File ruby-1.8.x_openssl-1.0-tests.patch of Package ruby
Index: test/openssl/test_x509store.rb =================================================================== --- test/openssl/test_x509store.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/test_x509store.rb (.../ruby_1_8/test/openssl) (revision 27451) @@ -4,6 +4,7 @@ rescue LoadError end require "test/unit" +require "tempfile" if defined?(OpenSSL) @@ -198,7 +199,7 @@ nil, nil, OpenSSL::Digest::SHA1.new) store = OpenSSL::X509::Store.new store.add_cert(ca1_cert) - assert_raises(OpenSSL::X509::StoreError){ + assert_raise(OpenSSL::X509::StoreError){ store.add_cert(ca1_cert) # add same certificate twice } 
@@ -209,10 +210,37 @@ crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [], ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new) store.add_crl(crl1) - assert_raises(OpenSSL::X509::StoreError){ + assert_raise(OpenSSL::X509::StoreError){ store.add_crl(crl2) # add CRL issued by same CA twice. } end + + def test_add_file + ca1_cert = <<END +-----BEGIN CERTIFICATE----- +MIIBzzCCATigAwIBAgIBATANBgkqhkiG9w0BAQUFADANMQswCQYDVQQDDAJjYTAe +Fw0wOTA1MjIxMDE5MjNaFw0xNDA1MjExMDE5MjNaMA0xCzAJBgNVBAMMAmNhMIGf +MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcTL520vsbXHXPfkHKrcgWbk2zVf0y +oK7bPg06kjCghs8KYsi9b/tT9KpkpejD0KucDBSmDILD3PvIWrNFcBRWf6ZC5vA5 +YuF6ueATuFhsXjUFuNLqyPcIX+XrOQmXgjiyO9nc5vzQwWRRhdyyT8DgCRUD/yHW +pjD2ZEGIAVLY/wIDAQABoz8wPTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQf +923P/SgiCcbiN20bbmuFM6SLxzALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD +gYEAE0CpCo8MxhfUNWMHF5GsGEG2+1LdE+aUX7gSb6d4vn1WjusrM2FoOFTomt32 +YPqJwMEbcqILq2v9Kkao4QNJRlK+z1xpRDnt1iBrHdXrYJFvYnfMqv3z7XAFPfQZ +yMP+P2sR0jPzy4UNZfDIMmMUqQdhkz7onKWOGjXwLEtkCMs= +-----END CERTIFICATE----- +END + + f = Tempfile.new("ca1_cert") + f << ca1_cert + f.close + + store = OpenSSL::X509::Store.new + store.add_file(f.path) + assert_equal(true, store.verify(OpenSSL::X509::Certificate.new(ca1_cert))) + f.unlink + end + end end Index: test/openssl/test_x509cert.rb =================================================================== --- test/openssl/test_x509cert.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/test_x509cert.rb (.../ruby_1_8/test/openssl) (revision 27451) @@ -28,7 +28,7 @@ def test_serial [1, 2**32, 2**100].each{|s| cert = issue_cert(@ca, @rsa2048, s, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + nil, nil, OpenSSL::Digest::SHA1.new) assert_equal(s, cert.serial) cert = OpenSSL::X509::Certificate.new(cert.to_der) assert_equal(s, cert.serial) 
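Review bot: test_add_file verifies against a hard-coded CA certificate whose validity window is 2009-05-22 to 2014-05-21 (the `Fw0w...`/`Fw0x...` UTCTime fields in the embedded PEM), and `store.verify` checks the validity period by default, so this test starts failing once that date has passed and nothing in it says why. Either build the CA at test time with the existing `issue_cert` helper and write its `to_pem` into the Tempfile, or pin the verification time inside the window, e.g. `store.time = Time.utc(2010, 1, 1)` if Store#time= is available on this branch. `f.unlink` should also move into an `ensure` so a failing assertion does not leave the temp file behind.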
@@ -60,25 +60,25 @@ def test_validity now = Time.now until now && now.usec != 0 cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + nil, nil, OpenSSL::Digest::SHA1.new) assert_not_equal(now, cert.not_before) assert_not_equal(now+3600, cert.not_after) now = Time.at(now.to_i) cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + nil, nil, OpenSSL::Digest::SHA1.new) assert_equal(now.getutc, cert.not_before) assert_equal((now+3600).getutc, cert.not_after) now = Time.at(0) cert = issue_cert(@ca, @rsa2048, 1, now, now, [], - nil, nil, OpenSSL::Digest::SHA1.new) + nil, nil, OpenSSL::Digest::SHA1.new) assert_equal(now.getutc, cert.not_before) assert_equal(now.getutc, cert.not_after) now = Time.at(0x7fffffff) cert = issue_cert(@ca, @rsa2048, 1, now, now, [], - nil, nil, OpenSSL::Digest::SHA1.new) + nil, nil, OpenSSL::Digest::SHA1.new) assert_equal(now.getutc, cert.not_before) assert_equal(now.getutc, cert.not_after) end @@ -91,7 +91,7 @@ ["authorityKeyIdentifier","keyid:always",false], ] ca_cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) + nil, nil, OpenSSL::Digest::SHA1.new) ca_cert.extensions.each_with_index{|ext, i| assert_equal(ca_exts[i].first, ext.oid) assert_equal(ca_exts[i].last, ext.critical?) @@ -105,7 +105,7 @@ ["subjectAltName","email:ee1@ruby-lang.org",false], ] ee1_cert = issue_cert(@ee1, @rsa1024, 2, Time.now, Time.now+1800, ee1_exts, - ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) + ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der) ee1_cert.extensions.each_with_index{|ext, i| assert_equal(ee1_exts[i].first, ext.oid) 
@@ -120,7 +120,7 @@ ["subjectAltName","email:ee2@ruby-lang.org",false], ] ee2_cert = issue_cert(@ee2, @rsa1024, 3, Time.now, Time.now+1800, ee2_exts, - ca_cert, @rsa2048, OpenSSL::Digest::MD5.new) + ca_cert, @rsa2048, OpenSSL::Digest::MD5.new) assert_equal(ca_cert.subject.to_der, ee2_cert.issuer.to_der) ee2_cert.extensions.each_with_index{|ext, i| assert_equal(ee2_exts[i].first, ext.oid) 
@@ -129,47 +129,137 @@ end + def test_sign_and_verify_wrong_key_type + cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::SHA1.new) + cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::DSS1.new) + begin + assert_equal(false, cert_rsa.verify(@dsa256)) + rescue OpenSSL::X509::CertificateError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + + begin + assert_equal(false, cert_dsa.verify(@rsa1024)) + rescue OpenSSL::X509::CertificateError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + end + def test_sign_and_verify cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + nil, nil, OpenSSL::Digest::SHA1.new) assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) - assert_equal(false, cert.verify(@dsa256)) - assert_equal(false, cert.verify(@dsa512)) cert.serial = 2 assert_equal(false, cert.verify(@rsa2048)) cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::MD5.new) + nil, nil, OpenSSL::Digest::MD5.new) assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) - assert_equal(false, cert.verify(@dsa256)) - assert_equal(false, cert.verify(@dsa512)) cert.subject = @ee1 assert_equal(false, cert.verify(@rsa2048)) cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::DSS1.new) - assert_equal(false, cert.verify(@rsa1024)) - assert_equal(false, cert.verify(@rsa2048)) + nil, nil, OpenSSL::Digest::DSS1.new) assert_equal(false, cert.verify(@dsa256)) assert_equal(true, cert.verify(@dsa512)) - cert.not_after = Time.now + cert.not_after = Time.now assert_equal(false, cert.verify(@dsa512)) + end - assert_raises(OpenSSL::X509::CertificateError){ + def test_dsig_algorithm_mismatch + 
assert_raise(OpenSSL::X509::CertificateError) do cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::DSS1.new) - } - assert_raises(OpenSSL::X509::CertificateError){ + nil, nil, OpenSSL::Digest::DSS1.new) + end + assert_raise(OpenSSL::X509::CertificateError) do cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::MD5.new) - } - assert_raises(OpenSSL::X509::CertificateError){ - cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) - } + nil, nil, OpenSSL::Digest::MD5.new) + end end + + def test_dsa_with_sha2 + begin + cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::SHA256.new) + assert_equal("dsa_with_SHA256", cert.signature_algorithm) + rescue OpenSSL::X509::CertificateError + # dsa_with_sha2 not supported. skip following test. + return + end + # TODO: need more tests for dsa + sha2 + + # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requireds DSS1) + cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::SHA1.new) + assert_equal("dsaWithSHA1", cert.signature_algorithm) + end + + def test_check_private_key + cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::SHA1.new) + assert_equal(true, cert.check_private_key(@rsa2048)) + end + + def test_to_text + cert_pem = <<END +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgIBATANBgkqhkiG9w0BAQQFADA9MRMwEQYKCZImiZPyLGQB +GRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVieS1sYW5nMQswCQYDVQQDDAJDQTAe +Fw0wOTA1MjMxNTAzNDNaFw0wOTA1MjMxNjAzNDNaMD0xEzARBgoJkiaJk/IsZAEZ +FgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5LWxhbmcxCzAJBgNVBAMMAkNBMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuV9ht9J7k4NBs38jOXvvTKY9 +gW8nLICSno5EETR1cuF7i4pNs9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enen +fzq/t/e/1IRW0wkJUJUFQign4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWm +qbjs07JbuS4QQGGXLc+Su96DkYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v6 
+8JkRFIhdGlb6JL8fllf/A/blNwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX +9KZYcU00mOX+fdxOSnGqS/8JDRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wID +AQABMA0GCSqGSIb3DQEBBAUAA4IBAQB8UTw1agA9wdXxHMUACduYu6oNL7pdF0dr +w7a4QPJyj62h4+Umxvp13q0PBw0E+mSjhXMcqUhDLjrmMcvvNGhuh5Sdjbe3GI/M +3lCC9OwYYIzzul7omvGC3JEIGfzzdNnPPCPKEWp5X9f0MKLMR79qOf+sjHTjN2BY +SY3YGsEFxyTXDdqrlaYaOtTAdi/C+g1WxR8fkPLefymVwIFwvyc9/bnp7iBn7Hcw +mbxtLPbtQ9mURT0GHewZRTGJ1aiTq9Ag3xXME2FPF04eFRd3mclOQZNXKQ+LDxYf +k0X5FeZvsWf4srFxoVxlcDdJtHh91ZRpDDJYGQlsUm9CPTnO+e4E +-----END CERTIFICATE----- +END + + cert = OpenSSL::X509::Certificate.new(cert_pem) + + cert_text = <<END + [0] Version: 3 + SerialNumber: 1 + IssuerDN: DC=org,DC=ruby-lang,CN=CA + Start Date: Sat May 23 17:03:43 CEST 2009 + Final Date: Sat May 23 18:03:43 CEST 2009 + SubjectDN: DC=org,DC=ruby-lang,CN=CA + Public Key: RSA Public Key + modulus: 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 + public exponent: 10001 + + Signature Algorithm: MD5withRSA + Signature: 7c513c356a003dc1d5f11cc50009db98bbaa0d2f + ba5d17476bc3b6b840f2728fada1e3e526c6fa75 + dead0f070d04fa64a385731ca948432e3ae631cb + ef34686e87949d8db7b7188fccde5082f4ec1860 + 8cf3ba5ee89af182dc910819fcf374d9cf3c23ca + 116a795fd7f430a2cc47bf6a39ffac8c74e33760 + 58498dd81ac105c724d70ddaab95a61a3ad4c076 + 2fc2fa0d56c51f1f90f2de7f2995c08170bf273d + fdb9e9ee2067ec773099bc6d2cf6ed43d994453d + 061dec19453189d5a893abd020df15cc13614f17 + 4e1e15177799c94e419357290f8b0f161f9345f9 + 15e66fb167f8b2b171a15c65703749b4787dd594 + 690c325819096c526f423d39cef9ee04 +END + assert_not_nil(cert.to_text) + # This is commented out because it doesn't take timezone into consideration; FIXME + #assert_equal(cert_text, cert.to_text) + end end end Index: test/openssl/test_x509ext.rb =================================================================== --- test/openssl/test_x509ext.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/test_x509ext.rb (.../ruby_1_8/test/openssl) (revision 27451) 
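Review bot: the disabled assertion in test_to_text will not come back by fixing the timezone alone: the expected text (`[0] Version: 3`, `IssuerDN: DC=org,...`, `Signature Algorithm: MD5withRSA`) looks like BouncyCastle/JRuby formatting, whereas MRI's `Certificate#to_text` goes through OpenSSL's X509_print and emits `Certificate:`/`Data:`/`Version: 3 (0x2)` style output, so the FIXME comment is misleading. Replace the dead block with timezone-independent checks on fields OpenSSL does print, e.g. `assert_match(/Serial Number: 1/, cert.to_text)` and `assert_match(/md5WithRSAEncryption/, cert.to_text)`, and drop the unused `cert_text` heredoc. In the same hunk test_dsa_with_sha2 silently returns green when `issue_cert` raises CertificateError; at least write a note to $stderr so an unsupported build is visible in the run rather than counted as a pass.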
@@ -69,6 +69,27 @@ %r{URI:ldap://ldap.example.com/cn=ca\?certificateRevocationList;binary}, cdp.value) end + + # JRUBY-3888 + # Problems with subjectKeyIdentifier with non 20-bytes sha1 digested keys + def test_certificate_with_rare_extension + cert_file = File.expand_path('max.pem', File.dirname(__FILE__)) + cer = OpenSSL::X509::Certificate.new(File.read(cert_file)) + exts = Hash.new + cer.extensions.each{|ext| exts[ext.oid] = ext.value} + + assert exts["subjectKeyIdentifier"] == "4C:B9:E1:DC:7A:AC:35:CF" + end + + def test_extension_from_20_byte_sha1_digests + cert_file = File.expand_path('common.pem', File.dirname(__FILE__)) + cer = OpenSSL::X509::Certificate.new(File.read(cert_file)) + exts = Hash.new + cer.extensions.each{|ext| exts[ext.oid] = ext.value} + + assert exts["subjectKeyIdentifier"] == "B4:AC:83:5D:21:FB:D6:8A:56:7E:B2:49:6D:69:BB:E4:6F:D8:5A:AC" + end + end end Index: test/openssl/test_ec.rb =================================================================== --- test/openssl/test_ec.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/test_ec.rb (.../ruby_1_8/test/openssl) (revision 27451) 
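Review bot: test_extension_from_20_byte_sha1_digests reads `common.pem` from the test directory, but the only fixture this patch adds is max.pem (see the `Index: test/openssl/max.pem` section further down); unless common.pem is shipped elsewhere the test fails with Errno::ENOENT before asserting anything, so the fixture should be part of the patch. Both new tests should also use `assert_equal("4C:B9:E1:DC:7A:AC:35:CF", exts["subjectKeyIdentifier"])` rather than `assert exts[...] == ...`, so a mismatch reports the actual value instead of a bare `<false> is not true`. A one-line comment on the fixture, e.g. `# real-world A-Trust certificate with an 8-byte subjectKeyIdentifier (JRUBY-3888)`, would help the next reader understand why it is here.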
@@ -87,12 +87,27 @@ def test_dsa_sign_verify for key in @keys sig = key.dsa_sign_asn1(@data1) - assert_equal(key.dsa_verify_asn1(@data1, sig), true) - - assert_raises(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) } + assert(key.dsa_verify_asn1(@data1, sig)) end end + def test_dsa_sign_asn1_FIPS186_3 + for key in @keys + size = key.group.order.num_bits / 8 + 1 + dgst = (1..size).to_a.pack('C*') + begin + sig = key.dsa_sign_asn1(dgst) + # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m + assert(key.dsa_verify_asn1(dgst + "garbage", sig)) + rescue OpenSSL::PKey::ECError => e + # just an exception for longer dgst before openssl-0.9.8m + assert_equal('ECDSA_sign: data too large for key size', e.message) + # no need to do following tests + return + end + end + end + def test_dh_compute_key for key in @keys k = OpenSSL::PKey::EC.new(key.group) Index: test/openssl/test_pkcs7.rb =================================================================== --- test/openssl/test_pkcs7.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/test_pkcs7.rb (.../ruby_1_8/test/openssl) (revision 27451) @@ -28,6 +28,7 @@ ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true], ["authorityKeyIdentifier","keyid:always",false], ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false], + ["nsCertType","client,email",false], ] @ee1_cert = issue_cert(ee1, @rsa1024, 2, Time.now, Time.now+1800, ee_exts, @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) @@ -35,7 +36,7 @@ @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) end - def issue_cert(*args) + def issue_cert(*args) OpenSSL::TestUtils.issue_cert(*args) end 
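Review bot: test_dsa_sign_asn1_FIPS186_3 asserts that `dgst + "garbage"` still verifies, and the same hunk deletes the `assert_raises(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) }` check, so the suite no longer has any test that oversized input is rejected — the behaviour now locked in is that OpenSSL signs only the leftmost order-bit-length bits and ignores everything after them. That is the FIPS 186-3 rule, but it is a surprising property for callers of dsa_sign_asn1/dsa_verify_asn1 (trailing bytes of the "digest" are not authenticated), so the comment should state it explicitly, e.g. `# only the leftmost order.num_bits bits of dgst are signed; bytes past that are ignored, so never pass raw data here`. The rescue branch's `return` also means that on pre-0.9.8m OpenSSL only @keys[0] is exercised, which is worth saying in the comment if it is intentional.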
@@ -46,6 +47,127 @@ data = "aaaaa\r\nbbbbb\r\nccccc\r\n" tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs) + p7 = OpenSSL::PKCS7.new(tmp.to_der) + certs = p7.certificates + signers = p7.signers + assert(p7.verify([], store)) + assert_equal(data, p7.data) + assert_equal(2, certs.size) + assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s) + assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s) + assert_equal(1, signers.size) + assert_equal(@ee1_cert.serial, signers[0].serial) + assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) + + # Normaly OpenSSL tries to translate the supplied content into canonical + # MIME format (e.g. a newline character is converted into CR+LF). + # If the content is a binary, PKCS7::BINARY flag should be used. + + data = "aaaaa\nbbbbb\nccccc\n" + flag = OpenSSL::PKCS7::BINARY + tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag) + p7 = OpenSSL::PKCS7.new(tmp.to_der) + certs = p7.certificates + signers = p7.signers + assert(p7.verify([], store)) + assert_equal(data, p7.data) + assert_equal(2, certs.size) + assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s) + assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s) + assert_equal(1, signers.size) + assert_equal(@ee1_cert.serial, signers[0].serial) + assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) + + # A signed-data which have multiple signatures can be created + # through the following steps. + # 1. create two signed-data + # 2. 
copy signerInfo and certificate from one to another + + tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag) + tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag) + tmp1.add_signer(tmp2.signers[0]) + tmp1.add_certificate(@ee2_cert) + + p7 = OpenSSL::PKCS7.new(tmp1.to_der) + certs = p7.certificates + signers = p7.signers + assert(p7.verify([], store)) + assert_equal(data, p7.data) + assert_equal(2, certs.size) + assert_equal(2, signers.size) + assert_equal(@ee1_cert.serial, signers[0].serial) + assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) + assert_equal(@ee2_cert.serial, signers[1].serial) + assert_equal(@ee2_cert.issuer.to_s, signers[1].issuer.to_s) + end + + def test_detached_sign + store = OpenSSL::X509::Store.new + store.add_cert(@ca_cert) + ca_certs = [@ca_cert] + + data = "aaaaa\nbbbbb\nccccc\n" + flag = OpenSSL::PKCS7::BINARY|OpenSSL::PKCS7::DETACHED + tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag) + p7 = OpenSSL::PKCS7.new(tmp.to_der) + a1 = OpenSSL::ASN1.decode(p7) + + certs = p7.certificates + signers = p7.signers + assert(!p7.verify([], store)) + assert(p7.verify([], store, data)) + assert_equal(data, p7.data) + assert_equal(2, certs.size) + assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s) + assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s) + assert_equal(1, signers.size) + assert_equal(@ee1_cert.serial, signers[0].serial) + assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) + end + + def test_enveloped + if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x0090704f + # PKCS7_encrypt() of OpenSSL-0.9.7d goes to SEGV. 
+ # http://www.mail-archive.com/openssl-dev@openssl.org/msg17376.html + return + end + + certs = [@ee1_cert, @ee2_cert] + cipher = OpenSSL::Cipher::AES.new("128-CBC") + data = "aaaaa\nbbbbb\nccccc\n" + + tmp = OpenSSL::PKCS7.encrypt(certs, data, cipher, OpenSSL::PKCS7::BINARY) + p7 = OpenSSL::PKCS7.new(tmp.to_der) + recip = p7.recipients + assert_equal(:enveloped, p7.type) + assert_equal(2, recip.size) + + assert_equal(@ca_cert.subject.to_s, recip[0].issuer.to_s) + assert_equal(2, recip[0].serial) + assert_equal(data, p7.decrypt(@rsa1024, @ee1_cert)) + + assert_equal(@ca_cert.subject.to_s, recip[1].issuer.to_s) + assert_equal(3, recip[1].serial) + assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert)) + end + + def silent + begin + back, $VERBOSE = $VERBOSE, nil + yield + ensure + $VERBOSE = back if back + end + end + + def test_signed_pkcs7_pkcs7 + silent do + store = OpenSSL::X509::Store.new + store.add_cert(@ca_cert) + ca_certs = [@ca_cert] + + data = "aaaaa\r\nbbbbb\r\nccccc\r\n" + tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs) p7 = OpenSSL::PKCS7::PKCS7.new(tmp.to_der) certs = p7.certificates signers = p7.signers @@ -77,7 +199,7 @@ assert_equal(@ee1_cert.serial, signers[0].serial) assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) - # A signed-data which have multiple signatures can be created + # A signed-data which have multiple signatures can be created # through the following steps. # 1. create two signed-data # 2. copy signerInfo and certificate from one to another @@ -85,7 +207,7 @@ tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag) tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag) tmp1.add_signer(tmp2.signers[0]) - tmp1.add_certificate(@ee2_cert) + tmp1.add_certificate(@ee2_cert) p7 = OpenSSL::PKCS7::PKCS7.new(tmp1.to_der) certs = p7.certificates 
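Review bot: the new `silent` helper does not restore `$VERBOSE` when it was `false`: `$VERBOSE = back if back` skips the assignment for `false`, which is the default outside -w, so after the first `silent` block every later test in the process runs with `$VERBOSE = nil` and all warnings suppressed. The `ensure` should assign unconditionally, `$VERBOSE = back`. Separately, `a1 = OpenSSL::ASN1.decode(p7)` in test_detached_sign is assigned and never used; either assert on it or remove it.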
@@ -99,8 +221,10 @@ assert_equal(@ee2_cert.serial, signers[1].serial) assert_equal(@ee2_cert.issuer.to_s, signers[1].issuer.to_s) end + end - def test_detached_sign + def test_detached_sign_pkcs7_pkcs7 + silent do store = OpenSSL::X509::Store.new store.add_cert(@ca_cert) ca_certs = [@ca_cert] @@ -123,8 +247,10 @@ assert_equal(@ee1_cert.serial, signers[0].serial) assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) end + end - def test_enveloped + def test_enveloped_pkcs7_pkcs7 + silent do if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x0090704f # PKCS7_encrypt() of OpenSSL-0.9.7d goes to SEGV. # http://www.mail-archive.com/openssl-dev@openssl.org/msg17376.html @@ -149,6 +275,7 @@ assert_equal(3, recip[1].serial) assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert)) end + end end end Index: test/openssl/ssl_server.rb =================================================================== --- test/openssl/ssl_server.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/ssl_server.rb (.../ruby_1_8/test/openssl) (revision 27451) @@ -53,7 +53,7 @@ port = port + i break rescue Errno::EADDRINUSE - next + next end } ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx) Index: test/openssl/utils.rb =================================================================== --- test/openssl/utils.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/utils.rb (.../ruby_1_8/test/openssl) (revision 27451) 
@@ -96,16 +96,16 @@ cert end - def issue_crl(revoke_info, serial, lastup, nextup, extensions, + def issue_crl(revoke_info, serial, lastup, nextup, extensions, issuer, issuer_key, digest) crl = OpenSSL::X509::CRL.new crl.issuer = issuer.subject crl.version = 1 crl.last_update = lastup crl.next_update = nextup - revoke_info.each{|serial, time, reason_code| + revoke_info.each{|rserial, time, reason_code| revoked = OpenSSL::X509::Revoked.new - revoked.serial = serial + revoked.serial = rserial revoked.time = time enum = OpenSSL::ASN1::Enumerated(reason_code) ext = OpenSSL::X509::Extension.new("CRLReason", enum) Index: test/openssl/test_ssl.rb =================================================================== --- test/openssl/test_ssl.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/test_ssl.rb (.../ruby_1_8/test/openssl) (revision 27451) @@ -6,6 +6,8 @@ require "rbconfig" require "socket" require "test/unit" +require 'tempfile' + begin loadpath = $:.dup $:.replace($: | [File.expand_path("../ruby", File.dirname(__FILE__))]) @@ -58,6 +60,20 @@ OpenSSL::TestUtils.issue_crl(*arg) end + def choose_port(port) + tcps = nil + 100.times{ |i| + begin + tcps = TCPServer.new("127.0.0.1", port+i) + port = port + i + break + rescue Errno::EADDRINUSE + next + end + } + return tcps, port + end + def readwrite_loop(ctx, ssl) while line = ssl.gets if line =~ /^STARTTLS$/ 
@@ -78,22 +94,22 @@ begin ssl = ssls.accept rescue OpenSSL::SSL::SSLError - retry + retry end Thread.start do - Thread.current.abort_on_exception = true + Thread.current.abort_on_exception = true server_proc.call(ctx, ssl) end end - rescue Errno::EBADF, IOError + rescue Errno::EBADF, IOError, Errno::EINVAL, Errno::ECONNABORTED end def start_server(port0, verify_mode, start_immediately, args = {}, &block) ctx_proc = args[:ctx_proc] server_proc = args[:server_proc] server_proc ||= method(:readwrite_loop) - + store = OpenSSL::X509::Store.new store.add_cert(@ca_cert) store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT @@ -106,8 +122,7 @@ ctx_proc.call(ctx) if ctx_proc Socket.do_not_reverse_lookup = true - tcps = nil - port = port0 + tcps, port = choose_port(port0) begin tcps = TCPServer.new("127.0.0.1", port) rescue Errno::EADDRINUSE @@ -120,22 +135,33 @@ begin server = Thread.new do - Thread.current.abort_on_exception = true + Thread.current.abort_on_exception = true server_loop(ctx, ssls, server_proc) end - $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, pid, port) if $DEBUG + $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, $$, port) if $DEBUG block.call(server, port.to_i) ensure - tcps.close if (tcps) - if (server) - server.join(5) - if server.alive? - server.kill - server.join - flunk("TCPServer was closed and SSLServer is still alive") unless $! + begin + begin + tcps.shutdown + rescue Errno::ENOTCONN + # when `Errno::ENOTCONN: Socket is not connected' on some platforms, + # call #close instead of #shutdown. + tcps.close + tcps = nil + end if (tcps) + if (server) + server.join(5) + if server.alive? + server.kill + server.join + flunk("TCPServer was closed and SSLServer is still alive") unless $! + end end + ensure + tcps.close if (tcps) end end end @@ -180,6 +206,8 @@ ssl.sync_close = true ssl.connect + assert_raise(ArgumentError) { ssl.sysread(-1) } + # syswrite and sysread ITERATIONS.times{|i| str = "x" * 100 + "\n" 
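Review bot: `tcps, port = choose_port(port0)` returns a TCPServer that is already listening on port, yet the unchanged lines right below call `TCPServer.new("127.0.0.1", port)` on that same port again; a second listening socket on the same address fails with EADDRINUSE even with SO_REUSEADDR, so the rescue branch (outside this hunk, presumably the old bump-and-retry loop) is taken on every run and the socket choose_port opened is overwritten and never closed. Either delete the now-redundant `begin ... rescue Errno::EADDRINUSE ... end` and hand choose_port's socket to SSLServer, or make choose_port close its probe socket and return only the free port. choose_port can also return `nil` for tcps after 100 failed attempts, which start_server does not check. start_server continues beyond this hunk.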
@@ -193,6 +221,13 @@ assert_equal(str, buf) } + # puts and gets + ITERATIONS.times{ + str = "x" * 100 + "\n" + ssl.puts(str) + assert_equal(str, ssl.gets) + } + # read and write ITERATIONS.times{|i| str = "x" * 100 + "\n" @@ -213,7 +248,7 @@ def test_client_auth vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT start_server(PORT, vflag, true){|server, port| - assert_raises(OpenSSL::SSL::SSLError){ + assert_raise(OpenSSL::SSL::SSLError){ sock = TCPSocket.new("127.0.0.1", port) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.connect 
@@ -247,6 +282,82 @@ } end + def test_client_auth_with_server_store + vflag = OpenSSL::SSL::VERIFY_PEER + + localcacert_file = Tempfile.open("cafile") + localcacert_file << @ca_cert.to_pem + localcacert_file.close + localcacert_path = localcacert_file.path + + ssl_store = OpenSSL::X509::Store.new + ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY + ssl_store.add_file(localcacert_path) + + args = {} + args[:ctx_proc] = proc { |server_ctx| + server_ctx.cert = @svr_cert + server_ctx.key = @svr_key + server_ctx.verify_mode = vflag + server_ctx.cert_store = ssl_store + } + + start_server(PORT, vflag, true, args){|server, port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.cert = @cli_cert + ctx.key = @cli_key + sock = TCPSocket.new("127.0.0.1", port) + ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) + ssl.sync_close = true + ssl.connect + ssl.puts("foo") + assert_equal("foo\n", ssl.gets) + ssl.close + localcacert_file.unlink + } + end + + def test_client_crl_with_server_store + vflag = OpenSSL::SSL::VERIFY_PEER + + localcacert_file = Tempfile.open("cafile") + localcacert_file << @ca_cert.to_pem + localcacert_file.close + localcacert_path = localcacert_file.path + + ssl_store = OpenSSL::X509::Store.new + ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY + ssl_store.add_file(localcacert_path) + ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK + + crl = issue_crl([], 1, Time.now, Time.now+1600, [], + @cli_cert, @ca_key, OpenSSL::Digest::SHA1.new) + + ssl_store.add_crl(OpenSSL::X509::CRL.new(crl.to_pem)) + + args = {} + args[:ctx_proc] = proc { |server_ctx| + server_ctx.cert = @svr_cert + server_ctx.key = @svr_key + server_ctx.verify_mode = vflag + server_ctx.cert_store = ssl_store + } + + start_server(PORT, vflag, true, args){|s, p| + ctx = OpenSSL::SSL::SSLContext.new + ctx.cert = @cli_cert + ctx.key = @cli_key + assert_raise(OpenSSL::SSL::SSLError){ + sock = TCPSocket.new("127.0.0.1", p) + ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) + 
ssl.sync_close = true + ssl.connect + ssl.close + } + localcacert_file.unlink + } + end + def test_starttls start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|server, port| sock = TCPSocket.new("127.0.0.1", port) @@ -352,10 +463,10 @@ sock = TCPSocket.new("127.0.0.1", port) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.connect - assert_raises(sslerr){ssl.post_connection_check("localhost.localdomain")} - assert_raises(sslerr){ssl.post_connection_check("127.0.0.1")} + assert_raise(sslerr){ssl.post_connection_check("localhost.localdomain")} + assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")} assert(ssl.post_connection_check("localhost")) - assert_raises(sslerr){ssl.post_connection_check("foo.example.com")} + assert_raise(sslerr){ssl.post_connection_check("foo.example.com")} cert = ssl.peer_cert assert(!OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain")) @@ -378,8 +489,8 @@ ssl.connect assert(ssl.post_connection_check("localhost.localdomain")) assert(ssl.post_connection_check("127.0.0.1")) - assert_raises(sslerr){ssl.post_connection_check("localhost")} - assert_raises(sslerr){ssl.post_connection_check("foo.example.com")} + assert_raise(sslerr){ssl.post_connection_check("localhost")} + assert_raise(sslerr){ssl.post_connection_check("foo.example.com")} cert = ssl.peer_cert assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain")) 
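Review bot: test_client_crl_with_server_store does not actually exercise revocation: the CRL is built with an empty revoke list and with `@cli_cert` as issuer (utils.rb's issue_crl sets `crl.issuer = issuer.subject`) while being signed by `@ca_key`, so the store holds no CRL for the CA that issued the client cert and, with V_FLAG_CRL_CHECK set, the handshake almost certainly fails for "unable to get certificate CRL" rather than because @cli_cert is revoked. The assert_raise therefore passes for the wrong reason and would keep passing even if revocation checking were broken. Build the CRL from the CA and list the client serial, `crl = issue_crl([[@cli_cert.serial, Time.now, 1]], 1, Time.now, Time.now+1600, [], @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)`, and add the complementary case with an empty CRL from @ca_cert where the connection must succeed. Both new tests also call `localcacert_file.unlink` inside the block rather than in an `ensure`, so the temp file is left behind when an assertion fails.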
@@ -400,9 +511,9 @@ ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.connect assert(ssl.post_connection_check("localhost.localdomain")) - assert_raises(sslerr){ssl.post_connection_check("127.0.0.1")} - assert_raises(sslerr){ssl.post_connection_check("localhost")} - assert_raises(sslerr){ssl.post_connection_check("foo.example.com")} + assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")} + assert_raise(sslerr){ssl.post_connection_check("localhost")} + assert_raise(sslerr){ssl.post_connection_check("foo.example.com")} cert = ssl.peer_cert assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain")) assert(!OpenSSL::SSL.verify_certificate_identity(cert, "127.0.0.1")) @@ -494,7 +605,7 @@ ctx.session_add(saved_session) end connections += 1 - + readwrite_loop(ctx, ssl) end 
@@ -532,6 +643,50 @@ end end end + + def test_tlsext_hostname + return unless OpenSSL::SSL::SSLSocket.instance_methods.include?("hostname") + + ctx_proc = Proc.new do |ctx, ssl| + foo_ctx = ctx.dup + + ctx.servername_cb = Proc.new do |ssl2, hostname| + case hostname + when 'foo.example.com' + foo_ctx + when 'bar.example.com' + nil + else + raise "unknown hostname #{hostname.inspect}" + end + end + end + + server_proc = Proc.new do |ctx, ssl| + readwrite_loop(ctx, ssl) + end + + start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port| + 2.times do |i| + sock = TCPSocket.new("127.0.0.1", port) + ctx = OpenSSL::SSL::SSLContext.new + if defined?(OpenSSL::SSL::OP_NO_TICKET) + # disable RFC4507 support + ctx.options = OpenSSL::SSL::OP_NO_TICKET + end + ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) + ssl.sync_close = true + ssl.hostname = (i & 1 == 0) ? 'foo.example.com' : 'bar.example.com' + ssl.connect + + str = "x" * 100 + "\n" + ssl.puts(str) + assert_equal(str, ssl.gets) + + ssl.close + end + end + end end end Index: test/openssl/max.pem =================================================================== --- test/openssl/max.pem (.../ruby_1_8_7/test/openssl) (revision 0) +++ test/openssl/max.pem (.../ruby_1_8/test/openssl) (revision 27451) 
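Review bot: test_tlsext_hostname cannot tell whether the servername callback's return value was honoured: foo_ctx is a plain `ctx.dup` with the same cert and key, so a handshake served by foo_ctx, by the original ctx (the `nil` branch) or by a server that ignores SNI entirely looks identical to the client, and the loop only proves that an echo round-trip works for both names. Give foo_ctx a distinguishable identity (a second cert issued with the existing `issue_cert` helper, assigned to `foo_ctx.cert`/`foo_ctx.key`) and assert on `ssl.peer_cert.serial` per hostname right after `ssl.connect`. The `raise "unknown hostname ..."` inside servername_cb is never reachable with the two names the test sends, and an exception raised inside that callback may surface only as a handshake failure on the client side, so a comment saying that is the intent would help.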
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE4zCCA8ugAwIBAgIDBbhlMA0GCSqGSIb3DQEBBQUAMIGXMQswCQYDVQQGEwJB +VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp +bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMR4wHAYDVQQLDBVhLXNpZ24tUHJl +bWl1bS1FbmMtMDIxHjAcBgNVBAMMFWEtc2lnbi1QcmVtaXVtLUVuYy0wMjAeFw0w +OTA2MjYwOTExMzZaFw0xNDA2MjYwOTExMzZaMGAxCzAJBgNVBAYTAkFUMRcwFQYD +VQQDDA5NYXggTXVzdGVybWFubjETMBEGA1UEBAwKTXVzdGVybWFubjEMMAoGA1UE +KgwDTWF4MRUwEwYDVQQFEww3NTkzNjIxNTE2MTYwgd8wDQYJKoZIhvcNAQEBBQAD +gc0AMIHJAoHBAO+1eEcrMoYJ2S2iybcqUEzIxKQ9yJJL0XRNQSrKo/bDOBibfQ3H +E/TExiivgdXG2p0UjuPO1NEFgxhT5gtdaLthV2Kuokb+vbp3mWoUGz+uHIILT2zJ +TG6Yz6sooi/ppNIagFx3qAdFes8QMAereZQp0zzphK/a21FTLk0GVHpw+DWn7NRn +ynDVY0XgFkHXS4uHSfZDhzMGXVef3+SJLQzsV8R1ThMYQeoizA7tj6hT3YeBID2E +lh86V1Z8XuznUQIDAQABo4IBsDCCAawwEwYDVR0jBAwwCoAIRyFHjpdh4x4wewYI +KwYBBQUHAQEEbzBtMEIGCCsGAQUFBzAChjZodHRwOi8vd3d3LmEtdHJ1c3QuYXQv +Y2VydHMvYS1zaWduLVByZW1pdW0tRW5jLTAyYS5jcnQwJwYIKwYBBQUHMAGGG2h0 +dHA6Ly9vY3NwLmEtdHJ1c3QuYXQvb2NzcDBNBgNVHSAERjBEMEIGBiooABEBDDA4 +MDYGCCsGAQUFBwIBFipodHRwOi8vd3d3LmEtdHJ1c3QuYXQvZG9jcy9jcC9hLXNp +Z24tdG9rZW4wgZoGA1UdHwSBkjCBjzCBjKCBiaCBhoaBg2xkYXA6Ly9sZGFwLmEt +dHJ1c3QuYXQvb3U9YS1zaWduLVByZW1pdW0tRW5jLTAyLG89QS1UcnVzdCxjPUFU +P2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3Q/YmFzZT9vYmplY3RjbGFzcz1laWRD +ZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MBEGA1UdDgQKBAhMueHceqw1zzAOBgNVHQ8B +Af8EBAMCBLAwCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEASLyAbafKFN5h +0Mkk0QQoUl4Uvl+yy2ECe/QWNmDQpd7UCw1UAKrMvR8p6OcBiTnvbvg1HnbWI3Hy +BaEhGAhb1tziWkbV93z1NQCIt8hmdqE7GEp58ptYSuzwev6rgO/RZIxI9FCQn9kJ +ruGTM8hOIkh3QEy7Mq6utquMOEO0hQSUOvZkJdaSqHAoh2I3SzsxGr3juAa61x+0 +K8kW1ZgIsc0jhhb3NOyso48AqDK6oqwfiC6fp/HzSB5gycLllWrgUnMeae6Axbag +dImyOtaoxhIwZCr1tjTaQmaNK49kpvDGlIuDIQHf8uZgAoyduQfAvwiQ0llu5Ns2 +AOs41se+Gg== +-----END CERTIFICATE----- Property changes on: max.pem ___________________________________________________________________ Added: svn:eol-style + LF Index: test/openssl/test_config.rb 
=================================================================== --- test/openssl/test_config.rb (.../ruby_1_8_7/test/openssl) (revision 0) +++ test/openssl/test_config.rb (.../ruby_1_8/test/openssl) (revision 27451) @@ -0,0 +1,16 @@ +require 'openssl' +require "test/unit" + +class OpenSSL::TestConfig < Test::Unit::TestCase + def test_freeze + c = OpenSSL::Config.new + c['foo'] = [['key', 'value']] + c.freeze + + # [ruby-core:18377] + # RuntimeError for 1.9, TypeError for 1.8 + assert_raise(TypeError, /frozen/) do + c['foo'] = [['key', 'wrong']] + end + end +end Property changes on: test_config.rb ___________________________________________________________________ Added: svn:eol-style + LF Index: test/openssl/test_x509name.rb =================================================================== --- test/openssl/test_x509name.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/test_x509name.rb (.../ruby_1_8/test/openssl) (revision 27451) @@ -6,6 +6,8 @@ if defined?(OpenSSL) +require 'digest/md5' + class OpenSSL::TestX509Name < Test::Unit::TestCase OpenSSL::ASN1::ObjectId.register( "1.2.840.113549.1.9.1", "emailAddress", "emailAddress") 
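Review bot: on this branch's bundled test/unit, `assert_raise(TypeError, /frozen/)` does not check the exception message — a trailing argument that is not a Module is popped as the assertion's failure message, so the regexp is only ever used in the failure text. If the message matters, capture it explicitly: `e = assert_raise(TypeError) { c['foo'] = [['key', 'wrong']] }` followed by `assert_match(/frozen/, e.message)`. The comment says 1.9 raises RuntimeError while only TypeError is listed; that is fine for a 1.8-only branch, but worth saying in the comment so the test is not copied forward unchanged.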
@@ -261,6 +263,28 @@ assert_equal(OpenSSL::ASN1::IA5STRING, ary[3][2]) assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[4][2]) end + + def name_hash(name) + # OpenSSL 1.0.0 uses SHA1 for canonical encoding (not just a der) of + # X509Name for X509_NAME_hash. + name.respond_to?(:hash_old) ? name.hash_old : name.hash + end + + def calc_hash(d) + (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24 + end + + def test_hash + dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org" + name = OpenSSL::X509::Name.parse(dn) + d = Digest::MD5.digest(name.to_der) + assert_equal(calc_hash(d), name_hash(name)) + # + dn = "/DC=org/DC=ruby-lang/CN=baz.ruby-lang.org" + name = OpenSSL::X509::Name.parse(dn) + d = Digest::MD5.digest(name.to_der) + assert_equal(calc_hash(d), name_hash(name)) + end end end Index: test/openssl/test_x509crl.rb =================================================================== --- test/openssl/test_x509crl.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/test_x509crl.rb (.../ruby_1_8/test/openssl) (revision 27451) @@ -125,13 +125,13 @@ def test_extension cert_exts = [ ["basicConstraints", "CA:TRUE", true], - ["subjectKeyIdentifier", "hash", false], - ["authorityKeyIdentifier", "keyid:always", false], + ["subjectKeyIdentifier", "hash", false], + ["authorityKeyIdentifier", "keyid:always", false], ["subjectAltName", "email:xyzzy@ruby-lang.org", false], ["keyUsage", "cRLSign, keyCertSign", true], ] crl_exts = [ - ["authorityKeyIdentifier", "keyid:always", false], + ["authorityKeyIdentifier", "keyid:always", false], ["issuerAltName", "issuer:copy", false], ] 
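Review bot: `calc_hash` in test_hash hand-assembles a little-endian 32-bit integer from the first four MD5 bytes, and it only works because Ruby 1.8's `String#[Integer]` returns a byte value; on 1.9 `d[0]` is a one-character String and `& 0xff` raises NoMethodError. `d.unpack('V').first` expresses the same intent (first four digest bytes read little-endian, which is exactly what the test computes) and is version-independent, which matters for a test being ported between branches. The comment above `name_hash` is hard to parse; `# OpenSSL 1.0.0 changed X509_NAME_hash to SHA1 over the canonical encoding; hash_old (when present) is the MD5-over-DER value computed below` says what the helper selects and why.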
@@ -190,6 +190,30 @@ assert_match((2**100).to_s, crl.extensions[0].value) end + def test_sign_and_verify_wrong_key_type + cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::SHA1.new) + crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [], + cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new) + cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], + nil, nil, OpenSSL::Digest::DSS1.new) + crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [], + cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new) + begin + assert_equal(false, crl_rsa.verify(@dsa256)) + rescue OpenSSL::X509::CRLError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + + begin + assert_equal(false, crl_dsa.verify(@rsa1024)) + rescue OpenSSL::X509::CRLError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + end + def test_sign_and_verify cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::SHA1.new) @@ -197,8 +221,6 @@ cert, @rsa2048, OpenSSL::Digest::SHA1.new) assert_equal(false, crl.verify(@rsa1024)) assert_equal(true, crl.verify(@rsa2048)) - assert_equal(false, crl.verify(@dsa256)) - assert_equal(false, crl.verify(@dsa512)) crl.version = 0 assert_equal(false, crl.verify(@rsa2048)) 
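Review bot: The two begin/rescue blocks in test_sign_and_verify_wrong_key_type obscure what the test accepts, namely either a `false` return or a CRLError whose message is exactly `'wrong public key type'`, and the identical pattern is repeated in test_x509req's new test. A small helper in the shared test utilities (the file that provides `issue_crl`, presumably utils.rb) such as `assert_wrong_key_type(OpenSSL::X509::CRLError) { crl_rsa.verify(@dsa256) }` would give one place to document the pre- and post-1.0.0 behaviour instead of four copies of the same comment. The helper should still fail if `verify` returns `true`, which is the case that actually matters for security.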
@@ -206,13 +228,26 @@ nil, nil, OpenSSL::Digest::DSS1.new) crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @dsa512, OpenSSL::Digest::DSS1.new) - assert_equal(false, crl.verify(@rsa1024)) - assert_equal(false, crl.verify(@rsa2048)) assert_equal(false, crl.verify(@dsa256)) assert_equal(true, crl.verify(@dsa512)) crl.version = 0 assert_equal(false, crl.verify(@dsa512)) end + + def test_create_from_pem + crl = <<END +-----BEGIN X509 CRL----- +MIHkME8CAQEwDQYJKoZIhvcNAQEFBQAwDTELMAkGA1UEAwwCY2EXDTA5MDUyMzEw +MTkyM1oXDTE0MDUyMjEwMTkyM1qgDjAMMAoGA1UdFAQDAgEAMA0GCSqGSIb3DQEB +BQUAA4GBAGrGXN03TQdoluA5Xjv64We9EOvmE0EviKMeaZ/n8krEwFhUK7Yq3GVD +BFrb40cdFX1433buCZHG7Tq7eGv8cG1eO5RasuiedurMQXmVRDTDjGor/58Dk/Wy +owO/GR8ASm6Fx6AUKEgLAaoaaptpaWtEB+N4uaGvc0LFO9WY+ZMq +-----END X509 CRL----- +END + crl = OpenSSL::X509::CRL.new(crl) + assert_equal(1, crl.version) + assert_equal(OpenSSL::X509::Name.parse("/CN=ca").to_der, crl.issuer.to_der) + end end end Index: test/openssl/common.pem =================================================================== --- test/openssl/common.pem (.../ruby_1_8_7/test/openssl) (revision 0) +++ test/openssl/common.pem (.../ruby_1_8/test/openssl) (revision 27451) 
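Review bot: In test_create_from_pem the heredoc String and the parsed CRL share the name `crl`, which hides that the first is PEM text; the matching test in test_x509req uses `req_s` for the string, so `crl_s = <<END` and `crl = OpenSSL::X509::CRL.new(crl_s)` would keep the two files consistent. The test pins only version and issuer; the fixture's DER has no revokedCertificates list and a single crlNumber extension, so `assert_equal([], crl.revoked)` and a round-trip `assert_equal(crl_s, crl.to_pem)` (as the CSR test does) would catch more parser regressions. Since the CA key for this fixture is not in the suite, `verify` cannot be exercised here; a one-line comment saying so would stop a reader from mistaking the omission for an oversight.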
@@ -0,0 +1,48 @@ +-----BEGIN CERTIFICATE----- +MIIIgTCCB2mgAwIBAgICGuwwDQYJKoZIhvcNAQEFBQAwgeAxCzAJBgNVBAYTAkVT +MS4wLAYJKoZIhvcNAQkBFh9hY19jYW1lcmZpcm1hX2NjQGNhbWVyZmlybWEuY29t +MUMwQQYDVQQHEzpNYWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNh +bWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGTAXBgNV +BAoTEEFDIENhbWVyZmlybWEgU0ExLTArBgNVBAMTJEFDIENhbWVyZmlybWEgQ2Vy +dGlmaWNhZG9zIENhbWVyYWxlczAeFw0wNTA0MDgxMDUxMDBaFw0wOTA0MDcxMDUx +MDBaMIIBsDELMAkGA1UEBhMCRVMxHzAdBgNVBAMTFkNlcnRpZmljYWRvIGRlIFBy +dWViYXMxIjAgBgkqhkiG9w0BCQEWE2luZm9AY2FtZXJmaXJtYS5jb20xEjAQBgNV +BAUTCTEyMzQ1Njc4WjETMBEGA1UEBBMKZGUgUHJ1ZWJhczEUMBIGA1UEKhMLQ2Vy +dGlmaWNhZG8xTjBMBgorBgEEAYGHLh4CEz5DSUYgSVZBIChWQVQgbnVtYmVyIGFz +IGJ5IGFydGljbGUgMjhoIG9mIERpcmVjdGl2ZSA3Ny8zODgvRUVDKTEbMBkGCisG +AQQBgYcuHgMTC0VTQTAwMTIzNDU2MR0wGwYDVQQKExRPIERFTU8gQUMgQ2FtZXJm +aXJtYTEeMBwGA1UECxMVT1UgREVNTyBBQyBDYW1lcmZpcm1hMR0wGwYDVQQMExRU +IERFTU8gQUMgQ2FtZXJmaXJtYTFSMFAGA1UEDRNJQ2hhbWJlcnMgb2YgQ29tbWVy +Y2UgUXVhbGlmaWVkIENlcnRpZmljYXRlOiBOYXR1cmFsIFBlcnNvbiBDQU0tUEYt +U1ctS1BTQzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwmt+Ul58DwnCmPvZ +NiLJ7nXSIGBfb5hFEph7sP4NRFCVzLDOGpzIYTJ9CR+m0LVaUVTXgeLANjw1DEPC +kplWfpQejO4/nPVfRalg2GosrmqnaN3Y1lurnpQGdCz7nLOYJdS1ME52mzau8OFZ +1fSuM+/jHfLvABuwaLXb0OvWlVMCAwEAAaOCA/QwggPwMAwGA1UdEwEB/wQCMAAw +DgYDVR0PAQH/BAQDAgO4MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAR +BglghkgBhvhCAQEEBAMCBaAwQgYJYIZIAYb4QgEDBDUWM1VSSTpodHRwOi8vY3Js +LmNhbWVyZmlybWEuY29tL2FjX2NhbWVyZmlybWFfY2MuY2dpPzBGBglghkgBhvhC +AQgEORY3VVJJOmh0dHA6Ly9jcHMuY2FtZXJmaXJtYS5jb20vY3BzL2FjX2NhbWVy +ZmlybWFfY2MuaHRtbDA5BglghkgBhvhCAQ0ELBYqQ2VydGlmaWNhZG8gZGUgcHJ1 +ZWJhcyBzaW4gcmVzcG9uc2FiaWxpZGFkMB0GA1UdDgQWBBS0rINdIfvWilZ+sklt +abvkb9harDB4BggrBgEFBQcBAQRsMGowQAYIKwYBBQUHMAKGNGh0dHA6Ly93d3cu +Y2FtZXJmaXJtYS5jb20vY2VydHMvYWNfY2FtZXJmaXJtYV9jYy5jcnQwJgYIKwYB +BQUHMAGGGmh0dHA6Ly9vY3NwLmNhbWVyZmlybWEuY29tMIGrBgNVHSMEgaMwgaCA +FLYfTp0caJEuN3Jg4UaPWqUqMTG5oYGEpIGBMH8xCzAJBgNVBAYTAkVVMScwJQYD 
+VQQKEx5BQyBDYW1lcmZpcm1hIFNBIENJRiBBODI3NDMyODcxIzAhBgNVBAsTGmh0 +dHA6Ly93d3cuY2hhbWJlcnNpZ24ub3JnMSIwIAYDVQQDExlDaGFtYmVycyBvZiBD +b21tZXJjZSBSb290ggEFMHYGA1UdHwRvMG0wNKAyoDCGLmh0dHA6Ly9jcmwuY2Ft +ZXJmaXJtYS5jb20vYWNfY2FtZXJmaXJtYV9jYy5jcmwwNaAzoDGGL2h0dHA6Ly9j +cmwxLmNhbWVyZmlybWEuY29tL2FjX2NhbWVyZmlybWFfY2MuY3JsMB4GA1UdEQQX +MBWBE2luZm9AY2FtZXJmaXJtYS5jb20wKgYDVR0SBCMwIYEfYWNfY2FtZXJmaXJt +YV9jY0BjYW1lcmZpcm1hLmNvbTCBmgYDVR0gBIGSMIGPMIGMBg0rBgEEAYGHLgoJ +AgEBMHswPwYIKwYBBQUHAgEWM2h0dHA6Ly9jcHMuY2FtZXJmaXJtYS5jb20vY3Bz +L2FjX2NhbWVyZmlybWFfY2MuaHRtbDA4BggrBgEFBQcCAjAsGipDZXJ0aWZpY2Fk +byBkZSBwcnVlYmFzIHNpbiByZXNwb25zYWJpbGlkYWQwLwYIKwYBBQUHAQMEIzAh +MAgGBgQAjkYBATAVBgYEAI5GAQIwCxMDRVVSAgEAAgEBMA0GCSqGSIb3DQEBBQUA +A4IBAQBBfXUkreSi+Zr696+HxCpZmwhko/JmF25C3rECXvZ7L2OXEBELxiygOBpm +hs3EgRRTVA6tdWliPbI9m0Vp61qOYD566ilQspBS7MeGvNQoyyuk43EQakSCNZcl +dE6mqjXl3OT4At57vvJOnlzeidqmrPM2ULfFMBD2K6oce3PelRdOvM8stYEwqpCu +7/jC/F+Y8ZKJTroqOYv5saHozKSooq4QP9Xd1YOFrZlh5oP7B5lpfUmphQwi/+M5 +dUJywr3f+s5aaHlhkoPhNEmuhDK834PT6OekkSFCt3P/MBs71ERvSWgf1GcG+Vcm +f9cJTANAF/i6XDLRAJPsvFkNpMfc +-----END CERTIFICATE----- Property changes on: common.pem ___________________________________________________________________ Added: svn:eol-style + LF Index: test/openssl/test_hmac.rb =================================================================== --- test/openssl/test_hmac.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/test_hmac.rb (.../ruby_1_8/test/openssl) (revision 27451) @@ -4,15 +4,13 @@ end require "test/unit" -if defined?(OpenSSL) - class OpenSSL::TestHMAC < Test::Unit::TestCase def setup - @digest = OpenSSL::Digest::MD5.new + @digest = OpenSSL::Digest::MD5 @key = "KEY" @data = "DATA" - @h1 = OpenSSL::HMAC.new(@key, @digest) - @h2 = OpenSSL::HMAC.new(@key, @digest) + @h1 = OpenSSL::HMAC.new(@key, @digest.new) + @h2 = OpenSSL::HMAC.new(@key, "MD5") end def teardown 
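Review bot: Removing the `if defined?(OpenSSL)` guard around `class OpenSSL::TestHMAC` changes the failure mode when the extension is missing: the ` end` at the top of the hunk appears to close a `begin … rescue LoadError` around `require "openssl"`, so a build without OpenSSL now gets a NameError on the `OpenSSL::` constant instead of silently skipping the file, and every other test file touched by this patch keeps the guard. Restoring `if defined?(OpenSSL)` here (and the matching `end` this patch deletes in the later hunk) keeps the file consistent with its siblings. The switch of `@digest` to the class `OpenSSL::Digest::MD5` is fine, but a comment that `@h1` and `@h2` deliberately exercise the two accepted digest forms, a Digest instance and a name string, would explain why setup builds them differently.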
@@ -20,8 +18,14 @@ def test_hmac @h1.update(@data) - assert_equal(OpenSSL::HMAC.digest(@digest, @key, @data), @h1.digest, "digest") - assert_equal(OpenSSL::HMAC.hexdigest(@digest, @key, @data), @h1.hexdigest, "hexdigest") + @h2.update(@data) + assert_equal(@h1.digest, @h2.digest) + + assert_equal(OpenSSL::HMAC.digest(@digest.new, @key, @data), @h1.digest, "digest") + assert_equal(OpenSSL::HMAC.hexdigest(@digest.new, @key, @data), @h1.hexdigest, "hexdigest") + + assert_equal(OpenSSL::HMAC.digest("MD5", @key, @data), @h2.digest, "digest") + assert_equal(OpenSSL::HMAC.hexdigest("MD5", @key, @data), @h2.hexdigest, "hexdigest") end def test_dup @@ -29,6 +33,14 @@ h = @h1.dup assert_equal(@h1.digest, h.digest, "dup digest") end -end + def test_sha256 + digest256 = OpenSSL::Digest::Digest.new("sha256") + assert_equal( + "\210\236-\3270\331Yq\265\177sE\266\231hXa\332\250\026\235O&c*\307\001\227~\260n\362", + OpenSSL::HMAC.digest(digest256, 'blah', "blah")) + assert_equal( + "889e2dd730d95971b57f7345b699685861daa8169d4f26632ac701977eb06ef2", + OpenSSL::HMAC.hexdigest(digest256, 'blah', "blah")) + end end Index: test/openssl/test_cipher.rb =================================================================== --- test/openssl/test_cipher.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/test_cipher.rb (.../ruby_1_8/test/openssl) (revision 27451) @@ -12,6 +12,7 @@ @c2 = OpenSSL::Cipher::DES.new(:EDE3, "CBC") @key = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" @iv = "\0\0\0\0\0\0\0\0" + @iv1 = "\1\1\1\1\1\1\1\1" @hexkey = "0000000000000000000000000000000000000000000000" @hexiv = "0000000000000000" @data = "DATA" 
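Review bot: The expected binary digest in test_sha256 is an octal-escaped string nobody can check by eye, while the hexdigest assertion two lines below carries the same 32 bytes in readable form. Deriving one from the other, `expected_hex = "889e2dd730d95971b57f7345b699685861daa8169d4f26632ac701977eb06ef2"` then `assert_equal([expected_hex].pack("H*"), OpenSSL::HMAC.digest(digest256, 'blah', "blah"))`, keeps a single reviewable vector and still exercises both APIs. A comment recording where the vector came from (for example the openssl CLI invocation that produced it) would help whoever has to regenerate it. The `-end` removed here pairs with the `if defined?(OpenSSL)` deleted in this file's earlier hunk, so the two hunks must land together.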
@@ -63,11 +64,82 @@ assert_equal(s1, s2, "encrypt reset") end + def test_set_iv + @c1.encrypt + @c1.key = @key + @c1.iv = @iv + s1 = @c1.update(@data) + @c1.final + @c1.iv = @iv1 + s1 += @c1.update(@data) + @c1.final + @c1.reset + @c1.iv = @iv + s2 = @c1.update(@data) + @c1.final + @c1.iv = @iv1 + s2 += @c1.update(@data) + @c1.final + assert_equal(s1, s2, "encrypt reset") + end + def test_empty_data @c1.encrypt - assert_raises(ArgumentError){ @c1.update("") } + assert_raise(ArgumentError){ @c1.update("") } end + def test_disable_padding(padding=0) + # assume a padding size of 8 + # encrypt the data with padding + @c1.encrypt + @c1.key = @key + @c1.iv = @iv + encrypted_data = @c1.update(@data) + @c1.final + assert_equal(8, encrypted_data.size) + # decrypt with padding disabled + @c1.decrypt + @c1.padding = padding + decrypted_data = @c1.update(encrypted_data) + @c1.final + # check that the result contains the padding + assert_equal(8, decrypted_data.size) + assert_equal(@data, decrypted_data[0...@data.size]) + end + + if RUBY_PLATFORM =~ /java/ + # JRuby extension - using Java padding types + + def test_disable_padding_javastyle + test_disable_padding('NoPadding') + end + + def test_iso10126_padding + @c1.encrypt + @c1.key = @key + @c1.iv = @iv + @c1.padding = 'ISO10126Padding' + encrypted_data = @c1.update(@data) + @c1.final + # decrypt with padding disabled to see the padding + @c1.decrypt + @c1.padding = 0 + decrypted_data = @c1.update(encrypted_data) + @c1.final + assert_equal(@data, decrypted_data[0...@data.size]) + # last byte should be the amount of padding + assert_equal(4, decrypted_data[-1]) + end + + def test_iso10126_padding_boundry + @data = 'HELODATA' # 8 bytes, same as padding size + @c1.encrypt + @c1.key = @key + @c1.iv = @iv + @c1.padding = 'ISO10126Padding' + encrypted_data = @c1.update(@data) + @c1.final + # decrypt with padding disabled to see the padding + @c1.decrypt + @c1.padding = 0 + decrypted_data = @c1.update(encrypted_data) + @c1.final + 
assert_equal(@data, decrypted_data[0...@data.size]) + # padding should be one whole block + assert_equal(8, decrypted_data[-1]) + end + end + if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00907000 def test_ciphers OpenSSL::Cipher.ciphers.each{|name| @@ -90,6 +162,30 @@ } end end + + # JRUBY-4028 + def test_jruby_4028 + key = "0599E113A7EE32A9" + data = "1234567890~5J96LC303C1D22DD~20090930005944~http%3A%2F%2Flocalhost%3A8080%2Flogin%3B0%3B1~http%3A%2F%2Fmix-stage.oracle.com%2F~00" + c1 = OpenSSL::Cipher::Cipher.new("DES-CBC") + c1.padding = 0 + c1.iv = "0" * 8 + c1.encrypt + c1.key = key + e = c1.update data + e << c1.final + + c2 = OpenSSL::Cipher::Cipher.new("DES-CBC") + c2.padding = 0 + c2.iv = "0" * 8 + c2.decrypt + c2.key = key + d = c2.update e + d << c2.final + + assert_equal "\342\320B.\300&X\310\344\253\025\215\017*\22015\344\024D\342\213\361\336\311\271\326\016\243\214\026\2545\002\237,\017s\202\316&Ew\323\221H\376\200\304\201\365\332Im\240\361\037\246\3536\001A2\341\324o0\350\364%=\325\330\240\324u\225\304h\277\272\361f\024\324\352\336\353N\002/]C\370!\003)\212oa\225\207\333\340\245\207\024\351\037\327[\212\001{\216\f\315\345\372\v\226\r\233?\002\vJK", e + assert_equal data, d + end end end Index: test/openssl/test_x509req.rb =================================================================== --- test/openssl/test_x509req.rb (.../ruby_1_8_7/test/openssl) (revision 27451) +++ test/openssl/test_x509req.rb (.../ruby_1_8/test/openssl) (revision 27451) 
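Review bot: test_set_iv reuses the failure message `"encrypt reset"` from the preceding reset test, so a failure would point at the wrong behaviour; `assert_equal(s1, s2, "set iv")` names what is actually checked, that re-assigning the IV after `final` matches re-assigning it after `reset`. test_iso10126_padding_boundry should be spelled `boundary`, and the `decrypted_data[-1]` comparisons against Integers rely on 1.8's `String#[]` returning a byte value, which `.ord` or `unpack("C")` would make portable. A `test_` method taking an argument is unusual; a comment on test_disable_padding that the `padding` parameter exists so the JRuby variant can pass the Java padding name would keep the next reader from "fixing" it.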
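Review bot: test_jruby_4028 sets the IV before `encrypt`/`decrypt` and the key after them without saying that this ordering is the regression being pinned; a comment such as `# JRUBY-4028: an IV set before the mode switch and a key set after it must both survive` would make the vector maintainable. The 16-character `key` is twice DES-CBC's 8-byte key length; Ruby's `key=` only rejects keys that are too short, so the trailing eight bytes are presumably ignored, which is worth stating next to the constant. The fixed ASCII IV and disabled padding are acceptable for a known-answer test but should be marked as such so the snippet is not copied as a usage example.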
@@ -103,38 +103,89 @@ assert_equal(exts, get_ext_req(attrs[1].value)) end + def test_sign_and_verify_wrong_key_type + req_rsa = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new) + req_dsa = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) + begin + assert_equal(false, req_rsa.verify(@dsa256)) + rescue OpenSSL::X509::RequestError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + + begin + assert_equal(false, req_dsa.verify(@rsa1024)) + rescue OpenSSL::X509::RequestError => e + # OpenSSL 1.0.0 added checks for pkey OID + assert_equal('wrong public key type', e.message) + end + end + def test_sign_and_verify req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new) assert_equal(true, req.verify(@rsa1024)) assert_equal(false, req.verify(@rsa2048)) - assert_equal(false, req.verify(@dsa256)) - assert_equal(false, req.verify(@dsa512)) req.version = 1 assert_equal(false, req.verify(@rsa1024)) req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new) assert_equal(false, req.verify(@rsa1024)) assert_equal(true, req.verify(@rsa2048)) - assert_equal(false, req.verify(@dsa256)) - assert_equal(false, req.verify(@dsa512)) req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar") assert_equal(false, req.verify(@rsa2048)) req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) - assert_equal(false, req.verify(@rsa1024)) - assert_equal(false, req.verify(@rsa2048)) assert_equal(false, req.verify(@dsa256)) assert_equal(true, req.verify(@dsa512)) req.public_key = @rsa1024.public_key assert_equal(false, req.verify(@dsa512)) + end - assert_raise(OpenSSL::X509::RequestError){ - issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) } - assert_raise(OpenSSL::X509::RequestError){ - issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) } - assert_raise(OpenSSL::X509::RequestError){ - issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) } + def test_dsig_algorithm_mismatch + assert_raise(OpenSSL::X509::RequestError) 
do + issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) + end + assert_raise(OpenSSL::X509::RequestError) do + issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) + end end + + def test_create_from_pem + req = <<END +-----BEGIN CERTIFICATE REQUEST----- +MIIBVTCBvwIBADAWMRQwEgYDVQQDDAsxOTIuMTY4LjAuNDCBnzANBgkqhkiG9w0B +AQEFAAOBjQAwgYkCgYEA0oTTzFLydOTVtBpNdYl4S0356AysVkHlqD/tNEMxQT0l +dXdNoDKb/3TfM5WMciNxBb8rImJ51vEIf6WaWvPbaawcmhNWA9JmhMIeFCdeXyu/ +XEjiiEOL4MkWf6qfsu6VoPr2YSnR0iiWLgWcnRPuy84+PE1XPPl1qGDA0apWJ9kC +AwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAKdlyDzVrXRLkPdukQUTTy6uwhv35SKL +FfiKDrHtnFYd7VbynQ1sRre5CknuRrm+E7aEJEwpz6MS+6nqmQ6JwGcm/hlZM/m7 +DVD201pI3p6LIxaRyXE20RYTp0Jj6jv+tNFd0wjVlzgStmcplNo8hu6Dtp1gKETW +qL7M4i48FXHn +-----END CERTIFICATE REQUEST----- +END + req = OpenSSL::X509::Request.new(req) + + assert_equal(0, req.version) + assert_equal(OpenSSL::X509::Name.parse("/CN=192.168.0.4").to_der, req.subject.to_der) + end + + def test_create_to_pem + req_s = <<END +-----BEGIN CERTIFICATE REQUEST----- +MIIBVTCBvwIBADAWMRQwEgYDVQQDDAsxOTIuMTY4LjAuNDCBnzANBgkqhkiG9w0B +AQEFAAOBjQAwgYkCgYEA0oTTzFLydOTVtBpNdYl4S0356AysVkHlqD/tNEMxQT0l +dXdNoDKb/3TfM5WMciNxBb8rImJ51vEIf6WaWvPbaawcmhNWA9JmhMIeFCdeXyu/ +XEjiiEOL4MkWf6qfsu6VoPr2YSnR0iiWLgWcnRPuy84+PE1XPPl1qGDA0apWJ9kC +AwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAKdlyDzVrXRLkPdukQUTTy6uwhv35SKL +FfiKDrHtnFYd7VbynQ1sRre5CknuRrm+E7aEJEwpz6MS+6nqmQ6JwGcm/hlZM/m7 +DVD201pI3p6LIxaRyXE20RYTp0Jj6jv+tNFd0wjVlzgStmcplNo8hu6Dtp1gKETW +qL7M4i48FXHn +-----END CERTIFICATE REQUEST----- +END + req = OpenSSL::X509::Request.new(req_s) + + assert_equal(req_s, req.to_pem) + end end end
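Review bot: test_dsig_algorithm_mismatch silently drops the third case the old assertion block had, `issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new)`, and nothing records why; presumably OpenSSL 1.0.0 accepts SHA1 with DSA keys, which deserves a comment like `# DSA with plain SHA1 is accepted since OpenSSL 1.0.0; only DSS1-with-RSA and MD5-with-DSA remain errors`. The CSR fixture shared by test_create_from_pem and test_create_to_pem is signed with md5WithRSAEncryption (OID 1.2.840.113549.1.1.4 in its DER); that is harmless for parse and round-trip checks, but a comment should say so, because a later `req.verify(req.public_key)` assertion would fail on builds that reject MD5 signatures. Duplicating the 13-line heredoc in two tests also invites drift; a constant or a helper returning the PEM keeps one copy.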