From 7345df96832ecd951d621268f9d497a4d411ebb6 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Thu, 18 Jul 2024 18:16:11 +0200
Subject: [PATCH 1/2] password encryption: switch from des3->aes-256-cbc

This updates the algorithm for password encryption in certificates from the outdated des3 to aes-256-cbc.

---
 lib/puppet/provider/ssl_pkey/openssl.rb | 2 +-
 spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/puppet/provider/ssl_pkey/openssl.rb b/lib/puppet/provider/ssl_pkey/openssl.rb
index 8ca7df9..3d241b6 100644
--- a/lib/puppet/provider/ssl_pkey/openssl.rb
+++ b/lib/puppet/provider/ssl_pkey/openssl.rb
@@ -25,7 +25,7 @@ def self.generate_key(resource)
 def self.to_pem(resource, key)
 if resource[:password]
- cipher = OpenSSL::Cipher.new('des3')
+ cipher = OpenSSL::Cipher.new('aes-256-cbc')
 key.to_pem(cipher, resource[:password])
 else
 key.to_pem
diff --git a/spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb b/spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb
index 91bd125..4636b0f 100644
--- a/spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb
+++ b/spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb
@@ -42,7 +42,7 @@
 it 'creates with given password' do
 resource[:password] = '2x$5{'
 allow(OpenSSL::PKey::RSA).to receive(:new).with(2048).and_return(key)
- allow(OpenSSL::Cipher).to receive(:new).with('des3')
+ allow(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
 expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
 resource.provider.create
 end
@@ -72,7 +72,7 @@
 resource[:authentication] = :rsa
 resource[:password] = '2x$5{'
 allow(OpenSSL::PKey::RSA).to receive(:new).with(2048).and_return(key)
- allow(OpenSSL::Cipher).to receive(:new).with('des3')
+ allow(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
 expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
 resource.provider.create
 end
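Review bot: The new `OpenSSL::Cipher.new('aes-256-cbc')` still feeds `key.to_pem(cipher, resource[:password])` on the next context line, and as far as I know that call writes the traditional PEM encryption format, whose password-to-key derivation is OpenSSL's EVP_BytesToKey (MD5, a single iteration) — so the cipher is upgraded but the weak KDF that offers little resistance to password guessing is unchanged. If the bundled openssl gem provides it, `key.private_to_pem(cipher, resource[:password])` writes a PKCS#8 EncryptedPrivateKeyInfo with a PBKDF2-derived key and the same cipher, which would be the more meaningful upgrade. The change also only affects keys written from now on; I can't see from this hunk whether the provider ever rewrites an existing des3-encrypted file, so a CHANGELOG note that existing key files keep their old cipher until recreated seems warranted (the commit message also says "in certificates", while the code encrypts the private key PEM). The closing `end`s of to_pem lie outside the hunk.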
@@ -102,7 +102,7 @@
 resource[:authentication] = :dsa
 resource[:password] = '2x$5{'
 allow(OpenSSL::PKey::DSA).to receive(:new).with(2048).and_return(key)
- allow(OpenSSL::Cipher).to receive(:new).with('des3')
+ allow(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
 expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
 resource.provider.create
 end
@@ -134,7 +134,7 @@
 resource[:authentication] = :ec
 resource[:password] = '2x$5{'
 allow(OpenSSL::PKey::EC).to receive(:new).with('secp384r1').and_return(key)
- allow(OpenSSL::Cipher).to receive(:new).with('des3')
+ allow(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
 expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
 resource.provider.create
 end

From 35160e1033cbdba4f2062fd94df992d06dfdc1e1 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Thu, 18 Jul 2024 20:29:21 +0200
Subject: [PATCH 2/2] Switch from allow to expect

---
 spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb b/spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb
index 4636b0f..dc22dca 100644
--- a/spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb
+++ b/spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb
@@ -42,7 +42,7 @@
 it 'creates with given password' do
 resource[:password] = '2x$5{'
 allow(OpenSSL::PKey::RSA).to receive(:new).with(2048).and_return(key)
- allow(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
+ expect(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
 expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
 resource.provider.create
 end
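Review bot: `expect(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')` has no `and_return`, so the stub presumably hands a nil cipher to the provider, and as far as I can tell `key.to_pem(nil, '2x$5{')` then exports the key unencrypted because the password is only used when a cipher is given — the example proves the constructor was called with the new name, not that the written key is encrypted. Consider `expect(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc').and_call_original` and replacing `kind_of(String)` in the File.write expectation with `a_string_including('ENCRYPTED')`, which holds for both the traditional PEM header and a PKCS#8 encrypted key; this assumes `key` (defined outside the hunk) is a real key object rather than a double. The same applies to the -72, -102 and -134 hunks of this commit.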
@@ -72,7 +72,7 @@
 resource[:authentication] = :rsa
 resource[:password] = '2x$5{'
 allow(OpenSSL::PKey::RSA).to receive(:new).with(2048).and_return(key)
- allow(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
+ expect(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
 expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
 resource.provider.create
 end
@@ -102,7 +102,7 @@
 resource[:authentication] = :dsa
 resource[:password] = '2x$5{'
 allow(OpenSSL::PKey::DSA).to receive(:new).with(2048).and_return(key)
- allow(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
+ expect(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
 expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
 resource.provider.create
 end
@@ -134,7 +134,7 @@
 resource[:authentication] = :ec
 resource[:password] = '2x$5{'
 allow(OpenSSL::PKey::EC).to receive(:new).with('secp384r1').and_return(key)
- allow(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
+ expect(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
 expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
 resource.provider.create
 end