From c112621e8b1e25ce26dea284f99c1818002d365a Mon Sep 17 00:00:00 2001 From: rhe Date: Wed, 30 Nov 2016 14:41:46 +0000 Subject: openssl: import v2.0.0 Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2 (imported at r56098) can be found at: https://github.com/ruby/openssl/compare/v2.0.0.beta.2...v2.0.0 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- test/openssl/test_asn1.rb | 335 ++++++++++++---------------- test/openssl/test_cipher.rb | 482 ++++++++++++++++++++--------------------- test/openssl/test_digest.rb | 36 ++- test/openssl/test_engine.rb | 7 - test/openssl/test_hmac.rb | 44 ++-- test/openssl/test_ocsp.rb | 11 +- test/openssl/test_pair.rb | 18 +- test/openssl/test_pkcs12.rb | 13 +- test/openssl/test_pkcs7.rb | 10 +- test/openssl/test_pkey_dsa.rb | 20 ++ test/openssl/test_pkey_ec.rb | 18 ++ test/openssl/test_pkey_rsa.rb | 22 ++ test/openssl/test_ssl.rb | 28 ++- test/openssl/test_x509cert.rb | 83 ++----- test/openssl/test_x509crl.rb | 18 +- test/openssl/test_x509name.rb | 4 +- test/openssl/test_x509store.rb | 28 ++- test/openssl/utils.rb | 18 +- 18 files changed, 552 insertions(+), 643 deletions(-) (limited to 'test/openssl') diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb index f226da5c66..3a43541447 100644 --- a/test/openssl/test_asn1.rb +++ b/test/openssl/test_asn1.rb @@ -14,7 +14,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase ] dgst = OpenSSL::Digest::SHA1.new cert = OpenSSL::TestUtils.issue_cert( - subj, key, s, now, now+3600, exts, nil, nil, dgst) + subj, key, s, exts, nil, nil, digest: dgst, not_before: now, not_after: now+3600) asn1 = OpenSSL::ASN1.decode(cert) @@ -243,14 +243,9 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm end def test_primitive_cannot_set_infinite_length - begin - prim = OpenSSL::ASN1::Integer.new(50) - assert_equal(false, prim.infinite_length) - prim.infinite_length = true - flunk('Could set infinite length on primitive value') - rescue NoMethodError - #ok - end + prim = OpenSSL::ASN1::Integer.new(50) + assert_equal false, prim.infinite_length + assert_not_respond_to prim, :infinite_length= end def test_decode_all @@ -289,12 +284,8 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm def test_create_inf_length_primitive expected = %w{ 24 80 04 01 61 00 00 } raw = [expected.join('')].pack('H*') - val = OpenSSL::ASN1::OctetString.new('a') - cons = OpenSSL::ASN1::Constructive.new([val, - OpenSSL::ASN1::EndOfContent.new], - OpenSSL::ASN1::OCTET_STRING, - nil, - :UNIVERSAL) + content = [OpenSSL::ASN1::OctetString.new("a"), OpenSSL::ASN1::EndOfContent.new] + cons = OpenSSL::ASN1::Constructive.new(content, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL) cons.infinite_length = true assert_equal(nil, cons.tagging) assert_equal(raw, cons.to_der) @@ -306,10 +297,7 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm def test_cons_without_inf_length_forbidden assert_raise(OpenSSL::ASN1::ASN1Error) do val = OpenSSL::ASN1::OctetString.new('a') - cons = OpenSSL::ASN1::Constructive.new([val], - OpenSSL::ASN1::OCTET_STRING, - nil, - :UNIVERSAL) + cons = OpenSSL::ASN1::Constructive.new([val], OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL) cons.to_der end end @@ -317,10 +305,7 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm def test_cons_without_array_forbidden assert_raise(OpenSSL::ASN1::ASN1Error) do val = OpenSSL::ASN1::OctetString.new('a') - cons = OpenSSL::ASN1::Constructive.new(val, - OpenSSL::ASN1::OCTET_STRING, - nil, - :UNIVERSAL) + cons = OpenSSL::ASN1::Constructive.new(val, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL) cons.infinite_length = true cons.to_der end @@ -352,218 +337,158 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm end def test_seq_infinite_length - begin - content = [ OpenSSL::ASN1::Null.new(nil), - OpenSSL::ASN1::EndOfContent.new ] - cons = OpenSSL::ASN1::Sequence.new(content) - cons.infinite_length = true - expected = %w{ 30 80 05 00 00 00 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, cons.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + content = [ OpenSSL::ASN1::Null.new(nil), + OpenSSL::ASN1::EndOfContent.new ] + cons = OpenSSL::ASN1::Sequence.new(content) + cons.infinite_length = true + expected = %w{ 30 80 05 00 00 00 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, cons.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_set_infinite_length - begin - content = [ OpenSSL::ASN1::Null.new(nil), - OpenSSL::ASN1::EndOfContent.new() ] - cons = OpenSSL::ASN1::Set.new(content) - cons.infinite_length = true - expected = %w{ 31 80 05 00 00 00 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, cons.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + content = [ OpenSSL::ASN1::Null.new(nil), + OpenSSL::ASN1::EndOfContent.new() ] + cons = OpenSSL::ASN1::Set.new(content) + cons.infinite_length = true + expected = %w{ 31 80 05 00 00 00 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, cons.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_octet_string_infinite_length - begin - octets = [ OpenSSL::ASN1::OctetString.new('aaa'), - OpenSSL::ASN1::EndOfContent.new() ] - cons = OpenSSL::ASN1::Constructive.new( - octets, - OpenSSL::ASN1::OCTET_STRING, - nil, - :UNIVERSAL) - cons.infinite_length = true - expected = %w{ 24 80 04 03 61 61 61 00 00 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, cons.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + octets = [ OpenSSL::ASN1::OctetString.new('aaa'), + OpenSSL::ASN1::EndOfContent.new() ] + cons = OpenSSL::ASN1::Constructive.new(octets, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL) + cons.infinite_length = true + expected = %w{ 24 80 04 03 61 61 61 00 00 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, cons.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_prim_explicit_tagging - begin - oct_str = OpenSSL::ASN1::OctetString.new("a", 0, :EXPLICIT) - expected = %w{ A0 03 04 01 61 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, oct_str.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + oct_str = OpenSSL::ASN1::OctetString.new("a", 0, :EXPLICIT) + expected = %w{ A0 03 04 01 61 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, oct_str.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_prim_explicit_tagging_tag_class - begin - oct_str = OpenSSL::ASN1::OctetString.new("a", 0, :EXPLICIT) - oct_str2 = OpenSSL::ASN1::OctetString.new( - "a", - 0, - :EXPLICIT, - :CONTEXT_SPECIFIC) - assert_equal(oct_str.to_der, oct_str2.to_der) - end + oct_str = OpenSSL::ASN1::OctetString.new("a", 0, :EXPLICIT) + oct_str2 = OpenSSL::ASN1::OctetString.new("a", 0, :EXPLICIT, :CONTEXT_SPECIFIC) + assert_equal(oct_str.to_der, oct_str2.to_der) end def test_prim_implicit_tagging - begin - int = OpenSSL::ASN1::Integer.new(1, 0, :IMPLICIT) - expected = %w{ 80 01 01 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, int.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + int = OpenSSL::ASN1::Integer.new(1, 0, :IMPLICIT) + expected = %w{ 80 01 01 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, int.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_prim_implicit_tagging_tag_class - begin - int = OpenSSL::ASN1::Integer.new(1, 0, :IMPLICIT) - int2 = OpenSSL::ASN1::Integer.new(1, 0, :IMPLICIT, :CONTEXT_SPECIFIC); - assert_equal(int.to_der, int2.to_der) - end + int = OpenSSL::ASN1::Integer.new(1, 0, :IMPLICIT) + int2 = OpenSSL::ASN1::Integer.new(1, 0, :IMPLICIT, :CONTEXT_SPECIFIC); + assert_equal(int.to_der, int2.to_der) end def test_cons_explicit_tagging - begin - content = [ OpenSSL::ASN1::PrintableString.new('abc') ] - seq = OpenSSL::ASN1::Sequence.new(content, 2, :EXPLICIT) - expected = %w{ A2 07 30 05 13 03 61 62 63 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, seq.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + content = [ OpenSSL::ASN1::PrintableString.new('abc') ] + seq = OpenSSL::ASN1::Sequence.new(content, 2, :EXPLICIT) + expected = %w{ A2 07 30 05 13 03 61 62 63 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, seq.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_cons_explicit_tagging_inf_length - begin - content = [ OpenSSL::ASN1::PrintableString.new('abc') , - OpenSSL::ASN1::EndOfContent.new() ] - seq = OpenSSL::ASN1::Sequence.new(content, 2, :EXPLICIT) - seq.infinite_length = true - expected = %w{ A2 80 30 80 13 03 61 62 63 00 00 00 00 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, seq.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + content = [ OpenSSL::ASN1::PrintableString.new('abc') , + OpenSSL::ASN1::EndOfContent.new() ] + seq = OpenSSL::ASN1::Sequence.new(content, 2, :EXPLICIT) + seq.infinite_length = true + expected = %w{ A2 80 30 80 13 03 61 62 63 00 00 00 00 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, seq.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_cons_implicit_tagging - begin - content = [ OpenSSL::ASN1::Null.new(nil) ] - seq = OpenSSL::ASN1::Sequence.new(content, 1, :IMPLICIT) - expected = %w{ A1 02 05 00 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, seq.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + content = [ OpenSSL::ASN1::Null.new(nil) ] + seq = OpenSSL::ASN1::Sequence.new(content, 1, :IMPLICIT) + expected = %w{ A1 02 05 00 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, seq.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_cons_implicit_tagging_inf_length - begin - content = [ OpenSSL::ASN1::Null.new(nil), - OpenSSL::ASN1::EndOfContent.new() ] - seq = OpenSSL::ASN1::Sequence.new(content, 1, :IMPLICIT) - seq.infinite_length = true - expected = %w{ A1 80 05 00 00 00 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, seq.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + content = [ OpenSSL::ASN1::Null.new(nil), + OpenSSL::ASN1::EndOfContent.new() ] + seq = OpenSSL::ASN1::Sequence.new(content, 1, :IMPLICIT) + seq.infinite_length = true + expected = %w{ A1 80 05 00 00 00 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, seq.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_octet_string_infinite_length_explicit_tagging - begin - octets = [ OpenSSL::ASN1::OctetString.new('aaa'), - OpenSSL::ASN1::EndOfContent.new() ] - cons = OpenSSL::ASN1::Constructive.new( - octets, - 1, - :EXPLICIT) - cons.infinite_length = true - expected = %w{ A1 80 24 80 04 03 61 61 61 00 00 00 00 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, cons.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + octets = [ OpenSSL::ASN1::OctetString.new('aaa'), + OpenSSL::ASN1::EndOfContent.new() ] + cons = OpenSSL::ASN1::Constructive.new(octets, 1, :EXPLICIT) + cons.infinite_length = true + expected = %w{ A1 80 24 80 04 03 61 61 61 00 00 00 00 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, cons.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_octet_string_infinite_length_implicit_tagging - begin - octets = [ OpenSSL::ASN1::OctetString.new('aaa'), - OpenSSL::ASN1::EndOfContent.new() ] - cons = OpenSSL::ASN1::Constructive.new( - octets, - 0, - :IMPLICIT) - cons.infinite_length = true - expected = %w{ A0 80 04 03 61 61 61 00 00 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, cons.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + octets = [ OpenSSL::ASN1::OctetString.new('aaa'), + OpenSSL::ASN1::EndOfContent.new() ] + cons = OpenSSL::ASN1::Constructive.new(octets, 0, :IMPLICIT) + cons.infinite_length = true + expected = %w{ A0 80 04 03 61 61 61 00 00 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, cons.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_recursive_octet_string_infinite_length - begin - octets_sub1 = [ OpenSSL::ASN1::OctetString.new("\x01"), - OpenSSL::ASN1::EndOfContent.new() ] - octets_sub2 = [ OpenSSL::ASN1::OctetString.new("\x02"), - OpenSSL::ASN1::EndOfContent.new() ] - container1 = OpenSSL::ASN1::Constructive.new( - octets_sub1, - OpenSSL::ASN1::OCTET_STRING, - nil, - :UNIVERSAL) - container1.infinite_length = true - container2 = OpenSSL::ASN1::Constructive.new( - octets_sub2, - OpenSSL::ASN1::OCTET_STRING, - nil, - :UNIVERSAL) - container2.infinite_length = true - octets3 = OpenSSL::ASN1::OctetString.new("\x03") - - octets = [ container1, container2, octets3, - OpenSSL::ASN1::EndOfContent.new() ] - cons = OpenSSL::ASN1::Constructive.new( - octets, - OpenSSL::ASN1::OCTET_STRING, - nil, - :UNIVERSAL) - cons.infinite_length = true - expected = %w{ 24 80 24 80 04 01 01 00 00 24 80 04 01 02 00 00 04 01 03 00 00 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, cons.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + octets_sub1 = [ OpenSSL::ASN1::OctetString.new("\x01"), + OpenSSL::ASN1::EndOfContent.new() ] + octets_sub2 = [ OpenSSL::ASN1::OctetString.new("\x02"), + OpenSSL::ASN1::EndOfContent.new() ] + container1 = OpenSSL::ASN1::Constructive.new(octets_sub1, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL) + container1.infinite_length = true + container2 = OpenSSL::ASN1::Constructive.new(octets_sub2, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL) + container2.infinite_length = true + octets3 = OpenSSL::ASN1::OctetString.new("\x03") + + octets = [ container1, container2, octets3, + OpenSSL::ASN1::EndOfContent.new() ] + cons = OpenSSL::ASN1::Constructive.new(octets, OpenSSL::ASN1::OCTET_STRING, nil, :UNIVERSAL) + cons.infinite_length = true + expected = %w{ 24 80 24 80 04 01 01 00 00 24 80 04 01 02 00 00 04 01 03 00 00 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, cons.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_bit_string_infinite_length - begin - content = [ OpenSSL::ASN1::BitString.new("\x01"), - OpenSSL::ASN1::EndOfContent.new() ] - cons = OpenSSL::ASN1::Constructive.new( - content, - OpenSSL::ASN1::BIT_STRING, - nil, - :UNIVERSAL) - cons.infinite_length = true - expected = %w{ 23 80 03 02 00 01 00 00 } - raw = [expected.join('')].pack('H*') - assert_equal(raw, cons.to_der) - assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) - end + content = [ OpenSSL::ASN1::BitString.new("\x01"), + OpenSSL::ASN1::EndOfContent.new() ] + cons = OpenSSL::ASN1::Constructive.new(content, OpenSSL::ASN1::BIT_STRING, nil, :UNIVERSAL) + cons.infinite_length = true + expected = %w{ 23 80 03 02 00 01 00 00 } + raw = [expected.join('')].pack('H*') + assert_equal(raw, cons.to_der) + assert_equal(raw, OpenSSL::ASN1.decode(raw).to_der) end def test_primitive_inf_length @@ -610,6 +535,29 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm assert_equal(false, asn1.value[3].infinite_length) end + def test_decode_constructed_overread + test = %w{ 31 06 31 02 30 02 05 00 } + # ^ <- invalid + raw = [test.join].pack("H*") + ret = [] + assert_raise(OpenSSL::ASN1::ASN1Error) { + OpenSSL::ASN1.traverse(raw) { |x| ret << x } + } + assert_equal 2, ret.size + assert_equal 17, ret[0][6] + assert_equal 17, ret[1][6] + + test = %w{ 31 80 30 03 00 00 } + # ^ <- invalid + raw = [test.join].pack("H*") + ret = [] + assert_raise(OpenSSL::ASN1::ASN1Error) { + OpenSSL::ASN1.traverse(raw) { |x| ret << x } + } + assert_equal 1, ret.size + assert_equal 17, ret[0][6] + end + private def assert_universal(tag, asn1) @@ -621,4 +569,3 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm end end if defined?(OpenSSL::TestUtils) - diff --git a/test/openssl/test_cipher.rb b/test/openssl/test_cipher.rb index 74c5394f5f..8954cb666c 100644 --- a/test/openssl/test_cipher.rb +++ b/test/openssl/test_cipher.rb @@ -4,110 +4,131 @@ require_relative 'utils' if defined?(OpenSSL::TestUtils) class OpenSSL::TestCipher < OpenSSL::TestCase - - @ciphers = OpenSSL::Cipher.ciphers - - class << self - + module Helper def has_cipher?(name) + @ciphers ||= OpenSSL::Cipher.ciphers @ciphers.include?(name) end - - def has_ciphers?(list) - list.all? { |name| has_cipher?(name) } - end - end - - def setup - @c1 = OpenSSL::Cipher.new("DES-EDE3-CBC") - @c2 = OpenSSL::Cipher::DES.new(:EDE3, "CBC") - @key = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" - @iv = "\0\0\0\0\0\0\0\0" - @hexkey = "0000000000000000000000000000000000000000000000" - @hexiv = "0000000000000000" - @data = "DATA" + include Helper + extend Helper + + def test_encrypt_decrypt + # NIST SP 800-38A F.2.1 + key = ["2b7e151628aed2a6abf7158809cf4f3c"].pack("H*") + iv = ["000102030405060708090a0b0c0d0e0f"].pack("H*") + pt = ["6bc1bee22e409f96e93d7e117393172a" \ + "ae2d8a571e03ac9c9eb76fac45af8e51"].pack("H*") + ct = ["7649abac8119b246cee98e9b12e9197d" \ + "5086cb9b507219ee95db113a917678b2"].pack("H*") + cipher = new_encryptor("aes-128-cbc", key: key, iv: iv, padding: 0) + assert_equal ct, cipher.update(pt) << cipher.final + cipher = new_decryptor("aes-128-cbc", key: key, iv: iv, padding: 0) + assert_equal pt, cipher.update(ct) << cipher.final end - def teardown - super - @c1 = @c2 = nil - end - - def test_crypt - @c1.encrypt.pkcs5_keyivgen(@key, @iv) - @c2.encrypt.pkcs5_keyivgen(@key, @iv) - s1 = @c1.update(@data) + @c1.final - s2 = @c2.update(@data) + @c2.final - assert_equal(s1, s2, "encrypt") - - @c1.decrypt.pkcs5_keyivgen(@key, @iv) - @c2.decrypt.pkcs5_keyivgen(@key, @iv) - assert_equal(@data, @c1.update(s1)+@c1.final, "decrypt") - assert_equal(@data, @c2.update(s2)+@c2.final, "decrypt") + def test_pkcs5_keyivgen + pass = "\x00" * 8 + salt = "\x01" * 8 + num = 2048 + pt = "data to be encrypted" + cipher = OpenSSL::Cipher.new("DES-EDE3-CBC").encrypt + cipher.pkcs5_keyivgen(pass, salt, num, "MD5") + s1 = cipher.update(pt) << cipher.final + + d1 = num.times.inject(pass + salt) {|out, _| OpenSSL::Digest::MD5.digest(out) } + d2 = num.times.inject(d1 + pass + salt) {|out, _| OpenSSL::Digest::MD5.digest(out) } + key = (d1 + d2)[0, 24] + iv = (d1 + d2)[24, 8] + cipher = new_encryptor("DES-EDE3-CBC", key: key, iv: iv) + s2 = cipher.update(pt) << cipher.final + + assert_equal s1, s2 end def test_info - assert_equal("DES-EDE3-CBC", @c1.name, "name") - assert_equal("DES-EDE3-CBC", @c2.name, "name") - assert_kind_of(Integer, @c1.key_len, "key_len") - assert_kind_of(Integer, @c1.iv_len, "iv_len") + cipher = OpenSSL::Cipher.new("DES-EDE3-CBC").encrypt + assert_equal "DES-EDE3-CBC", cipher.name + assert_equal 24, cipher.key_len + assert_equal 8, cipher.iv_len end def test_dup - assert_equal(@c1.name, @c1.dup.name, "dup") - assert_equal(@c1.name, @c1.clone.name, "clone") - @c1.encrypt - @c1.key = @key - @c1.iv = @iv - tmpc = @c1.dup - s1 = @c1.update(@data) + @c1.final - s2 = tmpc.update(@data) + tmpc.final + cipher = OpenSSL::Cipher.new("aes-128-cbc").encrypt + assert_equal cipher.name, cipher.dup.name + cipher.encrypt + cipher.random_key + cipher.random_iv + tmpc = cipher.dup + s1 = cipher.update("data") + cipher.final + s2 = tmpc.update("data") + tmpc.final assert_equal(s1, s2, "encrypt dup") end def test_reset - @c1.encrypt - @c1.key = @key - @c1.iv = @iv - s1 = @c1.update(@data) + @c1.final - @c1.reset - s2 = @c1.update(@data) + @c1.final + cipher = OpenSSL::Cipher.new("aes-128-cbc").encrypt + cipher.encrypt + cipher.random_key + cipher.random_iv + s1 = cipher.update("data") + cipher.final + cipher.reset + s2 = cipher.update("data") + cipher.final assert_equal(s1, s2, "encrypt reset") end def test_key_iv_set - # default value for DES-EDE3-CBC - assert_equal(24, @c1.key_len) - assert_equal(8, @c1.iv_len) - assert_raise(ArgumentError) { @c1.key = "\x01" * 23 } - @c1.key = "\x01" * 24 - assert_raise(ArgumentError) { @c1.key = "\x01" * 25 } - assert_raise(ArgumentError) { @c1.iv = "\x01" * 7 } - @c1.iv = "\x01" * 8 - assert_raise(ArgumentError) { @c1.iv = "\x01" * 9 } + cipher = OpenSSL::Cipher.new("DES-EDE3-CBC").encrypt + assert_raise(ArgumentError) { cipher.key = "\x01" * 23 } + assert_nothing_raised { cipher.key = "\x01" * 24 } + assert_raise(ArgumentError) { cipher.key = "\x01" * 25 } + assert_raise(ArgumentError) { cipher.iv = "\x01" * 7 } + assert_nothing_raised { cipher.iv = "\x01" * 8 } + assert_raise(ArgumentError) { cipher.iv = "\x01" * 9 } + end + + def test_random_key_iv + data = "data" + s1, s2 = 2.times.map do + cipher = OpenSSL::Cipher.new("aes-128-cbc").encrypt + cipher.random_key + cipher.iv = "\x01" * 16 + cipher.update(data) << cipher.final + end + assert_not_equal s1, s2 + + s1, s2 = 2.times.map do + cipher = OpenSSL::Cipher.new("aes-128-cbc").encrypt + cipher.key = "\x01" * 16 + cipher.random_iv + cipher.update(data) << cipher.final + end + assert_not_equal s1, s2 end def test_empty_data - @c1.encrypt - assert_raise(ArgumentError){ @c1.update("") } + cipher = OpenSSL::Cipher.new("DES-EDE3-CBC").encrypt + cipher.random_key + assert_raise(ArgumentError) { cipher.update("") } end def test_initialize - assert_raise(RuntimeError) {@c1.__send__(:initialize, "DES-EDE3-CBC")} - assert_raise(RuntimeError) {OpenSSL::Cipher.allocate.final} + cipher = OpenSSL::Cipher.new("DES-EDE3-CBC") + assert_raise(RuntimeError) { cipher.__send__(:initialize, "DES-EDE3-CBC") } + assert_raise(RuntimeError) { OpenSSL::Cipher.allocate.final } end def test_ctr_if_exists - begin - cipher = OpenSSL::Cipher.new('aes-128-ctr') - cipher.encrypt - cipher.pkcs5_keyivgen('password') - c = cipher.update('hello,world') + cipher.final - cipher.decrypt - cipher.pkcs5_keyivgen('password') - assert_equal('hello,world', cipher.update(c) + cipher.final) - end + # NIST SP 800-38A F.5.1 + key = ["2b7e151628aed2a6abf7158809cf4f3c"].pack("H*") + iv = ["f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"].pack("H*") + pt = ["6bc1bee22e409f96e93d7e117393172a" \ + "ae2d8a571e03ac9c9eb76fac45af8e51"].pack("H*") + ct = ["874d6191b620e3261bef6864990db6ce" \ + "9806f66b7970fdff8617187bb9fffdff"].pack("H*") + cipher = new_encryptor("aes-128-ctr", key: key, iv: iv, padding: 0) + assert_equal ct, cipher.update(pt) << cipher.final + cipher = new_decryptor("aes-128-ctr", key: key, iv: iv, padding: 0) + assert_equal pt, cipher.update(ct) << cipher.final end if has_cipher?('aes-128-ctr') def test_ciphers @@ -136,202 +157,159 @@ class OpenSSL::TestCipher < OpenSSL::TestCase } end - def test_AES_crush - 500.times do - assert_nothing_raised("[Bug #2768]") do - # it caused OpenSSL SEGV by uninitialized key - OpenSSL::Cipher::AES128.new("ECB").update "." * 17 - end + def test_update_raise_if_key_not_set + assert_raise(OpenSSL::Cipher::CipherError) do + # it caused OpenSSL SEGV by uninitialized key [Bug #2768] + OpenSSL::Cipher::AES128.new("ECB").update "." * 17 end end - if has_ciphers?(['aes-128-gcm', 'aes-192-gcm', 'aes-256-gcm']) - - def test_authenticated + def test_authenticated + if has_cipher?('aes-128-gcm') cipher = OpenSSL::Cipher.new('aes-128-gcm') assert_predicate(cipher, :authenticated?) - cipher = OpenSSL::Cipher.new('aes-128-cbc') - assert_not_predicate(cipher, :authenticated?) - end - - def test_aes_gcm - ['aes-128-gcm', 'aes-192-gcm', 'aes-256-gcm'].each do |algo| - pt = "You should all use Authenticated Encryption!" - cipher, key, iv = new_encryptor(algo) - - cipher.auth_data = "aad" - ct = cipher.update(pt) + cipher.final - tag = cipher.auth_tag - assert_equal(16, tag.size) - - decipher = new_decryptor(algo, key, iv) - decipher.auth_tag = tag - decipher.auth_data = "aad" - - assert_equal(pt, decipher.update(ct) + decipher.final) - end - end - - def test_aes_gcm_short_tag - ['aes-128-gcm', 'aes-192-gcm', 'aes-256-gcm'].each do |algo| - pt = "You should all use Authenticated Encryption!" - cipher, key, iv = new_encryptor(algo) - - cipher.auth_data = "aad" - ct = cipher.update(pt) + cipher.final - tag = cipher.auth_tag(8) - assert_equal(8, tag.size) - - decipher = new_decryptor(algo, key, iv) - decipher.auth_tag = tag - decipher.auth_data = "aad" - - assert_equal(pt, decipher.update(ct) + decipher.final) - end - end - - def test_aes_gcm_wrong_tag - pt = "You should all use Authenticated Encryption!" - cipher, key, iv = new_encryptor('aes-128-gcm') - - cipher.auth_data = "aad" - ct = cipher.update(pt) + cipher.final - tag = cipher.auth_tag - - decipher = new_decryptor('aes-128-gcm', key, iv) - tag.setbyte(-1, (tag.getbyte(-1) + 1) & 0xff) - decipher.auth_tag = tag - decipher.auth_data = "aad" - - assert_raise OpenSSL::Cipher::CipherError do - decipher.update(ct) + decipher.final - end - end - - def test_aes_gcm_wrong_auth_data - pt = "You should all use Authenticated Encryption!" - cipher, key, iv = new_encryptor('aes-128-gcm') - - cipher.auth_data = "aad" - ct = cipher.update(pt) + cipher.final - tag = cipher.auth_tag - - decipher = new_decryptor('aes-128-gcm', key, iv) - decipher.auth_tag = tag - decipher.auth_data = "daa" - - assert_raise OpenSSL::Cipher::CipherError do - decipher.update(ct) + decipher.final - end end + cipher = OpenSSL::Cipher.new('aes-128-cbc') + assert_not_predicate(cipher, :authenticated?) + end - def test_aes_gcm_wrong_ciphertext - pt = "You should all use Authenticated Encryption!" - cipher, key, iv = new_encryptor('aes-128-gcm') + def test_aes_gcm + # GCM spec Appendix B Test Case 4 + key = ["feffe9928665731c6d6a8f9467308308"].pack("H*") + iv = ["cafebabefacedbaddecaf888"].pack("H*") + aad = ["feedfacedeadbeeffeedfacedeadbeef" \ + "abaddad2"].pack("H*") + pt = ["d9313225f88406e5a55909c5aff5269a" \ + "86a7a9531534f7da2e4c303d8a318a72" \ + "1c3c0c95956809532fcf0e2449a6b525" \ + "b16aedf5aa0de657ba637b39"].pack("H*") + ct = ["42831ec2217774244b7221b784d0d49c" \ + "e3aa212f2c02a4e035c17e2329aca12e" \ + "21d514b25466931c7d8f6a5aac84aa05" \ + "1ba30b396a0aac973d58e091"].pack("H*") + tag = ["5bc94fbc3221a5db94fae95ae7121a47"].pack("H*") + + cipher = new_encryptor("aes-128-gcm", key: key, iv: iv, auth_data: aad) + assert_equal ct, cipher.update(pt) << cipher.final + assert_equal tag, cipher.auth_tag + cipher = new_decryptor("aes-128-gcm", key: key, iv: iv, auth_data: aad, auth_tag: tag) + assert_equal pt, cipher.update(ct) << cipher.final + + # truncated tag is accepted + cipher = new_encryptor("aes-128-gcm", key: key, iv: iv, auth_data: aad) + assert_equal ct, cipher.update(pt) << cipher.final + assert_equal tag[0, 8], cipher.auth_tag(8) + cipher = new_decryptor("aes-128-gcm", key: key, iv: iv, auth_data: aad, auth_tag: tag[0, 8]) + assert_equal pt, cipher.update(ct) << cipher.final + + # wrong tag is rejected + tag2 = tag.dup + tag2.setbyte(-1, (tag2.getbyte(-1) + 1) & 0xff) + cipher = new_decryptor("aes-128-gcm", key: key, iv: iv, auth_data: aad, auth_tag: tag2) + cipher.update(ct) + assert_raise(OpenSSL::Cipher::CipherError) { cipher.final } + + # wrong aad is rejected + aad2 = aad[0..-2] << aad[-1].succ + cipher = new_decryptor("aes-128-gcm", key: key, iv: iv, auth_data: aad2, auth_tag: tag) + cipher.update(ct) + assert_raise(OpenSSL::Cipher::CipherError) { cipher.final } + + # wrong ciphertext is rejected + ct2 = ct[0..-2] << ct[-1].succ + cipher = new_decryptor("aes-128-gcm", key: key, iv: iv, auth_data: aad, auth_tag: tag) + cipher.update(ct2) + assert_raise(OpenSSL::Cipher::CipherError) { cipher.final } + end if has_cipher?("aes-128-gcm") + + def test_aes_gcm_variable_iv_len + # GCM spec Appendix B Test Case 5 + key = ["feffe9928665731c6d6a8f9467308308"].pack("H*") + iv = ["cafebabefacedbad"].pack("H*") + aad = ["feedfacedeadbeeffeedfacedeadbeef" \ + "abaddad2"].pack("H*") + pt = ["d9313225f88406e5a55909c5aff5269a" \ + "86a7a9531534f7da2e4c303d8a318a72" \ + "1c3c0c95956809532fcf0e2449a6b525" \ + "b16aedf5aa0de657ba637b39"].pack("H*") + ct = ["61353b4c2806934a777ff51fa22a4755" \ + "699b2a714fcdc6f83766e5f97b6c7423" \ + "73806900e49f24b22b097544d4896b42" \ + "4989b5e1ebac0f07c23f4598"].pack("H*") + tag = ["3612d2e79e3b0785561be14aaca2fccb"].pack("H*") + + cipher = new_encryptor("aes-128-gcm", key: key, iv_len: 8, iv: iv, auth_data: aad) + assert_equal ct, cipher.update(pt) << cipher.final + assert_equal tag, cipher.auth_tag + cipher = new_decryptor("aes-128-gcm", key: key, iv_len: 8, iv: iv, auth_data: aad, auth_tag: tag) + assert_equal pt, cipher.update(ct) << cipher.final + end if has_cipher?("aes-128-gcm") - cipher.auth_data = "aad" - ct = cipher.update(pt) + cipher.final - tag = cipher.auth_tag + def test_aes_ocb_tag_len + # RFC 7253 Appendix A; the second sample + key = ["000102030405060708090A0B0C0D0E0F"].pack("H*") + iv = ["BBAA99887766554433221101"].pack("H*") + aad = ["0001020304050607"].pack("H*") + pt = ["0001020304050607"].pack("H*") + ct = ["6820B3657B6F615A"].pack("H*") + tag = ["5725BDA0D3B4EB3A257C9AF1F8F03009"].pack("H*") + + cipher = new_encryptor("aes-128-ocb", key: key, iv: iv, auth_data: aad) + assert_equal ct, cipher.update(pt) << cipher.final + assert_equal tag, cipher.auth_tag + cipher = new_decryptor("aes-128-ocb", key: key, iv: iv, auth_data: aad, auth_tag: tag) + assert_equal pt, cipher.update(ct) << cipher.final + + # RFC 7253 Appendix A; with 96 bits tag length + key = ["0F0E0D0C0B0A09080706050403020100"].pack("H*") + iv = ["BBAA9988776655443322110D"].pack("H*") + aad = ["000102030405060708090A0B0C0D0E0F1011121314151617" \ + "18191A1B1C1D1E1F2021222324252627"].pack("H*") + pt = ["000102030405060708090A0B0C0D0E0F1011121314151617" \ + "18191A1B1C1D1E1F2021222324252627"].pack("H*") + ct = ["1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1" \ + "A0124B0A55BAE884ED93481529C76B6A"].pack("H*") + tag = ["D0C515F4D1CDD4FDAC4F02AA"].pack("H*") + + cipher = new_encryptor("aes-128-ocb", auth_tag_len: 12, key: key, iv: iv, auth_data: aad) + assert_equal ct, cipher.update(pt) << cipher.final + assert_equal tag, cipher.auth_tag + cipher = new_decryptor("aes-128-ocb", auth_tag_len: 12, key: key, iv: iv, auth_data: aad, auth_tag: tag) + assert_equal pt, cipher.update(ct) << cipher.final - decipher = new_decryptor('aes-128-gcm', key, iv) - decipher.auth_tag = tag - decipher.auth_data = "aad" + end if has_cipher?("aes-128-ocb") - assert_raise OpenSSL::Cipher::CipherError do - decipher.update(ct[0..-2] << ct[-1].succ) + decipher.final - end - end + def test_aes_gcm_key_iv_order_issue + pt = "[ruby/openssl#49]" + cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt + cipher.key = "x" * 16 + cipher.iv = "a" * 12 + ct1 = cipher.update(pt) << cipher.final + tag1 = cipher.auth_tag - def test_aes_gcm_variable_iv_len - pt = "You should all use Authenticated Encryption!" - cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt - cipher.key = "x" * 16 - assert_equal(12, cipher.iv_len) - cipher.iv = "a" * 12 - ct1 = cipher.update(pt) << cipher.final - tag1 = cipher.auth_tag - - cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt - cipher.key = "x" * 16 - cipher.iv_len = 10 - assert_equal(10, cipher.iv_len) - cipher.iv = "a" * 10 - ct2 = cipher.update(pt) << cipher.final - tag2 = cipher.auth_tag - - assert_not_equal ct1, ct2 - assert_not_equal tag1, tag2 - - decipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt - decipher.auth_tag = tag1 - decipher.key = "x" * 16 - decipher.iv_len = 12 - decipher.iv = "a" * 12 - assert_equal(pt, decipher.update(ct1) << decipher.final) - - decipher.reset - decipher.auth_tag = tag2 - assert_raise(OpenSSL::Cipher::CipherError) { - decipher.update(ct2) << decipher.final - } - - decipher.reset - decipher.auth_tag = tag2 - decipher.iv_len = 10 - decipher.iv = "a" * 10 - assert_equal(pt, decipher.update(ct2) << decipher.final) - end + cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt + cipher.iv = "a" * 12 + cipher.key = "x" * 16 + ct2 = cipher.update(pt) << cipher.final + tag2 = cipher.auth_tag - end - - def test_aes_ocb_tag_len - pt = "You should all use Authenticated Encryption!" - cipher = OpenSSL::Cipher.new("aes-128-ocb").encrypt - cipher.auth_tag_len = 14 - cipher.iv_len = 8 - key = cipher.random_key - iv = cipher.random_iv - cipher.auth_data = "aad" - ct = cipher.update(pt) + cipher.final - tag = cipher.auth_tag - assert_equal(14, tag.size) - - decipher = OpenSSL::Cipher.new("aes-128-ocb").decrypt - decipher.auth_tag_len = 14 - decipher.auth_tag = tag - decipher.iv_len = 8 - decipher.key = key - decipher.iv = iv - decipher.auth_data = "aad" - assert_equal(pt, decipher.update(ct) + decipher.final) - - decipher = OpenSSL::Cipher.new("aes-128-ocb").decrypt - decipher.auth_tag_len = 9 - decipher.auth_tag = tag[0, 9] - decipher.iv_len = 8 - decipher.key = key - decipher.iv = iv - decipher.auth_data = "aad" - assert_raise(OpenSSL::Cipher::CipherError) { - decipher.update(ct) + decipher.final - } - end if has_cipher?("aes-128-ocb") + assert_equal ct1, ct2 + assert_equal tag1, tag2 + end if has_cipher?("aes-128-gcm") private - def new_encryptor(algo) - cipher = OpenSSL::Cipher.new(algo) - cipher.encrypt - key = cipher.random_key - iv = cipher.random_iv - [cipher, key, iv] + def new_encryptor(algo, **kwargs) + OpenSSL::Cipher.new(algo).tap do |cipher| + cipher.encrypt + kwargs.each {|k, v| cipher.send(:"#{k}=", v) } + end end - def new_decryptor(algo, key, iv) + def new_decryptor(algo, **kwargs) OpenSSL::Cipher.new(algo).tap do |cipher| cipher.decrypt - cipher.key = key - cipher.iv = iv + kwargs.each {|k, v| cipher.send(:"#{k}=", v) } end end diff --git a/test/openssl/test_digest.rb b/test/openssl/test_digest.rb index 51fc03bb87..028889c173 100644 --- a/test/openssl/test_digest.rb +++ b/test/openssl/test_digest.rb @@ -7,27 +7,21 @@ class OpenSSL::TestDigest < OpenSSL::TestCase def setup @d1 = OpenSSL::Digest.new("MD5") @d2 = OpenSSL::Digest::MD5.new - @md = Digest::MD5.new - @data = "DATA" - end - - def teardown - super - @d1 = @d2 = @md = nil end def test_digest - assert_equal(@md.digest, @d1.digest) - assert_equal(@md.hexdigest, @d1.hexdigest) - @d1 << @data - @d2 << @data - @md << @data - assert_equal(@md.digest, @d1.digest) - assert_equal(@md.hexdigest, @d1.hexdigest) - assert_equal(@d1.digest, @d2.digest) - assert_equal(@d1.hexdigest, @d2.hexdigest) - assert_equal(@md.digest, OpenSSL::Digest::MD5.digest(@data)) - assert_equal(@md.hexdigest, OpenSSL::Digest::MD5.hexdigest(@data)) + null_hex = "d41d8cd98f00b204e9800998ecf8427e" + null_bin = [null_hex].pack("H*") + data = "DATA" + hex = "e44f9e348e41cb272efa87387728571b" + bin = [hex].pack("H*") + assert_equal(null_bin, @d1.digest) + assert_equal(null_hex, @d1.hexdigest) + @d1 << data + assert_equal(bin, @d1.digest) + assert_equal(hex, @d1.hexdigest) + assert_equal(bin, OpenSSL::Digest::MD5.digest(data)) + assert_equal(hex, OpenSSL::Digest::MD5.hexdigest(data)) end def test_eql @@ -43,17 +37,17 @@ class OpenSSL::TestDigest < OpenSSL::TestCase end def test_dup - @d1.update(@data) + @d1.update("DATA") assert_equal(@d1.name, @d1.dup.name, "dup") assert_equal(@d1.name, @d1.clone.name, "clone") assert_equal(@d1.digest, @d1.clone.digest, "clone .digest") end def test_reset - @d1.update(@data) + @d1.update("DATA") dig1 = @d1.digest @d1.reset - @d1.update(@data) + @d1.update("DATA") dig2 = @d1.digest assert_equal(dig1, dig2, "reset") end diff --git a/test/openssl/test_engine.rb b/test/openssl/test_engine.rb index 2d394cf797..75e45eb7f0 100644 --- a/test/openssl/test_engine.rb +++ b/test/openssl/test_engine.rb @@ -72,13 +72,6 @@ class OpenSSL::TestEngine < OpenSSL::TestCase end; end - def test_dup - with_openssl <<-'end;' - engine = get_engine - assert_raise(NoMethodError) { engine.dup } - end; - end - private # this is required because OpenSSL::Engine methods change global state diff --git a/test/openssl/test_hmac.rb b/test/openssl/test_hmac.rb index dd58e4ac98..dbde97d9c9 100644 --- a/test/openssl/test_hmac.rb +++ b/test/openssl/test_hmac.rb @@ -1,33 +1,26 @@ -# coding: UTF-8 # frozen_string_literal: false - require_relative 'utils' class OpenSSL::TestHMAC < OpenSSL::TestCase - def setup - @digest = OpenSSL::Digest::MD5 - @key = "KEY" - @data = "DATA" - @h1 = OpenSSL::HMAC.new(@key, @digest.new) - @h2 = OpenSSL::HMAC.new(@key, "MD5") - end - def test_hmac - @h1.update(@data) - @h2.update(@data) - assert_equal(@h1.digest, @h2.digest) - - assert_equal(OpenSSL::HMAC.digest(@digest.new, @key, @data), @h1.digest, "digest") - assert_equal(OpenSSL::HMAC.hexdigest(@digest.new, @key, @data), @h1.hexdigest, "hexdigest") - - assert_equal(OpenSSL::HMAC.digest("MD5", @key, @data), @h2.digest, "digest") - assert_equal(OpenSSL::HMAC.hexdigest("MD5", @key, @data), @h2.hexdigest, "hexdigest") + # RFC 2202 2. Test Cases for HMAC-MD5 + hmac = OpenSSL::HMAC.new(["0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"].pack("H*"), "MD5") + hmac.update("Hi There") + assert_equal ["9294727a3638bb1c13f48ef8158bfc9d"].pack("H*"), hmac.digest + assert_equal "9294727a3638bb1c13f48ef8158bfc9d", hmac.hexdigest + + # RFC 4231 4.2. Test Case 1 + hmac = OpenSSL::HMAC.new(["0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"].pack("H*"), "SHA224") + hmac.update("Hi There") + assert_equal ["896fb1128abbdf196832107cd49df33f47b4b1169912ba4f53684b22"].pack("H*"), hmac.digest + assert_equal "896fb1128abbdf196832107cd49df33f47b4b1169912ba4f53684b22", hmac.hexdigest end def test_dup - @h1.update(@data) - h = @h1.dup - assert_equal(@h1.digest, h.digest, "dup digest") + h1 = OpenSSL::HMAC.new("KEY", "MD5") + h1.update("DATA") + h = h1.dup + assert_equal(h1.digest, h.digest, "dup digest") end def test_binary_update @@ -38,9 +31,10 @@ class OpenSSL::TestHMAC < OpenSSL::TestCase end def test_reset_keep_key - first = @h1.update("test").hexdigest - @h2.reset - second = @h2.update("test").hexdigest + h1 = OpenSSL::HMAC.new("KEY", "MD5") + first = h1.update("test").hexdigest + h1.reset + second = h1.update("test").hexdigest assert_equal first, second end end if defined?(OpenSSL::TestUtils) diff --git a/test/openssl/test_ocsp.rb b/test/openssl/test_ocsp.rb index a69fd60fda..82d83d56f4 100644 --- a/test/openssl/test_ocsp.rb +++ b/test/openssl/test_ocsp.rb @@ -5,9 +5,6 @@ if defined?(OpenSSL::TestUtils) class OpenSSL::TestOCSP < OpenSSL::TestCase def setup - now = Time.at(Time.now.to_i) # suppress usec - dgst = OpenSSL::Digest::SHA1.new - # @ca_cert # | # @cert @@ -21,7 +18,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase ["keyUsage", "cRLSign,keyCertSign", true], ] @ca_cert = OpenSSL::TestUtils.issue_cert( - ca_subj, @ca_key, 1, now, now+3600, ca_exts, nil, nil, dgst) + ca_subj, @ca_key, 1, ca_exts, nil, nil) cert_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA2") @cert_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 @@ -30,14 +27,14 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase ["keyUsage", "cRLSign,keyCertSign", true], ] @cert = OpenSSL::TestUtils.issue_cert( - cert_subj, @cert_key, 5, now, now+3600, cert_exts, @ca_cert, @ca_key, dgst) + cert_subj, @cert_key, 5, cert_exts, @ca_cert, @ca_key) cert2_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert") @cert2_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 cert2_exts = [ ] @cert2 = OpenSSL::TestUtils.issue_cert( - cert2_subj, @cert2_key, 10, now, now+3600, cert2_exts, @cert, @cert_key, dgst) + cert2_subj, @cert2_key, 10, cert2_exts, @cert, @cert_key) ocsp_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCAOCSP") @ocsp_key = OpenSSL::TestUtils::TEST_KEY_RSA2048 @@ -45,7 +42,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase ["extendedKeyUsage", "OCSPSigning", true], ] @ocsp_cert = OpenSSL::TestUtils.issue_cert( - ocsp_subj, @ocsp_key, 100, now, now+3600, ocsp_exts, @cert, @cert_key, "SHA256") + ocsp_subj, @ocsp_key, 100, ocsp_exts, @cert, @cert_key) end def test_new_certificate_id diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb index 721e8e370e..ad65327da0 100644 --- a/test/openssl/test_pair.rb +++ b/test/openssl/test_pair.rb @@ -259,18 +259,12 @@ module OpenSSL::TestPairM def test_write_nonblock_no_exceptions ssl_pair {|s1, s2| n = 0 - begin - n += write_nonblock_no_ex s1, "a" * 100000 - n += write_nonblock_no_ex s1, "b" * 100000 - n += write_nonblock_no_ex s1, "c" * 100000 - n += write_nonblock_no_ex s1, "d" * 100000 - n += write_nonblock_no_ex s1, "e" * 100000 - n += write_nonblock_no_ex s1, "f" * 100000 - rescue OpenSSL::SSL::SSLError => e - # on some platforms (maybe depend on OpenSSL version), writing to - # SSLSocket after SSL_ERROR_WANT_WRITE causes this error. - raise e if n == 0 - end + n += write_nonblock_no_ex s1, "a" * 100000 + n += write_nonblock_no_ex s1, "b" * 100000 + n += write_nonblock_no_ex s1, "c" * 100000 + n += write_nonblock_no_ex s1, "d" * 100000 + n += write_nonblock_no_ex s1, "e" * 100000 + n += write_nonblock_no_ex s1, "f" * 100000 s1.close assert_equal(n, s2.read.length) } diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb index 4f2544dfee..8c9147a91e 100644 --- a/test/openssl/test_pkcs12.rb +++ b/test/openssl/test_pkcs12.rb @@ -9,17 +9,13 @@ module OpenSSL def setup ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") - - now = Time.now ca_exts = [ ["basicConstraints","CA:TRUE",true], ["keyUsage","keyCertSign, cRLSign",true], ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","keyid:always",false], ] - - @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, now, now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) + @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, ca_exts, nil, nil) inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA") inter_ca_key = OpenSSL::PKey.read <<-_EOS_ @@ -39,17 +35,14 @@ FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3 Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= -----END RSA PRIVATE KEY----- _EOS_ - - @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, now, now+3600, ca_exts, - @cacert, TEST_KEY_RSA2048, OpenSSL::Digest::SHA1.new) + @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, TEST_KEY_RSA2048) exts = [ ["keyUsage","digitalSignature",true], ["subjectKeyIdentifier","hash",false], ] ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate") - @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, now, now+3600, exts, - @inter_cacert, inter_ca_key, OpenSSL::Digest::SHA1.new) + @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, exts, @inter_cacert, inter_ca_key) end def test_create diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb index def4910ccd..b7b7520220 100644 --- a/test/openssl/test_pkcs7.rb +++ b/test/openssl/test_pkcs7.rb @@ -11,24 +11,20 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2") - now = Time.now ca_exts = [ ["basicConstraints","CA:TRUE",true], ["keyUsage","keyCertSign, cRLSign",true], ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","keyid:always",false], ] - @ca_cert = issue_cert(ca, @rsa2048, 1, now, now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) + @ca_cert = issue_cert(ca, @rsa2048, 1, ca_exts, nil, nil) ee_exts = [ ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true], ["authorityKeyIdentifier","keyid:always",false], ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false], ] - @ee1_cert = issue_cert(ee1, @rsa1024, 2, now, now+1800, ee_exts, - @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) - @ee2_cert = issue_cert(ee2, @rsa1024, 3, now, now+1800, ee_exts, - @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) + @ee1_cert = issue_cert(ee1, @rsa1024, 2, ee_exts, @ca_cert, @rsa2048) + @ee2_cert = issue_cert(ee2, @rsa1024, 3, ee_exts, @ca_cert, @rsa2048) end def issue_cert(*args) diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb index d0ba8ec0f0..a4ccd1d8f9 100644 --- a/test/openssl/test_pkey_dsa.rb +++ b/test/openssl/test_pkey_dsa.rb @@ -36,6 +36,26 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase end end + def test_sign_verify + data = "Sign me!" + if defined?(OpenSSL::Digest::DSS1) + signature = DSA512.sign(OpenSSL::Digest::DSS1.new, data) + assert_equal true, DSA512.verify(OpenSSL::Digest::DSS1.new, signature, data) + end + + return if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x010000000 + signature = DSA512.sign("SHA1", data) + assert_equal true, DSA512.verify("SHA1", signature, data) + + signature0 = (<<~'end;').unpack("m")[0] + MCwCFH5h40plgU5Fh0Z4wvEEpz0eE9SnAhRPbkRB8ggsN/vsSEYMXvJwjGg/ + 6g== + end; + assert_equal true, DSA512.verify("SHA256", signature0, data) + signature1 = signature0.succ + assert_equal false, DSA512.verify("SHA256", signature1, data) + end + def test_sys_sign_verify key = OpenSSL::TestUtils::TEST_KEY_DSA256 data = 'Sign me!' diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb index 53aa5a10f6..e281f80ca2 100644 --- a/test/openssl/test_pkey_ec.rb +++ b/test/openssl/test_pkey_ec.rb @@ -73,6 +73,20 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase assert_raise(OpenSSL::PKey::ECError) { key2.check_key } end + def test_sign_verify + data = "Sign me!" + signature = P256.sign("SHA1", data) + assert_equal true, P256.verify("SHA1", signature, data) + + signature0 = (<<~'end;').unpack("m")[0] + MEQCIEOTY/hD7eI8a0qlzxkIt8LLZ8uwiaSfVbjX2dPAvN11AiAQdCYx56Fq + QdBp1B4sxJoA8jvODMMklMyBKVmudboA6A== + end; + assert_equal true, P256.verify("SHA256", signature0, data) + signature1 = signature0.succ + assert_equal false, P256.verify("SHA256", signature1, data) + end + def test_dsa_sign_verify data1 = "foo" data2 = "bar" @@ -244,6 +258,10 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase raise end + assert_equal 0x040603.to_bn, point.to_bn(:uncompressed) + assert_equal 0x0306.to_bn, point.to_bn(:compressed) + assert_equal 0x070603.to_bn, point.to_bn(:hybrid) + assert_equal 0x040603.to_bn, point.to_bn assert_equal true, point.on_curve? point.invert! # 8.5 diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb index e211faa63b..b24f1d5509 100644 --- a/test/openssl/test_pkey_rsa.rb +++ b/test/openssl/test_pkey_rsa.rb @@ -70,6 +70,21 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase end end + def test_sign_verify + data = "Sign me!" + signature = RSA1024.sign("SHA1", data) + assert_equal true, RSA1024.verify("SHA1", signature, data) + + signature0 = (<<~'end;').unpack("m")[0] + oLCgbprPvfhM4pjFQiDTFeWI9Sk+Og7Nh9TmIZ/xSxf2CGXQrptlwo7NQ28+ + WA6YQo8jPH4hSuyWIM4Gz4qRYiYRkl5TDMUYob94zm8Si1HxEiS9354tzvqS + zS8MLW2BtNPuTubMxTItHGTnOzo9sUg0LAHVFt8kHG2NfKAw/gQ= + end; + assert_equal true, RSA1024.verify("SHA256", signature0, data) + signature1 = signature0.succ + assert_equal false, RSA1024.verify("SHA256", signature1, data) + end + def test_digest_state_irrelevant_sign key = RSA1024 digest1 = OpenSSL::Digest::SHA1.new @@ -93,6 +108,13 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase assert(key.verify(digest2, sig, data)) end + def test_verify_empty_rsa + rsa = OpenSSL::PKey::RSA.new + assert_raise(OpenSSL::PKey::PKeyError, "[Bug #12783]") { + rsa.verify("SHA1", "a", "b") + } + end + def test_RSAPrivateKey asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Integer(0), diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 8b4c090b5c..8d74f25f5f 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -394,14 +394,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } } - now = Time.now exts = [ ["keyUsage","keyEncipherment,digitalSignature",true], ["subjectAltName","DNS:localhost.localdomain",false], ["subjectAltName","IP:127.0.0.1",false], ] - @svr_cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts, - @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) + @svr_cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key) start_server { |server, port| server_connect(port) { |ssl| assert(ssl.post_connection_check("localhost.localdomain")) @@ -417,13 +415,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } } - now = Time.now exts = [ ["keyUsage","keyEncipherment,digitalSignature",true], ["subjectAltName","DNS:*.localdomain",false], ] - @svr_cert = issue_cert(@svr, @svr_key, 5, now, now+1800, exts, - @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) + @svr_cert = issue_cert(@svr, @svr_key, 5, exts, @ca_cert, @ca_key) start_server { |server, port| server_connect(port) { |ssl| assert(ssl.post_connection_check("localhost.localdomain")) @@ -656,7 +652,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) ssl.hostname = "foo.example.com" ssl.connect - assert_match /^ADH-/, ssl.cipher[0], "the context returned by servername_cb is used" + assert_match (/^ADH-/), ssl.cipher[0], "the context returned by servername_cb is used" assert_predicate ctx3, :frozen? ensure sock.close @@ -667,7 +663,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) ssl.hostname = "bar.example.com" ssl.connect - assert_not_match /^A(EC)?DH-/, ssl.cipher[0], "the original context is used" + assert_not_match (/^A(EC)?DH-/), ssl.cipher[0], "the original context is used" ensure sock.close end @@ -711,14 +707,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase def test_verify_hostname_on_connect ctx_proc = proc { |ctx| - now = Time.now exts = [ ["keyUsage", "keyEncipherment,digitalSignature", true], ["subjectAltName", "DNS:a.example.com,DNS:*.b.example.com," \ "DNS:c*.example.com,DNS:d.*.example.com"], ] - ctx.cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts, - @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) + ctx.cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key) ctx.key = @svr_key } @@ -1252,6 +1246,18 @@ end sock2.close end + def test_freeze_calls_setup + bug = "[ruby/openssl#85]" + start_server(ignore_listener_error: true) { |server, port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER + ctx.freeze + assert_raise(OpenSSL::SSL::SSLError, bug) { + server_connect(port, ctx) + } + } + end + private def start_server_version(version, ctx_proc = nil, diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb index 269d017298..fb757c44ec 100644 --- a/test/openssl/test_x509cert.rb +++ b/test/openssl/test_x509cert.rb @@ -11,7 +11,6 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512 @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") - @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2") end def issue_cert(*args) @@ -20,8 +19,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase def test_serial [1, 2**32, 2**100].each{|s| - cert = issue_cert(@ca, @rsa2048, s, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, s, [], nil, nil) assert_equal(s, cert.serial) cert = OpenSSL::X509::Certificate.new(cert.to_der) assert_equal(s, cert.serial) @@ -41,8 +39,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase [ [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dsa_digest], [@dsa512, dsa_digest] ].each{|pk, digest| - cert = issue_cert(@ca, pk, 1, Time.now, Time.now+3600, exts, - nil, nil, digest) + cert = issue_cert(@ca, pk, 1, exts, nil, nil, digest: digest) assert_equal(cert.extensions.sort_by(&:to_s)[2].value, OpenSSL::TestUtils.get_subject_key_id(cert)) cert = OpenSSL::X509::Certificate.new(cert.to_der) @@ -52,27 +49,27 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase end def test_validity - now = Time.now until now && now.usec != 0 - cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) - assert_not_equal(now, cert.not_before) - assert_not_equal(now+3600, cert.not_after) + now = Time.at(Time.now.to_i + 0.9) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + not_before: now, not_after: now+3600) + assert_equal(Time.at(now.to_i), cert.not_before) + assert_equal(Time.at(now.to_i+3600), cert.not_after) now = Time.at(now.to_i) - cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + not_before: now, not_after: now+3600) assert_equal(now.getutc, cert.not_before) assert_equal((now+3600).getutc, cert.not_after) now = Time.at(0) - cert = issue_cert(@ca, @rsa2048, 1, now, now, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + not_before: now, not_after: now) assert_equal(now.getutc, cert.not_before) assert_equal(now.getutc, cert.not_after) now = Time.at(0x7fffffff) - cert = issue_cert(@ca, @rsa2048, 1, now, now, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + not_before: now, not_after: now) assert_equal(now.getutc, cert.not_before) assert_equal(now.getutc, cert.not_after) end @@ -84,8 +81,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","keyid:always",false], ] - ca_cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) + ca_cert = issue_cert(@ca, @rsa2048, 1, ca_exts, nil, nil) ca_cert.extensions.each_with_index{|ext, i| assert_equal(ca_exts[i].first, ext.oid) assert_equal(ca_exts[i].last, ext.critical?) @@ -98,34 +94,16 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false], ["subjectAltName","email:ee1@ruby-lang.org",false], ] - ee1_cert = issue_cert(@ee1, @rsa1024, 2, Time.now, Time.now+1800, ee1_exts, - ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) + ee1_cert = issue_cert(@ee1, @rsa1024, 2, ee1_exts, ca_cert, @rsa2048) assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der) ee1_cert.extensions.each_with_index{|ext, i| assert_equal(ee1_exts[i].first, ext.oid) assert_equal(ee1_exts[i].last, ext.critical?) } - - ee2_exts = [ - ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true], - ["subjectKeyIdentifier","hash",false], - ["authorityKeyIdentifier","issuer:always",false], - ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false], - ["subjectAltName","email:ee2@ruby-lang.org",false], - ] - ee2_cert = issue_cert(@ee2, @rsa1024, 3, Time.now, Time.now+1800, ee2_exts, - ca_cert, @rsa2048, OpenSSL::Digest::MD5.new) - assert_equal(ca_cert.subject.to_der, ee2_cert.issuer.to_der) - ee2_cert.extensions.each_with_index{|ext, i| - assert_equal(ee2_exts[i].first, ext.oid) - assert_equal(ee2_exts[i].last, ext.critical?) - } - end def test_sign_and_verify_rsa_sha1 - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: "sha1") assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) }) @@ -135,8 +113,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase end def test_sign_and_verify_rsa_md5 - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::MD5.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: "md5") assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) @@ -148,8 +125,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase end def test_sign_and_verify_dsa - cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) + cert = issue_cert(@ca, @dsa512, 1, [], nil, nil) assert_equal(false, certificate_error_returns_false { cert.verify(@rsa1024) }) assert_equal(false, certificate_error_returns_false { cert.verify(@rsa2048) }) assert_equal(false, cert.verify(@dsa256)) @@ -159,8 +135,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase end def test_sign_and_verify_rsa_dss1 - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::DSS1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest::DSS1.new) assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) }) @@ -172,27 +147,19 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase def test_sign_and_verify_dsa_md5 assert_raise(OpenSSL::X509::CertificateError){ - issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::MD5.new) + issue_cert(@ca, @dsa512, 1, [], nil, nil, digest: "md5") } end def test_dsig_algorithm_mismatch assert_raise(OpenSSL::X509::CertificateError) do - issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::DSS1.new) + issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest::DSS1.new) end if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10001000 # [ruby-core:42949] - - assert_raise(OpenSSL::X509::CertificateError) do - issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::MD5.new) - end end def test_dsa_with_sha2 begin - cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA256.new) + cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256") assert_equal("dsa_with_SHA256", cert.signature_algorithm) rescue OpenSSL::X509::CertificateError # dsa_with_sha2 not supported. skip following test. @@ -201,14 +168,12 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase # TODO: need more tests for dsa + sha2 # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1) - cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha1") assert_equal("dsaWithSHA1", cert.signature_algorithm) end if defined?(OpenSSL::Digest::SHA256) def test_check_private_key - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) assert_equal(true, cert.check_private_key(@rsa2048)) end diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb index cd1ccc98ab..f61de97163 100644 --- a/test/openssl/test_x509crl.rb +++ b/test/openssl/test_x509crl.rb @@ -25,8 +25,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase def test_basic now = Time.at(Time.now.to_i) - cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) crl = issue_crl([], 1, now, now+1600, [], cert, @rsa2048, OpenSSL::Digest::SHA1.new) assert_equal(1, crl.version) @@ -63,8 +62,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase [4, now, 4], [5, now, 5], ] - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [], cert, @rsa2048, OpenSSL::Digest::SHA1.new) revoked = crl.revoked @@ -131,8 +129,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase ["issuerAltName", "issuer:copy", false], ] - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, cert_exts, - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, cert_exts, nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts, cert, @rsa2048, OpenSSL::Digest::SHA1.new) exts = crl.extensions @@ -168,8 +165,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase end def test_crlnumber - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @rsa2048, OpenSSL::Digest::SHA1.new) assert_match(1.to_s, crl.extensions[0].value) @@ -187,8 +183,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase end def test_sign_and_verify - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @rsa2048, OpenSSL::Digest::SHA1.new) assert_equal(false, crl.verify(@rsa1024)) @@ -198,8 +193,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase crl.version = 0 assert_equal(false, crl.verify(@rsa2048)) - cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) + cert = issue_cert(@ca, @dsa512, 1, [], nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) }) diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb index 250f1d0949..78da4df140 100644 --- a/test/openssl/test_x509name.rb +++ b/test/openssl/test_x509name.rb @@ -345,13 +345,13 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase def test_hash dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org" name = OpenSSL::X509::Name.parse(dn) - d = Digest::MD5.digest(name.to_der) + d = OpenSSL::Digest::MD5.digest(name.to_der) expected = (d[0].ord & 0xff) | (d[1].ord & 0xff) << 8 | (d[2].ord & 0xff) << 16 | (d[3].ord & 0xff) << 24 assert_equal(expected, name_hash(name)) # dn = "/DC=org/DC=ruby-lang/CN=baz.ruby-lang.org" name = OpenSSL::X509::Name.parse(dn) - d = Digest::MD5.digest(name.to_der) + d = OpenSSL::Digest::MD5.digest(name.to_der) expected = (d[0].ord & 0xff) | (d[1].ord & 0xff) << 8 | (d[2].ord & 0xff) << 16 | (d[3].ord & 0xff) << 24 assert_equal(expected, name_hash(name)) end diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb index e0fa07ac16..6ca80c86bb 100644 --- a/test/openssl/test_x509store.rb +++ b/test/openssl/test_x509store.rb @@ -34,7 +34,9 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase end def test_verify - now = Time.at(Time.now.to_i) + # OpenSSL uses time(2) while Time.now uses clock_gettime(CLOCK_REALTIME), + # and there may be difference. + now = Time.now - 3 ca_exts = [ ["basicConstraints","CA:TRUE",true], ["keyUsage","cRLSign,keyCertSign",true], @@ -42,18 +44,15 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase ee_exts = [ ["keyUsage","keyEncipherment,digitalSignature",true], ] - ca1_cert = issue_cert(@ca1, @rsa2048, 1, now, now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) - ca2_cert = issue_cert(@ca2, @rsa1024, 2, now, now+1800, ca_exts, - ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new) - ee1_cert = issue_cert(@ee1, @dsa256, 10, now, now+1800, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) - ee2_cert = issue_cert(@ee2, @dsa512, 20, now, now+1800, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) - ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) - ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) + ca1_cert = issue_cert(@ca1, @rsa2048, 1, ca_exts, nil, nil) + ca2_cert = issue_cert(@ca2, @rsa1024, 2, ca_exts, ca1_cert, @rsa2048, + not_after: now+1800) + ee1_cert = issue_cert(@ee1, @dsa256, 10, ee_exts, ca2_cert, @rsa1024) + ee2_cert = issue_cert(@ee2, @dsa512, 20, ee_exts, ca2_cert, @rsa1024) + ee3_cert = issue_cert(@ee2, @dsa512, 30, ee_exts, ca2_cert, @rsa1024, + not_before: now-100, not_after: now-1) + ee4_cert = issue_cert(@ee2, @dsa512, 40, ee_exts, ca2_cert, @rsa1024, + not_before: now+1000, not_after: now+2000,) revoke_info = [] crl1 = issue_crl(revoke_info, 1, now, now+1800, [], @@ -195,8 +194,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase def test_set_errors now = Time.now - ca1_cert = issue_cert(@ca1, @rsa2048, 1, now, now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + ca1_cert = issue_cert(@ca1, @rsa2048, 1, [], nil, nil) store = OpenSSL::X509::Store.new store.add_cert(ca1_cert) assert_raise(OpenSSL::X509::StoreError){ diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index 6f3a3c6d1c..43ecd79eca 100644 --- a/test/openssl/utils.rb +++ b/test/openssl/utils.rb @@ -10,7 +10,6 @@ rescue LoadError end require "test/unit" -require "digest/md5" require 'tempfile' require "rbconfig" require "socket" @@ -131,8 +130,8 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC module_function - def issue_cert(dn, key, serial, not_before, not_after, extensions, - issuer, issuer_key, digest) + def issue_cert(dn, key, serial, extensions, issuer, issuer_key, + not_before: nil, not_after: nil, digest: nil) cert = OpenSSL::X509::Certificate.new issuer = cert unless issuer issuer_key = key unless issuer_key @@ -141,14 +140,16 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC cert.subject = dn cert.issuer = issuer.subject cert.public_key = key.public_key - cert.not_before = not_before - cert.not_after = not_after + now = Time.now + cert.not_before = not_before || now - 3600 + cert.not_after = not_after || now + 3600 ef = OpenSSL::X509::ExtensionFactory.new ef.subject_certificate = cert ef.issuer_certificate = issuer extensions.each{|oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) } + digest ||= OpenSSL::PKey::DSA === issuer_key ? DSA_SIGNATURE_DIGEST.new : "sha256" cert.sign(issuer_key, digest) cert end @@ -217,7 +218,6 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost") @cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost") - now = Time.at(Time.now.to_i) ca_exts = [ ["basicConstraints","CA:TRUE",true], ["keyUsage","cRLSign,keyCertSign",true], @@ -225,9 +225,9 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC ee_exts = [ ["keyUsage","keyEncipherment,digitalSignature",true], ] - @ca_cert = issue_cert(@ca, @ca_key, 1, now, now+3600, ca_exts, nil, nil, OpenSSL::Digest::SHA1.new) - @svr_cert = issue_cert(@svr, @svr_key, 2, now, now+1800, ee_exts, @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) - @cli_cert = issue_cert(@cli, @cli_key, 3, now, now+1800, ee_exts, @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) + @ca_cert = issue_cert(@ca, @ca_key, 1, ca_exts, nil, nil) + @svr_cert = issue_cert(@svr, @svr_key, 2, ee_exts, @ca_cert, @ca_key) + @cli_cert = issue_cert(@cli, @cli_key, 3, ee_exts, @ca_cert, @ca_key) @server = nil end -- cgit v1.2.3