Use OpenSSL::PKey.read to read private keys

This utilizes a method where OpenSSL itself determines the encryption type rather than a static parameter. This is more flexible because it requires fewer parameters to be specified.
voxpupuli · May 22, 2024 · de9a4a4 · de9a4a4
1 parent 5198eb5
commit de9a4a4
Show file tree

Hide file tree

Showing 9 changed files with 6 additions and 86 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -1255,7 +1255,6 @@ Default value: `present`
 
 The following parameters are available in the `x509_cert` type.
 
-* [`authentication`](#-x509_cert--authentication)
 * [`ca`](#-x509_cert--ca)
 * [`cakey`](#-x509_cert--cakey)
 * [`csr`](#-x509_cert--csr)
@@ -1268,14 +1267,6 @@ The following parameters are available in the `x509_cert` type.
 * [`req_ext`](#-x509_cert--req_ext)
 * [`template`](#-x509_cert--template)
 
-##### <a name="-x509_cert--authentication"></a>`authentication`
-
-Valid values: `rsa`, `dsa`, `ec`
-
-The authentication algorithm: 'rsa', 'dsa or ec'
-
-Default value: `rsa`
-
 ##### <a name="-x509_cert--ca"></a>`ca`
 
 The optional ca certificate filepath
@@ -1353,7 +1344,6 @@ Default value: `present`
 
 The following parameters are available in the `x509_request` type.
 
-* [`authentication`](#-x509_request--authentication)
 * [`encrypted`](#-x509_request--encrypted)
 * [`force`](#-x509_request--force)
 * [`password`](#-x509_request--password)
@@ -1362,14 +1352,6 @@ The following parameters are available in the `x509_request` type.
 * [`provider`](#-x509_request--provider)
 * [`template`](#-x509_request--template)
 
-##### <a name="-x509_request--authentication"></a>`authentication`
-
-Valid values: `rsa`, `dsa`, `ec`
-
-The authentication algorithm: 'rsa', 'dsa' or ec
-
-Default value: `rsa`
-
 ##### <a name="-x509_request--encrypted"></a>`encrypted`
 
 Valid values: `true`, `false`

diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb
@@ -8,17 +8,7 @@
 
   def self.private_key(resource)
     file = File.read(resource[:private_key])
-    case resource[:authentication]
-    when :dsa
-      OpenSSL::PKey::DSA.new(file, resource[:password])
-    when :rsa
-      OpenSSL::PKey::RSA.new(file, resource[:password])
-    when :ec
-      OpenSSL::PKey::EC.new(file, resource[:password])
-    else
-      raise Puppet::Error,
-            "Unknown authentication type '#{resource[:authentication]}'"
-    end
+    OpenSSL::PKey.read(file, resource[:password])
   end
 
   def self.check_private_key(resource)

diff --git a/lib/puppet/provider/x509_request/openssl.rb b/lib/puppet/provider/x509_request/openssl.rb
@@ -8,17 +8,7 @@
 
   def self.private_key(resource)
     file = File.read(resource[:private_key])
-    case resource[:authentication]
-    when :dsa
-      OpenSSL::PKey::DSA.new(file, resource[:password])
-    when :rsa
-      OpenSSL::PKey::RSA.new(file, resource[:password])
-    when :ec
-      OpenSSL::PKey::EC.new(file, resource[:password])
-    else
-      raise Puppet::Error,
-            "Unknown authentication type '#{resource[:authentication]}'"
-    end
+    OpenSSL::PKey.read(file, resource[:password])
   end
 
   def self.check_private_key(resource)

diff --git a/lib/puppet/type/x509_cert.rb b/lib/puppet/type/x509_cert.rb
@@ -59,12 +59,6 @@
     end
   end
 
-  newparam(:authentication) do
-    desc "The authentication algorithm: 'rsa', 'dsa or ec'"
-    newvalues :rsa, :dsa, :ec
-    defaultto :rsa
-  end
-
   newparam(:csr) do
     desc 'The optional certificate signing request path'
   end

diff --git a/lib/puppet/type/x509_request.rb b/lib/puppet/type/x509_request.rb
@@ -48,12 +48,6 @@
     end
   end
 
-  newparam(:authentication) do
-    desc "The authentication algorithm: 'rsa', 'dsa' or ec"
-    newvalues :rsa, :dsa, :ec
-    defaultto :rsa
-  end
-
   newparam(:encrypted, boolean: true) do
     desc 'Whether to generate the key unencrypted. This is needed by some applications like OpenLDAP'
     newvalues(:true, :false)

diff --git a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb
@@ -92,7 +92,7 @@
       expect(Pathname).to receive(:new).with(path).and_return(pathname)
       expect(pathname).to receive(:exist?).and_return(true)
       expect(OpenSSL::X509::Certificate).to receive(:new).with('cert').twice.and_return(cert)
-      expect(OpenSSL::PKey::RSA).to receive(:new)
+      expect(OpenSSL::PKey).to receive(:read).with('pkey', nil)
       expect(cert).to receive(:check_private_key).and_return(true)
       expect(resource.provider.exists?).to be(true)
     end
@@ -104,7 +104,7 @@
       expect(Pathname).to receive(:new).with(path).and_return(pathname)
       expect(pathname).to receive(:exist?).and_return(true)
       expect(OpenSSL::X509::Certificate).to receive(:new).with('cert').and_return(cert)
-      expect(OpenSSL::PKey::RSA).to receive(:new)
+      expect(OpenSSL::PKey).to receive(:read).with('pkey', nil)
       expect(cert).to receive(:check_private_key).and_return(false)
       expect(resource.provider.exists?).to be(false)
     end

diff --git a/spec/unit/puppet/provider/x509_request/openssl_spec.rb b/spec/unit/puppet/provider/x509_request/openssl_spec.rb
@@ -58,7 +58,7 @@
       expect(Pathname).to receive(:new).with(path).and_return(pathname)
       expect(pathname).to receive(:exist?).and_return(true)
       allow(OpenSSL::X509::Request).to receive(:new).and_return(cert)
-      allow(OpenSSL::PKey::RSA).to receive(:new)
+      expect(OpenSSL::PKey).to receive(:read)
       expect(cert).to receive(:verify).and_return(true)
       expect(resource.provider.exists?).to be(true)
     end
@@ -69,7 +69,7 @@
       expect(Pathname).to receive(:new).with(path).and_return(pathname)
       expect(pathname).to receive(:exist?).and_return(true)
       allow(OpenSSL::X509::Request).to receive(:new).and_return(cert)
-      allow(OpenSSL::PKey::RSA).to receive(:new)
+      expect(OpenSSL::PKey).to receive(:read)
       expect(cert).to receive(:verify).and_return(false)
       expect(resource.provider.exists?).to be(false)
     end

diff --git a/spec/unit/puppet/type/x509_cert_spec.rb b/spec/unit/puppet/type/x509_cert_spec.rb
@@ -65,21 +65,6 @@
     end.to raise_error(Puppet::Error, %r{Invalid value :foo})
   end
 
-  it 'accepts a valid authentication' do
-    resource[:authentication] = :rsa
-    expect(resource[:authentication]).to eq(:rsa)
-    resource[:authentication] = :dsa
-    expect(resource[:authentication]).to eq(:dsa)
-    resource[:authentication] = :ec
-    expect(resource[:authentication]).to eq(:ec)
-  end
-
-  it 'does not accept an invalid authentication' do
-    expect do
-      resource[:authentication] = :foo
-    end.to raise_error(Puppet::Error, %r{Invalid value :foo})
-  end
-
   it 'accepts a valid csr parameter' do
     resource[:csr] = '/tmp/foo.csr'
     expect(resource[:csr]).to eq('/tmp/foo.csr')

diff --git a/spec/unit/puppet/type/x509_request_spec.rb b/spec/unit/puppet/type/x509_request_spec.rb
@@ -53,19 +53,4 @@
       resource[:force] = :foo
     end.to raise_error(Puppet::Error, %r{Invalid value :foo})
   end
-
-  it 'accepts a valid authentication' do
-    resource[:authentication] = :rsa
-    expect(resource[:authentication]).to eq(:rsa)
-    resource[:authentication] = :dsa
-    expect(resource[:authentication]).to eq(:dsa)
-    resource[:authentication] = :ec
-    expect(resource[:authentication]).to eq(:ec)
-  end
-
-  it 'does not accept an invalid authentication' do
-    expect do
-      resource[:authentication] = :foo
-    end.to raise_error(Puppet::Error, %r{Invalid value :foo})
-  end
 end