From 46cd5a7d9434ed104093152bdf0a55404e6a1c6b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 5 Oct 2021 11:04:10 -0400
Subject: [PATCH] Update csrgen test to understand OpenSSL 3.0.0 output

OpenSSL 3.0.0 change a lot of output messages. When verifying
a certificate instead of printing just "verify OK" it prints
"Certificate request self-signature verify OK"

Modify the check to match both OpenSSL 1.x and 3.x

Related: https://pagure.io/certmonger/issue/223

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
 tests/003-csrgen-ec/run.sh  | 4 ++--
 tests/003-csrgen-rsa/run.sh | 4 ++--
 tests/003-csrgen/run.sh     | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
index 91117ec8..7c0505f8 100755
--- a/tests/003-csrgen-ec/run.sh
+++ b/tests/003-csrgen-ec/run.sh
@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss.
 openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der
 # The RSA tests already verify the contents of the requests, so we really only
 # need to care about the signatures passing verification.
-openssl req   -verify -noout < csr.nss.$size 2>&1
-openssl req   -verify -noout < csr.openssl.$size 2>&1
+openssl req   -verify -noout -noenc < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'
+openssl req   -verify -noout -noenc < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'
 openssl spkac -verify -noout < spkac.nss.$size 2>&1
 openssl spkac -verify -noout < spkac.openssl.$size 2>&1
 openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
index bb8ebecb..4f0c0ef0 100755
--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
@@ -118,14 +118,14 @@ iterate() {
 	echo key_pubkey=616263 >> entry.openssl.$size
 	$toolsdir/csrgen entry.nss.$size > csr.nss.$size
 	# Both should verify.
-	if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then
+	if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
 		echo Signature failed for OpenSSL:
 		cat csr.openssl.$size
 		echo Private key:
 		awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size
 		exit 1
 	fi
-	if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then
+	if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
 		echo Signature failed for NSS:
 		cat csr.nss.$size
 		echo Private key:
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
index d3dfbaf0..093beabf 100755
--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
@@ -170,14 +170,14 @@ iterate() {
 	echo key_pubkey=616263 >> entry.openssl.$size
 	$toolsdir/csrgen entry.nss.$size > csr.nss.$size
 	# Both should verify.
-	if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then
+	if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
 		echo Signature failed for OpenSSL:
 		cat csr.openssl.$size
 		echo Private key:
 		awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size
 		exit 1
 	fi
-	if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then
+	if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
 		echo Signature failed for NSS:
 		cat csr.nss.$size
 		echo Private key:
-- 
2.31.1