summaryrefslogtreecommitdiffstats
path: root/test
diff options
context:
space:
mode:
Diffstat (limited to 'test')
-rw-r--r--test/openssl/envutil.rb (renamed from test/envutil.rb)0
-rw-r--r--test/openssl/fixtures/pkey/dh-1.pem13
-rw-r--r--test/openssl/fixtures/pkey/dh1024.pem (renamed from test/fixtures/pkey/dh1024.pem)0
-rw-r--r--test/openssl/fixtures/pkey/dsa1024.pem (renamed from test/fixtures/pkey/dsa1024.pem)0
-rw-r--r--test/openssl/fixtures/pkey/dsa256.pem (renamed from test/fixtures/pkey/dsa256.pem)0
-rw-r--r--test/openssl/fixtures/pkey/dsa512.pem (renamed from test/fixtures/pkey/dsa512.pem)0
-rw-r--r--test/openssl/fixtures/pkey/p256.pem (renamed from test/fixtures/pkey/p256.pem)0
-rw-r--r--test/openssl/fixtures/pkey/rsa-1.pem51
-rw-r--r--test/openssl/fixtures/pkey/rsa-2.pem51
-rw-r--r--test/openssl/fixtures/pkey/rsa-3.pem51
-rw-r--r--test/openssl/fixtures/pkey/rsa1024.pem (renamed from test/fixtures/pkey/rsa1024.pem)0
-rw-r--r--test/openssl/fixtures/pkey/rsa2048.pem (renamed from test/fixtures/pkey/rsa2048.pem)0
-rw-r--r--test/openssl/test_asn1.rb (renamed from test/test_asn1.rb)41
-rw-r--r--test/openssl/test_bn.rb (renamed from test/test_bn.rb)11
-rw-r--r--test/openssl/test_buffering.rb (renamed from test/test_buffering.rb)11
-rw-r--r--test/openssl/test_cipher.rb (renamed from test/test_cipher.rb)69
-rw-r--r--test/openssl/test_config.rb (renamed from test/test_config.rb)108
-rw-r--r--test/openssl/test_digest.rb (renamed from test/test_digest.rb)64
-rw-r--r--test/openssl/test_engine.rb (renamed from test/test_engine.rb)4
-rw-r--r--test/openssl/test_fips.rb (renamed from test/test_fips.rb)2
-rw-r--r--test/openssl/test_hmac.rb (renamed from test/test_hmac.rb)12
-rw-r--r--test/openssl/test_kdf.rb (renamed from test/test_kdf.rb)2
-rw-r--r--test/openssl/test_ns_spki.rb (renamed from test/test_ns_spki.rb)6
-rw-r--r--test/openssl/test_ocsp.rb (renamed from test/test_ocsp.rb)35
-rw-r--r--test/openssl/test_ossl.rb65
-rw-r--r--test/openssl/test_pair.rb (renamed from test/test_pair.rb)87
-rw-r--r--test/openssl/test_pkcs12.rb (renamed from test/test_pkcs12.rb)2
-rw-r--r--test/openssl/test_pkcs7.rb (renamed from test/test_pkcs7.rb)26
-rw-r--r--test/openssl/test_pkey.rb28
-rw-r--r--test/openssl/test_pkey_dh.rb (renamed from test/test_pkey_dh.rb)17
-rw-r--r--test/openssl/test_pkey_dsa.rb (renamed from test/test_pkey_dsa.rb)15
-rw-r--r--test/openssl/test_pkey_ec.rb (renamed from test/test_pkey_ec.rb)30
-rw-r--r--test/openssl/test_pkey_rsa.rb (renamed from test/test_pkey_rsa.rb)157
-rw-r--r--test/openssl/test_random.rb (renamed from test/test_random.rb)2
-rw-r--r--test/openssl/test_ssl.rb (renamed from test/test_ssl.rb)147
-rw-r--r--test/openssl/test_ssl_session.rb (renamed from test/test_ssl_session.rb)2
-rw-r--r--test/openssl/test_ts.rb657
-rw-r--r--test/openssl/test_x509attr.rb (renamed from test/test_x509attr.rb)12
-rw-r--r--test/openssl/test_x509cert.rb (renamed from test/test_x509cert.rb)95
-rw-r--r--test/openssl/test_x509crl.rb (renamed from test/test_x509crl.rb)45
-rw-r--r--test/openssl/test_x509ext.rb (renamed from test/test_x509ext.rb)15
-rw-r--r--test/openssl/test_x509name.rb (renamed from test/test_x509name.rb)33
-rw-r--r--test/openssl/test_x509req.rb (renamed from test/test_x509req.rb)33
-rw-r--r--test/openssl/test_x509store.rb (renamed from test/test_x509store.rb)14
-rw-r--r--test/openssl/ut_eof.rb (renamed from test/ut_eof.rb)10
-rw-r--r--test/openssl/utils.rb (renamed from test/utils.rb)109
46 files changed, 1871 insertions, 261 deletions
diff --git a/test/envutil.rb b/test/openssl/envutil.rb
index 05d6fe27..05d6fe27 100644
--- a/test/envutil.rb
+++ b/test/openssl/envutil.rb
diff --git a/test/openssl/fixtures/pkey/dh-1.pem b/test/openssl/fixtures/pkey/dh-1.pem
new file mode 100644
index 00000000..3340a6a1
--- /dev/null
+++ b/test/openssl/fixtures/pkey/dh-1.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAvRzXYxY6L2DjeYmm1eowtMDu1it3j+VwFr6s6PRWzc1apMtztr9G
+xZ2mYndUAJLgNLO3n2fUDCYVMB6ZkcekW8Siocof3xWiMA6wqZ6uw0dsE3q7ZX+6
+TLjgSjaXeGvjutvuEwVrFeaUi83bMgfXN8ToxIQVprIF35sYFt6fpbFATKfW7qqi
+P1pQkjmCskU4tztaWvlLh0qg85wuQGnpJaQT3gS30378i0IGbA0EBvJcSpTHYbLa
+nsdI9bfN/ZVgeolVMNMU9/n8R8vRhNPcHuciFwaqS656q+HavCIyxw/LfjSwwFvR
+TngCn0wytRErkzFIXnRKckh8/BpI4S+0+l1NkOwG4WJ55KJ/9OOdZW5o/QCp2bDi
+E0JN1EP/gkSom/prq8JR/yEqtsy99uc5nUxPmzv0IgdcFHZEfiQU7iRggEbx7qfQ
+Ve55XksmmJInmpCy1bSabAEgIKp8Ckt5KLYZ0RgTXUhcEpsxEo6cuAwoSJT5o4Rp
+yG3xow2ozPcqZkvb+d2CHj1sc54w9BVFAjVANEKmRil/9WKz14bu3wxEhOPqC54n
+QojjLcoXSoT66ZUOQnYxTSiLtzoKGPy8cAVPbkBrXz2u2sj5gcvr1JjoGjdHm9/3
+qnqC8fsTz8UndKNIQC337o4K0833bQMzRGl1/qjbAPit2B7E3b6xTZMCAQI=
+-----END DH PARAMETERS-----
diff --git a/test/fixtures/pkey/dh1024.pem b/test/openssl/fixtures/pkey/dh1024.pem
index f99c757f..f99c757f 100644
--- a/test/fixtures/pkey/dh1024.pem
+++ b/test/openssl/fixtures/pkey/dh1024.pem
diff --git a/test/fixtures/pkey/dsa1024.pem b/test/openssl/fixtures/pkey/dsa1024.pem
index 1bf49889..1bf49889 100644
--- a/test/fixtures/pkey/dsa1024.pem
+++ b/test/openssl/fixtures/pkey/dsa1024.pem
diff --git a/test/fixtures/pkey/dsa256.pem b/test/openssl/fixtures/pkey/dsa256.pem
index d9a407f7..d9a407f7 100644
--- a/test/fixtures/pkey/dsa256.pem
+++ b/test/openssl/fixtures/pkey/dsa256.pem
diff --git a/test/fixtures/pkey/dsa512.pem b/test/openssl/fixtures/pkey/dsa512.pem
index 962c41cc..962c41cc 100644
--- a/test/fixtures/pkey/dsa512.pem
+++ b/test/openssl/fixtures/pkey/dsa512.pem
diff --git a/test/fixtures/pkey/p256.pem b/test/openssl/fixtures/pkey/p256.pem
index 97c97d9f..97c97d9f 100644
--- a/test/fixtures/pkey/p256.pem
+++ b/test/openssl/fixtures/pkey/p256.pem
diff --git a/test/openssl/fixtures/pkey/rsa-1.pem b/test/openssl/fixtures/pkey/rsa-1.pem
new file mode 100644
index 00000000..bd5a624f
--- /dev/null
+++ b/test/openssl/fixtures/pkey/rsa-1.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJJwIBAAKCAgEArIEJUYZrXhMfUXXdl2gLcXrRB4ciWNEeXt5UVLG0nPhygZwJ
+xis8tOrjXOJEpUXUsfgF35pQiJLD4T9/Vp3zLFtMOOQjOR3AxjIelbH9KPyGFEr9
+TcPtsJ24zhcG7RbwOGXR4iIcDaTx+bCLSAd7BjG3XHQtyeepGGRZkGyGUvXjPorH
+XP+dQjQnMd09wv0GMZSqQ06PedUUKQ4PJRfMCP+mwjFP+rB3NZuThF0CsNmpoixg
+GdoQ591Yrf5rf2Bs848JrYdqJlKlBL6rTFf2glHiC+mE5YRny7RZtv/qIkyUNotV
+ce1cE0GFrRmCpw9bqulDDcgKjFkhihTg4Voq0UYdJ6Alg7Ur4JerKTfyCaRGF27V
+fh/g2A2/6Vu8xKYYwTAwLn+Tvkx9OTVZ1t15wM7Ma8hHowNoO0g/lWkeltgHLMji
+rmeuIYQ20BQmdx2RRgWKl57D0wO/N0HIR+Bm4vcBoNPgMlk9g5WHA6idHR8TLxOr
+dMMmTiWfefB0/FzGXBv7DuuzHN3+urdCvG1QIMFQ06kHXhr4rC28KbWIxg+PJGM8
+oGNEGtGWAOvi4Ov+BVsIdbD5Sfyb4nY3L9qqPl6TxRxMWTKsYCYx11jC8civCzOu
+yL1z+wgIICJ6iGzrfYf6C2BiNV3BC1YCtp2XsG+AooIxCwjL2CP/54MuRnUCAwEA
+AQKCAgAP4+8M0HoRd2d6JIZeDRqIwIyCygLy9Yh7qrVP+/KsRwKdR9dqps73x29c
+Pgeexdj67+Lynw9uFT7v/95mBzTAUESsNO+9sizw1OsWVQgB/4kGU4YT5Ml/bHf6
+nApqSqOkPlTgJM46v4f+vTGHWBEQGAJRBO62250q/wt1D1osSDQ/rZ8BxRYiZBV8
+NWocDRzF8nDgtFrpGSS7R21DuHZ2Gb6twscgS6MfkA49sieuTM6gfr/3gavu/+fM
+V1Rlrmc65GE61++CSjijQEEdTjkJ9isBd+hjEBhTnnBpOBfEQxOgFqOvU/MYXv/G
+W0Q6yWJjUwt3OIcoOImrY5L3j0vERneA1Alweqsbws3fXXMjA+jhLxlJqjPvSAKc
+POi7xu7QCJjSSLAzHSDPdmGmfzlrbdWS1h0mrC5YZYOyToLajfnmAlXNNrytnePg
+JV9/1136ZFrJyEi1JVN3kyrC+1iVd1E+lWK0U1UQ6/25tJvKFc1I+xToaUbK10UN
+ycXib7p2Zsc/+ZMlPRgCxWmpIHmKhnwbO7vtRunnnc6wzhvlQQNHWlIvkyQukV50
+6k/bzWw0M6A98B4oCICIcxcpS3njDlHyL7NlkCD+/OfZp6X3RZF/m4grmA2doebz
+glsaNMyGHFrpHkHq19Y63Y4jtBdW/XuBv06Cnr4r3BXdjEzzwQKCAQEA5bj737Nk
+ZLA0UgzVVvY67MTserTOECIt4i37nULjRQwsSFiz0AWFOBwUCBJ5N2qDEelbf0Fa
+t4VzrphryEgzLz/95ZXi+oxw1liqCHi8iHeU2wSclDtx2jKv2q7bFvFSaH4CKC4N
+zBJNfP92kdXuAjXkbK/jWwr64fLNh/2KFWUAmrYmtGfnOjjyL+yZhPxBatztE58q
+/T61pkvP9NiLfrr7Xq8fnzrwqGERhXKueyoK6ig9ZJPZ2VTykMUUvNYJJ7OYQZru
+EYA3zkuEZifqmjgF57Bgg7dkkIh285TzH3CNf3MCMTmjlWVyHjlyeSPYgISB9Mys
+VKKQth+SvYcChQKCAQEAwDyCcolA7+bQBfECs6GXi7RYy2YSlx562S5vhjSlY9Ko
+WiwVJWviF7uSBdZRnGUKoPv4K4LV34o2lJpSSTi5Xgp7FH986VdGePe3p4hcXSIZ
+NtsKImLVLnEjrmkZExfQl7p0MkcU/LheCf/eEZVp0Z84O54WCs6GRm9wHYIUyrag
+9FREqqxTRVNhQQ2EDVGq1slREdwB+aygE76axK/qosk0RaoLzGZiMn4Sb8bpJxXO
+mee+ftq5bayVltfR0DhC8eHkcPPFeQMll1g+ML7HbINwHTr01ONm3cFUO4zOLBOO
+ws/+vtNfiv6S/lO1RQSRoiApbENBLdSc3V8Cy70PMQKCAQBOcZN4uP5gL5c+KWm0
+T1KhxUDnSdRPyAwY/xC7i7qlullovvlv4GK0XUot03kXBkUJmcEHvF5o6qYtCZlM
+g/MOgHCHtF4Upl5lo1M0n13pz8PB4lpBd+cR1lscdrcTp4Y3bkf4RnmppNpXA7kO
+ZZnnoVWGE620ShSPkWTDuj0rvxisu+SNmClqRUXWPZnSwnzoK9a86443efF3fs3d
+UxCXTuxFUdGfgvXo2XStOBMCtcGSYflM3fv27b4C13mUXhY0O2yTgn8m9LyZsknc
+xGalENpbWmwqrjYl8KOF2+gFZV68FZ67Bm6otkJ4ta80VJw6joT9/eIe6IA34KIw
+G+ktAoIBAFRuPxzvC4ZSaasyX21l25mQbC9pdWDKEkqxCmp3VOyy6R4xnlgBOhwS
+VeAacV2vQyvRfv4dSLIVkkNSRDHEqCWVlNk75TDXFCytIAyE54xAHbLqIVlY7yim
+qHVB07F/FC6PxdkPPziAAU2DA5XVedSHibslg6jbbD4jU6qiJ1+hNrAZEs+jQC+C
+n4Ri20y+Qbp0URb2+icemnARlwgr+3HjzQGL3gK4NQjYNmDBjEWOXl9aWWB90FNL
+KahGwfAhxcVW4W56opCzwR7nsujV4eDXGba83itidRuQfd5pyWOyc1E86TYGwD/b
+79OkEElv6Ea8uXTDVS075GmWATRapQECggEAd9ZAbyT+KouTfi2e6yLOosxSZfns
+eF06QAJi5n9GOtdfK5fqdmHJqJI7wbubCnd0oxPeL71lRjrOAMXufaQRdZtfXSMn
+B1TljteNrh1en5xF451rCPR/Y6tNKBvIKnhy1waO27/vA+ovXrm17iR9rRuGZ29i
+IurlKA6z/96UdrSdpqITTCyTjSOBYg34f49ueGjlpL4+8HJq2wor4Cb1Sbv8ErqA
+bsQ/Jz+KIGUiuFCfNa6d6McPRXIrGgzpprXgfimkV3nj49QyrnuCF/Pc4psGgIaN
+l3EiGXzRt/55K7DQVadtbcjo9zREac8QnDD6dS/gOfJ82L7frQfMpNWgQA==
+-----END RSA PRIVATE KEY-----
diff --git a/test/openssl/fixtures/pkey/rsa-2.pem b/test/openssl/fixtures/pkey/rsa-2.pem
new file mode 100644
index 00000000..e4fd4f43
--- /dev/null
+++ b/test/openssl/fixtures/pkey/rsa-2.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEA1HUbx825tG7+/ulC5DpDogzXqM2/KmeCwGXZY4XjiWa+Zj7b
+ECkZwQh7zxFUsPixGqQKJSyFwCogdaPzYTRNtqKKaw/IWS0um1PTn4C4/9atbIsf
+HVKu/fWg4VrZL+ixFIZxa8Z6pvTB2omMcx+uEzbXPsO01i1pHf7MaWBxUDGFyC9P
+lASJBfFZAf2Ar1H99OTS4SP+gxM9Kk5tcc22r8uFiqqbhJmQNSDApdHvT1zSZxAc
+T1BFEZqfmR0B0UegPyJc/9hW0dYpB9JjR29UaZRSta3LUMpqltoOF5bzaKVgMuBm
+Qy79xJ71LjGp8bKhgRaWXyPsDzAC0MQlOW6En0v8LK8fntivJEvw9PNOMcZ8oMTn
+no0NeVt32HiQJW8LIVo7dOLVFtguSBMWUVe8mdKbuIIULD6JlSYke9Ob6andUhzO
+U79m/aRWs2yjD6o5QAktjFBARdPgcpTdWfppc8xpJUkQgRmVhINoIMT9W6Wl898E
+P4aPx6mRV/k05ellN3zRgd9tx5dyNuj3RBaNmR47cAVvGYRQgtH9bQYs6jtf0oer
+A5yIYEKspNRlZZJKKrQdLflQFOEwjQJyZnTk7Mp0y21wOuEGgZBexew55/hUJDC2
+mQ8CqjV4ki/Mm3z6Cw3jXIMNBJkH7oveBGSX0S9bF8A/73oOCU3W/LkORxECAwEA
+AQKCAgBLK7RMmYmfQbaPUtEMF2FesNSNMV72DfHBSUgFYpYDQ4sSeiLgMOqf1fSY
+azVf+F4RYwED7iDUwRMDDKNMPUlR2WjIQKlOhCH9a0dxJAZQ3xA1W3QC2AJ6cLIf
+ihlWTip5bKgszekPsYH1ZL2A7jCVM84ssuoE7cRHjKOelTUCfsMq9TJe2MvyglZP
+0fX6EjSctWm3pxiiH+iAU4d9wJ9my8fQLFUiMYNIiPIguYrGtbzsIlMh7PDDLcZS
+UmUWOxWDwRDOpSjyzadu0Q23dLiVMpmhFoDdcQENptFdn1c4K2tCFQuZscKwEt4F
+HiVXEzD5j5hcyUT4irA0VXImQ+hAH3oSDmn7wyHvyOg0bDZpUZXEHXb83Vvo54/d
+Fb4AOUva1dwhjci8CTEMxCENMy/CLilRv46AeHbOX8KMPM7BnRSJPptvTTh/qB9C
+HI5hxfkO+EOYnu0kUlxhJfrqG86H4IS+zA8HWiSEGxQteMjUQfgJoBzJ94YChpzo
+ePpKSpjxxl1PNNWKxWM3yUvlKmI2lNl6YNC8JpF2wVg4VvYkG7iVjleeRg21ay89
+NCVMF98n3MI5jdzfDKACnuYxg7sw+gjMy8PSoFvQ5pvHuBBOpa8tho6vk7bLJixT
+QY5uXMNQaO6OwpkBssKpnuXhIJzDhO48nSjJ5nUEuadPH1nGwQKCAQEA7twrUIMi
+Vqze/X6VyfEBnX+n3ZyQHLGqUv/ww1ZOOHmSW5ceC4GxHa8EPDjoh9NEjYffwGq9
+bfQh9Gntjk5gFipT/SfPrIhbPt59HthUqVvOGgSErCmn0vhsa0+ROpVi4K2WHS7O
+7SEwnoCWd6p1omon2olVY0ODlMH4neCx/ZuKV8SRMREubABlL8/MLp37AkgKarTY
+tewd0lpaZMvsjOhr1zVCGUUBxy87Fc7OKAcoQY8//0r8VMH7Jlga7F2PKVPzqRKf
+tjeW5jMAuRxTqtEdIeclJZwvUMxvb23BbBE+mtvKpXv69TB3DK8T1YIkhW2CidZW
+lad4MESC+QFNbQKCAQEA47PtULM/0ZFdE+PDDHOa2kJ2arm94sVIqF2168ZLXR69
+NkvCWfjkUPDeejINCx7XQgk0d/+5BCvrJpcM7lE4XfnYVNtPpct1el6eTfaOcPU8
+wAMsnq5n9Mxt02U+XRPtEqGk+lt0KLPDDSG88Z7jPmfftigLyPH6i/ZJyRUETlGk
+rGnWSx/LFUxQU5aBa2jUCjKOKa+OOk2jGg50A5Cmk26v9sA/ksOHisMjfdIpZc9P
+r4R0IteDDD5awlkWTF++5u1GpgU2yav4uan0wzY8OWYFzVyceA6+wffEcoplLm82
+CPd/qJOB5HHkjoM+CJgfumFxlNtdowKvKNUxpoQNtQKCAQEAh3ugofFPp+Q0M4r6
+gWnPZbuDxsLIR05K8vszYEjy4zup1YO4ygQNJ24fM91/n5Mo/jJEqwqgWd6w58ax
+tRclj00BCMXtGMrbHqTqSXWhR9LH66AGdPTHuXWpYZDnKliTlic/z1u+iWhbAHyl
+XEj2omIeKunc4gnod5cyYrKRouz3omLfi/pX33C19FGkWgjH2HpuViowBbhhDfCr
+9yJoEWC/0njl/hlTMdzLYcpEyxWMMuuC/FZXG+hPgWdWFh3XVzTEL3Fd3+hWEkp5
+rYWwu2ITaSiHvHaDrAvZZVXW8WoynXnvzr+tECgmTq57zI4eEwSTl4VY5VfxZ0dl
+FsIzXQKCAQBC07GYd6MJPGJWzgeWhe8yk0Lxu6WRAll6oFYd5kqD/9uELePSSAup
+/actsbbGRrziMpVlinWgVctjvf0bjFbArezhqqPLgtTtnwtS0kOnvzGfIM9dms4D
+uGObISGWa5yuVSZ4G5MRxwA9wGMVfo4u6Iltin868FmZ7iRlkXd8DNYJi95KmgAe
+NhF1FrzQ6ykf/QpgDZfuYI63vPorea6JonieMHn39s622OJ3sNBZguheGL+E4j8h
+vsMgOskijQ8X8xdC7lDQC1qqEsk06ZvvNJQLW1zIl3tArhjHjPp5EEaJhym+Ldx3
+UT3E3Zu9JfhZ2PNevqrShp0lnLw/pI3pAoIBAAUMz5Lj6V9ftsl1pTa8WDFeBJW0
+Wa5AT1BZg/ip2uq2NLPnA5JWcD+v682fRSvIj1pU0DRi6VsXlzhs+1q3+sgqiXGz
+u2ArFylh8TvC1gXUctXKZz/M3Rqr6aSNoejUGLmvHre+ja/k6Zwmu6ePtB7dL50d
+6+xMTYquS4gLbrbSLcEu3iBAAnvRLreXK4KguPxaBdICB7v7epdpAKe3Z7hp/sst
+eJj1+6KRdlcmt8fh5MPkBBXa6I/9XGmX5UEo7q4wAxeM9nuFWY3watz/EO9LiO6P
+LmqUSWL65m4cX0VZPvhYEsHppKi1eoWGlHqS4Af5+aIXi2alu2iljQFeA+Q=
+-----END RSA PRIVATE KEY-----
diff --git a/test/openssl/fixtures/pkey/rsa-3.pem b/test/openssl/fixtures/pkey/rsa-3.pem
new file mode 100644
index 00000000..6c9c9ced
--- /dev/null
+++ b/test/openssl/fixtures/pkey/rsa-3.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEAzn+YCcOh7BIRzrb7TEuhQLD545+/Fx/zCYO3l+y/8ogUxMTg
+LG5HrcXlX3JP796ie90/GHIf8/lwczVhP1jk/keYjkwoTYDt477R7KRcJPyGqHRr
+qLp7AnZxtz3JLNboTgO3bAYzlvtsSKU/R3oehBbGHzEWCP2UEYj/Kky0zpcjkhZU
+jiErr9ARPq8+dOGqBf+CE2NLKYC1bu8hZe9AddvvN2SvfMN6uhJtEGZO1k8tScwf
+AyvPJ1Po/6z08pzMAgfBUCE95waAVeYJWIOlnNB4eEievzlXdPB9vEt8OOwtWfQX
+V8xyMsoKeAW05s413E0eTYx1aulFXdWwG2mWEBRtNzKF1iBudlg1a3x1zThWi1pY
+jW5vROvoWZMCbl9bYQ/LxOCVqDoUl86+NPEGeuESMzm5NvOQA2e0Ty5wphnt9M19
+Wcc8neBhb6iCGqYzxWNvUYXZWUv1+/MrPHKyJuv7MSivwtctfp8SacUGxkd6T+u6
+V6ntHf3qtN/5pAmni6nzUTgjC65MS0LEhi/RTzwafkIfifeJH7/LqFtjrursuwua
++p9lkACck/J5TpzaAfLroFQuepP8qgeq1cpD5Iii56IJ+FPSnkvesHuRUmZIkhtR
+VVsVqMaNPv/Uzc02bOaRXWP4auUY91mDKx/FDmORa9YCDQxMkKke05SWQ90CAwEA
+AQKCAgA0+B/c6VTgxGXS+7cMhB3yBTOkgva2jNh/6Uyv6Of345ZIPyQt4X/7gFbt
+G9qLcjWFxmQH9kZiA+snclrmr/vVijIE1l5EOz1KfUlGBYcpaal1DqALIQKqyA01
+buDq4pmmYWesiw6yvP2yyMipohav1VOu7p1zYvCXaufhRtneYICcWaQI7VNSfvHd
+fYBs5PIDJd6M8Jx4Ie7obOjJSAzl7qu3LtmhDFev4Ugeu8+fQ6IfWv/dhWBW+zw6
+UXhnv3bJUonw7wX8+/rxjdd54BMcXZF5cU9fR+s6MPJf2ZEc3OBpQaa3O9dTVeZH
+kVctGVpRj2qlg9EewoWro0PQVE5Mjah+mdFhPAHWoGl1xht6xJmg0uHYxMCzbUSz
+7NSS3knR0qieFvsp5ESY72i7DnQsbhbn6mTuYdVtm9bphxifAWCP3jFdft/bjtSF
+4yuPI7Qga+3m0B8QhtbWhEzPVon6NyiY7qfa6qllp0opEbw2hE22uGFFNJo2mpPa
+pe9VwARtD0IyfeklE7KrBEwV8NjTaAipZTZODw0w/dt4K3dOiePDl3pPWjmERpVg
+Lkw7XSCMtu5X87I1BbfOYbQhOXksPY+W9Asf6ETBeIZ8bD6Iypuk2ssool1lukqv
+yq1Y8gbR9B2x91ftYwXgzqBSvd8PFNsaXWLD3nrai2G1vb81lQKCAQEA6W02eZcN
+7wJfkqNokcuqhc5OKXH14gVIRV+KocG6f3vg88wrCg5J2GqNhBFuwVrafJjRenm6
+C8zWdneeyrl6cztgbaySw7kXnqFdTBiuOT8bhiG5NTPjDQ109EucaTbZU9KUXk6k
+ChPlr4G6IPrONpvi/9BvDDZLZkwR6uIg1kFWBy9kZaxFUEIug02hrbkTpPtnEUrO
+r3nG0QL/D0vf+bm4YHIVRMH2O2ZTTWexMw9XlfCe1+WjbJ+PS35QRCRDcRdWHXDb
+HnIFIAajtH5LtaJLgWUYq3B25WkQYtbHmFkm94sp/G4trb8JIJGzVO8cj9t6KeAT
+LG+tk8OqplqsYwKCAQEA4ne81KXx8VNwsKVFqwmiDIoi1q3beNa2hoXdzAMrnYdj
+iLxbfCVgrKPav9hdfXPBncHaNlGsd2G5W1a1UsOr128lTdfBsgm1RVPhVMKvo3fl
+yUnWajtAR1q3tVEUhuFlbJ/RHEtxJaGrzudYCPWQiYhydpDgSckbxD8PuElEgFBX
+O91vnWZEjMsxrABWiZNBxmtBUEv+fjUU/9USYzO4sN79UeD1+ZuBxPFwscsRcjLr
+bPgZWOwiywH6UmQ+DJTzeu0wJ6jgPoy/pgEujsbPDz1wNos6NhA/RQv31QeX33/B
+7/F5XKNmbJ2AFb/B+xTaTQPg0pjT5Exm+HrNU5OivwKCAQEAsLLVi9FG4OiBBHXi
+UItFuChljoYPxVqOTMV4Id6OmLZjoOmqouASElsGaTTxDDkEL1FXMUk4Bnq21dLT
+R06EXPpTknISX0qbkJ9CCrqcGAWnhi+9DYMLmvPW1p7t9c9pUESVv5X0IxTQx7yB
+8zkoJLp4aYGUrj/jb7qhzZYDmWy3/JRpgXWYupp+rzJy8xiowDj22mYwczDRyaJl
+BWVAVL+7zHZPl07kYC6jXHLj9mzktkIBXBkfTriyNkmV5R82VkN+Eqc9l5xkOMwN
+3DHGieYjFf47YHuv5RVVLBy91puWHckgrU+SEHYOKLNidybSDivsHArdOMQJN1Pk
+uCznVQKCAQAYY7DQbfa6eLQAMixomSb8lrvdxueGAgmyPyR93jGKS5Rqm2521ket
+EBB07MZUxmyposDvbKhYSwv9TD9G5I/TKcMouP3BQM5m4vu3dygXQMhcfzk6Q5tO
+k/SI8Gx3gjq8EhIhK/bJiLnKFJwkit3AEhPRtRSSnbgB0JDO1gUslHpwlg55MxRa
+3V9CGN84/cTtq4tjLGwCB5F1Y+sRB/byBXHeqY2UDi1Rmnb6jtYYKGe2WpnQO84b
+cuEUknskO75lFLpE6ykLU3koVaQ/+CVAjOtS1He2btWBiCJurNysU0P9pVHeqjJT
+rDqpHPe1JK/F74783zyir5+/Tuph/9pdAoIBAANPdFRQkJVH8K6iuhxQk6vFqiYB
+MUxpIVeLonD0p9TgMdezVNESht/AIutc0+5wabM45XuDWFRTuonvcE8lckv2Ux3a
+AvSsamjuesxw2YmkEtzZouVqDU0+oxppQJiwBG3MiaHX9F5IfnK6YmQ6xPwZ6MXi
+9feq1jR4KOc1ZrHtRMNgjnBWEFWroGe3FHgV7O133hpMSshRFmwcbE0nAaDr82U9
+sl8dclDjEKBxaqjAeNajOr+BU0w0AAwWXL7dt/ctG2QClcj9wqbEfsXnOR10h4AI
+rqkcvQrOLbTwcrOD/6R1rQfQXtEHKf1maThxosootAQZXdf6jxU3oonx3tU=
+-----END RSA PRIVATE KEY-----
diff --git a/test/fixtures/pkey/rsa1024.pem b/test/openssl/fixtures/pkey/rsa1024.pem
index 464de074..464de074 100644
--- a/test/fixtures/pkey/rsa1024.pem
+++ b/test/openssl/fixtures/pkey/rsa1024.pem
diff --git a/test/fixtures/pkey/rsa2048.pem b/test/openssl/fixtures/pkey/rsa2048.pem
index ac89cd88..ac89cd88 100644
--- a/test/fixtures/pkey/rsa2048.pem
+++ b/test/openssl/fixtures/pkey/rsa2048.pem
diff --git a/test/test_asn1.rb b/test/openssl/test_asn1.rb
index 11707037..af069cad 100644
--- a/test/test_asn1.rb
+++ b/test/openssl/test_asn1.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
@@ -14,7 +14,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
["keyUsage","keyCertSign, cRLSign",true],
["subjectKeyIdentifier","hash",false],
]
- dgst = OpenSSL::Digest::SHA1.new
+ dgst = OpenSSL::Digest.new('SHA1')
cert = OpenSSL::TestUtils.issue_cert(
subj, key, s, exts, nil, nil, digest: dgst, not_before: now, not_after: now+3600)
@@ -167,7 +167,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
assert_equal(OpenSSL::ASN1::OctetString, ext.value[2].class)
extv = OpenSSL::ASN1.decode(ext.value[2].value)
assert_equal(OpenSSL::ASN1::BitString, extv.class)
- str = "\000"; str[0] = 0b00000110.chr
+ str = +"\000"; str[0] = 0b00000110.chr
assert_equal(str, extv.value)
ext = extensions.value[0].value[2] # subjetKeyIdentifier
@@ -178,7 +178,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
assert_equal(OpenSSL::ASN1::OctetString, ext.value[1].class)
extv = OpenSSL::ASN1.decode(ext.value[1].value)
assert_equal(OpenSSL::ASN1::OctetString, extv.class)
- sha1 = OpenSSL::Digest::SHA1.new
+ sha1 = OpenSSL::Digest.new('SHA1')
sha1.update(pkey.value[1].value)
assert_equal(sha1.digest, extv.value)
@@ -189,7 +189,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
assert_equal(OpenSSL::ASN1::Null, pkey.value[0].value[1].class)
assert_equal(OpenSSL::ASN1::BitString, sig_val.class)
- cululated_sig = key.sign(OpenSSL::Digest::SHA1.new, tbs_cert.to_der)
+ cululated_sig = key.sign(OpenSSL::Digest.new('SHA1'), tbs_cert.to_der)
assert_equal(cululated_sig, sig_val.value)
end
@@ -332,6 +332,32 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
pend "OBJ_obj2txt() not working (LibreSSL?)" if $!.message =~ /OBJ_obj2txt/
raise
end
+
+ aki = [
+ OpenSSL::ASN1::ObjectId.new("authorityKeyIdentifier"),
+ OpenSSL::ASN1::ObjectId.new("X509v3 Authority Key Identifier"),
+ OpenSSL::ASN1::ObjectId.new("2.5.29.35")
+ ]
+
+ ski = [
+ OpenSSL::ASN1::ObjectId.new("subjectKeyIdentifier"),
+ OpenSSL::ASN1::ObjectId.new("X509v3 Subject Key Identifier"),
+ OpenSSL::ASN1::ObjectId.new("2.5.29.14")
+ ]
+
+ aki.each do |a|
+ aki.each do |b|
+ assert a == b
+ end
+
+ ski.each do |b|
+ refute a == b
+ end
+ end
+
+ assert_raise(TypeError) {
+ OpenSSL::ASN1::ObjectId.new("authorityKeyIdentifier") == nil
+ }
end
def test_sequence
@@ -635,6 +661,11 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
assert_equal data, seq.entries
end
+ # Very time consuming test.
+ # def test_gc_stress
+ # assert_ruby_status(['--disable-gems', '-eGC.stress=true', '-erequire "openssl.so"'])
+ # end
+
private
def B(ary)
diff --git a/test/test_bn.rb b/test/openssl/test_bn.rb
index 274afba3..547d334c 100644
--- a/test/test_bn.rb
+++ b/test/openssl/test_bn.rb
@@ -1,5 +1,5 @@
# coding: us-ascii
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
require "prime"
@@ -15,6 +15,10 @@ class OpenSSL::TestBN < OpenSSL::TestCase
end
def test_new
+ assert_raise(ArgumentError) { OpenSSL::BN.new }
+ assert_raise(ArgumentError) { OpenSSL::BN.new(nil) }
+ assert_raise(ArgumentError) { OpenSSL::BN.new(nil, 2) }
+
assert_equal(@e1, OpenSSL::BN.new("999"))
assert_equal(@e1, OpenSSL::BN.new("999", 10))
assert_equal(@e1, OpenSSL::BN.new("\x03\xE7", 2))
@@ -272,6 +276,11 @@ class OpenSSL::TestBN < OpenSSL::TestCase
assert_equal(0, @e1.ucmp(-999))
assert_instance_of(String, @e1.hash.to_s)
end
+
+ def test_argument_error
+ bug15760 = '[ruby-core:92231] [Bug #15760]'
+ assert_raise(ArgumentError, bug15760) { OpenSSL::BN.new(nil, 2) }
+ end
end
end
diff --git a/test/test_buffering.rb b/test/openssl/test_buffering.rb
index c85a6f02..7575c5b4 100644
--- a/test/test_buffering.rb
+++ b/test/openssl/test_buffering.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
@@ -10,7 +10,7 @@ class OpenSSL::TestBuffering < OpenSSL::TestCase
attr_accessor :sync
def initialize
- @io = ""
+ @io = Buffer.new
def @io.sync
true
end
@@ -41,6 +41,13 @@ class OpenSSL::TestBuffering < OpenSSL::TestCase
@io = IO.new
end
+ def test_encoding
+ @io.write '😊'
+ @io.flush
+
+ assert_equal @io.string.encoding, Encoding::BINARY
+ end
+
def test_flush
@io.write 'a'
diff --git a/test/test_cipher.rb b/test/openssl/test_cipher.rb
index d83fa4ec..65b36dd1 100644
--- a/test/test_cipher.rb
+++ b/test/openssl/test_cipher.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
@@ -36,8 +36,8 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
cipher.pkcs5_keyivgen(pass, salt, num, "MD5")
s1 = cipher.update(pt) << cipher.final
- d1 = num.times.inject(pass + salt) {|out, _| OpenSSL::Digest::MD5.digest(out) }
- d2 = num.times.inject(d1 + pass + salt) {|out, _| OpenSSL::Digest::MD5.digest(out) }
+ d1 = num.times.inject(pass + salt) {|out, _| OpenSSL::Digest.digest('MD5', out) }
+ d2 = num.times.inject(d1 + pass + salt) {|out, _| OpenSSL::Digest.digest('MD5', out) }
key = (d1 + d2)[0, 24]
iv = (d1 + d2)[24, 8]
cipher = new_encryptor("DES-EDE3-CBC", key: key, iv: iv)
@@ -148,12 +148,12 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
def test_AES
pt = File.read(__FILE__)
%w(ECB CBC CFB OFB).each{|mode|
- c1 = OpenSSL::Cipher::AES256.new(mode)
+ c1 = OpenSSL::Cipher.new("AES-256-#{mode}")
c1.encrypt
c1.pkcs5_keyivgen("passwd")
ct = c1.update(pt) + c1.final
- c2 = OpenSSL::Cipher::AES256.new(mode)
+ c2 = OpenSSL::Cipher.new("AES-256-#{mode}")
c2.decrypt
c2.pkcs5_keyivgen("passwd")
assert_equal(pt, c2.update(ct) + c2.final)
@@ -163,7 +163,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
def test_update_raise_if_key_not_set
assert_raise(OpenSSL::Cipher::CipherError) do
# it caused OpenSSL SEGV by uninitialized key [Bug #2768]
- OpenSSL::Cipher::AES128.new("ECB").update "." * 17
+ OpenSSL::Cipher.new("AES-128-ECB").update "." * 17
end
end
@@ -174,6 +174,48 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
assert_not_predicate(cipher, :authenticated?)
end
+ def test_aes_ccm
+ # RFC 3610 Section 8, Test Case 1
+ key = ["c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"].pack("H*")
+ iv = ["00000003020100a0a1a2a3a4a5"].pack("H*")
+ aad = ["0001020304050607"].pack("H*")
+ pt = ["08090a0b0c0d0e0f101112131415161718191a1b1c1d1e"].pack("H*")
+ ct = ["588c979a61c663d2f066d0c2c0f989806d5f6b61dac384"].pack("H*")
+ tag = ["17e8d12cfdf926e0"].pack("H*")
+
+ kwargs = {auth_tag_len: 8, iv_len: 13, key: key, iv: iv}
+ cipher = new_encryptor("aes-128-ccm", **kwargs, ccm_data_len: pt.length, auth_data: aad)
+ assert_equal ct, cipher.update(pt) << cipher.final
+ assert_equal tag, cipher.auth_tag
+ cipher = new_decryptor("aes-128-ccm", **kwargs, ccm_data_len: ct.length, auth_tag: tag, auth_data: aad)
+ assert_equal pt, cipher.update(ct) << cipher.final
+
+ # truncated tag is accepted
+ cipher = new_encryptor("aes-128-ccm", **kwargs, ccm_data_len: pt.length, auth_data: aad)
+ assert_equal ct, cipher.update(pt) << cipher.final
+ assert_equal tag[0, 8], cipher.auth_tag(8)
+ cipher = new_decryptor("aes-128-ccm", **kwargs, ccm_data_len: ct.length, auth_tag: tag[0, 8], auth_data: aad)
+ assert_equal pt, cipher.update(ct) << cipher.final
+
+ # wrong tag is rejected
+ tag2 = tag.dup
+ tag2.setbyte(-1, (tag2.getbyte(-1) + 1) & 0xff)
+ cipher = new_decryptor("aes-128-ccm", **kwargs, ccm_data_len: ct.length, auth_tag: tag2, auth_data: aad)
+ assert_raise(OpenSSL::Cipher::CipherError) { cipher.update(ct) }
+
+ # wrong aad is rejected
+ aad2 = aad[0..-2] << aad[-1].succ
+ cipher = new_decryptor("aes-128-ccm", **kwargs, ccm_data_len: ct.length, auth_tag: tag, auth_data: aad2)
+ assert_raise(OpenSSL::Cipher::CipherError) { cipher.update(ct) }
+
+ # wrong ciphertext is rejected
+ ct2 = ct[0..-2] << ct[-1].succ
+ cipher = new_decryptor("aes-128-ccm", **kwargs, ccm_data_len: ct2.length, auth_tag: tag, auth_data: aad)
+ assert_raise(OpenSSL::Cipher::CipherError) { cipher.update(ct2) }
+ end if has_cipher?("aes-128-ccm") &&
+ OpenSSL::Cipher.new("aes-128-ccm").authenticated? &&
+ OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10101000 # version >= v1.1.1
+
def test_aes_gcm
# GCM spec Appendix B Test Case 4
key = ["feffe9928665731c6d6a8f9467308308"].pack("H*")
@@ -305,6 +347,21 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
}
end
+ def test_crypt_after_key
+ key = ["2b7e151628aed2a6abf7158809cf4f3c"].pack("H*")
+ %w'ecb cbc cfb ctr gcm'.each do |c|
+ cipher = OpenSSL::Cipher.new("aes-128-#{c}")
+ cipher.key = key
+ cipher.encrypt
+ assert_raise(OpenSSL::Cipher::CipherError) { cipher.update("") }
+
+ cipher = OpenSSL::Cipher.new("aes-128-#{c}")
+ cipher.key = key
+ cipher.decrypt
+ assert_raise(OpenSSL::Cipher::CipherError) { cipher.update("") }
+ end
+ end
+
private
def new_encryptor(algo, **kwargs)
diff --git a/test/test_config.rb b/test/openssl/test_config.rb
index a9339d68..f65392c1 100644
--- a/test/test_config.rb
+++ b/test/openssl/test_config.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
@@ -254,45 +254,54 @@ __EOC__
def test_sections
assert_equal(['CA_default', 'ca', 'default'], @it.sections.sort)
- @it['new_section'] = {'foo' => 'bar'}
- assert_equal(['CA_default', 'ca', 'default', 'new_section'], @it.sections.sort)
- @it['new_section'] = {}
- assert_equal(['CA_default', 'ca', 'default', 'new_section'], @it.sections.sort)
+ # OpenSSL::Config#[]= is deprecated
+ EnvUtil.suppress_warning do
+ @it['new_section'] = {'foo' => 'bar'}
+ assert_equal(['CA_default', 'ca', 'default', 'new_section'], @it.sections.sort)
+ @it['new_section'] = {}
+ assert_equal(['CA_default', 'ca', 'default', 'new_section'], @it.sections.sort)
+ end
end
def test_add_value
- c = OpenSSL::Config.new
- assert_equal("", c.to_s)
- # add key
- c.add_value('default', 'foo', 'bar')
- assert_equal("[ default ]\nfoo=bar\n\n", c.to_s)
- # add another key
- c.add_value('default', 'baz', 'qux')
- assert_equal('bar', c['default']['foo'])
- assert_equal('qux', c['default']['baz'])
- # update the value
- c.add_value('default', 'baz', 'quxxx')
- assert_equal('bar', c['default']['foo'])
- assert_equal('quxxx', c['default']['baz'])
- # add section and key
- c.add_value('section', 'foo', 'bar')
- assert_equal('bar', c['default']['foo'])
- assert_equal('quxxx', c['default']['baz'])
- assert_equal('bar', c['section']['foo'])
+ # OpenSSL::Config#add_value is deprecated
+ EnvUtil.suppress_warning do
+ c = OpenSSL::Config.new
+ assert_equal("", c.to_s)
+ # add key
+ c.add_value('default', 'foo', 'bar')
+ assert_equal("[ default ]\nfoo=bar\n\n", c.to_s)
+ # add another key
+ c.add_value('default', 'baz', 'qux')
+ assert_equal('bar', c['default']['foo'])
+ assert_equal('qux', c['default']['baz'])
+ # update the value
+ c.add_value('default', 'baz', 'quxxx')
+ assert_equal('bar', c['default']['foo'])
+ assert_equal('quxxx', c['default']['baz'])
+ # add section and key
+ c.add_value('section', 'foo', 'bar')
+ assert_equal('bar', c['default']['foo'])
+ assert_equal('quxxx', c['default']['baz'])
+ assert_equal('bar', c['section']['foo'])
+ end
end
def test_aset
- @it['foo'] = {'bar' => 'baz'}
- assert_equal({'bar' => 'baz'}, @it['foo'])
- @it['foo'] = {'bar' => 'qux', 'baz' => 'quxx'}
- assert_equal({'bar' => 'qux', 'baz' => 'quxx'}, @it['foo'])
-
- # OpenSSL::Config is add only for now.
- @it['foo'] = {'foo' => 'foo'}
- assert_equal({'foo' => 'foo', 'bar' => 'qux', 'baz' => 'quxx'}, @it['foo'])
- # you cannot override or remove any section and key.
- @it['foo'] = {}
- assert_equal({'foo' => 'foo', 'bar' => 'qux', 'baz' => 'quxx'}, @it['foo'])
+ # OpenSSL::Config#[]= is deprecated
+ EnvUtil.suppress_warning do
+ @it['foo'] = {'bar' => 'baz'}
+ assert_equal({'bar' => 'baz'}, @it['foo'])
+ @it['foo'] = {'bar' => 'qux', 'baz' => 'quxx'}
+ assert_equal({'bar' => 'qux', 'baz' => 'quxx'}, @it['foo'])
+
+ # OpenSSL::Config is add only for now.
+ @it['foo'] = {'foo' => 'foo'}
+ assert_equal({'foo' => 'foo', 'bar' => 'qux', 'baz' => 'quxx'}, @it['foo'])
+ # you cannot override or remove any section and key.
+ @it['foo'] = {}
+ assert_equal({'foo' => 'foo', 'bar' => 'qux', 'baz' => 'quxx'}, @it['foo'])
+ end
end
def test_each
@@ -315,32 +324,39 @@ __EOC__
end
def test_freeze
- c = OpenSSL::Config.new
- c['foo'] = [['key', 'value']]
- c.freeze
+ @it.freeze
- bug = '[ruby-core:18377]'
- # RuntimeError for 1.9, TypeError for 1.8
- e = assert_raise(TypeError, bug) do
- c['foo'] = [['key', 'wrong']]
+ # Modifying OpenSSL::Config produces a warning
+ EnvUtil.suppress_warning do
+ bug = '[ruby-core:18377]'
+ # RuntimeError for 1.9, TypeError for 1.8
+ e = assert_raise(TypeError, bug) do
+ @it['foo'] = [['key', 'wrong']]
+ end
+ assert_match(/can't modify/, e.message, bug)
end
- assert_match(/can't modify/, e.message, bug)
end
def test_dup
assert(!@it.sections.empty?)
c = @it.dup
assert_equal(@it.sections.sort, c.sections.sort)
- @it['newsection'] = {'a' => 'b'}
- assert_not_equal(@it.sections.sort, c.sections.sort)
+ # OpenSSL::Config#[]= is deprecated
+ EnvUtil.suppress_warning do
+ @it['newsection'] = {'a' => 'b'}
+ assert_not_equal(@it.sections.sort, c.sections.sort)
+ end
end
def test_clone
assert(!@it.sections.empty?)
c = @it.clone
assert_equal(@it.sections.sort, c.sections.sort)
- @it['newsection'] = {'a' => 'b'}
- assert_not_equal(@it.sections.sort, c.sections.sort)
+ # OpenSSL::Config#[]= is deprecated
+ EnvUtil.suppress_warning do
+ @it['newsection'] = {'a' => 'b'}
+ assert_not_equal(@it.sections.sort, c.sections.sort)
+ end
end
private
diff --git a/test/test_digest.rb b/test/openssl/test_digest.rb
index 2cb878b6..8d7046e8 100644
--- a/test/test_digest.rb
+++ b/test/openssl/test_digest.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
@@ -21,8 +21,8 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
@d1 << data
assert_equal(bin, @d1.digest)
assert_equal(hex, @d1.hexdigest)
- assert_equal(bin, OpenSSL::Digest::MD5.digest(data))
- assert_equal(hex, OpenSSL::Digest::MD5.hexdigest(data))
+ assert_equal(bin, OpenSSL::Digest.digest('MD5', data))
+ assert_equal(hex, OpenSSL::Digest.hexdigest('MD5', data))
end
def test_eql
@@ -54,13 +54,9 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
end
def test_digest_constants
- algs = %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512)
- if !libressl? && !openssl?(1, 1, 0)
- algs += %w(DSS1 SHA)
- end
- algs.each do |alg|
- assert_not_nil(OpenSSL::Digest.new(alg))
- klass = OpenSSL::Digest.const_get(alg)
+ %w{MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512}.each do |name|
+ assert_not_nil(OpenSSL::Digest.new(name))
+ klass = OpenSSL::Digest.const_get(name.tr('-', '_'))
assert_not_nil(klass.new)
end
end
@@ -80,15 +76,39 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
sha384_a = "54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31"
sha512_a = "1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75"
- assert_equal(sha224_a, OpenSSL::Digest::SHA224.hexdigest("a"))
- assert_equal(sha256_a, OpenSSL::Digest::SHA256.hexdigest("a"))
- assert_equal(sha384_a, OpenSSL::Digest::SHA384.hexdigest("a"))
- assert_equal(sha512_a, OpenSSL::Digest::SHA512.hexdigest("a"))
+ assert_equal(sha224_a, OpenSSL::Digest.hexdigest('SHA224', "a"))
+ assert_equal(sha256_a, OpenSSL::Digest.hexdigest('SHA256', "a"))
+ assert_equal(sha384_a, OpenSSL::Digest.hexdigest('SHA384', "a"))
+ assert_equal(sha512_a, OpenSSL::Digest.hexdigest('SHA512', "a"))
+
+ assert_equal(sha224_a, encode16(OpenSSL::Digest.digest('SHA224', "a")))
+ assert_equal(sha256_a, encode16(OpenSSL::Digest.digest('SHA256', "a")))
+ assert_equal(sha384_a, encode16(OpenSSL::Digest.digest('SHA384', "a")))
+ assert_equal(sha512_a, encode16(OpenSSL::Digest.digest('SHA512', "a")))
+ end
+
+ def test_sha512_truncate
+ pend "SHA512_224 is not implemented" unless digest_available?('SHA512-224')
+ sha512_224_a = "d5cdb9ccc769a5121d4175f2bfdd13d6310e0d3d361ea75d82108327"
+ sha512_256_a = "455e518824bc0601f9fb858ff5c37d417d67c2f8e0df2babe4808858aea830f8"
+
+ assert_equal(sha512_224_a, OpenSSL::Digest.hexdigest('SHA512-224', "a"))
+ assert_equal(sha512_256_a, OpenSSL::Digest.hexdigest('SHA512-256', "a"))
- assert_equal(sha224_a, encode16(OpenSSL::Digest::SHA224.digest("a")))
- assert_equal(sha256_a, encode16(OpenSSL::Digest::SHA256.digest("a")))
- assert_equal(sha384_a, encode16(OpenSSL::Digest::SHA384.digest("a")))
- assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a")))
+ assert_equal(sha512_224_a, encode16(OpenSSL::Digest.digest('SHA512-224', "a")))
+ assert_equal(sha512_256_a, encode16(OpenSSL::Digest.digest('SHA512-256', "a")))
+ end
+
+ def test_sha3
+ pend "SHA3 is not implemented" unless digest_available?('SHA3-224')
+ s224 = '6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7'
+ s256 = 'a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a'
+ s384 = '0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004'
+ s512 = 'a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26'
+ assert_equal(OpenSSL::Digest.hexdigest('SHA3-224', ""), s224)
+ assert_equal(OpenSSL::Digest.hexdigest('SHA3-256', ""), s256)
+ assert_equal(OpenSSL::Digest.hexdigest('SHA3-384', ""), s384)
+ assert_equal(OpenSSL::Digest.hexdigest('SHA3-512', ""), s512)
end
def test_digest_by_oid_and_name_sha2
@@ -116,6 +136,14 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
d = OpenSSL::Digest.new(oid.oid)
assert_not_nil(d)
end
+
+ def digest_available?(name)
+ begin
+ OpenSSL::Digest.new(name)
+ rescue RuntimeError
+ false
+ end
+ end
end
end
diff --git a/test/test_engine.rb b/test/openssl/test_engine.rb
index bb1123d5..1ede6ed0 100644
--- a/test/test_engine.rb
+++ b/test/openssl/test_engine.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL) && defined?(OpenSSL::Engine)
@@ -47,7 +47,7 @@ class OpenSSL::TestEngine < OpenSSL::TestCase
digest = engine.digest("SHA1")
assert_not_nil(digest)
data = "test"
- assert_equal(OpenSSL::Digest::SHA1.digest(data), digest.digest(data))
+ assert_equal(OpenSSL::Digest.digest('SHA1', data), digest.digest(data))
end;
end
diff --git a/test/test_fips.rb b/test/openssl/test_fips.rb
index a577d789..8cd474f9 100644
--- a/test/test_fips.rb
+++ b/test/openssl/test_fips.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
diff --git a/test/test_hmac.rb b/test/openssl/test_hmac.rb
index 831a5b6b..9cb3c5a8 100644
--- a/test/test_hmac.rb
+++ b/test/openssl/test_hmac.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
@@ -39,6 +39,16 @@ class OpenSSL::TestHMAC < OpenSSL::TestCase
second = h1.update("test").hexdigest
assert_equal first, second
end
+
+ def test_eq
+ h1 = OpenSSL::HMAC.new("KEY", "MD5")
+ h2 = OpenSSL::HMAC.new("KEY", OpenSSL::Digest.new("MD5"))
+ h3 = OpenSSL::HMAC.new("FOO", "MD5")
+
+ assert_equal h1, h2
+ refute_equal h1, h2.digest
+ refute_equal h1, h3
+ end
end
end
diff --git a/test/test_kdf.rb b/test/openssl/test_kdf.rb
index 5e1db80c..f4790c96 100644
--- a/test/test_kdf.rb
+++ b/test/openssl/test_kdf.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
diff --git a/test/test_ns_spki.rb b/test/openssl/test_ns_spki.rb
index aa1e6182..ed3be86e 100644
--- a/test/test_ns_spki.rb
+++ b/test/openssl/test_ns_spki.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
@@ -9,7 +9,7 @@ class OpenSSL::TestNSSPI < OpenSSL::TestCase
# This request data is adopt from the specification of
# "Netscape Extensions for User Key Generation".
# -- http://wp.netscape.com/eng/security/comm4-keygen.html
- @b64 = "MIHFMHEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAnX0TILJrOMUue+PtwBRE6XfV"
+ @b64 = +"MIHFMHEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAnX0TILJrOMUue+PtwBRE6XfV"
@b64 << "WtKQbsshxk5ZhcUwcwyvcnIq9b82QhJdoACdD34rqfCAIND46fXKQUnb0mvKzQID"
@b64 << "AQABFhFNb3ppbGxhSXNNeUZyaWVuZDANBgkqhkiG9w0BAQQFAANBAAKv2Eex2n/S"
@b64 << "r/7iJNroWlSzSMtTiQTEB+ADWHGj9u1xrUrOilq/o2cuQxIfZcNZkYAkWP4DubqW"
@@ -22,7 +22,7 @@ class OpenSSL::TestNSSPI < OpenSSL::TestCase
spki = OpenSSL::Netscape::SPKI.new
spki.challenge = "RandomString"
spki.public_key = key1.public_key
- spki.sign(key1, OpenSSL::Digest::SHA1.new)
+ spki.sign(key1, OpenSSL::Digest.new('SHA1'))
assert(spki.verify(spki.public_key))
assert(spki.verify(key1.public_key))
assert(!spki.verify(key2.public_key))
diff --git a/test/test_ocsp.rb b/test/openssl/test_ocsp.rb
index 50ad6c31..b3c4caf5 100644
--- a/test/test_ocsp.rb
+++ b/test/openssl/test_ocsp.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative "utils"
if defined?(OpenSSL)
@@ -50,26 +50,26 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert)
assert_kind_of OpenSSL::OCSP::CertificateId, cid
assert_equal @cert.serial, cid.serial
- cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA256.new)
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA256'))
assert_kind_of OpenSSL::OCSP::CertificateId, cid
assert_equal @cert.serial, cid.serial
end
def test_certificate_id_issuer_name_hash
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert)
- assert_equal OpenSSL::Digest::SHA1.hexdigest(@cert.issuer.to_der), cid.issuer_name_hash
+ assert_equal OpenSSL::Digest.hexdigest('SHA1', @cert.issuer.to_der), cid.issuer_name_hash
assert_equal "d91f736ac4dc3242f0fb9b77a3149bd83c5c43d0", cid.issuer_name_hash
end
def test_certificate_id_issuer_key_hash
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert)
- assert_equal OpenSSL::Digest::SHA1.hexdigest(OpenSSL::ASN1.decode(@ca_cert.to_der).value[0].value[6].value[1].value), cid.issuer_key_hash
+ assert_equal OpenSSL::Digest.hexdigest('SHA1', OpenSSL::ASN1.decode(@ca_cert.to_der).value[0].value[6].value[1].value), cid.issuer_key_hash
assert_equal "d1fef9fbf8ae1bc160cbfa03e2596dd873089213", cid.issuer_key_hash
end
def test_certificate_id_hash_algorithm
- cid_sha1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
- cid_sha256 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA256.new)
+ cid_sha1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
+ cid_sha256 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA256'))
assert_equal "sha1", cid_sha1.hash_algorithm
assert_equal "sha256", cid_sha256.hash_algorithm
end
@@ -84,6 +84,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
assert_equal [cid.issuer_key_hash].pack("H*"), asn1.value[2].value
assert_equal @cert.serial, asn1.value[3].value
assert_equal der, OpenSSL::OCSP::CertificateId.new(der).to_der
+ assert_equal der, OpenSSL::OCSP::CertificateId.new(asn1).to_der
end
def test_certificate_id_dup
@@ -93,7 +94,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
def test_request_der
request = OpenSSL::OCSP::Request.new
- cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
request.add_certid(cid)
request.sign(@cert, @cert_key, [@ca_cert], 0)
asn1 = OpenSSL::ASN1.decode(request.to_der)
@@ -163,14 +164,14 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
def test_request_dup
request = OpenSSL::OCSP::Request.new
- cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
request.add_certid(cid)
assert_equal request.to_der, request.dup.to_der
end
def test_basic_response_der
bres = OpenSSL::OCSP::BasicResponse.new
- cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
bres.add_nonce("NONCE")
bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0)
@@ -213,7 +214,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
def test_basic_response_dup
bres = OpenSSL::OCSP::BasicResponse.new
- cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0)
assert_equal bres.to_der, bres.dup.to_der
@@ -222,9 +223,9 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
def test_basic_response_response_operations
bres = OpenSSL::OCSP::BasicResponse.new
now = Time.at(Time.now.to_i)
- cid1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
- cid2 = OpenSSL::OCSP::CertificateId.new(@ocsp_cert, @ca_cert, OpenSSL::Digest::SHA1.new)
- cid3 = OpenSSL::OCSP::CertificateId.new(@ca_cert, @ca_cert, OpenSSL::Digest::SHA1.new)
+ cid1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
+ cid2 = OpenSSL::OCSP::CertificateId.new(@ocsp_cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
+ cid3 = OpenSSL::OCSP::CertificateId.new(@ca_cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
bres.add_status(cid1, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, now - 400, -300, nil, nil)
bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, nil, -300, 500, [])
@@ -256,8 +257,8 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
def test_single_response_check_validity
bres = OpenSSL::OCSP::BasicResponse.new
- cid1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
- cid2 = OpenSSL::OCSP::CertificateId.new(@ocsp_cert, @ca_cert, OpenSSL::Digest::SHA1.new)
+ cid1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
+ cid2 = OpenSSL::OCSP::CertificateId.new(@ocsp_cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
bres.add_status(cid1, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, -50, [])
bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, nil, [])
bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, nil, Time.now + 100, nil, nil)
@@ -276,7 +277,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
def test_response
bres = OpenSSL::OCSP::BasicResponse.new
- cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
bres.sign(@ocsp_cert, @ocsp_key, [])
res = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres)
@@ -287,7 +288,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
def test_response_der
bres = OpenSSL::OCSP::BasicResponse.new
- cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest.new('SHA1'))
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0)
res = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres)
diff --git a/test/openssl/test_ossl.rb b/test/openssl/test_ossl.rb
new file mode 100644
index 00000000..e1d86bd4
--- /dev/null
+++ b/test/openssl/test_ossl.rb
@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+require_relative "utils"
+
+require 'benchmark'
+
+if defined?(OpenSSL)
+
+class OpenSSL::OSSL < OpenSSL::SSLTestCase
+ def test_fixed_length_secure_compare
+ assert_raise(ArgumentError) { OpenSSL.fixed_length_secure_compare("aaa", "a") }
+ assert_raise(ArgumentError) { OpenSSL.fixed_length_secure_compare("aaa", "aa") }
+
+ assert OpenSSL.fixed_length_secure_compare("aaa", "aaa")
+ assert OpenSSL.fixed_length_secure_compare(
+ OpenSSL::Digest.digest('SHA256', "aaa"), OpenSSL::Digest::SHA256.digest("aaa")
+ )
+
+ assert_raise(ArgumentError) { OpenSSL.fixed_length_secure_compare("aaa", "aaaa") }
+ refute OpenSSL.fixed_length_secure_compare("aaa", "baa")
+ refute OpenSSL.fixed_length_secure_compare("aaa", "aba")
+ refute OpenSSL.fixed_length_secure_compare("aaa", "aab")
+ assert_raise(ArgumentError) { OpenSSL.fixed_length_secure_compare("aaa", "aaab") }
+ assert_raise(ArgumentError) { OpenSSL.fixed_length_secure_compare("aaa", "b") }
+ assert_raise(ArgumentError) { OpenSSL.fixed_length_secure_compare("aaa", "bb") }
+ refute OpenSSL.fixed_length_secure_compare("aaa", "bbb")
+ assert_raise(ArgumentError) { OpenSSL.fixed_length_secure_compare("aaa", "bbbb") }
+ end
+
+ def test_secure_compare
+ refute OpenSSL.secure_compare("aaa", "a")
+ refute OpenSSL.secure_compare("aaa", "aa")
+
+ assert OpenSSL.secure_compare("aaa", "aaa")
+
+ refute OpenSSL.secure_compare("aaa", "aaaa")
+ refute OpenSSL.secure_compare("aaa", "baa")
+ refute OpenSSL.secure_compare("aaa", "aba")
+ refute OpenSSL.secure_compare("aaa", "aab")
+ refute OpenSSL.secure_compare("aaa", "aaab")
+ refute OpenSSL.secure_compare("aaa", "b")
+ refute OpenSSL.secure_compare("aaa", "bb")
+ refute OpenSSL.secure_compare("aaa", "bbb")
+ refute OpenSSL.secure_compare("aaa", "bbbb")
+ end
+
+ def test_memcmp_timing
+ # Ensure using fixed_length_secure_compare takes almost exactly the same amount of time to compare two different strings.
+ # Regular string comparison will short-circuit on the first non-matching character, failing this test.
+ # NOTE: this test may be susceptible to noise if the system running the tests is otherwise under load.
+ a = "x" * 512_000
+ b = "#{a}y"
+ c = "y#{a}"
+ a = "#{a}x"
+
+ a_b_time = a_c_time = 0
+ 100.times do
+ a_b_time += Benchmark.measure { 100.times { OpenSSL.fixed_length_secure_compare(a, b) } }.real
+ a_c_time += Benchmark.measure { 100.times { OpenSSL.fixed_length_secure_compare(a, c) } }.real
+ end
+ assert_operator(a_b_time, :<, a_c_time * 10, "fixed_length_secure_compare timing test failed")
+ assert_operator(a_c_time, :<, a_b_time * 10, "fixed_length_secure_compare timing test failed")
+ end
+end
+
+end
diff --git a/test/test_pair.rb b/test/openssl/test_pair.rb
index 29d5c9bb..8316ec2a 100644
--- a/test/test_pair.rb
+++ b/test/openssl/test_pair.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
require_relative 'ut_eof'
@@ -10,7 +10,7 @@ module OpenSSL::SSLPairM
ee_exts = [
["keyUsage", "keyEncipherment,digitalSignature", true],
]
- @svr_key = OpenSSL::TestUtils::Fixtures.pkey("rsa1024")
+ @svr_key = OpenSSL::TestUtils::Fixtures.pkey("rsa-1")
@svr_cert = issue_cert(svr_dn, @svr_key, 1, ee_exts, nil, nil)
end
@@ -23,7 +23,7 @@ module OpenSSL::SSLPairM
sctx = OpenSSL::SSL::SSLContext.new
sctx.cert = @svr_cert
sctx.key = @svr_key
- sctx.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey_dh("dh1024") }
+ sctx.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey("dh-1") }
sctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION
ssls = OpenSSL::SSL::SSLServer.new(tcps, sctx)
ns = ssls.accept
@@ -128,11 +128,11 @@ module OpenSSL::TestPairM
ssl_pair {|s1, s2|
s2.write "a\nbcd"
assert_equal("a\n", s1.gets)
- result = ""
+ result = String.new
result << s1.readpartial(10) until result.length == 3
assert_equal("bcd", result)
s2.write "efg"
- result = ""
+ result = String.new
result << s1.readpartial(10) until result.length == 3
assert_equal("efg", result)
s2.close
@@ -156,20 +156,6 @@ module OpenSSL::TestPairM
}
end
- def test_puts_meta
- ssl_pair {|s1, s2|
- begin
- old = $/
- $/ = '*'
- s1.puts 'a'
- ensure
- $/ = old
- end
- s1.close
- assert_equal("a\n", s2.read)
- }
- end
-
def test_puts_empty
ssl_pair {|s1, s2|
s1.puts
@@ -242,22 +228,22 @@ module OpenSSL::TestPairM
def test_read_with_outbuf
ssl_pair { |s1, s2|
s1.write("abc\n")
- buf = ""
+ buf = String.new
ret = s2.read(2, buf)
assert_same ret, buf
assert_equal "ab", ret
- buf = "garbage"
+ buf = +"garbage"
ret = s2.read(2, buf)
assert_same ret, buf
assert_equal "c\n", ret
- buf = "garbage"
+ buf = +"garbage"
assert_equal :wait_readable, s2.read_nonblock(100, buf, exception: false)
assert_equal "", buf
s1.close
- buf = "garbage"
+ buf = +"garbage"
assert_equal nil, s2.read(100, buf)
assert_equal "", buf
}
@@ -397,7 +383,7 @@ module OpenSSL::TestPairM
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.cert = @svr_cert
ctx2.key = @svr_key
- ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey_dh("dh1024") }
+ ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey("dh-1") }
sock1, sock2 = tcp_pair
@@ -442,54 +428,47 @@ module OpenSSL::TestPairM
end
def test_connect_accept_nonblock
- ctx = OpenSSL::SSL::SSLContext.new()
+ ctx = OpenSSL::SSL::SSLContext.new
ctx.cert = @svr_cert
ctx.key = @svr_key
- ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey_dh("dh1024") }
+ ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey("dh-1") }
sock1, sock2 = tcp_pair
th = Thread.new {
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx)
- s2.sync_close = true
- begin
+ 5.times {
+ begin
+ break s2.accept_nonblock
+ rescue IO::WaitReadable
+ IO.select([s2], nil, nil, 1)
+ rescue IO::WaitWritable
+ IO.select(nil, [s2], nil, 1)
+ end
sleep 0.2
- s2.accept_nonblock
+ }
+ }
+
+ s1 = OpenSSL::SSL::SSLSocket.new(sock1)
+ 5.times {
+ begin
+ break s1.connect_nonblock
rescue IO::WaitReadable
- IO.select([s2])
- retry
+ IO.select([s1], nil, nil, 1)
rescue IO::WaitWritable
- IO.select(nil, [s2])
- retry
+ IO.select(nil, [s1], nil, 1)
end
- s2
- }
-
- sleep 0.1
- ctx = OpenSSL::SSL::SSLContext.new()
- s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx)
- begin
sleep 0.2
- s1.connect_nonblock
- rescue IO::WaitReadable
- IO.select([s1])
- retry
- rescue IO::WaitWritable
- IO.select(nil, [s1])
- retry
- end
- s1.sync_close = true
+ }
s2 = th.value
s1.print "a\ndef"
assert_equal("a\n", s2.gets)
ensure
- th.join if th
- s1.close if s1 && !s1.closed?
- s2.close if s2 && !s2.closed?
- sock1.close if sock1 && !sock1.closed?
- sock2.close if sock2 && !sock2.closed?
+ sock1&.close
+ sock2&.close
+ th&.join
end
end
diff --git a/test/test_pkcs12.rb b/test/openssl/test_pkcs12.rb
index de8e35ed..fdbe753b 100644
--- a/test/test_pkcs12.rb
+++ b/test/openssl/test_pkcs12.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative "utils"
if defined?(OpenSSL)
diff --git a/test/test_pkcs7.rb b/test/openssl/test_pkcs7.rb
index 149d3b9b..d0d9dcaf 100644
--- a/test/test_pkcs7.rb
+++ b/test/openssl/test_pkcs7.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
@@ -133,6 +133,8 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase
assert_equal(@ca_cert.subject.to_s, recip[1].issuer.to_s)
assert_equal(3, recip[1].serial)
assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert))
+
+ assert_equal(data, p7.decrypt(@rsa1024))
end
def test_graceful_parsing_failure #[ruby-core:43250]
@@ -170,6 +172,28 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase
assert_equal(:encrypted, p7.type)
end
+ def test_smime
+ store = OpenSSL::X509::Store.new
+ store.add_cert(@ca_cert)
+ ca_certs = [@ca_cert]
+
+ data = "aaaaa\r\nbbbbb\r\nccccc\r\n"
+ tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs)
+ p7 = OpenSSL::PKCS7.new(tmp.to_der)
+ smime = OpenSSL::PKCS7.write_smime(p7)
+ assert_equal(true, smime.start_with?(<<END))
+MIME-Version: 1.0
+Content-Disposition: attachment; filename="smime.p7m"
+Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name="smime.p7m"
+Content-Transfer-Encoding: base64
+
+END
+ assert_equal(p7.to_der, OpenSSL::PKCS7.read_smime(smime).to_der)
+
+ smime = OpenSSL::PKCS7.write_smime(p7, nil, 0)
+ assert_equal(p7.to_der, OpenSSL::PKCS7.read_smime(smime).to_der)
+ end
+
def test_degenerate_pkcs7
ca_cert_pem = <<END
-----BEGIN CERTIFICATE-----
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
new file mode 100644
index 00000000..0bdc9795
--- /dev/null
+++ b/test/openssl/test_pkey.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+require_relative "utils"
+
+class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
+ def test_generic_oid_inspect
+ # RSA private key
+ rsa = Fixtures.pkey("rsa-1")
+ assert_instance_of OpenSSL::PKey::RSA, rsa
+ assert_equal "rsaEncryption", rsa.oid
+ assert_match %r{oid=rsaEncryption}, rsa.inspect
+
+ # X25519 private key
+ x25519_pem = <<~EOF
+ -----BEGIN PRIVATE KEY-----
+ MC4CAQAwBQYDK2VuBCIEIHcHbQpzGKV9PBbBclGyZkXfTC+H68CZKrF3+6UduSwq
+ -----END PRIVATE KEY-----
+ EOF
+ begin
+ x25519 = OpenSSL::PKey.read(x25519_pem)
+ rescue OpenSSL::PKey::PKeyError
+ # OpenSSL < 1.1.0
+ pend "X25519 is not implemented"
+ end
+ assert_instance_of OpenSSL::PKey::PKey, x25519
+ assert_equal "X25519", x25519.oid
+ assert_match %r{oid=X25519}, x25519.inspect
+ end
+end
diff --git a/test/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
index 77cdb0ab..fd2c7a66 100644
--- a/test/test_pkey_dh.rb
+++ b/test/openssl/test_pkey_dh.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL) && defined?(OpenSSL::PKey::DH)
@@ -19,7 +19,7 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
end
def test_DHparams
- dh1024 = Fixtures.pkey_dh("dh1024")
+ dh1024 = Fixtures.pkey("dh1024")
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(dh1024.p),
OpenSSL::ASN1::Integer(dh1024.g)
@@ -42,7 +42,7 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
end
def test_public_key
- dh = Fixtures.pkey_dh("dh1024")
+ dh = Fixtures.pkey("dh1024")
public_key = dh.public_key
assert_no_key(public_key) #implies public_key.public? is false!
assert_equal(dh.to_der, public_key.to_der)
@@ -50,14 +50,14 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
end
def test_generate_key
- dh = Fixtures.pkey_dh("dh1024").public_key # creates a copy
+ dh = Fixtures.pkey("dh1024").public_key # creates a copy
assert_no_key(dh)
dh.generate_key!
assert_key(dh)
end
def test_key_exchange
- dh = Fixtures.pkey_dh("dh1024")
+ dh = Fixtures.pkey("dh1024")
dh2 = dh.public_key
dh.generate_key!
dh2.generate_key!
@@ -74,6 +74,13 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
assert_equal dh2.g, dh.g
end
+ def test_marshal
+ dh = Fixtures.pkey("dh1024")
+ deserialized = Marshal.load(Marshal.dump(dh))
+
+ assert_equal dh.to_der, deserialized.to_der
+ end
+
private
def assert_equal_params(dh1, dh2)
diff --git a/test/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
index d6519498..4bf8a7b3 100644
--- a/test/test_pkey_dsa.rb
+++ b/test/openssl/test_pkey_dsa.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL) && defined?(OpenSSL::PKey::DSA)
@@ -37,8 +37,8 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
dsa512 = Fixtures.pkey("dsa512")
data = "Sign me!"
if defined?(OpenSSL::Digest::DSS1)
- signature = dsa512.sign(OpenSSL::Digest::DSS1.new, data)
- assert_equal true, dsa512.verify(OpenSSL::Digest::DSS1.new, signature, data)
+ signature = dsa512.sign(OpenSSL::Digest.new('DSS1'), data)
+ assert_equal true, dsa512.verify(OpenSSL::Digest.new('DSS1'), signature, data)
end
signature = dsa512.sign("SHA1", data)
@@ -56,7 +56,7 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
def test_sys_sign_verify
key = Fixtures.pkey("dsa256")
data = 'Sign me!'
- digest = OpenSSL::Digest::SHA1.digest(data)
+ digest = OpenSSL::Digest.digest('SHA1', data)
sig = key.syssign(digest)
assert(key.sysverify(digest, sig))
end
@@ -191,6 +191,13 @@ fWLOqqkzFeRrYMDzUpl36XktY6Yq8EJYlW9pCMmBVNy/dQ==
assert_not_equal key.params, key2.params
end
+ def test_marshal
+ key = Fixtures.pkey("dsa1024")
+ deserialized = Marshal.load(Marshal.dump(key))
+
+ assert_equal key.to_der, deserialized.to_der
+ end
+
private
def assert_same_dsa(expected, key)
check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key])
diff --git a/test/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
index 95b5a642..a0e6a23f 100644
--- a/test/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL) && defined?(OpenSSL::PKey::EC)
@@ -52,6 +52,13 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
assert_equal(true, ec.private?)
end
+ def test_marshal
+ key = Fixtures.pkey("p256")
+ deserialized = Marshal.load(Marshal.dump(key))
+
+ assert_equal key.to_der, deserialized.to_der
+ end
+
def test_check_key
key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
assert_equal(true, key.check_key)
@@ -289,6 +296,27 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
assert_equal true, point.on_curve?
end
+ def test_ec_point_add
+ begin
+ group = OpenSSL::PKey::EC::Group.new(:GFp, 17, 2, 2)
+ group.point_conversion_form = :uncompressed
+ gen = OpenSSL::PKey::EC::Point.new(group, B(%w{ 04 05 01 }))
+ group.set_generator(gen, 19, 1)
+
+ point_a = OpenSSL::PKey::EC::Point.new(group, B(%w{ 04 06 03 }))
+ point_b = OpenSSL::PKey::EC::Point.new(group, B(%w{ 04 10 0D }))
+ rescue OpenSSL::PKey::EC::Group::Error
+ pend "Patched OpenSSL rejected curve" if /unsupported field/ =~ $!.message
+ raise
+ end
+
+ result = point_a.add(point_b)
+ assert_equal B(%w{ 04 0D 07 }), result.to_octet_string(:uncompressed)
+
+ assert_raise(TypeError) { point_a.add(nil) }
+ assert_raise(ArgumentError) { point_a.add }
+ end
+
def test_ec_point_mul
begin
# y^2 = x^3 + 2x + 2 over F_17
diff --git a/test/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
index ef02717d..88164c3b 100644
--- a/test/test_pkey_rsa.rb
+++ b/test/openssl/test_pkey_rsa.rb
@@ -1,9 +1,18 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative "utils"
if defined?(OpenSSL)
class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
+ def test_no_private_exp
+ key = OpenSSL::PKey::RSA.new
+ rsa = Fixtures.pkey("rsa2048")
+ key.set_key(rsa.n, rsa.e, nil)
+ key.set_factors(rsa.p, rsa.q)
+ assert_raise(OpenSSL::PKey::RSAError){ key.private_encrypt("foo") }
+ assert_raise(OpenSSL::PKey::RSAError){ key.private_decrypt("foo") }
+ end
+
def test_padding
key = OpenSSL::PKey::RSA.new(512, 3)
@@ -31,14 +40,32 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
end
def test_private
+ # Generated by key size and public exponent
key = OpenSSL::PKey::RSA.new(512, 3)
assert(key.private?)
+
+ # Generated by DER
key2 = OpenSSL::PKey::RSA.new(key.to_der)
assert(key2.private?)
+
+ # public key
key3 = key.public_key
assert(!key3.private?)
+
+ # Generated by public key DER
key4 = OpenSSL::PKey::RSA.new(key3.to_der)
assert(!key4.private?)
+ rsa1024 = Fixtures.pkey("rsa1024")
+
+ # Generated by RSA#set_key
+ key5 = OpenSSL::PKey::RSA.new
+ key5.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
+ assert(key5.private?)
+
+ # Generated by RSA#set_key, without d
+ key6 = OpenSSL::PKey::RSA.new
+ key6.set_key(rsa1024.n, rsa1024.e, nil)
+ assert(!key6.private?)
end
def test_new
@@ -92,8 +119,8 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
def test_digest_state_irrelevant_sign
key = Fixtures.pkey("rsa1024")
- digest1 = OpenSSL::Digest::SHA1.new
- digest2 = OpenSSL::Digest::SHA1.new
+ digest1 = OpenSSL::Digest.new('SHA1')
+ digest2 = OpenSSL::Digest.new('SHA1')
data = 'Sign me!'
digest1 << 'Change state of digest1'
sig1 = key.sign(digest1, data)
@@ -103,8 +130,8 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
def test_digest_state_irrelevant_verify
key = Fixtures.pkey("rsa1024")
- digest1 = OpenSSL::Digest::SHA1.new
- digest2 = OpenSSL::Digest::SHA1.new
+ digest1 = OpenSSL::Digest.new('SHA1')
+ digest2 = OpenSSL::Digest.new('SHA1')
data = 'Sign me!'
sig = key.sign(digest1, data)
digest1.reset
@@ -153,6 +180,40 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
}
end
+ def test_export
+ rsa1024 = Fixtures.pkey("rsa1024")
+ key = OpenSSL::PKey::RSA.new
+
+ # key has only n, e and d
+ key.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
+ assert_equal rsa1024.public_key.export, key.export
+
+ # key has only n, e, d, p and q
+ key.set_factors(rsa1024.p, rsa1024.q)
+ assert_equal rsa1024.public_key.export, key.export
+
+ # key has n, e, d, p, q, dmp1, dmq1 and iqmp
+ key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp)
+ assert_equal rsa1024.export, key.export
+ end
+
+ def test_to_der
+ rsa1024 = Fixtures.pkey("rsa1024")
+ key = OpenSSL::PKey::RSA.new
+
+ # key has only n, e and d
+ key.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
+ assert_equal rsa1024.public_key.to_der, key.to_der
+
+ # key has only n, e, d, p and q
+ key.set_factors(rsa1024.p, rsa1024.q)
+ assert_equal rsa1024.public_key.to_der, key.to_der
+
+ # key has n, e, d, p, q, dmp1, dmq1 and iqmp
+ key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp)
+ assert_equal rsa1024.to_der, key.to_der
+ end
+
def test_RSAPrivateKey
rsa1024 = Fixtures.pkey("rsa1024")
asn1 = OpenSSL::ASN1::Sequence([
@@ -295,6 +356,85 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
}
end
+ def test_private_encoding
+ rsa1024 = Fixtures.pkey("rsa1024")
+ asn1 = OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::Integer(0),
+ OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::ObjectId("rsaEncryption"),
+ OpenSSL::ASN1::Null(nil)
+ ]),
+ OpenSSL::ASN1::OctetString(rsa1024.to_der)
+ ])
+ assert_equal asn1.to_der, rsa1024.private_to_der
+ assert_same_rsa rsa1024, OpenSSL::PKey.read(asn1.to_der)
+
+ pem = <<~EOF
+ -----BEGIN PRIVATE KEY-----
+ MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMvCxLDUQKc+1P4+
+ Q6AeFwYDvWfALb+cvzlUEadGoPE6qNWHsLFoo8RFgeyTgE8KQTduu1OE9Zz2SMcR
+ BDu5/1jWtsLPSVrI2ofLLBARUsWanVyki39DeB4u/xkP2mKGjAokPIwOI3oCthSZ
+ lzO9bj3voxTf6XngTqUX8l8URTmHAgMBAAECgYEApKX8xBqvJ7XI7Kypfo/x8MVC
+ 3rxW+1eQ2aVKIo4a7PKGjQz5RVIVyzqTUvSZoMTbkAxlSIbO5YfJpTnl3tFcOB6y
+ QMxqQPW/pl6Ni3EmRJdsRM5MsPBRZOfrXxOCdvXu1TWOS1S1TrvEr/TyL9eh2WCd
+ CGzpWgdO4KHce7vs7pECQQDv6DGoG5lHnvbvj9qSJb9K5ebRJc8S+LI7Uy5JHC0j
+ zsHTYPSqBXwPVQdGbgCEycnwwKzXzT2QxAQmJBQKun2ZAkEA2W3aeAE7Xi6zo2eG
+ 4Cx4UNMHMIdfBRS7VgoekwybGmcapqV0aBew5kHeWAmxP1WUZ/dgZh2QtM1VuiBA
+ qUqkHwJBAOJLCRvi/JB8N7z82lTk2i3R8gjyOwNQJv6ilZRMyZ9vFZFHcUE27zCf
+ Kb+bX03h8WPwupjMdfgpjShU+7qq8nECQQDBrmyc16QVyo40sgTgblyiysitvviy
+ ovwZsZv4q5MCmvOPnPUrwGbRRb2VONUOMOKpFiBl9lIv7HU//nj7FMVLAkBjUXED
+ 83dA8JcKM+HlioXEAxCzZVVhN+D63QwRwkN08xAPklfqDkcqccWDaZm2hdCtaYlK
+ funwYkrzI1OikQSs
+ -----END PRIVATE KEY-----
+ EOF
+ assert_equal pem, rsa1024.private_to_pem
+ assert_same_rsa rsa1024, OpenSSL::PKey.read(pem)
+ end
+
+ def test_private_encoding_encrypted
+ rsa1024 = Fixtures.pkey("rsa1024")
+ encoded = rsa1024.private_to_der("aes-128-cbc", "abcdef")
+ asn1 = OpenSSL::ASN1.decode(encoded) # PKCS #8 EncryptedPrivateKeyInfo
+ assert_kind_of OpenSSL::ASN1::Sequence, asn1
+ assert_equal 2, asn1.value.size
+ assert_not_equal rsa1024.private_to_der, encoded
+ assert_same_rsa rsa1024, OpenSSL::PKey.read(encoded, "abcdef")
+ assert_same_rsa rsa1024, OpenSSL::PKey.read(encoded) { "abcdef" }
+ assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.read(encoded, "abcxyz") }
+
+ encoded = rsa1024.private_to_pem("aes-128-cbc", "abcdef")
+ assert_match (/BEGIN ENCRYPTED PRIVATE KEY/), encoded.lines[0]
+ assert_same_rsa rsa1024, OpenSSL::PKey.read(encoded, "abcdef")
+
+ # certtool --load-privkey=test/fixtures/pkey/rsa1024.pem --to-p8 --password=abcdef
+ pem = <<~EOF
+ -----BEGIN ENCRYPTED PRIVATE KEY-----
+ MIICojAcBgoqhkiG9w0BDAEDMA4ECLqajUdSNfzwAgIEkQSCAoCDWhxr1HUrKLXA
+ FsFGGQfPT0aKH4gZipaSXXQRl0KwifHwHoDtfo/mAkJVZMnUVOm1AQ4LTFS3EdTy
+ JUwICGEQHb7QAiokIRoi0K2yHhOxVO8qgbnWuisWpiT6Ru1jCqTs/wcqlqF7z2jM
+ oXDk/vuekKst1DDXDcHrzhDkwhCQWj6jt1r2Vwaryy0FyeqsWAgBDiK2LsnCgkGD
+ 21uhNZ/iWMG6tvY9hB8MDdiBJ41YdSG/AKLulAxQ1ibJz0Tasu66TmwFvWhBlME+
+ QbqfgmkgWg5buu53SvDfCA47zXihclbtdfW+U3CJ9OJkx0535TVdZbuC1QgKXvG7
+ 4iKGFRMWYJqZvZM3GL4xbC75AxjXZsdCfV81VjZxjeU6ung/NRzCuCUcmBOQzo1D
+ Vv6COwAa6ttQWM0Ti8oIQHdu5Qi+nuOEHDLxCxD962M37H99sEO5cESjmrGVxhEo
+ 373L4+11geGSCajdp0yiAGnXQfwaKta8cL693bRObN+b1Y+vqtDKH26N9a4R3qgg
+ 2XwgQ5GH5CODoXZpi0wxncXO+3YuuhGeArtzKSXLNxHzIMlY7wZX+0e9UU03zfV/
+ aOe4/q5DpkNxgHePt0oEpamSKY5W3jzVi1dlFWsRjud1p/Grt2zjSWTYClBlJqG1
+ A/3IeDZCu+acaePJjFyv5dFffIj2l4bAYB+LFrZlSu3F/EimO/dCDWJ9JGlMK0aF
+ l9brh7786Mo+YfyklaqMMEHBbbR2Es7PR6Gt7lrcIXmzy9XSsxT6IiD1rG9KKR3i
+ CQxTup6JAx9w1q+adL+Ypikoy3gGD/ccUY6TtPoCmkQwSCS+JqQnFlCiThDJbu+V
+ eqqUNkZq
+ -----END ENCRYPTED PRIVATE KEY-----
+ EOF
+ assert_same_rsa rsa1024, OpenSSL::PKey.read(pem, "abcdef")
+ end
+
+ def test_public_encoding
+ rsa1024 = Fixtures.pkey("rsa1024")
+ assert_equal dup_public(rsa1024).to_der, rsa1024.public_to_der
+ assert_equal dup_public(rsa1024).to_pem, rsa1024.public_to_pem
+ end
+
def test_dup
key = Fixtures.pkey("rsa1024")
key2 = key.dup
@@ -303,6 +443,13 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
assert_not_equal key.params, key2.params
end
+ def test_marshal
+ key = Fixtures.pkey("rsa2048")
+ deserialized = Marshal.load(Marshal.dump(key))
+
+ assert_equal key.to_der, deserialized.to_der
+ end
+
private
def assert_same_rsa(expected, key)
check_component(expected, key, [:n, :e, :d, :p, :q, :dmp1, :dmq1, :iqmp])
diff --git a/test/test_random.rb b/test/openssl/test_random.rb
index d5a37454..33af3757 100644
--- a/test/test_random.rb
+++ b/test/openssl/test_random.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative "utils"
if defined?(OpenSSL)
diff --git a/test/test_ssl.rb b/test/openssl/test_ssl.rb
index ea98bec8..6095d545 100644
--- a/test/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative "utils"
if defined?(OpenSSL)
@@ -56,6 +56,56 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
}
end
+ def test_socket_open
+ start_server { |port|
+ begin
+ ssl = OpenSSL::SSL::SSLSocket.open("127.0.0.1", port)
+ ssl.sync_close = true
+ ssl.connect
+
+ ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+ ensure
+ ssl&.close
+ end
+ }
+ end
+
+ def test_socket_open_with_context
+ start_server { |port|
+ begin
+ ctx = OpenSSL::SSL::SSLContext.new
+ ssl = OpenSSL::SSL::SSLSocket.open("127.0.0.1", port, context: ctx)
+ ssl.sync_close = true
+ ssl.connect
+
+ assert_equal ssl.context, ctx
+ ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+ ensure
+ ssl&.close
+ end
+ }
+ end
+
+ def test_socket_open_with_local_address_port_context
+ start_server { |port|
+ begin
+ # Guess a free port number
+ random_port = rand(49152..65535)
+ ctx = OpenSSL::SSL::SSLContext.new
+ ssl = OpenSSL::SSL::SSLSocket.open("127.0.0.1", port, "127.0.0.1", random_port, context: ctx)
+ ssl.sync_close = true
+ ssl.connect
+
+ assert_equal ctx, ssl.context
+ assert_equal random_port, ssl.io.local_address.ip_port
+ ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+ rescue Errno::EADDRINUSE
+ ensure
+ ssl&.close
+ end
+ }
+ end
+
def test_add_certificate
ctx_proc = -> ctx {
# Unset values set by start_server
@@ -81,7 +131,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
add0_chain_supported = openssl?(1, 0, 2)
if add0_chain_supported
- ca2_key = Fixtures.pkey("rsa1024")
+ ca2_key = Fixtures.pkey("rsa-3")
ca2_exts = [
["basicConstraints", "CA:TRUE", true],
["keyUsage", "cRLSign, keyCertSign", true],
@@ -142,12 +192,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_sysread_and_syswrite
start_server { |port|
server_connect(port) { |ssl|
- str = "x" * 100 + "\n"
+ str = +("x" * 100 + "\n")
ssl.syswrite(str)
newstr = ssl.sysread(str.bytesize)
assert_equal(str, newstr)
- buf = ""
+ buf = String.new
ssl.syswrite(str)
assert_same buf, ssl.sysread(str.size, buf)
assert_equal(str, buf)
@@ -156,7 +206,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_sync_close
- start_server { |port|
+ start_server do |port|
begin
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
@@ -179,7 +229,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ensure
sock&.close
end
- }
+ end
end
def test_copy_stream
@@ -419,6 +469,31 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
}
end
+ def test_finished_messages
+ server_finished = nil
+ server_peer_finished = nil
+ client_finished = nil
+ client_peer_finished = nil
+
+ start_server(accept_proc: proc { |server|
+ server_finished = server.finished_message
+ server_peer_finished = server.peer_finished_message
+ }) { |port|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ server_connect(port, ctx) { |ssl|
+ ssl.puts "abc"; ssl.gets
+
+ client_finished = ssl.finished_message
+ client_peer_finished = ssl.peer_finished_message
+ }
+ }
+ assert_not_nil(server_finished)
+ assert_not_nil(client_finished)
+ assert_equal(server_finished, client_peer_finished)
+ assert_equal(server_peer_finished, client_finished)
+ end
+
def test_sslctx_set_params
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params
@@ -526,8 +601,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, "www.example.com\0.evil.com"))
assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255'))
assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1'))
- assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::18'))
assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))
+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '44:0:0:0:0:0:0:17'))
+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '0013:0000:0000:0000:0000:0000:0000:0017'))
+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '1313:0000:0000:0000:0000:0000:0000:0017'))
end
end
@@ -708,7 +787,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_tlsext_hostname
fooctx = OpenSSL::SSL::SSLContext.new
- fooctx.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") }
+ fooctx.tmp_dh_callback = proc { Fixtures.pkey("dh-1") }
fooctx.cert = @cli_cert
fooctx.key = @cli_key
@@ -760,7 +839,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.cert = @svr_cert
ctx2.key = @svr_key
- ctx2.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") }
+ ctx2.tmp_dh_callback = proc { Fixtures.pkey("dh-1") }
ctx2.servername_cb = lambda { |args| Object.new }
sock1, sock2 = socketpair
@@ -1180,7 +1259,7 @@ if openssl?(1, 0, 2) || libressl?
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.cert = @svr_cert
ctx1.key = @svr_key
- ctx1.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") }
+ ctx1.tmp_dh_callback = proc { Fixtures.pkey("dh-1") }
ctx1.alpn_select_cb = -> (protocols) { nil }
ssl1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
@@ -1291,8 +1370,13 @@ end
}
end
+ def readwrite_loop_safe(ctx, ssl)
+ readwrite_loop(ctx, ssl)
+ rescue OpenSSL::SSL::SSLError
+ end
+
def test_close_after_socket_close
- start_server { |port|
+ start_server(server_proc: method(:readwrite_loop_safe)) { |port|
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.connect
@@ -1325,11 +1409,16 @@ end
ctx.ssl_version = :TLSv1_2
ctx.ciphers = "kRSA"
}
- start_server(ctx_proc: ctx_proc1) do |port|
+ start_server(ctx_proc: ctx_proc1, ignore_listener_error: true) do |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ssl_version = :TLSv1_2
ctx.ciphers = "kRSA"
- server_connect(port, ctx) { |ssl| assert_nil ssl.tmp_key }
+ begin
+ server_connect(port, ctx) { |ssl| assert_nil ssl.tmp_key }
+ rescue OpenSSL::SSL::SSLError
+ # kRSA seems disabled
+ raise unless $!.message =~ /no cipher/
+ end
end
end
@@ -1368,6 +1457,10 @@ end
end
def test_fallback_scsv
+ supported = check_supported_protocol_versions
+ return unless supported.include?(OpenSSL::SSL::TLS1_1_VERSION) &&
+ supported.include?(OpenSSL::SSL::TLS1_2_VERSION)
+
pend "Fallback SCSV is not supported" unless \
OpenSSL::SSL::SSLContext.method_defined?(:enable_fallback_scsv)
@@ -1397,7 +1490,12 @@ end
# Server support better, so refuse the connection
sock1, sock2 = socketpair
begin
+ # This test is for the downgrade protection mechanism of TLS1.2.
+ # This is why ctx1 bounds max_version == TLS1.2.
+ # Otherwise, this test fails when using openssl 1.1.1 (or later) that supports TLS1.3.
+ # TODO: We may need another test for TLS1.3 because it seems to have a different mechanism.
ctx1 = OpenSSL::SSL::SSLContext.new
+ ctx1.max_version = OpenSSL::SSL::TLS1_2_VERSION
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
ctx2 = OpenSSL::SSL::SSLContext.new
@@ -1422,20 +1520,21 @@ end
def test_dh_callback
pend "TLS 1.2 is not supported" unless tls12_supported?
+ dh = Fixtures.pkey("dh-1")
called = false
ctx_proc = -> ctx {
ctx.ssl_version = :TLSv1_2
ctx.ciphers = "DH:!NULL"
ctx.tmp_dh_callback = ->(*args) {
called = true
- Fixtures.pkey_dh("dh1024")
+ dh
}
}
start_server(ctx_proc: ctx_proc) do |port|
server_connect(port) { |ssl|
assert called, "dh callback should be called"
if ssl.respond_to?(:tmp_key)
- assert_equal Fixtures.pkey_dh("dh1024").to_der, ssl.tmp_key.to_der
+ assert_equal dh.to_der, ssl.tmp_key.to_der
end
}
end
@@ -1580,6 +1679,20 @@ end
}
end
+ def test_fileno
+ ctx = OpenSSL::SSL::SSLContext.new
+ sock1, sock2 = socketpair
+
+ socket = OpenSSL::SSL::SSLSocket.new(sock1)
+ server = OpenSSL::SSL::SSLServer.new(sock2, ctx)
+
+ assert_equal socket.fileno, socket.to_io.fileno
+ assert_equal server.fileno, server.to_io.fileno
+ ensure
+ sock1.close
+ sock2.close
+ end
+
private
def start_server_version(version, ctx_proc = nil,
@@ -1612,8 +1725,8 @@ end
def assert_handshake_error
# different OpenSSL versions react differently when facing a SSL/TLS version
- # that has been marked as forbidden, therefore either of these may be raised
- assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET) {
+ # that has been marked as forbidden, therefore any of these may be raised
+ assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET, Errno::EPIPE) {
yield
}
end
diff --git a/test/test_ssl_session.rb b/test/openssl/test_ssl_session.rb
index e199f86d..89726d44 100644
--- a/test/test_ssl_session.rb
+++ b/test/openssl/test_ssl_session.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative "utils"
if defined?(OpenSSL)
diff --git a/test/openssl/test_ts.rb b/test/openssl/test_ts.rb
new file mode 100644
index 00000000..6e9c3089
--- /dev/null
+++ b/test/openssl/test_ts.rb
@@ -0,0 +1,657 @@
+require_relative "utils"
+
+if defined?(OpenSSL) && defined?(OpenSSL::Timestamp)
+
+class OpenSSL::TestTimestamp < OpenSSL::TestCase
+ def intermediate_key
+ @intermediate_key ||= OpenSSL::PKey::RSA.new <<-_end_of_pem_
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCcyODxH+oTrr7l7MITWcGaYnnBma6vidCCJjuSzZpaRmXZHAyH
+0YcY4ttC0BdJ4uV+cE05IySVC7tyvVfFb8gFQ6XJV+AEktP+XkLbcxZgj9d2NVu1
+ziXdI+ldXkPnMhyWpMS5E7SD6gflv9NhUYEsmAGsUgdK6LDmm2W2/4TlewIDAQAB
+AoGAYgx6KDFWONLqjW3f/Sv/mGYHUNykUyDzpcD1Npyf797gqMMSzwlo3FZa2tC6
+D7n23XirwpTItvEsW9gvgMikJDPlThAeGLZ+L0UbVNNBHVxGP998Nda1kxqKvhRE
+pfZCKc7PLM9ZXc6jBTmgxdcAYfVCCVUoa2mEf9Ktr3BlI4kCQQDQAM09+wHDXGKP
+o2UnCwCazGtyGU2r0QCzHlh9BVY+KD2KjjhuWh86rEbdWN7hEW23Je1vXIhuM6Pa
+/Ccd+XYnAkEAwPZ91PK6idEONeGQ4I3dyMKV2SbaUjfq3MDL4iIQPQPuj7QsBO/5
+3Nf9ReSUUTRFCUVwoC8k4Z1KAJhR/K/ejQJANE7PTnPuGJQGETs09+GTcFpR9uqY
+FspDk8fg1ufdrVnvSAXF+TJewiGK3KU5v33jinhWQngRsyz3Wt2odKhEZwJACbjh
+oicQqvzzgFd7GzVKpWDYd/ZzLY1PsgusuhoJQ2m9TVRAm4cTycLAKhNYPbcqe0sa
+X5fAffWU0u7ZwqeByQJAOUAbYET4RU3iymAvAIDFj8LiQnizG9t5Ty3HXlijKQYv
+y8gsvWd4CdxwOPatWpBUX9L7IXcMJmD44xXTUvpbfQ==
+-----END RSA PRIVATE KEY-----
+_end_of_pem_
+ end
+
+ def ee_key
+ @ee_key ||= OpenSSL::PKey::RSA.new <<-_end_of_pem_
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQDA6eB5r2O5KOKNbKMBhzadl43lgpwqq28m+G0gH38kKCL1f3o9
+P8xUZm7sZqcWEervZMSSXMGBV9DgeoSR+U6FMJywgQGx/JNRx7wZTMNym3PvgLkl
+xCXh6ZA0/xbtJtcNI+UUv0ENBkTIuUWBhkAf3jQclAr9aQ0ktYBuHAcRcQIDAQAB
+AoGAKNhcAuezwZx6e18pFEXAtpVEIfgJgK9TlXi8AjUpAkrNPBWFmDpN1QDrM3p4
+nh+lEpLPW/3vqqchPqYyM4YJraMLpS3KUG+s7+m9QIia0ri2WV5Cig7WL+Tl9p7K
+b3oi2Aj/wti8GfOLFQXOQQ4Ea4GoCv2Sxe0GZR39UBxzTsECQQD1zuVIwBvqU2YR
+8innsoa+j4u2hulRmQO6Zgpzj5vyRYfA9uZxQ9nKbfJvzuWwUv+UzyS9RqxarqrP
+5nQw5EmVAkEAyOmJg6+AfGrgvSWfSpXEds/WA/sHziCO3rE4/sd6cnDc6XcTgeMs
+mT8Z3kAYGpqFDew5orUylPfJJa+PUueJbQJAY+gkvw3+Cp69FLw1lgu0wo07fwOU
+n2qu3jsNMm0DOFRUWfTAMvcd9S385L7WEnWZldUfnKK1+OGXYYrMXPbchQJAChU2
+UoaHQzc16iguM1cK0g+iJPb/MEgQA3sPajHmokGpxIm2T+lvvo0dJjs/Om6QyN8X
+EWRYkoNQ8/Q4lCeMjQJAfvDIGtyqF4PieFHYgluQAv5pGgYpakdc8SYyeRH9NKey
+GaL27FRs4fRWf9OmxPhUVgIyGzLGXrueemvQUDHObA==
+-----END RSA PRIVATE KEY-----
+_end_of_pem_
+ end
+
+ def ca_cert
+ @ca_cert ||= OpenSSL::Certs.ca_cert
+ end
+
+ def ca_store
+ @ca_store ||= OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
+ end
+
+ def ts_cert_direct
+ @ts_cert_direct ||= OpenSSL::Certs.ts_cert_direct(ee_key, ca_cert)
+ end
+
+ def intermediate_cert
+ @intermediate_cert ||= OpenSSL::Certs.intermediate_cert(intermediate_key, ca_cert)
+ end
+
+ def intermediate_store
+ @intermediate_store ||= OpenSSL::X509::Store.new.tap { |s| s.add_cert(intermediate_cert) }
+ end
+
+ def ts_cert_ee
+ @ts_cert_ee ||= OpenSSL::Certs.ts_cert_ee(ee_key, intermediate_cert, intermediate_key)
+ end
+
+ def test_request_mandatory_fields
+ req = OpenSSL::Timestamp::Request.new
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ tmp = req.to_der
+ pp OpenSSL::ASN1.decode(tmp)
+ end
+ req.algorithm = "sha1"
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ req.to_der
+ end
+ req.message_imprint = OpenSSL::Digest.digest('SHA1', "data")
+ req.to_der
+ end
+
+ def test_request_assignment
+ req = OpenSSL::Timestamp::Request.new
+
+ req.version = 2
+ assert_equal(2, req.version)
+ assert_raise(TypeError) { req.version = nil }
+ assert_raise(TypeError) { req.version = "foo" }
+
+ req.algorithm = "SHA1"
+ assert_equal("SHA1", req.algorithm)
+ assert_raise(TypeError) { req.algorithm = nil }
+ assert_raise(OpenSSL::ASN1::ASN1Error) { req.algorithm = "xxx" }
+
+ req.message_imprint = "test"
+ assert_equal("test", req.message_imprint)
+ assert_raise(TypeError) { req.message_imprint = nil }
+
+ req.policy_id = "1.2.3.4.5"
+ assert_equal("1.2.3.4.5", req.policy_id)
+ assert_raise(TypeError) { req.policy_id = 123 }
+ assert_raise(TypeError) { req.policy_id = nil }
+
+ req.nonce = 42
+ assert_equal(42, req.nonce)
+ assert_raise(TypeError) { req.nonce = "foo" }
+ assert_raise(TypeError) { req.nonce = nil }
+
+ req.cert_requested = false
+ assert_equal(false, req.cert_requested?)
+ req.cert_requested = nil
+ assert_equal(false, req.cert_requested?)
+ req.cert_requested = 123
+ assert_equal(true, req.cert_requested?)
+ req.cert_requested = "asdf"
+ assert_equal(true, req.cert_requested?)
+ end
+
+ def test_request_serialization
+ req = OpenSSL::Timestamp::Request.new
+
+ req.version = 2
+ req.algorithm = "SHA1"
+ req.message_imprint = "test"
+ req.policy_id = "1.2.3.4.5"
+ req.nonce = 42
+ req.cert_requested = true
+
+ req = OpenSSL::Timestamp::Request.new(req.to_der)
+
+ assert_equal(2, req.version)
+ assert_equal("SHA1", req.algorithm)
+ assert_equal("test", req.message_imprint)
+ assert_equal("1.2.3.4.5", req.policy_id)
+ assert_equal(42, req.nonce)
+ assert_equal(true, req.cert_requested?)
+
+ end
+
+ def test_request_re_assignment
+ #tests whether the potential 'freeing' of previous values in C works properly
+ req = OpenSSL::Timestamp::Request.new
+ req.version = 2
+ req.version = 3
+ req.algorithm = "SHA1"
+ req.algorithm = "SHA256"
+ req.message_imprint = "test"
+ req.message_imprint = "test2"
+ req.policy_id = "1.2.3.4.5"
+ req.policy_id = "1.2.3.4.6"
+ req.nonce = 42
+ req.nonce = 24
+ req.cert_requested = false
+ req.cert_requested = true
+ req.to_der
+ end
+
+ def test_request_encode_decode
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.policy_id = "1.2.3.4.5"
+ req.nonce = 42
+
+ qer = OpenSSL::Timestamp::Request.new(req.to_der)
+ assert_equal(1, qer.version)
+ assert_equal("SHA1", qer.algorithm)
+ assert_equal(digest, qer.message_imprint)
+ assert_equal("1.2.3.4.5", qer.policy_id)
+ assert_equal(42, qer.nonce)
+
+ #put OpenSSL::ASN1.decode inbetween
+ qer2 = OpenSSL::Timestamp::Request.new(OpenSSL::ASN1.decode(req.to_der))
+ assert_equal(1, qer2.version)
+ assert_equal("SHA1", qer2.algorithm)
+ assert_equal(digest, qer2.message_imprint)
+ assert_equal("1.2.3.4.5", qer2.policy_id)
+ assert_equal(42, qer2.nonce)
+ end
+
+ def test_response_constants
+ assert_equal(0, OpenSSL::Timestamp::Response::GRANTED)
+ assert_equal(1, OpenSSL::Timestamp::Response::GRANTED_WITH_MODS)
+ assert_equal(2, OpenSSL::Timestamp::Response::REJECTION)
+ assert_equal(3, OpenSSL::Timestamp::Response::WAITING)
+ assert_equal(4, OpenSSL::Timestamp::Response::REVOCATION_WARNING)
+ assert_equal(5, OpenSSL::Timestamp::Response::REVOCATION_NOTIFICATION)
+ end
+
+ def test_response_creation
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.policy_id = "1.2.3.4.5"
+
+ fac = OpenSSL::Timestamp::Factory.new
+ time = Time.now
+ fac.gen_time = time
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+
+ resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ resp = OpenSSL::Timestamp::Response.new(resp)
+ assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status)
+ assert_nil(resp.failure_info)
+ assert_equal([], resp.status_text)
+ assert_equal(1, resp.token_info.version)
+ assert_equal("1.2.3.4.5", resp.token_info.policy_id)
+ assert_equal("SHA1", resp.token_info.algorithm)
+ assert_equal(digest, resp.token_info.message_imprint)
+ assert_equal(1, resp.token_info.serial_number)
+ assert_equal(time.to_i, resp.token_info.gen_time.to_i)
+ assert_equal(false, resp.token_info.ordering)
+ assert_nil(resp.token_info.nonce)
+ assert_cert(ts_cert_ee, resp.tsa_certificate)
+ #compare PKCS7
+ token = OpenSSL::ASN1.decode(resp.to_der).value[1]
+ assert_equal(token.to_der, resp.token.to_der)
+ end
+
+ def test_response_mandatory_fields
+ fac = OpenSSL::Timestamp::Factory.new
+ req = OpenSSL::Timestamp::Request.new
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ fac.create_timestamp(ee_key, ts_cert_ee, req)
+ end
+ req.algorithm = "sha1"
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ fac.create_timestamp(ee_key, ts_cert_ee, req)
+ end
+ req.message_imprint = OpenSSL::Digest.digest('SHA1', "data")
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ fac.create_timestamp(ee_key, ts_cert_ee, req)
+ end
+ fac.gen_time = Time.now
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ fac.create_timestamp(ee_key, ts_cert_ee, req)
+ end
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ fac.create_timestamp(ee_key, ts_cert_ee, req)
+ end
+ fac.default_policy_id = "1.2.3.4.5"
+ assert_equal OpenSSL::Timestamp::Response::GRANTED, fac.create_timestamp(ee_key, ts_cert_ee, req).status
+ fac.default_policy_id = nil
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ fac.create_timestamp(ee_key, ts_cert_ee, req)
+ end
+ req.policy_id = "1.2.3.4.5"
+ assert_equal OpenSSL::Timestamp::Response::GRANTED, fac.create_timestamp(ee_key, ts_cert_ee, req).status
+ end
+
+ def test_response_allowed_digests
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ req.message_imprint = OpenSSL::Digest.digest('SHA1', "test")
+
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.default_policy_id = "1.2.3.4.6"
+
+ # None allowed by default
+ resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ assert_equal OpenSSL::Timestamp::Response::REJECTION, resp.status
+
+ # Explicitly allow SHA1 (string)
+ fac.allowed_digests = ["sha1"]
+ resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ assert_equal OpenSSL::Timestamp::Response::GRANTED, resp.status
+
+ # Explicitly allow SHA1 (object)
+ fac.allowed_digests = [OpenSSL::Digest.new('SHA1')]
+ resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ assert_equal OpenSSL::Timestamp::Response::GRANTED, resp.status
+
+ # Others not allowed
+ req.algorithm = "SHA256"
+ req.message_imprint = OpenSSL::Digest.digest('SHA256', "test")
+ resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ assert_equal OpenSSL::Timestamp::Response::REJECTION, resp.status
+
+ # Non-Array
+ fac.allowed_digests = 123
+ resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ assert_equal OpenSSL::Timestamp::Response::REJECTION, resp.status
+
+ # Non-String, non-Digest Array element
+ fac.allowed_digests = ["sha1", OpenSSL::Digest.new('SHA1'), 123]
+ assert_raise(TypeError) do
+ fac.create_timestamp(ee_key, ts_cert_ee, req)
+ end
+ end
+
+ def test_response_default_policy
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ fac.default_policy_id = "1.2.3.4.6"
+
+ resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status)
+ assert_equal("1.2.3.4.6", resp.token_info.policy_id)
+ end
+
+ def test_response_bad_purpose
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.policy_id = "1.2.3.4.5"
+ req.nonce = 42
+
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+
+
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ fac.create_timestamp(ee_key, intermediate_cert, req)
+ end
+ end
+
+ def test_no_cert_requested
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.cert_requested = false
+
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ fac.default_policy_id = "1.2.3.4.5"
+
+ resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ assert_equal(OpenSSL::Timestamp::Response::GRANTED, resp.status)
+ assert_nil(resp.tsa_certificate)
+ end
+
+ def test_response_no_policy_defined
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+
+ fac.create_timestamp(ee_key, ts_cert_ee, req)
+ end
+ end
+
+ def test_verify_ee_no_req
+ assert_raise(TypeError) do
+ ts, _ = timestamp_ee
+ ts.verify(nil, ca_cert)
+ end
+ end
+
+ def test_verify_ee_no_store
+ assert_raise(TypeError) do
+ ts, req = timestamp_ee
+ ts.verify(req, nil)
+ end
+ end
+
+ def test_verify_ee_wrong_root_no_intermediate
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ ts, req = timestamp_ee
+ ts.verify(req, intermediate_store)
+ end
+ end
+
+ def test_verify_ee_wrong_root_wrong_intermediate
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ ts, req = timestamp_ee
+ ts.verify(req, intermediate_store, [ca_cert])
+ end
+ end
+
+ def test_verify_ee_nonce_mismatch
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ ts, req = timestamp_ee
+ req.nonce = 1
+ ts.verify(req, ca_store, [intermediate_cert])
+ end
+ end
+
+ def test_verify_ee_intermediate_missing
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ ts, req = timestamp_ee
+ ts.verify(req, ca_store)
+ end
+ end
+
+ def test_verify_ee_intermediate
+ ts, req = timestamp_ee
+ ts.verify(req, ca_store, [intermediate_cert])
+ end
+
+ def test_verify_ee_intermediate_type_error
+ ts, req = timestamp_ee
+ assert_raise(TypeError) { ts.verify(req, [ca_cert], 123) }
+ end
+
+ def test_verify_ee_def_policy
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.nonce = 42
+
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ fac.default_policy_id = "1.2.3.4.5"
+
+ ts = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ ts.verify(req, ca_store, [intermediate_cert])
+ end
+
+ def test_verify_direct
+ ts, req = timestamp_direct
+ ts.verify(req, ca_store)
+ end
+
+ def test_verify_direct_redundant_untrusted
+ ts, req = timestamp_direct
+ ts.verify(req, ca_store, [ts.tsa_certificate, ts.tsa_certificate])
+ end
+
+ def test_verify_direct_unrelated_untrusted
+ ts, req = timestamp_direct
+ ts.verify(req, ca_store, [intermediate_cert])
+ end
+
+ def test_verify_direct_wrong_root
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ ts, req = timestamp_direct
+ ts.verify(req, intermediate_store)
+ end
+ end
+
+ def test_verify_direct_no_cert_no_intermediate
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ ts, req = timestamp_direct_no_cert
+ ts.verify(req, ca_store)
+ end
+ end
+
+ def test_verify_ee_no_cert
+ ts, req = timestamp_ee_no_cert
+ ts.verify(req, ca_store, [ts_cert_ee, intermediate_cert])
+ end
+
+ def test_verify_ee_no_cert_no_intermediate
+ assert_raise(OpenSSL::Timestamp::TimestampError) do
+ ts, req = timestamp_ee_no_cert
+ ts.verify(req, ca_store, [ts_cert_ee])
+ end
+ end
+
+ def test_verify_ee_additional_certs_array
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.policy_id = "1.2.3.4.5"
+ req.nonce = 42
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ fac.additional_certs = [intermediate_cert]
+ ts = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ assert_equal(2, ts.token.certificates.size)
+ fac.additional_certs = nil
+ ts.verify(req, ca_store)
+ ts = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ assert_equal(1, ts.token.certificates.size)
+ end
+
+ def test_verify_ee_additional_certs_with_root
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.policy_id = "1.2.3.4.5"
+ req.nonce = 42
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ fac.additional_certs = [intermediate_cert, ca_cert]
+ ts = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ assert_equal(3, ts.token.certificates.size)
+ ts.verify(req, ca_store)
+ end
+
+ def test_verify_ee_cert_inclusion_not_requested
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.nonce = 42
+ req.cert_requested = false
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ #needed because the Request contained no policy identifier
+ fac.default_policy_id = '1.2.3.4.5'
+ fac.additional_certs = [ ts_cert_ee, intermediate_cert ]
+ ts = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ assert_nil(ts.token.certificates) #since cert_requested? == false
+ ts.verify(req, ca_store, [ts_cert_ee, intermediate_cert])
+ end
+
+ def test_reusable
+ #test if req and faq are reusable, i.e. the internal
+ #CTX_free methods don't mess up e.g. the certificates
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.policy_id = "1.2.3.4.5"
+ req.nonce = 42
+
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ fac.additional_certs = [ intermediate_cert ]
+ ts1 = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ ts1.verify(req, ca_store)
+ ts2 = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ ts2.verify(req, ca_store)
+ refute_nil(ts1.tsa_certificate)
+ refute_nil(ts2.tsa_certificate)
+ end
+
+ def test_token_info_creation
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.policy_id = "1.2.3.4.5"
+ req.nonce = OpenSSL::BN.new(123)
+
+ fac = OpenSSL::Timestamp::Factory.new
+ time = Time.now
+ fac.gen_time = time
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+
+ resp = fac.create_timestamp(ee_key, ts_cert_ee, req)
+ info = resp.token_info
+ info = OpenSSL::Timestamp::TokenInfo.new(info.to_der)
+
+ assert_equal(1, info.version)
+ assert_equal("1.2.3.4.5", info.policy_id)
+ assert_equal("SHA1", info.algorithm)
+ assert_equal(digest, info.message_imprint)
+ assert_equal(1, info.serial_number)
+ assert_equal(time.to_i, info.gen_time.to_i)
+ assert_equal(false, info.ordering)
+ assert_equal(123, info.nonce)
+ end
+
+ private
+
+ def assert_cert expected, actual
+ assert_equal expected.to_der, actual.to_der
+ end
+
+ def timestamp_ee
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.policy_id = "1.2.3.4.5"
+ req.nonce = 42
+
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ return fac.create_timestamp(ee_key, ts_cert_ee, req), req
+ end
+
+ def timestamp_ee_no_cert
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.policy_id = "1.2.3.4.5"
+ req.nonce = 42
+ req.cert_requested = false
+
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ return fac.create_timestamp(ee_key, ts_cert_ee, req), req
+ end
+
+ def timestamp_direct
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.policy_id = "1.2.3.4.5"
+ req.nonce = 42
+
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ return fac.create_timestamp(ee_key, ts_cert_direct, req), req
+ end
+
+ def timestamp_direct_no_cert
+ req = OpenSSL::Timestamp::Request.new
+ req.algorithm = "SHA1"
+ digest = OpenSSL::Digest.digest('SHA1', "test")
+ req.message_imprint = digest
+ req.policy_id = "1.2.3.4.5"
+ req.nonce = 42
+ req.cert_requested = false
+
+ fac = OpenSSL::Timestamp::Factory.new
+ fac.gen_time = Time.now
+ fac.serial_number = 1
+ fac.allowed_digests = ["sha1"]
+ return fac.create_timestamp(ee_key, ts_cert_direct, req), req
+ end
+end
+
+end
diff --git a/test/test_x509attr.rb b/test/openssl/test_x509attr.rb
index c6c48e86..2919d23d 100644
--- a/test/test_x509attr.rb
+++ b/test/openssl/test_x509attr.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative "utils"
if defined?(OpenSSL)
@@ -79,6 +79,16 @@ class OpenSSL::TestX509Attribute < OpenSSL::TestCase
assert_equal true, attr1 == attr2
assert_equal false, attr1 == attr3
end
+
+ def test_marshal
+ val = OpenSSL::ASN1::Set([
+ OpenSSL::ASN1::UTF8String("abc123")
+ ])
+ attr = OpenSSL::X509::Attribute.new("challengePassword", val)
+ deserialized = Marshal.load(Marshal.dump(attr))
+
+ assert_equal attr.to_der, deserialized.to_der
+ end
end
end
diff --git a/test/test_x509cert.rb b/test/openssl/test_x509cert.rb
index 40a5b0ad..848a314c 100644
--- a/test/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative "utils"
if defined?(OpenSSL)
@@ -73,9 +73,12 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
["basicConstraints","CA:TRUE",true],
["keyUsage","keyCertSign, cRLSign",true],
["subjectKeyIdentifier","hash",false],
- ["authorityKeyIdentifier","keyid:always",false],
+ ["authorityKeyIdentifier","issuer:always,keyid:always",false],
]
ca_cert = issue_cert(@ca, @rsa2048, 1, ca_exts, nil, nil)
+ keyid = get_subject_key_id(ca_cert.to_der, hex: false)
+ assert_equal keyid, ca_cert.authority_key_identifier
+ assert_equal keyid, ca_cert.subject_key_identifier
ca_cert.extensions.each_with_index{|ext, i|
assert_equal(ca_exts[i].first, ext.oid)
assert_equal(ca_exts[i].last, ext.critical?)
@@ -84,9 +87,10 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
ee1_exts = [
["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
["subjectKeyIdentifier","hash",false],
- ["authorityKeyIdentifier","keyid:always",false],
+ ["authorityKeyIdentifier","issuer:always,keyid:always",false],
["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
["subjectAltName","email:ee1@ruby-lang.org",false],
+ ["authorityInfoAccess","caIssuers;URI:http://www.example.com/caIssuers,OCSP;URI:http://www.example.com/ocsp",false],
]
ee1_cert = issue_cert(@ee1, @rsa1024, 2, ee1_exts, ca_cert, @rsa2048)
assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der)
@@ -94,6 +98,78 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
assert_equal(ee1_exts[i].first, ext.oid)
assert_equal(ee1_exts[i].last, ext.critical?)
}
+ assert_nil(ee1_cert.crl_uris)
+
+ ef = OpenSSL::X509::ExtensionFactory.new
+ ef.config = OpenSSL::Config.parse(<<~_cnf_)
+ [crlDistPts]
+ URI.1 = http://www.example.com/crl
+ URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary
+ _cnf_
+ cdp_cert = generate_cert(@ee1, @rsa1024, 3, ca_cert)
+ ef.subject_certificate = cdp_cert
+ cdp_cert.add_extension(ef.create_extension("crlDistributionPoints", "@crlDistPts"))
+ cdp_cert.sign(@rsa2048, "sha256")
+ assert_equal(
+ ["http://www.example.com/crl", "ldap://ldap.example.com/cn=ca?certificateRevocationList;binary"],
+ cdp_cert.crl_uris
+ )
+
+ ef = OpenSSL::X509::ExtensionFactory.new
+ aia_cert = generate_cert(@ee1, @rsa1024, 4, ca_cert)
+ ef.subject_certificate = aia_cert
+ aia_cert.add_extension(
+ ef.create_extension(
+ "authorityInfoAccess",
+ "caIssuers;URI:http://www.example.com/caIssuers," \
+ "caIssuers;URI:ldap://ldap.example.com/cn=ca?authorityInfoAccessCaIssuers;binary," \
+ "OCSP;URI:http://www.example.com/ocsp," \
+ "OCSP;URI:ldap://ldap.example.com/cn=ca?authorityInfoAccessOcsp;binary",
+ false
+ )
+ )
+ aia_cert.sign(@rsa2048, "sha256")
+ assert_equal(
+ ["http://www.example.com/caIssuers", "ldap://ldap.example.com/cn=ca?authorityInfoAccessCaIssuers;binary"],
+ aia_cert.ca_issuer_uris
+ )
+ assert_equal(
+ ["http://www.example.com/ocsp", "ldap://ldap.example.com/cn=ca?authorityInfoAccessOcsp;binary"],
+ aia_cert.ocsp_uris
+ )
+
+ no_exts_cert = issue_cert(@ca, @rsa2048, 5, [], nil, nil)
+ assert_equal nil, no_exts_cert.authority_key_identifier
+ assert_equal nil, no_exts_cert.subject_key_identifier
+ assert_equal nil, no_exts_cert.crl_uris
+ assert_equal nil, no_exts_cert.ca_issuer_uris
+ assert_equal nil, no_exts_cert.ocsp_uris
+ end
+
+ def test_invalid_extension
+ integer = OpenSSL::ASN1::Integer.new(0)
+ invalid_exts_cert = generate_cert(@ee1, @rsa1024, 1, nil)
+ ["subjectKeyIdentifier", "authorityKeyIdentifier", "crlDistributionPoints", "authorityInfoAccess"].each do |ext|
+ invalid_exts_cert.add_extension(
+ OpenSSL::X509::Extension.new(ext, integer.to_der)
+ )
+ end
+
+ assert_raise(OpenSSL::ASN1::ASN1Error, "invalid extension") {
+ invalid_exts_cert.authority_key_identifier
+ }
+ assert_raise(OpenSSL::ASN1::ASN1Error, "invalid extension") {
+ invalid_exts_cert.subject_key_identifier
+ }
+ assert_raise(OpenSSL::ASN1::ASN1Error, "invalid extension") {
+ invalid_exts_cert.crl_uris
+ }
+ assert_raise(OpenSSL::ASN1::ASN1Error, "invalid extension") {
+ invalid_exts_cert.ca_issuer_uris
+ }
+ assert_raise(OpenSSL::ASN1::ASN1Error, "invalid extension") {
+ invalid_exts_cert.ocsp_uris
+ }
end
def test_sign_and_verify_rsa_sha1
@@ -129,7 +205,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
end
def test_sign_and_verify_rsa_dss1
- cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest::DSS1.new)
+ cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest.new('DSS1'))
assert_equal(false, cert.verify(@rsa1024))
assert_equal(true, cert.verify(@rsa2048))
assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
@@ -189,6 +265,17 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
assert_equal false, cert3 == cert4
end
+ def test_marshal
+ now = Time.now
+ cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil,
+ not_before: now, not_after: now + 3600)
+ cert = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024,
+ not_before: now, not_after: now + 3600)
+ deserialized = Marshal.load(Marshal.dump(cert))
+
+ assert_equal cert.to_der, deserialized.to_der
+ end
+
private
def certificate_error_returns_false
diff --git a/test/test_x509crl.rb b/test/openssl/test_x509crl.rb
index 03fdf64d..bcdb0a69 100644
--- a/test/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative "utils"
if defined?(OpenSSL)
@@ -20,7 +20,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
crl = issue_crl([], 1, now, now+1600, [],
- cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
assert_equal(1, crl.version)
assert_equal(cert.issuer.to_der, crl.issuer.to_der)
assert_equal(now, crl.last_update)
@@ -57,7 +57,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
]
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
revoked = crl.revoked
assert_equal(5, revoked.size)
assert_equal(1, revoked[0].serial)
@@ -98,7 +98,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
revoke_info = (1..1000).collect{|i| [i, now, 0] }
crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
revoked = crl.revoked
assert_equal(1000, revoked.size)
assert_equal(1, revoked[0].serial)
@@ -118,19 +118,22 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
["keyUsage", "cRLSign, keyCertSign", true],
]
crl_exts = [
- ["authorityKeyIdentifier", "keyid:always", false],
+ ["authorityKeyIdentifier", "issuer:always,keyid:always", false],
["issuerAltName", "issuer:copy", false],
]
cert = issue_cert(@ca, @rsa2048, 1, cert_exts, nil, nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts,
- cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
exts = crl.extensions
assert_equal(3, exts.size)
assert_equal("1", exts[0].value)
assert_equal("crlNumber", exts[0].oid)
assert_equal(false, exts[0].critical?)
+ expected_keyid = OpenSSL::TestUtils.get_subject_key_id(cert, hex: false)
+ assert_equal expected_keyid, crl.authority_key_identifier
+
assert_equal("authorityKeyIdentifier", exts[1].oid)
keyid = OpenSSL::TestUtils.get_subject_key_id(cert)
assert_match(/^keyid:#{keyid}/, exts[1].value)
@@ -155,22 +158,26 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
assert_equal("issuerAltName", exts[2].oid)
assert_equal("email:xyzzy@ruby-lang.org", exts[2].value)
assert_equal(false, exts[2].critical?)
+
+ no_ext_crl = issue_crl([], 1, Time.now, Time.now+1600, [],
+ cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
+ assert_equal nil, no_ext_crl.authority_key_identifier
end
def test_crlnumber
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
assert_match(1.to_s, crl.extensions[0].value)
assert_match(/X509v3 CRL Number:\s+#{1}/m, crl.to_text)
crl = issue_crl([], 2**32, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
assert_match((2**32).to_s, crl.extensions[0].value)
assert_match(/X509v3 CRL Number:\s+#{2**32}/m, crl.to_text)
crl = issue_crl([], 2**100, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
assert_match(/X509v3 CRL Number:\s+#{2**100}/m, crl.to_text)
assert_match((2**100).to_s, crl.extensions[0].value)
end
@@ -178,7 +185,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
def test_sign_and_verify
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
- cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
assert_equal(false, crl.verify(@rsa1024))
assert_equal(true, crl.verify(@rsa2048))
assert_equal(false, crl_error_returns_false { crl.verify(@dsa256) })
@@ -188,7 +195,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
cert = issue_cert(@ca, @dsa512, 1, [], nil, nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
- cert, @dsa512, OpenSSL::Digest::SHA1.new)
+ cert, @dsa512, OpenSSL::Digest.new('SHA1'))
assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
assert_equal(false, crl.verify(@dsa256))
@@ -249,6 +256,22 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
assert_equal true, rev2 == crl2.revoked[1]
end
+ def test_marshal
+ now = Time.now
+
+ cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil)
+ crl = issue_crl([], 1, now, now + 3600, [], cacert, @rsa1024, "sha256")
+ rev = OpenSSL::X509::Revoked.new.tap { |rev|
+ rev.serial = 1
+ rev.time = now
+ }
+ crl.add_revoked(rev)
+ deserialized = Marshal.load(Marshal.dump(crl))
+
+ assert_equal crl.to_der, deserialized.to_der
+ assert_equal crl.revoked[0].to_der, deserialized.revoked[0].to_der
+ end
+
private
def crl_error_returns_false
diff --git a/test/test_x509ext.rb b/test/openssl/test_x509ext.rb
index 91ce202f..7ad010d1 100644
--- a/test/test_x509ext.rb
+++ b/test/openssl/test_x509ext.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
@@ -86,6 +86,19 @@ class OpenSSL::TestX509Extension < OpenSSL::TestCase
assert_equal true, ext1 == ext2
assert_equal false, ext1 == ext3
end
+
+ def test_marshal
+ ef = OpenSSL::X509::ExtensionFactory.new
+ ext = ef.create_extension("basicConstraints", "critical, CA:TRUE, pathlen:2")
+ deserialized = Marshal.load(Marshal.dump(ext))
+
+ assert_equal ext.to_der, deserialized.to_der
+ end
+
+ def test_value_der
+ ext = OpenSSL::X509::Extension.new(@basic_constraints.to_der)
+ assert_equal @basic_constraints_value.to_der, ext.value_der
+ end
end
end
diff --git a/test/test_x509name.rb b/test/openssl/test_x509name.rb
index e31b5e29..c6d15219 100644
--- a/test/test_x509name.rb
+++ b/test/openssl/test_x509name.rb
@@ -1,5 +1,5 @@
# coding: ASCII-8BIT
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative 'utils'
if defined?(OpenSSL)
@@ -389,7 +389,7 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
dn.each { |x| name.add_entry(*x) }
str = name.to_utf8
- expected = "CN=フー\\, バー,DC=ruby-lang,DC=org".force_encoding("UTF-8")
+ expected = String.new("CN=フー\\, バー,DC=ruby-lang,DC=org").force_encoding("UTF-8")
assert_equal expected, str
assert_equal Encoding.find("UTF-8"), str.encoding
@@ -402,6 +402,9 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
n2 = OpenSSL::X509::Name.parse_rfc2253 'CN=a'
assert_equal n1, n2
+
+ assert_equal(false, n1 == 'abc')
+ assert_equal(false, n2 == nil)
end
def test_spaceship
@@ -409,12 +412,15 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
n2 = OpenSSL::X509::Name.new([["CN", "a"]])
n3 = OpenSSL::X509::Name.new([["CN", "ab"]])
- assert_equal 0, n1 <=> n2
- assert_equal -1, n1 <=> n3
- assert_equal 0, n2 <=> n1
- assert_equal -1, n2 <=> n3
- assert_equal 1, n3 <=> n1
- assert_equal 1, n3 <=> n2
+ assert_equal(0, n1 <=> n2)
+ assert_equal(-1, n1 <=> n3)
+ assert_equal(0, n2 <=> n1)
+ assert_equal(-1, n2 <=> n3)
+ assert_equal(1, n3 <=> n1)
+ assert_equal(1, n3 <=> n2)
+ assert_equal(nil, n1 <=> 'abc')
+ assert_equal(nil, n2 <=> 123)
+ assert_equal(nil, n3 <=> nil)
end
def name_hash(name)
@@ -426,13 +432,13 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
def test_hash
dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org"
name = OpenSSL::X509::Name.parse(dn)
- d = OpenSSL::Digest::MD5.digest(name.to_der)
+ d = OpenSSL::Digest.digest('MD5', name.to_der)
expected = (d[0].ord & 0xff) | (d[1].ord & 0xff) << 8 | (d[2].ord & 0xff) << 16 | (d[3].ord & 0xff) << 24
assert_equal(expected, name_hash(name))
#
dn = "/DC=org/DC=ruby-lang/CN=baz.ruby-lang.org"
name = OpenSSL::X509::Name.parse(dn)
- d = OpenSSL::Digest::MD5.digest(name.to_der)
+ d = OpenSSL::Digest.digest('MD5', name.to_der)
expected = (d[0].ord & 0xff) | (d[1].ord & 0xff) << 8 | (d[2].ord & 0xff) << 16 | (d[3].ord & 0xff) << 24
assert_equal(expected, name_hash(name))
end
@@ -447,6 +453,13 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
assert_equal false, name0.eql?(name2)
end
+ def test_marshal
+ name = OpenSSL::X509::Name.new([["DC", "org"], ["DC", "ruby-lang"], ["CN", "bar.ruby-lang.org"]])
+ deserialized = Marshal.load(Marshal.dump(name))
+
+ assert_equal name.to_der, deserialized.to_der
+ end
+
def test_dup
name = OpenSSL::X509::Name.parse("/CN=ruby-lang.org")
assert_equal(name.to_der, name.dup.to_der)
diff --git a/test/test_x509req.rb b/test/openssl/test_x509req.rb
index 2c447ccd..ee9c678f 100644
--- a/test/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative "utils"
if defined?(OpenSSL)
@@ -23,31 +23,31 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
end
def test_public_key
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+ req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der)
- req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new)
+ req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA1'))
assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
end
def test_version
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+ req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
assert_equal(0, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(0, req.version)
- req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+ req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
assert_equal(1, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(1, req.version)
end
def test_subject
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+ req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
assert_equal(@dn.to_der, req.subject.to_der)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(@dn.to_der, req.subject.to_der)
@@ -78,9 +78,9 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
OpenSSL::X509::Attribute.new("msExtReq", attrval),
]
- req0 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+ req0 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
attrs.each{|attr| req0.add_attribute(attr) }
- req1 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+ req1 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
req1.attributes = attrs
assert_equal(req0.to_der, req1.to_der)
@@ -101,7 +101,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
end
def test_sign_and_verify_rsa_sha1
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+ req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
assert_equal(true, req.verify(@rsa1024))
assert_equal(false, req.verify(@rsa2048))
assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
@@ -111,7 +111,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
end
def test_sign_and_verify_rsa_md5
- req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new)
+ req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest.new('MD5'))
assert_equal(false, req.verify(@rsa1024))
assert_equal(true, req.verify(@rsa2048))
assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
@@ -122,7 +122,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
end
def test_sign_and_verify_dsa
- req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new)
+ req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA1'))
assert_equal(false, request_error_returns_false { req.verify(@rsa1024) })
assert_equal(false, request_error_returns_false { req.verify(@rsa2048) })
assert_equal(false, req.verify(@dsa256))
@@ -133,11 +133,11 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
def test_sign_and_verify_dsa_md5
assert_raise(OpenSSL::X509::RequestError){
- issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) }
+ issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('MD5')) }
end
def test_dup
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+ req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
assert_equal(req.to_der, req.dup.to_der)
end
@@ -151,6 +151,13 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
assert_equal false, req1 == req3
end
+ def test_marshal
+ req = issue_csr(0, @dn, @rsa1024, "sha256")
+ deserialized = Marshal.load(Marshal.dump(req))
+
+ assert_equal req.to_der, deserialized.to_der
+ end
+
private
def request_error_returns_false
diff --git a/test/test_x509store.rb b/test/openssl/test_x509store.rb
index 6412249b..e9602e34 100644
--- a/test/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require_relative "utils"
if defined?(OpenSSL)
@@ -72,16 +72,16 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
revoke_info = []
crl1 = issue_crl(revoke_info, 1, now, now+1800, [],
- ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
revoke_info = [ [2, now, 1], ]
crl1_2 = issue_crl(revoke_info, 2, now, now+1800, [],
- ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
revoke_info = [ [20, now, 1], ]
crl2 = issue_crl(revoke_info, 1, now, now+1800, [],
- ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+ ca2_cert, @rsa1024, OpenSSL::Digest.new('SHA1'))
revoke_info = []
crl2_2 = issue_crl(revoke_info, 2, now-100, now-1, [],
- ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+ ca2_cert, @rsa1024, OpenSSL::Digest.new('SHA1'))
assert_equal(true, ca1_cert.verify(ca1_cert.public_key)) # self signed
assert_equal(true, ca2_cert.verify(ca1_cert.public_key)) # issued by ca1
@@ -220,10 +220,10 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
revoke_info = []
crl1 = issue_crl(revoke_info, 1, now, now+1800, [],
- ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
revoke_info = [ [2, now, 1], ]
crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [],
- ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+ ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
store.add_crl(crl1)
assert_raise(OpenSSL::X509::StoreError){
store.add_crl(crl2) # add CRL issued by same CA twice.
diff --git a/test/ut_eof.rb b/test/openssl/ut_eof.rb
index bd62fd50..cf1f2d42 100644
--- a/test/ut_eof.rb
+++ b/test/openssl/ut_eof.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
require 'test/unit'
if defined?(OpenSSL)
@@ -18,12 +18,12 @@ module OpenSSL::TestEOF
assert_nil(f.read(1))
}
open_file("") {|f|
- s = "x"
+ s = +"x"
assert_equal("", f.read(nil, s))
assert_equal("", s)
}
open_file("") {|f|
- s = "x"
+ s = +"x"
assert_nil(f.read(10, s))
assert_equal("", s)
}
@@ -75,12 +75,12 @@ module OpenSSL::TestEOF
assert_equal("", f.read(0))
}
open_file("a") {|f|
- s = "x"
+ s = +"x"
assert_equal("a", f.read(nil, s))
assert_equal("a", s)
}
open_file("a") {|f|
- s = "x"
+ s = +"x"
assert_equal("a", f.read(10, s))
assert_equal("a", s)
}
diff --git a/test/utils.rb b/test/openssl/utils.rb
index 6318246d..3776fbac 100644
--- a/test/utils.rb
+++ b/test/openssl/utils.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
begin
require "openssl"
@@ -42,10 +42,8 @@ module OpenSSL::TestUtils
def pkey(name)
OpenSSL::PKey.read(read_file("pkey", name))
- end
-
- def pkey_dh(name)
- # DH parameters can be read by OpenSSL::PKey.read atm
+ rescue OpenSSL::PKey::PKeyError
+ # TODO: DH parameters can be read by OpenSSL::PKey.read atm
OpenSSL::PKey::DH.new(read_file("pkey", name))
end
@@ -54,15 +52,18 @@ module OpenSSL::TestUtils
@file_cache[[category, name]] ||=
File.read(File.join(__dir__, "fixtures", category, name + ".pem"))
end
+
+ def file_path(category, name)
+ File.join(__dir__, "fixtures", category, name)
+ end
end
module_function
- def issue_cert(dn, key, serial, extensions, issuer, issuer_key,
- not_before: nil, not_after: nil, digest: "sha256")
+ def generate_cert(dn, key, serial, issuer,
+ not_before: nil, not_after: nil)
cert = OpenSSL::X509::Certificate.new
issuer = cert unless issuer
- issuer_key = key unless issuer_key
cert.version = 2
cert.serial = serial
cert.subject = dn
@@ -71,6 +72,16 @@ module OpenSSL::TestUtils
now = Time.now
cert.not_before = not_before || now - 3600
cert.not_after = not_after || now + 3600
+ cert
+ end
+
+
+ def issue_cert(dn, key, serial, extensions, issuer, issuer_key,
+ not_before: nil, not_after: nil, digest: "sha256")
+ cert = generate_cert(dn, key, serial, issuer,
+ not_before: not_before, not_after: not_after)
+ issuer = cert unless issuer
+ issuer_key = key unless issuer_key
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = cert
ef.issuer_certificate = issuer
@@ -109,13 +120,18 @@ module OpenSSL::TestUtils
crl
end
- def get_subject_key_id(cert)
+ def get_subject_key_id(cert, hex: true)
asn1_cert = OpenSSL::ASN1.decode(cert)
tbscert = asn1_cert.value[0]
pkinfo = tbscert.value[6]
publickey = pkinfo.value[1]
pkvalue = publickey.value
- OpenSSL::Digest::SHA1.hexdigest(pkvalue).scan(/../).join(":").upcase
+ digest = OpenSSL::Digest.digest('SHA1', pkvalue)
+ if hex
+ digest.unpack("H2"*20).join(":").upcase
+ else
+ digest
+ end
end
def openssl?(major = nil, minor = nil, fix = nil, patch = 0)
@@ -157,9 +173,9 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
def setup
super
- @ca_key = Fixtures.pkey("rsa2048")
- @svr_key = Fixtures.pkey("rsa1024")
- @cli_key = Fixtures.pkey("rsa2048")
+ @ca_key = Fixtures.pkey("rsa-1")
+ @svr_key = Fixtures.pkey("rsa-2")
+ @cli_key = Fixtures.pkey("rsa-3")
@ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
@svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
@cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
@@ -191,6 +207,7 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
def start_server(verify_mode: OpenSSL::SSL::VERIFY_NONE, start_immediately: true,
ctx_proc: nil, server_proc: method(:readwrite_loop),
+ accept_proc: proc{},
ignore_listener_error: false, &block)
IO.pipe {|stop_pipe_r, stop_pipe_w|
store = OpenSSL::X509::Store.new
@@ -200,7 +217,7 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
ctx.cert_store = store
ctx.cert = @svr_cert
ctx.key = @svr_key
- ctx.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") }
+ ctx.tmp_dh_callback = proc { Fixtures.pkey("dh-1") }
ctx.verify_mode = verify_mode
ctx_proc.call(ctx) if ctx_proc
@@ -224,6 +241,7 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
readable, = IO.select([ssls, stop_pipe_r])
break if readable.include? stop_pipe_r
ssl = ssls.accept
+ accept_proc.call(ssl)
rescue OpenSSL::SSL::SSLError, IOError, Errno::EBADF, Errno::EINVAL,
Errno::ECONNABORTED, Errno::ENOTSOCK, Errno::ECONNRESET
retry if ignore_listener_error
@@ -268,8 +286,9 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
pend = nil
threads.each { |th|
begin
- th.join(10) or
- th.raise(RuntimeError, "[start_server] thread did not exit in 10 secs")
+ timeout = EnvUtil.apply_timeout_scale(30)
+ th.join(timeout) or
+ th.raise(RuntimeError, "[start_server] thread did not exit in #{timeout} secs")
rescue (defined?(MiniTest::Skip) ? MiniTest::Skip : Test::Unit::PendedError)
# MiniTest::Skip is for the Ruby tree
pend = $!
@@ -317,4 +336,62 @@ class OpenSSL::PKeyTestCase < OpenSSL::TestCase
end
end
+module OpenSSL::Certs
+ include OpenSSL::TestUtils
+
+ module_function
+
+ def ca_cert
+ ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Timestamp Root CA")
+
+ ca_exts = [
+ ["basicConstraints","CA:TRUE,pathlen:1",true],
+ ["keyUsage","keyCertSign, cRLSign",true],
+ ["subjectKeyIdentifier","hash",false],
+ ["authorityKeyIdentifier","keyid:always",false],
+ ]
+ OpenSSL::TestUtils.issue_cert(ca, Fixtures.pkey("rsa2048"), 1, ca_exts, nil, nil)
+ end
+
+ def ts_cert_direct(key, ca_cert)
+ dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/OU=Timestamp/CN=Server Direct")
+
+ exts = [
+ ["basicConstraints","CA:FALSE",true],
+ ["keyUsage","digitalSignature, nonRepudiation", true],
+ ["subjectKeyIdentifier", "hash",false],
+ ["authorityKeyIdentifier","keyid,issuer", false],
+ ["extendedKeyUsage", "timeStamping", true]
+ ]
+
+ OpenSSL::TestUtils.issue_cert(dn, key, 2, exts, ca_cert, Fixtures.pkey("rsa2048"))
+ end
+
+ def intermediate_cert(key, ca_cert)
+ dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/OU=Timestamp/CN=Timestamp Intermediate CA")
+
+ exts = [
+ ["basicConstraints","CA:TRUE,pathlen:0",true],
+ ["keyUsage","keyCertSign, cRLSign",true],
+ ["subjectKeyIdentifier","hash",false],
+ ["authorityKeyIdentifier","keyid:always",false],
+ ]
+
+ OpenSSL::TestUtils.issue_cert(dn, key, 3, exts, ca_cert, Fixtures.pkey("rsa2048"))
+ end
+
+ def ts_cert_ee(key, intermediate, im_key)
+ dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/OU=Timestamp/CN=Server End Entity")
+
+ exts = [
+ ["keyUsage","digitalSignature, nonRepudiation", true],
+ ["subjectKeyIdentifier", "hash",false],
+ ["authorityKeyIdentifier","keyid,issuer", false],
+ ["extendedKeyUsage", "timeStamping", true]
+ ]
+
+ OpenSSL::TestUtils.issue_cert(dn, key, 4, exts, intermediate, im_key)
+ end
+end
+
end
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-27 10:11:22 +0000