Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | test/rubygems: regenerate certificatesfeature/openssl-110-v1 | Kazuki Yamaguchi | 2016-04-27 | 20 | -194/+213 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some certificates are used as CA but don't have basicConstraints=CA:TRUE. Here is the patch against rubygems' util/create_certs.rb. 1. Run ruby util/create_certs.rb && cp test/rubygems/*.pem /path/to/ruby/test/rubygems/ && ruby util/create_encrypted_key.rb && cp test/rubygems/encrypted_private_key.pem /path/to/ruby/test/rubygems/ 2. Change some tests which depends on the old keys/certificates. ---8<--- diff --git a/util/create_certs.rb b/util/create_certs.rb index 4f6f9ea..384fad8 100644 --- a/util/create_certs.rb +++ b/util/create_certs.rb @@ -4,37 +4,41 @@ require 'time' class CertificateBuilder - attr_reader :today + attr_reader :start def initialize key_size = 2048 - today = Time.now.utc - @today = Time.utc today.year, today.month, today.day + @start = Time.utc 2012, 01, 01, 00, 00, 00 @end_of_time = Time.utc 9999, 12, 31, 23, 59, 59 @end_of_time_32 = Time.utc 2038, 01, 19, 03, 14, 07 + @key_size = key_size @serial = 0 end - def create_certificates(key, subject, issuer_key = key, issuer = subject, - not_before: @today, not_after: :end_of_time) + def create_certificates(key, subject, issuer_key = key, issuer_cert = nil, + not_before: @start, not_after: :end_of_time, + is_ca: false) certificates = [] not_before, not_before_32 = validity_for not_before not_after, not_after_32 = validity_for not_after + issuer_cert, issuer_cert_32 = issuer_cert certificates << - create_certificate(key, subject, issuer_key, issuer, - not_before, not_after) + create_certificate(key, subject, issuer_key, issuer_cert, + not_before, not_after, is_ca) certificates << - create_certificate(key, subject, issuer_key, issuer, - not_before_32, not_after_32) + create_certificate(key, subject, issuer_key, issuer_cert_32, + not_before_32, not_after_32, is_ca) certificates end - def create_certificate key, subject, issuer_key, issuer, not_before, not_after - puts "creating cert - subject: #{subject}, issuer: #{issuer}" + def create_certificate(key, subject, issuer_key, issuer_cert, + not_before, not_after, is_ca) cert = OpenSSL::X509::Certificate.new + issuer_cert ||= cert # if not specified, create self signing cert + cert.version = 2 cert.serial = 0 @@ -45,25 +49,29 @@ class CertificateBuilder cert.public_key = key.public_key - cert.subject = - OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]] - cert.issuer = - OpenSSL::X509::Name.new [%W[CN #{issuer}], %w[DC example]] + cert.subject = OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]] + cert.issuer = issuer_cert.subject - ef = OpenSSL::X509::ExtensionFactory.new nil, cert + ef = OpenSSL::X509::ExtensionFactory.new issuer_cert, cert cert.extensions = [ - ef.create_extension('subjectAltName', "email:#{subject}@example") + ef.create_extension('subjectAltName', "email:#{subject}@example"), + ef.create_extension('subjectKeyIdentifier', 'hash') ] + if is_ca + cert.add_extension ef.create_extension('basicConstraints', 'CA:TRUE', true) + end + cert.sign issuer_key, OpenSSL::Digest::SHA1.new + puts "created cert - subject: #{cert.subject}, issuer: #{cert.issuer}" cert end def create_key puts "creating key" - OpenSSL::PKey::RSA.new 2048 + OpenSSL::PKey::RSA.new @key_size end def create_keys names @@ -108,37 +116,39 @@ keys = cb.create_keys [ keys[:public] = keys[:private].public_key -certs = { - alternate: - cb.create_certificates(keys[:alternate], 'alternate'), - child: - cb.create_certificates(keys[:child], 'child', - keys[:private], 'nobody'), - expired: - cb.create_certificates(keys[:private], 'nobody', - not_before: Time.at(0), - not_after: Time.at(0)), - future: - cb.create_certificates(keys[:private], 'nobody', - not_before: :end_of_time, - not_after: :end_of_time), - grandchild: - cb.create_certificates(keys[:grandchild], 'grandchild', - keys[:child], 'child'), - invalid_issuer: - cb.create_certificates(keys[:invalid], 'invalid', - keys[:invalid], 'nobody'), - invalid_signer: - cb.create_certificates(keys[:invalid], 'invalid', - keys[:private], 'invalid'), - invalidchild: - cb.create_certificates(keys[:invalidchild], 'invalidchild', - keys[:invalid], 'child'), - public: - cb.create_certificates(keys[:private], 'nobody'), - wrong_key: - cb.create_certificates(keys[:alternate], 'nobody'), -} +certs = {} +certs[:public] = + cb.create_certificates(keys[:private], 'nobody', + is_ca: true) +certs[:child] = + cb.create_certificates(keys[:child], 'child', + keys[:private], certs[:public], + is_ca: true) +certs[:alternate] = + cb.create_certificates(keys[:alternate], 'alternate') +certs[:expired] = + cb.create_certificates(keys[:private], 'nobody', + not_before: Time.at(0), + not_after: Time.at(0)) +certs[:future] = + cb.create_certificates(keys[:private], 'nobody', + not_before: :end_of_time, + not_after: :end_of_time) +certs[:invalid_issuer] = + cb.create_certificates(keys[:invalid], 'invalid', + keys[:invalid], certs[:public], + is_ca: true) +certs[:grandchild] = + cb.create_certificates(keys[:grandchild], 'grandchild', + keys[:child], certs[:child]) +certs[:invalid_signer] = + cb.create_certificates(keys[:invalid], 'invalid', + keys[:private], certs[:invalid]) +certs[:invalidchild] = + cb.create_certificates(keys[:invalidchild], 'invalidchild', + keys[:invalid], certs[:child]) +certs[:wrong_key] = + cb.create_certificates(keys[:alternate], 'nobody') base_dir = 'test/rubygems' @@ -154,4 +164,3 @@ certs.each do |name, (cert, cert_32)| dest = File.join base_dir, "#{name}_cert_32.pem" File.write dest, cert_32.to_pem end - | ||||
* | test/open-uri: regenerate test certificates | Kazuki Yamaguchi | 2016-04-27 | 1 | -80/+76 |
| | | | | | | The current CA certificate is created with basicConstraints=CA:FALSE but it is no longer allowed in OpenSSL 1.1.0. So recreate the CA (and server certificate). | ||||
* | ext/openssl: fix ex_data handling for X509_STORE | Kazuki Yamaguchi | 2016-04-27 | 7 | -28/+18 |
| | | | | | X509_STORE_get_ex_new_index() is required in addition to X509_STORE_CTX_get_ex_new_index() because they are independent. | ||||
* | ext/openssl: no need to check OPENSSL_FIPS in extconf.rb | Kazuki Yamaguchi | 2016-04-27 | 2 | -3/+2 |
| | | | | | Since openssl/opensslconf.h is always included, we can check OPENSSL_FIPS macro directly. | ||||
* | test/openssl: don't test default session timeout | Kazuki Yamaguchi | 2016-04-27 | 1 | -1/+0 |
| | | | | | | | | | | | The default session timeout for TLSv1 is 7200 and shouldn't be 300. And this should not be checked because the value is decided by just "the 24 hours mentioned in the TLSv1 spec is way too long for http, the cache would over fill" (from OpenSSL's source comment). Old OpenSSL (<= 1.0.2) set ssl_ctx->session_timeout on SSL_CTX_new(), which we call always with SSLv23_method(), and it isn't updated with SSL_set_ssl_method(). | ||||
* | test/openssl: fix test_server_session to dup the session | Kazuki Yamaguchi | 2016-04-27 | 1 | -4/+4 |
| | | | | | SSL_CTX_remove_session() sets not_resumable to the deleted session and OpenSSL 1.1.0 denies to resume a SSL_SESSION with not_resumable != 0. | ||||
* | ext/openssl: avoid SEGV on Cipher.new("ChaCha20-Poly1305") | Kazuki Yamaguchi | 2016-04-27 | 1 | -9/+13 |
| | | | | | | | | A temporary workaround. EVP_CipherInit_ex() allows to specify NULL to key and/or iv, however when we use ChaCha20-Poly1305 and set only key (this case), it does memcpy(x, NULL, y) and this causes a segmentation fault. | ||||
* | test/openssl: X25519 doesn't support signing | Kazuki Yamaguchi | 2016-04-27 | 1 | -1/+3 |
| | |||||
* | test/openssl: DSA256 is prohibited with security_level=1 | Kazuki Yamaguchi | 2016-04-27 | 1 | -1/+16 |
| | |||||
* | ext/openssl: remove SHA, DSS, DSS1 if using OpenSSL 1.1.0 | Kazuki Yamaguchi | 2016-04-27 | 7 | -9/+14 |
| | |||||
* | ext/openssl: use SSL_is_server() to check if the SSL is server or not | Kazuki Yamaguchi | 2016-04-27 | 3 | -3/+7 |
| | | | | | The state returned by SSL_get_state() doesn't become SSL_ST_ACCEPT anymore in OpenSSL 1.1.0. | ||||
* | ext/openssl: add SSLContext#set_ecdh_curves | Kazuki Yamaguchi | 2016-04-27 | 6 | -31/+172 |
| | | | | | | | | | | And deprecate #tmp_ecdh_callback. Since SSL_CTX_set_tmp_ecdh_callback() was removed in OpenSSL 1.1.0, we can't provide SSLContext#tmp_ecdh_callback anymore. Instead, we should use SSL_CTX_set1_curves_list() to set the curves and SSL_CTX_set_ecdh_auto() to make OpenSSL select automatically from the list. | ||||
* | ext/openssl: fix some compiler warnings on ossl_ssl.c | Kazuki Yamaguchi | 2016-04-27 | 1 | -5/+8 |
| | |||||
* | ext/openssl: add SSLContext#security_level, #security_level= | Kazuki Yamaguchi | 2016-04-27 | 5 | -0/+78 |
| | | | | | | | | OpenSSL 1.1.0 introduced "security level" and these methods deal with it. This patch includes many test changes: setting the level to 0. The default security level is 1 and this prohibits aNULL ciphers. | ||||
* | ext/openssl: make ENGINE.cleanup no-op if using OpenSSL 1.1.0 | Kazuki Yamaguchi | 2016-04-27 | 3 | -48/+72 |
| | |||||
* | ext/openssl: use SSL_CTX_get_ciphers() | Kazuki Yamaguchi | 2016-04-27 | 3 | -1/+6 |
| | |||||
* | ext/openssl: avoid using deprecated protocol version specific methods. | Kazuki Yamaguchi | 2016-04-27 | 2 | -35/+43 |
| | | | | | They emit warnings with OpenSSL 1.1.0. Instead use SSL_CTX_set_{min,max}_proto_version(). | ||||
* | ext/openssl: EVP_PKEY, DH, DSA, RSA, EC_KEY are made opaque | Kazuki Yamaguchi | 2016-04-27 | 13 | -158/+400 |
| | | | | | | | | | | | | | | | | | | | | Use EVP_PKEY_get0_* instead of pkey->pkey.* Use EVP_PKEY_base_id(pkey) instead of EVP_PKEY_type(pkey->type) Because of this, we can no longer set the parameters/keys directly, and the newly added functions as alternative require setting all relevant values at the same time. So this patch contains incompatibility: the following code no longer works (if using 1.1.0): dh = OpenSSL::PKey::DH.new(...) dh.priv_key = OpenSSL::BN.new(...) ...and we have to write like: dh = OpenSSL::PKey::DH.new(...) priv = OpenSSL::BN.new(...) pub = <calculate (dh.g ** priv) % dh.p> dh.set_key(pub, priv) | ||||
* | ext/openssl: use EVP_MD_CTX_new() to allocate EVP_MD_CTX | Kazuki Yamaguchi | 2016-04-27 | 3 | -12/+25 |
| | |||||
* | ext/openssl: use X509_STORE_CTX_get0_store() instead of store_ctx->ctx | Kazuki Yamaguchi | 2016-04-27 | 3 | -3/+8 |
| | |||||
* | ext/openssl: fix (mainly) opaque related compilation of ossl_x509*.c | Kazuki Yamaguchi | 2016-04-27 | 11 | -63/+173 |
| | | | | | | | | | | | | | Fix following files: - ossl_x509attr.c - ossl_x509cert.c - ossl_x509store.c - ossl_x509name.c - ossl_x509req.c - ossl_x509crl.c - ossl_x509revoked.c - ossl_x509ext.c | ||||
* | ext/openssl: use *_up_ref() functions | Kazuki Yamaguchi | 2016-04-27 | 7 | -10/+45 |
| | |||||
* | ext/openssl: support new threading API of OpenSSL 1.1.0 | Kazuki Yamaguchi | 2016-04-27 | 2 | -0/+5 |
| | | | | Setting locking callbacks is no longer needed. | ||||
* | ext/openssl: SSL_SESSION is made opaque | Kazuki Yamaguchi | 2016-04-27 | 2 | -4/+14 |
| | |||||
* | ext/openssl: the return type of HMAC_CTX_copy() is int | Kazuki Yamaguchi | 2016-04-27 | 2 | -3/+4 |
| | |||||
* | ext/openssl: BIGNUM and BN_GENCB is made opaque | Kazuki Yamaguchi | 2016-04-27 | 7 | -23/+47 |
| | |||||
* | ext/openssl: OCSP_SINGLERESP and OCSP_CERTID are also made opaque | Kazuki Yamaguchi | 2016-04-27 | 3 | -4/+11 |
| | |||||
* | ext/openssl: use HMAC_CTX_{new,free,reset} to allocate HMAC_CTX | Kazuki Yamaguchi | 2016-04-27 | 4 | -52/+107 |
| | | | | HMAC_CTX is made opaque in OpenSSL 1.1.0 | ||||
* | ext/openssl: use EVP_CIPHER_CTX_{new,free} to allocate EVP_CIPHER_CTX | Kazuki Yamaguchi | 2016-04-27 | 4 | -22/+51 |
| | | | | EVP_CIPHER_CTX was made opaque in OpenSSL 1.1.0 | ||||
* | ext/openssl: d2i_ASN1_BOOLEAN is removed | Kazuki Yamaguchi | 2016-04-27 | 1 | -6/+7 |
| | |||||
* | ext/openssl: disable OpenSSL::Random.pseudo_bytes if deprecated | Kazuki Yamaguchi | 2016-04-27 | 2 | -0/+5 |
| | |||||
* | ext/openssl: avoid deprecated BN primes functions | Kazuki Yamaguchi | 2016-04-27 | 1 | -3/+3 |
| | | | | | BN_generate_prime(), BN_is_prime(), BN_is_prime_fasttest() is deprecated and the replacements are available on all versions of OpenSSL >= 0.9.8. | ||||
* | ext/openssl: simplify extconf.rb | Kazuki Yamaguchi | 2016-04-27 | 2 | -54/+34 |
| | |||||
* | ext/openssl: include openssl/asn1.h instead of openssl/asn1_mac.h | Kazuki Yamaguchi | 2016-04-27 | 1 | -1/+1 |
| | |||||
* | ext/openssl: drop support for OPENSSL_NO_HMAC | Kazuki Yamaguchi | 2016-04-27 | 2 | -16/+1 |
| | | | | | | It has not been actually supported: since ossl.h includes openssl/hmac.h without any guards, it wouldn't compile if OPENSSL_NO_HMAC is enabled. | ||||
* | ext/openssl: drop support for OpenSSL 0.9.6/0.9.7 | Kazuki Yamaguchi | 2016-04-27 | 25 | -810/+120 |
| | | | | | | | | | The last release of OpenSSL 0.9.7 series was over 9 years ago (!) and even 0.9.8/1.0.0 are no longer supported (EOL was 2015-12-31). It actually doesn't compile since r40461 (ext/openssl/ossl_bn.c (ossl_bn_initialize): allow Fixnum and Bignum. [ruby-core:53986] [Feature #8217], 2013-04-25, 2.1.0) and it looks like nobody noticed it. | ||||
* | ext/openssl: always use our implementation of SSL_SESSION_cmp() | Kazuki Yamaguchi | 2016-04-27 | 4 | -5/+26 |
| | | | | | | | | | Implement CRYPTO_memcmp() if it is not available. Always use our SSL_SESSION_cmp() (renamed to ossl_SSL_SESSION_cmp()). SSL_SESSION_cmp() was removed in OpenSSL 1.0.0 and we have used a reimplemented one. However our implementation is better than the original (it uses CRYPTO_memcmp() instead of plain memcmp). | ||||
* | ext/openssl: check if SSL_CTX_clear_options() is available | Kazuki Yamaguchi | 2016-04-27 | 2 | -0/+6 |
| | | | | | | | Fix build with very very old versions of OpenSSL. SSL_CTX_clear_options() is new in OpenSSL 0.9.8m but some Linux distributions still uses 0.9.8e. | ||||
* | [Doc] Add Document-method: directives. | akr | 2016-04-27 | 1 | -0/+24 |
| | | | | git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54798 b2dd03c8-39d4-4d8f-98ff-823fe69b080e | ||||
* | Update rdoc of Integer#[] (fix -> int) | kazu | 2016-04-27 | 1 | -2/+2 |
| | | | | git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e | ||||
* | [DOC] move rdoc comments. | akr | 2016-04-27 | 1 | -137/+151 |
| | | | | git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54796 b2dd03c8-39d4-4d8f-98ff-823fe69b080e | ||||
* | {Fixnum,Bignum}#[] is unified into Integer. | akr | 2016-04-27 | 4 | -40/+44 |
| | | | | | | | | | | | | | * numeric.c (int_aref): {Fixnum,Bignum}#[] is unified into Integer. * bignum.c (rb_big_aref): Don't define Bignum#<<. * internal.h (rb_big_aref): Declared. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e | ||||
* | * tool/instruction.rb: fix to follow current implementation. | naruse | 2016-04-27 | 2 | -10/+21 |
| | | | | git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54794 b2dd03c8-39d4-4d8f-98ff-823fe69b080e | ||||
* | setdynamic is obsoleted | naruse | 2016-04-27 | 1 | -2/+0 |
| | | | | git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54793 b2dd03c8-39d4-4d8f-98ff-823fe69b080e | ||||
* | stringio.c: warn block for new | nobu | 2016-04-27 | 3 | -0/+25 |
| | | | | | | | * ext/stringio/stringio.c (strio_s_new): warn if a block is given, as well as IO.new. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54792 b2dd03c8-39d4-4d8f-98ff-823fe69b080e | ||||
* | internal.h: ONLY_FOR_INTERNAL_USE | nobu | 2016-04-27 | 6 | -9/+22 |
| | | | | | | | | * error.c (ruby_only_for_internal_use): raise fatal error when deprecated function only for internal use is called, not just a warning. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54791 b2dd03c8-39d4-4d8f-98ff-823fe69b080e | ||||
* | internal.h: adjust style | nobu | 2016-04-27 | 1 | -3/+6 |
| | | | | git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54790 b2dd03c8-39d4-4d8f-98ff-823fe69b080e | ||||
* | * 2016-04-27 | svn | 2016-04-26 | 1 | -1/+1 |
| | | | | git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54789 b2dd03c8-39d4-4d8f-98ff-823fe69b080e | ||||
* | fix typos [ci skip] | kazu | 2016-04-26 | 3 | -3/+3 |
| | | | | git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54788 b2dd03c8-39d4-4d8f-98ff-823fe69b080e | ||||
* | * tool/redmine-backporter.rb (rel): should not raise exceptions even if | usa | 2016-04-26 | 2 | -1/+6 |
| | | | | | | | the user input is wrong. only reports the error and continue process. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54787 b2dd03c8-39d4-4d8f-98ff-823fe69b080e |