Merge pull request #61 from ClearlyClaire/openssl-3

brauliomartinezlm · web-flow · commit 530db2f061e9 · 2022-07-03T19:19:56.000-03:00
Add support for OpenSSL 3.0
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -22,6 +22,7 @@ jobs:
           - 2.5.8
           - 2.4.10
         gemfile:
+          - openssl_3_0
           - openssl_2_2
           - openssl_2_1
           - openssl_2_0
diff --git a/Appraisals b/Appraisals
@@ -12,5 +12,9 @@ appraise "openssl_2_0" do
   gem "openssl", "~> 2.0.0"
 end
 
+appraise "openssl_3_0" do
+  gem "openssl", "~> 3.0.0"
+end
+
 appraise "openssl_default" do
 end
diff --git a/lib/cose/key/ec2.rb b/lib/cose/key/ec2.rb
@@ -71,13 +71,31 @@ def to_pkey
           pkey = OpenSSL::PKey::EC.new(group)
           public_key_bn = OpenSSL::BN.new("\x04" + x + y, 2)
           public_key_point = OpenSSL::PKey::EC::Point.new(group, public_key_bn)
-          pkey.public_key = public_key_point
+
+          # RFC5480 SubjectPublicKeyInfo
+          asn1 = OpenSSL::ASN1::Sequence([
+            OpenSSL::ASN1::Sequence([
+              OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+              OpenSSL::ASN1::ObjectId(curve.pkey_name),
+            ]),
+            OpenSSL::ASN1::BitString(public_key_point.to_octet_string(:uncompressed))
+          ])
 
           if d
-            pkey.private_key = OpenSSL::BN.new(d, 2)
+            # RFC5915 ECPrivateKey
+            asn1 = OpenSSL::ASN1::Sequence([
+              OpenSSL::ASN1::Integer.new(1),
+              # Not properly padded but OpenSSL doesn't mind
+              OpenSSL::ASN1::OctetString(OpenSSL::BN.new(d, 2).to_s(2)),
+              OpenSSL::ASN1::ObjectId(curve.pkey_name, 0, :EXPLICIT),
+              OpenSSL::ASN1::BitString(public_key_point.to_octet_string(:uncompressed), 1, :EXPLICIT),
+            ])
+
+            der = asn1.to_der
+            return OpenSSL::PKey::EC.new(der)
           end
 
-          pkey
+          OpenSSL::PKey::EC.new(asn1.to_der)
         else
           raise "Unsupported curve #{crv}"
         end
diff --git a/lib/cose/key/rsa.rb b/lib/cose/key/rsa.rb
@@ -88,31 +88,28 @@ def map
       end
 
       def to_pkey
-        pkey = OpenSSL::PKey::RSA.new
-
-        if pkey.respond_to?(:set_key)
-          pkey.set_key(bn(n), bn(e), bn(d))
-        else
-          pkey.n = bn(n)
-          pkey.e = bn(e)
-          pkey.d = bn(d)
-        end
+        # PKCS#1 RSAPublicKey
+        asn1 = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer.new(bn(n)),
+          OpenSSL::ASN1::Integer.new(bn(e)),
+        ])
+        pkey = OpenSSL::PKey::RSA.new(asn1.to_der)
 
         if private?
-          if pkey.respond_to?(:set_factors)
-            pkey.set_factors(bn(p), bn(q))
-          else
-            pkey.p = bn(p)
-            pkey.q = bn(q)
-          end
-
-          if pkey.respond_to?(:set_crt_params)
-            pkey.set_crt_params(bn(dp), bn(dq), bn(qinv))
-          else
-            pkey.dmp1 = bn(dp)
-            pkey.dmq1 = bn(dq)
-            pkey.iqmp = bn(qinv)
-          end
+          # PKCS#1 RSAPrivateKey
+          asn1 = OpenSSL::ASN1::Sequence([
+            OpenSSL::ASN1::Integer.new(0),
+            OpenSSL::ASN1::Integer.new(bn(n)),
+            OpenSSL::ASN1::Integer.new(bn(e)),
+            OpenSSL::ASN1::Integer.new(bn(d)),
+            OpenSSL::ASN1::Integer.new(bn(p)),
+            OpenSSL::ASN1::Integer.new(bn(q)),
+            OpenSSL::ASN1::Integer.new(bn(dp)),
+            OpenSSL::ASN1::Integer.new(bn(dq)),
+            OpenSSL::ASN1::Integer.new(bn(qinv)),
+          ])
+
+          pkey = OpenSSL::PKey::RSA.new(asn1.to_der)
         end
 
         pkey
diff --git a/spec/cose/key/ec2_spec.rb b/spec/cose/key/ec2_spec.rb
@@ -93,7 +93,7 @@
 
   context "#to_pkey" do
     it "works for an EC key in the P-256 curve" do
-      original_pkey = OpenSSL::PKey::EC.new("prime256v1").generate_key
+      original_pkey = OpenSSL::PKey::EC.generate("prime256v1")
       pkey = COSE::Key::EC2.from_pkey(original_pkey).to_pkey
 
       expect(pkey).to be_a(OpenSSL::PKey::EC)
@@ -103,7 +103,7 @@
     end
 
     it "works for an EC key in the P-384 curve" do
-      original_pkey = OpenSSL::PKey::EC.new("secp384r1").generate_key
+      original_pkey = OpenSSL::PKey::EC.generate("secp384r1")
       pkey = COSE::Key::EC2.from_pkey(original_pkey).to_pkey
 
       expect(pkey).to be_a(OpenSSL::PKey::EC)
@@ -113,7 +113,7 @@
     end
 
     it "works for an EC key in the P-521 curve" do
-      original_pkey = OpenSSL::PKey::EC.new("secp521r1").generate_key
+      original_pkey = OpenSSL::PKey::EC.generate("secp521r1")
       pkey = COSE::Key::EC2.from_pkey(original_pkey).to_pkey
 
       expect(pkey).to be_a(OpenSSL::PKey::EC)
@@ -123,7 +123,7 @@
     end
 
     it "works for an EC key in the secp256k1 curve" do
-      original_pkey = OpenSSL::PKey::EC.new("secp256k1").generate_key
+      original_pkey = OpenSSL::PKey::EC.generate("secp256k1")
       pkey = COSE::Key::EC2.from_pkey(original_pkey).to_pkey
 
       expect(pkey).to be_a(OpenSSL::PKey::EC)
diff --git a/spec/cose/key_spec.rb b/spec/cose/key_spec.rb
@@ -7,7 +7,7 @@
 RSpec.describe COSE::Key do
   describe ".serialize" do
     it "can serialize EC P-256 key" do
-      key = OpenSSL::PKey::EC.new("prime256v1").generate_key
+      key = OpenSSL::PKey::EC.generate("prime256v1")
 
       cbor = COSE::Key.serialize(key)
       map = CBOR.decode(cbor)
@@ -21,7 +21,7 @@
     end
 
     it "can serialize EC P-384 key" do
-      key = OpenSSL::PKey::EC.new("secp384r1").generate_key
+      key = OpenSSL::PKey::EC.generate("secp384r1")
 
       cbor = COSE::Key.serialize(key)
       map = CBOR.decode(cbor)
@@ -35,7 +35,7 @@
     end
 
     it "can serialize EC P-521 key" do
-      key = OpenSSL::PKey::EC.new("secp521r1").generate_key
+      key = OpenSSL::PKey::EC.generate("secp521r1")
 
       cbor = COSE::Key.serialize(key)
       map = CBOR.decode(cbor)
