author | Pete Higgins <pete@peterhiggins.org> | 2020-12-16 14:39:37 -0800 |
---|---|---|
committer | Pete Higgins <pete@peterhiggins.org> | 2020-12-16 14:39:37 -0800 |
commit | 8f2cbbdc7fb504cbf19b38321995870af32ef0b0 (patch) | |
tree | 8e8fd1650438f2d02d0f1f8f2cac9480648833e0 | |
parent | 34610f3efad8c8424760014a7ade4c721d3e12c7 (diff) | |
Properly handle DER encoded certs and keys.
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
-rw-r--r-- | lib/chef/http/ssl_policies.rb | 6 | ||||
-rw-r--r-- | spec/data/ssl/chef-rspec-der.cert | bin | 0 -> 1174 bytes | |||
-rw-r--r-- | spec/data/ssl/chef-rspec-der.key | bin | 0 -> 1191 bytes | |||
-rw-r--r-- | spec/data/trusted_certs/example_der.crt | bin | 0 -> 1174 bytes | |||
-rw-r--r-- | spec/unit/http/ssl_policies_spec.rb | 14 |
5 files changed, 17 insertions, 3 deletions
diff --git a/lib/chef/http/ssl_policies.rb b/lib/chef/http/ssl_policies.rb
index d36e747ff6..5b4ac347f6 100644
--- a/lib/chef/http/ssl_policies.rb
+++ b/lib/chef/http/ssl_policies.rb
@@ -87,7 +87,7 @@ class Chef
 if config.trusted_certs_dir
 certs = Dir.glob(File.join(Chef::Util::PathHelper.escape_glob_dir(config.trusted_certs_dir), "*.{crt,pem}"))
 certs.each do |cert_file|
- cert = OpenSSL::X509::Certificate.new(File.read(cert_file))
+ cert = OpenSSL::X509::Certificate.new(File.binread(cert_file))
 add_trusted_cert(cert)
 end
 end
@@ -105,8 +105,8 @@ class Chef
 raise Chef::Exceptions::ConfigurationError, "The configured ssl_client_key #{config[:ssl_client_key]} does not exist"
 end
- http_client.cert = OpenSSL::X509::Certificate.new(::File.read(config[:ssl_client_cert]))
- http_client.key = OpenSSL::PKey::RSA.new(::File.read(config[:ssl_client_key]))
+ http_client.cert = OpenSSL::X509::Certificate.new(::File.binread(config[:ssl_client_cert]))
+ http_client.key = OpenSSL::PKey::RSA.new(::File.binread(config[:ssl_client_key]))
 end
 end
diff --git a/spec/data/ssl/chef-rspec-der.cert b/spec/data/ssl/chef-rspec-der.cert
Binary files differnew file mode 100644
index 0000000000..e49df6252a
--- /dev/null
+++ b/spec/data/ssl/chef-rspec-der.cert
diff --git a/spec/data/ssl/chef-rspec-der.key b/spec/data/ssl/chef-rspec-der.key
Binary files differnew file mode 100644
index 0000000000..d8adadc5c9
--- /dev/null
+++ b/spec/data/ssl/chef-rspec-der.key
diff --git a/spec/data/trusted_certs/example_der.crt b/spec/data/trusted_certs/example_der.crt
Binary files differnew file mode 100644
index 0000000000..e49df6252a
--- /dev/null
+++ b/spec/data/trusted_certs/example_der.crt
diff --git a/spec/unit/http/ssl_policies_spec.rb b/spec/unit/http/ssl_policies_spec.rb
index 614b5018d1..245f66bf0d 100644
--- a/spec/unit/http/ssl_policies_spec.rb
+++ b/spec/unit/http/ssl_policies_spec.rb
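Review bot: In the `certs.each` loop of the first hunk, `OpenSSL::X509::Certificate.new(File.binread(cert_file))` has no rescue around it, so one unparsable `.crt`/`.pem` file in `trusted_certs_dir` raises an `OpenSSL::X509::CertificateError` that does not name the file. Now that the loader takes PEM and DER alike, a truncated or wrong-format file is harder to spot by eye, so I would wrap the parse with `rescue OpenSSL::X509::CertificateError => e` and re-raise as `raise Chef::Exceptions::ConfigurationError, "Error reading cert file '#{cert_file}': #{e.message}"`. Every file matched by the glob becomes a trust anchor for the client, so stopping with the path in the message is preferable to skipping the file silently. The enclosing method starts and ends outside the hunk.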
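Review bot: The last changed line of the second hunk still parses the key with `OpenSSL::PKey::RSA.new`, so a non-RSA client key (EC, for instance) is rejected in either encoding; `http_client.key = OpenSSL::PKey.read(::File.binread(config[:ssl_client_key]))` detects the key type as well as PEM versus DER. It would also help to fail early on a mismatched pair with `raise Chef::Exceptions::ConfigurationError, "ssl_client_key does not match ssl_client_cert" unless http_client.cert.check_private_key(http_client.key)`, since otherwise the mismatch presumably only surfaces as a handshake failure. The method containing these lines begins before the hunk.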
@@ -122,6 +122,20 @@ describe "HTTP SSL Policy" do
 expect(http_client.cert.to_s).to eq(OpenSSL::X509::Certificate.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.cert")).to_s)
 expect(http_client.key.to_s).to eq(OpenSSL::PKey::RSA.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key")).to_s)
 end
+
+ it "configures the HTTP client's cert and private key with a DER encoded cert" do
+ Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + "/ssl/chef-rspec-der.cert"
+ Chef::Config[:ssl_client_key] = CHEF_SPEC_DATA + "/ssl/chef-rspec.key"
+ expect(http_client.cert.to_s).to eq(OpenSSL::X509::Certificate.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.cert")).to_s)
+ expect(http_client.key.to_s).to eq(OpenSSL::PKey::RSA.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key")).to_s)
+ end
+
+ it "configures the HTTP client's cert and private key with a DER encoded key" do
+ Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + "/ssl/chef-rspec.cert"
+ Chef::Config[:ssl_client_key] = CHEF_SPEC_DATA + "/ssl/chef-rspec-der.key"
+ expect(http_client.cert.to_s).to eq(OpenSSL::X509::Certificate.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.cert")).to_s)
+ expect(http_client.key.to_s).to eq(OpenSSL::PKey::RSA.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key")).to_s)
+ end
 end
 context "when additional certs are located in the trusted_certs dir" do |
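Review bot: Neither added example exercises the `trusted_certs_dir` change in `lib/chef/http/ssl_policies.rb`; both cover only `ssl_client_cert` and `ssl_client_key`, although the commit also adds `spec/data/trusted_certs/example_der.crt`. Unless the `when additional certs are located in the trusted_certs dir` context that begins at the end of this hunk already asserts on every file in that directory, I would add an example there that checks the DER file ends up in the client's certificate store. A negative example using a file that is neither PEM nor DER would also pin down the error path for both the client credentials and the trusted certs.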