From d2ef0fee71bec00aa53093a7bd618db155b25ed7 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Wed, 14 Sep 2022 23:48:12 +0200
Subject: [PATCH] nightly: support OpenSSL 3.0 with Paramiko

OpenSSL 3.0 changed the default output format from PKCS#1 to PKCS#8,
which paramiko does not support.

https://www.openssl.org/docs/man3.0/man1/openssl-rsa.html#traditional
https://github.com/paramiko/paramiko/issues/1015
---
 .gitlab-ci.yml                    |   1 +
 MANIFEST.in                       |   1 +
 fdroidserver/nightly.py           |  20 +++++--
 tests/aosp_testkey_debug.keystore | Bin 0 -> 2557 bytes
 tests/nightly.TestCase            |  91 ++++++++++++++++++++++++++++++
 5 files changed, 109 insertions(+), 4 deletions(-)
 create mode 100644 tests/aosp_testkey_debug.keystore

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f3964b93..887a0855 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -245,6 +245,7 @@ black:
         tests/lint.TestCase
         tests/metadata.TestCase
         tests/ndk-release-checksums.py
+        tests/nightly.TestCase
         tests/rewritemeta.TestCase
 
 
diff --git a/MANIFEST.in b/MANIFEST.in
index 3435bee0..010563c3 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -43,6 +43,7 @@ include locale/zh_Hant/LC_MESSAGES/fdroidserver.po
 include makebuildserver
 include README.md
 include tests/androguard_test.py
+include tests/aosp_testkey_debug.keystore
 include tests/bad-unicode-*.apk
 include tests/build.TestCase
 include tests/build-tools/17.0.0/aapt-output-com.moez.QKSMS_182.txt
diff --git a/fdroidserver/nightly.py b/fdroidserver/nightly.py
index 4d0d80ad..7ca8b863 100644
--- a/fdroidserver/nightly.py
+++ b/fdroidserver/nightly.py
@@ -25,6 +25,7 @@ import os
 import paramiko
 import platform
 import shutil
+import ssl
 import subprocess
 import sys
 import tempfile
@@ -47,7 +48,11 @@ DISTINGUISHED_NAME = 'CN=Android Debug,O=Android,C=US'
 NIGHTLY = '-nightly'
 
 
-def _ssh_key_from_debug_keystore(keystore=KEYSTORE_FILE):
+def _ssh_key_from_debug_keystore(keystore=None):
+    if keystore is None:
+        # set this here so it can be overridden in the tests
+        # TODO convert this to a class to get rid of this nonsense
+        keystore = KEYSTORE_FILE
     tmp_dir = tempfile.mkdtemp(prefix='.')
     privkey = os.path.join(tmp_dir, '.privkey')
     key_pem = os.path.join(tmp_dir, '.key.pem')
@@ -94,10 +99,17 @@ def _ssh_key_from_debug_keystore(keystore=KEYSTORE_FILE):
         ],
         env={'LC_ALL': 'C.UTF-8'},
     )
+
+    # OpenSSL 3.0 changed the default output format from PKCS#1 to
+    # PKCS#8, which paramiko does not support.
+    # https://www.openssl.org/docs/man3.0/man1/openssl-rsa.html#traditional
+    # https://github.com/paramiko/paramiko/issues/1015
+    openssl_rsa_cmd = ['openssl', 'rsa']
+    if ssl.OPENSSL_VERSION_INFO[0] >= 3:
+        openssl_rsa_cmd += ['-traditional']
     subprocess.check_call(
-        [
-            'openssl',
-            'rsa',
+        openssl_rsa_cmd
+        + [
             '-in',
             key_pem,
             '-out',
diff --git a/tests/aosp_testkey_debug.keystore b/tests/aosp_testkey_debug.keystore
new file mode 100644
index 0000000000000000000000000000000000000000..ecbdcb4dc59dfbacd33f24d6f1690900c6ee16b0
GIT binary patch
literal 2557
zcmd6o`8(A88pr25Gsf1C21Ajd5n1XxcCr+aeG3nh9D^a-sIg`rYKlB0Tcf6IMGx7F
z!r0f;v6X$-NJu1GH6A^ub57TF&L8mna9{Uzzwgfv_vdrH@7IU5%vy#(Ake)4{t8|K
z$&Kvi>E=ds3H0zLUfI(_)jo=wK_F}Z7z6(f@*ucm5da*Jf${+W8w4H$UtknmK#bJ!
zhV)t`=U>ek<&Q8?=!q``vPP3p5JNv%tF$wt>5xnOR`a^_KV~WK6m~TuG#Wp;KM9vn
z<`{Hx!<Wpqon7x;!>n+<riCg<vh;jkzY;1KSd8z@%(Oh98!}k_VcJ;IyBCo9QW|3N
z!b+|GLGqZ2(@{ITpmc+=(zZaPAOWgB(4|J(C`}XTc&TnpWqwO>xc$i~ov&a2^MYfA
z@j`!x<_Pl|kHsos$>-#>(~Qz3Walt&n83262lUZTD6Q)=CO0AI?nJ%w`sCmFgx6Fn
zoDj~@>g~l&>i1a@Xn8}r&g3f>Gcwf8h+;HSowZ}RP9r?ztsb}?$P(qvXws`l<0-ik
zR>OR}f3oPIG~U~j-XC`DDRFE14e^S~eeOZh&VenbK5C;FshH&-Ieu?mpeWAUbxBg4
zxREfSVljn1INlJ>s~8YFt^#dKDdx#%Ce5st%X8g*ep*po(O_d5m*9!dyumB|+xIbN
zw$I^yOOR~m%Bb}y%7Dd{IqU7!N|N)tH})AX4VvqdqzB875fB{G<Cb4?+(;S^!lAlJ
zTf0V%*rkTz4tMTR@JSnc9!IxUCBtStq&QBfDjijYwu>yVAXP9zqZ1y4Xe%)Yo%_^G
z35AfH+MPh#hdWXlmV;c|LyHKc$yiSC5tq_4B0_hzjk>MP1e4;j-K{UY#glzA1U<s0
zP2)`aX60w*i618`$`PS#eqk&c!n5R7E;@w)BZ{~yAmhWSn+fBkH!t7@PVgSRaC%iO
zy|i#G7*#ktzZLXAm8na7;@)E}?3`Elp6f+Rt99cP^<;bL=Kj%Xf$;Xjnu5Fhh0Cv`
z+2?zzZuDPA`4Pw4Z$ECwv^oC6cx*Ik4y#j*6SktQmCtiUEUo&?2?d>*s<G~+Rk^;m
zWlGC(IcUuq2<zCp$Da>+`HZe<j^V~0@k``%Vpsh(Mohl#NMoK02g+~(-$Y2MWh-6J
z<O65!_@K*TiytfB+Gw1&TAbtyRD#;re;+GH&Qg@BPz6)GX|tNEb?{RyL)}scTYlVf
zKX*$9UY7xNJd)n9I49;&D1R;V>(1zcIxs?Po?p^y^(XQPqh}@4T&ozvun%41?L#58
zpEiT;lZq^_IS$~nwE94Gl@+ZP8?5kj#ml*`0(oM?h?^z{^@aPT8O&%#O(|K&J{#vR
zXTUw^%SG0RYbnsIoicF2e7XA)NAK%}IM#07=?H9JlksrGbtvsJObJTjUa2UeK8fnn
z97GOLgZ1RZ=s2mYcvjZ=1_9^VImZ)Ytxh!sD6wnc!}h;9d!weayR1a#R_QX`%EZpK
zr{4Xv<?Ev@FFtWQlxbjP?FF7W(#<8%IkaQkqU$_YzPn>0hI<=GatEl%f(XwL+JeB>
zM@jdt>t8zvIz<InJ@0<^)@|F~g^nTN2ARpwzOyG*jF<11cKa&CP#*<JZU~Iy5KnW>
z%r|&d4qg6mZ)bYZx2X$Re5pr|&>2&?eOd8P#^7O`Gp$HyKzo%4i*s9^ZIyMbU-Hkv
z&MV7wwANmX{mvGq^Y&`9mRNzn^n7eW>($tLM{G?N2kO!vUcoNcpYK;zvEY}K*AA|d
zs)DLj3A_-gR?e0Cz0*HUuXW<xliCUKGJnI7i~N2tV~)P~VrBa@ryAu|+Hjc2Yen7U
z<i7~XW`A56REI#|MSDCf0ApacvS3gE3gv{Pkct@WYrrIkL~zPb4XK;RJwmcUKuRi(
z8{|a5Y~ctL)b<<>1@iqUI8a=A1Rqa#KQhUafD;7ye~9cTq?unJDS+Tf!q|BdgK_)!
zh`XnAq1aFVi_HI4xc^6i{a29yG5?u?6A(oGr246!`M9f}FL)S@1l2$V1$7XosHmiZ
zM<W%LK~<dU&+_j&b_{^|^?~>PAXp55gn%&s2Q&r%Aa7HI;S+7#*s|qzm#N_)Np0;{
zK8vC=yNHB>_q7GDy!%5)`CR!vOr9EEnzF<0uy*icz4`ZACT`Vptek$P-Rg`-!J+zc
z@M%aBT#sQ&7OFP*A}&Dvq?T<S*ThhZN@V;qsjGS9@GRK*A*Cn3dCd5;r3BKFgI!@N
zIs^UDi%rpi`6zWsu43(KR-SuDXzI{O9H)kd>hTk92O3Dex~uj=lPnmed*8sB5ufqq
zYOKAmAy6UdhO(%ixYH>eY&iPG!^;LqvFWJkVt+n!)>e_P#XED;Z(^xC(R02drzbJw
zC?-{hMvl;gv&b}2+T`70wXAY<RIccGFV=z>6oBPYzJZi&P;}2YqC9XxIKQC-#7;{}
z&Y+l&%9a-(T*TRxzz0$~fAo*QDUBe75&eJ9WK%NpC>eiKC&c`+ar=H;1qEjVVF0lE
zt3CGiZ_ge8B(x+wVbQYXG@F%B&q!eja6Uc=FO@Hl(^P38!7s2o@*2j8ug{a;Wal9J
zU_9S7lg5kT5XLcmIS!Mi$Y<G+MRbOc9LBut9N)U_5cZkf=-imZsbu*;D(gm?C{Vz9
zT8!6qK6hbD3CD(&Fi23Dk&|)SPJJsn2zt$RZloQ`Z9E|=%s<{HcF<)+eoJZt#(L;{
zQqBfh7Y^K0c~PFJd$|!kX{|Zh`k4}HG_~?*UtLrHIx^HkSW9nRf}QM6GBt~xuESF~
z!arNcFNx3SclpSc3Nm9|qb>Vdz>oP&ULr>QL0tBQQ3qqXQ*IjK)by}*aA4<vpoZmd
bJQvNLV$w@Z0W_TzWS;jmNZcmP&6@rvG=ec6

literal 0
HcmV?d00001

diff --git a/tests/nightly.TestCase b/tests/nightly.TestCase
index afe34752..627ebab4 100755
--- a/tests/nightly.TestCase
+++ b/tests/nightly.TestCase
@@ -1,12 +1,19 @@
 #!/usr/bin/env python3
 
 import inspect
+import logging
 import optparse
 import os
 import requests
+import shutil
 import sys
+import tempfile
+import time
 import unittest
 
+from pathlib import Path
+from unittest.mock import patch
+
 localmodule = os.path.realpath(
     os.path.join(os.path.dirname(inspect.getfile(inspect.currentframe())), '..')
 )
@@ -17,7 +24,51 @@ if localmodule not in sys.path:
 from fdroidserver import common, nightly
 
 
+AOSP_TESTKEY_DEBUG_KEYSTORE_KEY_FILE_NAME = (
+    'debug_keystore_k47SVrA85+oMZAexHc62PkgvIgO8TJBYN00U82xSlxc_id_rsa'
+)
+
+
+class Options:
+    allow_disabled_algorithms = False
+    clean = False
+    delete_unknown = False
+    nosign = False
+    pretty = True
+    rename_apks = False
+    verbose = False
+
+
 class NightlyTest(unittest.TestCase):
+
+    basedir = Path(__file__).resolve().parent
+    path = os.environ['PATH']
+
+    def setUp(self):
+        logging.basicConfig(level=logging.WARNING)
+        self.basedir = Path(localmodule) / 'tests'
+        self.testroot = Path(localmodule) / '.testfiles'
+        self.testroot.mkdir(exist_ok=True)
+        os.chdir(self.basedir)
+        self.tempdir = tempfile.TemporaryDirectory(
+            str(time.time()), self._testMethodName + '_', self.testroot
+        )
+        self.testdir = Path(self.tempdir.name)
+        self.home = self.testdir / 'home'
+        self.home.mkdir()
+        self.dot_android = self.home / '.android'
+        nightly.KEYSTORE_FILE = str(self.dot_android / 'debug.keystore')
+
+    def tearDown(self):
+        self.tempdir.cleanup()
+
+    def _copy_test_debug_keystore(self):
+        self.dot_android.mkdir()
+        shutil.copy(
+            self.basedir / 'aosp_testkey_debug.keystore',
+            self.dot_android / 'debug.keystore',
+        )
+
     def test_get_repo_base_url(self):
         for clone_url, repo_git_base, result in [
             (
@@ -37,6 +88,46 @@ class NightlyTest(unittest.TestCase):
             # gitlab.com often returns 403 Forbidden from their cloudflare restrictions
             self.assertTrue(r.status_code in (200, 403), 'should not be a redirect')
 
+    @patch.dict(os.environ, clear=True)
+    def test_ssh_key_from_debug_keystore(self):
+        os.environ['HOME'] = str(self.home)
+        os.environ['PATH'] = self.path
+        ssh_private_key_file = nightly._ssh_key_from_debug_keystore(
+            self.basedir / 'aosp_testkey_debug.keystore'
+        )
+        with open(ssh_private_key_file) as fp:
+            assert '-----BEGIN RSA PRIVATE KEY-----' in fp.read()
+        with open(ssh_private_key_file + '.pub') as fp:
+            assert fp.read(8) == 'ssh-rsa '
+
+    @patch.dict(os.environ, clear=True)
+    @patch('sys.argv', ['fdroid nightly', '--verbose'])
+    def test_main_empty_dot_android(self):
+        """Test that it exits with an error when ~/.android is empty"""
+        os.environ['HOME'] = str(self.home)
+        os.environ['PATH'] = self.path
+        with self.assertRaises(SystemExit) as cm:
+            nightly.main()
+        self.assertEqual(cm.exception.code, 1)
+
+    @patch.dict(os.environ, clear=True)
+    @patch('sys.argv', ['fdroid nightly', '--verbose'])
+    def test_main_on_user_machine(self):
+        """Test that `fdroid nightly` runs on the user's machine
+
+        Careful!  If the test env is wrong, it can mess up the local
+        SSH setup.
+
+        """
+        dot_ssh = self.home / '.ssh'
+        dot_ssh.mkdir()
+        self._copy_test_debug_keystore()
+        os.environ['HOME'] = str(self.home)
+        os.environ['PATH'] = self.path
+        nightly.main()
+        assert (dot_ssh / AOSP_TESTKEY_DEBUG_KEYSTORE_KEY_FILE_NAME).exists()
+        assert (dot_ssh / (AOSP_TESTKEY_DEBUG_KEYSTORE_KEY_FILE_NAME + '.pub')).exists()
+
 
 if __name__ == "__main__":
     os.chdir(os.path.dirname(__file__))