(PUP-11439) Support Ed25519 keys/certificates
The generic interface usage was added by 78712fe, which improved key format support.
ruby-openssl 3.0, shipped in Ruby 3.0, supports Ed25519 keys using the generic interface and returns an OpenSSL::PKey::PKey.
The only thing preventing these from working is a simple type check. Remove it and update various type annotations to refer to OpenSSL::PKey::PKey, though the old types will still work.
tambry committed Jan 30, 2022
1 parent a5346b0 commit e97bb73
Showing 2 changed files with 5 additions and 9 deletions.
8 changes: 2 additions & 6 deletions lib/puppet/ssl/ssl_provider.rb
Expand Up @@ -107,7 +107,7 @@ def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
#
# @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
# @param crls [Array<OpenSSL::X509::CRL>] Array of CRLs
# @param private_key [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] client's private key
# @param private_key [OpenSSL::PKey::PKey] client's private key
# @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
# key matches the `private_key`
# @param revocation [:chain, :leaf, false] revocation mode
Expand All @@ -126,10 +126,6 @@ def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Pupp
store = create_x509_store(cacerts, crls, revocation)
client_chain = verify_cert_with_store(store, client_cert)

if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
end

unless client_cert.check_private_key(private_key)
raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
end
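Review bot: dropping the type check leaves `client_cert.check_private_key(private_key)` as the only gate in create_context, so a key that is not usable for TLS (a DH or DSA object, or a public-only key) now surfaces as "The certificate for '%{name}' does not match its private key" instead of "Unsupported key", which points the operator at the wrong problem. Consider keeping an explicit allowlist that adds Ed25519 rather than removing the check, or at minimum guarding with `private_key.is_a?(OpenSSL::PKey::PKey)` and documenting that Ed25519 requires ruby-openssl 3.0 as the commit message states.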
Expand Down Expand Up @@ -178,7 +174,7 @@ def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_re
# of the private key, and that it hasn't been tampered with since.
#
# @param csr [OpenSSL::X509::Request] certificate signing request
# @param public_key [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] public key
# @param public_key [OpenSSL::PKey::PKey] public key
# @raise [Puppet::SSL:SSLError] The private_key for the given `public_key` was
# not used to sign the CSR.
# @api private
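Review bot: the unchanged context line `# @raise [Puppet::SSL:SSLError]` in this hunk is missing a colon (`Puppet::SSL::SSLError`); since the surrounding doc block is being edited anyway, fix the typo here.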
6 changes: 3 additions & 3 deletions lib/puppet/x509/cert_provider.rb
Expand Up @@ -150,7 +150,7 @@ def crl_last_update=(time)
# historical reasons, names are case insensitive.
#
# @param name [String] The private key identity
# @param key [OpenSSL::PKey::RSA] private key
# @param key [OpenSSL::PKey::PKey] private key
# @param password [String, nil] If non-nil, derive an encryption key
# from the password, and use that to encrypt the private key. If nil,
# save the private key unencrypted.
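Review bot: the save path documented here encrypts the key with a password-derived cipher, but only the `@param key` type changed from RSA to the generic PKey. Confirm that the encryption call behind this doc works for generic `OpenSSL::PKey::PKey` instances (the RSA-specific export helpers do not necessarily apply to an Ed25519 object returned by the generic interface), otherwise saving a password-protected Ed25519 key will fail at runtime despite the widened annotation.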
Expand Down Expand Up @@ -200,7 +200,7 @@ def load_private_key(name, required: false, password: nil)
# @param password [String, nil] If the private key is encrypted, decrypt
# it using the password. If the key is encrypted, but a password is
# not specified, then the key cannot be loaded.
# @return [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] The private key
# @return [OpenSSL::PKey::PKey] The private key
# @raise [OpenSSL::PKey::PKeyError] The `pem` text does not contain a valid key
#
# @api private
Expand Down Expand Up @@ -271,7 +271,7 @@ def load_client_cert_from_pem(pem)
# Create a certificate signing request (CSR).
#
# @param name [String] the request identity
# @param private_key [OpenSSL::PKey::RSA] private key
# @param private_key [OpenSSL::PKey::PKey] private key
# @return [Puppet::X509::Request] The request
#
# @api private
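Review bot: widening `@param private_key` to PKey implies create_request can sign a CSR with an Ed25519 key, but EdDSA keys take no separate message digest; if the signing call (not shown in this hunk) passes a fixed SHA-256 digest, Ed25519 keys will be rejected at sign time. Verify that code path selects a nil digest for Ed25519, and add a spec that generates a CSR with an Ed25519 key so the new support is actually exercised.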

0 comments on commit e97bb73