| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Regenerate test CA certificates with appropriate extensions
Test certificates in test/rubygems lack the basic constraints extension.
Here is the patch against rubygems' util/create_certs.rb.
ruby util/create_certs.rb &&
cp test/rubygems/*.pem /path/to/ruby/test/rubygems/ &&
ruby util/create_encrypted_key.rb &&
cp test/rubygems/encrypted_private_key.pem /path/to/ruby/test/rubygems/
------------------------ >8 ------------------------
diff --git a/util/create_certs.rb b/util/create_certs.rb
index 4f6f9ea..313a724 100644
--- a/util/create_certs.rb
+++ b/util/create_certs.rb
@@ -4,37 +4,41 @@ require 'time'
class CertificateBuilder
- attr_reader :today
+ attr_reader :start
def initialize key_size = 2048
- today = Time.now.utc
- @today = Time.utc today.year, today.month, today.day
+ @start = Time.utc 2012, 01, 01, 00, 00, 00
@end_of_time = Time.utc 9999, 12, 31, 23, 59, 59
@end_of_time_32 = Time.utc 2038, 01, 19, 03, 14, 07
+ @key_size = key_size
@serial = 0
end
- def create_certificates(key, subject, issuer_key = key, issuer = subject,
- not_before: @today, not_after: :end_of_time)
+ def create_certificates(key, subject, issuer_key = key, issuer_cert = nil,
+ not_before: @start, not_after: :end_of_time,
+ is_ca: false)
certificates = []
not_before, not_before_32 = validity_for not_before
not_after, not_after_32 = validity_for not_after
+ issuer_cert, issuer_cert_32 = issuer_cert
certificates <<
- create_certificate(key, subject, issuer_key, issuer,
- not_before, not_after)
+ create_certificate(key, subject, issuer_key, issuer_cert,
+ not_before, not_after, is_ca)
certificates <<
- create_certificate(key, subject, issuer_key, issuer,
- not_before_32, not_after_32)
+ create_certificate(key, subject, issuer_key, issuer_cert_32,
+ not_before_32, not_after_32, is_ca)
certificates
end
- def create_certificate key, subject, issuer_key, issuer, not_before, not_after
- puts "creating cert - subject: #{subject}, issuer: #{issuer}"
+ def create_certificate(key, subject, issuer_key, issuer_cert,
+ not_before, not_after, is_ca)
cert = OpenSSL::X509::Certificate.new
+ issuer_cert ||= cert # if not specified, create self signing cert
+
cert.version = 2
cert.serial = 0
@@ -45,32 +49,41 @@ class CertificateBuilder
cert.public_key = key.public_key
- cert.subject =
- OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]]
- cert.issuer =
- OpenSSL::X509::Name.new [%W[CN #{issuer}], %w[DC example]]
+ cert.subject = OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]]
+ cert.issuer = issuer_cert.subject
- ef = OpenSSL::X509::ExtensionFactory.new nil, cert
+ ef = OpenSSL::X509::ExtensionFactory.new issuer_cert, cert
cert.extensions = [
- ef.create_extension('subjectAltName', "email:#{subject}@example")
+ ef.create_extension('subjectAltName', "email:#{subject}@example"),
+ ef.create_extension('subjectKeyIdentifier', 'hash')
]
+ if cert != issuer_cert # not self-signed cert
+ cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always')
+ end
+
+ if is_ca
+ cert.add_extension ef.create_extension('basicConstraints', 'CA:TRUE', true)
+ cert.add_extension ef.create_extension('keyUsage', 'keyCertSign', true)
+ end
+
cert.sign issuer_key, OpenSSL::Digest::SHA1.new
+ puts "created cert - subject: #{cert.subject}, issuer: #{cert.issuer}"
cert
end
def create_key
puts "creating key"
- OpenSSL::PKey::RSA.new 2048
+ OpenSSL::PKey::RSA.new @key_size
end
def create_keys names
keys = {}
names.each do |name|
- keys[name] = create_key
+ keys[name] = OpenSSL::PKey::RSA.new File.read(File.join "test/rubygems/#{name}_key.pem")
end
keys
@@ -108,37 +121,39 @@ keys = cb.create_keys [
keys[:public] = keys[:private].public_key
-certs = {
- alternate:
- cb.create_certificates(keys[:alternate], 'alternate'),
- child:
- cb.create_certificates(keys[:child], 'child',
- keys[:private], 'nobody'),
- expired:
- cb.create_certificates(keys[:private], 'nobody',
- not_before: Time.at(0),
- not_after: Time.at(0)),
- future:
- cb.create_certificates(keys[:private], 'nobody',
- not_before: :end_of_time,
- not_after: :end_of_time),
- grandchild:
- cb.create_certificates(keys[:grandchild], 'grandchild',
- keys[:child], 'child'),
- invalid_issuer:
- cb.create_certificates(keys[:invalid], 'invalid',
- keys[:invalid], 'nobody'),
- invalid_signer:
- cb.create_certificates(keys[:invalid], 'invalid',
- keys[:private], 'invalid'),
- invalidchild:
- cb.create_certificates(keys[:invalidchild], 'invalidchild',
- keys[:invalid], 'child'),
- public:
- cb.create_certificates(keys[:private], 'nobody'),
- wrong_key:
- cb.create_certificates(keys[:alternate], 'nobody'),
-}
+certs = {}
+certs[:public] =
+ cb.create_certificates(keys[:private], 'nobody',
+ is_ca: true)
+certs[:child] =
+ cb.create_certificates(keys[:child], 'child',
+ keys[:private], certs[:public],
+ is_ca: true)
+certs[:alternate] =
+ cb.create_certificates(keys[:alternate], 'alternate')
+certs[:expired] =
+ cb.create_certificates(keys[:private], 'nobody',
+ not_before: Time.at(0),
+ not_after: Time.at(0))
+certs[:future] =
+ cb.create_certificates(keys[:private], 'nobody',
+ not_before: :end_of_time,
+ not_after: :end_of_time)
+certs[:invalid_issuer] =
+ cb.create_certificates(keys[:invalid], 'invalid',
+ keys[:invalid], certs[:public],
+ is_ca: true)
+certs[:grandchild] =
+ cb.create_certificates(keys[:grandchild], 'grandchild',
+ keys[:child], certs[:child])
+certs[:invalid_signer] =
+ cb.create_certificates(keys[:invalid], 'invalid',
+ keys[:private], certs[:invalid])
+certs[:invalidchild] =
+ cb.create_certificates(keys[:invalidchild], 'invalidchild',
+ keys[:invalid], certs[:child])
+certs[:wrong_key] =
+ cb.create_certificates(keys[:alternate], 'nobody')
base_dir = 'test/rubygems'
|
|
|
|
|
|
| |
The current CA certificate is created with basicConstraints=CA:FALSE but
it is no longer allowed in OpenSSL 1.1.0. So recreate the CA (and server
certificate).
|
|
|
|
|
|
|
|
|
|
|
| |
The default session timeout for TLSv1 is 7200 and shouldn't be 300. And
this should not be checked because the value is decided by just "the 24
hours mentioned in the TLSv1 spec is way too long for http, the cache
would over fill" (from OpenSSL's source comment).
Old OpenSSL (<= 1.0.2) set ssl_ctx->session_timeout on SSL_CTX_new(),
which we call always with SSLv23_method(), and it isn't updated with
SSL_set_ssl_method().
|
|
|
|
|
| |
SSL_CTX_remove_session() sets not_resumable to the deleted session and
OpenSSL 1.1.0 denies to resume a SSL_SESSION with not_resumable != 0.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
A temporary workaround.
EVP_CipherInit_ex() allows to specify NULL to key and/or iv, however
when we use ChaCha20-Poly1305 and set only key (this case), it does
memcpy(x, NULL, y) and this causes a segmentation fault.
|
|
|
|
|
| |
Add note to the documentation, and fix tests which rely on
Engine.cleanup. Test cases are now run in separate process.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
And deprecate #tmp_ecdh_callback.
Since SSL_CTX_set_tmp_ecdh_callback() was removed in OpenSSL 1.1.0, we
can't provide SSLContext#tmp_ecdh_callback anymore. Instead, we should
use SSL_CTX_set1_curves_list() to set the curves and
SSL_CTX_set_ecdh_auto() to make OpenSSL select automatically from the
list.
|
|
|
|
|
|
|
|
| |
OpenSSL 1.1.0 introduced "security level" and these methods deal with
it.
This patch includes many test changes: setting the level to 0.
The default security level is 1 and this prohibits aNULL ciphers.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use EVP_PKEY_get0_* instead of pkey->pkey.*
Use EVP_PKEY_base_id(pkey) instead of EVP_PKEY_type(pkey->type)
Because of this, we can no longer set the parameters/keys directly, and
the newly added functions as alternative require setting all relevant
values at the same time. So this patch contains incompatibility: the
following code no longer works (if using 1.1.0):
dh = OpenSSL::PKey::DH.new(...)
dh.priv_key = OpenSSL::BN.new(...)
...and we have to write like:
dh = OpenSSL::PKey::DH.new(...)
priv = OpenSSL::BN.new(...)
pub = <calculate (dh.g ** priv) % dh.p>
dh.set_key(pub, priv)
|
| |
|
|
|
|
| |
Replace direct struct access with getter functions.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
HMAC_CTX is made opaque in OpenSSL 1.1.0
|
|
|
|
| |
EVP_CIPHER_CTX was made opaque in OpenSSL 1.1.0
|
|
|
|
| |
These functions are made no-op.
|
|
|
|
|
|
|
|
| |
SSL_state() is removed, and the replacement, SSL_get_state(), never
returns SSL_ST_ACCEPT. I think it is used to distinguish if the SSL is a
server or not, so replacing it with SSL_is_server().
And add some `const`s.
|
|
|
|
|
| |
They emit warnings with OpenSSL 1.1.0. Instead use
SSL_CTX_set_{min,max}_proto_version().
|
| |
|
| |
|
|
|
|
|
| |
BN_generate_prime(), BN_is_prime(), BN_is_prime_fasttest() is deprecated
and the replacements are available on all versions of OpenSSL >= 0.9.8.
|
|
|
|
| |
asn1_mac.h is removed in OpenSSL 1.1.0
|
|
|
|
|
|
| |
It has not been actually supported: since ossl.h includes
openssl/hmac.h without any guards, it wouldn't compile if
OPENSSL_NO_HMAC is enabled.
|
|
|
|
|
|
|
|
|
| |
The last release of OpenSSL 0.9.7 series was over 9 years ago (!) and
even 0.9.8/1.0.0 are no longer supported (EOL was 2015-12-31).
It actually doesn't compile since r40461 (ext/openssl/ossl_bn.c
(ossl_bn_initialize): allow Fixnum and Bignum. [ruby-core:53986]
[Feature #8217], 2013-04-25, 2.1.0) and it looks like nobody noticed it.
|
|
|
|
|
| |
They have existed since ext/openssl was imported to Ruby, but since
openssl_missing.h and ossl.h are not library code, they aren't required.
|
|
|
|
|
| |
Since openssl/opensslconf.h is always included, we can check
OPENSSL_FIPS macro directly.
|
|
|
|
|
|
| |
Implement CRYPTO_memcmp() in openssl_missing.c if it is not provided.
Rename our SSL_SESSION_cmp() to ossl_SSL_SESSION_cmp().
|
|
|
|
|
| |
X509_STORE_get_ex_new_index() is required in addition to
X509_STORE_CTX_get_ex_new_index() because they are independent.
|
|
|
|
|
|
|
| |
Fix build with early versions of OpenSSL 0.9.8.
SSL_CTX_clear_options() is new in OpenSSL 0.9.8m but some Linux
distributions still uses 0.9.8e.
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54798 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54796 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* numeric.c (int_aref): {Fixnum,Bignum}#[] is unified into
Integer.
* bignum.c (rb_big_aref): Don't define Bignum#<<.
* internal.h (rb_big_aref): Declared.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54794 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54793 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
* ext/stringio/stringio.c (strio_s_new): warn if a block is given,
as well as IO.new.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54792 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
| |
* error.c (ruby_only_for_internal_use): raise fatal error when
deprecated function only for internal use is called, not just a
warning.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54791 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54790 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54789 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54788 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
the user input is wrong. only reports the error and continue process.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54787 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
| |
* ruby.c (process_options): convert -e script to the encoding
given by a command line option on Windows. assume it is the
expected encoding. [ruby-dev:49461] [Bug #11900]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54785 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54783 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* numeric.c (rb_int_lshift): {Fixnum,Bignum}#<< is unified into
Integer.
* bignum.c (rb_big_lshift): Don't define Bignum#<<.
* internal.h (rb_big_lshift): Declared.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54782 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|