jruby-openssl 0.7.1 → 0.7.2

data/test/openssl/test_ec.rb

@@ -87,9 +87,24 @@ class OpenSSL::TestEC < Test::Unit::TestCase
   def test_dsa_sign_verify
     for key in @keys
       sig = key.dsa_sign_asn1(@data1)
-      assert_equal(key.dsa_verify_asn1(@data1, sig), true)
-        
-      assert_raise(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) }
+      assert(key.dsa_verify_asn1(@data1, sig))
+    end
+  end
+
+  def test_dsa_sign_asn1_FIPS186_3
+    for key in @keys
+      size = key.group.order.num_bits / 8 + 1
+      dgst = (1..size).to_a.pack('C*')
+      begin
+        sig = key.dsa_sign_asn1(dgst)
+        # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m
+        assert(key.dsa_verify_asn1(dgst + "garbage", sig))
+      rescue OpenSSL::PKey::ECError => e
+        # just an exception for longer dgst before openssl-0.9.8m
+        assert_equal('ECDSA_sign: data too large for key size', e.message)
+        # no need to do following tests
+        return
+      end
     end
   end
 

data/test/openssl/test_hmac.rb

@@ -4,15 +4,13 @@ rescue LoadError
 end
 require "test/unit"
 
-if defined?(OpenSSL)
-
 class OpenSSL::TestHMAC < Test::Unit::TestCase
   def setup
-    @digest = OpenSSL::Digest::MD5.new
+    @digest = OpenSSL::Digest::MD5
     @key = "KEY"
     @data = "DATA"
-    @h1 = OpenSSL::HMAC.new(@key, @digest)
-    @h2 = OpenSSL::HMAC.new(@key, @digest)
+    @h1 = OpenSSL::HMAC.new(@key, @digest.new)
+    @h2 = OpenSSL::HMAC.new(@key, "MD5")
   end
 
   def teardown
@@ -20,8 +18,14 @@ class OpenSSL::TestHMAC < Test::Unit::TestCase
 
   def test_hmac
     @h1.update(@data)
-    assert_equal(OpenSSL::HMAC.digest(@digest, @key, @data), @h1.digest, "digest")
-    assert_equal(OpenSSL::HMAC.hexdigest(@digest, @key, @data), @h1.hexdigest, "hexdigest")
+    @h2.update(@data)
+    assert_equal(@h1.digest, @h2.digest)
+
+    assert_equal(OpenSSL::HMAC.digest(@digest.new, @key, @data), @h1.digest, "digest")
+    assert_equal(OpenSSL::HMAC.hexdigest(@digest.new, @key, @data), @h1.hexdigest, "hexdigest")
+
+    assert_equal(OpenSSL::HMAC.digest("MD5", @key, @data), @h2.digest, "digest")
+    assert_equal(OpenSSL::HMAC.hexdigest("MD5", @key, @data), @h2.hexdigest, "hexdigest")
   end
 
   def test_dup
@@ -40,5 +44,3 @@ class OpenSSL::TestHMAC < Test::Unit::TestCase
       OpenSSL::HMAC.hexdigest(digest256, 'blah', "blah"))
   end
 end
-
-end

data/test/openssl/test_ns_spki.rb

@@ -22,16 +22,6 @@ class OpenSSL::TestNSSPI < Test::Unit::TestCase
 
   def teardown
   end
-def pr(obj, ind=0)
-  if obj.respond_to?(:value)
-    puts((" "*ind) + obj.class.to_s + ":")
-    pr(obj.value,(ind+1))
-  elsif obj.respond_to?(:each) && !(String===obj)
-    obj.each {|v| pr(v,ind+1) }
-  else
-    puts((" "*ind) + obj.inspect)
-  end
-end
 
   def test_build_data
     key1 = OpenSSL::TestUtils::TEST_KEY_RSA1024

data/test/openssl/test_pkcs7.rb

@@ -36,7 +36,7 @@ class OpenSSL::TestPKCS7 < Test::Unit::TestCase
                            @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
   end
 
-  def issue_cert(*args)             
+  def issue_cert(*args)
     OpenSSL::TestUtils.issue_cert(*args)
   end
 
@@ -78,7 +78,7 @@ class OpenSSL::TestPKCS7 < Test::Unit::TestCase
     assert_equal(@ee1_cert.serial, signers[0].serial)
     assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
 
-    # A signed-data which have multiple signatures can be created 
+    # A signed-data which have multiple signatures can be created
     # through the following steps.
     #   1. create two signed-data
     #   2. copy signerInfo and certificate from one to another
@@ -86,7 +86,7 @@ class OpenSSL::TestPKCS7 < Test::Unit::TestCase
     tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag)
     tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag)
     tmp1.add_signer(tmp2.signers[0])
-    tmp1.add_certificate(@ee2_cert)  
+    tmp1.add_certificate(@ee2_cert)
 
     p7 = OpenSSL::PKCS7.new(tmp1.to_der)
     certs = p7.certificates
@@ -135,6 +135,7 @@ class OpenSSL::TestPKCS7 < Test::Unit::TestCase
     certs = [@ee1_cert, @ee2_cert]
     cipher = OpenSSL::Cipher::AES.new("128-CBC")
     data = "aaaaa\nbbbbb\nccccc\n"
+
     tmp = OpenSSL::PKCS7.encrypt(certs, data, cipher, OpenSSL::PKCS7::BINARY)
     p7 = OpenSSL::PKCS7.new(tmp.to_der)
     recip = p7.recipients

data/test/openssl/test_ssl.rb

@@ -111,7 +111,7 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
         server_proc.call(ctx, ssl)
       end
     end
-  rescue Errno::EBADF, IOError
+  rescue Errno::EBADF, IOError, Errno::EINVAL, Errno::ECONNABORTED
   end
 
   def start_server(port0, verify_mode, start_immediately, args = {}, &block)
@@ -132,12 +132,6 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
 
     Socket.do_not_reverse_lookup = true
     tcps, port = choose_port(port0)
-    begin
-      tcps = TCPServer.new("127.0.0.1", port)
-    rescue Errno::EADDRINUSE
-      port += 1
-      retry
-    end
 
     ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
     ssls.start_immediately = start_immediately
@@ -954,7 +948,7 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
         ctx.session_add(saved_session)
       end
       connections += 1
-      
+
       readwrite_loop(ctx, ssl)
     end
 
@@ -999,7 +993,7 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
     ctx_proc = Proc.new do |ctx, ssl|
       foo_ctx = ctx.dup
 
-      ctx.servername_cb = Proc.new do |ssl, hostname|
+      ctx.servername_cb = Proc.new do |ssl2, hostname|
         case hostname
         when 'foo.example.com'
           foo_ctx

data/test/openssl/test_x509cert.rb

@@ -28,7 +28,7 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
   def test_serial
     [1, 2**32, 2**100].each{|s|
       cert = issue_cert(@ca, @rsa2048, s, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::SHA1.new) 
+                        nil, nil, OpenSSL::Digest::SHA1.new)
       assert_equal(s, cert.serial)
       cert = OpenSSL::X509::Certificate.new(cert.to_der)
       assert_equal(s, cert.serial)
@@ -60,25 +60,25 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
   def test_validity
     now = Time.now until now && now.usec != 0
     cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new) 
+                      nil, nil, OpenSSL::Digest::SHA1.new)
     assert_not_equal(now, cert.not_before)
     assert_not_equal(now+3600, cert.not_after)
 
     now = Time.at(now.to_i)
     cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new) 
+                      nil, nil, OpenSSL::Digest::SHA1.new)
     assert_equal(now.getutc, cert.not_before)
     assert_equal((now+3600).getutc, cert.not_after)
 
     now = Time.at(0)
     cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new) 
+                      nil, nil, OpenSSL::Digest::SHA1.new)
     assert_equal(now.getutc, cert.not_before)
     assert_equal(now.getutc, cert.not_after)
 
     now = Time.at(0x7fffffff)
     cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new) 
+                      nil, nil, OpenSSL::Digest::SHA1.new)
     assert_equal(now.getutc, cert.not_before)
     assert_equal(now.getutc, cert.not_after)
   end
@@ -91,7 +91,7 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
       ["authorityKeyIdentifier","keyid:always",false],
     ]
     ca_cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts,
-                         nil, nil, OpenSSL::Digest::SHA1.new) 
+                         nil, nil, OpenSSL::Digest::SHA1.new)
     ca_cert.extensions.each_with_index{|ext, i|
       assert_equal(ca_exts[i].first, ext.oid)
       assert_equal(ca_exts[i].last, ext.critical?)
@@ -105,7 +105,7 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
       ["subjectAltName","email:ee1@ruby-lang.org",false],
     ]
     ee1_cert = issue_cert(@ee1, @rsa1024, 2, Time.now, Time.now+1800, ee1_exts,
-                          ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) 
+                          ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der)
     ee1_cert.extensions.each_with_index{|ext, i|
       assert_equal(ee1_exts[i].first, ext.oid)
@@ -120,7 +120,7 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
       ["subjectAltName","email:ee2@ruby-lang.org",false],
     ]
     ee2_cert = issue_cert(@ee2, @rsa1024, 3, Time.now, Time.now+1800, ee2_exts,
-                          ca_cert, @rsa2048, OpenSSL::Digest::MD5.new) 
+                          ca_cert, @rsa2048, OpenSSL::Digest::MD5.new)
     assert_equal(ca_cert.subject.to_der, ee2_cert.issuer.to_der)
     ee2_cert.extensions.each_with_index{|ext, i|
       assert_equal(ee2_exts[i].first, ext.oid)
@@ -129,46 +129,87 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
 
   end
 
+  def test_sign_and_verify_wrong_key_type
+    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, cert_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::CertificateError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+
+    begin
+      assert_equal(false, cert_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::CertificateError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
+
   def test_sign_and_verify
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new) 
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    assert_equal("sha1WithRSAEncryption", cert.signature_algorithm)
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true,  cert.verify(@rsa2048))
-    assert_equal(false, cert.verify(@dsa256))
-    assert_equal(false, cert.verify(@dsa512))
     cert.serial = 2
     assert_equal(false, cert.verify(@rsa2048))
 
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::MD5.new) 
+                      nil, nil, OpenSSL::Digest::MD5.new)
+    assert_equal("md5WithRSAEncryption", cert.signature_algorithm)
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true,  cert.verify(@rsa2048))
-    assert_equal(false, cert.verify(@dsa256))
-    assert_equal(false, cert.verify(@dsa512))
     cert.subject = @ee1
     assert_equal(false, cert.verify(@rsa2048))
 
     cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::DSS1.new) 
-    assert_equal(false, cert.verify(@rsa1024))
-    assert_equal(false, cert.verify(@rsa2048))
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    assert_equal("dsaWithSHA1", cert.signature_algorithm)
     assert_equal(false, cert.verify(@dsa256))
     assert_equal(true,  cert.verify(@dsa512))
-    cert.not_after = Time.now 
+    cert.not_after = Time.now
     assert_equal(false, cert.verify(@dsa512))
 
     assert_raise(OpenSSL::X509::CertificateError){
       cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::DSS1.new) 
+                        nil, nil, OpenSSL::Digest::DSS1.new)
     }
     assert_raise(OpenSSL::X509::CertificateError){
       cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::MD5.new) 
+                        nil, nil, OpenSSL::Digest::MD5.new)
     }
-    assert_raise(OpenSSL::X509::CertificateError){
+  end
+
+  def test_dsig_algorithm_mismatch
+    assert_raise(OpenSSL::X509::CertificateError) do
+      cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                        nil, nil, OpenSSL::Digest::DSS1.new)
+    end
+    assert_raise(OpenSSL::X509::CertificateError) do
       cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::SHA1.new) 
-    }
+                        nil, nil, OpenSSL::Digest::MD5.new)
+    end
+  end
+
+  def test_dsa_with_sha2
+    begin
+      cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
+                        nil, nil, OpenSSL::Digest::SHA256.new)
+      assert_equal("dsa_with_SHA256", cert.signature_algorithm)
+    rescue OpenSSL::X509::CertificateError
+      # dsa_with_sha2 not supported. skip following test.
+      return
+    end
+    # TODO: need more tests for dsa + sha2
+
+    # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requireds DSS1)
+    cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    assert_equal("dsaWithSHA1", cert.signature_algorithm)
   end
 
   def test_check_private_key

data/test/openssl/test_x509crl.rb

@@ -125,13 +125,13 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
   def test_extension
     cert_exts = [
       ["basicConstraints", "CA:TRUE", true],
-      ["subjectKeyIdentifier", "hash", false], 
-      ["authorityKeyIdentifier", "keyid:always", false], 
+      ["subjectKeyIdentifier", "hash", false],
+      ["authorityKeyIdentifier", "keyid:always", false],
       ["subjectAltName", "email:xyzzy@ruby-lang.org", false],
       ["keyUsage", "cRLSign, keyCertSign", true],
     ]
     crl_exts = [
-      ["authorityKeyIdentifier", "keyid:always", false], 
+      ["authorityKeyIdentifier", "keyid:always", false],
       ["issuerAltName", "issuer:copy", false],
     ]
 
@@ -190,6 +190,30 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
     assert_match((2**100).to_s, crl.extensions[0].value)
   end
 
+  def test_sign_and_verify_wrong_key_type
+    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new)
+    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, crl_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::CRLError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+
+    begin
+      assert_equal(false, crl_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::CRLError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
+
   def test_sign_and_verify
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::SHA1.new)
@@ -197,8 +221,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
                     cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     assert_equal(false, crl.verify(@rsa1024))
     assert_equal(true,  crl.verify(@rsa2048))
-    assert_equal(false, crl.verify(@dsa256))
-    assert_equal(false, crl.verify(@dsa512))
     crl.version = 0
     assert_equal(false, crl.verify(@rsa2048))
 
@@ -206,8 +228,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
                       nil, nil, OpenSSL::Digest::DSS1.new)
     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
                     cert, @dsa512, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, crl.verify(@rsa1024))
-    assert_equal(false, crl.verify(@rsa2048))
     assert_equal(false, crl.verify(@dsa256))
     assert_equal(true,  crl.verify(@dsa512))
     crl.version = 0

data/test/openssl/test_x509ext.rb

@@ -56,18 +56,22 @@ class OpenSSL::TestX509Extension < Test::Unit::TestCase
     cdp = ef.create_extension("crlDistributionPoints", "@crlDistPts")
     assert_equal(false, cdp.critical?)
     assert_equal("crlDistributionPoints", cdp.oid)
+=begin TODO: JRuby-OSSL does not implement some features such as config reference, DER:, etc.
     assert_match(%{URI:http://www\.example\.com/crl}, cdp.value)
     assert_match(
       %r{URI:ldap://ldap\.example\.com/cn=ca\?certificateRevocationList;binary},
       cdp.value)
+=end
 
     cdp = ef.create_extension("crlDistributionPoints", "critical, @crlDistPts")
     assert_equal(true, cdp.critical?)
     assert_equal("crlDistributionPoints", cdp.oid)
+=begin TODO: ditto
     assert_match(%{URI:http://www.example.com/crl}, cdp.value)
     assert_match(
       %r{URI:ldap://ldap.example.com/cn=ca\?certificateRevocationList;binary},
       cdp.value)
+=end
   end
 
   # JRUBY-3888
@@ -89,7 +93,7 @@ class OpenSSL::TestX509Extension < Test::Unit::TestCase
 
     assert exts["subjectKeyIdentifier"] == "B4:AC:83:5D:21:FB:D6:8A:56:7E:B2:49:6D:69:BB:E4:6F:D8:5A:AC"
   end
-  
+
 end
 
 end

data/test/openssl/test_x509name.rb

@@ -264,18 +264,26 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
     assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[4][2])
   end
 
+  def name_hash(name)
+    # OpenSSL 1.0.0 uses SHA1 for canonical encoding (not just a der) of
+    # X509Name for X509_NAME_hash.
+    name.respond_to?(:hash_old) ? name.hash_old : name.hash
+  end
+
+  def calc_hash(d)
+    (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24
+  end
+
   def test_hash
     dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org"
     name = OpenSSL::X509::Name.parse(dn)
     d = Digest::MD5.digest(name.to_der)
-    expected = (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24
-    assert_equal(expected, name.hash)
+    assert_equal(calc_hash(d), name_hash(name))
     #
     dn = "/DC=org/DC=ruby-lang/CN=baz.ruby-lang.org"
     name = OpenSSL::X509::Name.parse(dn)
     d = Digest::MD5.digest(name.to_der)
-    expected = (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24
-    assert_equal(expected, name.hash)
+    assert_equal(calc_hash(d), name_hash(name))
   end
 end