Make GitLab work with OpenSSL 3
What does this MR do and why?
The backstory:
- Let's add Go 1.22 to the build! gitlab-build-images!771 (merged)
- OMG! We have more than 200 images now in the gitlab-build-images matrix. GitLab won't let us do that.
- We don't need to be building so many combinations. Nuke Debian bullseye from the matrix.
- Oh wait! We shipped Debian bookworm in Cloud Native GitLab (gitlab-org/build/CNG!1616 (merged)), but we're still testing against Debian bullseye in GitLab Rails.
- Ok, let's bump to Debian bookworm in CI: !144151 (merged)
- Auto-merge set!
- Oh wait, lots of test failures due to OpenSSL 3 now, especially around signed commits.
- Wait, all these failures are due to a trailing newline that is now gone?
This merge request fixes three issues:
- Fix `Gitlab::X509::Signature#x509_issuer` not working with OpenSSL 3

  The change in OpenSSL 3, together with https://github.com/ruby/ruby/commit/cff5bd63065da3ca53e877b086c2671884ae16dd, changed the formatting of `OpenSSL::X509::Extension#value` from this in OpenSSL 1.1:

  `keyid:<some fingerprint>\n`

  to this in OpenSSL 3, with no trailing newline:

  `<some fingerprint>`

  Since `Gitlab::X509::Signature#issuer_subject_key_identifier` was returning the result of `String#delete!`, which is `nil` when nothing was deleted, the missing newline caused this method to return `nil`, which effectively prevented any signature from working.

  To cut down on string allocations and avoid this bug, return the `key_identifier` string itself after `String#gsub!` and `String#chomp!` have been run, rather than the return value of the mutating call.

- Avoid mutating `OpenSSL::PKey::EC` keys

  OpenSSL v3 no longer allows mutating `OpenSSL::PKey::EC` types: https://github.com/ruby/openssl/commit/6848d2d969

- Fix p12_spec.rb for OpenSSL 3

  In OpenSSL 3, `PKCS12_parse` returns a parse error instead of a MAC verify error. Fix the test accordingly.
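As an added example (not this MR's diff), the `nil`-return failure described in the first fix and the corrected form, run against constructed sample `authorityKeyIdentifier` values in the two formats the MR describes; the method names are hypothetical reconstructions, not GitLab's code:

```ruby
# Constructed sample values for the authorityKeyIdentifier extension, modelled
# on the two formats described in this MR (not real certificate data).
OPENSSL_1_1_VALUE = "keyid:DE:AD:BE:EF:01:23:45:67\n"
OPENSSL_3_VALUE   = "DE:AD:BE:EF:01:23:45:67"

# Pre-fix shape: the method's value is the return value of String#delete!,
# which is nil whenever no character was actually deleted.
def issuer_subject_key_identifier_before(extension_value)
  key_identifier = extension_value.dup
  key_identifier.gsub!("keyid:", "")
  key_identifier.delete!("\n") # nil once the trailing newline is gone
end

# Post-fix shape: mutate in place, then return the String itself, so the nil
# that gsub!/chomp! return when nothing changed never leaks to the caller.
def issuer_subject_key_identifier_after(extension_value)
  key_identifier = extension_value.dup
  key_identifier.gsub!("keyid:", "")
  key_identifier.chomp!
  key_identifier
end

if $PROGRAM_NAME == __FILE__
  [OPENSSL_1_1_VALUE, OPENSSL_3_VALUE].each do |value|
    puts "input:  #{value.inspect}"
    puts "before: #{issuer_subject_key_identifier_before(value).inspect}"
    puts "after:  #{issuer_subject_key_identifier_after(value).inspect}"
  end
end
```

With the OpenSSL 1.1 value both variants return the fingerprint; with the OpenSSL 3 value the pre-fix variant returns `nil` while the fixed one still returns the fingerprint.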
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
Presumably we need to use X.509 certificates to sign commits (https://docs.gitlab.com/ee/user/project/repository/signed_commits/x509.html), but the changes here are isolated and covered by unit tests.