summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJob Snijders <[email protected]>2024-03-25 12:20:13 +0000
committergit <[email protected]>2024-04-26 16:55:15 +0000
commit6b120135afe1529a8ed1532b9da6878f1f4b1fbf (patch)
tree06d9640be0e8035689e9bddfda4185c3b0a52253
parent9aecff25304939644681b62e14b5542299e236af (diff)
[ruby/openssl] Only CSR version 1 (encoded as 0) is allowed by PKIX standards
RFC 2986, section 4.1 only defines version 1 for CSRs. This version is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version to anything but 1 fails. Do not attempt to generate a CSR with invalid version (which now fails) and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its subject rather than using an invalid version. This commit fixes the following error. ``` 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError: X509_REQ_set_version: passed invalid argument /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version=' /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr' /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in `test_version' 40: req = OpenSSL::X509::Request.new(req.to_der) 41: assert_equal(0, req.version) 42: => 43: req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256')) 44: assert_equal(1, req.version) 45: req = OpenSSL::X509::Request.new(req.to_der) 46: assert_equal(1, req.version) ``` https://github.com/ruby/openssl/commit/c06fdeb091
Diffstat
-rw-r--r--test/openssl/test_x509req.rb7
1 files changed, 1 insertions, 6 deletions
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index ff17c41163..b98754b8c8 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -39,11 +39,6 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
assert_equal(0, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(0, req.version)
-
- req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
- assert_equal(1, req.version)
- req = OpenSSL::X509::Request.new(req.to_der)
- assert_equal(1, req.version)
end
def test_subject
@@ -106,7 +101,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
assert_equal(false, req.verify(@rsa2048))
assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
- req.version = 1
+ req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
assert_equal(false, req.verify(@rsa1024))
rescue OpenSSL::X509::RequestError # RHEL 9 disables SHA1
end
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-13 10:46:05 +0000