openssl 2.1.3 → 3.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +35 -45
- data/History.md +266 -1
- data/README.md +2 -2
- data/ext/openssl/extconf.rb +46 -38
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +59 -43
- data/ext/openssl/ossl.c +110 -64
- data/ext/openssl/ossl.h +27 -10
- data/ext/openssl/ossl_asn1.c +41 -4
- data/ext/openssl/ossl_bn.c +251 -134
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +38 -29
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +25 -60
- data/ext/openssl/ossl_engine.c +18 -27
- data/ext/openssl/ossl_hmac.c +60 -145
- data/ext/openssl/ossl_kdf.c +11 -19
- data/ext/openssl/ossl_ns_spki.c +1 -1
- data/ext/openssl/ossl_ocsp.c +9 -62
- data/ext/openssl/ossl_ocsp.h +3 -3
- data/ext/openssl/ossl_pkcs12.c +21 -3
- data/ext/openssl/ossl_pkcs7.c +45 -78
- data/ext/openssl/ossl_pkcs7.h +16 -0
- data/ext/openssl/ossl_pkey.c +1295 -178
- data/ext/openssl/ossl_pkey.h +35 -72
- data/ext/openssl/ossl_pkey_dh.c +124 -334
- data/ext/openssl/ossl_pkey_dsa.c +93 -398
- data/ext/openssl/ossl_pkey_ec.c +186 -329
- data/ext/openssl/ossl_pkey_rsa.c +105 -484
- data/ext/openssl/ossl_rand.c +2 -32
- data/ext/openssl/ossl_ssl.c +347 -394
- data/ext/openssl/ossl_ssl_session.c +24 -29
- data/ext/openssl/ossl_ts.c +1539 -0
- data/ext/openssl/ossl_ts.h +16 -0
- data/ext/openssl/ossl_x509.c +0 -6
- data/ext/openssl/ossl_x509cert.c +169 -13
- data/ext/openssl/ossl_x509crl.c +13 -10
- data/ext/openssl/ossl_x509ext.c +15 -2
- data/ext/openssl/ossl_x509name.c +15 -4
- data/ext/openssl/ossl_x509req.c +13 -10
- data/ext/openssl/ossl_x509revoked.c +3 -3
- data/ext/openssl/ossl_x509store.c +154 -70
- data/lib/openssl/bn.rb +1 -1
- data/lib/openssl/buffering.rb +37 -5
- data/lib/openssl/cipher.rb +1 -1
- data/lib/openssl/digest.rb +10 -12
- data/lib/openssl/hmac.rb +78 -0
- data/lib/openssl/marshal.rb +30 -0
- data/lib/openssl/pkcs5.rb +1 -1
- data/lib/openssl/pkey.rb +443 -1
- data/lib/openssl/ssl.rb +47 -9
- data/lib/openssl/version.rb +5 -0
- data/lib/openssl/x509.rb +177 -1
- data/lib/openssl.rb +24 -9
- metadata +10 -79
- data/ext/openssl/deprecation.rb +0 -27
- data/ext/openssl/ossl_version.h +0 -15
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -492
@@ -0,0 +1,16 @@
|
|
1
|
+
/*
|
2
|
+
*
|
3
|
+
* Copyright (C) 2010 Martin Bosslet <Martin.Bosslet@googlemail.com>
|
4
|
+
* All rights reserved.
|
5
|
+
*/
|
6
|
+
/*
|
7
|
+
* This program is licenced under the same licence as Ruby.
|
8
|
+
* (See the file 'LICENCE'.)
|
9
|
+
*/
|
10
|
+
|
11
|
+
#if !defined(_OSSL_TS_H_)
|
12
|
+
#define _OSSL_TS_H_
|
13
|
+
|
14
|
+
void Init_ossl_ts(void);
|
15
|
+
|
16
|
+
#endif
|
data/ext/openssl/ossl_x509.c
CHANGED
@@ -115,11 +115,9 @@ Init_ossl_x509(void)
|
|
115
115
|
DefX509Const(V_ERR_SUITE_B_LOS_NOT_ALLOWED);
|
116
116
|
DefX509Const(V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256);
|
117
117
|
#endif
|
118
|
-
#if defined(X509_V_ERR_HOSTNAME_MISMATCH)
|
119
118
|
DefX509Const(V_ERR_HOSTNAME_MISMATCH);
|
120
119
|
DefX509Const(V_ERR_EMAIL_MISMATCH);
|
121
120
|
DefX509Const(V_ERR_IP_ADDRESS_MISMATCH);
|
122
|
-
#endif
|
123
121
|
#if defined(X509_V_ERR_DANE_NO_MATCH)
|
124
122
|
DefX509Const(V_ERR_DANE_NO_MATCH);
|
125
123
|
#endif
|
@@ -187,12 +185,10 @@ Init_ossl_x509(void)
|
|
187
185
|
/* Set by Store#flags= and StoreContext#flags=. Enables checking of the
|
188
186
|
* signature of the root self-signed CA. */
|
189
187
|
DefX509Const(V_FLAG_CHECK_SS_SIGNATURE);
|
190
|
-
#if defined(X509_V_FLAG_TRUSTED_FIRST)
|
191
188
|
/* Set by Store#flags= and StoreContext#flags=. When constructing a
|
192
189
|
* certificate chain, search the Store first for the issuer certificate.
|
193
190
|
* Enabled by default in OpenSSL >= 1.1.0. */
|
194
191
|
DefX509Const(V_FLAG_TRUSTED_FIRST);
|
195
|
-
#endif
|
196
192
|
#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY)
|
197
193
|
/* Set by Store#flags= and StoreContext#flags=.
|
198
194
|
* Enables Suite B 128 bit only mode. */
|
@@ -208,11 +204,9 @@ Init_ossl_x509(void)
|
|
208
204
|
* Enables Suite B 128 bit mode allowing 192 bit algorithms. */
|
209
205
|
DefX509Const(V_FLAG_SUITEB_128_LOS);
|
210
206
|
#endif
|
211
|
-
#if defined(X509_V_FLAG_PARTIAL_CHAIN)
|
212
207
|
/* Set by Store#flags= and StoreContext#flags=.
|
213
208
|
* Allows partial chains if at least one certificate is in trusted store. */
|
214
209
|
DefX509Const(V_FLAG_PARTIAL_CHAIN);
|
215
|
-
#endif
|
216
210
|
#if defined(X509_V_FLAG_NO_ALT_CHAINS)
|
217
211
|
/* Set by Store#flags= and StoreContext#flags=. Suppresses searching for
|
218
212
|
* a alternative chain. No effect in OpenSSL >= 1.1.0. */
|
data/ext/openssl/ossl_x509cert.c
CHANGED
@@ -115,24 +115,27 @@ static VALUE
|
|
115
115
|
ossl_x509_initialize(int argc, VALUE *argv, VALUE self)
|
116
116
|
{
|
117
117
|
BIO *in;
|
118
|
-
X509 *x509, *
|
118
|
+
X509 *x509, *x509_orig = RTYPEDDATA_DATA(self);
|
119
119
|
VALUE arg;
|
120
120
|
|
121
|
+
rb_check_frozen(self);
|
121
122
|
if (rb_scan_args(argc, argv, "01", &arg) == 0) {
|
122
123
|
/* create just empty X509Cert */
|
123
124
|
return self;
|
124
125
|
}
|
125
126
|
arg = ossl_to_der_if_possible(arg);
|
126
127
|
in = ossl_obj2bio(&arg);
|
127
|
-
x509 =
|
128
|
-
DATA_PTR(self) = x;
|
128
|
+
x509 = d2i_X509_bio(in, NULL);
|
129
129
|
if (!x509) {
|
130
|
-
|
131
|
-
|
132
|
-
DATA_PTR(self) = x;
|
130
|
+
OSSL_BIO_reset(in);
|
131
|
+
x509 = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
133
132
|
}
|
134
133
|
BIO_free(in);
|
135
|
-
if (!x509)
|
134
|
+
if (!x509)
|
135
|
+
ossl_raise(eX509CertError, "PEM_read_bio_X509");
|
136
|
+
|
137
|
+
RTYPEDDATA_DATA(self) = x509;
|
138
|
+
X509_free(x509_orig);
|
136
139
|
|
137
140
|
return self;
|
138
141
|
}
|
@@ -639,12 +642,12 @@ ossl_x509_set_extensions(VALUE self, VALUE ary)
|
|
639
642
|
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
|
640
643
|
}
|
641
644
|
GetX509(self, x509);
|
642
|
-
|
643
|
-
|
645
|
+
for (i = X509_get_ext_count(x509); i > 0; i--)
|
646
|
+
X509_EXTENSION_free(X509_delete_ext(x509, 0));
|
644
647
|
for (i=0; i<RARRAY_LEN(ary); i++) {
|
645
648
|
ext = GetX509ExtPtr(RARRAY_AREF(ary, i));
|
646
649
|
if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext */
|
647
|
-
ossl_raise(eX509CertError,
|
650
|
+
ossl_raise(eX509CertError, "X509_add_ext");
|
648
651
|
}
|
649
652
|
}
|
650
653
|
|
@@ -704,6 +707,157 @@ ossl_x509_eq(VALUE self, VALUE other)
|
|
704
707
|
return !X509_cmp(a, b) ? Qtrue : Qfalse;
|
705
708
|
}
|
706
709
|
|
710
|
+
struct load_chained_certificates_arguments {
|
711
|
+
VALUE certificates;
|
712
|
+
X509 *certificate;
|
713
|
+
};
|
714
|
+
|
715
|
+
static VALUE
|
716
|
+
load_chained_certificates_append_push(VALUE _arguments) {
|
717
|
+
struct load_chained_certificates_arguments *arguments = (struct load_chained_certificates_arguments*)_arguments;
|
718
|
+
|
719
|
+
if (arguments->certificates == Qnil) {
|
720
|
+
arguments->certificates = rb_ary_new();
|
721
|
+
}
|
722
|
+
|
723
|
+
rb_ary_push(arguments->certificates, ossl_x509_new(arguments->certificate));
|
724
|
+
|
725
|
+
return Qnil;
|
726
|
+
}
|
727
|
+
|
728
|
+
static VALUE
|
729
|
+
load_chained_certificate_append_ensure(VALUE _arguments) {
|
730
|
+
struct load_chained_certificates_arguments *arguments = (struct load_chained_certificates_arguments*)_arguments;
|
731
|
+
|
732
|
+
X509_free(arguments->certificate);
|
733
|
+
|
734
|
+
return Qnil;
|
735
|
+
}
|
736
|
+
|
737
|
+
inline static VALUE
|
738
|
+
load_chained_certificates_append(VALUE certificates, X509 *certificate) {
|
739
|
+
struct load_chained_certificates_arguments arguments;
|
740
|
+
arguments.certificates = certificates;
|
741
|
+
arguments.certificate = certificate;
|
742
|
+
|
743
|
+
rb_ensure(load_chained_certificates_append_push, (VALUE)&arguments, load_chained_certificate_append_ensure, (VALUE)&arguments);
|
744
|
+
|
745
|
+
return arguments.certificates;
|
746
|
+
}
|
747
|
+
|
748
|
+
static VALUE
|
749
|
+
load_chained_certificates_PEM(BIO *in) {
|
750
|
+
VALUE certificates = Qnil;
|
751
|
+
X509 *certificate = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
752
|
+
|
753
|
+
/* If we cannot read even one certificate: */
|
754
|
+
if (certificate == NULL) {
|
755
|
+
/* If we cannot read one certificate because we could not read the PEM encoding: */
|
756
|
+
if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) {
|
757
|
+
ossl_clear_error();
|
758
|
+
}
|
759
|
+
|
760
|
+
if (ERR_peek_last_error())
|
761
|
+
ossl_raise(eX509CertError, NULL);
|
762
|
+
else
|
763
|
+
return Qnil;
|
764
|
+
}
|
765
|
+
|
766
|
+
certificates = load_chained_certificates_append(Qnil, certificate);
|
767
|
+
|
768
|
+
while ((certificate = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
|
769
|
+
load_chained_certificates_append(certificates, certificate);
|
770
|
+
}
|
771
|
+
|
772
|
+
/* We tried to read one more certificate but could not read start line: */
|
773
|
+
if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) {
|
774
|
+
/* This is not an error, it means we are finished: */
|
775
|
+
ossl_clear_error();
|
776
|
+
|
777
|
+
return certificates;
|
778
|
+
}
|
779
|
+
|
780
|
+
/* Alternatively, if we reached the end of the file and there was no error: */
|
781
|
+
if (BIO_eof(in) && !ERR_peek_last_error()) {
|
782
|
+
return certificates;
|
783
|
+
} else {
|
784
|
+
/* Otherwise, we tried to read a certificate but failed somewhere: */
|
785
|
+
ossl_raise(eX509CertError, NULL);
|
786
|
+
}
|
787
|
+
}
|
788
|
+
|
789
|
+
static VALUE
|
790
|
+
load_chained_certificates_DER(BIO *in) {
|
791
|
+
X509 *certificate = d2i_X509_bio(in, NULL);
|
792
|
+
|
793
|
+
/* If we cannot read one certificate: */
|
794
|
+
if (certificate == NULL) {
|
795
|
+
/* Ignore error. We could not load. */
|
796
|
+
ossl_clear_error();
|
797
|
+
|
798
|
+
return Qnil;
|
799
|
+
}
|
800
|
+
|
801
|
+
return load_chained_certificates_append(Qnil, certificate);
|
802
|
+
}
|
803
|
+
|
804
|
+
static VALUE
|
805
|
+
load_chained_certificates(VALUE _io) {
|
806
|
+
BIO *in = (BIO*)_io;
|
807
|
+
VALUE certificates = Qnil;
|
808
|
+
|
809
|
+
/*
|
810
|
+
DER is a binary format and it may contain octets within it that look like
|
811
|
+
PEM encoded certificates. So we need to check DER first.
|
812
|
+
*/
|
813
|
+
certificates = load_chained_certificates_DER(in);
|
814
|
+
|
815
|
+
if (certificates != Qnil)
|
816
|
+
return certificates;
|
817
|
+
|
818
|
+
OSSL_BIO_reset(in);
|
819
|
+
|
820
|
+
certificates = load_chained_certificates_PEM(in);
|
821
|
+
|
822
|
+
if (certificates != Qnil)
|
823
|
+
return certificates;
|
824
|
+
|
825
|
+
/* Otherwise we couldn't read the output correctly so fail: */
|
826
|
+
ossl_raise(eX509CertError, "Could not detect format of certificate data!");
|
827
|
+
}
|
828
|
+
|
829
|
+
static VALUE
|
830
|
+
load_chained_certificates_ensure(VALUE _io) {
|
831
|
+
BIO *in = (BIO*)_io;
|
832
|
+
|
833
|
+
BIO_free(in);
|
834
|
+
|
835
|
+
return Qnil;
|
836
|
+
}
|
837
|
+
|
838
|
+
/*
|
839
|
+
* call-seq:
|
840
|
+
* OpenSSL::X509::Certificate.load(string) -> [certs...]
|
841
|
+
* OpenSSL::X509::Certificate.load(file) -> [certs...]
|
842
|
+
*
|
843
|
+
* Read the chained certificates from the given input. Supports both PEM
|
844
|
+
* and DER encoded certificates.
|
845
|
+
*
|
846
|
+
* PEM is a text format and supports more than one certificate.
|
847
|
+
*
|
848
|
+
* DER is a binary format and only supports one certificate.
|
849
|
+
*
|
850
|
+
* If the file is empty, or contains only unrelated data, an
|
851
|
+
* +OpenSSL::X509::CertificateError+ exception will be raised.
|
852
|
+
*/
|
853
|
+
static VALUE
|
854
|
+
ossl_x509_load(VALUE klass, VALUE buffer)
|
855
|
+
{
|
856
|
+
BIO *in = ossl_obj2bio(&buffer);
|
857
|
+
|
858
|
+
return rb_ensure(load_chained_certificates, (VALUE)in, load_chained_certificates_ensure, (VALUE)in);
|
859
|
+
}
|
860
|
+
|
707
861
|
/*
|
708
862
|
* INIT
|
709
863
|
*/
|
@@ -730,7 +884,7 @@ Init_ossl_x509cert(void)
|
|
730
884
|
* Certificate is capable of handling DER-encoded certificates and
|
731
885
|
* certificates encoded in OpenSSL's PEM format.
|
732
886
|
*
|
733
|
-
* raw = File.
|
887
|
+
* raw = File.binread "cert.cer" # DER- or PEM-encoded
|
734
888
|
* certificate = OpenSSL::X509::Certificate.new raw
|
735
889
|
*
|
736
890
|
* === Saving a certificate to a file
|
@@ -788,7 +942,7 @@ Init_ossl_x509cert(void)
|
|
788
942
|
* root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
|
789
943
|
* root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
|
790
944
|
* root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
|
791
|
-
* root_ca.sign(root_key, OpenSSL::Digest
|
945
|
+
* root_ca.sign(root_key, OpenSSL::Digest.new('SHA256'))
|
792
946
|
*
|
793
947
|
* The next step is to create the end-entity certificate using the root CA
|
794
948
|
* certificate.
|
@@ -807,11 +961,13 @@ Init_ossl_x509cert(void)
|
|
807
961
|
* ef.issuer_certificate = root_ca
|
808
962
|
* cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true))
|
809
963
|
* cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
|
810
|
-
* cert.sign(root_key, OpenSSL::Digest
|
964
|
+
* cert.sign(root_key, OpenSSL::Digest.new('SHA256'))
|
811
965
|
*
|
812
966
|
*/
|
813
967
|
cX509Cert = rb_define_class_under(mX509, "Certificate", rb_cObject);
|
814
968
|
|
969
|
+
rb_define_singleton_method(cX509Cert, "load", ossl_x509_load, 1);
|
970
|
+
|
815
971
|
rb_define_alloc_func(cX509Cert, ossl_x509_alloc);
|
816
972
|
rb_define_method(cX509Cert, "initialize", ossl_x509_initialize, -1);
|
817
973
|
rb_define_method(cX509Cert, "initialize_copy", ossl_x509_copy, 1);
|
data/ext/openssl/ossl_x509crl.c
CHANGED
@@ -93,23 +93,26 @@ static VALUE
|
|
93
93
|
ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self)
|
94
94
|
{
|
95
95
|
BIO *in;
|
96
|
-
X509_CRL *crl, *
|
96
|
+
X509_CRL *crl, *crl_orig = RTYPEDDATA_DATA(self);
|
97
97
|
VALUE arg;
|
98
98
|
|
99
|
+
rb_check_frozen(self);
|
99
100
|
if (rb_scan_args(argc, argv, "01", &arg) == 0) {
|
100
101
|
return self;
|
101
102
|
}
|
102
103
|
arg = ossl_to_der_if_possible(arg);
|
103
104
|
in = ossl_obj2bio(&arg);
|
104
|
-
crl =
|
105
|
-
DATA_PTR(self) = x;
|
105
|
+
crl = d2i_X509_CRL_bio(in, NULL);
|
106
106
|
if (!crl) {
|
107
|
-
|
108
|
-
|
109
|
-
DATA_PTR(self) = x;
|
107
|
+
OSSL_BIO_reset(in);
|
108
|
+
crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
|
110
109
|
}
|
111
110
|
BIO_free(in);
|
112
|
-
if (!crl)
|
111
|
+
if (!crl)
|
112
|
+
ossl_raise(eX509CRLError, "PEM_read_bio_X509_CRL");
|
113
|
+
|
114
|
+
RTYPEDDATA_DATA(self) = crl;
|
115
|
+
X509_CRL_free(crl_orig);
|
113
116
|
|
114
117
|
return self;
|
115
118
|
}
|
@@ -471,12 +474,12 @@ ossl_x509crl_set_extensions(VALUE self, VALUE ary)
|
|
471
474
|
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
|
472
475
|
}
|
473
476
|
GetX509CRL(self, crl);
|
474
|
-
|
475
|
-
|
477
|
+
for (i = X509_CRL_get_ext_count(crl); i > 0; i--)
|
478
|
+
X509_EXTENSION_free(X509_CRL_delete_ext(crl, 0));
|
476
479
|
for (i=0; i<RARRAY_LEN(ary); i++) {
|
477
480
|
ext = GetX509ExtPtr(RARRAY_AREF(ary, i)); /* NO NEED TO DUP */
|
478
481
|
if (!X509_CRL_add_ext(crl, ext, -1)) {
|
479
|
-
ossl_raise(eX509CRLError,
|
482
|
+
ossl_raise(eX509CRLError, "X509_CRL_add_ext");
|
480
483
|
}
|
481
484
|
}
|
482
485
|
|
data/ext/openssl/ossl_x509ext.c
CHANGED
@@ -226,11 +226,10 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
|
|
226
226
|
GetX509ExtFactory(self, ctx);
|
227
227
|
obj = NewX509Ext(cX509Ext);
|
228
228
|
rconf = rb_iv_get(self, "@config");
|
229
|
-
conf = NIL_P(rconf) ? NULL :
|
229
|
+
conf = NIL_P(rconf) ? NULL : GetConfig(rconf);
|
230
230
|
X509V3_set_nconf(ctx, conf);
|
231
231
|
ext = X509V3_EXT_nconf_nid(conf, ctx, nid, RSTRING_PTR(valstr));
|
232
232
|
X509V3_set_ctx_nodb(ctx);
|
233
|
-
NCONF_free(conf);
|
234
233
|
if (!ext){
|
235
234
|
ossl_raise(eX509ExtError, "%"PRIsVALUE" = %"PRIsVALUE, oid, valstr);
|
236
235
|
}
|
@@ -402,6 +401,19 @@ ossl_x509ext_get_value(VALUE obj)
|
|
402
401
|
return ret;
|
403
402
|
}
|
404
403
|
|
404
|
+
static VALUE
|
405
|
+
ossl_x509ext_get_value_der(VALUE obj)
|
406
|
+
{
|
407
|
+
X509_EXTENSION *ext;
|
408
|
+
ASN1_OCTET_STRING *value;
|
409
|
+
|
410
|
+
GetX509Ext(obj, ext);
|
411
|
+
if ((value = X509_EXTENSION_get_data(ext)) == NULL)
|
412
|
+
ossl_raise(eX509ExtError, NULL);
|
413
|
+
|
414
|
+
return rb_str_new((const char *)value->data, value->length);
|
415
|
+
}
|
416
|
+
|
405
417
|
static VALUE
|
406
418
|
ossl_x509ext_get_critical(VALUE obj)
|
407
419
|
{
|
@@ -472,6 +484,7 @@ Init_ossl_x509ext(void)
|
|
472
484
|
rb_define_method(cX509Ext, "critical=", ossl_x509ext_set_critical, 1);
|
473
485
|
rb_define_method(cX509Ext, "oid", ossl_x509ext_get_oid, 0);
|
474
486
|
rb_define_method(cX509Ext, "value", ossl_x509ext_get_value, 0);
|
487
|
+
rb_define_method(cX509Ext, "value_der", ossl_x509ext_get_value_der, 0);
|
475
488
|
rb_define_method(cX509Ext, "critical?", ossl_x509ext_get_critical, 0);
|
476
489
|
rb_define_method(cX509Ext, "to_der", ossl_x509ext_to_der, 0);
|
477
490
|
}
|
data/ext/openssl/ossl_x509name.c
CHANGED
@@ -291,7 +291,14 @@ x509name_print(VALUE self, unsigned long iflag)
|
|
291
291
|
* * OpenSSL::X509::Name::MULTILINE
|
292
292
|
*
|
293
293
|
* If _format_ is omitted, the largely broken and traditional OpenSSL format
|
294
|
-
* is
|
294
|
+
* (<tt>X509_NAME_oneline()</tt> format) is chosen.
|
295
|
+
*
|
296
|
+
* <b>Use of this method is discouraged.</b> None of the formats other than
|
297
|
+
* OpenSSL::X509::Name::RFC2253 is standardized and may show an inconsistent
|
298
|
+
* behavior through \OpenSSL versions.
|
299
|
+
*
|
300
|
+
* It is recommended to use #to_utf8 instead, which is equivalent to calling
|
301
|
+
* <tt>name.to_s(OpenSSL::X509::Name::RFC2253).force_encoding("UTF-8")</tt>.
|
295
302
|
*/
|
296
303
|
static VALUE
|
297
304
|
ossl_x509name_to_s(int argc, VALUE *argv, VALUE self)
|
@@ -387,17 +394,21 @@ ossl_x509name_cmp0(VALUE self, VALUE other)
|
|
387
394
|
|
388
395
|
/*
|
389
396
|
* call-seq:
|
390
|
-
* name.cmp(other) -> -1 | 0 | 1
|
391
|
-
* name <=> other -> -1 | 0 | 1
|
397
|
+
* name.cmp(other) -> -1 | 0 | 1 | nil
|
398
|
+
* name <=> other -> -1 | 0 | 1 | nil
|
392
399
|
*
|
393
400
|
* Compares this Name with _other_ and returns +0+ if they are the same and +-1+
|
394
401
|
* or ++1+ if they are greater or less than each other respectively.
|
402
|
+
* Returns +nil+ if they are not comparable (i.e. different types).
|
395
403
|
*/
|
396
404
|
static VALUE
|
397
405
|
ossl_x509name_cmp(VALUE self, VALUE other)
|
398
406
|
{
|
399
407
|
int result;
|
400
408
|
|
409
|
+
if (!rb_obj_is_kind_of(other, cX509Name))
|
410
|
+
return Qnil;
|
411
|
+
|
401
412
|
result = ossl_x509name_cmp0(self, other);
|
402
413
|
if (result < 0) return INT2FIX(-1);
|
403
414
|
if (result > 0) return INT2FIX(1);
|
@@ -494,7 +505,7 @@ ossl_x509name_to_der(VALUE self)
|
|
494
505
|
* You can create a Name by parsing a distinguished name String or by
|
495
506
|
* supplying the distinguished name as an Array.
|
496
507
|
*
|
497
|
-
* name = OpenSSL::X509::Name.
|
508
|
+
* name = OpenSSL::X509::Name.parse_rfc2253 'DC=example,CN=nobody'
|
498
509
|
*
|
499
510
|
* name = OpenSSL::X509::Name.new [['CN', 'nobody'], ['DC', 'example']]
|
500
511
|
*/
|
data/ext/openssl/ossl_x509req.c
CHANGED
@@ -79,23 +79,26 @@ static VALUE
|
|
79
79
|
ossl_x509req_initialize(int argc, VALUE *argv, VALUE self)
|
80
80
|
{
|
81
81
|
BIO *in;
|
82
|
-
X509_REQ *req, *
|
82
|
+
X509_REQ *req, *req_orig = RTYPEDDATA_DATA(self);
|
83
83
|
VALUE arg;
|
84
84
|
|
85
|
+
rb_check_frozen(self);
|
85
86
|
if (rb_scan_args(argc, argv, "01", &arg) == 0) {
|
86
87
|
return self;
|
87
88
|
}
|
88
89
|
arg = ossl_to_der_if_possible(arg);
|
89
90
|
in = ossl_obj2bio(&arg);
|
90
|
-
req =
|
91
|
-
DATA_PTR(self) = x;
|
91
|
+
req = d2i_X509_REQ_bio(in, NULL);
|
92
92
|
if (!req) {
|
93
|
-
|
94
|
-
|
95
|
-
DATA_PTR(self) = x;
|
93
|
+
OSSL_BIO_reset(in);
|
94
|
+
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
|
96
95
|
}
|
97
96
|
BIO_free(in);
|
98
|
-
if (!req)
|
97
|
+
if (!req)
|
98
|
+
ossl_raise(eX509ReqError, "PEM_read_bio_X509_REQ");
|
99
|
+
|
100
|
+
RTYPEDDATA_DATA(self) = req;
|
101
|
+
X509_REQ_free(req_orig);
|
99
102
|
|
100
103
|
return self;
|
101
104
|
}
|
@@ -377,13 +380,13 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary)
|
|
377
380
|
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Attr);
|
378
381
|
}
|
379
382
|
GetX509Req(self, req);
|
380
|
-
|
381
|
-
|
383
|
+
for (i = X509_REQ_get_attr_count(req); i > 0; i--)
|
384
|
+
X509_ATTRIBUTE_free(X509_REQ_delete_attr(req, 0));
|
382
385
|
for (i=0;i<RARRAY_LEN(ary); i++) {
|
383
386
|
item = RARRAY_AREF(ary, i);
|
384
387
|
attr = GetX509AttrPtr(item);
|
385
388
|
if (!X509_REQ_add1_attr(req, attr)) {
|
386
|
-
ossl_raise(eX509ReqError,
|
389
|
+
ossl_raise(eX509ReqError, "X509_REQ_add1_attr");
|
387
390
|
}
|
388
391
|
}
|
389
392
|
return ary;
|
@@ -223,13 +223,13 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary)
|
|
223
223
|
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
|
224
224
|
}
|
225
225
|
GetX509Rev(self, rev);
|
226
|
-
|
227
|
-
|
226
|
+
for (i = X509_REVOKED_get_ext_count(rev); i > 0; i--)
|
227
|
+
X509_EXTENSION_free(X509_REVOKED_delete_ext(rev, 0));
|
228
228
|
for (i=0; i<RARRAY_LEN(ary); i++) {
|
229
229
|
item = RARRAY_AREF(ary, i);
|
230
230
|
ext = GetX509ExtPtr(item);
|
231
231
|
if(!X509_REVOKED_add_ext(rev, ext, -1)) {
|
232
|
-
ossl_raise(eX509RevError,
|
232
|
+
ossl_raise(eX509RevError, "X509_REVOKED_add_ext");
|
233
233
|
}
|
234
234
|
}
|
235
235
|
|