cchandler / certificate_authority

Ruby gem for managing the core functions outlined in RFC-3280 for PKI
https://github.com/cchandler/certificate_authority

"CertificateAuthority::Certificate from_openssl should check to make sure that if a certificate had extensions they were imported" fails with OpenSSL 3.0 #62

Open enr0n opened 2 years ago

enr0n commented 2 years ago

The print format for X509v3 authority key identifier was changed in openssl, and in openssl >= 3.0 the keyid: prefix is no longer included in most cases. See https://github.com/openssl/openssl/commit/86afd005fb8184e37c41d85128a01b58ac152d60 and https://github.com/openssl/openssl/pull/6226 for context.

This appears to cause a test failure when running against openssl 3.0:

Failures:

  1) CertificateAuthority::Certificate from_openssl should check to make sure that if a certificate had extensions they were imported
     Failure/Error: expect(@cert_with_extensions.extensions["authorityKeyIdentifier"]).to eq(expected_authorityKeyIdentifier)

       expected: #<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e61018 @critical=false, @identifier="keyid:4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">
            got: #<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e58828 @critical=false, @identifier="4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">

       (compared using ==)

       Diff:

       @@ -1,5 +1,4 @@
       -#<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e61018
       +#<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e58828
         @critical=false,
       - @identifier=
       -  "keyid:4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">
       + @identifier="4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">
     # ./spec/units/certificate_spec.rb:427:in `block (3 levels) in <top (required)>'

Finished in 1.22 seconds (files took 0.44575 seconds to load)
189 examples, 1 failure, 1 pending

Failed examples:

rspec ./spec/units/certificate_spec.rb:403 # CertificateAuthority::Certificate from_openssl should check to make sure that if a certificate had extensions they were imported

This is from an Ubuntu package build, and the full log can be found here: https://launchpadlibrarian.net/609963185/buildlog_ubuntu-kinetic-amd64.ruby-certificate-authority_1.0.0-1_BUILDING.txt.gz.
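The failure above comes from comparing the human-readable `ext.value` string, whose format OpenSSL changed between 1.1 and 3.0. The following is an added example (not code from the certificate_authority gem or its specs) showing the version-independent alternative: decode the extension's DER and hex-encode the `keyIdentifier` directly, with a text normaliser that accepts both the `keyid:`-prefixed and the bare printed forms. The CA and leaf certificates are constructed in the script for demonstration; the helper names are my own.

```ruby
require "openssl"

# Build a self-signed CA plus one leaf certificate carrying an
# authorityKeyIdentifier extension. Constructed demo data, not the gem's
# own fixtures.
def build_demo_chain
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = OpenSSL::X509::Name.parse("/CN=Demo Root CA")
  ca.issuer = ca.subject
  ca.public_key = ca_key.public_key
  ca.not_before = Time.now
  ca.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ca
  ef.issuer_certificate = ca
  ca.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  ca.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  ca.sign(ca_key, OpenSSL::Digest.new("SHA256"))

  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse("/CN=demo.example")
  leaf.issuer = ca.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = Time.now
  leaf.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = leaf
  ef.issuer_certificate = ca
  # "keyid:always" copies the issuer's subjectKeyIdentifier into the leaf's AKI.
  leaf.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always"))
  leaf.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  [ca, leaf]
end

def find_extension(cert, oid)
  cert.extensions.find { |e| e.oid == oid }
end

# Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
#                          extnValue OCTET STRING }
# Return the raw extnValue bytes; this never goes through the text printer.
def extn_value_bytes(ext)
  OpenSSL::ASN1.decode(ext.to_der).value.last.value
end

# Same presentation OpenSSL uses for key identifiers: "4C:58:CB:..."
def to_colon_hex(bytes)
  bytes.unpack1("H*").upcase.scan(/../).join(":")
end

# AuthorityKeyIdentifier ::= SEQUENCE {
#   keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL, ... }
def authority_key_id_hex(cert)
  ext = find_extension(cert, "authorityKeyIdentifier")
  return nil unless ext
  aki = OpenSSL::ASN1.decode(extn_value_bytes(ext))
  key_id = aki.value.find { |el| el.tag_class == :CONTEXT_SPECIFIC && el.tag == 0 }
  key_id && to_colon_hex(key_id.value)
end

# SubjectKeyIdentifier ::= OCTET STRING
def subject_key_id_hex(cert)
  ext = find_extension(cert, "subjectKeyIdentifier")
  return nil unless ext
  to_colon_hex(OpenSSL::ASN1.decode(extn_value_bytes(ext)).value)
end

# Fallback for code that only has the printed form: OpenSSL 1.1 prints
# "keyid:4C:58:...", OpenSSL 3.x prints "4C:58:..."; accept both.
def normalize_aki_text(text)
  text.to_s.lines.first.to_s.strip.sub(/\Akeyid:/i, "")
end

if $PROGRAM_NAME == __FILE__
  ca, leaf = build_demo_chain
  puts "runtime OpenSSL : #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  puts "printed AKI     : #{find_extension(leaf, 'authorityKeyIdentifier').value.inspect}"
  puts "decoded AKI     : #{authority_key_id_hex(leaf)}"
  puts "issuer SKI      : #{subject_key_id_hex(ca)}"
end
```

Run it under both library generations and the printed form changes while the decoded form does not; the decoded AKI also equals the CA's SKI, which is the property a chain builder actually needs. If a spec must branch on version anyway, `OpenSSL::OPENSSL_LIBRARY_VERSION` reports the library loaded at runtime, which is the one that determines the printed format.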

enr0n commented 2 years ago

This fixes the issue against openssl 3.0, but I guess a proper fix should check the openssl version?

--- a/spec/units/certificate_spec.rb
+++ b/spec/units/certificate_spec.rb
@@ -423,7 +423,7 @@
       expect(@cert_with_extensions.extensions["subjectKeyIdentifier"]).to eq(expected_subjectKeyIdentifier)

       expected_authorityKeyIdentifier = CertificateAuthority::Extensions::AuthorityKeyIdentifier.new
-      expected_authorityKeyIdentifier.identifier = "keyid:4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5"
+      expected_authorityKeyIdentifier.identifier = "4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5"
       expect(@cert_with_extensions.extensions["authorityKeyIdentifier"]).to eq(expected_authorityKeyIdentifier)

       expected_authorityInfoAccess = CertificateAuthority::Extensions::AuthorityInfoAccess.new
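Review bot: swapping the literal in the `expected_authorityKeyIdentifier.identifier = ...` line only moves the failure to OpenSSL 1.1 builds, where the printed value still carries the `keyid:` prefix that the old expectation encoded, so the spec would be wrong on whichever library the developer is not using. Rather than branching on the OpenSSL version in the spec, make the value the library stores version-independent: have `from_openssl` strip an optional `keyid:` prefix (or decode the extension's DER and hex-encode the keyIdentifier) so the spec can keep asserting one canonical `"4C:58:..."` string on both library generations.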
dentarg commented 1 year ago

https://github.com/cchandler/certificate_authority/pull/63 seems to address this