[ruby/openssl] pkey: AWS-LC disallows parsing of invalid keys and params

OpenSSL allows invalid EC keys or DH params to be parsed. The consuming application can then run parameter/key checks to check the validity of the parameters. We happen to run tests to verify that this behaves as expected. AWS-LC on the other hand, directly raises an error and disallows the invalid state to be parsed, rather than making it parsable and checking the validity later. Relevant tests have been adjusted accordingly to reflect this. https://github.com/ruby/openssl/commit/febe50be1b
2025-02-12 01:45:15 +00:00 · 2025-02-12 01:45:15 +00:00 · f63a123606
commit f63a123606
parent 6263d0d16b
2 changed files with 23 additions and 7 deletions
--- a/test/openssl/test_pkey_dh.rb
+++ b/test/openssl/test_pkey_dh.rb
@ -123,6 +123,15 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
    ]))
    assert_equal(true, dh1.params_ok?)

+    # AWS-LC automatically does parameter checks on the parsed params.
+    if aws_lc?
+      assert_raise(OpenSSL::PKey::DHError) {
+        OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(dh0.p + 1),
+          OpenSSL::ASN1::Integer(dh0.g)
+        ]))
+      }
+    else
      dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
        OpenSSL::ASN1::Integer(dh0.p + 1),
        OpenSSL::ASN1::Integer(dh0.g)
@ -130,6 +139,8 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
      assert_equal(false, dh2.params_ok?)
    end

+  end
+
  def test_params
    dh = Fixtures.pkey("dh2048_ffdhe2048")
    assert_kind_of(OpenSSL::BN, dh.p)
--- a/test/openssl/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@ -89,14 +89,19 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase

    # Behavior of EVP_PKEY_public_check changes between OpenSSL 1.1.1 and 3.0
    # The public key does not match the private key
-    key4 = OpenSSL::PKey.read(<<~EOF)
+    ec_key_data = <<~EOF
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIP+TT0V8Fndsnacji9tyf6hmhHywcOWTee9XkiBeJoVloAoGCCqGSM49
    AwEHoUQDQgAEBkhhJIU/2/YdPSlY2I1k25xjK4trr5OXSgXvBC21PtY0HQ7lor7A
    jzT0giJITqmcd81fwGw5+96zLcdxTF1hVQ==
    -----END EC PRIVATE KEY-----
    EOF
+    if aws_lc? # AWS-LC automatically does key checks on the parsed key.
+      assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.read(ec_key_data) }
+    else
+      key4 = OpenSSL::PKey.read(ec_key_data)
      assert_raise(OpenSSL::PKey::ECError) { key4.check_key }
+    end

    # EC#private_key= is deprecated in 3.0 and won't work on OpenSSL 3.0
    if !openssl?(3, 0, 0)