[ruby/openssl] Only CSR version 1 (encoded as 0) is allowed by PKIX standards

RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.

Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.

This commit fixes the following error.

```
 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
     40:     req = OpenSSL::X509::Request.new(req.to_der)
     41:     assert_equal(0, req.version)
     42:
  => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
     44:     assert_equal(1, req.version)
     45:     req = OpenSSL::X509::Request.new(req.to_der)
     46:     assert_equal(1, req.version)
```

ruby/openssl@c06fdeb091
job authored and hsbt committed Nov 11, 2024
1 parent 5d10d1f commit e992a8f
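
An added illustration of the point in the commit message (not code from ruby/openssl): the version INTEGER is read straight from the DER and anything but 0 is rejected before the self-signature is checked. The helper names `make_csr`, `check_csr`, `with_version` and `with_subject`, the generated key and the first sample subject are assumptions made for this example.

```ruby
require "openssl"

# Sign a CSR with version 0, the only value RFC 2986 defines (it means v1).
def make_csr(key, subject)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.parse(subject)
  req.public_key = key
  req.sign(key, OpenSSL::Digest.new("SHA256"))
  req
end

# Read the version INTEGER straight from the DER encoding.
def encoded_version(der)
  info = OpenSSL::ASN1.decode(der).value[0] # CertificationRequestInfo
  info.value[0].value.to_i
end

# Hypothetical intake check: reject any encoded version other than 0,
# then require a valid self-signature over the request info.
def check_csr(der)
  return :bad_version unless encoded_version(der) == 0
  req = OpenSSL::X509::Request.new(der)
  req.verify(req.public_key) ? :ok : :bad_signature
end

# Constructed input: the version INTEGER rewritten at the ASN.1 level, so it
# does not depend on whether the linked OpenSSL accepts `version = 1`.
def with_version(der, n)
  asn1 = OpenSSL::ASN1.decode(der)
  asn1.value[0].value[0] = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(n))
  asn1.to_der
end

# Constructed input: subject changed after signing, as in the updated test.
def with_subject(der, subject)
  req = OpenSSL::X509::Request.new(der)
  req.subject = OpenSSL::X509::Name.parse(subject)
  req.to_der
end

KEY = OpenSSL::PKey::RSA.new(2048) # throwaway key generated for the example
CSR = make_csr(KEY, "/C=JP/CN=FooBar").to_der
p [check_csr(CSR), check_csr(with_version(CSR, 1)),
   check_csr(with_subject(CSR, "/C=JP/CN=FooBarFooBar"))]
```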
Showing 1 changed file with 1 addition and 7 deletions.
8 changes: 1 addition & 7 deletions test/openssl/test_x509req.rb
Expand Up @@ -35,16 +35,10 @@ def test_public_key
end

def test_version
omit "not working on MinGW" if /mingw/ =~ RUBY_PLATFORM
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
assert_equal(0, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(0, req.version)

req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
assert_equal(1, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(1, req.version)
end

def test_subject
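
Review bot: In `test_version`, nothing pins the behaviour for a non-zero version any more: the hunk header goes from 16 lines to 10 and the commit adds nothing here, so the `issue_csr(1, ...)` case is dropped without a replacement. Consider a negative test that, guarded by a library version check for OpenSSL 3.3 and later, asserts that `req.version = 1` raises `OpenSSL::X509::RequestError`, so a later change in how invalid versions are handled gets noticed. If the `omit "not working on MinGW"` line is among the removed lines, the commit message should say why the skip is no longer needed.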
Expand Down Expand Up @@ -108,7 +102,7 @@ def test_sign_and_verify_rsa_sha1
assert_equal(false, req.verify(@rsa2048))
assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
req.version = 1
req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
assert_equal(false, req.verify(@rsa1024))
end
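
Review bot: The tamper step at the end of `test_sign_and_verify_rsa_sha1` now only works if `/C=JP/CN=FooBarFooBar` differs from the subject the request was signed with, and that subject is not visible in this hunk. A one-line comment above `req.subject = ...` stating that the subject is changed after signing so the existing signature no longer matches would make the intent clear, and would make a failure of the final `assert_equal(false, req.verify(@rsa1024))` easy to diagnose if `@dn` is ever changed to the same value.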
