Fix test CSR versions for OpenSSL 3.4 change

The only valid CSR version is version 1, which is encoded
with "csr.version = 0". Versions of OpenSSL prior to 3.4
would allow other versions to be set / versions to be unset
but OpenSSL 3.4 is strict about only allowing version 1.

This change updates the unit tests to use version 1 in
all CSRs generated as part of testing.  It also adds
the start of a script to help regenerate the
spec/fixtures/ssl directory contents.

Author: seanmil

spec/fixtures/ssl/generate_fixtures.rb

@@ -0,0 +1,54 @@
+# This will regenerate SSL fixtures.  It does not cover all fixtures yet.
+# Run it from the spec/fixtures/ssl directory.
+
+require_relative '../../lib/puppet_spec/ssl'
+
+def make_subject(name)
+  OpenSSL::X509::Name.new([["CN", name]])
+end
+
+def write_pem(content, path)
+  File.write(path, "#{content.to_text}\n#{content.to_pem}")
+  puts "Wrote #{content.class} to #{path}"
+end
+
+def read_pem(path, type)
+  text = File.read(path, encoding: 'UTF-8')
+  type.new(text)
+end
+
+def load_or_generate_key(path, size = nil)
+  if File.exist?(path)
+    puts "Loading RSA key from #{path}"
+    read_pem(path, OpenSSL::PKey::RSA)
+  else
+    puts "Generating new RSA key"
+    PuppetSpec::SSL.create_private_key(size)
+  end
+end
+
+def load_or_generate_csr(path, key = nil, name = nil)
+  if File.exist?(path)
+    puts "Loading CSR from #{path}"
+    return read_pem(path, OpenSSL::X509::Request)
+  end
+
+  raise "Must pass key and name parameters if CSR needs to be generated" unless key && name
+
+  csr = PuppetSpec::SSL.create_csr(key, "CN=#{name}")
+  puts "Generating new CSR for #{csr.subject}"
+  write_pem(csr, 'request.pem')
+end
+
+# Load or generate request-key.pem and request.pem
+req_key = load_or_generate_key('request-key.pem')
+req_csr = load_or_generate_csr('request.pem', req_key, 'pending')
+
+# Swap associated public key in request.pem to create a tampered CSR:
+unless File.exist?('tampered-csr.pem')
+  tampered_csr = load_or_generate_csr('request.pem')
+  tampered_csr.subject = make_subject('signed')
+  write_pem(tampered_csr, 'tampered-csr.pem')
+end
+
+puts "NOTE: Most fixtures are not yet able to be generated with this script"

spec/lib/puppet/test_ca.rb

@@ -34,7 +34,7 @@ def create_request(name)
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
       csr.subject = OpenSSL::X509::Name.new([["CN", name]])
-      csr.version = 2
+      csr.version = 0
       csr.sign(key, @digest)
       { private_key: key, csr: csr }
     end

spec/lib/puppet_spec/ssl.rb

@@ -61,7 +61,7 @@ def self.create_csr(key, name)
 
       csr.public_key = key.public_key
       csr.subject = OpenSSL::X509::Name.parse(name)
-      csr.version = 2
+      csr.version = 0
       csr.sign(key, DEFAULT_SIGNING_DIGEST)
 
       csr

spec/unit/ssl/certificate_request_spec.rb

@@ -314,6 +314,7 @@
     it "should use SHA1 to sign the csr when SHA256 isn't available" do
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
+      csr.version = 0
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(true)
       signer = Puppet::SSL::CertificateSigner.new
@@ -325,6 +326,7 @@
       key = OpenSSL::PKey::RSA.new(2048)
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
+      csr.version = 0
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(true)
@@ -337,6 +339,7 @@
       key = OpenSSL::PKey::RSA.new(2048)
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
+      csr.version = 0
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false)
@@ -349,6 +352,7 @@
     it "should use SHA224 to sign the csr when SHA256/SHA1/SHA512/SHA384 aren't available" do
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
+      csr.version = 0
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false)