openssl 2.1.3 → 3.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +35 -45
- data/History.md +266 -1
- data/README.md +2 -2
- data/ext/openssl/extconf.rb +46 -38
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +59 -43
- data/ext/openssl/ossl.c +110 -64
- data/ext/openssl/ossl.h +27 -10
- data/ext/openssl/ossl_asn1.c +41 -4
- data/ext/openssl/ossl_bn.c +251 -134
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +38 -29
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +25 -60
- data/ext/openssl/ossl_engine.c +18 -27
- data/ext/openssl/ossl_hmac.c +60 -145
- data/ext/openssl/ossl_kdf.c +11 -19
- data/ext/openssl/ossl_ns_spki.c +1 -1
- data/ext/openssl/ossl_ocsp.c +9 -62
- data/ext/openssl/ossl_ocsp.h +3 -3
- data/ext/openssl/ossl_pkcs12.c +21 -3
- data/ext/openssl/ossl_pkcs7.c +45 -78
- data/ext/openssl/ossl_pkcs7.h +16 -0
- data/ext/openssl/ossl_pkey.c +1295 -178
- data/ext/openssl/ossl_pkey.h +35 -72
- data/ext/openssl/ossl_pkey_dh.c +124 -334
- data/ext/openssl/ossl_pkey_dsa.c +93 -398
- data/ext/openssl/ossl_pkey_ec.c +186 -329
- data/ext/openssl/ossl_pkey_rsa.c +105 -484
- data/ext/openssl/ossl_rand.c +2 -32
- data/ext/openssl/ossl_ssl.c +347 -394
- data/ext/openssl/ossl_ssl_session.c +24 -29
- data/ext/openssl/ossl_ts.c +1539 -0
- data/ext/openssl/ossl_ts.h +16 -0
- data/ext/openssl/ossl_x509.c +0 -6
- data/ext/openssl/ossl_x509cert.c +169 -13
- data/ext/openssl/ossl_x509crl.c +13 -10
- data/ext/openssl/ossl_x509ext.c +15 -2
- data/ext/openssl/ossl_x509name.c +15 -4
- data/ext/openssl/ossl_x509req.c +13 -10
- data/ext/openssl/ossl_x509revoked.c +3 -3
- data/ext/openssl/ossl_x509store.c +154 -70
- data/lib/openssl/bn.rb +1 -1
- data/lib/openssl/buffering.rb +37 -5
- data/lib/openssl/cipher.rb +1 -1
- data/lib/openssl/digest.rb +10 -12
- data/lib/openssl/hmac.rb +78 -0
- data/lib/openssl/marshal.rb +30 -0
- data/lib/openssl/pkcs5.rb +1 -1
- data/lib/openssl/pkey.rb +443 -1
- data/lib/openssl/ssl.rb +47 -9
- data/lib/openssl/version.rb +5 -0
- data/lib/openssl/x509.rb +177 -1
- data/lib/openssl.rb +24 -9
- metadata +10 -79
- data/ext/openssl/deprecation.rb +0 -27
- data/ext/openssl/ossl_version.h +0 -15
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -492
data/lib/openssl/hmac.rb
ADDED
@@ -0,0 +1,78 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module OpenSSL
|
4
|
+
class HMAC
|
5
|
+
# Securely compare with another HMAC instance in constant time.
|
6
|
+
def ==(other)
|
7
|
+
return false unless HMAC === other
|
8
|
+
return false unless self.digest.bytesize == other.digest.bytesize
|
9
|
+
|
10
|
+
OpenSSL.fixed_length_secure_compare(self.digest, other.digest)
|
11
|
+
end
|
12
|
+
|
13
|
+
# :call-seq:
|
14
|
+
# hmac.base64digest -> string
|
15
|
+
#
|
16
|
+
# Returns the authentication code an a Base64-encoded string.
|
17
|
+
def base64digest
|
18
|
+
[digest].pack("m0")
|
19
|
+
end
|
20
|
+
|
21
|
+
class << self
|
22
|
+
# :call-seq:
|
23
|
+
# HMAC.digest(digest, key, data) -> aString
|
24
|
+
#
|
25
|
+
# Returns the authentication code as a binary string. The _digest_ parameter
|
26
|
+
# specifies the digest algorithm to use. This may be a String representing
|
27
|
+
# the algorithm name or an instance of OpenSSL::Digest.
|
28
|
+
#
|
29
|
+
# === Example
|
30
|
+
# key = 'key'
|
31
|
+
# data = 'The quick brown fox jumps over the lazy dog'
|
32
|
+
#
|
33
|
+
# hmac = OpenSSL::HMAC.digest('SHA1', key, data)
|
34
|
+
# #=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"
|
35
|
+
def digest(digest, key, data)
|
36
|
+
hmac = new(key, digest)
|
37
|
+
hmac << data
|
38
|
+
hmac.digest
|
39
|
+
end
|
40
|
+
|
41
|
+
# :call-seq:
|
42
|
+
# HMAC.hexdigest(digest, key, data) -> aString
|
43
|
+
#
|
44
|
+
# Returns the authentication code as a hex-encoded string. The _digest_
|
45
|
+
# parameter specifies the digest algorithm to use. This may be a String
|
46
|
+
# representing the algorithm name or an instance of OpenSSL::Digest.
|
47
|
+
#
|
48
|
+
# === Example
|
49
|
+
# key = 'key'
|
50
|
+
# data = 'The quick brown fox jumps over the lazy dog'
|
51
|
+
#
|
52
|
+
# hmac = OpenSSL::HMAC.hexdigest('SHA1', key, data)
|
53
|
+
# #=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
|
54
|
+
def hexdigest(digest, key, data)
|
55
|
+
hmac = new(key, digest)
|
56
|
+
hmac << data
|
57
|
+
hmac.hexdigest
|
58
|
+
end
|
59
|
+
|
60
|
+
# :call-seq:
|
61
|
+
# HMAC.base64digest(digest, key, data) -> aString
|
62
|
+
#
|
63
|
+
# Returns the authentication code as a Base64-encoded string. The _digest_
|
64
|
+
# parameter specifies the digest algorithm to use. This may be a String
|
65
|
+
# representing the algorithm name or an instance of OpenSSL::Digest.
|
66
|
+
#
|
67
|
+
# === Example
|
68
|
+
# key = 'key'
|
69
|
+
# data = 'The quick brown fox jumps over the lazy dog'
|
70
|
+
#
|
71
|
+
# hmac = OpenSSL::HMAC.base64digest('SHA1', key, data)
|
72
|
+
# #=> "3nybhbi3iqa8ino29wqQcBydtNk="
|
73
|
+
def base64digest(digest, key, data)
|
74
|
+
[digest(digest, key, data)].pack("m0")
|
75
|
+
end
|
76
|
+
end
|
77
|
+
end
|
78
|
+
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#--
|
3
|
+
# = Ruby-space definitions to add DER (de)serialization to classes
|
4
|
+
#
|
5
|
+
# = Info
|
6
|
+
# 'OpenSSL for Ruby 2' project
|
7
|
+
# Copyright (C) 2002 Michal Rokos <m.rokos@sh.cvut.cz>
|
8
|
+
# All rights reserved.
|
9
|
+
#
|
10
|
+
# = Licence
|
11
|
+
# This program is licensed under the same licence as Ruby.
|
12
|
+
# (See the file 'LICENCE'.)
|
13
|
+
#++
|
14
|
+
module OpenSSL
|
15
|
+
module Marshal
|
16
|
+
def self.included(base)
|
17
|
+
base.extend(ClassMethods)
|
18
|
+
end
|
19
|
+
|
20
|
+
module ClassMethods
|
21
|
+
def _load(string)
|
22
|
+
new(string)
|
23
|
+
end
|
24
|
+
end
|
25
|
+
|
26
|
+
def _dump(_level)
|
27
|
+
to_der
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
data/lib/openssl/pkcs5.rb
CHANGED
data/lib/openssl/pkey.rb
CHANGED
@@ -1,11 +1,298 @@
|
|
1
|
-
# frozen_string_literal:
|
1
|
+
# frozen_string_literal: true
|
2
2
|
#--
|
3
3
|
# Ruby/OpenSSL Project
|
4
4
|
# Copyright (C) 2017 Ruby/OpenSSL Project Authors
|
5
5
|
#++
|
6
6
|
|
7
|
+
require_relative 'marshal'
|
8
|
+
|
7
9
|
module OpenSSL::PKey
|
10
|
+
class DH
|
11
|
+
include OpenSSL::Marshal
|
12
|
+
|
13
|
+
# :call-seq:
|
14
|
+
# dh.public_key -> dhnew
|
15
|
+
#
|
16
|
+
# Returns a new DH instance that carries just the \DH parameters.
|
17
|
+
#
|
18
|
+
# Contrary to the method name, the returned DH object contains only
|
19
|
+
# parameters and not the public key.
|
20
|
+
#
|
21
|
+
# This method is provided for backwards compatibility. In most cases, there
|
22
|
+
# is no need to call this method.
|
23
|
+
#
|
24
|
+
# For the purpose of re-generating the key pair while keeping the
|
25
|
+
# parameters, check OpenSSL::PKey.generate_key.
|
26
|
+
#
|
27
|
+
# Example:
|
28
|
+
# # OpenSSL::PKey::DH.generate by default generates a random key pair
|
29
|
+
# dh1 = OpenSSL::PKey::DH.generate(2048)
|
30
|
+
# p dh1.priv_key #=> #<OpenSSL::BN 1288347...>
|
31
|
+
# dhcopy = dh1.public_key
|
32
|
+
# p dhcopy.priv_key #=> nil
|
33
|
+
def public_key
|
34
|
+
DH.new(to_der)
|
35
|
+
end
|
36
|
+
|
37
|
+
# :call-seq:
|
38
|
+
# dh.compute_key(pub_bn) -> string
|
39
|
+
#
|
40
|
+
# Returns a String containing a shared secret computed from the other
|
41
|
+
# party's public value.
|
42
|
+
#
|
43
|
+
# This method is provided for backwards compatibility, and calls #derive
|
44
|
+
# internally.
|
45
|
+
#
|
46
|
+
# === Parameters
|
47
|
+
# * _pub_bn_ is a OpenSSL::BN, *not* the DH instance returned by
|
48
|
+
# DH#public_key as that contains the DH parameters only.
|
49
|
+
def compute_key(pub_bn)
|
50
|
+
# FIXME: This is constructing an X.509 SubjectPublicKeyInfo and is very
|
51
|
+
# inefficient
|
52
|
+
obj = OpenSSL::ASN1.Sequence([
|
53
|
+
OpenSSL::ASN1.Sequence([
|
54
|
+
OpenSSL::ASN1.ObjectId("dhKeyAgreement"),
|
55
|
+
OpenSSL::ASN1.Sequence([
|
56
|
+
OpenSSL::ASN1.Integer(p),
|
57
|
+
OpenSSL::ASN1.Integer(g),
|
58
|
+
]),
|
59
|
+
]),
|
60
|
+
OpenSSL::ASN1.BitString(OpenSSL::ASN1.Integer(pub_bn).to_der),
|
61
|
+
])
|
62
|
+
derive(OpenSSL::PKey.read(obj.to_der))
|
63
|
+
end
|
64
|
+
|
65
|
+
# :call-seq:
|
66
|
+
# dh.generate_key! -> self
|
67
|
+
#
|
68
|
+
# Generates a private and public key unless a private key already exists.
|
69
|
+
# If this DH instance was generated from public \DH parameters (e.g. by
|
70
|
+
# encoding the result of DH#public_key), then this method needs to be
|
71
|
+
# called first in order to generate the per-session keys before performing
|
72
|
+
# the actual key exchange.
|
73
|
+
#
|
74
|
+
# <b>Deprecated in version 3.0</b>. This method is incompatible with
|
75
|
+
# OpenSSL 3.0.0 or later.
|
76
|
+
#
|
77
|
+
# See also OpenSSL::PKey.generate_key.
|
78
|
+
#
|
79
|
+
# Example:
|
80
|
+
# # DEPRECATED USAGE: This will not work on OpenSSL 3.0 or later
|
81
|
+
# dh0 = OpenSSL::PKey::DH.new(2048)
|
82
|
+
# dh = dh0.public_key # #public_key only copies the DH parameters (contrary to the name)
|
83
|
+
# dh.generate_key!
|
84
|
+
# puts dh.private? # => true
|
85
|
+
# puts dh0.pub_key == dh.pub_key #=> false
|
86
|
+
#
|
87
|
+
# # With OpenSSL::PKey.generate_key
|
88
|
+
# dh0 = OpenSSL::PKey::DH.new(2048)
|
89
|
+
# dh = OpenSSL::PKey.generate_key(dh0)
|
90
|
+
# puts dh0.pub_key == dh.pub_key #=> false
|
91
|
+
def generate_key!
|
92
|
+
if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
|
93
|
+
raise DHError, "OpenSSL::PKey::DH is immutable on OpenSSL 3.0; " \
|
94
|
+
"use OpenSSL::PKey.generate_key instead"
|
95
|
+
end
|
96
|
+
|
97
|
+
unless priv_key
|
98
|
+
tmp = OpenSSL::PKey.generate_key(self)
|
99
|
+
set_key(tmp.pub_key, tmp.priv_key)
|
100
|
+
end
|
101
|
+
self
|
102
|
+
end
|
103
|
+
|
104
|
+
class << self
|
105
|
+
# :call-seq:
|
106
|
+
# DH.generate(size, generator = 2) -> dh
|
107
|
+
#
|
108
|
+
# Creates a new DH instance from scratch by generating random parameters
|
109
|
+
# and a key pair.
|
110
|
+
#
|
111
|
+
# See also OpenSSL::PKey.generate_parameters and
|
112
|
+
# OpenSSL::PKey.generate_key.
|
113
|
+
#
|
114
|
+
# +size+::
|
115
|
+
# The desired key size in bits.
|
116
|
+
# +generator+::
|
117
|
+
# The generator.
|
118
|
+
def generate(size, generator = 2, &blk)
|
119
|
+
dhparams = OpenSSL::PKey.generate_parameters("DH", {
|
120
|
+
"dh_paramgen_prime_len" => size,
|
121
|
+
"dh_paramgen_generator" => generator,
|
122
|
+
}, &blk)
|
123
|
+
OpenSSL::PKey.generate_key(dhparams)
|
124
|
+
end
|
125
|
+
|
126
|
+
# Handle DH.new(size, generator) form here; new(str) and new() forms
|
127
|
+
# are handled by #initialize
|
128
|
+
def new(*args, &blk) # :nodoc:
|
129
|
+
if args[0].is_a?(Integer)
|
130
|
+
generate(*args, &blk)
|
131
|
+
else
|
132
|
+
super
|
133
|
+
end
|
134
|
+
end
|
135
|
+
end
|
136
|
+
end
|
137
|
+
|
138
|
+
class DSA
|
139
|
+
include OpenSSL::Marshal
|
140
|
+
|
141
|
+
# :call-seq:
|
142
|
+
# dsa.public_key -> dsanew
|
143
|
+
#
|
144
|
+
# Returns a new DSA instance that carries just the \DSA parameters and the
|
145
|
+
# public key.
|
146
|
+
#
|
147
|
+
# This method is provided for backwards compatibility. In most cases, there
|
148
|
+
# is no need to call this method.
|
149
|
+
#
|
150
|
+
# For the purpose of serializing the public key, to PEM or DER encoding of
|
151
|
+
# X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
|
152
|
+
# PKey#public_to_der.
|
153
|
+
def public_key
|
154
|
+
OpenSSL::PKey.read(public_to_der)
|
155
|
+
end
|
156
|
+
|
157
|
+
class << self
|
158
|
+
# :call-seq:
|
159
|
+
# DSA.generate(size) -> dsa
|
160
|
+
#
|
161
|
+
# Creates a new DSA instance by generating a private/public key pair
|
162
|
+
# from scratch.
|
163
|
+
#
|
164
|
+
# See also OpenSSL::PKey.generate_parameters and
|
165
|
+
# OpenSSL::PKey.generate_key.
|
166
|
+
#
|
167
|
+
# +size+::
|
168
|
+
# The desired key size in bits.
|
169
|
+
def generate(size, &blk)
|
170
|
+
# FIPS 186-4 specifies four (L,N) pairs: (1024,160), (2048,224),
|
171
|
+
# (2048,256), and (3072,256).
|
172
|
+
#
|
173
|
+
# q size is derived here with compatibility with
|
174
|
+
# DSA_generator_parameters_ex() which previous versions of ruby/openssl
|
175
|
+
# used to call.
|
176
|
+
qsize = size >= 2048 ? 256 : 160
|
177
|
+
dsaparams = OpenSSL::PKey.generate_parameters("DSA", {
|
178
|
+
"dsa_paramgen_bits" => size,
|
179
|
+
"dsa_paramgen_q_bits" => qsize,
|
180
|
+
}, &blk)
|
181
|
+
OpenSSL::PKey.generate_key(dsaparams)
|
182
|
+
end
|
183
|
+
|
184
|
+
# Handle DSA.new(size) form here; new(str) and new() forms
|
185
|
+
# are handled by #initialize
|
186
|
+
def new(*args, &blk) # :nodoc:
|
187
|
+
if args[0].is_a?(Integer)
|
188
|
+
generate(*args, &blk)
|
189
|
+
else
|
190
|
+
super
|
191
|
+
end
|
192
|
+
end
|
193
|
+
end
|
194
|
+
|
195
|
+
# :call-seq:
|
196
|
+
# dsa.syssign(string) -> string
|
197
|
+
#
|
198
|
+
# Computes and returns the \DSA signature of +string+, where +string+ is
|
199
|
+
# expected to be an already-computed message digest of the original input
|
200
|
+
# data. The signature is issued using the private key of this DSA instance.
|
201
|
+
#
|
202
|
+
# <b>Deprecated in version 3.0</b>.
|
203
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
|
204
|
+
#
|
205
|
+
# +string+::
|
206
|
+
# A message digest of the original input data to be signed.
|
207
|
+
#
|
208
|
+
# Example:
|
209
|
+
# dsa = OpenSSL::PKey::DSA.new(2048)
|
210
|
+
# doc = "Sign me"
|
211
|
+
# digest = OpenSSL::Digest.digest('SHA1', doc)
|
212
|
+
#
|
213
|
+
# # With legacy #syssign and #sysverify:
|
214
|
+
# sig = dsa.syssign(digest)
|
215
|
+
# p dsa.sysverify(digest, sig) #=> true
|
216
|
+
#
|
217
|
+
# # With #sign_raw and #verify_raw:
|
218
|
+
# sig = dsa.sign_raw(nil, digest)
|
219
|
+
# p dsa.verify_raw(nil, sig, digest) #=> true
|
220
|
+
def syssign(string)
|
221
|
+
q or raise OpenSSL::PKey::DSAError, "incomplete DSA"
|
222
|
+
private? or raise OpenSSL::PKey::DSAError, "Private DSA key needed!"
|
223
|
+
begin
|
224
|
+
sign_raw(nil, string)
|
225
|
+
rescue OpenSSL::PKey::PKeyError
|
226
|
+
raise OpenSSL::PKey::DSAError, $!.message
|
227
|
+
end
|
228
|
+
end
|
229
|
+
|
230
|
+
# :call-seq:
|
231
|
+
# dsa.sysverify(digest, sig) -> true | false
|
232
|
+
#
|
233
|
+
# Verifies whether the signature is valid given the message digest input.
|
234
|
+
# It does so by validating +sig+ using the public key of this DSA instance.
|
235
|
+
#
|
236
|
+
# <b>Deprecated in version 3.0</b>.
|
237
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
|
238
|
+
#
|
239
|
+
# +digest+::
|
240
|
+
# A message digest of the original input data to be signed.
|
241
|
+
# +sig+::
|
242
|
+
# A \DSA signature value.
|
243
|
+
def sysverify(digest, sig)
|
244
|
+
verify_raw(nil, sig, digest)
|
245
|
+
rescue OpenSSL::PKey::PKeyError
|
246
|
+
raise OpenSSL::PKey::DSAError, $!.message
|
247
|
+
end
|
248
|
+
end
|
249
|
+
|
8
250
|
if defined?(EC)
|
251
|
+
class EC
|
252
|
+
include OpenSSL::Marshal
|
253
|
+
|
254
|
+
# :call-seq:
|
255
|
+
# key.dsa_sign_asn1(data) -> String
|
256
|
+
#
|
257
|
+
# <b>Deprecated in version 3.0</b>.
|
258
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
|
259
|
+
def dsa_sign_asn1(data)
|
260
|
+
sign_raw(nil, data)
|
261
|
+
rescue OpenSSL::PKey::PKeyError
|
262
|
+
raise OpenSSL::PKey::ECError, $!.message
|
263
|
+
end
|
264
|
+
|
265
|
+
# :call-seq:
|
266
|
+
# key.dsa_verify_asn1(data, sig) -> true | false
|
267
|
+
#
|
268
|
+
# <b>Deprecated in version 3.0</b>.
|
269
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
|
270
|
+
def dsa_verify_asn1(data, sig)
|
271
|
+
verify_raw(nil, sig, data)
|
272
|
+
rescue OpenSSL::PKey::PKeyError
|
273
|
+
raise OpenSSL::PKey::ECError, $!.message
|
274
|
+
end
|
275
|
+
|
276
|
+
# :call-seq:
|
277
|
+
# ec.dh_compute_key(pubkey) -> string
|
278
|
+
#
|
279
|
+
# Derives a shared secret by ECDH. _pubkey_ must be an instance of
|
280
|
+
# OpenSSL::PKey::EC::Point and must belong to the same group.
|
281
|
+
#
|
282
|
+
# This method is provided for backwards compatibility, and calls #derive
|
283
|
+
# internally.
|
284
|
+
def dh_compute_key(pubkey)
|
285
|
+
obj = OpenSSL::ASN1.Sequence([
|
286
|
+
OpenSSL::ASN1.Sequence([
|
287
|
+
OpenSSL::ASN1.ObjectId("id-ecPublicKey"),
|
288
|
+
group.to_der,
|
289
|
+
]),
|
290
|
+
OpenSSL::ASN1.BitString(pubkey.to_octet_string(:uncompressed)),
|
291
|
+
])
|
292
|
+
derive(OpenSSL::PKey.read(obj.to_der))
|
293
|
+
end
|
294
|
+
end
|
295
|
+
|
9
296
|
class EC::Point
|
10
297
|
# :call-seq:
|
11
298
|
# point.to_bn([conversion_form]) -> OpenSSL::BN
|
@@ -22,4 +309,159 @@ module OpenSSL::PKey
|
|
22
309
|
end
|
23
310
|
end
|
24
311
|
end
|
312
|
+
|
313
|
+
class RSA
|
314
|
+
include OpenSSL::Marshal
|
315
|
+
|
316
|
+
# :call-seq:
|
317
|
+
# rsa.public_key -> rsanew
|
318
|
+
#
|
319
|
+
# Returns a new RSA instance that carries just the public key components.
|
320
|
+
#
|
321
|
+
# This method is provided for backwards compatibility. In most cases, there
|
322
|
+
# is no need to call this method.
|
323
|
+
#
|
324
|
+
# For the purpose of serializing the public key, to PEM or DER encoding of
|
325
|
+
# X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
|
326
|
+
# PKey#public_to_der.
|
327
|
+
def public_key
|
328
|
+
OpenSSL::PKey.read(public_to_der)
|
329
|
+
end
|
330
|
+
|
331
|
+
class << self
|
332
|
+
# :call-seq:
|
333
|
+
# RSA.generate(size, exponent = 65537) -> RSA
|
334
|
+
#
|
335
|
+
# Generates an \RSA keypair.
|
336
|
+
#
|
337
|
+
# See also OpenSSL::PKey.generate_key.
|
338
|
+
#
|
339
|
+
# +size+::
|
340
|
+
# The desired key size in bits.
|
341
|
+
# +exponent+::
|
342
|
+
# An odd Integer, normally 3, 17, or 65537.
|
343
|
+
def generate(size, exp = 0x10001, &blk)
|
344
|
+
OpenSSL::PKey.generate_key("RSA", {
|
345
|
+
"rsa_keygen_bits" => size,
|
346
|
+
"rsa_keygen_pubexp" => exp,
|
347
|
+
}, &blk)
|
348
|
+
end
|
349
|
+
|
350
|
+
# Handle RSA.new(size, exponent) form here; new(str) and new() forms
|
351
|
+
# are handled by #initialize
|
352
|
+
def new(*args, &blk) # :nodoc:
|
353
|
+
if args[0].is_a?(Integer)
|
354
|
+
generate(*args, &blk)
|
355
|
+
else
|
356
|
+
super
|
357
|
+
end
|
358
|
+
end
|
359
|
+
end
|
360
|
+
|
361
|
+
# :call-seq:
|
362
|
+
# rsa.private_encrypt(string) -> String
|
363
|
+
# rsa.private_encrypt(string, padding) -> String
|
364
|
+
#
|
365
|
+
# Encrypt +string+ with the private key. +padding+ defaults to
|
366
|
+
# PKCS1_PADDING. The encrypted string output can be decrypted using
|
367
|
+
# #public_decrypt.
|
368
|
+
#
|
369
|
+
# <b>Deprecated in version 3.0</b>.
|
370
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
|
371
|
+
# PKey::PKey#verify_recover instead.
|
372
|
+
def private_encrypt(string, padding = PKCS1_PADDING)
|
373
|
+
n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
|
374
|
+
private? or raise OpenSSL::PKey::RSAError, "private key needed."
|
375
|
+
begin
|
376
|
+
sign_raw(nil, string, {
|
377
|
+
"rsa_padding_mode" => translate_padding_mode(padding),
|
378
|
+
})
|
379
|
+
rescue OpenSSL::PKey::PKeyError
|
380
|
+
raise OpenSSL::PKey::RSAError, $!.message
|
381
|
+
end
|
382
|
+
end
|
383
|
+
|
384
|
+
# :call-seq:
|
385
|
+
# rsa.public_decrypt(string) -> String
|
386
|
+
# rsa.public_decrypt(string, padding) -> String
|
387
|
+
#
|
388
|
+
# Decrypt +string+, which has been encrypted with the private key, with the
|
389
|
+
# public key. +padding+ defaults to PKCS1_PADDING.
|
390
|
+
#
|
391
|
+
# <b>Deprecated in version 3.0</b>.
|
392
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
|
393
|
+
# PKey::PKey#verify_recover instead.
|
394
|
+
def public_decrypt(string, padding = PKCS1_PADDING)
|
395
|
+
n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
|
396
|
+
begin
|
397
|
+
verify_recover(nil, string, {
|
398
|
+
"rsa_padding_mode" => translate_padding_mode(padding),
|
399
|
+
})
|
400
|
+
rescue OpenSSL::PKey::PKeyError
|
401
|
+
raise OpenSSL::PKey::RSAError, $!.message
|
402
|
+
end
|
403
|
+
end
|
404
|
+
|
405
|
+
# :call-seq:
|
406
|
+
# rsa.public_encrypt(string) -> String
|
407
|
+
# rsa.public_encrypt(string, padding) -> String
|
408
|
+
#
|
409
|
+
# Encrypt +string+ with the public key. +padding+ defaults to
|
410
|
+
# PKCS1_PADDING. The encrypted string output can be decrypted using
|
411
|
+
# #private_decrypt.
|
412
|
+
#
|
413
|
+
# <b>Deprecated in version 3.0</b>.
|
414
|
+
# Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
|
415
|
+
def public_encrypt(data, padding = PKCS1_PADDING)
|
416
|
+
n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
|
417
|
+
begin
|
418
|
+
encrypt(data, {
|
419
|
+
"rsa_padding_mode" => translate_padding_mode(padding),
|
420
|
+
})
|
421
|
+
rescue OpenSSL::PKey::PKeyError
|
422
|
+
raise OpenSSL::PKey::RSAError, $!.message
|
423
|
+
end
|
424
|
+
end
|
425
|
+
|
426
|
+
# :call-seq:
|
427
|
+
# rsa.private_decrypt(string) -> String
|
428
|
+
# rsa.private_decrypt(string, padding) -> String
|
429
|
+
#
|
430
|
+
# Decrypt +string+, which has been encrypted with the public key, with the
|
431
|
+
# private key. +padding+ defaults to PKCS1_PADDING.
|
432
|
+
#
|
433
|
+
# <b>Deprecated in version 3.0</b>.
|
434
|
+
# Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
|
435
|
+
def private_decrypt(data, padding = PKCS1_PADDING)
|
436
|
+
n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
|
437
|
+
private? or raise OpenSSL::PKey::RSAError, "private key needed."
|
438
|
+
begin
|
439
|
+
decrypt(data, {
|
440
|
+
"rsa_padding_mode" => translate_padding_mode(padding),
|
441
|
+
})
|
442
|
+
rescue OpenSSL::PKey::PKeyError
|
443
|
+
raise OpenSSL::PKey::RSAError, $!.message
|
444
|
+
end
|
445
|
+
end
|
446
|
+
|
447
|
+
PKCS1_PADDING = 1
|
448
|
+
SSLV23_PADDING = 2
|
449
|
+
NO_PADDING = 3
|
450
|
+
PKCS1_OAEP_PADDING = 4
|
451
|
+
|
452
|
+
private def translate_padding_mode(num)
|
453
|
+
case num
|
454
|
+
when PKCS1_PADDING
|
455
|
+
"pkcs1"
|
456
|
+
when SSLV23_PADDING
|
457
|
+
"sslv23"
|
458
|
+
when NO_PADDING
|
459
|
+
"none"
|
460
|
+
when PKCS1_OAEP_PADDING
|
461
|
+
"oaep"
|
462
|
+
else
|
463
|
+
raise OpenSSL::PKey::PKeyError, "unsupported padding mode"
|
464
|
+
end
|
465
|
+
end
|
466
|
+
end
|
25
467
|
end
|
data/lib/openssl/ssl.rb
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
# frozen_string_literal:
|
1
|
+
# frozen_string_literal: true
|
2
2
|
=begin
|
3
3
|
= Info
|
4
4
|
'OpenSSL for Ruby 2' project
|
@@ -13,6 +13,7 @@
|
|
13
13
|
require "openssl/buffering"
|
14
14
|
require "io/nonblock"
|
15
15
|
require "ipaddr"
|
16
|
+
require "socket"
|
16
17
|
|
17
18
|
module OpenSSL
|
18
19
|
module SSL
|
@@ -90,15 +91,17 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
90
91
|
DEFAULT_CERT_STORE.set_default_paths
|
91
92
|
DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
|
92
93
|
|
93
|
-
# A callback invoked when DH parameters are required
|
94
|
+
# A callback invoked when DH parameters are required for ephemeral DH key
|
95
|
+
# exchange.
|
94
96
|
#
|
95
|
-
# The callback is invoked with the
|
97
|
+
# The callback is invoked with the SSLSocket, a
|
96
98
|
# flag indicating the use of an export cipher and the keylength
|
97
99
|
# required.
|
98
100
|
#
|
99
101
|
# The callback must return an OpenSSL::PKey::DH instance of the correct
|
100
102
|
# key length.
|
101
|
-
|
103
|
+
#
|
104
|
+
# <b>Deprecated in version 3.0.</b> Use #tmp_dh= instead.
|
102
105
|
attr_accessor :tmp_dh_callback
|
103
106
|
|
104
107
|
# A callback invoked at connect time to distinguish between multiple
|
@@ -121,6 +124,8 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
121
124
|
def initialize(version = nil)
|
122
125
|
self.options |= OpenSSL::SSL::OP_ALL
|
123
126
|
self.ssl_version = version if version
|
127
|
+
self.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
128
|
+
self.verify_hostname = false
|
124
129
|
end
|
125
130
|
|
126
131
|
##
|
@@ -231,6 +236,11 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
231
236
|
end
|
232
237
|
|
233
238
|
module SocketForwarder
|
239
|
+
# The file descriptor for the socket.
|
240
|
+
def fileno
|
241
|
+
to_io.fileno
|
242
|
+
end
|
243
|
+
|
234
244
|
def addr
|
235
245
|
to_io.addr
|
236
246
|
end
|
@@ -424,10 +434,6 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
424
434
|
@context.tmp_dh_callback || OpenSSL::SSL::SSLContext::DEFAULT_TMP_DH_CALLBACK
|
425
435
|
end
|
426
436
|
|
427
|
-
def tmp_ecdh_callback
|
428
|
-
@context.tmp_ecdh_callback
|
429
|
-
end
|
430
|
-
|
431
437
|
def session_new_cb
|
432
438
|
@context.session_new_cb
|
433
439
|
end
|
@@ -435,6 +441,38 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
435
441
|
def session_get_cb
|
436
442
|
@context.session_get_cb
|
437
443
|
end
|
444
|
+
|
445
|
+
class << self
|
446
|
+
|
447
|
+
# call-seq:
|
448
|
+
# open(remote_host, remote_port, local_host=nil, local_port=nil, context: nil)
|
449
|
+
#
|
450
|
+
# Creates a new instance of SSLSocket.
|
451
|
+
# _remote\_host_ and _remote\_port_ are used to open TCPSocket.
|
452
|
+
# If _local\_host_ and _local\_port_ are specified,
|
453
|
+
# then those parameters are used on the local end to establish the connection.
|
454
|
+
# If _context_ is provided,
|
455
|
+
# the SSL Sockets initial params will be taken from the context.
|
456
|
+
#
|
457
|
+
# === Examples
|
458
|
+
#
|
459
|
+
# sock = OpenSSL::SSL::SSLSocket.open('localhost', 443)
|
460
|
+
# sock.connect # Initiates a connection to localhost:443
|
461
|
+
#
|
462
|
+
# with SSLContext:
|
463
|
+
#
|
464
|
+
# ctx = OpenSSL::SSL::SSLContext.new
|
465
|
+
# sock = OpenSSL::SSL::SSLSocket.open('localhost', 443, context: ctx)
|
466
|
+
# sock.connect # Initiates a connection to localhost:443 with SSLContext
|
467
|
+
def open(remote_host, remote_port, local_host=nil, local_port=nil, context: nil)
|
468
|
+
sock = ::TCPSocket.open(remote_host, remote_port, local_host, local_port)
|
469
|
+
if context.nil?
|
470
|
+
return OpenSSL::SSL::SSLSocket.new(sock)
|
471
|
+
else
|
472
|
+
return OpenSSL::SSL::SSLSocket.new(sock, context)
|
473
|
+
end
|
474
|
+
end
|
475
|
+
end
|
438
476
|
end
|
439
477
|
|
440
478
|
##
|
@@ -465,7 +503,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
465
503
|
end
|
466
504
|
|
467
505
|
# See TCPServer#listen for details.
|
468
|
-
def listen(backlog=
|
506
|
+
def listen(backlog=Socket::SOMAXCONN)
|
469
507
|
@svr.listen(backlog)
|
470
508
|
end
|
471
509
|
|