
Commit 5b75dbb

committed
ssl: update keys used in tests
Use generic keys whenever possible.
1 parent c4b29c9 commit 5b75dbb


1 file changed

+17
-9
lines changed


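--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -2079,7 +2079,7 @@ def test_pqc_sigalg
 digest: nil)
 mldsa_cert = issue_cert(@svr, mldsa, 60, [], mldsa_ca_cert, mldsa_ca_key,
 digest: nil)
-rsa = Fixtures.pkey("rsa2048")
+rsa = Fixtures.pkey("rsa-1")
 rsa_cert = issue_cert(@svr, rsa, 61, [], @ca_cert, @ca_key)
 ctx_proc = -> ctx {
 # Unset values set by start_server
@@ -2246,22 +2246,30 @@ def test_security_level
 end
 assert_equal(1, ctx.security_level)
 
-dsa512 = Fixtures.pkey("dsa512")
-dsa512_cert = issue_cert(@svr, dsa512, 50, [], @ca_cert, @ca_key)
-rsa1024 = Fixtures.pkey("rsa1024")
-rsa1024_cert = issue_cert(@svr, rsa1024, 51, [], @ca_cert, @ca_key)
+# See SSL_CTX_set_security_level(3). Definitions of security levels may
+# change in future OpenSSL versions. As of OpenSSL 1.1.0:
+# - Level 1 requires 160-bit ECC keys or 1024-bit RSA keys.
+# - Level 2 requires 224-bit ECC keys or 2048-bit RSA keys.
+begin
+ec112 = OpenSSL::PKey::EC.generate("secp112r1")
+ec112_cert = issue_cert(@svr, ec112, 50, [], @ca_cert, @ca_key)
+ec192 = OpenSSL::PKey::EC.generate("prime192v1")
+ec192_cert = issue_cert(@svr, ec192, 51, [], @ca_cert, @ca_key)
+rescue OpenSSL::PKey::PKeyError
+# Distro-provided OpenSSL may refuse to generate small keys
+return
+end
 
 assert_raise(OpenSSL::SSL::SSLError) {
-# 512 bit DSA key is rejected because it offers < 80 bits of security
-ctx.add_certificate(dsa512_cert, dsa512)
+ctx.add_certificate(ec112_cert, ec112)
 }
 assert_nothing_raised {
-ctx.add_certificate(rsa1024_cert, rsa1024)
+ctx.add_certificate(ec192_cert, ec192)
 }
 ctx.security_level = 2
 assert_raise(OpenSSL::SSL::SSLError) {
 # < 112 bits of security
-ctx.add_certificate(rsa1024_cert, rsa1024)
+ctx.add_certificate(ec192_cert, ec192)
 }
 end
 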
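Review bot: The `rescue OpenSSL::PKey::PKeyError` branch in test_security_level ends in a bare `return`, so on an OpenSSL build that refuses these small curves the test is reported as passed although none of the `add_certificate` security-level checks ran. Marking the case as skipped keeps that gap visible in the test report, e.g. `omit "OpenSSL refused to generate small EC keys"` in place of `return`, assuming the harness provides test-unit's `omit`. The `begin` block also wraps both `issue_cert` calls, so a PKeyError raised while signing would be swallowed the same way; limiting it to the two `OpenSSL::PKey::EC.generate` calls would avoid that. test_security_level starts above this hunk, so the earlier setup of `ctx` is not visible here.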
