ruby/ruby-3.2.0-ossl_ocsp-use-null.patch

From a1f6cbc26119244a3556864c5402123666db5376 Mon Sep 17 00:00:00 2001
From: Jarek Prokop <jprokop@redhat.com>
Date: Tue, 12 Apr 2022 09:44:21 +0200
Subject: [PATCH 1/2] Let OpenSSL choose the digest if digest for
 Openssl::OCSP::Request#sign is nil.

---
 ext/openssl/ossl_ocsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index 1e87484a..543df271 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -382,7 +382,7 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
     if (!NIL_P(flags))
 	flg = NUM2INT(flags);
     if (NIL_P(digest))
-	md = EVP_sha1();
+	md = NULL;
     else
 	md = ossl_evp_get_digestbyname(digest);
     if (NIL_P(certs))

From 27efcd7e1ccc8afb9bb57f8616e4d01f0656d1dc Mon Sep 17 00:00:00 2001
From: Jarek Prokop <jprokop@redhat.com>
Date: Tue, 12 Apr 2022 09:44:37 +0200
Subject: [PATCH 2/2] Let OpenSSL choose the digest if digest for
 Openssl::OCSP::BasicResponse#sign is nil.

---
 ext/openssl/ossl_ocsp.c   | 2 +-
 test/openssl/test_ocsp.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index 543df271..9c8d768d 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -1033,7 +1033,7 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
     if (!NIL_P(flags))
 	flg = NUM2INT(flags);
     if (NIL_P(digest))
-	md = EVP_sha1();
+	md = NULL;
     else
 	md = ossl_evp_get_digestbyname(digest);
     if (NIL_P(certs))
diff --git a/test/openssl/test_ocsp.rb b/test/openssl/test_ocsp.rb
index ef7321ab..85f13375 100644
--- a/test/openssl/test_ocsp.rb
+++ b/test/openssl/test_ocsp.rb
@@ -99,7 +99,7 @@ def test_request_der
     request.sign(@cert, @cert_key, [@ca_cert], 0)
     asn1 = OpenSSL::ASN1.decode(request.to_der)
     assert_equal cid.to_der, asn1.value[0].value.find { |a| a.tag_class == :UNIVERSAL }.value[0].value[0].to_der
-    assert_equal OpenSSL::ASN1.ObjectId("sha1WithRSAEncryption").to_der, asn1.value[1].value[0].value[0].value[0].to_der
+    assert_equal OpenSSL::ASN1.ObjectId("sha256WithRSAEncryption").to_der, asn1.value[1].value[0].value[0].value[0].to_der
     assert_equal @cert.to_der, asn1.value[1].value[0].value[2].value[0].value[0].to_der
     assert_equal @ca_cert.to_der, asn1.value[1].value[0].value[2].value[0].value[1].to_der
     assert_equal asn1.to_der, OpenSSL::OCSP::Request.new(asn1.to_der).to_der
Add upstream patches to avoid SHA1 usage in ossl 2022-12-22 16:34:59 +00:00			`From a1f6cbc26119244a3556864c5402123666db5376 Mon Sep 17 00:00:00 2001`
			`From: Jarek Prokop <jprokop@redhat.com>`
			`Date: Tue, 12 Apr 2022 09:44:21 +0200`
			`Subject: [PATCH 1/2] Let OpenSSL choose the digest if digest for`
			`Openssl::OCSP::Request#sign is nil.`

			`---`
			`ext/openssl/ossl_ocsp.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c`
			`index 1e87484a..543df271 100644`
			`--- a/ext/openssl/ossl_ocsp.c`
			`+++ b/ext/openssl/ossl_ocsp.c`
			`@@ -382,7 +382,7 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)`
			`if (!NIL_P(flags))`
			`flg = NUM2INT(flags);`
			`if (NIL_P(digest))`
			`- md = EVP_sha1();`
			`+ md = NULL;`
			`else`
			`md = ossl_evp_get_digestbyname(digest);`
			`if (NIL_P(certs))`

			`From 27efcd7e1ccc8afb9bb57f8616e4d01f0656d1dc Mon Sep 17 00:00:00 2001`
			`From: Jarek Prokop <jprokop@redhat.com>`
			`Date: Tue, 12 Apr 2022 09:44:37 +0200`
			`Subject: [PATCH 2/2] Let OpenSSL choose the digest if digest for`
			`Openssl::OCSP::BasicResponse#sign is nil.`

			`---`
			`ext/openssl/ossl_ocsp.c \| 2 +-`
			`test/openssl/test_ocsp.rb \| 2 +-`
			`2 files changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c`
			`index 543df271..9c8d768d 100644`
			`--- a/ext/openssl/ossl_ocsp.c`
			`+++ b/ext/openssl/ossl_ocsp.c`
			`@@ -1033,7 +1033,7 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)`
			`if (!NIL_P(flags))`
			`flg = NUM2INT(flags);`
			`if (NIL_P(digest))`
			`- md = EVP_sha1();`
			`+ md = NULL;`
			`else`
			`md = ossl_evp_get_digestbyname(digest);`
			`if (NIL_P(certs))`
			`diff --git a/test/openssl/test_ocsp.rb b/test/openssl/test_ocsp.rb`
			`index ef7321ab..85f13375 100644`
			`--- a/test/openssl/test_ocsp.rb`
			`+++ b/test/openssl/test_ocsp.rb`
			`@@ -99,7 +99,7 @@ def test_request_der`
			`request.sign(@cert, @cert_key, [@ca_cert], 0)`
			`asn1 = OpenSSL::ASN1.decode(request.to_der)`
			`assert_equal cid.to_der, asn1.value[0].value.find { \|a\| a.tag_class == :UNIVERSAL }.value[0].value[0].to_der`
			`- assert_equal OpenSSL::ASN1.ObjectId("sha1WithRSAEncryption").to_der, asn1.value[1].value[0].value[0].value[0].to_der`
			`+ assert_equal OpenSSL::ASN1.ObjectId("sha256WithRSAEncryption").to_der, asn1.value[1].value[0].value[0].value[0].to_der`
			`assert_equal @cert.to_der, asn1.value[1].value[0].value[2].value[0].value[0].to_der`
			`assert_equal @ca_cert.to_der, asn1.value[1].value[0].value[2].value[0].value[1].to_der`
			`assert_equal asn1.to_der, OpenSSL::OCSP::Request.new(asn1.to_der).to_der`