(PUP-11699) Add support for OpenSSL 3

joshcooper · joshcooper · commit f478bd00a2fa · 2023-01-11T23:44:10.000-08:00
OpenSSL 3 changed some of the error messages and X509_V_ERR_* error codes.
Update the tests to work with both openssl 1.1.1 and 3.0.
diff --git a/spec/unit/ssl/certificate_request_spec.rb b/spec/unit/ssl/certificate_request_spec.rb
@@ -198,7 +198,7 @@
 
         expect do
           request.generate(key, :csr_attributes => csr_attributes)
-        end.to raise_error Puppet::Error, /Cannot create CSR with attribute thats\.no\.moon: first num too large/
+        end.to raise_error Puppet::Error, /Cannot create CSR with attribute thats\.no\.moon: /
       end
 
       it "should support old non-DER encoded extensions" do
@@ -271,7 +271,7 @@
         exts = {"thats.no.moon" => "death star"}
         expect do
           request.generate(key, :extension_requests => exts)
-        end.to raise_error Puppet::Error, /Cannot create CSR with extension request thats\.no\.moon.*: first num too large/
+        end.to raise_error Puppet::Error, /Cannot create CSR with extension request thats\.no\.moon.*: /
       end
     end
 
@@ -313,6 +313,7 @@
 
     it "should use SHA1 to sign the csr when SHA256 isn't available" do
       csr = OpenSSL::X509::Request.new
+      csr.public_key = key.public_key
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(true)
       signer = Puppet::SSL::CertificateSigner.new
@@ -323,6 +324,7 @@
     it "should use SHA512 to sign the csr when SHA256 and SHA1 aren't available" do
       key = OpenSSL::PKey::RSA.new(2048)
       csr = OpenSSL::X509::Request.new
+      csr.public_key = key.public_key
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(true)
@@ -334,6 +336,7 @@
     it "should use SHA384 to sign the csr when SHA256/SHA1/SHA512 aren't available" do
       key = OpenSSL::PKey::RSA.new(2048)
       csr = OpenSSL::X509::Request.new
+      csr.public_key = key.public_key
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false)
@@ -345,6 +348,7 @@
 
     it "should use SHA224 to sign the csr when SHA256/SHA1/SHA512/SHA384 aren't available" do
       csr = OpenSSL::X509::Request.new
+      csr.public_key = key.public_key
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false)
diff --git a/spec/unit/ssl/ssl_provider_spec.rb b/spec/unit/ssl/ssl_provider_spec.rb
@@ -459,10 +459,13 @@
     it "raises if root CA's isCA basic constraint is false", unless: Puppet::Util::Platform.jruby? || OpenSSL::OPENSSL_VERSION_NUMBER < 0x10100000 do
       certs = [cert_fixture('bad-basic-constraints.pem'), cert_fixture('intermediate.pem')]
 
+      # openssl 3 returns 79
+      # define X509_V_ERR_NO_ISSUER_PUBLIC_KEY                 24
+      # define X509_V_ERR_INVALID_CA                           79
       expect {
         subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
       }.to raise_error(Puppet::SSL::CertVerifyError,
-                       "Certificate 'CN=Test CA' failed verification (24): invalid CA certificate")
+                       /Certificate 'CN=Test CA' failed verification \((24|79)\): invalid CA certificate/)
     end
 
     # OpenSSL < 1.1 does not verify basicConstraints
@@ -472,7 +475,7 @@
       expect {
         subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
       }.to raise_error(Puppet::SSL::CertVerifyError,
-                       "Certificate 'CN=Test CA Subauthority' failed verification (24): invalid CA certificate")
+                       /Certificate 'CN=Test CA Subauthority' failed verification \((24|79)\): invalid CA certificate/)
     end
 
     it 'accepts CA certs in any order' do
diff --git a/spec/unit/x509/cert_provider_spec.rb b/spec/unit/x509/cert_provider_spec.rb
@@ -280,7 +280,7 @@ def expects_private_file(path)
           # password is 74695716c8b6
           expect {
             provider.load_private_key('encrypted-key')
-          }.to raise_error(OpenSSL::PKey::PKeyError, /Could not parse PKey: no start line/)
+          }.to raise_error(OpenSSL::PKey::PKeyError, /Could not parse PKey: (no start line|bad decrypt)/)
         end
 
         it 'decrypts an RSA key previously saved using 3DES' do
@@ -315,7 +315,7 @@ def expects_private_file(path)
           # password is 74695716c8b6
           expect {
             provider.load_private_key('encrypted-ec-key')
-          }.to raise_error(OpenSSL::PKey::PKeyError, /(unknown|invalid) curve name|Could not parse PKey: no start line/)
+          }.to raise_error(OpenSSL::PKey::PKeyError, /(unknown|invalid) curve name|Could not parse PKey: (no start line|bad decrypt)/)
         end
       end
     end
