From e255c504a83b31a7a27be21c0298b95ad117b9ee Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden <ewoud@kohlvanwijngaarden.nl>
Date: Wed, 22 May 2024 19:46:10 +0200
Subject: [PATCH] Use OpenSSL::PKey.read to read private keys

This utilizes a method where OpenSSL itself determines the encryption
type rather than a static parameter. This is more flexible because it
requires fewer parameters to be specified.
---
 REFERENCE.md                                   | 18 ------------------
 lib/puppet/provider/x509_cert/openssl.rb       | 12 +-----------
 lib/puppet/provider/x509_request/openssl.rb    | 12 +-----------
 lib/puppet/type/x509_cert.rb                   |  6 ------
 lib/puppet/type/x509_request.rb                |  6 ------
 .../puppet/provider/x509_cert/openssl_spec.rb  |  4 ++--
 .../provider/x509_request/openssl_spec.rb      |  4 ++--
 spec/unit/puppet/type/x509_cert_spec.rb        | 15 ---------------
 spec/unit/puppet/type/x509_request_spec.rb     | 15 ---------------
 9 files changed, 6 insertions(+), 86 deletions(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index 15bcf45a..8a55d7a6 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -1255,7 +1255,6 @@ Default value: `present`
 
 The following parameters are available in the `x509_cert` type.
 
-* [`authentication`](#-x509_cert--authentication)
 * [`ca`](#-x509_cert--ca)
 * [`cakey`](#-x509_cert--cakey)
 * [`csr`](#-x509_cert--csr)
@@ -1268,14 +1267,6 @@ The following parameters are available in the `x509_cert` type.
 * [`req_ext`](#-x509_cert--req_ext)
 * [`template`](#-x509_cert--template)
 
-##### <a name="-x509_cert--authentication"></a>`authentication`
-
-Valid values: `rsa`, `dsa`, `ec`
-
-The authentication algorithm: 'rsa', 'dsa or ec'
-
-Default value: `rsa`
-
 ##### <a name="-x509_cert--ca"></a>`ca`
 
 The optional ca certificate filepath
@@ -1353,7 +1344,6 @@ Default value: `present`
 
 The following parameters are available in the `x509_request` type.
 
-* [`authentication`](#-x509_request--authentication)
 * [`encrypted`](#-x509_request--encrypted)
 * [`force`](#-x509_request--force)
 * [`password`](#-x509_request--password)
@@ -1362,14 +1352,6 @@ The following parameters are available in the `x509_request` type.
 * [`provider`](#-x509_request--provider)
 * [`template`](#-x509_request--template)
 
-##### <a name="-x509_request--authentication"></a>`authentication`
-
-Valid values: `rsa`, `dsa`, `ec`
-
-The authentication algorithm: 'rsa', 'dsa' or ec
-
-Default value: `rsa`
-
 ##### <a name="-x509_request--encrypted"></a>`encrypted`
 
 Valid values: `true`, `false`
diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb
index e5262a71..2f0c55fc 100644
--- a/lib/puppet/provider/x509_cert/openssl.rb
+++ b/lib/puppet/provider/x509_cert/openssl.rb
@@ -8,17 +8,7 @@
 
   def self.private_key(resource)
     file = File.read(resource[:private_key])
-    case resource[:authentication]
-    when :dsa
-      OpenSSL::PKey::DSA.new(file, resource[:password])
-    when :rsa
-      OpenSSL::PKey::RSA.new(file, resource[:password])
-    when :ec
-      OpenSSL::PKey::EC.new(file, resource[:password])
-    else
-      raise Puppet::Error,
-            "Unknown authentication type '#{resource[:authentication]}'"
-    end
+    OpenSSL::PKey.read(file, resource[:password])
   end
 
   def self.check_private_key(resource)
diff --git a/lib/puppet/provider/x509_request/openssl.rb b/lib/puppet/provider/x509_request/openssl.rb
index 3a17d8e3..732330a1 100644
--- a/lib/puppet/provider/x509_request/openssl.rb
+++ b/lib/puppet/provider/x509_request/openssl.rb
@@ -8,17 +8,7 @@
 
   def self.private_key(resource)
     file = File.read(resource[:private_key])
-    case resource[:authentication]
-    when :dsa
-      OpenSSL::PKey::DSA.new(file, resource[:password])
-    when :rsa
-      OpenSSL::PKey::RSA.new(file, resource[:password])
-    when :ec
-      OpenSSL::PKey::EC.new(file, resource[:password])
-    else
-      raise Puppet::Error,
-            "Unknown authentication type '#{resource[:authentication]}'"
-    end
+    OpenSSL::PKey.read(file, resource[:password])
   end
 
   def self.check_private_key(resource)
diff --git a/lib/puppet/type/x509_cert.rb b/lib/puppet/type/x509_cert.rb
index fce72234..0411e8a6 100644
--- a/lib/puppet/type/x509_cert.rb
+++ b/lib/puppet/type/x509_cert.rb
@@ -59,12 +59,6 @@
     end
   end
 
-  newparam(:authentication) do
-    desc "The authentication algorithm: 'rsa', 'dsa or ec'"
-    newvalues :rsa, :dsa, :ec
-    defaultto :rsa
-  end
-
   newparam(:csr) do
     desc 'The optional certificate signing request path'
   end
diff --git a/lib/puppet/type/x509_request.rb b/lib/puppet/type/x509_request.rb
index cc32dd65..19f2af45 100644
--- a/lib/puppet/type/x509_request.rb
+++ b/lib/puppet/type/x509_request.rb
@@ -48,12 +48,6 @@
     end
   end
 
-  newparam(:authentication) do
-    desc "The authentication algorithm: 'rsa', 'dsa' or ec"
-    newvalues :rsa, :dsa, :ec
-    defaultto :rsa
-  end
-
   newparam(:encrypted, boolean: true) do
     desc 'Whether to generate the key unencrypted. This is needed by some applications like OpenLDAP'
     newvalues(:true, :false)
diff --git a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb
index 4aa938d3..ddd42493 100644
--- a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb
+++ b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb
@@ -92,7 +92,7 @@
       expect(Pathname).to receive(:new).with(path).and_return(pathname)
       expect(pathname).to receive(:exist?).and_return(true)
       expect(OpenSSL::X509::Certificate).to receive(:new).with('cert').twice.and_return(cert)
-      expect(OpenSSL::PKey::RSA).to receive(:new)
+      expect(OpenSSL::PKey).to receive(:read).with('pkey', nil)
       expect(cert).to receive(:check_private_key).and_return(true)
       expect(resource.provider.exists?).to be(true)
     end
@@ -104,7 +104,7 @@
       expect(Pathname).to receive(:new).with(path).and_return(pathname)
       expect(pathname).to receive(:exist?).and_return(true)
       expect(OpenSSL::X509::Certificate).to receive(:new).with('cert').and_return(cert)
-      expect(OpenSSL::PKey::RSA).to receive(:new)
+      expect(OpenSSL::PKey).to receive(:read).with('pkey', nil)
       expect(cert).to receive(:check_private_key).and_return(false)
       expect(resource.provider.exists?).to be(false)
     end
diff --git a/spec/unit/puppet/provider/x509_request/openssl_spec.rb b/spec/unit/puppet/provider/x509_request/openssl_spec.rb
index 2e669db0..dc240ff7 100644
--- a/spec/unit/puppet/provider/x509_request/openssl_spec.rb
+++ b/spec/unit/puppet/provider/x509_request/openssl_spec.rb
@@ -58,7 +58,7 @@
       expect(Pathname).to receive(:new).with(path).and_return(pathname)
       expect(pathname).to receive(:exist?).and_return(true)
       allow(OpenSSL::X509::Request).to receive(:new).and_return(cert)
-      allow(OpenSSL::PKey::RSA).to receive(:new)
+      expect(OpenSSL::PKey).to receive(:read)
       expect(cert).to receive(:verify).and_return(true)
       expect(resource.provider.exists?).to be(true)
     end
@@ -69,7 +69,7 @@
       expect(Pathname).to receive(:new).with(path).and_return(pathname)
       expect(pathname).to receive(:exist?).and_return(true)
       allow(OpenSSL::X509::Request).to receive(:new).and_return(cert)
-      allow(OpenSSL::PKey::RSA).to receive(:new)
+      expect(OpenSSL::PKey).to receive(:read)
       expect(cert).to receive(:verify).and_return(false)
       expect(resource.provider.exists?).to be(false)
     end
diff --git a/spec/unit/puppet/type/x509_cert_spec.rb b/spec/unit/puppet/type/x509_cert_spec.rb
index 23997928..3a13e3de 100644
--- a/spec/unit/puppet/type/x509_cert_spec.rb
+++ b/spec/unit/puppet/type/x509_cert_spec.rb
@@ -65,21 +65,6 @@
     end.to raise_error(Puppet::Error, %r{Invalid value :foo})
   end
 
-  it 'accepts a valid authentication' do
-    resource[:authentication] = :rsa
-    expect(resource[:authentication]).to eq(:rsa)
-    resource[:authentication] = :dsa
-    expect(resource[:authentication]).to eq(:dsa)
-    resource[:authentication] = :ec
-    expect(resource[:authentication]).to eq(:ec)
-  end
-
-  it 'does not accept an invalid authentication' do
-    expect do
-      resource[:authentication] = :foo
-    end.to raise_error(Puppet::Error, %r{Invalid value :foo})
-  end
-
   it 'accepts a valid csr parameter' do
     resource[:csr] = '/tmp/foo.csr'
     expect(resource[:csr]).to eq('/tmp/foo.csr')
diff --git a/spec/unit/puppet/type/x509_request_spec.rb b/spec/unit/puppet/type/x509_request_spec.rb
index e07c40e1..ad88a862 100644
--- a/spec/unit/puppet/type/x509_request_spec.rb
+++ b/spec/unit/puppet/type/x509_request_spec.rb
@@ -53,19 +53,4 @@
       resource[:force] = :foo
     end.to raise_error(Puppet::Error, %r{Invalid value :foo})
   end
-
-  it 'accepts a valid authentication' do
-    resource[:authentication] = :rsa
-    expect(resource[:authentication]).to eq(:rsa)
-    resource[:authentication] = :dsa
-    expect(resource[:authentication]).to eq(:dsa)
-    resource[:authentication] = :ec
-    expect(resource[:authentication]).to eq(:ec)
-  end
-
-  it 'does not accept an invalid authentication' do
-    expect do
-      resource[:authentication] = :foo
-    end.to raise_error(Puppet::Error, %r{Invalid value :foo})
-  end
 end