1begin 2 require "openssl" 3 4 # Disable FIPS mode for tests for installations 5 # where FIPS mode would be enabled by default. 6 # Has no effect on all other installations. 7 OpenSSL.fips_mode=false 8rescue LoadError 9end 10require "test/unit" 11require "digest/md5" 12require 'tempfile' 13require "rbconfig" 14require "socket" 15require_relative '../ruby/envutil' 16 17module OpenSSL::TestUtils 18 TEST_KEY_RSA1024 = OpenSSL::PKey::RSA.new <<-_end_of_pem_ 19-----BEGIN RSA PRIVATE KEY----- 20MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx 21aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/ 22Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB 23AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0 24maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T 25gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572 2674/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE 27JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX 28sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII 298jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA 30wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi 31qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD 32dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA== 33-----END RSA PRIVATE KEY----- 34 _end_of_pem_ 35 36 TEST_KEY_RSA2048 = OpenSSL::PKey::RSA.new <<-_end_of_pem_ 37-----BEGIN RSA PRIVATE KEY----- 38MIIEpAIBAAKCAQEAuV9ht9J7k4NBs38jOXvvTKY9gW8nLICSno5EETR1cuF7i4pN 39s9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enenfzq/t/e/1IRW0wkJUJUFQign 404CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWmqbjs07JbuS4QQGGXLc+Su96D 41kYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v68JkRFIhdGlb6JL8fllf/A/bl 42NwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX9KZYcU00mOX+fdxOSnGqS/8J 43DRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wIDAQABAoIBAAzsamqfYQAqwXTb 44I0CJtGg6msUgU7HVkOM+9d3hM2L791oGHV6xBAdpXW2H8LgvZHJ8eOeSghR8+dgq 45PIqAffo4x1Oma+FOg3A0fb0evyiACyrOk+EcBdbBeLo/LcvahBtqnDfiUMQTpy6V 46seSoFCwuN91TSCeGIsDpRjbG1vxZgtx+uI+oH5+ytqJOmfCksRDCkMglGkzyfcl0 47Xc5CUhIJ0my53xijEUQl19rtWdMnNnnkdbG8PT3LZlOta5Do86BElzUYka0C6dUc 48VsBDQ0Nup0P6rEQgy7tephHoRlUGTYamsajGJaAo1F3IQVIrRSuagi7+YpSpCqsW 49wORqorkCgYEA7RdX6MDVrbw7LePnhyuaqTiMK+055/R1TqhB1JvvxJ1CXk2rDL6G 500TLHQ7oGofd5LYiemg4ZVtWdJe43BPZlVgT6lvL/iGo8JnrncB9Da6L7nrq/+Rvj 51XGjf1qODCK+LmreZWEsaLPURIoR/Ewwxb9J2zd0CaMjeTwafJo1CZvcCgYEAyCgb 52aqoWvUecX8VvARfuA593Lsi50t4MEArnOXXcd1RnXoZWhbx5rgO8/ATKfXr0BK/n 53h2GF9PfKzHFm/4V6e82OL7gu/kLy2u9bXN74vOvWFL5NOrOKPM7Kg+9I131kNYOw 54Ivnr/VtHE5s0dY7JChYWE1F3vArrOw3T00a4CXUCgYEA0SqY+dS2LvIzW4cHCe9k 55IQqsT0yYm5TFsUEr4sA3xcPfe4cV8sZb9k/QEGYb1+SWWZ+AHPV3UW5fl8kTbSNb 56v4ng8i8rVVQ0ANbJO9e5CUrepein2MPL0AkOATR8M7t7dGGpvYV0cFk8ZrFx0oId 57U0PgYDotF/iueBWlbsOM430CgYEAqYI95dFyPI5/AiSkY5queeb8+mQH62sdcCCr 58vd/w/CZA/K5sbAo4SoTj8dLk4evU6HtIa0DOP63y071eaxvRpTNqLUOgmLh+D6gS 59Cc7TfLuFrD+WDBatBd5jZ+SoHccVrLR/4L8jeodo5FPW05A+9gnKXEXsTxY4LOUC 609bS4e1kCgYAqVXZh63JsMwoaxCYmQ66eJojKa47VNrOeIZDZvd2BPVf30glBOT41 61gBoDG3WMPZoQj9pb7uMcrnvs4APj2FIhMU8U15LcPAj59cD6S6rWnAxO8NFK7HQG 624Jxg3JNNf8ErQoCHb1B3oVdXJkmbJkARoDpBKmTCgKtP8ADYLmVPQw== 63-----END RSA PRIVATE KEY----- 64 _end_of_pem_ 65 66 TEST_KEY_DSA256 = OpenSSL::PKey::DSA.new <<-_end_of_pem_ 67-----BEGIN DSA PRIVATE KEY----- 68MIH3AgEAAkEAhk2libbY2a8y2Pt21+YPYGZeW6wzaW2yfj5oiClXro9XMR7XWLkE 699B7XxLNFCS2gmCCdMsMW1HulaHtLFQmB2wIVAM43JZrcgpu6ajZ01VkLc93gu/Ed 70AkAOhujZrrKV5CzBKutKLb0GVyVWmdC7InoNSMZEeGU72rT96IjM59YzoqmD0pGM 713I1o4cGqg1D1DfM1rQlnN1eSAkBq6xXfEDwJ1mLNxF6q8Zm/ugFYWR5xcX/3wFiT 72b4+EjHP/DbNh9Vm5wcfnDBJ1zKvrMEf2xqngYdrV/3CiGJeKAhRvL57QvJZcQGvn 73ISNX5cMzFHRW3Q== 74-----END DSA PRIVATE KEY----- 75 _end_of_pem_ 76 77 TEST_KEY_DSA512 = OpenSSL::PKey::DSA.new <<-_end_of_pem_ 78-----BEGIN DSA PRIVATE KEY----- 79MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok 80RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D 81AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR 82S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++ 83Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S 8455jreJD3Se3slps= 85-----END DSA PRIVATE KEY----- 86 _end_of_pem_ 87 88if defined?(OpenSSL::PKey::EC) 89 90 TEST_KEY_EC_P256V1 = OpenSSL::PKey::EC.new <<-_end_of_pem_ 91-----BEGIN EC PRIVATE KEY----- 92MHcCAQEEIID49FDqcf1O1eO8saTgG70UbXQw9Fqwseliit2aWhH1oAoGCCqGSM49 93AwEHoUQDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7lSZ/ArK41eGy5wAzU/0G51Xtt 94CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg== 95-----END EC PRIVATE KEY----- 96 _end_of_pem_ 97 98end 99 100 TEST_KEY_DH512_PUB = OpenSSL::PKey::DH.new <<-_end_of_pem_ 101-----BEGIN DH PARAMETERS----- 102MEYCQQDmWXGPqk76sKw/edIOdhAQD4XzjJ+AR/PTk2qzaGs+u4oND2yU5D2NN4wr 103aPgwHyJBiK1/ebK3tYcrSKrOoRyrAgEC 104-----END DH PARAMETERS----- 105 _end_of_pem_ 106 107 TEST_KEY_DH1024 = OpenSSL::PKey::DH.new <<-_end_of_pem_ 108-----BEGIN DH PARAMETERS----- 109MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0 110pFxIvjG05D7HoBZQfrR0c92NGWPkAiCkhQKB8JCbPVzwNLDy6DZ0pmofDKrEsYHG 111AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC 112-----END DH PARAMETERS----- 113 _end_of_pem_ 114 115 TEST_KEY_DH1024.priv_key = OpenSSL::BN.new("48561834C67E65FFD2A9B47F41E5E78FDC95C387428FDB1E4B0188B64D1643C3A8D3455B945B7E8C4D166010C7C2CE23BFB9BEF43D0348FE7FA5284B0225E7FE1537546D114E3D8A4411B9B9351AB451E1A358F50ED61B1F00DA29336EEBBD649980AC86D76AF8BBB065298C2052672EEF3EF13AB47A15275FC2836F3AC74CEA", 16) 116 117 DSA_SIGNATURE_DIGEST = OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000 ? 118 OpenSSL::Digest::SHA1 : 119 OpenSSL::Digest::DSS1 120 121 module_function 122 123 def issue_cert(dn, key, serial, not_before, not_after, extensions, 124 issuer, issuer_key, digest) 125 cert = OpenSSL::X509::Certificate.new 126 issuer = cert unless issuer 127 issuer_key = key unless issuer_key 128 cert.version = 2 129 cert.serial = serial 130 cert.subject = dn 131 cert.issuer = issuer.subject 132 cert.public_key = key.public_key 133 cert.not_before = not_before 134 cert.not_after = not_after 135 ef = OpenSSL::X509::ExtensionFactory.new 136 ef.subject_certificate = cert 137 ef.issuer_certificate = issuer 138 extensions.each{|oid, value, critical| 139 cert.add_extension(ef.create_extension(oid, value, critical)) 140 } 141 cert.sign(issuer_key, digest) 142 cert 143 end 144 145 def issue_crl(revoke_info, serial, lastup, nextup, extensions, 146 issuer, issuer_key, digest) 147 crl = OpenSSL::X509::CRL.new 148 crl.issuer = issuer.subject 149 crl.version = 1 150 crl.last_update = lastup 151 crl.next_update = nextup 152 revoke_info.each{|rserial, time, reason_code| 153 revoked = OpenSSL::X509::Revoked.new 154 revoked.serial = rserial 155 revoked.time = time 156 enum = OpenSSL::ASN1::Enumerated(reason_code) 157 ext = OpenSSL::X509::Extension.new("CRLReason", enum) 158 revoked.add_extension(ext) 159 crl.add_revoked(revoked) 160 } 161 ef = OpenSSL::X509::ExtensionFactory.new 162 ef.issuer_certificate = issuer 163 ef.crl = crl 164 crlnum = OpenSSL::ASN1::Integer(serial) 165 crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", crlnum)) 166 extensions.each{|oid, value, critical| 167 crl.add_extension(ef.create_extension(oid, value, critical)) 168 } 169 crl.sign(issuer_key, digest) 170 crl 171 end 172 173 def get_subject_key_id(cert) 174 asn1_cert = OpenSSL::ASN1.decode(cert) 175 tbscert = asn1_cert.value[0] 176 pkinfo = tbscert.value[6] 177 publickey = pkinfo.value[1] 178 pkvalue = publickey.value 179 OpenSSL::Digest::SHA1.hexdigest(pkvalue).scan(/../).join(":").upcase 180 end 181 182 def silent 183 begin 184 back, $VERBOSE = $VERBOSE, nil 185 yield 186 ensure 187 $VERBOSE = back 188 end 189 end 190 191 class OpenSSL::SSLTestCase < Test::Unit::TestCase 192 RUBY = EnvUtil.rubybin 193 SSL_SERVER = File.join(File.dirname(__FILE__), "ssl_server.rb") 194 PORT = 20443 195 ITERATIONS = ($0 == __FILE__) ? 100 : 10 196 197 def setup 198 @ca_key = OpenSSL::TestUtils::TEST_KEY_RSA2048 199 @svr_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 200 @cli_key = OpenSSL::TestUtils::TEST_KEY_DSA256 201 @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") 202 @svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost") 203 @cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost") 204 now = Time.at(Time.now.to_i) 205 ca_exts = [ 206 ["basicConstraints","CA:TRUE",true], 207 ["keyUsage","cRLSign,keyCertSign",true], 208 ] 209 ee_exts = [ 210 ["keyUsage","keyEncipherment,digitalSignature",true], 211 ] 212 @ca_cert = issue_cert(@ca, @ca_key, 1, now, now+3600, ca_exts, nil, nil, OpenSSL::Digest::SHA1.new) 213 @svr_cert = issue_cert(@svr, @svr_key, 2, now, now+1800, ee_exts, @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) 214 @cli_cert = issue_cert(@cli, @cli_key, 3, now, now+1800, ee_exts, @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) 215 @server = nil 216 end 217 218 def teardown 219 end 220 221 def issue_cert(*arg) 222 OpenSSL::TestUtils.issue_cert(*arg) 223 end 224 225 def issue_crl(*arg) 226 OpenSSL::TestUtils.issue_crl(*arg) 227 end 228 229 def readwrite_loop(ctx, ssl) 230 while line = ssl.gets 231 if line =~ /^STARTTLS$/ 232 ssl.accept 233 next 234 end 235 ssl.write(line) 236 end 237 rescue OpenSSL::SSL::SSLError 238 rescue IOError 239 ensure 240 ssl.close rescue nil 241 end 242 243 def server_loop(ctx, ssls, server_proc) 244 loop do 245 ssl = nil 246 begin 247 ssl = ssls.accept 248 rescue OpenSSL::SSL::SSLError 249 retry 250 end 251 252 Thread.start do 253 Thread.current.abort_on_exception = true 254 server_proc.call(ctx, ssl) 255 end 256 end 257 rescue Errno::EBADF, IOError, Errno::EINVAL, Errno::ECONNABORTED, Errno::ENOTSOCK, Errno::ECONNRESET 258 end 259 260 def start_server(port0, verify_mode, start_immediately, args = {}, &block) 261 ctx_proc = args[:ctx_proc] 262 server_proc = args[:server_proc] 263 server_proc ||= method(:readwrite_loop) 264 265 store = OpenSSL::X509::Store.new 266 store.add_cert(@ca_cert) 267 store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT 268 ctx = OpenSSL::SSL::SSLContext.new 269 ctx.cert_store = store 270 #ctx.extra_chain_cert = [ ca_cert ] 271 ctx.cert = @svr_cert 272 ctx.key = @svr_key 273 ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } 274 ctx.verify_mode = verify_mode 275 ctx_proc.call(ctx) if ctx_proc 276 277 Socket.do_not_reverse_lookup = true 278 tcps = nil 279 port = port0 280 begin 281 tcps = TCPServer.new("127.0.0.1", port) 282 rescue Errno::EADDRINUSE 283 port += 1 284 retry 285 end 286 287 ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx) 288 ssls.start_immediately = start_immediately 289 290 begin 291 server = Thread.new do 292 Thread.current.abort_on_exception = true 293 server_loop(ctx, ssls, server_proc) 294 end 295 296 $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, $$, port) if $DEBUG 297 298 block.call(server, port.to_i) 299 ensure 300 begin 301 begin 302 tcps.shutdown 303 rescue Errno::ENOTCONN 304 # when `Errno::ENOTCONN: Socket is not connected' on some platforms, 305 # call #close instead of #shutdown. 306 tcps.close 307 tcps = nil 308 end if (tcps) 309 if (server) 310 server.join(5) 311 if server.alive? 312 server.kill 313 server.join 314 flunk("TCPServer was closed and SSLServer is still alive") unless $! 315 end 316 end 317 ensure 318 tcps.close if (tcps) 319 end 320 end 321 end 322 323 def starttls(ssl) 324 ssl.puts("STARTTLS") 325 sleep 1 # When this line is eliminated, process on Cygwin blocks 326 # forever at ssl.connect. But I don't know why it does. 327 ssl.connect 328 end 329 end 330 331end if defined?(OpenSSL) 332