[openssl] master update

dev at ddvo.net dev at ddvo.net
Thu May 27 09:06:57 UTC 2021


The branch master has been updated
       via  91f2b15f2ecd9dd92b6ed2563b10c1a126db2643 (commit)
       via  8b893c35da65c7b9a126c779caf42500e1297e7d (commit)
       via  54e8f7259bec08a6655a0693a315a75d9ce65e95 (commit)
      from  3257179b7a9a9430c5b54fe0321fdc6862f91345 (commit)


- Log -----------------------------------------------------------------
commit 91f2b15f2ecd9dd92b6ed2563b10c1a126db2643
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sat Dec 12 22:04:05 2020 +0100

    TEST: Prefer using precomputed RSA and DH keys for more efficient tests
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13715)

commit 8b893c35da65c7b9a126c779caf42500e1297e7d
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed May 26 09:22:48 2021 +0200

    APPS req: Extend the -keyout option to be respected also with -key
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13715)

commit 54e8f7259bec08a6655a0693a315a75d9ce65e95
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed May 26 09:08:14 2021 +0200

    DOC: Improve description of 'req' app: -new, -newkey, and -keyout options
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13715)

-----------------------------------------------------------------------

Summary of changes:
 apps/req.c                                    | 26 +++++++++++--------
 doc/man1/openssl-req.pod.in                   | 37 ++++++++++++++++-----------
 test/CAtsa.cnf                                |  1 -
 test/ca-and-certs.cnf                         |  4 ---
 test/certs/dhk2048.pem                        | 14 ++++++++++
 test/endecode_test.c                          | 34 ++++++++++++++----------
 test/endecoder_legacy_test.c                  | 31 +++++++++++++++++++++-
 test/evp_libctx_test.c                        |  5 ++--
 test/proxy.cnf                                |  4 ---
 test/recipes/04-test_encoder_decoder.t        |  5 +++-
 test/recipes/04-test_encoder_decoder_legacy.t |  6 +++--
 test/recipes/25-test_req.t                    |  2 ++
 test/recipes/25-test_verify_store.t           |  4 +++
 test/recipes/80-test_ca.t                     | 10 +++++---
 test/recipes/80-test_ssl_old.t                | 20 +++++++--------
 test/recipes/80-test_tsa.t                    |  7 +++--
 test/test.cnf                                 |  4 ---
 17 files changed, 141 insertions(+), 73 deletions(-)
 create mode 100644 test/certs/dhk2048.pem

diff --git a/apps/req.c b/apps/req.c
index 67cefa7e87..a9769b7452 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -142,10 +142,11 @@ const OPTIONS req_options[] = {
     {"key", OPT_KEY, 's', "Private key to use"},
     {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
     {"pubkey", OPT_PUBKEY, '-', "Output public key"},
-    {"keyout", OPT_KEYOUT, '>', "File to save newly created private key"},
+    {"keyout", OPT_KEYOUT, '>', "File to write private key to"},
     {"passin", OPT_PASSIN, 's', "Private key and certificate password source"},
     {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
-    {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
+    {"newkey", OPT_NEWKEY, 's',
+     "Generate new key with [<alg>:]<nbits> or <alg>[:<file>] or param:<file>"},
     {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
     {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
     {"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
@@ -675,17 +676,21 @@ int req_main(int argc, char **argv)
 
         EVP_PKEY_CTX_free(genctx);
         genctx = NULL;
+    }
+    if (keyout == NULL) {
+        keyout = NCONF_get_string(req_conf, section, KEYFILE);
+        if (keyout == NULL)
+            ERR_clear_error();
+    }
 
-        if (keyout == NULL) {
-            keyout = NCONF_get_string(req_conf, section, KEYFILE);
+    if (pkey != NULL && (keyfile == NULL || keyout != NULL)) {
+        if (verbose) {
+            BIO_printf(bio_err, "Writing private key to ");
             if (keyout == NULL)
-                ERR_clear_error();
+                BIO_printf(bio_err, "stdout\n");
+            else
+                BIO_printf(bio_err, "'%s'\n", keyout);
         }
-
-        if (keyout == NULL)
-            BIO_printf(bio_err, "Writing new private key to stdout\n");
-        else
-            BIO_printf(bio_err, "Writing new private key to '%s'\n", keyout);
         out = bio_open_owner(keyout, outformat, newreq);
         if (out == NULL)
             goto end;
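Review bot: The unchanged `out = bio_open_owner(keyout, outformat, newreq);` is now reachable with newreq == 0, because the new condition `if (pkey != NULL && (keyfile == NULL || keyout != NULL))` admits a key read via -key, and the third hunk of this file drops the `assert(newreq)` that previously guaranteed otherwise; if that last argument is the owner-only-permissions flag (its use for a freshly generated key suggests so), a key copied with -key and -keyout but without -new would be written with default file permissions, so it should read `out = bio_open_owner(keyout, outformat, 1);`. A second concern is that the config fallback `keyout = NCONF_get_string(req_conf, section, KEYFILE);` now also applies to a key supplied with -key, so a configuration carrying default_keyfile makes req write the supplied key (in the clear under -noenc) to that path, while the "Writing private key to" message is now printed only under -verbose. Printing that message unconditionally as before, or applying the config fallback only when keyfile == NULL, would keep such a copy visible to the user. req_main begins and ends outside this hunk.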
@@ -704,7 +709,6 @@ int req_main(int argc, char **argv)
 
         i = 0;
  loop:
-        assert(newreq);
         if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
                                       NULL, 0, NULL, passout)) {
             if ((ERR_GET_REASON(ERR_peek_error()) ==
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 32434852ed..7897610818 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -149,29 +149,33 @@ the user for the relevant field values. The actual fields
 prompted for and their maximum and minimum sizes are specified
 in the configuration file and any requested extensions.
 
-If the B<-key> option is not given it will generate a new RSA private key
+If the B<-key> option is not given it will generate a new private key
 using information specified in the configuration file or given with
-the B<-newkey> and B<-pkeyopt> options, else by default with 2048 bits length.
+the B<-newkey> and B<-pkeyopt> options,
+else by default an RSA key with 2048 bits length.
 
 =item B<-newkey> I<arg>
 
 This option creates a new certificate request and a new private
 key. The argument takes one of several forms.
 
-B<rsa:>I<nbits>, where
-I<nbits> is the number of bits, generates an RSA key I<nbits>
-in size. If I<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
-the default key size, specified in the configuration file is used.
+[B<rsa:>]I<nbits> generates an RSA key I<nbits> in size.
+If I<nbits> is omitted, i.e., B<-newkey> B<rsa> is specified,
+the default key size specified in the configuration file
+with the B<default_bits> option is used if present, else 2048.
 
-All other algorithms support the B<-newkey> I<alg>:I<file> form, where file
-may be an algorithm parameter file, created with C<openssl genpkey -genparam>
+All other algorithms support the B<-newkey> I<algname>:I<file> form, where
+I<file> is an algorithm parameter file, created with C<openssl genpkey -genparam>
 or an X.509 certificate for a key with appropriate algorithm.
 
 B<param:>I<file> generates a key using the parameter file or certificate
-I<file>, the algorithm is determined by the parameters. I<algname>:I<file>
-use algorithm I<algname> and parameter file I<file>: the two algorithms must
-match or an error occurs. I<algname> just uses algorithm I<algname>, and
-parameters, if necessary should be specified via B<-pkeyopt> parameter.
+I<file>, the algorithm is determined by the parameters.
+
+I<algname>[:I<file>] generates a key using the given algorithm I<algname>.
+If a parameter file I<file> is given then the parameters specified there
+are used, where the algorithm parameters must match I<algname>.
+If algorithm parameters are not given,
+any necessary parameters should be specified via the B<-pkeyopt> option.
 
 B<dsa:>I<filename> generates a DSA key using the parameters
 in the file I<filename>. B<ec:>I<filename> generates EC key (usable both with
@@ -200,9 +204,12 @@ See L<openssl-format-options(1)> for details.
 
 =item B<-keyout> I<filename>
 
-This gives the filename to write the newly created private key to.
-If this option is not specified then the filename present in the
-configuration file is used.
+This gives the filename to write any private key to that has been newly created
+or read from B<-key>.
+If the B<-keyout> option is not given the filename specified in the
+configuration file with the B<default_keyfile> option is used, if present.
+If a new key is generated and no filename is specified
+the key is written to standard output.
 
 =item B<-noenc>
 
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index e7ca8c5a1e..e232e7023e 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -48,7 +48,6 @@ emailAddress		= optional
 
 #----------------------------------------------------------------------
 [ req ]
-default_bits		= 2048
 default_md		= sha1
 distinguished_name	= $ENV::TSDNSECT
 encrypt_rsa_key		= no
diff --git a/test/ca-and-certs.cnf b/test/ca-and-certs.cnf
index 598db2b6a0..f6663924ae 100644
--- a/test/ca-and-certs.cnf
+++ b/test/ca-and-certs.cnf
@@ -3,8 +3,6 @@ CN2 = Brother 2
 
 ####################################################################
 [ req ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
 distinguished_name	= req_distinguished_name
 encrypt_rsa_key		= no
 default_md		= sha1
@@ -19,8 +17,6 @@ commonName_value		= Dodgy CA
 
 ####################################################################
 [ userreq ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
 distinguished_name	= user_dn
 encrypt_rsa_key		= no
 default_md		= sha256
diff --git a/test/certs/dhk2048.pem b/test/certs/dhk2048.pem
new file mode 100644
index 0000000000..1e1cef4b8c
--- /dev/null
+++ b/test/certs/dhk2048.pem
@@ -0,0 +1,14 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 9d0ebeb7e7..f851f73ffd 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -88,6 +88,7 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
 }
 #endif
 
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)
 static EVP_PKEY *make_key(const char *type, EVP_PKEY *template,
                           OSSL_PARAM *genparams)
 {
@@ -109,6 +110,7 @@ static EVP_PKEY *make_key(const char *type, EVP_PKEY *template,
     EVP_PKEY_CTX_free(ctx);
     return pkey;
 }
+#endif
 
 /* Main test driver */
 
@@ -1182,6 +1184,9 @@ static int create_ec_explicit_trinomial_params(OSSL_PARAM_BLD *bld)
 # endif /* OPENSSL_NO_EC2M */
 #endif /* OPENSSL_NO_EC */
 
+#define USAGE "rsa-key.pem rsa-pss-key.pem\n"
+OPT_TEST_DECLARE_USAGE(USAGE)
+
 int setup_tests(void)
 {
 # ifndef OPENSSL_NO_RC4
@@ -1207,12 +1212,14 @@ int setup_tests(void)
     };
 #endif
 
-    /* 7 is the default magic number */
-    static unsigned int rsapss_min_saltlen = 7;
-    OSSL_PARAM RSA_PSS_params[] = {
-        OSSL_PARAM_uint("saltlen", &rsapss_min_saltlen),
-        OSSL_PARAM_END
-    };
+    if (!test_skip_common_options()) {
+        TEST_error("Error parsing test options\n");
+        return 0;
+    }
+    if (test_get_argument_count() != 2) {
+        TEST_error("usage: endecode_test %s", USAGE);
+        return 0;
+    }
 
 #ifndef OPENSSL_NO_EC
     if (!TEST_ptr(bnctx = BN_CTX_new_ex(NULL))
@@ -1237,15 +1244,16 @@ int setup_tests(void)
     TEST_info("Generating keys...");
 
 #ifndef OPENSSL_NO_DH
+    TEST_info("Generating DH keys...");
     MAKE_DOMAIN_KEYS(DH, "DH", NULL);
     MAKE_DOMAIN_KEYS(DHX, "X9.42 DH", NULL);
-    TEST_info("Generating keys...DH done");
 #endif
 #ifndef OPENSSL_NO_DSA
+    TEST_info("Generating DSA keys...");
     MAKE_DOMAIN_KEYS(DSA, "DSA", DSA_params);
-    TEST_info("Generating keys...DSA done");
 #endif
 #ifndef OPENSSL_NO_EC
+    TEST_info("Generating EC keys...");
     MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
     MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
     MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
@@ -1257,12 +1265,12 @@ int setup_tests(void)
     MAKE_KEYS(ED448, "ED448", NULL);
     MAKE_KEYS(X25519, "X25519", NULL);
     MAKE_KEYS(X448, "X448", NULL);
-    TEST_info("Generating keys...EC done");
 #endif
-    MAKE_KEYS(RSA, "RSA", NULL);
-    TEST_info("Generating keys...RSA done");
-    MAKE_KEYS(RSA_PSS, "RSA-PSS", RSA_PSS_params);
-    TEST_info("Generating keys...RSA_PSS done");
+    TEST_info("Loading RSA key...");
+    ok = ok && TEST_ptr(key_RSA = load_pkey_pem(test_get_argument(0), NULL));
+    TEST_info("Loading RSA_PSS key...");
+    ok = ok && TEST_ptr(key_RSA_PSS = load_pkey_pem(test_get_argument(1), NULL));
+    TEST_info("Generating keys done");
 
     if (ok) {
 #ifndef OPENSSL_NO_DH
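Review bot: The loaded key at `key_RSA_PSS = load_pkey_pem(test_get_argument(1), NULL)` carries whatever restrictions the fixture PEM encodes, whereas the `RSA_PSS_params` removed in the previous hunk pinned `saltlen` to 7 for the generated key; unless the fixture chosen by the recipe encodes equivalent PSS parameters, the encoder/decoder tests would no longer exercise a restricted RSA-PSS key, which the page does not let me confirm. A comment stating the contract of the second argument, e.g. `/* argument 1: RSA-PSS key; should carry parameter restrictions (saltlen etc.) */`, would make that expectation checkable. `TEST_info("Generating keys done")` now follows two loads rather than generation, so `"Keys ready"` would describe it more accurately. setup_tests continues outside the hunk.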
diff --git a/test/endecoder_legacy_test.c b/test/endecoder_legacy_test.c
index 9e54f1f03b..b3bd4f5872 100644
--- a/test/endecoder_legacy_test.c
+++ b/test/endecoder_legacy_test.c
@@ -674,19 +674,48 @@ static int test_key(int idx)
     return ok;
 }
 
+#define USAGE "rsa-key.pem dh-key.pem\n"
+OPT_TEST_DECLARE_USAGE(USAGE)
+
 int setup_tests(void)
 {
     size_t i;
 
+    if (!test_skip_common_options()) {
+        TEST_error("Error parsing test options\n");
+        return 0;
+    }
+    if (test_get_argument_count() != 2) {
+        TEST_error("usage: endecoder_legacy_test %s", USAGE);
+        return 0;
+    }
+
     TEST_info("Generating keys...");
 
     for (i = 0; i < OSSL_NELEM(keys); i++) {
+#ifndef OPENSSL_NO_DH
+        if (strcmp(keys[i].keytype, "DH") == 0) {
+            if (!TEST_ptr(keys[i].key =
+                          load_pkey_pem(test_get_argument(1), NULL)))
+                return  0;
+            continue;
+        }
+#endif
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+        if (strcmp(keys[i].keytype, "RSA") == 0) {
+            if (!TEST_ptr(keys[i].key =
+                          load_pkey_pem(test_get_argument(0), NULL)))
+                return  0;
+            continue;
+        }
+#endif
+        TEST_info("Generating %s key...", keys[i].keytype);
         if (!TEST_ptr(keys[i].key =
                       make_key(keys[i].keytype, keys[i].template_params)))
             return 0;
     }
 
-    TEST_info("Generating key... done");
+    TEST_info("Generating keys done");
 
     ADD_ALL_TESTS(test_key, OSSL_NELEM(test_stanzas));
     return 1;
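Review bot: The two new early returns `return  0;` (after each `load_pkey_pem` call) carry a double space, unlike the `return 0;` that follows the make_key call; make them consistent. The precomputed DH and RSA entries also bypass `keys[i].template_params` without saying so, so a short comment on the DH branch such as `/* precomputed key: this entry's template_params are not applied */` would save the next reader from checking whether the fixture matches the entry's template. setup_tests closes outside the hunk.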
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index 1fcfdadeef..5e8f436cca 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -530,15 +530,16 @@ static int kem_rsa_gen_recover(void)
     unsigned char ct[256] = { 0, };
     unsigned char unwrap[256] = { 0, };
     size_t ctlen = 0, unwraplen = 0, secretlen = 0;
+    int bits = 2048;
 
-    ret = TEST_true(rsa_keygen(2048, &pub, &priv))
+    ret = TEST_true(rsa_keygen(bits, &pub, &priv))
           && TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL))
           && TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), 1)
           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(sctx, "RSASVE"), 1)
           && TEST_int_eq(EVP_PKEY_encapsulate(sctx, NULL, &ctlen, NULL,
                                               &secretlen), 1)
           && TEST_int_eq(ctlen, secretlen)
-          && TEST_int_eq(ctlen, 2048 / 8)
+          && TEST_int_eq(ctlen, bits / 8)
           && TEST_int_eq(EVP_PKEY_encapsulate(sctx, ct, &ctlen, secret,
                                               &secretlen), 1)
           && TEST_ptr(rctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL))
diff --git a/test/proxy.cnf b/test/proxy.cnf
index e6b60542bb..ceac227c04 100644
--- a/test/proxy.cnf
+++ b/test/proxy.cnf
@@ -2,8 +2,6 @@
 ## Config file for proxy certificate testing.
 
 [ req ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
 distinguished_name	= req_distinguished_name_p1
 encrypt_rsa_key		= no
 default_md		= sha256
@@ -29,8 +27,6 @@ proxyCertInfo	= critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
 ####################################################################
 
 [ proxy2_req ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
 distinguished_name	= req_distinguished_name_p2
 encrypt_rsa_key		= no
 default_md		= sha256
diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t
index 2041eb1fb9..0152519716 100644
--- a/test/recipes/04-test_encoder_decoder.t
+++ b/test/recipes/04-test_encoder_decoder.t
@@ -20,4 +20,7 @@ plan tests => 1;
 $ENV{OPENSSL_MODULES} = abs_path(bldtop_dir("providers"));
 $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default-and-legacy.cnf"));
 
-ok(run(test(["endecode_test"])));
+my $rsa_key = srctop_file("test", "certs", "ee-key.pem");
+my $pss_key = srctop_file("test", "certs", "ca-pss-key.pem");
+
+ok(run(test(["endecode_test", $rsa_key, $pss_key])));
diff --git a/test/recipes/04-test_encoder_decoder_legacy.t b/test/recipes/04-test_encoder_decoder_legacy.t
index d6671b2215..f278e17e48 100644
--- a/test/recipes/04-test_encoder_decoder_legacy.t
+++ b/test/recipes/04-test_encoder_decoder_legacy.t
@@ -20,8 +20,10 @@ plan skip_all => "Not available in a no-deprecated build"
     if disabled("deprecated");
 plan tests => 1;
 
-
 $ENV{OPENSSL_MODULES} = abs_path(bldtop_dir("providers"));
 $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default.cnf"));
 
-ok(run(test(["endecoder_legacy_test"])));
+my $rsa_key = srctop_file("test", "certs", "ee-key.pem");
+my $dh_key = srctop_file("test", "certs", "dhk2048.pem");
+
+ok(run(test(["endecoder_legacy_test", $rsa_key, $dh_key])));
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 0fcb56a46a..9783fe3960 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -33,6 +33,7 @@ if (disabled("rsa")) {
 
 # Check for duplicate -addext parameters, and one "working" case.
 my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem",
+                    "-key",  srctop_file("test", "certs", "ee-key.pem"),
     "-config", srctop_file("test", "test.cnf"), @req_new );
 my $val = "subjectAltName=DNS:example.com";
 my $val2 = " " . $val;
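Review bot: The inserted `"-key",  srctop_file("test", "certs", "ee-key.pem"),` has a double space after the comma and is indented deeper than the continuation line `"-config", srctop_file(...)` directly below it; aligning it with that line, `    "-key", srctop_file("test", "certs", "ee-key.pem"),`, keeps the list readable. The same key is added again in the second hunk of this file with matching single spacing.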
@@ -288,6 +289,7 @@ subtest "generating certificate requests" => sub {
     plan tests => 2;
 
     ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
+                "-key", srctop_file("test", "certs", "ee-key.pem"),
                 @req_new, "-out", "testreq.pem"])),
        "Generating request");
 
diff --git a/test/recipes/25-test_verify_store.t b/test/recipes/25-test_verify_store.t
index 920b608a37..a2268c59e4 100644
--- a/test/recipes/25-test_verify_store.t
+++ b/test/recipes/25-test_verify_store.t
@@ -17,6 +17,8 @@ setup("test_verify_store");
 plan tests => 10;
 
 my $dummycnf = srctop_file("apps", "openssl.cnf");
+my $cakey = srctop_file("test", "certs", "ca-key.pem");
+my $ukey = srctop_file("test", "certs", "ee-key.pem");
 
 my $cnf = srctop_file("test", "ca-and-certs.cnf");
 my $CAkey = "keyCA.ss";
@@ -33,6 +35,7 @@ SKIP: {
          qw(-new -section userreq),
          -config       => $cnf,
          -out          => $CAreq,
+         -key          => $cakey,
          -keyout       => $CAkey );
 
     skip 'failure', 8 unless
@@ -73,6 +76,7 @@ SKIP: {
              qw(-new -section userreq),
              -config  => $cnf,
              -out     => $Ureq,
+             -key     => $ukey,
              -keyout  => $Ukey );
 
     skip 'failure', 2 unless
diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t
index 4b145264ad..59a09ee917 100644
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -29,15 +29,18 @@ rmtree("demoCA", { safe => 0 });
 
 plan tests => 15;
  SKIP: {
+     my $cakey = srctop_file("test", "certs", "ca-key.pem");
      $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
      skip "failed creating CA structure", 4
-	 if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
+	 if !ok(run(perlapp(["CA.pl","-newca",
+                             "-extra-req", "-key $cakey"], stdin => undef)),
 		'creating CA structure');
 
+     my $eekey = srctop_file("test", "certs", "ee-key.pem");
      $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
      skip "failed creating new certificate request", 3
 	 if !ok(run(perlapp(["CA.pl","-newreq",
-                             '-extra-req', '-outform DER -section userreq'])),
+                             '-extra-req', "-outform DER -section userreq -key $eekey"])),
 		'creating certificate request');
      $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
      skip "failed to sign certificate request", 2
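Review bot: `"-extra-req", "-key $cakey"` embeds an absolute path returned by srctop_file in a single string that CA.pl apparently splits on whitespace (the pre-existing `'-outform DER -section userreq'` relies on that), so a source tree whose path contains a space would break the -key argument, which the earlier quoted-literal values could not. The same pattern is used for `$eekey` in this hunk and `$eekey2` in the next. If CA.pl accepts separately passed extra arguments, passing `"-key", $cakey` as distinct list elements would be safer; otherwise a comment noting the limitation next to `my $cakey = ...` is worth adding.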
@@ -50,8 +53,9 @@ plan tests => 15;
      skip "CT not configured, can't use -precert", 1
          if disabled("ct");
 
+     my $eekey2 = srctop_file("test", "certs", "ee-key-3072.pem");
      $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
-     ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)),
+     ok(run(perlapp(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr => undef)),
         'creating new pre-certificate');
 }
 
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index d01b2b72a8..59f364d7f7 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -46,12 +46,12 @@ my @genpkeycmd = ("openssl", "genpkey");
 my $dummycnf = srctop_file("apps", "openssl.cnf");
 
 my $cnf = srctop_file("test", "ca-and-certs.cnf");
-my $CAkey = "keyCA.ss";
+my $CAkey = srctop_file("test", "certs", "ca-key.pem"); # "keyCA.ss"
 my $CAcert="certCA.ss";
 my $CAserial="certCA.srl";
 my $CAreq="reqCA.ss";
 my $CAreq2="req2CA.ss";	# temp
-my $Ukey="keyU.ss";
+my $Ukey = srctop_file("test", "certs", "ee-key.pem"); # "keyU.ss";
 my $Ureq="reqU.ss";
 my $Ucert="certU.ss";
 my $Dkey="keyD.ss";
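Review bot: The trailing `# "keyCA.ss"` and `# "keyU.ss";` on the new `$CAkey` and `$Ukey` lines (and `# "keyP1.ss";`, `# "keyP2.ss";` in the next hunk) are commented-out old values; drop them or replace them with the reason, e.g. `# precomputed key from test/certs, avoids key generation in this test`. The next hunk also writes `my $P1key= srctop_file(` and `my $P2key= srctop_file(` without the space before `=` that the surrounding declarations use.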
@@ -62,11 +62,11 @@ my $Ereq="reqE.ss";
 my $Ecert="certE.ss";
 
 my $proxycnf=srctop_file("test", "proxy.cnf");
-my $P1key="keyP1.ss";
+my $P1key= srctop_file("test", "certs", "alt1-key.pem"); # "keyP1.ss";
 my $P1req="reqP1.ss";
 my $P1cert="certP1.ss";
 my $P1intermediate="tmp_intP1.ss";
-my $P2key="keyP2.ss";
+my $P2key= srctop_file("test", "certs", "alt2-key.pem"); # "keyP2.ss";
 my $P2req="reqP2.ss";
 my $P2cert="certP2.ss";
 my $P2intermediate="tmp_intP2.ss";
@@ -125,7 +125,7 @@ sub testss {
   SKIP: {
       skip 'failure', 16 unless
 	  ok(run(app([@reqcmd, "-config", $cnf,
-		      "-out", $CAreq, "-keyout", $CAkey,
+		      "-out", $CAreq, "-key", $CAkey,
 		      @req_new])),
 	     'make cert request');
 
@@ -159,7 +159,7 @@ sub testss {
 
       skip 'failure', 10 unless
 	  ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq",
-		      "-out", $Ureq, "-keyout", $Ukey, @req_new],
+		      "-out", $Ureq, "-key", $Ukey, @req_new],
 		     stdout => "err.ss")),
 	     'make a user cert request');
 
@@ -271,7 +271,7 @@ sub testss {
 
       skip 'failure', 5 unless
 	  ok(run(app([@reqcmd, "-config", $proxycnf,
-		      "-out", $P1req, "-keyout", $P1key, @req_new],
+		      "-out", $P1req, "-key", $P1key, @req_new],
 		     stdout => "err.ss")),
 	     'make a proxy cert request');
 
@@ -294,7 +294,7 @@ sub testss {
 
       skip 'failure', 2 unless
 	  ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req",
-		      "-out", $P2req, "-keyout", $P2key,
+		      "-out", $P2req, "-key", $P2key,
 		      @req_new],
 		     stdout => "err.ss")),
 	     'make another proxy cert request');
@@ -427,11 +427,11 @@ sub testssl {
         my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
 
         if (!$no_dsa) {
-            push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss";
+            push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
         }
 
         if (!$no_ec) {
-            push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss";
+            push @exkeys, "-s_cert", "certE.ss", "-s_key", $Ekey;
         }
 
         my @protocols = ();
diff --git a/test/recipes/80-test_tsa.t b/test/recipes/80-test_tsa.t
index 6fa005aebc..a76d4a9d05 100644
--- a/test/recipes/80-test_tsa.t
+++ b/test/recipes/80-test_tsa.t
@@ -25,6 +25,7 @@ plan skip_all => "TS is not supported by this OpenSSL build"
 # here, however, to be available in all subroutines.
 my $openssl_conf;
 my $testtsa;
+my $tsacakey;
 my $CAtsa;
 my @QUERY = ("openssl", "ts", "-query");
 my @REPLY;
@@ -38,12 +39,13 @@ sub create_tsa_cert {
 
     ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
                 "-out", "tsa_req${INDEX}.pem",
+                "-key", srctop_file("test", "certs", "alt${INDEX}-key.pem"),
                 "-keyout", "tsa_key${INDEX}.pem"])));
     note "using extension $EXT";
     ok(run(app(["openssl", "x509", "-req",
                 "-in", "tsa_req${INDEX}.pem",
                 "-out", "tsa_cert${INDEX}.pem",
-                "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
+                "-CA", "tsaca.pem", "-CAkey", $tsacakey,
                 "-CAcreateserial",
                 "-extfile", $openssl_conf, "-extensions", $EXT])));
 }
@@ -90,6 +92,7 @@ indir "tsa" => sub
 {
     $openssl_conf = srctop_file("test", "CAtsa.cnf");
     $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
+    $tsacakey = srctop_file("test", "certs", "ca-key.pem");
     $CAtsa = srctop_file("test", "CAtsa.cnf");
     @REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply");
 
@@ -102,7 +105,7 @@ indir "tsa" => sub
      skip "failed", 19
          unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
                             "-new", "-x509", "-noenc",
-                            "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
+                            "-out", "tsaca.pem", "-key", $tsacakey])),
                    'creating a new CA for the TSA tests');
 
      skip "failed", 18
diff --git a/test/test.cnf b/test/test.cnf
index a686c3d8bd..8b2f92ad8e 100644
--- a/test/test.cnf
+++ b/test/test.cnf
@@ -49,15 +49,11 @@ emailAddress		= optional
 
 ####################################################################
 [ req ]
-default_bits		= 2048
-default_keyfile 	= testkey.pem
 distinguished_name	= req_distinguished_name
 encrypt_rsa_key		= no
 
 # Make altreq be identical to req
 [ altreq ]
-default_bits		= 2048
-default_keyfile 	= testkey.pem
 distinguished_name	= req_distinguished_name
 encrypt_rsa_key		= no
 

