Merge pull request #834 from rhenium/ky/pkey-test-cleanup-20250107

Various cleanups in pkey tests
ruby · Jan 6, 2025 · b9ef9cc · b9ef9cc
2 parents 49f9fd0 + 6cb6663
commit b9ef9cc
Show file tree

Hide file tree

Showing 11 changed files with 73 additions and 135 deletions.
diff --git a/test/openssl/fixtures/pkey/certificate.der b/test/openssl/fixtures/pkey/certificate.der
diff --git a/test/openssl/fixtures/pkey/empty.der b/test/openssl/fixtures/pkey/empty.der
diff --git a/test/openssl/fixtures/pkey/empty.pem b/test/openssl/fixtures/pkey/empty.pem
diff --git a/test/openssl/fixtures/pkey/fullchain.pem b/test/openssl/fixtures/pkey/fullchain.pem
diff --git a/test/openssl/fixtures/pkey/garbage.txt b/test/openssl/fixtures/pkey/garbage.txt
diff --git a/test/openssl/fixtures/pkey/p256_too_large.pem b/test/openssl/fixtures/pkey/p256_too_large.pem
diff --git a/test/openssl/fixtures/pkey/p384_invalid.pem b/test/openssl/fixtures/pkey/p384_invalid.pem
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
@@ -2,25 +2,20 @@
 require_relative "utils"
 
 class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
-  def test_generic_oid_inspect
+  def test_generic_oid_inspect_rsa
     # RSA private key
     rsa = Fixtures.pkey("rsa-1")
     assert_instance_of OpenSSL::PKey::RSA, rsa
     assert_equal "rsaEncryption", rsa.oid
     assert_match %r{oid=rsaEncryption}, rsa.inspect
+  end
+
+  def test_generic_oid_inspect_x25519
+    omit "X25519 not supported" unless openssl?(1, 1, 0) || libressl?(3, 7, 0)
+    omit_on_fips
 
     # X25519 private key
-    x25519_pem = <<~EOF
-    -----BEGIN PRIVATE KEY-----
-    MC4CAQAwBQYDK2VuBCIEIHcHbQpzGKV9PBbBclGyZkXfTC+H68CZKrF3+6UduSwq
-    -----END PRIVATE KEY-----
-    EOF
-    begin
-      x25519 = OpenSSL::PKey.read(x25519_pem)
-    rescue OpenSSL::PKey::PKeyError
-      # OpenSSL < 1.1.0
-      pend "X25519 is not implemented"
-    end
+    x25519 = OpenSSL::PKey.generate_key("X25519")
     assert_instance_of OpenSSL::PKey::PKey, x25519
     assert_equal "X25519", x25519.oid
     assert_match %r{oid=X25519}, x25519.inspect
@@ -112,18 +107,14 @@ def test_ed25519
     assert_equal pub_pem, priv.public_to_pem
     assert_equal pub_pem, pub.public_to_pem
 
-    begin
-      assert_equal "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
-        priv.raw_private_key.unpack1("H*")
-      assert_equal OpenSSL::PKey.new_raw_private_key("ED25519", priv.raw_private_key).private_to_pem,
-        priv.private_to_pem
-      assert_equal "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
-        priv.raw_public_key.unpack1("H*")
-      assert_equal OpenSSL::PKey.new_raw_public_key("ED25519", priv.raw_public_key).public_to_pem,
-        pub.public_to_pem
-    rescue NoMethodError
-      pend "running OpenSSL version does not have raw public key support"
-    end
+    assert_equal "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
+      priv.raw_private_key.unpack1("H*")
+    assert_equal OpenSSL::PKey.new_raw_private_key("ED25519", priv.raw_private_key).private_to_pem,
+      priv.private_to_pem
+    assert_equal "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
+      priv.raw_public_key.unpack1("H*")
+    assert_equal OpenSSL::PKey.new_raw_public_key("ED25519", priv.raw_public_key).public_to_pem,
+      pub.public_to_pem
 
     sig = [<<~EOF.gsub(/[^0-9a-f]/, "")].pack("H*")
     92a009a9f0d4cab8720e820b5f642540
@@ -146,6 +137,9 @@ def test_ed25519
   end
 
   def test_x25519
+    omit "X25519 not supported" unless openssl?(1, 1, 0) || libressl?(3, 7, 0)
+    omit_on_fips
+
     # Test vector from RFC 7748 Section 6.1
     alice_pem = <<~EOF
     -----BEGIN PRIVATE KEY-----
@@ -158,38 +152,31 @@ def test_x25519
     -----END PUBLIC KEY-----
     EOF
     shared_secret = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
-    begin
-      alice = OpenSSL::PKey.read(alice_pem)
-      bob = OpenSSL::PKey.read(bob_pem)
-    rescue OpenSSL::PKey::PKeyError
-      # OpenSSL < 1.1.0
-      pend "X25519 is not implemented"
-    end
+
+    alice = OpenSSL::PKey.read(alice_pem)
+    bob = OpenSSL::PKey.read(bob_pem)
     assert_instance_of OpenSSL::PKey::PKey, alice
     assert_equal alice_pem, alice.private_to_pem
     assert_equal bob_pem, bob.public_to_pem
     assert_equal [shared_secret].pack("H*"), alice.derive(bob)
-    begin
-      alice_private = OpenSSL::PKey.new_raw_private_key("X25519", alice.raw_private_key)
-      bob_public = OpenSSL::PKey.new_raw_public_key("X25519", bob.raw_public_key)
-      alice_private_raw = alice.raw_private_key.unpack1("H*")
-      bob_public_raw = bob.raw_public_key.unpack1("H*")
-    rescue NoMethodError
-      # OpenSSL < 1.1.1
-      pend "running OpenSSL version does not have raw public key support"
+
+    unless openssl?(1, 1, 1) || libressl?(3, 7, 0)
+      omit "running OpenSSL version does not have raw public key support"
     end
+    alice_private = OpenSSL::PKey.new_raw_private_key("X25519", alice.raw_private_key)
+    bob_public = OpenSSL::PKey.new_raw_public_key("X25519", bob.raw_public_key)
     assert_equal alice_private.private_to_pem,
       alice.private_to_pem
     assert_equal bob_public.public_to_pem,
       bob.public_to_pem
     assert_equal "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a",
-      alice_private_raw
+      alice.raw_private_key.unpack1("H*")
     assert_equal "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f",
-      bob_public_raw
+      bob.raw_public_key.unpack1("H*")
   end
 
-  def raw_initialize
-    pend "Ed25519 is not implemented" unless openssl?(1, 1, 1) # >= v1.1.1
+  def test_raw_initialize_errors
+    omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 7, 0)
 
     assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("foo123", "xxx") }
     assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("ED25519", "xxx") }

diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
@@ -88,12 +88,16 @@ def test_check_key
     assert_equal(true, key2.check_key)
 
     # Behavior of EVP_PKEY_public_check changes between OpenSSL 1.1.1 and 3.0
-    key4 = Fixtures.pkey("p256_too_large")
+    # The public key does not match the private key
+    key4 = OpenSSL::PKey.read(<<~EOF)
+    -----BEGIN EC PRIVATE KEY-----
+    MHcCAQEEIP+TT0V8Fndsnacji9tyf6hmhHywcOWTee9XkiBeJoVloAoGCCqGSM49
+    AwEHoUQDQgAEBkhhJIU/2/YdPSlY2I1k25xjK4trr5OXSgXvBC21PtY0HQ7lor7A
+    jzT0giJITqmcd81fwGw5+96zLcdxTF1hVQ==
+    -----END EC PRIVATE KEY-----
+    EOF
     assert_raise(OpenSSL::PKey::ECError) { key4.check_key }
 
-    key5 = Fixtures.pkey("p384_invalid")
-    assert_raise(OpenSSL::PKey::ECError) { key5.check_key }
-
     # EC#private_key= is deprecated in 3.0 and won't work on OpenSSL 3.0
     if !openssl?(3, 0, 0)
       key2.private_key += 1

diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
@@ -370,34 +370,53 @@ def test_marshal
   end
 
   def test_load_file_empty_pem
-    empty_path = Fixtures.file_path("pkey", "empty.pem")
-    assert_raise(OpenSSL::X509::CertificateError) do
-      OpenSSL::X509::Certificate.load_file(empty_path)
+    Tempfile.create("empty.pem") do |f|
+      f.close
+
+      assert_raise(OpenSSL::X509::CertificateError) do
+        OpenSSL::X509::Certificate.load_file(f.path)
+      end
     end
   end
 
   def test_load_file_fullchain_pem
-    fullchain_path = Fixtures.file_path("pkey", "fullchain.pem")
-    certificates = OpenSSL::X509::Certificate.load_file(fullchain_path)
-    assert_equal 2, certificates.size
-    assert_equal "/CN=www.codeotaku.com", certificates[0].subject.to_s
-    assert_equal "/C=US/O=Let's Encrypt/CN=R3", certificates[1].subject.to_s
+    cert1 = issue_cert(@ee1, @rsa2048, 1, [], nil, nil)
+    cert2 = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
+
+    Tempfile.create("fullchain.pem") do |f|
+      f.puts cert1.to_pem
+      f.puts cert2.to_pem
+      f.close
+
+      certificates = OpenSSL::X509::Certificate.load_file(f.path)
+      assert_equal 2, certificates.size
+      assert_equal @ee1, certificates[0].subject
+      assert_equal @ca, certificates[1].subject
+    end
   end
 
   def test_load_file_certificate_der
-    fullchain_path = Fixtures.file_path("pkey", "certificate.der")
-    certificates = OpenSSL::X509::Certificate.load_file(fullchain_path)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
+    Tempfile.create("certificate.der", binmode: true) do |f|
+      f.write cert.to_der
+      f.close
 
-    # DER encoding can only contain one certificate:
-    assert_equal 1, certificates.size
-    assert_equal "/CN=www.codeotaku.com", certificates[0].subject.to_s
+      certificates = OpenSSL::X509::Certificate.load_file(f.path)
+
+      # DER encoding can only contain one certificate:
+      assert_equal 1, certificates.size
+      assert_equal cert.to_der, certificates[0].to_der
+    end
   end
 
   def test_load_file_fullchain_garbage
-    fullchain_path = Fixtures.file_path("pkey", "garbage.txt")
+    Tempfile.create("garbage.txt") do |f|
+      f.puts "not a certificate"
+      f.close
 
-    assert_raise(OpenSSL::X509::CertificateError) do
-      OpenSSL::X509::Certificate.load_file(fullchain_path)
+      assert_raise(OpenSSL::X509::CertificateError) do
+        OpenSSL::X509::Certificate.load_file(f.path)
+      end
     end
   end
 

diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
@@ -24,10 +24,6 @@ def read_file(category, name)
       @file_cache[[category, name]] ||=
         File.read(File.join(__dir__, "fixtures", category, name + ".pem"))
     end
-
-    def file_path(category, name)
-      File.join(__dir__, "fixtures", category, name)
-    end
   end
 
   module_function