Drop support for OpenSSL 1.1.0. OpenSSL 1.1.0 was a non-LTS release and
it has reached upstream EOL in 2019-12 along with OpenSSL 1.0.2.
Distributions that shipped with OpenSSL 1.1.0 include:
- Debian 9 (EOL 2022-06)
- Ubuntu 18.04 LTS (EOL 2023-04)
ba83abe920
Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12.
Most distributions that shipped with OpenSSL 1.0.2 have also reached
EOL, or provide a newer version in the package repository:
- RHEL 7 (EOL 2024-06)
- Ubuntu 16.04 LTS (EOL 2021-04)
- Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via
the openssl11{,-devel} package)
38ec6fd50e
When these test cases were written, we did not know the exact OpenSSL
and LibreSSL version number in which they would be implemented. Now that
we know it, we can use that information to ensure the tests are run
whenever they should be.
- OpenSSL 1.1.0 added X25519 support
- OpenSSL 1.1.1 added Ed25519 support and
EVP_PKEY_new_raw_private_key()
- LibreSSL 3.7.0 added X25519 and Ed25519 support in EVP_PKEY and
EVP_PKEY_new_raw_private_key()
- LibreSSL 3.8.1 allowed ASN1_item_sign() to use Ed25519
6cb6663c91
test_pkey wasn't checking for libressl as is done elsewhere.
Note the libressl version check is different when testing pkey, because
PKey#sign relies on EVP_PKey_sign, whereas signing an X509 cert/request/crl
relies on ASN1_item_sign.
f1db5c88a2
This commit fixes the following failure on OpenSSL master FIPS case.
```
1) Failure: test_ed25519_not_approved_on_fips(OpenSSL::TestPKey): OpenSSL::PKey::PKeyError expected but nothing was raised.
/home/runner/work/openssl/openssl/vendor/bundle/ruby/3.0.0/gems/test-unit-ruby-core-1.0.6/lib/core_assertions.rb:462:in `assert_raise'
/home/runner/work/openssl/openssl/test/openssl/test_pkey.rb:174:in `test_ed25519_not_approved_on_fips'
171: MC4CAQAwBQYDK2VwBCIEIEzNCJso/5banbbDRuwRTg9bijGfNaumJNqM9u1PuKb7
172: -----END PRIVATE KEY-----
173: EOF
=> 174: assert_raise(OpenSSL::PKey::PKeyError) do
175: OpenSSL::PKey.read(priv_pem)
176: end
177: end
```
This is because FIPS compliance is a continually moving target. According to [1],
FIPS 140-3 *currently* allows ED25519. ED25519 is allowed again with the
latest OpenSSL FIPS by the commit [2], while it is not allowed in OpenSSL stable
version 3.x FIPS.
Remove this test because we want to keep our tests stable.
[1] https://github.com/openssl/openssl/discussions/22054
[2] 5f04124aabd43904b834
(https://github.com/ruby/openssl/pull/646)
Add OpenSSL::PKey.new_raw_private_key, #raw_private_key and public
equivalents. These methods are useful for importing and exporting keys
that support "raw private/public key". Currently, OpenSSL implements
X25519/X448 and Ed25519/Ed448 keys.
[rhe: rewrote commit message]
3f29525618
Co-authored-by: Bart de Water <bartdewater@gmail.com>
It's to test the `OpenSSL::PKey.read` in the `test/openssl/test_pkey.rb`.
I added the pending status to the following tests failing on the FIPS mode
case in the `test/openssl/test_pkey.rb`.
* `test_ed25519`
* `test_x25519`
* `test_compare?`
8149cdf6e8
Commit f2e2a5e5ed ("test/openssl/test_pkey.rb: allow failures in
test_s_generate_parameters", 2022-12-23) was completely bogus. The
problem in OpenSSL 3.0.0-3.0.5 is that errors from the callback are
sometimes silently suppressed.
ccc1594492
OpenSSL 3.0 refuses to generate DSA parameters shorter than 2048 bits,
but generating 2048-bit parameters takes a very long time. Let's use EC
in these test cases instead.
c732387ee5
Use EVP_PKEY_print_private() instead of the low-level API *_print()
functions, such as RSA_print().
EVP_PKEY_print_*() family was added in OpenSSL 1.0.0.
Note that it falls back to EVP_PKEY_print_public() and
EVP_PKEY_print_params() as necessary. This is required for EVP_PKEY_DH
type for which _private() fails if the private component is not set in
the pkey object.
Since the new API works in the same way for all key types, we now
implement #to_text in the base class OpenSSL::PKey::PKey rather than in
each subclass.
e0b4c56956
Explicitly check for type given some conflicting statements within openssl's
documentation around EVP_PKEY_cmp and EVP_PKEY_ASN1_METHOD(3).
Add documentation with an example for compare?
0bf51da6e2
Add OpenSSL::PKey::PKey#derive as the wrapper for EVP_PKEY_CTX_derive().
This is useful for pkey types that we don't have dedicated classes, such
as X25519.
28f0059bea
OpenSSL 1.1.1 added EVP_DigestSign() and EVP_DigestVerify() functions
to the interface. Some EVP_PKEY methods such as PureEdDSA algorithms
do not support the streaming mechanism and require us to use them.
ae19454592
Use EVP_DigestSign*() and EVP_DigestVerify*() interface instead of the
old EVP_Sign*() and EVP_Verify*() functions. They were added in OpenSSL
1.0.0.
Also, allow the digest to be specified as nil, as certain EVP_PKEY types
don't expect a digest algorithm.
9ff6e5143b
Implement OpenSSL::PKey::PKey#oid as a wrapper around EVP_PKEY_id().
This allows user code to check the type of a PKey object.
EVP_PKEY can have a pkey type for which we do not provide a dedicated
subclass. In other words, an EVP_PKEY that is not any of {RSA,DSA,DH,EC}
can exist. It is currently not possible to distinguish such a pkey.
Also, implement PKey#inspect to include the key type for convenience.
dafbb1b3e6
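
Added example, not part of the commit log or of the project's test suite: it exercises the generic-PKey behaviour described in the commits above (`PKey#derive` for X25519, a `nil` digest for PureEdDSA signing and verification, and `PKey#oid` to tell apart key types that have no dedicated subclass). It assumes Ruby/OpenSSL 3.0 or later linked against OpenSSL 1.1.1 or later, not in FIPS mode; the helper names `ed25519_roundtrip` and `x25519_agree` are hypothetical.

```ruby
require "openssl"

# Ed25519 is a PureEdDSA scheme: the message is signed in one shot, so the
# digest argument must be nil and a named digest is refused.
def ed25519_roundtrip(message)
  key = OpenSSL::PKey.generate_key("ED25519")
  # The verifier side only ever sees the public half, re-read from PEM.
  pub = OpenSSL::PKey.read(key.public_to_pem)
  sig = key.sign(nil, message)

  digest_rejected =
    begin
      key.sign("SHA512", message)
      false
    rescue OpenSSL::PKey::PKeyError
      true
    end

  {
    oid: key.oid,                       # type check for a key with no subclass
    sig_len: sig.bytesize,
    valid: pub.verify(nil, sig, message),
    tampered_valid: pub.verify(nil, sig, message + "!"),
    digest_rejected: digest_rejected,
  }
end

# X25519 has no dedicated class either; key agreement goes through PKey#derive.
def x25519_agree
  alice = OpenSSL::PKey.generate_key("X25519")
  bob   = OpenSSL::PKey.generate_key("X25519")
  alice_pub = OpenSSL::PKey.read(alice.public_to_pem)
  bob_pub   = OpenSSL::PKey.read(bob.public_to_pem)

  secret_a = alice.derive(bob_pub)
  secret_b = bob.derive(alice_pub)
  { oid: alice.oid, match: secret_a == secret_b, secret_len: secret_a.bytesize }
end

if __FILE__ == $PROGRAM_NAME
  p ed25519_roundtrip("constructed sample message")
  p x25519_agree
end
```
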
Import Ruby/OpenSSL 2.0.1. The full commit history since 2.0.0 (imported
at r56946) can be found at:
https://github.com/ruby/openssl/compare/v2.0.0...v2.0.1
This release contains only bug fixes. Note, the first two commits since
v2.0.0 are already imported at r56953 to make Travis and RubyCI green.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57041 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
ext/openssl is now converted into a default gem. The full commit
history since r55538 can be found at:
08e1881f56...v2.0.0.beta.1
[Feature #9612]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e