Merge branch 'ky/ssl-test-assume-ec-support'

* ky/ssl-test-assume-ec-support:
  test/openssl/test_pkey_rsa: disable test_no_private_exp on OpenSSL 3.0
  test/openssl/test_pkey: use EC keys for PKey.generate_parameters tests
  test/openssl/test_ssl: fix illegal SAN extension
  test/openssl/test_pkcs12: fix test failures with OpenSSL 3.0
  test/openssl/test_ssl: relax regex to match OpenSSL's error message
  test/openssl/test_digest: do not test constants for legacy algorithms
  test/openssl/test_ssl: assume ECC support
  test/openssl/test_ssl: assume TLS 1.2 support
  test/openssl/utils: remove dup_public helper method

Author: rhenium

test/openssl/test_digest.rb

@@ -54,7 +54,7 @@ def test_reset
   end
 
   def test_digest_constants
-    %w{MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512}.each do |name|
+    %w{MD5 SHA1 SHA224 SHA256 SHA384 SHA512}.each do |name|
       assert_not_nil(OpenSSL::Digest.new(name))
       klass = OpenSSL::Digest.const_get(name.tr('-', '_'))
       assert_not_nil(klass.new)

test/openssl/test_pair.rb

@@ -23,7 +23,6 @@ def ssl_pair
       sctx = OpenSSL::SSL::SSLContext.new
       sctx.cert = @svr_cert
       sctx.key = @svr_key
-      sctx.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey("dh-1") }
       sctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION
       ssls = OpenSSL::SSL::SSLServer.new(tcps, sctx)
       ns = ssls.accept
@@ -383,7 +382,6 @@ def test_connect_accept_nonblock_no_exception
     ctx2 = OpenSSL::SSL::SSLContext.new
     ctx2.cert = @svr_cert
     ctx2.key = @svr_key
-    ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey("dh-1") }
 
     sock1, sock2 = tcp_pair
 
@@ -431,7 +429,6 @@ def test_connect_accept_nonblock
     ctx = OpenSSL::SSL::SSLContext.new
     ctx.cert = @svr_cert
     ctx.key = @svr_key
-    ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey("dh-1") }
 
     sock1, sock2 = tcp_pair
 

test/openssl/test_pkcs12.rb

@@ -27,20 +27,16 @@ def test_generic_oid_inspect
   end
 
   def test_s_generate_parameters
-    # 512 is non-default; 1024 is used if 'dsa_paramgen_bits' is not specified
-    # with OpenSSL 1.1.0.
-    pkey = OpenSSL::PKey.generate_parameters("DSA", {
-      "dsa_paramgen_bits" => 512,
-      "dsa_paramgen_q_bits" => 256,
+    pkey = OpenSSL::PKey.generate_parameters("EC", {
+      "ec_paramgen_curve" => "secp384r1",
     })
-    assert_instance_of OpenSSL::PKey::DSA, pkey
-    assert_equal 512, pkey.p.num_bits
-    assert_equal 256, pkey.q.num_bits
-    assert_equal nil, pkey.priv_key
+    assert_instance_of OpenSSL::PKey::EC, pkey
+    assert_equal "secp384r1", pkey.group.curve_name
+    assert_equal nil, pkey.private_key
 
     # Invalid options are checked
     assert_raise(OpenSSL::PKey::PKeyError) {
-      OpenSSL::PKey.generate_parameters("DSA", "invalid" => "option")
+      OpenSSL::PKey.generate_parameters("EC", "invalid" => "option")
     }
 
     # Parameter generation callback is called
@@ -59,14 +55,13 @@ def test_s_generate_key
       # DSA key pair cannot be generated without parameters
       OpenSSL::PKey.generate_key("DSA")
     }
-    pkey_params = OpenSSL::PKey.generate_parameters("DSA", {
-      "dsa_paramgen_bits" => 512,
-      "dsa_paramgen_q_bits" => 256,
+    pkey_params = OpenSSL::PKey.generate_parameters("EC", {
+      "ec_paramgen_curve" => "secp384r1",
     })
     pkey = OpenSSL::PKey.generate_key(pkey_params)
-    assert_instance_of OpenSSL::PKey::DSA, pkey
-    assert_equal 512, pkey.p.num_bits
-    assert_not_equal nil, pkey.priv_key
+    assert_instance_of OpenSSL::PKey::EC, pkey
+    assert_equal "secp384r1", pkey.group.curve_name
+    assert_not_equal nil, pkey.private_key
   end
 
   def test_hmac_sign_verify

test/openssl/test_pkey.rb

@@ -40,12 +40,14 @@ def test_derive_key
 
   def test_DHparams
     dh1024 = Fixtures.pkey("dh1024")
+    dh1024params = dh1024.public_key
+
     asn1 = OpenSSL::ASN1::Sequence([
       OpenSSL::ASN1::Integer(dh1024.p),
       OpenSSL::ASN1::Integer(dh1024.g)
     ])
     key = OpenSSL::PKey::DH.new(asn1.to_der)
-    assert_same_dh dup_public(dh1024), key
+    assert_same_dh dh1024params, key
 
     pem = <<~EOF
     -----BEGIN DH PARAMETERS-----
@@ -55,9 +57,9 @@ def test_DHparams
     -----END DH PARAMETERS-----
     EOF
     key = OpenSSL::PKey::DH.new(pem)
-    assert_same_dh dup_public(dh1024), key
+    assert_same_dh dh1024params, key
     key = OpenSSL::PKey.read(pem)
-    assert_same_dh dup_public(dh1024), key
+    assert_same_dh dh1024params, key
 
     assert_equal asn1.to_der, dh1024.to_der
     assert_equal pem, dh1024.export

test/openssl/test_pkey_dh.rb

@@ -138,6 +138,8 @@ def test_DSAPrivateKey_encrypted
 
   def test_PUBKEY
     dsa512 = Fixtures.pkey("dsa512")
+    dsa512pub = OpenSSL::PKey::DSA.new(dsa512.public_to_der)
+
     asn1 = OpenSSL::ASN1::Sequence([
       OpenSSL::ASN1::Sequence([
         OpenSSL::ASN1::ObjectId("DSA"),
@@ -153,7 +155,7 @@ def test_PUBKEY
     ])
     key = OpenSSL::PKey::DSA.new(asn1.to_der)
     assert_not_predicate key, :private?
-    assert_same_dsa dup_public(dsa512), key
+    assert_same_dsa dsa512pub, key
 
     pem = <<~EOF
     -----BEGIN PUBLIC KEY-----
@@ -166,10 +168,15 @@ def test_PUBKEY
     -----END PUBLIC KEY-----
     EOF
     key = OpenSSL::PKey::DSA.new(pem)
-    assert_same_dsa dup_public(dsa512), key
+    assert_same_dsa dsa512pub, key
+
+    assert_equal asn1.to_der, key.to_der
+    assert_equal pem, key.export
 
-    assert_equal asn1.to_der, dup_public(dsa512).to_der
-    assert_equal pem, dup_public(dsa512).export
+    assert_equal asn1.to_der, dsa512.public_to_der
+    assert_equal asn1.to_der, key.public_to_der
+    assert_equal pem, dsa512.public_to_pem
+    assert_equal pem, key.public_to_pem
   end
 
   def test_read_DSAPublicKey_pem

test/openssl/test_pkey_dsa.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 require_relative 'utils'
 
-if defined?(OpenSSL) && defined?(OpenSSL::PKey::EC)
+if defined?(OpenSSL)
 
 class OpenSSL::TestEC < OpenSSL::PKeyTestCase
   def test_ec_key
@@ -210,6 +210,8 @@ def test_ECPrivateKey_encrypted
 
   def test_PUBKEY
     p256 = Fixtures.pkey("p256")
+    p256pub = OpenSSL::PKey::EC.new(p256.public_to_der)
+
     asn1 = OpenSSL::ASN1::Sequence([
       OpenSSL::ASN1::Sequence([
         OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
@@ -221,7 +223,7 @@ def test_PUBKEY
     ])
     key = OpenSSL::PKey::EC.new(asn1.to_der)
     assert_not_predicate key, :private?
-    assert_same_ec dup_public(p256), key
+    assert_same_ec p256pub, key
 
     pem = <<~EOF
     -----BEGIN PUBLIC KEY-----
@@ -230,10 +232,15 @@ def test_PUBKEY
     -----END PUBLIC KEY-----
     EOF
     key = OpenSSL::PKey::EC.new(pem)
-    assert_same_ec dup_public(p256), key
+    assert_same_ec p256pub, key
+
+    assert_equal asn1.to_der, key.to_der
+    assert_equal pem, key.export
 
-    assert_equal asn1.to_der, dup_public(p256).to_der
-    assert_equal pem, dup_public(p256).export
+    assert_equal asn1.to_der, p256.public_to_der
+    assert_equal asn1.to_der, key.public_to_der
+    assert_equal pem, p256.public_to_pem
+    assert_equal pem, key.public_to_pem
   end
 
   def test_ec_group

test/openssl/test_pkey_ec.rb

@@ -11,7 +11,7 @@ def test_no_private_exp
     key.set_factors(rsa.p, rsa.q)
     assert_raise(OpenSSL::PKey::RSAError){ key.private_encrypt("foo") }
     assert_raise(OpenSSL::PKey::RSAError){ key.private_decrypt("foo") }
-  end
+  end if !openssl?(3, 0, 0) # Impossible state in OpenSSL 3.0
 
   def test_private
     # Generated by key size and public exponent
@@ -201,7 +201,7 @@ def test_sign_verify_pss
 
   def test_encrypt_decrypt
     rsapriv = Fixtures.pkey("rsa-1")
-    rsapub = dup_public(rsapriv)
+    rsapub = OpenSSL::PKey.read(rsapriv.public_to_der)
 
     # Defaults to PKCS #1 v1.5
     raw = "data"
@@ -216,7 +216,7 @@ def test_encrypt_decrypt
 
   def test_encrypt_decrypt_legacy
     rsapriv = Fixtures.pkey("rsa-1")
-    rsapub = dup_public(rsapriv)
+    rsapub = OpenSSL::PKey.read(rsapriv.public_to_der)
 
     # Defaults to PKCS #1 v1.5
     raw = "data"
@@ -346,13 +346,15 @@ def test_RSAPrivateKey_encrypted
 
   def test_RSAPublicKey
     rsa1024 = Fixtures.pkey("rsa1024")
+    rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der)
+
     asn1 = OpenSSL::ASN1::Sequence([
       OpenSSL::ASN1::Integer(rsa1024.n),
       OpenSSL::ASN1::Integer(rsa1024.e)
     ])
     key = OpenSSL::PKey::RSA.new(asn1.to_der)
     assert_not_predicate key, :private?
-    assert_same_rsa dup_public(rsa1024), key
+    assert_same_rsa rsa1024pub, key
 
     pem = <<~EOF
     -----BEGIN RSA PUBLIC KEY-----
@@ -362,11 +364,13 @@ def test_RSAPublicKey
     -----END RSA PUBLIC KEY-----
     EOF
     key = OpenSSL::PKey::RSA.new(pem)
-    assert_same_rsa dup_public(rsa1024), key
+    assert_same_rsa rsa1024pub, key
   end
 
   def test_PUBKEY
     rsa1024 = Fixtures.pkey("rsa1024")
+    rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der)
+
     asn1 = OpenSSL::ASN1::Sequence([
       OpenSSL::ASN1::Sequence([
         OpenSSL::ASN1::ObjectId("rsaEncryption"),
@@ -381,7 +385,7 @@ def test_PUBKEY
     ])
     key = OpenSSL::PKey::RSA.new(asn1.to_der)
     assert_not_predicate key, :private?
-    assert_same_rsa dup_public(rsa1024), key
+    assert_same_rsa rsa1024pub, key
 
     pem = <<~EOF
     -----BEGIN PUBLIC KEY-----
@@ -392,10 +396,15 @@ def test_PUBKEY
     -----END PUBLIC KEY-----
     EOF
     key = OpenSSL::PKey::RSA.new(pem)
-    assert_same_rsa dup_public(rsa1024), key
+    assert_same_rsa rsa1024pub, key
+
+    assert_equal asn1.to_der, key.to_der
+    assert_equal pem, key.export
 
-    assert_equal asn1.to_der, dup_public(rsa1024).to_der
-    assert_equal pem, dup_public(rsa1024).export
+    assert_equal asn1.to_der, rsa1024.public_to_der
+    assert_equal asn1.to_der, key.public_to_der
+    assert_equal pem, rsa1024.public_to_pem
+    assert_equal pem, key.public_to_pem
   end
 
   def test_pem_passwd
@@ -482,12 +491,6 @@ def test_private_encoding_encrypted
     assert_same_rsa rsa1024, OpenSSL::PKey.read(pem, "abcdef")
   end
 
-  def test_public_encoding
-    rsa1024 = Fixtures.pkey("rsa1024")
-    assert_equal dup_public(rsa1024).to_der, rsa1024.public_to_der
-    assert_equal dup_public(rsa1024).to_pem, rsa1024.public_to_pem
-  end
-
   def test_dup
     key = Fixtures.pkey("rsa1024")
     key2 = key.dup