From 11216b8beca0b5e104052a6c9f15290300dbe8ca Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Thu, 4 Jul 2024 17:05:05 +0900
Subject: [PATCH 1/4] x509cert: simplify test cases for Certificate.load_file

Remove files from test/openssl/fixtures/pkey/ which are not pkeys.
The test cases for OpenSSL::X509::Certificate.load_file can simply use
issue_cert and Tempfile.
---
 test/openssl/fixtures/pkey/certificate.der | Bin 1325 -> 0 bytes
 test/openssl/fixtures/pkey/empty.der       |   0
 test/openssl/fixtures/pkey/empty.pem       |   0
 test/openssl/fixtures/pkey/fullchain.pem   |  56 ---------------------
 test/openssl/fixtures/pkey/garbage.txt     |   1 -
 test/openssl/test_x509cert.rb              |  51 +++++++++++++------
 test/openssl/utils.rb                      |   4 --
 7 files changed, 35 insertions(+), 77 deletions(-)
 delete mode 100644 test/openssl/fixtures/pkey/certificate.der
 delete mode 100644 test/openssl/fixtures/pkey/empty.der
 delete mode 100644 test/openssl/fixtures/pkey/empty.pem
 delete mode 100644 test/openssl/fixtures/pkey/fullchain.pem
 delete mode 100644 test/openssl/fixtures/pkey/garbage.txt

diff --git a/test/openssl/fixtures/pkey/certificate.der b/test/openssl/fixtures/pkey/certificate.der
deleted file mode 100644
index 7d44df8413aac2a7b71767f5926cb70c12bf77f2..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1325
zcmXqLV%0QgVi8=x%*4pVB*YS}Y5&@@R;=l@RQB2j6>jsr40zc%wc0$|zVk9Na<eiR
z7#VUKaI!Invaks=g$5gn8Hj*5T*ACQsU_;g3a)v{MU@35Fh$J5OhLv5a^k#3h6W~v
z<_1P4#)g(rV6M5L8I)@vV<=@H0WyYJSg^djTrW94B{jb!F}oDV$~9<WR6=$HBP#=Q
z6C*zZP@IdYiII`v_=?Ism+w#VdYhP&e&uU3&lZP68<(Z-l(4&<EF%(h&|LQ2ZjSio
zJKi?7wK-|p-6tlnX=pI2D*YA`t_cjX*=)3dsrH7~llj`xdGV|7DTQlEWLyXcckNMg
z-WA{XrX{^Y%W3bmj=-mT*BbNwKY!<l&R^lM-pMw3uagc$&aP8C6`sYzZxrI-V!3`o
z+4QLI;v4KFRmvuaJfF27((3T-$lZIg_D0QSJm15sRU^7_^@43K?w?cr6~A>qoMbzx
zr^>1MTJ>-D0P$2l@5%3;SHFF9AgW;h6U~I%=l@Fj-~4dnkJqkKJBxlrx;{HD*3g<N
z=qx9i7Z$gptDxNT_=&%Y=NqPJGBGnUFfMLl@-=8;@-*NBhNCP$BjbM-7G@^a1qQMp
zzA6hSo;bAG7+G1_nHk|MCIcRjv@l3HlK}%nF&~Q<i^!=?#hE)c1}Wrr+HMR=T_1ep
z^v*~Fd5~gd76}8f1`!dx&Enf5!cMOX;B<H<zkY7F$f08fp)ivf8Cg6H+zk|Ad;`Wd
z(TtLk0xNy}B4fRLy_{5FI?>B7N;gn~D`9FALnz5aDA6~N0og0aB5EMqge86WfMgX|
zTn(HJIM~?I8+jO+7!AzXxPiW9VQjh&^c<sshJhN)9wtUHDX2Zk1;s#XN{T^_0VZ0o
zdzu(o*|@-3uT?U!FtId#V`==%@R6aMVT!^YxxTBtIUU9FP2Ea5ycciz#^v}=u}!?~
zryt?F=nw+~W5wM!{~{O|SeO|+4BVI$85Tx3zdl%9^Ql5?^Rf9VA@^SBeHVDy?{9Bg
z`|WCCQlT_ZNvr?I(k)WS|7L%$sC#qe=!TEG<2$qdmui@Ci5IZCrExKoF?@@eqJOd6
zKuIJ-g2P}+Sl?q`VM*it_j&XcxX<`~OnD5o*bi*6yMZgv)NAGY>w44LcK*FplvjT;
zzOrX;*M9Rh(eEL$Grbg_w$5Nu;8m;I#dqM87_XMi(eSn)1<mvy`;3(Dwk&zJ?-RqZ
z*ME_-95CMlvm7Hsk)mPemRCVXXH5E6_(|dEN0%AFv2vL+=bvXkHT%b((`hS>)<0d%
z`rr2QKG7YmwflVgdrMEX`EQpL>%S@fJLpwIxE*I>!r55CUu7cf=@OSWdFVyF71$Bv
z9~?CKTXU>wg5=_tSGb&_8xFLn{9@i=sOc{3R1*BtXPNbD-E=+Ktrh=8I~6b6b^O{R
z`AqletB4ubtz(~fH2u4JSH{`#LjH}XKF_lKLtowPc+26nJ-T}4`t$iS*NH6n;p8h9
z*>mvJPPx@S2laVA@YL<uIgR5be`G~b_!)srcGliW@k<(~?9n{qw_0(cl0@9vrd)+9
Z0U@rN4*R}v51n<EYhLPhR_`rGH~}7;-uwUn

diff --git a/test/openssl/fixtures/pkey/empty.der b/test/openssl/fixtures/pkey/empty.der
deleted file mode 100644
index e69de29bb..000000000
diff --git a/test/openssl/fixtures/pkey/empty.pem b/test/openssl/fixtures/pkey/empty.pem
deleted file mode 100644
index e69de29bb..000000000
diff --git a/test/openssl/fixtures/pkey/fullchain.pem b/test/openssl/fixtures/pkey/fullchain.pem
deleted file mode 100644
index 624785d32..000000000
--- a/test/openssl/fixtures/pkey/fullchain.pem
+++ /dev/null
@@ -1,56 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFKTCCBBGgAwIBAgISBFspP+tJfRaC6xprreB4Rp9KMA0GCSqGSIb3DQEBCwUA
-MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
-EwJSMzAeFw0yMTA0MTcwMjQzMTlaFw0yMTA3MTYwMjQzMTlaMBwxGjAYBgNVBAMT
-EXd3dy5jb2Rlb3Rha3UuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAx6h5vNPfkkrtYWxn1PWDDLRAwrGmZbkYPttjHBRSwTcd7rsIX4PcSzw9fWxm
-K4vIkAYoKAElIvsSE3xRUjyzMrACfdhK5J8rG25fq94iVyoYaNBQV0WMJkO6X47s
-hGeIKkK91ohR5b2tMw3/z9zELP0TVo2TPG7rYsBZm34myldqDA8yVEBEOa+Qdpda
-9xewPhkkdpAU55qgWTrD21m7vGq9WpsBz4wNKnwVsaugtkRH82VPIfaL4ZI9kox6
-QoPWe/tHUBdlDkuT7ud77eLAWnC/5Clg28/9GU/Z8Nj8SrrKuXL6WUXmxxaAhWUR
-Qx4VblZeuIpwd0nHyP0hz4CWKQIDAQABo4ICTTCCAkkwDgYDVR0PAQH/BAQDAgWg
-MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
-A1UdDgQWBBTKiSGZuLFSIG2JPbFSZa9TxMu5WTAfBgNVHSMEGDAWgBQULrMXt1hW
-y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6
-Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu
-b3JnLzAcBgNVHREEFTATghF3d3cuY29kZW90YWt1LmNvbTBMBgNVHSAERTBDMAgG
-BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
-LmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AJQgvB6O
-1Y1siHMfgosiLA3R2k1ebE+UPWHbTi9YTaLCAAABeN3s/lgAAAQDAEgwRgIhAKFY
-Q+vBe3zyeBazxp8kVN7oLvcQ6Y9PPz199tVhYnEbAiEAhU/xdbQaY/6b93h+7NTF
-sPG7X4lq/3UoNgoXcAVGZgoAdgD2XJQv0XcwIhRUGAgwlFaO400TGTO/3wwvIAvM
-TvFk4wAAAXjd7P5OAAAEAwBHMEUCIQDWd79+jWaGuf3acm5/yV95jL2KvzeGFfdU
-HZlKIeWFmAIgDSZ6ug7AyhYNKjzFV4ZSICln+L4yI92EpOa+8gDG6/0wDQYJKoZI
-hvcNAQELBQADggEBAHIhMYm06lLFmJL+cfIg5fFEmFNdHmmZn88Hypv4/MtmqTKv
-5asF/z3TvhW4hX2+TY+NdcqGT7cZFo/ZF/tS6oBXPgmBYM1dEfp2FAdnGNOySC5Y
-7RC4Uk9TUpP2g101YBmj6dQKQluAwIQk+gO4MSlHE0J0U/lMpjvrLWcuHbV4/xWJ
-IdM+iPq8GeYt5epYmNc7XeRIgv7V3RxDQdBv2OVM5mtPVerdiO0ISrdbe5mvz2+Z
-rhSg+EJNHlmMwcq5HqtMwS8M8Ax+vLmWCOkPWXhyV8wQaQcFjZJfpIGUvCnMTqsh
-kSIYXq2CbSDUUFRFssNN6EdVms0KnmW3BUu0xAk=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
-MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
-AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
-jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
-Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
-U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
-gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
-/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
-oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
-BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
-ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
-p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
-AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
-Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
-LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
-r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
-AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
-ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
-S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
-qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
-O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
-UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
------END CERTIFICATE-----
diff --git a/test/openssl/fixtures/pkey/garbage.txt b/test/openssl/fixtures/pkey/garbage.txt
deleted file mode 100644
index 557db03de..000000000
--- a/test/openssl/fixtures/pkey/garbage.txt
+++ /dev/null
@@ -1 +0,0 @@
-Hello World
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index 6c16218f3..eecb985e1 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -370,34 +370,53 @@ def test_marshal
   end
 
   def test_load_file_empty_pem
-    empty_path = Fixtures.file_path("pkey", "empty.pem")
-    assert_raise(OpenSSL::X509::CertificateError) do
-      OpenSSL::X509::Certificate.load_file(empty_path)
+    Tempfile.create("empty.pem") do |f|
+      f.close
+
+      assert_raise(OpenSSL::X509::CertificateError) do
+        OpenSSL::X509::Certificate.load_file(f.path)
+      end
     end
   end
 
   def test_load_file_fullchain_pem
-    fullchain_path = Fixtures.file_path("pkey", "fullchain.pem")
-    certificates = OpenSSL::X509::Certificate.load_file(fullchain_path)
-    assert_equal 2, certificates.size
-    assert_equal "/CN=www.codeotaku.com", certificates[0].subject.to_s
-    assert_equal "/C=US/O=Let's Encrypt/CN=R3", certificates[1].subject.to_s
+    cert1 = issue_cert(@ee1, @rsa2048, 1, [], nil, nil)
+    cert2 = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
+
+    Tempfile.create("fullchain.pem") do |f|
+      f.puts cert1.to_pem
+      f.puts cert2.to_pem
+      f.close
+
+      certificates = OpenSSL::X509::Certificate.load_file(f.path)
+      assert_equal 2, certificates.size
+      assert_equal @ee1, certificates[0].subject
+      assert_equal @ca, certificates[1].subject
+    end
   end
 
   def test_load_file_certificate_der
-    fullchain_path = Fixtures.file_path("pkey", "certificate.der")
-    certificates = OpenSSL::X509::Certificate.load_file(fullchain_path)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
+    Tempfile.create("certificate.der", binmode: true) do |f|
+      f.write cert.to_der
+      f.close
 
-    # DER encoding can only contain one certificate:
-    assert_equal 1, certificates.size
-    assert_equal "/CN=www.codeotaku.com", certificates[0].subject.to_s
+      certificates = OpenSSL::X509::Certificate.load_file(f.path)
+
+      # DER encoding can only contain one certificate:
+      assert_equal 1, certificates.size
+      assert_equal cert.to_der, certificates[0].to_der
+    end
   end
 
   def test_load_file_fullchain_garbage
-    fullchain_path = Fixtures.file_path("pkey", "garbage.txt")
+    Tempfile.create("garbage.txt") do |f|
+      f.puts "not a certificate"
+      f.close
 
-    assert_raise(OpenSSL::X509::CertificateError) do
-      OpenSSL::X509::Certificate.load_file(fullchain_path)
+      assert_raise(OpenSSL::X509::CertificateError) do
+        OpenSSL::X509::Certificate.load_file(f.path)
+      end
     end
   end
 
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index f6c84eef6..4110d9b0f 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -24,10 +24,6 @@ def read_file(category, name)
       @file_cache[[category, name]] ||=
         File.read(File.join(__dir__, "fixtures", category, name + ".pem"))
     end
-
-    def file_path(category, name)
-      File.join(__dir__, "fixtures", category, name)
-    end
   end
 
   module_function

From 2f807ff30fb0df568c4d17eb9ea336305d5d0926 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Thu, 4 Jul 2024 17:28:10 +0900
Subject: [PATCH 2/4] pkey/ec: use heredoc for invalid key example in test
 cases

test/openssl/fixtures/pkey/p256_too_large.pem and p384_invalid.pem are
invalid keys where the encoded public key doesn't match the private key.
They are only useful for test cases for OpenSSL::PKey::EC#check_key and
will not be reused elsewhere. Let's directly include the PEM encoding
as a heredoc for clarity.

p384_invalid.pem is dropped because it is redundant.
---
 test/openssl/fixtures/pkey/p256_too_large.pem |  5 -----
 test/openssl/fixtures/pkey/p384_invalid.pem   |  6 ------
 test/openssl/test_pkey_ec.rb                  | 12 ++++++++----
 3 files changed, 8 insertions(+), 15 deletions(-)
 delete mode 100644 test/openssl/fixtures/pkey/p256_too_large.pem
 delete mode 100644 test/openssl/fixtures/pkey/p384_invalid.pem

diff --git a/test/openssl/fixtures/pkey/p256_too_large.pem b/test/openssl/fixtures/pkey/p256_too_large.pem
deleted file mode 100644
index a73ac37f8..000000000
--- a/test/openssl/fixtures/pkey/p256_too_large.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIP+TT0V8Fndsnacji9tyf6hmhHywcOWTee9XkiBeJoVloAoGCCqGSM49
-AwEHoUQDQgAEBkhhJIU/2/YdPSlY2I1k25xjK4trr5OXSgXvBC21PtY0HQ7lor7A
-jzT0giJITqmcd81fwGw5+96zLcdxTF1hVQ==
------END EC PRIVATE KEY-----
diff --git a/test/openssl/fixtures/pkey/p384_invalid.pem b/test/openssl/fixtures/pkey/p384_invalid.pem
deleted file mode 100644
index d5cdc9a3a..000000000
--- a/test/openssl/fixtures/pkey/p384_invalid.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDDA1Tm0m7YhkfeVpFuarAJYVlHp2tQj+1fOBiLa10t9E8TiQO/hVfxB
-vGaVEQwOheWgBwYFK4EEACKhZANiAASyGqmryZGqdpsq5gEDIfNvgC3AwSJxiBCL
-XKHBTFRp+tCezLDOK/6V8KK/vVGBJlGFW6/I7ahyXprxS7xs7hPA9iz5YiuqXlu+
-lbrIpZOz7b73hyQQCkvbBO/Avg+hPAk=
------END EC PRIVATE KEY-----
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
index 2cb8e287a..5a15c5441 100644
--- a/test/openssl/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@@ -88,12 +88,16 @@ def test_check_key
     assert_equal(true, key2.check_key)
 
     # Behavior of EVP_PKEY_public_check changes between OpenSSL 1.1.1 and 3.0
-    key4 = Fixtures.pkey("p256_too_large")
+    # The public key does not match the private key
+    key4 = OpenSSL::PKey.read(<<~EOF)
+    -----BEGIN EC PRIVATE KEY-----
+    MHcCAQEEIP+TT0V8Fndsnacji9tyf6hmhHywcOWTee9XkiBeJoVloAoGCCqGSM49
+    AwEHoUQDQgAEBkhhJIU/2/YdPSlY2I1k25xjK4trr5OXSgXvBC21PtY0HQ7lor7A
+    jzT0giJITqmcd81fwGw5+96zLcdxTF1hVQ==
+    -----END EC PRIVATE KEY-----
+    EOF
     assert_raise(OpenSSL::PKey::ECError) { key4.check_key }
 
-    key5 = Fixtures.pkey("p384_invalid")
-    assert_raise(OpenSSL::PKey::ECError) { key5.check_key }
-
     # EC#private_key= is deprecated in 3.0 and won't work on OpenSSL 3.0
     if !openssl?(3, 0, 0)
       key2.private_key += 1

From fed9d09b76a9a1fb9f4d2e62e79924e908b4419f Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Sat, 17 Aug 2024 15:04:00 +0900
Subject: [PATCH 3/4] pkey: fix test case for new_raw_*key

Method names must start with "test_" to run.
---
 test/openssl/test_pkey.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
index aae6b7e07..0a55364af 100644
--- a/test/openssl/test_pkey.rb
+++ b/test/openssl/test_pkey.rb
@@ -188,7 +188,7 @@ def test_x25519
       bob_public_raw
   end
 
-  def raw_initialize
+  def test_raw_initialize_errors
     pend "Ed25519 is not implemented" unless openssl?(1, 1, 1) # >= v1.1.1
 
     assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("foo123", "xxx") }

From 6cb6663c916ba56079e81dc6bf9ad97e7970b89f Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Tue, 7 Jan 2025 00:13:16 +0900
Subject: [PATCH 4/4] pkey: simplify X25519/Ed25519 test cases

When these test cases were written, we did not know the exact OpenSSL
and LibreSSL version number in which they would be implemented. Now that
we know it, we can use that information to ensure the tests are run
whenever they should be.

 - OpenSSL 1.1.0 added X25519 support
 - OpenSSL 1.1.1 added Ed25519 support and
   EVP_PKEY_new_raw_private_key()
 - LibreSSL 3.7.0 added X25519 and Ed25519 support in EVP_PKEY and
   EVP_PKEY_new_raw_private_key()
 - LibreSSL 3.8.1 allowed ASN1_item_sign() to use Ed25519
---
 test/openssl/test_pkey.rb | 71 ++++++++++++++++-----------------------
 1 file changed, 29 insertions(+), 42 deletions(-)

diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
index 0a55364af..5fe4a3efc 100644
--- a/test/openssl/test_pkey.rb
+++ b/test/openssl/test_pkey.rb
@@ -2,25 +2,20 @@
 require_relative "utils"
 
 class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
-  def test_generic_oid_inspect
+  def test_generic_oid_inspect_rsa
     # RSA private key
     rsa = Fixtures.pkey("rsa-1")
     assert_instance_of OpenSSL::PKey::RSA, rsa
     assert_equal "rsaEncryption", rsa.oid
     assert_match %r{oid=rsaEncryption}, rsa.inspect
+  end
+
+  def test_generic_oid_inspect_x25519
+    omit "X25519 not supported" unless openssl?(1, 1, 0) || libressl?(3, 7, 0)
+    omit_on_fips
 
     # X25519 private key
-    x25519_pem = <<~EOF
-    -----BEGIN PRIVATE KEY-----
-    MC4CAQAwBQYDK2VuBCIEIHcHbQpzGKV9PBbBclGyZkXfTC+H68CZKrF3+6UduSwq
-    -----END PRIVATE KEY-----
-    EOF
-    begin
-      x25519 = OpenSSL::PKey.read(x25519_pem)
-    rescue OpenSSL::PKey::PKeyError
-      # OpenSSL < 1.1.0
-      pend "X25519 is not implemented"
-    end
+    x25519 = OpenSSL::PKey.generate_key("X25519")
     assert_instance_of OpenSSL::PKey::PKey, x25519
     assert_equal "X25519", x25519.oid
     assert_match %r{oid=X25519}, x25519.inspect
@@ -112,18 +107,14 @@ def test_ed25519
     assert_equal pub_pem, priv.public_to_pem
     assert_equal pub_pem, pub.public_to_pem
 
-    begin
-      assert_equal "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
-        priv.raw_private_key.unpack1("H*")
-      assert_equal OpenSSL::PKey.new_raw_private_key("ED25519", priv.raw_private_key).private_to_pem,
-        priv.private_to_pem
-      assert_equal "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
-        priv.raw_public_key.unpack1("H*")
-      assert_equal OpenSSL::PKey.new_raw_public_key("ED25519", priv.raw_public_key).public_to_pem,
-        pub.public_to_pem
-    rescue NoMethodError
-      pend "running OpenSSL version does not have raw public key support"
-    end
+    assert_equal "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
+      priv.raw_private_key.unpack1("H*")
+    assert_equal OpenSSL::PKey.new_raw_private_key("ED25519", priv.raw_private_key).private_to_pem,
+      priv.private_to_pem
+    assert_equal "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
+      priv.raw_public_key.unpack1("H*")
+    assert_equal OpenSSL::PKey.new_raw_public_key("ED25519", priv.raw_public_key).public_to_pem,
+      pub.public_to_pem
 
     sig = [<<~EOF.gsub(/[^0-9a-f]/, "")].pack("H*")
     92a009a9f0d4cab8720e820b5f642540
@@ -146,6 +137,9 @@ def test_ed25519
   end
 
   def test_x25519
+    omit "X25519 not supported" unless openssl?(1, 1, 0) || libressl?(3, 7, 0)
+    omit_on_fips
+
     # Test vector from RFC 7748 Section 6.1
     alice_pem = <<~EOF
     -----BEGIN PRIVATE KEY-----
@@ -158,38 +152,31 @@ def test_x25519
     -----END PUBLIC KEY-----
     EOF
     shared_secret = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
-    begin
-      alice = OpenSSL::PKey.read(alice_pem)
-      bob = OpenSSL::PKey.read(bob_pem)
-    rescue OpenSSL::PKey::PKeyError
-      # OpenSSL < 1.1.0
-      pend "X25519 is not implemented"
-    end
+
+    alice = OpenSSL::PKey.read(alice_pem)
+    bob = OpenSSL::PKey.read(bob_pem)
     assert_instance_of OpenSSL::PKey::PKey, alice
     assert_equal alice_pem, alice.private_to_pem
     assert_equal bob_pem, bob.public_to_pem
     assert_equal [shared_secret].pack("H*"), alice.derive(bob)
-    begin
-      alice_private = OpenSSL::PKey.new_raw_private_key("X25519", alice.raw_private_key)
-      bob_public = OpenSSL::PKey.new_raw_public_key("X25519", bob.raw_public_key)
-      alice_private_raw = alice.raw_private_key.unpack1("H*")
-      bob_public_raw = bob.raw_public_key.unpack1("H*")
-    rescue NoMethodError
-      # OpenSSL < 1.1.1
-      pend "running OpenSSL version does not have raw public key support"
+
+    unless openssl?(1, 1, 1) || libressl?(3, 7, 0)
+      omit "running OpenSSL version does not have raw public key support"
     end
+    alice_private = OpenSSL::PKey.new_raw_private_key("X25519", alice.raw_private_key)
+    bob_public = OpenSSL::PKey.new_raw_public_key("X25519", bob.raw_public_key)
     assert_equal alice_private.private_to_pem,
       alice.private_to_pem
     assert_equal bob_public.public_to_pem,
       bob.public_to_pem
     assert_equal "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a",
-      alice_private_raw
+      alice.raw_private_key.unpack1("H*")
     assert_equal "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f",
-      bob_public_raw
+      bob.raw_public_key.unpack1("H*")
   end
 
   def test_raw_initialize_errors
-    pend "Ed25519 is not implemented" unless openssl?(1, 1, 1) # >= v1.1.1
+    omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 7, 0)
 
     assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("foo123", "xxx") }
     assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("ED25519", "xxx") }