mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
5bd7899b98
ext/openssl/ossl_pkey_rsa.c ext/openssl/ossl_pkey_dsa.c ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less than four characters long, as OpenSSL itself does not allow this. Issue found by Eric Hodel. * ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem, following the PKey interface contract. * test/openssl/test_pkey_dsa.rb test/openssl/test_pkey_rsa.rb test/openssl/test_pkey_ec.rb: Add tests that assert correct behaviour when dealing with passwords that are less than four characters long. [ruby-core: 42281][ruby-trunk - Bug #5951] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36001 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
240 lines
8.5 KiB
Ruby
240 lines
8.5 KiB
Ruby
require_relative 'utils'
|
|
require 'base64'
|
|
|
|
if defined?(OpenSSL)
|
|
|
|
class OpenSSL::TestPKeyDSA < Test::Unit::TestCase
|
|
def test_private
|
|
key = OpenSSL::PKey::DSA.new(256)
|
|
assert(key.private?)
|
|
key2 = OpenSSL::PKey::DSA.new(key.to_der)
|
|
assert(key2.private?)
|
|
key3 = key.public_key
|
|
assert(!key3.private?)
|
|
key4 = OpenSSL::PKey::DSA.new(key3.to_der)
|
|
assert(!key4.private?)
|
|
end
|
|
|
|
def test_new
|
|
key = OpenSSL::PKey::DSA.new 256
|
|
pem = key.public_key.to_pem
|
|
OpenSSL::PKey::DSA.new pem
|
|
assert_equal([], OpenSSL.errors)
|
|
end
|
|
|
|
def test_new_break
|
|
assert_nil(OpenSSL::PKey::DSA.new(512) { break })
|
|
assert_raise(RuntimeError) do
|
|
OpenSSL::PKey::DSA.new(512) { raise }
|
|
end
|
|
end
|
|
|
|
def test_sys_sign_verify
|
|
key = OpenSSL::TestUtils::TEST_KEY_DSA256
|
|
data = 'Sign me!'
|
|
digest = OpenSSL::Digest::SHA1.digest(data)
|
|
sig = key.syssign(digest)
|
|
assert(key.sysverify(digest, sig))
|
|
end
|
|
|
|
def test_sign_verify
|
|
check_sign_verify(OpenSSL::Digest::DSS1.new)
|
|
end
|
|
|
|
if (OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000)
|
|
def test_sign_verify_sha1
|
|
check_sign_verify(OpenSSL::Digest::SHA1.new)
|
|
end
|
|
|
|
def test_sign_verify_sha256
|
|
check_sign_verify(OpenSSL::Digest::SHA256.new)
|
|
end
|
|
end
|
|
|
|
def test_digest_state_irrelevant_verify
|
|
key = OpenSSL::TestUtils::TEST_KEY_DSA256
|
|
digest1 = OpenSSL::Digest::DSS1.new
|
|
digest2 = OpenSSL::Digest::DSS1.new
|
|
data = 'Sign me!'
|
|
sig = key.sign(digest1, data)
|
|
digest1.reset
|
|
digest1 << 'Change state of digest1'
|
|
assert(key.verify(digest1, sig, data))
|
|
assert(key.verify(digest2, sig, data))
|
|
end
|
|
|
|
def test_read_DSA_PUBKEY
|
|
p = 7188211954100152441468596248707152960171255279130004340103875772401008316444412091945435731597638374542374929457672178957081124632837356913990200866056699
|
|
q = 957032439192465935099784319494405376402293318491
|
|
g = 122928973717064636255205666162891733518376475981809749897454444301389338825906076467196186192907631719698166056821519884939865041993585844526937010746285
|
|
y = 1235756183583465414789073313502727057075641172514181938731172021825149551960029708596057102104063395063907739571546165975727369183495540798749742124846271
|
|
algo = OpenSSL::ASN1::ObjectId.new('DSA')
|
|
params = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(p),
|
|
OpenSSL::ASN1::Integer.new(q),
|
|
OpenSSL::ASN1::Integer.new(g)])
|
|
algo_id = OpenSSL::ASN1::Sequence.new ([algo, params])
|
|
pub_key = OpenSSL::ASN1::Integer.new(y)
|
|
seq = OpenSSL::ASN1::Sequence.new([algo_id, OpenSSL::ASN1::BitString.new(pub_key.to_der)])
|
|
key = OpenSSL::PKey::DSA.new(seq.to_der)
|
|
assert(key.public?)
|
|
assert(!key.private?)
|
|
assert_equal(p, key.p)
|
|
assert_equal(q, key.q)
|
|
assert_equal(g, key.g)
|
|
assert_equal(y, key.pub_key)
|
|
assert_equal(nil, key.priv_key)
|
|
assert_equal([], OpenSSL.errors)
|
|
end
|
|
|
|
def test_read_DSAPublicKey_pem
|
|
p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699
|
|
q = 979494906553787301107832405790107343409973851677
|
|
g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845
|
|
y = 10505239074982761504240823422422813362721498896040719759460296306305851824586095328615844661273887569281276387605297130014564808567159023649684010036304695
|
|
pem = <<-EOF
|
|
-----BEGIN DSA PUBLIC KEY-----
|
|
MIHfAkEAyJSJ+g+P/knVcgDwwTzC7Pwg/pWs2EMd/r+lYlXhNfzg0biuXRul8VR4
|
|
VUC/phySExY0PdcqItkR/xYAYNMbNwJBAOoV57X0FxKO/PrNa/MkoWzkCKV/hzhE
|
|
p0zbFdsicw+hIjJ7S6Sd/FlDlo89HQZ2FuvWJ6wGLM1j00r39+F2qbMCFQCrkhIX
|
|
SG+is37hz1IaBeEudjB2HQJAR0AloavBvtsng8obsjLb7EKnB+pSeHr/BdIQ3VH7
|
|
fWLOqqkzFeRrYMDzUpl36XktY6Yq8EJYlW9pCMmBVNy/dQ==
|
|
-----END DSA PUBLIC KEY-----
|
|
EOF
|
|
key = OpenSSL::PKey::DSA.new(pem)
|
|
assert(key.public?)
|
|
assert(!key.private?)
|
|
assert_equal(p, key.p)
|
|
assert_equal(q, key.q)
|
|
assert_equal(g, key.g)
|
|
assert_equal(y, key.pub_key)
|
|
assert_equal(nil, key.priv_key)
|
|
assert_equal([], OpenSSL.errors)
|
|
end
|
|
|
|
def test_read_DSA_PUBKEY_pem
|
|
p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699
|
|
q = 979494906553787301107832405790107343409973851677
|
|
g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845
|
|
y = 10505239074982761504240823422422813362721498896040719759460296306305851824586095328615844661273887569281276387605297130014564808567159023649684010036304695
|
|
pem = <<-EOF
|
|
-----BEGIN PUBLIC KEY-----
|
|
MIHxMIGoBgcqhkjOOAQBMIGcAkEA6hXntfQXEo78+s1r8yShbOQIpX+HOESnTNsV
|
|
2yJzD6EiMntLpJ38WUOWjz0dBnYW69YnrAYszWPTSvf34XapswIVAKuSEhdIb6Kz
|
|
fuHPUhoF4S52MHYdAkBHQCWhq8G+2yeDyhuyMtvsQqcH6lJ4ev8F0hDdUft9Ys6q
|
|
qTMV5GtgwPNSmXfpeS1jpirwQliVb2kIyYFU3L91A0QAAkEAyJSJ+g+P/knVcgDw
|
|
wTzC7Pwg/pWs2EMd/r+lYlXhNfzg0biuXRul8VR4VUC/phySExY0PdcqItkR/xYA
|
|
YNMbNw==
|
|
-----END PUBLIC KEY-----
|
|
EOF
|
|
key = OpenSSL::PKey::DSA.new(pem)
|
|
assert(key.public?)
|
|
assert(!key.private?)
|
|
assert_equal(p, key.p)
|
|
assert_equal(q, key.q)
|
|
assert_equal(g, key.g)
|
|
assert_equal(y, key.pub_key)
|
|
assert_equal(nil, key.priv_key)
|
|
assert_equal([], OpenSSL.errors)
|
|
end
|
|
|
|
def test_export_format_is_DSA_PUBKEY_pem
|
|
key = OpenSSL::TestUtils::TEST_KEY_DSA256
|
|
pem = key.public_key.to_pem
|
|
pem.gsub!(/^-+(\w|\s)+-+$/, "") # eliminate --------BEGIN...-------
|
|
asn1 = OpenSSL::ASN1.decode(Base64.decode64(pem))
|
|
assert_equal(OpenSSL::ASN1::SEQUENCE, asn1.tag)
|
|
assert_equal(2, asn1.value.size)
|
|
seq = asn1.value
|
|
assert_equal(OpenSSL::ASN1::SEQUENCE, seq[0].tag)
|
|
assert_equal(2, seq[0].value.size)
|
|
algo_id = seq[0].value
|
|
assert_equal(OpenSSL::ASN1::OBJECT, algo_id[0].tag)
|
|
assert_equal('DSA', algo_id[0].value)
|
|
assert_equal(OpenSSL::ASN1::SEQUENCE, algo_id[1].tag)
|
|
assert_equal(3, algo_id[1].value.size)
|
|
params = algo_id[1].value
|
|
assert_equal(OpenSSL::ASN1::INTEGER, params[0].tag)
|
|
assert_equal(key.p, params[0].value)
|
|
assert_equal(OpenSSL::ASN1::INTEGER, params[1].tag)
|
|
assert_equal(key.q, params[1].value)
|
|
assert_equal(OpenSSL::ASN1::INTEGER, params[2].tag)
|
|
assert_equal(key.g, params[2].value)
|
|
assert_equal(OpenSSL::ASN1::BIT_STRING, seq[1].tag)
|
|
assert_equal(0, seq[1].unused_bits)
|
|
pub_key = OpenSSL::ASN1.decode(seq[1].value)
|
|
assert_equal(OpenSSL::ASN1::INTEGER, pub_key.tag)
|
|
assert_equal(key.pub_key, pub_key.value)
|
|
assert_equal([], OpenSSL.errors)
|
|
end
|
|
|
|
def test_read_private_key_der
|
|
key = OpenSSL::TestUtils::TEST_KEY_DSA256
|
|
der = key.to_der
|
|
key2 = OpenSSL::PKey.read(der)
|
|
assert(key2.private?)
|
|
assert_equal(der, key2.to_der)
|
|
assert_equal([], OpenSSL.errors)
|
|
end
|
|
|
|
def test_read_private_key_pem
|
|
key = OpenSSL::TestUtils::TEST_KEY_DSA256
|
|
pem = key.to_pem
|
|
key2 = OpenSSL::PKey.read(pem)
|
|
assert(key2.private?)
|
|
assert_equal(pem, key2.to_pem)
|
|
assert_equal([], OpenSSL.errors)
|
|
end
|
|
|
|
def test_read_public_key_der
|
|
key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key
|
|
der = key.to_der
|
|
key2 = OpenSSL::PKey.read(der)
|
|
assert(!key2.private?)
|
|
assert_equal(der, key2.to_der)
|
|
assert_equal([], OpenSSL.errors)
|
|
end
|
|
|
|
def test_read_public_key_pem
|
|
key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key
|
|
pem = key.to_pem
|
|
key2 = OpenSSL::PKey.read(pem)
|
|
assert(!key2.private?)
|
|
assert_equal(pem, key2.to_pem)
|
|
assert_equal([], OpenSSL.errors)
|
|
end
|
|
|
|
def test_read_private_key_pem_pw
|
|
key = OpenSSL::TestUtils::TEST_KEY_DSA256
|
|
pem = key.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret')
|
|
#callback form for password
|
|
key2 = OpenSSL::PKey.read(pem) do
|
|
'secret'
|
|
end
|
|
assert(key2.private?)
|
|
# pass password directly
|
|
key2 = OpenSSL::PKey.read(pem, 'secret')
|
|
assert(key2.private?)
|
|
#omit pem equality check, will be different due to cipher iv
|
|
assert_equal([], OpenSSL.errors)
|
|
end
|
|
|
|
def test_export_password_length
|
|
key = OpenSSL::TestUtils::TEST_KEY_DSA256
|
|
assert_raise(OpenSSL::OpenSSLError) do
|
|
key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
|
|
end
|
|
pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
|
|
assert(pem)
|
|
end
|
|
|
|
private
|
|
|
|
def check_sign_verify(digest)
|
|
key = OpenSSL::TestUtils::TEST_KEY_DSA256
|
|
data = 'Sign me!'
|
|
sig = key.sign(digest, data)
|
|
assert(key.verify(digest, sig, data))
|
|
end
|
|
end
|
|
|
|
end
|