Tree - rpms/ruby - CentOS Git server

rpms / ruby

Blame SOURCES/ruby-3.0-support-openssl-3.0-pr399.patch

Blob History Raw

		b7242a	`From d963d4e276658d110bcb796722d76efa7fb68efa Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Tue, 13 Jun 2017 23:39:41 +0900`
		b7242a	`Subject: [PATCH] pkey: refactor DER/PEM-encoded string parsing code`
		b7242a
		b7242a	`Export the flow used by OpenSSL::PKey.read and let the subclasses call`
		b7242a	`it before attempting other formats.`
		b7242a	`---`
		b7242a
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c`
		b7242a	`index 7ba7b37..3982b9c 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey.c`
		b7242a	`@@ -140,6 +140,35 @@ ossl_pkey_new(EVP_PKEY *pkey)`
		b7242a	`return obj;`
		b7242a	`}`
		b7242a
		b7242a	`+EVP_PKEY *`
		b7242a	`+ossl_pkey_read_generic(BIO *bio, VALUE pass)`
		b7242a	`+{`
		b7242a	`+ void ppass = (void )pass;`
		b7242a	`+ EVP_PKEY *pkey;`
		b7242a	`+`
		b7242a	`+ if ((pkey = d2i_PrivateKey_bio(bio, NULL)))`
		b7242a	`+ goto out;`
		b7242a	`+ OSSL_BIO_reset(bio);`
		b7242a	`+ if ((pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, ossl_pem_passwd_cb, ppass)))`
		b7242a	`+ goto out;`
		b7242a	`+ OSSL_BIO_reset(bio);`
		b7242a	`+ if ((pkey = d2i_PUBKEY_bio(bio, NULL)))`
		b7242a	`+ goto out;`
		b7242a	`+ OSSL_BIO_reset(bio);`
		b7242a	`+ /* PEM_read_bio_PrivateKey() also parses PKCS #8 formats */`
		b7242a	`+ if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, ossl_pem_passwd_cb, ppass)))`
		b7242a	`+ goto out;`
		b7242a	`+ OSSL_BIO_reset(bio);`
		b7242a	`+ if ((pkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL)))`
		b7242a	`+ goto out;`
		b7242a	`+ OSSL_BIO_reset(bio);`
		b7242a	`+ if ((pkey = PEM_read_bio_Parameters(bio, NULL)))`
		b7242a	`+ goto out;`
		b7242a	`+`
		b7242a	`+ out:`
		b7242a	`+ return pkey;`
		b7242a	`+}`
		b7242a	`+`
		b7242a	`/*`
		b7242a	`* call-seq:`
		b7242a	`* OpenSSL::PKey.read(string [, pwd ]) -> PKey`
		b7242a	`@@ -164,29 +193,14 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)`
		b7242a	`VALUE data, pass;`
		b7242a
		b7242a	`rb_scan_args(argc, argv, "11", &data, &pass);`
		b7242a	`- pass = ossl_pem_passwd_value(pass);`
		b7242a
		b7242a	`bio = ossl_obj2bio(&data);`
		b7242a	`- if ((pkey = d2i_PrivateKey_bio(bio, NULL)))`
		b7242a	`- goto ok;`
		b7242a	`- OSSL_BIO_reset(bio);`
		b7242a	`- if ((pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, ossl_pem_passwd_cb, (void *)pass)))`
		b7242a	`- goto ok;`
		b7242a	`- OSSL_BIO_reset(bio);`
		b7242a	`- if ((pkey = d2i_PUBKEY_bio(bio, NULL)))`
		b7242a	`- goto ok;`
		b7242a	`- OSSL_BIO_reset(bio);`
		b7242a	`- /* PEM_read_bio_PrivateKey() also parses PKCS #8 formats */`
		b7242a	`- if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, ossl_pem_passwd_cb, (void *)pass)))`
		b7242a	`- goto ok;`
		b7242a	`- OSSL_BIO_reset(bio);`
		b7242a	`- if ((pkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL)))`
		b7242a	`- goto ok;`
		b7242a
		b7242a	`+ pkey = ossl_pkey_read_generic(bio, ossl_pem_passwd_value(pass));`
		b7242a	`BIO_free(bio);`
		b7242a	`- ossl_raise(ePKeyError, "Could not parse PKey");`
		b7242a	`+ if (!pkey)`
		b7242a	`+ ossl_raise(ePKeyError, "Could not parse PKey");`
		b7242a
		b7242a	`-ok:`
		b7242a	`BIO_free(bio);`
		b7242a	`return ossl_pkey_new(pkey);`
		b7242a	`}`
		b7242a	`diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h`
		b7242a	`index e363a261..895927e3 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey.h`
		b7242a	`+++ b/ext/openssl/ossl_pkey.h`
		b7242a	`@@ -45,6 +45,7 @@ void ossl_generate_cb_stop(void *ptr);`
		b7242a
		b7242a	`VALUE ossl_pkey_new(EVP_PKEY *);`
		b7242a	`void ossl_pkey_check_public_key(const EVP_PKEY *);`
		b7242a	`+EVP_PKEY ossl_pkey_read_generic(BIO , VALUE);`
		b7242a	`EVP_PKEY *GetPKeyPtr(VALUE);`
		b7242a	`EVP_PKEY *DupPKeyPtr(VALUE);`
		b7242a	`EVP_PKEY *GetPrivPKeyPtr(VALUE);`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`index 431c20e..faa3dd6 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`@@ -213,24 +213,24 @@ static VALUE`
		b7242a	`ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)`
		b7242a	`{`
		b7242a	`EVP_PKEY *pkey;`
		b7242a	`- DSA *dsa;`
		b7242a	`+ DSA *dsa = NULL;`
		b7242a	`BIO *in;`
		b7242a	`VALUE arg, pass;`
		b7242a
		b7242a	`GetPKey(self, pkey);`
		b7242a	`- if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) {`
		b7242a	`+ rb_scan_args(argc, argv, "02", &arg, &pass);`
		b7242a	`+ if (argc == 0) {`
		b7242a	`dsa = DSA_new();`
		b7242a	`+ if (!dsa)`
		b7242a	`+ ossl_raise(eDSAError, "DSA_new");`
		b7242a	`}`
		b7242a	`- else if (RB_INTEGER_TYPE_P(arg)) {`
		b7242a	`- if (!(dsa = dsa_generate(NUM2INT(arg)))) {`
		b7242a	`- ossl_raise(eDSAError, NULL);`
		b7242a	`- }`
		b7242a	`+ else if (argc == 1 && RB_INTEGER_TYPE_P(arg)) {`
		b7242a	`+ dsa = dsa_generate(NUM2INT(arg));`
		b7242a	`}`
		b7242a	`else {`
		b7242a	`pass = ossl_pem_passwd_value(pass);`
		b7242a	`arg = ossl_to_der_if_possible(arg);`
		b7242a	`in = ossl_obj2bio(&arg;;`
		b7242a	`- dsa = PEM_read_bio_DSAPrivateKey(in, NULL, ossl_pem_passwd_cb, (void *)pass);`
		b7242a	`if (!dsa) {`
		b7242a	`OSSL_BIO_reset(in);`
		b7242a	`dsa = PEM_read_bio_DSA_PUBKEY(in, NULL, NULL, NULL);`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c`
		b7242a	`index aec9d1e6..ca8f5c6e 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_ec.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_ec.c`
		b7242a	`@@ -202,24 +202,17 @@ static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self)`
		b7242a	`} else if (rb_obj_is_kind_of(arg, cEC_GROUP)) {`
		b7242a	`ec = ec_key_new_from_group(arg);`
		b7242a	`} else {`
		b7242a	`- BIO *in;`
		b7242a	`-`
		b7242a	`- pass = ossl_pem_passwd_value(pass);`
		b7242a	`- in = ossl_obj2bio(&arg;;`
		b7242a	`-`
		b7242a	`- ec = PEM_read_bio_ECPrivateKey(in, NULL, ossl_pem_passwd_cb, (void *)pass);`
		b7242a	`- if (!ec) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- ec = PEM_read_bio_EC_PUBKEY(in, NULL, ossl_pem_passwd_cb, (void *)pass);`
		b7242a	`- }`
		b7242a	`- if (!ec) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- ec = d2i_ECPrivateKey_bio(in, NULL);`
		b7242a	`- }`
		b7242a	`- if (!ec) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- ec = d2i_EC_PUBKEY_bio(in, NULL);`
		b7242a	`- }`
		b7242a	`+ BIO *in = ossl_obj2bio(&arg;;`
		b7242a	`+ EVP_PKEY *tmp;`
		b7242a	`+ pass = ossl_pem_passwd_value(pass);`
		b7242a	`+ tmp = ossl_pkey_read_generic(in, pass);`
		b7242a	`+ if (tmp) {`
		b7242a	`+ if (EVP_PKEY_base_id(tmp) != EVP_PKEY_EC)`
		b7242a	`+ rb_raise(eECError, "incorrect pkey type: %s",`
		b7242a	`+ OBJ_nid2sn(EVP_PKEY_base_id(tmp)));`
		b7242a	`+ ec = EVP_PKEY_get1_EC_KEY(tmp);`
		b7242a	`+ EVP_PKEY_free(tmp);`
		b7242a	`+ }`
		b7242a	`BIO_free(in);`
		b7242a
		b7242a	`if (!ec) {`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`index 6a57238..41844e5 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`@@ -226,7 +226,8 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)`
		b7242a	`VALUE arg, pass;`
		b7242a
		b7242a	`GetPKey(self, pkey);`
		b7242a	`- if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) {`
		b7242a	`+ rb_scan_args(argc, argv, "02", &arg, &pass);`
		b7242a	`+ if (argc == 0) {`
		b7242a	`rsa = RSA_new();`
		b7242a	`}`
		b7242a	`else if (RB_INTEGER_TYPE_P(arg)) {`
		b7242a	`@@ -265,6 +266,7 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)`
		b7242a	`}`
		b7242a	`if (!EVP_PKEY_assign_RSA(pkey, rsa)) {`
		b7242a	`RSA_free(rsa);`
		b7242a	`+ ossl_clear_error();`
		b7242a	`ossl_raise(eRSAError, NULL);`
		b7242a	`}`
		b7242a
		b7242a	`From c2bb3f5411441b0dbe3085e1825d8479baef6ee4 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Sat, 22 Feb 2020 05:37:01 +0900`
		b7242a	`Subject: [PATCH 01/21] ts: use TS_VERIFY_CTX_set_certs instead of`
		b7242a	`TS_VERIFY_CTS_set_certs`
		b7242a
		b7242a	`OpenSSL 3.0 fixed the typo in the function name and replaced the`
		b7242a	`current 'CTS' version with a macro.`
		b7242a	`---`
		b7242a	`ext/openssl/extconf.rb \| 5 ++++-`
		b7242a	`ext/openssl/openssl_missing.h \| 5 +++++`
		b7242a	`ext/openssl/ossl_ts.c \| 2 +-`
		b7242a	`3 files changed, 10 insertions(+), 2 deletions(-)`
		b7242a
		b7242a	`diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb`
		b7242a	`index 5cb28f30..ea384fe9 100644`
		b7242a	`--- a/ext/openssl/extconf.rb`
		b7242a	`+++ b/ext/openssl/extconf.rb`
		b7242a	`@@ -169,13 +169,16 @@ def find_openssl_library`
		b7242a	`have_func("TS_STATUS_INFO_get0_status")`
		b7242a	`have_func("TS_STATUS_INFO_get0_text")`
		b7242a	`have_func("TS_STATUS_INFO_get0_failure_info")`
		b7242a	`-have_func("TS_VERIFY_CTS_set_certs")`
		b7242a	`+have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h") # became a macro in 3.0.0`
		b7242a	`have_func("TS_VERIFY_CTX_set_store")`
		b7242a	`have_func("TS_VERIFY_CTX_add_flags")`
		b7242a	`have_func("TS_RESP_CTX_set_time_cb")`
		b7242a	`have_func("EVP_PBE_scrypt")`
		b7242a	`have_func("SSL_CTX_set_post_handshake_auth")`
		b7242a
		b7242a	`+# added in 3.0.0`
		b7242a	`+have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")`
		b7242a	`+`
		b7242a	`Logging::message "=== Checking done. ===\n"`
		b7242a
		b7242a	`create_header`
		b7242a	`diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h`
		b7242a	`index 4d9b8801..1b1a54a8 100644`
		b7242a	`--- a/ext/openssl/openssl_missing.h`
		b7242a	`+++ b/ext/openssl/openssl_missing.h`
		b7242a	`@@ -254,4 +254,9 @@ IMPL_PKEY_GETTER(EC_KEY, ec)`
		b7242a	`} while (0)`
		b7242a	`#endif`
		b7242a
		b7242a	`+/* added in 3.0.0 */`
		b7242a	`+#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)`
		b7242a	`+# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)`
		b7242a	`+#endif`
		b7242a	`+`
		b7242a	`#endif /* _OSSL_OPENSSL_MISSING_H_ */`
		b7242a	`diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c`
		b7242a	`index 4654babf..9d91710a 100644`
		b7242a	`--- a/ext/openssl/ossl_ts.c`
		b7242a	`+++ b/ext/openssl/ossl_ts.c`
		b7242a	`@@ -816,7 +816,7 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)`
		b7242a	`X509_up_ref(cert);`
		b7242a	`}`
		b7242a
		b7242a	`- TS_VERIFY_CTS_set_certs(ctx, x509inter);`
		b7242a	`+ TS_VERIFY_CTX_set_certs(ctx, x509inter);`
		b7242a	`TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);`
		b7242a	`TS_VERIFY_CTX_set_store(ctx, x509st);`
		b7242a
		b7242a
		b7242a	`From 5780e43ceda843c38dc1493a81d8ef8615b2a42b Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Sat, 22 Feb 2020 05:47:58 +0900`
		b7242a	`Subject: [PATCH 02/21] ssl: use SSL_CTX_load_verify_{file,dir}() if available`
		b7242a
		b7242a	`SSL_CTX_load_verify_locations() is deprecated in OpenSSL 3.0 and`
		b7242a	`replaced with those two separate functions. Use them if they exist.`
		b7242a	`---`
		b7242a	`ext/openssl/extconf.rb \| 1 +`
		b7242a	`ext/openssl/ossl_ssl.c \| 7 +++++++`
		b7242a	`2 files changed, 8 insertions(+)`
		b7242a
		b7242a	`diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb`
		b7242a	`index ea384fe9..4b5ffd67 100644`
		b7242a	`--- a/ext/openssl/extconf.rb`
		b7242a	`+++ b/ext/openssl/extconf.rb`
		b7242a	`@@ -178,6 +178,7 @@ def find_openssl_library`
		b7242a
		b7242a	`# added in 3.0.0`
		b7242a	`have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")`
		b7242a	`+have_func("SSL_CTX_load_verify_file")`
		b7242a
		b7242a	`Logging::message "=== Checking done. ===\n"`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c`
		b7242a	`index 76db821e..c80c939e 100644`
		b7242a	`--- a/ext/openssl/ossl_ssl.c`
		b7242a	`+++ b/ext/openssl/ossl_ssl.c`
		b7242a	`@@ -886,10 +886,17 @@ ossl_sslctx_setup(VALUE self)`
		b7242a	`ca_file = NIL_P(val) ? NULL : StringValueCStr(val);`
		b7242a	`val = rb_attr_get(self, id_i_ca_path);`
		b7242a	`ca_path = NIL_P(val) ? NULL : StringValueCStr(val);`
		b7242a	`+#if defined(HAVE_SSL_CTX_LOAD_VERIFY_FILE)`
		b7242a	`+ if (ca_file && !SSL_CTX_load_verify_file(ctx, ca_file))`
		b7242a	`+ ossl_raise(eSSLError, "SSL_CTX_load_verify_file");`
		b7242a	`+ if (ca_path && !SSL_CTX_load_verify_dir(ctx, ca_path))`
		b7242a	`+ ossl_raise(eSSLError, "SSL_CTX_load_verify_dir");`
		b7242a	`+#else`
		b7242a	`if(ca_file \|\| ca_path){`
		b7242a	`if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))`
		b7242a	`rb_warning("can't set verify locations");`
		b7242a	`}`
		b7242a	`+#endif`
		b7242a
		b7242a	`val = rb_attr_get(self, id_i_verify_mode);`
		b7242a	`verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);`
		b7242a
		b7242a	`From c26272113074bfe3ebbc698741974fce86b1c25a Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Sat, 22 Feb 2020 06:37:00 +0900`
		b7242a	`Subject: [PATCH 03/21] bn: use BN_check_prime() in`
		b7242a	`OpenSSL::BN#prime{,_fasttest}?`
		b7242a
		b7242a	`BN_is_prime_ex() and BN_is_prime_fasttest_ex() are deprecated in OpenSSL`
		b7242a	`3.0. Instead, BN_check_prime() is added. This is equivalent to`
		b7242a	`BN_is_prime_fasttest_ex(bn, 0, bn_ctx, 1, cb), which is what`
		b7242a	`OpenSSL::BN#prime_fasttest? has called.`
		b7242a
		b7242a	`Let's make both OpenSSL::BN#prime? and #prime_fasttest? use`
		b7242a	`BN_check_prime() if available. Note that this implies that the`
		b7242a	`parameters of those two methods are now ignored, which could be used to`
		b7242a	`tune them to give up the test earlier.`
		b7242a	`---`
		b7242a	`ext/openssl/extconf.rb \| 1 +`
		b7242a	`ext/openssl/ossl_bn.c \| 71 +++++++++++++-----------------------------`
		b7242a	`2 files changed, 23 insertions(+), 49 deletions(-)`
		b7242a
		b7242a	`diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb`
		b7242a	`index 4b5ffd67..9fa092f5 100644`
		b7242a	`--- a/ext/openssl/extconf.rb`
		b7242a	`+++ b/ext/openssl/extconf.rb`
		b7242a	`@@ -179,6 +179,7 @@ def find_openssl_library`
		b7242a	`# added in 3.0.0`
		b7242a	`have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")`
		b7242a	`have_func("SSL_CTX_load_verify_file")`
		b7242a	`+have_func("BN_check_prime")`
		b7242a
		b7242a	`Logging::message "=== Checking done. ===\n"`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c`
		b7242a	`index 02530789..e0eef4cd 100644`
		b7242a	`--- a/ext/openssl/ossl_bn.c`
		b7242a	`+++ b/ext/openssl/ossl_bn.c`
		b7242a	`@@ -1058,34 +1058,29 @@ ossl_bn_hash(VALUE self)`
		b7242a	`* bn.prime? => true \| false`
		b7242a	`* bn.prime?(checks) => true \| false`
		b7242a	`*`
		b7242a	`- * Performs a Miller-Rabin probabilistic primality test with _checks_`
		b7242a	`- * iterations. If _checks_ is not specified, a number of iterations is used`
		b7242a	`- * that yields a false positive rate of at most 2^-80 for random input.`
		b7242a	`+ * Performs Miller-Rabin primality test for _bn_.`
		b7242a	`*`
		b7242a	`- * === Parameters`
		b7242a	`- * * _checks_ - integer`
		b7242a	`+ * As of Ruby/OpenSSL 2.3.0, the argument _checks_ is ignored.`
		b7242a	`*/`
		b7242a	`static VALUE`
		b7242a	`ossl_bn_is_prime(int argc, VALUE *argv, VALUE self)`
		b7242a	`{`
		b7242a	`BIGNUM *bn;`
		b7242a	`- VALUE vchecks;`
		b7242a	`- int checks = BN_prime_checks;`
		b7242a	`+ int ret;`
		b7242a
		b7242a	`- if (rb_scan_args(argc, argv, "01", &vchecks) == 1) {`
		b7242a	`- checks = NUM2INT(vchecks);`
		b7242a	`- }`
		b7242a	`+ rb_check_arity(argc, 0, 1);`
		b7242a	`GetBN(self, bn);`
		b7242a	`- switch (BN_is_prime_ex(bn, checks, ossl_bn_ctx, NULL)) {`
		b7242a	`- case 1:`
		b7242a	`- return Qtrue;`
		b7242a	`- case 0:`
		b7242a	`- return Qfalse;`
		b7242a	`- default:`
		b7242a	`- ossl_raise(eBNError, NULL);`
		b7242a	`- }`
		b7242a	`- /* not reachable */`
		b7242a	`- return Qnil;`
		b7242a	`+`
		b7242a	`+#if defined(HAVE_BN_CHECK_PRIME)`
		b7242a	`+ ret = BN_check_prime(bn, ossl_bn_ctx, NULL);`
		b7242a	`+ if (ret < 0)`
		b7242a	`+ ossl_raise(eBNError, "BN_check_prime");`
		b7242a	`+#else`
		b7242a	`+ ret = BN_is_prime_fasttest_ex(bn, BN_prime_checks, ossl_bn_ctx, 1, NULL);`
		b7242a	`+ if (ret < 0)`
		b7242a	`+ ossl_raise(eBNError, "BN_is_prime_fasttest_ex");`
		b7242a	`+#endif`
		b7242a	`+ return ret ? Qtrue : Qfalse;`
		b7242a	`}`
		b7242a
		b7242a	`/*`
		b7242a	`@@ -1094,40 +1089,18 @@ ossl_bn_is_prime(int argc, VALUE *argv, VALUE self)`
		b7242a	`* bn.prime_fasttest?(checks) => true \| false`
		b7242a	`* bn.prime_fasttest?(checks, trial_div) => true \| false`
		b7242a	`*`
		b7242a	`- * Performs a Miller-Rabin primality test. This is same as #prime? except this`
		b7242a	`- * first attempts trial divisions with some small primes.`
		b7242a	`+ * Performs Miller-Rabin primality test for _bn_. This is an alias of #prime?.`
		b7242a	`*`
		b7242a	`- * === Parameters`
		b7242a	`- * * _checks_ - integer`
		b7242a	`- * * _trial_div_ - boolean`
		b7242a	`+ * This method is deprecated. Use #prime? instead.`
		b7242a	`+ *`
		b7242a	`+ * As of Ruby/OpenSSL 2.3.0, the arguments _checks_ and _trial\_div_ are`
		b7242a	`+ * ignored.`
		b7242a	`*/`
		b7242a	`static VALUE`
		b7242a	`ossl_bn_is_prime_fasttest(int argc, VALUE *argv, VALUE self)`
		b7242a	`{`
		b7242a	`- BIGNUM *bn;`
		b7242a	`- VALUE vchecks, vtrivdiv;`
		b7242a	`- int checks = BN_prime_checks, do_trial_division = 1;`
		b7242a	`-`
		b7242a	`- rb_scan_args(argc, argv, "02", &vchecks, &vtrivdiv);`
		b7242a	`-`
		b7242a	`- if (!NIL_P(vchecks)) {`
		b7242a	`- checks = NUM2INT(vchecks);`
		b7242a	`- }`
		b7242a	`- GetBN(self, bn);`
		b7242a	`- /* handle true/false */`
		b7242a	`- if (vtrivdiv == Qfalse) {`
		b7242a	`- do_trial_division = 0;`
		b7242a	`- }`
		b7242a	`- switch (BN_is_prime_fasttest_ex(bn, checks, ossl_bn_ctx, do_trial_division, NULL)) {`
		b7242a	`- case 1:`
		b7242a	`- return Qtrue;`
		b7242a	`- case 0:`
		b7242a	`- return Qfalse;`
		b7242a	`- default:`
		b7242a	`- ossl_raise(eBNError, NULL);`
		b7242a	`- }`
		b7242a	`- /* not reachable */`
		b7242a	`- return Qnil;`
		b7242a	`+ rb_check_arity(argc, 0, 2);`
		b7242a	`+ return ossl_bn_is_prime(0, argv, self);`
		b7242a	`}`
		b7242a
		b7242a	`/*`
		b7242a
		b7242a	`From 1fdea13743e5ee70befdfc79f22473b88ffe2eef Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Sat, 22 Feb 2020 18:58:29 +0900`
		b7242a	`Subject: [PATCH 04/21] ossl.c: use ERR_get_error_all() if available`
		b7242a
		b7242a	`OpenSSL 3.0 deprecated ERR_get_error_line_data() in favor of`
		b7242a	`ERR_get_error_all(), as part of the error queue structure changes.`
		b7242a	`---`
		b7242a	`ext/openssl/extconf.rb \| 1 +`
		b7242a	`ext/openssl/ossl.c \| 40 +++++++++++++++++++++-------------------`
		b7242a	`2 files changed, 22 insertions(+), 19 deletions(-)`
		b7242a
		b7242a	`diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb`
		b7242a	`index 9fa092f5..14e599ca 100644`
		b7242a	`--- a/ext/openssl/extconf.rb`
		b7242a	`+++ b/ext/openssl/extconf.rb`
		b7242a	`@@ -180,6 +180,7 @@ def find_openssl_library`
		b7242a	`have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")`
		b7242a	`have_func("SSL_CTX_load_verify_file")`
		b7242a	`have_func("BN_check_prime")`
		b7242a	`+have_func("ERR_get_error_all")`
		b7242a
		b7242a	`Logging::message "=== Checking done. ===\n"`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c`
		b7242a	`index 358b3b29..a040deae 100644`
		b7242a	`--- a/ext/openssl/ossl.c`
		b7242a	`+++ b/ext/openssl/ossl.c`
		b7242a	`@@ -304,27 +304,29 @@ void`
		b7242a	`ossl_clear_error(void)`
		b7242a	`{`
		b7242a	`if (dOSSL == Qtrue) {`
		b7242a	`- unsigned long e;`
		b7242a	`- const char file, data, *errstr;`
		b7242a	`- int line, flags;`
		b7242a	`-`
		b7242a	`- while ((e = ERR_get_error_line_data(&file, &line, &data, &flags))) {`
		b7242a	`- errstr = ERR_error_string(e, NULL);`
		b7242a	`- if (!errstr)`
		b7242a	`- errstr = "(null)";`
		b7242a	`-`
		b7242a	`- if (flags & ERR_TXT_STRING) {`
		b7242a	`- if (!data)`
		b7242a	`- data = "(null)";`
		b7242a	`- rb_warn("error on stack: %s (%s)", errstr, data);`
		b7242a	`- }`
		b7242a	`- else {`
		b7242a	`- rb_warn("error on stack: %s", errstr);`
		b7242a	`- }`
		b7242a	`- }`
		b7242a	`+ unsigned long e;`
		b7242a	`+ const char file, data;`
		b7242a	`+ int line, flags;`
		b7242a	`+`
		b7242a	`+#if defined(HAVE_ERR_GET_ERROR_ALL)`
		b7242a	`+ const char *func;`
		b7242a	`+ while ((e = ERR_get_error_all(&file, &line, &func, &data, &flags))) {`
		b7242a	`+#else`
		b7242a	`+ while ((e = ERR_get_error_line_data(&file, &line, &data, &flags))) {`
		b7242a	`+ const char *func = ERR_func_error_string(e);`
		b7242a	`+#endif`
		b7242a	`+ const char *lib = ERR_lib_error_string(e),`
		b7242a	`+ *reason = ERR_reason_error_string(e);`
		b7242a	`+ char append[256] = "";`
		b7242a	`+`
		b7242a	`+ if (flags & ERR_TXT_STRING && data && strlen(data))`
		b7242a	`+ snprintf(append, sizeof(append), " (%s)", data);`
		b7242a	`+ rb_warn("error on stack: error:%08lX:%s:%s:%s%s", e, lib ? lib : "",`
		b7242a	`+ func ? func : "", reason ? reason : "", append);`
		b7242a	`+ }`
		b7242a	`}`
		b7242a	`else {`
		b7242a	`- ERR_clear_error();`
		b7242a	`+ ERR_clear_error();`
		b7242a	`}`
		b7242a	`}`
		b7242a
		b7242a
		b7242a	`From ce0bf33dd0c5a2ba3d445ccf00175db91d78b5a7 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Sun, 17 May 2020 18:25:38 +0900`
		b7242a	`Subject: [PATCH 05/21] pkey: implement #to_text using EVP API`
		b7242a
		b7242a	`Use EVP_PKEY_print_private() instead of the low level *_print()`
		b7242a	`functions. Those low level functions are deprecated in OpenSSL 3.0.`
		b7242a
		b7242a	`Note that it falls back to EVP_PKEY_print_public() and`
		b7242a	`EVP_PKEY_print_params() as necessary. This is required for EVP_PKEY_DH`
		b7242a	`type - _private() fails if the private component is not set.`
		b7242a
		b7242a	`Since the new API works in the same way for all key types, we now`
		b7242a	`implement #to_text in the base class OpenSSL::PKey::PKey rather than in`
		b7242a	`each subclass.`
		b7242a	`---`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c`
		b7242a	`index 0540cd2..e02c84b 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey.c`
		b7242a	`@@ -349,6 +349,42 @@ ossl_pkey_inspect(VALUE self)`
		b7242a	`OBJ_nid2sn(nid));`
		b7242a	`}`
		b7242a
		b7242a	`+/*`
		b7242a	`+ * call-seq:`
		b7242a	`+ * pkey.to_text -> string`
		b7242a	`+ *`
		b7242a	`+ * THIS METHOD IS INSECURE, PRIVATE INFORMATION CAN LEAK OUT!!!`
		b7242a	`+ *`
		b7242a	`+ * Dumps all private, public, and parameter components of the key to a String`
		b7242a	`+ * in a human readable format.`
		b7242a	`+ */`
		b7242a	`+static VALUE`
		b7242a	`+ossl_pkey_to_text(VALUE self)`
		b7242a	`+{`
		b7242a	`+ EVP_PKEY *pkey;`
		b7242a	`+ BIO *bio;`
		b7242a	`+`
		b7242a	`+ GetPKey(self, pkey);`
		b7242a	`+ if (!(bio = BIO_new(BIO_s_mem())))`
		b7242a	`+ ossl_raise(ePKeyError, "BIO_new");`
		b7242a	`+`
		b7242a	`+ if (EVP_PKEY_print_private(bio, pkey, 0, NULL) == 1)`
		b7242a	`+ goto out;`
		b7242a	`+ OSSL_BIO_reset(bio);`
		b7242a	`+ if (EVP_PKEY_print_public(bio, pkey, 0, NULL) == 1)`
		b7242a	`+ goto out;`
		b7242a	`+ OSSL_BIO_reset(bio);`
		b7242a	`+ if (EVP_PKEY_print_params(bio, pkey, 0, NULL) == 1)`
		b7242a	`+ goto out;`
		b7242a	`+`
		b7242a	`+ BIO_free(bio);`
		b7242a	`+ ossl_raise(ePKeyError, "EVP_PKEY_print_params");`
		b7242a	`+`
		b7242a	`+ out:`
		b7242a	`+ return ossl_membio2str(bio);`
		b7242a	`+}`
		b7242a	`+`
		b7242a	`+`
		b7242a	`static VALUE`
		b7242a	`do_pkcs8_export(int argc, VALUE *argv, VALUE self, int to_der)`
		b7242a	`{`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c`
		b7242a	`index 6b477b07..acd3bf47 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_dh.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_dh.c`
		b7242a	`@@ -403,34 +403,6 @@ ossl_dh_get_params(VALUE self)`
		b7242a	`return hash;`
		b7242a	`}`
		b7242a
		b7242a	`-/*`
		b7242a	`- * call-seq:`
		b7242a	`- * dh.to_text -> aString`
		b7242a	`- *`
		b7242a	`- * Prints all parameters of key to buffer`
		b7242a	`- * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!`
		b7242a	`- * Don't use :-)) (I's up to you)`
		b7242a	`- */`
		b7242a	`-static VALUE`
		b7242a	`-ossl_dh_to_text(VALUE self)`
		b7242a	`-{`
		b7242a	`- DH *dh;`
		b7242a	`- BIO *out;`
		b7242a	`- VALUE str;`
		b7242a	`-`
		b7242a	`- GetDH(self, dh);`
		b7242a	`- if (!(out = BIO_new(BIO_s_mem()))) {`
		b7242a	`- ossl_raise(eDHError, NULL);`
		b7242a	`- }`
		b7242a	`- if (!DHparams_print(out, dh)) {`
		b7242a	`- BIO_free(out);`
		b7242a	`- ossl_raise(eDHError, NULL);`
		b7242a	`- }`
		b7242a	`- str = ossl_membio2str(out);`
		b7242a	`-`
		b7242a	`- return str;`
		b7242a	`-}`
		b7242a	`-`
		b7242a	`/*`
		b7242a	`* call-seq:`
		b7242a	`* dh.public_key -> aDH`
		b7242a	`@@ -621,7 +593,6 @@ Init_ossl_dh(void)`
		b7242a	`rb_define_method(cDH, "initialize_copy", ossl_dh_initialize_copy, 1);`
		b7242a	`rb_define_method(cDH, "public?", ossl_dh_is_public, 0);`
		b7242a	`rb_define_method(cDH, "private?", ossl_dh_is_private, 0);`
		b7242a	`- rb_define_method(cDH, "to_text", ossl_dh_to_text, 0);`
		b7242a	`rb_define_method(cDH, "export", ossl_dh_export, 0);`
		b7242a	`rb_define_alias(cDH, "to_pem", "export");`
		b7242a	`rb_define_alias(cDH, "to_s", "export");`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`index c2b68c32..640a243d 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`@@ -433,34 +433,6 @@ ossl_dsa_get_params(VALUE self)`
		b7242a	`return hash;`
		b7242a	`}`
		b7242a
		b7242a	`-/*`
		b7242a	`- * call-seq:`
		b7242a	`- * dsa.to_text -> aString`
		b7242a	`- *`
		b7242a	`- * Prints all parameters of key to buffer`
		b7242a	`- * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!`
		b7242a	`- * Don't use :-)) (I's up to you)`
		b7242a	`- */`
		b7242a	`-static VALUE`
		b7242a	`-ossl_dsa_to_text(VALUE self)`
		b7242a	`-{`
		b7242a	`- DSA *dsa;`
		b7242a	`- BIO *out;`
		b7242a	`- VALUE str;`
		b7242a	`-`
		b7242a	`- GetDSA(self, dsa);`
		b7242a	`- if (!(out = BIO_new(BIO_s_mem()))) {`
		b7242a	`- ossl_raise(eDSAError, NULL);`
		b7242a	`- }`
		b7242a	`- if (!DSA_print(out, dsa, 0)) { /* offset = 0 */`
		b7242a	`- BIO_free(out);`
		b7242a	`- ossl_raise(eDSAError, NULL);`
		b7242a	`- }`
		b7242a	`- str = ossl_membio2str(out);`
		b7242a	`-`
		b7242a	`- return str;`
		b7242a	`-}`
		b7242a	`-`
		b7242a	`/*`
		b7242a	`* call-seq:`
		b7242a	`* dsa.public_key -> aDSA`
		b7242a	`@@ -636,7 +608,6 @@ Init_ossl_dsa(void)`
		b7242a
		b7242a	`rb_define_method(cDSA, "public?", ossl_dsa_is_public, 0);`
		b7242a	`rb_define_method(cDSA, "private?", ossl_dsa_is_private, 0);`
		b7242a	`- rb_define_method(cDSA, "to_text", ossl_dsa_to_text, 0);`
		b7242a	`rb_define_method(cDSA, "export", ossl_dsa_export, -1);`
		b7242a	`rb_define_alias(cDSA, "to_pem", "export");`
		b7242a	`rb_define_alias(cDSA, "to_s", "export");`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c`
		b7242a	`index 511e728..aa59c68 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_ec.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_ec.c`
		b7242a	`@@ -506,31 +506,6 @@ static VALUE ossl_ec_key_to_der(VALUE self)`
		b7242a	`return ossl_ec_key_to_string(self, Qnil, Qnil, EXPORT_DER);`
		b7242a	`}`
		b7242a
		b7242a	`-/*`
		b7242a	`- * call-seq:`
		b7242a	`- * key.to_text => String`
		b7242a	`- *`
		b7242a	`- * See the OpenSSL documentation for EC_KEY_print()`
		b7242a	`- */`
		b7242a	`-static VALUE ossl_ec_key_to_text(VALUE self)`
		b7242a	`-{`
		b7242a	`- EC_KEY *ec;`
		b7242a	`- BIO *out;`
		b7242a	`- VALUE str;`
		b7242a	`-`
		b7242a	`- GetEC(self, ec);`
		b7242a	`- if (!(out = BIO_new(BIO_s_mem()))) {`
		b7242a	`- ossl_raise(eECError, "BIO_new(BIO_s_mem())");`
		b7242a	`- }`
		b7242a	`- if (!EC_KEY_print(out, ec, 0)) {`
		b7242a	`- BIO_free(out);`
		b7242a	`- ossl_raise(eECError, "EC_KEY_print");`
		b7242a	`- }`
		b7242a	`- str = ossl_membio2str(out);`
		b7242a	`-`
		b7242a	`- return str;`
		b7242a	`-}`
		b7242a	`-`
		b7242a	`/*`
		b7242a	`* call-seq:`
		b7242a	`* key.generate_key! => self`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c`
		b7242a	`index aa59c68..1689200 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_ec.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_ec.c`
		b7242a	`@@ -1728,8 +1728,6 @@ void Init_ossl_ec(void)`
		b7242a	`rb_define_method(cEC, "export", ossl_ec_key_export, -1);`
		b7242a	`rb_define_alias(cEC, "to_pem", "export");`
		b7242a	`rb_define_method(cEC, "to_der", ossl_ec_key_to_der, 0);`
		b7242a	`- rb_define_method(cEC, "to_text", ossl_ec_key_to_text, 0);`
		b7242a	`-`
		b7242a
		b7242a	`rb_define_alloc_func(cEC_GROUP, ossl_ec_group_alloc);`
		b7242a	`rb_define_method(cEC_GROUP, "initialize", ossl_ec_group_initialize, -1);`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`index 6d337fe7..a522b819 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`@@ -772,36 +772,6 @@ ossl_rsa_get_params(VALUE self)`
		b7242a	`return hash;`
		b7242a	`}`
		b7242a
		b7242a	`-/*`
		b7242a	`- * call-seq:`
		b7242a	`- * rsa.to_text => String`
		b7242a	`- *`
		b7242a	`- * THIS METHOD IS INSECURE, PRIVATE INFORMATION CAN LEAK OUT!!!`
		b7242a	`- *`
		b7242a	`- * Dumps all parameters of a keypair to a String`
		b7242a	`- *`
		b7242a	`- * Don't use :-)) (It's up to you)`
		b7242a	`- */`
		b7242a	`-static VALUE`
		b7242a	`-ossl_rsa_to_text(VALUE self)`
		b7242a	`-{`
		b7242a	`- RSA *rsa;`
		b7242a	`- BIO *out;`
		b7242a	`- VALUE str;`
		b7242a	`-`
		b7242a	`- GetRSA(self, rsa);`
		b7242a	`- if (!(out = BIO_new(BIO_s_mem()))) {`
		b7242a	`- ossl_raise(eRSAError, NULL);`
		b7242a	`- }`
		b7242a	`- if (!RSA_print(out, rsa, 0)) { /* offset = 0 */`
		b7242a	`- BIO_free(out);`
		b7242a	`- ossl_raise(eRSAError, NULL);`
		b7242a	`- }`
		b7242a	`- str = ossl_membio2str(out);`
		b7242a	`-`
		b7242a	`- return str;`
		b7242a	`-}`
		b7242a	`-`
		b7242a	`/*`
		b7242a	`* call-seq:`
		b7242a	`* rsa.public_key -> RSA`
		b7242a	`@@ -921,7 +891,6 @@ Init_ossl_rsa(void)`
		b7242a
		b7242a	`rb_define_method(cRSA, "public?", ossl_rsa_is_public, 0);`
		b7242a	`rb_define_method(cRSA, "private?", ossl_rsa_is_private, 0);`
		b7242a	`- rb_define_method(cRSA, "to_text", ossl_rsa_to_text, 0);`
		b7242a	`rb_define_method(cRSA, "export", ossl_rsa_export, -1);`
		b7242a	`rb_define_alias(cRSA, "to_pem", "export");`
		b7242a	`rb_define_alias(cRSA, "to_s", "export");`
		b7242a
		b7242a	`From 73116c78c715a7277cbace7d8595c823d5ef1934 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Pavel Valena <pvalena@redhat.com>`
		b7242a	`Date: Thu, 20 May 2021 19:10:20 +0200`
		b7242a	`Subject: [PATCH] Compatibiblity with gem version 2.2.0`
		b7242a
		b7242a	`---`
		b7242a	`ext/openssl/ossl_pkey_rsa.c \| 1 -`
		b7242a	`1 file changed, 1 deletion(-)`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`index a928e92..6a57238 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`@@ -918,7 +918,6 @@ Init_ossl_rsa(void)`
		b7242a	`rb_define_method(cRSA, "params", ossl_rsa_get_params, 0);`
		b7242a
		b7242a	`DefRSAConst(PKCS1_PADDING);`
		b7242a	`- DefRSAConst(SSLV23_PADDING);`
		b7242a	`DefRSAConst(NO_PADDING);`
		b7242a	`DefRSAConst(PKCS1_OAEP_PADDING);`
		b7242a
		b7242a	`--`
		b7242a	`2.31.1`
		b7242a
		b7242a	`From b2e3ddab1c5dcda2003bfa9c06c424ac74e3e198 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Sun, 17 May 2020 21:29:48 +0900`
		b7242a	`Subject: [PATCH 06/21] [WIP] pkey: try to parse algorithm-specific formats`
		b7242a	`first`
		b7242a
		b7242a	`FIXME: NON-RSA NEEDS THIS TOO`
		b7242a
		b7242a	`RSAPublicKey and DHParameters share the same structure: two INTEGERs in`
		b7242a	`a SEQUENCE. When parsing a DER- encoded data they are indistinguishable.`
		b7242a
		b7242a	`With OpenSSL 3.0, OpenSSL::PKey.read will parse DER-encoded`
		b7242a	`DHParameters. However, OpenSSL::PKey::RSA.new naturally wants the data`
		b7242a	`to be parsed as RSAPublicKey instead when such a structure is given.`
		b7242a
		b7242a	`So, try PEM_read_bio_RSAPublicKey() and d2i_RSAPublicKey_bio() before`
		b7242a	`falling back to ossl_pkey_read_generic().`
		b7242a	`---`
		b7242a	`ext/openssl/ossl_pkey_dsa.c \| 27 +++++++++++++--------------`
		b7242a	`ext/openssl/ossl_pkey_rsa.c \| 32 ++++++++++++++++----------------`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c`
		b7242a	`index 29df5b3..60ded1c 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_dh.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_dh.c`
		b7242a	`@@ -202,7 +202,7 @@ ossl_dh_s_generate(int argc, VALUE *argv, VALUE klass)`
		b7242a	`static VALUE`
		b7242a	`ossl_dh_initialize(int argc, VALUE *argv, VALUE self)`
		b7242a	`{`
		b7242a	`- EVP_PKEY *pkey;`
		b7242a	`+ EVP_PKEY pkey, tmp;`
		b7242a	`DH *dh;`
		b7242a	`int g = 2;`
		b7242a	`BIO *in;`
		b7242a	`@@ -221,14 +221,22 @@ ossl_dh_initialize(int argc, VALUE *argv, VALUE self)`
		b7242a	`}`
		b7242a	`}`
		b7242a	`else {`
		b7242a	`- arg = ossl_to_der_if_possible(arg);`
		b7242a	`- in = ossl_obj2bio(&arg;;`
		b7242a	`- dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);`
		b7242a	`- if (!dh){`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- dh = d2i_DHparams_bio(in, NULL);`
		b7242a	`- }`
		b7242a	`- BIO_free(in);`
		b7242a	`+ arg = ossl_to_der_if_possible(arg);`
		b7242a	`+ in = ossl_obj2bio(&arg;;`
		b7242a	`+`
		b7242a	`+ dh = d2i_DHparams_bio(in, NULL);`
		b7242a	`+ if (!dh) {`
		b7242a	`+ OSSL_BIO_reset(in);`
		b7242a	`+ tmp = ossl_pkey_read_generic(in, Qnil);`
		b7242a	`+ if (tmp) {`
		b7242a	`+ if (EVP_PKEY_base_id(tmp) != EVP_PKEY_DH)`
		b7242a	`+ rb_raise(eDHError, "incorrect pkey type: %s",`
		b7242a	`+ OBJ_nid2sn(EVP_PKEY_base_id(tmp)));`
		b7242a	`+ dh = EVP_PKEY_get1_DH(tmp);`
		b7242a	`+ EVP_PKEY_free(tmp);`
		b7242a	`+ }`
		b7242a	`+ }`
		b7242a	`+ BIO_free(in);`
		b7242a	`if (!dh) {`
		b7242a	`ossl_raise(eDHError, NULL);`
		b7242a	`}`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`index e5a1f04..da58717 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`@@ -212,7 +212,7 @@ ossl_dsa_s_generate(VALUE klass, VALUE size)`
		b7242a	`static VALUE`
		b7242a	`ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)`
		b7242a	`{`
		b7242a	`- EVP_PKEY *pkey;`
		b7242a	`+ EVP_PKEY pkey, tmp;`
		b7242a	`DSA *dsa = NULL;`
		b7242a	`BIO *in;`
		b7242a	`VALUE arg, pass;`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`index b19441c..804b652 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_dsa.c`
		b7242a	`@@ -231,25 +231,20 @@ ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)`
		b7242a	`pass = ossl_pem_passwd_value(pass);`
		b7242a	`arg = ossl_to_der_if_possible(arg);`
		b7242a	`in = ossl_obj2bio(&arg;;`
		b7242a	`- if (!dsa) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- dsa = PEM_read_bio_DSA_PUBKEY(in, NULL, NULL, NULL);`
		b7242a	`- }`
		b7242a	`- if (!dsa) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- dsa = d2i_DSAPrivateKey_bio(in, NULL);`
		b7242a	`- }`
		b7242a	`- if (!dsa) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- dsa = d2i_DSA_PUBKEY_bio(in, NULL);`
		b7242a	`- }`
		b7242a	`- if (!dsa) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`-#define PEM_read_bio_DSAPublicKey(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \`
		b7242a	`- (d2i_of_void )d2i_DSAPublicKey, PEM_STRING_DSA_PUBLIC, (bp), (void *)(x), (cb), (u))`
		b7242a	`- dsa = PEM_read_bio_DSAPublicKey(in, NULL, NULL, NULL);`
		b7242a	`-#undef PEM_read_bio_DSAPublicKey`
		b7242a	`- }`
		b7242a	`+ dsa = (DSA )PEM_ASN1_read_bio((d2i_of_void )d2i_DSAPublicKey,`
		b7242a	`+ PEM_STRING_DSA_PUBLIC, in,`
		b7242a	`+ NULL, NULL, NULL);`
		b7242a	`+ if (!dsa) {`
		b7242a	`+ OSSL_BIO_reset(in);`
		b7242a	`+ tmp = ossl_pkey_read_generic(in, pass);`
		b7242a	`+ if (tmp) {`
		b7242a	`+ if (EVP_PKEY_base_id(tmp) != EVP_PKEY_DSA)`
		b7242a	`+ rb_raise(eDSAError, "incorrect pkey type: %s",`
		b7242a	`+ OBJ_nid2sn(EVP_PKEY_base_id(tmp)));`
		b7242a	`+ dsa = EVP_PKEY_get1_DSA(tmp);`
		b7242a	`+ EVP_PKEY_free(tmp);`
		b7242a	`+ }`
		b7242a	`+ }`
		b7242a	`BIO_free(in);`
		b7242a	`if (!dsa) {`
		b7242a	`ossl_clear_error();`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`index 1a82f22..a928e92 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_rsa.c`
		b7242a	`@@ -220,7 +220,7 @@ ossl_rsa_s_generate(int argc, VALUE *argv, VALUE klass)`
		b7242a	`static VALUE`
		b7242a	`ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)`
		b7242a	`{`
		b7242a	`- EVP_PKEY *pkey;`
		b7242a	`+ EVP_PKEY pkey, tmp;`
		b7242a	`RSA *rsa;`
		b7242a	`BIO *in;`
		b7242a	`VALUE arg, pass;`
		b7242a	`@@ -238,28 +238,24 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)`
		b7242a	`pass = ossl_pem_passwd_value(pass);`
		b7242a	`arg = ossl_to_der_if_possible(arg);`
		b7242a	`in = ossl_obj2bio(&arg;;`
		b7242a	`- rsa = PEM_read_bio_RSAPrivateKey(in, NULL, ossl_pem_passwd_cb, (void *)pass);`
		b7242a	`- if (!rsa) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- rsa = PEM_read_bio_RSA_PUBKEY(in, NULL, NULL, NULL);`
		b7242a	`- }`
		b7242a	`- if (!rsa) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- rsa = d2i_RSAPrivateKey_bio(in, NULL);`
		b7242a	`- }`
		b7242a	`- if (!rsa) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- rsa = d2i_RSA_PUBKEY_bio(in, NULL);`
		b7242a	`- }`
		b7242a	`- if (!rsa) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL);`
		b7242a	`- }`
		b7242a	`- if (!rsa) {`
		b7242a	`- OSSL_BIO_reset(in);`
		b7242a	`- rsa = d2i_RSAPublicKey_bio(in, NULL);`
		b7242a	`- }`
		b7242a	`- BIO_free(in);`
		b7242a	`+`
		b7242a	`+ rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL);`
		b7242a	`+ if (!rsa) {`
		b7242a	`+ OSSL_BIO_reset(in);`
		b7242a	`+ rsa = d2i_RSAPublicKey_bio(in, NULL);`
		b7242a	`+ }`
		b7242a	`+ if (!rsa) {`
		b7242a	`+ OSSL_BIO_reset(in);`
		b7242a	`+ tmp = ossl_pkey_read_generic(in, pass);`
		b7242a	`+ if (tmp) {`
		b7242a	`+ if (EVP_PKEY_base_id(tmp) != EVP_PKEY_RSA)`
		b7242a	`+ rb_raise(eRSAError, "incorrect pkey type: %s",`
		b7242a	`+ OBJ_nid2sn(EVP_PKEY_base_id(tmp)));`
		b7242a	`+ rsa = EVP_PKEY_get1_RSA(tmp);`
		b7242a	`+ EVP_PKEY_free(tmp);`
		b7242a	`+ }`
		b7242a	`+ }`
		b7242a	`+ BIO_free(in);`
		b7242a	`if (!rsa) {`
		b7242a	`ossl_raise(eRSAError, "Neither PUB key nor PRIV key");`
		b7242a	`}`
		b7242a
		b7242a	`From 9f81a082e9aea407f722388397fd87ca75712ff1 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Tue, 30 Jun 2020 16:12:14 +0900`
		b7242a	`Subject: [PATCH 07/21] pkey/ec: deprecate PKey::EC::Point#make_affine! and`
		b7242a	`make it no-op`
		b7242a
		b7242a	`It forces the internal representation of the point object to the affine`
		b7242a	`coordinate system. However, as the difference of the internal`
		b7242a	`representation is not visible from Ruby/OpenSSL at all, it had no real`
		b7242a	`use case.`
		b7242a
		b7242a	`EC_POINT_make_affine() is marked as deprecated in OpenSSL 3.0.`
		b7242a	`---`
		b7242a	`ext/openssl/ossl_pkey_ec.c \| 6 ++++++`
		b7242a	`1 file changed, 6 insertions(+)`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c`
		b7242a	`index c3ed21e0..4ab872ee 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_ec.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_ec.c`
		b7242a	`@@ -1443,6 +1443,8 @@ static VALUE ossl_ec_point_is_on_curve(VALUE self)`
		b7242a	`/*`
		b7242a	`* call-seq:`
		b7242a	`* point.make_affine! => self`
		b7242a	`+ *`
		b7242a	`+ * This method is deprecated and should not be used.`
		b7242a	`*/`
		b7242a	`static VALUE ossl_ec_point_make_affine(VALUE self)`
		b7242a	`{`
		b7242a	`@@ -1452,8 +1454,12 @@ static VALUE ossl_ec_point_make_affine(VALUE self)`
		b7242a	`GetECPoint(self, point);`
		b7242a	`GetECPointGroup(self, group);`
		b7242a
		b7242a	`+ rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated; " \`
		b7242a	`+ "the conversion is automatically performed when necessary");`
		b7242a	`+#if !(OPENSSL_VERSION_MAJOR+0 >= 3)`
		b7242a	`if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1)`
		b7242a	`ossl_raise(cEC_POINT, "EC_POINT_make_affine");`
		b7242a	`+#endif`
		b7242a
		b7242a	`return self;`
		b7242a	`}`
		b7242a
		b7242a	`From 9b2009868c523c02a4d695afcaaedad61f9eaba9 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Sat, 22 Feb 2020 05:52:01 +0900`
		b7242a	`Subject: [PATCH 08/21] pkey/ec: use EC_GROUP_free() instead of`
		b7242a	`EC_GROUP_clear_free()`
		b7242a
		b7242a	`EC_GROUP_clear_free() is deprecated in OpenSSL 3.0.`
		b7242a
		b7242a	`The EC_GROUP does not include any sensitive data, so we can safely use`
		b7242a	`EC_GROUP_free() instead.`
		b7242a	`---`
		b7242a	`ext/openssl/ossl_pkey_ec.c \| 2 +-`
		b7242a	`1 file changed, 1 insertion(+), 1 deletion(-)`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c`
		b7242a	`index 4ab872ee..e4e4141c 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_ec.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_ec.c`
		b7242a	`@@ -638,7 +638,7 @@ static VALUE ossl_ec_key_check_key(VALUE self)`
		b7242a	`static void`
		b7242a	`ossl_ec_group_free(void *ptr)`
		b7242a	`{`
		b7242a	`- EC_GROUP_clear_free(ptr);`
		b7242a	`+ EC_GROUP_free(ptr);`
		b7242a	`}`
		b7242a
		b7242a	`static const rb_data_type_t ossl_ec_group_type = {`
		b7242a
		b7242a	`From 92a5cdd545d32cd66c61614c5975afac620de5f9 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Fri, 10 Jul 2020 14:34:51 +0900`
		b7242a	`Subject: [PATCH 09/21] pkey/dh: let PKey::DH#params_ok? use`
		b7242a	`EVP_PKEY_param_check()`
		b7242a
		b7242a	`Use EVP_PKEY_param_check() instead of DH_check() if available. It is`
		b7242a	`part of the EVP API and is preferred over the lower level API.`
		b7242a
		b7242a	`EVP_PKEY_param_check() was added by OpenSSL 1.1.1. It is currently not`
		b7242a	`provided by LibreSSL.`
		b7242a	`---`
		b7242a	`ext/openssl/extconf.rb \| 3 +++`
		b7242a	`ext/openssl/ossl_pkey_dh.c \| 27 +++++++++++++++++++++++----`
		b7242a
		b7242a	`diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb`
		b7242a	`index 14e599ca..e5b0fb65 100644`
		b7242a	`--- a/ext/openssl/extconf.rb`
		b7242a	`+++ b/ext/openssl/extconf.rb`
		b7242a	`@@ -176,6 +176,9 @@ def find_openssl_library`
		b7242a	`have_func("EVP_PBE_scrypt")`
		b7242a	`have_func("SSL_CTX_set_post_handshake_auth")`
		b7242a
		b7242a	`+# added in 1.1.1`
		b7242a	`+have_func("EVP_PKEY_param_check")`
		b7242a	`+`
		b7242a	`# added in 3.0.0`
		b7242a	`have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")`
		b7242a	`have_func("SSL_CTX_load_verify_file")`
		b7242a	`diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c`
		b7242a	`index 458721e2..a3628572 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey_dh.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey_dh.c`
		b7242a	`@@ -456,19 +456,38 @@ ossl_dh_to_public_key(VALUE self)`
		b7242a	`* Validates the Diffie-Hellman parameters associated with this instance.`
		b7242a	`* It checks whether a safe prime and a suitable generator are used. If this`
		b7242a	`* is not the case, +false+ is returned.`
		b7242a	`+ *`
		b7242a	`+ * See also the man page EVP_PKEY_param_check(3).`
		b7242a	`*/`
		b7242a	`static VALUE`
		b7242a	`ossl_dh_check_params(VALUE self)`
		b7242a	`{`
		b7242a	`+ int ret;`
		b7242a	`+#ifdef HAVE_EVP_PKEY_PARAM_CHECK`
		b7242a	`+ EVP_PKEY *pkey;`
		b7242a	`+ EVP_PKEY_CTX *pctx;`
		b7242a	`+`
		b7242a	`+ GetPKey(self, pkey);`
		b7242a	`+ pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);`
		b7242a	`+ if (!pctx)`
		b7242a	`+ ossl_raise(eDHError, "EVP_PKEY_CTX_new");`
		b7242a	`+ ret = EVP_PKEY_param_check(pctx);`
		b7242a	`+ EVP_PKEY_CTX_free(pctx);`
		b7242a	`+#else`
		b7242a	`DH *dh;`
		b7242a	`int codes;`
		b7242a
		b7242a	`GetDH(self, dh);`
		b7242a	`- if (!DH_check(dh, &codes)) {`
		b7242a	`- return Qfalse;`
		b7242a	`- }`
		b7242a	`+ ret = DH_check(dh, &codes) == 1 && codes == 0;`
		b7242a	`+#endif`
		b7242a
		b7242a	`- return codes == 0 ? Qtrue : Qfalse;`
		b7242a	`+ if (ret == 1)`
		b7242a	`+ return Qtrue;`
		b7242a	`+ else {`
		b7242a	`+ /* DH_check_ex() will put error entry on failure */`
		b7242a	`+ ossl_clear_error();`
		b7242a	`+ return Qfalse;`
		b7242a	`+ }`
		b7242a	`}`
		b7242a
		b7242a	`/*`
		b7242a	`diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb`
		b7242a	`index fd2c7a6..21a6dbc 100644`
		b7242a	`--- a/test/openssl/test_pkey_dh.rb`
		b7242a	`+++ b/test/openssl/test_pkey_dh.rb`
		b7242a	`@@ -64,6 +64,14 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase`
		b7242a	`assert_equal(dh.compute_key(dh2.pub_key), dh2.compute_key(dh.pub_key))`
		b7242a	`end`
		b7242a
		b7242a	`+ def test_params_ok?`
		b7242a	`+ dh1 = Fixtures.pkey("dh1024")`
		b7242a	`+ assert_equal(true, dh1.params_ok?)`
		b7242a	`+`
		b7242a	`+ dh2 = Fixtures.pkey("dh1024").tap { \|p\| p.set_pqg(p.p + 1, p.q, p.g) }`
		b7242a	`+ assert_equal(false, dh2.params_ok?)`
		b7242a	`+ end`
		b7242a	`+`
		b7242a	`def test_dup`
		b7242a	`dh = OpenSSL::PKey::DH.new(NEW_KEYLEN)`
		b7242a	`dh2 = dh.dup`
		b7242a
		b7242a	`From af7aba5955685987409298e7b351d1dc7588b24e Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Mon, 18 May 2020 02:17:28 +0900`
		b7242a	`Subject: [PATCH 10/21] test/openssl/test_digest: do not test constants for`
		b7242a	`legacy algorithms`
		b7242a
		b7242a	`Do not test availability of MD4 and RIPEMD160 as they are considered`
		b7242a	`legacy and can be missing. OpenSSL 3.0 by default does not enable it.`
		b7242a	`---`
		b7242a	`test/openssl/test_digest.rb \| 2 +-`
		b7242a	`1 file changed, 1 insertion(+), 1 deletion(-)`
		b7242a
		b7242a	`diff --git a/test/openssl/test_digest.rb b/test/openssl/test_digest.rb`
		b7242a	`index 8d7046e8..84c128c1 100644`
		b7242a	`--- a/test/openssl/test_digest.rb`
		b7242a	`+++ b/test/openssl/test_digest.rb`
		b7242a	`@@ -54,7 +54,7 @@ def test_reset`
		b7242a	`end`
		b7242a
		b7242a	`def test_digest_constants`
		b7242a	`- %w{MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512}.each do \|name\|`
		b7242a	`+ %w{MD5 SHA1 SHA224 SHA256 SHA384 SHA512}.each do \|name\|`
		b7242a	`assert_not_nil(OpenSSL::Digest.new(name))`
		b7242a	`klass = OpenSSL::Digest.const_get(name.tr('-', '_'))`
		b7242a	`assert_not_nil(klass.new)`
		b7242a
		b7242a	`From 5b7a1bd78278d6f0527501e34b6453fa004aa281 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Fri, 10 Jul 2020 13:56:38 +0900`
		b7242a	`Subject: [PATCH 11/21] test/openssl/test_ssl: relax regex to match OpenSSL's`
		b7242a	`error message`
		b7242a
		b7242a	`OpenSSL 3.0 has slightly changed the error message for a certificate`
		b7242a	`verification failure when an untrusted self-signed certificate is found.`
		b7242a	`---`
		b7242a	`test/openssl/test_ssl.rb \| 4 +++-`
		b7242a	`1 file changed, 3 insertions(+), 1 deletion(-)`
		b7242a
		b7242a	`diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb`
		b7242a	`index f24aabe7..6c9547dc 100644`
		b7242a	`--- a/test/openssl/test_ssl.rb`
		b7242a	`+++ b/test/openssl/test_ssl.rb`
		b7242a	`@@ -955,7 +955,9 @@ def test_connect_certificate_verify_failed_exception_message`
		b7242a	`start_server(ignore_listener_error: true) { \|port\|`
		b7242a	`ctx = OpenSSL::SSL::SSLContext.new`
		b7242a	`ctx.set_params`
		b7242a	`- assert_raise_with_message(OpenSSL::SSL::SSLError, /self signed/) {`
		b7242a	`+ # OpenSSL <= 1.1.0: "self signed certificate in certificate chain"`
		b7242a	`+ # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain"`
		b7242a	`+ assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) {`
		b7242a	`server_connect(port, ctx)`
		b7242a	`}`
		b7242a	`}`
		b7242a
		b7242a	`From 9b5d8f9698c2cf5c6ac28d3ccf51557a7cd6aa56 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Fri, 10 Jul 2020 14:06:04 +0900`
		b7242a	`Subject: [PATCH 12/21] test/openssl/test_engine: relax assertions for the`
		b7242a	`number of engines`
		b7242a
		b7242a	`It seems loading a specific engine with ENGINE_by_id() can load another`
		b7242a	`engine too. Just check that OpenSSL::Engine.load call increases the`
		b7242a	`counter for the engines which are currently loaded.`
		b7242a	`---`
		b7242a	`test/openssl/test_engine.rb \| 4 ++--`
		b7242a	`1 file changed, 2 insertions(+), 2 deletions(-)`
		b7242a
		b7242a	`diff --git a/test/openssl/test_engine.rb b/test/openssl/test_engine.rb`
		b7242a	`index 1ede6ed0..3caf1fb8 100644`
		b7242a	`--- a/test/openssl/test_engine.rb`
		b7242a	`+++ b/test/openssl/test_engine.rb`
		b7242a	`@@ -18,7 +18,7 @@ def test_openssl_engine_builtin`
		b7242a	`pend "'openssl' is already loaded" if orig.any? { \|e\| e.id == "openssl" }`
		b7242a	`engine = OpenSSL::Engine.load("openssl")`
		b7242a	`assert_equal(true, engine)`
		b7242a	`- assert_equal(1, OpenSSL::Engine.engines.size - orig.size)`
		b7242a	`+ assert_operator(OpenSSL::Engine.engines.size, :>, orig.size)`
		b7242a	`end;`
		b7242a	`end`
		b7242a
		b7242a	`@@ -28,7 +28,7 @@ def test_openssl_engine_by_id_string`
		b7242a	`pend "'openssl' is already loaded" if orig.any? { \|e\| e.id == "openssl" }`
		b7242a	`engine = get_engine`
		b7242a	`assert_not_nil(engine)`
		b7242a	`- assert_equal(1, OpenSSL::Engine.engines.size - orig.size)`
		b7242a	`+ assert_operator(OpenSSL::Engine.engines.size, :>, orig.size)`
		b7242a	`end;`
		b7242a	`end`
		b7242a
		b7242a
		b7242a	`From 74e5ed30f9bae21240e5e2209346fa91ef463393 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Mon, 18 May 2020 02:35:35 +0900`
		b7242a	`Subject: [PATCH 13/21] test/openssl/test_pkey: use EC keys for testing`
		b7242a	`PKey.generate_parameters`
		b7242a
		b7242a	`OpenSSL 3.0 refuses to generate DSA parameters shorter than 2048 bits,`
		b7242a	`but generating 2048 bits parameters takes very long. Let's use EC in`
		b7242a	`those test cases instead.`
		b7242a	`---`
		b7242a	`test/openssl/test_pkey.rb \| 143 ++++++++++++++++++++++++++++++++++++++`
		b7242a	`1 file changed, 143 insertions(+)`
		b7242a
		b7242a	`diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb`
		b7242a	`index 0bdc979..b4ddcfb 100644`
		b7242a	`--- a/test/openssl/test_pkey.rb`
		b7242a	`+++ b/test/openssl/test_pkey.rb`
		b7242a	`@@ -25,4 +25,147 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase`
		b7242a	`assert_equal "X25519", x25519.oid`
		b7242a	`assert_match %r{oid=X25519}, x25519.inspect`
		b7242a	`end`
		b7242a	`+`
		b7242a	`+ def test_s_generate_parameters`
		b7242a	`+ pend "EC is disabled" unless defined?(OpenSSL::PKey::EC)`
		b7242a	`+`
		b7242a	`+ pkey = OpenSSL::PKey.generate_parameters("EC", {`
		b7242a	`+ "ec_paramgen_curve" => "secp384r1",`
		b7242a	`+ })`
		b7242a	`+ assert_instance_of OpenSSL::PKey::EC, pkey`
		b7242a	`+ assert_equal "secp384r1", pkey.group.curve_name`
		b7242a	`+ assert_equal nil, pkey.private_key`
		b7242a	`+`
		b7242a	`+ # Invalid options are checked`
		b7242a	`+ assert_raise(OpenSSL::PKey::PKeyError) {`
		b7242a	`+ OpenSSL::PKey.generate_parameters("EC", "invalid" => "option")`
		b7242a	`+ }`
		b7242a	`+`
		b7242a	`+ # Parameter generation callback is called`
		b7242a	`+ cb_called = []`
		b7242a	`+ assert_raise(RuntimeError) {`
		b7242a	`+ OpenSSL::PKey.generate_parameters("DSA") { \|*args\|`
		b7242a	`+ cb_called << args`
		b7242a	`+ raise "exit!" if cb_called.size == 3`
		b7242a	`+ }`
		b7242a	`+ }`
		b7242a	`+ assert_not_empty cb_called`
		b7242a	`+ end`
		b7242a	`+`
		b7242a	`+ def test_s_generate_key`
		b7242a	`+ pend "EC is disabled" unless defined?(OpenSSL::PKey::EC)`
		b7242a	`+`
		b7242a	`+ assert_raise(OpenSSL::PKey::PKeyError) {`
		b7242a	`+ # DSA key pair cannot be generated without parameters`
		b7242a	`+ OpenSSL::PKey.generate_key("DSA")`
		b7242a	`+ }`
		b7242a	`+ pkey_params = OpenSSL::PKey.generate_parameters("EC", {`
		b7242a	`+ "ec_paramgen_curve" => "secp384r1",`
		b7242a	`+ })`
		b7242a	`+ pkey = OpenSSL::PKey.generate_key(pkey_params)`
		b7242a	`+ assert_instance_of OpenSSL::PKey::EC, pkey`
		b7242a	`+ assert_equal "secp384r1", pkey.group.curve_name`
		b7242a	`+ assert_not_equal nil, pkey.private_key`
		b7242a	`+ end`
		b7242a	`+`
		b7242a	`+ def test_hmac_sign_verify`
		b7242a	`+ pkey = OpenSSL::PKey.generate_key("HMAC", { "key" => "abcd" })`
		b7242a	`+`
		b7242a	`+ hmac = OpenSSL::HMAC.new("abcd", "SHA256").update("data").digest`
		b7242a	`+ assert_equal hmac, pkey.sign("SHA256", "data")`
		b7242a	`+`
		b7242a	`+ # EVP_PKEY_HMAC does not support verify`
		b7242a	`+ assert_raise(OpenSSL::PKey::PKeyError) {`
		b7242a	`+ pkey.verify("SHA256", "data", hmac)`
		b7242a	`+ }`
		b7242a	`+ end`
		b7242a	`+`
		b7242a	`+ def test_ed25519`
		b7242a	`+ # Test vector from RFC 8032 Section 7.1 TEST 2`
		b7242a	`+ priv_pem = <<~EOF`
		b7242a	`+ -----BEGIN PRIVATE KEY-----`
		b7242a	`+ MC4CAQAwBQYDK2VwBCIEIEzNCJso/5banbbDRuwRTg9bijGfNaumJNqM9u1PuKb7`
		b7242a	`+ -----END PRIVATE KEY-----`
		b7242a	`+ EOF`
		b7242a	`+ pub_pem = <<~EOF`
		b7242a	`+ -----BEGIN PUBLIC KEY-----`
		b7242a	`+ MCowBQYDK2VwAyEAPUAXw+hDiVqStwqnTRt+vJyYLM8uxJaMwM1V8Sr0Zgw=`
		b7242a	`+ -----END PUBLIC KEY-----`
		b7242a	`+ EOF`
		b7242a	`+ begin`
		b7242a	`+ priv = OpenSSL::PKey.read(priv_pem)`
		b7242a	`+ pub = OpenSSL::PKey.read(pub_pem)`
		b7242a	`+ rescue OpenSSL::PKey::PKeyError`
		b7242a	`+ # OpenSSL < 1.1.1`
		b7242a	`+ pend "Ed25519 is not implemented"`
		b7242a	`+ end`
		b7242a	`+ assert_instance_of OpenSSL::PKey::PKey, priv`
		b7242a	`+ assert_instance_of OpenSSL::PKey::PKey, pub`
		b7242a	`+ assert_equal priv_pem, priv.private_to_pem`
		b7242a	`+ assert_equal pub_pem, priv.public_to_pem`
		b7242a	`+ assert_equal pub_pem, pub.public_to_pem`
		b7242a	`+`
		b7242a	`+ sig = [<<~EOF.gsub(/[^0-9a-f]/, "")].pack("H*")`
		b7242a	`+ 92a009a9f0d4cab8720e820b5f642540`
		b7242a	`+ a2b27b5416503f8fb3762223ebdb69da`
		b7242a	`+ 085ac1e43e15996e458f3613d0f11d8c`
		b7242a	`+ 387b2eaeb4302aeeb00d291612bb0c00`
		b7242a	`+ EOF`
		b7242a	`+ data = ["72"].pack("H*")`
		b7242a	`+ assert_equal sig, priv.sign(nil, data)`
		b7242a	`+ assert_equal true, priv.verify(nil, sig, data)`
		b7242a	`+ assert_equal true, pub.verify(nil, sig, data)`
		b7242a	`+ assert_equal false, pub.verify(nil, sig, data.succ)`
		b7242a	`+`
		b7242a	`+ # PureEdDSA wants nil as the message digest`
		b7242a	`+ assert_raise(OpenSSL::PKey::PKeyError) { priv.sign("SHA512", data) }`
		b7242a	`+ assert_raise(OpenSSL::PKey::PKeyError) { pub.verify("SHA512", sig, data) }`
		b7242a	`+`
		b7242a	`+ # Ed25519 pkey type does not support key derivation`
		b7242a	`+ assert_raise(OpenSSL::PKey::PKeyError) { priv.derive(pub) }`
		b7242a	`+ end`
		b7242a	`+`
		b7242a	`+ def test_x25519`
		b7242a	`+ # Test vector from RFC 7748 Section 6.1`
		b7242a	`+ alice_pem = <<~EOF`
		b7242a	`+ -----BEGIN PRIVATE KEY-----`
		b7242a	`+ MC4CAQAwBQYDK2VuBCIEIHcHbQpzGKV9PBbBclGyZkXfTC+H68CZKrF3+6UduSwq`
		b7242a	`+ -----END PRIVATE KEY-----`
		b7242a	`+ EOF`
		b7242a	`+ bob_pem = <<~EOF`
		b7242a	`+ -----BEGIN PUBLIC KEY-----`
		b7242a	`+ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+DQ8hbeGdNrfx+FG+IK08=`
		b7242a	`+ -----END PUBLIC KEY-----`
		b7242a	`+ EOF`
		b7242a	`+ shared_secret = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"`
		b7242a	`+ begin`
		b7242a	`+ alice = OpenSSL::PKey.read(alice_pem)`
		b7242a	`+ bob = OpenSSL::PKey.read(bob_pem)`
		b7242a	`+ rescue OpenSSL::PKey::PKeyError`
		b7242a	`+ # OpenSSL < 1.1.0`
		b7242a	`+ pend "X25519 is not implemented"`
		b7242a	`+ end`
		b7242a	`+ assert_instance_of OpenSSL::PKey::PKey, alice`
		b7242a	`+ assert_equal alice_pem, alice.private_to_pem`
		b7242a	`+ assert_equal bob_pem, bob.public_to_pem`
		b7242a	`+ assert_equal [shared_secret].pack("H*"), alice.derive(bob)`
		b7242a	`+ end`
		b7242a	`+`
		b7242a	`+ def test_compare?`
		b7242a	`+ key1 = Fixtures.pkey("rsa1024")`
		b7242a	`+ key2 = Fixtures.pkey("rsa1024")`
		b7242a	`+ key3 = Fixtures.pkey("rsa2048")`
		b7242a	`+ key4 = Fixtures.pkey("dh-1")`
		b7242a	`+`
		b7242a	`+ assert_equal(true, key1.compare?(key2))`
		b7242a	`+ assert_equal(true, key1.public_key.compare?(key2))`
		b7242a	`+ assert_equal(true, key2.compare?(key1))`
		b7242a	`+ assert_equal(true, key2.public_key.compare?(key1))`
		b7242a	`+`
		b7242a	`+ assert_equal(false, key1.compare?(key3))`
		b7242a	`+`
		b7242a	`+ assert_raise(TypeError) do`
		b7242a	`+ key1.compare?(key4)`
		b7242a	`+ end`
		b7242a	`+ end`
		b7242a	`end`
		b7242a
		b7242a	`From 3376d11a39295b67086da4ebc4e5530e780a398d Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Thu, 13 Aug 2020 19:36:31 +0900`
		b7242a	`Subject: [PATCH 14/21] test/openssl/test_pkey_rsa: fix RSA key generation test`
		b7242a
		b7242a	`OpenSSL 3.0 checks the public exponent value in a stricter manner and`
		b7242a	`does no longer allow values less than 65537, with the exception of 3.`
		b7242a	`---`
		b7242a	`test/openssl/test_pkey_rsa.rb \| 40 +++++++++++++++++------------------`
		b7242a	`1 file changed, 19 insertions(+), 21 deletions(-)`
		b7242a
		b7242a	`diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb`
		b7242a	`index 9dac06e2..544d28dc 100644`
		b7242a	`--- a/test/openssl/test_pkey_rsa.rb`
		b7242a	`+++ b/test/openssl/test_pkey_rsa.rb`
		b7242a	`@@ -68,30 +68,28 @@ def test_private`
		b7242a	`assert(!key6.private?)`
		b7242a	`end`
		b7242a
		b7242a	`- def test_new`
		b7242a	`- key = OpenSSL::PKey::RSA.new 512`
		b7242a	`- pem = key.public_key.to_pem`
		b7242a	`- OpenSSL::PKey::RSA.new pem`
		b7242a	`- assert_equal([], OpenSSL.errors)`
		b7242a	`+ def test_new_generate`
		b7242a	`+ key1 = OpenSSL::PKey::RSA.new(512)`
		b7242a	`+ assert_equal 512, key1.n.num_bits`
		b7242a	`+ assert_equal 65537, key1.e`
		b7242a	`+`
		b7242a	`+ # Specify public exponent`
		b7242a	`+ key2 = OpenSSL::PKey::RSA.new(512, 3)`
		b7242a	`+ assert_equal 512, key2.n.num_bits`
		b7242a	`+ assert_equal 3, key2.e`
		b7242a	`+ assert_not_equal 0, key2.d`
		b7242a	`end`
		b7242a
		b7242a	`- def test_new_exponent_default`
		b7242a	`- assert_equal(65537, OpenSSL::PKey::RSA.new(512).e)`
		b7242a	`- end`
		b7242a	`-`
		b7242a	`- def test_new_with_exponent`
		b7242a	`- 1.upto(30) do \|idx\|`
		b7242a	`- e = (2 ** idx) + 1`
		b7242a	`- key = OpenSSL::PKey::RSA.new(512, e)`
		b7242a	`- assert_equal(e, key.e)`
		b7242a	`- end`
		b7242a	`- end`
		b7242a	`+ def test_s_generate`
		b7242a	`+ key1 = OpenSSL::PKey::RSA.generate(512)`
		b7242a	`+ assert_equal 512, key1.n.num_bits`
		b7242a	`+ assert_equal 65537, key1.e`
		b7242a
		b7242a	`- def test_generate`
		b7242a	`- key = OpenSSL::PKey::RSA.generate(512, 17)`
		b7242a	`- assert_equal 512, key.n.num_bits`
		b7242a	`- assert_equal 17, key.e`
		b7242a	`- assert_not_nil key.d`
		b7242a	`+ # Specify public exponent`
		b7242a	`+ key2 = OpenSSL::PKey::RSA.generate(512, 3)`
		b7242a	`+ assert_equal 512, key2.n.num_bits`
		b7242a	`+ assert_equal 3, key2.e`
		b7242a	`+ assert_not_equal 0, key2.d`
		b7242a	`end`
		b7242a
		b7242a	`def test_new_break`
		b7242a
		b7242a	`From 050760bb700a274cb5efe3211dae8f8e078f2f1a Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Thu, 13 Aug 2020 23:20:55 +0900`
		b7242a	`Subject: [PATCH 15/21] test/openssl/test_pkcs12: fix test failures with`
		b7242a	`OpenSSL 3.0`
		b7242a
		b7242a	`OpenSSL's PKCS12_create() by default uses pbewithSHAAnd40BitRC2-CBC for`
		b7242a	`encryption of the certificates. However, in OpenSSL 3.0, the algorithm`
		b7242a	`is part of the legacy provider and is not enabled by default.`
		b7242a
		b7242a	`Specify another algorithm that is still in the default provider in the`
		b7242a	`test cases.`
		b7242a	`---`
		b7242a	`test/openssl/test_pkcs12.rb \| 297 ++++++++++++++++++------------------`
		b7242a	`1 file changed, 149 insertions(+), 148 deletions(-)`
		b7242a
		b7242a	`diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb`
		b7242a	`index fdbe753b..ec676743 100644`
		b7242a	`--- a/test/openssl/test_pkcs12.rb`
		b7242a	`+++ b/test/openssl/test_pkcs12.rb`
		b7242a	`@@ -5,6 +5,9 @@`
		b7242a
		b7242a	`module OpenSSL`
		b7242a	`class TestPKCS12 < OpenSSL::TestCase`
		b7242a	`+ DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES"`
		b7242a	`+ DEFAULT_PBE_CERTS = "PBE-SHA1-3DES"`
		b7242a	`+`
		b7242a	`def setup`
		b7242a	`super`
		b7242a	`ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")`
		b7242a	`@@ -14,47 +17,41 @@ def setup`
		b7242a	`["subjectKeyIdentifier","hash",false],`
		b7242a	`["authorityKeyIdentifier","keyid:always",false],`
		b7242a	`]`
		b7242a	`- @cacert = issue_cert(ca, Fixtures.pkey("rsa2048"), 1, ca_exts, nil, nil)`
		b7242a	`+ ca_key = Fixtures.pkey("rsa-1")`
		b7242a	`+ @cacert = issue_cert(ca, ca_key, 1, ca_exts, nil, nil)`
		b7242a
		b7242a	`inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA")`
		b7242a	`- inter_ca_key = OpenSSL::PKey.read <<-_EOS_`
		b7242a	`------BEGIN RSA PRIVATE KEY-----`
		b7242a	`-MIICXAIBAAKBgQDp7hIG0SFMG/VWv1dBUWziAPrNmkMXJgTCAoB7jffzRtyyN04K`
		b7242a	`-oq/89HAszTMStZoMigQURfokzKsjpUp8OYCAEsBtt9d5zPndWMz/gHN73GrXk3LT`
		b7242a	`-ZsxEn7Xv5Da+Y9F/Hx2QZUHarV5cdZixq2NbzWGwrToogOQMh2pxN3Z/0wIDAQAB`
		b7242a	`-AoGBAJysUyx3olpsGzv3OMRJeahASbmsSKTXVLZvoIefxOINosBFpCIhZccAG6UV`
		b7242a	`-5c/xCvS89xBw8aD15uUfziw3AuT8QPEtHCgfSjeT7aWzBfYswEgOW4XPuWr7EeI9`
		b7242a	`-iNHGD6z+hCN/IQr7FiEBgTp6A+i/hffcSdR83fHWKyb4M7TRAkEA+y4BNd668HmC`
		b7242a	`-G5MPRx25n6LixuBxrNp1umfjEI6UZgEFVpYOg4agNuimN6NqM253kcTR94QNTUs5`
		b7242a	`-Kj3EhG1YWwJBAO5rUjiOyCNVX2WUQrOMYK/c1lU7fvrkdygXkvIGkhsPoNRzLPeA`
		b7242a	`-HGJszKtrKD8bNihWpWNIyqKRHfKVD7yXT+kCQGCAhVCIGTRoypcDghwljHqLnysf`
		b7242a	`-ci0h5ZdPcIqc7ODfxYhFsJ/Rql5ONgYsT5Ig/+lOQAkjf+TRYM4c2xKx2/8CQBvG`
		b7242a	`-jv6dy70qDgIUgqzONtlmHeYyFzn9cdBO5sShdVYHvRHjFSMEXsosqK9zvW2UqvuK`
		b7242a	`-FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3`
		b7242a	`-Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=`
		b7242a	`------END RSA PRIVATE KEY-----`
		b7242a	`- _EOS_`
		b7242a	`- @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, Fixtures.pkey("rsa2048"))`
		b7242a	`+ inter_ca_key = Fixtures.pkey("rsa-2")`
		b7242a	`+ @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, ca_key)`
		b7242a
		b7242a	`exts = [`
		b7242a	`["keyUsage","digitalSignature",true],`
		b7242a	`["subjectKeyIdentifier","hash",false],`
		b7242a	`]`
		b7242a	`ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate")`
		b7242a	`- @mykey = Fixtures.pkey("rsa1024")`
		b7242a	`+ @mykey = Fixtures.pkey("rsa-3")`
		b7242a	`@mycert = issue_cert(ee, @mykey, 3, exts, @inter_cacert, inter_ca_key)`
		b7242a	`end`
		b7242a
		b7242a	`- def test_create`
		b7242a	`+ def test_create_single_key_single_cert`
		b7242a	`pkcs12 = OpenSSL::PKCS12.create(`
		b7242a	`"omg",`
		b7242a	`"hello",`
		b7242a	`@mykey,`
		b7242a	`- @mycert`
		b7242a	`+ @mycert,`
		b7242a	`+ nil,`
		b7242a	`+ DEFAULT_PBE_PKEYS,`
		b7242a	`+ DEFAULT_PBE_CERTS,`
		b7242a	`)`
		b7242a	`- assert_equal @mycert.to_der, pkcs12.certificate.to_der`
		b7242a	`+ assert_equal @mycert, pkcs12.certificate`
		b7242a	`assert_equal @mykey.to_der, pkcs12.key.to_der`
		b7242a	`assert_nil pkcs12.ca_certs`
		b7242a	`+`
		b7242a	`+ der = pkcs12.to_der`
		b7242a	`+ decoded = OpenSSL::PKCS12.new(der, "omg")`
		b7242a	`+ assert_equal @mykey.to_der, decoded.key.to_der`
		b7242a	`+ assert_equal @mycert, decoded.certificate`
		b7242a	`+ assert_equal [], Array(decoded.ca_certs)`
		b7242a	`end`
		b7242a
		b7242a	`def test_create_no_pass`
		b7242a	`@@ -62,14 +59,17 @@ def test_create_no_pass`
		b7242a	`nil,`
		b7242a	`"hello",`
		b7242a	`@mykey,`
		b7242a	`- @mycert`
		b7242a	`+ @mycert,`
		b7242a	`+ nil,`
		b7242a	`+ DEFAULT_PBE_PKEYS,`
		b7242a	`+ DEFAULT_PBE_CERTS,`
		b7242a	`)`
		b7242a	`- assert_equal @mycert.to_der, pkcs12.certificate.to_der`
		b7242a	`+ assert_equal @mycert, pkcs12.certificate`
		b7242a	`assert_equal @mykey.to_der, pkcs12.key.to_der`
		b7242a	`assert_nil pkcs12.ca_certs`
		b7242a
		b7242a	`decoded = OpenSSL::PKCS12.new(pkcs12.to_der)`
		b7242a	`- assert_cert @mycert, decoded.certificate`
		b7242a	`+ assert_equal @mycert, decoded.certificate`
		b7242a	`end`
		b7242a
		b7242a	`def test_create_with_chain`
		b7242a	`@@ -80,7 +80,9 @@ def test_create_with_chain`
		b7242a	`"hello",`
		b7242a	`@mykey,`
		b7242a	`@mycert,`
		b7242a	`- chain`
		b7242a	`+ chain,`
		b7242a	`+ DEFAULT_PBE_PKEYS,`
		b7242a	`+ DEFAULT_PBE_CERTS,`
		b7242a	`)`
		b7242a	`assert_equal chain, pkcs12.ca_certs`
		b7242a	`end`
		b7242a	`@@ -95,14 +97,16 @@ def test_create_with_chain_decode`
		b7242a	`"hello",`
		b7242a	`@mykey,`
		b7242a	`@mycert,`
		b7242a	`- chain`
		b7242a	`+ chain,`
		b7242a	`+ DEFAULT_PBE_PKEYS,`
		b7242a	`+ DEFAULT_PBE_CERTS,`
		b7242a	`)`
		b7242a
		b7242a	`decoded = OpenSSL::PKCS12.new(pkcs12.to_der, passwd)`
		b7242a	`assert_equal chain.size, decoded.ca_certs.size`
		b7242a	`- assert_include_cert @cacert, decoded.ca_certs`
		b7242a	`- assert_include_cert @inter_cacert, decoded.ca_certs`
		b7242a	`- assert_cert @mycert, decoded.certificate`
		b7242a	`+ assert_include decoded.ca_certs, @cacert`
		b7242a	`+ assert_include decoded.ca_certs, @inter_cacert`
		b7242a	`+ assert_equal @mycert, decoded.certificate`
		b7242a	`assert_equal @mykey.to_der, decoded.key.to_der`
		b7242a	`end`
		b7242a
		b7242a	`@@ -126,8 +130,8 @@ def test_create_with_itr`
		b7242a	`@mykey,`
		b7242a	`@mycert,`
		b7242a	`[],`
		b7242a	`- nil,`
		b7242a	`- nil,`
		b7242a	`+ DEFAULT_PBE_PKEYS,`
		b7242a	`+ DEFAULT_PBE_CERTS,`
		b7242a	`2048`
		b7242a	`)`
		b7242a
		b7242a	`@@ -138,8 +142,8 @@ def test_create_with_itr`
		b7242a	`@mykey,`
		b7242a	`@mycert,`
		b7242a	`[],`
		b7242a	`- nil,`
		b7242a	`- nil,`
		b7242a	`+ DEFAULT_PBE_PKEYS,`
		b7242a	`+ DEFAULT_PBE_CERTS,`
		b7242a	`"omg"`
		b7242a	`)`
		b7242a	`end`
		b7242a	`@@ -152,7 +156,8 @@ def test_create_with_mac_itr`
		b7242a	`@mykey,`
		b7242a	`@mycert,`
		b7242a	`[],`
		b7242a	`- nil,`
		b7242a	`+ DEFAULT_PBE_PKEYS,`
		b7242a	`+ DEFAULT_PBE_CERTS,`
		b7242a	`nil,`
		b7242a	`nil,`
		b7242a	`2048`
		b7242a	`@@ -165,148 +170,144 @@ def test_create_with_mac_itr`
		b7242a	`@mykey,`
		b7242a	`@mycert,`
		b7242a	`[],`
		b7242a	`- nil,`
		b7242a	`- nil,`
		b7242a	`+ DEFAULT_PBE_PKEYS,`
		b7242a	`+ DEFAULT_PBE_CERTS,`
		b7242a	`nil,`
		b7242a	`"omg"`
		b7242a	`)`
		b7242a	`end`
		b7242a	`end`
		b7242a
		b7242a	`- def test_new_with_one_key_and_one_cert`
		b7242a	`- # generated with:`
		b7242a	`- # openssl version #=> OpenSSL 1.0.2h 3 May 2016`
		b7242a	`- # openssl pkcs12 -in <@mycert> -inkey <RSA1024> -export -out <out>`
		b7242a	`- str = <<~EOF.unpack("m").first`
		b7242a	`-MIIGQQIBAzCCBgcGCSqGSIb3DQEHAaCCBfgEggX0MIIF8DCCAu8GCSqGSIb3DQEH`
		b7242a	`-BqCCAuAwggLcAgEAMIIC1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIeZPM`
		b7242a	`-Rh6KiXgCAggAgIICqL6O+LCZmBzdIg6mozPF3FpY0hVbWHvTNMiDHieW3CrAanhN`
		b7242a	`-YCH2/wHqH8WpFpEWwF0qEEXAWjHsIlYB4Cfqo6b7XpuZe5eVESsjNTOTMF1JCUJj`
		b7242a	`-A6iNefXmCFLync1JK5LUodRDhTlKLU1WPK20X9X4vuEwHn8wt5RUb8P0E+Xh6rpS`
		b7242a	`-XC4LkZKT45zF3cJa/n5+dW65ohVGNVnF9D1bCNEKHMOllK1V9omutQ9slW88hpga`
		b7242a	`-LGiFsJoFOb/ESGb78KO+bd6zbX1MdKdBV+WD6t1uF/cgU65y+2A4nXs1urda+MJ7`
		b7242a	`-7iVqiB7Vnc9cANTbAkTSGNyoUDVM/NZde782/8IvddLAzUZ2EftoRDke6PvuBOVL`
		b7242a	`-ljBhNWmdamrtBqzuzVZCRdWq44KZkF2Xoc9asepwIkdVmntzQF7f1Z+Ta5yg6HFp`
		b7242a	`-xnr7CuM+MlHEShXkMgYtHnwAq10fDMSXIvjhi/AA5XUAusDO3D+hbtcRDcJ4uUes`
		b7242a	`-dm5dhQE2qJ02Ysn4aH3o1F3RYNOzrxejHJwl0D2TCE8Ww2X342xib57+z9u03ufj`
		b7242a	`-jswhiMKxy67f1LhUMq3XrT3uV6kCVXk/KUOUPcXPlPVNA5JmZeFhMp6GrtB5xJJ9`
		b7242a	`-wwBZD8UL5A2U2Mxi2OZsdUBv8eo3jnjZ284aFpt+mCjIHrLW5O0jwY8OCwSlYUoY`
		b7242a	`-IY00wlabX0s82kBcIQNZbC1RSV2267ro/7A0MClc8YQ/zWN0FKY6apgtUkHJI1cL`
		b7242a	`-1dc77mhnjETjwW94iLMDFy4zQfVu7IfCBqOBzygRNnqqUG66UhTs1xFnWM0mWXl/`
		b7242a	`-Zh9+AMpbRLIPaKCktIjl5juzzm+KEgkhD+707XRCFIGUYGP5bSHzGaz8PK9hj0u1`
		b7242a	`-E2SpZHUvYOcawmxtA7pmpSxl5uQjMIIC+QYJKoZIhvcNAQcBoIIC6gSCAuYwggLi`
		b7242a	`-MIIC3gYLKoZIhvcNAQwKAQKgggKmMIICojAcBgoqhkiG9w0BDAEDMA4ECKB338m8`
		b7242a	`-qSzHAgIIAASCAoACFhJeqA3xx+s1qIH6udNQYY5hAL6oz7SXoGwFhDiceSyJjmAD`
		b7242a	`-Dby9XWM0bPl1Gj5nqdsuI/lAM++fJeoETk+rxw8q6Ofk2zUaRRE39qgpwBwSk44o`
		b7242a	`-0SAFJ6bzHpc5CFh6sZmDaUX5Lm9GtjnGFmmsPTSJT5an5JuJ9WczGBEd0nSBQhJq`
		b7242a	`-xHbTGZiN8i3SXcIH531Sub+CBIFWy5lyCKgDYh/kgJFGQAaWUOjLI+7dCEESonXn`
		b7242a	`-F3Jh2uPbnDF9MGJyAFoNgWFhgSpi1cf6AUi87GY4Oyur88ddJ1o0D0Kz2uw8/bpG`
		b7242a	`-s3O4PYnIW5naZ8mozzbnYByEFk7PoTwM7VhoFBfYNtBoAI8+hBnPY/Y71YUojEXf`
		b7242a	`-SeX6QbtkIANfzS1XuFNKElShC3DPQIHpKzaatEsfxHfP+8VOav6zcn4mioao7NHA`
		b7242a	`-x7Dp6R1enFGoQOq4UNjBT8YjnkG5vW8zQHW2dAHLTJBq6x2Fzm/4Pjo/8vM1FiGl`
		b7242a	`-BQdW5vfDeJ/l6NgQm3xR9ka2E2HaDqIcj1zWbN8jy/bHPFJYuF/HH8MBV/ngMIXE`
		b7242a	`-vFEW/ToYv8eif0+EpUtzBsCKD4a7qYYYh87RmEVoQU96q6m+UbhpD2WztYfAPkfo`
		b7242a	`-OSL9j2QHhVczhL7OAgqNeM95pOsjA9YMe7exTeqK31LYnTX8oH8WJD1xGbRSJYgu`
		b7242a	`-SY6PQbumcJkc/TFPn0GeVUpiDdf83SeG50lo/i7UKQi2l1hi5Y51fQhnBnyMr68D`
		b7242a	`-llSZEvSWqfDxBJkBpeg6PIYvkTpEwKRJpVQoM3uYvdqVSSnW6rydqIb+snfOrlhd`
		b7242a	`-f+xCtq9xr+kHeTSqLIDRRAnMfgFRhY3IBlj6MSUwIwYJKoZIhvcNAQkVMRYEFBdb`
		b7242a	`-8XGWehZ6oPj56Pf/uId46M9AMDEwITAJBgUrDgMCGgUABBRvSCB04/f8f13pp2PF`
		b7242a	`-vyl2WuMdEwQIMWFFphPkIUICAggA`
		b7242a	`- EOF`
		b7242a	`- p12 = OpenSSL::PKCS12.new(str, "abc123")`
		b7242a	`-`
		b7242a	`- assert_equal @mykey.to_der, p12.key.to_der`
		b7242a	`- assert_equal @mycert.subject.to_der, p12.certificate.subject.to_der`
		b7242a	`- assert_equal [], Array(p12.ca_certs)`
		b7242a	`- end`
		b7242a	`-`
		b7242a	`def test_new_with_no_keys`
		b7242a	`# generated with:`
		b7242a	`- # openssl pkcs12 -in <@mycert> -nokeys -export -out <out>`
		b7242a	`+ # openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export`
		b7242a	`str = <<~EOF.unpack("m").first`
		b7242a	`-MIIDHAIBAzCCAuIGCSqGSIb3DQEHAaCCAtMEggLPMIICyzCCAscGCSqGSIb3DQEH`
		b7242a	`-BqCCArgwggK0AgEAMIICrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIX4+W`
		b7242a	`-irqwH40CAggAgIICgOaCyo+5+6IOVoGCCL80c50bkkzAwqdXxvkKExJSdcJz2uMU`
		b7242a	`-0gRrKnZEjL5wrUsN8RwZu8DvgQTEhNEkKsUgM7AWainmN/EnwohIdHZAHpm6WD67`
		b7242a	`-I9kLGp0/DHrqZrV9P2dLfhXLUSQE8PI0tqZPZ8UEABhizkViw4eISTkrOUN7pGbN`
		b7242a	`-Qtx/oqgitXDuX2polbxYYDwt9vfHZhykHoKgew26SeJyZfeMs/WZ6olEI4cQUAFr`
		b7242a	`-mvYGuC1AxEGTo9ERmU8Pm16j9Hr9PFk50WYe+rnk9oX3wJogQ7XUWS5kYf7XRycd`
		b7242a	`-NDkNiwV/ts94bbuaGZp1YA6I48FXpIc8b5fX7t9tY0umGaWy0bARe1L7o0Y89EPe`
		b7242a	`-lMg25rOM7j3uPtFG8whbSfdETSy57UxzzTcJ6UwexeaK6wb2jqEmj5AOoPLWeaX0`
		b7242a	`-LyOAszR3v7OPAcjIDYZGdrbb3MZ2f2vo2pdQfu9698BrWhXuM7Odh73RLhJVreNI`
		b7242a	`-aezNOAtPyBlvGiBQBGTzRIYHSLL5Y5aVj2vWLAa7hjm5qTL5C5mFdDIo6TkEMr6I`
		b7242a	`-OsexNQofEGs19kr8nARXDlcbEimk2VsPj4efQC2CEXZNzURsKca82pa62MJ8WosB`
		b7242a	`-DTFd8X06zZZ4nED50vLopZvyW4fyW60lELwOyThAdG8UchoAaz2baqP0K4de44yM`
		b7242a	`-Y5/yPFDu4+GoimipJfbiYviRwbzkBxYW8+958ILh0RtagLbvIGxbpaym9PqGjOzx`
		b7242a	`-ShNXjLK2aAFZsEizQ8kd09quJHU/ogq2cUXdqqhmOqPnUWrJVi/VCoRB3Pv1/lE4`
		b7242a	`-mrUgr2YZ11rYvBw6g5XvNvFcSc53OKyV7SLn0dwwMTAhMAkGBSsOAwIaBQAEFEWP`
		b7242a	`-1WRQykaoD4uJCpTx/wv0SLLBBAiDKI26LJK7xgICCAA=`
		b7242a	`+MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3`
		b7242a	`+DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw`
		b7242a	`+DgQIjv5c3OHvnBgCAggAgIIFiMJa8Z/w7errRvCQPXh9dGQz3eJaFq3S2gXD`
		b7242a	`+rh6oiwsgIRJZvYAWgU6ll9NV7N5SgvS2DDNVuc3tsP8TPWjp+bIxzS9qmGUV`
		b7242a	`+kYWuURWLMKhpF12ZRDab8jcIwBgKoSGiDJk8xHjx6L613/XcRM6ln3VeQK+C`
		b7242a	`+hlW5kXniNAUAgTft25Fn61Xa8xnhmsz/fk1ycGnyGjKCnr7Mgy7KV0C1vs23`
		b7242a	`+18n8+b1ktDWLZPYgpmXuMFVh0o+HJTV3O86mkIhJonMcnOMgKZ+i8KeXaocN`
		b7242a	`+JQlAPBG4+HOip7FbQT/h6reXv8/J+hgjLfqAb5aV3m03rUX9mXx66nR1tQU0`
		b7242a	`+Jq+XPfDh5+V4akIczLlMyyo/xZjI1/qupcMjr+giOGnGd8BA3cuXW+ueLQiA`
		b7242a	`+PpTp+DQLVHRfz9XTZbyqOReNEtEXvO9gOlKSEY5lp65ItXVEs2Oqyf9PfU9y`
		b7242a	`+DUltN6fCMilwPyyrsIBKXCu2ZLM5h65KVCXAYEX9lNqj9zrQ7vTqvCNN8RhS`
		b7242a	`+ScYouTX2Eqa4Z+gTZWLHa8RCQFoyP6hd+97/Tg2Gv2UTH0myQxIVcnpdi1wy`
		b7242a	`+cqb+er7tyKbcO96uSlUjpj/JvjlodtjJcX+oinEqGb/caj4UepbBwiG3vv70`
		b7242a	`+63bS3jTsOLNjDRsR9if3LxIhLa6DW8zOJiGC+EvMD1o4dzHcGVpQ/pZWCHZC`
		b7242a	`++YiNJpQOBApiZluE+UZ0m3XrtHFQYk7xblTrh+FJF91wBsok0rZXLAKd8m4p`
		b7242a	`+OJsc7quCq3cuHRRTzJQ4nSe01uqbwGDAYwLvi6VWy3svU5qa05eDRmgzEFTG`
		b7242a	`+e84Gp/1LQCtpQFr4txkjFchO2whWS80KoQKqmLPyGm1D9Lv53Q4ZsKMgNihs`
		b7242a	`+rEepuaOZMKHl4yMAYFoOXZCAYzfbhN6b2phcFAHjMUHUw9e3F0QuDk9D0tsr`
		b7242a	`+riYTrkocqlOKfK4QTomx27O0ON2J6f1rtEojGgfl9RNykN7iKGzjS3914QjW`
		b7242a	`+W6gGiZejxHsDPEAa4gUp0WiSUSXtD5WJgoyAzLydR2dKWsQ4WlaUXi01CuGy`
		b7242a	`++xvncSn2nO3bbot8VD5H6XU1CjREVtnIfbeRYO/uofyLUP3olK5RqN6ne6Xo`
		b7242a	`+eXnJ/bjYphA8NGuuuvuW1SCITmINkZDLC9cGlER9+K65RR/DR3TigkexXMeN`
		b7242a	`+aJ70ivZYAl0OuhZt3TGIlAzS64TIoyORe3z7Ta1Pp9PZQarYJpF9BBIZIFor`
		b7242a	`+757PHHuQKRuugiRkp8B7v4eq1BQ+VeAxCKpyZ7XrgEtbY/AWDiaKcGPKPjc3`
		b7242a	`+AqQraVeQm7kMBT163wFmZArCphzkDOI3bz2oEO8YArMgLq2Vto9jAZlqKyWr`
		b7242a	`+pi2bSJxuoP1aoD58CHcWMrf8/j1LVdQhKgHQXSik2ID0H2Wc/XnglhzlVFuJ`
		b7242a	`+JsNIW/EGJlZh/5WDez9U0bXqnBlu3uasPEOezdoKlcCmQlmTO5+uLHYLEtNA`
		b7242a	`+EH9MtnGZebi9XS5meTuS6z5LILt8O9IHZxmT3JRPHYj287FEzotlLdcJ4Ee5`
		b7242a	`+enW41UHjLrfv4OaITO1hVuoLRGdzjESx/fHMWmxroZ1nVClxECOdT42zvIYJ`
		b7242a	`+J3xBZ0gppzQ5fjoYiKjJpxTflRxUuxshk3ih6VUoKtqj/W18tBQ3g5SOlkgT`
		b7242a	`+yCW8r74yZlfYmNrPyDMUQYpLUPWj2n71GF0KyPfTU5yOatRgvheh262w5BG3`
		b7242a	`+omFY7mb3tCv8/U2jdMIoukRKacpZiagofz3SxojOJq52cHnCri+gTHBMX0cO`
		b7242a	`+j58ygfntHWRzst0pV7Ze2X3fdCAJ4DokH6bNJNthcgmolFJ/y3V1tJjgsdtQ`
		b7242a	`+7Pjn/vE6xUV0HXE2x4yoVYNirbAMIvkN/X+atxrN0dA4AchN+zGp8TAxMCEw`
		b7242a	`+CQYFKw4DAhoFAAQUQ+6XXkyhf6uYgtbibILN2IjKnOAECLiqoY45MPCrAgII`
		b7242a	`+AA==`
		b7242a	`EOF`
		b7242a	`p12 = OpenSSL::PKCS12.new(str, "abc123")`
		b7242a
		b7242a	`assert_equal nil, p12.key`
		b7242a	`assert_equal nil, p12.certificate`
		b7242a	`assert_equal 1, p12.ca_certs.size`
		b7242a	`- assert_equal @mycert.subject.to_der, p12.ca_certs[0].subject.to_der`
		b7242a	`+ assert_equal @mycert.subject, p12.ca_certs[0].subject`
		b7242a	`end`
		b7242a
		b7242a	`def test_new_with_no_certs`
		b7242a	`# generated with:`
		b7242a	`- # openssl pkcs12 -inkey <RSA1024> -nocerts -export -out <out>`
		b7242a	`+ # openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export`
		b7242a	`str = <<~EOF.unpack("m").first`
		b7242a	`-MIIDJwIBAzCCAu0GCSqGSIb3DQEHAaCCAt4EggLaMIIC1jCCAtIGCSqGSIb3DQEH`
		b7242a	`-AaCCAsMEggK/MIICuzCCArcGCyqGSIb3DQEMCgECoIICpjCCAqIwHAYKKoZIhvcN`
		b7242a	`-AQwBAzAOBAg6AaYnJs84SwICCAAEggKAQzZH+fWSpcQYD1J7PsGSune85A++fLCQ`
		b7242a	`-V7tacp2iv95GJkxwYmfTP176pJdgs00mceB9UJ/u9EX5nD0djdjjQjwo6sgKjY0q`
		b7242a	`-cpVhZw8CMxw7kBD2dhtui0zT8z5hy03LePxsjEKsGiSbeVeeGbSfw/I6AAYbv+Uh`
		b7242a	`-O/YPBGumeHj/D2WKnfsHJLQ9GAV3H6dv5VKYNxjciK7f/JEyZCuUQGIN64QFHDhJ`
		b7242a	`-7fzLqd/ul3FZzJZO6a+dwvcgux09SKVXDRSeFmRCEX4b486iWhJJVspCo9P2KNne`
		b7242a	`-ORrpybr3ZSwxyoICmjyo8gj0OSnEfdx9790Ej1takPqSA1wIdSdBLekbZqB0RBQg`
		b7242a	`-DEuPOsXNo3QFi8ji1vu0WBRJZZSNC2hr5NL6lNR+DKxG8yzDll2j4W4BBIp22mAE`
		b7242a	`-7QRX7kVxu17QJXQhOUac4Dd1qXmzebP8t6xkAxD9L7BWEN5OdiXWwSWGjVjMBneX`
		b7242a	`-nYObi/3UT/aVc5WHMHK2BhCI1bwH51E6yZh06d5m0TQpYGUTWDJdWGBSrp3A+8jN`
		b7242a	`-N2PMQkWBFrXP3smHoTEN4oZC4FWiPsIEyAkQsfKRhcV9lGKl2Xgq54ROTFLnwKoj`
		b7242a	`-Z3zJScnq9qmNzvVZSMmDLkjLyDq0pxRxGKBvgouKkWY7VFFIwwBIJM39iDJ5NbBY`
		b7242a	`-i1AQFTRsRSsZrNVPasCXrIq7bhMoJZb/YZOGBLNyJVqKUoYXhtwsajzSq54VlWft`
		b7242a	`-JxsPayEd4Vi6O9EU1ahnj6qFEZiKFzsicgK2J1Rb8cYagrp0XWjHW0SBn5GVUWCg`
		b7242a	`-GUokSFG/0JTdeYTo/sQuG4qNgJkOolRjpeI48Fciq5VUWLvVdKioXzAxMCEwCQYF`
		b7242a	`-Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4ECEawsN3rNaa6AgIIAA==`
		b7242a	`+MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3`
		b7242a	`+DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK`
		b7242a	`+KoZIhvcNAQwBAzAOBAjX5nN8jyRKwQICCAAEgglIBIRLHfiY1mNHpl3FdX6+`
		b7242a	`+72L+ZOVXnlZ1MY9HSeg0RMkCJcm0mJ2UD7INUOGXvwpK9fr6WJUZM1IqTihQ`
		b7242a	`+1dM0crRC2m23aP7KtAlXh2DYD3otseDtwoN/NE19RsiJzeIiy5TSW1d47weU`
		b7242a	`++D4Ig/9FYVFPTDgMzdCxXujhvO/MTbZIjqtcS+IOyF+91KkXrHkfkGjZC7KS`
		b7242a	`+WRmYw9BBuIPQEewdTI35sAJcxT8rK7JIiL/9mewbSE+Z28Wq1WXwmjL3oZm9`
		b7242a	`+lw6+f515b197GYEGomr6LQqJJamSYpwQbTGHonku6Tf3ylB4NLFqOnRCKE4K`
		b7242a	`+zRSSYIqJBlKHmQ4pDm5awoupHYxMZLZKZvXNYyYN3kV8r1iiNVlY7KBR4CsX`
		b7242a	`+rqUkXehRmcPnuqEMW8aOpuYe/HWf8PYI93oiDZjcEZMwW2IZFFrgBbqUeNCM`
		b7242a	`+CQTkjAYxi5FyoaoTnHrj/aRtdLOg1xIJe4KKcmOXAVMmVM9QEPNfUwiXJrE7`
		b7242a	`+n42gl4NyzcZpxqwWBT++9TnQGZ/lEpwR6dzkZwICNQLdQ+elsdT7mumywP+1`
		b7242a	`+WaFqg9kpurimaiBu515vJNp9Iqv1Nmke6R8Lk6WVRKPg4Akw0fkuy6HS+LyN`
		b7242a	`+ofdCfVUkPGN6zkjAxGZP9ZBwvXUbLRC5W3N5qZuAy5WcsS75z+oVeX9ePV63`
		b7242a	`+cue23sClu8JSJcw3HFgPaAE4sfkQ4MoihPY5kezgT7F7Lw/j86S0ebrDNp4N`
		b7242a	`+Y685ec81NRHJ80CAM55f3kGCOEhoifD4VZrvr1TdHZY9Gm3b1RYaJCit2huF`
		b7242a	`+nlOfzeimdcv/tkjb6UsbpXx3JKkF2NFFip0yEBERRCdWRYMUpBRcl3ad6XHy`
		b7242a	`+w0pVTgIjTxGlbbtOCi3siqMOK0GNt6UgjoEFc1xqjsgLwU0Ta2quRu7RFPGM`
		b7242a	`+GoEwoC6VH23p9Hr4uTFOL0uHfkKWKunNN+7YPi6LT6IKmTQwrp+fTO61N6Xh`
		b7242a	`+KlqTpwESKsIJB2iMnc8wBkjXJtmG/e2n5oTqfhICIrxYmEb7zKDyK3eqeTj3`
		b7242a	`+FhQh2t7cUIiqcT52AckUqniPmlE6hf82yBjhaQUPfi/ExTBtTDSmFfRPUzq+`
		b7242a	`+Rlla4OHllPRzUXJExyansgCxZbPqlw46AtygSWRGcWoYAKUKwwoYjerqIV5g`
		b7242a	`+JoZICV9BOU9TXco1dHXZQTs/nnTwoRmYiL/Ly5XpvUAnQOhYeCPjBeFnPSBR`
		b7242a	`+R/hRNqrDH2MOV57v5KQIH2+mvy26tRG+tVGHmLMaOJeQkjLdxx+az8RfXIrH`
		b7242a	`+7hpAsoBb+g9jUDY1mUVavPk1T45GMpQH8u3kkzRvChfOst6533GyIZhE7FhN`
		b7242a	`+KanC6ACabVFDUs6P9pK9RPQMp1qJfpA0XJFx5TCbVbPkvnkZd8K5Tl/tzNM1`
		b7242a	`+n32eRao4MKr9KDwoDL93S1yJgYTlYjy1XW/ewdedtX+B4koAoz/wSXDYO+GQ`
		b7242a	`+Zu6ZSpKSEHTRPhchsJ4oICvpriVaJkn0/Z7H3YjNMB9U5RR9+GiIg1wY1Oa1`
		b7242a	`+S3WfuwrrI6eqfbQwj6PDNu3IKy6srEgvJwaofQALNBPSYWbauM2brc8qsD+t`
		b7242a	`+n8jC/aD1aMcy00+9t3H/RVCjEOb3yKfUpAldIkEA2NTTnZpoDQDXeNYU2F/W`
		b7242a	`+yhmFjJy8A0O4QOk2xnZK9kcxSRs0v8vI8HivvgWENoVPscsDC4742SSIe6SL`
		b7242a	`+f/T08reIX11f0K70rMtLhtFMQdHdYOTNl6JzhkHPLr/f9MEZsBEQx52depnF`
		b7242a	`+ARb3gXGbCt7BAi0OeCEBSbLr2yWuW4r55N0wRZSOBtgqgjsiHP7CDQSkbL6p`
		b7242a	`+FPlQS1do9gBSHiNYvsmN1LN5bG+mhcVb0UjZub4mL0EqGadjDfDdRJmWqlX0`
		b7242a	`+r5dyMcOWQVy4O2cPqYFlcP9lk8buc5otcyVI2isrAFdlvBK29oK6jc52Aq5Q`
		b7242a	`+0b2ESDlgX8WRgiOPPxK8dySKEeuIwngCtJyNTecP9Ug06TDsu0znZGCXJ+3P`
		b7242a	`+8JOpykgA8EQdOZOYHbo76ZfB2SkklI5KeRA5IBjGs9G3TZ4PHLy2DIwsbWzS`
		b7242a	`+H1g01o1x264nx1cJ+eEgUN/KIiGFIib42RS8Af4D5e+Vj54Rt3axq+ag3kI+`
		b7242a	`+53p8uotyu+SpvvXUP7Kv4xpQ/L6k41VM0rfrd9+DrlDVvSfxP2uh6I1TKF7A`
		b7242a	`+CT5n8zguMbng4PGjxvyPBM5k62t6hN5fuw6Af0aZFexh+IjB/5wFQ6onSz23`
		b7242a	`+fBzMW4St7RgSs8fDg3lrM+5rwXiey1jxY1ddaxOoUsWRMvvdd7rZxRZQoN5v`
		b7242a	`+AcI5iMkK/vvpQgC/sfzhtXtrJ2XOPZ+GVgi7VcuDLKSkdFMcPbGzO8SdxUnS`
		b7242a	`+SLV5XTKqKND+Lrfx7DAoKi5wbDFHu5496/MHK5qP4tBe6sJ5bZc+KDJIH46e`
		b7242a	`+wTV1oWtB5tV4q46hOb5WRcn/Wjz3HSKaGZgx5QbK1MfKTzD5CTUn+ArMockX`
		b7242a	`+2wJhPnFK85U4rgv8iBuh9bRjyw+YaKf7Z3loXRiE1eRG6RzuPF0ZecFiDumk`
		b7242a	`+AC/VUXynJhzePBLqzrQj0exanACdullN+pSfHiRWBxR2VFUkjoFP5X45GK3z`
		b7242a	`+OstSH6FOkMVU4afqEmjsIwozDFIyin5EyWTtdhJe3szdJSGY23Tut+9hUatx`
		b7242a	`+9FDFLESOd8z3tyQSNiLk/Hib+e/lbjxqbXBG/p/oyvP3N999PLUPtpKqtYkV`
		b7242a	`+H0+18sNh9CVfojiJl44fzxe8yCnuefBjut2PxEN0EFRBPv9P2wWlmOxkPKUq`
		b7242a	`+NrCJP0rDj5aONLrNZPrR8bZNdIShkZ/rKkoTuA0WMZ+xUlDRxAupdMkWAlrz`
		b7242a	`+8IcwNcdDjPnkGObpN5Ctm3vK7UGSBmPeNqkXOYf3QTJ9gStJEd0F6+DzTN5C`
		b7242a	`+KGt1IyuGwZqL2Yk51FDIIkr9ykEnBMaA39LS7GFHEDNGlW+fKC7AzA0zfoOr`
		b7242a	`+fXZlHMBuqHtXqk3zrsHRqGGoocigg4ctrhD1UREYKj+eIj1TBiRdf7c6+COf`
		b7242a	`+NIOmej8pX3FmZ4ui+dDA8r2ctgsWHrb4A6iiH+v1DRA61GtoaA/tNRggewXW`
		b7242a	`+VXCZCGWyyTuyHGOqq5ozrv5MlzZLWD/KV/uDsAWmy20RAed1C4AzcXlpX25O`
		b7242a	`+M4SNl47g5VRNJRtMqokc8j6TjZrzMDEwITAJBgUrDgMCGgUABBRrkIRuS5qg`
		b7242a	`+BC8fv38mue8LZVcbHQQIUNrWKEnskCoCAggA`
		b7242a	`EOF`
		b7242a	`p12 = OpenSSL::PKCS12.new(str, "abc123")`
		b7242a
		b7242a	`- assert_equal @mykey.to_der, p12.key.to_der`
		b7242a	`+ assert_equal Fixtures.pkey("rsa-1").to_der, p12.key.to_der`
		b7242a	`assert_equal nil, p12.certificate`
		b7242a	`assert_equal [], Array(p12.ca_certs)`
		b7242a	`end`
		b7242a
		b7242a	`def test_dup`
		b7242a	`- p12 = OpenSSL::PKCS12.create("pass", "name", @mykey, @mycert)`
		b7242a	`+ p12 = OpenSSL::PKCS12.create(`
		b7242a	`+ "pass",`
		b7242a	`+ "name",`
		b7242a	`+ @mykey,`
		b7242a	`+ @mycert,`
		b7242a	`+ nil,`
		b7242a	`+ DEFAULT_PBE_PKEYS,`
		b7242a	`+ DEFAULT_PBE_CERTS,`
		b7242a	`+ )`
		b7242a	`assert_equal p12.to_der, p12.dup.to_der`
		b7242a	`end`
		b7242a	`-`
		b7242a	`- private`
		b7242a	`- def assert_cert expected, actual`
		b7242a	`- [`
		b7242a	`- :subject,`
		b7242a	`- :issuer,`
		b7242a	`- :serial,`
		b7242a	`- :not_before,`
		b7242a	`- :not_after,`
		b7242a	`- ].each do \|attribute\|`
		b7242a	`- assert_equal expected.send(attribute), actual.send(attribute)`
		b7242a	`- end`
		b7242a	`- assert_equal expected.to_der, actual.to_der`
		b7242a	`- end`
		b7242a	`-`
		b7242a	`- def assert_include_cert cert, ary`
		b7242a	`- der = cert.to_der`
		b7242a	`- ary.each do \|candidate\|`
		b7242a	`- if candidate.to_der == der`
		b7242a	`- return true`
		b7242a	`- end`
		b7242a	`- end`
		b7242a	`- false`
		b7242a	`- end`
		b7242a	`end`
		b7242a	`end`
		b7242a
		b7242a
		b7242a	`From 1fc2fad3a163dc41e4e17dd1096e3e63f8e4f2dd Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Fri, 19 Mar 2021 19:18:25 +0900`
		b7242a	`Subject: [PATCH 16/21] ssl: use SSL_get_rbio() to check if SSL is started or`
		b7242a	`not`
		b7242a
		b7242a	`Use SSL_get_rbio() instead of SSL_get_fd(). SSL_get_rbio() is simpler`
		b7242a	`and does not need error handling.`
		b7242a	`---`
		b7242a	`ext/openssl/ossl_ssl.c \| 4 ++--`
		b7242a	`1 file changed, 2 insertions(+), 2 deletions(-)`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c`
		b7242a	`index c80c939e..06bfd96d 100644`
		b7242a	`--- a/ext/openssl/ossl_ssl.c`
		b7242a	`+++ b/ext/openssl/ossl_ssl.c`
		b7242a	`@@ -1529,8 +1529,8 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)`
		b7242a	`static inline int`
		b7242a	`ssl_started(SSL *ssl)`
		b7242a	`{`
		b7242a	`- /* the FD is set in ossl_ssl_setup(), called by #connect or #accept */`
		b7242a	`- return SSL_get_fd(ssl) >= 0;`
		b7242a	`+ /* BIO is created through ossl_ssl_setup(), called by #connect or #accept */`
		b7242a	`+ return SSL_get_rbio(ssl) != NULL;`
		b7242a	`}`
		b7242a
		b7242a	`static void`
		b7242a
		b7242a	`From 01e123051d774355bdda1947d77a832216e5b595 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Sat, 20 Mar 2021 23:16:16 +0900`
		b7242a	`Subject: [PATCH] pkey: use OSSL_STORE to load encrypted PEM on OpenSSL 3.0`
		b7242a
		b7242a	`---`
		b7242a	`ext/openssl/ossl_pkey.c \| 35 +++++++++++++++++++++++++++++++++++`
		b7242a	`1 file changed, 35 insertions(+)`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c`
		b7242a	`index 3982b9c..f58a4c9 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey.c`
		b7242a	`@@ -140,12 +140,41 @@ ossl_pkey_new(EVP_PKEY *pkey)`
		b7242a	`return obj;`
		b7242a	`}`
		b7242a
		b7242a	`+#if OPENSSL_VERSION_MAJOR+0 >= 3`
		b7242a	`+# include <openssl/decoder.h>`
		b7242a	`+static EVP_PKEY *`
		b7242a	`+ossl_pkey_read_decoder(BIO bio, const char input_type, void *ppass)`
		b7242a	`+{`
		b7242a	`+ OSSL_DECODER_CTX *dctx;`
		b7242a	`+ EVP_PKEY *pkey = NULL;`
		b7242a	`+`
		b7242a	`+ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, input_type, NULL, NULL, 0, NULL, NULL);`
		b7242a	`+ if (!dctx)`
		b7242a	`+ goto out;`
		b7242a	`+ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)`
		b7242a	`+ goto out;`
		b7242a	`+ if (OSSL_DECODER_from_bio(dctx, bio) != 1)`
		b7242a	`+ goto out;`
		b7242a	`+`
		b7242a	`+ out:`
		b7242a	`+ OSSL_DECODER_CTX_free(dctx);`
		b7242a	`+ return pkey;`
		b7242a	`+}`
		b7242a	`+#endif`
		b7242a	`+`
		b7242a	`EVP_PKEY *`
		b7242a	`ossl_pkey_read_generic(BIO *bio, VALUE pass)`
		b7242a	`{`
		b7242a	`void ppass = (void )pass;`
		b7242a	`EVP_PKEY *pkey;`
		b7242a
		b7242a	`+#if OPENSSL_VERSION_MAJOR+0 >= 3`
		b7242a	`+ if ((pkey = ossl_pkey_read_decoder(bio, "DER", ppass)))`
		b7242a	`+ goto out;`
		b7242a	`+ OSSL_BIO_reset(bio);`
		b7242a	`+ if ((pkey = ossl_pkey_read_decoder(bio, "PEM", ppass)))`
		b7242a	`+ goto out;`
		b7242a	`+#else`
		b7242a	`if ((pkey = d2i_PrivateKey_bio(bio, NULL)))`
		b7242a	`goto out;`
		b7242a	`OSSL_BIO_reset(bio);`
		b7242a	`@@ -164,8 +193,14 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)`
		b7242a	`OSSL_BIO_reset(bio);`
		b7242a	`if ((pkey = PEM_read_bio_Parameters(bio, NULL)))`
		b7242a	`goto out;`
		b7242a	`+#endif`
		b7242a
		b7242a	`out:`
		b7242a	`+#if OPENSSL_VERSION_MAJOR+0 >= 3`
		b7242a	`+ /* FIXME: OpenSSL bug? */`
		b7242a	`+ if (pkey)`
		b7242a	`+ ossl_clear_error();`
		b7242a	`+#endif`
		b7242a	`return pkey;`
		b7242a	`}`
		b7242a
		b7242a
		b7242a	`From 2bfc05abddd80f927e164bfe4545c87f0b30da81 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Sat, 20 Mar 2021 23:16:41 +0900`
		b7242a	`Subject: [PATCH 18/21] pkey: skip checking if pkey has public key components`
		b7242a	`on OpenSSL 3.0`
		b7242a
		b7242a	`---`
		b7242a	`ext/openssl/ossl_pkey.c \| 6 ++++++`
		b7242a	`1 file changed, 6 insertions(+)`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c`
		b7242a	`index df6aaa46..aceccb5b 100644`
		b7242a	`--- a/ext/openssl/ossl_pkey.c`
		b7242a	`+++ b/ext/openssl/ossl_pkey.c`
		b7242a	`@@ -251,6 +251,12 @@ ossl_pkey_check_public_key(const EVP_PKEY *pkey)`
		b7242a
		b7242a	`/* OpenSSL < 1.1.0 takes non-const pointer */`
		b7242a	`ptr = EVP_PKEY_get0((EVP_PKEY *)pkey);`
		b7242a	`+ /*`
		b7242a	`+ * OpenSSL 3.0.0's EVP_PKEY_get0() returns NULL - the lower level object`
		b7242a	`+ * may not be accesible`
		b7242a	`+ */`
		b7242a	`+ if (!ptr)`
		b7242a	`+ return;`
		b7242a	`switch (EVP_PKEY_base_id(pkey)) {`
		b7242a	`case EVP_PKEY_RSA:`
		b7242a	`RSA_get0_key(ptr, &n, &e, NULL);`
		b7242a
		b7242a	`From 04a0948ab085ab8452dd2fcb507b1af1ff9e0ab2 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Sun, 21 Mar 2021 00:20:04 +0900`
		b7242a	`Subject: [PATCH 19/21] bn: make BN.pseudo_rand{,_range} an alias of`
		b7242a	`BN.rand{,_range}`
		b7242a
		b7242a	`BN_pseudo_rand() and BN_pseudo_rand_range() are deprecated in`
		b7242a	`OpenSSL 3.0. Since they are identical to their non-'pseudo' version`
		b7242a	`anyway, let's make them alias.`
		b7242a	`---`
		b7242a	`ext/openssl/ossl_bn.c \| 18 ++----------------`
		b7242a	`test/openssl/test_bn.rb \| 4 ++++`
		b7242a	`2 files changed, 6 insertions(+), 16 deletions(-)`
		b7242a
		b7242a	`diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c`
		b7242a	`index e0eef4cd..fe62442f 100644`
		b7242a	`--- a/ext/openssl/ossl_bn.c`
		b7242a	`+++ b/ext/openssl/ossl_bn.c`
		b7242a	`@@ -794,12 +794,6 @@ BIGNUM_SELF_SHIFT(rshift)`
		b7242a	`*/`
		b7242a	`BIGNUM_RAND(rand)`
		b7242a
		b7242a	`-/*`
		b7242a	`- * Document-method: OpenSSL::BN.pseudo_rand`
		b7242a	`- * BN.pseudo_rand(bits [, fill [, odd]]) -> aBN`
		b7242a	`- */`
		b7242a	`-BIGNUM_RAND(pseudo_rand)`
		b7242a	`-`
		b7242a	`#define BIGNUM_RAND_RANGE(func) \`
		b7242a	`static VALUE \`
		b7242a	`ossl_bn_s_##func##_range(VALUE klass, VALUE range) \`
		b7242a	`@@ -825,14 +819,6 @@ BIGNUM_RAND(pseudo_rand)`
		b7242a	`*/`
		b7242a	`BIGNUM_RAND_RANGE(rand)`
		b7242a
		b7242a	`-/*`
		b7242a	`- * Document-method: OpenSSL::BN.pseudo_rand_range`
		b7242a	`- * call-seq:`
		b7242a	`- * BN.pseudo_rand_range(range) -> aBN`
		b7242a	`- *`
		b7242a	`- */`
		b7242a	`-BIGNUM_RAND_RANGE(pseudo_rand)`
		b7242a	`-`
		b7242a	`/*`
		b7242a	`* call-seq:`
		b7242a	`* BN.generate_prime(bits, [, safe [, add [, rem]]]) => bn`
		b7242a	`@@ -1182,9 +1168,9 @@ Init_ossl_bn(void)`
		b7242a	`* get_word */`
		b7242a
		b7242a	`rb_define_singleton_method(cBN, "rand", ossl_bn_s_rand, -1);`
		b7242a	`- rb_define_singleton_method(cBN, "pseudo_rand", ossl_bn_s_pseudo_rand, -1);`
		b7242a	`rb_define_singleton_method(cBN, "rand_range", ossl_bn_s_rand_range, 1);`
		b7242a	`- rb_define_singleton_method(cBN, "pseudo_rand_range", ossl_bn_s_pseudo_rand_range, 1);`
		b7242a	`+ rb_define_alias(rb_singleton_class(cBN), "pseudo_rand", "rand");`
		b7242a	`+ rb_define_alias(rb_singleton_class(cBN), "pseudo_rand_range", "rand_range");`
		b7242a
		b7242a	`rb_define_singleton_method(cBN, "generate_prime", ossl_bn_s_generate_prime, -1);`
		b7242a	`rb_define_method(cBN, "prime?", ossl_bn_is_prime, -1);`
		b7242a	`diff --git a/test/openssl/test_bn.rb b/test/openssl/test_bn.rb`
		b7242a	`index 1ed4bbee..36af9644 100644`
		b7242a	`--- a/test/openssl/test_bn.rb`
		b7242a	`+++ b/test/openssl/test_bn.rb`
		b7242a	`@@ -228,6 +228,10 @@ def test_random`
		b7242a	`r5 = OpenSSL::BN.rand_range(256)`
		b7242a	`assert_include(0..255, r5)`
		b7242a	`}`
		b7242a	`+`
		b7242a	`+ # Aliases`
		b7242a	`+ assert_include(128..255, OpenSSL::BN.pseudo_rand(8))`
		b7242a	`+ assert_include(0..255, OpenSSL::BN.pseudo_rand_range(256))`
		b7242a	`end`
		b7242a
		b7242a	`def test_prime`
		b7242a
		b7242a	`From a2de5b69f144491426cb393e1fc929af404fda12 Mon Sep 17 00:00:00 2001`
		b7242a	`From: Kazuki Yamaguchi <k@rhe.jp>`
		b7242a	`Date: Sun, 21 Mar 2021 00:23:31 +0900`
		b7242a	`Subject: [PATCH 20/21] test/openssl/test_ssl.rb: fix illegal SAN extension`
		b7242a
		b7242a	`A certificate can only have one SubjectAltName extension. OpenSSL 3.0`
		b7242a	`does a stricter validation and such a certificate is rejected.`
		b7242a	`---`
		b7242a	`test/openssl/test_ssl.rb \| 3 +--`
		b7242a	`1 file changed, 1 insertion(+), 2 deletions(-)`
		b7242a
		b7242a	`diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb`
		b7242a	`index 6c9547dc..60520b22 100644`
		b7242a	`--- a/test/openssl/test_ssl.rb`
		b7242a	`+++ b/test/openssl/test_ssl.rb`
		b7242a	`@@ -551,8 +551,7 @@ def test_post_connection_check`
		b7242a
		b7242a	`exts = [`
		b7242a	`["keyUsage","keyEncipherment,digitalSignature",true],`
		b7242a	`- ["subjectAltName","DNS:localhost.localdomain",false],`
		b7242a	`- ["subjectAltName","IP:127.0.0.1",false],`
		b7242a	`+ ["subjectAltName","DNS:localhost.localdomain,IP:127.0.0.1",false],`
		b7242a	`]`
		b7242a	`@svr_cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key)`
		b7242a	`start_server { \|port\|`

rpms / ruby

Source Code

Blame SOURCES/ruby-3.0-support-openssl-3.0-pr399.patch