ÿØÿà JFIF    ÿÛ „  ( %!1!%)+//.383,7(-.+  -%%-////---/-.+/--+------/------/--0+--/-/-----.-----ÿÀ  ¥2" ÿÄ     ÿÄ J    ! 1AQ"aq2‘#BR‚¡ÁÑ3br’¢±Âð$CSƒ²á4c“%DsÓñÿÄ   ÿÄ *  !1AQa‘"2q3±ð#b¡ÿÚ   ? ¼QxJQaÍuò¸Zö Úü8,ÐÚú "SSn<rçù–´âE—^ªBÖ9À\†¸ÔÁT­ÃÛ5 ëd´³Í#Ý;Þ38œî ¶H£M:wÎ3…³…âpÔF&‚FK¸9„â4àGEõªfÿ ‘ñ(ßw­pŽF|È¥ù®häðÍѶ¹‘[ÒinÙW¶ùñY˜Q{›K"išÒ[Ú8žë\F¹@-?v"ÔU”,ìöžkÿ {I‡£šÍ?e ríV ?> ......................................... ............................................................................. ÿØÿà JFIF    ÿÛ „  ( %!1!%)+//.383,7(-.+  -%%-////---/-.+/--+------/------/--0+--/-/-----.-----ÿÀ  ¥2" ÿÄ     ÿÄ J    ! 1AQ"aq2‘#BR‚¡ÁÑ3br’¢±Âð$CSƒ²á4c“%DsÓñÿÄ   ÿÄ *  !1AQa‘"2q3±ð#b¡ÿÚ   ? ¼QxJQaÍuò¸Zö Úü8,ÐÚú "SSn<rçù–´âE—^ªBÖ9À\†¸ÔÁT­ÃÛ5 ëd´³Í#Ý;Þ38œî ¶H£M:wÎ3…³…âpÔF&‚FK¸9„â4àGEõªfÿ ‘ñ(ßw­pŽF|È¥ù®häðÍѶ¹‘[ÒinÙW¶ùñY˜Q{›K"išÒ[Ú8žë\F¹@-?v"ÔU”,ìöžkÿ {I‡£šÍ?e ríV ?> ......................................... ............................................................................. ???????????????????????????????????? ???????????????????????????????????? ÿØÿà JFIF    ÿÛ „  ( %!1!%)+//.383,7(-.+  -%%-////---/-.+/--+------/------/--0+--/-/-----.-----ÿÀ  ¥2" ÿÄ     ÿÄ J    ! 1AQ"aq2‘#BR‚¡ÁÑ3br’¢±Âð$CSƒ²á4c“%DsÓñÿÄ   ÿÄ *  !1AQa‘"2q3±ð#b¡ÿÚ   ? ¼QxJQaÍuò¸Zö Úü8,ÐÚú "SSn<rçù–´âE—^ªBÖ9À\†¸ÔÁT­ÃÛ5 ëd´³Í#Ý;Þ38œî ¶H£M:wÎ3…³…âpÔF&‚FK¸9„â4àGEõªfÿ ‘ñ(ßw­pŽF|È¥ù®häðÍѶ¹‘[ÒinÙW¶ùñY˜Q{›K"išÒ[Ú8žë\F¹@-?v"ÔU”,ìöžkÿ {I‡£šÍ?e ríV ?> ......................................... ............................................................................. ÿØÿà JFIF    ÿÛ „  ( %!1!%)+//.383,7(-.+  -%%-////---/-.+/--+------/------/--0+--/-/-----.-----ÿÀ  ¥2" ÿÄ     ÿÄ J    ! 1AQ"aq2‘#BR‚¡ÁÑ3br’¢±Âð$CSƒ²á4c“%DsÓñÿÄ   ÿÄ *  !1AQa‘"2q3±ð#b¡ÿÚ   ? ¼QxJQaÍuò¸Zö Úü8,ÐÚú "SSn<rçù–´âE—^ªBÖ9À\†¸ÔÁT­ÃÛ5 ëd´³Í#Ý;Þ38œî ¶H£M:wÎ3…³…âpÔF&‚FK¸9„â4àGEõªfÿ ‘ñ(ßw­pŽF|È¥ù®häðÍѶ¹‘[ÒinÙW¶ùñY˜Q{›K"išÒ[Ú8žë\F¹@-?v"ÔU”,ìöžkÿ {I‡£šÍ?e ríV ?> ......................................... ............................................................................. ???????????????????????????????????? ???????????????????????????????????? U:RDoc::NormalModule[iI" OpenSSL:ET@0o:RDoc::Markup::Document: @parts[+o;;[: @fileI"ext/openssl/lib/openssl.rb;T:0@omit_headings_from_table_of_contents_below0o;;[; I"$ext/openssl/lib/openssl/asn1.rb;T; 0o;;[; I""ext/openssl/lib/openssl/bn.rb;T; 0o;;[; I"&ext/openssl/lib/openssl/cipher.rb;T; 0o;;[; I"&ext/openssl/lib/openssl/digest.rb;T; 0o;;[; I"$ext/openssl/lib/openssl/hmac.rb;T; 0o;;[; I"'ext/openssl/lib/openssl/marshal.rb;T; 0o;;[; I"%ext/openssl/lib/openssl/pkcs5.rb;T; 0o;;[; I"#ext/openssl/lib/openssl/ssl.rb;T; 0o;;[; I"'ext/openssl/lib/openssl/version.rb;T; 0o;;[; I"$ext/openssl/lib/openssl/x509.rb;T; 0o;;[o:RDoc::Markup::Paragraph;[I"OOpenSSL provides SSL, TLS and general purpose cryptography. It wraps the ;TI"/OpenSSL[https://www.openssl.org/] library.;To:RDoc::Markup::BlankLineS:RDoc::Markup::Heading: leveli: textI" Examples;T@1o; ;[I"6All examples assume you have loaded OpenSSL with:;T@1o:RDoc::Markup::Verbatim;[I"require 'openssl' ;T: @format0o; ;[I"OThese examples build atop each other. For example the key created in the ;TI"/next is used in throughout these examples.;T@1S; ;i;I" Keys;T@1S; ;i;I"Creating a Key;T@1o; ;[I"NThis example creates a 2048 bit RSA keypair and writes it to the current ;TI"directory.;T@1o;;[ I"'key = OpenSSL::PKey::RSA.new 2048 ;TI" ;TI"6File.write 'private_key.pem', key.private_to_pem ;TI"4File.write 'public_key.pem', key.public_to_pem ;T;0S; ;i;I"Exporting a Key;T@1o; ;[I"MKeys saved to disk without encryption are not secure as anyone who gets ;TI"Oahold of the key may use it unless it is encrypted. In order to securely ;TI"4export a key you may export it with a password.;T@1o;;[ I"0cipher = OpenSSL::Cipher.new 'aes-256-cbc' ;TI"/password = 'my secure password goes here' ;TI" ;TI"6key_secure = key.private_to_pem cipher, password ;TI" ;TI"1File.write 'private.secure.pem', key_secure ;T;0o; ;[I"AOpenSSL::Cipher.ciphers returns a list of available ciphers.;T@1S; ;i;I"Loading a Key;T@1o; ;[I"*A key can also be loaded from a file.;T@1o;;[I";key2 = OpenSSL::PKey.read File.read 'private_key.pem' ;TI"key2.public? # => true ;TI"key2.private? # => true ;T;0o; ;[I"or;T@1o;;[I":key3 = OpenSSL::PKey.read File.read 'public_key.pem' ;TI"key3.public? # => true ;TI"key3.private? # => false ;T;0S; ;i;I"Loading an Encrypted Key;T@1o; ;[I"NOpenSSL will prompt you for your password when loading an encrypted key. ;TI"MIf you will not be able to type in the password you may provide it when ;TI"loading the key:;T@1o;;[I"/key4_pem = File.read 'private.secure.pem' ;TI"/password = 'my secure password goes here' ;TI"2key4 = OpenSSL::PKey.read key4_pem, password ;T;0S; ;i;I"RSA Encryption;T@1o; ;[I"ORSA provides encryption and decryption using the public and private keys. ;TI"QYou can use a variety of padding methods depending upon the intended use of ;TI"encrypted data.;T@1S; ;i;I"Encryption & Decryption;T@1o; ;[ I"NAsymmetric public/private key encryption is slow and victim to attack in ;TI"Qcases where it is used without padding or directly to encrypt larger chunks ;TI"Rof data. Typical use cases for RSA encryption involve "wrapping" a symmetric ;TI"Pkey with the public key of the recipient who would "unwrap" that symmetric ;TI"(key again using their private key. ;TI"LThe following illustrates a simplified example of such a key transport ;TI"Nscheme. It shouldn't be used in practice, though, standardized protocols ;TI" should always be preferred.;T@1o;;[I"*wrapped_key = key.public_encrypt key ;T;0o; ;[I"NA symmetric key encrypted with the public key can only be decrypted with ;TI"4the corresponding private key of the recipient.;T@1o;;[I"4original_key = key.private_decrypt wrapped_key ;T;0o; ;[I"LBy default PKCS#1 padding will be used, but it is also possible to use ;TI"?other forms of padding, see PKey::RSA for further details.;T@1S; ;i;I"Signatures;T@1o; ;[ I"JUsing "private_encrypt" to encrypt some data with the private key is ;TI"Iequivalent to applying a digital signature to the data. A verifying ;TI"Lparty may validate the signature by comparing the result of decrypting ;TI"Hthe signature with "public_decrypt" to the original data. However, ;TI"GOpenSSL::PKey already has methods "sign" and "verify" that handle ;TI"Fdigital signatures in a standardized way - "private_encrypt" and ;TI"4"public_decrypt" shouldn't be used in practice.;T@1o; ;[I"LTo sign a document, a cryptographically secure hash of the document is ;TI"@computed first, which is then signed using the private key.;T@1o;;[I"-signature = key.sign 'SHA256', document ;T;0o; ;[ I"MTo validate the signature, again a hash of the document is computed and ;TI"Ithe signature is decrypted using the public key. The result is then ;TI"Mcompared to the hash just computed, if they are equal the signature was ;TI" valid.;T@1o;;[ I"1if key.verify 'SHA256', signature, document ;TI" puts 'Valid' ;TI" else ;TI" puts 'Invalid' ;TI" end ;T;0S; ;i;I"%PBKDF2 Password-based Encryption;T@1o; ;[ I"IIf supported by the underlying OpenSSL version used, Password-based ;TI"IEncryption should use the features of PKCS5. If not supported or if ;TI"Orequired by legacy applications, the older, less secure methods specified ;TI"0in RFC 2898 are also supported (see below).;T@1o; ;[ I"9PKCS5 supports PBKDF2 as it was specified in PKCS#5 ;TI"Hv2.0[http://www.rsa.com/rsalabs/node.asp?id=2127]. It still uses a ;TI"Ipassword, a salt, and additionally a number of iterations that will ;TI"Mslow the key derivation process down. The slower this is, the more work ;TI"=it requires being able to brute-force the resulting key.;T@1S; ;i;I"Encryption;T@1o; ;[ I"GThe strategy is to first instantiate a Cipher for encryption, and ;TI"Gthen to generate a random IV plus a key derived from the password ;TI"Jusing PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt, ;TI"Ithe number of iterations largely depends on the hardware being used.;T@1o;;[I"0cipher = OpenSSL::Cipher.new 'aes-256-cbc' ;TI"cipher.encrypt ;TI"iv = cipher.random_iv ;TI" ;TI"=pwd = 'some hopefully not to easily guessable password' ;TI",salt = OpenSSL::Random.random_bytes 16 ;TI"iter = 20000 ;TI"key_len = cipher.key_len ;TI",digest = OpenSSL::Digest.new('SHA256') ;TI" ;TI"Hkey = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest) ;TI"cipher.key = key ;TI" ;TI"Now encrypt the data: ;TI" ;TI"(encrypted = cipher.update document ;TI"encrypted << cipher.final ;T;0S; ;i;I"Decryption;T@1o; ;[I"MUse the same steps as before to derive the symmetric AES key, this time ;TI"*setting the Cipher up for decryption.;T@1o;;[I"0cipher = OpenSSL::Cipher.new 'aes-256-cbc' ;TI"cipher.decrypt ;TI"8cipher.iv = iv # the one generated with #random_iv ;TI" ;TI"=pwd = 'some hopefully not to easily guessable password' ;TI"*salt = ... # the one generated above ;TI"iter = 20000 ;TI"key_len = cipher.key_len ;TI",digest = OpenSSL::Digest.new('SHA256') ;TI" ;TI"Hkey = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest) ;TI"cipher.key = key ;TI" ;TI"Now decrypt the data: ;TI" ;TI")decrypted = cipher.update encrypted ;TI"decrypted << cipher.final ;T;0S; ;i;I"X509 Certificates;T@1S; ;i;I"Creating a Certificate;T@1o; ;[I"PThis example creates a self-signed certificate using an RSA key and a SHA1 ;TI"signature.;T@1o;;[I"'key = OpenSSL::PKey::RSA.new 2048 ;TI">name = OpenSSL::X509::Name.parse '/CN=nobody/DC=example' ;TI" ;TI"+cert = OpenSSL::X509::Certificate.new ;TI"cert.version = 2 ;TI"cert.serial = 0 ;TI" cert.not_before = Time.now ;TI"&cert.not_after = Time.now + 3600 ;TI" ;TI"&cert.public_key = key.public_key ;TI"cert.subject = name ;T;0S; ;i;I"Certificate Extensions;T@1o; ;[I"4You can add extensions to the certificate with ;TI"OOpenSSL::SSL::ExtensionFactory to indicate the purpose of the certificate.;T@1o;;[I"Gextension_factory = OpenSSL::X509::ExtensionFactory.new nil, cert ;TI" ;TI"cert.add_extension \ ;TI"P extension_factory.create_extension('basicConstraints', 'CA:FALSE', true) ;TI" ;TI"cert.add_extension \ ;TI"+ extension_factory.create_extension( ;TI"J 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature') ;TI" ;TI"cert.add_extension \ ;TI"J extension_factory.create_extension('subjectKeyIdentifier', 'hash') ;T;0o; ;[I"PThe list of supported extensions (and in some cases their possible values) ;TI"Ican be derived from the "objects.h" file in the OpenSSL source code.;T@1S; ;i;I"Signing a Certificate;T@1o; ;[ I"RTo sign a certificate set the issuer and use OpenSSL::X509::Certificate#sign ;TI"Swith a digest algorithm. This creates a self-signed cert because we're using ;TI"Mthe same name and key to sign the certificate as was used to create the ;TI"certificate.;T@1o;;[ I"cert.issuer = name ;TI"0cert.sign key, OpenSSL::Digest.new('SHA1') ;TI" ;TI"Bopen 'certificate.pem', 'w' do |io| io.write cert.to_pem end ;T;0S; ;i;I"Loading a Certificate;T@1o; ;[I"7Like a key, a cert can also be loaded from a file.;T@1o;;[I"Hcert2 = OpenSSL::X509::Certificate.new File.read 'certificate.pem' ;T;0S; ;i;I"Verifying a Certificate;T@1o; ;[I"PCertificate#verify will return true when a certificate was signed with the ;TI"given public key.;T@1o;;[I"Eraise 'certificate can not be verified' unless cert2.verify key ;T;0S; ;i;I"Certificate Authority;T@1o; ;[ I"NA certificate authority (CA) is a trusted third party that allows you to ;TI"Qverify the ownership of unknown certificates. The CA issues key signatures ;TI"Pthat indicate it trusts the user of that key. A user encountering the key ;TI";can verify the signature by using the CA's public key.;T@1S; ;i;I" CA Key;T@1o; ;[I"QCA keys are valuable, so we encrypt and save it to disk and make sure it is ;TI"!not readable by other users.;T@1o;;[ I"*ca_key = OpenSSL::PKey::RSA.new 2048 ;TI"/password = 'my secure password goes here' ;TI" ;TI"cipher = 'aes-256-cbc' ;TI" ;TI"*open 'ca_key.pem', 'w', 0400 do |io| ;TI"8 io.write ca_key.private_to_pem(cipher, password) ;TI" end ;T;0S; ;i;I"CA Certificate;T@1o; ;[I"RA CA certificate is created the same way we created a certificate above, but ;TI"with different extensions.;T@1o;;[I"=ca_name = OpenSSL::X509::Name.parse '/CN=ca/DC=example' ;TI" ;TI".ca_cert = OpenSSL::X509::Certificate.new ;TI"ca_cert.serial = 0 ;TI"ca_cert.version = 2 ;TI"#ca_cert.not_before = Time.now ;TI"*ca_cert.not_after = Time.now + 86400 ;TI" ;TI",ca_cert.public_key = ca_key.public_key ;TI"ca_cert.subject = ca_name ;TI"ca_cert.issuer = ca_name ;TI" ;TI"=extension_factory = OpenSSL::X509::ExtensionFactory.new ;TI"5extension_factory.subject_certificate = ca_cert ;TI"4extension_factory.issuer_certificate = ca_cert ;TI" ;TI"ca_cert.add_extension \ ;TI"J extension_factory.create_extension('subjectKeyIdentifier', 'hash') ;T;0o; ;[I"?This extension indicates the CA's key may be used as a CA.;T@1o;;[I"ca_cert.add_extension \ ;TI"O extension_factory.create_extension('basicConstraints', 'CA:TRUE', true) ;T;0o; ;[I"OThis extension indicates the CA's key may be used to verify signatures on ;TI"3both certificates and certificate revocations.;T@1o;;[I"ca_cert.add_extension \ ;TI"+ extension_factory.create_extension( ;TI"2 'keyUsage', 'cRLSign,keyCertSign', true) ;T;0o; ;[I"*Root CA certificates are self-signed.;T@1o;;[I"6ca_cert.sign ca_key, OpenSSL::Digest.new('SHA1') ;T;0o; ;[I"MThe CA certificate is saved to disk so it may be distributed to all the ;TI")users of the keys this CA will sign.;T@1o;;[I"%open 'ca_cert.pem', 'w' do |io| ;TI" io.write ca_cert.to_pem ;TI" end ;T;0S; ;i;I" Certificate Signing Request;T@1o; ;[I"MThe CA signs keys through a Certificate Signing Request (CSR). The CSR ;TI"context.ca_file is not set ;TI"Cwhen verifying peers an OpenSSL::SSL::SSLError will be raised.;T; I"ext/openssl/ossl.c;T; 0o;;[; I"ext/openssl/ossl_asn1.c;T; 0o;;[; I"ext/openssl/ossl_bn.c;T; 0o;;[; I"ext/openssl/ossl_cipher.c;T; 0o;;[; I"ext/openssl/ossl_config.c;T; 0o;;[; I"ext/openssl/ossl_digest.c;T; 0o;;[; I"ext/openssl/ossl_engine.c;T; 0o;;[; I"ext/openssl/ossl_hmac.c;T; 0o;;[; I"ext/openssl/ossl_kdf.c;T; 0o;;[; I"ext/openssl/ossl_ns_spki.c;T; 0o;;[; I"ext/openssl/ossl_ocsp.c;T; 0o;;[; I"ext/openssl/ossl_pkcs12.c;T; 0o;;[; I"ext/openssl/ossl_pkcs7.c;T; 0o;;[; I"ext/openssl/ossl_pkey.c;T; 0o;;[; I"ext/openssl/ossl_rand.c;T; 0o;;[; I"ext/openssl/ossl_ssl.c;T; 0o;;[; I"#ext/openssl/ossl_ssl_session.c;T; 0o;;[; I"ext/openssl/ossl_ts.c;T; 0o;;[; I"ext/openssl/ossl_x509.c;T; 0o;;[; I" ext/openssl/ossl_x509attr.c;T; 0o;;[; I" ext/openssl/ossl_x509cert.c;T; 0o;;[; I"ext/openssl/ossl_x509crl.c;T; 0o;;[; I"ext/openssl/ossl_x509ext.c;T; 0o;;[; I" ext/openssl/ossl_x509name.c;T; 0o;;[; I"ext/openssl/ossl_x509req.c;T; 0o;;[; I"#ext/openssl/ossl_x509revoked.c;T; 0o;;[; I"!ext/openssl/ossl_x509store.c;T; 0; 0; 0[[ U:RDoc::Constant[iI" VERSION;TI"OpenSSL::VERSION;T: public0o;;[; @'; 0@'@cRDoc::NormalModule0U;[iI"OPENSSL_VERSION;TI"OpenSSL::OPENSSL_VERSION;T;0o;;[o; ;[I"AVersion of OpenSSL the ruby OpenSSL extension was built with;T; @5; 0@5@@0U;[iI"OPENSSL_LIBRARY_VERSION;TI"%OpenSSL::OPENSSL_LIBRARY_VERSION;T;0o;;[; @5; 0@5@@0U;[iI"OPENSSL_VERSION_NUMBER;TI"$OpenSSL::OPENSSL_VERSION_NUMBER;T;0o;;[ o; ;[I"IVersion number of OpenSSL the ruby OpenSSL extension was built with ;TI"&(base 16). The formats are below.;T@1o:RDoc::Markup::List: @type: LABEL: @items[o:RDoc::Markup::ListItem: @label[I"OpenSSL 3;T;[o; ;[I"10xMNN00PP0 (major minor 00 patch 0);To;;[I"OpenSSL before 3;T;[o; ;[I"70xMNNFFPPS (major minor fix patch status);To;;[I" LibreSSL;T;[o; ;[I"&0x20000000 (fixed value);T@1o; ;[I"5See also the man page OPENSSL_VERSION_NUMBER(3).;T; @5; 0@5@@0U;[iI"LIBRESSL_VERSION_NUMBER;TI"%OpenSSL::LIBRESSL_VERSION_NUMBER;T;0o;;[o; ;[I"JVersion number of LibreSSL the ruby OpenSSL extension was built with ;TI"A(base 16). The format is 0xMNNFF00f (major minor fix 00 ;TI"Cstatus). This constant is only defined in LibreSSL cases.;T@1o; ;[I"6See also the man page LIBRESSL_VERSION_NUMBER(3).;T; @5; 0@5@@0U;[iI"OPENSSL_FIPS;TI"OpenSSL::OPENSSL_FIPS;T;0o;;[o; ;[I">Boolean indicating whether OpenSSL is FIPS-capable or not;T; @5; 0@5@@0[[[I" class;T[[;[ [I" Digest;TI"&ext/openssl/lib/openssl/digest.rb;T[I" debug;TI"ext/openssl/ossl.c;T[I" debug=;T@[I" errors;T@[I"fips_mode;T@[I"fips_mode=;T@[I" fixed_length_secure_compare;T@[I"secure_compare;TI"ext/openssl/lib/openssl.rb;T[:protected[[: private[[I" instance;T[[;[[;[[;[[@@[[U:RDoc::Context::Section[i0o;;[; 0; 0[9@ @@I")ext/openssl/lib/openssl/buffering.rb;T@@@@@!I"$ext/openssl/lib/openssl/pkey.rb;T@$@'@*@5@8@;@>@A@D@G@J@M@P@S@V@Y@\@_@b@e@h@k@n@q@t@w@z@}@@I"lib/net/http.rb;TI"lib/open-uri.rb;TI"*lib/rubygems/commands/cert_command.rb;TI"lib/rubygems/request.rb;TI""lib/rubygems/s3_uri_signer.rb;TI"lib/rubygems/security.rb;TI"$lib/rubygems/security/policy.rb;TI"$lib/rubygems/security/signer.rb;TI"'lib/rubygems/security/trust_dir.rb;TI"lib/rubygems/source/git.rb;TI"lib/securerandom.rb;TI"lib/un.rb;T@cRDoc::TopLevel