Merge pull request #233 from bastelfreak/test

fix: remove `nokeys` option and set default empty import/export passwords
voxpupuli · Feb 10, 2025 · 084efb7 · 084efb7
2 parents b4f2682 + b92aaf3
commit 084efb7
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 8 deletions.
diff --git a/examples/export_pkcs12_from_key.pp b/examples/export_pkcs12_from_key.pp
@@ -37,3 +37,41 @@
   cert     => '/tmp/foo2.example.com.crt',
   out_pass => 'mahje1Qu',
 }
+
+# same as above, just no password for the X509/pkcs12
+openssl::certificate::x509 { 'foo3.example.com':
+  ensure       => present,
+  country      => 'CH',
+  organization => 'Example.com',
+  commonname   => 'foo3.example.com',
+  base_dir     => '/tmp',
+  owner        => 'nobody',
+  # This is just to speed up CI - use 2048 or more in production
+  key_size     => 1024,
+}
+-> openssl::export::pkcs12 { 'export3.pkcs12':
+  ensure  => 'present',
+  basedir => '/tmp',
+  pkey    => '/tmp/foo3.example.com.key',
+  cert    => '/tmp/foo3.example.com.crt',
+}
+
+# same as above, just with password for the X509 / no password for pkcs12
+openssl::certificate::x509 { 'foo4.example.com':
+  ensure       => present,
+  country      => 'CH',
+  organization => 'Example.com',
+  commonname   => 'foo4.example.com',
+  base_dir     => '/tmp',
+  owner        => 'nobody',
+  password     => 'mahje1Qu',
+  # This is just to speed up CI - use 2048 or more in production
+  key_size     => 1024,
+}
+-> openssl::export::pkcs12 { 'export4.pkcs12':
+  ensure  => 'present',
+  basedir => '/tmp',
+  pkey    => '/tmp/foo4.example.com.key',
+  cert    => '/tmp/foo4.example.com.crt',
+  in_pass => 'mahje1Qu',
+}
diff --git a/manifests/export/pem_key.pp b/manifests/export/pem_key.pp
@@ -26,18 +26,18 @@
 ) {
   if $ensure == 'present' {
     if $in_pass {
-      $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+      $passin_opt = ['-passin', 'env:CERTIFICATE_PASSIN']
       $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
     } else {
-      $passin_opt = []
+      $passin_opt = ['-passin', 'pass:']
       $passin_env = []
     }
 
     if $out_pass {
-      $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+      $passout_opt = ['-passout', 'env:CERTIFICATE_PASSOUT']
       $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
     } else {
-      $passout_opt = []
+      $passout_opt = ['-nodes']
       $passout_env = []
     }
 

diff --git a/manifests/export/pkcs12.pp b/manifests/export/pkcs12.pp
@@ -34,18 +34,18 @@
 
   if $ensure == 'present' {
     if $in_pass {
-      $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+      $passin_opt = ['-passin', 'env:CERTIFICATE_PASSIN']
       $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
     } else {
-      $passin_opt = []
+      $passin_opt = ['-passin', 'pass:']
       $passin_env = []
     }
 
     if $out_pass {
-      $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+      $passout_opt = ['-passout', 'env:CERTIFICATE_PASSOUT']
       $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
     } else {
-      $passout_opt = []
+      $passout_opt = ['-passout', 'pass:']
       $passout_env = []
     }
 

diff --git a/spec/acceptance/pkcs12_spec.rb b/spec/acceptance/pkcs12_spec.rb
@@ -10,6 +10,12 @@
     it { expect(file('/tmp/foo2.example.com.crt')).to be_file.and(have_attributes(owner: 'nobody', group: 'root')) }
     it { expect(file('/tmp/foo2.example.com.key')).to be_file.and(have_attributes(owner: 'nobody', group: 'root')) }
     it { expect(file('/tmp/export2.pkcs12.p12')).to be_file.and(have_attributes(owner: 'root', group: 'root')) }
+    it { expect(file('/tmp/foo3.example.com.crt')).to be_file.and(have_attributes(owner: 'nobody', group: 'root')) }
+    it { expect(file('/tmp/foo3.example.com.key')).to be_file.and(have_attributes(owner: 'nobody', group: 'root')) }
+    it { expect(file('/tmp/export3.pkcs12.p12')).to be_file.and(have_attributes(owner: 'root', group: 'root')) }
+    it { expect(file('/tmp/foo4.example.com.crt')).to be_file.and(have_attributes(owner: 'nobody', group: 'root')) }
+    it { expect(file('/tmp/foo4.example.com.key')).to be_file.and(have_attributes(owner: 'nobody', group: 'root')) }
+    it { expect(file('/tmp/export4.pkcs12.p12')).to be_file.and(have_attributes(owner: 'root', group: 'root')) }
   end
   # rubocop:disable RSpec/RepeatedExampleGroupBody
   describe file('/tmp/export.pkcs12.p12') do
@@ -19,5 +25,13 @@
   describe file('/tmp/export2.pkcs12.p12') do
     its(:size) { is_expected.to be > 0 }
   end
+
+  describe file('/tmp/export3.pkcs12.p12') do
+    its(:size) { is_expected.to be > 0 }
+  end
+
+  describe file('/tmp/export4.pkcs12.p12') do
+    its(:size) { is_expected.to be > 0 }
+  end
   # rubocop:enable RSpec/RepeatedExampleGroupBody
 end