Fix certificates exporting with LibreSSL #427
Conversation
| capture_output=True, | ||
| check=False, | ||
| ) | ||
| self.__SUPPORTS_NOENC__ = b"-noenc" in completed_process.stdout or b"-noenc" in completed_process.stderr |
There was a problem hiding this comment.
just out of curiosity, what are the cases when help text goes to stderr?
There was a problem hiding this comment.
Excellent question actually. LibreSSL doesn't support neither -help nor help and emits the usage to stderr:
% openssl version
LibreSSL 3.3.6
% openssl pkcs12 help
unknown option 'help'
usage: pkcs12 [-aes128 | -aes192 | -aes256 | -camellia128 |
-camellia192 | -camellia256 | -des | -des3 | -idea]
[-cacerts] [-CAfile file] [-caname name]
[-CApath directory] [-certfile file] [-certpbe alg]
[-chain] [-clcerts] [-CSP name] [-descert] [-export]
[-in file] [-info] [-inkey file] [-keyex] [-keypbe alg]
[-keysig] [-LMK] [-macalg alg] [-maciter] [-name name]
[-nocerts] [-nodes] [-noiter] [-nokeys] [-nomac]
[-nomaciter] [-nomacver] [-noout] [-out file]
[-passin arg] [-passout arg] [-password arg] [-twopass]
-aes128 Encrypt PEM output with CBC AES
...
-nodes Don't encrypt private keys
...Perhaps this requires even a code comment?
There was a problem hiding this comment.
I added a comment about it in 1af5984.
There was a problem hiding this comment.
ha, that makes sense! and yes, commend in the code is totally helpful.
There was a problem hiding this comment.
but you search for -noenc in stderr just because you expect that LibreSSL will support it at some point but still without support of -help, is that correct? otherwise we can just check the first condition and immeddiately return the result.
There was a problem hiding this comment.
My hope (or assumtion?) is that maybe some day LibreSSL will follow OpenSSL and then both will support -noenc. As it is now, we'd get automatic support to the updated version.
| @@ -54,6 +54,9 @@ def _is_noenc_flag_supported(self) -> bool: | |||
| capture_output=True, | |||
| check=False, | |||
| ) | |||
| # Check both stdout and stderr because LibreSSL doesn't have help commands per-se. | |||
| # Execution fails, and it just outputs "unknown option '-help'" along with full | |||
There was a problem hiding this comment.
for the sake of accuracy, the output is unknown option 'help' (no dash)
There was a problem hiding this comment.
Here the output is indeed "unknown option '-help'", because the openssl pkcs12 is called with -help argument that OpenSSL supports.
Fixes #419
PR #411 introduced a regression when exporting Apple code signing certificates to PKCS#12 containers.
Just checking
openssl versionto decide whether-noencoption is supported for PKCS#12 export can yield misleading results as there are different implementations whose versioning schemes and APIs do not agree with each other.For example OpenSSL 3.0.0+ has deprecated
-nodesin favor of-noenc, while LibreSSL 3.3.6. still uses-nodesand doesn't even recognize-noenc.To choose correct flag to skip private key encryption for
openssl pkcs12, just check the help message and see if it contains-noenc, otherwise use the legacy-nodes.Updated actions:
app-store-connect certificates create,app-store-connect certificates get,app-store-connect certificates list,app-store-connect fetch-signing-files.QA notes
Tested on systems with different
opensslinstallations