From 5c2a5d41d84b84134eebfba0a8128fecdb1103f6 Mon Sep 17 00:00:00 2001
From: Pavel Kovtunov
Date: Fri, 3 Jan 2025 09:40:05 +0100
Subject: [PATCH 1/6] fix: remove nokey option and set empty passwords
---
manifests/export/pem_key.pp | 8 ++++----
manifests/export/pkcs12.pp | 8 ++++----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/manifests/export/pem_key.pp b/manifests/export/pem_key.pp
index 390b8b14..af0aa9d0 100644
--- a/manifests/export/pem_key.pp
+++ b/manifests/export/pem_key.pp
@@ -26,18 +26,18 @@
 ) {
 if $ensure == 'present' {
 if $in_pass {
- $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+ $passin_opt = ['-passin', 'env:CERTIFICATE_PASSIN']
 $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
 } else {
- $passin_opt = []
+ $passin_opt = ['-passin', 'pass:']
 $passin_env = []
 }
 if $out_pass {
- $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+ $passout_opt = ['-passout', 'env:CERTIFICATE_PASSOUT']
 $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
 } else {
- $passout_opt = []
+ $passout_opt = ['-nodes']
 $passout_env = []
 }
diff --git a/manifests/export/pkcs12.pp b/manifests/export/pkcs12.pp
index ccef3f38..a6e6ef0b 100644
--- a/manifests/export/pkcs12.pp
+++ b/manifests/export/pkcs12.pp
@@ -34,18 +34,18 @@
 if $ensure == 'present' {
 if $in_pass {
- $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+ $passin_opt = ['-passin', 'env:CERTIFICATE_PASSIN']
 $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
 } else {
- $passin_opt = []
+ $passin_opt = ['-passin', 'pass:']
 $passin_env = []
 }
 if $out_pass {
- $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+ $passout_opt = ['-passout', 'env:CERTIFICATE_PASSOUT']
 $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
 } else {
- $passout_opt = []
+ $passout_opt = ['-passout', 'pass:']
 $passout_env = []
 }
From 87c1e605769fce33a32cf96033989301ab05c990 Mon Sep 17 00:00:00 2001
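Review bot: When `out_pass` is unset, the new `-nodes` makes `openssl pkcs12` write the extracted private key to `pem_key` in plaintext, so the key's confidentiality now rests entirely on the output file's ownership and mode; that resource is not visible in this hunk, so confirm the file is created with a restrictive mode (`0600` or tighter) before the key lands in it, and state the default in the parameter docs, e.g. `# @param out_pass Passphrase for the exported key; when undef the key is written unencrypted (-nodes).` On OpenSSL 3.x `-nodes` is a deprecated alias of `-noenc` and still works, so keeping it for 1.x compatibility is fine but deserves a one-line comment beside the assignment. The pkcs12.pp hunk below has the same documentation gap: its `-passout pass:` default produces a PKCS#12 bundle whose key is recoverable by anyone who can read the file, which should be said next to `out_pass` there as well. The enclosing define starts and ends outside both hunks.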
From: Marcus Poller
Date: Thu, 9 Jan 2025 18:09:44 +0100
Subject: [PATCH 2/6] Examples for Key->Cert->PKCS12->PEMkey to facilite automated testing
---
examples/export_pkc12_from_key.pp | 7 +++++++
examples/generate_cert_from_key.pp | 27 +++++++++++++++++++++++++++
examples/generate_key.pp | 5 +++++
examples/generate_pem_key.pp | 6 ++++++
4 files changed, 45 insertions(+)
create mode 100644 examples/export_pkc12_from_key.pp
create mode 100644 examples/generate_cert_from_key.pp
create mode 100644 examples/generate_key.pp
create mode 100644 examples/generate_pem_key.pp
diff --git a/examples/export_pkc12_from_key.pp b/examples/export_pkc12_from_key.pp
new file mode 100644
index 00000000..25eef346
--- /dev/null
+++ b/examples/export_pkc12_from_key.pp
@@ -0,0 +1,7 @@
+include openssl
+openssl::export::pkcs12 { 'export.pkcs12':
+ ensure => 'present',
+ basedir => '/tmp',
+ pkey => '/tmp/private.key',
+ cert => '/tmp/cert.crt',
+}
diff --git a/examples/generate_cert_from_key.pp b/examples/generate_cert_from_key.pp
new file mode 100644
index 00000000..f26155c3
--- /dev/null
+++ b/examples/generate_cert_from_key.pp
@@ -0,0 +1,27 @@
+include openssl
+
+file {'/tmp/template.cnf':
+ ensure => file,
+ content => epp('openssl/cert.cnf', {
+ 'country' => 'de',
+ 'state' => 'BW',
+ 'locality'=> 'undef',
+ 'organization'=> 'voxpupuli',
+ 'unit' => 'anybody',
+ 'commonname' => 'testpipeline.voxpupuli.org',
+ 'email' => 'do_not_reply@voxpupuli.org',
+ 'default_bits'=> 4096,
+ 'default_md' => 'sha256',
+ 'default_keyfile' => '/tmp/private.key',
+ 'basicconstraints' => ['CA:false'],
+ 'extendedkeyusages' => ['serverAuth'],
+ 'keyusages' => ['critical'],
+ 'subjectaltnames' => ['cert.voxpupuli.org', 'foo.bar.de'],
+ })
+}
+
+x509_cert { '/tmp/cert.crt':
+ ensure => present,
+ private_key => '/tmp/private.key',
+ template => '/tmp/template.cnf',
+}
diff --git a/examples/generate_key.pp b/examples/generate_key.pp
new file mode 100644
index 00000000..43ad8117
--- /dev/null
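Review bot: The example file is named `export_pkc12_from_key.pp` while the resource it demonstrates is `openssl::export::pkcs12` and the later example in this series is `x509_pkcs12_pemkey.pp`; renaming it to `export_pkcs12_from_key.pp` keeps the examples greppable by the define they exercise. It also quotes `ensure => 'present'` while the sibling examples added in this commit use the bare `present`; both work, but one form across the examples directory reads better.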
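Review bot: `'locality'=> 'undef'` hands the template the literal string `undef`, not Puppet's undef, so unless `openssl/cert.cnf` special-cases that string the generated config will carry a locality of `undef` in the subject; if the intent is to omit the field, drop the key or pass `undef` unquoted. `'keyusages' => ['critical']` likewise supplies only the `critical` modifier with no usage bits, which OpenSSL may reject as an invalid keyUsage extension — confirm this example actually yields `/tmp/cert.crt` on a CI host, or give it a real usage such as `['critical', 'digitalSignature', 'keyEncipherment']`. A one-line header comment stating that the example expects `/tmp/private.key` from `generate_key.pp` would also make the intended run order explicit.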
+++ b/examples/generate_key.pp
@@ -0,0 +1,5 @@
+contain openssl
+ssl_pkey { '/tmp/private.key':
+ ensure => present,
+}
+
diff --git a/examples/generate_pem_key.pp b/examples/generate_pem_key.pp
new file mode 100644
index 00000000..21ab3818
--- /dev/null
+++ b/examples/generate_pem_key.pp
@@ -0,0 +1,6 @@
+include openssl
+openssl::export::pem_key { 'key-UUID':
+ ensure => present,
+ pfx_cert => '/tmp/export.pkcs12.p12',
+ pem_key => '/tmp/key.pem'
+}
\ No newline at end of file
From d7476626e397027f0c7af4a700e98168a9143cd1 Mon Sep 17 00:00:00 2001
From: Marcus Poller
Date: Thu, 9 Jan 2025 18:19:46 +0100
Subject: [PATCH 3/6] lint: lint_fix
---
examples/export_pkc12_from_key.pp | 8 +++---
examples/generate_cert_from_key.pp | 40 +++++++++++++++---------------
examples/generate_key.pp | 1 -
examples/generate_pem_key.pp | 6 ++---
4 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/examples/export_pkc12_from_key.pp b/examples/export_pkc12_from_key.pp
index 25eef346..9d1daa6c 100644
--- a/examples/export_pkc12_from_key.pp
+++ b/examples/export_pkc12_from_key.pp
@@ -1,7 +1,7 @@
 include openssl
 openssl::export::pkcs12 { 'export.pkcs12':
- ensure => 'present',
- basedir => '/tmp',
- pkey => '/tmp/private.key',
- cert => '/tmp/cert.crt',
+ ensure => 'present',
+ basedir => '/tmp',
+ pkey => '/tmp/private.key',
+ cert => '/tmp/cert.crt',
 }
diff --git a/examples/generate_cert_from_key.pp b/examples/generate_cert_from_key.pp
index f26155c3..2a68d675 100644
--- a/examples/generate_cert_from_key.pp
+++ b/examples/generate_cert_from_key.pp
@@ -1,27 +1,27 @@
 include openssl
-file {'/tmp/template.cnf':
- ensure => file,
+file { '/tmp/template.cnf':
+ ensure => file,
 content => epp('openssl/cert.cnf', {
- 'country' => 'de',
- 'state' => 'BW',
- 'locality'=> 'undef',
- 'organization'=> 'voxpupuli',
- 'unit' => 'anybody',
- 'commonname' => 'testpipeline.voxpupuli.org',
- 'email' => 'do_not_reply@voxpupuli.org',
- 'default_bits'=> 4096,
- 'default_md' => 'sha256',
- 'default_keyfile' => '/tmp/private.key',
- 'basicconstraints' => ['CA:false'],
- 'extendedkeyusages' => ['serverAuth'],
- 'keyusages' => ['critical'],
- 'subjectaltnames' => ['cert.voxpupuli.org', 'foo.bar.de'],
- })
+ 'country' => 'de',
+ 'state' => 'BW',
+ 'locality' => 'undef',
+ 'organization' => 'voxpupuli',
+ 'unit' => 'anybody',
+ 'commonname' => 'testpipeline.voxpupuli.org',
+ 'email' => 'do_not_reply@voxpupuli.org',
+ 'default_bits' => 4096,
+ 'default_md' => 'sha256',
+ 'default_keyfile' => '/tmp/private.key',
+ 'basicconstraints' => ['CA:false'],
+ 'extendedkeyusages' => ['serverAuth'],
+ 'keyusages' => ['critical'],
+ 'subjectaltnames' => ['cert.voxpupuli.org', 'foo.bar.de'],
+ }),
 }
 x509_cert { '/tmp/cert.crt':
- ensure => present,
- private_key => '/tmp/private.key',
- template => '/tmp/template.cnf',
+ ensure => present,
+ private_key => '/tmp/private.key',
+ template => '/tmp/template.cnf',
 }
diff --git a/examples/generate_key.pp b/examples/generate_key.pp
index 43ad8117..ce9027cc 100644
--- a/examples/generate_key.pp
+++ b/examples/generate_key.pp
@@ -2,4 +2,3 @@
 ssl_pkey { '/tmp/private.key':
 ensure => present,
 }
-
diff --git a/examples/generate_pem_key.pp b/examples/generate_pem_key.pp
index 21ab3818..6addd620 100644
--- a/examples/generate_pem_key.pp
+++ b/examples/generate_pem_key.pp
@@ -1,6 +1,6 @@
 include openssl
 openssl::export::pem_key { 'key-UUID':
- ensure => present,
+ ensure => present,
 pfx_cert => '/tmp/export.pkcs12.p12',
- pem_key => '/tmp/key.pem'
-}
\ No newline at end of file
+ pem_key => '/tmp/key.pem',
+}
From a749147cb5d0e155b5fb2fd99f3052cc341d5372 Mon Sep 17 00:00:00 2001
From: Marcus Poller
Date: Fri, 10 Jan 2025 09:57:30 +0100
Subject: [PATCH 4/6] add example for OpenSSL PEM key
---
examples/x509_pkcs12_pemkey.pp | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 examples/x509_pkcs12_pemkey.pp
diff --git a/examples/x509_pkcs12_pemkey.pp b/examples/x509_pkcs12_pemkey.pp
new file mode 100644
index 00000000..b1055fa7
--- /dev/null
+++ b/examples/x509_pkcs12_pemkey.pp
@@ -0,0 +1,20 @@
+contain openssl
+
+openssl::certificate::x509 { 'sample_x509':
+ ensure => present,
+ base_dir => '/tmp',
+ key_size => 1024, #entropy in CI is limited
+}
+
+openssl::export::pkcs12 { 'export.pkcs12':
+ ensure => 'present',
+ basedir => '/tmp',
+ pkey => '/tmp/sample_x509.key',
+ cert => '/tmp/sample_x509.crt',
+}
+
+openssl::export::pem_key { 'key-UUID':
+ ensure => present,
+ pfx_cert => '/tmp/export.pkcs12.p12',
+ pem_key => '/tmp/key.pem',
+}
From 07e246996bd1b763dc4c73a1ac082e1d34708c0b Mon Sep 17 00:00:00 2001
From: Marcus Poller
Date: Fri, 10 Jan 2025 10:21:30 +0100
Subject: [PATCH 5/6] Test Case for x509->pkcs12 conversion
---
spec/acceptance/x509_pkcs12.rb | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 spec/acceptance/x509_pkcs12.rb
diff --git a/spec/acceptance/x509_pkcs12.rb b/spec/acceptance/x509_pkcs12.rb
new file mode 100644
index 00000000..0d229e1e
--- /dev/null
+++ b/spec/acceptance/x509_pkcs12.rb
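Review bot: `key_size => 1024` is below the 2048-bit RSA minimum that current distribution crypto policies and OpenSSL security levels commonly enforce, so on hosts where that floor applies the example may fail or produce a fixture that later steps reject; the inline reason `#entropy in CI is limited` is also not what makes RSA generation slow (prime search time grows with the key size, entropy demand does not), so `key_size => 2048, # keeps key generation fast in CI` states the real trade-off. The chain also relies on `openssl::export::pkcs12` naming its output `<basedir>/<title>.p12`, which is presumably how `pfx_cert => '/tmp/export.pkcs12.p12'` was derived; a short comment noting that coupling would save the next reader a lookup. The final `pem_key` step writes an unencrypted key to `/tmp/key.pem`, which is acceptable for a throwaway fixture and worth saying in a comment so the example is not copied as-is.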
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+# the openssl output changed and differs between EL9 vs older versions
+# https://github.com/mizzy/serverspec/commit/ac366dd40015f0b53e70a3ed881b931dfc83c603 might not be a correct fix
+# Ewoud is working on a fix in https://github.com/ekohl/serverspec/commit/64874e9c8cc70b097300c3a60281572a3528768e
+# in the meantime we won't use x509_certificate matcher
+describe 'x509 to pkcs12 to pem key' do
+ it_behaves_like 'the example', 'x509_pkcs12_pemkey.pp' do
+ it { expect(file('/tmp/sample_x509.crt')).to be_file.and(have_attributes(owner: 'root')) }
+ # it { expect(x509_certificate('/tmp/foo.example.com.crt')).to be_certificate.and(have_attributes(subject: 'C = CH, O = Example.com, CN = foo.example.com')) }
+
+ describe x509_certificate('/tmp/sample_x509.crt') do
+ it { is_expected.to be_certificate }
+ it { is_expected.to be_valid }
+ # its(:subject) { is_expected.to match_without_whitespace(%r{C = CH, O = Example.com, CN = foo.example.com}) }
+ its(:keylength) { is_expected.to eq 1024 }
+ end
+
+ # it { expect(file('/tmp/foo.example.com.key')).to be_file.and(have_attributes(owner: 'nobody', mode: '600')) }
+ # it { expect(x509_private_key('/tmp/foo.example.com.key', passin: 'pass:mahje1Qu')).to have_matching_certificate('/tmp/foo.example.com.crt') }
+ end
+end
From 6569c195d76d0bdb2d8cb8e5c6aa6cd2e23e2f53 Mon Sep 17 00:00:00 2001
From: Marcus Poller
Date: Fri, 10 Jan 2025 10:40:37 +0100
Subject: [PATCH 6/6] rspec pkcs12
---
examples/x509_pkcs12_pemkey.pp | 7 ++++---
.../{x509_pkcs12.rb => x509_pkcs12_spec.rb} | 11 ++++++-----
2 files changed, 10 insertions(+), 8 deletions(-)
rename spec/acceptance/{x509_pkcs12.rb => x509_pkcs12_spec.rb} (52%)
diff --git a/examples/x509_pkcs12_pemkey.pp b/examples/x509_pkcs12_pemkey.pp
index b1055fa7..4124a1c9 100644
--- a/examples/x509_pkcs12_pemkey.pp
+++ b/examples/x509_pkcs12_pemkey.pp
@@ -1,9 +1,10 @@
 contain openssl
 openssl::certificate::x509 { 'sample_x509':
- ensure => present,
- base_dir => '/tmp',
- key_size => 1024, #entropy in CI is limited
+ ensure => present,
+ base_dir => '/tmp',
+ key_size => 1024, #entropy in CI is limited
+ organization => 'voxpupuli',
 }
 openssl::export::pkcs12 { 'export.pkcs12':
diff --git a/spec/acceptance/x509_pkcs12.rb b/spec/acceptance/x509_pkcs12_spec.rb
similarity index 52%
rename from spec/acceptance/x509_pkcs12.rb
rename to spec/acceptance/x509_pkcs12_spec.rb
index 0d229e1e..a52f1958 100644
--- a/spec/acceptance/x509_pkcs12.rb
+++ b/spec/acceptance/x509_pkcs12_spec.rb
@@ -8,17 +8,18 @@
 # in the meantime we won't use x509_certificate matcher
 describe 'x509 to pkcs12 to pem key' do
 it_behaves_like 'the example', 'x509_pkcs12_pemkey.pp' do
- it { expect(file('/tmp/sample_x509.crt')).to be_file.and(have_attributes(owner: 'root')) }
- # it { expect(x509_certificate('/tmp/foo.example.com.crt')).to be_certificate.and(have_attributes(subject: 'C = CH, O = Example.com, CN = foo.example.com')) }
+ it { expect(file('/tmp/sample_x509.crt')).to be_file.and(its(:size) { is_expected.to > 0 }) }
+ it { expect(file('/tmp/sample_x509.key')).to be_file.and(its(:size) { is_expected.to > 0 }) }
+ it { expect(file('/tmp/export.pkcs12.p12')).to be_file.and(its(:size) { is_expected.to > 0 }) }
 describe x509_certificate('/tmp/sample_x509.crt') do
 it { is_expected.to be_certificate }
 it { is_expected.to be_valid }
- # its(:subject) { is_expected.to match_without_whitespace(%r{C = CH, O = Example.com, CN = foo.example.com}) }
 its(:keylength) { is_expected.to eq 1024 }
 end
- # it { expect(file('/tmp/foo.example.com.key')).to be_file.and(have_attributes(owner: 'nobody', mode: '600')) }
- # it { expect(x509_private_key('/tmp/foo.example.com.key', passin: 'pass:mahje1Qu')).to have_matching_certificate('/tmp/foo.example.com.crt') }
+ describe command('openssl -text -noout -in /tmp/export.pkcs12.p12 -inpass pass:') do
+ its(:exit_status) { is_expected.to eq 0 }
+ end
 end
 end
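Review bot: The three new `it` lines and the `command` block cannot pass as written: `its` is an example-group macro from rspec-its and is not callable inside an `it` block, `is_expected.to > 0` is not a matcher, and `openssl -text -noout -in ... -inpass pass:` names no subcommand and uses `-inpass` where OpenSSL expects `-passin`, so the exit status will be non-zero regardless of the bundle's state. Use `have_attributes(size: be > 0)` on the Serverspec file resource and `openssl pkcs12 -info -noout -passin pass:` for the bundle check, which matches the empty export password the `pkcs12` define now uses when `out_pass` is unset. Since `x509_pkcs12_pemkey.pp` also produces `/tmp/key.pem`, consider asserting on that file as well — an `x509_private_key(...)` with `have_matching_certificate` would confirm the PKCS#12 round trip rather than only that a non-empty file exists.
```ruby
    it { expect(file('/tmp/sample_x509.crt')).to be_file.and(have_attributes(size: be > 0)) }
    it { expect(file('/tmp/sample_x509.key')).to be_file.and(have_attributes(size: be > 0)) }
    it { expect(file('/tmp/export.pkcs12.p12')).to be_file.and(have_attributes(size: be > 0)) }
    # … unchanged: x509_certificate describe block …
    describe command('openssl pkcs12 -info -noout -in /tmp/export.pkcs12.p12 -passin pass:') do
      its(:exit_status) { is_expected.to eq 0 }
    end
```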