unit tests for repoauth are failing on Fedora 25
m2crypto 0.25 raises an exception when dealing with dates after 2050. The certificates we use for repoauth and oid_validation expire in 2116. As a result platform has 5 failing unit tests on Fedora 25.
Update testing certificates for oid_validation and repoauth
It looks worse than it is. m2crypto has started to reject any certificate with an expiration date past 2050, which was the case with our testing certificates here. Since I fully expect we'll want to bring the repoauth and oid validation features forward to Pulp 3, I thought it was worth scripting up the openssl-fu necessary to easily remake these certificates in the future.
I reorganized the test_oid_validation file significantly, but the only real functional change was conflating the ideas of "VALID_CA2" and "INVALID_CA". There was actually nothing invalid about INVALID_CA; the only thing invalid about it was that it wasn't VALID_CA. This was also true for VALID_CA2, so they got merged into "OTHER_CA", since (as far as I could tell) there was no test that wanted to use both INVALID_CA and VALID_CA2 at the same time. Most of the churn comes from loading these certs from the filesystem instead of embedding them as strings in the test module. The repoauth tests already worked this way, but don't have as many testing certs, so the regenerate script also does repoauth a solid and updates its certs while it's freshening everything up.
Finally, I renamed the constants to be a little more consistent within the test module, and removed constants that aren't being used anywhere.
#2 Updated by email@example.com about 5 years ago
Yes, the idea is to generate new certs and sign them with the valid_ca.crt. The certs live in two places:
#5 Updated by semyers about 5 years ago
I was able to regenerate most certs using basic openssl commands, which fixed repoauth, but oid_validation is still breaking. It looks like the contents of the various ssl keys/certs get embedded into the test file as strings, where the repoauth tests load them from the filesystem. Since the repoauth tests are working fine this way, and it's a lot easier to make copy/paste openssl commands to write files than it is to get it to put stuff into python files, I think I'm going to fix up the oid_validation test suite to load its keys and certs from the filesystem similar to how repoauth does it.
I've been keeping docs on how to do this, so when we have to re-discover how to create test CAs and certs (including entitlement certs), we can hopefully follow the guide here and not require an openssl expert to fix/update our test fixtures.
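
The kind of regeneration the thread describes, as an added example (not the project's regenerate script and not code from this issue): it creates a test CA, signs a client certificate with it, and keeps every notAfter before 2050. Apart from `valid_ca.crt`, all file names, subject names and the 2049-01-01 cutoff are assumptions; it needs the `openssl` CLI and GNU `date`.

```shell
# Added example. Only valid_ca.crt is a name from the issue; the rest is hypothetical.

# Whole days from now until a cutoff date (assumed default: 2049-01-01 UTC).
# Certificates issued with this lifetime expire before 2050.
days_until() {
    cutoff="${1:-2049-01-01}"
    echo $(( ( $(date -u -d "$cutoff" +%s) - $(date -u +%s) ) / 86400 ))
}

# Write a self-signed test CA and one client cert signed by it into directory $1.
regen_test_certs() {
    out="$1"
    days="$(days_until)"
    mkdir -p "$out" || return 1

    # Test CA: new RSA key, self-signed certificate, unencrypted key file.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=Test Valid CA" \
        -keyout "$out/valid_ca.key" -out "$out/valid_ca.crt" 2>/dev/null || return 1

    # Client key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=test-client" \
        -keyout "$out/client.key" -out "$out/client.csr" 2>/dev/null || return 1

    # Sign the request with the test CA, using the same capped lifetime.
    openssl x509 -req -sha256 -days "$days" -set_serial 1 \
        -in "$out/client.csr" \
        -CA "$out/valid_ca.crt" -CAkey "$out/valid_ca.key" \
        -out "$out/client.crt" 2>/dev/null || return 1

    # Confirm the client cert chains to the CA before the fixtures are used.
    openssl verify -CAfile "$out/valid_ca.crt" "$out/client.crt" >/dev/null 2>&1
}

# Print the year of a certificate's notAfter field,
# taken from output such as "notAfter=Dec 31 12:00:00 2048 GMT".
not_after_year() {
    openssl x509 -in "$1" -noout -enddate | awk '{print $(NF-1)}'
}

# Stand-alone use: pass the output directory as the first argument.
if [ -n "${1:-}" ]; then
    regen_test_certs "$1"
fi
```

Running `not_after_year` over every fixture in a test directory is a quick way to spot certificates that still expire in 2050 or later.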