openssl 2.1.4 → 2.2.0

data/lib/openssl/x509.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 # = Ruby-space definitions that completes C-space funcs for X509 and subclasses
 #
@@ -12,6 +12,8 @@
 # (See the file 'LICENCE'.)
 #++
 
+require_relative 'marshal'
+
 module OpenSSL
   module X509
     class ExtensionFactory
@@ -41,6 +43,8 @@ module OpenSSL
     end
 
     class Extension
+      include OpenSSL::Marshal
+
       def ==(other)
         return false unless Extension === other
         to_der == other.to_der
@@ -60,9 +64,146 @@ module OpenSSL
       def to_a
         [ self.oid, self.value, self.critical? ]
       end
+
+      module Helpers
+        def find_extension(oid)
+          extensions.find { |e| e.oid == oid }
+        end
+      end
+
+      module SubjectKeyIdentifier
+        include Helpers
+
+        # Get the subject's key identifier from the subjectKeyIdentifier
+        # exteension, as described in RFC5280 Section 4.2.1.2.
+        #
+        # Returns the binary String key identifier or nil or raises
+        # ASN1::ASN1Error.
+        def subject_key_identifier
+          ext = find_extension("subjectKeyIdentifier")
+          return nil if ext.nil?
+
+          ski_asn1 = ASN1.decode(ext.value_der)
+          if ext.critical? || ski_asn1.tag_class != :UNIVERSAL || ski_asn1.tag != ASN1::OCTET_STRING
+            raise ASN1::ASN1Error, "invalid extension"
+          end
+
+          ski_asn1.value
+        end
+      end
+
+      module AuthorityKeyIdentifier
+        include Helpers
+
+        # Get the issuing certificate's key identifier from the
+        # authorityKeyIdentifier extension, as described in RFC5280
+        # Section 4.2.1.1
+        #
+        # Returns the binary String keyIdentifier or nil or raises
+        # ASN1::ASN1Error.
+        def authority_key_identifier
+          ext = find_extension("authorityKeyIdentifier")
+          return nil if ext.nil?
+
+          aki_asn1 = ASN1.decode(ext.value_der)
+          if ext.critical? || aki_asn1.tag_class != :UNIVERSAL || aki_asn1.tag != ASN1::SEQUENCE
+            raise ASN1::ASN1Error, "invalid extension"
+          end
+
+          key_id = aki_asn1.value.find do |v|
+            v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
+          end
+
+          key_id.nil? ? nil : key_id.value
+        end
+      end
+
+      module CRLDistributionPoints
+        include Helpers
+
+        # Get the distributionPoint fullName URI from the certificate's CRL
+        # distribution points extension, as described in RFC5280 Section
+        # 4.2.1.13
+        #
+        # Returns an array of strings or nil or raises ASN1::ASN1Error.
+        def crl_uris
+          ext = find_extension("crlDistributionPoints")
+          return nil if ext.nil?
+
+          cdp_asn1 = ASN1.decode(ext.value_der)
+          if cdp_asn1.tag_class != :UNIVERSAL || cdp_asn1.tag != ASN1::SEQUENCE
+            raise ASN1::ASN1Error, "invalid extension"
+          end
+
+          crl_uris = cdp_asn1.map do |crl_distribution_point|
+            distribution_point = crl_distribution_point.value.find do |v|
+              v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
+            end
+            full_name = distribution_point&.value&.find do |v|
+              v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
+            end
+            full_name&.value&.find do |v|
+              v.tag_class == :CONTEXT_SPECIFIC && v.tag == 6 # uniformResourceIdentifier
+            end
+          end
+
+          crl_uris&.map(&:value)
+        end
+      end
+
+      module AuthorityInfoAccess
+        include Helpers
+
+        # Get the information and services for the issuer from the certificate's
+        # authority information access extension exteension, as described in RFC5280
+        # Section 4.2.2.1.
+        #
+        # Returns an array of strings or nil or raises ASN1::ASN1Error.
+        def ca_issuer_uris
+          aia_asn1 = parse_aia_asn1
+          return nil if aia_asn1.nil?
+
+          ca_issuer = aia_asn1.value.select do |authority_info_access|
+            authority_info_access.value.first.value == "caIssuers"
+          end
+
+          ca_issuer&.map(&:value)&.map(&:last)&.map(&:value)
+        end
+
+        # Get the URIs for OCSP from the certificate's authority information access
+        # extension exteension, as described in RFC5280 Section 4.2.2.1.
+        #
+        # Returns an array of strings or nil or raises ASN1::ASN1Error.
+        def ocsp_uris
+          aia_asn1 = parse_aia_asn1
+          return nil if aia_asn1.nil?
+
+          ocsp = aia_asn1.value.select do |authority_info_access|
+            authority_info_access.value.first.value == "OCSP"
+          end
+
+          ocsp&.map(&:value)&.map(&:last)&.map(&:value)
+        end
+
+        private
+
+          def parse_aia_asn1
+            ext = find_extension("authorityInfoAccess")
+            return nil if ext.nil?
+
+            aia_asn1 = ASN1.decode(ext.value_der)
+            if ext.critical? || aia_asn1.tag_class != :UNIVERSAL || aia_asn1.tag != ASN1::SEQUENCE
+              raise ASN1::ASN1Error, "invalid extension"
+            end
+
+            aia_asn1
+          end
+      end
     end
 
     class Name
+      include OpenSSL::Marshal
+
       module RFC2253DN
         Special = ',=+<>#;'
         HexChar = /[0-9a-fA-F]/
@@ -166,6 +307,8 @@ module OpenSSL
     end
 
     class Attribute
+      include OpenSSL::Marshal
+
       def ==(other)
         return false unless Attribute === other
         to_der == other.to_der
@@ -179,6 +322,12 @@ module OpenSSL
     end
 
     class Certificate
+      include OpenSSL::Marshal
+      include Extension::SubjectKeyIdentifier
+      include Extension::AuthorityKeyIdentifier
+      include Extension::CRLDistributionPoints
+      include Extension::AuthorityInfoAccess
+
       def pretty_print(q)
         q.object_group(self) {
           q.breakable
@@ -192,6 +341,9 @@ module OpenSSL
     end
 
     class CRL
+      include OpenSSL::Marshal
+      include Extension::AuthorityKeyIdentifier
+
       def ==(other)
         return false unless CRL === other
         to_der == other.to_der
@@ -206,6 +358,8 @@ module OpenSSL
     end
 
     class Request
+      include OpenSSL::Marshal
+
       def ==(other)
         return false unless Request === other
         to_der == other.to_der

data/lib/openssl.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 =begin
 = Info
   'OpenSSL for Ruby 2' project
@@ -12,11 +12,27 @@
 
 require 'openssl.so'
 
-require 'openssl/bn'
-require 'openssl/pkey'
-require 'openssl/cipher'
-require 'openssl/config'
-require 'openssl/digest'
-require 'openssl/x509'
-require 'openssl/ssl'
-require 'openssl/pkcs5'
+require_relative 'openssl/bn'
+require_relative 'openssl/pkey'
+require_relative 'openssl/cipher'
+require_relative 'openssl/config'
+require_relative 'openssl/digest'
+require_relative 'openssl/hmac'
+require_relative 'openssl/x509'
+require_relative 'openssl/ssl'
+require_relative 'openssl/pkcs5'
+require_relative 'openssl/version'
+
+module OpenSSL
+  # call-seq:
+  #   OpenSSL.secure_compare(string, string) -> boolean
+  #
+  # Constant time memory comparison. Inputs are hashed using SHA-256 to mask
+  # the length of the secret. Returns +true+ if the strings are identical,
+  # +false+ otherwise.
+  def self.secure_compare(a, b)
+    hashed_a = OpenSSL::Digest.digest('SHA256', a)
+    hashed_b = OpenSSL::Digest.digest('SHA256', b)
+    OpenSSL.fixed_length_secure_compare(hashed_a, hashed_b) && a == b
+  end
+end

metadata

@@ -1,46 +1,32 @@
 --- !ruby/object:Gem::Specification
 name: openssl
 version: !ruby/object:Gem::Version
-  version: 2.1.4
+  version: 2.2.0
 platform: ruby
 authors:
 - Martin Bosslet
 - SHIBATA Hiroshi
 - Zachary Scott
 - Kazuki Yamaguchi
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-09-08 00:00:00.000000000 Z
+date: 2020-05-13 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: ipaddr
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 11.2.0
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 11.2.0
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake-compiler
   requirement: !ruby/object:Gem::Requirement
@@ -99,7 +85,6 @@ files:
 - History.md
 - LICENSE.txt
 - README.md
-- ext/openssl/deprecation.rb
 - ext/openssl/extconf.rb
 - ext/openssl/openssl_missing.c
 - ext/openssl/openssl_missing.h
@@ -142,7 +127,8 @@ files:
 - ext/openssl/ossl_ssl.c
 - ext/openssl/ossl_ssl.h
 - ext/openssl/ossl_ssl_session.c
-- ext/openssl/ossl_version.h
+- ext/openssl/ossl_ts.c
+- ext/openssl/ossl_ts.h
 - ext/openssl/ossl_x509.c
 - ext/openssl/ossl_x509.h
 - ext/openssl/ossl_x509attr.c
@@ -160,16 +146,19 @@ files:
 - lib/openssl/cipher.rb
 - lib/openssl/config.rb
 - lib/openssl/digest.rb
+- lib/openssl/hmac.rb
+- lib/openssl/marshal.rb
 - lib/openssl/pkcs5.rb
 - lib/openssl/pkey.rb
 - lib/openssl/ssl.rb
+- lib/openssl/version.rb
 - lib/openssl/x509.rb
 homepage: https://github.com/ruby/openssl
 licenses:
 - Ruby
 metadata:
   msys2_mingw_dependencies: openssl
-post_install_message:
+post_install_message: 
 rdoc_options:
 - "--main"
 - README.md
@@ -186,8 +175,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.8
-signing_key:
+rubygems_version: 3.2.0.pre1
+signing_key: 
 specification_version: 4
 summary: OpenSSL provides SSL, TLS and general purpose cryptography.
 test_files: []

data/ext/openssl/deprecation.rb

@@ -1,27 +0,0 @@
-# frozen_string_literal: false
-module OpenSSL
-  def self.deprecated_warning_flag
-    unless flag = (@deprecated_warning_flag ||= nil)
-      if try_compile("", flag = "-Werror=deprecated-declarations")
-        $warnflags = "#{@warnflags = $warnflags}" #{flag}"
-      else
-        flag = ""
-      end
-      @deprecated_warning_flag = flag
-    end
-    flag
-  end
-
-  def self.restore_warning_flag
-    $warnflags = @warnflags
-  end
-
-  def self.check_func(func, header)
-    have_func(func, header, deprecated_warning_flag)
-  end
-
-  def self.check_func_or_macro(func, header)
-    check_func(func, header) or
-      have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}")
-  end
-end

data/ext/openssl/ossl_version.h

@@ -1,15 +0,0 @@
-/*
- * 'OpenSSL for Ruby' project
- * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
- * All rights reserved.
- */
-/*
- * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
- */
-#if !defined(_OSSL_VERSION_H_)
-#define _OSSL_VERSION_H_
-
-#define OSSL_VERSION "2.1.4"
-
-#endif /* _OSSL_VERSION_H_ */