QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-04-27 02:04:37 +00:00
Code Issues Projects Releases Wiki Activity

Cleanup cert config files for tests

Browse Source 
Merge test/P[12]ss.cnf into one config file
Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf
Remove Netscape cert extensions, add keyUsage comment from some cnf files

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
This commit is contained in:
Rich Salz 2020-03-04 14:08:31 -05:00 committed by Tomas Mraz
parent 5c01a133ec
commit 4e6e57cfcd
15 changed files with 198 additions and 345 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
apps/openssl-vms.cnf
View File

@ -171,27 +171,9 @@ unstructuredName = An optional company name
basicConstraints=CA:FALSE basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate. # This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates. # PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer authorityKeyIdentifier=keyid,issuer
@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details # Copy subject details
# issuerAltName=issuer:copy # issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates. # This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping # extendedKeyUsage = critical,timeStamping
@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
# left out by default. # left out by default.
# keyUsage = cRLSign, keyCertSign # keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation # Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy # subjectAltName=email:copy
# Copy issuer details # Copy issuer details
@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
basicConstraints=CA:FALSE basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate. # This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates. # PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer authorityKeyIdentifier=keyid,issuer
@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details # Copy subject details
# issuerAltName=issuer:copy # issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate. # This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

53
apps/openssl.cnf
View File

@ -171,27 +171,9 @@ unstructuredName = An optional company name
basicConstraints=CA:FALSE basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate. # This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates. # PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer authorityKeyIdentifier=keyid,issuer
@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details # Copy subject details
# issuerAltName=issuer:copy # issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates. # This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping # extendedKeyUsage = critical,timeStamping
@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
# left out by default. # left out by default.
# keyUsage = cRLSign, keyCertSign # keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation # Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy # subjectAltName=email:copy
# Copy issuer details # Copy issuer details
@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
basicConstraints=CA:FALSE basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate. # This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates. # PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer authorityKeyIdentifier=keyid,issuer
@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details # Copy subject details
# issuerAltName=issuer:copy # issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate. # This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

6
demos/certs/apps/apps.cnf
View File

@ -35,9 +35,6 @@ commonName = $ENV::CN
basicConstraints=critical, CA:FALSE basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
[ ec_cert ] [ ec_cert ]
# These extensions are added when 'ca' signs a request for an end entity # These extensions are added when 'ca' signs a request for an end entity
@ -46,9 +43,6 @@ nsComment = "OpenSSL Generated Certificate"
basicConstraints=critical, CA:FALSE basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates. # PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid authorityKeyIdentifier=keyid

6
demos/certs/ca.cnf
View File

@ -35,9 +35,6 @@ commonName = $ENV::CN
basicConstraints=critical, CA:FALSE basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates. # PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid authorityKeyIdentifier=keyid
@ -47,9 +44,6 @@ authorityKeyIdentifier=keyid
basicConstraints=critical, CA:FALSE basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates. # PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid authorityKeyIdentifier=keyid

4
doc/man7/proxy-certificates.pod
View File

@ -116,7 +116,7 @@ two commands:
openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \ openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \
-CA user.crt -CAkey user.key -days 7 \ -CA user.crt -CAkey user.key -days 7 \
-extfile proxy.cnf -extensions v3_proxy1 -extfile proxy.cnf -extensions proxy
You can also create a proxy certificate using another proxy You can also create a proxy certificate using another proxy
certificate as issuer (note: using a different configuration certificate as issuer (note: using a different configuration
@ -128,7 +128,7 @@ section for the proxy extensions):
openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \ openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \
-CA proxy.crt -CAkey proxy.key -days 7 \ -CA proxy.crt -CAkey proxy.key -days 7 \
-extfile proxy.cnf -extensions v3_proxy2 -extfile proxy.cnf -extensions proxy_2
=head2 Using proxy certs in applications =head2 Using proxy certs in applications

69
test/CAss.cnf
View File

@ -1,69 +0,0 @@
####################################################################
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha1
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
commonName = Common Name (eg, YOUR name)
commonName_value = Dodgy CA
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
x509_extensions = v3_ca # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true,pathlen:1
keyUsage = cRLSign, keyCertSign
issuerAltName=issuer:copy

31
test/P1ss.cnf
View File

@ -1,31 +0,0 @@
####################################################################
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha256
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
0.commonName = Common Name (eg, YOUR name)
0.commonName_value = Brother 1
1.commonName = Common Name (eg, YOUR name)
1.commonName_value = Brother 2
2.commonName = Common Name (eg, YOUR name)
2.commonName_value = Proxy 1
[ v3_proxy ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB

39
test/P2ss.cnf
View File

@ -1,39 +0,0 @@
####################################################################
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha256
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
0.commonName = Common Name (eg, YOUR name)
0.commonName_value = Brother 1
1.commonName = Common Name (eg, YOUR name)
1.commonName_value = Brother 2
2.commonName = Common Name (eg, YOUR name)
2.commonName_value = Proxy 1
3.commonName = Common Name (eg, YOUR name)
3.commonName_value = Proxy 2
[ v3_proxy ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
proxyCertInfo=critical,@proxy_ext
[ proxy_ext ]
language=id-ppl-anyLanguage
pathlen=0
policy=text:BC

36
test/Uss.cnf
View File

@ -1,36 +0,0 @@
CN2 = Brother 2
####################################################################
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha256
prompt = no
[ req_distinguished_name ]
countryName = AU
organizationName = Dodgy Brothers
0.commonName = Brother 1
1.commonName = $ENV::CN2
[ v3_ee ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ee_dsa ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature
[ v3_ee_ec ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyAgreement

90
test/ca-and-certs.cnf Normal file
View File

@ -0,0 +1,90 @@
CN2 = Brother 2
####################################################################
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha1
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
commonName = Common Name (eg, YOUR name)
commonName_value = Dodgy CA
####################################################################
[ userreq ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = user_dn
encrypt_rsa_key = no
default_md = sha256
prompt = no
[ user_dn ]
countryName = AU
organizationName = Dodgy Brothers
0.commonName = Brother 1
1.commonName = $ENV::CN2
[ v3_ee ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ee_dsa ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature
[ v3_ee_ec ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyAgreement
####################################################################
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
x509_extensions = v3_ca
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days= 30
default_md = sha1
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true,pathlen:1
keyUsage = cRLSign, keyCertSign
issuerAltName = issuer:copy

61
test/proxy.cnf Normal file
View File

@ -0,0 +1,61 @@
## Config file for proxy certificate testing.
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name_p1
encrypt_rsa_key = no
default_md = sha256
[ req_distinguished_name_p1 ]
countryName = Country Name (2 letter code)
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
0.commonName = Common Name (eg, YOUR name)
0.commonName_value = Brother 1
1.commonName = Common Name (eg, YOUR name)
1.commonName_value = Brother 2
2.commonName = Common Name (eg, YOUR name)
2.commonName_value = Proxy 1
[ proxy ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
####################################################################
[ proxy2_req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name_p2
encrypt_rsa_key = no
default_md = sha256
[ req_distinguished_name_p2 ]
countryName = Country Name (2 letter code)
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
0.commonName = Common Name (eg, YOUR name)
0.commonName_value = Brother 1
1.commonName = Common Name (eg, YOUR name)
1.commonName_value = Brother 2
2.commonName = Common Name (eg, YOUR name)
2.commonName_value = Proxy 1
3.commonName = Common Name (eg, YOUR name)
3.commonName_value = Proxy 2
[ proxy_2 ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
proxyCertInfo = critical,@proxy_ext
[ proxy_ext ]
language = id-ppl-anyLanguage
pathlen = 0
policy = text:BC

31
test/recipes/25-test_verify_store.t
View File

@ -18,34 +18,31 @@ plan tests => 10;
my $dummycnf = srctop_file("apps", "openssl.cnf"); my $dummycnf = srctop_file("apps", "openssl.cnf");
my $cnf=srctop_file("test","ca-and-certs.cnf");
my $CAkey = "keyCA.ss"; my $CAkey = "keyCA.ss";
my $CAcert="certCA.ss"; my $CAcert="certCA.ss";
my $CAserial="certCA.srl"; my $CAserial="certCA.srl";
my $CAreq="reqCA.ss"; my $CAreq="reqCA.ss";
my $CAconf=srctop_file("test","CAss.cnf");
my $CAreq2="req2CA.ss"; # temp my $CAreq2="req2CA.ss"; # temp
my $Uconf=srctop_file("test","Uss.cnf");
my $Ukey="keyU.ss"; my $Ukey="keyU.ss";
my $Ureq="reqU.ss"; my $Ureq="reqU.ss";
my $Ucert="certU.ss"; my $Ucert="certU.ss";
SKIP: { SKIP: {
req( 'make cert request', req( 'make cert request',
qw(-new), qw(-new -section userreq),
-config => $CAconf, -config => $cnf,
-out => $CAreq, -out => $CAreq,
-keyout => $CAkey ); -keyout => $CAkey );
skip 'failure', 8 unless skip 'failure', 8 unless
x509( 'convert request into self-signed cert', x509( 'convert request into self-signed cert',
qw(-req -CAcreateserial), qw(-req -CAcreateserial -days 30),
qw(-extensions v3_ca),
-in => $CAreq, -in => $CAreq,
-out => $CAcert, -out => $CAcert,
-signkey => $CAkey, -signkey => $CAkey,
-days => 30, -extfile => $cnf );
-extfile => $CAconf,
-extensions => 'v3_ca' );
skip 'failure', 7 unless skip 'failure', 7 unless
x509( 'convert cert into a cert request', x509( 'convert cert into a cert request',
@ -56,13 +53,13 @@ SKIP: {
skip 'failure', 6 unless skip 'failure', 6 unless
req( 'verify request 1', req( 'verify request 1',
qw(-verify -noout), qw(-verify -noout -section userreq),
-config => $dummycnf, -config => $dummycnf,
-in => $CAreq ); -in => $CAreq );
skip 'failure', 5 unless skip 'failure', 5 unless
req( 'verify request 2', req( 'verify request 2',
qw(-verify -noout), qw(-verify -noout -section userreq),
-config => $dummycnf, -config => $dummycnf,
-in => $CAreq2 ); -in => $CAreq2 );
@ -73,29 +70,27 @@ SKIP: {
skip 'failure', 3 unless skip 'failure', 3 unless
req( 'make a user cert request', req( 'make a user cert request',
qw(-new), qw(-new -section userreq),
-config => $Uconf, -config => $cnf,
-out => $Ureq, -out => $Ureq,
-keyout => $Ukey ); -keyout => $Ukey );
skip 'failure', 2 unless skip 'failure', 2 unless
x509( 'sign user cert request', x509( 'sign user cert request',
qw(-req -CAcreateserial), qw(-req -CAcreateserial -days 30 -extensions v3_ee),
-in => $Ureq, -in => $Ureq,
-out => $Ucert, -out => $Ucert,
-CA => $CAcert, -CA => $CAcert,
-CAkey => $CAkey, -CAkey => $CAkey,
-CAserial => $CAserial, -CAserial => $CAserial,
-days => 30, -extfile => $cnf )
-extfile => $Uconf,
-extensions => 'v3_ee' )
&& verify( undef, && verify( undef,
-CAstore => $CAcert, -CAstore => $CAcert,
$Ucert ); $Ucert );
skip 'failure', 0 unless skip 'failure', 0 unless
x509( 'Certificate details', x509( 'Certificate details',
qw( -subject -issuer -startdate -enddate -noout), qw(-subject -issuer -startdate -enddate -noout),
-in => $Ucert ); -in => $Ucert );
} }

23
test/recipes/80-test_ca.t
View File

@ -18,26 +18,29 @@ use OpenSSL::Test::Utils;
setup("test_ca"); setup("test_ca");
$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
my $std_openssl_cnf =
srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf"); my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';;
my $std_openssl_cnf = '"'
. srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
. '"';
rmtree("demoCA", { safe => 0 }); rmtree("demoCA", { safe => 0 });
plan tests => 6; plan tests => 6;
SKIP: { SKIP: {
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"'; $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
skip "failed creating CA structure", 4 skip "failed creating CA structure", 4
if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)), if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
'creating CA structure'); 'creating CA structure');
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"'; $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
skip "failed creating new certificate request", 3 skip "failed creating new certificate request", 3
if !ok(run(perlapp(["CA.pl","-newreq", if !ok(run(perlapp(["CA.pl","-newreq",
"-extra-req","-outform DER"])), '-extra-req', '-outform DER -section userreq'])),
'creating certificate request'); 'creating certificate request');
$ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config "'.$std_openssl_cnf.'"'; $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
skip "failed to sign certificate request", 2 skip "failed to sign certificate request", 2
if !is(yes(cmdstr(perlapp(["CA.pl", "-sign", "-extra-ca"]))), 0, if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
'signing certificate request'); 'signing certificate request');
ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])), ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
@ -46,8 +49,8 @@ plan tests => 6;
skip "CT not configured, can't use -precert", 1 skip "CT not configured, can't use -precert", 1
if disabled("ct"); if disabled("ct");
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"'; $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)), ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)),
'creating new pre-certificate'); 'creating new pre-certificate');
} }
@ -56,7 +59,7 @@ SKIP: {
if disabled("sm2"); if disabled("sm2");
is(yes(cmdstr(app(["openssl", "ca", "-config", is(yes(cmdstr(app(["openssl", "ca", "-config",
srctop_file("test", "CAss.cnf"), $cnf,
"-in", srctop_file("test", "certs", "sm2-csr.pem"), "-in", srctop_file("test", "certs", "sm2-csr.pem"),
"-out", "sm2-test.crt", "-out", "sm2-test.crt",
"-sigopt", "distid:1234567812345678", "-sigopt", "distid:1234567812345678",

36
test/recipes/80-test_ssl_old.t
View File

@ -44,33 +44,27 @@ my @verifycmd = ("openssl", "verify");
my @genpkeycmd = ("openssl", "genpkey"); my @genpkeycmd = ("openssl", "genpkey");
my $dummycnf = srctop_file("apps", "openssl.cnf"); my $dummycnf = srctop_file("apps", "openssl.cnf");
my $cnf=srctop_file("test","ca-and-certs.cnf");
my $CAkey = "keyCA.ss"; my $CAkey = "keyCA.ss";
my $CAcert="certCA.ss"; my $CAcert="certCA.ss";
my $CAserial="certCA.srl"; my $CAserial="certCA.srl";
my $CAreq="reqCA.ss"; my $CAreq="reqCA.ss";
my $CAconf=srctop_file("test","CAss.cnf");
my $CAreq2="req2CA.ss"; # temp my $CAreq2="req2CA.ss"; # temp
my $Uconf=srctop_file("test","Uss.cnf");
my $Ukey="keyU.ss"; my $Ukey="keyU.ss";
my $Ureq="reqU.ss"; my $Ureq="reqU.ss";
my $Ucert="certU.ss"; my $Ucert="certU.ss";
my $Dkey="keyD.ss"; my $Dkey="keyD.ss";
my $Dreq="reqD.ss"; my $Dreq="reqD.ss";
my $Dcert="certD.ss"; my $Dcert="certD.ss";
my $Ekey="keyE.ss"; my $Ekey="keyE.ss";
my $Ereq="reqE.ss"; my $Ereq="reqE.ss";
my $Ecert="certE.ss"; my $Ecert="certE.ss";
my $P1conf=srctop_file("test","P1ss.cnf"); my $proxycnf=srctop_file("test","proxy.cnf");
my $P1key="keyP1.ss"; my $P1key="keyP1.ss";
my $P1req="reqP1.ss"; my $P1req="reqP1.ss";
my $P1cert="certP1.ss"; my $P1cert="certP1.ss";
my $P1intermediate="tmp_intP1.ss"; my $P1intermediate="tmp_intP1.ss";
my $P2conf=srctop_file("test","P2ss.cnf");
my $P2key="keyP2.ss"; my $P2key="keyP2.ss";
my $P2req="reqP2.ss"; my $P2req="reqP2.ss";
my $P2cert="certP2.ss"; my $P2cert="certP2.ss";
@ -133,7 +127,7 @@ sub testss {
SKIP: { SKIP: {
skip 'failure', 16 unless skip 'failure', 16 unless
ok(run(app([@reqcmd, "-config", $CAconf, ok(run(app([@reqcmd, "-config", $cnf,
"-out", $CAreq, "-keyout", $CAkey, "-out", $CAreq, "-keyout", $CAkey,
@req_new])), @req_new])),
'make cert request'); 'make cert request');
@ -141,7 +135,7 @@ sub testss {
skip 'failure', 15 unless skip 'failure', 15 unless
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30", ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
"-req", "-out", $CAcert, "-signkey", $CAkey, "-req", "-out", $CAcert, "-signkey", $CAkey,
"-extfile", $CAconf, "-extensions", "v3_ca"], "-extfile", $cnf, "-extensions", "v3_ca"],
stdout => "err.ss")), stdout => "err.ss")),
'convert request into self-signed cert'); 'convert request into self-signed cert');
@ -167,7 +161,7 @@ sub testss {
'verify signature'); 'verify signature');
skip 'failure', 10 unless skip 'failure', 10 unless
ok(run(app([@reqcmd, "-config", $Uconf, ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq",
"-out", $Ureq, "-keyout", $Ukey, @req_new], "-out", $Ureq, "-keyout", $Ukey, @req_new],
stdout => "err.ss")), stdout => "err.ss")),
'make a user cert request'); 'make a user cert request');
@ -176,7 +170,7 @@ sub testss {
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30", ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
"-req", "-out", $Ucert, "-req", "-out", $Ucert,
"-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
"-extfile", $Uconf, "-extensions", "v3_ee"], "-extfile", $cnf, "-extensions", "v3_ee"],
stdout => "err.ss")) stdout => "err.ss"))
&& run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])), && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
'sign user cert request'); 'sign user cert request');
@ -202,7 +196,8 @@ sub testss {
stdout => "err.ss")), stdout => "err.ss")),
"make a DSA key"); "make a DSA key");
skip 'failure', 3 unless skip 'failure', 3 unless
ok(run(app([@reqcmd, "-new", "-config", $Uconf, ok(run(app([@reqcmd, "-new", "-config", $cnf,
"-section", "userreq",
"-out", $Dreq, "-key", $Dkey], "-out", $Dreq, "-key", $Dkey],
stdout => "err.ss")), stdout => "err.ss")),
"make a DSA user cert request"); "make a DSA user cert request");
@ -214,7 +209,7 @@ sub testss {
"-out", $Dcert, "-out", $Dcert,
"-CA", $CAcert, "-CAkey", $CAkey, "-CA", $CAcert, "-CAkey", $CAkey,
"-CAserial", $CAserial, "-CAserial", $CAserial,
"-extfile", $Uconf, "-extfile", $cnf,
"-extensions", "v3_ee_dsa"], "-extensions", "v3_ee_dsa"],
stdout => "err.ss")), stdout => "err.ss")),
"sign DSA user cert request"); "sign DSA user cert request");
@ -247,7 +242,8 @@ sub testss {
"-out", "ecp.ss"])), "-out", "ecp.ss"])),
"make EC parameters"); "make EC parameters");
skip 'failure', 3 unless skip 'failure', 3 unless
ok(run(app([@reqcmd, "-config", $Uconf, ok(run(app([@reqcmd, "-config", $cnf,
"-section", "userreq",
"-out", $Ereq, "-keyout", $Ekey, "-out", $Ereq, "-keyout", $Ekey,
"-newkey", "ec:ecp.ss"], "-newkey", "ec:ecp.ss"],
stdout => "err.ss")), stdout => "err.ss")),
@ -260,7 +256,7 @@ sub testss {
"-out", $Ecert, "-out", $Ecert,
"-CA", $CAcert, "-CAkey", $CAkey, "-CA", $CAcert, "-CAkey", $CAkey,
"-CAserial", $CAserial, "-CAserial", $CAserial,
"-extfile", $Uconf, "-extfile", $cnf,
"-extensions", "v3_ee_ec"], "-extensions", "v3_ee_ec"],
stdout => "err.ss")), stdout => "err.ss")),
"sign ECDSA/ECDH user cert request"); "sign ECDSA/ECDH user cert request");
@ -277,7 +273,7 @@ sub testss {
}; };
skip 'failure', 5 unless skip 'failure', 5 unless
ok(run(app([@reqcmd, "-config", $P1conf, ok(run(app([@reqcmd, "-config", $proxycnf,
"-out", $P1req, "-keyout", $P1key, @req_new], "-out", $P1req, "-keyout", $P1key, @req_new],
stdout => "err.ss")), stdout => "err.ss")),
'make a proxy cert request'); 'make a proxy cert request');
@ -287,7 +283,7 @@ sub testss {
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30", ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
"-req", "-out", $P1cert, "-req", "-out", $P1cert,
"-CA", $Ucert, "-CAkey", $Ukey, "-CA", $Ucert, "-CAkey", $Ukey,
"-extfile", $P1conf, "-extensions", "v3_proxy"], "-extfile", $proxycnf, "-extensions", "proxy"],
stdout => "err.ss")), stdout => "err.ss")),
'sign proxy with user cert'); 'sign proxy with user cert');
@ -300,7 +296,7 @@ sub testss {
'Certificate details'); 'Certificate details');
skip 'failure', 2 unless skip 'failure', 2 unless
ok(run(app([@reqcmd, "-config", $P2conf, ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req",
"-out", $P2req, "-keyout", $P2key, "-out", $P2req, "-keyout", $P2key,
@req_new], @req_new],
stdout => "err.ss")), stdout => "err.ss")),
@ -311,7 +307,7 @@ sub testss {
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30", ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
"-req", "-out", $P2cert, "-req", "-out", $P2cert,
"-CA", $P1cert, "-CAkey", $P1key, "-CA", $P1cert, "-CAkey", $P1key,
"-extfile", $P2conf, "-extensions", "v3_proxy"], "-extfile", $proxycnf, "-extensions", "proxy_2"],
stdout => "err.ss")), stdout => "err.ss")),
'sign second proxy cert request with the first proxy cert'); 'sign second proxy cert request with the first proxy cert');

5
test/recipes/90-test_store.t
View File

@ -16,6 +16,7 @@ my $test_name = "test_store";
setup($test_name); setup($test_name);
my $mingw = config('target') =~ m|^mingw|; my $mingw = config('target') =~ m|^mingw|;
my $cnf=srctop_file("test","ca-and-certs.cnf");
my @noexist_files = my @noexist_files =
( "test/blahdiblah.pem", ( "test/blahdiblah.pem",
@ -295,7 +296,7 @@ sub init {
}, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files)) }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
# *-cert.pem (intermediary for the .p12 inits) # *-cert.pem (intermediary for the .p12 inits)
&& run(app(["openssl", "req", "-x509", && run(app(["openssl", "req", "-x509",
"-config", data_file("ca.cnf"), "-nodes", "-config", $cnf, "-nodes",
"-out", "cacert.pem", "-keyout", "cakey.pem"])) "-out", "cacert.pem", "-keyout", "cakey.pem"]))
&& runall(sub { && runall(sub {
my $srckey = shift; my $srckey = shift;
@ -303,7 +304,7 @@ sub init {
(my $csr = $dstfile) =~ s|\.pem|.csr|; (my $csr = $dstfile) =~ s|\.pem|.csr|;
(run(app(["openssl", "req", "-new", (run(app(["openssl", "req", "-new",
"-config", data_file("user.cnf"), "-config", $cnf,
"-key", $srckey, "-out", $csr])) "-key", $srckey, "-out", $csr]))
&& &&
run(app(["openssl", "x509", "-days", "3650", run(app(["openssl", "x509", "-days", "3650",