Fix unit test CSR versions for OpenSSL 3.4 change

seanmil · seanmil · commit e51dcb29ba32 · 2025-04-16T16:31:10.000-05:00
The only valid CSR version is version 1, which is encoded
with "csr.version = 0". Versions of OpenSSL prior to 3.4
would allow other versions to be set / versions to be unset
but OpenSSL 3.4 is strict about only allowing version 1.

This change updates the unit tests and test fixtures to all
specify or contain version 1 CSRs.
diff --git a/spec/fixtures/ssl/request.pem b/spec/fixtures/ssl/request.pem
@@ -1,10 +1,10 @@
 Certificate Request:
     Data:
-        Version: 3 (0x2)
+        Version: 1 (0x0)
         Subject: CN=pending
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:ca:4a:fc:49:f0:75:de:db:71:88:87:f7:48:ec:
                     77:67:7c:38:a4:91:24:47:a4:85:1c:38:e4:ec:6d:
@@ -26,35 +26,38 @@ Certificate Request:
                     4d:17
                 Exponent: 65537 (0x10001)
         Attributes:
-            a0:00
+            (none)
+            Requested Extensions:
     Signature Algorithm: sha256WithRSAEncryption
-         4b:33:bf:da:81:1a:39:41:11:c4:1c:d0:e5:3c:c6:93:8d:df:
-         e5:91:c4:9f:d0:6b:07:61:94:25:d8:dc:9e:99:0d:9d:96:91:
-         b3:92:ff:eb:2e:f4:93:cd:05:26:6d:42:70:7b:73:08:59:2f:
-         4f:c8:7f:5a:ea:de:84:a8:62:b9:6b:6c:24:0a:89:6c:83:66:
-         43:d2:f5:84:d2:09:63:9e:21:44:9f:70:4a:90:9e:9d:4a:e2:
-         e6:b1:62:79:0f:12:cf:f7:91:39:31:e6:24:ee:96:bc:82:5f:
-         4e:0e:a4:f3:81:75:6f:e3:59:bd:e2:8e:24:9e:3f:fd:c4:52:
-         81:f6:0d:95:31:36:48:0b:29:4e:94:22:10:a6:25:1f:f9:a7:
-         9d:e9:fc:8d:c9:33:87:1e:00:c9:f8:81:0e:d7:02:31:74:f7:
-         57:ef:31:06:b8:fd:10:d3:43:a5:e9:ee:47:83:05:ac:8a:69:
-         22:19:03:52:66:df:ee:0a:3c:82:33:23:9c:ef:c6:f2:e3:88:
-         9e:03:aa:c1:ab:92:e5:ca:b7:ab:e9:ab:40:ab:8f:73:53:69:
-         ca:19:89:8c:a5:e2:2f:9a:0b:31:59:17:08:03:4b:d5:6e:74:
-         5a:d0:c8:b8:df:d7:39:88:45:cb:6a:02:d4:41:1c:f2:1e:b9:
-         77:3f:09:80
+    Signature Value:
+        83:dd:e5:75:b1:5b:15:6e:1e:b0:54:87:db:d0:c8:dd:12:a7:
+        42:1b:5e:b3:d0:4b:c3:d5:dc:70:6f:73:2a:09:1c:db:88:02:
+        93:20:d1:07:ee:dd:be:ab:a4:e7:e5:9f:de:ec:6a:ec:95:17:
+        1f:2d:89:85:42:b2:9c:e8:a5:d5:28:21:6a:83:33:a6:62:bd:
+        98:72:3d:63:db:94:08:21:4a:ad:d4:15:75:c1:f0:f4:30:d1:
+        f4:17:e8:e7:5f:74:e9:69:e7:33:77:9e:4b:92:4c:27:ee:4b:
+        bd:c1:e5:69:18:f3:55:37:11:c6:57:5b:61:22:24:bf:3a:1b:
+        c7:29:c0:72:50:3c:ce:4b:75:e4:64:16:8f:31:4d:19:04:95:
+        3b:61:f0:c3:ae:ac:2c:b9:f2:b4:10:c7:f0:e7:79:db:4a:37:
+        aa:63:3e:e6:b3:88:03:63:b8:1c:65:d6:3c:9f:d5:a6:43:49:
+        ed:e7:bb:f3:c4:9c:5b:aa:34:23:91:38:13:12:68:22:a2:cc:
+        f8:56:6c:8b:bc:f5:46:36:2b:2b:9c:b1:94:d0:09:59:fd:07:
+        c7:62:74:aa:ee:f8:1b:0d:83:05:37:43:4d:d4:0b:c9:a4:57:
+        9d:91:ce:9b:5b:5f:6f:87:12:02:69:f7:43:6d:05:f3:6b:e8:
+        f2:a5:9f:6b
+
 -----BEGIN CERTIFICATE REQUEST-----
-MIICVzCCAT8CAQIwEjEQMA4GA1UEAwwHcGVuZGluZzCCASIwDQYJKoZIhvcNAQEB
+MIICVzCCAT8CAQAwEjEQMA4GA1UEAwwHcGVuZGluZzCCASIwDQYJKoZIhvcNAQEB
 BQADggEPADCCAQoCggEBAMpK/Enwdd7bcYiH90jsd2d8OKSRJEekhRw45Oxtiqok
 jfscQcqW15JwFJ3MpybVkQSHw5u8fMJ9X41QddYCUaM4lLi4Y0s4zwgLwDHZptth
 txEylcqH3FQh0btWuSzyxoQfVN8J0VCdrpdF+cBmWNljPvu/r+YayO6Ea81Q/tx6
 UnQXPDWJS6dIO7iErtEMPFzg40wg+KqkcE4QFV6lbm+Zh/15RUAra+zjNnrtcwIo
 x8suoMo0BTH1mMknQObj8yYqJcyJUoegM6VhosZzvaf8pguTRv47p2+jO6RtHhvR
 xCgJ6h20qvOa+xCisiHyhnCkuKjfTAks+9JIqRw6TRcCAwEAAaAAMA0GCSqGSIb3
-DQEBCwUAA4IBAQBLM7/agRo5QRHEHNDlPMaTjd/lkcSf0GsHYZQl2NyemQ2dlpGz
-kv/rLvSTzQUmbUJwe3MIWS9PyH9a6t6EqGK5a2wkColsg2ZD0vWE0gljniFEn3BK
-kJ6dSuLmsWJ5DxLP95E5MeYk7pa8gl9ODqTzgXVv41m94o4knj/9xFKB9g2VMTZI
-CylOlCIQpiUf+aed6fyNyTOHHgDJ+IEO1wIxdPdX7zEGuP0Q00Ol6e5HgwWsimki
-GQNSZt/uCjyCMyOc78by44ieA6rBq5Llyrer6atAq49zU2nKGYmMpeIvmgsxWRcI
-A0vVbnRa0Mi439c5iEXLagLUQRzyHrl3PwmA
+DQEBCwUAA4IBAQCD3eV1sVsVbh6wVIfb0MjdEqdCG16z0EvD1dxwb3MqCRzbiAKT
+INEH7t2+q6Tn5Z/e7GrslRcfLYmFQrKc6KXVKCFqgzOmYr2Ycj1j25QIIUqt1BV1
+wfD0MNH0F+jnX3Tpaeczd55Lkkwn7ku9weVpGPNVNxHGV1thIiS/OhvHKcByUDzO
+S3XkZBaPMU0ZBJU7YfDDrqwsufK0EMfw53nbSjeqYz7ms4gDY7gcZdY8n9WmQ0nt
+57vzxJxbqjQjkTgTEmgiosz4VmyLvPVGNisrnLGU0AlZ/QfHYnSq7vgbDYMFN0NN
+1AvJpFedkc6bW19vhxICafdDbQXza+jypZ9r
 -----END CERTIFICATE REQUEST-----
diff --git a/spec/fixtures/ssl/tampered-csr.pem b/spec/fixtures/ssl/tampered-csr.pem
@@ -1,60 +1,63 @@
 Certificate Request:
     Data:
-        Version: 3 (0x2)
+        Version: 1 (0x0)
         Subject: CN=signed
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:ca:3c:49:ca:69:e4:42:bc:a6:01:37:4e:c6:6c:
-                    1e:a9:d3:b1:7d:20:b6:7f:a9:74:c2:ce:33:f8:32:
-                    85:50:8a:c4:da:d6:47:2c:8e:3e:ef:9e:14:42:b3:
-                    43:b9:9f:59:ca:18:2c:32:f8:f8:5d:c6:74:1b:29:
-                    27:f8:d0:90:05:2e:03:46:b3:a2:c2:9d:38:de:06:
-                    f6:30:52:ff:e5:26:6e:88:fc:c4:23:32:f3:d3:09:
-                    67:1d:a6:52:f1:cc:06:28:2b:4e:af:7b:b2:50:a9:
-                    4f:7f:9b:62:6b:5a:cb:8c:f6:7e:ae:ed:a2:f2:4f:
-                    0d:d2:f5:42:2e:d8:50:b8:0f:fc:38:cd:80:7d:2a:
-                    d8:fc:76:e6:f7:28:91:f9:59:a7:d7:81:88:78:5c:
-                    74:0c:82:9b:14:65:35:2d:04:69:53:24:e4:c2:37:
-                    96:36:61:0b:e0:0f:2c:ac:50:85:84:ca:68:df:a4:
-                    15:2a:b0:a3:03:50:1f:11:45:d4:82:6a:02:eb:76:
-                    8b:82:1c:36:2b:8c:7e:3b:a6:12:c4:5a:8a:20:ab:
-                    2d:08:f8:49:1b:d6:f9:45:dc:d8:34:6c:8c:7b:2d:
-                    2a:8a:c6:87:d0:6a:45:20:9d:f0:43:d0:0f:0a:a2:
-                    69:d6:9b:a1:69:9c:57:e8:b2:f8:56:8f:f6:e4:24:
-                    af:c1
+                    00:ce:36:ca:f6:30:fc:6f:d1:e2:51:15:98:d6:51:
+                    ac:3c:43:3b:d4:26:f0:5c:ba:d8:9e:f1:21:9d:75:
+                    6f:ae:eb:d0:b9:93:92:f9:a8:a8:9e:f1:bc:b0:15:
+                    16:ba:c4:e5:6c:89:1d:89:d8:93:09:83:a2:a8:bc:
+                    01:ce:3c:a7:8e:0e:a1:bd:30:44:c8:90:b2:f1:80:
+                    03:c6:e6:7a:3c:6a:cc:87:55:74:18:a0:f7:01:2b:
+                    ba:aa:29:5b:3e:99:34:79:a0:09:17:5d:83:9c:dc:
+                    46:71:1b:14:94:99:81:05:e9:a9:cc:ad:3f:eb:e5:
+                    be:4e:70:39:ae:ec:10:35:bb:6a:59:18:23:f7:93:
+                    39:c9:a8:8f:76:ad:8b:dd:69:43:4a:2b:80:70:ec:
+                    ec:5e:f3:5c:09:f1:2e:5f:eb:14:02:77:5f:a2:4e:
+                    f5:fb:46:03:d1:83:4b:47:e4:45:f0:bf:a2:6f:1a:
+                    57:9a:5e:c5:99:f4:0b:b1:fd:f2:43:50:d7:b3:ef:
+                    46:93:47:91:8d:86:81:9b:85:b4:fd:b3:82:eb:a9:
+                    8e:3e:13:b0:e7:72:d7:e1:d2:f8:46:56:41:d9:e9:
+                    72:2b:3c:66:2d:07:db:4e:75:0c:37:23:63:6c:21:
+                    19:a7:1c:0c:2d:e6:f6:ad:e3:be:96:e7:1e:05:4e:
+                    3e:d7
                 Exponent: 65537 (0x10001)
         Attributes:
-            a0:00
+            (none)
+            Requested Extensions:
     Signature Algorithm: sha256WithRSAEncryption
-         9f:1b:09:61:fd:59:7a:99:8d:c3:f3:44:44:10:af:ac:82:f6:
-         20:5e:5e:3d:e3:07:af:e7:f6:0e:31:1f:ae:7e:bc:fd:4c:db:
-         53:8c:6b:6b:ea:76:e7:96:2c:21:f7:e7:ac:ff:ce:47:ec:e3:
-         61:c2:40:3a:0a:58:ac:94:80:c2:24:25:c3:75:82:8a:60:aa:
-         c6:20:8a:b6:28:b6:97:56:7e:0c:92:d8:da:2f:e0:0e:59:6d:
-         e1:55:b0:01:a1:e7:a9:bc:57:a1:50:de:b3:47:8a:cc:2c:44:
-         cd:5a:9b:bf:64:d3:aa:f9:b1:b2:55:db:c6:6f:5a:6c:54:19:
-         8b:4d:b2:9c:54:e0:2b:6e:c7:8c:26:d4:8d:c7:6c:43:8d:3b:
-         d1:12:87:c2:ca:ba:49:1f:93:eb:e2:8a:a9:7c:7d:e6:32:f6:
-         78:83:ab:54:9b:47:d1:c1:c2:bb:b4:25:b0:9d:bb:29:40:db:
-         30:7f:9a:4d:7a:94:5b:a0:1d:33:99:0e:9a:02:f3:4f:a4:82:
-         dd:47:15:f6:76:03:14:9f:60:9e:89:1a:4f:04:fa:a8:23:49:
-         48:af:65:bd:8c:3a:0f:77:fa:c3:86:d4:87:1a:9c:94:61:28:
-         0b:72:2e:91:98:19:0b:fe:9a:93:45:2a:92:a7:93:83:89:d9:
-         93:6b:d5:ee
+    Signature Value:
+        27:52:1c:b3:c8:73:77:cd:1f:95:45:c3:27:63:a1:16:c7:34:
+        fe:a4:5b:b6:cb:d2:be:05:87:69:5c:cf:7b:5a:2d:2f:7c:16:
+        e8:37:72:35:1d:c3:7e:fb:b9:d3:44:8c:bf:14:7c:89:ce:44:
+        b0:a8:4b:1a:1f:c6:80:c2:aa:c0:2b:2c:8c:4a:62:16:9c:f1:
+        55:ea:7b:3d:a5:a6:de:54:6b:31:a6:ad:b7:b9:2b:df:56:10:
+        69:c3:1e:b5:e0:35:bd:92:5a:4b:e2:68:e6:cf:8e:8b:75:13:
+        41:d2:56:32:ed:df:a0:26:0b:96:03:cd:4f:e7:fd:cf:cd:98:
+        69:ec:cd:3f:c3:1c:53:a7:b9:21:1b:f8:89:d9:a0:a7:46:de:
+        06:0d:6d:c4:07:40:aa:8e:f0:9c:4b:15:74:c7:85:d5:8c:24:
+        88:ef:9d:2f:00:62:7d:59:63:0e:97:86:0d:6b:3a:aa:72:92:
+        99:2e:08:34:97:40:0d:fb:40:d4:be:ec:9d:3d:8d:a7:5d:7d:
+        3d:eb:30:9f:e5:5b:4a:b9:dd:0b:38:24:3b:8f:59:ba:d5:27:
+        9f:8f:f7:f4:24:b9:78:24:d3:57:f4:02:e4:77:b2:77:c0:e3:
+        c8:f3:0e:32:74:f6:79:e5:a5:f2:6c:c8:b6:f3:95:e6:cd:00:
+        70:24:6e:1a
+
 -----BEGIN CERTIFICATE REQUEST-----
-MIICVjCCAT4CAQIwETEPMA0GA1UEAwwGc2lnbmVkMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAyjxJymnkQrymATdOxmweqdOxfSC2f6l0ws4z+DKFUIrE
-2tZHLI4+754UQrNDuZ9ZyhgsMvj4XcZ0Gykn+NCQBS4DRrOiwp043gb2MFL/5SZu
-iPzEIzLz0wlnHaZS8cwGKCtOr3uyUKlPf5tia1rLjPZ+ru2i8k8N0vVCLthQuA/8
-OM2AfSrY/Hbm9yiR+Vmn14GIeFx0DIKbFGU1LQRpUyTkwjeWNmEL4A8srFCFhMpo
-36QVKrCjA1AfEUXUgmoC63aLghw2K4x+O6YSxFqKIKstCPhJG9b5RdzYNGyMey0q
-isaH0GpFIJ3wQ9APCqJp1puhaZxX6LL4Vo/25CSvwQIDAQABoAAwDQYJKoZIhvcN
-AQELBQADggEBAJ8bCWH9WXqZjcPzREQQr6yC9iBeXj3jB6/n9g4xH65+vP1M21OM
-a2vqdueWLCH356z/zkfs42HCQDoKWKyUgMIkJcN1gopgqsYgirYotpdWfgyS2Nov
-4A5ZbeFVsAGh56m8V6FQ3rNHiswsRM1am79k06r5sbJV28ZvWmxUGYtNspxU4Ctu
-x4wm1I3HbEONO9ESh8LKukkfk+viiql8feYy9niDq1SbR9HBwru0JbCduylA2zB/
-mk16lFugHTOZDpoC80+kgt1HFfZ2AxSfYJ6JGk8E+qgjSUivZb2MOg93+sOG1Ica
-nJRhKAtyLpGYGQv+mpNFKpKnk4OJ2ZNr1e4=
+MIICVjCCAT4CAQAwETEPMA0GA1UEAwwGc2lnbmVkMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAzjbK9jD8b9HiURWY1lGsPEM71CbwXLrYnvEhnXVvruvQ
+uZOS+aionvG8sBUWusTlbIkdidiTCYOiqLwBzjynjg6hvTBEyJCy8YADxuZ6PGrM
+h1V0GKD3ASu6qilbPpk0eaAJF12DnNxGcRsUlJmBBempzK0/6+W+TnA5ruwQNbtq
+WRgj95M5yaiPdq2L3WlDSiuAcOzsXvNcCfEuX+sUAndfok71+0YD0YNLR+RF8L+i
+bxpXml7FmfQLsf3yQ1DXs+9Gk0eRjYaBm4W0/bOC66mOPhOw53LX4dL4RlZB2ely
+KzxmLQfbTnUMNyNjbCEZpxwMLeb2reO+luceBU4+1wIDAQABoAAwDQYJKoZIhvcN
+AQELBQADggEBACdSHLPIc3fNH5VFwydjoRbHNP6kW7bL0r4Fh2lcz3taLS98Fug3
+cjUdw377udNEjL8UfInORLCoSxofxoDCqsArLIxKYhac8VXqez2lpt5UazGmrbe5
+K99WEGnDHrXgNb2SWkviaObPjot1E0HSVjLt36AmC5YDzU/n/c/NmGnszT/DHFOn
+uSEb+InZoKdG3gYNbcQHQKqO8JxLFXTHhdWMJIjvnS8AYn1ZYw6Xhg1rOqpykpku
+CDSXQA37QNS+7J09jaddfT3rMJ/lW0q53Qs4JDuPWbrVJ5+P9/QkuXgk01f0AuR3
+snfA48jzDjJ09nnlpfJsyLbzlebNAHAkbho=
 -----END CERTIFICATE REQUEST-----
diff --git a/spec/lib/puppet/test_ca.rb b/spec/lib/puppet/test_ca.rb
@@ -34,7 +34,7 @@ def create_request(name)
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
       csr.subject = OpenSSL::X509::Name.new([["CN", name]])
-      csr.version = 2
+      csr.version = 0
       csr.sign(key, @digest)
       { private_key: key, csr: csr }
     end
diff --git a/spec/unit/ssl/certificate_request_spec.rb b/spec/unit/ssl/certificate_request_spec.rb
@@ -314,6 +314,7 @@
     it "should use SHA1 to sign the csr when SHA256 isn't available" do
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
+      csr.version = 0
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(true)
       signer = Puppet::SSL::CertificateSigner.new
@@ -325,6 +326,7 @@
       key = OpenSSL::PKey::RSA.new(2048)
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
+      csr.version = 0
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(true)
@@ -337,6 +339,7 @@
       key = OpenSSL::PKey::RSA.new(2048)
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
+      csr.version = 0
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false)
@@ -349,6 +352,7 @@
     it "should use SHA224 to sign the csr when SHA256/SHA1/SHA512/SHA384 aren't available" do
       csr = OpenSSL::X509::Request.new
       csr.public_key = key.public_key
+      csr.version = 0
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
       expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false)
