[openssl] master update
tmraz at fedoraproject.org
tmraz at fedoraproject.org
Wed Jun 3 07:57:40 UTC 2020
The branch master has been updated
via 2b584ff372b2b25bb6801172bbeb90074b26f88c (commit)
via 4e6e57cfcdd75b827ff7171927d87e95b5b86ae8 (commit)
from 5c01a133ecafc5ffa4ae55effd32f4f1fb642293 (commit)
- Log -----------------------------------------------------------------
commit 2b584ff372b2b25bb6801172bbeb90074b26f88c
Author: Rich Salz <rsalz at akamai.com>
Date: Mon Apr 27 12:57:01 2020 -0400
Update manpage to fix examples, other minor tweaks
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
commit 4e6e57cfcdd75b827ff7171927d87e95b5b86ae8
Author: Rich Salz <rsalz at akamai.com>
Date: Wed Mar 4 14:08:31 2020 -0500
Cleanup cert config files for tests
Merge test/P[12]ss.cnf into one config file
Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf
Remove Netscape cert extensions, add keyUsage comment from some cnf files
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
-----------------------------------------------------------------------
Summary of changes:
apps/openssl-vms.cnf | 53 ----------------------
apps/openssl.cnf | 53 ----------------------
demos/certs/apps/apps.cnf | 6 ---
demos/certs/ca.cnf | 6 ---
doc/man7/proxy-certificates.pod | 36 +++++++--------
test/CAss.cnf | 69 ----------------------------
test/P1ss.cnf | 31 -------------
test/P2ss.cnf | 39 ----------------
test/Uss.cnf | 36 ---------------
test/ca-and-certs.cnf | 90 +++++++++++++++++++++++++++++++++++++
test/proxy.cnf | 61 +++++++++++++++++++++++++
test/recipes/25-test_verify_store.t | 31 ++++++-------
test/recipes/80-test_ca.t | 23 +++++-----
test/recipes/80-test_ssl_old.t | 36 +++++++--------
test/recipes/90-test_store.t | 5 ++-
15 files changed, 213 insertions(+), 362 deletions(-)
delete mode 100644 test/CAss.cnf
delete mode 100644 test/P1ss.cnf
delete mode 100644 test/P2ss.cnf
delete mode 100644 test/Uss.cnf
create mode 100644 test/ca-and-certs.cnf
create mode 100644 test/proxy.cnf
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index c7e7abe994..2420e9c9f5 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -171,27 +171,9 @@ unstructuredName = An optional company name
basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
@@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details
# issuerAltName=issuer:copy
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
@@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
# left out by default.
# keyUsage = cRLSign, keyCertSign
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
@@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
@@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details
# issuerAltName=issuer:copy
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 52706ae166..4fd5286d2e 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -171,27 +171,9 @@ unstructuredName = An optional company name
basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
@@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details
# issuerAltName=issuer:copy
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
@@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
# left out by default.
# keyUsage = cRLSign, keyCertSign
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
@@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
@@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details
# issuerAltName=issuer:copy
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index bd762b7ddc..07a3d10b55 100644
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -35,9 +35,6 @@ commonName = $ENV::CN
basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
[ ec_cert ]
# These extensions are added when 'ca' signs a request for an end entity
@@ -46,9 +43,6 @@ nsComment = "OpenSSL Generated Certificate"
basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
index c75a71a6aa..2fbf20490b 100644
--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -35,9 +35,6 @@ commonName = $ENV::CN
basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
@@ -47,9 +44,6 @@ authorityKeyIdentifier=keyid
basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
diff --git a/doc/man7/proxy-certificates.pod b/doc/man7/proxy-certificates.pod
index df5ee1b4b5..eab28b5658 100644
--- a/doc/man7/proxy-certificates.pod
+++ b/doc/man7/proxy-certificates.pod
@@ -57,24 +57,22 @@ See L</NOTES> for a discussion on this requirement.
Creating proxy certificates can be done using the L<openssl-x509(1)>
command, with some extra extensions:
- [ v3_proxy ]
+ [ proxy ]
# A proxy certificate MUST NEVER be a CA certificate.
- basicConstraints=CA:FALSE
-
+ basicConstraints = CA:FALSE
# Usual authority key ID
- authorityKeyIdentifier=keyid,issuer:always
-
+ authorityKeyIdentifier = keyid,issuer:always
# The extension which marks this certificate as a proxy
- proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+ proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
It's also possible to specify the proxy extension in a separate section:
- proxyCertInfo=critical, at proxy_ext
+ proxyCertInfo = critical, at proxy_ext
[ proxy_ext ]
- language=id-ppl-anyLanguage
- pathlen=0
- policy=text:BC
+ language = id-ppl-anyLanguage
+ pathlen = 0
+ policy = text:BC
The policy value has a specific syntax, I<syntag>:I<string>, where the
I<syntag> determines what will be done with the string. The following
@@ -99,12 +97,12 @@ colons between each byte (every second hex digit):
indicates that the text of the policy should be taken from a file.
The string is then a filename. This is useful for policies that are
-large (more than a few lines, e.g. XML documents).
+more than a few lines, such as XML or other markup.
=back
-I<NOTE: The proxy policy value is what determines the rights granted
-to the process during the proxy certificate. It's up to the
+Note that the proxy policy value is what determines the rights granted
+to the process during the proxy certificate, and it is up to the
application to interpret and combine these policies.>
With a proxy extension, creating a proxy certificate is a matter of
@@ -112,23 +110,23 @@ two commands:
openssl req -new -config proxy.cnf \
-out proxy.req -keyout proxy.key \
- -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1"
+ -subj "/DC=org/DC=openssl/DC=users/CN=proxy"
openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \
-CA user.crt -CAkey user.key -days 7 \
- -extfile proxy.cnf -extensions v3_proxy1
+ -extfile proxy.cnf -extensions proxy
You can also create a proxy certificate using another proxy
-certificate as issuer (note: using a different configuration
-section for the proxy extensions):
+certificate as issuer. Note that this example uses a different
+configuration section for the proxy extensions:
openssl req -new -config proxy.cnf \
-out proxy2.req -keyout proxy2.key \
- -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2"
+ -subj "/DC=org/DC=openssl/DC=users/CN=proxy/CN=proxy 2"
openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \
-CA proxy.crt -CAkey proxy.key -days 7 \
- -extfile proxy.cnf -extensions v3_proxy2
+ -extfile proxy.cnf -extensions proxy_2
=head2 Using proxy certs in applications
diff --git a/test/CAss.cnf b/test/CAss.cnf
deleted file mode 100644
index d63f85628b..0000000000
--- a/test/CAss.cnf
+++ /dev/null
@@ -1,69 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = keySS.pem
-distinguished_name = req_distinguished_name
-encrypt_rsa_key = no
-default_md = sha1
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
-countryName_value = AU
-
-organizationName = Organization Name (eg, company)
-organizationName_value = Dodgy Brothers
-
-commonName = Common Name (eg, YOUR name)
-commonName_value = Dodgy CA
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = ./demoCA # Where everything is kept
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-#unique_subject = no # Set to 'no' to allow creation of
- # several certificates with same subject.
-new_certs_dir = $dir/newcerts # default place for new certs.
-
-certificate = $dir/cacert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/private/cakey.pem# The private key
-
-x509_extensions = v3_ca # The extensions to add to the cert
-
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = md5 # which md to use.
-preserve = no # keep passed DN ordering
-
-policy = policy_anything
-
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-
-
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = critical,CA:true,pathlen:1
-keyUsage = cRLSign, keyCertSign
-issuerAltName=issuer:copy
diff --git a/test/P1ss.cnf b/test/P1ss.cnf
deleted file mode 100644
index 69baaaf849..0000000000
--- a/test/P1ss.cnf
+++ /dev/null
@@ -1,31 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = keySS.pem
-distinguished_name = req_distinguished_name
-encrypt_rsa_key = no
-default_md = sha256
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
-countryName_value = AU
-
-organizationName = Organization Name (eg, company)
-organizationName_value = Dodgy Brothers
-
-0.commonName = Common Name (eg, YOUR name)
-0.commonName_value = Brother 1
-
-1.commonName = Common Name (eg, YOUR name)
-1.commonName_value = Brother 2
-
-2.commonName = Common Name (eg, YOUR name)
-2.commonName_value = Proxy 1
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/test/P2ss.cnf b/test/P2ss.cnf
deleted file mode 100644
index 8d4f3c8a68..0000000000
--- a/test/P2ss.cnf
+++ /dev/null
@@ -1,39 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = keySS.pem
-distinguished_name = req_distinguished_name
-encrypt_rsa_key = no
-default_md = sha256
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
-countryName_value = AU
-
-organizationName = Organization Name (eg, company)
-organizationName_value = Dodgy Brothers
-
-0.commonName = Common Name (eg, YOUR name)
-0.commonName_value = Brother 1
-
-1.commonName = Common Name (eg, YOUR name)
-1.commonName_value = Brother 2
-
-2.commonName = Common Name (eg, YOUR name)
-2.commonName_value = Proxy 1
-
-3.commonName = Common Name (eg, YOUR name)
-3.commonName_value = Proxy 2
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical, at proxy_ext
-
-[ proxy_ext ]
-language=id-ppl-anyLanguage
-pathlen=0
-policy=text:BC
diff --git a/test/Uss.cnf b/test/Uss.cnf
deleted file mode 100644
index 95ffb67deb..0000000000
--- a/test/Uss.cnf
+++ /dev/null
@@ -1,36 +0,0 @@
-
-CN2 = Brother 2
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = keySS.pem
-distinguished_name = req_distinguished_name
-encrypt_rsa_key = no
-default_md = sha256
-prompt = no
-
-[ req_distinguished_name ]
-countryName = AU
-organizationName = Dodgy Brothers
-0.commonName = Brother 1
-1.commonName = $ENV::CN2
-
-[ v3_ee ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ee_dsa ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature
-
-[ v3_ee_ec ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyAgreement
-
diff --git a/test/ca-and-certs.cnf b/test/ca-and-certs.cnf
new file mode 100644
index 0000000000..598db2b6a0
--- /dev/null
+++ b/test/ca-and-certs.cnf
@@ -0,0 +1,90 @@
+
+CN2 = Brother 2
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha1
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_value = AU
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+commonName = Common Name (eg, YOUR name)
+commonName_value = Dodgy CA
+
+####################################################################
+[ userreq ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = user_dn
+encrypt_rsa_key = no
+default_md = sha256
+prompt = no
+
+[ user_dn ]
+countryName = AU
+organizationName = Dodgy Brothers
+0.commonName = Brother 1
+1.commonName = $ENV::CN2
+
+[ v3_ee ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ee_dsa ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature
+
+[ v3_ee_ec ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyAgreement
+
+####################################################################
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = ./demoCA
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+x509_extensions = v3_ca
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days= 30
+default_md = sha1
+preserve = no
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName = issuer:copy
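Review bot: `default_md = sha1` is set twice in the new file, in `[ req ]` and in `CA_default`, while the merged `userreq` section uses sha256, so the self-signed test CA and everything issued through `openssl ca` with this config is SHA-1-signed. CAss.cnf had md5 for the CA default, so this is already a step up, but unless a recipe depends on a SHA-1 signature, `default_md = sha256` in both places keeps the fixtures usable under stricter verification settings (a higher `-auth_level`, for instance), which may reject SHA-1 signatures. If SHA-1 is deliberate for some test, a one-line comment above each setting such as `# sha1 kept on purpose: <RECIPE-PLACEHOLDER> exercises legacy-digest handling` would stop the next cleanup from changing it.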
diff --git a/test/proxy.cnf b/test/proxy.cnf
new file mode 100644
index 0000000000..e6b60542bb
--- /dev/null
+++ b/test/proxy.cnf
@@ -0,0 +1,61 @@
+
+## Config file for proxy certificate testing.
+
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name_p1
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name_p1 ]
+countryName = Country Name (2 letter code)
+countryName_value = AU
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+[ proxy ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+
+####################################################################
+
+[ proxy2_req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name_p2
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name_p2 ]
+countryName = Country Name (2 letter code)
+countryName_value = AU
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+3.commonName = Common Name (eg, YOUR name)
+3.commonName_value = Proxy 2
+
+[ proxy_2 ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+proxyCertInfo = critical, at proxy_ext
+
+[ proxy_ext ]
+language = id-ppl-anyLanguage
+pathlen = 0
+policy = text:BC
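Review bot: In `[ proxy_2 ]` the value `proxyCertInfo = critical, at proxy_ext` has to name the sub-section as `@proxy_ext` for the extension parser to read `language`, `pathlen` and `policy` from `[ proxy_ext ]`; the ` at ` seen here is most likely the mail archive's rendering of `@` (the author addresses above are rewritten the same way), so this only needs confirming against the committed file, since a malformed value would make the second proxy signing step fail. The header comment could also say which recipe selects which section, e.g. `## [req]/[proxy] build the first proxy; [proxy2_req]/[proxy_2] build the proxy-of-a-proxy (80-test_ssl_old.t)`, because `proxy2_req` is only reachable through `-section` and that is not obvious from the file alone.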
diff --git a/test/recipes/25-test_verify_store.t b/test/recipes/25-test_verify_store.t
index c8c57a7b2b..2afb8cb56f 100644
--- a/test/recipes/25-test_verify_store.t
+++ b/test/recipes/25-test_verify_store.t
@@ -18,34 +18,31 @@ plan tests => 10;
my $dummycnf = srctop_file("apps", "openssl.cnf");
+my $cnf = srctop_file("test", "ca-and-certs.cnf");
my $CAkey = "keyCA.ss";
my $CAcert="certCA.ss";
my $CAserial="certCA.srl";
my $CAreq="reqCA.ss";
-my $CAconf=srctop_file("test","CAss.cnf");
my $CAreq2="req2CA.ss"; # temp
-
-my $Uconf=srctop_file("test","Uss.cnf");
my $Ukey="keyU.ss";
my $Ureq="reqU.ss";
my $Ucert="certU.ss";
SKIP: {
req( 'make cert request',
- qw(-new),
- -config => $CAconf,
+ qw(-new -section userreq),
+ -config => $cnf,
-out => $CAreq,
-keyout => $CAkey );
skip 'failure', 8 unless
x509( 'convert request into self-signed cert',
- qw(-req -CAcreateserial),
+ qw(-req -CAcreateserial -days 30),
+ qw(-extensions v3_ca),
-in => $CAreq,
-out => $CAcert,
-signkey => $CAkey,
- -days => 30,
- -extfile => $CAconf,
- -extensions => 'v3_ca' );
+ -extfile => $cnf );
skip 'failure', 7 unless
x509( 'convert cert into a cert request',
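Review bot: The CA request in this hunk is now built with `-section userreq`, which takes the DN from `user_dn` (`CN=Brother 1`, `CN=Brother 2`) instead of the `CN=Dodgy CA` that CAss.cnf's `[ req ]` section produced, so the CA certificate and the user certificate requested later in this file end up with identical subjects. The equivalent call in 80-test_ssl_old.t uses the default `[ req ]` section of ca-and-certs.cnf, which carries the same `_value` entries as the old file and so should still run without prompting. Unless identical subjects are intended, dropping the section here, i.e. `qw(-new)`, keeps the CA and end-entity DNs distinct so the later verify step is not matching a leaf against its own subject name. The enclosing SKIP block continues past this hunk.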
@@ -56,13 +53,13 @@ SKIP: {
skip 'failure', 6 unless
req( 'verify request 1',
- qw(-verify -noout),
+ qw(-verify -noout -section userreq),
-config => $dummycnf,
-in => $CAreq );
skip 'failure', 5 unless
req( 'verify request 2',
- qw(-verify -noout),
+ qw(-verify -noout -section userreq),
-config => $dummycnf,
-in => $CAreq2 );
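Review bot: Both `verify request` calls now pass `-section userreq` together with `-config => $dummycnf`, which is apps/openssl.cnf; nothing in this commit adds a `userreq` section to that file, so as far as I can tell the option names a section that does not exist and `openssl req -verify -noout` simply ignores it. The flag is then misleading to the next reader, who will assume the verification depends on it; either drop it from these two calls (`qw(-verify -noout)`) or point them at `$cnf` if the intent was to verify against the new config. The SKIP block this sits in starts and ends outside the hunk.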
@@ -73,29 +70,27 @@ SKIP: {
skip 'failure', 3 unless
req( 'make a user cert request',
- qw(-new),
- -config => $Uconf,
+ qw(-new -section userreq),
+ -config => $cnf,
-out => $Ureq,
-keyout => $Ukey );
skip 'failure', 2 unless
x509( 'sign user cert request',
- qw(-req -CAcreateserial),
+ qw(-req -CAcreateserial -days 30 -extensions v3_ee),
-in => $Ureq,
-out => $Ucert,
-CA => $CAcert,
-CAkey => $CAkey,
-CAserial => $CAserial,
- -days => 30,
- -extfile => $Uconf,
- -extensions => 'v3_ee' )
+ -extfile => $cnf )
&& verify( undef,
-CAstore => $CAcert,
$Ucert );
skip 'failure', 0 unless
x509( 'Certificate details',
- qw( -subject -issuer -startdate -enddate -noout),
+ qw(-subject -issuer -startdate -enddate -noout),
-in => $Ucert );
}
diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t
index 3d4dfcd060..bbb0af7577 100644
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -18,26 +18,29 @@ use OpenSSL::Test::Utils;
setup("test_ca");
$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
-my $std_openssl_cnf =
- srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf");
+
+my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';;
+my $std_openssl_cnf = '"'
+ . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
+ . '"';
rmtree("demoCA", { safe => 0 });
plan tests => 6;
SKIP: {
- $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
+ $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
skip "failed creating CA structure", 4
if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
'creating CA structure');
- $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
+ $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
skip "failed creating new certificate request", 3
if !ok(run(perlapp(["CA.pl","-newreq",
- "-extra-req","-outform DER"])),
+ '-extra-req', '-outform DER -section userreq'])),
'creating certificate request');
- $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config "'.$std_openssl_cnf.'"';
+ $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
skip "failed to sign certificate request", 2
- if !is(yes(cmdstr(perlapp(["CA.pl", "-sign", "-extra-ca"]))), 0,
+ if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
'signing certificate request');
ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
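Review bot: `$cnf` as defined on the `my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';;` line carries literal double quotes, which is right for splicing into `$ENV{OPENSSL_CONFIG}` (CA.pl interpolates that into a command string), but the third hunk of this file passes the same `$cnf` as a list element to `app(["openssl", "ca", "-config", $cnf, ...])`, where the old code passed a bare path. Depending on how OpenSSL::Test quotes list arguments on a given platform — this file already special-cases VMS — the quote characters may reach `openssl ca` as part of the filename. Keeping the path and the quoted form separate avoids that: `my $cnf_path = srctop_file("test", "ca-and-certs.cnf");` and `my $cnf = '"' . $cnf_path . '"';`, with `$cnf_path` used in the `openssl ca` call. The same line also ends with a doubled `;;`, and the concatenation spacing differs between `'-config ' . $cnf` and `'-config '.$std_openssl_cnf`.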
@@ -46,8 +49,8 @@ plan tests => 6;
skip "CT not configured, can't use -precert", 1
if disabled("ct");
- $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
- ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)),
+ $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
+ ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)),
'creating new pre-certificate');
}
@@ -56,7 +59,7 @@ SKIP: {
if disabled("sm2");
is(yes(cmdstr(app(["openssl", "ca", "-config",
- srctop_file("test", "CAss.cnf"),
+ $cnf,
"-in", srctop_file("test", "certs", "sm2-csr.pem"),
"-out", "sm2-test.crt",
"-sigopt", "distid:1234567812345678",
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index e01137d593..85f71614c4 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -44,33 +44,27 @@ my @verifycmd = ("openssl", "verify");
my @genpkeycmd = ("openssl", "genpkey");
my $dummycnf = srctop_file("apps", "openssl.cnf");
+my $cnf = srctop_file("test", "ca-and-certs.cnf");
my $CAkey = "keyCA.ss";
my $CAcert="certCA.ss";
my $CAserial="certCA.srl";
my $CAreq="reqCA.ss";
-my $CAconf=srctop_file("test","CAss.cnf");
my $CAreq2="req2CA.ss"; # temp
-
-my $Uconf=srctop_file("test","Uss.cnf");
my $Ukey="keyU.ss";
my $Ureq="reqU.ss";
my $Ucert="certU.ss";
-
my $Dkey="keyD.ss";
my $Dreq="reqD.ss";
my $Dcert="certD.ss";
-
my $Ekey="keyE.ss";
my $Ereq="reqE.ss";
my $Ecert="certE.ss";
-my $P1conf=srctop_file("test","P1ss.cnf");
+my $proxycnf=srctop_file("test", "proxy.cnf");
my $P1key="keyP1.ss";
my $P1req="reqP1.ss";
my $P1cert="certP1.ss";
my $P1intermediate="tmp_intP1.ss";
-
-my $P2conf=srctop_file("test","P2ss.cnf");
my $P2key="keyP2.ss";
my $P2req="reqP2.ss";
my $P2cert="certP2.ss";
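Review bot: The new `my $proxycnf=srctop_file("test", "proxy.cnf");` line drops the spaces around `=` that the other declaration this commit adds, `my $cnf = srctop_file("test", "ca-and-certs.cnf");`, uses a few lines earlier, so the two new lines do not match each other. `my $proxycnf = srctop_file("test", "proxy.cnf");` keeps them consistent; the older `$CAkey`/`$CAcert` lines have the same inconsistency, but those are untouched here.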
@@ -133,7 +127,7 @@ sub testss {
SKIP: {
skip 'failure', 16 unless
- ok(run(app([@reqcmd, "-config", $CAconf,
+ ok(run(app([@reqcmd, "-config", $cnf,
"-out", $CAreq, "-keyout", $CAkey,
@req_new])),
'make cert request');
@@ -141,7 +135,7 @@ sub testss {
skip 'failure', 15 unless
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
"-req", "-out", $CAcert, "-signkey", $CAkey,
- "-extfile", $CAconf, "-extensions", "v3_ca"],
+ "-extfile", $cnf, "-extensions", "v3_ca"],
stdout => "err.ss")),
'convert request into self-signed cert');
@@ -167,7 +161,7 @@ sub testss {
'verify signature');
skip 'failure', 10 unless
- ok(run(app([@reqcmd, "-config", $Uconf,
+ ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq",
"-out", $Ureq, "-keyout", $Ukey, @req_new],
stdout => "err.ss")),
'make a user cert request');
@@ -176,7 +170,7 @@ sub testss {
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
"-req", "-out", $Ucert,
"-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
- "-extfile", $Uconf, "-extensions", "v3_ee"],
+ "-extfile", $cnf, "-extensions", "v3_ee"],
stdout => "err.ss"))
&& run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
'sign user cert request');
@@ -202,7 +196,8 @@ sub testss {
stdout => "err.ss")),
"make a DSA key");
skip 'failure', 3 unless
- ok(run(app([@reqcmd, "-new", "-config", $Uconf,
+ ok(run(app([@reqcmd, "-new", "-config", $cnf,
+ "-section", "userreq",
"-out", $Dreq, "-key", $Dkey],
stdout => "err.ss")),
"make a DSA user cert request");
@@ -214,7 +209,7 @@ sub testss {
"-out", $Dcert,
"-CA", $CAcert, "-CAkey", $CAkey,
"-CAserial", $CAserial,
- "-extfile", $Uconf,
+ "-extfile", $cnf,
"-extensions", "v3_ee_dsa"],
stdout => "err.ss")),
"sign DSA user cert request");
@@ -247,7 +242,8 @@ sub testss {
"-out", "ecp.ss"])),
"make EC parameters");
skip 'failure', 3 unless
- ok(run(app([@reqcmd, "-config", $Uconf,
+ ok(run(app([@reqcmd, "-config", $cnf,
+ "-section", "userreq",
"-out", $Ereq, "-keyout", $Ekey,
"-newkey", "ec:ecp.ss"],
stdout => "err.ss")),
@@ -260,7 +256,7 @@ sub testss {
"-out", $Ecert,
"-CA", $CAcert, "-CAkey", $CAkey,
"-CAserial", $CAserial,
- "-extfile", $Uconf,
+ "-extfile", $cnf,
"-extensions", "v3_ee_ec"],
stdout => "err.ss")),
"sign ECDSA/ECDH user cert request");
@@ -277,7 +273,7 @@ sub testss {
};
skip 'failure', 5 unless
- ok(run(app([@reqcmd, "-config", $P1conf,
+ ok(run(app([@reqcmd, "-config", $proxycnf,
"-out", $P1req, "-keyout", $P1key, @req_new],
stdout => "err.ss")),
'make a proxy cert request');
@@ -287,7 +283,7 @@ sub testss {
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
"-req", "-out", $P1cert,
"-CA", $Ucert, "-CAkey", $Ukey,
- "-extfile", $P1conf, "-extensions", "v3_proxy"],
+ "-extfile", $proxycnf, "-extensions", "proxy"],
stdout => "err.ss")),
'sign proxy with user cert');
@@ -300,7 +296,7 @@ sub testss {
'Certificate details');
skip 'failure', 2 unless
- ok(run(app([@reqcmd, "-config", $P2conf,
+ ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req",
"-out", $P2req, "-keyout", $P2key,
@req_new],
stdout => "err.ss")),
@@ -311,7 +307,7 @@ sub testss {
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
"-req", "-out", $P2cert,
"-CA", $P1cert, "-CAkey", $P1key,
- "-extfile", $P2conf, "-extensions", "v3_proxy"],
+ "-extfile", $proxycnf, "-extensions", "proxy_2"],
stdout => "err.ss")),
'sign second proxy cert request with the first proxy cert');
diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t
index 3e2e69f439..337bbb10c9 100644
--- a/test/recipes/90-test_store.t
+++ b/test/recipes/90-test_store.t
@@ -16,6 +16,7 @@ my $test_name = "test_store";
setup($test_name);
my $mingw = config('target') =~ m|^mingw|;
+my $cnf = srctop_file("test", "ca-and-certs.cnf");
my @noexist_files =
( "test/blahdiblah.pem",
@@ -295,7 +296,7 @@ sub init {
}, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
# *-cert.pem (intermediary for the .p12 inits)
&& run(app(["openssl", "req", "-x509",
- "-config", data_file("ca.cnf"), "-nodes",
+ "-config", $cnf, "-nodes",
"-out", "cacert.pem", "-keyout", "cakey.pem"]))
&& runall(sub {
my $srckey = shift;
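Review bot: `-config $cnf` with no `-section` builds the CA from the default `[ req ]` section of ca-and-certs.cnf, whose DN is `CN=Dodgy CA`; the next hunk in this file generates the user CSRs from the same config and section, so every user certificate will carry the CA's own subject, where the previous `user.cnf` data file presumably gave them a distinct one. If the store tests do not rely on the subjects this is harmless, but `"-config", $cnf, "-section", "userreq",` on the CSR call — the section the other recipes in this commit use for end-entity requests — keeps issuer and subject distinguishable when inspecting the generated files. The `init` sub starts before this hunk and continues past it.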
@@ -303,7 +304,7 @@ sub init {
(my $csr = $dstfile) =~ s|\.pem|.csr|;
(run(app(["openssl", "req", "-new",
- "-config", data_file("user.cnf"),
+ "-config", $cnf,
"-key", $srckey, "-out", $csr]))
&&
run(app(["openssl", "x509", "-days", "3650",