[openssl] master update

dev at ddvo.net dev at ddvo.net
Mon Jun 8 03:40:19 UTC 2020


The branch master has been updated
       via  71273ab57a27e0e6a1d4356891a2eb8e2298f458 (commit)
       via  49f84002d07a0fef5f673aff4c3a4be475563b27 (commit)
       via  c29ba6a92ea9c2c9616e044c1dd0efedafa0aeef (commit)
       via  4ca015555b97f00101c5f7274e99302ffe2db500 (commit)
       via  9f5ff440b8baffae14a851af95443a7cadb24bcd (commit)
      from  c4683009ad6e8d64e80112fd689921f6c169bd20 (commit)


- Log -----------------------------------------------------------------
commit 71273ab57a27e0e6a1d4356891a2eb8e2298f458
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue May 5 14:04:30 2020 +0200

    Fix 90-test_store.t for latest config, limits, providers, and disabled algos
    
    Also make sure that the tests do not 'pass' if their initialization fails.
    Leave out the expensive parts of DSA key gen and RSA keygen for efficiency.
    Fix use of the new CA configuration file test/ca-and-certs.cnf.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11733)

commit 49f84002d07a0fef5f673aff4c3a4be475563b27
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed May 6 13:08:45 2020 +0200

    Fix documentation of OSSL_STORE
    
    Among others, make clear that OSSL_STORE_close() meanwhile does nothing on NULL.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11733)

commit c29ba6a92ea9c2c9616e044c1dd0efedafa0aeef
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue May 5 11:31:05 2020 +0200

    Fix mem leaks and allow missing pkey and/or cert in try_decode_PKCS12()
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11733)

commit 4ca015555b97f00101c5f7274e99302ffe2db500
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue May 5 14:18:46 2020 +0200

    Add chain to PKCS#12 test file generation in 90-test_store.t
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11733)

commit 9f5ff440b8baffae14a851af95443a7cadb24bcd
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue May 5 11:24:49 2020 +0200

    Fix code layout in crypto/store/loader_file.c satisfying check-format.pl -l
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11733)

-----------------------------------------------------------------------

Summary of changes:
 crypto/store/loader_file.c                         | 83 ++++++++++++----------
 doc/man3/OSSL_STORE_INFO.pod                       | 29 ++++----
 doc/man3/OSSL_STORE_open.pod                       | 31 ++++----
 test/recipes/90-test_store.t                       | 83 ++++++++++++++--------
 test/recipes/90-test_store_data/ca.cnf             | 56 ---------------
 .../dsaparam.pem                                   |  0
 test/recipes/90-test_store_data/rsa-key-2432.pem   | 32 +++++++++
 test/recipes/90-test_store_data/user.cnf           | 19 -----
 8 files changed, 160 insertions(+), 173 deletions(-)
 delete mode 100644 test/recipes/90-test_store_data/ca.cnf
 copy test/recipes/{04-test_pem_data => 90-test_store_data}/dsaparam.pem (100%)
 create mode 100644 test/recipes/90-test_store_data/rsa-key-2432.pem
 delete mode 100644 test/recipes/90-test_store_data/user.cnf

diff --git a/crypto/store/loader_file.c b/crypto/store/loader_file.c
index 6b5cebc835..ed74e55834 100644
--- a/crypto/store/loader_file.c
+++ b/crypto/store/loader_file.c
@@ -36,7 +36,7 @@
 DEFINE_STACK_OF(X509)
 
 #ifdef _WIN32
-# define stat    _stat
+# define stat _stat
 #endif
 
 #ifndef S_ISDIR
@@ -219,7 +219,6 @@ static OSSL_STORE_INFO *try_decode_PKCS12(const char *pem_name,
     if (ctx == NULL) {
         /* Initial parsing */
         PKCS12 *p12;
-        int ok = 0;
 
         if (pem_name != NULL)
             /* No match, there is no PEM PKCS12 tag */
@@ -256,37 +255,46 @@ static OSSL_STORE_INFO *try_decode_PKCS12(const char *pem_name,
                 OSSL_STORE_INFO *osi_pkey = NULL;
                 OSSL_STORE_INFO *osi_cert = NULL;
                 OSSL_STORE_INFO *osi_ca = NULL;
-
-                if ((ctx = sk_OSSL_STORE_INFO_new_null()) != NULL
-                    && (osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
-                    && sk_OSSL_STORE_INFO_push(ctx, osi_pkey) != 0
-                    && (osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
-                    && sk_OSSL_STORE_INFO_push(ctx, osi_cert) != 0) {
-                    ok = 1;
-                    osi_pkey = NULL;
-                    osi_cert = NULL;
-
-                    while(sk_X509_num(chain) > 0) {
+                int ok = 1;
+
+                if ((ctx = sk_OSSL_STORE_INFO_new_null()) != NULL) {
+                    if (pkey != NULL) {
+                        if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
+                            /* clearing pkey here avoids case distinctions */
+                            && (pkey = NULL) == NULL
+                            && sk_OSSL_STORE_INFO_push(ctx, osi_pkey) != 0)
+                            osi_pkey = NULL;
+                        else
+                            ok = 0;
+                    }
+                    if (ok && cert != NULL) {
+                        if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
+                            /* clearing cert here avoids case distinctions */
+                            && (cert = NULL) == NULL
+                            && sk_OSSL_STORE_INFO_push(ctx, osi_cert) != 0)
+                            osi_cert = NULL;
+                        else
+                            ok = 0;
+                    }
+                    while (ok && sk_X509_num(chain) > 0) {
                         X509 *ca = sk_X509_value(chain, 0);
 
-                        if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) == NULL
-                            || sk_OSSL_STORE_INFO_push(ctx, osi_ca) == 0) {
+                        if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
+                            && sk_X509_shift(chain) != NULL
+                            && sk_OSSL_STORE_INFO_push(ctx, osi_ca) != 0)
+                            osi_ca = NULL;
+                        else
                             ok = 0;
-                            break;
-                        }
-                        osi_ca = NULL;
-                        (void)sk_X509_shift(chain);
                     }
                 }
-                sk_X509_free(chain);
+                EVP_PKEY_free(pkey);
+                X509_free(cert);
+                sk_X509_pop_free(chain, X509_free);
+                OSSL_STORE_INFO_free(osi_pkey);
+                OSSL_STORE_INFO_free(osi_cert);
+                OSSL_STORE_INFO_free(osi_ca);
                 if (!ok) {
-                    OSSL_STORE_INFO_free(osi_ca);
-                    OSSL_STORE_INFO_free(osi_cert);
-                    OSSL_STORE_INFO_free(osi_pkey);
                     sk_OSSL_STORE_INFO_pop_free(ctx, OSSL_STORE_INFO_free);
-                    EVP_PKEY_free(pkey);
-                    X509_free(cert);
-                    sk_X509_pop_free(chain, X509_free);
                     ctx = NULL;
                 }
                 *pctx = ctx;
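Review bot: Now that pkey and cert may both be absent and the chain may be empty, a PKCS#12 containing none of them leaves `ctx` as an empty stack with `ok` still 1, so `*pctx = ctx` is stored, the `ctx == NULL` test in the next hunk does not return, and `sk_OSSL_STORE_INFO_shift(ctx)` yields NULL after `*matchcount = 1` has already been set; whether the caller then reports an error or silently treats the file as matched-but-empty is decided in loader code outside this diff. Rejecting the empty result here, inside the `ctx != NULL` block after the chain loop, with `if (ok && sk_OSSL_STORE_INFO_num(ctx) == 0) ok = 0;` would send it down the same pop_free/NULL path as the other failures (or raise a dedicated error if an empty container should be surfaced to the user). As a matter of style, the `(pkey = NULL) == NULL` and `(cert = NULL) == NULL` conjuncts bury the ownership hand-over inside a condition; an else branch that first clears `pkey` (now owned by `osi_pkey`) and then pushes reads the same without the trick. try_decode_PKCS12 starts before and ends after this hunk.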
@@ -294,15 +302,12 @@ static OSSL_STORE_INFO *try_decode_PKCS12(const char *pem_name,
         }
      p12_end:
         PKCS12_free(p12);
-        if (!ok)
+        if (ctx == NULL)
             return NULL;
     }
 
-    if (ctx != NULL) {
-        *matchcount = 1;
-        store_info = sk_OSSL_STORE_INFO_shift(ctx);
-    }
-
+    *matchcount = 1;
+    store_info = sk_OSSL_STORE_INFO_shift(ctx);
     return store_info;
 }
 
@@ -326,7 +331,7 @@ static FILE_HANDLER PKCS12_handler = {
     try_decode_PKCS12,
     eof_PKCS12,
     destroy_ctx_PKCS12,
-    1                            /* repeatable */
+    1 /* repeatable */
 };
 
 /*
@@ -772,7 +777,7 @@ struct ossl_store_loader_ctx_st {
 #define FILE_FLAG_ATTACHED       (1<<1)
     unsigned int flags;
     union {
-        struct {                 /* Used with is_raw and is_pem */
+        struct { /* Used with is_raw and is_pem */
             BIO *file;
 
             /*
@@ -782,7 +787,7 @@ struct ossl_store_loader_ctx_st {
             const FILE_HANDLER *last_handler;
             void *last_handler_ctx;
         } file;
-        struct {                 /* Used with is_dir */
+        struct { /* Used with is_dir */
             OPENSSL_DIR_CTX *ctx;
             int end_reached;
 
@@ -1316,10 +1321,10 @@ static int ends_with_dirsep(const char *uri)
 {
     if (*uri != '\0')
         uri += strlen(uri) - 1;
-#if defined __VMS
+#if defined(__VMS)
     if (*uri == ']' || *uri == '>' || *uri == ':')
         return 1;
-#elif defined _WIN32
+#elif defined(_WIN32)
     if (*uri == '\\')
         return 1;
 #endif
@@ -1394,7 +1399,7 @@ static int file_name_check(OSSL_STORE_LOADER_CTX *ctx, const char *name)
     while (ossl_isdigit(*p))
         p++;
 
-# ifdef __VMS
+#ifdef __VMS
     /*
      * One extra step here, check for a possible generation number.
      */
@@ -1402,7 +1407,7 @@ static int file_name_check(OSSL_STORE_LOADER_CTX *ctx, const char *name)
         for (p++; *p != '\0'; p++)
             if (!ossl_isdigit(*p))
                 break;
-# endif
+#endif
 
     /*
      * If we've reached the end of the string at this point, we've successfully
diff --git a/doc/man3/OSSL_STORE_INFO.pod b/doc/man3/OSSL_STORE_INFO.pod
index bf69474977..095a4028b0 100644
--- a/doc/man3/OSSL_STORE_INFO.pod
+++ b/doc/man3/OSSL_STORE_INFO.pod
@@ -54,25 +54,24 @@ loaders to create B<OSSL_STORE_INFO> holders.
 =head2 Types
 
 B<OSSL_STORE_INFO> is an opaque type that's just an intermediary holder for
-the objects that have been retrieved by OSSL_STORE_load() and similar
-functions.
+the objects that have been retrieved by OSSL_STORE_load() and similar functions.
 Supported OpenSSL type object can be extracted using one of
-STORE_INFO_get0_TYPE().
+STORE_INFO_get0_<TYPE>() where <TYPE> can be NAME, PARAMS, PKEY, CERT, or CRL.
 The life time of this extracted object is as long as the life time of
 the B<OSSL_STORE_INFO> it was extracted from, so care should be taken not
 to free the latter too early.
-As an alternative, STORE_INFO_get1_TYPE() extracts a duplicate (or the
+As an alternative, STORE_INFO_get1_<TYPE>() extracts a duplicate (or the
 same object with its reference count increased), which can be used
 after the containing B<OSSL_STORE_INFO> has been freed.
-The object returned by STORE_INFO_get1_TYPE() must be freed separately
+The object returned by STORE_INFO_get1_<TYPE>() must be freed separately
 by the caller.
-See L</SUPPORTED OBJECTS> for more information on the types that are
-supported.
+See L</SUPPORTED OBJECTS> for more information on the types that are supported.
 
 =head2 Functions
 
 OSSL_STORE_INFO_get_type() takes a B<OSSL_STORE_INFO> and returns the STORE
 type number for the object inside.
+
 STORE_INFO_get_type_string() takes a STORE type number and returns a
 short string describing it.
 
@@ -94,6 +93,8 @@ OSSL_STORE_INFO_new_NAME() , OSSL_STORE_INFO_new_PARAMS(),
 OSSL_STORE_INFO_new_PKEY(), OSSL_STORE_INFO_new_CERT() and
 OSSL_STORE_INFO_new_CRL() create a B<OSSL_STORE_INFO>
 object to hold the given input object.
+On success the input object is consumed.
+
 Additionally, for B<OSSL_STORE_INFO_NAME>` objects,
 OSSL_STORE_INFO_set0_NAME_description() can be used to add an extra
 description.
@@ -162,9 +163,9 @@ OSSL_STORE_INFO_get0_PARAMS(), OSSL_STORE_INFO_get0_PKEY(),
 OSSL_STORE_INFO_get0_CERT() and OSSL_STORE_INFO_get0_CRL() all return
 a pointer to the OpenSSL object on success, NULL otherwise.
 
-OSSL_STORE_INFO_get0_NAME(), OSSL_STORE_INFO_get0_NAME_description(),
-OSSL_STORE_INFO_get0_PARAMS(), OSSL_STORE_INFO_get0_PKEY(),
-OSSL_STORE_INFO_get0_CERT() and OSSL_STORE_INFO_get0_CRL() all return
+OSSL_STORE_INFO_get1_NAME(), OSSL_STORE_INFO_get1_NAME_description(),
+OSSL_STORE_INFO_get1_PARAMS(), OSSL_STORE_INFO_get1_PKEY(),
+OSSL_STORE_INFO_get1_CERT() and OSSL_STORE_INFO_get1_CRL() all return
 a pointer to a duplicate of the OpenSSL object on success, NULL otherwise.
 
 OSSL_STORE_INFO_type_string() returns a string on success, or B<NULL> on
@@ -184,13 +185,7 @@ L<ossl_store(7)>, L<OSSL_STORE_open(3)>, L<OSSL_STORE_register_loader(3)>
 
 =head1 HISTORY
 
-OSSL_STORE_INFO(), OSSL_STORE_INFO_get_type(), OSSL_STORE_INFO_get0_NAME(),
-OSSL_STORE_INFO_get0_PARAMS(), OSSL_STORE_INFO_get0_PKEY(),
-OSSL_STORE_INFO_get0_CERT(), OSSL_STORE_INFO_get0_CRL(),
-OSSL_STORE_INFO_type_string(), OSSL_STORE_INFO_free(), OSSL_STORE_INFO_new_NAME(),
-OSSL_STORE_INFO_new_PARAMS(), OSSL_STORE_INFO_new_PKEY(),
-OSSL_STORE_INFO_new_CERT() and OSSL_STORE_INFO_new_CRL()
-were added in OpenSSL 1.1.1.
+The OSSL_STORE API was added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod
index be61ad5b73..6d4ae01809 100644
--- a/doc/man3/OSSL_STORE_open.pod
+++ b/doc/man3/OSSL_STORE_open.pod
@@ -46,21 +46,22 @@ OSSL_STORE_close() to work together.
 
 =head2 Functions
 
-OSSL_STORE_open() takes a uri or path B<uri>, password UI method
-B<ui_method> with associated data B<ui_data>, and post processing
-callback B<post_process> with associated data B<post_process_data>,
+OSSL_STORE_open() takes a uri or path I<uri>, password UI method
+I<ui_method> with associated data I<ui_data>, and post processing
+callback I<post_process> with associated data I<post_process_data>,
 opens a channel to the data located at that URI and returns a
 B<OSSL_STORE_CTX> with all necessary internal information.
-The given B<ui_method> and B<ui_data_data> will be reused by all
-functions that use B<OSSL_STORE_CTX> when interaction is needed.
-The given B<post_process> and B<post_process_data> will be reused by
+The given I<ui_method> and I<ui_data> will be reused by all
+functions that use B<OSSL_STORE_CTX> when interaction is needed,
+for instance to provide a password.
+The given I<post_process> and I<post_process_data> will be reused by
 OSSL_STORE_load() to manipulate or drop the value to be returned.
-The B<post_process> function drops values by returning B<NULL>, which
+The I<post_process> function drops values by returning NULL, which
 will cause OSSL_STORE_load() to start its process over with loading
-the next object, until B<post_process> returns something other than
-B<NULL>, or the end of data is reached as indicated by OSSL_STORE_eof().
+the next object, until I<post_process> returns something other than
+NULL, or the end of data is reached as indicated by OSSL_STORE_eof().
 
-OSSL_STORE_ctrl() takes a B<OSSL_STORE_CTX>, and command number B<cmd> and
+OSSL_STORE_ctrl() takes a B<OSSL_STORE_CTX>, and command number I<cmd> and
 more arguments not specified here.
 The available loader specific command numbers and arguments they each
 take depends on the loader that's used and is documented together with
@@ -94,6 +95,7 @@ OSSL_STORE_eof() shows that the end of data has been reached.
 OSSL_STORE_close() takes a B<OSSL_STORE_CTX>, closes the channel that was opened
 by OSSL_STORE_open() and frees all other information that was stored in the
 B<OSSL_STORE_CTX>, as well as the B<OSSL_STORE_CTX> itself.
+If I<ctx> is NULL it does nothing.
 
 =head1 SUPPORTED SCHEMES
 
@@ -123,12 +125,12 @@ See L<passphrase-encoding(7)> for further information.
 =head1 RETURN VALUES
 
 OSSL_STORE_open() returns a pointer to a B<OSSL_STORE_CTX> on success, or
-B<NULL> on failure.
+NULL on failure.
 
 OSSL_STORE_load() returns a pointer to a B<OSSL_STORE_INFO> on success, or
-B<NULL> on error or when end of data is reached.
+NULL on error or when end of data is reached.
 Use OSSL_STORE_error() and OSSL_STORE_eof() to determine the meaning of a
-returned B<NULL>.
+returned NULL.
 
 OSSL_STORE_eof() returns 1 if the end of data has been reached, otherwise
 0.
@@ -149,6 +151,9 @@ OSSL_STORE_CTX(), OSSL_STORE_post_process_info_fn(), OSSL_STORE_open(),
 OSSL_STORE_ctrl(), OSSL_STORE_load(), OSSL_STORE_eof() and OSSL_STORE_close()
 were added in OpenSSL 1.1.1.
 
+Handling of NULL I<ctx> argument for OSSL_STORE_close()
+was introduced in OpenSSL 1.1.1h.
+
 =head1 COPYRIGHT
 
 Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t
index 9fd0acf762..9f4eaa2961 100644
--- a/test/recipes/90-test_store.t
+++ b/test/recipes/90-test_store.t
@@ -16,7 +16,11 @@ my $test_name = "test_store";
 setup($test_name);
 
 my $mingw = config('target') =~ m|^mingw|;
-my $cnf = srctop_file("test", "ca-and-certs.cnf");
+
+my $use_md5 = !disabled("md5");
+my $use_des = !disabled("des"); # also affects 3des and pkcs12 app
+my $use_dsa = !disabled("dsa");
+my $use_ecc = !disabled("ec");
 
 my @noexist_files =
     ( "test/blahdiblah.pem",
@@ -41,25 +45,35 @@ my @generated_files =
      "rsa-key-pkcs1.pem", "rsa-key-pkcs1.der",
      "rsa-key-pkcs1-aes128.pem",
      "rsa-key-pkcs8.pem", "rsa-key-pkcs8.der",
-     "rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der",
      "rsa-key-pkcs8-pbes2-sha1.pem", "rsa-key-pkcs8-pbes2-sha1.der",
+     "rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der",
+    );
+push(@generated_files, (
+     "rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der",
+    )) if $use_des;
+push(@generated_files, (
      "rsa-key-sha1-3des-sha1.p12", "rsa-key-sha1-3des-sha256.p12",
      "rsa-key-aes256-cbc-sha256.p12",
      "rsa-key-md5-des-sha1.p12",
-     "rsa-key-aes256-cbc-md5-des-sha256.p12",
-     "rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der",
-     "rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der",
+     "rsa-key-aes256-cbc-md5-des-sha256.p12"
+     )) if $use_des;
+push(@generated_files, (
+     "rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der"
+     )) if $use_md5 && $use_des;
+push(@generated_files, (
      "dsa-key-pkcs1.pem", "dsa-key-pkcs1.der",
      "dsa-key-pkcs1-aes128.pem",
      "dsa-key-pkcs8.pem", "dsa-key-pkcs8.der",
      "dsa-key-pkcs8-pbes2-sha1.pem", "dsa-key-pkcs8-pbes2-sha1.der",
-     "dsa-key-aes256-cbc-sha256.p12",
+     )) if $use_dsa;
+push(@generated_files, "dsa-key-aes256-cbc-sha256.p12") if $use_dsa && $use_des;
+push(@generated_files, (
      "ec-key-pkcs1.pem", "ec-key-pkcs1.der",
      "ec-key-pkcs1-aes128.pem",
      "ec-key-pkcs8.pem", "ec-key-pkcs8.der",
      "ec-key-pkcs8-pbes2-sha1.pem", "ec-key-pkcs8-pbes2-sha1.der",
-     "ec-key-aes256-cbc-sha256.p12",
-    );
+     )) if $use_ecc;
+push(@generated_files, "ec-key-aes256-cbc-sha256.p12") if $use_ecc && $use_des;
 my %generated_file_files =
     $^O eq 'linux'
     ? ( "test/testx509.pem" => "file:testx509.pem",
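Review bot: The `.p12` files whose names carry `md5-des` (`rsa-key-md5-des-sha1.p12` and `rsa-key-aes256-cbc-md5-des-sha256.p12`) are pushed under `$use_des` alone, whereas the PKCS#8 files with the same `md5-des` PBE a few lines below are gated on `$use_md5 && $use_des`; if the name reflects the PBE used to generate them (the PBE table lives in init(), outside this hunk), a build with md5 disabled will list files that init() cannot produce and the recipe will fail rather than skip. Splitting that push so the two md5 entries are gated like the pkcs8 ones keeps the list consistent with the `$use_md5` flag introduced in the first hunk.
```perl
push(@generated_files, (
     "rsa-key-sha1-3des-sha1.p12", "rsa-key-sha1-3des-sha256.p12",
     "rsa-key-aes256-cbc-sha256.p12"
     )) if $use_des;
push(@generated_files, (
     "rsa-key-md5-des-sha1.p12", "rsa-key-aes256-cbc-md5-des-sha256.p12"
     )) if $use_md5 && $use_des;
# … unchanged: the pkcs8 md5-des, dsa and ec pushes …
```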
@@ -85,7 +99,7 @@ plan tests => $n;
 indir "store_$$" => sub {
  SKIP:
     {
-        skip "failed initialisation", $n unless init();
+        init() or die "init failed";
 
         my $rehash = init_rehash();
 
@@ -220,28 +234,35 @@ indir "store_$$" => sub {
 }, create => 1, cleanup => 1;
 
 sub init {
+    my $cnf = srctop_file('test', 'ca-and-certs.cnf');
+    my $cakey = srctop_file('test', 'certs', 'ca-key.pem');
     return (
             # rsa-key-pkcs1.pem
-            run(app(["openssl", "genrsa",
-                     "-out", "rsa-key-pkcs1.pem", "2432"]))
-            # dsa-key-pkcs1.pem
-            && run(app(["openssl", "dsaparam", "-genkey",
-                        "-out", "dsa-key-pkcs1.pem", "1024"]))
-            # ec-key-pkcs1.pem (one might think that 'genec' would be practical)
-            && run(app(["openssl", "ecparam", "-genkey", "-name", "prime256v1",
-                        "-out", "ec-key-pkcs1.pem"]))
+            run(app(["openssl", "pkey",
+                     "-in", data_file("rsa-key-2432.pem"),
+                     "-out", "rsa-key-pkcs1.pem"]))
             # rsa-key-pkcs1-aes128.pem
             && run(app(["openssl", "rsa", "-passout", "pass:password", "-aes128",
                         "-in", "rsa-key-pkcs1.pem",
                         "-out", "rsa-key-pkcs1-aes128.pem"]))
+            # dsa-key-pkcs1.pem
+            && (!$use_dsa || run(app(["openssl", "gendsa",
+                                      "-out", "dsa-key-pkcs1.pem",
+                                      data_file("dsaparam.pem")])))
             # dsa-key-pkcs1-aes128.pem
-            && run(app(["openssl", "dsa", "-passout", "pass:password", "-aes128",
-                        "-in", "dsa-key-pkcs1.pem",
-                        "-out", "dsa-key-pkcs1-aes128.pem"]))
+            && (!$use_dsa || run(app(["openssl", "dsa",
+                                      "-passout", "pass:password", "-aes128",
+                                      "-in", "dsa-key-pkcs1.pem",
+                                      "-out", "dsa-key-pkcs1-aes128.pem"])))
+            # ec-key-pkcs1.pem (one might think that 'genec' would be practical)
+            && (!$use_ecc || run(app(["openssl", "ecparam", "-genkey",
+                                      "-name", "prime256v1",
+                                      "-out", "ec-key-pkcs1.pem"])))
             # ec-key-pkcs1-aes128.pem
-            && run(app(["openssl", "ec", "-passout", "pass:password", "-aes128",
-                        "-in", "ec-key-pkcs1.pem",
-                        "-out", "ec-key-pkcs1-aes128.pem"]))
+            && (!$use_ecc || run(app(["openssl", "ec",
+                                      "-passout", "pass:password", "-aes128",
+                                      "-in", "ec-key-pkcs1.pem",
+                                      "-out", "ec-key-pkcs1-aes128.pem"])))
             # *-key-pkcs8.pem
             && runall(sub {
                           my $dstfile = shift;
@@ -297,19 +318,19 @@ sub init {
             # *-cert.pem (intermediary for the .p12 inits)
             && run(app(["openssl", "req", "-x509",
                         "-config", $cnf, "-nodes",
-                        "-out", "cacert.pem", "-keyout", "cakey.pem"]))
+                        "-key", $cakey, "-out", "cacert.pem"]))
             && runall(sub {
                           my $srckey = shift;
                           (my $dstfile = $srckey) =~ s|-key-pkcs8\.|-cert.|;
                           (my $csr = $dstfile) =~ s|\.pem|.csr|;
 
                           (run(app(["openssl", "req", "-new",
-                                    "-config", $cnf,
+                                    "-config", $cnf, "-section", "userreq",
                                     "-key", $srckey, "-out", $csr]))
                            &&
                            run(app(["openssl", "x509", "-days", "3650",
                                     "-CA", "cacert.pem",
-                                    "-CAkey", "cakey.pem",
+                                    "-CAkey", $cakey,
                                     "-set_serial", time(), "-req",
                                     "-in", $csr, "-out", $dstfile])));
                       }, grep(/-key-pkcs8\.pem$/, @generated_files))
@@ -350,17 +371,21 @@ sub init {
                           my $macalg = $macalgs{$macalg_index};
                           if (!defined($certpbe) || !defined($keypbe)
                               || !defined($macalg)) {
-                              print STDERR "Cert PBE for $pbe_index not defined\n"
+                              print STDERR "Cert PBE for $certpbe_index not defined\n"
                                   unless defined $certpbe;
-                              print STDERR "Key PBE for $pbe_index not defined\n"
+                              print STDERR "Key PBE for $keypbe_index not defined\n"
                                   unless defined $keypbe;
                               print STDERR "MACALG for $macalg_index not defined\n"
                                   unless defined $macalg;
                               print STDERR "(destination file was $dstfile)\n";
                               return 0;
                           }
-                          run(app(["openssl", "pkcs12", "-inkey", $srckey,
+                          run(app(["openssl", "pkcs12",
+                                   "-provider", "default",
+                                   "-provider", "legacy",
+                                   "-inkey", $srckey,
                                    "-in", $srccert, "-passout", "pass:password",
+                                   "-chain", "-CAfile", "cacert.pem",
                                    "-export", "-macalg", $macalg,
                                    "-certpbe", $certpbe, "-keypbe", $keypbe,
                                    "-out", $dstfile]));
diff --git a/test/recipes/90-test_store_data/ca.cnf b/test/recipes/90-test_store_data/ca.cnf
deleted file mode 100644
index bda6eec4b0..0000000000
--- a/test/recipes/90-test_store_data/ca.cnf
+++ /dev/null
@@ -1,56 +0,0 @@
-####################################################################
-[ req ]
-default_bits		= 2432
-default_keyfile 	= cakey.pem
-default_md	        = sha256
-distinguished_name	= req_DN
-string_mask             = utf8only
-x509_extensions         = v3_selfsign
-
-[ req_DN ]
-commonName                      = "Common Name"
-commonName_value              = "CA"
-
-[ v3_selfsign ]
-basicConstraints = critical,CA:true
-keyUsage = keyCertSign
-subjectKeyIdentifier=hash
-
-####################################################################
-[ ca ]
-default_ca      = CA_default            # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir             = ./demoCA
-certificate	= ./demoCA/cacert.pem
-serial		= ./demoCA/serial
-private_key	= ./demoCA/private/cakey.pem
-new_certs_dir   = ./demoCA/newcerts
-
-certificate     = cacert.pem
-private_key     = cakey.pem
-
-x509_extensions = v3_user
-
-name_opt        = ca_default            # Subject Name options
-cert_opt        = ca_default            # Certificate field options
-
-policy          = policy_anything
-
-[ policy_anything ]
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ v3_user ]
-basicConstraints=critical,CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-
diff --git a/test/recipes/04-test_pem_data/dsaparam.pem b/test/recipes/90-test_store_data/dsaparam.pem
similarity index 100%
copy from test/recipes/04-test_pem_data/dsaparam.pem
copy to test/recipes/90-test_store_data/dsaparam.pem
diff --git a/test/recipes/90-test_store_data/rsa-key-2432.pem b/test/recipes/90-test_store_data/rsa-key-2432.pem
new file mode 100644
index 0000000000..b5e37f4b8a
--- /dev/null
+++ b/test/recipes/90-test_store_data/rsa-key-2432.pem
@@ -0,0 +1,32 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/test/recipes/90-test_store_data/user.cnf b/test/recipes/90-test_store_data/user.cnf
deleted file mode 100644
index 91f796947a..0000000000
--- a/test/recipes/90-test_store_data/user.cnf
+++ /dev/null
@@ -1,19 +0,0 @@
-####################################################################
-[ req ]
-default_bits            = 2432
-default_md	        = sha256
-distinguished_name	= req_DN
-string_mask = utf8only
-
-req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_DN ]
-commonName                      = "Common Name"
-commonName_value              = "A user"
-userId = "User ID"
-userId_value = "test"
-
-[ v3_req ]
-extendedKeyUsage = clientAuth
-subjectKeyIdentifier = hash
-basicConstraints = CA:false

