diff options
| author | Samuel Chiang <[email protected]> | 2025-02-12 01:45:15 +0000 |
|---|---|---|
| committer | git <[email protected]> | 2025-02-22 15:11:38 +0000 |
| commit | f63a123606286eadd812313a4ea42af8ea8c686f (patch) | |
| tree | aab0cf140275bf7437af6b39ea05a4e21f586cab | |
| parent | 6263d0d16bbe18fa210d2d67816dbd14272e109e (diff) | |
[ruby/openssl] pkey: AWS-LC disallows parsing of invalid keys and params
OpenSSL allows invalid EC keys or DH params to be parsed. The consuming
application can then run parameter/key checks to check the validity of
the parameters. We happen to run tests to verify that this behaves as
expected.
AWS-LC on the other hand, directly raises an error and disallows the
invalid state to be parsed, rather than making it parsable and checking
the validity later. Relevant tests have been adjusted accordingly to
reflect this.
https://github.com/ruby/openssl/commit/febe50be1b
| -rw-r--r-- | test/openssl/test_pkey_dh.rb | 21 | ||||
| -rw-r--r-- | test/openssl/test_pkey_ec.rb | 9 |
2 files changed, 23 insertions, 7 deletions
diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb index 686c9b97d0..6e1cad9dff 100644 --- a/test/openssl/test_pkey_dh.rb +++ b/test/openssl/test_pkey_dh.rb @@ -123,11 +123,22 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase ])) assert_equal(true, dh1.params_ok?) - dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([ - OpenSSL::ASN1::Integer(dh0.p + 1), - OpenSSL::ASN1::Integer(dh0.g) - ])) - assert_equal(false, dh2.params_ok?) + # AWS-LC automatically does parameter checks on the parsed params. + if aws_lc? + assert_raise(OpenSSL::PKey::DHError) { + OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(dh0.p + 1), + OpenSSL::ASN1::Integer(dh0.g) + ])) + } + else + dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(dh0.p + 1), + OpenSSL::ASN1::Integer(dh0.g) + ])) + assert_equal(false, dh2.params_ok?) + end + end def test_params diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb index 891c8601d7..999ee89a9e 100644 --- a/test/openssl/test_pkey_ec.rb +++ b/test/openssl/test_pkey_ec.rb @@ -89,14 +89,19 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase # Behavior of EVP_PKEY_public_check changes between OpenSSL 1.1.1 and 3.0 # The public key does not match the private key - key4 = OpenSSL::PKey.read(<<~EOF) + ec_key_data = <<~EOF -----BEGIN EC PRIVATE KEY----- MHcCAQEEIP+TT0V8Fndsnacji9tyf6hmhHywcOWTee9XkiBeJoVloAoGCCqGSM49 AwEHoUQDQgAEBkhhJIU/2/YdPSlY2I1k25xjK4trr5OXSgXvBC21PtY0HQ7lor7A jzT0giJITqmcd81fwGw5+96zLcdxTF1hVQ== -----END EC PRIVATE KEY----- EOF - assert_raise(OpenSSL::PKey::ECError) { key4.check_key } + if aws_lc? # AWS-LC automatically does key checks on the parsed key. + assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.read(ec_key_data) } + else + key4 = OpenSSL::PKey.read(ec_key_data) + assert_raise(OpenSSL::PKey::ECError) { key4.check_key } + end # EC#private_key= is deprecated in 3.0 and won't work on OpenSSL 3.0 if !openssl?(3, 0, 0) |