static VALUE ossl_ocspcid_initialize(int argc, VALUE *argv, VALUE self) { OCSP_CERTID *id, *newid; X509 *x509s, *x509i; VALUE subject, issuer, digest; const EVP_MD *md; if (rb_scan_args(argc, argv, "21", &subject, &issuer, &digest) == 0) { return self; } x509s = GetX509CertPtr(subject); /* NO NEED TO DUP */ x509i = GetX509CertPtr(issuer); /* NO NEED TO DUP */ if (!NIL_P(digest)) { md = GetDigestPtr(digest); newid = OCSP_cert_to_id(md, x509s, x509i); } else { newid = OCSP_cert_to_id(NULL, x509s, x509i); } if(!newid) ossl_raise(eOCSPError, NULL); GetOCSPCertId(self, id); OCSP_CERTID_free(id); RDATA(self)->data = newid; return self; }
static VALUE ossl_cipher_pkcs5_keyivgen(int argc, VALUE *argv, VALUE self) { EVP_CIPHER_CTX *ctx; const EVP_MD *digest; VALUE vpass, vsalt, viter, vdigest; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH], *salt = NULL; int iter; rb_scan_args(argc, argv, "13", &vpass, &vsalt, &viter, &vdigest); StringValue(vpass); if(!NIL_P(vsalt)){ StringValue(vsalt); if(RSTRING(vsalt)->len != PKCS5_SALT_LEN) rb_raise(eCipherError, "salt must be an 8-octet string"); salt = RSTRING(vsalt)->ptr; } iter = NIL_P(viter) ? 2048 : NUM2INT(viter); digest = NIL_P(vdigest) ? EVP_md5() : GetDigestPtr(vdigest); GetCipher(self, ctx); EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), digest, salt, RSTRING(vpass)->ptr, RSTRING(vpass)->len, iter, key, iv); if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, -1) != 1) ossl_raise(eCipherError, NULL); OPENSSL_cleanse(key, sizeof key); OPENSSL_cleanse(iv, sizeof iv); return Qnil; }
/* * call-seq: * HMAC.new(key, digest) -> hmac * * Returns an instance of OpenSSL::HMAC set with the key and digest * algorithm to be used. The instance represents the initial state of * the message authentication code before any data has been processed. * To process data with it, use the instance method #update with your * data as an argument. * * === Example * * key = 'key' * digest = OpenSSL::Digest.new('sha1') * instance = OpenSSL::HMAC.new(key, digest) * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f * instance.class * #=> OpenSSL::HMAC * * === A note about comparisons * * Two instances won't be equal when they're compared, even if they have the * same value. Use #to_s or #hexdigest to return the authentication code that * the instance represents. For example: * * other_instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1')) * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f * instance * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f * instance == other_instance * #=> false * instance.to_s == other_instance.to_s * #=> true * */ static VALUE ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest) { HMAC_CTX *ctx; StringValue(key); GetHMAC(self, ctx); HMAC_Init(ctx, RSTRING_PTR(key), RSTRING_LENINT(key), GetDigestPtr(digest)); return self; }
static VALUE ossl_x509crl_sign(VALUE self, VALUE key, VALUE digest) { X509_CRL *crl; EVP_PKEY *pkey; const EVP_MD *md; GetX509CRL(self, crl); pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */ md = GetDigestPtr(digest); if (!X509_CRL_sign(crl, pkey, md)) { ossl_raise(eX509CRLError, NULL); } return self; }
/* * call-seq: * spki.sign(key, digest) => spki * * === Parameters * * +key+ - the private key to be used for signing this instance * * +digest+ - the digest to be used for signing this instance * * To sign an SPKI, the private key corresponding to the public key set * for this instance should be used, in addition to a digest algorithm in * the form of an OpenSSL::Digest. The private key should be an instance of * OpenSSL::PKey. */ static VALUE ossl_spki_sign(VALUE self, VALUE key, VALUE digest) { NETSCAPE_SPKI *spki; EVP_PKEY *pkey; const EVP_MD *md; pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */ md = GetDigestPtr(digest); GetSPKI(self, spki); if (!NETSCAPE_SPKI_sign(spki, pkey, md)) { ossl_raise(eSPKIError, NULL); } return self; }
/* * call-seq: * Digest.new(string) -> digest * */ static VALUE ossl_digest_initialize(VALUE self, SEL sel, int argc, VALUE *argv) { EVP_MD_CTX *ctx; const EVP_MD *md; VALUE type, data; rb_scan_args(argc, argv, "11", &type, &data); md = GetDigestPtr(type); if (!NIL_P(data)) StringValue(data); GetDigest(self, ctx); EVP_DigestInit_ex(ctx, md, NULL); if (!NIL_P(data)) return ossl_digest_update(self, 0, data); return self; }
static VALUE ossl_pkcs7si_initialize(VALUE self, VALUE cert, VALUE key, VALUE digest) { PKCS7_SIGNER_INFO *p7si; EVP_PKEY *pkey; X509 *x509; const EVP_MD *md; pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */ x509 = GetX509CertPtr(cert); /* NO NEED TO DUP */ md = GetDigestPtr(digest); GetPKCS7si(self, p7si); if (!(PKCS7_SIGNER_INFO_set(p7si, x509, pkey, (EVP_MD*)md))) { ossl_raise(ePKCS7Error, NULL); } return self; }
/* * call-seq: * Digest.new(string [, data]) -> Digest * * Creates a Digest instance based on +string+, which is either the ln * (long name) or sn (short name) of a supported digest algorithm. * If +data+ (a +String+) is given, it is used as the initial input to the * Digest instance, i.e. * digest = OpenSSL::Digest.new('sha256', 'digestdata') * is equal to * digest = OpenSSL::Digest.new('sha256') * digest.update('digestdata') * * === Example * digest = OpenSSL::Digest.new('sha1') * * */ static VALUE ossl_digest_initialize(int argc, VALUE *argv, VALUE self) { EVP_MD_CTX *ctx; const EVP_MD *md; VALUE type, data; rb_scan_args(argc, argv, "11", &type, &data); md = GetDigestPtr(type); if (!NIL_P(data)) StringValue(data); GetDigest(self, ctx); if (EVP_DigestInit_ex(ctx, md, NULL) != 1) { ossl_raise(eDigestError, "Digest initialization failed."); } if (!NIL_P(data)) return ossl_digest_update(self, data); return self; }
/* * call-seq: * PKCS5.pbkdf2_hmac(pass, salt, iter, keylen, digest) => string * * === Parameters * * +pass+ - string * * +salt+ - string * * +iter+ - integer - should be greater than 1000. 2000 is better. * * +keylen+ - integer * * +digest+ - a string or OpenSSL::Digest object. * * Available in OpenSSL 0.9.9?. * * Digests other than SHA1 may not be supported by other cryptography libraries. */ static VALUE ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE keylen, VALUE digest) { VALUE str; const EVP_MD *md; int len = NUM2INT(keylen); StringValue(pass); StringValue(salt); md = GetDigestPtr(digest); str = rb_str_new(0, len); if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), (unsigned char *)RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter), md, len, (unsigned char *)RSTRING_PTR(str)) != 1) ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC"); return str; }
/* * call-seq: * pkey.verify(digest, signature, data) -> String * * To verify the +String+ +signature+, +digest+, an instance of * OpenSSL::Digest, must be provided to re-compute the message digest of the * original +data+, also a +String+. The return value is +true+ if the * signature is valid, +false+ otherwise. A PKeyError is raised should errors * occur. * Any previous state of the +Digest+ instance is irrelevant to the validation * outcome, the digest instance is reset to its initial state during the * operation. * * == Example * data = 'Sign me!' * digest = OpenSSL::Digest::SHA256.new * pkey = OpenSSL::PKey::RSA.new(2048) * signature = pkey.sign(digest, data) * pub_key = pkey.public_key * puts pub_key.verify(digest, signature, data) # => true */ static VALUE ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data) { EVP_PKEY *pkey; EVP_MD_CTX ctx; GetPKey(self, pkey); EVP_VerifyInit(&ctx, GetDigestPtr(digest)); StringValue(sig); StringValue(data); EVP_VerifyUpdate(&ctx, RSTRING_PTR(data), RSTRING_LEN(data)); switch (EVP_VerifyFinal(&ctx, (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), pkey)) { case 0: return Qfalse; case 1: return Qtrue; default: ossl_raise(ePKeyError, NULL); } return Qnil; /* dummy */ }
/* * call-seq: * pkey.sign(digest, data) -> String * * To sign the +String+ +data+, +digest+, an instance of OpenSSL::Digest, must * be provided. The return value is again a +String+ containing the signature. * A PKeyError is raised should errors occur. * Any previous state of the +Digest+ instance is irrelevant to the signature * outcome, the digest instance is reset to its initial state during the * operation. * * == Example * data = 'Sign me!' * digest = OpenSSL::Digest::SHA256.new * pkey = OpenSSL::PKey::RSA.new(2048) * signature = pkey.sign(digest, data) */ static VALUE ossl_pkey_sign(VALUE self, VALUE digest, VALUE data) { EVP_PKEY *pkey; EVP_MD_CTX ctx; unsigned int buf_len; VALUE str; if (rb_funcallv(self, id_private_q, 0, NULL) != Qtrue) { ossl_raise(rb_eArgError, "Private key is needed."); } GetPKey(self, pkey); EVP_SignInit(&ctx, GetDigestPtr(digest)); StringValue(data); EVP_SignUpdate(&ctx, RSTRING_PTR(data), RSTRING_LEN(data)); str = rb_str_new(0, EVP_PKEY_size(pkey)+16); if (!EVP_SignFinal(&ctx, (unsigned char *)RSTRING_PTR(str), &buf_len, pkey)) ossl_raise(ePKeyError, NULL); assert((long)buf_len <= RSTRING_LEN(str)); rb_str_set_len(str, buf_len); return str; }