author | emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-09-03 01:14:26 +0000 |
---|---|---|
committer | emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-09-03 01:14:26 +0000 |
commit | e29819df6e6a644bbfadbdc706a472c413015286 (patch) | |
tree | 33b5dcd1ab6b1d96a922f1e5e48d3f7032ad8124 /test | |
parent | 9b6f66c74f367bbce13dc19bcc5e4d037ed290bf (diff) | |
* ext/openssl/extconf.rb: Detect OpenSSL_FIPS macro
ext/openssl/ossl.c: Expose OpenSSL::OPENSSL_FIPS constant to
indicate whether OpenSSL runs in FIPS mode.
test/openssl/test_pkey_dh.rb: Generate 256 bit keys for
non-FIPS installations to improve test performance (e.g. for
rubyci).
test/openssl/utils.rb: Replace DSS1 as certificate signature
digest with SHA1 for FIPS installations when using DSA by
introducing TestUtils::DSA_SIGNATURE_DIGEST.
test/openssl/test_x509cert.rb:
test/openssl/test_x509crl.rb:
test/openssl/test_x509req.rb: Use DSA_SIGNATURE_DIGEST
NEWS: Introduce OpenSSL::OPENSSL_FIPS
These changes allow running the OpenSSL tests in FIPS mode
while keeping a high performance for non-FIPS installations.
Introduction of OpenSSL::OPENSSL_FIPS allows for applications
to react to special requirements when using OpenSSL in FIPS mode.
[Feature #6946] [ruby-core:47345]
- Diese und die folgenden Zeilen werden ignoriert --
M ext/openssl/extconf.rb
M ext/openssl/ossl.c
M NEWS
M ChangeLog
M test/openssl/utils.rb
M test/openssl/test_x509crl.rb
M test/openssl/test_x509req.rb
M test/openssl/test_x509cert.rb
M test/openssl/test_pkey_dh.rb
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36884 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test')
-rw-r--r-- | test/openssl/test_pkey_dh.rb | 10 | ||||
-rw-r--r-- | test/openssl/test_x509cert.rb | 6 | ||||
-rw-r--r-- | test/openssl/test_x509crl.rb | 4 | ||||
-rw-r--r-- | test/openssl/test_x509req.rb | 4 | ||||
-rw-r--r-- | test/openssl/utils.rb | 4 |
5 files changed, 19 insertions, 9 deletions
diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
index d261c8f215..7c7596f193 100644
--- a/test/openssl/test_pkey_dh.rb
+++ b/test/openssl/test_pkey_dh.rb
@@ -3,15 +3,19 @@ require_relative 'utils' if defined?(OpenSSL) class OpenSSL::TestPKeyDH < Test::Unit::TestCase + + # improve test performance for non-FIPS installations + NEW_KEYLEN = OpenSSL::OPENSSL_FIPS ? 1024 : 256 + def test_new - dh = OpenSSL::PKey::DH.new(1024) + dh = OpenSSL::PKey::DH.new(NEW_KEYLEN) assert_key(dh) end def test_new_break - assert_nil(OpenSSL::PKey::DH.new(1024) { break }) + assert_nil(OpenSSL::PKey::DH.new(NEW_KEYLEN) { break }) assert_raises(RuntimeError) do - OpenSSL::PKey::DH.new(1024) { raise } + OpenSSL::PKey::DH.new(NEW_KEYLEN) { raise } end end
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index 80c31f4d13..1c47b2b42b 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -39,8 +39,10 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase sha1 = OpenSSL::Digest::SHA1.new dss1 = OpenSSL::Digest::DSS1.new + dsa_digest = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new + [ - [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dss1], [@dsa512, dss1], + [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dsa_digest], [@dsa512, dsa_digest] ].each{|pk, digest| cert = issue_cert(@ca, pk, 1, Time.now, Time.now+3600, exts, nil, nil, digest)
@@ -145,7 +147,7 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase assert_equal(false, cert.verify(@rsa2048)) cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::DSS1.new) + nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) assert_equal(false, certificate_error_returns_false { cert.verify(@rsa1024) }) assert_equal(false, certificate_error_returns_false { cert.verify(@rsa2048) }) assert_equal(false, cert.verify(@dsa256))
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
index 56508e0a12..c321c00083 100644
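Review bot: The comment above `NEW_KEYLEN` in test_pkey_dh.rb gives only the performance reason, so nothing tells a reader that 256-bit DH parameters are far too small for real use and should not be copied out of the test suite. I would extend it to something like `# 256-bit DH is for fast test runs only and offers no security; FIPS builds get 1024 bits`. The commit message says `OpenSSL::OPENSSL_FIPS` comes from a macro detected in extconf.rb, so it may reflect how OpenSSL was built rather than whether FIPS mode is enabled at run time; a short remark on which of the two the tests rely on would help. The class body continues outside the hunk.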
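Review bot: In the first test_x509cert.rb hunk (`@@ -39,8 +39,10 @@`) the context line `dss1 = OpenSSL::Digest::DSS1.new` stays on the new side although the key/digest list no longer uses `dss1`. If DSS1 is unavailable under FIPS, which is the reason the commit message gives for introducing `DSA_SIGNATURE_DIGEST`, that line would probably still raise there and undo the purpose of the change. Removing it looks right unless `dss1` is used later in the method, which continues outside the hunk.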
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@@ -198,9 +198,9 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase assert_equal(false, crl.verify(@rsa2048)) cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::DSS1.new) + nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) crl = issue_crl([], 1, Time.now, Time.now+1600, [], - cert, @dsa512, OpenSSL::Digest::DSS1.new) + cert, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) }) assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) }) assert_equal(false, crl.verify(@dsa256))
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index 882a1d7356..e6c89c5e81 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -26,7 +26,7 @@ class OpenSSL::TestX509Request < Test::Unit::TestCase req = OpenSSL::X509::Request.new(req.to_der) assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der) - req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) + req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) assert_equal(@dsa512.public_key.to_der, req.public_key.to_der) req = OpenSSL::X509::Request.new(req.to_der) assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
@@ -115,7 +115,7 @@ class OpenSSL::TestX509Request < Test::Unit::TestCase req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar") assert_equal(false, req.verify(@rsa2048)) - req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) + req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) assert_equal(false, request_error_returns_false { req.verify(@rsa1024) }) assert_equal(false, request_error_returns_false { req.verify(@rsa2048) }) assert_equal(false, req.verify(@dsa256))
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index f95179636c..ae33aa998c 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -109,6 +109,10 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC TEST_KEY_DH1024.priv_key = OpenSSL::BN.new("48561834C67E65FFD2A9B47F41E5E78FDC95C387428FDB1E4B0188B64D1643C3A8D3455B945B7E8C4D166010C7C2CE23BFB9BEF43D0348FE7FA5284B0225E7FE1537546D114E3D8A4411B9B9351AB451E1A358F50ED61B1F00DA29336EEBBD649980AC86D76AF8BBB065298C2052672EEF3EF13AB47A15275FC2836F3AC74CEA", 16) + DSA_SIGNATURE_DIGEST = OpenSSL::OPENSSL_FIPS ? + OpenSSL::Digest::SHA1 : + OpenSSL::Digest::DSS1 + module_function def issue_cert(dn, key, serial, not_before, not_after, extensions, |
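Review bot: `DSA_SIGNATURE_DIGEST` in test/openssl/utils.rb is added without a comment, so the reason for the FIPS switch is recorded only in the commit message. A line above the constant such as `# FIPS installations cannot use DSS1 for DSA signatures; fall back to SHA1 there` would keep that next to the code, with the wording checked against the actual FIPS behaviour. Since every caller in this commit writes `DSA_SIGNATURE_DIGEST.new`, the comment could also state that the constant holds a digest class rather than an instance.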