[ruby/openssl] ssl: remove cert_store from start_server test helper

OpenSSL::SSL::SSLContext#cert_store= uses SSL_CTX_set_cert_store(). The store is used for verifying peer certificates and for building certificate chains to be sent to the peer if there is no chain explicitly provided by SSLContext#extra_chain_cert=. Do not specify it in the common test helper start_server, as most callers do not require either function. Instead, update individual test cases that use client certificates to explicitly specify it in ctx_proc. A more direct test case is added to verify the latter function. https://github.com/ruby/openssl/commit/9daecee615
2025-02-19 03:15:07 +09:00 · 2025-02-19 03:15:07 +09:00 · c515da3d74
commit c515da3d74
parent 49e229b3fc
2 changed files with 43 additions and 13 deletions
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@ -230,6 +230,34 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    end
  end

+  def test_extra_chain_cert_auto_chain
+    start_server { |port|
+      server_connect(port) { |ssl|
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+        assert_equal @svr_cert.to_der, ssl.peer_cert.to_der
+        assert_equal [@svr_cert], ssl.peer_cert_chain
+      }
+    }
+
+    # AWS-LC enables SSL_MODE_NO_AUTO_CHAIN by default
+    unless aws_lc?
+      ctx_proc = -> ctx {
+        # Sanity check: start_server won't set extra_chain_cert
+        assert_nil ctx.extra_chain_cert
+        ctx.cert_store = OpenSSL::X509::Store.new.tap { |store|
+          store.add_cert(@ca_cert)
+        }
+      }
+      start_server(ctx_proc: ctx_proc) { |port|
+        server_connect(port) { |ssl|
+          ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+          assert_equal @svr_cert.to_der, ssl.peer_cert.to_der
+          assert_equal [@svr_cert, @ca_cert], ssl.peer_cert_chain
+        }
+      }
+    end
+  end
+
  def test_sysread_and_syswrite
    start_server { |port|
      server_connect(port) { |ssl|
@ -396,11 +424,15 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase

  def test_client_auth_success
    vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
-    start_server(verify_mode: vflag,
-      ctx_proc: proc { |ctx|
-        # LibreSSL doesn't support client_cert_cb in TLS 1.3
-        ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?
-    }) { |port|
+    ctx_proc = proc { |ctx|
+      store = OpenSSL::X509::Store.new
+      store.add_cert(@ca_cert)
+      store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+      ctx.cert_store = store
+      # LibreSSL doesn't support client_cert_cb in TLS 1.3
+      ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?
+    }
+    start_server(verify_mode: vflag, ctx_proc: ctx_proc) { |port|
      ctx = OpenSSL::SSL::SSLContext.new
      ctx.key = @cli_key
      ctx.cert = @cli_cert
@ -445,6 +477,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    pend "LibreSSL doesn't support certificate_authorities" if libressl?

    ctx_proc = Proc.new do |ctx|
+      store = OpenSSL::X509::Store.new
+      store.add_cert(@ca_cert)
+      store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+      ctx.cert_store = store
      ctx.client_ca = [@ca_cert]
    end

@ -510,7 +546,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
      ssl.sync_close = true
      begin
        assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
-        assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
+        assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, ssl.verify_result)
      ensure
        ssl.close
      end
@ -1162,9 +1198,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    start_server(ignore_listener_error: true) { |port|
      ctx = OpenSSL::SSL::SSLContext.new
      ctx.set_params
-      # OpenSSL <= 1.1.0: "self signed certificate in certificate chain"
-      # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain"
-      assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) {
+      assert_raise_with_message(OpenSSL::SSL::SSLError, /unable to get local issuer certificate/) {
        server_connect(port, ctx)
      }
    }
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@ -201,11 +201,7 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
                   accept_proc: proc{},
                   ignore_listener_error: false, &block)
    IO.pipe {|stop_pipe_r, stop_pipe_w|
-      store = OpenSSL::X509::Store.new
-      store.add_cert(@ca_cert)
-      store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
      ctx = OpenSSL::SSL::SSLContext.new
-      ctx.cert_store = store
      ctx.cert = @svr_cert
      ctx.key = @svr_key
      ctx.verify_mode = verify_mode