Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Modify SSLContext#add_certificate_chain_file #309

Merged
merged 8 commits into from
Jan 24, 2020
Merged

Modify SSLContext#add_certificate_chain_file #309

merged 8 commits into from
Jan 24, 2020

Conversation

thekuwayama
Copy link
Contributor

Hi!

This PR is related to #305.

This modifies OpenSSL::SSL::SSLContext#add_certificate_chain_file to accept the path to the private key.

This PR

  • modifies add_certificate_chain_file
  • adds the doc for add_certificate_chain_file
  • modifies testcase about add_certificate_chain_file

This PR referenced SSLContext#add_certificate.

thekuwayama
thekuwayama commented Jan 1, 2020
View reviewed changes
ext/openssl/ossl_ssl.c Outdated
if (!pub_pkey)
rb_raise(rb_eArgError, "certificate does not contain public key");

if (EVP_PKEY_cmp(pub_pkey, pkey) != 1)
Copy link
Contributor Author

@thekuwayama thekuwayama Jan 1, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need a review.

To check arguments in advance, I chose not to use SSL_CTX_check_private_key.
If SSL_CTX_check_private_key is called and returned the value is not 1, the set private key should be cleared.
But, the API to clear the private key is not supported, as far as I can see.
It checks arguments first so that it is not set the certificate chain and the private key to the ctx.

bdewater
bdewater reviewed Jan 4, 2020
View reviewed changes
test/test_ssl.rb Outdated Show resolved Hide resolved
bdewater
bdewater reviewed Jan 4, 2020
View reviewed changes
test/test_ssl.rb Outdated Show resolved Hide resolved
ioquatix
ioquatix reviewed Jan 4, 2020
View reviewed changes
test/test_ssl.rb
@@ -186,8 +186,107 @@ def test_add_certificate_multiple_certs
end

def test_add_certificate_chain_file
ctx = OpenSSL::SSL::SSLContext.new
assert ctx.add_certificate_chain_file(Fixtures.file_path("chain", "server.crt"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe create a separate test, since this is still a useful test, no?

Copy link
Contributor Author

@thekuwayama thekuwayama Jan 4, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!! You commented about assert ctx.add_certificate_chain_file?
Now, SSLContext#add_certificate_chain_file returns self, not boolean.
I have modified tests to call assert_nothing_raised.

Copy link
Contributor Author

@thekuwayama thekuwayama Jan 4, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have modified add_certificate_chain_file to return self. It is the reason the following as:

  1. It is exceptional situations to fail to add the certificate or the private key. So, when failed to add, add_certificate_chain_file be better to raise an error instead of returning false, I think.
  2. add_certificate(method for a similar purpose) raises an error if failed to add, too.

@thekuwayama thekuwayama force-pushed the modify__add_certificate_chain_file branch from b73ba43 to 417e8cf Compare January 17, 2020 06:05
@thekuwayama
Copy link
Contributor Author

I have done the rebase and push.

ioquatix
ioquatix requested changes Jan 24, 2020
View reviewed changes
ext/openssl/ossl_ssl.c Outdated Show resolved Hide resolved
@ioquatix ioquatix merged commit 0da0dfa into ruby:master Jan 24, 2020
@ioquatix ioquatix added this to the v2.2.0 milestone Jan 24, 2020
@thekuwayama thekuwayama deleted the modify__add_certificate_chain_file branch January 24, 2020 11:33
@thekuwayama
Copy link
Contributor Author

@ioquatix Thank you for reviewing!! 😄
I close #305.

@rhenium rhenium mentioned this pull request May 10, 2020
Closed
rhenium added a commit to rhenium/ruby-openssl that referenced this pull request May 13, 2020
@rhenium
ssl: temporarily remove SSLContext#add_certificate_chain_file
ea92561 
Let's revert the changes for now, as it cannot be included in the 2.2.0
release.

My comment on ruby#257:

> A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It
> has a pending change and I don't want to include it in an incomplete
> state.
>
> The initial implementation in commit 46e4bdb was not really
> useful. The issue is described in ruby#305. ruby#309 extended it
> to take the corresponding private key together. However, the new
> implementation was incompatible on Windows and was reverted by ruby#320 to
> the initial one.
>
> (The prerequisite to implement it in) an alternative way is ruby#288, and
> it's still cooking.

This effectively reverts the following commits:

 - dacd089 ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09)
 - 46e4bdb ("Add support for SSL_CTX_use_certificate_chain_file. Fixes ruby#254.", 2019-06-13)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bdewater bdewater bdewater left review comments

@ioquatix ioquatix ioquatix requested changes

Assignees
No one assigned
Labels
None yet
Milestone
v2.2.0
Development

Successfully merging this pull request may close these issues.
3 participants
@thekuwayama @ioquatix @bdewater