refactor + restore raising specific PKey errors

kares · kares · commit 63017288fc67 · 2026-03-09T18:12:01.000+01:00
diff --git a/src/main/java/org/jruby/ext/openssl/PKeyDSA.java b/src/main/java/org/jruby/ext/openssl/PKeyDSA.java
@@ -144,24 +144,26 @@ public IRubyObject initialize_copy(final IRubyObject original) {
     public String getAlgorithm() { return "DSA"; }
 
     @JRubyMethod(name = "generate", meta = true)
-    public static IRubyObject generate(IRubyObject self, IRubyObject arg) {
-        final Ruby runtime = self.getRuntime();
+    public static IRubyObject generate(ThreadContext context, IRubyObject self, IRubyObject arg) {
         final int keySize = RubyNumeric.fix2int(arg);
-        return dsaGenerate(runtime, new PKeyDSA(runtime, (RubyClass) self), keySize);
+        return dsaGenerate(context.runtime, new PKeyDSA(context.runtime, (RubyClass) self), keySize);
+    }
+
+    static PKeyDSA generateImpl(final Ruby runtime, PKeyDSA dsa, int keySize) throws NoSuchAlgorithmException {
+        KeyPairGenerator gen = SecurityHelper.getKeyPairGenerator("DSA");
+        gen.initialize(keySize, getSecureRandom(runtime));
+        KeyPair pair = gen.generateKeyPair();
+        dsa.privateKey = (DSAPrivateKey) pair.getPrivate();
+        dsa.publicKey = (DSAPublicKey) pair.getPublic();
+        return dsa;
     }
 
     /*
      * c: dsa_generate
      */
-    private static PKeyDSA dsaGenerate(final Ruby runtime,
-        PKeyDSA dsa, int keySize) throws RaiseException {
+    private static PKeyDSA dsaGenerate(final Ruby runtime, PKeyDSA dsa, int keySize) throws RaiseException {
         try {
-            KeyPairGenerator gen = SecurityHelper.getKeyPairGenerator("DSA");
-            gen.initialize(keySize, getSecureRandom(runtime));
-            KeyPair pair = gen.generateKeyPair();
-            dsa.privateKey = (DSAPrivateKey) pair.getPrivate();
-            dsa.publicKey = (DSAPublicKey) pair.getPublic();
-            return dsa;
+            return generateImpl(runtime, dsa, keySize);
         }
         catch (NoSuchAlgorithmException e) {
             throw newDSAError(runtime, e.getMessage());
@@ -303,7 +305,7 @@ public RubyBoolean private_p() {
     @JRubyMethod(name = "public_to_der")
     public RubyString public_to_der(ThreadContext context) {
         if (publicKey == null) {
-            throw newPKeyError(context.runtime, "incompletely initialized DSA key");
+            throw newDSAError(context.runtime, "incompletely initialized DSA key");
         }
         final byte[] bytes;
         try {
@@ -329,7 +331,7 @@ public RubyString to_der() {
             throw newDSAError(getRuntime(), bcExceptionMessage(e));
         }
         catch (IllegalArgumentException e) {
-            throw newPKeyError(getRuntime(), e.getMessage());
+            throw newDSAError(getRuntime(), e.getMessage());
         }
         catch (IOException e) {
             throw newDSAError(getRuntime(), e.getMessage(), e);
@@ -486,13 +488,13 @@ public IRubyObject verify_raw(IRubyObject digest, IRubyObject sign, IRubyObject
             return runtime.newBoolean(verify("NONEwithDSA", getPublicKey(), dataBytes, sigBytes));
         }
         catch (NoSuchAlgorithmException e) {
-            throw newPKeyError(runtime, e.getMessage());
+            throw newDSAError(runtime, e.getMessage());
         }
         catch (SignatureException e) {
-            throw newPKeyError(runtime, "invalid signature");
+            throw newDSAError(runtime, "invalid signature");
         }
         catch (InvalidKeyException e) {
-            throw newPKeyError(runtime, "invalid key");
+            throw newDSAError(runtime, "invalid key");
         }
     }
 
diff --git a/src/main/java/org/jruby/ext/openssl/PKeyEC.java b/src/main/java/org/jruby/ext/openssl/PKeyEC.java
@@ -440,7 +440,7 @@ public PKeyEC generate_key(final ThreadContext context) {
             this.privateKey = pair.getPrivate();
         }
         catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException ex) {
-            throw PKey.newPKeyError(context.runtime, ex.getMessage());
+            throw newECError(context.runtime, ex.getMessage());
         }
         catch (GeneralSecurityException ex) {
             throw (RaiseException) newECError(context.runtime, ex.toString()).initCause(ex);
@@ -745,7 +745,7 @@ public RubyString to_der() {
             return public_to_der(runtime);
         }
         if (privateKey == null) {
-            throw PKey.newPKeyError(runtime, "can't export - no public key set");
+            throw newECError(runtime, "can't export - no public key set");
         }
 
         try {
diff --git a/src/main/java/org/jruby/ext/openssl/PKeyRSA.java b/src/main/java/org/jruby/ext/openssl/PKeyRSA.java
@@ -220,32 +220,33 @@ public static IRubyObject generate(IRubyObject self, IRubyObject[] args) {
         return rsaGenerate(runtime, new PKeyRSA(runtime, (RubyClass) self), keySize, exp);
     }
 
+    static PKeyRSA generateImpl(final Ruby runtime, PKeyRSA rsa, int keySize, BigInteger exp)
+        throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
+        KeyPairGenerator gen = SecurityHelper.getKeyPairGenerator("RSA");
+        if ( "IBMJCEFIPS".equals( gen.getProvider().getName() ) ) {
+            gen.initialize(keySize); // IBMJCEFIPS does not support parameters
+        } else {
+            gen.initialize(new RSAKeyGenParameterSpec(keySize, exp), getSecureRandom(runtime));
+        }
+        KeyPair pair = gen.generateKeyPair();
+        rsa.privateKey = (RSAPrivateCrtKey) pair.getPrivate();
+        rsa.publicKey = (RSAPublicKey) pair.getPublic();
+        return rsa;
+    }
+
     /*
      * c: rsa_generate
      */
-    private static PKeyRSA rsaGenerate(final Ruby runtime,
-        PKeyRSA rsa, int keySize, BigInteger exp) throws RaiseException {
+    static PKeyRSA rsaGenerate(final Ruby runtime, PKeyRSA rsa, int keySize, BigInteger exp) throws RaiseException {
         try {
-            KeyPairGenerator gen = SecurityHelper.getKeyPairGenerator("RSA");
-            if ( "IBMJCEFIPS".equals( gen.getProvider().getName() ) ) {
-                gen.initialize(keySize); // IBMJCEFIPS does not support parameters
-            } else {
-                gen.initialize(new RSAKeyGenParameterSpec(keySize, exp), getSecureRandom(runtime));
-            }
-            KeyPair pair = gen.generateKeyPair();
-            rsa.privateKey = (RSAPrivateCrtKey) pair.getPrivate();
-            rsa.publicKey = (RSAPublicKey) pair.getPublic();
-        }
-        catch (NoSuchAlgorithmException e) {
-            throw newRSAError(runtime, e.getMessage());
+            return generateImpl(runtime, rsa, keySize, exp);
         }
-        catch (InvalidAlgorithmParameterException e) {
+        catch (NoSuchAlgorithmException|InvalidAlgorithmParameterException e) {
             throw newRSAError(runtime, e.getMessage());
         }
         catch (RuntimeException e) {
-            throw newRSAError(rsa.getRuntime(), e);
+            throw newRSAError(runtime, e);
         }
-        return rsa;
     }
 
     @JRubyMethod(rest = true, visibility = Visibility.PRIVATE)
@@ -336,7 +337,7 @@ public IRubyObject initialize(final ThreadContext context, final IRubyObject[] a
         if ( key == null ) key = tryPKCS8EncodedKey(runtime, rsaFactory, str.getBytes());
         if ( key == null ) key = tryX509EncodedKey(runtime, rsaFactory, str.getBytes());
 
-        if ( key == null ) throw newPKeyError(runtime, "Neither PUB key nor PRIV key:");
+        if ( key == null ) throw newRSAError(runtime, "Neither PUB key nor PRIV key:");
 
         if ( key instanceof KeyPair ) {
             PublicKey publicKey = ((KeyPair) key).getPublic();
@@ -615,7 +616,7 @@ private static ASN1ObjectIdentifier osslNameToCipherOid(final String osslName) {
 
     private String getPadding(final int padding) {
         if ( padding < 1 || padding > 4 ) {
-            throw newPKeyError(getRuntime(), "");
+            throw newRSAError(getRuntime(), "");
         }
         // BC accepts "/NONE/*" but SunJCE doesn't. use "/ECB/*"
         String p = "/ECB/PKCS1Padding";
@@ -635,7 +636,7 @@ public IRubyObject private_encrypt(final ThreadContext context, final IRubyObjec
         if ( Arity.checkArgumentCount(context.runtime, args, 1, 2) == 2 && ! args[1].isNil() ) {
             padding = RubyNumeric.fix2int(args[1]);
         }
-        if ( privateKey == null ) throw newPKeyError(context.runtime, "incomplete RSA");
+        if ( privateKey == null ) throw newRSAError(context.runtime, "incomplete RSA");
         return doCipherRSA(context.runtime, args[0], padding, ENCRYPT_MODE, privateKey);
     }
 
@@ -645,7 +646,7 @@ public IRubyObject private_decrypt(final ThreadContext context, final IRubyObjec
         if ( Arity.checkArgumentCount(context.runtime, args, 1, 2) == 2 && ! args[1].isNil())  {
             padding = RubyNumeric.fix2int(args[1]);
         }
-        if ( privateKey == null ) throw newPKeyError(context.runtime, "incomplete RSA");
+        if ( privateKey == null ) throw newRSAError(context.runtime, "incomplete RSA");
         return doCipherRSA(context.runtime, args[0], padding, DECRYPT_MODE, privateKey);
     }
 
@@ -655,7 +656,7 @@ public IRubyObject public_encrypt(final ThreadContext context, final IRubyObject
         if ( Arity.checkArgumentCount(context.runtime, args, 1, 2) == 2 && ! args[1].isNil())  {
             padding = RubyNumeric.fix2int(args[1]);
         }
-        if ( publicKey == null ) throw newPKeyError(context.runtime, "incomplete RSA");
+        if ( publicKey == null ) throw newRSAError(context.runtime, "incomplete RSA");
         return doCipherRSA(context.runtime, args[0], padding, ENCRYPT_MODE, publicKey);
     }
 
@@ -665,7 +666,7 @@ public IRubyObject public_decrypt(final ThreadContext context, final IRubyObject
         if ( Arity.checkArgumentCount(context.runtime, args, 1, 2) == 2 && ! args[1].isNil() ) {
             padding = RubyNumeric.fix2int(args[1]);
         }
-        if ( publicKey == null ) throw newPKeyError(context.runtime, "incomplete RSA");
+        if ( publicKey == null ) throw newRSAError(context.runtime, "incomplete RSA");
         return doCipherRSA(context.runtime, args[0], padding, DECRYPT_MODE, publicKey);
     }
 
@@ -699,7 +700,7 @@ public IRubyObject oid() {
     @JRubyMethod(name = "sign_raw", required = 2, optional = 1)
     public IRubyObject sign_raw(ThreadContext context, IRubyObject[] args) {
         final Ruby runtime = context.runtime;
-        if (privateKey == null) throw newPKeyError(runtime, "Private RSA key needed!");
+        if (privateKey == null) throw newRSAError(runtime, "Private RSA key needed!");
 
         final String digestAlg = getDigestAlgName(args[0]);
         final byte[] hashBytes = args[1].convertToString().getBytes();
@@ -715,7 +716,7 @@ public IRubyObject sign_raw(ThreadContext context, IRubyObject[] args) {
                 try {
                     return StringHelper.newString(runtime, signWithPSS(hashBytes, digestAlg, mgf1Alg, saltLen));
                 } catch (IllegalArgumentException | CryptoException e) {
-                    throw (RaiseException) newPKeyError(runtime, e.getMessage()).initCause(e);
+                    throw (RaiseException) newRSAError(runtime, e.getMessage()).initCause(e);
                 }
             }
         }
@@ -726,13 +727,13 @@ public IRubyObject sign_raw(ThreadContext context, IRubyObject[] args) {
             ByteList signed = sign("NONEwithRSA", privateKey, new ByteList(digestInfoBytes, false));
             return RubyString.newString(runtime, signed);
         } catch (IOException e) {
-            throw newPKeyError(runtime, "failed to encode DigestInfo: " + e.getMessage());
+            throw newRSAError(runtime, "failed to encode DigestInfo: " + e.getMessage());
         } catch (NoSuchAlgorithmException e) {
-            throw newPKeyError(runtime, "unsupported algorithm: NONEwithRSA");
+            throw newRSAError(runtime, "unsupported algorithm: NONEwithRSA");
         } catch (InvalidKeyException e) {
-            throw newPKeyError(runtime, "invalid key");
+            throw newRSAError(runtime, "invalid key");
         } catch (SignatureException e) {
-            throw newPKeyError(runtime, e.getMessage());
+            throw newRSAError(runtime, e.getMessage());
         }
     }
 
@@ -765,11 +766,11 @@ public IRubyObject verify_raw(ThreadContext context, IRubyObject[] args) {
                     new ByteList(sigBytes, false));
             return runtime.newBoolean(ok);
         } catch (IOException e) {
-            throw newPKeyError(runtime, "failed to encode DigestInfo: " + e.getMessage());
+            throw newRSAError(runtime, "failed to encode DigestInfo: " + e.getMessage());
         } catch (NoSuchAlgorithmException e) {
-            throw newPKeyError(runtime, "unsupported algorithm: NONEwithRSA");
+            throw newRSAError(runtime, "unsupported algorithm: NONEwithRSA");
         } catch (InvalidKeyException e) {
-            throw newPKeyError(runtime, "invalid key");
+            throw newRSAError(runtime, "invalid key");
         } catch (SignatureException e) {
             return runtime.getFalse();
         }
@@ -819,7 +820,7 @@ public IRubyObject sign(ThreadContext context, IRubyObject[] args) {
             if (!(opts instanceof RubyHash)) throw runtime.newTypeError("expected Hash");
             String paddingMode = Utils.extractStringOpt(context, opts, "rsa_padding_mode", true);
             if ("pss".equalsIgnoreCase(paddingMode)) {
-                if (privateKey == null) throw newPKeyError(runtime, "Private RSA key needed!");
+                if (privateKey == null) throw newRSAError(runtime, "Private RSA key needed!");
                 final String digestAlg = getDigestAlgName(digest);
                 int saltLen = Utils.extractIntOpt(context, opts, "rsa_pss_saltlen", -1, true);
                 String mgf1Alg = Utils.extractStringOpt(context, opts, "rsa_mgf1_md", true);
@@ -830,7 +831,7 @@ public IRubyObject sign(ThreadContext context, IRubyObject[] args) {
                 try {
                     signedData = signDataWithPSS(runtime, data.convertToString(), digestAlg, mgf1Alg, saltLen);
                 } catch (IllegalArgumentException | DataLengthException | CryptoException e) {
-                    throw (RaiseException) newPKeyError(runtime, e.getMessage()).initCause(e);
+                    throw (RaiseException) newRSAError(runtime, e.getMessage()).initCause(e);
                 }
                 return StringHelper.newString(runtime, signedData);
             }
@@ -843,7 +844,7 @@ public IRubyObject sign(ThreadContext context, IRubyObject[] args) {
     @JRubyMethod(name = "sign_pss", required = 2, optional = 1)
     public IRubyObject sign_pss(ThreadContext context, IRubyObject[] args) {
         final Ruby runtime = context.runtime;
-        if (privateKey == null) throw newPKeyError(runtime, "Private RSA key needed!");
+        if (privateKey == null) throw newRSAError(runtime, "Private RSA key needed!");
         final String digestAlg = getDigestAlgName(args[0]);
         final IRubyObject opts  = args.length > 2 ? args[2] : context.nil;
         final int maxSalt = maxPSSSaltLength(digestAlg, privateKey.getModulus().bitLength());
@@ -869,7 +870,7 @@ public IRubyObject sign_pss(ThreadContext context, IRubyObject[] args) {
         try {
             signedData = signDataWithPSS(runtime, args[1].convertToString(), digestAlg, mgf1Alg, saltLen);
         } catch (IllegalArgumentException | DataLengthException | CryptoException e) {
-            throw (RaiseException) newPKeyError(runtime, e.getMessage()).initCause(e);
+            throw (RaiseException) newRSAError(runtime, e.getMessage()).initCause(e);
         }
         return StringHelper.newString(runtime, signedData);
     }
diff --git a/src/test/ruby/dsa/test_dsa.rb b/src/test/ruby/dsa/test_dsa.rb
@@ -41,7 +41,7 @@ def test_new
   def test_new_empty
     key = OpenSSL::PKey::DSA.new
     assert_nil(key.p)
-    assert_raise(OpenSSL::PKey::PKeyError) { key.to_der }
+    assert_pkey_error { key.to_der }
   end
 
   def test_dup
diff --git a/src/test/ruby/ec/test_ec.rb b/src/test/ruby/ec/test_ec.rb
@@ -49,7 +49,7 @@ def test_ec_key
   end
 
   def test_generate
-    assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey::EC.generate("non-existent") }
+    assert_pkey_error { OpenSSL::PKey::EC.generate("non-existent") }
     g = OpenSSL::PKey::EC::Group.new("prime256v1")
     ec = OpenSSL::PKey::EC.generate(g)
     assert_equal(true, ec.private?)
diff --git a/src/test/ruby/rsa/test_rsa.rb b/src/test/ruby/rsa/test_rsa.rb
@@ -14,8 +14,8 @@ def test_no_private_exp
     rsa = Fixtures.pkey("rsa-1.pem")
     key.set_key(rsa.n, rsa.e, nil)
     key.set_factors(rsa.p, rsa.q)
-    assert_raise(OpenSSL::PKey::PKeyError){ key.private_encrypt("foo") }
-    assert_raise(OpenSSL::PKey::PKeyError){ key.private_decrypt("foo") }
+    assert_pkey_error { key.private_encrypt("foo") }
+    assert_pkey_error { key.private_decrypt("foo") }
   end
 
   def test_private
@@ -201,7 +201,7 @@ def test_sign_verify_raw_legacy
     # Failure cases
     assert_raise(ArgumentError){ key.private_encrypt() }
     assert_raise(ArgumentError){ key.private_encrypt("hi", 1, nil) }
-    assert_raise(OpenSSL::PKey::PKeyError){ key.private_encrypt(plain0, 666) }
+    assert_pkey_error { key.private_encrypt(plain0, 666) }
   end
 
   def test_sign_verify_raw
@@ -219,7 +219,7 @@ def test_sign_verify_raw
     assert_equal false, key.verify_raw("SHA256", signature, wrong_hash)
 
     # Data exceeding the key modulus must raise PKeyError
-    assert_raise(OpenSSL::PKey::PKeyError) {
+    assert_pkey_error {
       key.sign_raw("SHA1", "x" * (key.n.num_bytes + 1))
     }
 
@@ -283,7 +283,7 @@ def test_sign_verify_pss
                    key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA256")
     end
 
-    assert_raise(OpenSSL::PKey::PKeyError) {
+    assert_pkey_error {
       key.sign_pss("SHA256", data, salt_length: 223, mgf1_hash: "SHA256")
     }
   end
@@ -437,7 +437,7 @@ def test_RSAPrivateKey_encrypted
     cipher = OpenSSL::Cipher.new("aes-128-cbc")
     exported = rsa1024.to_pem(cipher, "abcdef\0\1")
     assert_same_rsa rsa1024, OpenSSL::PKey::RSA.new(exported, "abcdef\0\1")
-    assert_raise(OpenSSL::PKey::PKeyError) {
+    assert_pkey_error {
       OpenSSL::PKey::RSA.new(exported, "abcdef")
     }
   end
diff --git a/src/test/ruby/test_helper.rb b/src/test/ruby/test_helper.rb
@@ -69,6 +69,10 @@ def setup; require 'openssl' end
 
   alias assert_raise assert_raises unless method_defined?(:assert_raise)
 
+  def assert_pkey_error(&block)
+    assert_raise_kind_of(OpenSSL::PKey::PKeyError, &block)
+  end
+
   unless method_defined?(:skip)
     if method_defined?(:omit)
       alias skip omit

Original file line number	Diff line number	Diff line change
`@@ -440,7 +440,7 @@ public PKeyEC generate_key(final ThreadContext context) {`
`440`	`440`	`this.privateKey = pair.getPrivate();`
`441`	`441`	`}`
`442`	`442`	`catch (NoSuchAlgorithmException \| InvalidAlgorithmParameterException ex) {`
`443`		`- throw PKey.newPKeyError(context.runtime, ex.getMessage());`
	`443`	`+ throw newECError(context.runtime, ex.getMessage());`
`444`	`444`	`}`
`445`	`445`	`catch (GeneralSecurityException ex) {`
`446`	`446`	`throw (RaiseException) newECError(context.runtime, ex.toString()).initCause(ex);`
`@@ -745,7 +745,7 @@ public RubyString to_der() {`
`745`	`745`	`return public_to_der(runtime);`
`746`	`746`	`}`
`747`	`747`	`if (privateKey == null) {`
`748`		`- throw PKey.newPKeyError(runtime, "can't export - no public key set");`
	`748`	`+ throw newECError(runtime, "can't export - no public key set");`
`749`	`749`	`}`
`750`	`750`
`751`	`751`	`try {`