cchandler / certificate_authority

Ruby gem for managing the core functions outlined in RFC-3280 for PKI
https://github.com/cchandler/certificate_authority
194 stars 44 forks

Doesn't work against openssl 3.0.0 #61

Closed terceiro closed 2 years ago

terceiro commented 2 years ago

Hi,

I'm updating certificate_authority to 1.0.0 in Debian, where we are now at ruby 3.0 and openssl 3.0.0, and the tests fail for me there:

$ gem list openssl

*** LOCAL GEMS ***

openssl (default: 3.0.0)
$ rake
/usr/lib/ruby-standalone/bin/ruby -I/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-support-3.9.3/lib:/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/lib /home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/exe/rspec --pattern spec/\*\*\{,/\*/\*\*\}/\*_spec.rb --colour --format progress --tag ~pkcs11
[Coveralls] Set up the SimpleCov formatter.
[Coveralls] Using SimpleCov's default settings.
Run options: exclude {:pkcs11=>true}
.......................................FFFFFFFFFFFFF*FFFF....................................................................................................................................

Pending: (Failures listed here are expected and do not affect your suite's status)

  1) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should contain a nested userNotice if specified
     # No reason given
     Failure/Error: config[k] = hash[k]

     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

Failures:

  1) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support BasicConstraints
     Failure/Error: config[k] = hash[k]

     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  2) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support subjectKeyIdentifier
     Failure/Error: config[k] = hash[k]

     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  3) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support authorityKeyIdentifier
     Failure/Error: config[k] = hash[k]

     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  4) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should order subjectKeyIdentifier before authorityKeyIdentifier
     Failure/Error: config[k] = hash[k]

     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  5) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support keyUsage
     Failure/Error: config[k] = hash[k]

     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  6) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support extendedKeyUsage
     Failure/Error: config[k] = hash[k]

     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  7) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should have a subjectAltName if specified
     Failure/Error: config[k] = hash[k]

     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  8) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should NOT have a subjectAltName if one was not specified
     Failure/Error: config[k] = hash[k]

     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  9) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should replace email:copy with email address
     Failure/Error: config[k] = hash[k]

     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  10) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates AuthorityInfoAccess should have an authority info access if specified
      Failure/Error: config[k] = hash[k]

      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  11) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should have a crlDistributionPoint if specified
      Failure/Error: config[k] = hash[k]

      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  12) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should NOT have a crlDistributionPoint if one was not specified
      Failure/Error: config[k] = hash[k]

      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  13) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should have a certificatePolicy if specified
      Failure/Error: config[k] = hash[k]

      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  14) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should NOT include a certificatePolicy if not specified
      Failure/Error: config[k] = hash[k]

      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  15) CertificateAuthority::Certificate Signing profile should be able to sign with an optional policy hash
      Failure/Error: config[k] = hash[k]

      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:353:in `block (3 levels) in <top (required)>'

  16) CertificateAuthority::Certificate Signing profile should support a default signing digest of SHA512
      Failure/Error: config[k] = hash[k]

      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:357:in `block (3 levels) in <top (required)>'

  17) CertificateAuthority::Certificate Signing profile should support a configurable digest algorithm
      Failure/Error: config[k] = hash[k]

      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:364:in `block (3 levels) in <top (required)>'

Finished in 1 second (files took 0.38893 seconds to load)
189 examples, 17 failures, 1 pending

Failed examples:

rspec ./spec/units/certificate_spec.rb:293 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support BasicConstraints
rspec ./spec/units/certificate_spec.rb:298 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support subjectKeyIdentifier
rspec ./spec/units/certificate_spec.rb:303 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support authorityKeyIdentifier
rspec ./spec/units/certificate_spec.rb:308 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should order subjectKeyIdentifier before authorityKeyIdentifier
rspec ./spec/units/certificate_spec.rb:315 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support keyUsage
rspec ./spec/units/certificate_spec.rb:320 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support extendedKeyUsage
rspec ./spec/units/certificate_spec.rb:180 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should have a subjectAltName if specified
rspec ./spec/units/certificate_spec.rb:186 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should NOT have a subjectAltName if one was not specified
rspec ./spec/units/certificate_spec.rb:192 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should replace email:copy with email address
rspec ./spec/units/certificate_spec.rb:211 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates AuthorityInfoAccess should have an authority info access if specified
rspec ./spec/units/certificate_spec.rb:226 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should have a crlDistributionPoint if specified
rspec ./spec/units/certificate_spec.rb:232 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should NOT have a crlDistributionPoint if one was not specified
rspec ./spec/units/certificate_spec.rb:248 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should have a certificatePolicy if specified
rspec ./spec/units/certificate_spec.rb:285 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should NOT include a certificatePolicy if not specified
rspec ./spec/units/certificate_spec.rb:352 # CertificateAuthority::Certificate Signing profile should be able to sign with an optional policy hash
rspec ./spec/units/certificate_spec.rb:356 # CertificateAuthority::Certificate Signing profile should support a default signing digest of SHA512
rspec ./spec/units/certificate_spec.rb:362 # CertificateAuthority::Certificate Signing profile should support a configurable digest algorithm

[Coveralls] Outside the CI environment, not sending data.
/usr/lib/ruby-standalone/bin/ruby -I/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-support-3.9.3/lib:/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/lib /home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/exe/rspec --pattern spec/\*\*\{,/\*/\*\*\}/\*_spec.rb --colour --format progress --tag ~pkcs11 failed

This change makes all the tests pass, but is probably breaking something that is not covered by the tests:

diff --git a/lib/certificate_authority/certificate.rb b/lib/certificate_authority/certificate.rb
index cdf432c..63d150b 100644
--- a/lib/certificate_authority/certificate.rb
+++ b/lib/certificate_authority/certificate.rb
@@ -92,7 +92,7 @@ module CertificateAuthority

       self.extensions.keys.each do |k|
         config_extensions = extensions[k].config_extensions
-        openssl_config = merge_options(openssl_config,config_extensions)
+        #openssl_config = merge_options(openssl_config,config_extensions)
       end

       # p openssl_config.sections
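
Review bot: Commenting out the `merge_options` call inside the `self.extensions.keys.each` loop leaves `config_extensions` computed and then discarded, so `openssl_config` never receives any per-extension settings and whatever `sign!` derives from them is silently skipped while the suite goes green. The trace points at the `config[k] = hash[k]` assignment inside `merge_options` (certificate.rb:229), so that is the place to change: build the merged configuration without `OpenSSL::Config#[]=` instead of skipping the merge, and add a spec that asserts a config-dependent extension value on the signed certificate so a dropped merge fails a test. If the call really is meant to go, delete the line and the now-unused `config_extensions` local rather than leaving commented-out code.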
terceiro commented 2 years ago

Sorry for the noise, this has been fixed in e324a15703be4d6b907155ea101c76b051f6d40a
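
One way to merge extension sections into an `OpenSSL::Config` without the `[]=` setter that the trace reports as missing, as an added example (it is not the gem's code and not the change in the commit referenced above). The helper name `merge_into_config`, the `{section => {key => value}}` shape of the additions, and the choice to reject rather than escape special characters are assumptions made for this sketch.

```ruby
require "openssl"

# Section and key names are restricted to an allow-list; values may not carry
# characters the OpenSSL config syntax interprets (line breaks, escapes,
# variable expansion, quotes, comments). Rejecting them keeps a value from
# injecting extra keys or sections when the config is re-serialised as text.
NAME_OK   = /\A[\w.\-]+\z/
VALUE_BAD = /[\r\n\\$"'#]/

def check_name!(name)
  text = name.to_s
  raise ArgumentError, "unsafe config name: #{text.inspect}" unless text.match?(NAME_OK)
  text
end

def check_value!(value)
  text = value.to_s
  raise ArgumentError, "unsafe config value: #{text.inspect}" if text.match?(VALUE_BAD)
  text
end

# Returns a NEW OpenSSL::Config containing every section of `base` plus
# `additions`; additions win on conflict. `base` is never mutated, so this
# only needs the read-side API (sections, []) and Config.parse.
def merge_into_config(base, additions)
  merged = {}
  base.sections.each { |section| merged[section] = base[section].dup }
  additions.each do |section, pairs|
    target = (merged[section.to_s] ||= {})
    pairs.each { |key, value| target[key.to_s] = value }
  end

  text = merged.map do |section, pairs|
    body = pairs.map { |key, value| "#{check_name!(key)} = #{check_value!(value)}\n" }
    "[ #{check_name!(section)} ]\n" + body.join
  end.join("\n")
  OpenSSL::Config.parse(text)
end

if __FILE__ == $0
  # Constructed sample input, not taken from the gem's specs.
  base = OpenSSL::Config.parse("[ ca_ext ]\nbasicConstraints = CA:TRUE\n")
  out  = merge_into_config(base, { "ca_ext" => { "keyUsage" => "critical,keyCertSign" } })
  puts out.sections.inspect
end
```
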