openssl 2.2.0 → 3.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +33 -45
- data/History.md +260 -0
- data/ext/openssl/extconf.rb +85 -72
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +26 -45
- data/ext/openssl/ossl.c +67 -47
- data/ext/openssl/ossl.h +26 -6
- data/ext/openssl/ossl_asn1.c +26 -13
- data/ext/openssl/ossl_bn.c +278 -142
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +12 -13
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +15 -11
- data/ext/openssl/ossl_engine.c +16 -15
- data/ext/openssl/ossl_hmac.c +56 -135
- data/ext/openssl/ossl_kdf.c +11 -3
- data/ext/openssl/ossl_ocsp.c +5 -53
- data/ext/openssl/ossl_pkcs12.c +21 -3
- data/ext/openssl/ossl_pkcs7.c +42 -59
- data/ext/openssl/ossl_pkey.c +1142 -191
- data/ext/openssl/ossl_pkey.h +36 -73
- data/ext/openssl/ossl_pkey_dh.c +130 -340
- data/ext/openssl/ossl_pkey_dsa.c +100 -405
- data/ext/openssl/ossl_pkey_ec.c +163 -335
- data/ext/openssl/ossl_pkey_rsa.c +106 -493
- data/ext/openssl/ossl_ssl.c +529 -421
- data/ext/openssl/ossl_ssl_session.c +28 -29
- data/ext/openssl/ossl_ts.c +64 -39
- data/ext/openssl/ossl_x509.c +0 -6
- data/ext/openssl/ossl_x509cert.c +167 -11
- data/ext/openssl/ossl_x509crl.c +13 -10
- data/ext/openssl/ossl_x509ext.c +1 -2
- data/ext/openssl/ossl_x509name.c +9 -2
- data/ext/openssl/ossl_x509req.c +13 -10
- data/ext/openssl/ossl_x509revoked.c +3 -3
- data/ext/openssl/ossl_x509store.c +193 -90
- data/lib/openssl/buffering.rb +10 -1
- data/lib/openssl/hmac.rb +65 -0
- data/lib/openssl/pkey.rb +429 -0
- data/lib/openssl/ssl.rb +13 -8
- data/lib/openssl/version.rb +1 -1
- data/lib/openssl/x509.rb +22 -0
- data/lib/openssl.rb +0 -1
- metadata +8 -66
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -501
data/lib/openssl/buffering.rb
CHANGED
@@ -31,7 +31,7 @@ module OpenSSL::Buffering
|
|
31
31
|
|
32
32
|
force_encoding(BINARY)
|
33
33
|
end
|
34
|
-
|
34
|
+
|
35
35
|
def << string
|
36
36
|
if string.encoding == BINARY
|
37
37
|
super(string)
|
@@ -101,6 +101,15 @@ module OpenSSL::Buffering
|
|
101
101
|
|
102
102
|
public
|
103
103
|
|
104
|
+
# call-seq:
|
105
|
+
# ssl.getbyte => 81
|
106
|
+
#
|
107
|
+
# Get the next 8bit byte from `ssl`. Returns `nil` on EOF
|
108
|
+
def getbyte
|
109
|
+
byte = read(1)
|
110
|
+
byte && byte.unpack1("C")
|
111
|
+
end
|
112
|
+
|
104
113
|
##
|
105
114
|
# Reads _size_ bytes from the stream. If _buf_ is provided it must
|
106
115
|
# reference a string which will receive the data.
|
data/lib/openssl/hmac.rb
CHANGED
@@ -9,5 +9,70 @@ module OpenSSL
|
|
9
9
|
|
10
10
|
OpenSSL.fixed_length_secure_compare(self.digest, other.digest)
|
11
11
|
end
|
12
|
+
|
13
|
+
# :call-seq:
|
14
|
+
# hmac.base64digest -> string
|
15
|
+
#
|
16
|
+
# Returns the authentication code an a Base64-encoded string.
|
17
|
+
def base64digest
|
18
|
+
[digest].pack("m0")
|
19
|
+
end
|
20
|
+
|
21
|
+
class << self
|
22
|
+
# :call-seq:
|
23
|
+
# HMAC.digest(digest, key, data) -> aString
|
24
|
+
#
|
25
|
+
# Returns the authentication code as a binary string. The _digest_ parameter
|
26
|
+
# specifies the digest algorithm to use. This may be a String representing
|
27
|
+
# the algorithm name or an instance of OpenSSL::Digest.
|
28
|
+
#
|
29
|
+
# === Example
|
30
|
+
# key = 'key'
|
31
|
+
# data = 'The quick brown fox jumps over the lazy dog'
|
32
|
+
#
|
33
|
+
# hmac = OpenSSL::HMAC.digest('SHA1', key, data)
|
34
|
+
# #=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"
|
35
|
+
def digest(digest, key, data)
|
36
|
+
hmac = new(key, digest)
|
37
|
+
hmac << data
|
38
|
+
hmac.digest
|
39
|
+
end
|
40
|
+
|
41
|
+
# :call-seq:
|
42
|
+
# HMAC.hexdigest(digest, key, data) -> aString
|
43
|
+
#
|
44
|
+
# Returns the authentication code as a hex-encoded string. The _digest_
|
45
|
+
# parameter specifies the digest algorithm to use. This may be a String
|
46
|
+
# representing the algorithm name or an instance of OpenSSL::Digest.
|
47
|
+
#
|
48
|
+
# === Example
|
49
|
+
# key = 'key'
|
50
|
+
# data = 'The quick brown fox jumps over the lazy dog'
|
51
|
+
#
|
52
|
+
# hmac = OpenSSL::HMAC.hexdigest('SHA1', key, data)
|
53
|
+
# #=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
|
54
|
+
def hexdigest(digest, key, data)
|
55
|
+
hmac = new(key, digest)
|
56
|
+
hmac << data
|
57
|
+
hmac.hexdigest
|
58
|
+
end
|
59
|
+
|
60
|
+
# :call-seq:
|
61
|
+
# HMAC.base64digest(digest, key, data) -> aString
|
62
|
+
#
|
63
|
+
# Returns the authentication code as a Base64-encoded string. The _digest_
|
64
|
+
# parameter specifies the digest algorithm to use. This may be a String
|
65
|
+
# representing the algorithm name or an instance of OpenSSL::Digest.
|
66
|
+
#
|
67
|
+
# === Example
|
68
|
+
# key = 'key'
|
69
|
+
# data = 'The quick brown fox jumps over the lazy dog'
|
70
|
+
#
|
71
|
+
# hmac = OpenSSL::HMAC.base64digest('SHA1', key, data)
|
72
|
+
# #=> "3nybhbi3iqa8ino29wqQcBydtNk="
|
73
|
+
def base64digest(digest, key, data)
|
74
|
+
[digest(digest, key, data)].pack("m0")
|
75
|
+
end
|
76
|
+
end
|
12
77
|
end
|
13
78
|
end
|
data/lib/openssl/pkey.rb
CHANGED
@@ -9,16 +9,290 @@ require_relative 'marshal'
|
|
9
9
|
module OpenSSL::PKey
|
10
10
|
class DH
|
11
11
|
include OpenSSL::Marshal
|
12
|
+
|
13
|
+
# :call-seq:
|
14
|
+
# dh.public_key -> dhnew
|
15
|
+
#
|
16
|
+
# Returns a new DH instance that carries just the \DH parameters.
|
17
|
+
#
|
18
|
+
# Contrary to the method name, the returned DH object contains only
|
19
|
+
# parameters and not the public key.
|
20
|
+
#
|
21
|
+
# This method is provided for backwards compatibility. In most cases, there
|
22
|
+
# is no need to call this method.
|
23
|
+
#
|
24
|
+
# For the purpose of re-generating the key pair while keeping the
|
25
|
+
# parameters, check OpenSSL::PKey.generate_key.
|
26
|
+
#
|
27
|
+
# Example:
|
28
|
+
# # OpenSSL::PKey::DH.generate by default generates a random key pair
|
29
|
+
# dh1 = OpenSSL::PKey::DH.generate(2048)
|
30
|
+
# p dh1.priv_key #=> #<OpenSSL::BN 1288347...>
|
31
|
+
# dhcopy = dh1.public_key
|
32
|
+
# p dhcopy.priv_key #=> nil
|
33
|
+
def public_key
|
34
|
+
DH.new(to_der)
|
35
|
+
end
|
36
|
+
|
37
|
+
# :call-seq:
|
38
|
+
# dh.compute_key(pub_bn) -> string
|
39
|
+
#
|
40
|
+
# Returns a String containing a shared secret computed from the other
|
41
|
+
# party's public value.
|
42
|
+
#
|
43
|
+
# This method is provided for backwards compatibility, and calls #derive
|
44
|
+
# internally.
|
45
|
+
#
|
46
|
+
# === Parameters
|
47
|
+
# * _pub_bn_ is a OpenSSL::BN, *not* the DH instance returned by
|
48
|
+
# DH#public_key as that contains the DH parameters only.
|
49
|
+
def compute_key(pub_bn)
|
50
|
+
# FIXME: This is constructing an X.509 SubjectPublicKeyInfo and is very
|
51
|
+
# inefficient
|
52
|
+
obj = OpenSSL::ASN1.Sequence([
|
53
|
+
OpenSSL::ASN1.Sequence([
|
54
|
+
OpenSSL::ASN1.ObjectId("dhKeyAgreement"),
|
55
|
+
OpenSSL::ASN1.Sequence([
|
56
|
+
OpenSSL::ASN1.Integer(p),
|
57
|
+
OpenSSL::ASN1.Integer(g),
|
58
|
+
]),
|
59
|
+
]),
|
60
|
+
OpenSSL::ASN1.BitString(OpenSSL::ASN1.Integer(pub_bn).to_der),
|
61
|
+
])
|
62
|
+
derive(OpenSSL::PKey.read(obj.to_der))
|
63
|
+
end
|
64
|
+
|
65
|
+
# :call-seq:
|
66
|
+
# dh.generate_key! -> self
|
67
|
+
#
|
68
|
+
# Generates a private and public key unless a private key already exists.
|
69
|
+
# If this DH instance was generated from public \DH parameters (e.g. by
|
70
|
+
# encoding the result of DH#public_key), then this method needs to be
|
71
|
+
# called first in order to generate the per-session keys before performing
|
72
|
+
# the actual key exchange.
|
73
|
+
#
|
74
|
+
# <b>Deprecated in version 3.0</b>. This method is incompatible with
|
75
|
+
# OpenSSL 3.0.0 or later.
|
76
|
+
#
|
77
|
+
# See also OpenSSL::PKey.generate_key.
|
78
|
+
#
|
79
|
+
# Example:
|
80
|
+
# # DEPRECATED USAGE: This will not work on OpenSSL 3.0 or later
|
81
|
+
# dh0 = OpenSSL::PKey::DH.new(2048)
|
82
|
+
# dh = dh0.public_key # #public_key only copies the DH parameters (contrary to the name)
|
83
|
+
# dh.generate_key!
|
84
|
+
# puts dh.private? # => true
|
85
|
+
# puts dh0.pub_key == dh.pub_key #=> false
|
86
|
+
#
|
87
|
+
# # With OpenSSL::PKey.generate_key
|
88
|
+
# dh0 = OpenSSL::PKey::DH.new(2048)
|
89
|
+
# dh = OpenSSL::PKey.generate_key(dh0)
|
90
|
+
# puts dh0.pub_key == dh.pub_key #=> false
|
91
|
+
def generate_key!
|
92
|
+
if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
|
93
|
+
raise DHError, "OpenSSL::PKey::DH is immutable on OpenSSL 3.0; " \
|
94
|
+
"use OpenSSL::PKey.generate_key instead"
|
95
|
+
end
|
96
|
+
|
97
|
+
unless priv_key
|
98
|
+
tmp = OpenSSL::PKey.generate_key(self)
|
99
|
+
set_key(tmp.pub_key, tmp.priv_key)
|
100
|
+
end
|
101
|
+
self
|
102
|
+
end
|
103
|
+
|
104
|
+
class << self
|
105
|
+
# :call-seq:
|
106
|
+
# DH.generate(size, generator = 2) -> dh
|
107
|
+
#
|
108
|
+
# Creates a new DH instance from scratch by generating random parameters
|
109
|
+
# and a key pair.
|
110
|
+
#
|
111
|
+
# See also OpenSSL::PKey.generate_parameters and
|
112
|
+
# OpenSSL::PKey.generate_key.
|
113
|
+
#
|
114
|
+
# +size+::
|
115
|
+
# The desired key size in bits.
|
116
|
+
# +generator+::
|
117
|
+
# The generator.
|
118
|
+
def generate(size, generator = 2, &blk)
|
119
|
+
dhparams = OpenSSL::PKey.generate_parameters("DH", {
|
120
|
+
"dh_paramgen_prime_len" => size,
|
121
|
+
"dh_paramgen_generator" => generator,
|
122
|
+
}, &blk)
|
123
|
+
OpenSSL::PKey.generate_key(dhparams)
|
124
|
+
end
|
125
|
+
|
126
|
+
# Handle DH.new(size, generator) form here; new(str) and new() forms
|
127
|
+
# are handled by #initialize
|
128
|
+
def new(*args, &blk) # :nodoc:
|
129
|
+
if args[0].is_a?(Integer)
|
130
|
+
generate(*args, &blk)
|
131
|
+
else
|
132
|
+
super
|
133
|
+
end
|
134
|
+
end
|
135
|
+
end
|
12
136
|
end
|
13
137
|
|
14
138
|
class DSA
|
15
139
|
include OpenSSL::Marshal
|
140
|
+
|
141
|
+
# :call-seq:
|
142
|
+
# dsa.public_key -> dsanew
|
143
|
+
#
|
144
|
+
# Returns a new DSA instance that carries just the \DSA parameters and the
|
145
|
+
# public key.
|
146
|
+
#
|
147
|
+
# This method is provided for backwards compatibility. In most cases, there
|
148
|
+
# is no need to call this method.
|
149
|
+
#
|
150
|
+
# For the purpose of serializing the public key, to PEM or DER encoding of
|
151
|
+
# X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
|
152
|
+
# PKey#public_to_der.
|
153
|
+
def public_key
|
154
|
+
OpenSSL::PKey.read(public_to_der)
|
155
|
+
end
|
156
|
+
|
157
|
+
class << self
|
158
|
+
# :call-seq:
|
159
|
+
# DSA.generate(size) -> dsa
|
160
|
+
#
|
161
|
+
# Creates a new DSA instance by generating a private/public key pair
|
162
|
+
# from scratch.
|
163
|
+
#
|
164
|
+
# See also OpenSSL::PKey.generate_parameters and
|
165
|
+
# OpenSSL::PKey.generate_key.
|
166
|
+
#
|
167
|
+
# +size+::
|
168
|
+
# The desired key size in bits.
|
169
|
+
def generate(size, &blk)
|
170
|
+
# FIPS 186-4 specifies four (L,N) pairs: (1024,160), (2048,224),
|
171
|
+
# (2048,256), and (3072,256).
|
172
|
+
#
|
173
|
+
# q size is derived here with compatibility with
|
174
|
+
# DSA_generator_parameters_ex() which previous versions of ruby/openssl
|
175
|
+
# used to call.
|
176
|
+
qsize = size >= 2048 ? 256 : 160
|
177
|
+
dsaparams = OpenSSL::PKey.generate_parameters("DSA", {
|
178
|
+
"dsa_paramgen_bits" => size,
|
179
|
+
"dsa_paramgen_q_bits" => qsize,
|
180
|
+
}, &blk)
|
181
|
+
OpenSSL::PKey.generate_key(dsaparams)
|
182
|
+
end
|
183
|
+
|
184
|
+
# Handle DSA.new(size) form here; new(str) and new() forms
|
185
|
+
# are handled by #initialize
|
186
|
+
def new(*args, &blk) # :nodoc:
|
187
|
+
if args[0].is_a?(Integer)
|
188
|
+
generate(*args, &blk)
|
189
|
+
else
|
190
|
+
super
|
191
|
+
end
|
192
|
+
end
|
193
|
+
end
|
194
|
+
|
195
|
+
# :call-seq:
|
196
|
+
# dsa.syssign(string) -> string
|
197
|
+
#
|
198
|
+
# Computes and returns the \DSA signature of +string+, where +string+ is
|
199
|
+
# expected to be an already-computed message digest of the original input
|
200
|
+
# data. The signature is issued using the private key of this DSA instance.
|
201
|
+
#
|
202
|
+
# <b>Deprecated in version 3.0</b>.
|
203
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
|
204
|
+
#
|
205
|
+
# +string+::
|
206
|
+
# A message digest of the original input data to be signed.
|
207
|
+
#
|
208
|
+
# Example:
|
209
|
+
# dsa = OpenSSL::PKey::DSA.new(2048)
|
210
|
+
# doc = "Sign me"
|
211
|
+
# digest = OpenSSL::Digest.digest('SHA1', doc)
|
212
|
+
#
|
213
|
+
# # With legacy #syssign and #sysverify:
|
214
|
+
# sig = dsa.syssign(digest)
|
215
|
+
# p dsa.sysverify(digest, sig) #=> true
|
216
|
+
#
|
217
|
+
# # With #sign_raw and #verify_raw:
|
218
|
+
# sig = dsa.sign_raw(nil, digest)
|
219
|
+
# p dsa.verify_raw(nil, sig, digest) #=> true
|
220
|
+
def syssign(string)
|
221
|
+
q or raise OpenSSL::PKey::DSAError, "incomplete DSA"
|
222
|
+
private? or raise OpenSSL::PKey::DSAError, "Private DSA key needed!"
|
223
|
+
begin
|
224
|
+
sign_raw(nil, string)
|
225
|
+
rescue OpenSSL::PKey::PKeyError
|
226
|
+
raise OpenSSL::PKey::DSAError, $!.message
|
227
|
+
end
|
228
|
+
end
|
229
|
+
|
230
|
+
# :call-seq:
|
231
|
+
# dsa.sysverify(digest, sig) -> true | false
|
232
|
+
#
|
233
|
+
# Verifies whether the signature is valid given the message digest input.
|
234
|
+
# It does so by validating +sig+ using the public key of this DSA instance.
|
235
|
+
#
|
236
|
+
# <b>Deprecated in version 3.0</b>.
|
237
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
|
238
|
+
#
|
239
|
+
# +digest+::
|
240
|
+
# A message digest of the original input data to be signed.
|
241
|
+
# +sig+::
|
242
|
+
# A \DSA signature value.
|
243
|
+
def sysverify(digest, sig)
|
244
|
+
verify_raw(nil, sig, digest)
|
245
|
+
rescue OpenSSL::PKey::PKeyError
|
246
|
+
raise OpenSSL::PKey::DSAError, $!.message
|
247
|
+
end
|
16
248
|
end
|
17
249
|
|
18
250
|
if defined?(EC)
|
19
251
|
class EC
|
20
252
|
include OpenSSL::Marshal
|
253
|
+
|
254
|
+
# :call-seq:
|
255
|
+
# key.dsa_sign_asn1(data) -> String
|
256
|
+
#
|
257
|
+
# <b>Deprecated in version 3.0</b>.
|
258
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
|
259
|
+
def dsa_sign_asn1(data)
|
260
|
+
sign_raw(nil, data)
|
261
|
+
rescue OpenSSL::PKey::PKeyError
|
262
|
+
raise OpenSSL::PKey::ECError, $!.message
|
263
|
+
end
|
264
|
+
|
265
|
+
# :call-seq:
|
266
|
+
# key.dsa_verify_asn1(data, sig) -> true | false
|
267
|
+
#
|
268
|
+
# <b>Deprecated in version 3.0</b>.
|
269
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
|
270
|
+
def dsa_verify_asn1(data, sig)
|
271
|
+
verify_raw(nil, sig, data)
|
272
|
+
rescue OpenSSL::PKey::PKeyError
|
273
|
+
raise OpenSSL::PKey::ECError, $!.message
|
274
|
+
end
|
275
|
+
|
276
|
+
# :call-seq:
|
277
|
+
# ec.dh_compute_key(pubkey) -> string
|
278
|
+
#
|
279
|
+
# Derives a shared secret by ECDH. _pubkey_ must be an instance of
|
280
|
+
# OpenSSL::PKey::EC::Point and must belong to the same group.
|
281
|
+
#
|
282
|
+
# This method is provided for backwards compatibility, and calls #derive
|
283
|
+
# internally.
|
284
|
+
def dh_compute_key(pubkey)
|
285
|
+
obj = OpenSSL::ASN1.Sequence([
|
286
|
+
OpenSSL::ASN1.Sequence([
|
287
|
+
OpenSSL::ASN1.ObjectId("id-ecPublicKey"),
|
288
|
+
group.to_der,
|
289
|
+
]),
|
290
|
+
OpenSSL::ASN1.BitString(pubkey.to_octet_string(:uncompressed)),
|
291
|
+
])
|
292
|
+
derive(OpenSSL::PKey.read(obj.to_der))
|
293
|
+
end
|
21
294
|
end
|
295
|
+
|
22
296
|
class EC::Point
|
23
297
|
# :call-seq:
|
24
298
|
# point.to_bn([conversion_form]) -> OpenSSL::BN
|
@@ -38,5 +312,160 @@ module OpenSSL::PKey
|
|
38
312
|
|
39
313
|
class RSA
|
40
314
|
include OpenSSL::Marshal
|
315
|
+
|
316
|
+
# :call-seq:
|
317
|
+
# rsa.public_key -> rsanew
|
318
|
+
#
|
319
|
+
# Returns a new RSA instance that carries just the public key components.
|
320
|
+
#
|
321
|
+
# This method is provided for backwards compatibility. In most cases, there
|
322
|
+
# is no need to call this method.
|
323
|
+
#
|
324
|
+
# For the purpose of serializing the public key, to PEM or DER encoding of
|
325
|
+
# X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
|
326
|
+
# PKey#public_to_der.
|
327
|
+
def public_key
|
328
|
+
OpenSSL::PKey.read(public_to_der)
|
329
|
+
end
|
330
|
+
|
331
|
+
class << self
|
332
|
+
# :call-seq:
|
333
|
+
# RSA.generate(size, exponent = 65537) -> RSA
|
334
|
+
#
|
335
|
+
# Generates an \RSA keypair.
|
336
|
+
#
|
337
|
+
# See also OpenSSL::PKey.generate_key.
|
338
|
+
#
|
339
|
+
# +size+::
|
340
|
+
# The desired key size in bits.
|
341
|
+
# +exponent+::
|
342
|
+
# An odd Integer, normally 3, 17, or 65537.
|
343
|
+
def generate(size, exp = 0x10001, &blk)
|
344
|
+
OpenSSL::PKey.generate_key("RSA", {
|
345
|
+
"rsa_keygen_bits" => size,
|
346
|
+
"rsa_keygen_pubexp" => exp,
|
347
|
+
}, &blk)
|
348
|
+
end
|
349
|
+
|
350
|
+
# Handle RSA.new(size, exponent) form here; new(str) and new() forms
|
351
|
+
# are handled by #initialize
|
352
|
+
def new(*args, &blk) # :nodoc:
|
353
|
+
if args[0].is_a?(Integer)
|
354
|
+
generate(*args, &blk)
|
355
|
+
else
|
356
|
+
super
|
357
|
+
end
|
358
|
+
end
|
359
|
+
end
|
360
|
+
|
361
|
+
# :call-seq:
|
362
|
+
# rsa.private_encrypt(string) -> String
|
363
|
+
# rsa.private_encrypt(string, padding) -> String
|
364
|
+
#
|
365
|
+
# Encrypt +string+ with the private key. +padding+ defaults to
|
366
|
+
# PKCS1_PADDING, which is known to be insecure but is kept for backwards
|
367
|
+
# compatibility. The encrypted string output can be decrypted using
|
368
|
+
# #public_decrypt.
|
369
|
+
#
|
370
|
+
# <b>Deprecated in version 3.0</b>.
|
371
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
|
372
|
+
# PKey::PKey#verify_recover instead.
|
373
|
+
def private_encrypt(string, padding = PKCS1_PADDING)
|
374
|
+
n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
|
375
|
+
private? or raise OpenSSL::PKey::RSAError, "private key needed."
|
376
|
+
begin
|
377
|
+
sign_raw(nil, string, {
|
378
|
+
"rsa_padding_mode" => translate_padding_mode(padding),
|
379
|
+
})
|
380
|
+
rescue OpenSSL::PKey::PKeyError
|
381
|
+
raise OpenSSL::PKey::RSAError, $!.message
|
382
|
+
end
|
383
|
+
end
|
384
|
+
|
385
|
+
# :call-seq:
|
386
|
+
# rsa.public_decrypt(string) -> String
|
387
|
+
# rsa.public_decrypt(string, padding) -> String
|
388
|
+
#
|
389
|
+
# Decrypt +string+, which has been encrypted with the private key, with the
|
390
|
+
# public key. +padding+ defaults to PKCS1_PADDING which is known to be
|
391
|
+
# insecure but is kept for backwards compatibility.
|
392
|
+
#
|
393
|
+
# <b>Deprecated in version 3.0</b>.
|
394
|
+
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
|
395
|
+
# PKey::PKey#verify_recover instead.
|
396
|
+
def public_decrypt(string, padding = PKCS1_PADDING)
|
397
|
+
n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
|
398
|
+
begin
|
399
|
+
verify_recover(nil, string, {
|
400
|
+
"rsa_padding_mode" => translate_padding_mode(padding),
|
401
|
+
})
|
402
|
+
rescue OpenSSL::PKey::PKeyError
|
403
|
+
raise OpenSSL::PKey::RSAError, $!.message
|
404
|
+
end
|
405
|
+
end
|
406
|
+
|
407
|
+
# :call-seq:
|
408
|
+
# rsa.public_encrypt(string) -> String
|
409
|
+
# rsa.public_encrypt(string, padding) -> String
|
410
|
+
#
|
411
|
+
# Encrypt +string+ with the public key. +padding+ defaults to
|
412
|
+
# PKCS1_PADDING, which is known to be insecure but is kept for backwards
|
413
|
+
# compatibility. The encrypted string output can be decrypted using
|
414
|
+
# #private_decrypt.
|
415
|
+
#
|
416
|
+
# <b>Deprecated in version 3.0</b>.
|
417
|
+
# Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
|
418
|
+
def public_encrypt(data, padding = PKCS1_PADDING)
|
419
|
+
n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
|
420
|
+
begin
|
421
|
+
encrypt(data, {
|
422
|
+
"rsa_padding_mode" => translate_padding_mode(padding),
|
423
|
+
})
|
424
|
+
rescue OpenSSL::PKey::PKeyError
|
425
|
+
raise OpenSSL::PKey::RSAError, $!.message
|
426
|
+
end
|
427
|
+
end
|
428
|
+
|
429
|
+
# :call-seq:
|
430
|
+
# rsa.private_decrypt(string) -> String
|
431
|
+
# rsa.private_decrypt(string, padding) -> String
|
432
|
+
#
|
433
|
+
# Decrypt +string+, which has been encrypted with the public key, with the
|
434
|
+
# private key. +padding+ defaults to PKCS1_PADDING, which is known to be
|
435
|
+
# insecure but is kept for backwards compatibility.
|
436
|
+
#
|
437
|
+
# <b>Deprecated in version 3.0</b>.
|
438
|
+
# Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
|
439
|
+
def private_decrypt(data, padding = PKCS1_PADDING)
|
440
|
+
n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
|
441
|
+
private? or raise OpenSSL::PKey::RSAError, "private key needed."
|
442
|
+
begin
|
443
|
+
decrypt(data, {
|
444
|
+
"rsa_padding_mode" => translate_padding_mode(padding),
|
445
|
+
})
|
446
|
+
rescue OpenSSL::PKey::PKeyError
|
447
|
+
raise OpenSSL::PKey::RSAError, $!.message
|
448
|
+
end
|
449
|
+
end
|
450
|
+
|
451
|
+
PKCS1_PADDING = 1
|
452
|
+
SSLV23_PADDING = 2
|
453
|
+
NO_PADDING = 3
|
454
|
+
PKCS1_OAEP_PADDING = 4
|
455
|
+
|
456
|
+
private def translate_padding_mode(num)
|
457
|
+
case num
|
458
|
+
when PKCS1_PADDING
|
459
|
+
"pkcs1"
|
460
|
+
when SSLV23_PADDING
|
461
|
+
"sslv23"
|
462
|
+
when NO_PADDING
|
463
|
+
"none"
|
464
|
+
when PKCS1_OAEP_PADDING
|
465
|
+
"oaep"
|
466
|
+
else
|
467
|
+
raise OpenSSL::PKey::PKeyError, "unsupported padding mode"
|
468
|
+
end
|
469
|
+
end
|
41
470
|
end
|
42
471
|
end
|
data/lib/openssl/ssl.rb
CHANGED
@@ -11,6 +11,9 @@
|
|
11
11
|
=end
|
12
12
|
|
13
13
|
require "openssl/buffering"
|
14
|
+
|
15
|
+
if defined?(OpenSSL::SSL)
|
16
|
+
|
14
17
|
require "io/nonblock"
|
15
18
|
require "ipaddr"
|
16
19
|
require "socket"
|
@@ -91,15 +94,17 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
91
94
|
DEFAULT_CERT_STORE.set_default_paths
|
92
95
|
DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
|
93
96
|
|
94
|
-
# A callback invoked when DH parameters are required
|
97
|
+
# A callback invoked when DH parameters are required for ephemeral DH key
|
98
|
+
# exchange.
|
95
99
|
#
|
96
|
-
# The callback is invoked with the
|
100
|
+
# The callback is invoked with the SSLSocket, a
|
97
101
|
# flag indicating the use of an export cipher and the keylength
|
98
102
|
# required.
|
99
103
|
#
|
100
104
|
# The callback must return an OpenSSL::PKey::DH instance of the correct
|
101
105
|
# key length.
|
102
|
-
|
106
|
+
#
|
107
|
+
# <b>Deprecated in version 3.0.</b> Use #tmp_dh= instead.
|
103
108
|
attr_accessor :tmp_dh_callback
|
104
109
|
|
105
110
|
# A callback invoked at connect time to distinguish between multiple
|
@@ -122,6 +127,8 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
122
127
|
def initialize(version = nil)
|
123
128
|
self.options |= OpenSSL::SSL::OP_ALL
|
124
129
|
self.ssl_version = version if version
|
130
|
+
self.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
131
|
+
self.verify_hostname = false
|
125
132
|
end
|
126
133
|
|
127
134
|
##
|
@@ -236,7 +243,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
236
243
|
def fileno
|
237
244
|
to_io.fileno
|
238
245
|
end
|
239
|
-
|
246
|
+
|
240
247
|
def addr
|
241
248
|
to_io.addr
|
242
249
|
end
|
@@ -430,10 +437,6 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
430
437
|
@context.tmp_dh_callback || OpenSSL::SSL::SSLContext::DEFAULT_TMP_DH_CALLBACK
|
431
438
|
end
|
432
439
|
|
433
|
-
def tmp_ecdh_callback
|
434
|
-
@context.tmp_ecdh_callback
|
435
|
-
end
|
436
|
-
|
437
440
|
def session_new_cb
|
438
441
|
@context.session_new_cb
|
439
442
|
end
|
@@ -540,3 +543,5 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
540
543
|
end
|
541
544
|
end
|
542
545
|
end
|
546
|
+
|
547
|
+
end
|
data/lib/openssl/version.rb
CHANGED
data/lib/openssl/x509.rb
CHANGED
@@ -279,11 +279,29 @@ module OpenSSL
|
|
279
279
|
end
|
280
280
|
|
281
281
|
class << self
|
282
|
+
# Parses the UTF-8 string representation of a distinguished name,
|
283
|
+
# according to RFC 2253.
|
284
|
+
#
|
285
|
+
# See also #to_utf8 for the opposite operation.
|
282
286
|
def parse_rfc2253(str, template=OBJECT_TYPE_TEMPLATE)
|
283
287
|
ary = OpenSSL::X509::Name::RFC2253DN.scan(str)
|
284
288
|
self.new(ary, template)
|
285
289
|
end
|
286
290
|
|
291
|
+
# Parses the string representation of a distinguished name. Two
|
292
|
+
# different forms are supported:
|
293
|
+
#
|
294
|
+
# - \OpenSSL format (<tt>X509_NAME_oneline()</tt>) used by
|
295
|
+
# <tt>#to_s</tt>. For example: <tt>/DC=com/DC=example/CN=nobody</tt>
|
296
|
+
# - \OpenSSL format (<tt>X509_NAME_print()</tt>)
|
297
|
+
# used by <tt>#to_s(OpenSSL::X509::Name::COMPAT)</tt>. For example:
|
298
|
+
# <tt>DC=com, DC=example, CN=nobody</tt>
|
299
|
+
#
|
300
|
+
# Neither of them is standardized and has quirks and inconsistencies
|
301
|
+
# in handling of escaped characters or multi-valued RDNs.
|
302
|
+
#
|
303
|
+
# Use of this method is discouraged in new applications. See
|
304
|
+
# Name.parse_rfc2253 and #to_utf8 for the alternative.
|
287
305
|
def parse_openssl(str, template=OBJECT_TYPE_TEMPLATE)
|
288
306
|
if str.start_with?("/")
|
289
307
|
# /A=B/C=D format
|
@@ -338,6 +356,10 @@ module OpenSSL
|
|
338
356
|
q.text 'not_after='; q.pp self.not_after
|
339
357
|
}
|
340
358
|
end
|
359
|
+
|
360
|
+
def self.load_file(path)
|
361
|
+
load(File.binread(path))
|
362
|
+
end
|
341
363
|
end
|
342
364
|
|
343
365
|
class CRL
|
data/lib/openssl.rb
CHANGED
@@ -15,7 +15,6 @@ require 'openssl.so'
|
|
15
15
|
require_relative 'openssl/bn'
|
16
16
|
require_relative 'openssl/pkey'
|
17
17
|
require_relative 'openssl/cipher'
|
18
|
-
require_relative 'openssl/config'
|
19
18
|
require_relative 'openssl/digest'
|
20
19
|
require_relative 'openssl/hmac'
|
21
20
|
require_relative 'openssl/x509'
|