[ruby/openssl] pkey: EVP_DigestVerify doesn't return -1 in AWS-LC

EVP_DigestVerify in OpenSSL returns 0 to indicate a signature verification failure and can return -1 to indicate other failures, such as invalid ASN1 contents. ruby/openssl also reflects that by returning false with 0 and raising an error with -1. EVP_DigestVerify in AWS-LC simply returns 0 for any failure. https://github.com/ruby/openssl/commit/be8ba76dc1
author: Samuel Chiang <[email protected]> 2025-02-12 01:52:40 +0000
committer: git <[email protected]> 2025-02-22 15:11:39 +0000
commit: 841d9f259dbe70fa35b4634b5c90d2c33e51c3f9 (patch)
tree: fafe911037436e0b93cc1feea79280263be9e08b
parent: f63a123606286eadd812313a4ea42af8ea8c686f (diff)
3 files changed, 16 insertions, 8 deletions
diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
index a8578daf55..b882476346 100644
--- a/test/openssl/test_pkey_dsa.rb
+++ b/test/openssl/test_pkey_dsa.rb
@@ -92,19 +92,19 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
     sig = key.syssign(digest)
     assert_equal true, key.sysverify(digest, sig)
     assert_equal false, key.sysverify(digest, invalid_sig)
-    assert_raise(OpenSSL::PKey::DSAError) { key.sysverify(digest, malformed_sig) }
+    assert_sign_verify_false_or_error{ key.sysverify(digest, malformed_sig) }
     assert_equal true, key.verify_raw(nil, sig, digest)
     assert_equal false, key.verify_raw(nil, invalid_sig, digest)
-    assert_raise(OpenSSL::PKey::PKeyError) { key.verify_raw(nil, malformed_sig, digest) }
+    assert_sign_verify_false_or_error { key.verify_raw(nil, malformed_sig, digest) }
 
     # Sign by #sign_raw
     sig = key.sign_raw(nil, digest)
     assert_equal true, key.sysverify(digest, sig)
     assert_equal false, key.sysverify(digest, invalid_sig)
-    assert_raise(OpenSSL::PKey::DSAError) { key.sysverify(digest, malformed_sig) }
+    assert_sign_verify_false_or_error { key.sysverify(digest, malformed_sig) }
     assert_equal true, key.verify_raw(nil, sig, digest)
     assert_equal false, key.verify_raw(nil, invalid_sig, digest)
-    assert_raise(OpenSSL::PKey::PKeyError) { key.verify_raw(nil, malformed_sig, digest) }
+    assert_sign_verify_false_or_error { key.verify_raw(nil, malformed_sig, digest) }
   end
 
   def test_DSAPrivateKey
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
index 999ee89a9e..8810cde62c 100644
--- a/test/openssl/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@@ -152,19 +152,19 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
     sig = key.dsa_sign_asn1(data1)
     assert_equal true, key.dsa_verify_asn1(data1, sig)
     assert_equal false, key.dsa_verify_asn1(data2, sig)
-    assert_raise(OpenSSL::PKey::ECError) { key.dsa_verify_asn1(data1, malformed_sig) }
+    assert_sign_verify_false_or_error { key.dsa_verify_asn1(data1, malformed_sig) }
     assert_equal true, key.verify_raw(nil, sig, data1)
     assert_equal false, key.verify_raw(nil, sig, data2)
-    assert_raise(OpenSSL::PKey::PKeyError) { key.verify_raw(nil, malformed_sig, data1) }
+    assert_sign_verify_false_or_error { key.verify_raw(nil, malformed_sig, data1) }
 
     # Sign by #sign_raw
     sig = key.sign_raw(nil, data1)
     assert_equal true, key.dsa_verify_asn1(data1, sig)
     assert_equal false, key.dsa_verify_asn1(data2, sig)
-    assert_raise(OpenSSL::PKey::ECError) { key.dsa_verify_asn1(data1, malformed_sig) }
+    assert_sign_verify_false_or_error { key.dsa_verify_asn1(data1, malformed_sig) }
     assert_equal true, key.verify_raw(nil, sig, data1)
     assert_equal false, key.verify_raw(nil, sig, data2)
-    assert_raise(OpenSSL::PKey::PKeyError) { key.verify_raw(nil, malformed_sig, data1) }
+    assert_sign_verify_false_or_error{ key.verify_raw(nil, malformed_sig, data1) }
   end
 
   def test_dsa_sign_asn1_FIPS186_3
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index e0c085b53b..ff789ff284 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -286,6 +286,14 @@ class OpenSSL::PKeyTestCase < OpenSSL::TestCase
       assert_equal base.send(comp), test.send(comp)
     }
   end
+
+  def assert_sign_verify_false_or_error
+    ret = yield
+  rescue => e
+    assert_kind_of(OpenSSL::PKey::PKeyError, e)
+  else
+    assert_equal(false, ret)
+  end
 end
 
 module OpenSSL::Certs
author	Samuel Chiang <[email protected]>	2025-02-12 01:52:40 +0000
committer	git <[email protected]>	2025-02-22 15:11:39 +0000
commit	841d9f259dbe70fa35b4634b5c90d2c33e51c3f9 (patch)
tree	fafe911037436e0b93cc1feea79280263be9e08b
parent	f63a123606286eadd812313a4ea42af8ea8c686f (diff)