From dacd08937ccda99c77a0458548169e9b06b54465 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Mon, 9 Mar 2020 16:17:38 +0900
Subject: ssl: suppress test failure with SSLContext#add_certificate_chain_file
The feature is currently premature and will be rewritten. However, it is causing test failures on RubyCI. Make it happy for now.
Reference: https://github.com/ruby/openssl/issues/334
---
ext/openssl/ossl_ssl.c | 10 +++++++---
test/openssl/fixtures/chain/dh512.pem | 4 ----
test/openssl/fixtures/chain/server.crt | 13 -------------
test/openssl/fixtures/chain/server.csr | 11 -----------
test/openssl/fixtures/chain/server.key | 15 ---------------
test/openssl/test_ssl.rb | 27 +++++++++++++++++++++++++--
6 files changed, 32 insertions(+), 48 deletions(-)
delete mode 100644 test/openssl/fixtures/chain/dh512.pem
delete mode 100644 test/openssl/fixtures/chain/server.crt
delete mode 100644 test/openssl/fixtures/chain/server.csr
delete mode 100644 test/openssl/fixtures/chain/server.key
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 2ecd7ddc..718f25d8 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -1325,12 +1325,16 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
 static VALUE
 ossl_sslctx_add_certificate_chain_file(VALUE self, VALUE path)
 {
- StringValue(path);
- SSL_CTX *ctx = NULL;
+ SSL_CTX *ctx;
+ int ret;
 GetSSLCTX(self, ctx);
+ StringValueCStr(path);
+ ret = SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(path));
+ if (ret != 1)
+ ossl_raise(eSSLError, "SSL_CTX_use_certificate_chain_file");
- return SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(path)) == 1 ? Qtrue : Qfalse;
+ return Qtrue;
 }
 /*
diff --git a/test/openssl/fixtures/chain/dh512.pem b/test/openssl/fixtures/chain/dh512.pem
deleted file mode 100644
index fec138c7..00000000
--- a/test/openssl/fixtures/chain/dh512.pem
+++ /dev/null
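Review bot: In `ossl_sslctx_add_certificate_chain_file`, `StringValueCStr(path)` is called only for its side effect and its result is discarded, while the pointer handed to OpenSSL is fetched separately with `RSTRING_PTR(path)`. Passing the checked pointer directly, `ret = SSL_CTX_use_certificate_chain_file(ctx, StringValueCStr(path));`, keeps the embedded-NUL check and the pointer that is used in one expression, so a later edit cannot separate them. The switch from returning `Qfalse` to raising `eSSLError` is visible to callers, and no doc comment for the method appears in this hunk; a short rdoc block saying that it loads a PEM certificate chain from `path`, returns `true`, and raises `OpenSSL::SSL::SSLError` on failure would record the new contract. That comment could also state that only certificates are loaded here, with no private key set or checked by this call.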
@@ -1,4 +0,0 @@
------BEGIN DH PARAMETERS-----
-MEYCQQCjDVzTg9C4u43MV0TKDGsBuYdChrPMczr4IYjy+jHQvXm2DDadNNWBIDau
-4zNtwfLCg2gMwOc7t18m4Ten/NOLAgEC
------END DH PARAMETERS-----
diff --git a/test/openssl/fixtures/chain/server.crt b/test/openssl/fixtures/chain/server.crt
deleted file mode 100644
index d6b814f4..00000000
--- a/test/openssl/fixtures/chain/server.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICATCCAWoCCQDbxIRGgXeWaDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJO
-WjETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
-cyBQdHkgTHRkMB4XDTE5MDYxMzA1MDU0MloXDTI5MDYxMDA1MDU0MlowRTELMAkG
-A1UEBhMCTloxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
-IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA29Vu
-Y6m8pRrsXxUhlK2BX48CDChr8D53SqZozcQI26BCm+05TBnQxKAHOknR3y/ige2U
-2zftSwbSoK/zKUC8o5pKVL+l36anDEnZ6RWc9Z9CvmaCFjlcP4nXZO+yD1Is/jCy
-KqGGC8lQ920VXOCFflJj6AWg88+4C3GLjxJe6bMCAwEAATANBgkqhkiG9w0BAQsF
-AAOBgQCDaqKGBkYxNxnv37vEKp7zi/cov8LvEsZaAD1pcSU+ysBiBes/B7a/Qjcj
-PTZsH/hedn9mVynLkjc7LrztUWngTeW9gk5EB9YSwJdPhwLntV1TdaBlf/tu0n/c
-s7QxaZhFMUyo1Eof28zXVHhs1OEhlSjwJ8lxuC3vBE4F1BjSNQ==
------END CERTIFICATE-----
diff --git a/test/openssl/fixtures/chain/server.csr b/test/openssl/fixtures/chain/server.csr
deleted file mode 100644
index 51b38e33..00000000
--- a/test/openssl/fixtures/chain/server.csr
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBhDCB7gIBADBFMQswCQYDVQQGEwJOWjETMBEGA1UECAwKU29tZS1TdGF0ZTEh
-MB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEB
-AQUAA4GNADCBiQKBgQDb1W5jqbylGuxfFSGUrYFfjwIMKGvwPndKpmjNxAjboEKb
-7TlMGdDEoAc6SdHfL+KB7ZTbN+1LBtKgr/MpQLyjmkpUv6XfpqcMSdnpFZz1n0K+
-ZoIWOVw/iddk77IPUiz+MLIqoYYLyVD3bRVc4IV+UmPoBaDzz7gLcYuPEl7pswID
-AQABoAAwDQYJKoZIhvcNAQELBQADgYEAONaTWYVfyMmd8irCtognRoM4tFF4xvDg
-PTcnHjVb/6oPPMU+mtQVD9qNf8SOdhNuYVTZ61mDLQGeq45CLM5qWjZkqFPHnngf
-ajfZRE7Y3vA8ZaWFvsTJYcU+R3/FRS0XnFYj99+q9Yi3JExSY+arElyAW3tFYlcs
-RWOCk1pT2Yc=
------END CERTIFICATE REQUEST-----
diff --git a/test/openssl/fixtures/chain/server.key b/test/openssl/fixtures/chain/server.key
deleted file mode 100644
index 9590235d..00000000
--- a/test/openssl/fixtures/chain/server.key
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDb1W5jqbylGuxfFSGUrYFfjwIMKGvwPndKpmjNxAjboEKb7TlM
-GdDEoAc6SdHfL+KB7ZTbN+1LBtKgr/MpQLyjmkpUv6XfpqcMSdnpFZz1n0K+ZoIW
-OVw/iddk77IPUiz+MLIqoYYLyVD3bRVc4IV+UmPoBaDzz7gLcYuPEl7pswIDAQAB
-AoGAGO+q5+83ENtu+JIjDwRnanmEV/C13biYO4WI2d5kytTw+VL9bt52yfcFGt2I
-yvJZlTdn7T340svhVIzg3ksTmp1xQk3zh6zR00zQy45kYwY8uyd8Xfh2IsnpByoc
-h2jWVX6LSqi1Iy3RxanHmMYPSMy15otsjwlwnnTAHLnnvzECQQDvw3TL90DucQSD
-S0h6DWAGakaiOMhY/PpFbTsjzw+uG+Up65tpz4QqPbsXfoReeK0CQIuyE/LlYoJl
-VOlIsL6HAkEA6rh4zsWi6KVTGa7qd5x70TEgxeMMAW1qUbak1THxeZTFYnyvucBz
-i+VQvHEVnCadhVpHIwbBNUeOyS5DXjj6dQJAA0Caf/3Noq5jykgmJomx6MReSusM
-RLDB0FlH+Rdg9hKozCXHCOtoto350LrFnuZyKlqnynWc0OHCNQ+uzm6fVwJAbtyW
-YsNCQLPlXhoZsEj+yj10B0NH5lyxfMrRa8jdDtnPqMbPkOJvMMIssfSPimNKvzN2
-qfqEww97R1ZMh3JOCQJBAIIwGHBN5rDGIb4CgR+PLsh8bve1X+gO8UnOYJXa/Uzx
-gAXE0uzHNH6rNSG0V/IQnFYlSHpNJGgcdSl+MZNLldQ=
------END RSA PRIVATE KEY-----
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index d31ccacc..95232239 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -190,8 +190,31 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 end
 def test_add_certificate_chain_file
- ctx = OpenSSL::SSL::SSLContext.new
- assert ctx.add_certificate_chain_file(Fixtures.file_path("chain", "server.crt"))
+ # Create chain certificates file
+ certs = Tempfile.open { |f| f << @svr_cert.to_pem << @ca_cert.to_pem; f }
+ pkey = Tempfile.open { |f| f << @svr_key.to_pem; f }
+
+ ctx_proc = -> ctx {
+ # FIXME: This is a temporary test case written just to match the current
+ # state. ctx.add_certificate_chain_file should take two arguments.
+ ctx.add_certificate_chain_file(certs.path)
+ # # Unset values set by start_server
+ # ctx.cert = ctx.key = ctx.extra_chain_cert = nil
+ # assert_nothing_raised { ctx.add_certificate_chain_file(certs.path, pkey.path) }
+ }
+
+ start_server(ctx_proc: ctx_proc) { |port|
+ server_connect(port) { |ssl|
+ assert_equal @svr_cert.subject, ssl.peer_cert.subject
+ assert_equal [@svr_cert.subject, @ca_cert.subject],
+ ssl.peer_cert_chain.map(&:subject)
+
+ ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+ }
+ }
+ ensure
+ certs&.unlink
+ pkey&.unlink
 end
 def test_sysread_and_syswrite
-- cgit v1.2.3
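Review bot: The failure path is not exercised in `test_add_certificate_chain_file`: the method now raises instead of returning false, but the test only covers a successful load. A negative case such as `assert_raise(OpenSSL::SSL::SSLError) { OpenSSL::SSL::SSLContext.new.add_certificate_chain_file("/nonexistent/chain.pem") }` (constructed path) would pin that contract. Separately, `pkey` writes the server key to a temporary file that only the commented-out lines read. Creating that file once the two-argument form is actually enabled would avoid putting key material on disk for no purpose.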