
Make GitLab work with OpenSSL 3

Stan Hu requested to merge sh-fix-openssl-3 into master

What does this MR do and why?

The backstory:

  1. Let's add Go 1.22 to the build! gitlab-build-images!771 (merged)
  2. OMG! We have more than 200 images now in the gitlab-build-images matrix. GitLab won't let us do that.
  3. We don't need to be building so many combinations. Nuke Debian bullseye from the matrix.
  4. Oh wait! We shipped Debian bookworm in Cloud Native GitLab (gitlab-org/build/CNG!1616 (merged)), but we're still testing against Debian bullseye in GitLab Rails.
  5. Ok, let's bump to Debian bookworm in CI: !144151 (merged)
  6. Auto-merge set!
  7. Oh wait, lots of test failures due to OpenSSL 3 now, especially around signed commits.
  8. Wait, all these failures are due to a trailing newline that is now gone?

This merge request fixes three issues:

  1. Fix Gitlab::X509::Signature#x509_issuer not working with OpenSSL 3

The change in OpenSSL 3 along with https://github.com/ruby/ruby/commit/cff5bd63065da3ca53e877b086c2671884ae16dd caused the formatting of OpenSSL::X509::Extension#value to change from this in OpenSSL 1.1:

keyid:<some fingerprint>\n

To this in OpenSSL 3 with no trailing newline:

<some fingerprint>

Since Gitlab::X509::Signature#issuer_subject_key_identifier returned the result of String#delete!, which yields nil when there is nothing to delete, the missing newline caused this method to return nil, which effectively prevented any signature from working.

To cut down on string allocations and avoid this bug, return the key_identifier after String#gsub! and String#chomp! are run.
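A small added illustration (not code from the GitLab repository) of why the nil came about and how the fix avoids it. The two extension values are constructed to mirror the OpenSSL 1.1 and OpenSSL 3 formats described above; the method names are hypothetical.

```ruby
# Constructed sample values for the two OpenSSL::X509::Extension#value
# formats described in the MR (assumed, not captured from a real cert).
OPENSSL1_VALUE = "keyid:AB:CD:EF:01\n"   # OpenSSL 1.1: prefix + trailing newline
OPENSSL3_VALUE = "AB:CD:EF:01"           # OpenSSL 3: no prefix, no newline

# Buggy shape: the method's return value is whatever String#delete! returns.
# delete! returns nil when it removes nothing, so the OpenSSL 3 value
# (which has no newline to strip) makes the whole method return nil.
def issuer_key_identifier_buggy(value)
  key_identifier = value.gsub('keyid:', '')
  key_identifier.delete!("\n")
end

# Fixed shape: run the bang methods only for their side effects and return
# the string itself, so the result is independent of whether anything
# actually changed. dup keeps the caller's (possibly frozen) string intact.
def issuer_key_identifier_fixed(value)
  key_identifier = value.dup
  key_identifier.gsub!('keyid:', '')
  key_identifier.chomp!
  key_identifier
end
```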

  2. Avoid mutating OpenSSL::PKey::EC keys

OpenSSL v3 no longer allows mutating OpenSSL::PKey::EC types: https://github.com/ruby/openssl/commit/6848d2d969

  3. Fix p12_spec.rb for OpenSSL 3

In OpenSSL 3, PKCS12_parse returns with a parse error instead of a MAC verify error. Fix the test accordingly.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Presumably we need to use X.509 certificates to sign commits (https://docs.gitlab.com/ee/user/project/repository/signed_commits/x509.html), but the changes here are isolated and covered by unit tests.

Edited by Stan Hu
