Adapt to OpenSSL 3

For the moment enable the legacy OpenSSL crypto policies, since our test certificates are not compliant with latest crypto.
italiangrid · Apr 2, 2024 · b77bb5a · b77bb5a
1 parent 90a402b
commit b77bb5a
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 6 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -119,6 +119,10 @@ jobs:
         echo "ARTIFACTS_PATH=${ARTIFACTS_PATH}" >> ${GITHUB_ENV}
         mkdir -p ${ARTIFACTS_PATH}/logs ${ARTIFACTS_PATH}/java ${ARTIFACTS_PATH}/cpp
 
+    - name: Enable legacy OpenSSL crypto policies on EL9
+      if: matrix.client == '9-beta'
+      run: docker-compose --file docker-compose.ci.yml exec testsuite bash -c "sudo update-crypto-policies --set LEGACY"
+
     - name: Run testsuite for java clients
       run: docker-compose --file docker-compose.ci.yml exec -T -e ROBOT_OPTIONS="${ROBOT_OPTIONS}" testsuite bash /scripts/ci-run-testsuite.sh
       working-directory: compose

diff --git a/compose/docker-compose.ci.yml b/compose/docker-compose.ci.yml
@@ -7,7 +7,7 @@ volumes:
 services:
 
   trust:
-    image: indigoiam/egi-trustanchors
+    image: indigoiam/egi-trustanchors:igi-test-ca
 
     volumes:
       - trustanchors:/tmp/certificates

diff --git a/lib/vomslib.robot b/lib/vomslib.robot
@@ -46,7 +46,7 @@ Stop using certificate
 
 Get certificate subject   [Arguments]   ${certFile}
   File Should Exist   ${certFile}
-  ${subject}   Execute and Check Success   openssl x509 -in ${certFile} -noout -subject | sed "s#subject= ##"
+  ${subject}   Execute and Check Success   openssl x509 -in ${certFile} -noout -subject $(grep -q "^OpenSSL 3\." <(openssl version) && echo -nameopt compat) | sed -E "s#subject= ?##"
   RETURN   ${subject}
 
 Get named certificate subject   [Arguments]   ${cert}

diff --git a/tests/clients/init/errors.robot b/tests/clients/init/errors.robot
@@ -132,7 +132,7 @@ See if voms-proxy-init fails correctly when the key is corrupted
   Execute and Check Success  cat %{HOME}/.globus/userkey.pem|tr [a-z] [A-Z] > ${tmpKey}
   Execute and Check Success   chmod 400 ${tmpKey}
   ${output}   Create Proxy Failure   --cert %{HOME}/.globus/usercert.pem --key ${tmpKey}
-  ${expected}  Set Variable If  ${client_version} == 2  wrong tag*Function: proxy_init_cred  *Can not load the PEM private key*
+  ${expected}  Set Variable If  ${client_version} == 2  *wrong tag*  *Can not load the PEM private key*
   Should Match   ${output}   ${expected}
   [Teardown]  Stop using certificate
 
@@ -156,7 +156,7 @@ A user gets the right message when trying to create a proxy providing the wrong
   [Tags]  legacy
   [Setup]  Use certificate   test0
   ${output}  Execute and Check Failure   echo "CAMAGHE" | voms-proxy-init -pwstdin
-  ${expected}  Set Variable If  ${client_version} == 2  wrong pass phrase  Error decrypting private key: the password is incorrect or the PEM data is corrupted.
+  ${expected}  Set Variable If  ${client_version} == 2  wrong pass  Error decrypting private key: the password is incorrect or the PEM data is corrupted.
   Should Contain  ${output}  ${expected}
   [Teardown]  Stop using certificate
 
@@ -192,9 +192,9 @@ See if voms-proxy-init -pwstdin fails correctly when no password is provided
   [Setup]  Use certificate  test0
   IF  ${client_version} == 2
     ${output}  Execute and Check Failure   echo "" | voms-proxy-init -pwstdin
-    Should Contain  ${output}  bad password read
+    Should Contain Any  ${output}  bad password read  empty password
     ${output}  Execute and Check Failure   echo "" | voms-proxy-init -pwstdin -debug
-    Should Contain  ${output}  bad password read
+    Should Contain Any  ${output}  bad password read  empty password
   ELSE
     ${output}  Execute and Check Failure  echo "" | voms-proxy-init --pwstdin
     Should contain  ${output}  No credentials found!