diff options
| author | rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-08-29 05:47:09 +0000 |
|---|---|---|
| committer | rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-08-29 05:47:09 +0000 |
| commit | 86048989b2460d1dd762037449f8c9a9f6d35d3a (patch) | |
| tree | 831281099f54c0be80293785761a46688a0711f3 /test | |
| parent | 796285b70303b376244d9b526113face212f230c (diff) | |
| download | ruby-86048989b2460d1dd762037449f8c9a9f6d35d3a.tar.gz | |
import Ruby/OpenSSL 2.0.0.beta.1
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
ext/openssl is now converted into a default gem. The full commit
history since r55538 can be found at:
https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1
[Feature #9612]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test')
| -rw-r--r-- | test/openssl/test_cipher.rb | 90 | ||||
| -rw-r--r-- | test/openssl/test_config.rb | 2 | ||||
| -rw-r--r-- | test/openssl/test_engine.rb | 13 | ||||
| -rw-r--r-- | test/openssl/test_ocsp.rb | 159 | ||||
| -rw-r--r-- | test/openssl/test_pair.rb | 34 | ||||
| -rw-r--r-- | test/openssl/test_partial_record_read.rb | 35 | ||||
| -rw-r--r-- | test/openssl/test_pkcs12.rb | 5 | ||||
| -rw-r--r-- | test/openssl/test_pkey.rb | 49 | ||||
| -rw-r--r-- | test/openssl/test_pkey_dh.rb | 78 | ||||
| -rw-r--r-- | test/openssl/test_pkey_dsa.rb | 275 | ||||
| -rw-r--r-- | test/openssl/test_pkey_ec.rb | 419 | ||||
| -rw-r--r-- | test/openssl/test_pkey_rsa.rb | 344 | ||||
| -rw-r--r-- | test/openssl/test_ssl.rb | 267 | ||||
| -rw-r--r-- | test/openssl/test_ssl_session.rb | 6 | ||||
| -rw-r--r-- | test/openssl/test_x509attr.rb | 11 | ||||
| -rw-r--r-- | test/openssl/test_x509crl.rb | 4 | ||||
| -rw-r--r-- | test/openssl/test_x509ext.rb | 30 | ||||
| -rw-r--r-- | test/openssl/test_x509name.rb | 5 | ||||
| -rw-r--r-- | test/openssl/test_x509req.rb | 7 | ||||
| -rw-r--r-- | test/openssl/test_x509store.rb | 7 | ||||
| -rw-r--r-- | test/openssl/ut_eof.rb | 129 | ||||
| -rw-r--r-- | test/openssl/utils.rb | 38 |
22 files changed, 1159 insertions, 848 deletions
diff --git a/test/openssl/test_cipher.rb b/test/openssl/test_cipher.rb index ec14f46714..74c5394f5f 100644 --- a/test/openssl/test_cipher.rb +++ b/test/openssl/test_cipher.rb @@ -5,16 +5,12 @@ if defined?(OpenSSL::TestUtils) class OpenSSL::TestCipher < OpenSSL::TestCase + @ciphers = OpenSSL::Cipher.ciphers + class << self def has_cipher?(name) - ciphers = OpenSSL::Cipher.ciphers - # redefine method so we can use the cached ciphers value from the closure - # and need not recompute the list each time - define_singleton_method :has_cipher? do |name| - ciphers.include?(name) - end - has_cipher?(name) + @ciphers.include?(name) end def has_ciphers?(list) @@ -24,7 +20,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase end def setup - @c1 = OpenSSL::Cipher::Cipher.new("DES-EDE3-CBC") + @c1 = OpenSSL::Cipher.new("DES-EDE3-CBC") @c2 = OpenSSL::Cipher::DES.new(:EDE3, "CBC") @key = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" @iv = "\0\0\0\0\0\0\0\0" @@ -118,10 +114,9 @@ class OpenSSL::TestCipher < OpenSSL::TestCase OpenSSL::Cipher.ciphers.each{|name| next if /netbsd/ =~ RUBY_PLATFORM && /idea|rc5/i =~ name begin - assert_kind_of(OpenSSL::Cipher::Cipher, OpenSSL::Cipher::Cipher.new(name)) + assert_kind_of(OpenSSL::Cipher, OpenSSL::Cipher.new(name)) rescue OpenSSL::Cipher::CipherError => e - next if /wrap/ =~ name and e.message == 'wrap mode not allowed' - raise + raise unless /wrap/ =~ name and /wrap mode not allowed/ =~ e.message end } end @@ -247,8 +242,81 @@ class OpenSSL::TestCipher < OpenSSL::TestCase end end + def test_aes_gcm_variable_iv_len + pt = "You should all use Authenticated Encryption!" + cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt + cipher.key = "x" * 16 + assert_equal(12, cipher.iv_len) + cipher.iv = "a" * 12 + ct1 = cipher.update(pt) << cipher.final + tag1 = cipher.auth_tag + + cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt + cipher.key = "x" * 16 + cipher.iv_len = 10 + assert_equal(10, cipher.iv_len) + cipher.iv = "a" * 10 + ct2 = cipher.update(pt) << cipher.final + tag2 = cipher.auth_tag + + assert_not_equal ct1, ct2 + assert_not_equal tag1, tag2 + + decipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt + decipher.auth_tag = tag1 + decipher.key = "x" * 16 + decipher.iv_len = 12 + decipher.iv = "a" * 12 + assert_equal(pt, decipher.update(ct1) << decipher.final) + + decipher.reset + decipher.auth_tag = tag2 + assert_raise(OpenSSL::Cipher::CipherError) { + decipher.update(ct2) << decipher.final + } + + decipher.reset + decipher.auth_tag = tag2 + decipher.iv_len = 10 + decipher.iv = "a" * 10 + assert_equal(pt, decipher.update(ct2) << decipher.final) + end + end + def test_aes_ocb_tag_len + pt = "You should all use Authenticated Encryption!" + cipher = OpenSSL::Cipher.new("aes-128-ocb").encrypt + cipher.auth_tag_len = 14 + cipher.iv_len = 8 + key = cipher.random_key + iv = cipher.random_iv + cipher.auth_data = "aad" + ct = cipher.update(pt) + cipher.final + tag = cipher.auth_tag + assert_equal(14, tag.size) + + decipher = OpenSSL::Cipher.new("aes-128-ocb").decrypt + decipher.auth_tag_len = 14 + decipher.auth_tag = tag + decipher.iv_len = 8 + decipher.key = key + decipher.iv = iv + decipher.auth_data = "aad" + assert_equal(pt, decipher.update(ct) + decipher.final) + + decipher = OpenSSL::Cipher.new("aes-128-ocb").decrypt + decipher.auth_tag_len = 9 + decipher.auth_tag = tag[0, 9] + decipher.iv_len = 8 + decipher.key = key + decipher.iv = iv + decipher.auth_data = "aad" + assert_raise(OpenSSL::Cipher::CipherError) { + decipher.update(ct) + decipher.final + } + end if has_cipher?("aes-128-ocb") + private def new_encryptor(algo) diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb index bedd1d047c..3e2e1273fb 100644 --- a/test/openssl/test_config.rb +++ b/test/openssl/test_config.rb @@ -25,7 +25,7 @@ __EOD__ def test_constants assert(defined?(OpenSSL::Config::DEFAULT_CONFIG_FILE)) config_file = OpenSSL::Config::DEFAULT_CONFIG_FILE - skip "DEFAULT_CONFIG_FILE may return a wrong path on your platforms. [Bug #6830]" unless File.readable?(config_file) + pend "DEFAULT_CONFIG_FILE may return a wrong path on your platforms. [Bug #6830]" unless File.readable?(config_file) assert_nothing_raised do OpenSSL::Config.load(config_file) end diff --git a/test/openssl/test_engine.rb b/test/openssl/test_engine.rb index bbf56a1887..2d394cf797 100644 --- a/test/openssl/test_engine.rb +++ b/test/openssl/test_engine.rb @@ -14,7 +14,7 @@ class OpenSSL::TestEngine < OpenSSL::TestCase def test_openssl_engine_builtin with_openssl <<-'end;' orig = OpenSSL::Engine.engines - skip "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" } + pend "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" } engine = OpenSSL::Engine.load("openssl") assert_equal(true, engine) assert_equal(1, OpenSSL::Engine.engines.size - orig.size) @@ -24,7 +24,7 @@ class OpenSSL::TestEngine < OpenSSL::TestCase def test_openssl_engine_by_id_string with_openssl <<-'end;' orig = OpenSSL::Engine.engines - skip "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" } + pend "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" } engine = get_engine assert_not_nil(engine) assert_equal(1, OpenSSL::Engine.engines.size - orig.size) @@ -72,11 +72,18 @@ class OpenSSL::TestEngine < OpenSSL::TestCase end; end + def test_dup + with_openssl <<-'end;' + engine = get_engine + assert_raise(NoMethodError) { engine.dup } + end; + end + private # this is required because OpenSSL::Engine methods change global state def with_openssl(code) - assert_separately(["-ropenssl"], <<~"end;") + assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") require #{__FILE__.dump} include OpenSSL::TestEngine::Utils #{code} diff --git a/test/openssl/test_ocsp.rb b/test/openssl/test_ocsp.rb index f3e7c65dca..a69fd60fda 100644 --- a/test/openssl/test_ocsp.rb +++ b/test/openssl/test_ocsp.rb @@ -5,33 +5,47 @@ if defined?(OpenSSL::TestUtils) class OpenSSL::TestOCSP < OpenSSL::TestCase def setup + now = Time.at(Time.now.to_i) # suppress usec + dgst = OpenSSL::Digest::SHA1.new + + # @ca_cert + # | + # @cert + # |----------| + # @cert2 @ocsp_cert + ca_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA") - ca_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 - ca_serial = 0xabcabcabcabc + @ca_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 ca_exts = [ ["basicConstraints", "CA:TRUE", true], ["keyUsage", "cRLSign,keyCertSign", true], ] - - subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert") - @key = OpenSSL::TestUtils::TEST_KEY_RSA1024 - serial = 0xabcabcabcabd - - now = Time.at(Time.now.to_i) # suppress usec - dgst = OpenSSL::Digest::SHA1.new - @ca_cert = OpenSSL::TestUtils.issue_cert( - ca_subj, ca_key, ca_serial, now, now+3600, ca_exts, nil, nil, dgst) + ca_subj, @ca_key, 1, now, now+3600, ca_exts, nil, nil, dgst) + + cert_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA2") + @cert_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + cert_exts = [ + ["basicConstraints", "CA:TRUE", true], + ["keyUsage", "cRLSign,keyCertSign", true], + ] @cert = OpenSSL::TestUtils.issue_cert( - subj, @key, serial, now, now+3600, [], @ca_cert, ca_key, dgst) + cert_subj, @cert_key, 5, now, now+3600, cert_exts, @ca_cert, @ca_key, dgst) - @key2 = OpenSSL::TestUtils::TEST_KEY_RSA2048 + cert2_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert") + @cert2_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 cert2_exts = [ - ["extendedKeyUsage", "OCSPSigning", true], ] @cert2 = OpenSSL::TestUtils.issue_cert( - OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert2"), - @key2, serial+1, now, now+3600, cert2_exts, @ca_cert, ca_key, "SHA256") + cert2_subj, @cert2_key, 10, now, now+3600, cert2_exts, @cert, @cert_key, dgst) + + ocsp_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCAOCSP") + @ocsp_key = OpenSSL::TestUtils::TEST_KEY_RSA2048 + ocsp_exts = [ + ["extendedKeyUsage", "OCSPSigning", true], + ] + @ocsp_cert = OpenSSL::TestUtils.issue_cert( + ocsp_subj, @ocsp_key, 100, now, now+3600, ocsp_exts, @cert, @cert_key, "SHA256") end def test_new_certificate_id @@ -63,12 +77,13 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase end def test_certificate_id_der - cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert) # hash algorithm defaults to SHA-1 + cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert) der = cid.to_der asn1 = OpenSSL::ASN1.decode(der) + # hash algorithm defaults to SHA-1 assert_equal OpenSSL::ASN1.ObjectId("SHA1").to_der, asn1.value[0].value[0].to_der - assert_equal OpenSSL::Digest::SHA1.digest(@cert.issuer.to_der), asn1.value[1].value - assert_equal OpenSSL::Digest::SHA1.digest(OpenSSL::ASN1.decode(@ca_cert.to_der).value[0].value[6].value[1].value), asn1.value[2].value + assert_equal [cid.issuer_name_hash].pack("H*"), asn1.value[1].value + assert_equal [cid.issuer_key_hash].pack("H*"), asn1.value[2].value assert_equal @cert.serial, asn1.value[3].value assert_equal der, OpenSSL::OCSP::CertificateId.new(der).to_der end @@ -82,7 +97,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase request = OpenSSL::OCSP::Request.new cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) request.add_certid(cid) - request.sign(@cert, @key, [@ca_cert], 0) + request.sign(@cert, @cert_key, [@ca_cert], 0) asn1 = OpenSSL::ASN1.decode(request.to_der) assert_equal cid.to_der, asn1.value[0].value.find { |a| a.tag_class == :UNIVERSAL }.value[0].value[0].to_der assert_equal OpenSSL::ASN1.ObjectId("sha1WithRSAEncryption").to_der, asn1.value[1].value[0].value[0].value[0].to_der @@ -92,40 +107,51 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase end def test_request_sign_verify - request = OpenSSL::OCSP::Request.new - cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) - request.add_certid(cid) - request.sign(@cert, @key, nil, 0, "SHA1") - assert_equal cid.to_der, request.certid.first.to_der - store1 = OpenSSL::X509::Store.new; store1.add_cert(@ca_cert) - assert_equal true, request.verify([@cert], store1) - assert_equal true, request.verify([], store1) - store2 = OpenSSL::X509::Store.new; store1.add_cert(@cert2) - assert_equal false, request.verify([], store2) - assert_equal true, request.verify([], store2, OpenSSL::OCSP::NOVERIFY) + cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert) + store = OpenSSL::X509::Store.new.add_cert(@ca_cert) + + # with signer cert + req = OpenSSL::OCSP::Request.new.add_certid(cid) + req.sign(@cert, @cert_key, []) + assert_equal true, req.verify([], store) + + # without signer cert + req = OpenSSL::OCSP::Request.new.add_certid(cid) + req.sign(@cert, @cert_key, nil) + assert_equal false, req.verify([@cert2], store) + assert_equal false, req.verify([], store) # no signer + assert_equal false, req.verify([], store, OpenSSL::OCSP::NOVERIFY) + + assert_equal true, req.verify([@cert], store, OpenSSL::OCSP::NOINTERN) + ret = req.verify([@cert], store) + if ret || OpenSSL::OPENSSL_VERSION =~ /OpenSSL/ && OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000 + assert_equal true, ret + else + # RT2560; OCSP_request_verify() does not find signer cert from 'certs' when + # OCSP_NOINTERN is not specified. + # fixed by OpenSSL 1.0.1j, 1.0.2 and LibreSSL 2.4.2 + pend "RT2560: ocsp_req_find_signer" + end end def test_request_nonce req0 = OpenSSL::OCSP::Request.new - req1 = OpenSSL::OCSP::Request.new - req1.add_nonce("NONCE") - req2 = OpenSSL::OCSP::Request.new - req2.add_nonce("NONCF") + req1 = OpenSSL::OCSP::Request.new.add_nonce("NONCE") + req2 = OpenSSL::OCSP::Request.new.add_nonce("ABCDE") bres = OpenSSL::OCSP::BasicResponse.new assert_equal 2, req0.check_nonce(bres) bres.copy_nonce(req1) + assert_equal 3, req0.check_nonce(bres) assert_equal 1, req1.check_nonce(bres) bres.add_nonce("NONCE") assert_equal 1, req1.check_nonce(bres) assert_equal 0, req2.check_nonce(bres) - assert_equal 3, req0.check_nonce(bres) end def test_request_dup request = OpenSSL::OCSP::Request.new cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) request.add_certid(cid) - request.sign(@cert, @key, nil, 0, "SHA1") assert_equal request.to_der, request.dup.to_der end @@ -134,37 +160,49 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, []) bres.add_nonce("NONCE") - bres.sign(@cert2, @key2, [@ca_cert], 0) + bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0) der = bres.to_der asn1 = OpenSSL::ASN1.decode(der) - assert_equal cid.to_der, asn1.value[0].value.find { |a| a.class == OpenSSL::ASN1::Sequence }.value[0].value[0].to_der - assert_equal OpenSSL::ASN1.Sequence([@cert2, @ca_cert]).to_der, asn1.value[3].value[0].to_der + assert_equal OpenSSL::ASN1.Sequence([@ocsp_cert, @ca_cert]).to_der, asn1.value[3].value[0].to_der assert_equal der, OpenSSL::OCSP::BasicResponse.new(der).to_der rescue TypeError if /GENERALIZEDTIME/ =~ $!.message - skip "OCSP_basic_sign() is broken" + pend "OCSP_basic_sign() is broken" else raise end end def test_basic_response_sign_verify - cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA256.new) + store = OpenSSL::X509::Store.new.add_cert(@ca_cert) + + # signed by CA + bres = OpenSSL::OCSP::BasicResponse.new + cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, "SHA256") + bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, -400, -300, 500, []) + bres.sign(@ca_cert, @ca_key, nil, 0, "SHA256") + assert_equal false, bres.verify([], store) # signer not found + assert_equal true, bres.verify([@ca_cert], store) + bres.sign(@ca_cert, @ca_key, [], 0, "SHA256") + assert_equal true, bres.verify([], store) + + # signed by OCSP signer bres = OpenSSL::OCSP::BasicResponse.new - bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, 500, []) - bres.sign(@cert2, @key2, [], 0, "SHA256") # how can I check the algorithm? - store1 = OpenSSL::X509::Store.new; store1.add_cert(@ca_cert) - assert_equal true, bres.verify([], store1) - store2 = OpenSSL::X509::Store.new; store2.add_cert(@cert) - assert_equal false, bres.verify([], store2) - assert_equal true, bres.verify([], store2, OpenSSL::OCSP::NOVERIFY) + cid = OpenSSL::OCSP::CertificateId.new(@cert2, @cert) + bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, -400, -300, 500, []) + bres.sign(@ocsp_cert, @ocsp_key, [@cert]) + assert_equal true, bres.verify([], store) + assert_equal false, bres.verify([], store, OpenSSL::OCSP::NOCHAIN) + # OpenSSL had a bug on this; test that our workaround works + bres.sign(@ocsp_cert, @ocsp_key, []) + assert_equal true, bres.verify([@cert], store) end def test_basic_response_dup bres = OpenSSL::OCSP::BasicResponse.new cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, []) - bres.sign(@cert2, @key2, [@ca_cert], 0) + bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0) assert_equal bres.to_der, bres.dup.to_der end @@ -172,7 +210,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase bres = OpenSSL::OCSP::BasicResponse.new now = Time.at(Time.now.to_i) cid1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) - cid2 = OpenSSL::OCSP::CertificateId.new(@cert2, @ca_cert, OpenSSL::Digest::SHA1.new) + cid2 = OpenSSL::OCSP::CertificateId.new(@ocsp_cert, @ca_cert, OpenSSL::Digest::SHA1.new) cid3 = OpenSSL::OCSP::CertificateId.new(@ca_cert, @ca_cert, OpenSSL::Digest::SHA1.new) bres.add_status(cid1, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, now - 400, -300, nil, nil) bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, nil, -300, 500, []) @@ -206,14 +244,14 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase def test_single_response_check_validity bres = OpenSSL::OCSP::BasicResponse.new cid1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) - cid2 = OpenSSL::OCSP::CertificateId.new(@cert2, @ca_cert, OpenSSL::Digest::SHA1.new) + cid2 = OpenSSL::OCSP::CertificateId.new(@ocsp_cert, @ca_cert, OpenSSL::Digest::SHA1.new) bres.add_status(cid1, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, -50, []) bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, nil, []) bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, nil, Time.now + 100, nil, nil) if bres.responses[2].check_validity # thisUpdate is in future; must fail # LibreSSL bug; skip for now - skip "OCSP_check_validity() is broken" + pend "OCSP_check_validity() is broken" end single1 = bres.responses[0] @@ -226,11 +264,22 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase assert_equal false, single2.check_validity(0, 200) end + def test_response + bres = OpenSSL::OCSP::BasicResponse.new + cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) + bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, []) + bres.sign(@ocsp_cert, @ocsp_key, []) + res = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres) + + assert_equal bres.to_der, res.basic.to_der + assert_equal OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, res.status + end + def test_response_der bres = OpenSSL::OCSP::BasicResponse.new cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, []) - bres.sign(@cert2, @key2, [@ca_cert], 0) + bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0) res = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres) der = res.to_der asn1 = OpenSSL::ASN1.decode(der) @@ -242,7 +291,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase def test_response_dup bres = OpenSSL::OCSP::BasicResponse.new - bres.sign(@cert2, @key2, [@ca_cert], 0) + bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0) res = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres) assert_equal res.to_der, res.dup.to_der end diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb index d611d0f965..9250222979 100644 --- a/test/openssl/test_pair.rb +++ b/test/openssl/test_pair.rb @@ -4,7 +4,7 @@ require_relative 'utils' if defined?(OpenSSL::TestUtils) require 'socket' -require_relative '../ruby/ut_eof' +require_relative 'ut_eof' module OpenSSL::SSLPairM def server @@ -322,6 +322,16 @@ module OpenSSL::TestPairM } end + def test_partial_tls_record_read_nonblock + ssl_pair { |s1, s2| + # the beginning of a TLS record + s1.io.write("\x17") + # should raise a IO::WaitReadable since a full TLS record is not available + # for reading + assert_raise(IO::WaitReadable) { s2.read_nonblock(1) } + } + end + def tcp_pair host = "127.0.0.1" serv = TCPServer.new(host, 0) @@ -341,7 +351,7 @@ module OpenSSL::TestPairM ctx2.tmp_dh_callback = nil sock1, sock2 = tcp_pair s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) - accepted = s2.accept_nonblock(exception: false) + s2.accept_nonblock(exception: false) ctx1 = OpenSSL::SSL::SSLContext.new ctx1.ciphers = "DH" @@ -350,16 +360,16 @@ module OpenSSL::TestPairM s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) t = Thread.new { s1.connect } - accept = s2.accept + EnvUtil.suppress_warning { # uses default callback + assert_nothing_raised { s2.accept } + } assert_equal s1, t.value - assert accept ensure t.join if t s1.close if s1 s2.close if s2 sock1.close if sock1 sock2.close if sock2 - accepted.close if accepted.respond_to?(:close) end def test_connect_without_setting_dh_callback @@ -368,7 +378,7 @@ module OpenSSL::TestPairM ctx2.security_level = 0 sock1, sock2 = tcp_pair s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) - accepted = s2.accept_nonblock(exception: false) + s2.accept_nonblock(exception: false) ctx1 = OpenSSL::SSL::SSLContext.new ctx1.ciphers = "DH" @@ -376,16 +386,16 @@ module OpenSSL::TestPairM s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) t = Thread.new { s1.connect } - accept = s2.accept + EnvUtil.suppress_warning { # default DH + assert_nothing_raised { s2.accept } + } assert_equal s1, t.value - assert accept ensure t.join if t s1.close if s1 s2.close if s2 sock1.close if sock1 sock2.close if sock2 - accepted.close if accepted.respond_to?(:close) end def test_ecdh_callback @@ -422,11 +432,11 @@ module OpenSSL::TestPairM end until rv == s1 end - accepted = s2.accept + s2.accept assert called, 'ecdh callback should be called' rescue OpenSSL::SSL::SSLError => e if e.message =~ /no cipher match/ - skip "ECDH cipher not supported." + pend "ECDH cipher not supported." else raise e end @@ -447,7 +457,7 @@ module OpenSSL::TestPairM begin ctx1.ciphers = "ECDH" rescue OpenSSL::SSL::SSLError - skip "ECDH is not enabled in this OpenSSL" if $!.message =~ /no cipher match/ + pend "ECDH is not enabled in this OpenSSL" if $!.message =~ /no cipher match/ raise end ctx1.ecdh_curves = "P-384:P-521" diff --git a/test/openssl/test_partial_record_read.rb b/test/openssl/test_partial_record_read.rb deleted file mode 100644 index 71e644a039..0000000000 --- a/test/openssl/test_partial_record_read.rb +++ /dev/null @@ -1,35 +0,0 @@ -# frozen_string_literal: false -require_relative "utils" - -if defined?(OpenSSL::TestUtils) - - class OpenSSL::TestPartialRecordRead < OpenSSL::SSLTestCase - def test_partial_tls_record_read_nonblock - start_server(OpenSSL::SSL::VERIFY_NONE, true, :server_proc => - Proc.new do |server_ctx, server_ssl| - begin - server_ssl.io.write("\x01") # the beginning of a TLS record - sleep 6 # do not finish prematurely before the read by the client is attempted - ensure - server_ssl.close - end - end - ) do |server, port| - sock = TCPSocket.new("127.0.0.1", port) - ssl = OpenSSL::SSL::SSLSocket.new(sock) - ssl.sync_close = true - begin - ssl.connect - sleep 3 # wait is required for the (incomplete) TLS record to arrive at the client socket - - # Should raise a IO::WaitReadable since a full TLS record is not available for reading. - assert_raise(IO::WaitReadable) { ssl.read_nonblock(1) } - ensure - ssl.close - end - end - end - - end - -end diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb index 61fb447473..7ab501c480 100644 --- a/test/openssl/test_pkcs12.rb +++ b/test/openssl/test_pkcs12.rb @@ -180,6 +180,11 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= end end + def test_dup + p12 = OpenSSL::PKCS12.create("pass", "name", TEST_KEY_RSA1024, @mycert) + assert_equal p12.to_der, p12.dup.to_der + end + private def assert_cert expected, actual [ diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb new file mode 100644 index 0000000000..79647c8f1d --- /dev/null +++ b/test/openssl/test_pkey.rb @@ -0,0 +1,49 @@ +# frozen_string_literal: false +require_relative "utils" + +if defined?(OpenSSL::TestUtils) + +class OpenSSL::TestPKey < OpenSSL::PKeyTestCase + PKEYS = { + OpenSSL::PKey::RSA => { + key: OpenSSL::TestUtils::TEST_KEY_RSA1024, + digest: OpenSSL::Digest::SHA1, + }, + OpenSSL::PKey::DSA => { + key: OpenSSL::TestUtils::TEST_KEY_DSA512, + digest: OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST, + }, + } + if defined?(OpenSSL::PKey::EC) + PKEYS[OpenSSL::PKey::EC] = { + key: OpenSSL::TestUtils::TEST_KEY_EC_P256V1, + digest: OpenSSL::Digest::SHA1, + } + end + + def test_sign_verify + data = "Sign me!" + invalid_data = "Sign me?" + PKEYS.each do |klass, prop| + key = prop[:key] + pub_key = dup_public(prop[:key]) + digest = prop[:digest].new + signature = key.sign(digest, data) + assert_equal(true, pub_key.verify(digest, signature, data)) + assert_equal(false, pub_key.verify(digest, signature, invalid_data)) + # digest state is irrelevant + digest << "unya" + assert_equal(true, pub_key.verify(digest, signature, data)) + assert_equal(false, pub_key.verify(digest, signature, invalid_data)) + + if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000 + digest = OpenSSL::Digest::SHA256.new + signature = key.sign(digest, data) + assert_equal(true, pub_key.verify(digest, signature, data)) + assert_equal(false, pub_key.verify(digest, signature, invalid_data)) + end + end + end +end + +end diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb index 4d84f7ad49..470c952e21 100644 --- a/test/openssl/test_pkey_dh.rb +++ b/test/openssl/test_pkey_dh.rb @@ -3,33 +3,25 @@ require_relative 'utils' if defined?(OpenSSL::TestUtils) -class OpenSSL::TestPKeyDH < OpenSSL::TestCase +class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase + DH1024 = OpenSSL::TestUtils::TEST_KEY_DH1024 NEW_KEYLEN = 256 - def test_DEFAULT_1024 - params = <<-eop ------BEGIN DH PARAMETERS----- -MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ -AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR -T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC ------END DH PARAMETERS----- - eop - assert_equal params, OpenSSL::PKey::DH::DEFAULT_1024.to_s - end - - def test_DEFAULT_2048 - params = <<-eop ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY -JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab -VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6 -YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 -1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD -7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg== ------END DH PARAMETERS----- - eop - assert_equal params, OpenSSL::PKey::DH::DEFAULT_2048.to_s + def test_DEFAULT_parameters + list = { + 1024 => OpenSSL::PKey::DH::DEFAULT_1024, + 2048 => OpenSSL::PKey::DH::DEFAULT_2048, + } + + list.each do |expected_size, dh| + assert_equal expected_size, dh.p.num_bits + assert_predicate dh.p, :prime? + result, remainder = (dh.p - 1) / 2 + assert_predicate result, :prime? + assert_equal 0, remainder + assert_no_key dh + end end def test_new @@ -44,20 +36,26 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 end end - def test_to_der - dh = OpenSSL::TestUtils::TEST_KEY_DH1024 - der = dh.to_der - dh2 = OpenSSL::PKey::DH.new(der) - assert_equal_params(dh, dh2) - assert_no_key(dh2) - end - - def test_to_pem - dh = OpenSSL::TestUtils::TEST_KEY_DH1024 - pem = dh.to_pem - dh2 = OpenSSL::PKey::DH.new(pem) - assert_equal_params(dh, dh2) - assert_no_key(dh2) + def test_DHparams + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(DH1024.p), + OpenSSL::ASN1::Integer(DH1024.g) + ]) + key = OpenSSL::PKey::DH.new(asn1.to_der) + assert_same_dh dup_public(DH1024), key + + pem = <<~EOF + -----BEGIN DH PARAMETERS----- + MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0 + pFxIvjG05D7HoBZQfrR0c92NGWPkAiCkhQKB8JCbPVzwNLDy6DZ0pmofDKrEsYHG + AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC + -----END DH PARAMETERS----- + EOF + key = OpenSSL::PKey::DH.new(pem) + assert_same_dh dup_public(DH1024), key + + assert_equal asn1.to_der, DH1024.to_der + assert_equal pem, DH1024.export end def test_public_key @@ -113,6 +111,10 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 assert(dh.pub_key) assert(dh.priv_key) end + + def assert_same_dh(expected, key) + check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key]) + end end end diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb index 9c29c034d0..d0ba8ec0f0 100644 --- a/test/openssl/test_pkey_dsa.rb +++ b/test/openssl/test_pkey_dsa.rb @@ -4,7 +4,9 @@ require 'base64' if defined?(OpenSSL::TestUtils) -class OpenSSL::TestPKeyDSA < OpenSSL::TestCase +class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase + DSA512 = OpenSSL::TestUtils::TEST_KEY_DSA512 + def test_private key = OpenSSL::PKey::DSA.new(256) assert(key.private?) @@ -20,6 +22,11 @@ class OpenSSL::TestPKeyDSA < OpenSSL::TestCase key = OpenSSL::PKey::DSA.new 256 pem = key.public_key.to_pem OpenSSL::PKey::DSA.new pem + if $0 == __FILE__ + assert_nothing_raised { + key = OpenSSL::PKey::DSA.new 2048 + } + end end def test_new_break @@ -37,55 +44,102 @@ class OpenSSL::TestPKeyDSA < OpenSSL::TestCase assert(key.sysverify(digest, sig)) end - def test_sign_verify - check_sign_verify(OpenSSL::Digest::DSS1.new) - end if defined?(OpenSSL::Digest::DSS1) - -if (OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000) - def test_sign_verify_sha1 - check_sign_verify(OpenSSL::Digest::SHA1.new) - end - - def test_sign_verify_sha256 - check_sign_verify(OpenSSL::Digest::SHA256.new) - end -end - - def test_digest_state_irrelevant_verify - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - digest1 = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new - digest2 = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new - data = 'Sign me!' - sig = key.sign(digest1, data) - digest1.reset - digest1 << 'Change state of digest1' - assert(key.verify(digest1, sig, data)) - assert(key.verify(digest2, sig, data)) - end + def test_DSAPrivateKey + # OpenSSL DSAPrivateKey format; similar to RSAPrivateKey + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(0), + OpenSSL::ASN1::Integer(DSA512.p), + OpenSSL::ASN1::Integer(DSA512.q), + OpenSSL::ASN1::Integer(DSA512.g), + OpenSSL::ASN1::Integer(DSA512.pub_key), + OpenSSL::ASN1::Integer(DSA512.priv_key) + ]) + key = OpenSSL::PKey::DSA.new(asn1.to_der) + assert_predicate key, :private? + assert_same_dsa DSA512, key + + pem = <<~EOF + -----BEGIN DSA PRIVATE KEY----- + MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok + RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D + AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR + S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++ + Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S + 55jreJD3Se3slps= + -----END DSA PRIVATE KEY----- + EOF + key = OpenSSL::PKey::DSA.new(pem) + assert_same_dsa DSA512, key + + assert_equal asn1.to_der, DSA512.to_der + assert_equal pem, DSA512.export + end + + def test_DSAPrivateKey_encrypted + # key = abcdef + pem = <<~EOF + -----BEGIN DSA PRIVATE KEY----- + Proc-Type: 4,ENCRYPTED + DEK-Info: AES-128-CBC,F8BB7BFC7EAB9118AC2E3DA16C8DB1D9 + + D2sIzsM9MLXBtlF4RW42u2GB9gX3HQ3prtVIjWPLaKBYoToRUiv8WKsjptfZuLSB + 74ZPdMS7VITM+W1HIxo/tjS80348Cwc9ou8H/E6WGat8ZUk/igLOUEII+coQS6qw + QpuLMcCIavevX0gjdjEIkojBB81TYDofA1Bp1z1zDI/2Zhw822xapI79ZF7Rmywt + OSyWzFaGipgDpdFsGzvT6//z0jMr0AuJVcZ0VJ5lyPGQZAeVBlbYEI4T72cC5Cz7 + XvLiaUtum6/sASD2PQqdDNpgx/WA6Vs1Po2kIUQIM5TIwyJI0GdykZcYm6xIK/ta + Wgx6c8K+qBAIVrilw3EWxw== + -----END DSA PRIVATE KEY----- + EOF + key = OpenSSL::PKey::DSA.new(pem, "abcdef") + assert_same_dsa DSA512, key + key = OpenSSL::PKey::DSA.new(pem) { "abcdef" } + assert_same_dsa DSA512, key + + cipher = OpenSSL::Cipher.new("aes-128-cbc") + exported = DSA512.to_pem(cipher, "abcdef\0\1") + assert_same_dsa DSA512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1") + assert_raise(OpenSSL::PKey::DSAError) { + OpenSSL::PKey::DSA.new(exported, "abcdef") + } + end + + def test_PUBKEY + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::ObjectId("DSA"), + OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(DSA512.p), + OpenSSL::ASN1::Integer(DSA512.q), + OpenSSL::ASN1::Integer(DSA512.g) + ]) + ]), + OpenSSL::ASN1::BitString( + OpenSSL::ASN1::Integer(DSA512.pub_key).to_der + ) + ]) + key = OpenSSL::PKey::DSA.new(asn1.to_der) + assert_not_predicate key, :private? + assert_same_dsa dup_public(DSA512), key + + pem = <<~EOF + -----BEGIN PUBLIC KEY----- + MIHxMIGoBgcqhkjOOAQBMIGcAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgT + YiEEHaOYhkIxv0OkRZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB + 4DZGH7UyarcaGy6DAkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqo + ji3/lHdKoVdTQNuRS/m6DlCwhjRjiQ/lBRgCLCcaA0QAAkEAjN891JBjzpMj4bWg + sACmMggFf57DS0Ti+5++Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxX + oXi9OA== + -----END PUBLIC KEY----- + EOF + key = OpenSSL::PKey::DSA.new(pem) + assert_same_dsa dup_public(DSA512), key - def test_read_DSA_PUBKEY - p = 7188211954100152441468596248707152960171255279130004340103875772401008316444412091945435731597638374542374929457672178957081124632837356913990200866056699 - q = 957032439192465935099784319494405376402293318491 - g = 122928973717064636255205666162891733518376475981809749897454444301389338825906076467196186192907631719698166056821519884939865041993585844526937010746285 - y = 1235756183583465414789073313502727057075641172514181938731172021825149551960029708596057102104063395063907739571546165975727369183495540798749742124846271 - algo = OpenSSL::ASN1::ObjectId.new('DSA') - params = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(p), - OpenSSL::ASN1::Integer.new(q), - OpenSSL::ASN1::Integer.new(g)]) - algo_id = OpenSSL::ASN1::Sequence.new ([algo, params]) - pub_key = OpenSSL::ASN1::Integer.new(y) - seq = OpenSSL::ASN1::Sequence.new([algo_id, OpenSSL::ASN1::BitString.new(pub_key.to_der)]) - key = OpenSSL::PKey::DSA.new(seq.to_der) - assert(key.public?) - assert(!key.private?) - assert_equal(p, key.p) - assert_equal(q, key.q) - assert_equal(g, key.g) - assert_equal(y, key.pub_key) - assert_equal(nil, key.priv_key) + assert_equal asn1.to_der, dup_public(DSA512).to_der + assert_equal pem, dup_public(DSA512).export end def test_read_DSAPublicKey_pem + # TODO: where is the standard? PKey::DSA.new can read only PEM p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699 q = 979494906553787301107832405790107343409973851677 g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845 @@ -109,127 +163,6 @@ fWLOqqkzFeRrYMDzUpl36XktY6Yq8EJYlW9pCMmBVNy/dQ== assert_equal(nil, key.priv_key) end - def test_read_DSA_PUBKEY_pem - p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699 - q = 979494906553787301107832405790107343409973851677 - g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845 - y = 10505239074982761504240823422422813362721498896040719759460296306305851824586095328615844661273887569281276387605297130014564808567159023649684010036304695 - pem = <<-EOF ------BEGIN PUBLIC KEY----- -MIHxMIGoBgcqhkjOOAQBMIGcAkEA6hXntfQXEo78+s1r8yShbOQIpX+HOESnTNsV -2yJzD6EiMntLpJ38WUOWjz0dBnYW69YnrAYszWPTSvf34XapswIVAKuSEhdIb6Kz -fuHPUhoF4S52MHYdAkBHQCWhq8G+2yeDyhuyMtvsQqcH6lJ4ev8F0hDdUft9Ys6q -qTMV5GtgwPNSmXfpeS1jpirwQliVb2kIyYFU3L91A0QAAkEAyJSJ+g+P/knVcgDw -wTzC7Pwg/pWs2EMd/r+lYlXhNfzg0biuXRul8VR4VUC/phySExY0PdcqItkR/xYA -YNMbNw== ------END PUBLIC KEY----- - EOF - key = OpenSSL::PKey::DSA.new(pem) - assert(key.public?) - assert(!key.private?) - assert_equal(p, key.p) - assert_equal(q, key.q) - assert_equal(g, key.g) - assert_equal(y, key.pub_key) - assert_equal(nil, key.priv_key) - end - - def test_export_format_is_DSA_PUBKEY_pem - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - pem = key.public_key.to_pem - pem.gsub!(/^-+(\w|\s)+-+$/, "") # eliminate --------BEGIN...------- - asn1 = OpenSSL::ASN1.decode(Base64.decode64(pem)) - assert_equal(OpenSSL::ASN1::SEQUENCE, asn1.tag) - assert_equal(2, asn1.value.size) - seq = asn1.value - assert_equal(OpenSSL::ASN1::SEQUENCE, seq[0].tag) - assert_equal(2, seq[0].value.size) - algo_id = seq[0].value - assert_equal(OpenSSL::ASN1::OBJECT, algo_id[0].tag) - assert_equal('DSA', algo_id[0].value) - assert_equal(OpenSSL::ASN1::SEQUENCE, algo_id[1].tag) - assert_equal(3, algo_id[1].value.size) - params = algo_id[1].value - assert_equal(OpenSSL::ASN1::INTEGER, params[0].tag) - assert_equal(key.p, params[0].value) - assert_equal(OpenSSL::ASN1::INTEGER, params[1].tag) - assert_equal(key.q, params[1].value) - assert_equal(OpenSSL::ASN1::INTEGER, params[2].tag) - assert_equal(key.g, params[2].value) - assert_equal(OpenSSL::ASN1::BIT_STRING, seq[1].tag) - assert_equal(0, seq[1].unused_bits) - pub_key = OpenSSL::ASN1.decode(seq[1].value) - assert_equal(OpenSSL::ASN1::INTEGER, pub_key.tag) - assert_equal(key.pub_key, pub_key.value) - end - - def test_read_private_key_der - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - der = key.to_der - key2 = OpenSSL::PKey.read(der) - assert(key2.private?) - assert_equal(der, key2.to_der) - end - - def test_read_private_key_pem - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - pem = key.to_pem - key2 = OpenSSL::PKey.read(pem) - assert(key2.private?) - assert_equal(pem, key2.to_pem) - end - - def test_read_public_key_der - key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key - der = key.to_der - key2 = OpenSSL::PKey.read(der) - assert(!key2.private?) - assert_equal(der, key2.to_der) - end - - def test_read_public_key_pem - key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key - pem = key.to_pem - key2 = OpenSSL::PKey.read(pem) - assert(!key2.private?) - assert_equal(pem, key2.to_pem) - end - - def test_read_private_key_pem_pw - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - pem = key.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret') - #callback form for password - key2 = OpenSSL::PKey.read(pem) do - 'secret' - end - assert(key2.private?) - # pass password directly - key2 = OpenSSL::PKey.read(pem, 'secret') - assert(key2.private?) - #omit pem equality check, will be different due to cipher iv - end - - def test_export_password_length - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - assert_raise(OpenSSL::OpenSSLError) do - key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec') - end - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr') - assert(pem) - end - - def test_export_password_funny - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd") - assert_raise(ArgumentError) do - OpenSSL::PKey.read(pem, "pass") - end - key2 = OpenSSL::PKey.read(pem, "pass\0wd") - assert(key2.private?) - key3 = OpenSSL::PKey::DSA.new(pem, "pass\0wd") - assert(key3.private?) - end - def test_dup key = OpenSSL::PKey::DSA.new(256) key2 = key.dup @@ -239,12 +172,8 @@ YNMbNw== end private - - def check_sign_verify(digest) - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - data = 'Sign me!' - sig = key.sign(digest, data) - assert(key.verify(digest, sig, data)) + def assert_same_dsa(expected, key) + check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key]) end end diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb index 4498b2b8b3..53aa5a10f6 100644 --- a/test/openssl/test_pkey_ec.rb +++ b/test/openssl/test_pkey_ec.rb @@ -3,64 +3,46 @@ require_relative 'utils' if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::PKey::EC) -class OpenSSL::TestEC < OpenSSL::TestCase - def setup - @data1 = 'foo' - @data2 = 'bar' * 1000 # data too long for DSA sig +class OpenSSL::TestEC < OpenSSL::PKeyTestCase + P256 = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - @groups = [] - @keys = [] + def test_ec_key + builtin_curves = OpenSSL::PKey::EC.builtin_curves + assert_not_empty builtin_curves - OpenSSL::PKey::EC.builtin_curves.each do |curve, comment| - group = OpenSSL::PKey::EC::Group.new(curve) + builtin_curves.each do |curve_name, comment| + # Oakley curves and X25519 are not suitable for signing and causes + # FIPS-selftest failure on some environment, so skip for now. + next if ["Oakley", "X25519"].any? { |n| curve_name.start_with?(n) } - # Oakley curves and X25519 are not suitable for signing - next if ["Oakley", "X25519"].any? { |n| curve.start_with?(n) } - - key = OpenSSL::PKey::EC.new(group) + key = OpenSSL::PKey::EC.new(curve_name) key.generate_key! - @groups << group - @keys << key + assert_predicate key, :private? + assert_predicate key, :public? + assert_nothing_raised { key.check_key } end - end - - def test_dup - key = OpenSSL::PKey::EC.new("prime256v1") - key.generate_key! - key2 = key.dup - assert_equal key.to_der, key2.to_der - key_tmp = OpenSSL::PKey::EC.new("prime256v1").generate_key! - key2.private_key = key_tmp.private_key - key2.public_key = key_tmp.public_key - assert_not_equal key.to_der, key2.to_der - group = key.group - group2 = group.dup - assert_equal group.to_der, group2.to_der - group2.asn1_flag ^= OpenSSL::PKey::EC::NAMED_CURVE - assert_not_equal group.to_der, group2.to_der + key1 = OpenSSL::PKey::EC.new("prime256v1").generate_key! - point = key.public_key - point2 = point.dup - assert_equal point.to_bn, point2.to_bn - point2.invert! - assert_not_equal point.to_bn, point2.to_bn - end + key2 = OpenSSL::PKey::EC.new + key2.group = key1.group + key2.private_key = key1.private_key + key2.public_key = key1.public_key + assert_equal key1.to_der, key2.to_der - def compare_keys(k1, k2) - assert_equal(k1.to_pem, k2.to_pem) - end + key3 = OpenSSL::PKey::EC.new(key1) + assert_equal key1.to_der, key3.to_der - def test_builtin_curves - assert(!OpenSSL::PKey::EC.builtin_curves.empty?) - end + key4 = OpenSSL::PKey::EC.new(key1.to_der) + assert_equal key1.to_der, key4.to_der - def test_curve_names - @groups.each_with_index do |group, idx| - key = @keys[idx] - assert_equal(group.curve_name, key.group.curve_name) - end + key5 = key1.dup + assert_equal key1.to_der, key5.to_der + key_tmp = OpenSSL::PKey::EC.new("prime256v1").generate_key! + key5.private_key = key_tmp.private_key + key5.public_key = key_tmp.public_key + assert_not_equal key1.to_der, key5.to_der end def test_generate @@ -73,173 +55,206 @@ class OpenSSL::TestEC < OpenSSL::TestCase end def test_check_key - for key in @keys - assert_equal(true, key.check_key) - assert_equal(true, key.private?) - assert_equal(true, key.public?) - key2 = OpenSSL::PKey::EC.new(key.group) - assert_equal(false, key2.private?) - assert_equal(false, key2.public?) - key2.public_key = key.public_key - assert_equal(false, key2.private?) - assert_equal(true, key2.public?) - key2.private_key = key.private_key - assert_equal(true, key2.private?) - assert_equal(true, key2.public?) - assert_equal(true, key2.check_key) - key2.private_key += 1 - assert_raise(OpenSSL::PKey::ECError) { key2.check_key } - end - end - - def test_group_encoding - for group in @groups - for meth in [:to_der, :to_pem] - txt = group.send(meth) - gr = OpenSSL::PKey::EC::Group.new(txt) - - assert_equal(txt, gr.send(meth)) - - assert_equal(group.generator.to_bn, gr.generator.to_bn) - assert_equal(group.cofactor, gr.cofactor) - assert_equal(group.order, gr.order) - assert_equal(group.seed, gr.seed) - assert_equal(group.degree, gr.degree) - end - end - end - - def test_key_encoding - for key in @keys - group = key.group - - for meth in [:to_der, :to_pem] - txt = key.send(meth) - assert_equal(txt, OpenSSL::PKey::EC.new(txt).send(meth)) - end - - bn = key.public_key.to_bn - assert_equal(bn, OpenSSL::PKey::EC::Point.new(group, bn).to_bn) - end - end - - def test_set_keys - for key in @keys - k = OpenSSL::PKey::EC.new - k.group = key.group - k.private_key = key.private_key - k.public_key = key.public_key - - compare_keys(key, k) - end + key = OpenSSL::PKey::EC.new("prime256v1").generate_key! + assert_equal(true, key.check_key) + assert_equal(true, key.private?) + assert_equal(true, key.public?) + key2 = OpenSSL::PKey::EC.new(key.group) + assert_equal(false, key2.private?) + assert_equal(false, key2.public?) + key2.public_key = key.public_key + assert_equal(false, key2.private?) + assert_equal(true, key2.public?) + key2.private_key = key.private_key + assert_equal(true, key2.private?) + assert_equal(true, key2.public?) + assert_equal(true, key2.check_key) + key2.private_key += 1 + assert_raise(OpenSSL::PKey::ECError) { key2.check_key } end def test_dsa_sign_verify - for key in @keys - sig = key.dsa_sign_asn1(@data1) - assert(key.dsa_verify_asn1(@data1, sig)) - end + data1 = "foo" + data2 = "bar" + key = OpenSSL::PKey::EC.new("prime256v1").generate_key! + sig = key.dsa_sign_asn1(data1) + assert_equal true, key.dsa_verify_asn1(data1, sig) + assert_equal false, key.dsa_verify_asn1(data2, sig) end def test_dsa_sign_asn1_FIPS186_3 - for key in @keys - size = key.group.order.num_bits / 8 + 1 - dgst = (1..size).to_a.pack('C*') - begin - sig = key.dsa_sign_asn1(dgst) - # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m - assert(key.dsa_verify_asn1(dgst + "garbage", sig)) - rescue OpenSSL::PKey::ECError => e - # just an exception for longer dgst before openssl-0.9.8m - assert_equal('ECDSA_sign: data too large for key size', e.message) - # no need to do following tests - return - end + key = OpenSSL::PKey::EC.new("prime256v1").generate_key! + size = key.group.order.num_bits / 8 + 1 + dgst = (1..size).to_a.pack('C*') + begin + sig = key.dsa_sign_asn1(dgst) + # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m + assert(key.dsa_verify_asn1(dgst + "garbage", sig)) + rescue OpenSSL::PKey::ECError => e + # just an exception for longer dgst before openssl-0.9.8m + assert_equal('ECDSA_sign: data too large for key size', e.message) + # no need to do following tests + return end end def test_dh_compute_key - for key in @keys - k = OpenSSL::PKey::EC.new(key.group) - k.generate_key! - - puba = key.public_key - pubb = k.public_key - a = key.dh_compute_key(pubb) - b = k.dh_compute_key(puba) - assert_equal(a, b) - end + key_a = OpenSSL::PKey::EC.new("prime256v1").generate_key! + key_b = OpenSSL::PKey::EC.new(key_a.group).generate_key! + + pub_a = key_a.public_key + pub_b = key_b.public_key + a = key_a.dh_compute_key(pub_b) + b = key_b.dh_compute_key(pub_a) + assert_equal a, b end - def test_read_private_key_der - ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - der = ec.to_der - ec2 = OpenSSL::PKey.read(der) - assert(ec2.private_key?) - assert_equal(der, ec2.to_der) + def test_ECPrivateKey + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(1), + OpenSSL::ASN1::OctetString(P256.private_key.to_s(2)), + OpenSSL::ASN1::ASN1Data.new( + [OpenSSL::ASN1::ObjectId("prime256v1")], + 0, :CONTEXT_SPECIFIC + ), + OpenSSL::ASN1::ASN1Data.new( + [OpenSSL::ASN1::BitString(P256.public_key.to_bn.to_s(2))], + 1, :CONTEXT_SPECIFIC + ) + ]) + key = OpenSSL::PKey::EC.new(asn1.to_der) + assert_predicate key, :private? + assert_same_ec P256, key + + pem = <<~EOF + -----BEGIN EC PRIVATE KEY----- + MHcCAQEEIID49FDqcf1O1eO8saTgG70UbXQw9Fqwseliit2aWhH1oAoGCCqGSM49 + AwEHoUQDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7lSZ/ArK41eGy5wAzU/0G51Xtt + CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg== + -----END EC PRIVATE KEY----- + EOF + key = OpenSSL::PKey::EC.new(pem) + assert_same_ec P256, key + + assert_equal asn1.to_der, P256.to_der + assert_equal pem, P256.export end - def test_read_private_key_pem - ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - pem = ec.to_pem - ec2 = OpenSSL::PKey.read(pem) - assert(ec2.private_key?) - assert_equal(pem, ec2.to_pem) + def test_ECPrivateKey_encrypted + # key = abcdef + pem = <<~EOF + -----BEGIN EC PRIVATE KEY----- + Proc-Type: 4,ENCRYPTED + DEK-Info: AES-128-CBC,85743EB6FAC9EA76BF99D9328AFD1A66 + + nhsP1NHxb53aeZdzUe9umKKyr+OIwQq67eP0ONM6E1vFTIcjkDcFLR6PhPFufF4m + y7E2HF+9uT1KPQhlE+D63i1m1Mvez6PWfNM34iOQp2vEhaoHHKlR3c43lLyzaZDI + 0/dGSU5SzFG+iT9iFXCwCvv+bxyegkBOyALFje1NAsM= + -----END EC PRIVATE KEY----- + EOF + key = OpenSSL::PKey::EC.new(pem, "abcdef") + assert_same_ec P256, key + key = OpenSSL::PKey::EC.new(pem) { "abcdef" } + assert_same_ec P256, key + + cipher = OpenSSL::Cipher.new("aes-128-cbc") + exported = P256.to_pem(cipher, "abcdef\0\1") + assert_same_ec P256, OpenSSL::PKey::EC.new(exported, "abcdef\0\1") + assert_raise(OpenSSL::PKey::ECError) { + OpenSSL::PKey::EC.new(exported, "abcdef") + } end - def test_read_public_key_der - ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - ec2 = OpenSSL::PKey::EC.new(ec.group) - ec2.public_key = ec.public_key - der = ec2.to_der - ec3 = OpenSSL::PKey.read(der) - assert(!ec3.private_key?) - assert_equal(der, ec3.to_der) + def test_PUBKEY + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::ObjectId("id-ecPublicKey"), + OpenSSL::ASN1::ObjectId("prime256v1") + ]), + OpenSSL::ASN1::BitString( + P256.public_key.to_bn.to_s(2) + ) + ]) + key = OpenSSL::PKey::EC.new(asn1.to_der) + assert_not_predicate key, :private? + assert_same_ec dup_public(P256), key + + pem = <<~EOF + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7l + SZ/ArK41eGy5wAzU/0G51XttCeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg== + -----END PUBLIC KEY----- + EOF + key = OpenSSL::PKey::EC.new(pem) + assert_same_ec dup_public(P256), key + + assert_equal asn1.to_der, dup_public(P256).to_der + assert_equal pem, dup_public(P256).export end - def test_read_public_key_pem - ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - ec2 = OpenSSL::PKey::EC.new(ec.group) - ec2.public_key = ec.public_key - pem = ec2.to_pem - ec3 = OpenSSL::PKey.read(pem) - assert(!ec3.private_key?) - assert_equal(pem, ec3.to_pem) + def test_ec_group + group1 = OpenSSL::PKey::EC::Group.new("prime256v1") + key1 = OpenSSL::PKey::EC.new(group1) + assert_equal group1, key1.group + + group2 = OpenSSL::PKey::EC::Group.new(group1) + assert_equal group1.to_der, group2.to_der + assert_equal group1, group2 + group2.asn1_flag ^=OpenSSL::PKey::EC::NAMED_CURVE + assert_not_equal group1.to_der, group2.to_der + assert_equal group1, group2 + + group3 = group1.dup + assert_equal group1.to_der, group3.to_der + + assert group1.asn1_flag & OpenSSL::PKey::EC::NAMED_CURVE # our default + der = group1.to_der + group4 = OpenSSL::PKey::EC::Group.new(der) + group1.point_conversion_form = group4.point_conversion_form = :uncompressed + assert_equal :uncompressed, group1.point_conversion_form + assert_equal :uncompressed, group4.point_conversion_form + assert_equal group1, group4 + assert_equal group1.curve_name, group4.curve_name + assert_equal group1.generator.to_bn, group4.generator.to_bn + assert_equal group1.order, group4.order + assert_equal group1.cofactor, group4.cofactor + assert_equal group1.seed, group4.seed + assert_equal group1.degree, group4.degree end - def test_read_private_key_pem_pw - ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - pem = ec.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret') - #callback form for password - ec2 = OpenSSL::PKey.read(pem) do - 'secret' - end - assert(ec2.private_key?) - # pass password directly - ec2 = OpenSSL::PKey.read(pem, 'secret') - assert(ec2.private_key?) - #omit pem equality check, will be different due to cipher iv - end + def test_ec_point + group = OpenSSL::PKey::EC::Group.new("prime256v1") + key = OpenSSL::PKey::EC.new(group).generate_key! + point = key.public_key - def test_export_password_length - key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - assert_raise(OpenSSL::OpenSSLError) do - key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec') - end - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr') - assert(pem) - end + point2 = OpenSSL::PKey::EC::Point.new(group, point.to_bn) + assert_equal point, point2 + assert_equal point.to_bn, point2.to_bn + point2.invert! + assert_not_equal point.to_bn, point2.to_bn - def test_export_password_funny - key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd") - assert_raise(ArgumentError) do - OpenSSL::PKey.read(pem, "pass") + begin + group = OpenSSL::PKey::EC::Group.new(:GFp, 17, 2, 2) + group.point_conversion_form = :uncompressed + generator = OpenSSL::PKey::EC::Point.new(group, 0x040501.to_bn) + group.set_generator(generator, 19, 1) + point = OpenSSL::PKey::EC::Point.new(group, 0x040603.to_bn) + rescue OpenSSL::PKey::EC::Group::Error + pend "Patched OpenSSL rejected curve" if /unsupported field/ =~ $!.message + raise end - key2 = OpenSSL::PKey.read(pem, "pass\0wd") - assert(key2.private_key?) - key3 = OpenSSL::PKey::EC.new(pem, "pass\0wd") - assert(key3.private_key?) + + assert_equal 0x040603.to_bn, point.to_bn + assert_equal true, point.on_curve? + point.invert! # 8.5 + assert_equal 0x04060E.to_bn, point.to_bn + assert_equal true, point.on_curve? + + assert_equal false, point.infinity? + point.set_to_infinity! + assert_equal true, point.infinity? + assert_equal 0.to_bn, point.to_bn + assert_equal true, point.on_curve? end def test_ec_point_mul @@ -247,44 +262,50 @@ class OpenSSL::TestEC < OpenSSL::TestCase # y^2 = x^3 + 2x + 2 over F_17 # generator is (5, 1) group = OpenSSL::PKey::EC::Group.new(:GFp, 17, 2, 2) + group.point_conversion_form = :uncompressed gen = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new("040501", 16)) group.set_generator(gen, 0, 0) # 3 * (6, 3) = (16, 13) point_a = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new("040603", 16)) - result_a1 = point_a.mul(3.to_bn) + result_a1 = point_a.mul(3) assert_equal("04100D", result_a1.to_bn.to_s(16)) # 3 * (6, 3) + 3 * (5, 1) = (7, 6) - result_a2 = point_a.mul(3.to_bn, 3.to_bn) + result_a2 = point_a.mul(3, 3) assert_equal("040706", result_a2.to_bn.to_s(16)) # 3 * point_a = 3 * (6, 3) = (16, 13) - result_b1 = point_a.mul([3.to_bn], []) + result_b1 = point_a.mul([3], []) assert_equal("04100D", result_b1.to_bn.to_s(16)) # 3 * point_a + 2 * point_a = 3 * (6, 3) + 2 * (6, 3) = (7, 11) - result_b1 = point_a.mul([3.to_bn, 2.to_bn], [point_a]) + result_b1 = point_a.mul([3, 2], [point_a]) assert_equal("04070B", result_b1.to_bn.to_s(16)) # 3 * point_a + 5 * point_a.group.generator = 3 * (6, 3) + 5 * (5, 1) = (13, 10) - result_b1 = point_a.mul([3.to_bn], [], 5) + result_b1 = point_a.mul([3], [], 5) assert_equal("040D0A", result_b1.to_bn.to_s(16)) rescue OpenSSL::PKey::EC::Group::Error # CentOS patches OpenSSL to reject curves defined over Fp where p < 256 bits raise if $!.message !~ /unsupported field/ end - p256_key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 + p256_key = P256 p256_g = p256_key.group assert_equal(p256_key.public_key, p256_g.generator.mul(p256_key.private_key)) # invalid argument point = p256_key.public_key assert_raise(TypeError) { point.mul(nil) } - assert_raise(ArgumentError) { point.mul([1.to_bn], [point]) } - assert_raise(TypeError) { point.mul([1.to_bn], nil) } + assert_raise(ArgumentError) { point.mul([1], [point]) } + assert_raise(TypeError) { point.mul([1], nil) } assert_raise(TypeError) { point.mul([nil], []) } end # test Group: asn1_flag, point_conversion + private + + def assert_same_ec(expected, key) + check_component(expected, key, [:group, :public_key, :private_key]) + end end end diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb index 49e8ceacd9..e211faa63b 100644 --- a/test/openssl/test_pkey_rsa.rb +++ b/test/openssl/test_pkey_rsa.rb @@ -4,7 +4,9 @@ require 'base64' if defined?(OpenSSL::TestUtils) -class OpenSSL::TestPKeyRSA < OpenSSL::TestCase +class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase + RSA1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 + def test_padding key = OpenSSL::PKey::RSA.new(512, 3) @@ -68,46 +70,8 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase end end - def test_sign_verify - key = OpenSSL::TestUtils::TEST_KEY_RSA1024 - digest = OpenSSL::Digest::SHA1.new - data = 'Sign me!' - sig = key.sign(digest, data) - assert(key.verify(digest, sig, data)) - end - - def test_sign_verify_memory_leak - bug9743 = '[ruby-core:62038] [Bug #9743]' - assert_no_memory_leak(%w[-ropenssl], <<-PREP, <<-CODE, bug9743, rss: true, timeout: 30) - data = 'Sign me!' - digest = OpenSSL::Digest::SHA512.new - pkey = OpenSSL::PKey::RSA.new(2048) - signature = pkey.sign(digest, data) - pub_key = pkey.public_key - PREP - 20_000.times { - pub_key.verify(digest, signature, data) - } - CODE - - assert_no_memory_leak(%w[-ropenssl], <<-PREP, <<-CODE, bug9743, rss: true, timeout: 30) - data = 'Sign me!' - digest = OpenSSL::Digest::SHA512.new - pkey = OpenSSL::PKey::RSA.new(2048) - signature = pkey.sign(digest, data) - pub_key = pkey.public_key - PREP - 20_000.times { - begin - pub_key.verify(digest, signature, 1) - rescue TypeError - end - } - CODE - end - def test_digest_state_irrelevant_sign - key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + key = RSA1024 digest1 = OpenSSL::Digest::SHA1.new digest2 = OpenSSL::Digest::SHA1.new data = 'Sign me!' @@ -118,7 +82,7 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase end def test_digest_state_irrelevant_verify - key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + key = RSA1024 digest1 = OpenSSL::Digest::SHA1.new digest2 = OpenSSL::Digest::SHA1.new data = 'Sign me!' @@ -129,169 +93,131 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase assert(key.verify(digest2, sig, data)) end - def test_read_RSAPublicKey - modulus = 10664264882656732240315063514678024569492171560814833397008094754351396057398262071307709191731289492697968568138092052265293364132872019762410446076526351 - exponent = 65537 - seq = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)]) - key = OpenSSL::PKey::RSA.new(seq.to_der) - assert(key.public?) - assert(!key.private?) - assert_equal(modulus, key.n) - assert_equal(exponent, key.e) - assert_equal(nil, key.d) - assert_equal(nil, key.p) - assert_equal(nil, key.q) - assert_equal([], OpenSSL.errors) - end - - def test_read_RSA_PUBKEY - modulus = 10664264882656732240315063514678024569492171560814833397008094754351396057398262071307709191731289492697968568138092052265293364132872019762410446076526351 - exponent = 65537 - algo = OpenSSL::ASN1::ObjectId.new('rsaEncryption') - null_params = OpenSSL::ASN1::Null.new(nil) - algo_id = OpenSSL::ASN1::Sequence.new ([algo, null_params]) - pub_key = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)]) - seq = OpenSSL::ASN1::Sequence.new([algo_id, OpenSSL::ASN1::BitString.new(pub_key.to_der)]) - key = OpenSSL::PKey::RSA.new(seq.to_der) - assert(key.public?) - assert(!key.private?) - assert_equal(modulus, key.n) - assert_equal(exponent, key.e) - assert_equal(nil, key.d) - assert_equal(nil, key.p) - assert_equal(nil, key.q) - assert_equal([], OpenSSL.errors) - end - - def test_read_RSAPublicKey_pem - modulus = 9416340886363418692990906464787534854462163316648195510702927337693641649864839352187127240942127674615733815606532506566068276485089353644309497938966061 - exponent = 65537 - pem = <<-EOF ------BEGIN RSA PUBLIC KEY----- -MEgCQQCzyh2RIZK62E2PbTWqUljD+K23XR9AGBKNtXjal6WD2yRGcLqzPJLNCa60 -AudJR1JobbIbDJrQu6AXnWh5k/YtAgMBAAE= ------END RSA PUBLIC KEY----- + def test_RSAPrivateKey + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(0), + OpenSSL::ASN1::Integer(RSA1024.n), + OpenSSL::ASN1::Integer(RSA1024.e), + OpenSSL::ASN1::Integer(RSA1024.d), + OpenSSL::ASN1::Integer(RSA1024.p), + OpenSSL::ASN1::Integer(RSA1024.q), + OpenSSL::ASN1::Integer(RSA1024.dmp1), + OpenSSL::ASN1::Integer(RSA1024.dmq1), + OpenSSL::ASN1::Integer(RSA1024.iqmp) + ]) + key = OpenSSL::PKey::RSA.new(asn1.to_der) + assert_predicate key, :private? + assert_same_rsa RSA1024, key + + pem = <<~EOF + -----BEGIN RSA PRIVATE KEY----- + MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx + aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/ + Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB + AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0 + maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T + gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572 + 74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE + JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX + sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII + 8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA + wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi + qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD + dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA== + -----END RSA PRIVATE KEY----- EOF key = OpenSSL::PKey::RSA.new(pem) - assert(key.public?) - assert(!key.private?) - assert_equal(modulus, key.n) - assert_equal(exponent, key.e) - assert_equal(nil, key.d) - assert_equal(nil, key.p) - assert_equal(nil, key.q) + assert_same_rsa RSA1024, key + + assert_equal asn1.to_der, RSA1024.to_der + assert_equal pem, RSA1024.export + end + + def test_RSAPrivateKey_encrypted + # key = abcdef + pem = <<~EOF + -----BEGIN RSA PRIVATE KEY----- + Proc-Type: 4,ENCRYPTED + DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0 + + zgJniZZQfvv8TFx3LzV6zhAQVayvQVZlAYqFq2yWbbxzF7C+IBhKQle9IhUQ9j/y + /jkvol550LS8vZ7TX5WxyDLe12cdqzEvpR6jf3NbxiNysOCxwG4ErhaZGP+krcoB + ObuL0nvls/+3myy5reKEyy22+0GvTDjaChfr+FwJjXMG+IBCLscYdgZC1LQL6oAn + 9xY5DH3W7BW4wR5ttxvtN32TkfVQh8xi3jrLrduUh+hV8DTiAiLIhv0Vykwhep2p + WZA+7qbrYaYM8GLLgLrb6LfBoxeNxAEKiTpl1quFkm+Hk1dKq0EhVnxHf92x0zVF + jRGZxAMNcrlCoE4f5XK45epVZSZvihdo1k73GPbp84aZ5P/xlO4OwZ3i4uCQXynl + jE9c+I+4rRWKyPz9gkkqo0+teJL8ifeKt/3ab6FcdA0aArynqmsKJMktxmNu83We + YVGEHZPeOlyOQqPvZqWsLnXQUfg54OkbuV4/4mWSIzxFXdFy/AekSeJugpswMXqn + oNck4qySNyfnlyelppXyWWwDfVus9CVAGZmJQaJExHMT/rQFRVchlmY0Ddr5O264 + gcjv90o1NBOc2fNcqjivuoX7ROqys4K/YdNQ1HhQ7usJghADNOtuLI8ZqMh9akXD + Eqp6Ne97wq1NiJj0nt3SJlzTnOyTjzrTe0Y+atPkVKp7SsjkATMI9JdhXwGhWd7a + qFVl0owZiDasgEhyG2K5L6r+yaJLYkPVXZYC/wtWC3NEchnDWZGQcXzB4xROCQkD + OlWNYDkPiZioeFkA3/fTMvG4moB2Pp9Q4GU5fJ6k43Ccu1up8dX/LumZb4ecg5/x + -----END RSA PRIVATE KEY----- + EOF + key = OpenSSL::PKey::RSA.new(pem, "abcdef") + assert_same_rsa RSA1024, key + key = OpenSSL::PKey::RSA.new(pem) { "abcdef" } + assert_same_rsa RSA1024, key + + cipher = OpenSSL::Cipher.new("aes-128-cbc") + exported = RSA1024.to_pem(cipher, "abcdef\0\1") + assert_same_rsa RSA1024, OpenSSL::PKey::RSA.new(exported, "abcdef\0\1") + assert_raise(OpenSSL::PKey::RSAError) { + OpenSSL::PKey::RSA.new(exported, "abcdef") + } end - def test_read_RSA_PUBKEY_pem - modulus = 9416340886363418692990906464787534854462163316648195510702927337693641649864839352187127240942127674615733815606532506566068276485089353644309497938966061 - exponent = 65537 - pem = <<-EOF ------BEGIN PUBLIC KEY----- -MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALPKHZEhkrrYTY9tNapSWMP4rbdd -H0AYEo21eNqXpYPbJEZwurM8ks0JrrQC50lHUmhtshsMmtC7oBedaHmT9i0C -AwEAAQ== ------END PUBLIC KEY----- + def test_RSAPublicKey + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(RSA1024.n), + OpenSSL::ASN1::Integer(RSA1024.e) + ]) + key = OpenSSL::PKey::RSA.new(asn1.to_der) + assert_not_predicate key, :private? + assert_same_rsa dup_public(RSA1024), key + + pem = <<~EOF + -----BEGIN RSA PUBLIC KEY----- + MIGJAoGBAMvCxLDUQKc+1P4+Q6AeFwYDvWfALb+cvzlUEadGoPE6qNWHsLFoo8RF + geyTgE8KQTduu1OE9Zz2SMcRBDu5/1jWtsLPSVrI2ofLLBARUsWanVyki39DeB4u + /xkP2mKGjAokPIwOI3oCthSZlzO9bj3voxTf6XngTqUX8l8URTmHAgMBAAE= + -----END RSA PUBLIC KEY----- EOF key = OpenSSL::PKey::RSA.new(pem) - assert(key.public?) - assert(!key.private?) - assert_equal(modulus, key.n) - assert_equal(exponent, key.e) - assert_equal(nil, key.d) - assert_equal(nil, key.p) - assert_equal(nil, key.q) - end - - def test_export_format_is_RSA_PUBKEY - key = OpenSSL::PKey::RSA.new(512) - asn1 = OpenSSL::ASN1.decode(key.public_key.to_der) - check_PUBKEY(asn1, key) - end - - def test_export_format_is_RSA_PUBKEY_pem - key = OpenSSL::PKey::RSA.new(512) - pem = key.public_key.to_pem - pem.gsub!(/^-+(\w|\s)+-+$/, "") # eliminate --------BEGIN...------- - asn1 = OpenSSL::ASN1.decode(Base64.decode64(pem)) - check_PUBKEY(asn1, key) - end - - def test_read_private_key_der - der = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_der - key = OpenSSL::PKey.read(der) - assert(key.private?) - assert_equal(der, key.to_der) - end - - def test_read_private_key_pem - pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem - key = OpenSSL::PKey.read(pem) - assert(key.private?) - assert_equal(pem, key.to_pem) - end - - def test_read_public_key_der - der = OpenSSL::TestUtils::TEST_KEY_RSA1024.public_key.to_der - key = OpenSSL::PKey.read(der) - assert(!key.private?) - assert_equal(der, key.to_der) - end - - def test_read_public_key_pem - pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.public_key.to_pem - key = OpenSSL::PKey.read(pem) - assert(!key.private?) - assert_equal(pem, key.to_pem) - end - - def test_read_private_key_pem_pw - pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret') - #callback form for password - key = OpenSSL::PKey.read(pem) do - 'secret' - end - assert(key.private?) - # pass password directly - key = OpenSSL::PKey.read(pem, 'secret') - assert(key.private?) - #omit pem equality check, will be different due to cipher iv - end - - def test_read_private_key_pem_pw_exception - pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret') - # it raises an ArgumentError from PEM reading. The exception raised inside are ignored for now. - assert_raise(ArgumentError) do - OpenSSL::PKey.read(pem) do - raise RuntimeError - end - end - end - - def test_export_password_length - key = OpenSSL::TestUtils::TEST_KEY_RSA1024 - assert_raise(OpenSSL::OpenSSLError) do - key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec') - end - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr') - assert(pem) - end + assert_same_rsa dup_public(RSA1024), key + end + + def test_PUBKEY + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::ObjectId("rsaEncryption"), + OpenSSL::ASN1::Null(nil) + ]), + OpenSSL::ASN1::BitString( + OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(RSA1024.n), + OpenSSL::ASN1::Integer(RSA1024.e) + ]).to_der + ) + ]) + key = OpenSSL::PKey::RSA.new(asn1.to_der) + assert_not_predicate key, :private? + assert_same_rsa dup_public(RSA1024), key + + pem = <<~EOF + -----BEGIN PUBLIC KEY----- + MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLwsSw1ECnPtT+PkOgHhcGA71n + wC2/nL85VBGnRqDxOqjVh7CxaKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbC + z0layNqHyywQEVLFmp1cpIt/Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU + 3+l54E6lF/JfFEU5hwIDAQAB + -----END PUBLIC KEY----- + EOF + key = OpenSSL::PKey::RSA.new(pem) + assert_same_rsa dup_public(RSA1024), key - def test_export_password_funny - key = OpenSSL::TestUtils::TEST_KEY_RSA1024 - # this assertion may fail in the future because of OpenSSL change. - # the current upper limit is 1024 - assert_raise(OpenSSL::OpenSSLError) do - key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr' * 1024) - end - # password containing NUL byte - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd") - assert_raise(ArgumentError) do - OpenSSL::PKey.read(pem, "pass") - end - key2 = OpenSSL::PKey.read(pem, "pass\0wd") - assert(key2.private?) - key3 = OpenSSL::PKey::RSA.new(pem, "pass\0wd") - assert(key3.private?) + assert_equal asn1.to_der, dup_public(RSA1024).to_der + assert_equal pem, dup_public(RSA1024).export end def test_dup @@ -303,29 +229,9 @@ AwEAAQ== end private - - def check_PUBKEY(asn1, key) - assert_equal(OpenSSL::ASN1::SEQUENCE, asn1.tag) - assert_equal(2, asn1.value.size) - seq = asn1.value - assert_equal(OpenSSL::ASN1::SEQUENCE, seq[0].tag) - assert_equal(2, seq[0].value.size) - algo_id = seq[0].value - assert_equal(OpenSSL::ASN1::OBJECT, algo_id[0].tag) - assert_equal('rsaEncryption', algo_id[0].value) - assert_equal(OpenSSL::ASN1::NULL, algo_id[1].tag) - assert_equal(nil, algo_id[1].value) - assert_equal(OpenSSL::ASN1::BIT_STRING, seq[1].tag) - assert_equal(0, seq[1].unused_bits) - pub_key = OpenSSL::ASN1.decode(seq[1].value) - assert_equal(OpenSSL::ASN1::SEQUENCE, pub_key.tag) - assert_equal(2, pub_key.value.size) - assert_equal(OpenSSL::ASN1::INTEGER, pub_key.value[0].tag) - assert_equal(key.n, pub_key.value[0].value) - assert_equal(OpenSSL::ASN1::INTEGER, pub_key.value[1].tag) - assert_equal(key.e, pub_key.value[1].value) + def assert_same_rsa(expected, key) + check_component(expected, key, [:n, :e, :d, :p, :q, :dmp1, :dmq1, :iqmp]) end - end end diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index b1dc2233d6..1b9548a3e9 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -66,9 +66,9 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_not_started_session - skip "non socket argument of SSLSocket.new is not supported on this platform" if /mswin|mingw/ =~ RUBY_PLATFORM + pend "non socket argument of SSLSocket.new is not supported on this platform" if /mswin|mingw/ =~ RUBY_PLATFORM open(__FILE__) do |f| - assert_nil OpenSSL::SSL::SSLSocket.new(f).cert + assert_nil EnvUtil.suppress_warning { OpenSSL::SSL::SSLSocket.new(f).cert } end end @@ -196,16 +196,14 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase def test_client_auth_failure vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT start_server(vflag, true, :ignore_listener_error => true){|server, port| - assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET){ - sock = TCPSocket.new("127.0.0.1", port) - ssl = OpenSSL::SSL::SSLSocket.new(sock) - ssl.sync_close = true - begin - ssl.connect - ensure - ssl.close - end - } + sock = TCPSocket.new("127.0.0.1", port) + ssl = OpenSSL::SSL::SSLSocket.new(sock) + ssl.sync_close = true + begin + assert_handshake_error { ssl.connect } + ensure + ssl.close + end } end @@ -236,6 +234,24 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } end + def test_client_auth_public_key + vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT + start_server(vflag, true, ignore_listener_error: true) do |server, port| + assert_raise(ArgumentError) { + ctx = OpenSSL::SSL::SSLContext.new + ctx.key = @cli_key.public_key + ctx.cert = @cli_cert + server_connect(port, ctx) { } + } + + ctx = OpenSSL::SSL::SSLContext.new + ctx.client_cert_cb = Proc.new{ |ssl| + [@cli_cert, @cli_key.public_key] + } + assert_handshake_error { server_connect(port, ctx) } + end + end + def test_client_ca ctx_proc = Proc.new do |ctx| ctx.client_ca = [@ca_cert] @@ -321,7 +337,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port| sock = TCPSocket.new("127.0.0.1", port) ctx = OpenSSL::SSL::SSLContext.new - ctx.set_params + ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) ssl.sync_close = true begin @@ -335,12 +351,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port| sock = TCPSocket.new("127.0.0.1", port) ctx = OpenSSL::SSL::SSLContext.new - ctx.set_params( - :verify_callback => Proc.new do |preverify_ok, store_ctx| - store_ctx.error = OpenSSL::X509::V_OK - true - end - ) + ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER + ctx.verify_callback = Proc.new do |preverify_ok, store_ctx| + store_ctx.error = OpenSSL::X509::V_OK + true + end ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) ssl.sync_close = true begin @@ -354,12 +369,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port| sock = TCPSocket.new("127.0.0.1", port) ctx = OpenSSL::SSL::SSLContext.new - ctx.set_params( - :verify_callback => Proc.new do |preverify_ok, store_ctx| - store_ctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION - false - end - ) + ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER + ctx.verify_callback = Proc.new do |preverify_ok, store_ctx| + store_ctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION + false + end ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) ssl.sync_close = true begin @@ -375,12 +389,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port| sock = TCPSocket.new("127.0.0.1", port) ctx = OpenSSL::SSL::SSLContext.new - ctx.set_params( - :verify_callback => Proc.new do |preverify_ok, store_ctx| - store_ctx.error = OpenSSL::X509::V_OK - raise RuntimeError - end - ) + ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER + ctx.verify_callback = Proc.new do |preverify_ok, store_ctx| + store_ctx.error = OpenSSL::X509::V_OK + raise RuntimeError + end ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) ssl.sync_close = true begin @@ -396,26 +409,15 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_sslctx_set_params - start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port| - sock = TCPSocket.new("127.0.0.1", port) - ctx = OpenSSL::SSL::SSLContext.new - ctx.set_params - assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode) - assert_equal(OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options], ctx.options) - ciphers = ctx.ciphers - ciphers_versions = ciphers.collect{|_, v, _, _| v } - ciphers_names = ciphers.collect{|v, _, _, _| v } - assert(ciphers_names.all?{|v| /A(EC)?DH/ !~ v }) - assert(ciphers_versions.all?{|v| /SSLv2/ !~ v }) - ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) - ssl.sync_close = true - begin - assert_raise(OpenSSL::SSL::SSLError){ ssl.connect } - assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result) - ensure - ssl.close - end - } + ctx = OpenSSL::SSL::SSLContext.new + ctx.set_params + assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode) + ciphers = ctx.ciphers + ciphers_versions = ciphers.collect{|_, v, _, _| v } + ciphers_names = ciphers.collect{|v, _, _, _| v } + assert(ciphers_names.all?{|v| /A(EC)?DH/ !~ v }) + assert(ciphers_names.all?{|v| /(RC4|MD5|EXP)/ !~ v }) + assert(ciphers_versions.all?{|v| /SSLv2/ !~ v }) end def test_post_connect_check_with_anon_ciphers @@ -426,9 +428,9 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase ctx.ciphers = "aNULL" ctx.security_level = 0 server_connect(port, ctx) { |ssl| - msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \ - "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification." - assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")} + assert_raise_with_message(sslerr, /anonymous cipher suite/i){ + ssl.post_connection_check("localhost.localdomain") + } } } end if OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384 @@ -687,11 +689,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase hostname = 'example.org' ctx3 = OpenSSL::SSL::SSLContext.new - ctx3.ciphers = "DH" + ctx3.ciphers = "aNULL" + ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } ctx3.security_level = 0 ctx2 = OpenSSL::SSL::SSLContext.new - ctx2.ciphers = "DH" ctx2.servername_cb = lambda { |args| ctx3 } sock1, sock2 = socketpair @@ -699,7 +701,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) ctx1 = OpenSSL::SSL::SSLContext.new - ctx1.ciphers = "DH" + ctx1.ciphers = "aNULL" ctx1.security_level = 0 s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) @@ -722,7 +724,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase hostname = 'example.org' ctx2 = OpenSSL::SSL::SSLContext.new - ctx2.ciphers = "DH" + ctx2.ciphers = "aNULL" + ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } ctx2.security_level = 0 ctx2.servername_cb = lambda { |args| Object.new } @@ -731,7 +734,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) ctx1 = OpenSSL::SSL::SSLContext.new - ctx1.ciphers = "DH" + ctx1.ciphers = "aNULL" ctx1.security_level = 0 s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) @@ -756,12 +759,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase hostname = 'example.org' ctx3 = OpenSSL::SSL::SSLContext.new - ctx3.ciphers = "DH" + ctx3.ciphers = "aNULL" + ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } ctx3.security_level = 0 assert_not_predicate ctx3, :frozen? ctx2 = OpenSSL::SSL::SSLContext.new - ctx2.ciphers = "DH" ctx2.servername_cb = lambda { |args| ctx3 } sock1, sock2 = socketpair @@ -769,7 +772,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) ctx1 = OpenSSL::SSL::SSLContext.new - ctx1.ciphers = "DH" + ctx1.ciphers = "aNULL" ctx1.security_level = 0 s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) @@ -791,7 +794,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase hostname = 'example.org' ctx2 = OpenSSL::SSL::SSLContext.new - ctx2.ciphers = "DH" + ctx2.ciphers = "aNULL" + ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } ctx2.security_level = 0 ctx2.servername_cb = lambda { |args| nil } @@ -800,7 +804,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) ctx1 = OpenSSL::SSL::SSLContext.new - ctx1.ciphers = "DH" + ctx1.ciphers = "aNULL" ctx1.security_level = 0 s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) @@ -823,7 +827,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase hostname = 'example.org' ctx2 = OpenSSL::SSL::SSLContext.new - ctx2.ciphers = "DH" + ctx2.ciphers = "aNULL" + ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } ctx2.security_level = 0 ctx2.servername_cb = lambda do |args| cb_socket = args[0] @@ -836,7 +841,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) ctx1 = OpenSSL::SSL::SSLContext.new - ctx1.ciphers = "DH" + ctx1.ciphers = "aNULL" ctx1.security_level = 0 s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) @@ -859,7 +864,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase return unless OpenSSL::SSL::SSLSocket.instance_methods.include?(:hostname) ctx_proc = Proc.new do |ctx, ssl| - foo_ctx = ctx.dup + foo_ctx = OpenSSL::SSL::SSLContext.new ctx.servername_cb = Proc.new do |ssl2, hostname| case hostname @@ -892,6 +897,53 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end + def test_verify_hostname_on_connect + ctx_proc = proc { |ctx| + now = Time.now + exts = [ + ["keyUsage", "keyEncipherment,digitalSignature", true], + ["subjectAltName", "DNS:a.example.com,DNS:*.b.example.com," \ + "DNS:c*.example.com,DNS:d.*.example.com"], + ] + ctx.cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts, + @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) + ctx.key = @svr_key + } + + start_server(OpenSSL::SSL::VERIFY_NONE, true, ctx_proc: ctx_proc, + ignore_listener_error: true) do |svr, port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.verify_hostname = true + ctx.cert_store = OpenSSL::X509::Store.new + ctx.cert_store.add_cert(@ca_cert) + ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER + + [ + ["a.example.com", true], + ["A.Example.Com", true], + ["x.example.com", false], + ["b.example.com", false], + ["x.b.example.com", true], + ["cx.example.com", true], + ["d.x.example.com", false], + ].each do |name, expected_ok| + begin + sock = TCPSocket.new("127.0.0.1", port) + ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) + ssl.hostname = name + if expected_ok + assert_nothing_raised { ssl.connect } + else + assert_handshake_error { ssl.connect } + end + ensure + ssl.close if ssl + sock.close if sock + end + end + end + end + def test_multibyte_read_write #German a umlaut auml = [%w{ C3 A4 }.join('')].pack('H*') @@ -932,10 +984,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } end - # different OpenSSL versions react differently when facing a SSL/TLS version - # that has been marked as forbidden, therefore either of these may be raised - HANDSHAKE_ERRORS = [OpenSSL::SSL::SSLError, Errno::ECONNRESET] - if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContext::METHODS.include?(:SSLv3) def test_forbid_ssl_v3_for_client @@ -943,7 +991,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContex start_server_version(:SSLv23, ctx_proc) { |server, port| ctx = OpenSSL::SSL::SSLContext.new ctx.ssl_version = :SSLv3 - assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) } + assert_handshake_error { server_connect(port, ctx) } } end @@ -951,7 +999,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContex start_server_version(:SSLv3) { |server, port| ctx = OpenSSL::SSL::SSLContext.new ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv3 - assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) } + assert_handshake_error { server_connect(port, ctx) } } end @@ -970,7 +1018,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_1 start_server_version(:SSLv23, ctx_proc) { |server, port| ctx = OpenSSL::SSL::SSLContext.new ctx.ssl_version = :TLSv1 - assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) } + assert_handshake_error { server_connect(port, ctx) } } end @@ -978,7 +1026,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_1 start_server_version(:TLSv1) { |server, port| ctx = OpenSSL::SSL::SSLContext.new ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1 - assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) } + assert_handshake_error { server_connect(port, ctx) } } end @@ -999,7 +1047,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2 start_server_version(:SSLv23, ctx_proc) { |server, port| ctx = OpenSSL::SSL::SSLContext.new ctx.ssl_version = :TLSv1_1 - assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) } + assert_handshake_error { server_connect(port, ctx) } } end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1) @@ -1007,7 +1055,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2 start_server_version(:TLSv1_1) { |server, port| ctx = OpenSSL::SSL::SSLContext.new ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_1 - assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) } + assert_handshake_error { server_connect(port, ctx) } } end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1) @@ -1016,7 +1064,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2 start_server_version(:SSLv23, ctx_proc) { |server, port| ctx = OpenSSL::SSL::SSLContext.new ctx.ssl_version = :TLSv1_2 - assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) } + assert_handshake_error { server_connect(port, ctx) } } end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2) @@ -1024,7 +1072,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2 start_server_version(:TLSv1_2) { |server, port| ctx = OpenSSL::SSL::SSLContext.new ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_2 - assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) } + assert_handshake_error { server_connect(port, ctx) } } end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2) @@ -1060,16 +1108,31 @@ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000 end def test_alpn_protocol_selection_cancel - ctx_proc = Proc.new { |ctx| - ctx.alpn_select_cb = -> (protocols) { nil } + sock1, sock2 = socketpair + + ctx1 = OpenSSL::SSL::SSLContext.new + ctx1.ciphers = "aNULL" + ctx1.security_level = 0 + ctx1.alpn_select_cb = -> (protocols) { nil } + ssl1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) + + ctx2 = OpenSSL::SSL::SSLContext.new + ctx2.ciphers = "aNULL" + ctx2.security_level = 0 + ctx2.alpn_protocols = ["http/1.1"] + ssl2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) + + t = Thread.new { + assert_handshake_error { ssl2.connect } } - assert_raise(MiniTest::Assertion) do # minitest/assertion comes from `assert_join_threads` - start_server_version(:SSLv23, ctx_proc) { |server, port| - ctx = OpenSSL::SSL::SSLContext.new - ctx.alpn_protocols = ["http/1.1"] - assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx) } - } - end + assert_raise(TypeError) { ssl1.accept } + ensure + sock1&.close + sock2&.close + ssl1&.close + ssl2&.close + t&.kill + t&.join end end @@ -1127,7 +1190,7 @@ if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 && start_server_version(:SSLv23, ctx_proc) { |server, port| ctx = OpenSSL::SSL::SSLContext.new ctx.npn_select_cb = -> (protocols) { protocols.first } - assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) } + assert_handshake_error { server_connect(port, ctx) } } end @@ -1136,7 +1199,7 @@ if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 && start_server_version(:SSLv23, ctx_proc) { |server, port| ctx = OpenSSL::SSL::SSLContext.new ctx.npn_select_cb = -> (protocols) { "a" * 256 } - assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) } + assert_handshake_error { server_connect(port, ctx) } } end @@ -1182,6 +1245,7 @@ end # test it doesn't cause a segmentation fault ctx = OpenSSL::SSL::SSLContext.new ctx.ciphers = "aNULL" + ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } ctx.security_level = 0 sock1, sock2 = socketpair @@ -1243,7 +1307,20 @@ end # ctx.key = OpenSSL::TestUtils::TEST_KEY_RSA1024 # ctx.security_level = 2 # assert_raise(OpenSSL::SSL::SSLError) { ctx.key = OpenSSL::TestUtils::TEST_KEY_RSA1024 } - skip "FIXME: SSLContext#key= currently does not raise because SSL_CTX_use_certificate() is delayed" + pend "FIXME: SSLContext#key= currently does not raise because SSL_CTX_use_certificate() is delayed" + end + + def test_dup + ctx = OpenSSL::SSL::SSLContext.new + sock1, sock2 = socketpair + ssl = OpenSSL::SSL::SSLSocket.new(sock1, ctx) + + assert_raise(NoMethodError) { ctx.dup } + assert_raise(NoMethodError) { ssl.dup } + ensure + ssl.close if ssl + sock1.close + sock2.close end private @@ -1276,6 +1353,14 @@ end sock.close end end + + def assert_handshake_error + # different OpenSSL versions react differently when facing a SSL/TLS version + # that has been marked as forbidden, therefore either of these may be raised + assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET) { + yield + } + end end end diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb index 84686f6b4f..9bcec10165 100644 --- a/test/openssl/test_ssl_session.rb +++ b/test/openssl/test_ssl_session.rb @@ -369,6 +369,12 @@ __EOS__ assert(called[:get1]) assert(called[:get2]) end + + def test_dup + sess_orig = OpenSSL::SSL::Session.new(DUMMY_SESSION) + sess_dup = sess_orig.dup + assert_equal(sess_orig.to_der, sess_dup.to_der) + end end end diff --git a/test/openssl/test_x509attr.rb b/test/openssl/test_x509attr.rb index 1ba8a87536..d7473f1a29 100644 --- a/test/openssl/test_x509attr.rb +++ b/test/openssl/test_x509attr.rb @@ -12,6 +12,9 @@ class OpenSSL::TestX509Attribute < OpenSSL::TestCase attr = OpenSSL::X509::Attribute.new("extReq", val) assert_equal("extReq", attr.oid) assert_equal(val.to_der, attr.value.to_der) + + attr = OpenSSL::X509::Attribute.new("1.2.840.113549.1.9.14", val) + assert_equal("extReq", attr.oid) end def test_from_der @@ -51,6 +54,14 @@ class OpenSSL::TestX509Attribute < OpenSSL::TestCase } assert_equal(test_der, attr.to_der) end + + def test_dup + val = OpenSSL::ASN1::Set([ + OpenSSL::ASN1::UTF8String("abc123") + ]) + attr = OpenSSL::X509::Attribute.new("challengePassword", val) + assert_equal(attr.to_der, attr.dup.to_der) + end end end diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb index fd66c97588..cd1ccc98ab 100644 --- a/test/openssl/test_x509crl.rb +++ b/test/openssl/test_x509crl.rb @@ -112,6 +112,10 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase assert_equal(1000, revoked.size) assert_equal(1, revoked[0].serial) assert_equal(1000, revoked[999].serial) + + crl.revoked = revoked + revoked2 = crl.revoked + assert_equal(revoked.map(&:serial), revoked2.map(&:serial)) end def test_extension diff --git a/test/openssl/test_x509ext.rb b/test/openssl/test_x509ext.rb index 99e2eda5b3..79713c0fad 100644 --- a/test/openssl/test_x509ext.rb +++ b/test/openssl/test_x509ext.rb @@ -36,15 +36,15 @@ class OpenSSL::TestX509Extension < OpenSSL::TestCase bc = ef.create_extension("basicConstraints", "CA:TRUE, pathlen:2", true) assert_equal(@basic_constraints.to_der, bc.to_der) - begin - ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_) - [crlDistPts] - URI.1 = http://www.example.com/crl - URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary - _end_of_cnf_ - rescue NotImplementedError - return - end + ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_) + [crlDistPts] + URI.1 = http://www.example.com/crl + URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary + + [certPolicies] + policyIdentifier = 2.23.140.1.2.1 + CPS.1 = http://cps.example.com + _end_of_cnf_ cdp = ef.create_extension("crlDistributionPoints", "@crlDistPts") assert_equal(false, cdp.critical?) @@ -61,6 +61,18 @@ class OpenSSL::TestX509Extension < OpenSSL::TestCase assert_match( %r{URI:ldap://ldap.example.com/cn=ca\?certificateRevocationList;binary}, cdp.value) + + cp = ef.create_extension("certificatePolicies", "@certPolicies") + assert_equal(false, cp.critical?) + assert_equal("certificatePolicies", cp.oid) + assert_match(%r{2.23.140.1.2.1}, cp.value) + assert_match(%r{http://cps.example.com}, cp.value) + end + + def test_dup + ext = OpenSSL::X509::Extension.new(@basic_constraints.to_der) + assert_equal(@basic_constraints.to_der, ext.to_der) + assert_equal(ext.to_der, ext.dup.to_der) end end diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb index b87d415de2..250f1d0949 100644 --- a/test/openssl/test_x509name.rb +++ b/test/openssl/test_x509name.rb @@ -355,6 +355,11 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase expected = (d[0].ord & 0xff) | (d[1].ord & 0xff) << 8 | (d[2].ord & 0xff) << 16 | (d[3].ord & 0xff) << 24 assert_equal(expected, name_hash(name)) end + + def test_dup + name = OpenSSL::X509::Name.parse("/CN=ruby-lang.org") + assert_equal(name.to_der, name.dup.to_der) + end end end diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb index 53e5a437fc..086ccfbdb1 100644 --- a/test/openssl/test_x509req.rb +++ b/test/openssl/test_x509req.rb @@ -139,7 +139,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase req.version = 1 assert_equal(false, req.verify(@rsa1024)) rescue OpenSSL::X509::RequestError - skip + pend end if defined?(OpenSSL::Digest::DSS1) def test_sign_and_verify_dsa_md5 @@ -147,6 +147,11 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) } end + def test_dup + req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new) + assert_equal(req.to_der, req.dup.to_der) + end + private def request_error_returns_false diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb index 8dee1679f6..e0fa07ac16 100644 --- a/test/openssl/test_x509store.rb +++ b/test/openssl/test_x509store.rb @@ -222,6 +222,13 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase } end end + + def test_dup + store = OpenSSL::X509::Store.new + assert_raise(NoMethodError) { store.dup } + ctx = OpenSSL::X509::StoreContext.new(store) + assert_raise(NoMethodError) { ctx.dup } + end end end diff --git a/test/openssl/ut_eof.rb b/test/openssl/ut_eof.rb new file mode 100644 index 0000000000..fcd7a63988 --- /dev/null +++ b/test/openssl/ut_eof.rb @@ -0,0 +1,129 @@ +# frozen_string_literal: false +require 'test/unit' + +module TestEOF + def test_eof_0 + open_file("") {|f| + assert_equal("", f.read(0)) + assert_equal("", f.read(0)) + assert_equal("", f.read) + assert_equal("", f.read(0)) + assert_equal("", f.read(0)) + } + open_file("") {|f| + assert_nil(f.read(1)) + assert_equal("", f.read) + assert_nil(f.read(1)) + } + open_file("") {|f| + s = "x" + assert_equal("", f.read(nil, s)) + assert_equal("", s) + } + open_file("") {|f| + s = "x" + assert_nil(f.read(10, s)) + assert_equal("", s) + } + end + + def test_eof_0_rw + return unless respond_to? :open_file_rw + open_file_rw("") {|f| + assert_equal("", f.read) + assert_equal("", f.read) + assert_equal(0, f.syswrite("")) + assert_equal("", f.read) + } + end + + def test_eof_1 + open_file("a") {|f| + assert_equal("", f.read(0)) + assert_equal("a", f.read(1)) + assert_equal("" , f.read(0)) + assert_equal("" , f.read(0)) + assert_equal("", f.read) + assert_equal("", f.read(0)) + assert_equal("", f.read(0)) + } + open_file("a") {|f| + assert_equal("a", f.read(1)) + assert_nil(f.read(1)) + } + open_file("a") {|f| + assert_equal("a", f.read(2)) + assert_nil(f.read(1)) + assert_equal("", f.read) + assert_nil(f.read(1)) + } + open_file("a") {|f| + assert_equal("a", f.read) + assert_nil(f.read(1)) + assert_equal("", f.read) + assert_nil(f.read(1)) + } + open_file("a") {|f| + assert_equal("a", f.read(2)) + assert_equal("", f.read) + assert_equal("", f.read) + } + open_file("a") {|f| + assert_equal("a", f.read) + assert_equal("", f.read(0)) + } + open_file("a") {|f| + s = "x" + assert_equal("a", f.read(nil, s)) + assert_equal("a", s) + } + open_file("a") {|f| + s = "x" + assert_equal("a", f.read(10, s)) + assert_equal("a", s) + } + end + + def test_eof_2 + open_file("") {|f| + assert_equal("", f.read) + assert_predicate(f, :eof?) + } + end + + def test_eof_3 + open_file("") {|f| + assert_predicate(f, :eof?) + } + end + + module Seek + def open_file_seek(content, pos) + open_file(content) do |f| + f.seek(pos) + yield f + end + end + + def test_eof_0_seek + open_file_seek("", 10) {|f| + assert_equal(10, f.pos) + assert_equal("", f.read(0)) + assert_equal("", f.read) + assert_equal("", f.read(0)) + assert_equal("", f.read) + } + end + + def test_eof_1_seek + open_file_seek("a", 10) {|f| + assert_equal("", f.read) + assert_equal("", f.read) + } + open_file_seek("a", 1) {|f| + assert_equal("", f.read) + assert_equal("", f.read) + } + end + end +end diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index f306b5d3d8..2288a26035 100644 --- a/test/openssl/utils.rb +++ b/test/openssl/utils.rb @@ -8,11 +8,13 @@ begin OpenSSL.fips_mode=false rescue LoadError end + require "test/unit" require "digest/md5" require 'tempfile' require "rbconfig" require "socket" +require "envutil" module OpenSSL::TestUtils TEST_KEY_RSA1024 = OpenSSL::PKey::RSA.new <<-_end_of_pem_ @@ -260,7 +262,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC return end ssl = ssls.accept - rescue OpenSSL::SSL::SSLError + rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET if ignore_listener_error retry else @@ -348,5 +350,39 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC end end + class OpenSSL::PKeyTestCase < OpenSSL::TestCase + def check_component(base, test, keys) + keys.each { |comp| + assert_equal base.send(comp), test.send(comp) + } + end + + def dup_public(key) + case key + when OpenSSL::PKey::RSA + rsa = OpenSSL::PKey::RSA.new + rsa.set_key(key.n, key.e, nil) + rsa + when OpenSSL::PKey::DSA + dsa = OpenSSL::PKey::DSA.new + dsa.set_pqg(key.p, key.q, key.g) + dsa.set_key(key.pub_key, nil) + dsa + when OpenSSL::PKey::DH + dh = OpenSSL::PKey::DH.new + dh.set_pqg(key.p, nil, key.g) + dh + else + if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key + ec = OpenSSL::PKey::EC.new(key.group) + ec.public_key = key.public_key + ec + else + raise "unknown key type" + end + end + end + end + end if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) and /\AOpenSSL +0\./ !~ OpenSSL::OPENSSL_LIBRARY_VERSION |