1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ruby/openssl] ssl: remove cert_store from start_server test helper

Browse Source 
OpenSSL::SSL::SSLContext#cert_store= uses SSL_CTX_set_cert_store(). The
store is used for verifying peer certificates and for building
certificate chains to be sent to the peer if there is no chain
explicitly provided by SSLContext#extra_chain_cert=.

Do not specify it in the common test helper start_server, as most
callers do not require either function. Instead, update individual test
cases that use client certificates to explicitly specify it in ctx_proc.
A more direct test case is added to verify the latter function.

https://github.com/ruby/openssl/commit/9daecee615
This commit is contained in:
Kazuki Yamaguchi 2025-02-19 03:15:07 +09:00 committed by git
parent 49e229b3fc
commit c515da3d74
2 changed files with 43 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
test/openssl/test_ssl.rb
View File

@ -230,6 +230,34 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end end
end end
def test_extra_chain_cert_auto_chain
start_server { |port|
server_connect(port) { |ssl|
ssl.puts "abc"; assert_equal "abc\n", ssl.gets
assert_equal @svr_cert.to_der, ssl.peer_cert.to_der
assert_equal [@svr_cert], ssl.peer_cert_chain
}
}
# AWS-LC enables SSL_MODE_NO_AUTO_CHAIN by default
unless aws_lc?
ctx_proc = -> ctx {
# Sanity check: start_server won't set extra_chain_cert
assert_nil ctx.extra_chain_cert
ctx.cert_store = OpenSSL::X509::Store.new.tap { |store|
store.add_cert(@ca_cert)
}
}
start_server(ctx_proc: ctx_proc) { |port|
server_connect(port) { |ssl|
ssl.puts "abc"; assert_equal "abc\n", ssl.gets
assert_equal @svr_cert.to_der, ssl.peer_cert.to_der
assert_equal [@svr_cert, @ca_cert], ssl.peer_cert_chain
}
}
end
end
def test_sysread_and_syswrite def test_sysread_and_syswrite
start_server { |port| start_server { |port|
server_connect(port) { |ssl| server_connect(port) { |ssl|
@ -396,11 +424,15 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_client_auth_success def test_client_auth_success
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
start_server(verify_mode: vflag, ctx_proc = proc { |ctx|
ctx_proc: proc { |ctx| store = OpenSSL::X509::Store.new
# LibreSSL doesn't support client_cert_cb in TLS 1.3 store.add_cert(@ca_cert)
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl? store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
}) { |port| ctx.cert_store = store
# LibreSSL doesn't support client_cert_cb in TLS 1.3
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?
}
start_server(verify_mode: vflag, ctx_proc: ctx_proc) { |port|
ctx = OpenSSL::SSL::SSLContext.new ctx = OpenSSL::SSL::SSLContext.new
ctx.key = @cli_key ctx.key = @cli_key
ctx.cert = @cli_cert ctx.cert = @cli_cert
@ -445,6 +477,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
pend "LibreSSL doesn't support certificate_authorities" if libressl? pend "LibreSSL doesn't support certificate_authorities" if libressl?
ctx_proc = Proc.new do |ctx| ctx_proc = Proc.new do |ctx|
store = OpenSSL::X509::Store.new
store.add_cert(@ca_cert)
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
ctx.cert_store = store
ctx.client_ca = [@ca_cert] ctx.client_ca = [@ca_cert]
end end
@ -510,7 +546,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ssl.sync_close = true ssl.sync_close = true
begin begin
assert_raise(OpenSSL::SSL::SSLError){ ssl.connect } assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result) assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, ssl.verify_result)
ensure ensure
ssl.close ssl.close
end end
@ -1162,9 +1198,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(ignore_listener_error: true) { |port| start_server(ignore_listener_error: true) { |port|
ctx = OpenSSL::SSL::SSLContext.new ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params ctx.set_params
# OpenSSL <= 1.1.0: "self signed certificate in certificate chain" assert_raise_with_message(OpenSSL::SSL::SSLError, /unable to get local issuer certificate/) {
# OpenSSL >= 3.0.0: "self-signed certificate in certificate chain"
assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) {
server_connect(port, ctx) server_connect(port, ctx)
} }
} }

4
test/openssl/utils.rb
View File

@ -201,11 +201,7 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
accept_proc: proc{}, accept_proc: proc{},
ignore_listener_error: false, &block) ignore_listener_error: false, &block)
IO.pipe {|stop_pipe_r, stop_pipe_w| IO.pipe {|stop_pipe_r, stop_pipe_w|
store = OpenSSL::X509::Store.new
store.add_cert(@ca_cert)
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
ctx = OpenSSL::SSL::SSLContext.new ctx = OpenSSL::SSL::SSLContext.new
ctx.cert_store = store
ctx.cert = @svr_cert ctx.cert = @svr_cert
ctx.key = @svr_key ctx.key = @svr_key
ctx.verify_mode = verify_mode ctx.verify_mode = verify_mode