From b1eaefa01d7148c29dd6987177931f93d4aea11c Mon Sep 17 00:00:00 2001
From: Evgeni Golov <evgeni@golov.de>
Date: Mon, 16 Sep 2024 14:57:37 +0200
Subject: [PATCH] correctly exit non zero when the SAN doesn't match

(cherry picked from commit 03655d0abcd96a14cd4509324348a25642baf7a6)
---
 bin/katello-certs-check                       | 10 ++-----
 .../certs/foreman-bad-san.example.com.crt     | 21 ++++++++++++++
 .../certs/foreman-bad-san.example.com.key     | 28 +++++++++++++++++++
 .../katello-certs-check/create_cert.sh        | 10 +++++++
 spec/katello_certs_check_spec.rb              | 14 +++++++++-
 5 files changed, 74 insertions(+), 9 deletions(-)
 create mode 100644 spec/fixtures/katello-certs-check/certs/foreman-bad-san.example.com.crt
 create mode 100644 spec/fixtures/katello-certs-check/certs/foreman-bad-san.example.com.key

diff --git a/bin/katello-certs-check b/bin/katello-certs-check
index 82f56856..680851be 100755
--- a/bin/katello-certs-check
+++ b/bin/katello-certs-check
@@ -210,15 +210,9 @@ function check-cert-san () {
             return
           fi
         done
-        error
-        echo "The $CERT_FILE does not have a Subject Alt Name matching the Subject CN"
+        error 11 "The $CERT_FILE does not have a Subject Alt Name matching the Subject CN"
     else
-        error
-        cat <<Explanation
-$CERT_FILE does not contain a Subject Alt Name. Common Name is deprecated, use Subject Alt Name instead.
-See: https://tools.ietf.org/html/rfc2818#section-3.1
-
-Explanation
+        error 11 "The $CERT_FILE does not contain a Subject Alt Name. Common Name is deprecated, use Subject Alt Name instead. See: https://tools.ietf.org/html/rfc2818#section-3.1"
     fi
 }
 
diff --git a/spec/fixtures/katello-certs-check/certs/foreman-bad-san.example.com.crt b/spec/fixtures/katello-certs-check/certs/foreman-bad-san.example.com.crt
new file mode 100644
index 00000000..54303b65
--- /dev/null
+++ b/spec/fixtures/katello-certs-check/certs/foreman-bad-san.example.com.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXjCCAkagAwIBAgIUHYl6NxLcZpBuyTUI4LaWJOaM8iAwDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTVGVzdCBTZWxmLVNpZ25lZCBDQTAeFw0yNDA5MTYxMjU2
+NTBaFw0zNDA5MTQxMjU2NTBaMCYxJDAiBgNVBAMMG2ZvcmVtYW4tYmFkLXNhbi5l
+eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALfDETt1
+UPBqx5dr7cVywZ2wz5s8SyLLtbcXEqXxcS38kJCeFEh2WsSYrNp9MfA6ORZcp0AG
+ZiAnXNPLSNteBCiGkk3TNiq0VY1M8iph75uDPrJBu+whlMhYrJQ00jLxh5lAD8Xx
+a4s6AnwKniQTXBaX4pybRQn4BE2PuXey+oBn6vPlYjGBn2LvUeq9uR2IahRScKGM
+DkkOEX+h251EGSxAdMpciOpXJullMHU55RP6WWubaRosh6ZZbIqg/M9eLkiswU1N
+HP9J9G4Mr6f1Z+LHLG3lvQHP/uLOXLKF7X8areI09l4OP1VNJ45mOfm4Embv5dEq
+iF4lMQkJIyQ7FsECAwEAAaOBizCBiDALBgNVHQ8EBAMCBSAwOQYDVR0RBDIwMIIT
+Zm9yZW1hbi5leGFtcGxlLmNvbYIZZm9yZW1hbi1lYzM4NC5leGFtcGxlLmNvbTAd
+BgNVHQ4EFgQUujQ5fdBkDZBlVRj1lkSvBR7DXzMwHwYDVR0jBBgwFoAUM/NEeWkW
+/3oJxDCh0KJ1DN8YI+gwDQYJKoZIhvcNAQELBQADggEBAIFXaKOP6My13xNGXYfP
+p0cWuV3lGWhFk2iOWIe51EwZmd3thW0PrEDRVUFo1PXKeTAftQns3Cgb/DMIsLTV
+H5dQZ/x+74RpgLC2iuLqQpeQqGJkrN1SCJuiFESdaocxA7uYuewgUsZ3LAaYsjp1
+zaSs8mN/AJ9FbOSssaNqFMGOQNU3uFou23K1Qqs7jDjk/MGORp+6PD3FMqB6qO9X
+aVFPsHZQDUIK1vEjaRWwZSPRJrbZ9xteYiSudi4KJcVnoI2lHENF7j2N+3RyXZBq
+PgQGMB69gGsTmkahy6ItQue+zKqfku9515a5bq5LxAa6gWuwP4LkKvUNcpYgEFcj
+1KE=
+-----END CERTIFICATE-----
diff --git a/spec/fixtures/katello-certs-check/certs/foreman-bad-san.example.com.key b/spec/fixtures/katello-certs-check/certs/foreman-bad-san.example.com.key
new file mode 100644
index 00000000..4c149ca3
--- /dev/null
+++ b/spec/fixtures/katello-certs-check/certs/foreman-bad-san.example.com.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC3wxE7dVDwaseX
+a+3FcsGdsM+bPEsiy7W3FxKl8XEt/JCQnhRIdlrEmKzafTHwOjkWXKdABmYgJ1zT
+y0jbXgQohpJN0zYqtFWNTPIqYe+bgz6yQbvsIZTIWKyUNNIy8YeZQA/F8WuLOgJ8
+Cp4kE1wWl+Kcm0UJ+ARNj7l3svqAZ+rz5WIxgZ9i71HqvbkdiGoUUnChjA5JDhF/
+odudRBksQHTKXIjqVybpZTB1OeUT+llrm2kaLIemWWyKoPzPXi5IrMFNTRz/SfRu
+DK+n9Wfixyxt5b0Bz/7izlyyhe1/Gq3iNPZeDj9VTSeOZjn5uBJm7+XRKoheJTEJ
+CSMkOxbBAgMBAAECggEADvpblnbUus/dRlqR9hDJNr7xYQQMVMD5Zfu/tZ5lHPwz
+1VHJMfHRqqoOFr3zGtNIEWpKaJXM76x9rLaqUNUMLjhvxt+jD96EhaCisXErnEeZ
+jeJ9PH0tORo/MNJQWr4kkQlvb7EilKXNC4q7ApJAZIgLPLwMJ8ibIy5Gjfrc36fU
+++htHVWB1yhPujxHEbxoIrxJ8Qctf/Jz2Sa42PyofJ0yDmFTtJRu0DfFNv4O4Q5o
+TvOs4TafS8RDit5NtEGX1E0+08g5N/v5hp7t+XrrDWqaCj+I+Cp2jSExlwUrLTxk
+r+PvskMaSCYLboS4t8ZBsF/JkgzssLOuIa82i0Vw9QKBgQD6yOP3u4tFD0WxKJcI
+o8YCxSFsDjvdn3SBwqQEqwjIWvg32XQWLILCPpIuaDEg6dsuJUppO4pOYb43j7U7
+DES+K/m+dSOyLWFxlR/DEO6uEwUczW3meTDw2Qo/fcJZ5xGLuc1XZan20K36af/V
+Ce5+XLJG0/Mz0hNiEP1sJAvZ9QKBgQC7lV2xcsHtXOSLZNSFOSWBXISgHFv3Vsbf
+Lg3DNx9puaJ+1VtqJ9HbvXmMZV6nJA68yrI/AN0TCqmwc3I0icFuxne/Fwk/fIJ9
+29Cn/ZPcjXu1zL8jmTHDz5L7KFbToyy7ok503waBUgKOPvRoJdXZQq9M4OSgDtNP
+o+8X0hgOHQKBgQC6g0/wff3dNbeKQ3rYhR0OEFiECa4CbMX0f7MGecGFaQq0Vric
+iSwSlQCZHQp0xRgqoLdPvmVlWBJlNi7+JGi32vLZ8DrFGDUhiVve8qfgtOqXej0j
+LLz2UyTpBXnW7SBCf8Q1HLokgxzxYYZQhhtmxUAdpyJ4RuP9ik8/7ysVRQKBgQCl
+Lvftnd+V1PpQob7ffh4/1yfXEoINwXWo7JYj9PONl3G3fMxeI6iSdzyE3HNIfeEY
+cOobvvfun7Ij9tV33GLg2JZ0SKXVKSCEEkCg3hUJ3/Eze5RJlcqT4sNMtg4XmhZ3
+OIscMZU55ezoNBnnaIHzKtzRtyy8obGE7RhLgq+6JQKBgQDQ2xskB8dob6R4esLy
+s2E3kf2OmVswllK15H36u6FkS1h/AxiaRTUTkbmvpiobdqDAAKGlZGxF8hck4wmq
++3uZWUcdbO67ld/P0xiP3RNwSOpQ7WZsv7zKGnCaungxGPvqNp5Dm7RTqR+kQtKV
+A/FM9fRgYNuJPmgpee84o2Dk4Q==
+-----END PRIVATE KEY-----
diff --git a/spec/fixtures/katello-certs-check/create_cert.sh b/spec/fixtures/katello-certs-check/create_cert.sh
index fd361939..aed88310 100755
--- a/spec/fixtures/katello-certs-check/create_cert.sh
+++ b/spec/fixtures/katello-certs-check/create_cert.sh
@@ -38,6 +38,16 @@ else
   echo "CA certificate bundle with trust rules exists. Skipping."
 fi
 
+CERT_NAME=foreman-bad-san.example.com
+if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
+  echo "Generate server certificate"
+  openssl genrsa -out $CERTS_DIR/$CERT_NAME.key 2048
+  openssl req -new -key $CERTS_DIR/$CERT_NAME.key -out $CERTS_DIR/$CERT_NAME.csr -subj "/CN=${CERT_NAME}"
+  openssl x509 -req -in $CERTS_DIR/$CERT_NAME.csr -CA $CERTS_DIR/$CA_CERT_NAME.crt -CAkey $CERTS_DIR/$CA_CERT_NAME.key -CAcreateserial -out $CERTS_DIR/$CERT_NAME.crt -days 3650 -sha256 -extfile extensions.txt -extensions extensions
+else
+  echo "Server certificate with bad SAN exists. Skipping."
+fi
+
 CERT_NAME=foreman.example.com
 if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
   echo "Generate server certificate"
diff --git a/spec/katello_certs_check_spec.rb b/spec/katello_certs_check_spec.rb
index 0eef3057..547c882f 100644
--- a/spec/katello_certs_check_spec.rb
+++ b/spec/katello_certs_check_spec.rb
@@ -49,7 +49,19 @@ def fixture(filename)
       command_with_certs = "#{command} -b #{ca} -k #{key} -c #{cert}"
       _stdout, stderr, status = Open3.capture3(command_with_certs)
       expect(stderr).to include 'does not verify'
-      expect(status.exitstatus).to eq 4
+      expect(status.exitstatus).to eq 15 # the code for invalid is 4, but the cert is also failing the SAN check, making it 15
+    end
+  end
+
+  context 'with invalid SAN server certificates' do
+    let(:key) { File.join(certs_directory, 'foreman-bad-san.example.com.key') }
+    let(:cert) { File.join(certs_directory, 'foreman-bad-san.example.com.crt') }
+
+    it 'fails if purpose is not sslserver' do
+      command_with_certs = "#{command} -b #{ca} -k #{key} -c #{cert}"
+      _stdout, stderr, status = Open3.capture3(command_with_certs)
+      expect(stderr).to include 'does not have a Subject Alt Name matching the Subject CN'
+      expect(status.exitstatus).to eq 11
     end
   end