Merge pull request #413 from jlledom/fix-tests-last-openssl

Fix tests for recent openssl versions
3scale · Jan 13, 2025 · 137a303 · 137a303
2 parents 0537b18 + b471437
commit 137a303
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 28 deletions.
diff --git a/test/test_helpers/certificates.rb b/test/test_helpers/certificates.rb
@@ -28,31 +28,48 @@ def create_key(alg)
       end
     end
 
-    def create_cert(key = create_key(:rsa))
-      public_key = get_public_key(key)
+    def create_ca(key = create_key(:rsa))
+      root_ca = OpenSSL::X509::Certificate.new
+      root_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
+      root_ca.serial = 0x1
+      root_ca.subject = OpenSSL::X509::Name.parse "/DC=test/DC=backend/CN=TestCA"
+      root_ca.issuer = root_ca.subject # root CA's are "self-signed"
+      root_ca.public_key = get_public_key(key)
+      root_ca.not_before = Time.now
+      root_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity
 
-      subject = "/C=BE/O=Test/OU=Test/CN=Test"
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = root_ca
+      ef.issuer_certificate = root_ca
+
+      root_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE", true))
+      root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
+      root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash", false))
+      root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always", false))
+
+      root_ca.sign(key, OpenSSL::Digest.new('SHA512'))
+
+      root_ca
+    end
 
+    def create_cert(key = create_key(:rsa), root_ca, root_key)
       cert = OpenSSL::X509::Certificate.new
-      cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
-      cert.not_before = Time.now
-      cert.not_after = Time.now + 365 * 24 * 60 * 60
-      cert.public_key = public_key
-      cert.serial = 0x0
       cert.version = 2
+      cert.serial = 0x2
+      cert.subject = OpenSSL::X509::Name.parse "/DC=test/DC=backend/CN=TestCert"
+      cert.issuer = root_ca.subject # root CA is the issuer
+      cert.public_key = get_public_key(key)
+      cert.not_before = Time.now
+      cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 year validity
 
       ef = OpenSSL::X509::ExtensionFactory.new
       ef.subject_certificate = cert
-      ef.issuer_certificate = cert
-      cert.extensions = [
-        ef.create_extension("basicConstraints","CA:TRUE", true),
-        ef.create_extension("subjectKeyIdentifier", "hash"),
-      # ef.create_extension("keyUsage", "cRLSign,keyCertSign", true),
-      ]
-      cert.add_extension ef.create_extension("authorityKeyIdentifier",
-                                             "keyid:always,issuer:always")
+      ef.issuer_certificate = root_ca
+
+      cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true))
+      cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash", false))
+      cert.sign(root_key, OpenSSL::Digest.new('SHA256'))
 
-      cert.sign key, (key.is_a?(OpenSSL::PKey::DSA) ? OpenSSL::Digest::SHA1.new : OpenSSL::Digest::SHA512.new)
       cert
     end
 

diff --git a/test/unit/storage_async_test.rb b/test/unit/storage_async_test.rb
@@ -228,7 +228,7 @@ def test_tls_no_client_certificate
     config_obj = {
       url: 'rediss://localhost:46379',
       ssl_params: {
-        ca_file: create_ca(:rsa).path
+        ca_file: create_certs(:rsa, ca_only: true).path
       }
     }
     storage = StorageAsync::Client.send :new, Storage::Helpers.config_with(config_obj)
@@ -285,16 +285,15 @@ def test_acl_tls
 
   private
 
-  def create_ca(alg)
-    Tempfile.new('ca-root-cert.pem').tap do |ca_cert_file|
-      ca_cert_file.write(create_cert(create_key(alg)).to_pem)
-      ca_cert_file.flush
-      ca_cert_file.close
-    end
-  end
+  def create_certs(alg, ca_only: false)
+    ca_cert_key = create_key alg
+    ca_cert = create_ca(ca_cert_key)
+    ca_cert_file = Tempfile.new('ca-root-cert.pem')
+    ca_cert_file.write(ca_cert.to_pem)
+    ca_cert_file.flush
+    ca_cert_file.close
 
-  def create_certs(alg)
-    ca_cert_file = create_ca(alg)
+    return ca_cert_file if ca_only
 
     key = create_key alg
     key_file = Tempfile.new("redis-#{alg}.pem")
@@ -303,7 +302,7 @@ def create_certs(alg)
     key_file.close
 
     cert_file = Tempfile.new("redis-#{alg}.crt")
-    cert_file.write(create_cert(key).to_pem)
+    cert_file.write(create_cert(key, ca_cert, ca_cert_key).to_pem)
     cert_file.flush
     cert_file.close