[ruby/openssl] Only CSR version 1 (encoded as 0) is allowed by PKIX s… · ruby/ruby@bcc3ad7 · GitHub

Commit bcc3ad7

job authored and hsbt committed
[ruby/openssl] Only CSR version 1 (encoded as 0) is allowed by PKIX standards
RFC 2986, section 4.1 only defines version 1 for CSRs. This version is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version to anything but 1 fails.

Do not attempt to generate a CSR with invalid version (which now fails) and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its subject rather than using an invalid version.

This commit fixes the following error.

```
2) Error:
test_version(OpenSSL::TestX509Request):
OpenSSL::X509::RequestError: X509_REQ_set_version: passed invalid argument
    /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
    /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
    /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in `test_version'
     40:     req = OpenSSL::X509::Request.new(req.to_der)
     41:     assert_equal(0, req.version)
     42:
  => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
     44:     assert_equal(1, req.version)
     45:     req = OpenSSL::X509::Request.new(req.to_der)
     46:     assert_equal(1, req.version)
```

ruby/openssl@c06fdeb091
1 parent 5d10d1f commit bcc3ad7

1 file changed: +1 -6 lines changed
test/openssl/test_x509req.rb

Lines changed: 1 addition & 6 deletions
@@ -40,11 +40,6 @@ def test_version
4040
assert_equal(0, req.version)
4141
req = OpenSSL::X509::Request.new(req.to_der)
4242
assert_equal(0, req.version)
43-
44-
req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
45-
assert_equal(1, req.version)
46-
req = OpenSSL::X509::Request.new(req.to_der)
47-
assert_equal(1, req.version)
4843
end
4944

5045
def test_subject
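Review bot: test_version is left with no coverage of a non-zero version, so nothing in it records why only 0 is exercised or what happens when a caller sets anything else. Per the commit message, `version=` raises OpenSSL::X509::RequestError on OpenSSL 3.3 and later. Consider asserting that error for `req.version = 1`, guarded on the linked OpenSSL version so older builds still pass. At minimum, add a short comment above the remaining `assert_equal(0, req.version)` lines citing RFC 2986 section 4.1, so the removed case is not reintroduced later.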
@@ -108,7 +103,7 @@ def test_sign_and_verify_rsa_sha1
108103
assert_equal(false, req.verify(@rsa2048))
109104
assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
110105
assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
111-
req.version = 1
106+
req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
112107
assert_equal(false, req.verify(@rsa1024))
113108
end
114109
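Review bot: the replacement line `req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")` only invalidates the signature if that name differs from the subject the request was signed with. That subject is defined outside this hunk, so the intent is not visible here. A one-line comment stating that the signed request info is being altered after signing would make the final `assert_equal(false, req.verify(@rsa1024))` self-explanatory. Deriving the new name from the existing subject, rather than using a hard-coded literal, would also keep the test from silently passing verification if the fixture subject is ever changed to the same value.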
