pkey: unify error classes into PKeyError #929
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rhenium
force-pushed
the
ky/pkey-unify-errors
branch
from
2ff41f4 to
2cba2db
Compare
Remove the following subclasses of OpenSSL::PKey::PKeyError and make
them aliases of it.
- OpenSSL::PKey::DHError
- OpenSSL::PKey::DSAError
- OpenSSL::PKey::ECError
- OpenSSL::PKey::RSAError
Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey
raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise
their respective exception classes. However, this distinction is not
particularly useful since all those exception classes represent the
same kind of errors from the underlying EVP_PKEY API.
I think this convention comes from the fact that OpenSSL::PKey::{DH,
DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA,
and RSA, before they were unified to wrap EVP_PKEY, way back in 2002.
OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error
are out of scope of this change, as they are not subclasses of
OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY
API.
rhenium
force-pushed
the
ky/pkey-unify-errors
branch
from
2cba2db to
e74ff3e
Compare
enescakir
added a commit
to ubicloud/ubicloud
that referenced
this pull request
Jan 6, 2026
First rubocop fails with the following error:
lib/util.rb:29:3: W: Lint/ShadowedException: Do not shadow rescued Exceptions.
rescue OpenSSL::PKey::ECError, OpenSSL::PKey::DSAError ...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's starting to complain about because errors are unified under
OpenSSL::PKey::PKeyError at ruby/openssl#929
So no need to rescue specific errors anymore, we can just rescue the
parent error.
Secondly, postgres_resource_nexus_spec test fails with the following
error:
1) Prog::Postgres::PostgresResourceNexus#refresh_certificates rotates server certificate using root_cert_2 if root_cert_1 is close to expiration
Failure/Error: expect { nx.refresh_certificates }.to hop("wait")
ArgumentError:
OpenSSL::PKey::EC.new cannot be called without arguments; pkeys are immutable with OpenSSL 3.0
# ./prog/postgres/postgres_resource_nexus.rb:305:in 'OpenSSL::PKey::EC#initialize'
# ./prog/postgres/postgres_resource_nexus.rb:305:in 'Class#new'
# ./prog/postgres/postgres_resource_nexus.rb:305:in 'Prog::Postgres::PostgresResourceNexus#create_certificate'
# ./prog/postgres/postgres_resource_nexus.rb:187:in 'Prog::Postgres::PostgresResourceNexus#refresh_certificates'
# ./spec/prog/postgres/postgres_resource_nexus_spec.rb:324:in 'block (4 levels) in <top (required)>'
# ./spec/spec_helper.rb:173:in 'block (3 levels) in <top (required)>'
# ./spec/prog/postgres/postgres_resource_nexus_spec.rb:324:in 'block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:62:in 'block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:61:in 'block (2 levels) in <top (required)>'
It doesn't allow to pass nil to OpenSSL::PKey::EC.new anymore.
enescakir
added a commit
to ubicloud/ubicloud
that referenced
this pull request
Jan 6, 2026
First rubocop fails with the following error:
lib/util.rb:29:3: W: Lint/ShadowedException: Do not shadow rescued Exceptions.
rescue OpenSSL::PKey::ECError, OpenSSL::PKey::DSAError ...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's starting to complain about because errors are unified under
OpenSSL::PKey::PKeyError at ruby/openssl#929
So no need to rescue specific errors anymore, we can just rescue the
parent error.
Secondly, postgres_resource_nexus_spec test fails with the following
error:
1) Prog::Postgres::PostgresResourceNexus#refresh_certificates rotates server certificate using root_cert_2 if root_cert_1 is close to expiration
Failure/Error: expect { nx.refresh_certificates }.to hop("wait")
ArgumentError:
OpenSSL::PKey::EC.new cannot be called without arguments; pkeys are immutable with OpenSSL 3.0
# ./prog/postgres/postgres_resource_nexus.rb:305:in 'OpenSSL::PKey::EC#initialize'
# ./prog/postgres/postgres_resource_nexus.rb:305:in 'Class#new'
# ./prog/postgres/postgres_resource_nexus.rb:305:in 'Prog::Postgres::PostgresResourceNexus#create_certificate'
# ./prog/postgres/postgres_resource_nexus.rb:187:in 'Prog::Postgres::PostgresResourceNexus#refresh_certificates'
# ./spec/prog/postgres/postgres_resource_nexus_spec.rb:324:in 'block (4 levels) in <top (required)>'
# ./spec/spec_helper.rb:173:in 'block (3 levels) in <top (required)>'
# ./spec/prog/postgres/postgres_resource_nexus_spec.rb:324:in 'block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:62:in 'block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:61:in 'block (2 levels) in <top (required)>'
It doesn't allow to pass nil to OpenSSL::PKey::EC.new anymore.
enescakir
added a commit
to ubicloud/ubicloud
that referenced
this pull request
Jan 7, 2026
First rubocop fails with the following error:
lib/util.rb:29:3: W: Lint/ShadowedException: Do not shadow rescued Exceptions.
rescue OpenSSL::PKey::ECError, OpenSSL::PKey::DSAError ...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's starting to complain about because errors are unified under
OpenSSL::PKey::PKeyError at ruby/openssl#929
So no need to rescue specific errors anymore, we can just rescue the
parent error.
Secondly, postgres_resource_nexus_spec test fails with the following
error:
1) Prog::Postgres::PostgresResourceNexus#refresh_certificates rotates server certificate using root_cert_2 if root_cert_1 is close to expiration
Failure/Error: expect { nx.refresh_certificates }.to hop("wait")
ArgumentError:
OpenSSL::PKey::EC.new cannot be called without arguments; pkeys are immutable with OpenSSL 3.0
# ./prog/postgres/postgres_resource_nexus.rb:305:in 'OpenSSL::PKey::EC#initialize'
# ./prog/postgres/postgres_resource_nexus.rb:305:in 'Class#new'
# ./prog/postgres/postgres_resource_nexus.rb:305:in 'Prog::Postgres::PostgresResourceNexus#create_certificate'
# ./prog/postgres/postgres_resource_nexus.rb:187:in 'Prog::Postgres::PostgresResourceNexus#refresh_certificates'
# ./spec/prog/postgres/postgres_resource_nexus_spec.rb:324:in 'block (4 levels) in <top (required)>'
# ./spec/spec_helper.rb:173:in 'block (3 levels) in <top (required)>'
# ./spec/prog/postgres/postgres_resource_nexus_spec.rb:324:in 'block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:62:in 'block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:61:in 'block (2 levels) in <top (required)>'
It doesn't allow to pass nil to OpenSSL::PKey::EC.new anymore.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Remove the following subclasses of
OpenSSL::PKey::PKeyErrorand make them aliases of it.OpenSSL::PKey::DHErrorOpenSSL::PKey::DSAErrorOpenSSL::PKey::ECErrorOpenSSL::PKey::RSAErrorHistorically, methods defined on
OpenSSL::PKeyandOpenSSL::PKey::PKeyraiseOpenSSL::PKey::PKeyError, while methods on the subclasses raise their respective exception classes. However, this distinction is not particularly useful since all those exception classes represent the same kind of errors from the underlyingEVP_PKEYAPI.I think this convention comes from the fact that
OpenSSL::PKey::{DH, DSA,RSA}originally wrapped the corresponding OpenSSL structsDH,DSA, andRSA, before they were unified to wrapEVP_PKEY, way back in 2002.OpenSSL::PKey::EC::Group::ErrorandOpenSSL::PKey::EC::Point::Errorare out of scope of this change, as they are not subclasses ofOpenSSL::PKey::PKeyErrorand do not represent errors from theEVP_PKEYAPI.