignored when ecdh_auto - * is enabled. So disable ecdh_auto. */ - if (!SSL_CTX_set_ecdh_auto(ctx, 0)) - ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto"); -# endif - } -#endif - return arg; }</pre> </div> @@ -956,7 +876,7 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self) <p>Sets the upper bound of the supported SSL/TLS protocol version. See <a href="SSLContext.html#method-i-min_version-3D"><code>min_version=</code></a> for the possible values.</p> <div class="method-source-code" id="max_version-3D-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 183</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 187</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">max_version=</span>(<span class="ruby-identifier">version</span>) <span class="ruby-identifier">set_minmax_proto_version</span>(<span class="ruby-ivar">@min_proto_version</span> <span class="ruby-operator">||=</span> <span class="ruby-keyword">nil</span>, <span class="ruby-identifier">version</span>) <span class="ruby-ivar">@max_proto_version</span> = <span class="ruby-identifier">version</span> @@ -1001,7 +921,7 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self) </pre> <div class="method-source-code" id="min_version-3D-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 171</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 175</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">min_version=</span>(<span class="ruby-identifier">version</span>) <span class="ruby-identifier">set_minmax_proto_version</span>(<span class="ruby-identifier">version</span>, <span class="ruby-ivar">@max_proto_version</span> <span class="ruby-operator">||=</span> <span class="ruby-keyword">nil</span>) <span class="ruby-ivar">@min_proto_version</span> = <span class="ruby-identifier">version</span> @@ -1417,7 +1337,7 @@ ossl_sslctx_session_remove(VALUE self, VALUE arg) <p>If the <a href="SSLContext.html#attribute-i-verify_mode"><code>verify_mode</code></a> is not VERIFY_NONE and <a href="SSLContext.html#attribute-i-ca_file"><code>ca_file</code></a>, <a href="SSLContext.html#attribute-i-ca_path"><code>ca_path</code></a> and <a href="SSLContext.html#attribute-i-cert_store"><code>cert_store</code></a> are not set then the system default certificate store is used.</p> <div class="method-source-code" id="set_params-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 139</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 143</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">set_params</span>(<span class="ruby-identifier">params</span>={}) <span class="ruby-identifier">params</span> = <span class="ruby-constant">DEFAULT_PARAMS</span>.<span class="ruby-identifier">merge</span>(<span class="ruby-identifier">params</span>) <span class="ruby-keyword">self</span>.<span class="ruby-identifier">options</span> = <span class="ruby-identifier">params</span>.<span class="ruby-identifier">delete</span>(<span class="ruby-value">:options</span>) <span class="ruby-comment"># set before min_version/max_version</span> @@ -1470,26 +1390,6 @@ ossl_sslctx_setup(VALUE self) SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback); #endif -#if !defined(OPENSSL_NO_EC) - /* We added SSLContext#tmp_ecdh_callback= in Ruby 2.3.0, - * but SSL_CTX_set_tmp_ecdh_callback() was removed in OpenSSL 1.1.0. */ - if (RTEST(rb_attr_get(self, id_i_tmp_ecdh_callback))) { -# if defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK) - rb_warn("#tmp_ecdh_callback= is deprecated; use #ecdh_curves= instead"); - SSL_CTX_set_tmp_ecdh_callback(ctx, ossl_tmp_ecdh_callback); -# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO) - /* tmp_ecdh_callback and ecdh_auto conflict; OpenSSL ignores - * tmp_ecdh_callback. So disable ecdh_auto. */ - if (!SSL_CTX_set_ecdh_auto(ctx, 0)) - ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto"); -# endif -# else - ossl_raise(eSSLError, "OpenSSL does not support tmp_ecdh_callback; " - "use #ecdh_curves= instead"); -# endif - } -#endif /* OPENSSL_NO_EC */ - #ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH SSL_CTX_set_post_handshake_auth(ctx, 1); #endif @@ -1498,17 +1398,7 @@ ossl_sslctx_setup(VALUE self) if (!NIL_P(val)) { X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */ SSL_CTX_set_cert_store(ctx, store); -#if !defined(HAVE_X509_STORE_UP_REF) - /* - * WORKAROUND: - * X509_STORE can count references, but - * X509_STORE_free() doesn't care it. - * So we won't increment it but mark it by ex_data. - */ - SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_store_p, ctx); -#else /* Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2) */ X509_STORE_up_ref(store); -#endif } val = rb_attr_get(self, id_i_extra_chain_cert); @@ -1559,10 +1449,17 @@ ossl_sslctx_setup(VALUE self) ca_file = NIL_P(val) ? NULL : StringValueCStr(val); val = rb_attr_get(self, id_i_ca_path); ca_path = NIL_P(val) ? NULL : StringValueCStr(val); +#ifdef HAVE_SSL_CTX_LOAD_VERIFY_FILE + if (ca_file && !SSL_CTX_load_verify_file(ctx, ca_file)) + ossl_raise(eSSLError, "SSL_CTX_load_verify_file"); + if (ca_path && !SSL_CTX_load_verify_dir(ctx, ca_path)) + ossl_raise(eSSLError, "SSL_CTX_load_verify_dir"); +#else if(ca_file || ca_path){ if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path)) rb_warning("can't set verify locations"); } +#endif val = rb_attr_get(self, id_i_verify_mode); verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val); @@ -1590,7 +1487,6 @@ ossl_sslctx_setup(VALUE self) } #endif -#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB val = rb_attr_get(self, id_i_alpn_protocols); if (!NIL_P(val)) { VALUE rprotos = ssl_encode_npn_protocols(val); @@ -1605,7 +1501,6 @@ ossl_sslctx_setup(VALUE self) SSL_CTX_set_alpn_select_cb(ctx, ssl_alpn_select_cb, (void *) self); OSSL_Debug("SSL ALPN select callback added"); } -#endif rb_obj_freeze(self); @@ -1669,7 +1564,7 @@ ossl_sslctx_setup(VALUE self) <p>As the name hints, this used to call the SSL_CTX_set_ssl_version() function which sets the <a href="../SSL.html"><code>SSL</code></a> method used for connections created from the context. As of Ruby/OpenSSL 2.1, this accessor method is implemented to call <a href="SSLContext.html#method-i-min_version-3D"><code>min_version=</code></a> and <a href="SSLContext.html#method-i-max_version-3D"><code>max_version=</code></a> instead.</p> <div class="method-source-code" id="ssl_version-3D-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 202</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 206</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">ssl_version=</span>(<span class="ruby-identifier">meth</span>) <span class="ruby-identifier">meth</span> = <span class="ruby-identifier">meth</span>.<span class="ruby-identifier">to_s</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">meth</span>.<span class="ruby-identifier">is_a?</span>(<span class="ruby-constant">Symbol</span>) <span class="ruby-keyword">if</span> <span class="ruby-regexp">/(?<type>_client|_server)\z/</span> <span class="ruby-operator">=~</span> <span class="ruby-identifier">meth</span> @@ -1689,6 +1584,60 @@ ossl_sslctx_setup(VALUE self) </div> + <div id="method-i-tmp_dh-3D" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + tmp_dh = pkey + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + <p>Sets DH parameters used for ephemeral DH key exchange. This is relevant for servers only.</p> + +<p><code>pkey</code> is an instance of <a href="../PKey/DH.html"><code>OpenSSL::PKey::DH</code></a>. Note that key components contained in the key object, if any, are ignored. The server will always generate a new key pair for each handshake.</p> + +<p>Added in version 3.0. See also the man page SSL_set0_tmp_dh_pkey(3).</p> + +<p>Example:</p> + +<pre class="ruby"><span class="ruby-identifier">ctx</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">SSL</span><span class="ruby-operator">::</span><span class="ruby-constant">SSLContext</span>.<span class="ruby-identifier">new</span> +<span class="ruby-identifier">ctx</span>.<span class="ruby-identifier">tmp_dh</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">DH</span>.<span class="ruby-identifier">generate</span>(<span class="ruby-value">2048</span>) +<span class="ruby-identifier">svr</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">SSL</span><span class="ruby-operator">::</span><span class="ruby-constant">SSLServer</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">tcp_svr</span>, <span class="ruby-identifier">ctx</span>) +<span class="ruby-constant">Thread</span>.<span class="ruby-identifier">new</span> { <span class="ruby-identifier">svr</span>.<span class="ruby-identifier">accept</span> } +</pre> + + <div class="method-source-code" id="tmp_dh-3D-source"> + <pre>static VALUE +ossl_sslctx_set_tmp_dh(VALUE self, VALUE arg) +{ + SSL_CTX *ctx; + EVP_PKEY *pkey; + + rb_check_frozen(self); + GetSSLCTX(self, ctx); + pkey = GetPKeyPtr(arg); + + if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) + rb_raise(eSSLError, "invalid pkey type %s (expected DH)", + OBJ_nid2sn(EVP_PKEY_base_id(pkey))); +#ifdef HAVE_SSL_SET0_TMP_DH_PKEY + if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkey)) + ossl_raise(eSSLError, "SSL_CTX_set0_tmp_dh_pkey"); + EVP_PKEY_up_ref(pkey); +#else + if (!SSL_CTX_set_tmp_dh(ctx, EVP_PKEY_get0_DH(pkey))) + ossl_raise(eSSLError, "SSL_CTX_set_tmp_dh"); +#endif + + return arg; +}</pre> + </div> + </div> + + + </div> + </section> </section> diff --git a/OpenSSL/SSL/SSLSocket.html b/OpenSSL/SSL/SSLSocket.html index 99610994..2f297e4f 100644 --- a/OpenSSL/SSL/SSLSocket.html +++ b/OpenSSL/SSL/SSLSocket.html @@ -233,6 +233,7 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self) if (rb_respond_to(io, rb_intern("nonblock="))) rb_funcall(io, rb_intern("nonblock="), 1, Qtrue); + Check_Type(io, T_FILE); rb_ivar_set(self, id_i_io, io); ssl = SSL_new(ctx); @@ -271,7 +272,7 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self) </div> <div class="method-description"> - <p>Waits for a SSL/TLS client to initiate a handshake. The handshake may be started after unencrypted data has been sent over the socket.</p> + <p>Waits for a SSL/TLS client to initiate a handshake.</p> <div class="method-source-code" id="accept-source"> <pre>static VALUE @@ -467,7 +468,7 @@ ossl_ssl_get_client_ca_list(VALUE self) </div> <div class="method-description"> - <p>Initiates an SSL/TLS handshake with a server. The handshake may be started after unencrypted data has been sent over the socket.</p> + <p>Initiates an SSL/TLS handshake with a server.</p> <div class="method-source-code" id="connect-source"> <pre>static VALUE @@ -783,7 +784,7 @@ ossl_ssl_pending(VALUE self) <p>This method MUST be called after calling <a href="SSLSocket.html#method-i-connect"><code>connect</code></a> to ensure that the hostname of a remote peer has been verified.</p> <div class="method-source-code" id="post_connection_check-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 390</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 394</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">post_connection_check</span>(<span class="ruby-identifier">hostname</span>) <span class="ruby-keyword">if</span> <span class="ruby-identifier">peer_cert</span>.<span class="ruby-identifier">nil?</span> <span class="ruby-identifier">msg</span> = <span class="ruby-string">"Peer verification enabled, but no certificate received."</span> @@ -817,7 +818,7 @@ ossl_ssl_pending(VALUE self) <p>Returns the SSLSession object currently used, or nil if the session is not established.</p> <div class="method-source-code" id="session-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 411</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 415</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">session</span> <span class="ruby-constant">SSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Session</span>.<span class="ruby-identifier">new</span>(<span class="ruby-keyword">self</span>) <span class="ruby-keyword">rescue</span> <span class="ruby-constant">SSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Session</span><span class="ruby-operator">::</span><span class="ruby-constant">SessionError</span> @@ -962,7 +963,7 @@ ossl_ssl_get_state(VALUE self) <p>If <a href="SSLSocket.html#attribute-i-sync_close"><code>sync_close</code></a> is set to <code>true</code>, the underlying <a href="../../IO.html"><code>IO</code></a> is also closed.</p> <div class="method-source-code" id="sysclose-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 377</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 381</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">sysclose</span> <span class="ruby-keyword">return</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">closed?</span> <span class="ruby-identifier">stop</span> diff --git a/OpenSSL/SSL/Session.html b/OpenSSL/SSL/Session.html index b593fe5b..c4770f1d 100644 --- a/OpenSSL/SSL/Session.html +++ b/OpenSSL/SSL/Session.html @@ -126,43 +126,38 @@ <p>Creates a new <a href="Session.html"><code>Session</code></a> object from an instance of <a href="SSLSocket.html"><code>SSLSocket</code></a> or DER/PEM encoded String.</p> <div class="method-source-code" id="new-source"> - <pre>static VALUE ossl_ssl_session_initialize(VALUE self, VALUE arg1) + <pre>static VALUE +ossl_ssl_session_initialize(VALUE self, VALUE arg1) { - SSL_SESSION *ctx = NULL; - - if (RDATA(self)->data) - ossl_raise(eSSLSession, "SSL Session already initialized"); - - if (rb_obj_is_instance_of(arg1, cSSLSocket)) { - SSL *ssl; - - GetSSL(arg1, ssl); + SSL_SESSION *ctx; - if ((ctx = SSL_get1_session(ssl)) == NULL) - ossl_raise(eSSLSession, "no session available"); - } else { - BIO *in = ossl_obj2bio(&arg1); + if (RTYPEDDATA_DATA(self)) + ossl_raise(eSSLSession, "SSL Session already initialized"); - ctx = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL); + if (rb_obj_is_instance_of(arg1, cSSLSocket)) { + SSL *ssl; - if (!ctx) { - OSSL_BIO_reset(in); - ctx = d2i_SSL_SESSION_bio(in, NULL); - } + GetSSL(arg1, ssl); - BIO_free(in); + if ((ctx = SSL_get1_session(ssl)) == NULL) + ossl_raise(eSSLSession, "no session available"); + } + else { + BIO *in = ossl_obj2bio(&arg1); - if (!ctx) - ossl_raise(rb_eArgError, "unknown type"); + ctx = d2i_SSL_SESSION_bio(in, NULL); + if (!ctx) { + OSSL_BIO_reset(in); + ctx = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL); } + BIO_free(in); + if (!ctx) + ossl_raise(rb_eArgError, "unknown type"); + } - /* should not happen */ - if (ctx == NULL) - ossl_raise(eSSLSession, "ctx not set - internal error"); - - RDATA(self)->data = ctx; + RTYPEDDATA_DATA(self) = ctx; - return self; + return self; }</pre> </div> </div> diff --git a/OpenSSL/SSL/SocketForwarder.html b/OpenSSL/SSL/SocketForwarder.html index 1ae9719e..560dd917 100644 --- a/OpenSSL/SSL/SocketForwarder.html +++ b/OpenSSL/SSL/SocketForwarder.html @@ -111,7 +111,7 @@ <div class="method-source-code" id="addr-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 240</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 244</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">addr</span> <span class="ruby-identifier">to_io</span>.<span class="ruby-identifier">addr</span> <span class="ruby-keyword">end</span></pre> @@ -132,7 +132,7 @@ <div class="method-source-code" id="closed-3F-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 260</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 264</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">closed?</span> <span class="ruby-identifier">to_io</span>.<span class="ruby-identifier">closed?</span> <span class="ruby-keyword">end</span></pre> @@ -153,7 +153,7 @@ <div class="method-source-code" id="do_not_reverse_lookup-3D-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 264</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 268</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">do_not_reverse_lookup=</span>(<span class="ruby-identifier">flag</span>) <span class="ruby-identifier">to_io</span>.<span class="ruby-identifier">do_not_reverse_lookup</span> = <span class="ruby-identifier">flag</span> <span class="ruby-keyword">end</span></pre> @@ -174,7 +174,7 @@ <div class="method-source-code" id="fcntl-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 256</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 260</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">fcntl</span>(<span class="ruby-operator">*</span><span class="ruby-identifier">args</span>) <span class="ruby-identifier">to_io</span>.<span class="ruby-identifier">fcntl</span>(<span class="ruby-operator">*</span><span class="ruby-identifier">args</span>) <span class="ruby-keyword">end</span></pre> @@ -195,7 +195,7 @@ <p>The file descriptor for the socket.</p> <div class="method-source-code" id="fileno-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 236</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 240</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">fileno</span> <span class="ruby-identifier">to_io</span>.<span class="ruby-identifier">fileno</span> <span class="ruby-keyword">end</span></pre> @@ -216,7 +216,7 @@ <div class="method-source-code" id="getsockopt-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 252</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 256</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">getsockopt</span>(<span class="ruby-identifier">level</span>, <span class="ruby-identifier">optname</span>) <span class="ruby-identifier">to_io</span>.<span class="ruby-identifier">getsockopt</span>(<span class="ruby-identifier">level</span>, <span class="ruby-identifier">optname</span>) <span class="ruby-keyword">end</span></pre> @@ -237,7 +237,7 @@ <div class="method-source-code" id="peeraddr-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 244</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 248</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">peeraddr</span> <span class="ruby-identifier">to_io</span>.<span class="ruby-identifier">peeraddr</span> <span class="ruby-keyword">end</span></pre> @@ -258,7 +258,7 @@ <div class="method-source-code" id="setsockopt-source"> - <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 248</span> + <pre><span class="ruby-comment"># File lib/openssl/ssl.rb, line 252</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">setsockopt</span>(<span class="ruby-identifier">level</span>, <span class="ruby-identifier">optname</span>, <span class="ruby-identifier">optval</span>) <span class="ruby-identifier">to_io</span>.<span class="ruby-identifier">setsockopt</span>(<span class="ruby-identifier">level</span>, <span class="ruby-identifier">optname</span>, <span class="ruby-identifier">optval</span>) <span class="ruby-keyword">end</span></pre> diff --git a/OpenSSL/Timestamp.html b/OpenSSL/Timestamp.html index 0d7815f4..7dfb7817 100644 --- a/OpenSSL/Timestamp.html +++ b/OpenSSL/Timestamp.html @@ -88,7 +88,7 @@ <pre class="ruby"><span class="ruby-comment">#Assumes ts.p12 is a PKCS#12-compatible file with a private key</span> <span class="ruby-comment">#and a certificate that has an extended key usage of 'timeStamping'</span> -<span class="ruby-identifier">p12</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKCS12</span>.<span class="ruby-identifier">new</span>(<span class="ruby-constant">File</span>.<span class="ruby-identifier">open</span>(<span class="ruby-string">'ts.p12'</span>, <span class="ruby-string">'rb'</span>), <span class="ruby-string">'pwd'</span>) +<span class="ruby-identifier">p12</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKCS12</span>.<span class="ruby-identifier">new</span>(<span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">'ts.p12'</span>), <span class="ruby-string">'pwd'</span>) <span class="ruby-identifier">md</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Digest</span>.<span class="ruby-identifier">new</span>(<span class="ruby-string">'SHA1'</span>) <span class="ruby-identifier">hash</span> = <span class="ruby-identifier">md</span>.<span class="ruby-identifier">digest</span>(<span class="ruby-identifier">data</span>) <span class="ruby-comment">#some binary data to be timestamped</span> <span class="ruby-identifier">req</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Timestamp</span><span class="ruby-operator">::</span><span class="ruby-constant">Request</span>.<span class="ruby-identifier">new</span> @@ -105,16 +105,16 @@ <h3 id="module-OpenSSL::Timestamp-label-Verify+a+timestamp+response-3A">Verify a timestamp response:<span><a href="#module-OpenSSL::Timestamp-label-Verify+a+timestamp+response-3A">¶</a> <a href="#top">↑</a></span></h3> <pre>#Assume we have a timestamp token in a file called ts.der -ts = OpenSSL::Timestamp::Response.new(File.open('ts.der', 'rb') +ts = OpenSSL::Timestamp::Response.new(File.binread('ts.der')) #Assume we have the Request for this token in a file called req.der -req = OpenSSL::Timestamp::Request.new(File.open('req.der', 'rb') +req = OpenSSL::Timestamp::Request.new(File.binread('req.der')) # Assume the associated root CA certificate is contained in a # DER-encoded file named root.cer -root = OpenSSL::X509::Certificate.new(File.open('root.cer', 'rb') +root = OpenSSL::X509::Certificate.new(File.binread('root.cer')) # get the necessary intermediate certificates, available in # DER-encoded form in inter1.cer and inter2.cer -inter1 = OpenSSL::X509::Certificate.new(File.open('inter1.cer', 'rb') -inter2 = OpenSSL::X509::Certificate.new(File.open('inter2.cer', 'rb') +inter1 = OpenSSL::X509::Certificate.new(File.binread('inter1.cer')) +inter2 = OpenSSL::X509::Certificate.new(File.binread('inter2.cer')) ts.verify(req, root, inter1, inter2) -> ts or raises an exception if validation fails</pre> </section> diff --git a/OpenSSL/Timestamp/Factory.html b/OpenSSL/Timestamp/Factory.html index ea33823f..816dd9f0 100644 --- a/OpenSSL/Timestamp/Factory.html +++ b/OpenSSL/Timestamp/Factory.html @@ -110,18 +110,19 @@ <p>Assume we received a timestamp request that has set <a href="Request.html#method-i-policy_id"><code>Request#policy_id</code></a> to <code>nil</code> and <a href="Request.html#method-i-cert_requested-3F"><code>Request#cert_requested?</code></a> to true. The raw request bytes are stored in a variable called <code>req_raw</code>. We’d still like to integrate the necessary intermediate certificates (in <code>inter1.cer</code> and <code>inter2.cer</code>) to simplify validation of the resulting <a href="Response.html"><code>Response</code></a>. <code>ts.p12</code> is a PKCS#12-compatible file including the private key and the timestamping certificate.</p> -<pre>req = OpenSSL::Timestamp::Request.new(raw_bytes) -p12 = OpenSSL::PKCS12.new(File.open('ts.p12', 'rb'), 'pwd') -inter1 = OpenSSL::X509::Certificate.new(File.open('inter1.cer', 'rb') -inter2 = OpenSSL::X509::Certificate.new(File.open('inter2.cer', 'rb') -fac = OpenSSL::Timestamp::Factory.new -fac.gen_time = Time.now -fac.serial_number = 1 -fac.allowed_digests = ["sha256", "sha384", "sha512"] -#needed because the Request contained no policy identifier -fac.default_policy_id = '1.2.3.4.5' -fac.additional_certificates = [ inter1, inter2 ] -timestamp = fac.create_timestamp(p12.key, p12.certificate, req)</pre> +<pre class="ruby"><span class="ruby-identifier">req</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Timestamp</span><span class="ruby-operator">::</span><span class="ruby-constant">Request</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">raw_bytes</span>) +<span class="ruby-identifier">p12</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">PKCS12</span>.<span class="ruby-identifier">new</span>(<span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">'ts.p12'</span>), <span class="ruby-string">'pwd'</span>) +<span class="ruby-identifier">inter1</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">X509</span><span class="ruby-operator">::</span><span class="ruby-constant">Certificate</span>.<span class="ruby-identifier">new</span>(<span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">'inter1.cer'</span>)) +<span class="ruby-identifier">inter2</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">X509</span><span class="ruby-operator">::</span><span class="ruby-constant">Certificate</span>.<span class="ruby-identifier">new</span>(<span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-string">'inter2.cer'</span>)) +<span class="ruby-identifier">fac</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">Timestamp</span><span class="ruby-operator">::</span><span class="ruby-constant">Factory</span>.<span class="ruby-identifier">new</span> +<span class="ruby-identifier">fac</span>.<span class="ruby-identifier">gen_time</span> = <span class="ruby-constant">Time</span>.<span class="ruby-identifier">now</span> +<span class="ruby-identifier">fac</span>.<span class="ruby-identifier">serial_number</span> = <span class="ruby-value">1</span> +<span class="ruby-identifier">fac</span>.<span class="ruby-identifier">allowed_digests</span> = [<span class="ruby-string">"sha256"</span>, <span class="ruby-string">"sha384"</span>, <span class="ruby-string">"sha512"</span>] +<span class="ruby-comment">#needed because the Request contained no policy identifier</span> +<span class="ruby-identifier">fac</span>.<span class="ruby-identifier">default_policy_id</span> = <span class="ruby-string">'1.2.3.4.5'</span> +<span class="ruby-identifier">fac</span>.<span class="ruby-identifier">additional_certificates</span> = [ <span class="ruby-identifier">inter1</span>, <span class="ruby-identifier">inter2</span> ] +<span class="ruby-identifier">timestamp</span> = <span class="ruby-identifier">fac</span>.<span class="ruby-identifier">create_timestamp</span>(<span class="ruby-identifier">p12</span>.<span class="ruby-identifier">key</span>, <span class="ruby-identifier">p12</span>.<span class="ruby-identifier">certificate</span>, <span class="ruby-identifier">req</span>) +</pre> <h2 id="class-OpenSSL::Timestamp::Factory-label-Attributes">Attributes<span><a href="#class-OpenSSL::Timestamp::Factory-label-Attributes">¶</a> <a href="#top">↑</a></span></h2> @@ -315,7 +316,7 @@ ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request) goto end; } if (!NIL_P(def_policy_id) && !TS_REQ_get_policy_id(req)) { - def_policy_id_obj = (ASN1_OBJECT*)rb_protect((VALUE (*)(VALUE))obj_to_asn1obj, (VALUE)def_policy_id, &status); + def_policy_id_obj = (ASN1_OBJECT*)rb_protect(obj_to_asn1obj_i, (VALUE)def_policy_id, &status); if (status) goto end; } @@ -357,7 +358,7 @@ ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request) for (i = 0; i < RARRAY_LEN(allowed_digests); i++) { rbmd = rb_ary_entry(allowed_digests, i); - md = (const EVP_MD *)rb_protect((VALUE (*)(VALUE))ossl_evp_get_digestbyname, rbmd, &status); + md = (const EVP_MD *)rb_protect(ossl_evp_get_digestbyname_i, rbmd, &status); if (status) goto end; TS_RESP_CTX_add_md(ctx, md); @@ -368,7 +369,7 @@ ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request) if (status) goto end; - req_bio = (BIO*)rb_protect((VALUE (*)(VALUE))ossl_obj2bio, (VALUE)&str, &status); + req_bio = (BIO*)rb_protect(ossl_obj2bio_i, (VALUE)&str, &status); if (status) goto end; @@ -392,7 +393,7 @@ end: ASN1_OBJECT_free(def_policy_id_obj); TS_RESP_CTX_free(ctx); if (err_msg) - ossl_raise(eTimestampError, err_msg); + rb_exc_raise(ossl_make_error(eTimestampError, rb_str_new_cstr(err_msg))); if (status) rb_jump_tag(status); return ret; diff --git a/OpenSSL/Timestamp/Response.html b/OpenSSL/Timestamp/Response.html index 166a9a74..ff9fd04f 100644 --- a/OpenSSL/Timestamp/Response.html +++ b/OpenSSL/Timestamp/Response.html @@ -531,17 +531,14 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self) X509_up_ref(cert); } - TS_VERIFY_CTS_set_certs(ctx, x509inter); + TS_VERIFY_CTX_set_certs(ctx, x509inter); TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE); TS_VERIFY_CTX_set_store(ctx, x509st); ok = TS_RESP_verify_response(ctx, resp); - - /* WORKAROUND: - * X509_STORE can count references, but X509_STORE_free() doesn't check - * this. To prevent our X509_STORE from being freed with our - * TS_VERIFY_CTX we set the store to NULL first. - * Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2) + /* + * TS_VERIFY_CTX_set_store() call above does not increment the reference + * counter, so it must be unset before TS_VERIFY_CTX_free() is called. */ TS_VERIFY_CTX_set_store(ctx, NULL); TS_VERIFY_CTX_free(ctx); diff --git a/OpenSSL/X509/Attribute.html b/OpenSSL/X509/Attribute.html index ceefd056..4d24b5fd 100644 --- a/OpenSSL/X509/Attribute.html +++ b/OpenSSL/X509/Attribute.html @@ -174,7 +174,7 @@ ossl_x509attr_initialize(int argc, VALUE *argv, VALUE self) <div class="method-source-code" id="3D-3D-source"> - <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 312</span> + <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 330</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">==</span>(<span class="ruby-identifier">other</span>) <span class="ruby-keyword">return</span> <span class="ruby-keyword">false</span> <span class="ruby-keyword">unless</span> <span class="ruby-constant">Attribute</span> <span class="ruby-operator">===</span> <span class="ruby-identifier">other</span> <span class="ruby-identifier">to_der</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">other</span>.<span class="ruby-identifier">to_der</span> diff --git a/OpenSSL/X509/CRL.html b/OpenSSL/X509/CRL.html index 238ac89a..1e49e0e3 100644 --- a/OpenSSL/X509/CRL.html +++ b/OpenSSL/X509/CRL.html @@ -146,23 +146,26 @@ ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self) { BIO *in; - X509_CRL *crl, *x = DATA_PTR(self); + X509_CRL *crl, *crl_orig = RTYPEDDATA_DATA(self); VALUE arg; + rb_check_frozen(self); if (rb_scan_args(argc, argv, "01", &arg) == 0) { return self; } arg = ossl_to_der_if_possible(arg); in = ossl_obj2bio(&arg); - crl = PEM_read_bio_X509_CRL(in, &x, NULL, NULL); - DATA_PTR(self) = x; + crl = d2i_X509_CRL_bio(in, NULL); if (!crl) { OSSL_BIO_reset(in); - crl = d2i_X509_CRL_bio(in, &x); - DATA_PTR(self) = x; + crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); } BIO_free(in); - if (!crl) ossl_raise(eX509CRLError, NULL); + if (!crl) + ossl_raise(eX509CRLError, "PEM_read_bio_X509_CRL"); + + RTYPEDDATA_DATA(self) = crl; + X509_CRL_free(crl_orig); return self; }</pre> @@ -190,7 +193,7 @@ ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self) <div class="method-source-code" id="3D-3D-source"> - <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 347</span> + <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 369</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">==</span>(<span class="ruby-identifier">other</span>) <span class="ruby-keyword">return</span> <span class="ruby-keyword">false</span> <span class="ruby-keyword">unless</span> <span class="ruby-constant">CRL</span> <span class="ruby-operator">===</span> <span class="ruby-identifier">other</span> <span class="ruby-identifier">to_der</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">other</span>.<span class="ruby-identifier">to_der</span> diff --git a/OpenSSL/X509/Certificate.html b/OpenSSL/X509/Certificate.html index 6df5f9b3..5c0e16c1 100644 --- a/OpenSSL/X509/Certificate.html +++ b/OpenSSL/X509/Certificate.html @@ -94,6 +94,8 @@ <h3>Methods</h3> <ul class="link-list" role="directory"> + <li ><a href="#method-c-load">::load</a> + <li ><a href="#method-c-load_file">::load_file</a> <li ><a href="#method-c-new">::new</a> <li ><a href="#method-i-3D-3D">#==</a> <li ><a href="#method-i-add_extension">#add_extension</a> @@ -143,7 +145,7 @@ <p><a href="Certificate.html"><code>Certificate</code></a> is capable of handling DER-encoded certificates and certificates encoded in OpenSSL’s PEM format.</p> -<pre class="ruby"><span class="ruby-identifier">raw</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span> <span class="ruby-string">"cert.cer"</span> <span class="ruby-comment"># DER- or PEM-encoded</span> +<pre class="ruby"><span class="ruby-identifier">raw</span> = <span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span> <span class="ruby-string">"cert.cer"</span> <span class="ruby-comment"># DER- or PEM-encoded</span> <span class="ruby-identifier">certificate</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">X509</span><span class="ruby-operator">::</span><span class="ruby-constant">Certificate</span>.<span class="ruby-identifier">new</span> <span class="ruby-identifier">raw</span> </pre> @@ -222,6 +224,63 @@ <h3>Public Class Methods</h3> </header> + <div id="method-c-load" class="method-detail "> + <div class="method-heading"> + <span class="method-callseq"> + OpenSSL::X509::Certificate.load(string) → [certs...] + </span> + <span class="method-click-advice">click to toggle source</span> + </div> + <div class="method-heading"> + <span class="method-callseq"> + OpenSSL::X509::Certificate.load(file) → [certs...] + </span> + </div> + + <div class="method-description"> + <p>Read the chained certificates from the given input. Supports both PEM and DER encoded certificates.</p> + +<p>PEM is a text format and supports more than one certificate.</p> + +<p>DER is a binary format and only supports one certificate.</p> + +<p>If the file is empty, or contains only unrelated data, an <code>OpenSSL::X509::CertificateError</code> exception will be raised.</p> + + <div class="method-source-code" id="load-source"> + <pre>static VALUE +ossl_x509_load(VALUE klass, VALUE buffer) +{ + BIO *in = ossl_obj2bio(&buffer); + + return rb_ensure(load_chained_certificates, (VALUE)in, load_chained_certificates_ensure, (VALUE)in); +}</pre> + </div> + </div> + + + </div> + + <div id="method-c-load_file" class="method-detail "> + <div class="method-heading"> + <span class="method-name">load_file</span><span + class="method-args">(path)</span> + <span class="method-click-advice">click to toggle source</span> + </div> + + <div class="method-description"> + + + <div class="method-source-code" id="load_file-source"> + <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 360</span> +<span class="ruby-keyword">def</span> <span class="ruby-keyword">self</span>.<span class="ruby-identifier ruby-title">load_file</span>(<span class="ruby-identifier">path</span>) + <span class="ruby-identifier">load</span>(<span class="ruby-constant">File</span>.<span class="ruby-identifier">binread</span>(<span class="ruby-identifier">path</span>)) +<span class="ruby-keyword">end</span></pre> + </div> + </div> + + + </div> + <div id="method-c-new" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> @@ -243,24 +302,27 @@ ossl_x509_initialize(int argc, VALUE *argv, VALUE self) { BIO *in; - X509 *x509, *x = DATA_PTR(self); + X509 *x509, *x509_orig = RTYPEDDATA_DATA(self); VALUE arg; + rb_check_frozen(self); if (rb_scan_args(argc, argv, "01", &arg) == 0) { /* create just empty X509Cert */ return self; } arg = ossl_to_der_if_possible(arg); in = ossl_obj2bio(&arg); - x509 = PEM_read_bio_X509(in, &x, NULL, NULL); - DATA_PTR(self) = x; + x509 = d2i_X509_bio(in, NULL); if (!x509) { OSSL_BIO_reset(in); - x509 = d2i_X509_bio(in, &x); - DATA_PTR(self) = x; + x509 = PEM_read_bio_X509(in, NULL, NULL, NULL); } BIO_free(in); - if (!x509) ossl_raise(eX509CertError, NULL); + if (!x509) + ossl_raise(eX509CertError, "PEM_read_bio_X509"); + + RTYPEDDATA_DATA(self) = x509; + X509_free(x509_orig); return self; }</pre> @@ -722,7 +784,7 @@ ossl_x509_set_not_before(VALUE self, VALUE time) <div class="method-source-code" id="pretty_print-source"> - <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 331</span> + <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 349</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">pretty_print</span>(<span class="ruby-identifier">q</span>) <span class="ruby-identifier">q</span>.<span class="ruby-identifier">object_group</span>(<span class="ruby-keyword">self</span>) { <span class="ruby-identifier">q</span>.<span class="ruby-identifier">breakable</span> diff --git a/OpenSSL/X509/ExtensionFactory.html b/OpenSSL/X509/ExtensionFactory.html index 4ba70ea7..f909b568 100644 --- a/OpenSSL/X509/ExtensionFactory.html +++ b/OpenSSL/X509/ExtensionFactory.html @@ -252,11 +252,10 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self) GetX509ExtFactory(self, ctx); obj = NewX509Ext(cX509Ext); rconf = rb_iv_get(self, "@config"); - conf = NIL_P(rconf) ? NULL : DupConfigPtr(rconf); + conf = NIL_P(rconf) ? NULL : GetConfig(rconf); X509V3_set_nconf(ctx, conf); ext = X509V3_EXT_nconf_nid(conf, ctx, nid, RSTRING_PTR(valstr)); X509V3_set_ctx_nodb(ctx); - NCONF_free(conf); if (!ext){ ossl_raise(eX509ExtError, "%"PRIsVALUE" = %"PRIsVALUE, oid, valstr); } diff --git a/OpenSSL/X509/Name.html b/OpenSSL/X509/Name.html index b3bf275c..abd2d5ff 100644 --- a/OpenSSL/X509/Name.html +++ b/OpenSSL/X509/Name.html @@ -114,7 +114,7 @@ <p>You can create a <a href="Name.html"><code>Name</code></a> by parsing a distinguished name String or by supplying the distinguished name as an Array.</p> -<pre class="ruby"><span class="ruby-identifier">name</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">X509</span><span class="ruby-operator">::</span><span class="ruby-constant">Name</span>.<span class="ruby-identifier">parse</span> <span class="ruby-string">'/CN=nobody/DC=example'</span> +<pre class="ruby"><span class="ruby-identifier">name</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">X509</span><span class="ruby-operator">::</span><span class="ruby-constant">Name</span>.<span class="ruby-identifier">parse_rfc2253</span> <span class="ruby-string">'DC=example,CN=nobody'</span> <span class="ruby-identifier">name</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">X509</span><span class="ruby-operator">::</span><span class="ruby-constant">Name</span>.<span class="ruby-identifier">new</span> [[<span class="ruby-string">'CN'</span>, <span class="ruby-string">'nobody'</span>], [<span class="ruby-string">'DC'</span>, <span class="ruby-string">'example'</span>]] </pre> @@ -260,10 +260,19 @@ ossl_x509name_initialize(int argc, VALUE *argv, VALUE self) </div> <div class="method-description"> - + <p>Parses the string representation of a distinguished name. Two different forms are supported:</p> +<ul><li> +<p>OpenSSL format (<code>X509_NAME_oneline()</code>) used by <code>#to_s</code>. For example: <code>/DC=com/DC=example/CN=nobody</code></p> +</li><li> +<p>OpenSSL format (<code>X509_NAME_print()</code>) used by <code>#to_s(OpenSSL::X509::Name::COMPAT)</code>. For example: <code>DC=com, DC=example, CN=nobody</code></p> +</li></ul> + +<p>Neither of them is standardized and has quirks and inconsistencies in handling of escaped characters or multi-valued RDNs.</p> + +<p>Use of this method is discouraged in new applications. See <a href="Name.html#method-c-parse_rfc2253"><code>Name.parse_rfc2253</code></a> and <a href="Name.html#method-i-to_utf8"><code>to_utf8</code></a> for the alternative.</p> <div class="method-source-code" id="parse_openssl-source"> - <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 287</span> + <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 305</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">parse_openssl</span>(<span class="ruby-identifier">str</span>, <span class="ruby-identifier">template</span>=<span class="ruby-constant">OBJECT_TYPE_TEMPLATE</span>) <span class="ruby-keyword">if</span> <span class="ruby-identifier">str</span>.<span class="ruby-identifier">start_with?</span>(<span class="ruby-string">"/"</span>) <span class="ruby-comment"># /A=B/C=D format</span> @@ -291,10 +300,12 @@ ossl_x509name_initialize(int argc, VALUE *argv, VALUE self) </div> <div class="method-description"> - + <p>Parses the UTF-8 string representation of a distinguished name, according to RFC 2253.</p> + +<p>See also <a href="Name.html#method-i-to_utf8"><code>to_utf8</code></a> for the opposite operation.</p> <div class="method-source-code" id="parse_rfc2253-source"> - <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 282</span> + <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 286</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">parse_rfc2253</span>(<span class="ruby-identifier">str</span>, <span class="ruby-identifier">template</span>=<span class="ruby-constant">OBJECT_TYPE_TEMPLATE</span>) <span class="ruby-identifier">ary</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">X509</span><span class="ruby-operator">::</span><span class="ruby-constant">Name</span><span class="ruby-operator">::</span><span class="ruby-constant">RFC2253DN</span>.<span class="ruby-identifier">scan</span>(<span class="ruby-identifier">str</span>) <span class="ruby-keyword">self</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">ary</span>, <span class="ruby-identifier">template</span>) @@ -565,7 +576,7 @@ ossl_x509name_initialize_copy(VALUE self, VALUE other) <div class="method-source-code" id="pretty_print-source"> - <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 301</span> + <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 319</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">pretty_print</span>(<span class="ruby-identifier">q</span>) <span class="ruby-identifier">q</span>.<span class="ruby-identifier">object_group</span>(<span class="ruby-keyword">self</span>) { <span class="ruby-identifier">q</span>.<span class="ruby-identifier">text</span> <span class="ruby-string">' '</span> @@ -697,7 +708,11 @@ ossl_x509name_to_der(VALUE self) <p><a href="Name.html#MULTILINE"><code>OpenSSL::X509::Name::MULTILINE</code></a></p> </li></ul> -<p>If <em>format</em> is omitted, the largely broken and traditional <a href="../../OpenSSL.html"><code>OpenSSL</code></a> format is used.</p> +<p>If <em>format</em> is omitted, the largely broken and traditional <a href="../../OpenSSL.html"><code>OpenSSL</code></a> format (<code>X509_NAME_oneline()</code> format) is chosen.</p> + +<p><strong>Use of this method is discouraged.</strong> None of the formats other than <a href="Name.html#RFC2253"><code>OpenSSL::X509::Name::RFC2253</code></a> is standardized and may show an inconsistent behavior through OpenSSL versions.</p> + +<p>It is recommended to use <a href="Name.html#method-i-to_utf8"><code>to_utf8</code></a> instead, which is equivalent to calling <code>name.to_s(OpenSSL::X509::Name::RFC2253).force_encoding("UTF-8")</code>.</p> <div class="method-source-code" id="to_s-source"> <pre>static VALUE diff --git a/OpenSSL/X509/Request.html b/OpenSSL/X509/Request.html index b8ad3bfb..fd368bb7 100644 --- a/OpenSSL/X509/Request.html +++ b/OpenSSL/X509/Request.html @@ -140,23 +140,26 @@ ossl_x509req_initialize(int argc, VALUE *argv, VALUE self) { BIO *in; - X509_REQ *req, *x = DATA_PTR(self); + X509_REQ *req, *req_orig = RTYPEDDATA_DATA(self); VALUE arg; + rb_check_frozen(self); if (rb_scan_args(argc, argv, "01", &arg) == 0) { return self; } arg = ossl_to_der_if_possible(arg); in = ossl_obj2bio(&arg); - req = PEM_read_bio_X509_REQ(in, &x, NULL, NULL); - DATA_PTR(self) = x; + req = d2i_X509_REQ_bio(in, NULL); if (!req) { OSSL_BIO_reset(in); - req = d2i_X509_REQ_bio(in, &x); - DATA_PTR(self) = x; + req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); } BIO_free(in); - if (!req) ossl_raise(eX509ReqError, NULL); + if (!req) + ossl_raise(eX509ReqError, "PEM_read_bio_X509_REQ"); + + RTYPEDDATA_DATA(self) = req; + X509_REQ_free(req_orig); return self; }</pre> @@ -184,7 +187,7 @@ ossl_x509req_initialize(int argc, VALUE *argv, VALUE self) <div class="method-source-code" id="3D-3D-source"> - <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 363</span> + <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 385</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">==</span>(<span class="ruby-identifier">other</span>) <span class="ruby-keyword">return</span> <span class="ruby-keyword">false</span> <span class="ruby-keyword">unless</span> <span class="ruby-constant">Request</span> <span class="ruby-operator">===</span> <span class="ruby-identifier">other</span> <span class="ruby-identifier">to_der</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">other</span>.<span class="ruby-identifier">to_der</span> diff --git a/OpenSSL/X509/Revoked.html b/OpenSSL/X509/Revoked.html index 9ce99dec..b1259930 100644 --- a/OpenSSL/X509/Revoked.html +++ b/OpenSSL/X509/Revoked.html @@ -150,7 +150,7 @@ ossl_x509revoked_initialize(int argc, VALUE *argv, VALUE self) <div class="method-source-code" id="3D-3D-source"> - <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 354</span> + <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 376</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">==</span>(<span class="ruby-identifier">other</span>) <span class="ruby-keyword">return</span> <span class="ruby-keyword">false</span> <span class="ruby-keyword">unless</span> <span class="ruby-constant">Revoked</span> <span class="ruby-operator">===</span> <span class="ruby-identifier">other</span> <span class="ruby-identifier">to_der</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">other</span>.<span class="ruby-identifier">to_der</span> diff --git a/OpenSSL/X509/Store.html b/OpenSSL/X509/Store.html index 9ea6a1ce..e4d795b9 100644 --- a/OpenSSL/X509/Store.html +++ b/OpenSSL/X509/Store.html @@ -145,6 +145,8 @@ <div class="method-description"> <p>The certificate chain constructed by the last call of <a href="Store.html#method-i-verify"><code>verify</code></a>.</p> + +<p>See also <a href="StoreContext.html#method-i-chain"><code>StoreContext#chain</code></a>.</p> </div> </div> <div id="attribute-i-error" class="method-detail"> @@ -155,6 +157,8 @@ <div class="method-description"> <p>The error code set by the last call of <a href="Store.html#method-i-verify"><code>verify</code></a>.</p> + +<p>See also <a href="StoreContext.html#method-i-error"><code>StoreContext#error</code></a>.</p> </div> </div> <div id="attribute-i-error_string" class="method-detail"> @@ -165,6 +169,8 @@ <div class="method-description"> <p>The description for the error code set by the last call of <a href="Store.html#method-i-verify"><code>verify</code></a>.</p> + +<p>See also <a href="StoreContext.html#method-i-error_string"><code>StoreContext#error_string</code></a>.</p> </div> </div> <div id="attribute-i-verify_callback" class="method-detail"> @@ -174,9 +180,15 @@ </div> <div class="method-description"> - <p>The callback for additional certificate verification. It is invoked for each untrusted certificate in the chain.</p> + <p>The callback for additional certificate verification. It is invoked for each certificate in the chain and can be used to implement custom certificate verification conditions.</p> + +<p>The callback is invoked with two values, a boolean that indicates if the pre-verification by <a href="../../OpenSSL.html"><code>OpenSSL</code></a> has succeeded or not, and the <a href="StoreContext.html"><code>StoreContext</code></a> in use.</p> + +<p>The callback can use <a href="StoreContext.html#method-i-error-3D"><code>StoreContext#error=</code></a> to change the error code as needed. The callback must return either true or false.</p> -<p>The callback is invoked with two values, a boolean that indicates if the pre-verification by <a href="../../OpenSSL.html"><code>OpenSSL</code></a> has succeeded or not, and the <a href="StoreContext.html"><code>StoreContext</code></a> in use. The callback must return either true or false.</p> +<p>NOTE: any exception raised within the callback will be ignored.</p> + +<p>See also the man page X509_STORE_CTX_set_verify_cb(3).</p> </div> </div> </section> @@ -204,8 +216,9 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self) { X509_STORE *store; -/* BUG: This method takes any number of arguments but appears to ignore them. */ GetX509Store(self, store); + if (argc != 0) + rb_warn("OpenSSL::X509::Store.new does not take any arguments"); #if !defined(HAVE_OPAQUE_OPENSSL) /* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */ store->ex_data.sk = NULL; @@ -237,7 +250,7 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self) <div id="method-i-add_cert" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - add_cert(cert) + add_cert(cert) → self </span> <span class="method-click-advice">click to toggle source</span> </div> @@ -245,6 +258,8 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self) <div class="method-description"> <p>Adds the <a href="Certificate.html"><code>OpenSSL::X509::Certificate</code></a> <em>cert</em> to the certificate store.</p> +<p>See also the man page X509_STORE_add_cert(3).</p> + <div class="method-source-code" id="add_cert-source"> <pre>static VALUE ossl_x509store_add_cert(VALUE self, VALUE arg) @@ -254,9 +269,8 @@ ossl_x509store_add_cert(VALUE self, VALUE arg) cert = GetX509CertPtr(arg); /* NO NEED TO DUP */ GetX509Store(self, store); - if (X509_STORE_add_cert(store, cert) != 1){ - ossl_raise(eX509StoreError, NULL); - } + if (X509_STORE_add_cert(store, cert) != 1) + ossl_raise(eX509StoreError, "X509_STORE_add_cert"); return self; }</pre> @@ -277,6 +291,8 @@ ossl_x509store_add_cert(VALUE self, VALUE arg) <div class="method-description"> <p>Adds the <a href="CRL.html"><code>OpenSSL::X509::CRL</code></a> <em>crl</em> to the store.</p> +<p>See also the man page X509_STORE_add_crl(3).</p> + <div class="method-source-code" id="add_crl-source"> <pre>static VALUE ossl_x509store_add_crl(VALUE self, VALUE arg) @@ -286,9 +302,8 @@ ossl_x509store_add_crl(VALUE self, VALUE arg) crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */ GetX509Store(self, store); - if (X509_STORE_add_crl(store, crl) != 1){ - ossl_raise(eX509StoreError, NULL); - } + if (X509_STORE_add_crl(store, crl) != 1) + ossl_raise(eX509StoreError, "X509_STORE_add_crl"); return self; }</pre> @@ -309,23 +324,23 @@ ossl_x509store_add_crl(VALUE self, VALUE arg) <div class="method-description"> <p>Adds the certificates in <em>file</em> to the certificate store. <em>file</em> is the path to the file, and the file contains one or more certificates in PEM format concatenated together.</p> +<p>See also the man page X509_LOOKUP_file(3).</p> + <div class="method-source-code" id="add_file-source"> <pre>static VALUE ossl_x509store_add_file(VALUE self, VALUE file) { X509_STORE *store; X509_LOOKUP *lookup; - char *path = NULL; + const char *path; - if(file != Qnil){ - path = StringValueCStr(file); - } GetX509Store(self, store); + path = StringValueCStr(file); lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); - if(lookup == NULL) ossl_raise(eX509StoreError, NULL); - if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){ - ossl_raise(eX509StoreError, NULL); - } + if (!lookup) + ossl_raise(eX509StoreError, "X509_STORE_add_lookup"); + if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1) + ossl_raise(eX509StoreError, "X509_LOOKUP_load_file"); #if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER) /* * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file() @@ -355,23 +370,23 @@ ossl_x509store_add_file(VALUE self, VALUE file) <div class="method-description"> <p>Adds <em>path</em> as the hash dir to be looked up by the store.</p> +<p>See also the man page X509_LOOKUP_hash_dir(3).</p> + <div class="method-source-code" id="add_path-source"> <pre>static VALUE ossl_x509store_add_path(VALUE self, VALUE dir) { X509_STORE *store; X509_LOOKUP *lookup; - char *path = NULL; + const char *path; - if(dir != Qnil){ - path = StringValueCStr(dir); - } GetX509Store(self, store); + path = StringValueCStr(dir); lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); - if(lookup == NULL) ossl_raise(eX509StoreError, NULL); - if(X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1){ - ossl_raise(eX509StoreError, NULL); - } + if (!lookup) + ossl_raise(eX509StoreError, "X509_STORE_add_lookup"); + if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1) + ossl_raise(eX509StoreError, "X509_LOOKUP_add_dir"); return self; }</pre> @@ -390,7 +405,13 @@ ossl_x509store_add_path(VALUE self, VALUE dir) </div> <div class="method-description"> - <p>Sets <em>flags</em> to the <a href="Store.html"><code>Store</code></a>. <em>flags</em> consists of zero or more of the constants defined in with name V_FLAG_* or’ed together.</p> + <p>Sets the default flags used by certificate chain verification performed with the <a href="Store.html"><code>Store</code></a>.</p> + +<p><em>flags</em> consists of zero or more of the constants defined in <a href="../X509.html"><code>OpenSSL::X509</code></a> with name V_FLAG_* or’ed together.</p> + +<p><a href="StoreContext.html#method-i-flags-3D"><code>OpenSSL::X509::StoreContext#flags=</code></a> can be used to change the flags for a single verification operation.</p> + +<p>See also the man page X509_VERIFY_PARAM_set_flags(3).</p> <div class="method-source-code" id="flags-3D-source"> <pre>static VALUE @@ -419,7 +440,7 @@ ossl_x509store_set_flags(VALUE self, VALUE flags) </div> <div class="method-description"> - <p>Sets the store’s purpose to <em>purpose</em>. If specified, the verifications on the store will check every untrusted certificate’s extensions are consistent with the purpose. The purpose is specified by constants:</p> + <p>Sets the store’s default verification purpose. If specified, the verifications on the store will check every certificate’s extensions are consistent with the purpose. The purpose is specified by constants:</p> <ul><li> <p>X509::PURPOSE_SSL_CLIENT</p> </li><li> @@ -440,6 +461,10 @@ ossl_x509store_set_flags(VALUE self, VALUE flags) <p>X509::PURPOSE_TIMESTAMP_SIGN</p> </li></ul> +<p><a href="StoreContext.html#method-i-purpose-3D"><code>OpenSSL::X509::StoreContext#purpose=</code></a> can be used to change the value for a single verification operation.</p> + +<p>See also the man page X509_VERIFY_PARAM_set_purpose(3).</p> + <div class="method-source-code" id="purpose-3D-source"> <pre>static VALUE ossl_x509store_set_purpose(VALUE self, VALUE purpose) @@ -474,6 +499,8 @@ ossl_x509store_set_purpose(VALUE self, VALUE purpose) <p>OpenSSL::X509::DEFAULT_CERT_DIR</p> </li></ul> +<p>See also the man page X509_STORE_set_default_paths(3).</p> + <div class="method-source-code" id="set_default_paths-source"> <pre>static VALUE ossl_x509store_set_default_paths(VALUE self) @@ -481,9 +508,8 @@ ossl_x509store_set_default_paths(VALUE self) X509_STORE *store; GetX509Store(self, store); - if (X509_STORE_set_default_paths(store) != 1){ - ossl_raise(eX509StoreError, NULL); - } + if (X509_STORE_set_default_paths(store) != 1) + ossl_raise(eX509StoreError, "X509_STORE_set_default_paths"); return Qnil; }</pre> @@ -502,7 +528,11 @@ ossl_x509store_set_default_paths(VALUE self) </div> <div class="method-description"> - <p>Sets the time to be used in verifications.</p> + <p>Sets the time to be used in the certificate verifications with the store. By default, if not specified, the current system time is used.</p> + +<p><a href="StoreContext.html#method-i-time-3D"><code>OpenSSL::X509::StoreContext#time=</code></a> can be used to change the value for a single verification operation.</p> + +<p>See also the man page X509_VERIFY_PARAM_set_time(3).</p> <div class="method-source-code" id="time-3D-source"> <pre>static VALUE @@ -526,7 +556,11 @@ ossl_x509store_set_time(VALUE self, VALUE time) </div> <div class="method-description"> - + <p>Sets the default trust settings used by the certificate verification with the store.</p> + +<p><a href="StoreContext.html#method-i-trust-3D"><code>OpenSSL::X509::StoreContext#trust=</code></a> can be used to change the value for a single verification operation.</p> + +<p>See also the man page X509_VERIFY_PARAM_set_trust(3).</p> <div class="method-source-code" id="trust-3D-source"> <pre>static VALUE diff --git a/OpenSSL/X509/StoreContext.html b/OpenSSL/X509/StoreContext.html index 2ed03771..e1f06bd5 100644 --- a/OpenSSL/X509/StoreContext.html +++ b/OpenSSL/X509/StoreContext.html @@ -176,39 +176,28 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self) <div id="method-i-chain" class="method-detail "> <div class="method-heading"> <span class="method-callseq"> - chain → Array of X509::Certificate + chain → nil | Array of X509::Certificate </span> <span class="method-click-advice">click to toggle source</span> </div> <div class="method-description"> - + <p>Returns the verified chain.</p> + +<p>See also the man page X509_STORE_CTX_set0_verified_chain(3).</p> <div class="method-source-code" id="chain-source"> <pre>static VALUE ossl_x509stctx_get_chain(VALUE self) { X509_STORE_CTX *ctx; - STACK_OF(X509) *chain; - X509 *x509; - int i, num; - VALUE ary; + const STACK_OF(X509) *chain; GetX509StCtx(self, ctx); - if((chain = X509_STORE_CTX_get0_chain(ctx)) == NULL){ - return Qnil; - } - if((num = sk_X509_num(chain)) < 0){ - OSSL_Debug("certs in chain < 0???"); - return rb_ary_new(); - } - ary = rb_ary_new2(num); - for(i = 0; i < num; i++) { - x509 = sk_X509_value(chain, i); - rb_ary_push(ary, ossl_x509_new(x509)); - } - - return ary; + chain = X509_STORE_CTX_get0_chain(ctx); + if (!chain) + return Qnil; /* Could be an empty array instead? */ + return ossl_x509_sk2ary(chain); }</pre> </div> </div> @@ -227,7 +216,7 @@ ossl_x509stctx_get_chain(VALUE self) <div class="method-source-code" id="cleanup-source"> - <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 319</span> + <pre><span class="ruby-comment"># File lib/openssl/x509.rb, line 337</span> <span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">cleanup</span> <span class="ruby-identifier">warn</span> <span class="ruby-node">"(#{caller.first}) OpenSSL::X509::StoreContext#cleanup is deprecated with no replacement"</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">$VERBOSE</span> <span class="ruby-keyword">end</span></pre> @@ -246,7 +235,9 @@ ossl_x509stctx_get_chain(VALUE self) </div> <div class="method-description"> - + <p>Returns the certificate which caused the error.</p> + +<p>See also the man page X509_STORE_CTX_get_current_cert(3).</p> <div class="method-source-code" id="current_cert-source"> <pre>static VALUE @@ -273,7 +264,9 @@ ossl_x509stctx_get_curr_cert(VALUE self) </div> <div class="method-description"> - + <p>Returns the <a href="CRL.html"><code>CRL</code></a> which caused the error.</p> + +<p>See also the man page X509_STORE_CTX_get_current_crl(3).</p> <div class="method-source-code" id="current_crl-source"> <pre>static VALUE @@ -304,7 +297,9 @@ ossl_x509stctx_get_curr_crl(VALUE self) </div> <div class="method-description"> - + <p>Returns the error code of <em>stctx</em>. This is typically called after <a href="StoreContext.html#method-i-verify"><code>verify</code></a> is done, or from the verification callback set to <a href="Store.html#method-i-verify_callback-3D"><code>OpenSSL::X509::Store#verify_callback=</code></a>.</p> + +<p>See also the man page X509_STORE_CTX_get_error(3).</p> <div class="method-source-code" id="error-source"> <pre>static VALUE @@ -331,7 +326,9 @@ ossl_x509stctx_get_err(VALUE self) </div> <div class="method-description"> - + <p>Sets the error code of <em>stctx</em>. This is used by the verification callback set to <a href="Store.html#method-i-verify_callback-3D"><code>OpenSSL::X509::Store#verify_callback=</code></a>.</p> + +<p>See also the man page X509_STORE_CTX_set_error(3).</p> <div class="method-source-code" id="error-3D-source"> <pre>static VALUE @@ -359,7 +356,9 @@ ossl_x509stctx_set_error(VALUE self, VALUE err) </div> <div class="method-description"> - + <p>Returns the depth of the chain. This is used in combination with <a href="StoreContext.html#method-i-error"><code>error</code></a>.</p> + +<p>See also the man page X509_STORE_CTX_get_error_depth(3).</p> <div class="method-source-code" id="error_depth-source"> <pre>static VALUE @@ -386,7 +385,9 @@ ossl_x509stctx_get_err_depth(VALUE self) </div> <div class="method-description"> - <p>Returns the error string corresponding to the error code retrieved by <a href="StoreContext.html#method-i-error"><code>error</code></a>.</p> + <p>Returns the human readable error string corresponding to the error code retrieved by <a href="StoreContext.html#method-i-error"><code>error</code></a>.</p> + +<p>See also the man page X509_verify_cert_error_string(3).</p> <div class="method-source-code" id="error_string-source"> <pre>static VALUE @@ -415,7 +416,9 @@ ossl_x509stctx_get_err_string(VALUE self) </div> <div class="method-description"> - <p>Sets the verification flags to the context. See <a href="Store.html#method-i-flags-3D"><code>Store#flags=</code></a>.</p> + <p>Sets the verification flags to the context. This overrides the default value set by <a href="Store.html#method-i-flags-3D"><code>Store#flags=</code></a>.</p> + +<p>See also the man page X509_VERIFY_PARAM_set_flags(3).</p> <div class="method-source-code" id="flags-3D-source"> <pre>static VALUE @@ -444,7 +447,9 @@ ossl_x509stctx_set_flags(VALUE self, VALUE flags) </div> <div class="method-description"> - <p>Sets the purpose of the context. See <a href="Store.html#method-i-purpose-3D"><code>Store#purpose=</code></a>.</p> + <p>Sets the purpose of the context. This overrides the default value set by <a href="Store.html#method-i-purpose-3D"><code>Store#purpose=</code></a>.</p> + +<p>See also the man page X509_VERIFY_PARAM_set_purpose(3).</p> <div class="method-source-code" id="purpose-3D-source"> <pre>static VALUE @@ -475,6 +480,8 @@ ossl_x509stctx_set_purpose(VALUE self, VALUE purpose) <div class="method-description"> <p>Sets the time used in the verification. If not set, the current time is used.</p> +<p>See also the man page X509_VERIFY_PARAM_set_time(3).</p> + <div class="method-source-code" id="time-3D-source"> <pre>static VALUE ossl_x509stctx_set_time(VALUE self, VALUE time) @@ -503,7 +510,9 @@ ossl_x509stctx_set_time(VALUE self, VALUE time) </div> <div class="method-description"> - + <p>Sets the trust settings of the context. This overrides the default value set by <a href="Store.html#method-i-trust-3D"><code>Store#trust=</code></a>.</p> + +<p>See also the man page X509_VERIFY_PARAM_set_trust(3).</p> <div class="method-source-code" id="trust-3D-source"> <pre>static VALUE @@ -532,7 +541,9 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust) </div> <div class="method-description"> - + <p>Performs the certificate verification using the parameters set to <em>stctx</em>.</p> + +<p>See also the man page X509_verify_cert(3).</p> <div class="method-source-code" id="verify-source"> <pre>static VALUE @@ -551,7 +562,7 @@ ossl_x509stctx_verify(VALUE self) ossl_clear_error(); return Qfalse; default: - ossl_raise(eX509CertError, NULL); + ossl_raise(eX509CertError, "X509_verify_cert"); } }</pre> </div> |