From 95e16935d6b020f33f25a8be20c4d143ee266860 Mon Sep 17 00:00:00 2001 
From: Dimitri John Ledkov Date: Thu, 30 Jan 2025 11:45:42 +0000 Subject: [PATCH] unit-test: Improve test suite compatibility with newer OpenSSL No impact or changes to production scripts. More recent OpenSSL requires additional keyUsage & basic constraints to be set on the test certificates. Adjust test key generation to have them, note production certificates already have all of those settings. Fingerprint parsing had mismatched capitalization - asking OpenSSL to provide lowercase fingerprint and matching for uppercase one. Make them consistent. Without these changes test suite has these errors: CN = intermediate.managedssh.amazonaws.com error 89 at 1 depth lookup: Basic Constraints of CA cert not marked critical CN = intermediate.managedssh.amazonaws.com error 92 at 1 depth lookup: CA cert does not include key usage extension CN = managedssh.amazonaws.com error 92 at 2 depth lookup: CA cert does not include key usage extension error /dev/shm/tmp-i7Fdjp2e/cert.pem: verification failed mixed FAILED EXPECTED: exit 0 with output ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAQmefSRJyiAUSlICBKAO+4heV1kkA46PQm5ZQVxxhv7pF1yWWLhgFJ9IG9qmeeKIQ3bzKBzGv5UHSeJbuRfwY6ZtKynBfjzN1WRuYY2oaDjlh2vzK5WgvVttUJk8oAYcZM2h+aXpJtlWV95yqaTSD4XcuWOg3E3KCTcK2Xf/BaB4IN/pJF1SyuLg5ygWh0dKi4X+tH81aHcEg8pWfDLFkdKUF0d6GwIi+iCJxfb5bubY3/+0qYc0IqWOxa4vf6ggW7yI5m3mOX0kRuOAPEY/6fe4KfcGqLZvraKe1ZLYMgQUKuawhpPzooVeI/EtI3gtFDC0b8YAPjA2CUDc/3APR ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAQmefSRJyiAUSlICBKAO+4heV1kkA46PQm5ZQVxxhv7pF1yWWLhgFJ9IG9qmeeKIQ3bzKBzGv5UHSeJbuRfwY6ZtKynBfjzN1WRuYY2oaDjlh2vzK5WgvVttUJk8oAYcZM2h+aXpJtlWV95yqaTSD4XcuWOg3E3KCTcK2Xf/BaB4IN/pJF1SyuLg5ygWh0dKi4X+tH81aHcEg8pWfDLFkdKUF0d6GwIi+iCJxfb5bubY3/+0qYc0IqWOxa4vf6ggW7yI5m3mOX0kRuOAPEY/6fe4KfcGqLZvraKe1ZLYMgQUKuawhpPzooVeI/EtI3gtFDC0b8YAPjA2CUDc/3APR ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDAQmefSRJyiAUSlICBKAO+4heV1kkA46PQm5ZQVxxhv7pF1yWWLhgFJ9IG9qmeeKIQ3bzKBzGv5UHSeJbuRfwY6ZtKynBfjzN1WRuYY2oaDjlh2vzK5WgvVttUJk8oAYcZM2h+aXpJtlWV95yqaTSD4XcuWOg3E3KCTcK2Xf/BaB4IN/pJF1SyuLg5ygWh0dKi4X+tH81aHcEg8pWfDLFkdKUF0d6GwIi+iCJxfb5bubY3/+0qYc0IqWOxa4vf6ggW7yI5m3mOX0kRuOAPEY/6fe4KfcGqLZvraKe1ZLYMgQUKuawhpPzooVeI/EtI3gtFDC0b8YAPjA2CUDc/3APR ACTUAL: exit 2 with output With these changes in place: $ ./bin/unit_test_suite.sh empty PASSED invalid-signature PASSED different-fingerprint PASSED expired-timestamp PASSED invalid-instance PASSED missing-data PASSED mixed PASSED valid-key PASSED
--- bin/unit-test/setup_certificates.sh | 5 +++-- bin/unit_test_suite.sh | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/bin/unit-test/setup_certificates.sh b/bin/unit-test/setup_certificates.sh
index 30a5087..c66de21 100755
--- a/bin/unit-test/setup_certificates.sh
+++ b/bin/unit-test/setup_certificates.sh
@@ -78,7 +78,8 @@ extendedKeyUsage = OCSPSigning
 [v3_ca]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:TRUE
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign
 [req]
 distinguished_name = req_distinguished_name
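Review bot: The two new lines in `[v3_ca]` carry no comment saying why `critical` and the key-usage bits are now required, so a later cleanup of this test config can drop them and silently reintroduce the `openssl verify` failures quoted in the commit message. Suggest a comment above `basicConstraints`, e.g. `# Newer OpenSSL verify rejects CA certs whose basicConstraints is not critical or that lack a keyUsage extension`. `digitalSignature` is not needed by a CA that only signs certificates and CRLs; if OCSP responses are signed by a separate responder cert (the `extendedKeyUsage = OCSPSigning` context just above suggests one), the root's usage could stay at `cRLSign, keyCertSign` — harmless either way for a test CA, and the message says production already carries these settings.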
@@ -91,7 +92,7 @@ sed -i "s|REPLACE_WITH_CERTPATH|${certpath}|" "${certpath}/ca.conf"
 # Generate the CA
 "${OPENSSL}" genrsa -out "${certpath}/ca.key" 2048 > /dev/null 2>&1
-"${OPENSSL}" req -x509 -new -nodes -key "${certpath}/ca.key" -sha256 -days 1 -out "${certpath}/ca.crt" -subj "/CN=managedssh.amazonaws.com" > /dev/null 2>&1
+"${OPENSSL}" req -x509 -new -nodes -config "${certpath}/ca.conf" -key "${certpath}/ca.key" -sha256 -days 1 -out "${certpath}/ca.crt" -extensions v3_ca -subj "/CN=managedssh.amazonaws.com" > /dev/null 2>&1
 "${OPENSSL}" x509 -in "${certpath}/ca.crt" -outform PEM -out "${certpath}/ca.pem"
 subject=$("${OPENSSL}" x509 -noout -subject -in "${certpath}/ca.pem" | sed -n -e 's/^.*CN=//p')
 # Add "# subject" to start
diff --git a/bin/unit_test_suite.sh b/bin/unit_test_suite.sh
index ab6df32..3342b7a 100755
--- a/bin/unit_test_suite.sh
+++ b/bin/unit_test_suite.sh
@@ -31,8 +31,8 @@ trap 'rm -rf "${tmpdir}"' EXIT
 # Combine unittest & intermediate into the trust chain for the actual AuthorizedKeysCommand
 cat "${tmpdir}/unittest.pem" "${tmpdir}/intermediate.pem" "${tmpdir}/ca.pem" > "${tmpdir}/chain.pem"
-intermediate_fingerprint="$(openssl x509 -noout -fingerprint -sha1 -inform pem -in "${tmpdir}/intermediate.pem" | sed -n 's/SHA1 Fingerprint=\(.*\)/\1/p' | tr -d ':')"
-unittest_fingerprint="$(openssl x509 -noout -fingerprint -sha1 -inform pem -in "${tmpdir}"/unittest.pem | sed -n 's/SHA1 Fingerprint=\(.*\)/\1/p' | tr -d ':')"
+intermediate_fingerprint="$(openssl x509 -noout -fingerprint -SHA1 -inform pem -in "${tmpdir}/intermediate.pem" | sed -n 's/SHA1 Fingerprint=\(.*\)/\1/p' | tr -d ':')"
+unittest_fingerprint="$(openssl x509 -noout -fingerprint -SHA1 -inform pem -in "${tmpdir}"/unittest.pem | sed -n 's/SHA1 Fingerprint=\(.*\)/\1/p' | tr -d ':')"
 # Generate OCSP for those certificates
 "${TOPDIR}/bin/unit-test/generate_ocsp.sh" "${OPENSSL}" "${tmpdir}/intermediate.crt" "${tmpdir}/ca" "${tmpdir}/${intermediate_fingerprint}"
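Review bot: The rewritten `req -x509` line in `setup_certificates.sh` now depends on `-config "${certpath}/ca.conf"` and `-extensions v3_ca`, yet it still sends stdout and stderr to `/dev/null` and ignores the exit status, so a missing config, a missing `[v3_ca]` section, or a failed `REPLACE_WITH_CERTPATH` substitution (the `sed -i` in the hunk header is also unchecked) leaves no `ca.crt` and surfaces later as a confusing verification failure. Unless the script runs under `set -e` (not visible in this hunk), fail fast here, e.g. end the line with `>/dev/null 2>&1 || { echo "CA certificate generation failed" >&2; exit 1; }`, and consider the same for the `genrsa` line above it.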
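Review bot: The two fingerprint lines in the `unit_test_suite.sh` hunk invoke bare `openssl` from PATH while the `generate_ocsp.sh` call directly below passes `"${OPENSSL}"`, so the fingerprint and the OCSP data can come from two different OpenSSL builds — precisely the version-dependent output format the `-sha1` → `-SHA1` change is working around; use `"${OPENSSL}" x509 ...` on both lines. The fix also leaves the `sed` pattern tied to one spelling of the digest name, so any future change in how OpenSSL prints it again yields an empty variable and an OCSP output path of `${tmpdir}/`; match case-insensitively with `sed -n 's/^[Ss][Hh][Aa]1 Fingerprint=\(.*\)/\1/p'` and assert the result, e.g. `: "${intermediate_fingerprint:?fingerprint parse failed}"` (likewise for `unittest_fingerprint`). The quoting `"${tmpdir}"/unittest.pem` on the second line differs from `"${tmpdir}/intermediate.pem"` on the first; same result, but worth aligning.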