voxpupuli · bastelfreak · Jan 3, 2025 · Jan 9, 2025 · Jan 9, 2025 · Jan 10, 2025
diff --git a/examples/export_pkc12_from_key.pp b/examples/export_pkc12_from_key.pp
@@ -0,0 +1,7 @@
+include openssl
+openssl::export::pkcs12 { 'export.pkcs12':
+  ensure  => 'present',
+  basedir => '/tmp',
+  pkey    => '/tmp/private.key',
+  cert    => '/tmp/cert.crt',
+}
diff --git a/examples/generate_cert_from_key.pp b/examples/generate_cert_from_key.pp
@@ -0,0 +1,27 @@
+include openssl
+
+file { '/tmp/template.cnf':
+  ensure  => file,
+  content => epp('openssl/cert.cnf', {
+      'country'           => 'de',
+      'state'             => 'BW',
+      'locality'          => 'undef',
+      'organization'      => 'voxpupuli',
+      'unit'              => 'anybody',
+      'commonname'        => 'testpipeline.voxpupuli.org',
+      'email'             => '[email protected]',
+      'default_bits'      => 4096,
+      'default_md'        => 'sha256',
+      'default_keyfile'   => '/tmp/private.key',
+      'basicconstraints'  => ['CA:false'],
+      'extendedkeyusages' => ['serverAuth'],
+      'keyusages'         => ['critical'],
+      'subjectaltnames'   => ['cert.voxpupuli.org', 'foo.bar.de'],
+  }),
+}
+
+x509_cert { '/tmp/cert.crt':
+  ensure      => present,
+  private_key => '/tmp/private.key',
+  template    => '/tmp/template.cnf',
+}
diff --git a/examples/generate_key.pp b/examples/generate_key.pp
@@ -0,0 +1,4 @@
+contain openssl
+ssl_pkey { '/tmp/private.key':
+  ensure => present,
+}
diff --git a/examples/generate_pem_key.pp b/examples/generate_pem_key.pp
@@ -0,0 +1,6 @@
+include openssl
+openssl::export::pem_key { 'key-UUID':
+  ensure   => present,
+  pfx_cert => '/tmp/export.pkcs12.p12',
+  pem_key  => '/tmp/key.pem',
+}
diff --git a/examples/x509_pkcs12_pemkey.pp b/examples/x509_pkcs12_pemkey.pp
@@ -0,0 +1,19 @@
+openssl::certificate::x509 { 'sample_x509':
+  ensure       => present,
+  base_dir     => '/tmp',
+  key_size     => 1024, #entropy in CI is limited
+  organization => 'voxpupuli',
+}
+
+-> openssl::export::pkcs12 { 'export':
+  ensure  => 'present',
+  basedir => '/tmp',
+  pkey    => '/tmp/sample_x509.key',
+  cert    => '/tmp/sample_x509.crt',
+}
+
+-> openssl::export::pem_key { 'key-UUID':
+  ensure   => present,
+  pfx_cert => '/tmp/export.p12',
+  pem_key  => '/tmp/key.pem',
+}
diff --git a/manifests/export/pem_key.pp b/manifests/export/pem_key.pp
@@ -26,18 +26,18 @@
 ) {
   if $ensure == 'present' {
     if $in_pass {
-      $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+      $passin_opt = ['-passin', 'env:CERTIFICATE_PASSIN']
       $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
     } else {
-      $passin_opt = []
+      $passin_opt = ['-passin', 'pass:']
       $passin_env = []
     }
 
     if $out_pass {
-      $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+      $passout_opt = ['-passout', 'env:CERTIFICATE_PASSOUT']
       $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
     } else {
-      $passout_opt = []
+      $passout_opt = ['-nodes']
       $passout_env = []
     }
 

diff --git a/manifests/export/pkcs12.pp b/manifests/export/pkcs12.pp
@@ -34,18 +34,18 @@
 
   if $ensure == 'present' {
     if $in_pass {
-      $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+      $passin_opt = ['-passin', 'env:CERTIFICATE_PASSIN']
       $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
     } else {
-      $passin_opt = []
+      $passin_opt = ['-passin', 'pass:']
       $passin_env = []
     }
 
     if $out_pass {
-      $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+      $passout_opt = ['-passout', 'env:CERTIFICATE_PASSOUT']
       $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
     } else {
-      $passout_opt = []
+      $passout_opt = ['-passout', 'pass:']
       $passout_env = []
     }
 

diff --git a/spec/acceptance/x509_pkcs12_spec.rb b/spec/acceptance/x509_pkcs12_spec.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+# the openssl output changed and differs between EL9 vs older versions
+# https://github.com/mizzy/serverspec/commit/ac366dd40015f0b53e70a3ed881b931dfc83c603 might not be a correct fix
+# Ewoud is working on a fix in https://github.com/ekohl/serverspec/commit/64874e9c8cc70b097300c3a60281572a3528768e
+# in the meantime we won't use x509_certificate matcher
+describe 'x509 to pkcs12 to pem key' do
+  it_behaves_like 'the example', 'x509_pkcs12_pemkey.pp' do
+    describe x509_certificate('/tmp/sample_x509.crt') do
+      it { is_expected.to be_certificate }
+      it { is_expected.to be_valid }
+      its(:keylength) { is_expected.to eq 1024 }
+    end
+
+    describe command('openssl pkcs12 -info -in /tmp/export.p12 -passin pass: -passout pass:') do
+      its(:exit_status) { is_expected.to eq 0 }
+    end
+  end
+
+  # rubocop:disable RSpec/RepeatedExampleGroupBody
+  describe file('/tmp/sample_x509.crt') do
+    it { is_expected.to be_file }
+    its(:size) { is_expected.to be > 0 }
+  end
+
+  describe file('/tmp/sample_x509.key') do
+    it { is_expected.to be_file }
+    its(:size) { is_expected.to be > 0 }
+  end
+
+  describe file('/tmp/export.p12') do
+    it { is_expected.to be_file }
+    its(:size) { is_expected.to be > 0 }
+  end
+  # rubocop:enable RSpec/RepeatedExampleGroupBody
+end