[compat] support PKey::DSA#sign_raw and verify_raw

Author: kares

src/main/java/org/jruby/ext/openssl/PKeyDSA.java

@@ -440,8 +440,8 @@ public RubyString public_to_pem(ThreadContext context) {
     public IRubyObject syssign(IRubyObject data) {
         final Ruby runtime = getRuntime();
 
-        DSAPrivateKey privateKey;
-        if ((privateKey = this.privateKey) == null) {
+        DSAPrivateKey privateKey = this.privateKey;
+        if (privateKey == null) {
             throw newDSAError(runtime, "Private DSA key needed!");
         }
 
@@ -454,13 +454,55 @@ public IRubyObject syssign(IRubyObject data) {
         }
     }
 
+    // In OpenSSL, sign_raw/verify_raw are base-class PKey methods that use EVP_PKEY_sign /
+    // EVP_PKEY_verify (low-level, no-hashing operations).
+    // When the digest argument is non-nil, EVP_PKEY_CTX_set_signature_md is called, but for DSA
+    // this only affects input-length validation inside OpenSSL - does not hash the data.
+    //
+    // In JCA, "NONEwithDSA" is the direct equivalent: it accepts already-hashed bytes and signs
+    // them without any further digest step.
+    // The digest argument therefore does not influence the JCA algorithm and is intentionally unused.
+    @JRubyMethod(name = "sign_raw")
+    public IRubyObject sign_raw(ThreadContext context, IRubyObject digest, IRubyObject data) {
+        DSAPrivateKey privateKey = this.privateKey;
+        if (privateKey == null) {
+            throw newDSAError(context.runtime, "Private DSA key needed!");
+        }
+        try {
+            ByteList sign = sign("NONEwithDSA", privateKey, data.convertToString().getByteList());
+            return RubyString.newString(context.runtime, sign);
+        }
+        catch (GeneralSecurityException ex) {
+            throw newDSAError(context.runtime, ex.getMessage());
+        }
+    }
+
+    @JRubyMethod(name = "verify_raw")
+    public IRubyObject verify_raw(IRubyObject digest, IRubyObject sign, IRubyObject data) {
+        final Ruby runtime = getRuntime();
+        ByteList sigBytes = convertToString(runtime, sign, "OpenSSL::PKey::PKeyError", "invalid signature").getByteList();
+        ByteList dataBytes = convertToString(runtime, data, "OpenSSL::PKey::PKeyError", "invalid data").getByteList();
+        try {
+            return runtime.newBoolean(verify("NONEwithDSA", getPublicKey(), dataBytes, sigBytes));
+        }
+        catch (NoSuchAlgorithmException e) {
+            throw newPKeyError(runtime, e.getMessage());
+        }
+        catch (SignatureException e) {
+            throw newPKeyError(runtime, "invalid signature");
+        }
+        catch (InvalidKeyException e) {
+            throw newPKeyError(runtime, "invalid key");
+        }
+    }
+
     @JRubyMethod // ossl_dsa_verify
     public IRubyObject sysverify(IRubyObject data, IRubyObject sign) {
         final Ruby runtime = getRuntime();
         ByteList sigBytes = convertToString(runtime, sign, "OpenSSL::PKey::DSAError", "invalid signature").getByteList();
         ByteList dataBytes = convertToString(runtime, data, "OpenSSL::PKey::DSAError", "invalid data").getByteList();
         try {
-            return runtime.newBoolean( verify("NONEwithDSA", getPublicKey(), dataBytes, sigBytes) );
+            return runtime.newBoolean(verify("NONEwithDSA", getPublicKey(), dataBytes, sigBytes));
         }
         catch (NoSuchAlgorithmException e) {
             throw newDSAError(runtime, e.getMessage());

src/test/ruby/dsa/test_dsa.rb

@@ -118,6 +118,28 @@ def test_dsa_sys_sign_verify
     assert dsa.sysverify(digest, sig).eql?(true)
   end
 
+  def test_sign_verify_raw
+    key = Fixtures.pkey("dsa2048")
+    data = 'Sign me!'
+    digest = OpenSSL::Digest.digest('SHA1', data)
+
+    invalid_sig = key.sign_raw(nil, digest.succ)
+
+    # Sign by #syssign
+    sig = key.syssign(digest)
+    assert_equal true, key.sysverify(digest, sig)
+    assert_equal false, key.sysverify(digest, invalid_sig)
+    assert_equal true, key.verify_raw(nil, sig, digest)
+    assert_equal false, key.verify_raw(nil, invalid_sig, digest)
+
+    # Sign by #sign_raw
+    sig = key.sign_raw(nil, digest)
+    assert_equal true, key.sysverify(digest, sig)
+    assert_equal false, key.sysverify(digest, invalid_sig)
+    assert_equal true, key.verify_raw(nil, sig, digest)
+    assert_equal false, key.verify_raw(nil, invalid_sig, digest)
+  end
+
   def test_DSAPrivateKey
     # OpenSSL DSAPrivateKey format; similar to RSAPrivateKey
     dsa512 = Fixtures.pkey("dsa512")

src/test/ruby/fixtures/pkey/dsa2048

@@ -0,0 +1,15 @@
+-----BEGIN PRIVATE KEY-----
+MIICXgIBADCCAjYGByqGSM44BAEwggIpAoIBAQDXZhJ/dQoWkQELzjzlx8FtIp96
+voCYe5NY0H8j0jz7GyHpXt41+MteqkZK3/Ah+cNR9uG8iEYArAZ71LcWotfee2Gz
+xdxozr9bRt0POYhO2YIsfMpBrEskPsDH2g/2nFV8l4OJgxU2qZUrF4PN5ha+Mu6u
+sVtN8hjvAvnbf4Pxn0b8NN9f4PJncroUa8acv5WsV85E1RW7NYCefggU4LytYIHg
+euRF9eY9gVCX5MkUgW2xODHIYJhwk/+5lJxG7qUsSahD/nPHO/yoWgdVHq2DkdTq
+KYXkAxx2PJcTBOHTglhE6mgCbEKp8vcfElnBWyCT6QykclZiPXXD2JV829J/Ah0A
+vYa+/G/gUZiomyejVje6UsGoCc+vInxmovOL8QKCAQEAhnKEigYPw6u8JY7v5iGo
+Ylz8qiMFYmaJCwevf3KCjWeEXuNO4OrKdfzkQl1tPuGLioYFfP1A2yGosjdUdLEB
+0JqnzlKxUp+G6RfBj+WYzbgc5hr7t0M+reAJh09/hDzqfxjcgiHstq7mpRXBP8Y7
+iu27s7TRYJNSAYRvWcXNSBEUym3mHBBbZn7VszYooSrn60/iZ8I+VY1UF/fgqhbj
+JfaaZNQCDO9K3Vb3rsXoYd8+bOZIen9uHB+pNjMqhpl4waysqrlpGFeeqdxivH6S
+vkrHLs6/eWVMnS08RdcryoCrI3Bm8mMBKQglDwKLnWLfzG565qEhslzyCd/l9k9a
+cwQfAh0Ao8/g72fSFmo04FizM7DZJSIPqDLjfZu9hLvUFA==
+-----END PRIVATE KEY-----