diff --git a/examples/export_pkc12_from_key.pp b/examples/export_pkc12_from_key.pp
new file mode 100644
index 0000000..9d1daa6
--- /dev/null
+++ b/examples/export_pkc12_from_key.pp
@@ -0,0 +1,7 @@
+include openssl
+openssl::export::pkcs12 { 'export.pkcs12':
+ ensure => 'present',
+ basedir => '/tmp',
+ pkey => '/tmp/private.key',
+ cert => '/tmp/cert.crt',
+}
diff --git a/examples/generate_cert_from_key.pp b/examples/generate_cert_from_key.pp
new file mode 100644
index 0000000..2a68d67
--- /dev/null
+++ b/examples/generate_cert_from_key.pp
@@ -0,0 +1,27 @@
+include openssl
+
+file { '/tmp/template.cnf':
+ ensure => file,
+ content => epp('openssl/cert.cnf', {
+ 'country' => 'de',
+ 'state' => 'BW',
+ 'locality' => 'undef',
+ 'organization' => 'voxpupuli',
+ 'unit' => 'anybody',
+ 'commonname' => 'testpipeline.voxpupuli.org',
+ 'email' => 'do_not_reply@voxpupuli.org',
+ 'default_bits' => 4096,
+ 'default_md' => 'sha256',
+ 'default_keyfile' => '/tmp/private.key',
+ 'basicconstraints' => ['CA:false'],
+ 'extendedkeyusages' => ['serverAuth'],
+ 'keyusages' => ['critical'],
+ 'subjectaltnames' => ['cert.voxpupuli.org', 'foo.bar.de'],
+ }),
+}
+
+x509_cert { '/tmp/cert.crt':
+ ensure => present,
+ private_key => '/tmp/private.key',
+ template => '/tmp/template.cnf',
+}
diff --git a/examples/generate_key.pp b/examples/generate_key.pp
new file mode 100644
index 0000000..ce9027c
--- /dev/null
+++ b/examples/generate_key.pp
@@ -0,0 +1,4 @@
+contain openssl
+ssl_pkey { '/tmp/private.key':
+ ensure => present,
+}
diff --git a/examples/generate_pem_key.pp b/examples/generate_pem_key.pp
new file mode 100644
index 0000000..6addd62
--- /dev/null
+++ b/examples/generate_pem_key.pp
@@ -0,0 +1,6 @@
+include openssl
+openssl::export::pem_key { 'key-UUID':
+ ensure => present,
+ pfx_cert => '/tmp/export.pkcs12.p12',
+ pem_key => '/tmp/key.pem',
+}
diff --git a/examples/x509_pkcs12_pemkey.pp b/examples/x509_pkcs12_pemkey.pp
new file mode 100644
index 0000000..e34cc80
--- /dev/null
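Review bot: In generate_cert_from_key.pp the `'keyusages' => ['critical']` entry names no key-usage bit: `critical` is only a modifier, so once the template prefixes it the keyUsage extension is left with no value, which OpenSSL normally rejects (I cannot see `openssl/cert.cnf` from here, so confirm how the EPP renders the list). For a serverAuth leaf the usual line is `'keyusages' => ['critical', 'digitalSignature', 'keyEncipherment'],`. In the same block `'locality' => 'undef'` is the literal string `undef` and will land in the subject as `L=undef`; pass a real locality or drop the key. Since only x509_pkcs12_pemkey.pp is run by the acceptance spec, none of this example is exercised by CI, so the mistake will not surface there.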
+++ b/examples/x509_pkcs12_pemkey.pp
@@ -0,0 +1,19 @@
+openssl::certificate::x509 { 'sample_x509':
+ ensure => present,
+ base_dir => '/tmp',
+ key_size => 1024, #entropy in CI is limited
+ organization => 'voxpupuli',
+}
+
+-> openssl::export::pkcs12 { 'export':
+ ensure => 'present',
+ basedir => '/tmp',
+ pkey => '/tmp/sample_x509.key',
+ cert => '/tmp/sample_x509.crt',
+}
+
+-> openssl::export::pem_key { 'key-UUID':
+ ensure => present,
+ pfx_cert => '/tmp/export.p12',
+ pem_key => '/tmp/key.pem',
+}
diff --git a/manifests/export/pem_key.pp b/manifests/export/pem_key.pp
index 390b8b1..af0aa9d 100644
--- a/manifests/export/pem_key.pp
+++ b/manifests/export/pem_key.pp
@@ -26,18 +26,18 @@
 ) {
 if $ensure == 'present' {
 if $in_pass {
- $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+ $passin_opt = ['-passin', 'env:CERTIFICATE_PASSIN']
 $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
 } else {
- $passin_opt = []
+ $passin_opt = ['-passin', 'pass:']
 $passin_env = []
 }
 if $out_pass {
- $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+ $passout_opt = ['-passout', 'env:CERTIFICATE_PASSOUT']
 $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
 } else {
- $passout_opt = []
+ $passout_opt = ['-nodes']
 $passout_env = []
 }
diff --git a/manifests/export/pkcs12.pp b/manifests/export/pkcs12.pp
index ccef3f3..a6e6ef0 100644
--- a/manifests/export/pkcs12.pp
+++ b/manifests/export/pkcs12.pp
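Review bot: The `key_size => 1024, #entropy in CI is limited` line in x509_pkcs12_pemkey.pp gives a misleading reason and pins a key size below current minimums: RSA key generation is bounded by CPU time spent in the prime search, not by the amount of entropy drawn, and OpenSSL's security level 2 (the default under EL9's crypto policy, as far as I recall — verify on the CI images) refuses RSA keys shorter than 2048 bits. Unless generation time is actually the problem, use `key_size => 2048, # smallest RSA size still accepted by default security levels` and update the `keylength` assertion in spec/acceptance/x509_pkcs12_spec.rb to match. The example should also say that its last step writes `/tmp/key.pem` unencrypted because no `out_pass` is given, e.g. `# no out_pass: the PEM key is written unencrypted (acceptable on a throw-away CI host only)`, so that the sequence is not copied into production unchanged.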
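Review bot: The new fallbacks in the two `else` branches of pem_key.pp change what omitting a password means and neither is documented: with no `out_pass`, `-nodes` writes the PEM private key to disk unencrypted, and with no `in_pass`, `-passin pass:` assumes the PKCS#12 bundle was created with an empty password. Add `# no out_pass: -nodes writes the PEM key unencrypted; protection rests on the file mode/ownership of pem_key` above `$passout_opt = ['-nodes']` and `# no in_pass: assume the bundle has an empty password (the openssl::export::pkcs12 default)` above `$passin_opt = ['-passin', 'pass:']`, and state the same in the define's parameter docs, which sit above this hunk. The exec that runs openssl and whatever sets the mode of `pem_key` are also outside the hunk; confirm the unencrypted key file is created 0600 and owned by the intended user, since passing the passwords via `env:` keeps them out of `ps` output but does nothing for the output file.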
@@ -34,18 +34,18 @@
 if $ensure == 'present' {
 if $in_pass {
- $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+ $passin_opt = ['-passin', 'env:CERTIFICATE_PASSIN']
 $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
 } else {
- $passin_opt = []
+ $passin_opt = ['-passin', 'pass:']
 $passin_env = []
 }
 if $out_pass {
- $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+ $passout_opt = ['-passout', 'env:CERTIFICATE_PASSOUT']
 $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
 } else {
- $passout_opt = []
+ $passout_opt = ['-passout', 'pass:']
 $passout_env = []
 }
diff --git a/spec/acceptance/x509_pkcs12_spec.rb b/spec/acceptance/x509_pkcs12_spec.rb
new file mode 100644
index 0000000..ad06b31
--- /dev/null
+++ b/spec/acceptance/x509_pkcs12_spec.rb
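Review bot: With `$passout_opt = ['-passout', 'pass:']` an omitted `out_pass` now produces a PKCS#12 bundle protected by an empty password, which is effectively unprotected even though the file carries the private key; a caller who leaves `out_pass` unset may assume the opposite. Document it at the fallback, e.g. `# no out_pass: export with an empty password; the .p12 then carries the private key unprotected`, and say the same in the define's parameter docs, which sit above this hunk. Empty-password PKCS#12 bundles are not read identically by every OpenSSL release and consumer (the empty-string-versus-no-password distinction), so the acceptance test, which parses the bundle with `-passin pass:` on the same host, is not evidence of interoperability — worth a sentence in the docs too. The `-nokeys` removal itself is the right fix and needs no further change.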
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+# the openssl output changed and differs between EL9 vs older versions
+# https://github.com/mizzy/serverspec/commit/ac366dd40015f0b53e70a3ed881b931dfc83c603 might not be a correct fix
+# Ewoud is working on a fix in https://github.com/ekohl/serverspec/commit/64874e9c8cc70b097300c3a60281572a3528768e
+# in the meantime we won't use x509_certificate matcher
+describe 'x509 to pkcs12 to pem key' do
+ it_behaves_like 'the example', 'x509_pkcs12_pemkey.pp' do
+ describe x509_certificate('/tmp/sample_x509.crt') do
+ it { is_expected.to be_certificate }
+ it { is_expected.to be_valid }
+ its(:keylength) { is_expected.to eq 1024 }
+ end
+
+ describe command('openssl pkcs12 -info -in /tmp/export.p12 -passin pass: -passout pass:') do
+ its(:exit_status) { is_expected.to eq 0 }
+ end
+ end
+
+ # rubocop:disable RSpec/RepeatedExampleGroupBody
+ describe file('/tmp/sample_x509.crt') do
+ it { is_expected.to be_file }
+ its(:size) { is_expected.to be > 0 }
+ end
+
+ describe file('/tmp/sample_x509.key') do
+ it { is_expected.to be_file }
+ its(:size) { is_expected.to be > 0 }
+ end
+
+ describe file('/tmp/export.p12') do
+ it { is_expected.to be_file }
+ its(:size) { is_expected.to be > 0 }
+ end
+ # rubocop:enable RSpec/RepeatedExampleGroupBody
+end
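Review bot: The header comment ends with `# in the meantime we won't use x509_certificate matcher`, yet the example group a few lines below is `describe x509_certificate('/tmp/sample_x509.crt')` using `be_certificate`, `be_valid` and `keylength`; either drop that sentence or narrow it to the properties the serverspec output change actually affects (confirm against the linked commits). The `command('openssl pkcs12 -info ...')` group checks only the exit status, so it would still pass if the bundle carried no key — which is exactly what the removed `-nokeys` used to cause — and `/tmp/key.pem`, the output of the example's last step, is never checked at all. Assert that the bundle includes a key and that the PEM key exists and parses, as below. If the define sets a mode on the exported key, add `it { is_expected.to be_mode 600 }` to that group as well.
```ruby
    describe command('openssl pkcs12 -info -in /tmp/export.p12 -passin pass: -passout pass:') do
      its(:exit_status) { is_expected.to eq 0 }
      its(:stdout) { is_expected.to match(/PRIVATE KEY-----/) }
    end

    # … unchanged: the sample_x509.crt, sample_x509.key and export.p12 file groups …

    describe file('/tmp/key.pem') do
      it { is_expected.to be_file }
      its(:size) { is_expected.to be > 0 }
    end

    describe command('openssl rsa -in /tmp/key.pem -passin pass: -noout -check') do
      its(:exit_status) { is_expected.to eq 0 }
    end
```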