[openssl] master update

tmraz at fedoraproject.org tmraz at fedoraproject.org
Wed Jun 3 07:57:40 UTC 2020


The branch master has been updated
       via  2b584ff372b2b25bb6801172bbeb90074b26f88c (commit)
       via  4e6e57cfcdd75b827ff7171927d87e95b5b86ae8 (commit)
      from  5c01a133ecafc5ffa4ae55effd32f4f1fb642293 (commit)


- Log -----------------------------------------------------------------
commit 2b584ff372b2b25bb6801172bbeb90074b26f88c
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Apr 27 12:57:01 2020 -0400

    Update manpage to fix examples, other minor tweaks
    
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11347)

commit 4e6e57cfcdd75b827ff7171927d87e95b5b86ae8
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Mar 4 14:08:31 2020 -0500

    Cleanup cert config files for tests
    
    Merge test/P[12]ss.cnf into one config file
    Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf
    Remove Netscape cert extensions, add keyUsage comment from some cnf files
    
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11347)

-----------------------------------------------------------------------

Summary of changes:
 apps/openssl-vms.cnf                | 53 ----------------------
 apps/openssl.cnf                    | 53 ----------------------
 demos/certs/apps/apps.cnf           |  6 ---
 demos/certs/ca.cnf                  |  6 ---
 doc/man7/proxy-certificates.pod     | 36 +++++++--------
 test/CAss.cnf                       | 69 ----------------------------
 test/P1ss.cnf                       | 31 -------------
 test/P2ss.cnf                       | 39 ----------------
 test/Uss.cnf                        | 36 ---------------
 test/ca-and-certs.cnf               | 90 +++++++++++++++++++++++++++++++++++++
 test/proxy.cnf                      | 61 +++++++++++++++++++++++++
 test/recipes/25-test_verify_store.t | 31 ++++++-------
 test/recipes/80-test_ca.t           | 23 +++++-----
 test/recipes/80-test_ssl_old.t      | 36 +++++++--------
 test/recipes/90-test_store.t        |  5 ++-
 15 files changed, 213 insertions(+), 362 deletions(-)
 delete mode 100644 test/CAss.cnf
 delete mode 100644 test/P1ss.cnf
 delete mode 100644 test/P2ss.cnf
 delete mode 100644 test/Uss.cnf
 create mode 100644 test/ca-and-certs.cnf
 create mode 100644 test/proxy.cnf

diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index c7e7abe994..2420e9c9f5 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -171,27 +171,9 @@ unstructuredName		= An optional company name
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This is required for TSA certificates.
 # extendedKeyUsage = critical,timeStamping
 
@@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
 # Copy issuer details
@@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This really needs to be in place for it to be a proxy certificate.
 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 52706ae166..4fd5286d2e 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -171,27 +171,9 @@ unstructuredName		= An optional company name
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This is required for TSA certificates.
 # extendedKeyUsage = critical,timeStamping
 
@@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
 # Copy issuer details
@@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This really needs to be in place for it to be a proxy certificate.
 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 
diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index bd762b7ddc..07a3d10b55 100644
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -35,9 +35,6 @@ commonName			= $ENV::CN
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 [ ec_cert ]
 
 # These extensions are added when 'ca' signs a request for an end entity
@@ -46,9 +43,6 @@ nsComment			= "OpenSSL Generated Certificate"
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
index c75a71a6aa..2fbf20490b 100644
--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -35,9 +35,6 @@ commonName			= $ENV::CN
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
@@ -47,9 +44,6 @@ authorityKeyIdentifier=keyid
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
diff --git a/doc/man7/proxy-certificates.pod b/doc/man7/proxy-certificates.pod
index df5ee1b4b5..eab28b5658 100644
--- a/doc/man7/proxy-certificates.pod
+++ b/doc/man7/proxy-certificates.pod
@@ -57,24 +57,22 @@ See L</NOTES> for a discussion on this requirement.
 Creating proxy certificates can be done using the L<openssl-x509(1)>
 command, with some extra extensions:
 
-    [ v3_proxy ]
+    [ proxy ]
     # A proxy certificate MUST NEVER be a CA certificate.
-    basicConstraints=CA:FALSE
-
+    basicConstraints = CA:FALSE
     # Usual authority key ID
-    authorityKeyIdentifier=keyid,issuer:always
-
+    authorityKeyIdentifier = keyid,issuer:always
     # The extension which marks this certificate as a proxy
-    proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+    proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
 
 It's also possible to specify the proxy extension in a separate section:
 
-    proxyCertInfo=critical, at proxy_ext
+    proxyCertInfo = critical, at proxy_ext
 
     [ proxy_ext ]
-    language=id-ppl-anyLanguage
-    pathlen=0
-    policy=text:BC
+    language = id-ppl-anyLanguage
+    pathlen = 0
+    policy = text:BC
 
 The policy value has a specific syntax, I<syntag>:I<string>, where the
 I<syntag> determines what will be done with the string.  The following
@@ -99,12 +97,12 @@ colons between each byte (every second hex digit):
 
 indicates that the text of the policy should be taken from a file.
 The string is then a filename.  This is useful for policies that are
-large (more than a few lines, e.g. XML documents).
+more than a few lines, such as XML or other markup.
 
 =back
 
-I<NOTE: The proxy policy value is what determines the rights granted
-to the process during the proxy certificate.  It's up to the
+Note that the proxy policy value is what determines the rights granted
+to the process during the proxy certificate, and it is up to the
 application to interpret and combine these policies.>
 
 With a proxy extension, creating a proxy certificate is a matter of
@@ -112,23 +110,23 @@ two commands:
 
     openssl req -new -config proxy.cnf \
         -out proxy.req -keyout proxy.key \
-        -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1"
+        -subj "/DC=org/DC=openssl/DC=users/CN=proxy"
 
     openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \
         -CA user.crt -CAkey user.key -days 7 \
-        -extfile proxy.cnf -extensions v3_proxy1
+        -extfile proxy.cnf -extensions proxy
 
 You can also create a proxy certificate using another proxy
-certificate as issuer (note: using a different configuration
-section for the proxy extensions):
+certificate as issuer. Note that this example uses a different
+configuration section for the proxy extensions:
 
     openssl req -new -config proxy.cnf \
         -out proxy2.req -keyout proxy2.key \
-        -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2"
+        -subj "/DC=org/DC=openssl/DC=users/CN=proxy/CN=proxy 2"
 
     openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \
         -CA proxy.crt -CAkey proxy.key -days 7 \
-        -extfile proxy.cnf -extensions v3_proxy2
+        -extfile proxy.cnf -extensions proxy_2
 
 =head2 Using proxy certs in applications
 
diff --git a/test/CAss.cnf b/test/CAss.cnf
deleted file mode 100644
index d63f85628b..0000000000
--- a/test/CAss.cnf
+++ /dev/null
@@ -1,69 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
-distinguished_name	= req_distinguished_name
-encrypt_rsa_key		= no
-default_md		= sha1
-
-[ req_distinguished_name ]
-countryName			= Country Name (2 letter code)
-countryName_default		= AU
-countryName_value		= AU
-
-organizationName		= Organization Name (eg, company)
-organizationName_value		= Dodgy Brothers
-
-commonName			= Common Name (eg, YOUR name)
-commonName_value		= Dodgy CA
-
-####################################################################
-[ ca ]
-default_ca	= CA_default		# The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir		= ./demoCA		# Where everything is kept
-certs		= $dir/certs		# Where the issued certs are kept
-crl_dir		= $dir/crl		# Where the issued crl are kept
-database	= $dir/index.txt	# database index file.
-#unique_subject	= no			# Set to 'no' to allow creation of
-					# several certificates with same subject.
-new_certs_dir	= $dir/newcerts		# default place for new certs.
-
-certificate	= $dir/cacert.pem 	# The CA certificate
-serial		= $dir/serial 		# The current serial number
-crl		= $dir/crl.pem 		# The current CRL
-private_key	= $dir/private/cakey.pem# The private key
-
-x509_extensions	= v3_ca			# The extensions to add to the cert
-
-name_opt 	= ca_default		# Subject Name options
-cert_opt 	= ca_default		# Certificate field options
-
-default_days	= 365			# how long to certify for
-default_crl_days= 30			# how long before next CRL
-default_md	= md5			# which md to use.
-preserve	= no			# keep passed DN ordering
-
-policy		= policy_anything
-
-[ policy_anything ]
-countryName		= optional
-stateOrProvinceName	= optional
-localityName		= optional
-organizationName	= optional
-organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
-
-
-
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = critical,CA:true,pathlen:1
-keyUsage = cRLSign, keyCertSign
-issuerAltName=issuer:copy
diff --git a/test/P1ss.cnf b/test/P1ss.cnf
deleted file mode 100644
index 69baaaf849..0000000000
--- a/test/P1ss.cnf
+++ /dev/null
@@ -1,31 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
-distinguished_name	= req_distinguished_name
-encrypt_rsa_key		= no
-default_md		= sha256
-
-[ req_distinguished_name ]
-countryName			= Country Name (2 letter code)
-countryName_default		= AU
-countryName_value		= AU
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-
-0.commonName			= Common Name (eg, YOUR name)
-0.commonName_value		= Brother 1
-
-1.commonName			= Common Name (eg, YOUR name)
-1.commonName_value		= Brother 2
-
-2.commonName			= Common Name (eg, YOUR name)
-2.commonName_value		= Proxy 1
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/test/P2ss.cnf b/test/P2ss.cnf
deleted file mode 100644
index 8d4f3c8a68..0000000000
--- a/test/P2ss.cnf
+++ /dev/null
@@ -1,39 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
-distinguished_name	= req_distinguished_name
-encrypt_rsa_key		= no
-default_md		= sha256
-
-[ req_distinguished_name ]
-countryName			= Country Name (2 letter code)
-countryName_default		= AU
-countryName_value		= AU
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-
-0.commonName			= Common Name (eg, YOUR name)
-0.commonName_value		= Brother 1
-
-1.commonName			= Common Name (eg, YOUR name)
-1.commonName_value		= Brother 2
-
-2.commonName			= Common Name (eg, YOUR name)
-2.commonName_value		= Proxy 1
-
-3.commonName			= Common Name (eg, YOUR name)
-3.commonName_value		= Proxy 2
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical, at proxy_ext
-
-[ proxy_ext ]
-language=id-ppl-anyLanguage
-pathlen=0
-policy=text:BC
diff --git a/test/Uss.cnf b/test/Uss.cnf
deleted file mode 100644
index 95ffb67deb..0000000000
--- a/test/Uss.cnf
+++ /dev/null
@@ -1,36 +0,0 @@
-
-CN2 = Brother 2
-
-####################################################################
-[ req ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
-distinguished_name	= req_distinguished_name
-encrypt_rsa_key		= no
-default_md		    = sha256
-prompt              = no
-
-[ req_distinguished_name ]
-countryName         = AU
-organizationName    = Dodgy Brothers
-0.commonName        = Brother 1
-1.commonName		= $ENV::CN2
-
-[ v3_ee ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ee_dsa ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature
-
-[ v3_ee_ec ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyAgreement
-
diff --git a/test/ca-and-certs.cnf b/test/ca-and-certs.cnf
new file mode 100644
index 0000000000..598db2b6a0
--- /dev/null
+++ b/test/ca-and-certs.cnf
@@ -0,0 +1,90 @@
+
+CN2 = Brother 2
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name
+encrypt_rsa_key		= no
+default_md		= sha1
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_value		= AU
+organizationName		= Organization Name (eg, company)
+organizationName_value		= Dodgy Brothers
+commonName			= Common Name (eg, YOUR name)
+commonName_value		= Dodgy CA
+
+####################################################################
+[ userreq ]
+default_bits		= 2048
+default_keyfile 	= keySS.pem
+distinguished_name	= user_dn
+encrypt_rsa_key		= no
+default_md		= sha256
+prompt			= no
+
+[ user_dn ]
+countryName		= AU
+organizationName	= Dodgy Brothers
+0.commonName		= Brother 1
+1.commonName		= $ENV::CN2
+
+[ v3_ee ]
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+basicConstraints 	= CA:false
+keyUsage		= nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ee_dsa ]
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid:always
+basicConstraints	= CA:false
+keyUsage		= nonRepudiation, digitalSignature
+
+[ v3_ee_ec ]
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid:always
+basicConstraints	= CA:false
+keyUsage		= nonRepudiation, digitalSignature, keyAgreement
+
+####################################################################
+[ ca ]
+default_ca	= CA_default
+
+[ CA_default ]
+dir		= ./demoCA
+certs		= $dir/certs
+crl_dir		= $dir/crl
+database	= $dir/index.txt
+new_certs_dir	= $dir/newcerts
+certificate	= $dir/cacert.pem
+serial		= $dir/serial
+crl		= $dir/crl.pem
+private_key	= $dir/private/cakey.pem
+x509_extensions	= v3_ca
+name_opt 	= ca_default
+cert_opt 	= ca_default
+default_days	= 365
+default_crl_days= 30
+default_md	= sha1
+preserve	= no
+policy		= policy_anything
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ v3_ca ]
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid:always,issuer:always
+basicConstraints 	= critical,CA:true,pathlen:1
+keyUsage		= cRLSign, keyCertSign
+issuerAltName		= issuer:copy
diff --git a/test/proxy.cnf b/test/proxy.cnf
new file mode 100644
index 0000000000..e6b60542bb
--- /dev/null
+++ b/test/proxy.cnf
@@ -0,0 +1,61 @@
+
+## Config file for proxy certificate testing.
+
+[ req ]
+default_bits		= 2048
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name_p1
+encrypt_rsa_key		= no
+default_md		= sha256
+
+[ req_distinguished_name_p1 ]
+countryName			= Country Name (2 letter code)
+countryName_value		= AU
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+0.commonName			= Common Name (eg, YOUR name)
+0.commonName_value		= Brother 1
+1.commonName			= Common Name (eg, YOUR name)
+1.commonName_value		= Brother 2
+2.commonName			= Common Name (eg, YOUR name)
+2.commonName_value		= Proxy 1
+
+[ proxy ]
+basicConstraints	= CA:FALSE
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+proxyCertInfo	= critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+
+####################################################################
+
+[ proxy2_req ]
+default_bits		= 2048
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name_p2
+encrypt_rsa_key		= no
+default_md		= sha256
+
+[ req_distinguished_name_p2 ]
+countryName			= Country Name (2 letter code)
+countryName_value		= AU
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+0.commonName			= Common Name (eg, YOUR name)
+0.commonName_value		= Brother 1
+1.commonName			= Common Name (eg, YOUR name)
+1.commonName_value		= Brother 2
+2.commonName			= Common Name (eg, YOUR name)
+2.commonName_value		= Proxy 1
+3.commonName			= Common Name (eg, YOUR name)
+3.commonName_value		= Proxy 2
+
+[ proxy_2 ]
+basicConstraints	= CA:FALSE
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+proxyCertInfo		= critical, at proxy_ext
+
+[ proxy_ext ]
+language	= id-ppl-anyLanguage
+pathlen		= 0
+policy		= text:BC
diff --git a/test/recipes/25-test_verify_store.t b/test/recipes/25-test_verify_store.t
index c8c57a7b2b..2afb8cb56f 100644
--- a/test/recipes/25-test_verify_store.t
+++ b/test/recipes/25-test_verify_store.t
@@ -18,34 +18,31 @@ plan tests => 10;
 
 my $dummycnf = srctop_file("apps", "openssl.cnf");
 
+my $cnf = srctop_file("test", "ca-and-certs.cnf");
 my $CAkey = "keyCA.ss";
 my $CAcert="certCA.ss";
 my $CAserial="certCA.srl";
 my $CAreq="reqCA.ss";
-my $CAconf=srctop_file("test","CAss.cnf");
 my $CAreq2="req2CA.ss";	# temp
-
-my $Uconf=srctop_file("test","Uss.cnf");
 my $Ukey="keyU.ss";
 my $Ureq="reqU.ss";
 my $Ucert="certU.ss";
 
 SKIP: {
     req( 'make cert request',
-         qw(-new),
-         -config       => $CAconf,
+         qw(-new -section userreq),
+         -config       => $cnf,
          -out          => $CAreq,
          -keyout       => $CAkey );
 
     skip 'failure', 8 unless
         x509( 'convert request into self-signed cert',
-              qw(-req -CAcreateserial),
+              qw(-req -CAcreateserial -days 30),
+              qw(-extensions v3_ca),
               -in       => $CAreq,
               -out      => $CAcert,
               -signkey  => $CAkey,
-              -days     => 30,
-              -extfile  => $CAconf,
-              -extensions => 'v3_ca' );
+              -extfile  => $cnf );
 
     skip 'failure', 7 unless
         x509( 'convert cert into a cert request',
@@ -56,13 +53,13 @@ SKIP: {
 
     skip 'failure', 6 unless
         req( 'verify request 1',
-             qw(-verify -noout),
+             qw(-verify -noout -section userreq),
              -config    => $dummycnf,
              -in        => $CAreq );
 
     skip 'failure', 5 unless
         req( 'verify request 2',
-             qw(-verify -noout),
+             qw(-verify -noout -section userreq),
              -config    => $dummycnf,
              -in        => $CAreq2 );
 
@@ -73,29 +70,27 @@ SKIP: {
 
     skip 'failure', 3 unless
         req( 'make a user cert request',
-             qw(-new),
-             -config  => $Uconf,
+             qw(-new -section userreq),
+             -config  => $cnf,
              -out     => $Ureq,
              -keyout  => $Ukey );
 
     skip 'failure', 2 unless
         x509( 'sign user cert request',
-              qw(-req -CAcreateserial),
+              qw(-req -CAcreateserial -days 30 -extensions v3_ee),
               -in     => $Ureq,
               -out    => $Ucert,
               -CA     => $CAcert,
               -CAkey  => $CAkey,
               -CAserial => $CAserial,
-              -days   => 30,
-              -extfile => $Uconf,
-              -extensions => 'v3_ee' )
+              -extfile => $cnf )
         && verify( undef,
                    -CAstore => $CAcert,
                    $Ucert );
 
     skip 'failure', 0 unless
         x509( 'Certificate details',
-              qw( -subject -issuer -startdate -enddate -noout),
+              qw(-subject -issuer -startdate -enddate -noout),
               -in     => $Ucert );
 }
 
diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t
index 3d4dfcd060..bbb0af7577 100644
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -18,26 +18,29 @@ use OpenSSL::Test::Utils;
 setup("test_ca");
 
 $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
-my $std_openssl_cnf =
-    srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf");
+
+my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';;
+my $std_openssl_cnf = '"'
+    . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
+    . '"';
 
 rmtree("demoCA", { safe => 0 });
 
 plan tests => 6;
  SKIP: {
-     $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
+     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
      skip "failed creating CA structure", 4
 	 if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
 		'creating CA structure');
 
-     $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
+     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
      skip "failed creating new certificate request", 3
 	 if !ok(run(perlapp(["CA.pl","-newreq",
-                             "-extra-req","-outform DER"])),
+                             '-extra-req', '-outform DER -section userreq'])),
 		'creating certificate request');
-     $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config "'.$std_openssl_cnf.'"';
+     $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
      skip "failed to sign certificate request", 2
-	 if !is(yes(cmdstr(perlapp(["CA.pl", "-sign", "-extra-ca"]))), 0,
+	 if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
 		'signing certificate request');
 
      ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
@@ -46,8 +49,8 @@ plan tests => 6;
      skip "CT not configured, can't use -precert", 1
          if disabled("ct");
 
-     $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
-     ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)),
+     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
+     ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)),
         'creating new pre-certificate');
 }
 
@@ -56,7 +59,7 @@ SKIP: {
 	      if disabled("sm2");
 
     is(yes(cmdstr(app(["openssl", "ca", "-config",
-                       srctop_file("test", "CAss.cnf"),
+                       $cnf,
                        "-in", srctop_file("test", "certs", "sm2-csr.pem"),
                        "-out", "sm2-test.crt",
                        "-sigopt", "distid:1234567812345678",
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index e01137d593..85f71614c4 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -44,33 +44,27 @@ my @verifycmd = ("openssl", "verify");
 my @genpkeycmd = ("openssl", "genpkey");
 my $dummycnf = srctop_file("apps", "openssl.cnf");
 
+my $cnf = srctop_file("test", "ca-and-certs.cnf");
 my $CAkey = "keyCA.ss";
 my $CAcert="certCA.ss";
 my $CAserial="certCA.srl";
 my $CAreq="reqCA.ss";
-my $CAconf=srctop_file("test","CAss.cnf");
 my $CAreq2="req2CA.ss";	# temp
-
-my $Uconf=srctop_file("test","Uss.cnf");
 my $Ukey="keyU.ss";
 my $Ureq="reqU.ss";
 my $Ucert="certU.ss";
-
 my $Dkey="keyD.ss";
 my $Dreq="reqD.ss";
 my $Dcert="certD.ss";
-
 my $Ekey="keyE.ss";
 my $Ereq="reqE.ss";
 my $Ecert="certE.ss";
 
-my $P1conf=srctop_file("test","P1ss.cnf");
+my $proxycnf=srctop_file("test", "proxy.cnf");
 my $P1key="keyP1.ss";
 my $P1req="reqP1.ss";
 my $P1cert="certP1.ss";
 my $P1intermediate="tmp_intP1.ss";
-
-my $P2conf=srctop_file("test","P2ss.cnf");
 my $P2key="keyP2.ss";
 my $P2req="reqP2.ss";
 my $P2cert="certP2.ss";
@@ -133,7 +127,7 @@ sub testss {
 
   SKIP: {
       skip 'failure', 16 unless
-	  ok(run(app([@reqcmd, "-config", $CAconf,
+	  ok(run(app([@reqcmd, "-config", $cnf,
 		      "-out", $CAreq, "-keyout", $CAkey,
 		      @req_new])),
 	     'make cert request');
@@ -141,7 +135,7 @@ sub testss {
       skip 'failure', 15 unless
 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
 		      "-req", "-out", $CAcert, "-signkey", $CAkey,
-		      "-extfile", $CAconf, "-extensions", "v3_ca"],
+		      "-extfile", $cnf, "-extensions", "v3_ca"],
 		     stdout => "err.ss")),
 	     'convert request into self-signed cert');
 
@@ -167,7 +161,7 @@ sub testss {
 	     'verify signature');
 
       skip 'failure', 10 unless
-	  ok(run(app([@reqcmd, "-config", $Uconf,
+	  ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq",
 		      "-out", $Ureq, "-keyout", $Ukey, @req_new],
 		     stdout => "err.ss")),
 	     'make a user cert request');
@@ -176,7 +170,7 @@ sub testss {
 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
 		      "-req", "-out", $Ucert,
 		      "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
-		      "-extfile", $Uconf, "-extensions", "v3_ee"],
+		      "-extfile", $cnf, "-extensions", "v3_ee"],
 		     stdout => "err.ss"))
 	     && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
 	     'sign user cert request');
@@ -202,7 +196,8 @@ sub testss {
                                stdout => "err.ss")),
                        "make a DSA key");
                 skip 'failure', 3 unless
-                    ok(run(app([@reqcmd, "-new", "-config", $Uconf,
+                    ok(run(app([@reqcmd, "-new", "-config", $cnf,
+                                "-section", "userreq",
                                 "-out", $Dreq, "-key", $Dkey],
                                stdout => "err.ss")),
                        "make a DSA user cert request");
@@ -214,7 +209,7 @@ sub testss {
                                 "-out", $Dcert,
                                 "-CA", $CAcert, "-CAkey", $CAkey,
                                 "-CAserial", $CAserial,
-                                "-extfile", $Uconf,
+                                "-extfile", $cnf,
                                 "-extensions", "v3_ee_dsa"],
                                stdout => "err.ss")),
                        "sign DSA user cert request");
@@ -247,7 +242,8 @@ sub testss {
                                 "-out", "ecp.ss"])),
                        "make EC parameters");
                 skip 'failure', 3 unless
-                    ok(run(app([@reqcmd, "-config", $Uconf,
+                    ok(run(app([@reqcmd, "-config", $cnf,
+                                "-section", "userreq",
                                 "-out", $Ereq, "-keyout", $Ekey,
                                 "-newkey", "ec:ecp.ss"],
                                stdout => "err.ss")),
@@ -260,7 +256,7 @@ sub testss {
                                 "-out", $Ecert,
                                 "-CA", $CAcert, "-CAkey", $CAkey,
                                 "-CAserial", $CAserial,
-                                "-extfile", $Uconf,
+                                "-extfile", $cnf,
                                 "-extensions", "v3_ee_ec"],
                                stdout => "err.ss")),
                        "sign ECDSA/ECDH user cert request");
@@ -277,7 +273,7 @@ sub testss {
       };
 
       skip 'failure', 5 unless
-	  ok(run(app([@reqcmd, "-config", $P1conf,
+	  ok(run(app([@reqcmd, "-config", $proxycnf,
 		      "-out", $P1req, "-keyout", $P1key, @req_new],
 		     stdout => "err.ss")),
 	     'make a proxy cert request');
@@ -287,7 +283,7 @@ sub testss {
 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
 		      "-req", "-out", $P1cert,
 		      "-CA", $Ucert, "-CAkey", $Ukey,
-		      "-extfile", $P1conf, "-extensions", "v3_proxy"],
+		      "-extfile", $proxycnf, "-extensions", "proxy"],
 		     stdout => "err.ss")),
 	     'sign proxy with user cert');
 
@@ -300,7 +296,7 @@ sub testss {
 	 'Certificate details');
 
       skip 'failure', 2 unless
-	  ok(run(app([@reqcmd, "-config", $P2conf,
+	  ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req",
 		      "-out", $P2req, "-keyout", $P2key,
 		      @req_new],
 		     stdout => "err.ss")),
@@ -311,7 +307,7 @@ sub testss {
 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
 		      "-req", "-out", $P2cert,
 		      "-CA", $P1cert, "-CAkey", $P1key,
-		      "-extfile", $P2conf, "-extensions", "v3_proxy"],
+		      "-extfile", $proxycnf, "-extensions", "proxy_2"],
 		     stdout => "err.ss")),
 	     'sign second proxy cert request with the first proxy cert');
 
diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t
index 3e2e69f439..337bbb10c9 100644
--- a/test/recipes/90-test_store.t
+++ b/test/recipes/90-test_store.t
@@ -16,6 +16,7 @@ my $test_name = "test_store";
 setup($test_name);
 
 my $mingw = config('target') =~ m|^mingw|;
+my $cnf = srctop_file("test", "ca-and-certs.cnf");
 
 my @noexist_files =
     ( "test/blahdiblah.pem",
@@ -295,7 +296,7 @@ sub init {
                       }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
             # *-cert.pem (intermediary for the .p12 inits)
             && run(app(["openssl", "req", "-x509",
-                        "-config", data_file("ca.cnf"), "-nodes",
+                        "-config", $cnf, "-nodes",
                         "-out", "cacert.pem", "-keyout", "cakey.pem"]))
             && runall(sub {
                           my $srckey = shift;
@@ -303,7 +304,7 @@ sub init {
                           (my $csr = $dstfile) =~ s|\.pem|.csr|;
 
                           (run(app(["openssl", "req", "-new",
-                                    "-config", data_file("user.cnf"),
+                                    "-config", $cnf,
                                     "-key", $srckey, "-out", $csr]))
                            &&
                            run(app(["openssl", "x509", "-days", "3650",


More information about the openssl-commits mailing list