ruby-changes:69359
From: Kazuki <ko1@a...>
Date: Sat, 23 Oct 2021 13:40:23 +0900 (JST)
Subject: [ruby-changes:69359] 79d5abd01b (master): [ruby/openssl] test/openssl/test_pkcs12: fix test failures with OpenSSL 3.0
https://git.ruby-lang.org/ruby.git/commit/?id=79d5abd01b From 79d5abd01ba51b205aa7da2ec133da6230580682 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi <k@r...> Date: Thu, 13 Aug 2020 23:20:55 +0900 Subject: [ruby/openssl] test/openssl/test_pkcs12: fix test failures with OpenSSL 3.0 OpenSSL's PKCS12_create() by default uses pbewithSHAAnd40BitRC2-CBC for encryption of the certificates. However, in OpenSSL 3.0, the algorithm is part of the legacy provider and is not enabled by default. Specify another algorithm that is still in the default provider for these test cases. https://github.com/ruby/openssl/commit/998406d18f --- test/openssl/test_pkcs12.rb | 297 ++++++++++++++++++++++---------------------- 1 file changed, 149 insertions(+), 148 deletions(-) diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb index fdbe753b17..ec676743bc 100644 --- a/test/openssl/test_pkcs12.rb +++ b/test/openssl/test_pkcs12.rb @@ -5,6 +5,9 @@ if defined?(OpenSSL) https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkcs12.rb#L5 module OpenSSL class TestPKCS12 < OpenSSL::TestCase + DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES" + DEFAULT_PBE_CERTS = "PBE-SHA1-3DES" + def setup super ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") 
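Review bot: The new constants `DEFAULT_PBE_PKEYS` and `DEFAULT_PBE_CERTS` have no comment saying why this algorithm was picked, and the `DEFAULT_` prefix reads as if it were OpenSSL's own default. Per the commit message the value was chosen only because it is still in OpenSSL 3.0's default provider. PBE-SHA1-3DES is itself a dated scheme (SHA-1 based key derivation, triple-DES), so it should not be read as a recommendation for protecting real private keys. I would add above them `# Test-only: still in the default provider of OpenSSL 3.0; not a recommendation for new PKCS#12 files.` The class body continues outside the hunk.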
@@ -14,47 +17,41 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkcs12.rb#L17 ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","keyid:always",false], ] - @cacert = issue_cert(ca, Fixtures.pkey("rsa2048"), 1, ca_exts, nil, nil) + ca_key = Fixtures.pkey("rsa-1") + @cacert = issue_cert(ca, ca_key, 1, ca_exts, nil, nil) inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA") - inter_ca_key = OpenSSL::PKey.read <<-_EOS_ ------BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQDp7hIG0SFMG/VWv1dBUWziAPrNmkMXJgTCAoB7jffzRtyyN04K -oq/89HAszTMStZoMigQURfokzKsjpUp8OYCAEsBtt9d5zPndWMz/gHN73GrXk3LT -ZsxEn7Xv5Da+Y9F/Hx2QZUHarV5cdZixq2NbzWGwrToogOQMh2pxN3Z/0wIDAQAB -AoGBAJysUyx3olpsGzv3OMRJeahASbmsSKTXVLZvoIefxOINosBFpCIhZccAG6UV -5c/xCvS89xBw8aD15uUfziw3AuT8QPEtHCgfSjeT7aWzBfYswEgOW4XPuWr7EeI9 -iNHGD6z+hCN/IQr7FiEBgTp6A+i/hffcSdR83fHWKyb4M7TRAkEA+y4BNd668HmC -G5MPRx25n6LixuBxrNp1umfjEI6UZgEFVpYOg4agNuimN6NqM253kcTR94QNTUs5 -Kj3EhG1YWwJBAO5rUjiOyCNVX2WUQrOMYK/c1lU7fvrkdygXkvIGkhsPoNRzLPeA -HGJszKtrKD8bNihWpWNIyqKRHfKVD7yXT+kCQGCAhVCIGTRoypcDghwljHqLnysf -ci0h5ZdPcIqc7ODfxYhFsJ/Rql5ONgYsT5Ig/+lOQAkjf+TRYM4c2xKx2/8CQBvG -jv6dy70qDgIUgqzONtlmHeYyFzn9cdBO5sShdVYHvRHjFSMEXsosqK9zvW2UqvuK -FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3 -Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= ------END RSA PRIVATE KEY----- - _EOS_ - @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, Fixtures.pkey("rsa2048")) + inter_ca_key = Fixtures.pkey("rsa-2") + @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, ca_key) exts = [ ["keyUsage","digitalSignature",true], ["subjectKeyIdentifier","hash",false], ] ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate") - @mykey = Fixtures.pkey("rsa1024") + @mykey = Fixtures.pkey("rsa-3") @mycert = issue_cert(ee, @mykey, 3, exts, @inter_cacert, inter_ca_key) end - def test_create + def test_create_single_key_single_cert 
pkcs12 = OpenSSL::PKCS12.create( "omg", "hello", @mykey, - @mycert + @mycert, + nil, + DEFAULT_PBE_PKEYS, + DEFAULT_PBE_CERTS, ) - assert_equal @mycert.to_der, pkcs12.certificate.to_der + assert_equal @mycert, pkcs12.certificate assert_equal @mykey.to_der, pkcs12.key.to_der assert_nil pkcs12.ca_certs + + der = pkcs12.to_der + decoded = OpenSSL::PKCS12.new(der, "omg") + assert_equal @mykey.to_der, decoded.key.to_der + assert_equal @mycert, decoded.certificate + assert_equal [], Array(decoded.ca_certs) end def test_create_no_pass @@ -62,14 +59,17 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkcs12.rb#L59 nil, "hello", @mykey, - @mycert + @mycert, + nil, + DEFAULT_PBE_PKEYS, + DEFAULT_PBE_CERTS, ) - assert_equal @mycert.to_der, pkcs12.certificate.to_der + assert_equal @mycert, pkcs12.certificate assert_equal @mykey.to_der, pkcs12.key.to_der assert_nil pkcs12.ca_certs decoded = OpenSSL::PKCS12.new(pkcs12.to_der) - assert_cert @mycert, decoded.certificate + assert_equal @mycert, decoded.certificate end def test_create_with_chain @@ -80,7 +80,9 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkcs12.rb#L80 "hello", @mykey, @mycert, - chain + chain, + DEFAULT_PBE_PKEYS, + DEFAULT_PBE_CERTS, ) assert_equal chain, pkcs12.ca_certs end 
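Review bot: The round trip added to `test_create_single_key_single_cert` decodes only with the correct password, so it would still pass if the container could be opened with any password. A negative case right after `decoded = OpenSSL::PKCS12.new(der, "omg")` would pin that the password is actually enforced, for example `assert_raise(OpenSSL::PKCS12::PKCS12Error) { OpenSSL::PKCS12.new(der, "wrong") }`. The same gap applies to the chain test in the later `@@ -95,14 +97,16 @@` hunk, which also decodes with the correct password only.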
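Review bot: In the no-password case (`@@ -62,14 +59,17 @@`) the decoded object is checked for the certificate only; the private key read back from `OpenSSL::PKCS12.new(pkcs12.to_der)` is never compared. Adding `assert_equal @mykey.to_der, decoded.key.to_der` after the last assertion would bring it in line with the single-key test in the previous hunk. The `def test_create_no_pass` line sits just before this hunk, so the start of the method is outside it.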
@@ -95,14 +97,16 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkcs12.rb#L97 "hello", @mykey, @mycert, - chain + chain, + DEFAULT_PBE_PKEYS, + DEFAULT_PBE_CERTS, ) decoded = OpenSSL::PKCS12.new(pkcs12.to_der, passwd) assert_equal chain.size, decoded.ca_certs.size - assert_include_cert @cacert, decoded.ca_certs - assert_include_cert @inter_cacert, decoded.ca_certs - assert_cert @mycert, decoded.certificate + assert_include decoded.ca_certs, @cacert + assert_include decoded.ca_certs, @inter_cacert + assert_equal @mycert, decoded.certificate assert_equal @mykey.to_der, decoded.key.to_der end @@ -126,8 +130,8 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkcs12.rb#L130 @mykey, @mycert, [], - nil, - nil, + DEFAULT_PBE_PKEYS, + DEFAULT_PBE_CERTS, 2048 ) @@ -138,8 +142,8 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkcs12.rb#L142 @mykey, @mycert, [], - nil, - nil, + DEFAULT_PBE_PKEYS, + DEFAULT_PBE_CERTS, "omg" ) end @@ -152,7 +156,8 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkcs12.rb#L156 @mykey, @mycert, [], - nil, + DEFAULT_PBE_PKEYS, + DEFAULT_PBE_CERTS, nil, nil, 2048 
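Review bot: In the `@@ -152,7 +156,8 @@` hunk one `nil,` is replaced by two constants, so the literal `2048` moves one positional slot to the right. With `OpenSSL::PKCS12.create(pass, name, key, cert, ca, key_pbe, cert_pbe, key_iter, mac_iter, keytype)` the old call passed 2048 as `mac_iter`; the new call passes `nil` there and 2048 as `keytype`. The TypeError case in the following `@@ -165,148 +170,144 @@` hunk still puts `"omg"` in the `mac_iter` slot, so the two calls no longer test the same argument. If this is the MAC-iteration test (the `def` line is outside the hunk), the positive call no longer sets an iteration count. Dropping one of the two remaining context `nil,` lines, so the tail reads `DEFAULT_PBE_CERTS, nil, 2048`, would restore it.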
@@ -165,148 +170,144 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkcs12.rb#L170 @mykey, @mycert, [], - nil, - nil, + DEFAULT_PBE_PKEYS, + DEFAULT_PBE_CERTS, nil, "omg" ) end end - def test_new_with_one_key_and_one_cert - # generated with: - # openssl version #=> OpenSSL 1.0.2h 3 May 2016 - # openssl pkcs12 -in <@mycert> -inkey <RSA1024> -export -out <out> - str = <<~EOF.unpack("m").first -MIIGQQIBAzCCBgcGCSqGSIb3DQEHAaCCBfgEggX0MIIF8DCCAu8GCSqGSIb3DQEH -BqCCAuAwggLcAgEAMIIC1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIeZPM -Rh6KiXgCAggAgIICqL6O+LCZmBzdIg6mozPF3FpY0hVbWHvTNMiDHieW3CrAanhN -YCH2/wHqH8WpFpEWwF0qEEXAWjHsIlYB4Cfqo6b7XpuZe5eVESsjNTOTMF1JCUJj -A6iNefXmCFLync1JK5LUodRDhTlKLU1WPK20X9X4vuEwHn8wt5RUb8P0E+Xh6rpS -XC4LkZKT45zF3cJa/n5+dW65ohVGNVnF9D1bCNEKHMOllK1V9omutQ9slW88hpga -LGiFsJoFOb/ESGb78KO+bd6zbX1MdKdBV+WD6t1uF/cgU65y+2A4nXs1urda+MJ7 -7iVqiB7Vnc9cANTbAkTSGNyoUDVM/NZde782/8IvddLAzUZ2EftoRDke6PvuBOVL -ljBhNWmdamrtBqzuzVZCRdWq44KZkF2Xoc9asepwIkdVmntzQF7f1Z+Ta5yg6HFp -xnr7CuM+MlHEShXkMgYtHnwAq10fDMSXIvjhi/AA5XUAusDO3D+hbtcRDcJ4uUes -dm5dhQE2qJ02Ysn4aH3o1F3RYNOzrxejHJwl0D2TCE8Ww2X342xib57+z9u03ufj -jswhiMKxy67f1LhUMq3XrT3uV6kCVXk/KUOUPcXPlPVNA5JmZeFhMp6GrtB5xJJ9 -wwBZD8UL5A2U2Mxi2OZsdUBv8eo3jnjZ284aFpt+mCjIHrLW5O0jwY8OCwSlYUoY -IY00wlabX0s82kBcIQNZbC1RSV2267ro/7A0MClc8YQ/zWN0FKY6apgtUkHJI1cL -1dc77mhnjETjwW94iLMDFy4zQfVu7IfCBqOBzygRNnqqUG66UhTs1xFnWM0mWXl/ -Zh9+AMpbRLIPaKCktIjl5juzzm+KEgkhD+707XRCFIGUYGP5bSHzGaz8PK9hj0u1 -E2SpZHUvYOcawmxtA7pmpSxl5uQjMIIC+QYJKoZIhvcNAQcBoIIC6gSCAuYwggLi -MIIC3gYLKoZIhvcNAQwKAQKgggKmMIICojAcBgoqhkiG9w0BDAEDMA4ECKB338m8 -qSzHAgIIAASCAoACFhJeqA3xx+s1qIH6udNQYY5hAL6oz7SXoGwFhDiceSyJjmAD -Dby9XWM0bPl1Gj5nqdsuI/lAM++fJeoETk+rxw8q6Ofk2zUaRRE39qgpwBwSk44o -0SAFJ6bzHpc5CFh6sZmDaUX5Lm9GtjnGFmmsPTSJT5an5JuJ9WczGBEd0nSBQhJq -xHbTGZiN8i3SXcIH531Sub+CBIFWy5lyCKgDYh/kgJFGQAaWUOjLI+7dCEESonXn -F3Jh2uPbnDF9MGJyAFoNgWFhgSpi1cf6AUi87GY4Oyur88ddJ1o0D0Kz2uw8/bpG 
-s3O4PYnIW5naZ8mozzbnYByEFk7PoTwM7VhoFBfYNtBoAI8+hBnPY/Y71YUojEXf -SeX6QbtkIANfzS1XuFNKElShC3DPQIHpKzaatEsfxHfP+8VOav6zcn4mioao7NHA -x7Dp6R1enFGoQOq4UNjBT8YjnkG5vW8zQHW2dAHLTJBq6x2Fzm/4Pjo/8vM1FiGl -BQdW5vfDeJ/l6NgQm3xR9ka2E2HaDqIcj1zWbN8jy/bHPFJYuF/HH8MBV/ngMIXE -vFEW/ToYv8eif0+EpUtzBsCKD4a7qYYYh87RmEVoQU96q6m+UbhpD2WztYfAPkfo -OSL9j2QHhVczhL7OAgqNeM95pOsjA9YMe7exTeqK31LYnTX8oH8WJD1xGbRSJYgu -SY6PQbumcJkc/TFPn0GeVUpiDdf83SeG50lo/i7UKQi2l1hi5Y51fQhnBnyMr68D -llSZEvSWqfDxBJkBpeg6PIYvkTpEwKRJpVQoM3uYvdqVSSnW6rydqIb+snfOrlhd -f+xCtq9xr+kHeTSqLIDRRAnMfgFRhY3IBlj6MSUwIwYJKoZIhvcNAQkVMRYEFBdb -8XGWehZ6oPj56Pf/uId46M9AMDEwITAJBgUrDgMCGgUABBRvSCB04/f8f13pp2PF -vyl2WuMdEwQIMWFFphPkIUICAggA - EOF - p12 = OpenSSL::PKCS12.new(str, "abc123") - - assert_equal @mykey.to_der, p12.key.to_der - assert_equal @mycert.subject.to_der, p12.certificate.subject.to_der - assert_equal [], Array(p12.ca_certs) - end - def test_new_with_no_keys # generated with: - # openssl pkcs12 -in <@mycert> -nokeys -export -out <out> + # openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -n (... truncated) -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/