Kazuki Yamaguchi

icon indicating a website link https://rhe.jp/ icon indicating an email [email protected]

icon location @ruby core team | AS51044 operator

Results 109 comments of Kazuki Yamaguchi

Add OpenSSL::Digest.digests to get a list of available digests

> Is there an official document about the "shot name" and "long name" as a return value in OpenSSL project? I am confused because for example, both "SHA512-224" and "sha512-224"...

Intermediate structure wrapping SSL on sockets

Wrapping the `SSL` struct should be unnecessary. `SSL` has the `ex_data` to store an arbitrary data with it, and in ruby/openssl, every `SSL` struct has a corresponding `SSLSocket` object, so...

remove file check to support proxied SSL connection

Currently, SSLSocket passes the file descriptor to OpenSSL and doesn't use Ruby's IO interface. https://github.com/ruby/openssl/blob/45c731c5bbada6be9eb84013939dd74c3779acdd/ext/openssl/ossl_ssl.c#L1688-L1689 OpenSSL uses an abstraction layer called BIO to interact with the underlying socket. Here is...

remove file check to support proxied SSL connection

I was exploring the approach to implement a `BIO_METHOD` that simply translates those Ruby IO methods. It's not reviewed carefully, but here is a WIP PR: #736 Thanks for the...

OpenSSL 3 support for loading engine keys

Related to #722. Could you tell us which engine you are using?

OpenSSL 3 support for loading engine keys

I reproduced the error using the gost engine with OpenSSL 3.2. According to https://github.com/gost-engine/engine/blob/e0a500ab877ba72cb14026a24d462dd923b90ced/README.prov.md, pkeys haven't been ported to a provider and are only implemented through the legacy engine interface....

OpenSSL 3 | Providers | Support broader range of URI schemes for loading keys

Could you tell us which engine or provider you are using? > In the [migration guide](https://www.openssl.org/docs/man3.0/man7/migration_guide.html), the proposed alternative is the usage of OSSL_STORE. As far as I can tell,...

OpenSSL::PKey::PKey subclass for EVP_PKEY_RSA_PSS

You can currently use `OpenSSL::PKey::PKey#sign` to do RSA-PSS without needing the `RSA#sign_pss`. The test code may be useful for you today: https://github.com/ruby/openssl/blob/9569999f7654dd369181f53dae5481429042dcc2/test/openssl/test_pkey_rsa.rb#L96-L116

OpenSSL::PKey::PKey subclass for EVP_PKEY_RSA_PSS

I wonder if we could add a PKey class for `EVP_PKEY_RSA_PSS`. I think `#sign_pss` and `#verify_pss` should just work on the pkey object decoded from PKCS#8. `EVP_PKEY_RSA_PSS` seems to be...

OpenSSL 3.2.0 - sessions, time, signed vs unsigned, failure with negative session timeout values

Thank you for digging into this! IIUC OpenSSL 3.2.0 didn't intend to break backwards-compatibility, but setting the timeout value to a negative number doesn't seem like a feature. The SSLeay...