[openssl] master update
dev at ddvo.net
dev at ddvo.net
Thu May 27 09:06:57 UTC 2021
The branch master has been updated
via 91f2b15f2ecd9dd92b6ed2563b10c1a126db2643 (commit)
via 8b893c35da65c7b9a126c779caf42500e1297e7d (commit)
via 54e8f7259bec08a6655a0693a315a75d9ce65e95 (commit)
from 3257179b7a9a9430c5b54fe0321fdc6862f91345 (commit)
- Log -----------------------------------------------------------------
commit 91f2b15f2ecd9dd92b6ed2563b10c1a126db2643
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Sat Dec 12 22:04:05 2020 +0100
TEST: Prefer using precomputed RSA and DH keys for more efficient tests
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)
commit 8b893c35da65c7b9a126c779caf42500e1297e7d
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed May 26 09:22:48 2021 +0200
APPS req: Extend the -keyout option to be respected also with -key
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)
commit 54e8f7259bec08a6655a0693a315a75d9ce65e95
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed May 26 09:08:14 2021 +0200
DOC: Improve description of 'req' app: -new, -newkey, and -keyout options
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)
-----------------------------------------------------------------------
Summary of changes:
apps/req.c | 26 +++++++++++--------
doc/man1/openssl-req.pod.in | 37 ++++++++++++++++-----------
test/CAtsa.cnf | 1 -
test/ca-and-certs.cnf | 4 ---
test/certs/dhk2048.pem | 14 ++++++++++
test/endecode_test.c | 34 ++++++++++++++----------
test/endecoder_legacy_test.c | 31 +++++++++++++++++++++-
test/evp_libctx_test.c | 5 ++--
test/proxy.cnf | 4 ---
test/recipes/04-test_encoder_decoder.t | 5 +++-
test/recipes/04-test_encoder_decoder_legacy.t | 6 +++--
test/recipes/25-test_req.t | 2 ++
test/recipes/25-test_verify_store.t | 4 +++
test/recipes/80-test_ca.t | 10 +++++---
test/recipes/80-test_ssl_old.t | 20 +++++++--------
test/recipes/80-test_tsa.t | 7 +++--
test/test.cnf | 4 ---
17 files changed, 141 insertions(+), 73 deletions(-)
create mode 100644 test/certs/dhk2048.pem
diff --git a/apps/req.c b/apps/req.c
index 67cefa7e87..a9769b7452 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -142,10 +142,11 @@ const OPTIONS req_options[] = {
{"key", OPT_KEY, 's', "Private key to use"},
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
- {"keyout", OPT_KEYOUT, '>', "File to save newly created private key"},
+ {"keyout", OPT_KEYOUT, '>', "File to write private key to"},
{"passin", OPT_PASSIN, 's', "Private key and certificate password source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
- {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
+ {"newkey", OPT_NEWKEY, 's',
+ "Generate new key with [<alg>:]<nbits> or <alg>[:<file>] or param:<file>"},
{"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
@@ -675,17 +676,21 @@ int req_main(int argc, char **argv)
EVP_PKEY_CTX_free(genctx);
genctx = NULL;
+ }
+ if (keyout == NULL) {
+ keyout = NCONF_get_string(req_conf, section, KEYFILE);
+ if (keyout == NULL)
+ ERR_clear_error();
+ }
- if (keyout == NULL) {
- keyout = NCONF_get_string(req_conf, section, KEYFILE);
+ if (pkey != NULL && (keyfile == NULL || keyout != NULL)) {
+ if (verbose) {
+ BIO_printf(bio_err, "Writing private key to ");
if (keyout == NULL)
- ERR_clear_error();
+ BIO_printf(bio_err, "stdout\n");
+ else
+ BIO_printf(bio_err, "'%s'\n", keyout);
}
-
- if (keyout == NULL)
- BIO_printf(bio_err, "Writing new private key to stdout\n");
- else
- BIO_printf(bio_err, "Writing new private key to '%s'\n", keyout);
out = bio_open_owner(keyout, outformat, newreq);
if (out == NULL)
goto end;
@@ -704,7 +709,6 @@ int req_main(int argc, char **argv)
i = 0;
loop:
- assert(newreq);
if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
NULL, 0, NULL, passout)) {
if ((ERR_GET_REASON(ERR_peek_error()) ==
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 32434852ed..7897610818 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -149,29 +149,33 @@ the user for the relevant field values. The actual fields
prompted for and their maximum and minimum sizes are specified
in the configuration file and any requested extensions.
-If the B<-key> option is not given it will generate a new RSA private key
+If the B<-key> option is not given it will generate a new private key
using information specified in the configuration file or given with
-the B<-newkey> and B<-pkeyopt> options, else by default with 2048 bits length.
+the B<-newkey> and B<-pkeyopt> options,
+else by default an RSA key with 2048 bits length.
=item B<-newkey> I<arg>
This option creates a new certificate request and a new private
key. The argument takes one of several forms.
-B<rsa:>I<nbits>, where
-I<nbits> is the number of bits, generates an RSA key I<nbits>
-in size. If I<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
-the default key size, specified in the configuration file is used.
+[B<rsa:>]I<nbits> generates an RSA key I<nbits> in size.
+If I<nbits> is omitted, i.e., B<-newkey> B<rsa> is specified,
+the default key size specified in the configuration file
+with the B<default_bits> option is used if present, else 2048.
-All other algorithms support the B<-newkey> I<alg>:I<file> form, where file
-may be an algorithm parameter file, created with C<openssl genpkey -genparam>
+All other algorithms support the B<-newkey> I<algname>:I<file> form, where
+I<file> is an algorithm parameter file, created with C<openssl genpkey -genparam>
or an X.509 certificate for a key with appropriate algorithm.
B<param:>I<file> generates a key using the parameter file or certificate
-I<file>, the algorithm is determined by the parameters. I<algname>:I<file>
-use algorithm I<algname> and parameter file I<file>: the two algorithms must
-match or an error occurs. I<algname> just uses algorithm I<algname>, and
-parameters, if necessary should be specified via B<-pkeyopt> parameter.
+I<file>, the algorithm is determined by the parameters.
+
+I<algname>[:I<file>] generates a key using the given algorithm I<algname>.
+If a parameter file I<file> is given then the parameters specified there
+are used, where the algorithm parameters must match I<algname>.
+If algorithm parameters are not given,
+any necessary parameters should be specified via the B<-pkeyopt> option.
B<dsa:>I<filename> generates a DSA key using the parameters
in the file I<filename>. B<ec:>I<filename> generates EC key (usable both with
@@ -200,9 +204,12 @@ See L<openssl-format-options(1)> for details.
=item B<-keyout> I<filename>
-This gives the filename to write the newly created private key to.
-If this option is not specified then the filename present in the
-configuration file is used.
+This gives the filename to write any private key to that has been newly created
+or read from B<-key>.
+If the B<-keyout> option is not given the filename specified in the
+configuration file with the B<default_keyfile> option is used, if present.
+If a new key is generated and no filename is specified
+the key is written to standard output.
=item B<-noenc>
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index e7ca8c5a1e..e232e7023e 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -48,7 +48,6 @@ emailAddress = optional
#----------------------------------------------------------------------
[ req ]
-default_bits = 2048
default_md = sha1
distinguished_name = $ENV::TSDNSECT
encrypt_rsa_key = no
diff --git a/test/ca-and-certs.cnf b/test/ca-and-certs.cnf
index 598db2b6a0..f6663924ae 100644
--- a/test/ca-and-certs.cnf
+++ b/test/ca-and-certs.cnf
@@ -3,8 +3,6 @@ CN2 = Brother 2
####################################################################
[ req ]
-default_bits = 2048
-default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha1
@@ -19,8 +17,6 @@ commonName_value = Dodgy CA
####################################################################
[ userreq ]
-default_bits = 2048
-default_keyfile = keySS.pem
distinguished_name = user_dn
encrypt_rsa_key = no
default_md = sha256
diff --git a/test/certs/dhk2048.pem b/test/certs/dhk2048.pem
new file mode 100644
index 0000000000..1e1cef4b8c
--- /dev/null
+++ b/test/certs/dhk2048.pem
@@ -0,0 +1,14 @@
+-----BEGIN PRIVATE KEY-----
+MIICKgIBADCCARsGCSqGSIb3DQEDATCCAQwCggEBAP//////////yQ/aoiFowjTE
+xmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJRSgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP
+4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJ
+KGZR7ORbPcIAfLihY78FmNpINhxV05ppFj+o/STPX4NlXSPco62WHGLzViCFUrue
+1SkHcJaWbWcMNU5KvJgE8XRsCMoYIXwykF5GLjbOO+OedywYDoYDmyeDouwHoo+1
+xV3wb0xSyd4ry/aVWBcYOZVJfOqVauUV0iYYmPoFEBVyjlqKrKpo//////////8C
+AQICAgf/BIIBBAKCAQBPXxEkDA2EWknARF2EzUo6gc1eFNdKMVwa7aT3e2ClTIkN
+B4Y6XsJCS5C4q0vKhHtdH5LswCxUPfTQQAOlKPzcdMcGuOvx8gl90kvaOuxnD0wQ
+rpRmC64FbN+h503UJuGuNTFO2AvgLVb6EA637soAcWR6qLtRJ3wDpr1OW/ertIUj
+jhzD1i255j+z6UVQBNLy882AUSHfjr1UzWTYfcyn1zpQbZtbIh+0O5cloIl6Ek4N
+c3NtCgwAmTROrsKqHGmaW+pw4sOAAtNJByPT0y725s7tq4mAJKJgCc2J8Lbwbx9Z
+s+tEoCidGYuBRNouVH6I6POwjIhdpU0kIscdv+w8
+-----END PRIVATE KEY-----
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 9d0ebeb7e7..f851f73ffd 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -88,6 +88,7 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
}
#endif
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)
static EVP_PKEY *make_key(const char *type, EVP_PKEY *template,
OSSL_PARAM *genparams)
{
@@ -109,6 +110,7 @@ static EVP_PKEY *make_key(const char *type, EVP_PKEY *template,
EVP_PKEY_CTX_free(ctx);
return pkey;
}
+#endif
/* Main test driver */
@@ -1182,6 +1184,9 @@ static int create_ec_explicit_trinomial_params(OSSL_PARAM_BLD *bld)
# endif /* OPENSSL_NO_EC2M */
#endif /* OPENSSL_NO_EC */
+#define USAGE "rsa-key.pem rsa-pss-key.pem\n"
+OPT_TEST_DECLARE_USAGE(USAGE)
+
int setup_tests(void)
{
# ifndef OPENSSL_NO_RC4
@@ -1207,12 +1212,14 @@ int setup_tests(void)
};
#endif
- /* 7 is the default magic number */
- static unsigned int rsapss_min_saltlen = 7;
- OSSL_PARAM RSA_PSS_params[] = {
- OSSL_PARAM_uint("saltlen", &rsapss_min_saltlen),
- OSSL_PARAM_END
- };
+ if (!test_skip_common_options()) {
+ TEST_error("Error parsing test options\n");
+ return 0;
+ }
+ if (test_get_argument_count() != 2) {
+ TEST_error("usage: endecode_test %s", USAGE);
+ return 0;
+ }
#ifndef OPENSSL_NO_EC
if (!TEST_ptr(bnctx = BN_CTX_new_ex(NULL))
@@ -1237,15 +1244,16 @@ int setup_tests(void)
TEST_info("Generating keys...");
#ifndef OPENSSL_NO_DH
+ TEST_info("Generating DH keys...");
MAKE_DOMAIN_KEYS(DH, "DH", NULL);
MAKE_DOMAIN_KEYS(DHX, "X9.42 DH", NULL);
- TEST_info("Generating keys...DH done");
#endif
#ifndef OPENSSL_NO_DSA
+ TEST_info("Generating DSA keys...");
MAKE_DOMAIN_KEYS(DSA, "DSA", DSA_params);
- TEST_info("Generating keys...DSA done");
#endif
#ifndef OPENSSL_NO_EC
+ TEST_info("Generating EC keys...");
MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
@@ -1257,12 +1265,12 @@ int setup_tests(void)
MAKE_KEYS(ED448, "ED448", NULL);
MAKE_KEYS(X25519, "X25519", NULL);
MAKE_KEYS(X448, "X448", NULL);
- TEST_info("Generating keys...EC done");
#endif
- MAKE_KEYS(RSA, "RSA", NULL);
- TEST_info("Generating keys...RSA done");
- MAKE_KEYS(RSA_PSS, "RSA-PSS", RSA_PSS_params);
- TEST_info("Generating keys...RSA_PSS done");
+ TEST_info("Loading RSA key...");
+ ok = ok && TEST_ptr(key_RSA = load_pkey_pem(test_get_argument(0), NULL));
+ TEST_info("Loading RSA_PSS key...");
+ ok = ok && TEST_ptr(key_RSA_PSS = load_pkey_pem(test_get_argument(1), NULL));
+ TEST_info("Generating keys done");
if (ok) {
#ifndef OPENSSL_NO_DH
diff --git a/test/endecoder_legacy_test.c b/test/endecoder_legacy_test.c
index 9e54f1f03b..b3bd4f5872 100644
--- a/test/endecoder_legacy_test.c
+++ b/test/endecoder_legacy_test.c
@@ -674,19 +674,48 @@ static int test_key(int idx)
return ok;
}
+#define USAGE "rsa-key.pem dh-key.pem\n"
+OPT_TEST_DECLARE_USAGE(USAGE)
+
int setup_tests(void)
{
size_t i;
+ if (!test_skip_common_options()) {
+ TEST_error("Error parsing test options\n");
+ return 0;
+ }
+ if (test_get_argument_count() != 2) {
+ TEST_error("usage: endecoder_legacy_test %s", USAGE);
+ return 0;
+ }
+
TEST_info("Generating keys...");
for (i = 0; i < OSSL_NELEM(keys); i++) {
+#ifndef OPENSSL_NO_DH
+ if (strcmp(keys[i].keytype, "DH") == 0) {
+ if (!TEST_ptr(keys[i].key =
+ load_pkey_pem(test_get_argument(1), NULL)))
+ return 0;
+ continue;
+ }
+#endif
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ if (strcmp(keys[i].keytype, "RSA") == 0) {
+ if (!TEST_ptr(keys[i].key =
+ load_pkey_pem(test_get_argument(0), NULL)))
+ return 0;
+ continue;
+ }
+#endif
+ TEST_info("Generating %s key...", keys[i].keytype);
if (!TEST_ptr(keys[i].key =
make_key(keys[i].keytype, keys[i].template_params)))
return 0;
}
- TEST_info("Generating key... done");
+ TEST_info("Generating keys done");
ADD_ALL_TESTS(test_key, OSSL_NELEM(test_stanzas));
return 1;
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index 1fcfdadeef..5e8f436cca 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -530,15 +530,16 @@ static int kem_rsa_gen_recover(void)
unsigned char ct[256] = { 0, };
unsigned char unwrap[256] = { 0, };
size_t ctlen = 0, unwraplen = 0, secretlen = 0;
+ int bits = 2048;
- ret = TEST_true(rsa_keygen(2048, &pub, &priv))
+ ret = TEST_true(rsa_keygen(bits, &pub, &priv))
&& TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL))
&& TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), 1)
&& TEST_int_eq(EVP_PKEY_CTX_set_kem_op(sctx, "RSASVE"), 1)
&& TEST_int_eq(EVP_PKEY_encapsulate(sctx, NULL, &ctlen, NULL,
&secretlen), 1)
&& TEST_int_eq(ctlen, secretlen)
- && TEST_int_eq(ctlen, 2048 / 8)
+ && TEST_int_eq(ctlen, bits / 8)
&& TEST_int_eq(EVP_PKEY_encapsulate(sctx, ct, &ctlen, secret,
&secretlen), 1)
&& TEST_ptr(rctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL))
diff --git a/test/proxy.cnf b/test/proxy.cnf
index e6b60542bb..ceac227c04 100644
--- a/test/proxy.cnf
+++ b/test/proxy.cnf
@@ -2,8 +2,6 @@
## Config file for proxy certificate testing.
[ req ]
-default_bits = 2048
-default_keyfile = keySS.pem
distinguished_name = req_distinguished_name_p1
encrypt_rsa_key = no
default_md = sha256
@@ -29,8 +27,6 @@ proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
####################################################################
[ proxy2_req ]
-default_bits = 2048
-default_keyfile = keySS.pem
distinguished_name = req_distinguished_name_p2
encrypt_rsa_key = no
default_md = sha256
diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t
index 2041eb1fb9..0152519716 100644
--- a/test/recipes/04-test_encoder_decoder.t
+++ b/test/recipes/04-test_encoder_decoder.t
@@ -20,4 +20,7 @@ plan tests => 1;
$ENV{OPENSSL_MODULES} = abs_path(bldtop_dir("providers"));
$ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default-and-legacy.cnf"));
-ok(run(test(["endecode_test"])));
+my $rsa_key = srctop_file("test", "certs", "ee-key.pem");
+my $pss_key = srctop_file("test", "certs", "ca-pss-key.pem");
+
+ok(run(test(["endecode_test", $rsa_key, $pss_key])));
diff --git a/test/recipes/04-test_encoder_decoder_legacy.t b/test/recipes/04-test_encoder_decoder_legacy.t
index d6671b2215..f278e17e48 100644
--- a/test/recipes/04-test_encoder_decoder_legacy.t
+++ b/test/recipes/04-test_encoder_decoder_legacy.t
@@ -20,8 +20,10 @@ plan skip_all => "Not available in a no-deprecated build"
if disabled("deprecated");
plan tests => 1;
-
$ENV{OPENSSL_MODULES} = abs_path(bldtop_dir("providers"));
$ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default.cnf"));
-ok(run(test(["endecoder_legacy_test"])));
+my $rsa_key = srctop_file("test", "certs", "ee-key.pem");
+my $dh_key = srctop_file("test", "certs", "dhk2048.pem");
+
+ok(run(test(["endecoder_legacy_test", $rsa_key, $dh_key])));
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 0fcb56a46a..9783fe3960 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -33,6 +33,7 @@ if (disabled("rsa")) {
# Check for duplicate -addext parameters, and one "working" case.
my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem",
+ "-key", srctop_file("test", "certs", "ee-key.pem"),
"-config", srctop_file("test", "test.cnf"), @req_new );
my $val = "subjectAltName=DNS:example.com";
my $val2 = " " . $val;
@@ -288,6 +289,7 @@ subtest "generating certificate requests" => sub {
plan tests => 2;
ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
+ "-key", srctop_file("test", "certs", "ee-key.pem"),
@req_new, "-out", "testreq.pem"])),
"Generating request");
diff --git a/test/recipes/25-test_verify_store.t b/test/recipes/25-test_verify_store.t
index 920b608a37..a2268c59e4 100644
--- a/test/recipes/25-test_verify_store.t
+++ b/test/recipes/25-test_verify_store.t
@@ -17,6 +17,8 @@ setup("test_verify_store");
plan tests => 10;
my $dummycnf = srctop_file("apps", "openssl.cnf");
+my $cakey = srctop_file("test", "certs", "ca-key.pem");
+my $ukey = srctop_file("test", "certs", "ee-key.pem");
my $cnf = srctop_file("test", "ca-and-certs.cnf");
my $CAkey = "keyCA.ss";
@@ -33,6 +35,7 @@ SKIP: {
qw(-new -section userreq),
-config => $cnf,
-out => $CAreq,
+ -key => $cakey,
-keyout => $CAkey );
skip 'failure', 8 unless
@@ -73,6 +76,7 @@ SKIP: {
qw(-new -section userreq),
-config => $cnf,
-out => $Ureq,
+ -key => $ukey,
-keyout => $Ukey );
skip 'failure', 2 unless
diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t
index 4b145264ad..59a09ee917 100644
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -29,15 +29,18 @@ rmtree("demoCA", { safe => 0 });
plan tests => 15;
SKIP: {
+ my $cakey = srctop_file("test", "certs", "ca-key.pem");
$ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
skip "failed creating CA structure", 4
- if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
+ if !ok(run(perlapp(["CA.pl","-newca",
+ "-extra-req", "-key $cakey"], stdin => undef)),
'creating CA structure');
+ my $eekey = srctop_file("test", "certs", "ee-key.pem");
$ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
skip "failed creating new certificate request", 3
if !ok(run(perlapp(["CA.pl","-newreq",
- '-extra-req', '-outform DER -section userreq'])),
+ '-extra-req', "-outform DER -section userreq -key $eekey"])),
'creating certificate request');
$ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
skip "failed to sign certificate request", 2
@@ -50,8 +53,9 @@ plan tests => 15;
skip "CT not configured, can't use -precert", 1
if disabled("ct");
+ my $eekey2 = srctop_file("test", "certs", "ee-key-3072.pem");
$ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
- ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)),
+ ok(run(perlapp(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr => undef)),
'creating new pre-certificate');
}
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index d01b2b72a8..59f364d7f7 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -46,12 +46,12 @@ my @genpkeycmd = ("openssl", "genpkey");
my $dummycnf = srctop_file("apps", "openssl.cnf");
my $cnf = srctop_file("test", "ca-and-certs.cnf");
-my $CAkey = "keyCA.ss";
+my $CAkey = srctop_file("test", "certs", "ca-key.pem"); # "keyCA.ss"
my $CAcert="certCA.ss";
my $CAserial="certCA.srl";
my $CAreq="reqCA.ss";
my $CAreq2="req2CA.ss"; # temp
-my $Ukey="keyU.ss";
+my $Ukey = srctop_file("test", "certs", "ee-key.pem"); # "keyU.ss";
my $Ureq="reqU.ss";
my $Ucert="certU.ss";
my $Dkey="keyD.ss";
@@ -62,11 +62,11 @@ my $Ereq="reqE.ss";
my $Ecert="certE.ss";
my $proxycnf=srctop_file("test", "proxy.cnf");
-my $P1key="keyP1.ss";
+my $P1key= srctop_file("test", "certs", "alt1-key.pem"); # "keyP1.ss";
my $P1req="reqP1.ss";
my $P1cert="certP1.ss";
my $P1intermediate="tmp_intP1.ss";
-my $P2key="keyP2.ss";
+my $P2key= srctop_file("test", "certs", "alt2-key.pem"); # "keyP2.ss";
my $P2req="reqP2.ss";
my $P2cert="certP2.ss";
my $P2intermediate="tmp_intP2.ss";
@@ -125,7 +125,7 @@ sub testss {
SKIP: {
skip 'failure', 16 unless
ok(run(app([@reqcmd, "-config", $cnf,
- "-out", $CAreq, "-keyout", $CAkey,
+ "-out", $CAreq, "-key", $CAkey,
@req_new])),
'make cert request');
@@ -159,7 +159,7 @@ sub testss {
skip 'failure', 10 unless
ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq",
- "-out", $Ureq, "-keyout", $Ukey, @req_new],
+ "-out", $Ureq, "-key", $Ukey, @req_new],
stdout => "err.ss")),
'make a user cert request');
@@ -271,7 +271,7 @@ sub testss {
skip 'failure', 5 unless
ok(run(app([@reqcmd, "-config", $proxycnf,
- "-out", $P1req, "-keyout", $P1key, @req_new],
+ "-out", $P1req, "-key", $P1key, @req_new],
stdout => "err.ss")),
'make a proxy cert request');
@@ -294,7 +294,7 @@ sub testss {
skip 'failure', 2 unless
ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req",
- "-out", $P2req, "-keyout", $P2key,
+ "-out", $P2req, "-key", $P2key,
@req_new],
stdout => "err.ss")),
'make another proxy cert request');
@@ -427,11 +427,11 @@ sub testssl {
my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
if (!$no_dsa) {
- push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss";
+ push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
}
if (!$no_ec) {
- push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss";
+ push @exkeys, "-s_cert", "certE.ss", "-s_key", $Ekey;
}
my @protocols = ();
diff --git a/test/recipes/80-test_tsa.t b/test/recipes/80-test_tsa.t
index 6fa005aebc..a76d4a9d05 100644
--- a/test/recipes/80-test_tsa.t
+++ b/test/recipes/80-test_tsa.t
@@ -25,6 +25,7 @@ plan skip_all => "TS is not supported by this OpenSSL build"
# here, however, to be available in all subroutines.
my $openssl_conf;
my $testtsa;
+my $tsacakey;
my $CAtsa;
my @QUERY = ("openssl", "ts", "-query");
my @REPLY;
@@ -38,12 +39,13 @@ sub create_tsa_cert {
ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
"-out", "tsa_req${INDEX}.pem",
+ "-key", srctop_file("test", "certs", "alt${INDEX}-key.pem"),
"-keyout", "tsa_key${INDEX}.pem"])));
note "using extension $EXT";
ok(run(app(["openssl", "x509", "-req",
"-in", "tsa_req${INDEX}.pem",
"-out", "tsa_cert${INDEX}.pem",
- "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
+ "-CA", "tsaca.pem", "-CAkey", $tsacakey,
"-CAcreateserial",
"-extfile", $openssl_conf, "-extensions", $EXT])));
}
@@ -90,6 +92,7 @@ indir "tsa" => sub
{
$openssl_conf = srctop_file("test", "CAtsa.cnf");
$testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
+ $tsacakey = srctop_file("test", "certs", "ca-key.pem");
$CAtsa = srctop_file("test", "CAtsa.cnf");
@REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply");
@@ -102,7 +105,7 @@ indir "tsa" => sub
skip "failed", 19
unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
"-new", "-x509", "-noenc",
- "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
+ "-out", "tsaca.pem", "-key", $tsacakey])),
'creating a new CA for the TSA tests');
skip "failed", 18
diff --git a/test/test.cnf b/test/test.cnf
index a686c3d8bd..8b2f92ad8e 100644
--- a/test/test.cnf
+++ b/test/test.cnf
@@ -49,15 +49,11 @@ emailAddress = optional
####################################################################
[ req ]
-default_bits = 2048
-default_keyfile = testkey.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
# Make altreq be identical to req
[ altreq ]
-default_bits = 2048
-default_keyfile = testkey.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
More information about the openssl-commits
mailing list