Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace SHA1 in tests #511

Closed
wants to merge 9 commits into from
Closed

Replace SHA1 in tests #511

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
1e526af
TestPkeyRSA: Replace SHA1.
jackorp Apr 14, 2022
2ea74cf
TestX509CRL: Replace SHA1.
jackorp Apr 14, 2022
a631494
TestX509Req: Replace SHA1.
jackorp Apr 14, 2022
998892d
TestNS_SPKI: Replace SHA1.
jackorp Apr 14, 2022
a18b8f6
TestASN1: Replace SHA1.
jackorp Apr 14, 2022
541ddfd
TestX509Cert: Replace SHA1.
jackorp Apr 19, 2022
9c9f421
TestPKeyDSA: Replace SHA1.
jackorp Apr 19, 2022
9fde348
TestPKeyEC: Replace SHA1.
jackorp Apr 19, 2022
cfda878
trigger GitHub actions
jackorp Oct 18, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions test/openssl/test_asn1.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ def test_decode_x509_certificate
["keyUsage","keyCertSign, cRLSign",true],
["subjectKeyIdentifier","hash",false],
]
dgst = OpenSSL::Digest.new('SHA1')
dgst = OpenSSL::Digest.new('SHA256')
cert = OpenSSL::TestUtils.issue_cert(
subj, key, s, exts, nil, nil, digest: dgst, not_before: now, not_after: now+3600)

Expand Down Expand Up @@ -42,7 +42,7 @@ def test_decode_x509_certificate
assert_equal(OpenSSL::ASN1::Sequence, sig.class)
assert_equal(2, sig.value.size)
assert_equal(OpenSSL::ASN1::ObjectId, sig.value[0].class)
assert_equal("1.2.840.113549.1.1.5", sig.value[0].oid)
assert_equal("1.2.840.113549.1.1.11", sig.value[0].oid)
assert_equal(OpenSSL::ASN1::Null, sig.value[1].class)

dn = tbs_cert.value[3] # issuer
Expand Down Expand Up @@ -189,7 +189,7 @@ def test_decode_x509_certificate
assert_equal(OpenSSL::ASN1::Null, pkey.value[0].value[1].class)

assert_equal(OpenSSL::ASN1::BitString, sig_val.class)
cululated_sig = key.sign(OpenSSL::Digest.new('SHA1'), tbs_cert.to_der)
cululated_sig = key.sign(OpenSSL::Digest.new('SHA256'), tbs_cert.to_der)
assert_equal(cululated_sig, sig_val.value)
end

Expand Down
2 changes: 1 addition & 1 deletion test/openssl/test_ns_spki.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ def test_build_data
spki = OpenSSL::Netscape::SPKI.new
spki.challenge = "RandomString"
spki.public_key = key1.public_key
spki.sign(key1, OpenSSL::Digest.new('SHA1'))
spki.sign(key1, OpenSSL::Digest.new('SHA256'))
assert(spki.verify(spki.public_key))
assert(spki.verify(key1.public_key))
assert(!spki.verify(key2.public_key))
Expand Down
4 changes: 2 additions & 2 deletions test/openssl/test_pkey_dsa.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,8 @@ def test_sign_verify
assert_equal true, dsa512.verify(OpenSSL::Digest.new('DSS1'), signature, data)
end

signature = dsa512.sign("SHA1", data)
assert_equal true, dsa512.verify("SHA1", signature, data)
signature = dsa512.sign("SHA256", data)
assert_equal true, dsa512.verify("SHA256", signature, data)

signature0 = (<<~'end;').unpack("m")[0]
MCwCFH5h40plgU5Fh0Z4wvEEpz0eE9SnAhRPbkRB8ggsN/vsSEYMXvJwjGg/
Expand Down
4 changes: 2 additions & 2 deletions test/openssl/test_pkey_ec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,8 +98,8 @@ def test_check_key
def test_sign_verify
p256 = Fixtures.pkey("p256")
data = "Sign me!"
signature = p256.sign("SHA1", data)
assert_equal true, p256.verify("SHA1", signature, data)
signature = p256.sign("SHA256", data)
assert_equal true, p256.verify("SHA256", signature, data)

signature0 = (<<~'end;').unpack("m")[0]
MEQCIEOTY/hD7eI8a0qlzxkIt8LLZ8uwiaSfVbjX2dPAvN11AiAQdCYx56Fq
Expand Down
18 changes: 9 additions & 9 deletions test/openssl/test_pkey_rsa.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,8 +80,8 @@ def test_new_break
def test_sign_verify
rsa1024 = Fixtures.pkey("rsa1024")
data = "Sign me!"
signature = rsa1024.sign("SHA1", data)
assert_equal true, rsa1024.verify("SHA1", signature, data)
signature = rsa1024.sign("SHA256", data)
assert_equal true, rsa1024.verify("SHA256", signature, data)

signature0 = (<<~'end;').unpack("m")[0]
oLCgbprPvfhM4pjFQiDTFeWI9Sk+Og7Nh9TmIZ/xSxf2CGXQrptlwo7NQ28+
Expand Down Expand Up @@ -113,10 +113,10 @@ def test_sign_verify_options
def test_sign_verify_raw
key = Fixtures.pkey("rsa-1")
data = "Sign me!"
hash = OpenSSL::Digest.digest("SHA1", data)
signature = key.sign_raw("SHA1", hash)
assert_equal true, key.verify_raw("SHA1", signature, hash)
assert_equal true, key.verify("SHA1", signature, data)
hash = OpenSSL::Digest.digest("SHA256", data)
signature = key.sign_raw("SHA256", hash)
assert_equal true, key.verify_raw("SHA256", signature, hash)
assert_equal true, key.verify("SHA256", signature, data)

# Too long data
assert_raise(OpenSSL::PKey::PKeyError) {
Expand All @@ -129,9 +129,9 @@ def test_sign_verify_raw
"rsa_pss_saltlen" => 20,
"rsa_mgf1_md" => "SHA256"
}
sig_pss = key.sign_raw("SHA1", hash, pssopts)
assert_equal true, key.verify("SHA1", sig_pss, data, pssopts)
assert_equal true, key.verify_raw("SHA1", sig_pss, hash, pssopts)
sig_pss = key.sign_raw("SHA256", hash, pssopts)
assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)
assert_equal true, key.verify_raw("SHA256", sig_pss, hash, pssopts)
end

def test_sign_verify_raw_legacy
Expand Down
6 changes: 3 additions & 3 deletions test/openssl/test_x509cert.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -180,6 +180,7 @@ def test_sign_and_verify_rsa_sha1
assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) })
cert.serial = 2
assert_equal(false, cert.verify(@rsa2048))
rescue OpenSSL::X509::CertificateError # RHEL 9 disables SHA1
end

def test_sign_and_verify_rsa_md5
Expand Down Expand Up @@ -226,9 +227,8 @@ def test_dsa_with_sha2
assert_equal("dsa_with_SHA256", cert.signature_algorithm)
# TODO: need more tests for dsa + sha2

# SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1)
cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha1")
assert_equal("dsaWithSHA1", cert.signature_algorithm)
cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha512")
assert_equal("dsa_with_SHA512", cert.signature_algorithm)
end

def test_check_private_key
Expand Down
20 changes: 10 additions & 10 deletions test/openssl/test_x509crl.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ def test_basic

cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
crl = issue_crl([], 1, now, now+1600, [],
cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
assert_equal(1, crl.version)
assert_equal(cert.issuer.to_der, crl.issuer.to_der)
assert_equal(now, crl.last_update)
Expand Down Expand Up @@ -57,7 +57,7 @@ def test_revoked
]
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
revoked = crl.revoked
assert_equal(5, revoked.size)
assert_equal(1, revoked[0].serial)
Expand Down Expand Up @@ -98,7 +98,7 @@ def test_revoked

revoke_info = (1..1000).collect{|i| [i, now, 0] }
crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
revoked = crl.revoked
assert_equal(1000, revoked.size)
assert_equal(1, revoked[0].serial)
Expand All @@ -124,7 +124,7 @@ def test_extension

cert = issue_cert(@ca, @rsa2048, 1, cert_exts, nil, nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts,
cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
exts = crl.extensions
assert_equal(3, exts.size)
assert_equal("1", exts[0].value)
Expand Down Expand Up @@ -160,32 +160,32 @@ def test_extension
assert_equal(false, exts[2].critical?)

no_ext_crl = issue_crl([], 1, Time.now, Time.now+1600, [],
cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
assert_equal nil, no_ext_crl.authority_key_identifier
end

def test_crlnumber
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
assert_match(1.to_s, crl.extensions[0].value)
assert_match(/X509v3 CRL Number:\s+#{1}/m, crl.to_text)

crl = issue_crl([], 2**32, Time.now, Time.now+1600, [],
cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
assert_match((2**32).to_s, crl.extensions[0].value)
assert_match(/X509v3 CRL Number:\s+#{2**32}/m, crl.to_text)

crl = issue_crl([], 2**100, Time.now, Time.now+1600, [],
cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
assert_match(/X509v3 CRL Number:\s+#{2**100}/m, crl.to_text)
assert_match((2**100).to_s, crl.extensions[0].value)
end

def test_sign_and_verify
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
assert_equal(false, crl.verify(@rsa1024))
assert_equal(true, crl.verify(@rsa2048))
assert_equal(false, crl_error_returns_false { crl.verify(@dsa256) })
Expand All @@ -195,7 +195,7 @@ def test_sign_and_verify

cert = issue_cert(@ca, @dsa512, 1, [], nil, nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
cert, @dsa512, OpenSSL::Digest.new('SHA1'))
cert, @dsa512, OpenSSL::Digest.new('SHA256'))
assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
assert_equal(false, crl.verify(@dsa256))
Expand Down
24 changes: 12 additions & 12 deletions test/openssl/test_x509req.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,31 +23,31 @@ def issue_csr(ver, dn, key, digest)
end

def test_public_key
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der)

req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA1'))
req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA256'))
assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
end

def test_version
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
assert_equal(0, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(0, req.version)

req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
assert_equal(1, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(1, req.version)
end

def test_subject
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
assert_equal(@dn.to_der, req.subject.to_der)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(@dn.to_der, req.subject.to_der)
Expand Down Expand Up @@ -78,9 +78,9 @@ def test_attr
OpenSSL::X509::Attribute.new("msExtReq", attrval),
]

req0 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
req0 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
attrs.each{|attr| req0.add_attribute(attr) }
req1 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
req1 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
req1.attributes = attrs
assert_equal(req0.to_der, req1.to_der)

Expand All @@ -101,7 +101,7 @@ def test_attr
end

def test_sign_and_verify_rsa_sha1
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
assert_equal(true, req.verify(@rsa1024))
assert_equal(false, req.verify(@rsa2048))
assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
Expand All @@ -122,7 +122,7 @@ def test_sign_and_verify_rsa_md5
end

def test_sign_and_verify_dsa
req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA1'))
req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA256'))
assert_equal(false, request_error_returns_false { req.verify(@rsa1024) })
assert_equal(false, request_error_returns_false { req.verify(@rsa2048) })
assert_equal(false, req.verify(@dsa256))
Expand All @@ -137,13 +137,13 @@ def test_sign_and_verify_dsa_md5
end

def test_dup
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
assert_equal(req.to_der, req.dup.to_der)
end

def test_eq
req1 = issue_csr(0, @dn, @rsa1024, "sha1")
req2 = issue_csr(0, @dn, @rsa1024, "sha1")
req1 = issue_csr(0, @dn, @rsa1024, "sha512")
req2 = issue_csr(0, @dn, @rsa1024, "sha512")
req3 = issue_csr(0, @dn, @rsa1024, "sha256")

assert_equal false, req1 == 12345
Expand Down