[前][次][番号順一覧][スレッド一覧]

ruby-changes:14968

From: nahi <ko1@a...>
Date: Sun, 7 Mar 2010 06:49:03 +0900 (JST)
Subject: [ruby-changes:14968] Ruby:r26839 (ruby_1_8): * test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5.

nahi	2010-03-07 06:48:44 +0900 (Sun, 07 Mar 2010)

  New Revision: 26839

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=26839

  Log:
    * test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5.
              * PKey::PKey#verify raises an exception when a given PKey does not
                match with signature.
              * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1.

  Modified files:
    branches/ruby_1_8/ChangeLog
    branches/ruby_1_8/test/openssl/test_x509cert.rb
    branches/ruby_1_8/test/openssl/test_x509crl.rb
    branches/ruby_1_8/test/openssl/test_x509req.rb

Index: ruby_1_8/ChangeLog
===================================================================
--- ruby_1_8/ChangeLog	(revision 26838)
+++ ruby_1_8/ChangeLog	(revision 26839)
@@ -1,3 +1,10 @@
+Sun Mar  7 06:45:58 2010  NAKAMURA, Hiroshi  <nahi@r...>
+
+	* test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5.
+	  * PKey::PKey#verify raises an exception when a given PKey does not
+	    match with signature.
+	  * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1.
+
 Sun Mar  7 06:41:59 2010  NAKAMURA, Hiroshi  <nahi@r...>
 
 	* backport the commit from trunk:
Index: ruby_1_8/test/openssl/test_x509cert.rb
===================================================================
--- ruby_1_8/test/openssl/test_x509cert.rb	(revision 26838)
+++ ruby_1_8/test/openssl/test_x509cert.rb	(revision 26839)
@@ -129,13 +129,31 @@
 
   end
 
+  def test_sign_and_verify_wrong_key_type
+    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, cert_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::CertificateError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+
+    begin
+      assert_equal(false, cert_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::CertificateError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
+
   def test_sign_and_verify
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::SHA1.new)
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true,  cert.verify(@rsa2048))
-    assert_equal(false, cert.verify(@dsa256))
-    assert_equal(false, cert.verify(@dsa512))
     cert.serial = 2
     assert_equal(false, cert.verify(@rsa2048))
 
@@ -143,34 +161,45 @@
                       nil, nil, OpenSSL::Digest::MD5.new)
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true,  cert.verify(@rsa2048))
-    assert_equal(false, cert.verify(@dsa256))
-    assert_equal(false, cert.verify(@dsa512))
     cert.subject = @ee1
     assert_equal(false, cert.verify(@rsa2048))
 
     cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, cert.verify(@rsa1024))
-    assert_equal(false, cert.verify(@rsa2048))
     assert_equal(false, cert.verify(@dsa256))
     assert_equal(true,  cert.verify(@dsa512))
     cert.not_after = Time.now
     assert_equal(false, cert.verify(@dsa512))
+  end
 
-    assert_raise(OpenSSL::X509::CertificateError){
+  def test_dsig_algorithm_mismatch
+    assert_raise(OpenSSL::X509::CertificateError) do
       cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                         nil, nil, OpenSSL::Digest::DSS1.new)
-    }
-    assert_raise(OpenSSL::X509::CertificateError){
+    end
+    assert_raise(OpenSSL::X509::CertificateError) do
       cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
                         nil, nil, OpenSSL::Digest::MD5.new)
-    }
-    assert_raise(OpenSSL::X509::CertificateError){
-      cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::SHA1.new)
-    }
+    end
   end
 
+  def test_dsa_with_sha2
+    begin
+      cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
+                        nil, nil, OpenSSL::Digest::SHA256.new)
+      assert_equal("dsa_with_SHA256", cert.signature_algorithm)
+    rescue OpenSSL::X509::CertificateError
+      # dsa_with_sha2 not supported. skip following test.
+      return
+    end
+    # TODO: need more tests for dsa + sha2
+
+    # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requireds DSS1)
+    cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    assert_equal("dsaWithSHA1", cert.signature_algorithm)
+  end
+
   def test_check_private_key
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::SHA1.new)
Index: ruby_1_8/test/openssl/test_x509crl.rb
===================================================================
--- ruby_1_8/test/openssl/test_x509crl.rb	(revision 26838)
+++ ruby_1_8/test/openssl/test_x509crl.rb	(revision 26839)
@@ -190,6 +190,30 @@
     assert_match((2**100).to_s, crl.extensions[0].value)
   end
 
+  def test_sign_and_verify_wrong_key_type
+    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new)
+    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, crl_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::CRLError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+
+    begin
+      assert_equal(false, crl_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::CRLError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
+
   def test_sign_and_verify
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::SHA1.new)
@@ -197,8 +221,6 @@
                     cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     assert_equal(false, crl.verify(@rsa1024))
     assert_equal(true,  crl.verify(@rsa2048))
-    assert_equal(false, crl.verify(@dsa256))
-    assert_equal(false, crl.verify(@dsa512))
     crl.version = 0
     assert_equal(false, crl.verify(@rsa2048))
 
@@ -206,8 +228,6 @@
                       nil, nil, OpenSSL::Digest::DSS1.new)
     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
                     cert, @dsa512, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, crl.verify(@rsa1024))
-    assert_equal(false, crl.verify(@rsa2048))
     assert_equal(false, crl.verify(@dsa256))
     assert_equal(true,  crl.verify(@dsa512))
     crl.version = 0
Index: ruby_1_8/test/openssl/test_x509req.rb
===================================================================
--- ruby_1_8/test/openssl/test_x509req.rb	(revision 26838)
+++ ruby_1_8/test/openssl/test_x509req.rb	(revision 26839)
@@ -103,37 +103,51 @@
     assert_equal(exts, get_ext_req(attrs[1].value))
   end
 
+  def test_sign_and_verify_wrong_key_type
+    req_rsa = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+    req_dsa = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, req_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::RequestError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+
+    begin
+      assert_equal(false, req_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::RequestError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
+
   def test_sign_and_verify
     req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
     assert_equal(true,  req.verify(@rsa1024))
     assert_equal(false, req.verify(@rsa2048))
-    assert_equal(false, req.verify(@dsa256))
-    assert_equal(false, req.verify(@dsa512))
     req.version = 1
     assert_equal(false, req.verify(@rsa1024))
 
     req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new)
     assert_equal(false, req.verify(@rsa1024))
     assert_equal(true,  req.verify(@rsa2048))
-    assert_equal(false, req.verify(@dsa256))
-    assert_equal(false, req.verify(@dsa512))
     req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar")
     assert_equal(false, req.verify(@rsa2048))
 
     req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, req.verify(@rsa1024))
-    assert_equal(false, req.verify(@rsa2048))
     assert_equal(false, req.verify(@dsa256))
     assert_equal(true,  req.verify(@dsa512))
     req.public_key = @rsa1024.public_key
     assert_equal(false, req.verify(@dsa512))
+  end
 
-    assert_raise(OpenSSL::X509::RequestError){
-      issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) }
-    assert_raise(OpenSSL::X509::RequestError){
-      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) }
-    assert_raise(OpenSSL::X509::RequestError){
-      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) }
+  def test_dsig_algorithm_mismatch
+    assert_raise(OpenSSL::X509::RequestError) do
+      issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new)
+    end
+    assert_raise(OpenSSL::X509::RequestError) do
+      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new)
+    end
   end
 
   def test_create_from_pem

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/

[前][次][番号順一覧][スレッド一覧]