RubyGems - jruby-openssl - Versions diffs - 0.7.1 → 0.7.2 - Mend

jruby-openssl 0.7.1 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

data/History.txt +16 -0
data/Manifest.txt +2 -0
data/Rakefile +1 -0
data/lib/jopenssl.jar +0 -0
data/lib/jopenssl/version.rb +1 -1
data/lib/openssl.rb +1 -0
data/lib/openssl/config.rb +316 -0
data/test/openssl/test_cipher.rb +4 -4
data/test/openssl/test_config.rb +290 -0
data/test/openssl/test_ec.rb +18 -3
data/test/openssl/test_hmac.rb +11 -9
data/test/openssl/test_ns_spki.rb +0 -10
data/test/openssl/test_pkcs7.rb +4 -3
data/test/openssl/test_ssl.rb +3 -9
data/test/openssl/test_x509cert.rb +64 -23
data/test/openssl/test_x509crl.rb +27 -7
data/test/openssl/test_x509ext.rb +5 -1
data/test/openssl/test_x509name.rb +12 -4
data/test/openssl/test_x509req.rb +27 -8
data/test/openssl/utils.rb +12 -3
data/test/test_certificate.rb +32 -0
data/test/test_cipher.rb +24 -0
data/test/test_integration.rb +9 -5
data/test/test_x509store.rb +13 -9
metadata +5 -3

data/test/openssl/test_ec.rb CHANGED

@@ -87,9 +87,24 @@ class OpenSSL::TestEC < Test::Unit::TestCase
   def test_dsa_sign_verify
     for key in @keys
       sig = key.dsa_sign_asn1(@data1)
-      assert_equal(key.dsa_verify_asn1(@data1, sig), true)
-      assert_raise(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) }
+      assert(key.dsa_verify_asn1(@data1, sig))
+    end
+  end
+  def test_dsa_sign_asn1_FIPS186_3
+    for key in @keys
+      size = key.group.order.num_bits / 8 + 1
+      dgst = (1..size).to_a.pack('C*')
+      begin
+        sig = key.dsa_sign_asn1(dgst)
+        # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m
+        assert(key.dsa_verify_asn1(dgst + "garbage", sig))
+      rescue OpenSSL::PKey::ECError => e
+        # just an exception for longer dgst before openssl-0.9.8m
+        assert_equal('ECDSA_sign: data too large for key size', e.message)
+        # no need to do following tests
+        return
+      end
     end
   end

data/test/openssl/test_hmac.rb CHANGED

@@ -4,15 +4,13 @@ rescue LoadError
 end
 require "test/unit"
-if defined?(OpenSSL)
 class OpenSSL::TestHMAC < Test::Unit::TestCase
   def setup
-    @digest = OpenSSL::Digest::MD5.new
+    @digest = OpenSSL::Digest::MD5
     @key = "KEY"
     @data = "DATA"
-    @h1 = OpenSSL::HMAC.new(@key, @digest)
-    @h2 = OpenSSL::HMAC.new(@key, @digest)
+    @h1 = OpenSSL::HMAC.new(@key, @digest.new)
+    @h2 = OpenSSL::HMAC.new(@key, "MD5")
   end
   def teardown
@@ -20,8 +18,14 @@ class OpenSSL::TestHMAC < Test::Unit::TestCase
   def test_hmac
     @h1.update(@data)
-    assert_equal(OpenSSL::HMAC.digest(@digest, @key, @data), @h1.digest, "digest")
-    assert_equal(OpenSSL::HMAC.hexdigest(@digest, @key, @data), @h1.hexdigest, "hexdigest")
+    @h2.update(@data)
+    assert_equal(@h1.digest, @h2.digest)
+    assert_equal(OpenSSL::HMAC.digest(@digest.new, @key, @data), @h1.digest, "digest")
+    assert_equal(OpenSSL::HMAC.hexdigest(@digest.new, @key, @data), @h1.hexdigest, "hexdigest")
+    assert_equal(OpenSSL::HMAC.digest("MD5", @key, @data), @h2.digest, "digest")
+    assert_equal(OpenSSL::HMAC.hexdigest("MD5", @key, @data), @h2.hexdigest, "hexdigest")
   end
   def test_dup
@@ -40,5 +44,3 @@ class OpenSSL::TestHMAC < Test::Unit::TestCase
       OpenSSL::HMAC.hexdigest(digest256, 'blah', "blah"))
   end
 end
-end

data/test/openssl/test_ns_spki.rb CHANGED

@@ -22,16 +22,6 @@ class OpenSSL::TestNSSPI < Test::Unit::TestCase
   def teardown
   end
-def pr(obj, ind=0)
-  if obj.respond_to?(:value)
-    puts((" "*ind) + obj.class.to_s + ":")
-    pr(obj.value,(ind+1))
-  elsif obj.respond_to?(:each) && !(String===obj)
-    obj.each {|v| pr(v,ind+1) }
-  else
-    puts((" "*ind) + obj.inspect)
-  end
-end
   def test_build_data
     key1 = OpenSSL::TestUtils::TEST_KEY_RSA1024

data/test/openssl/test_pkcs7.rb CHANGED

@@ -36,7 +36,7 @@ class OpenSSL::TestPKCS7 < Test::Unit::TestCase
                            @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
   end
-  def issue_cert(*args)
+  def issue_cert(*args)
     OpenSSL::TestUtils.issue_cert(*args)
   end
@@ -78,7 +78,7 @@ class OpenSSL::TestPKCS7 < Test::Unit::TestCase
     assert_equal(@ee1_cert.serial, signers[0].serial)
     assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
-    # A signed-data which have multiple signatures can be created
+    # A signed-data which have multiple signatures can be created
     # through the following steps.
     #   1. create two signed-data
     #   2. copy signerInfo and certificate from one to another
@@ -86,7 +86,7 @@ class OpenSSL::TestPKCS7 < Test::Unit::TestCase
     tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag)
     tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag)
     tmp1.add_signer(tmp2.signers[0])
-    tmp1.add_certificate(@ee2_cert)
+    tmp1.add_certificate(@ee2_cert)
     p7 = OpenSSL::PKCS7.new(tmp1.to_der)
     certs = p7.certificates
@@ -135,6 +135,7 @@ class OpenSSL::TestPKCS7 < Test::Unit::TestCase
     certs = [@ee1_cert, @ee2_cert]
     cipher = OpenSSL::Cipher::AES.new("128-CBC")
     data = "aaaaa\nbbbbb\nccccc\n"
     tmp = OpenSSL::PKCS7.encrypt(certs, data, cipher, OpenSSL::PKCS7::BINARY)
     p7 = OpenSSL::PKCS7.new(tmp.to_der)
     recip = p7.recipients

data/test/openssl/test_ssl.rb CHANGED

@@ -111,7 +111,7 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
         server_proc.call(ctx, ssl)
       end
     end
-  rescue Errno::EBADF, IOError
+  rescue Errno::EBADF, IOError, Errno::EINVAL, Errno::ECONNABORTED
   end
   def start_server(port0, verify_mode, start_immediately, args = {}, &block)
@@ -132,12 +132,6 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
     Socket.do_not_reverse_lookup = true
     tcps, port = choose_port(port0)
-    begin
-      tcps = TCPServer.new("127.0.0.1", port)
-    rescue Errno::EADDRINUSE
-      port += 1
-      retry
-    end
     ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
     ssls.start_immediately = start_immediately
@@ -954,7 +948,7 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
         ctx.session_add(saved_session)
       end
       connections += 1
       readwrite_loop(ctx, ssl)
     end
@@ -999,7 +993,7 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
     ctx_proc = Proc.new do |ctx, ssl|
       foo_ctx = ctx.dup
-      ctx.servername_cb = Proc.new do |ssl, hostname|
+      ctx.servername_cb = Proc.new do |ssl2, hostname|
         case hostname
         when 'foo.example.com'
           foo_ctx

data/test/openssl/test_x509cert.rb CHANGED

@@ -28,7 +28,7 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
   def test_serial
     [1, 2**32, 2**100].each{|s|
       cert = issue_cert(@ca, @rsa2048, s, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::SHA1.new)
+                        nil, nil, OpenSSL::Digest::SHA1.new)
       assert_equal(s, cert.serial)
       cert = OpenSSL::X509::Certificate.new(cert.to_der)
       assert_equal(s, cert.serial)
@@ -60,25 +60,25 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
   def test_validity
     now = Time.now until now && now.usec != 0
     cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+                      nil, nil, OpenSSL::Digest::SHA1.new)
     assert_not_equal(now, cert.not_before)
     assert_not_equal(now+3600, cert.not_after)
     now = Time.at(now.to_i)
     cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+                      nil, nil, OpenSSL::Digest::SHA1.new)
     assert_equal(now.getutc, cert.not_before)
     assert_equal((now+3600).getutc, cert.not_after)
     now = Time.at(0)
     cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+                      nil, nil, OpenSSL::Digest::SHA1.new)
     assert_equal(now.getutc, cert.not_before)
     assert_equal(now.getutc, cert.not_after)
     now = Time.at(0x7fffffff)
     cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+                      nil, nil, OpenSSL::Digest::SHA1.new)
     assert_equal(now.getutc, cert.not_before)
     assert_equal(now.getutc, cert.not_after)
   end
@@ -91,7 +91,7 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
       ["authorityKeyIdentifier","keyid:always",false],
     ]
     ca_cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts,
-                         nil, nil, OpenSSL::Digest::SHA1.new)
+                         nil, nil, OpenSSL::Digest::SHA1.new)
     ca_cert.extensions.each_with_index{|ext, i|
       assert_equal(ca_exts[i].first, ext.oid)
       assert_equal(ca_exts[i].last, ext.critical?)
@@ -105,7 +105,7 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
       ["subjectAltName","email:ee1@ruby-lang.org",false],
     ]
     ee1_cert = issue_cert(@ee1, @rsa1024, 2, Time.now, Time.now+1800, ee1_exts,
-                          ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+                          ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der)
     ee1_cert.extensions.each_with_index{|ext, i|
       assert_equal(ee1_exts[i].first, ext.oid)
@@ -120,7 +120,7 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
       ["subjectAltName","email:ee2@ruby-lang.org",false],
     ]
     ee2_cert = issue_cert(@ee2, @rsa1024, 3, Time.now, Time.now+1800, ee2_exts,
-                          ca_cert, @rsa2048, OpenSSL::Digest::MD5.new)
+                          ca_cert, @rsa2048, OpenSSL::Digest::MD5.new)
     assert_equal(ca_cert.subject.to_der, ee2_cert.issuer.to_der)
     ee2_cert.extensions.each_with_index{|ext, i|
       assert_equal(ee2_exts[i].first, ext.oid)
@@ -129,46 +129,87 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
   end
+  def test_sign_and_verify_wrong_key_type
+    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, cert_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::CertificateError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+    begin
+      assert_equal(false, cert_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::CertificateError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
   def test_sign_and_verify
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    assert_equal("sha1WithRSAEncryption", cert.signature_algorithm)
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true,  cert.verify(@rsa2048))
-    assert_equal(false, cert.verify(@dsa256))
-    assert_equal(false, cert.verify(@dsa512))
     cert.serial = 2
     assert_equal(false, cert.verify(@rsa2048))
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::MD5.new)
+                      nil, nil, OpenSSL::Digest::MD5.new)
+    assert_equal("md5WithRSAEncryption", cert.signature_algorithm)
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true,  cert.verify(@rsa2048))
-    assert_equal(false, cert.verify(@dsa256))
-    assert_equal(false, cert.verify(@dsa512))
     cert.subject = @ee1
     assert_equal(false, cert.verify(@rsa2048))
     cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, cert.verify(@rsa1024))
-    assert_equal(false, cert.verify(@rsa2048))
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    assert_equal("dsaWithSHA1", cert.signature_algorithm)
     assert_equal(false, cert.verify(@dsa256))
     assert_equal(true,  cert.verify(@dsa512))
-    cert.not_after = Time.now
+    cert.not_after = Time.now
     assert_equal(false, cert.verify(@dsa512))
     assert_raise(OpenSSL::X509::CertificateError){
       cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::DSS1.new)
+                        nil, nil, OpenSSL::Digest::DSS1.new)
     }
     assert_raise(OpenSSL::X509::CertificateError){
       cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::MD5.new)
+                        nil, nil, OpenSSL::Digest::MD5.new)
     }
-    assert_raise(OpenSSL::X509::CertificateError){
+  end
+  def test_dsig_algorithm_mismatch
+    assert_raise(OpenSSL::X509::CertificateError) do
+      cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                        nil, nil, OpenSSL::Digest::DSS1.new)
+    end
+    assert_raise(OpenSSL::X509::CertificateError) do
       cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::SHA1.new)
-    }
+                        nil, nil, OpenSSL::Digest::MD5.new)
+    end
+  end
+  def test_dsa_with_sha2
+    begin
+      cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
+                        nil, nil, OpenSSL::Digest::SHA256.new)
+      assert_equal("dsa_with_SHA256", cert.signature_algorithm)
+    rescue OpenSSL::X509::CertificateError
+      # dsa_with_sha2 not supported. skip following test.
+      return
+    end
+    # TODO: need more tests for dsa + sha2
+    # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requireds DSS1)
+    cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    assert_equal("dsaWithSHA1", cert.signature_algorithm)
   end
   def test_check_private_key

data/test/openssl/test_x509crl.rb CHANGED

@@ -125,13 +125,13 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
   def test_extension
     cert_exts = [
       ["basicConstraints", "CA:TRUE", true],
-      ["subjectKeyIdentifier", "hash", false],
-      ["authorityKeyIdentifier", "keyid:always", false],
+      ["subjectKeyIdentifier", "hash", false],
+      ["authorityKeyIdentifier", "keyid:always", false],
       ["subjectAltName", "email:xyzzy@ruby-lang.org", false],
       ["keyUsage", "cRLSign, keyCertSign", true],
     ]
     crl_exts = [
-      ["authorityKeyIdentifier", "keyid:always", false],
+      ["authorityKeyIdentifier", "keyid:always", false],
       ["issuerAltName", "issuer:copy", false],
     ]
@@ -190,6 +190,30 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
     assert_match((2**100).to_s, crl.extensions[0].value)
   end
+  def test_sign_and_verify_wrong_key_type
+    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new)
+    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, crl_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::CRLError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+    begin
+      assert_equal(false, crl_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::CRLError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
   def test_sign_and_verify
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::SHA1.new)
@@ -197,8 +221,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
                     cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     assert_equal(false, crl.verify(@rsa1024))
     assert_equal(true,  crl.verify(@rsa2048))
-    assert_equal(false, crl.verify(@dsa256))
-    assert_equal(false, crl.verify(@dsa512))
     crl.version = 0
     assert_equal(false, crl.verify(@rsa2048))
@@ -206,8 +228,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
                       nil, nil, OpenSSL::Digest::DSS1.new)
     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
                     cert, @dsa512, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, crl.verify(@rsa1024))
-    assert_equal(false, crl.verify(@rsa2048))
     assert_equal(false, crl.verify(@dsa256))
     assert_equal(true,  crl.verify(@dsa512))
     crl.version = 0

data/test/openssl/test_x509ext.rb CHANGED

@@ -56,18 +56,22 @@ class OpenSSL::TestX509Extension < Test::Unit::TestCase
     cdp = ef.create_extension("crlDistributionPoints", "@crlDistPts")
     assert_equal(false, cdp.critical?)
     assert_equal("crlDistributionPoints", cdp.oid)
+=begin TODO: JRuby-OSSL does not implement some features such as config reference, DER:, etc.
     assert_match(%{URI:http://www\.example\.com/crl}, cdp.value)
     assert_match(
       %r{URI:ldap://ldap\.example\.com/cn=ca\?certificateRevocationList;binary},
       cdp.value)
+=end
     cdp = ef.create_extension("crlDistributionPoints", "critical, @crlDistPts")
     assert_equal(true, cdp.critical?)
     assert_equal("crlDistributionPoints", cdp.oid)
+=begin TODO: ditto
     assert_match(%{URI:http://www.example.com/crl}, cdp.value)
     assert_match(
       %r{URI:ldap://ldap.example.com/cn=ca\?certificateRevocationList;binary},
       cdp.value)
+=end
   end
   # JRUBY-3888
@@ -89,7 +93,7 @@ class OpenSSL::TestX509Extension < Test::Unit::TestCase
     assert exts["subjectKeyIdentifier"] == "B4:AC:83:5D:21:FB:D6:8A:56:7E:B2:49:6D:69:BB:E4:6F:D8:5A:AC"
   end
 end
 end

data/test/openssl/test_x509name.rb CHANGED

@@ -264,18 +264,26 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
     assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[4][2])
   end
+  def name_hash(name)
+    # OpenSSL 1.0.0 uses SHA1 for canonical encoding (not just a der) of
+    # X509Name for X509_NAME_hash.
+    name.respond_to?(:hash_old) ? name.hash_old : name.hash
+  end
+  def calc_hash(d)
+    (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24
+  end
   def test_hash
     dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org"
     name = OpenSSL::X509::Name.parse(dn)
     d = Digest::MD5.digest(name.to_der)
-    expected = (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24
-    assert_equal(expected, name.hash)
+    assert_equal(calc_hash(d), name_hash(name))
     #
     dn = "/DC=org/DC=ruby-lang/CN=baz.ruby-lang.org"
     name = OpenSSL::X509::Name.parse(dn)
     d = Digest::MD5.digest(name.to_der)
-    expected = (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24
-    assert_equal(expected, name.hash)
+    assert_equal(calc_hash(d), name_hash(name))
   end
 end