From 55c9ea106138b8be4e292b2e4af6991f09176ea9 Mon Sep 17 00:00:00 2001
From: Josh Cooper
Date: Tue, 29 Oct 2024 14:27:30 -0700
Subject: [PATCH] Refactor ed25519 key generation and checks in tests
---
 test/openssl/test_x509cert.rb | 19 +------------------
 test/openssl/test_x509crl.rb | 19 +------------------
 test/openssl/test_x509req.rb | 19 +------------------
 test/openssl/utils.rb | 20 ++++++++++++++++++++
 4 files changed, 23 insertions(+), 54 deletions(-)
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index 85c978f02..8f278bae0 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -223,24 +223,7 @@ def test_sign_and_verify_dsa_md5
 end
 
 def test_sign_and_verify_ed25519
- # See test_ed25519 in test_pkey.rb
-
- # Ed25519 is not FIPS-approved.
- omit_on_fips
-
- begin
- ed25519 = OpenSSL::PKey::generate_key("ED25519")
- rescue OpenSSL::PKey::PKeyError => e
- # OpenSSL < 1.1.1
- #
- pend "Ed25519 is not implemented" unless openssl?(1, 1, 1)
-
- raise e
- end
-
- # See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
- pend 'ASN1 signing with Ed25519 not yet working' unless openssl? or libressl?(3, 8, 1)
-
+ ed25519 = generate_ed25519
 cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
 assert_equal(true, cert.verify(ed25519))
 end
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
index 294aa195b..eff08d700 100644
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
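Review bot: The call site drops the `# See test_ed25519 in test_pkey.rb` cross-reference and the new helper in utils.rb does not carry it either, so the pointer to the underlying PKey test is lost; the same applies to the hunks in test_x509crl.rb and test_x509req.rb. Because `generate_ed25519` may now omit or pend the calling test from inside the helper, a reader of `ed25519 = generate_ed25519` cannot see that this test can be skipped at that line. A one-line comment at the call site, `# may omit/pend this test; see test_ed25519 in test_pkey.rb`, or the cross-reference moved into the helper, would keep that context.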
@@ -205,24 +205,7 @@ def test_sign_and_verify
 end
 
 def test_sign_and_verify_ed25519
- # See test_ed25519 in test_pkey.rb
-
- # Ed25519 is not FIPS-approved.
- omit_on_fips
-
- begin
- ed25519 = OpenSSL::PKey::generate_key("ED25519")
- rescue OpenSSL::PKey::PKeyError => e
- # OpenSSL < 1.1.1
- #
- pend "Ed25519 is not implemented" unless openssl?(1, 1, 1)
-
- raise e
- end
-
- # See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
- pend 'ASN1 signing with Ed25519 not yet working' unless openssl? or libressl?(3, 8, 1)
-
+ ed25519 = generate_ed25519
 cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
 crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, ed25519, nil)
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index 89f348907..7e2855c7b 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -137,24 +137,7 @@ def test_sign_and_verify_dsa_md5
 end
 
 def test_sign_and_verify_ed25519
- # See test_ed25519 in test_pkey.rb
-
- # Ed25519 is not FIPS-approved.
- omit_on_fips
-
- begin
- ed25519 = OpenSSL::PKey::generate_key("ED25519")
- rescue OpenSSL::PKey::PKeyError => e
- # OpenSSL < 1.1.1
- #
- pend "Ed25519 is not implemented" unless openssl?(1, 1, 1)
-
- raise e
- end
-
- # See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
- pend 'ASN1 signing with Ed25519 not yet working' unless openssl? or libressl?(3, 8, 1)
-
+ ed25519 = generate_ed25519
 req = issue_csr(0, @dn, ed25519, nil)
 assert_equal(true, req.verify(ed25519))
 end
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index f6c84eef6..4e70e2079 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -106,6 +106,26 @@ def get_subject_key_id(cert, hex: true)
 end
 end
 
+ def generate_ed25519
+ # Ed25519 is not FIPS-approved.
+ omit_on_fips
+
+ begin
+ ed25519 = OpenSSL::PKey::generate_key("ED25519")
+ rescue OpenSSL::PKey::PKeyError => e
+ # OpenSSL < 1.1.1
+ #
+ pend "Ed25519 is not implemented" unless openssl?(1, 1, 1)
+
+ raise e
+ end
+
+ # See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
+ pend 'ASN1 signing with Ed25519 not yet working' unless openssl? or libressl?(3, 8, 1)
+
+ ed25519
+ end
+
 def openssl?(major = nil, minor = nil, fix = nil, patch = 0, status = 0)
 return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL")
 return true unless major
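Review bot: `generate_ed25519` is named as a key-generation helper, but it also decides whether the calling test runs at all: `omit_on_fips` skips it on FIPS builds and the `pend 'ASN1 signing with Ed25519 not yet working'` line skips it on LibreSSL before 3.8.1, which is a limitation of signing rather than of key generation. A future test that only needs an Ed25519 key without signing anything would presumably be pended by that line even where it could pass. A header comment such as `# Generates an Ed25519 key, or omits/pends the calling test when Ed25519 is unavailable or cannot be used for ASN1 signing (FIPS, OpenSSL < 1.1.1, LibreSSL < 3.8.1).` would make that contract visible from the call sites. Minor style on the moved code: `raise e` inside the rescue can be a bare `raise`, `unless openssl? || libressl?(3, 8, 1)` avoids the low-precedence `or`, and the empty `#` line under `# OpenSSL < 1.1.1` looks like a leftover.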