unit-test: Improve test suite compatibility with newer OpenSSL #57

Open
xnox wants to merge 1 commit into aws:master from xnox:fix-testsuite
xnox commented Jan 30, 2025

No impact or changes to production scripts.

More recent OpenSSL requires additional keyUsage & basic constraints
to be set on the test certificates. Adjust test key generation to have
them; note production certificates already have all of those settings.

Fingerprint parsing had mismatched capitalization - asking OpenSSL to
provide lowercase fingerprint and matching for uppercase one. Make
them consistent.

Without these changes the test suite has these errors:

    CN = intermediate.managedssh.amazonaws.com
    error 89 at 1 depth lookup: Basic Constraints of CA cert not marked critical
    CN = intermediate.managedssh.amazonaws.com
    error 92 at 1 depth lookup: CA cert does not include key usage extension
    CN = managedssh.amazonaws.com
    error 92 at 2 depth lookup: CA cert does not include key usage extension
    error /dev/shm/tmp-i7Fdjp2e/cert.pem: verification failed
    mixed FAILED
    EXPECTED: exit 0 with output
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAQmefSRJyiAUSlICBKAO+4heV1kkA46PQm5ZQVxxhv7pF1yWWLhgFJ9IG9qmeeKIQ3bzKBzGv5UHSeJbuRfwY6ZtKynBfjzN1WRuYY2oaDjlh2vzK5WgvVttUJk8oAYcZM2h+aXpJtlWV95yqaTSD4XcuWOg3E3KCTcK2Xf/BaB4IN/pJF1SyuLg5ygWh0dKi4X+tH81aHcEg8pWfDLFkdKUF0d6GwIi+iCJxfb5bubY3/+0qYc0IqWOxa4vf6ggW7yI5m3mOX0kRuOAPEY/6fe4KfcGqLZvraKe1ZLYMgQUKuawhpPzooVeI/EtI3gtFDC0b8YAPjA2CUDc/3APR
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAQmefSRJyiAUSlICBKAO+4heV1kkA46PQm5ZQVxxhv7pF1yWWLhgFJ9IG9qmeeKIQ3bzKBzGv5UHSeJbuRfwY6ZtKynBfjzN1WRuYY2oaDjlh2vzK5WgvVttUJk8oAYcZM2h+aXpJtlWV95yqaTSD4XcuWOg3E3KCTcK2Xf/BaB4IN/pJF1SyuLg5ygWh0dKi4X+tH81aHcEg8pWfDLFkdKUF0d6GwIi+iCJxfb5bubY3/+0qYc0IqWOxa4vf6ggW7yI5m3mOX0kRuOAPEY/6fe4KfcGqLZvraKe1ZLYMgQUKuawhpPzooVeI/EtI3gtFDC0b8YAPjA2CUDc/3APR
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAQmefSRJyiAUSlICBKAO+4heV1kkA46PQm5ZQVxxhv7pF1yWWLhgFJ9IG9qmeeKIQ3bzKBzGv5UHSeJbuRfwY6ZtKynBfjzN1WRuYY2oaDjlh2vzK5WgvVttUJk8oAYcZM2h+aXpJtlWV95yqaTSD4XcuWOg3E3KCTcK2Xf/BaB4IN/pJF1SyuLg5ygWh0dKi4X+tH81aHcEg8pWfDLFkdKUF0d6GwIi+iCJxfb5bubY3/+0qYc0IqWOxa4vf6ggW7yI5m3mOX0kRuOAPEY/6fe4KfcGqLZvraKe1ZLYMgQUKuawhpPzooVeI/EtI3gtFDC0b8YAPjA2CUDc/3APR
    ACTUAL: exit 2 with output

With these changes in place:

    $ ./bin/unit_test_suite.sh
    empty PASSED
    invalid-signature PASSED
    different-fingerprint PASSED
    expired-timestamp PASSED
    invalid-instance PASSED
    missing-data PASSED
    mixed PASSED
    valid-key PASSED
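
The two fixes described in the comment above, as an added shell example that is not code from this pull request or the project: it builds a throwaway three-certificate chain whose CA certificates carry critical basicConstraints and keyUsage, and reduces fingerprint output to one case before comparing. The file names, the `.test.invalid` subjects, the helper names and the use of `openssl verify -x509_strict` to exercise the checks are assumptions.

```shell
#!/bin/sh
# Added example; subjects, file names and the -x509_strict check are assumptions.
# write_ext FILE CA|LEAF: extension file with critical basicConstraints and keyUsage.
write_ext() {
    if [ "$2" = CA ]; then
        bc='critical, CA:TRUE'; ku='critical, keyCertSign, cRLSign'
    else
        bc='critical, CA:FALSE'; ku='critical, digitalSignature'
    fi
    printf 'basicConstraints = %s\nkeyUsage = %s\n' "$bc" "$ku" > "$1"
    printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' >> "$1"
}

# new_csr DIR NAME: throwaway RSA key and CSR for CN=NAME.test.invalid.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2.test.invalid" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_chain DIR: root -> intermediate -> leaf, each valid for one day.
build_chain() {
    d=$1
    write_ext "$d/ca.ext" CA && write_ext "$d/leaf.ext" LEAF || return 1
    for n in root intermediate leaf; do new_csr "$d" "$n" || return 1; done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -set_serial 2 -days 1 \
        -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -set_serial 3 -days 1 \
        -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# verify_chain DIR: strict verification of the leaf up to the root.
verify_chain() {
    openssl verify -x509_strict -CAfile "$1/root.pem" \
        -untrusted "$1/intermediate.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# fp_norm LINE: "SHA256 Fingerprint=AB:CD" or "sha256 Fingerprint=ab:cd" -> "abcd".
fp_norm() {
    printf '%s\n' "${1#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

if command -v openssl >/dev/null 2>&1; then   # demo needs the openssl CLI
    tmp=$(mktemp -d) && build_chain "$tmp" && verify_chain "$tmp" && echo "chain verifies"
    rm -rf "$tmp"
fi
```

Dropping `critical` from `basicConstraints` or removing the `keyUsage` line in `write_ext` is the quickest way to see which extension a given OpenSSL build insists on.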