[Testing] Fix spiffe portability (#41205)
authorGregory Cooke <gregorycooke@google.com>
Wed, 10 Dec 2025 05:23:02 +0000 (21:23 -0800)
committerCopybara-Service <copybara-worker@google.com>
Wed, 10 Dec 2025 05:25:19 +0000 (21:25 -0800)
Fix a few issues when building with different OpenSSL versions

OpenSSL1.0.2 - some copied CRL-related test code made assumptions that are not valid for these tests.
OpenSSL1.1.1 - The regex is too sensitive, only do the regex check for BoringSSL
OpenSSL3 - We thought the Invalid UTF8-SAN behavior should cause handshake failures for OpenSSL3 here and included different behavior, but that is still what is breaking. Let's revert that change.

Closes #41205

COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/41205 from gtcooke94:fix_spiffe_portability 8818df50053944444c1093bdf500944b690422d3
PiperOrigin-RevId: 842526173

test/core/tsi/spiffe_ssl_transport_security_test.cc
test/cpp/end2end/spiffe_bundle_map_end2end_test.cc

index 9718b4de5efc883e0c806117ae7e5d106d9da1c0..19d24bf796712e9f4c31016618e94418c3bf7996 100644 (file)
@@ -205,12 +205,6 @@ class SpiffeSslTransportSecurityTest
       expect_client_success = GetParam() == tsi_tls_version::TSI_TLS1_2
                                   ? expect_client_success_1_2_
                                   : expect_client_success_1_3_;
-#else
-      //  If using OpenSSL version < 1.1, the CRL revocation won't
-      //  be enabled anyways, so we always expect the connection to
-      //  be successful.
-      expect_server_success = true;
-      expect_client_success = expect_server_success;
 #endif
       tsi_peer peer;
       if (expect_client_success) {
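Review bot: With the `#else` branch removed, nothing in this hunk assigns `expect_client_success` or `expect_server_success` when the `#if` condition is false, so `if (expect_client_success)` uses whatever the declarations above the hunk set. The `#if` line and those declarations are outside the hunk, so please confirm the fallback value follows the fixture's `expect_client_success_1_2_` / `expect_client_success_1_3_` rather than a fixed default. Otherwise the peer check on older OpenSSL builds asserts an outcome the test case did not ask for. If the version guard is no longer needed for these non-CRL tests, dropping the `#if`/`#endif` around the assignment would make the expectation identical on every library.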
@@ -410,15 +404,8 @@ TEST_P(SpiffeSslTransportSecurityTest, InvalidUTF8Fails) {
   auto* fixture_pass = new SslTsiTestFixture(
       kServerKeyPath, kServerCertPath, kInvalidUtf8SanKeyPath,
       kInvalidUtf8SanCertPath, "", "", kCaPemPath,
-  // OpenSSL3 and above will fail the handshake because of the invalid
-  // UTF-8 URI SAN.
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-      /*expect_server_success=*/false,
-      /*expect_client_success_1_2=*/false,
-#else
       /*expect_server_success=*/true,
       /*expect_client_success_1_2=*/true,
-#endif
       /*expect_client_success_1_3=*/true);
   fixture_pass->Run();
   // Should fail SPIFFE verification because of multiple URI SANs.
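Review bot: `InvalidUTF8Fails` now expects the handshake with `kInvalidUtf8SanCertPath` to succeed on every library, and the only explanation of the expected outcome was the comment this hunk deletes. A reader of a test with "Fails" in its name needs to know why a certificate with an invalid UTF-8 URI SAN is allowed through the handshake and where it is rejected instead. I would add a comment above the three expectations along the lines of `// Handshake is expected to succeed on OpenSSL 1.x, OpenSSL 3 and BoringSSL alike; the invalid SAN is rejected in <layer to be named by the author>.` The test body continues past the hunk, so the assertion that actually covers the invalid SAN cannot be checked from here.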
index 773b14f751d1ed802227f198dc69d202521b8ea5..29e120fa363c931b315aa2a423c6d205eaaab846 100644 (file)
@@ -185,7 +185,8 @@ void DoRpc(const std::string& server_addr,
     EXPECT_EQ(result.error_code(), failure_code);
 // The expected failure message only matches when building against BoringSSL or
 // OpenSSL < 3.0.
-#if GTEST_USES_POSIX_RE && OPENSSL_VERSION_NUMBER < 0x30000000L
+#if GTEST_USES_POSIX_RE && OPENSSL_VERSION_NUMBER < 0x30000000L && \
+    defined(OPENSSL_IS_BORINGSSL)
     EXPECT_THAT(result.error_message(),
                 ::testing::MatchesRegex(failure_message_regex));
 #endif
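Review bot: The comment above the `#if` still says the message matches for "BoringSSL or OpenSSL < 3.0", but the new condition compiles the regex check only when `OPENSSL_IS_BORINGSSL` is defined. Update it to something like `// The expected failure message is only checked when building against BoringSSL.` so the guard and its explanation agree. On OpenSSL builds the test now asserts only `failure_code`, so a rejection for a different reason that maps to the same status code would still pass, which is worth stating in the comment. If BoringSSL's `OPENSSL_VERSION_NUMBER` is always below `0x30000000L`, the version term is redundant and `#if GTEST_USES_POSIX_RE && defined(OPENSSL_IS_BORINGSSL)` would read more clearly. `DoRpc` starts and ends outside the hunk.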