jruby-openssl 0.7.4 → 0.7.6.1

data/test/1.9/test_pair.rb

@@ -0,0 +1,257 @@
+require_relative 'utils'
+
+if defined?(OpenSSL)
+
+require 'socket'
+require_relative '../ruby/ut_eof'
+
+module SSLPair
+  DHParam = OpenSSL::PKey::DH.new(128)
+  def server
+    host = "127.0.0.1"
+    port = 0
+    ctx = OpenSSL::SSL::SSLContext.new()
+    ctx.ciphers = "ADH"
+    ctx.tmp_dh_callback = proc { DHParam }
+    tcps = TCPServer.new(host, port)
+    ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
+    return ssls
+  end
+
+  def client(port)
+    host = "127.0.0.1"
+    ctx = OpenSSL::SSL::SSLContext.new()
+    ctx.ciphers = "ADH"
+    s = TCPSocket.new(host, port)
+    ssl = OpenSSL::SSL::SSLSocket.new(s, ctx)
+    ssl.connect
+    ssl.sync_close = true
+    ssl
+  end
+
+  def ssl_pair
+    ssls = server
+    th = Thread.new {
+      ns = ssls.accept
+      ssls.close
+      ns
+    }
+    port = ssls.to_io.addr[1]
+    c = client(port)
+    s = th.value
+    if block_given?
+      begin
+        yield c, s
+      ensure
+        c.close unless c.closed?
+        s.close unless s.closed?
+      end
+    else
+      return c, s
+    end
+  ensure
+    if th && th.alive?
+      th.kill
+      th.join
+    end
+  end
+end
+
+class OpenSSL::TestEOF1 < Test::Unit::TestCase
+  include TestEOF
+  include SSLPair
+
+  def open_file(content)
+    s1, s2 = ssl_pair
+    Thread.new { s2 << content; s2.close }
+    yield s1
+  end
+end
+
+class OpenSSL::TestEOF2 < Test::Unit::TestCase
+  include TestEOF
+  include SSLPair
+
+  def open_file(content)
+    s1, s2 = ssl_pair
+    Thread.new { s1 << content; s1.close }
+    yield s2
+  end
+end
+
+class OpenSSL::TestPair < Test::Unit::TestCase
+  include SSLPair
+
+  def test_getc
+    ssl_pair {|s1, s2|
+      s1 << "a"
+      assert_equal(?a, s2.getc)
+    }
+  end
+
+  def test_readpartial
+    ssl_pair {|s1, s2|
+      s2.write "a\nbcd"
+      assert_equal("a\n", s1.gets)
+      read = s1.readpartial(10)
+      assert_equal("bcd"[0, read.bytesize], read)
+      s1.read(read.bytesize - 3) # drop unread bytes
+      s2.write "efg"
+      read = s1.readpartial(10)
+      assert_equal("efg"[0, read.bytesize], read)
+      rest = 3 - read.bytesize
+      while rest > 0
+        rest -= s1.readpartial(rest).size
+      end
+      s2.close
+      assert_raise(EOFError) { s1.readpartial(10) }
+      assert_raise(EOFError) { s1.readpartial(10) }
+      assert_equal("", s1.readpartial(0))
+    }
+  end
+
+  def test_readall
+    ssl_pair {|s1, s2|
+      s2.close
+      assert_equal("", s1.read)
+    }
+  end
+
+  def test_readline
+    ssl_pair {|s1, s2|
+      s2.close
+      assert_raise(EOFError) { s1.readline }
+    }
+  end
+
+  def test_puts_meta
+    ssl_pair {|s1, s2|
+      begin
+        old = $/
+        $/ = '*'
+        s1.puts 'a'
+      ensure
+        $/ = old
+      end
+      s1.close
+      assert_equal("a\n", s2.read)
+    }
+  end
+
+  def test_puts_empty
+    ssl_pair {|s1, s2|
+      s1.puts
+      s1.close
+      assert_equal("\n", s2.read)
+    }
+  end
+
+  def test_read_nonblock
+    ssl_pair {|s1, s2|
+      err = nil
+      assert_raise(OpenSSL::SSL::SSLError) {
+        begin
+          s2.read_nonblock(10)
+        ensure
+          err = $!
+        end
+      }
+      assert_kind_of(IO::WaitReadable, err)
+      s1.write "abc\ndef\n"
+      IO.select([s2])
+      assert_equal("ab", s2.read_nonblock(2))
+      assert_equal("c\n", s2.gets)
+      ret = nil
+      assert_nothing_raised("[ruby-core:20298]") { ret = s2.read_nonblock(10) }
+      assert_equal("def\n", ret)
+    }
+  end
+
+  def test_write_nonblock
+    ssl_pair {|s1, s2|
+      n = 0
+      begin
+        n += s1.write_nonblock("a" * 100000)
+        n += s1.write_nonblock("b" * 100000)
+        n += s1.write_nonblock("c" * 100000)
+        n += s1.write_nonblock("d" * 100000)
+        n += s1.write_nonblock("e" * 100000)
+        n += s1.write_nonblock("f" * 100000)
+      rescue IO::WaitWritable
+      end
+      s1.close
+      assert_equal(n, s2.read.length)
+    }
+  end
+
+  def test_write_nonblock_with_buffered_data
+    ssl_pair {|s1, s2|
+      s1.write "foo"
+      s1.write_nonblock("bar")
+      s1.write "baz"
+      s1.close
+      assert_equal("foobarbaz", s2.read)
+    }
+  end
+
+  def test_connect_accept_nonblock
+    host = "127.0.0.1"
+    port = 0
+    ctx = OpenSSL::SSL::SSLContext.new()
+    ctx.ciphers = "ADH"
+    ctx.tmp_dh_callback = proc { DHParam }
+    serv = TCPServer.new(host, port)
+
+    port = serv.connect_address.ip_port
+
+    sock1 = TCPSocket.new(host, port)
+    sock2 = serv.accept
+    serv.close
+
+    th = Thread.new {
+      s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx)
+      s2.sync_close = true
+      begin
+        sleep 0.2
+        s2.accept_nonblock
+      rescue IO::WaitReadable
+        IO.select([s2])
+        retry
+      rescue IO::WaitWritable
+        IO.select(nil, [s2])
+        retry
+      end
+      s2
+    }
+
+    sleep 0.1
+    ctx = OpenSSL::SSL::SSLContext.new()
+    ctx.ciphers = "ADH"
+    s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx)
+    begin
+      sleep 0.2
+      s1.connect_nonblock
+    rescue IO::WaitReadable
+      IO.select([s1])
+      retry
+    rescue IO::WaitWritable
+      IO.select(nil, [s1])
+      retry
+    end
+    s1.sync_close = true
+
+    s2 = th.value
+
+    s1.print "a\ndef"
+    assert_equal("a\n", s2.gets)
+  ensure
+    s1.close if s1 && !s1.closed?
+    s2.close if s2 && !s2.closed?
+    serv.close if serv && !serv.closed?
+    sock1.close if sock1 && !sock1.closed?
+    sock2.close if sock2 && !sock2.closed?
+  end
+
+end
+
+end

data/test/1.9/test_pkcs12.rb

@@ -0,0 +1,209 @@
+require_relative "utils"
+
+if defined?(OpenSSL)
+
+module OpenSSL
+  class TestPKCS12 < Test::Unit::TestCase
+    include OpenSSL::TestUtils
+
+    def setup
+      ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
+
+      now = Time.now
+      ca_exts = [
+        ["basicConstraints","CA:TRUE",true],
+        ["keyUsage","keyCertSign, cRLSign",true],
+        ["subjectKeyIdentifier","hash",false],
+        ["authorityKeyIdentifier","keyid:always",false],
+      ]
+      
+      @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, now, now+3600, ca_exts,
+                            nil, nil, OpenSSL::Digest::SHA1.new)
+
+      inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA")
+      inter_ca_key = OpenSSL::PKey.read <<-_EOS_
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDp7hIG0SFMG/VWv1dBUWziAPrNmkMXJgTCAoB7jffzRtyyN04K
+oq/89HAszTMStZoMigQURfokzKsjpUp8OYCAEsBtt9d5zPndWMz/gHN73GrXk3LT
+ZsxEn7Xv5Da+Y9F/Hx2QZUHarV5cdZixq2NbzWGwrToogOQMh2pxN3Z/0wIDAQAB
+AoGBAJysUyx3olpsGzv3OMRJeahASbmsSKTXVLZvoIefxOINosBFpCIhZccAG6UV
+5c/xCvS89xBw8aD15uUfziw3AuT8QPEtHCgfSjeT7aWzBfYswEgOW4XPuWr7EeI9
+iNHGD6z+hCN/IQr7FiEBgTp6A+i/hffcSdR83fHWKyb4M7TRAkEA+y4BNd668HmC
+G5MPRx25n6LixuBxrNp1umfjEI6UZgEFVpYOg4agNuimN6NqM253kcTR94QNTUs5
+Kj3EhG1YWwJBAO5rUjiOyCNVX2WUQrOMYK/c1lU7fvrkdygXkvIGkhsPoNRzLPeA
+HGJszKtrKD8bNihWpWNIyqKRHfKVD7yXT+kCQGCAhVCIGTRoypcDghwljHqLnysf
+ci0h5ZdPcIqc7ODfxYhFsJ/Rql5ONgYsT5Ig/+lOQAkjf+TRYM4c2xKx2/8CQBvG
+jv6dy70qDgIUgqzONtlmHeYyFzn9cdBO5sShdVYHvRHjFSMEXsosqK9zvW2UqvuK
+FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3
+Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
+-----END RSA PRIVATE KEY-----
+      _EOS_
+
+      @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, now, now+3600, ca_exts,
+                                 @ca_cert, TEST_KEY_RSA2048, OpenSSL::Digest::SHA1.new)
+
+      exts = [
+        ["keyUsage","digitalSignature",true],
+        ["subjectKeyIdentifier","hash",false],
+      ]
+      ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate")
+      @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, now, now+3600, exts,
+                           @inter_cacert, inter_ca_key, OpenSSL::Digest::SHA1.new)
+    end
+
+    def test_create
+      pkcs12 = OpenSSL::PKCS12.create(
+        "omg",
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert
+      )
+      assert_equal @mycert, pkcs12.certificate
+      assert_equal TEST_KEY_RSA1024, pkcs12.key
+      assert_nil pkcs12.ca_certs
+    end
+
+    def test_create_no_pass
+      pkcs12 = OpenSSL::PKCS12.create(
+        nil,
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert
+      )
+      assert_equal @mycert, pkcs12.certificate
+      assert_equal TEST_KEY_RSA1024, pkcs12.key
+      assert_nil pkcs12.ca_certs
+
+      decoded = OpenSSL::PKCS12.new(pkcs12.to_der)
+      assert_cert @mycert, decoded.certificate
+    end
+
+    def test_create_with_chain
+      chain = [@inter_cacert, @cacert]
+
+      pkcs12 = OpenSSL::PKCS12.create(
+        "omg",
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert,
+        chain
+      )
+      assert_equal chain, pkcs12.ca_certs
+    end
+
+    def test_create_with_chain_decode
+      chain = [@cacert, @inter_cacert]
+
+      passwd = "omg"
+
+      pkcs12 = OpenSSL::PKCS12.create(
+        passwd,
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert,
+        chain
+      )
+
+      decoded = OpenSSL::PKCS12.new(pkcs12.to_der, passwd)
+      assert_equal chain.size, decoded.ca_certs.size
+      assert_include_cert @cacert, decoded.ca_certs
+      assert_include_cert @inter_cacert, decoded.ca_certs
+      assert_cert @mycert, decoded.certificate 
+      assert_equal TEST_KEY_RSA1024.to_der, decoded.key.to_der
+    end
+
+    def test_create_with_bad_nid
+      assert_raises(ArgumentError) do
+        OpenSSL::PKCS12.create(
+          "omg",
+          "hello",
+          TEST_KEY_RSA1024,
+          @mycert,
+          [],
+          "foo"
+        )
+      end
+    end
+
+    def test_create_with_itr
+      OpenSSL::PKCS12.create(
+        "omg",
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert,
+        [],
+        nil,
+        nil,
+        2048
+      )
+
+      assert_raises(TypeError) do
+        OpenSSL::PKCS12.create(
+          "omg",
+          "hello",
+          TEST_KEY_RSA1024,
+          @mycert,
+          [],
+          nil,
+          nil,
+          "omg"
+        )
+      end
+    end
+
+    def test_create_with_mac_itr
+      OpenSSL::PKCS12.create(
+        "omg",
+        "hello",
+        TEST_KEY_RSA1024,
+        @mycert,
+        [],
+        nil,
+        nil,
+        nil,
+        2048
+      )
+
+      assert_raises(TypeError) do
+        OpenSSL::PKCS12.create(
+          "omg",
+          "hello",
+          TEST_KEY_RSA1024,
+          @mycert,
+          [],
+          nil,
+          nil,
+          nil,
+          "omg"
+        )
+      end
+    end
+
+    private
+    def assert_cert expected, actual
+      [
+        :subject,
+        :issuer,
+        :serial,
+        :not_before,
+        :not_after,
+      ].each do |attribute|
+        assert_equal expected.send(attribute), actual.send(attribute)
+      end
+      assert_equal expected.to_der, actual.to_der
+    end
+
+    def assert_include_cert cert, ary
+      der = cert.to_der
+      ary.each do |candidate|
+        if candidate.to_der == der
+          return true
+        end
+      end
+      false
+    end
+
+  end
+end
+
+end

data/test/1.9/test_pkcs7.rb

@@ -0,0 +1,151 @@
+require_relative 'utils'
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestPKCS7 < Test::Unit::TestCase
+  def setup
+    @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
+    @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
+    ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
+    ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
+    ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
+
+    now = Time.now
+    ca_exts = [
+      ["basicConstraints","CA:TRUE",true],
+      ["keyUsage","keyCertSign, cRLSign",true],
+      ["subjectKeyIdentifier","hash",false],
+      ["authorityKeyIdentifier","keyid:always",false],
+    ]
+    @ca_cert = issue_cert(ca, @rsa2048, 1, now, now+3600, ca_exts,
+                           nil, nil, OpenSSL::Digest::SHA1.new)
+    ee_exts = [
+      ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
+      ["authorityKeyIdentifier","keyid:always",false],
+      ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
+    ]
+    @ee1_cert = issue_cert(ee1, @rsa1024, 2, now, now+1800, ee_exts,
+                           @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+    @ee2_cert = issue_cert(ee2, @rsa1024, 3, now, now+1800, ee_exts,
+                           @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+  end
+
+  def issue_cert(*args)
+    OpenSSL::TestUtils.issue_cert(*args)
+  end
+
+  def test_signed
+    store = OpenSSL::X509::Store.new
+    store.add_cert(@ca_cert)
+    ca_certs = [@ca_cert]
+
+    data = "aaaaa\r\nbbbbb\r\nccccc\r\n"
+    tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs)
+    p7 = OpenSSL::PKCS7.new(tmp.to_der)
+    certs = p7.certificates
+    signers = p7.signers
+    assert(p7.verify([], store))
+    assert_equal(data, p7.data)
+    assert_equal(2, certs.size)
+    assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
+    assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
+    assert_equal(1, signers.size)
+    assert_equal(@ee1_cert.serial, signers[0].serial)
+    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+
+    # Normaly OpenSSL tries to translate the supplied content into canonical
+    # MIME format (e.g. a newline character is converted into CR+LF).
+    # If the content is a binary, PKCS7::BINARY flag should be used.
+
+    data = "aaaaa\nbbbbb\nccccc\n"
+    flag = OpenSSL::PKCS7::BINARY
+    tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag)
+    p7 = OpenSSL::PKCS7.new(tmp.to_der)
+    certs = p7.certificates
+    signers = p7.signers
+    assert(p7.verify([], store))
+    assert_equal(data, p7.data)
+    assert_equal(2, certs.size)
+    assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
+    assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
+    assert_equal(1, signers.size)
+    assert_equal(@ee1_cert.serial, signers[0].serial)
+    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+
+    # A signed-data which have multiple signatures can be created
+    # through the following steps.
+    #   1. create two signed-data
+    #   2. copy signerInfo and certificate from one to another
+
+    tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag)
+    tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag)
+    tmp1.add_signer(tmp2.signers[0])
+    tmp1.add_certificate(@ee2_cert)
+
+    p7 = OpenSSL::PKCS7.new(tmp1.to_der)
+    certs = p7.certificates
+    signers = p7.signers
+    assert(p7.verify([], store))
+    assert_equal(data, p7.data)
+    assert_equal(2, certs.size)
+    assert_equal(2, signers.size)
+    assert_equal(@ee1_cert.serial, signers[0].serial)
+    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+    assert_equal(@ee2_cert.serial, signers[1].serial)
+    assert_equal(@ee2_cert.issuer.to_s, signers[1].issuer.to_s)
+  end
+
+  def test_detached_sign
+    store = OpenSSL::X509::Store.new
+    store.add_cert(@ca_cert)
+    ca_certs = [@ca_cert]
+
+    data = "aaaaa\nbbbbb\nccccc\n"
+    flag = OpenSSL::PKCS7::BINARY|OpenSSL::PKCS7::DETACHED
+    tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag)
+    p7 = OpenSSL::PKCS7.new(tmp.to_der)
+    assert_nothing_raised do
+      OpenSSL::ASN1.decode(p7)
+    end
+
+    certs = p7.certificates
+    signers = p7.signers
+    assert(!p7.verify([], store))
+    assert(p7.verify([], store, data))
+    assert_equal(data, p7.data)
+    assert_equal(2, certs.size)
+    assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
+    assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
+    assert_equal(1, signers.size)
+    assert_equal(@ee1_cert.serial, signers[0].serial)
+    assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+  end
+
+  def test_enveloped
+    if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x0090704f
+      # PKCS7_encrypt() of OpenSSL-0.9.7d goes to SEGV.
+      # http://www.mail-archive.com/openssl-dev@openssl.org/msg17376.html
+      return
+    end
+
+    certs = [@ee1_cert, @ee2_cert]
+    cipher = OpenSSL::Cipher::AES.new("128-CBC")
+    data = "aaaaa\nbbbbb\nccccc\n"
+
+    tmp = OpenSSL::PKCS7.encrypt(certs, data, cipher, OpenSSL::PKCS7::BINARY)
+    p7 = OpenSSL::PKCS7.new(tmp.to_der)
+    recip = p7.recipients
+    assert_equal(:enveloped, p7.type)
+    assert_equal(2, recip.size)
+
+    assert_equal(@ca_cert.subject.to_s, recip[0].issuer.to_s)
+    assert_equal(2, recip[0].serial)
+    assert_equal(data, p7.decrypt(@rsa1024, @ee1_cert))
+
+    assert_equal(@ca_cert.subject.to_s, recip[1].issuer.to_s)
+    assert_equal(3, recip[1].serial)
+    assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert))
+  end
+end
+
+end

data/test/1.9/test_pkey_dh.rb

@@ -0,0 +1,72 @@
+require_relative 'utils'
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestPKeyDH < Test::Unit::TestCase
+  def test_new
+    dh = OpenSSL::PKey::DH.new(256)
+    assert_key(dh)
+  end
+
+  def test_to_der
+    dh = OpenSSL::PKey::DH.new(256)
+    der = dh.to_der
+    dh2 = OpenSSL::PKey::DH.new(der)
+    assert_equal_params(dh, dh2)
+    assert_no_key(dh2)
+  end
+
+  def test_to_pem
+    dh = OpenSSL::PKey::DH.new(256)
+    pem = dh.to_pem
+    dh2 = OpenSSL::PKey::DH.new(pem)
+    assert_equal_params(dh, dh2)
+    assert_no_key(dh2)
+  end
+
+  def test_public_key
+    dh = OpenSSL::PKey::DH.new(256)
+    public_key = dh.public_key
+    assert_no_key(public_key) #implies public_key.public? is false!
+    assert_equal(dh.to_der, public_key.to_der)
+    assert_equal(dh.to_pem, public_key.to_pem)
+  end
+
+  def test_generate_key
+    dh = OpenSSL::TestUtils::TEST_KEY_DH512.public_key # creates a copy
+    assert_no_key(dh)
+    dh.generate_key!
+    assert_key(dh)
+  end
+
+  def test_key_exchange
+    dh = OpenSSL::TestUtils::TEST_KEY_DH512
+    dh2 = dh.public_key
+    dh.generate_key!
+    dh2.generate_key!
+    assert_equal(dh.compute_key(dh2.pub_key), dh2.compute_key(dh.pub_key))
+  end
+
+  private
+
+  def assert_equal_params(dh1, dh2)
+    assert_equal(dh1.g, dh2.g)
+    assert_equal(dh1.p, dh2.p)
+  end
+
+  def assert_no_key(dh)
+    assert_equal(false, dh.public?)
+    assert_equal(false, dh.private?)
+    assert_equal(nil, dh.pub_key)
+    assert_equal(nil, dh.priv_key)
+  end
+
+  def assert_key(dh)
+    assert(dh.public?)
+    assert(dh.private?)
+    assert(dh.pub_key)
+    assert(dh.priv_key)
+  end
+end
+
+end