openssl 2.2.1 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +32 -44
- data/History.md +103 -1
- data/ext/openssl/extconf.rb +24 -26
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +26 -45
- data/ext/openssl/ossl.c +59 -46
- data/ext/openssl/ossl.h +20 -6
- data/ext/openssl/ossl_asn1.c +16 -4
- data/ext/openssl/ossl_bn.c +188 -126
- data/ext/openssl/ossl_cipher.c +11 -11
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +9 -9
- data/ext/openssl/ossl_engine.c +16 -15
- data/ext/openssl/ossl_hmac.c +48 -135
- data/ext/openssl/ossl_kdf.c +8 -0
- data/ext/openssl/ossl_ocsp.c +3 -51
- data/ext/openssl/ossl_pkcs12.c +21 -3
- data/ext/openssl/ossl_pkcs7.c +42 -59
- data/ext/openssl/ossl_pkey.c +1102 -191
- data/ext/openssl/ossl_pkey.h +35 -72
- data/ext/openssl/ossl_pkey_dh.c +124 -334
- data/ext/openssl/ossl_pkey_dsa.c +93 -398
- data/ext/openssl/ossl_pkey_ec.c +126 -318
- data/ext/openssl/ossl_pkey_rsa.c +100 -487
- data/ext/openssl/ossl_ssl.c +256 -355
- data/ext/openssl/ossl_ssl_session.c +24 -29
- data/ext/openssl/ossl_ts.c +35 -20
- data/ext/openssl/ossl_x509.c +0 -6
- data/ext/openssl/ossl_x509cert.c +164 -8
- data/ext/openssl/ossl_x509crl.c +10 -7
- data/ext/openssl/ossl_x509ext.c +1 -2
- data/ext/openssl/ossl_x509name.c +9 -2
- data/ext/openssl/ossl_x509req.c +10 -7
- data/ext/openssl/ossl_x509store.c +154 -70
- data/lib/openssl/buffering.rb +9 -0
- data/lib/openssl/hmac.rb +65 -0
- data/lib/openssl/pkey.rb +417 -0
- data/lib/openssl/ssl.rb +7 -7
- data/lib/openssl/version.rb +1 -1
- data/lib/openssl/x509.rb +22 -0
- data/lib/openssl.rb +0 -1
- metadata +4 -76
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -501
@@ -52,8 +52,15 @@ struct ossl_verify_cb_args {
|
|
52
52
|
};
|
53
53
|
|
54
54
|
static VALUE
|
55
|
-
|
55
|
+
ossl_x509stctx_new_i(VALUE arg)
|
56
56
|
{
|
57
|
+
return ossl_x509stctx_new((X509_STORE_CTX *)arg);
|
58
|
+
}
|
59
|
+
|
60
|
+
static VALUE
|
61
|
+
call_verify_cb_proc(VALUE arg)
|
62
|
+
{
|
63
|
+
struct ossl_verify_cb_args *args = (struct ossl_verify_cb_args *)arg;
|
57
64
|
return rb_funcall(args->proc, rb_intern("call"), 2,
|
58
65
|
args->preverify_ok, args->store_ctx);
|
59
66
|
}
|
@@ -69,7 +76,7 @@ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
|
|
69
76
|
return ok;
|
70
77
|
|
71
78
|
ret = Qfalse;
|
72
|
-
rctx = rb_protect(
|
79
|
+
rctx = rb_protect(ossl_x509stctx_new_i, (VALUE)ctx, &state);
|
73
80
|
if (state) {
|
74
81
|
rb_set_errinfo(Qnil);
|
75
82
|
rb_warn("StoreContext initialization failure");
|
@@ -78,7 +85,7 @@ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
|
|
78
85
|
args.proc = proc;
|
79
86
|
args.preverify_ok = ok ? Qtrue : Qfalse;
|
80
87
|
args.store_ctx = rctx;
|
81
|
-
ret = rb_protect(
|
88
|
+
ret = rb_protect(call_verify_cb_proc, (VALUE)&args, &state);
|
82
89
|
if (state) {
|
83
90
|
rb_set_errinfo(Qnil);
|
84
91
|
rb_warn("exception in verify_callback is ignored");
|
@@ -164,9 +171,8 @@ ossl_x509store_alloc(VALUE klass)
|
|
164
171
|
VALUE obj;
|
165
172
|
|
166
173
|
obj = NewX509Store(klass);
|
167
|
-
if((store = X509_STORE_new()) == NULL)
|
168
|
-
ossl_raise(eX509StoreError,
|
169
|
-
}
|
174
|
+
if ((store = X509_STORE_new()) == NULL)
|
175
|
+
ossl_raise(eX509StoreError, "X509_STORE_new");
|
170
176
|
SetX509Store(obj, store);
|
171
177
|
|
172
178
|
return obj;
|
@@ -199,8 +205,9 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
|
|
199
205
|
{
|
200
206
|
X509_STORE *store;
|
201
207
|
|
202
|
-
/* BUG: This method takes any number of arguments but appears to ignore them. */
|
203
208
|
GetX509Store(self, store);
|
209
|
+
if (argc != 0)
|
210
|
+
rb_warn("OpenSSL::X509::Store.new does not take any arguments");
|
204
211
|
#if !defined(HAVE_OPAQUE_OPENSSL)
|
205
212
|
/* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */
|
206
213
|
store->ex_data.sk = NULL;
|
@@ -221,8 +228,16 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
|
|
221
228
|
* call-seq:
|
222
229
|
* store.flags = flags
|
223
230
|
*
|
224
|
-
* Sets
|
225
|
-
*
|
231
|
+
* Sets the default flags used by certificate chain verification performed with
|
232
|
+
* the Store.
|
233
|
+
*
|
234
|
+
* _flags_ consists of zero or more of the constants defined in OpenSSL::X509
|
235
|
+
* with name V_FLAG_* or'ed together.
|
236
|
+
*
|
237
|
+
* OpenSSL::X509::StoreContext#flags= can be used to change the flags for a
|
238
|
+
* single verification operation.
|
239
|
+
*
|
240
|
+
* See also the man page X509_VERIFY_PARAM_set_flags(3).
|
226
241
|
*/
|
227
242
|
static VALUE
|
228
243
|
ossl_x509store_set_flags(VALUE self, VALUE flags)
|
@@ -240,9 +255,9 @@ ossl_x509store_set_flags(VALUE self, VALUE flags)
|
|
240
255
|
* call-seq:
|
241
256
|
* store.purpose = purpose
|
242
257
|
*
|
243
|
-
* Sets the store's
|
244
|
-
* the store will check every
|
245
|
-
* with the purpose. The purpose is specified by constants:
|
258
|
+
* Sets the store's default verification purpose. If specified,
|
259
|
+
* the verifications on the store will check every certificate's extensions are
|
260
|
+
* consistent with the purpose. The purpose is specified by constants:
|
246
261
|
*
|
247
262
|
* * X509::PURPOSE_SSL_CLIENT
|
248
263
|
* * X509::PURPOSE_SSL_SERVER
|
@@ -253,6 +268,11 @@ ossl_x509store_set_flags(VALUE self, VALUE flags)
|
|
253
268
|
* * X509::PURPOSE_ANY
|
254
269
|
* * X509::PURPOSE_OCSP_HELPER
|
255
270
|
* * X509::PURPOSE_TIMESTAMP_SIGN
|
271
|
+
*
|
272
|
+
* OpenSSL::X509::StoreContext#purpose= can be used to change the value for a
|
273
|
+
* single verification operation.
|
274
|
+
*
|
275
|
+
* See also the man page X509_VERIFY_PARAM_set_purpose(3).
|
256
276
|
*/
|
257
277
|
static VALUE
|
258
278
|
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
|
@@ -269,6 +289,14 @@ ossl_x509store_set_purpose(VALUE self, VALUE purpose)
|
|
269
289
|
/*
|
270
290
|
* call-seq:
|
271
291
|
* store.trust = trust
|
292
|
+
*
|
293
|
+
* Sets the default trust settings used by the certificate verification with
|
294
|
+
* the store.
|
295
|
+
*
|
296
|
+
* OpenSSL::X509::StoreContext#trust= can be used to change the value for a
|
297
|
+
* single verification operation.
|
298
|
+
*
|
299
|
+
* See also the man page X509_VERIFY_PARAM_set_trust(3).
|
272
300
|
*/
|
273
301
|
static VALUE
|
274
302
|
ossl_x509store_set_trust(VALUE self, VALUE trust)
|
@@ -286,7 +314,13 @@ ossl_x509store_set_trust(VALUE self, VALUE trust)
|
|
286
314
|
* call-seq:
|
287
315
|
* store.time = time
|
288
316
|
*
|
289
|
-
* Sets the time to be used in verifications.
|
317
|
+
* Sets the time to be used in the certificate verifications with the store.
|
318
|
+
* By default, if not specified, the current system time is used.
|
319
|
+
*
|
320
|
+
* OpenSSL::X509::StoreContext#time= can be used to change the value for a
|
321
|
+
* single verification operation.
|
322
|
+
*
|
323
|
+
* See also the man page X509_VERIFY_PARAM_set_time(3).
|
290
324
|
*/
|
291
325
|
static VALUE
|
292
326
|
ossl_x509store_set_time(VALUE self, VALUE time)
|
@@ -302,23 +336,23 @@ ossl_x509store_set_time(VALUE self, VALUE time)
|
|
302
336
|
* Adds the certificates in _file_ to the certificate store. _file_ is the path
|
303
337
|
* to the file, and the file contains one or more certificates in PEM format
|
304
338
|
* concatenated together.
|
339
|
+
*
|
340
|
+
* See also the man page X509_LOOKUP_file(3).
|
305
341
|
*/
|
306
342
|
static VALUE
|
307
343
|
ossl_x509store_add_file(VALUE self, VALUE file)
|
308
344
|
{
|
309
345
|
X509_STORE *store;
|
310
346
|
X509_LOOKUP *lookup;
|
311
|
-
char *path
|
347
|
+
const char *path;
|
312
348
|
|
313
|
-
if(file != Qnil){
|
314
|
-
path = StringValueCStr(file);
|
315
|
-
}
|
316
349
|
GetX509Store(self, store);
|
350
|
+
path = StringValueCStr(file);
|
317
351
|
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
|
318
|
-
if(lookup
|
319
|
-
|
320
|
-
|
321
|
-
|
352
|
+
if (!lookup)
|
353
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
|
354
|
+
if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1)
|
355
|
+
ossl_raise(eX509StoreError, "X509_LOOKUP_load_file");
|
322
356
|
#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
|
323
357
|
/*
|
324
358
|
* X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
|
@@ -337,23 +371,23 @@ ossl_x509store_add_file(VALUE self, VALUE file)
|
|
337
371
|
* store.add_path(path) -> self
|
338
372
|
*
|
339
373
|
* Adds _path_ as the hash dir to be looked up by the store.
|
374
|
+
*
|
375
|
+
* See also the man page X509_LOOKUP_hash_dir(3).
|
340
376
|
*/
|
341
377
|
static VALUE
|
342
378
|
ossl_x509store_add_path(VALUE self, VALUE dir)
|
343
379
|
{
|
344
380
|
X509_STORE *store;
|
345
381
|
X509_LOOKUP *lookup;
|
346
|
-
char *path
|
382
|
+
const char *path;
|
347
383
|
|
348
|
-
if(dir != Qnil){
|
349
|
-
path = StringValueCStr(dir);
|
350
|
-
}
|
351
384
|
GetX509Store(self, store);
|
385
|
+
path = StringValueCStr(dir);
|
352
386
|
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
|
353
|
-
if(lookup
|
354
|
-
|
355
|
-
|
356
|
-
|
387
|
+
if (!lookup)
|
388
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
|
389
|
+
if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1)
|
390
|
+
ossl_raise(eX509StoreError, "X509_LOOKUP_add_dir");
|
357
391
|
|
358
392
|
return self;
|
359
393
|
}
|
@@ -368,6 +402,8 @@ ossl_x509store_add_path(VALUE self, VALUE dir)
|
|
368
402
|
*
|
369
403
|
* * OpenSSL::X509::DEFAULT_CERT_FILE
|
370
404
|
* * OpenSSL::X509::DEFAULT_CERT_DIR
|
405
|
+
*
|
406
|
+
* See also the man page X509_STORE_set_default_paths(3).
|
371
407
|
*/
|
372
408
|
static VALUE
|
373
409
|
ossl_x509store_set_default_paths(VALUE self)
|
@@ -375,18 +411,19 @@ ossl_x509store_set_default_paths(VALUE self)
|
|
375
411
|
X509_STORE *store;
|
376
412
|
|
377
413
|
GetX509Store(self, store);
|
378
|
-
if (X509_STORE_set_default_paths(store) != 1)
|
379
|
-
ossl_raise(eX509StoreError,
|
380
|
-
}
|
414
|
+
if (X509_STORE_set_default_paths(store) != 1)
|
415
|
+
ossl_raise(eX509StoreError, "X509_STORE_set_default_paths");
|
381
416
|
|
382
417
|
return Qnil;
|
383
418
|
}
|
384
419
|
|
385
420
|
/*
|
386
421
|
* call-seq:
|
387
|
-
* store.add_cert(cert)
|
422
|
+
* store.add_cert(cert) -> self
|
388
423
|
*
|
389
424
|
* Adds the OpenSSL::X509::Certificate _cert_ to the certificate store.
|
425
|
+
*
|
426
|
+
* See also the man page X509_STORE_add_cert(3).
|
390
427
|
*/
|
391
428
|
static VALUE
|
392
429
|
ossl_x509store_add_cert(VALUE self, VALUE arg)
|
@@ -396,9 +433,8 @@ ossl_x509store_add_cert(VALUE self, VALUE arg)
|
|
396
433
|
|
397
434
|
cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
|
398
435
|
GetX509Store(self, store);
|
399
|
-
if (X509_STORE_add_cert(store, cert) != 1)
|
400
|
-
ossl_raise(eX509StoreError,
|
401
|
-
}
|
436
|
+
if (X509_STORE_add_cert(store, cert) != 1)
|
437
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_cert");
|
402
438
|
|
403
439
|
return self;
|
404
440
|
}
|
@@ -408,6 +444,8 @@ ossl_x509store_add_cert(VALUE self, VALUE arg)
|
|
408
444
|
* store.add_crl(crl) -> self
|
409
445
|
*
|
410
446
|
* Adds the OpenSSL::X509::CRL _crl_ to the store.
|
447
|
+
*
|
448
|
+
* See also the man page X509_STORE_add_crl(3).
|
411
449
|
*/
|
412
450
|
static VALUE
|
413
451
|
ossl_x509store_add_crl(VALUE self, VALUE arg)
|
@@ -417,9 +455,8 @@ ossl_x509store_add_crl(VALUE self, VALUE arg)
|
|
417
455
|
|
418
456
|
crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */
|
419
457
|
GetX509Store(self, store);
|
420
|
-
if (X509_STORE_add_crl(store, crl) != 1)
|
421
|
-
ossl_raise(eX509StoreError,
|
422
|
-
}
|
458
|
+
if (X509_STORE_add_crl(store, crl) != 1)
|
459
|
+
ossl_raise(eX509StoreError, "X509_STORE_add_crl");
|
423
460
|
|
424
461
|
return self;
|
425
462
|
}
|
@@ -499,9 +536,8 @@ ossl_x509stctx_alloc(VALUE klass)
|
|
499
536
|
VALUE obj;
|
500
537
|
|
501
538
|
obj = NewX509StCtx(klass);
|
502
|
-
if((ctx = X509_STORE_CTX_new()) == NULL)
|
503
|
-
ossl_raise(eX509StoreError,
|
504
|
-
}
|
539
|
+
if ((ctx = X509_STORE_CTX_new()) == NULL)
|
540
|
+
ossl_raise(eX509StoreError, "X509_STORE_CTX_new");
|
505
541
|
SetX509StCtx(obj, ctx);
|
506
542
|
|
507
543
|
return obj;
|
@@ -567,6 +603,10 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
|
|
567
603
|
/*
|
568
604
|
* call-seq:
|
569
605
|
* stctx.verify -> true | false
|
606
|
+
*
|
607
|
+
* Performs the certificate verification using the parameters set to _stctx_.
|
608
|
+
*
|
609
|
+
* See also the man page X509_verify_cert(3).
|
570
610
|
*/
|
571
611
|
static VALUE
|
572
612
|
ossl_x509stctx_verify(VALUE self)
|
@@ -579,48 +619,45 @@ ossl_x509stctx_verify(VALUE self)
|
|
579
619
|
|
580
620
|
switch (X509_verify_cert(ctx)) {
|
581
621
|
case 1:
|
582
|
-
|
622
|
+
return Qtrue;
|
583
623
|
case 0:
|
584
|
-
|
585
|
-
|
624
|
+
ossl_clear_error();
|
625
|
+
return Qfalse;
|
586
626
|
default:
|
587
|
-
|
627
|
+
ossl_raise(eX509CertError, "X509_verify_cert");
|
588
628
|
}
|
589
629
|
}
|
590
630
|
|
591
631
|
/*
|
592
632
|
* call-seq:
|
593
|
-
* stctx.chain -> Array of X509::Certificate
|
633
|
+
* stctx.chain -> nil | Array of X509::Certificate
|
634
|
+
*
|
635
|
+
* Returns the verified chain.
|
636
|
+
*
|
637
|
+
* See also the man page X509_STORE_CTX_set0_verified_chain(3).
|
594
638
|
*/
|
595
639
|
static VALUE
|
596
640
|
ossl_x509stctx_get_chain(VALUE self)
|
597
641
|
{
|
598
642
|
X509_STORE_CTX *ctx;
|
599
|
-
STACK_OF(X509) *chain;
|
600
|
-
X509 *x509;
|
601
|
-
int i, num;
|
602
|
-
VALUE ary;
|
643
|
+
const STACK_OF(X509) *chain;
|
603
644
|
|
604
645
|
GetX509StCtx(self, ctx);
|
605
|
-
|
606
|
-
|
607
|
-
|
608
|
-
|
609
|
-
OSSL_Debug("certs in chain < 0???");
|
610
|
-
return rb_ary_new();
|
611
|
-
}
|
612
|
-
ary = rb_ary_new2(num);
|
613
|
-
for(i = 0; i < num; i++) {
|
614
|
-
x509 = sk_X509_value(chain, i);
|
615
|
-
rb_ary_push(ary, ossl_x509_new(x509));
|
616
|
-
}
|
617
|
-
|
618
|
-
return ary;
|
646
|
+
chain = X509_STORE_CTX_get0_chain(ctx);
|
647
|
+
if (!chain)
|
648
|
+
return Qnil; /* Could be an empty array instead? */
|
649
|
+
return ossl_x509_sk2ary(chain);
|
619
650
|
}
|
620
651
|
|
621
652
|
/*
|
622
653
|
* call-seq:
|
623
654
|
* stctx.error -> Integer
|
655
|
+
*
|
656
|
+
* Returns the error code of _stctx_. This is typically called after #verify
|
657
|
+
* is done, or from the verification callback set to
|
658
|
+
* OpenSSL::X509::Store#verify_callback=.
|
659
|
+
*
|
660
|
+
* See also the man page X509_STORE_CTX_get_error(3).
|
624
661
|
*/
|
625
662
|
static VALUE
|
626
663
|
ossl_x509stctx_get_err(VALUE self)
|
@@ -635,6 +672,11 @@ ossl_x509stctx_get_err(VALUE self)
|
|
635
672
|
/*
|
636
673
|
* call-seq:
|
637
674
|
* stctx.error = error_code
|
675
|
+
*
|
676
|
+
* Sets the error code of _stctx_. This is used by the verification callback
|
677
|
+
* set to OpenSSL::X509::Store#verify_callback=.
|
678
|
+
*
|
679
|
+
* See also the man page X509_STORE_CTX_set_error(3).
|
638
680
|
*/
|
639
681
|
static VALUE
|
640
682
|
ossl_x509stctx_set_error(VALUE self, VALUE err)
|
@@ -651,7 +693,10 @@ ossl_x509stctx_set_error(VALUE self, VALUE err)
|
|
651
693
|
* call-seq:
|
652
694
|
* stctx.error_string -> String
|
653
695
|
*
|
654
|
-
* Returns the error string corresponding to the error code
|
696
|
+
* Returns the human readable error string corresponding to the error code
|
697
|
+
* retrieved by #error.
|
698
|
+
*
|
699
|
+
* See also the man page X509_verify_cert_error_string(3).
|
655
700
|
*/
|
656
701
|
static VALUE
|
657
702
|
ossl_x509stctx_get_err_string(VALUE self)
|
@@ -668,6 +713,10 @@ ossl_x509stctx_get_err_string(VALUE self)
|
|
668
713
|
/*
|
669
714
|
* call-seq:
|
670
715
|
* stctx.error_depth -> Integer
|
716
|
+
*
|
717
|
+
* Returns the depth of the chain. This is used in combination with #error.
|
718
|
+
*
|
719
|
+
* See also the man page X509_STORE_CTX_get_error_depth(3).
|
671
720
|
*/
|
672
721
|
static VALUE
|
673
722
|
ossl_x509stctx_get_err_depth(VALUE self)
|
@@ -682,6 +731,10 @@ ossl_x509stctx_get_err_depth(VALUE self)
|
|
682
731
|
/*
|
683
732
|
* call-seq:
|
684
733
|
* stctx.current_cert -> X509::Certificate
|
734
|
+
*
|
735
|
+
* Returns the certificate which caused the error.
|
736
|
+
*
|
737
|
+
* See also the man page X509_STORE_CTX_get_current_cert(3).
|
685
738
|
*/
|
686
739
|
static VALUE
|
687
740
|
ossl_x509stctx_get_curr_cert(VALUE self)
|
@@ -696,6 +749,10 @@ ossl_x509stctx_get_curr_cert(VALUE self)
|
|
696
749
|
/*
|
697
750
|
* call-seq:
|
698
751
|
* stctx.current_crl -> X509::CRL
|
752
|
+
*
|
753
|
+
* Returns the CRL which caused the error.
|
754
|
+
*
|
755
|
+
* See also the man page X509_STORE_CTX_get_current_crl(3).
|
699
756
|
*/
|
700
757
|
static VALUE
|
701
758
|
ossl_x509stctx_get_curr_crl(VALUE self)
|
@@ -715,7 +772,10 @@ ossl_x509stctx_get_curr_crl(VALUE self)
|
|
715
772
|
* call-seq:
|
716
773
|
* stctx.flags = flags
|
717
774
|
*
|
718
|
-
* Sets the verification flags to the context.
|
775
|
+
* Sets the verification flags to the context. This overrides the default value
|
776
|
+
* set by Store#flags=.
|
777
|
+
*
|
778
|
+
* See also the man page X509_VERIFY_PARAM_set_flags(3).
|
719
779
|
*/
|
720
780
|
static VALUE
|
721
781
|
ossl_x509stctx_set_flags(VALUE self, VALUE flags)
|
@@ -733,7 +793,10 @@ ossl_x509stctx_set_flags(VALUE self, VALUE flags)
|
|
733
793
|
* call-seq:
|
734
794
|
* stctx.purpose = purpose
|
735
795
|
*
|
736
|
-
* Sets the purpose of the context.
|
796
|
+
* Sets the purpose of the context. This overrides the default value set by
|
797
|
+
* Store#purpose=.
|
798
|
+
*
|
799
|
+
* See also the man page X509_VERIFY_PARAM_set_purpose(3).
|
737
800
|
*/
|
738
801
|
static VALUE
|
739
802
|
ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
|
@@ -750,6 +813,11 @@ ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
|
|
750
813
|
/*
|
751
814
|
* call-seq:
|
752
815
|
* stctx.trust = trust
|
816
|
+
*
|
817
|
+
* Sets the trust settings of the context. This overrides the default value set
|
818
|
+
* by Store#trust=.
|
819
|
+
*
|
820
|
+
* See also the man page X509_VERIFY_PARAM_set_trust(3).
|
753
821
|
*/
|
754
822
|
static VALUE
|
755
823
|
ossl_x509stctx_set_trust(VALUE self, VALUE trust)
|
@@ -768,6 +836,8 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust)
|
|
768
836
|
* stctx.time = time
|
769
837
|
*
|
770
838
|
* Sets the time used in the verification. If not set, the current time is used.
|
839
|
+
*
|
840
|
+
* See also the man page X509_VERIFY_PARAM_set_time(3).
|
771
841
|
*/
|
772
842
|
static VALUE
|
773
843
|
ossl_x509stctx_set_time(VALUE self, VALUE time)
|
@@ -843,23 +913,37 @@ Init_ossl_x509store(void)
|
|
843
913
|
cX509Store = rb_define_class_under(mX509, "Store", rb_cObject);
|
844
914
|
/*
|
845
915
|
* The callback for additional certificate verification. It is invoked for
|
846
|
-
* each
|
916
|
+
* each certificate in the chain and can be used to implement custom
|
917
|
+
* certificate verification conditions.
|
847
918
|
*
|
848
919
|
* The callback is invoked with two values, a boolean that indicates if the
|
849
920
|
* pre-verification by OpenSSL has succeeded or not, and the StoreContext in
|
850
|
-
* use.
|
921
|
+
* use.
|
922
|
+
*
|
923
|
+
* The callback can use StoreContext#error= to change the error code as
|
924
|
+
* needed. The callback must return either true or false.
|
925
|
+
*
|
926
|
+
* NOTE: any exception raised within the callback will be ignored.
|
927
|
+
*
|
928
|
+
* See also the man page X509_STORE_CTX_set_verify_cb(3).
|
851
929
|
*/
|
852
930
|
rb_attr(cX509Store, rb_intern("verify_callback"), 1, 0, Qfalse);
|
853
931
|
/*
|
854
932
|
* The error code set by the last call of #verify.
|
933
|
+
*
|
934
|
+
* See also StoreContext#error.
|
855
935
|
*/
|
856
936
|
rb_attr(cX509Store, rb_intern("error"), 1, 0, Qfalse);
|
857
937
|
/*
|
858
938
|
* The description for the error code set by the last call of #verify.
|
939
|
+
*
|
940
|
+
* See also StoreContext#error_string.
|
859
941
|
*/
|
860
942
|
rb_attr(cX509Store, rb_intern("error_string"), 1, 0, Qfalse);
|
861
943
|
/*
|
862
944
|
* The certificate chain constructed by the last call of #verify.
|
945
|
+
*
|
946
|
+
* See also StoreContext#chain.
|
863
947
|
*/
|
864
948
|
rb_attr(cX509Store, rb_intern("chain"), 1, 0, Qfalse);
|
865
949
|
rb_define_alloc_func(cX509Store, ossl_x509store_alloc);
|
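--- a/data/lib/openssl/buffering.rb
+++ b/data/lib/openssl/buffering.rb
@@ -101,6 +101,15 @@ module OpenSSL::Buffering
 
 public
 
+# call-seq:
+# ssl.getbyte => 81
+#
+# Get the next 8bit byte from `ssl`. Returns `nil` on EOF
+def getbyte
+byte = read(1)
+byte && byte.unpack1("C")
+end
+
 ##
 # Reads _size_ bytes from the stream. If _buf_ is provided it must
 # reference a string which will receive the data.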
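Review bot: The rdoc directive on new line 104 is spelled `# call-seq:` while hmac.rb in the same release uses the `# :call-seq:` form; one spelling should be used so the generated documentation treats both the same way. The description on line 107 would also be clearer as a contract, e.g. `# Reads and returns the next byte as an Integer (0..255), or +nil+ at EOF`, which matches what IO#getbyte promises. The body itself looks right: `read(1)` is expected to yield nil at EOF (Buffering#read is defined outside this hunk, so that is inferred from the comment on line 107 rather than visible code) and `unpack1("C")` turns the single byte into an Integer.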
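--- a/data/lib/openssl/hmac.rb
+++ b/data/lib/openssl/hmac.rb
@@ -9,5 +9,70 @@ module OpenSSL
 
 OpenSSL.fixed_length_secure_compare(self.digest, other.digest)
 end
+
+# :call-seq:
+# hmac.base64digest -> string
+#
+# Returns the authentication code an a Base64-encoded string.
+def base64digest
+[digest].pack("m0")
+end
+
+class << self
+# :call-seq:
+# HMAC.digest(digest, key, data) -> aString
+#
+# Returns the authentication code as a binary string. The _digest_ parameter
+# specifies the digest algorithm to use. This may be a String representing
+# the algorithm name or an instance of OpenSSL::Digest.
+#
+# === Example
+# key = 'key'
+# data = 'The quick brown fox jumps over the lazy dog'
+#
+# hmac = OpenSSL::HMAC.digest('SHA1', key, data)
+# #=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"
+def digest(digest, key, data)
+hmac = new(key, digest)
+hmac << data
+hmac.digest
+end
+
+# :call-seq:
+# HMAC.hexdigest(digest, key, data) -> aString
+#
+# Returns the authentication code as a hex-encoded string. The _digest_
+# parameter specifies the digest algorithm to use. This may be a String
+# representing the algorithm name or an instance of OpenSSL::Digest.
+#
+# === Example
+# key = 'key'
+# data = 'The quick brown fox jumps over the lazy dog'
+#
+# hmac = OpenSSL::HMAC.hexdigest('SHA1', key, data)
+# #=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
+def hexdigest(digest, key, data)
+hmac = new(key, digest)
+hmac << data
+hmac.hexdigest
+end
+
+# :call-seq:
+# HMAC.base64digest(digest, key, data) -> aString
+#
+# Returns the authentication code as a Base64-encoded string. The _digest_
+# parameter specifies the digest algorithm to use. This may be a String
+# representing the algorithm name or an instance of OpenSSL::Digest.
+#
+# === Example
+# key = 'key'
+# data = 'The quick brown fox jumps over the lazy dog'
+#
+# hmac = OpenSSL::HMAC.base64digest('SHA1', key, data)
+# #=> "3nybhbi3iqa8ino29wqQcBydtNk="
+def base64digest(digest, key, data)
+[digest(digest, key, data)].pack("m0")
+end
+end
 end
 end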
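Review bot: The doc comment on new line 16 has a typo, `# Returns the authentication code an a Base64-encoded string.` should read `# Returns the authentication code as a Base64-encoded string.`. In the singleton methods the parameter named `digest` shadows the `digest` method, so `base64digest` on line 74 only resolves `digest(digest, key, data)` to the method because of the parenthesized-call rule; `[self.digest(digest, key, data)].pack("m0")`, or a parameter name such as `digest_alg` in all three methods, would make the intent explicit. Since these helpers return plain Strings, the rdoc should also tell callers that a MAC received from a peer is compared with HMAC#== (the context line above shows it using OpenSSL.fixed_length_secure_compare; its `def` line is outside the hunk) rather than String#== on the hex or Base64 output, so the comparison does not leak timing information.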