diff --git a/Rakefile b/Rakefile index 3d94f9166..573eb794a 100644 --- a/Rakefile +++ b/Rakefile @@ -26,19 +26,12 @@ Rake::TestTask.new(:test_fips_internal) do |t| # Exclude failing test files in FIPS for this task to pass. # TODO: Fix failing test files. t.test_files = FileList['test/**/test_*.rb'] - FileList[ - 'test/openssl/test_asn1.rb', 'test/openssl/test_cipher.rb', 'test/openssl/test_digest.rb', 'test/openssl/test_hmac.rb', 'test/openssl/test_kdf.rb', - 'test/openssl/test_ns_spki.rb', - 'test/openssl/test_ocsp.rb', 'test/openssl/test_pkcs12.rb', 'test/openssl/test_ts.rb', - 'test/openssl/test_x509cert.rb', - 'test/openssl/test_x509crl.rb', - 'test/openssl/test_x509name.rb', - 'test/openssl/test_x509req.rb', ] t.warning = true end diff --git a/test/openssl/fixtures/pkey/dsa1024.pem b/test/openssl/fixtures/pkey/dsa1024.pem deleted file mode 100644 index 1bf498895..000000000 --- a/test/openssl/fixtures/pkey/dsa1024.pem +++ /dev/null @@ -1,12 +0,0 @@ ------BEGIN DSA PRIVATE KEY----- -MIIBugIBAAKBgQCH9aAoXvWWThIjkA6D+nI1F9ksF9iDq594rkiGNOT9sPDOdB+n -D+qeeeeloRlj19ymCSADPI0ZLRgkchkAEnY2RnqnhHOjVf/roGgRbW+iQDMbQ9wa -/pvc6/fAbsu1goE1hBYjm98/sZEeXavj8tR56IXnjF1b6Nx0+sgeUKFKEQIVAMiz -4BJUFeTtddyM4uadBM7HKLPRAoGAZdLBSYNGiij7vAjesF5mGUKTIgPd+JKuBEDx -OaBclsgfdoyoF/TMOkIty+PVlYD+//Vl2xnoUEIRaMXHwHfm0r2xUX++oeRaSScg -YizJdUxe5jvBuBszGPRc/mGpb9YvP0sB+FL1KmuxYmdODfCe51zl8uM/CVhouJ3w -DjmRGscCgYAuFlfC7p+e8huCKydfcv/beftqjewiOPpQ3u5uI6KPCtCJPpDhs3+4 -IihH2cPsAlqwGF4tlibW1+/z/OZ1AZinPK3y7b2jSJASEaPeEltVzB92hcd1khk2 -jTYcmSsV4VddplOPK9czytR/GbbibxsrhhgZUbd8LPbvIgaiadJ1PgIUBnJ/5vN2 -CVArsEzlPUCbohPvZnE= ------END DSA PRIVATE KEY----- diff --git a/test/openssl/fixtures/pkey/dsa256.pem b/test/openssl/fixtures/pkey/dsa256.pem deleted file mode 100644 index d9a407f73..000000000 --- a/test/openssl/fixtures/pkey/dsa256.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DSA PRIVATE KEY----- -MIH3AgEAAkEAhk2libbY2a8y2Pt21+YPYGZeW6wzaW2yfj5oiClXro9XMR7XWLkE -9B7XxLNFCS2gmCCdMsMW1HulaHtLFQmB2wIVAM43JZrcgpu6ajZ01VkLc93gu/Ed -AkAOhujZrrKV5CzBKutKLb0GVyVWmdC7InoNSMZEeGU72rT96IjM59YzoqmD0pGM -3I1o4cGqg1D1DfM1rQlnN1eSAkBq6xXfEDwJ1mLNxF6q8Zm/ugFYWR5xcX/3wFiT -b4+EjHP/DbNh9Vm5wcfnDBJ1zKvrMEf2xqngYdrV/3CiGJeKAhRvL57QvJZcQGvn -ISNX5cMzFHRW3Q== ------END DSA PRIVATE KEY----- diff --git a/test/openssl/fixtures/pkey/dsa512.pem b/test/openssl/fixtures/pkey/dsa512.pem deleted file mode 100644 index 962c41cc6..000000000 --- a/test/openssl/fixtures/pkey/dsa512.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DSA PRIVATE KEY----- -MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok -RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D -AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR -S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++ -Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S -55jreJD3Se3slps= ------END DSA PRIVATE KEY----- diff --git a/test/openssl/fixtures/pkey/rsa1024.pem b/test/openssl/fixtures/pkey/rsa1024.pem deleted file mode 100644 index 464de074b..000000000 --- a/test/openssl/fixtures/pkey/rsa1024.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx -aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/ -Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB -AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0 -maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T -gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572 -74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE -JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX -sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII -8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA -wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi -qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD -dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA== ------END RSA PRIVATE KEY----- diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb index 1b933a78b..501e35151 100644 --- a/test/openssl/test_asn1.rb +++ b/test/openssl/test_asn1.rb @@ -6,7 +6,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase def test_decode_x509_certificate subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA") - key = Fixtures.pkey("rsa1024") + key = Fixtures.pkey("rsa-1") now = Time.at(Time.now.to_i) # suppress usec s = 0xdeadbeafdeadbeafdeadbeafdeadbeaf exts = [ diff --git a/test/openssl/test_ns_spki.rb b/test/openssl/test_ns_spki.rb index d76fc9e5c..048442928 100644 --- a/test/openssl/test_ns_spki.rb +++ b/test/openssl/test_ns_spki.rb @@ -17,8 +17,8 @@ def setup end def test_build_data - key1 = Fixtures.pkey("rsa1024") - key2 = Fixtures.pkey("rsa2048") + key1 = Fixtures.pkey("rsa-1") + key2 = Fixtures.pkey("rsa-2") spki = OpenSSL::Netscape::SPKI.new spki.challenge = "RandomString" spki.public_key = key1.public_key diff --git a/test/openssl/test_ocsp.rb b/test/openssl/test_ocsp.rb index cf96fc22e..b9b66ad37 100644 --- a/test/openssl/test_ocsp.rb +++ b/test/openssl/test_ocsp.rb @@ -13,7 +13,7 @@ def setup # @cert2 @ocsp_cert ca_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA") - @ca_key = Fixtures.pkey("rsa1024") + @ca_key = Fixtures.pkey("rsa-1") ca_exts = [ ["basicConstraints", "CA:TRUE", true], ["keyUsage", "cRLSign,keyCertSign", true], @@ -22,7 +22,7 @@ def setup ca_subj, @ca_key, 1, ca_exts, nil, nil) cert_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA2") - @cert_key = Fixtures.pkey("rsa1024") + @cert_key = Fixtures.pkey("rsa-2") cert_exts = [ ["basicConstraints", "CA:TRUE", true], ["keyUsage", "cRLSign,keyCertSign", true], @@ -31,14 +31,14 @@ def setup cert_subj, @cert_key, 5, cert_exts, @ca_cert, @ca_key) cert2_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert") - @cert2_key = Fixtures.pkey("rsa1024") + @cert2_key = Fixtures.pkey("rsa-3") cert2_exts = [ ] @cert2 = OpenSSL::TestUtils.issue_cert( cert2_subj, @cert2_key, 10, cert2_exts, @cert, @cert_key) ocsp_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCAOCSP") - @ocsp_key = Fixtures.pkey("rsa2048") + @ocsp_key = Fixtures.pkey("p256") ocsp_exts = [ ["extendedKeyUsage", "OCSPSigning", true], ] @@ -63,8 +63,10 @@ def test_certificate_id_issuer_name_hash def test_certificate_id_issuer_key_hash cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert) - assert_equal OpenSSL::Digest.hexdigest('SHA1', OpenSSL::ASN1.decode(@ca_cert.to_der).value[0].value[6].value[1].value), cid.issuer_key_hash - assert_equal "d1fef9fbf8ae1bc160cbfa03e2596dd873089213", cid.issuer_key_hash + # content of subjectPublicKey (bit string) in SubjectPublicKeyInfo + spki = OpenSSL::ASN1.decode(@ca_key.public_to_der) + assert_equal OpenSSL::Digest.hexdigest("SHA1", spki.value[1].value), + cid.issuer_key_hash end def test_certificate_id_hash_algorithm diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb index 8066c4dc1..0943a7737 100644 --- a/test/openssl/test_pkey.rb +++ b/test/openssl/test_pkey.rb @@ -293,10 +293,10 @@ def test_raw_initialize_errors end def test_compare? - key1 = Fixtures.pkey("rsa1024") - key2 = Fixtures.pkey("rsa1024") - key3 = Fixtures.pkey("rsa2048") - key4 = Fixtures.pkey("dh-1") + key1 = Fixtures.pkey("rsa-1") + key2 = Fixtures.pkey("rsa-1") + key3 = Fixtures.pkey("rsa-2") + key4 = Fixtures.pkey("p256") assert_equal(true, key1.compare?(key2)) assert_equal(true, key1.public_key.compare?(key2)) @@ -311,7 +311,7 @@ def test_compare? end def test_to_text - rsa = Fixtures.pkey("rsa1024") + rsa = Fixtures.pkey("rsa-1") assert_include rsa.to_text, "publicExponent" end end diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb index 0779483bd..ef0fdf918 100644 --- a/test/openssl/test_pkey_dsa.rb +++ b/test/openssl/test_pkey_dsa.rb @@ -10,7 +10,7 @@ def setup end def test_private - key = Fixtures.pkey("dsa1024") + key = Fixtures.pkey("dsa2048") assert_equal true, key.private? key2 = OpenSSL::PKey::DSA.new(key.to_der) assert_equal true, key2.private? @@ -114,105 +114,76 @@ def test_sign_verify_raw def test_DSAPrivateKey # OpenSSL DSAPrivateKey format; similar to RSAPrivateKey - dsa512 = Fixtures.pkey("dsa512") + orig = Fixtures.pkey("dsa2048") asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Integer(0), - OpenSSL::ASN1::Integer(dsa512.p), - OpenSSL::ASN1::Integer(dsa512.q), - OpenSSL::ASN1::Integer(dsa512.g), - OpenSSL::ASN1::Integer(dsa512.pub_key), - OpenSSL::ASN1::Integer(dsa512.priv_key) + OpenSSL::ASN1::Integer(orig.p), + OpenSSL::ASN1::Integer(orig.q), + OpenSSL::ASN1::Integer(orig.g), + OpenSSL::ASN1::Integer(orig.pub_key), + OpenSSL::ASN1::Integer(orig.priv_key) ]) key = OpenSSL::PKey::DSA.new(asn1.to_der) assert_predicate key, :private? - assert_same_dsa dsa512, key - - pem = <<~EOF - -----BEGIN DSA PRIVATE KEY----- - MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok - RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D - AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR - S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++ - Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S - 55jreJD3Se3slps= - -----END DSA PRIVATE KEY----- - EOF + assert_same_dsa orig, key + + pem = der_to_pem(asn1.to_der, "DSA PRIVATE KEY") key = OpenSSL::PKey::DSA.new(pem) - assert_same_dsa dsa512, key + assert_same_dsa orig, key - assert_equal asn1.to_der, dsa512.to_der - assert_equal pem, dsa512.export + assert_equal asn1.to_der, orig.to_der + assert_equal pem, orig.export end def test_DSAPrivateKey_encrypted - # key = abcdef - dsa512 = Fixtures.pkey("dsa512") - pem = <<~EOF - -----BEGIN DSA PRIVATE KEY----- - Proc-Type: 4,ENCRYPTED - DEK-Info: AES-128-CBC,F8BB7BFC7EAB9118AC2E3DA16C8DB1D9 - - D2sIzsM9MLXBtlF4RW42u2GB9gX3HQ3prtVIjWPLaKBYoToRUiv8WKsjptfZuLSB - 74ZPdMS7VITM+W1HIxo/tjS80348Cwc9ou8H/E6WGat8ZUk/igLOUEII+coQS6qw - QpuLMcCIavevX0gjdjEIkojBB81TYDofA1Bp1z1zDI/2Zhw822xapI79ZF7Rmywt - OSyWzFaGipgDpdFsGzvT6//z0jMr0AuJVcZ0VJ5lyPGQZAeVBlbYEI4T72cC5Cz7 - XvLiaUtum6/sASD2PQqdDNpgx/WA6Vs1Po2kIUQIM5TIwyJI0GdykZcYm6xIK/ta - Wgx6c8K+qBAIVrilw3EWxw== - -----END DSA PRIVATE KEY----- - EOF + # OpenSSL DSAPrivateKey with OpenSSL encryption + orig = Fixtures.pkey("dsa2048") + + pem = der_to_encrypted_pem(orig.to_der, "DSA PRIVATE KEY", "abcdef") key = OpenSSL::PKey::DSA.new(pem, "abcdef") - assert_same_dsa dsa512, key + assert_same_dsa orig, key key = OpenSSL::PKey::DSA.new(pem) { "abcdef" } - assert_same_dsa dsa512, key + assert_same_dsa orig, key cipher = OpenSSL::Cipher.new("aes-128-cbc") - exported = dsa512.to_pem(cipher, "abcdef\0\1") - assert_same_dsa dsa512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1") + exported = orig.to_pem(cipher, "abcdef\0\1") + assert_same_dsa orig, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1") assert_raise(OpenSSL::PKey::DSAError) { OpenSSL::PKey::DSA.new(exported, "abcdef") } end def test_PUBKEY - dsa512 = Fixtures.pkey("dsa512") - dsa512pub = OpenSSL::PKey::DSA.new(dsa512.public_to_der) + orig = Fixtures.pkey("dsa2048") + pub = OpenSSL::PKey::DSA.new(orig.public_to_der) asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::ObjectId("DSA"), OpenSSL::ASN1::Sequence([ - OpenSSL::ASN1::Integer(dsa512.p), - OpenSSL::ASN1::Integer(dsa512.q), - OpenSSL::ASN1::Integer(dsa512.g) + OpenSSL::ASN1::Integer(orig.p), + OpenSSL::ASN1::Integer(orig.q), + OpenSSL::ASN1::Integer(orig.g) ]) ]), OpenSSL::ASN1::BitString( - OpenSSL::ASN1::Integer(dsa512.pub_key).to_der + OpenSSL::ASN1::Integer(orig.pub_key).to_der ) ]) key = OpenSSL::PKey::DSA.new(asn1.to_der) assert_not_predicate key, :private? - assert_same_dsa dsa512pub, key - - pem = <<~EOF - -----BEGIN PUBLIC KEY----- - MIHxMIGoBgcqhkjOOAQBMIGcAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgT - YiEEHaOYhkIxv0OkRZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB - 4DZGH7UyarcaGy6DAkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqo - ji3/lHdKoVdTQNuRS/m6DlCwhjRjiQ/lBRgCLCcaA0QAAkEAjN891JBjzpMj4bWg - sACmMggFf57DS0Ti+5++Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxX - oXi9OA== - -----END PUBLIC KEY----- - EOF + assert_same_dsa pub, key + + pem = der_to_pem(asn1.to_der, "PUBLIC KEY") key = OpenSSL::PKey::DSA.new(pem) - assert_same_dsa dsa512pub, key + assert_same_dsa pub, key assert_equal asn1.to_der, key.to_der assert_equal pem, key.export - assert_equal asn1.to_der, dsa512.public_to_der + assert_equal asn1.to_der, orig.public_to_der assert_equal asn1.to_der, key.public_to_der - assert_equal pem, dsa512.public_to_pem + assert_equal pem, orig.public_to_pem assert_equal pem, key.public_to_pem end @@ -263,7 +234,7 @@ def test_params end def test_dup - key = Fixtures.pkey("dsa1024") + key = Fixtures.pkey("dsa2048") key2 = key.dup assert_equal key.params, key2.params @@ -275,7 +246,7 @@ def test_dup end def test_marshal - key = Fixtures.pkey("dsa1024") + key = Fixtures.pkey("dsa2048") deserialized = Marshal.load(Marshal.dump(key)) assert_equal key.to_der, deserialized.to_der diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb index 6a8768d1f..90dd0481e 100644 --- a/test/openssl/test_pkey_rsa.rb +++ b/test/openssl/test_pkey_rsa.rb @@ -6,7 +6,7 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase def test_no_private_exp key = OpenSSL::PKey::RSA.new - rsa = Fixtures.pkey("rsa2048") + rsa = Fixtures.pkey("rsa-1") key.set_key(rsa.n, rsa.e, nil) key.set_factors(rsa.p, rsa.q) assert_raise(OpenSSL::PKey::RSAError){ key.private_encrypt("foo") } @@ -14,32 +14,30 @@ def test_no_private_exp end if !openssl?(3, 0, 0) # Impossible state in OpenSSL 3.0 def test_private - key = Fixtures.pkey("rsa2048") + key = Fixtures.pkey("rsa-1") # Generated by DER key2 = OpenSSL::PKey::RSA.new(key.to_der) - assert(key2.private?) + assert_true(key2.private?) # public key key3 = key.public_key - assert(!key3.private?) + assert_false(key3.private?) # Generated by public key DER key4 = OpenSSL::PKey::RSA.new(key3.to_der) - assert(!key4.private?) - rsa1024 = Fixtures.pkey("rsa1024") + assert_false(key4.private?) if !openssl?(3, 0, 0) - key = OpenSSL::PKey::RSA.new # Generated by RSA#set_key key5 = OpenSSL::PKey::RSA.new - key5.set_key(rsa1024.n, rsa1024.e, rsa1024.d) - assert(key5.private?) + key5.set_key(key.n, key.e, key.d) + assert_true(key5.private?) # Generated by RSA#set_key, without d key6 = OpenSSL::PKey::RSA.new - key6.set_key(rsa1024.n, rsa1024.e, nil) - assert(!key6.private?) + key6.set_key(key.n, key.e, nil) + assert_false(key6.private?) end end @@ -280,57 +278,57 @@ def test_encrypt_decrypt_legacy end def test_export - rsa1024 = Fixtures.pkey("rsa1024") + orig = Fixtures.pkey("rsa-1") - pub = OpenSSL::PKey.read(rsa1024.public_to_der) - assert_not_equal rsa1024.export, pub.export - assert_equal rsa1024.public_to_pem, pub.export + pub = OpenSSL::PKey.read(orig.public_to_der) + assert_not_equal orig.export, pub.export + assert_equal orig.public_to_pem, pub.export # PKey is immutable in OpenSSL >= 3.0 if !openssl?(3, 0, 0) key = OpenSSL::PKey::RSA.new # key has only n, e and d - key.set_key(rsa1024.n, rsa1024.e, rsa1024.d) - assert_equal rsa1024.public_key.export, key.export + key.set_key(orig.n, orig.e, orig.d) + assert_equal orig.public_key.export, key.export # key has only n, e, d, p and q - key.set_factors(rsa1024.p, rsa1024.q) - assert_equal rsa1024.public_key.export, key.export + key.set_factors(orig.p, orig.q) + assert_equal orig.public_key.export, key.export # key has n, e, d, p, q, dmp1, dmq1 and iqmp - key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp) - assert_equal rsa1024.export, key.export + key.set_crt_params(orig.dmp1, orig.dmq1, orig.iqmp) + assert_equal orig.export, key.export end end def test_to_der - rsa1024 = Fixtures.pkey("rsa1024") + orig = Fixtures.pkey("rsa-1") - pub = OpenSSL::PKey.read(rsa1024.public_to_der) - assert_not_equal rsa1024.to_der, pub.to_der - assert_equal rsa1024.public_to_der, pub.to_der + pub = OpenSSL::PKey.read(orig.public_to_der) + assert_not_equal orig.to_der, pub.to_der + assert_equal orig.public_to_der, pub.to_der # PKey is immutable in OpenSSL >= 3.0 if !openssl?(3, 0, 0) key = OpenSSL::PKey::RSA.new # key has only n, e and d - key.set_key(rsa1024.n, rsa1024.e, rsa1024.d) - assert_equal rsa1024.public_key.to_der, key.to_der + key.set_key(orig.n, orig.e, orig.d) + assert_equal orig.public_key.to_der, key.to_der # key has only n, e, d, p and q - key.set_factors(rsa1024.p, rsa1024.q) - assert_equal rsa1024.public_key.to_der, key.to_der + key.set_factors(orig.p, orig.q) + assert_equal orig.public_key.to_der, key.to_der # key has n, e, d, p, q, dmp1, dmq1 and iqmp - key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp) - assert_equal rsa1024.to_der, key.to_der + key.set_crt_params(orig.dmp1, orig.dmq1, orig.iqmp) + assert_equal orig.to_der, key.to_der end end def test_RSAPrivateKey - rsa = Fixtures.pkey("rsa2048") + rsa = Fixtures.pkey("rsa-1") asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Integer(0), OpenSSL::ASN1::Integer(rsa.n), @@ -346,35 +344,7 @@ def test_RSAPrivateKey assert_predicate key, :private? assert_same_rsa rsa, key - pem = <<~EOF - -----BEGIN RSA PRIVATE KEY----- - MIIEpAIBAAKCAQEAuV9ht9J7k4NBs38jOXvvTKY9gW8nLICSno5EETR1cuF7i4pN - s9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enenfzq/t/e/1IRW0wkJUJUFQign - 4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWmqbjs07JbuS4QQGGXLc+Su96D - kYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v68JkRFIhdGlb6JL8fllf/A/bl - NwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX9KZYcU00mOX+fdxOSnGqS/8J - DRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wIDAQABAoIBAAzsamqfYQAqwXTb - I0CJtGg6msUgU7HVkOM+9d3hM2L791oGHV6xBAdpXW2H8LgvZHJ8eOeSghR8+dgq - PIqAffo4x1Oma+FOg3A0fb0evyiACyrOk+EcBdbBeLo/LcvahBtqnDfiUMQTpy6V - seSoFCwuN91TSCeGIsDpRjbG1vxZgtx+uI+oH5+ytqJOmfCksRDCkMglGkzyfcl0 - Xc5CUhIJ0my53xijEUQl19rtWdMnNnnkdbG8PT3LZlOta5Do86BElzUYka0C6dUc - VsBDQ0Nup0P6rEQgy7tephHoRlUGTYamsajGJaAo1F3IQVIrRSuagi7+YpSpCqsW - wORqorkCgYEA7RdX6MDVrbw7LePnhyuaqTiMK+055/R1TqhB1JvvxJ1CXk2rDL6G - 0TLHQ7oGofd5LYiemg4ZVtWdJe43BPZlVgT6lvL/iGo8JnrncB9Da6L7nrq/+Rvj - XGjf1qODCK+LmreZWEsaLPURIoR/Ewwxb9J2zd0CaMjeTwafJo1CZvcCgYEAyCgb - aqoWvUecX8VvARfuA593Lsi50t4MEArnOXXcd1RnXoZWhbx5rgO8/ATKfXr0BK/n - h2GF9PfKzHFm/4V6e82OL7gu/kLy2u9bXN74vOvWFL5NOrOKPM7Kg+9I131kNYOw - Ivnr/VtHE5s0dY7JChYWE1F3vArrOw3T00a4CXUCgYEA0SqY+dS2LvIzW4cHCe9k - IQqsT0yYm5TFsUEr4sA3xcPfe4cV8sZb9k/QEGYb1+SWWZ+AHPV3UW5fl8kTbSNb - v4ng8i8rVVQ0ANbJO9e5CUrepein2MPL0AkOATR8M7t7dGGpvYV0cFk8ZrFx0oId - U0PgYDotF/iueBWlbsOM430CgYEAqYI95dFyPI5/AiSkY5queeb8+mQH62sdcCCr - vd/w/CZA/K5sbAo4SoTj8dLk4evU6HtIa0DOP63y071eaxvRpTNqLUOgmLh+D6gS - Cc7TfLuFrD+WDBatBd5jZ+SoHccVrLR/4L8jeodo5FPW05A+9gnKXEXsTxY4LOUC - 9bS4e1kCgYAqVXZh63JsMwoaxCYmQ66eJojKa47VNrOeIZDZvd2BPVf30glBOT41 - gBoDG3WMPZoQj9pb7uMcrnvs4APj2FIhMU8U15LcPAj59cD6S6rWnAxO8NFK7HQG - 4Jxg3JNNf8ErQoCHb1B3oVdXJkmbJkARoDpBKmTCgKtP8ADYLmVPQw== - -----END RSA PRIVATE KEY----- - EOF + pem = der_to_pem(asn1.to_der, "RSA PRIVATE KEY") key = OpenSSL::PKey::RSA.new(pem) assert_same_rsa rsa, key @@ -389,69 +359,46 @@ def test_RSAPrivateKey end def test_RSAPrivateKey_encrypted + # PKCS #1 RSAPrivateKey with OpenSSL encryption omit_on_fips - rsa1024 = Fixtures.pkey("rsa1024") - # key = abcdef - pem = <<~EOF - -----BEGIN RSA PRIVATE KEY----- - Proc-Type: 4,ENCRYPTED - DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0 - - zgJniZZQfvv8TFx3LzV6zhAQVayvQVZlAYqFq2yWbbxzF7C+IBhKQle9IhUQ9j/y - /jkvol550LS8vZ7TX5WxyDLe12cdqzEvpR6jf3NbxiNysOCxwG4ErhaZGP+krcoB - ObuL0nvls/+3myy5reKEyy22+0GvTDjaChfr+FwJjXMG+IBCLscYdgZC1LQL6oAn - 9xY5DH3W7BW4wR5ttxvtN32TkfVQh8xi3jrLrduUh+hV8DTiAiLIhv0Vykwhep2p - WZA+7qbrYaYM8GLLgLrb6LfBoxeNxAEKiTpl1quFkm+Hk1dKq0EhVnxHf92x0zVF - jRGZxAMNcrlCoE4f5XK45epVZSZvihdo1k73GPbp84aZ5P/xlO4OwZ3i4uCQXynl - jE9c+I+4rRWKyPz9gkkqo0+teJL8ifeKt/3ab6FcdA0aArynqmsKJMktxmNu83We - YVGEHZPeOlyOQqPvZqWsLnXQUfg54OkbuV4/4mWSIzxFXdFy/AekSeJugpswMXqn - oNck4qySNyfnlyelppXyWWwDfVus9CVAGZmJQaJExHMT/rQFRVchlmY0Ddr5O264 - gcjv90o1NBOc2fNcqjivuoX7ROqys4K/YdNQ1HhQ7usJghADNOtuLI8ZqMh9akXD - Eqp6Ne97wq1NiJj0nt3SJlzTnOyTjzrTe0Y+atPkVKp7SsjkATMI9JdhXwGhWd7a - qFVl0owZiDasgEhyG2K5L6r+yaJLYkPVXZYC/wtWC3NEchnDWZGQcXzB4xROCQkD - OlWNYDkPiZioeFkA3/fTMvG4moB2Pp9Q4GU5fJ6k43Ccu1up8dX/LumZb4ecg5/x - -----END RSA PRIVATE KEY----- - EOF + rsa = Fixtures.pkey("rsa2048") + + pem = der_to_encrypted_pem(rsa.to_der, "RSA PRIVATE KEY", "abcdef") key = OpenSSL::PKey::RSA.new(pem, "abcdef") - assert_same_rsa rsa1024, key + assert_same_rsa rsa, key key = OpenSSL::PKey::RSA.new(pem) { "abcdef" } - assert_same_rsa rsa1024, key + assert_same_rsa rsa, key cipher = OpenSSL::Cipher.new("aes-128-cbc") - exported = rsa1024.to_pem(cipher, "abcdef\0\1") - assert_same_rsa rsa1024, OpenSSL::PKey::RSA.new(exported, "abcdef\0\1") + exported = rsa.to_pem(cipher, "abcdef\0\1") + assert_same_rsa rsa, OpenSSL::PKey::RSA.new(exported, "abcdef\0\1") assert_raise(OpenSSL::PKey::RSAError) { OpenSSL::PKey::RSA.new(exported, "abcdef") } end def test_RSAPublicKey - rsa1024 = Fixtures.pkey("rsa1024") - rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der) + # PKCS #1 RSAPublicKey. Only decoding is supported + orig = Fixtures.pkey("rsa-1") + pub = OpenSSL::PKey::RSA.new(orig.public_to_der) asn1 = OpenSSL::ASN1::Sequence([ - OpenSSL::ASN1::Integer(rsa1024.n), - OpenSSL::ASN1::Integer(rsa1024.e) + OpenSSL::ASN1::Integer(orig.n), + OpenSSL::ASN1::Integer(orig.e) ]) key = OpenSSL::PKey::RSA.new(asn1.to_der) assert_not_predicate key, :private? - assert_same_rsa rsa1024pub, key + assert_same_rsa pub, key - pem = <<~EOF - -----BEGIN RSA PUBLIC KEY----- - MIGJAoGBAMvCxLDUQKc+1P4+Q6AeFwYDvWfALb+cvzlUEadGoPE6qNWHsLFoo8RF - geyTgE8KQTduu1OE9Zz2SMcRBDu5/1jWtsLPSVrI2ofLLBARUsWanVyki39DeB4u - /xkP2mKGjAokPIwOI3oCthSZlzO9bj3voxTf6XngTqUX8l8URTmHAgMBAAE= - -----END RSA PUBLIC KEY----- - EOF + pem = der_to_pem(asn1.to_der, "RSA PUBLIC KEY") key = OpenSSL::PKey::RSA.new(pem) - assert_same_rsa rsa1024pub, key + assert_same_rsa pub, key end def test_PUBKEY - rsa1024 = Fixtures.pkey("rsa1024") - rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der) + orig = Fixtures.pkey("rsa-1") + pub = OpenSSL::PKey::RSA.new(orig.public_to_der) asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Sequence([ @@ -460,39 +407,32 @@ def test_PUBKEY ]), OpenSSL::ASN1::BitString( OpenSSL::ASN1::Sequence([ - OpenSSL::ASN1::Integer(rsa1024.n), - OpenSSL::ASN1::Integer(rsa1024.e) + OpenSSL::ASN1::Integer(orig.n), + OpenSSL::ASN1::Integer(orig.e) ]).to_der ) ]) key = OpenSSL::PKey::RSA.new(asn1.to_der) assert_not_predicate key, :private? - assert_same_rsa rsa1024pub, key + assert_same_rsa pub, key - pem = <<~EOF - -----BEGIN PUBLIC KEY----- - MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLwsSw1ECnPtT+PkOgHhcGA71n - wC2/nL85VBGnRqDxOqjVh7CxaKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbC - z0layNqHyywQEVLFmp1cpIt/Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU - 3+l54E6lF/JfFEU5hwIDAQAB - -----END PUBLIC KEY----- - EOF + pem = der_to_pem(asn1.to_der, "PUBLIC KEY") key = OpenSSL::PKey::RSA.new(pem) - assert_same_rsa rsa1024pub, key + assert_same_rsa pub, key assert_equal asn1.to_der, key.to_der assert_equal pem, key.export - assert_equal asn1.to_der, rsa1024.public_to_der + assert_equal asn1.to_der, orig.public_to_der assert_equal asn1.to_der, key.public_to_der - assert_equal pem, rsa1024.public_to_pem + assert_equal pem, orig.public_to_pem assert_equal pem, key.public_to_pem end def test_pem_passwd omit_on_fips - key = Fixtures.pkey("rsa1024") + key = Fixtures.pkey("rsa-1") pem3c = key.to_pem("aes-128-cbc", "key") assert_match (/ENCRYPTED/), pem3c assert_equal key.to_der, OpenSSL::PKey.read(pem3c, "key").to_der @@ -503,38 +443,21 @@ def test_pem_passwd end def test_private_encoding - rsa1024 = Fixtures.pkey("rsa1024") + pkey = Fixtures.pkey("rsa-1") asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Integer(0), OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::ObjectId("rsaEncryption"), OpenSSL::ASN1::Null(nil) ]), - OpenSSL::ASN1::OctetString(rsa1024.to_der) + OpenSSL::ASN1::OctetString(pkey.to_der) ]) - assert_equal asn1.to_der, rsa1024.private_to_der - assert_same_rsa rsa1024, OpenSSL::PKey.read(asn1.to_der) + assert_equal asn1.to_der, pkey.private_to_der + assert_same_rsa pkey, OpenSSL::PKey.read(asn1.to_der) - pem = <<~EOF - -----BEGIN PRIVATE KEY----- - MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMvCxLDUQKc+1P4+ - Q6AeFwYDvWfALb+cvzlUEadGoPE6qNWHsLFoo8RFgeyTgE8KQTduu1OE9Zz2SMcR - BDu5/1jWtsLPSVrI2ofLLBARUsWanVyki39DeB4u/xkP2mKGjAokPIwOI3oCthSZ - lzO9bj3voxTf6XngTqUX8l8URTmHAgMBAAECgYEApKX8xBqvJ7XI7Kypfo/x8MVC - 3rxW+1eQ2aVKIo4a7PKGjQz5RVIVyzqTUvSZoMTbkAxlSIbO5YfJpTnl3tFcOB6y - QMxqQPW/pl6Ni3EmRJdsRM5MsPBRZOfrXxOCdvXu1TWOS1S1TrvEr/TyL9eh2WCd - CGzpWgdO4KHce7vs7pECQQDv6DGoG5lHnvbvj9qSJb9K5ebRJc8S+LI7Uy5JHC0j - zsHTYPSqBXwPVQdGbgCEycnwwKzXzT2QxAQmJBQKun2ZAkEA2W3aeAE7Xi6zo2eG - 4Cx4UNMHMIdfBRS7VgoekwybGmcapqV0aBew5kHeWAmxP1WUZ/dgZh2QtM1VuiBA - qUqkHwJBAOJLCRvi/JB8N7z82lTk2i3R8gjyOwNQJv6ilZRMyZ9vFZFHcUE27zCf - Kb+bX03h8WPwupjMdfgpjShU+7qq8nECQQDBrmyc16QVyo40sgTgblyiysitvviy - ovwZsZv4q5MCmvOPnPUrwGbRRb2VONUOMOKpFiBl9lIv7HU//nj7FMVLAkBjUXED - 83dA8JcKM+HlioXEAxCzZVVhN+D63QwRwkN08xAPklfqDkcqccWDaZm2hdCtaYlK - funwYkrzI1OikQSs - -----END PRIVATE KEY----- - EOF - assert_equal pem, rsa1024.private_to_pem - assert_same_rsa rsa1024, OpenSSL::PKey.read(pem) + pem = der_to_pem(asn1.to_der, "PRIVATE KEY") + assert_equal pem, pkey.private_to_pem + assert_same_rsa pkey, OpenSSL::PKey.read(pem) end def test_private_encoding_encrypted @@ -610,7 +533,7 @@ def test_params end def test_dup - key = Fixtures.pkey("rsa1024") + key = Fixtures.pkey("rsa-1") key2 = key.dup assert_equal key.params, key2.params @@ -622,7 +545,7 @@ def test_dup end def test_marshal - key = Fixtures.pkey("rsa2048") + key = Fixtures.pkey("rsa-1") deserialized = Marshal.load(Marshal.dump(key)) assert_equal key.to_der, deserialized.to_der diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 3ec1a7104..e700e53e3 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -2079,7 +2079,7 @@ def test_pqc_sigalg digest: nil) mldsa_cert = issue_cert(@svr, mldsa, 60, [], mldsa_ca_cert, mldsa_ca_key, digest: nil) - rsa = Fixtures.pkey("rsa2048") + rsa = Fixtures.pkey("rsa-1") rsa_cert = issue_cert(@svr, rsa, 61, [], @ca_cert, @ca_key) ctx_proc = -> ctx { # Unset values set by start_server @@ -2246,22 +2246,30 @@ def test_security_level end assert_equal(1, ctx.security_level) - dsa512 = Fixtures.pkey("dsa512") - dsa512_cert = issue_cert(@svr, dsa512, 50, [], @ca_cert, @ca_key) - rsa1024 = Fixtures.pkey("rsa1024") - rsa1024_cert = issue_cert(@svr, rsa1024, 51, [], @ca_cert, @ca_key) + # See SSL_CTX_set_security_level(3). Definitions of security levels may + # change in future OpenSSL versions. As of OpenSSL 1.1.0: + # - Level 1 requires 160-bit ECC keys or 1024-bit RSA keys. + # - Level 2 requires 224-bit ECC keys or 2048-bit RSA keys. + begin + ec112 = OpenSSL::PKey::EC.generate("secp112r1") + ec112_cert = issue_cert(@svr, ec112, 50, [], @ca_cert, @ca_key) + ec192 = OpenSSL::PKey::EC.generate("prime192v1") + ec192_cert = issue_cert(@svr, ec192, 51, [], @ca_cert, @ca_key) + rescue OpenSSL::PKey::PKeyError + # Distro-provided OpenSSL may refuse to generate small keys + return + end assert_raise(OpenSSL::SSL::SSLError) { - # 512 bit DSA key is rejected because it offers < 80 bits of security - ctx.add_certificate(dsa512_cert, dsa512) + ctx.add_certificate(ec112_cert, ec112) } assert_nothing_raised { - ctx.add_certificate(rsa1024_cert, rsa1024) + ctx.add_certificate(ec192_cert, ec192) } ctx.security_level = 2 assert_raise(OpenSSL::SSL::SSLError) { # < 112 bits of security - ctx.add_certificate(rsa1024_cert, rsa1024) + ctx.add_certificate(ec192_cert, ec192) } end diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb index 5fc87d9c6..55481690e 100644 --- a/test/openssl/test_x509cert.rb +++ b/test/openssl/test_x509cert.rb @@ -6,17 +6,16 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase def setup super - @rsa1024 = Fixtures.pkey("rsa1024") - @rsa2048 = Fixtures.pkey("rsa2048") - @dsa256 = Fixtures.pkey("dsa256") - @dsa512 = Fixtures.pkey("dsa512") + @rsa1 = Fixtures.pkey("rsa-1") + @rsa2 = Fixtures.pkey("rsa-2") + @ec1 = Fixtures.pkey("p256") @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") end def test_serial [1, 2**32, 2**100].each{|s| - cert = issue_cert(@ca, @rsa2048, s, [], nil, nil) + cert = issue_cert(@ca, @rsa1, s, [], nil, nil) assert_equal(s, cert.serial) cert = OpenSSL::X509::Certificate.new(cert.to_der) assert_equal(s, cert.serial) @@ -29,40 +28,34 @@ def test_public_key ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","keyid:always",false], ] - - [ - @rsa1024, @rsa2048, @dsa256, @dsa512, - ].each{|pk| - cert = issue_cert(@ca, pk, 1, exts, nil, nil) - assert_equal(cert.extensions.sort_by(&:to_s)[2].value, - OpenSSL::TestUtils.get_subject_key_id(cert)) - cert = OpenSSL::X509::Certificate.new(cert.to_der) - assert_equal(cert.extensions.sort_by(&:to_s)[2].value, - OpenSSL::TestUtils.get_subject_key_id(cert)) - } + cert = issue_cert(@ca, @rsa1, 1, exts, nil, nil) + assert_kind_of(OpenSSL::PKey::RSA, cert.public_key) + assert_equal(@rsa1.public_to_der, cert.public_key.public_to_der) + cert = OpenSSL::X509::Certificate.new(cert.to_der) + assert_equal(@rsa1.public_to_der, cert.public_key.public_to_der) end def test_validity now = Time.at(Time.now.to_i + 0.9) - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil, not_before: now, not_after: now+3600) assert_equal(Time.at(now.to_i), cert.not_before) assert_equal(Time.at(now.to_i+3600), cert.not_after) now = Time.at(now.to_i) - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil, not_before: now, not_after: now+3600) assert_equal(now.getutc, cert.not_before) assert_equal((now+3600).getutc, cert.not_after) now = Time.at(0) - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil, not_before: now, not_after: now) assert_equal(now.getutc, cert.not_before) assert_equal(now.getutc, cert.not_after) now = Time.at(0x7fffffff) - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil, not_before: now, not_after: now) assert_equal(now.getutc, cert.not_before) assert_equal(now.getutc, cert.not_after) @@ -75,7 +68,7 @@ def test_extension_factory ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","issuer:always,keyid:always",false], ] - ca_cert = issue_cert(@ca, @rsa2048, 1, ca_exts, nil, nil) + ca_cert = issue_cert(@ca, @rsa1, 1, ca_exts, nil, nil) ca_cert.extensions.each_with_index{|ext, i| assert_equal(ca_exts[i].first, ext.oid) assert_equal(ca_exts[i].last, ext.critical?) @@ -88,7 +81,7 @@ def test_extension_factory ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false], ["subjectAltName","email:ee1@ruby-lang.org",false], ] - ee1_cert = issue_cert(@ee1, @rsa1024, 2, ee1_exts, ca_cert, @rsa2048) + ee1_cert = issue_cert(@ee1, @rsa2, 2, ee1_exts, ca_cert, @rsa1) assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der) ee1_cert.extensions.each_with_index{|ext, i| assert_equal(ee1_exts[i].first, ext.oid) @@ -97,25 +90,25 @@ def test_extension_factory end def test_akiski - ca_cert = generate_cert(@ca, @rsa2048, 4, nil) + ca_cert = generate_cert(@ca, @rsa1, 4, nil) ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, ca_cert) ca_cert.add_extension( ef.create_extension("subjectKeyIdentifier", "hash", false)) ca_cert.add_extension( ef.create_extension("authorityKeyIdentifier", "issuer:always,keyid:always", false)) - ca_cert.sign(@rsa2048, "sha256") + ca_cert.sign(@rsa1, "sha256") ca_keyid = get_subject_key_id(ca_cert.to_der, hex: false) assert_equal ca_keyid, ca_cert.authority_key_identifier assert_equal ca_keyid, ca_cert.subject_key_identifier - ee_cert = generate_cert(@ee1, Fixtures.pkey("p256"), 5, ca_cert) + ee_cert = generate_cert(@ee1, @rsa2, 5, ca_cert) ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, ee_cert) ee_cert.add_extension( ef.create_extension("subjectKeyIdentifier", "hash", false)) ee_cert.add_extension( ef.create_extension("authorityKeyIdentifier", "issuer:always,keyid:always", false)) - ee_cert.sign(@rsa2048, "sha256") + ee_cert.sign(@rsa1, "sha256") ee_keyid = get_subject_key_id(ee_cert.to_der, hex: false) assert_equal ca_keyid, ee_cert.authority_key_identifier @@ -123,13 +116,13 @@ def test_akiski end def test_akiski_missing - cert = issue_cert(@ee1, @rsa2048, 1, [], nil, nil) + cert = issue_cert(@ee1, @rsa1, 1, [], nil, nil) assert_nil(cert.authority_key_identifier) assert_nil(cert.subject_key_identifier) end def test_crl_uris_no_crl_distribution_points - cert = issue_cert(@ee1, @rsa2048, 1, [], nil, nil) + cert = issue_cert(@ee1, @rsa1, 1, [], nil, nil) assert_nil(cert.crl_uris) end @@ -141,10 +134,10 @@ def test_crl_uris URI.1 = http://www.example.com/crl URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary _cnf_ - cdp_cert = generate_cert(@ee1, @rsa2048, 3, nil) + cdp_cert = generate_cert(@ee1, @rsa1, 3, nil) ef.subject_certificate = cdp_cert cdp_cert.add_extension(ef.create_extension("crlDistributionPoints", "@crlDistPts")) - cdp_cert.sign(@rsa2048, "sha256") + cdp_cert.sign(@rsa1, "sha256") assert_equal( ["http://www.example.com/crl", "ldap://ldap.example.com/cn=ca?certificateRevocationList;binary"], cdp_cert.crl_uris @@ -158,10 +151,10 @@ def test_crl_uris_multiple_general_names [crlDistPts_section] fullname = URI:http://www.example.com/crl, URI:ldap://ldap.example.com/cn=ca?certificateRevocationList;binary _cnf_ - cdp_cert = generate_cert(@ee1, @rsa2048, 3, nil) + cdp_cert = generate_cert(@ee1, @rsa1, 3, nil) ef.subject_certificate = cdp_cert cdp_cert.add_extension(ef.create_extension("crlDistributionPoints", "crlDistPts_section")) - cdp_cert.sign(@rsa2048, "sha256") + cdp_cert.sign(@rsa1, "sha256") assert_equal( ["http://www.example.com/crl", "ldap://ldap.example.com/cn=ca?certificateRevocationList;binary"], cdp_cert.crl_uris @@ -177,22 +170,22 @@ def test_crl_uris_no_uris [dirname_section] CN = dirname _cnf_ - cdp_cert = generate_cert(@ee1, @rsa2048, 3, nil) + cdp_cert = generate_cert(@ee1, @rsa1, 3, nil) ef.subject_certificate = cdp_cert cdp_cert.add_extension(ef.create_extension("crlDistributionPoints", "crlDistPts_section")) - cdp_cert.sign(@rsa2048, "sha256") + cdp_cert.sign(@rsa1, "sha256") assert_nil(cdp_cert.crl_uris) end def test_aia_missing - cert = issue_cert(@ee1, @rsa2048, 1, [], nil, nil) + cert = issue_cert(@ee1, @rsa1, 1, [], nil, nil) assert_nil(cert.ca_issuer_uris) assert_nil(cert.ocsp_uris) end def test_aia ef = OpenSSL::X509::ExtensionFactory.new - aia_cert = generate_cert(@ee1, @rsa2048, 4, nil) + aia_cert = generate_cert(@ee1, @rsa1, 4, nil) ef.subject_certificate = aia_cert aia_cert.add_extension( ef.create_extension( @@ -204,7 +197,7 @@ def test_aia false ) ) - aia_cert.sign(@rsa2048, "sha256") + aia_cert.sign(@rsa1, "sha256") assert_equal( ["http://www.example.com/caIssuers", "ldap://ldap.example.com/cn=ca?authorityInfoAccessCaIssuers;binary"], aia_cert.ca_issuer_uris @@ -217,7 +210,7 @@ def test_aia def test_invalid_extension integer = OpenSSL::ASN1::Integer.new(0) - invalid_exts_cert = generate_cert(@ee1, @rsa1024, 1, nil) + invalid_exts_cert = generate_cert(@ee1, @rsa1, 1, nil) ["subjectKeyIdentifier", "authorityKeyIdentifier", "crlDistributionPoints", "authorityInfoAccess"].each do |ext| invalid_exts_cert.add_extension( OpenSSL::X509::Extension.new(ext, integer.to_der) @@ -241,57 +234,16 @@ def test_invalid_extension } end - def test_sign_and_verify_rsa_sha1 - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: "SHA1") - assert_equal(false, cert.verify(@rsa1024)) - assert_equal(true, cert.verify(@rsa2048)) - assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) }) - assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) }) + def test_sign_and_verify + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil, digest: "SHA256") + assert_equal(true, cert.verify(@rsa1)) + assert_equal(false, cert.verify(@rsa2)) + assert_equal(false, certificate_error_returns_false { cert.verify(@ec1) }) cert.serial = 2 - assert_equal(false, cert.verify(@rsa2048)) - rescue OpenSSL::X509::CertificateError # RHEL 9 disables SHA1 - end - - def test_sign_and_verify_rsa_md5 - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: "md5") - assert_equal(false, cert.verify(@rsa1024)) - assert_equal(true, cert.verify(@rsa2048)) - - assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) }) - assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) }) - cert.subject = @ee1 - assert_equal(false, cert.verify(@rsa2048)) - rescue OpenSSL::X509::CertificateError # RHEL7 disables MD5 - end - - def test_sign_and_verify_dsa - cert = issue_cert(@ca, @dsa512, 1, [], nil, nil) - assert_equal(false, certificate_error_returns_false { cert.verify(@rsa1024) }) - assert_equal(false, certificate_error_returns_false { cert.verify(@rsa2048) }) - assert_equal(false, cert.verify(@dsa256)) - assert_equal(true, cert.verify(@dsa512)) - cert.not_after = Time.now - assert_equal(false, cert.verify(@dsa512)) + assert_equal(false, cert.verify(@rsa1)) end - def test_sign_and_verify_rsa_dss1 - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest.new('DSS1')) - assert_equal(false, cert.verify(@rsa1024)) - assert_equal(true, cert.verify(@rsa2048)) - assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) }) - assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) }) - cert.subject = @ee1 - assert_equal(false, cert.verify(@rsa2048)) - rescue OpenSSL::X509::CertificateError - end if defined?(OpenSSL::Digest::DSS1) - - def test_sign_and_verify_dsa_md5 - assert_raise(OpenSSL::X509::CertificateError){ - issue_cert(@ca, @dsa512, 1, [], nil, nil, digest: "md5") - } - end - - def test_sign_and_verify_ed25519 + def test_sign_and_verify_nil_digest # Ed25519 is not FIPS-approved. omit_on_fips ed25519 = OpenSSL::PKey::generate_key("ED25519") @@ -299,24 +251,13 @@ def test_sign_and_verify_ed25519 assert_equal(true, cert.verify(ed25519)) end - def test_dsa_with_sha2 - cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256") - assert_equal("dsa_with_SHA256", cert.signature_algorithm) - # TODO: need more tests for dsa + sha2 - - # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1) - cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha1") - assert_equal("dsaWithSHA1", cert.signature_algorithm) - rescue OpenSSL::X509::CertificateError # RHEL 9 disables SHA1 - end - def test_check_private_key - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) - assert_equal(true, cert.check_private_key(@rsa2048)) + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil) + assert_equal(true, cert.check_private_key(@rsa1)) end def test_read_from_file - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil) Tempfile.create("cert") { |f| f << cert.to_pem f.rewind @@ -325,12 +266,12 @@ def test_read_from_file end def test_read_der_then_pem - cert1 = issue_cert(@ca, @rsa2048, 1, [], nil, nil) + cert1 = issue_cert(@ca, @rsa1, 1, [], nil, nil) exts = [ # A new line before PEM block ["nsComment", "Another certificate:\n" + cert1.to_pem], ] - cert2 = issue_cert(@ca, @rsa2048, 2, exts, nil, nil) + cert2 = issue_cert(@ca, @rsa1, 2, exts, nil, nil) assert_equal cert2, OpenSSL::X509::Certificate.new(cert2.to_der) assert_equal cert2, OpenSSL::X509::Certificate.new(cert2.to_pem) @@ -338,15 +279,15 @@ def test_read_der_then_pem def test_eq now = Time.now - cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil, + cacert = issue_cert(@ca, @rsa1, 1, [], nil, nil, not_before: now, not_after: now + 3600) - cert1 = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024, + cert1 = issue_cert(@ee1, @rsa2, 2, [], cacert, @rsa1, not_before: now, not_after: now + 3600) - cert2 = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024, + cert2 = issue_cert(@ee1, @rsa2, 2, [], cacert, @rsa1, not_before: now, not_after: now + 3600) - cert3 = issue_cert(@ee1, @rsa2048, 3, [], cacert, @rsa1024, + cert3 = issue_cert(@ee1, @rsa2, 3, [], cacert, @rsa1, not_before: now, not_after: now + 3600) - cert4 = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024, + cert4 = issue_cert(@ee1, @rsa2, 2, [], cacert, @rsa1, digest: "sha512", not_before: now, not_after: now + 3600) assert_equal false, cert1 == 12345 @@ -358,9 +299,9 @@ def test_eq def test_marshal now = Time.now - cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil, + cacert = issue_cert(@ca, @rsa1, 1, [], nil, nil, not_before: now, not_after: now + 3600) - cert = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024, + cert = issue_cert(@ee1, @rsa2, 2, [], cacert, @rsa1, not_before: now, not_after: now + 3600) deserialized = Marshal.load(Marshal.dump(cert)) @@ -378,8 +319,8 @@ def test_load_file_empty_pem end def test_load_file_fullchain_pem - cert1 = issue_cert(@ee1, @rsa2048, 1, [], nil, nil) - cert2 = issue_cert(@ca, @rsa2048, 1, [], nil, nil) + cert1 = issue_cert(@ee1, @rsa1, 1, [], nil, nil) + cert2 = issue_cert(@ca, @rsa2, 1, [], nil, nil) Tempfile.create("fullchain.pem") do |f| f.puts cert1.to_pem @@ -394,7 +335,7 @@ def test_load_file_fullchain_pem end def test_load_file_certificate_der - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil) Tempfile.create("certificate.der", binmode: true) do |f| f.write cert.to_der f.close @@ -419,7 +360,7 @@ def test_load_file_fullchain_garbage end def test_tbs_precert_bytes - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil) seq = OpenSSL::ASN1.decode(cert.tbs_bytes) assert_equal 7, seq.value.size diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb index 89165388d..3c364f57d 100644 --- a/test/openssl/test_x509crl.rb +++ b/test/openssl/test_x509crl.rb @@ -6,21 +6,16 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase def setup super - @rsa1024 = Fixtures.pkey("rsa1024") - @rsa2048 = Fixtures.pkey("rsa2048") - @dsa256 = Fixtures.pkey("dsa256") - @dsa512 = Fixtures.pkey("dsa512") + @rsa1 = Fixtures.pkey("rsa-1") + @rsa2 = Fixtures.pkey("rsa-2") @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") - @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") - @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2") end def test_basic now = Time.at(Time.now.to_i) - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) - crl = issue_crl([], 1, now, now+1600, [], - cert, @rsa2048, OpenSSL::Digest.new('SHA256')) + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil) + crl = issue_crl([], 1, now, now+1600, [], cert, @rsa1, "SHA256") assert_equal(1, crl.version) assert_equal(cert.issuer.to_der, crl.issuer.to_der) assert_equal(now, crl.last_update) @@ -55,9 +50,9 @@ def test_revoked [4, now, 4], [5, now, 5], ] - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil) crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [], - cert, @rsa2048, OpenSSL::Digest.new('SHA256')) + cert, @rsa1, "SHA256") revoked = crl.revoked assert_equal(5, revoked.size) assert_equal(1, revoked[0].serial) @@ -98,7 +93,7 @@ def test_revoked revoke_info = (1..1000).collect{|i| [i, now, 0] } crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [], - cert, @rsa2048, OpenSSL::Digest.new('SHA256')) + cert, @rsa1, "SHA256") revoked = crl.revoked assert_equal(1000, revoked.size) assert_equal(1, revoked[0].serial) @@ -122,9 +117,9 @@ def test_extension ["issuerAltName", "issuer:copy", false], ] - cert = issue_cert(@ca, @rsa2048, 1, cert_exts, nil, nil) + cert = issue_cert(@ca, @rsa1, 1, cert_exts, nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts, - cert, @rsa2048, OpenSSL::Digest.new('SHA256')) + cert, @rsa1, "SHA256") exts = crl.extensions assert_equal(3, exts.size) assert_equal("1", exts[0].value) @@ -160,59 +155,55 @@ def test_extension assert_equal(false, exts[2].critical?) no_ext_crl = issue_crl([], 1, Time.now, Time.now+1600, [], - cert, @rsa2048, OpenSSL::Digest.new('SHA256')) + cert, @rsa1, "SHA256") assert_equal nil, no_ext_crl.authority_key_identifier end def test_crlnumber - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) - crl = issue_crl([], 1, Time.now, Time.now+1600, [], - cert, @rsa2048, OpenSSL::Digest.new('SHA256')) + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil) + crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @rsa1, "SHA256") assert_match(1.to_s, crl.extensions[0].value) assert_match(/X509v3 CRL Number:\s+#{1}/m, crl.to_text) crl = issue_crl([], 2**32, Time.now, Time.now+1600, [], - cert, @rsa2048, OpenSSL::Digest.new('SHA256')) + cert, @rsa1, "SHA256") assert_match((2**32).to_s, crl.extensions[0].value) assert_match(/X509v3 CRL Number:\s+#{2**32}/m, crl.to_text) crl = issue_crl([], 2**100, Time.now, Time.now+1600, [], - cert, @rsa2048, OpenSSL::Digest.new('SHA256')) + cert, @rsa1, "SHA256") assert_match(/X509v3 CRL Number:\s+#{2**100}/m, crl.to_text) assert_match((2**100).to_s, crl.extensions[0].value) end def test_sign_and_verify - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) - crl = issue_crl([], 1, Time.now, Time.now+1600, [], - cert, @rsa2048, OpenSSL::Digest.new('SHA256')) - assert_equal(false, crl.verify(@rsa1024)) - assert_equal(true, crl.verify(@rsa2048)) - assert_equal(false, crl_error_returns_false { crl.verify(@dsa256) }) - assert_equal(false, crl_error_returns_false { crl.verify(@dsa512) }) + p256 = Fixtures.pkey("p256") + + cert = issue_cert(@ca, @rsa1, 1, [], nil, nil) + crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @rsa1, "SHA256") + assert_equal(true, crl.verify(@rsa1)) + assert_equal(false, crl.verify(@rsa2)) + assert_equal(false, crl_error_returns_false { crl.verify(p256) }) crl.version = 0 - assert_equal(false, crl.verify(@rsa2048)) + assert_equal(false, crl.verify(@rsa1)) - cert = issue_cert(@ca, @dsa512, 1, [], nil, nil) - crl = issue_crl([], 1, Time.now, Time.now+1600, [], - cert, @dsa512, OpenSSL::Digest.new('SHA256')) - assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) }) - assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) }) - assert_equal(false, crl.verify(@dsa256)) - assert_equal(true, crl.verify(@dsa512)) + cert = issue_cert(@ca, p256, 1, [], nil, nil) + crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, p256, "SHA256") + assert_equal(false, crl_error_returns_false { crl.verify(@rsa1) }) + assert_equal(false, crl_error_returns_false { crl.verify(@rsa2) }) + assert_equal(true, crl.verify(p256)) crl.version = 0 - assert_equal(false, crl.verify(@dsa512)) + assert_equal(false, crl.verify(p256)) end - def test_sign_and_verify_ed25519 + def test_sign_and_verify_nil_digest # Ed25519 is not FIPS-approved. omit_on_fips ed25519 = OpenSSL::PKey::generate_key("ED25519") cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, ed25519, nil) - assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) }) - assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) }) + assert_equal(false, crl_error_returns_false { crl.verify(@rsa1) }) assert_equal(false, crl.verify(OpenSSL::PKey::generate_key("ED25519"))) assert_equal(true, crl.verify(ed25519)) crl.version = 0 @@ -245,8 +236,8 @@ def test_revoked_to_der def test_eq now = Time.now - cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil) - crl1 = issue_crl([], 1, now, now + 3600, [], cacert, @rsa1024, "sha256") + cacert = issue_cert(@ca, @rsa1, 1, [], nil, nil) + crl1 = issue_crl([], 1, now, now + 3600, [], cacert, @rsa1, "SHA256") rev1 = OpenSSL::X509::Revoked.new.tap { |rev| rev.serial = 1 rev.time = now @@ -274,8 +265,8 @@ def test_eq def test_marshal now = Time.now - cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil) - crl = issue_crl([], 1, now, now + 3600, [], cacert, @rsa1024, "sha256") + cacert = issue_cert(@ca, @rsa1, 1, [], nil, nil) + crl = issue_crl([], 1, now, now + 3600, [], cacert, @rsa1, "SHA256") rev = OpenSSL::X509::Revoked.new.tap { |rev| rev.serial = 1 rev.time = now diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb index c6d15219f..223c575e4 100644 --- a/test/openssl/test_x509name.rb +++ b/test/openssl/test_x509name.rb @@ -423,24 +423,14 @@ def test_spaceship assert_equal(nil, n3 <=> nil) end - def name_hash(name) - # OpenSSL 1.0.0 uses SHA1 for canonical encoding (not just a der) of - # X509Name for X509_NAME_hash. - name.respond_to?(:hash_old) ? name.hash_old : name.hash - end + def test_hash_old + omit_on_fips # MD5 - def test_hash dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org" name = OpenSSL::X509::Name.parse(dn) d = OpenSSL::Digest.digest('MD5', name.to_der) expected = (d[0].ord & 0xff) | (d[1].ord & 0xff) << 8 | (d[2].ord & 0xff) << 16 | (d[3].ord & 0xff) << 24 - assert_equal(expected, name_hash(name)) - # - dn = "/DC=org/DC=ruby-lang/CN=baz.ruby-lang.org" - name = OpenSSL::X509::Name.parse(dn) - d = OpenSSL::Digest.digest('MD5', name.to_der) - expected = (d[0].ord & 0xff) | (d[1].ord & 0xff) << 8 | (d[2].ord & 0xff) << 16 | (d[3].ord & 0xff) << 24 - assert_equal(expected, name_hash(name)) + assert_equal(expected, name.hash_old) end def test_equality diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb index 18d3e7f8f..0a2df47bc 100644 --- a/test/openssl/test_x509req.rb +++ b/test/openssl/test_x509req.rb @@ -6,10 +6,8 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase def setup super - @rsa1024 = Fixtures.pkey("rsa1024") - @rsa2048 = Fixtures.pkey("rsa2048") - @dsa256 = Fixtures.pkey("dsa256") - @dsa512 = Fixtures.pkey("dsa512") + @rsa1 = Fixtures.pkey("rsa-1") + @rsa2 = Fixtures.pkey("rsa-2") @dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou") end @@ -23,26 +21,22 @@ def issue_csr(ver, dn, key, digest) end def test_public_key - req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256')) - assert_equal(@rsa1024.public_to_der, req.public_key.public_to_der) + req = issue_csr(0, @dn, @rsa1, "SHA256") + assert_kind_of(OpenSSL::PKey::RSA, req.public_key) + assert_equal(@rsa1.public_to_der, req.public_key.public_to_der) req = OpenSSL::X509::Request.new(req.to_der) - assert_equal(@rsa1024.public_to_der, req.public_key.public_to_der) - - req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA256')) - assert_equal(@dsa512.public_to_der, req.public_key.public_to_der) - req = OpenSSL::X509::Request.new(req.to_der) - assert_equal(@dsa512.public_to_der, req.public_key.public_to_der) + assert_equal(@rsa1.public_to_der, req.public_key.public_to_der) end def test_version - req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256')) + req = issue_csr(0, @dn, @rsa1, "SHA256") assert_equal(0, req.version) req = OpenSSL::X509::Request.new(req.to_der) assert_equal(0, req.version) end def test_subject - req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256')) + req = issue_csr(0, @dn, @rsa1, "SHA256") assert_equal(@dn.to_der, req.subject.to_der) req = OpenSSL::X509::Request.new(req.to_der) assert_equal(@dn.to_der, req.subject.to_der) @@ -73,9 +67,9 @@ def test_attr OpenSSL::X509::Attribute.new("msExtReq", attrval), ] - req0 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256')) + req0 = issue_csr(0, @dn, @rsa1, "SHA256") attrs.each{|attr| req0.add_attribute(attr) } - req1 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256')) + req1 = issue_csr(0, @dn, @rsa1, "SHA256") req1.attributes = attrs assert_equal(req0.to_der, req1.to_der) @@ -95,65 +89,44 @@ def test_attr assert_equal(exts, get_ext_req(attrs[1].value)) end - def test_sign_and_verify_rsa_sha1 - req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1')) - assert_equal(true, req.verify(@rsa1024)) - assert_equal(false, req.verify(@rsa2048)) - assert_equal(false, request_error_returns_false { req.verify(@dsa256) }) - assert_equal(false, request_error_returns_false { req.verify(@dsa512) }) - req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar") - assert_equal(false, req.verify(@rsa1024)) - rescue OpenSSL::X509::RequestError # RHEL 9 disables SHA1 - end - - def test_sign_and_verify_rsa_md5 - req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest.new('MD5')) - assert_equal(false, req.verify(@rsa1024)) - assert_equal(true, req.verify(@rsa2048)) - assert_equal(false, request_error_returns_false { req.verify(@dsa256) }) - assert_equal(false, request_error_returns_false { req.verify(@dsa512) }) - req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar") - assert_equal(false, req.verify(@rsa2048)) - rescue OpenSSL::X509::RequestError # RHEL7 disables MD5 - end - - def test_sign_and_verify_dsa - req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA256')) - assert_equal(false, request_error_returns_false { req.verify(@rsa1024) }) - assert_equal(false, request_error_returns_false { req.verify(@rsa2048) }) - assert_equal(false, req.verify(@dsa256)) - assert_equal(true, req.verify(@dsa512)) - req.public_key = @rsa1024.public_key - assert_equal(false, req.verify(@dsa512)) + def test_sign_digest_instance + req1 = issue_csr(0, @dn, @rsa1, "SHA256") + req2 = issue_csr(0, @dn, @rsa1, OpenSSL::Digest.new("SHA256")) + assert_equal(req1.to_der, req2.to_der) end - def test_sign_and_verify_dsa_md5 - assert_raise(OpenSSL::X509::RequestError){ - issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('MD5')) } + def test_sign_and_verify + req = issue_csr(0, @dn, @rsa1, "SHA256") + assert_equal(true, req.verify(@rsa1)) + assert_equal(false, req.verify(@rsa2)) + ec = OpenSSL::PKey::EC.generate("prime256v1") + assert_equal(false, request_error_returns_false { req.verify(ec) }) + req.subject = OpenSSL::X509::Name.parse_rfc2253("CN=FooBarFooBar,C=JP") + assert_equal(false, req.verify(@rsa1)) end - def test_sign_and_verify_ed25519 + def test_sign_and_verify_nil_digest # Ed25519 is not FIPS-approved. omit_on_fips ed25519 = OpenSSL::PKey::generate_key("ED25519") req = issue_csr(0, @dn, ed25519, nil) - assert_equal(false, request_error_returns_false { req.verify(@rsa1024) }) - assert_equal(false, request_error_returns_false { req.verify(@rsa2048) }) + assert_equal(false, request_error_returns_false { req.verify(@rsa1) }) + assert_equal(false, request_error_returns_false { req.verify(@rsa2) }) assert_equal(false, req.verify(OpenSSL::PKey::generate_key("ED25519"))) assert_equal(true, req.verify(ed25519)) - req.public_key = @rsa1024.public_key + req.public_key = @rsa1 assert_equal(false, req.verify(ed25519)) end def test_dup - req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256')) + req = issue_csr(0, @dn, @rsa1, "SHA256") assert_equal(req.to_der, req.dup.to_der) end def test_eq - req1 = issue_csr(0, @dn, @rsa1024, "sha256") - req2 = issue_csr(0, @dn, @rsa1024, "sha256") - req3 = issue_csr(0, @dn, @rsa1024, "sha512") + req1 = issue_csr(0, @dn, @rsa1, "SHA256") + req2 = issue_csr(0, @dn, @rsa1, "SHA256") + req3 = issue_csr(0, @dn, @rsa1, "SHA512") assert_equal false, req1 == 12345 assert_equal true, req1 == req2 @@ -161,7 +134,7 @@ def test_eq end def test_marshal - req = issue_csr(0, @dn, @rsa1024, "sha256") + req = issue_csr(0, @dn, @rsa1, "SHA256") deserialized = Marshal.load(Marshal.dump(req)) assert_equal req.to_der, deserialized.to_der diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index 8d6261253..7e6fe8b16 100644 --- a/test/openssl/utils.rb +++ b/test/openssl/utils.rb @@ -294,6 +294,33 @@ def assert_sign_verify_false_or_error else assert_equal(false, ret) end + + def der_to_pem(der, pem_header) + # RFC 7468 + <<~EOS + -----BEGIN #{pem_header}----- + #{[der].pack("m0").scan(/.{1,64}/).join("\n")} + -----END #{pem_header}----- + EOS + end + + def der_to_encrypted_pem(der, pem_header, password) + # OpenSSL encryption, non-standard + iv = 16.times.to_a.pack("C*") + encrypted = OpenSSL::Cipher.new("aes-128-cbc").encrypt.then { |cipher| + cipher.key = OpenSSL::Digest.digest("MD5", password + iv[0, 8]) + cipher.iv = iv + cipher.update(der) << cipher.final + } + <<~EOS + -----BEGIN #{pem_header}----- + Proc-Type: 4,ENCRYPTED + DEK-Info: AES-128-CBC,#{iv.unpack1("H*").upcase} + + #{[encrypted].pack("m0").scan(/.{1,64}/).join("\n")} + -----END #{pem_header}----- + EOS + end end module OpenSSL::Certs