ea4ff2c97f
- Certmonger SCEP renewal should not use old challenges (#1990926) - Certmonger certificates stuck in NEED_GUIDANCE (#2001082) - certmonger creates CSRs with invalid DER syntax for X509v3 extensions with critical=FALSE (#2012261) - Re-enable 003-csrgen test Resolves: #1990926, #2001082, #2012261
From 46cd5a7d9434ed104093152bdf0a55404e6a1c6b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 5 Oct 2021 11:04:10 -0400
Subject: [PATCH] Update csrgen test to understand OpenSSL 3.0.0 output
OpenSSL 3.0.0 changed a lot of output messages. When verifying
a certificate instead of printing just "verify OK" it prints
"Certificate request self-signature verify OK"
Modify the check to match both OpenSSL 1.x and 3.x
Related: https://pagure.io/certmonger/issue/223
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
tests/003-csrgen-ec/run.sh | 4 ++--
tests/003-csrgen-rsa/run.sh | 4 ++--
tests/003-csrgen/run.sh | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
index 91117ec8..7c0505f8 100755
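--- a/tests/003-csrgen-ec/run.sh
+++ b/tests/003-csrgen-ec/run.sh
@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss.
 openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der
 # The RSA tests already verify the contents of the requests, so we really only
 # need to care about the signatures passing verification.
-openssl req -verify -noout < csr.nss.$size 2>&1
-openssl req -verify -noout < csr.openssl.$size 2>&1
+openssl req -verify -noout -noenc < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'
+openssl req -verify -noout -noenc < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'
 openssl spkac -verify -noout < spkac.nss.$size 2>&1
 openssl spkac -verify -noout < spkac.openssl.$size 2>&1
 openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1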
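Review bot: Both new `openssl req` lines pass `-noenc`, which as far as I know was introduced in OpenSSL 3.0 (1.x only has `-nodes`), so the stated goal of matching both 1.x and 3.x may not hold: a 1.x `openssl` would likely reject the option, and its error text would land in the compared output via `2>&1`. The same flag is added in tests/003-csrgen-rsa/run.sh and tests/003-csrgen/run.sh. If 3.x is now the minimum, say so next to the command, e.g. `# -noenc needs OpenSSL >= 3.0; sed strips the 3.x prefix so the expected output stays "verify OK"`. The script continues beyond this hunk, so how the output is finally compared is not visible here.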
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
index bb8ebecb..4f0c0ef0 100755
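--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
@@ -118,14 +118,14 @@ iterate() {
 echo key_pubkey=616263 >> entry.openssl.$size
 $toolsdir/csrgen entry.nss.$size > csr.nss.$size
 # Both should verify.
- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
 echo Signature failed for OpenSSL:
 cat csr.openssl.$size
 echo Private key:
 awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size
 exit 1
 fi
- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
 echo Signature failed for NSS:
 cat csr.nss.$size
 echo Private key: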
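Review bot: The two rewritten `if test` lines now pass when exactly one line of the merged stdout/stderr contains the substring `verify OK`, whereas the old comparison required the whole output to equal `verify OK`, so any extra warning or error text from openssl is silently accepted by a test that gates CSR signature validity. Matching whole lines against the two known messages keeps the check closer to the old strictness on both versions: `grep -cxE "(Certificate request self-signature )?verify OK"`. tests/003-csrgen/run.sh receives the identical change and the same remark applies there. `iterate()` begins before this hunk and the second `if` block continues past it.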
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
index d3dfbaf0..093beabf 100755
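--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
@@ -170,14 +170,14 @@ iterate() {
 echo key_pubkey=616263 >> entry.openssl.$size
 $toolsdir/csrgen entry.nss.$size > csr.nss.$size
 # Both should verify.
- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
 echo Signature failed for OpenSSL:
 cat csr.openssl.$size
 echo Private key:
 awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size
 exit 1
 fi
- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
 echo Signature failed for NSS:
 cat csr.nss.$size
 echo Private key: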
--
2.31.1