From 2fcd7c776838ca45897502db434e25a4be18b573 Mon Sep 17 00:00:00 2001 From: Michael Hashizume Date: Wed, 12 Jul 2023 10:32:10 -0700 Subject: [PATCH 1/2] (PUP-11935) Update JRuby in tests to 9.3.y.z Puppetserver upgraded from the JRuby 9.2.y.z series to JRuby 9.3.y.z as part of SERVER-3133. This commit updates the JRuby version used in Rspec tests to match the most recent JRuby version used in the Puppetserver 7.x series. --- .github/workflows/rspec_tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rspec_tests.yaml b/.github/workflows/rspec_tests.yaml index 7f2dba5efb3..b6e6c2efe05 100644 --- a/.github/workflows/rspec_tests.yaml +++ b/.github/workflows/rspec_tests.yaml @@ -20,7 +20,7 @@ jobs: - {os: ubuntu-latest, ruby: '2.6'} - {os: ubuntu-latest, ruby: '2.7'} - {os: ubuntu-latest, ruby: '3.0'} - - {os: ubuntu-latest, ruby: 'jruby-9.2.21.0'} + - {os: ubuntu-latest, ruby: 'jruby-9.3.9.0'} - {os: windows-2019, ruby: '2.5'} - {os: windows-2019, ruby: '2.6'} - {os: windows-2019, ruby: '2.7'} From 760ec827428e76c2ad158662b34b109a27b2baa9 Mon Sep 17 00:00:00 2001 From: Michael Hashizume Date: Fri, 15 Sep 2023 15:06:52 -0700 Subject: [PATCH 2/2] (PUP-11935) Handle JRuby OpenSSL behavior Starting with jruby-openssl 0.13.0[1] (which is included in JRuby >= 9.3.5.0), certificate signing raises an error when there is a discrepancy between the certificate and key. This behavior in JRuby differs from MRI OpenSSL. This commit adds a test for this JRuby-specific behavior and updates existing tests to skip when running on affected versions of JRuby. [1] https://github.com/jruby/jruby-openssl/commit/4b2968b3fd2ee9e5f91d34548e6b4faa270a3eb9 --- spec/unit/ssl/certificate_signer_spec.rb | 17 +++++++++++++++++ spec/unit/ssl/ssl_provider_spec.rb | 4 ++-- 2 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 spec/unit/ssl/certificate_signer_spec.rb 
diff --git a/spec/unit/ssl/certificate_signer_spec.rb b/spec/unit/ssl/certificate_signer_spec.rb new file mode 100644 index 00000000000..45f0108da15 --- /dev/null +++ b/spec/unit/ssl/certificate_signer_spec.rb @@ -0,0 +1,17 @@ +require 'spec_helper' + +describe Puppet::SSL::CertificateSigner do + include PuppetSpec::Files + + let(:wrong_key) { OpenSSL::PKey::RSA.new(512) } + let(:client_cert) { cert_fixture('signed.pem') } + + # jruby-openssl >= 0.13.0 (JRuby >= 9.3.5.0) raises an error when signing a + # certificate when there is a discrepancy between the certificate and key. + it 'raises if client cert signature is invalid', if: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do + expect { + client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new) + }.to raise_error(OpenSSL::X509::CertificateError, + 'invalid public key data') + end +end diff --git a/spec/unit/ssl/ssl_provider_spec.rb b/spec/unit/ssl/ssl_provider_spec.rb index 8a84fb8fafb..13321207dd8 100644 --- a/spec/unit/ssl/ssl_provider_spec.rb +++ b/spec/unit/ssl/ssl_provider_spec.rb @@ -298,7 +298,7 @@ ).to eq(['CN=signed', 'CN=Test CA Subauthority', 'CN=Test CA']) end - it 'raises if client cert signature is invalid' do + it 'raises if client cert signature is invalid', unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new) expect { subject.create_context(**config.merge(client_cert: client_cert)) @@ -337,7 +337,7 @@ end end - it 'raises if intermediate CA signature is invalid' do + it 'raises if intermediate CA signature is invalid', unless: Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6 do int = global_cacerts.last int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
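Review bot: The guard `Puppet::Util::Platform.jruby? && RUBY_VERSION.to_f >= 2.6` on the new `it` line keys on the Ruby compatibility level, not on the jruby-openssl release that the comment above it and the commit message name as the cause (0.13.0, shipped with JRuby >= 9.3.5.0). A JRuby that reports Ruby 2.6 but bundles an older jruby-openssl would presumably run this example and fail, and the same condition is reused as `unless:` in both spec/unit/ssl/ssl_provider_spec.rb hunks, where it would skip examples that could still run. `String#to_f` also misorders two-digit minor versions (`'2.10'.to_f` is 2.1). Comparing the runtime's own version would match the stated cause, e.g. `if: Puppet::Util::Platform.jruby? && Gem::Version.new(JRUBY_VERSION) >= Gem::Version.new('9.3.5.0')`, ideally defined once in a shared spec helper so the three call sites cannot drift apart.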
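Review bot: Skipping 'raises if client cert signature is invalid' here, and 'raises if intermediate CA signature is invalid' in the next hunk, means `create_context`'s rejection of a certificate with a bad signature is no longer exercised on JRuby, the runtime the commit message says Puppetserver uses. The skip is only needed because each example builds the bad signature at run time with `sign(wrong_key, OpenSSL::Digest::SHA256.new)`. A pre-generated fixture that already carries an invalid signature, loaded the way `cert_fixture('signed.pem')` is in the new spec, would keep this negative check running on every platform. If that is deferred, a comment above each `it` such as `# Skipped on JRuby >= 9.3.5.0: jruby-openssl refuses to sign with a mismatched key, so the bad-signature cert cannot be built here` would record that the gap is known. Both examples continue past the end of their hunks, so the assertions themselves are not visible here.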