From 46cd5a7d9434ed104093152bdf0a55404e6a1c6b Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Tue, 5 Oct 2021 11:04:10 -0400

Subject: [PATCH] Update csrgen test to understand OpenSSL 3.0.0 output

OpenSSL 3.0.0 change a lot of output messages. When verifying

a certificate instead of printing just "verify OK" it prints

"Certificate request self-signature verify OK"

Modify the check to match both OpenSSL 1.x and 3.x

Related: https://pagure.io/certmonger/issue/223

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

---

 tests/003-csrgen-ec/run.sh  | 4 ++--

 tests/003-csrgen-rsa/run.sh | 4 ++--

 tests/003-csrgen/run.sh     | 4 ++--

 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh

index 91117ec8..7c0505f8 100755

--- a/tests/003-csrgen-ec/run.sh

+++ b/tests/003-csrgen-ec/run.sh

@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss.

 openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der

 # The RSA tests already verify the contents of the requests, so we really only

 # need to care about the signatures passing verification.

-openssl req   -verify -noout < csr.nss.$size 2>&1

-openssl req   -verify -noout < csr.openssl.$size 2>&1

+openssl req   -verify -noout -noenc < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'

+openssl req   -verify -noout -noenc < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'

 openssl spkac -verify -noout < spkac.nss.$size 2>&1

 openssl spkac -verify -noout < spkac.openssl.$size 2>&1

 openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1

diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh

index bb8ebecb..4f0c0ef0 100755

--- a/tests/003-csrgen-rsa/run.sh

+++ b/tests/003-csrgen-rsa/run.sh

@@ -118,14 +118,14 @@ iterate() {

 	echo key_pubkey=616263 >> entry.openssl.$size

 	$toolsdir/csrgen entry.nss.$size > csr.nss.$size

 	# Both should verify.

-	if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then

+	if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then

 		echo Signature failed for OpenSSL:

 		cat csr.openssl.$size

 		echo Private key:

 		awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size

 		exit 1

 	fi

-	if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then

+	if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then

 		echo Signature failed for NSS:

 		cat csr.nss.$size

 		echo Private key:

diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh

index d3dfbaf0..093beabf 100755

--- a/tests/003-csrgen/run.sh

+++ b/tests/003-csrgen/run.sh

@@ -170,14 +170,14 @@ iterate() {

 	echo key_pubkey=616263 >> entry.openssl.$size

 	$toolsdir/csrgen entry.nss.$size > csr.nss.$size

 	# Both should verify.

-	if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then

+	if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then

 		echo Signature failed for OpenSSL:

 		cat csr.openssl.$size

 		echo Private key:

 		awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size

 		exit 1

 	fi

-	if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then

+	if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then

 		echo Signature failed for NSS:

 		cat csr.nss.$size

 		echo Private key:

-- 

2.31.1