openssl
/
openssl
mirror of https://github.com/openssl/openssl
1
0
Fork 0
Code Issues Releases Wiki Activity

Cleanup cert config files for tests 

Merge test/P[12]ss.cnf into one config file
Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf
Remove Netscape cert extensions, add keyUsage comment from some cnf files

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
This commit is contained in:
Rich Salz 2020-03-04 14:08:31 -05:00 committed by Tomas Mraz
parent 5c01a133ec
commit 4e6e57cfcd
15 changed files with 198 additions and 345 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
apps/openssl-vms.cnf
View File

@ -171,27 +171,9 @@ unstructuredName = An optional company name
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

53
apps/openssl.cnf
View File

@ -171,27 +171,9 @@ unstructuredName = An optional company name
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

6
demos/certs/apps/apps.cnf
View File

@ -35,9 +35,6 @@ commonName = $ENV::CN
basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
[ ec_cert ]
# These extensions are added when 'ca' signs a request for an end entity
@ -46,9 +43,6 @@ nsComment = "OpenSSL Generated Certificate"
basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

6
demos/certs/ca.cnf
View File

@ -35,9 +35,6 @@ commonName = $ENV::CN
basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
@ -47,9 +44,6 @@ authorityKeyIdentifier=keyid
basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

4
doc/man7/proxy-certificates.pod
View File

@ -116,7 +116,7 @@ two commands:
openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \
-CA user.crt -CAkey user.key -days 7 \
-extfile proxy.cnf -extensions v3_proxy1
-extfile proxy.cnf -extensions proxy
You can also create a proxy certificate using another proxy
certificate as issuer (note: using a different configuration
@ -128,7 +128,7 @@ section for the proxy extensions):
openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \
-CA proxy.crt -CAkey proxy.key -days 7 \
-extfile proxy.cnf -extensions v3_proxy2
-extfile proxy.cnf -extensions proxy_2
=head2 Using proxy certs in applications

69
test/CAss.cnf
View File

@ -1,69 +0,0 @@
####################################################################
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha1
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
commonName = Common Name (eg, YOUR name)
commonName_value = Dodgy CA
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
x509_extensions = v3_ca # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true,pathlen:1
keyUsage = cRLSign, keyCertSign
issuerAltName=issuer:copy

31
test/P1ss.cnf
View File

@ -1,31 +0,0 @@
####################################################################
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha256
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
0.commonName = Common Name (eg, YOUR name)
0.commonName_value = Brother 1
1.commonName = Common Name (eg, YOUR name)
1.commonName_value = Brother 2
2.commonName = Common Name (eg, YOUR name)
2.commonName_value = Proxy 1
[ v3_proxy ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB

39
test/P2ss.cnf
View File

@ -1,39 +0,0 @@
####################################################################
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha256
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
0.commonName = Common Name (eg, YOUR name)
0.commonName_value = Brother 1
1.commonName = Common Name (eg, YOUR name)
1.commonName_value = Brother 2
2.commonName = Common Name (eg, YOUR name)
2.commonName_value = Proxy 1
3.commonName = Common Name (eg, YOUR name)
3.commonName_value = Proxy 2
[ v3_proxy ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
proxyCertInfo=critical,@proxy_ext
[ proxy_ext ]
language=id-ppl-anyLanguage
pathlen=0
policy=text:BC

36
test/Uss.cnf
View File

@ -1,36 +0,0 @@
CN2 = Brother 2
####################################################################
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha256
prompt = no
[ req_distinguished_name ]
countryName = AU
organizationName = Dodgy Brothers
0.commonName = Brother 1
1.commonName = $ENV::CN2
[ v3_ee ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ee_dsa ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature
[ v3_ee_ec ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyAgreement

90
test/ca-and-certs.cnf Normal file
View File

@ -0,0 +1,90 @@
CN2 = Brother 2
####################################################################
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha1
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
commonName = Common Name (eg, YOUR name)
commonName_value = Dodgy CA
####################################################################
[ userreq ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = user_dn
encrypt_rsa_key = no
default_md = sha256
prompt = no
[ user_dn ]
countryName = AU
organizationName = Dodgy Brothers
0.commonName = Brother 1
1.commonName = $ENV::CN2
[ v3_ee ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ee_dsa ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature
[ v3_ee_ec ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyAgreement
####################################################################
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
x509_extensions = v3_ca
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days= 30
default_md = sha1
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true,pathlen:1
keyUsage = cRLSign, keyCertSign
issuerAltName = issuer:copy

61
test/proxy.cnf Normal file
View File

@ -0,0 +1,61 @@
## Config file for proxy certificate testing.
[ req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name_p1
encrypt_rsa_key = no
default_md = sha256
[ req_distinguished_name_p1 ]
countryName = Country Name (2 letter code)
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
0.commonName = Common Name (eg, YOUR name)
0.commonName_value = Brother 1
1.commonName = Common Name (eg, YOUR name)
1.commonName_value = Brother 2
2.commonName = Common Name (eg, YOUR name)
2.commonName_value = Proxy 1
[ proxy ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
####################################################################
[ proxy2_req ]
default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name_p2
encrypt_rsa_key = no
default_md = sha256
[ req_distinguished_name_p2 ]
countryName = Country Name (2 letter code)
countryName_value = AU
organizationName = Organization Name (eg, company)
organizationName_value = Dodgy Brothers
0.commonName = Common Name (eg, YOUR name)
0.commonName_value = Brother 1
1.commonName = Common Name (eg, YOUR name)
1.commonName_value = Brother 2
2.commonName = Common Name (eg, YOUR name)
2.commonName_value = Proxy 1
3.commonName = Common Name (eg, YOUR name)
3.commonName_value = Proxy 2
[ proxy_2 ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
proxyCertInfo = critical,@proxy_ext
[ proxy_ext ]
language = id-ppl-anyLanguage
pathlen = 0
policy = text:BC

31
test/recipes/25-test_verify_store.t
View File

@ -18,34 +18,31 @@ plan tests => 10;
my $dummycnf = srctop_file("apps", "openssl.cnf");
my $cnf=srctop_file("test","ca-and-certs.cnf");
my $CAkey = "keyCA.ss";
my $CAcert="certCA.ss";
my $CAserial="certCA.srl";
my $CAreq="reqCA.ss";
my $CAconf=srctop_file("test","CAss.cnf");
my $CAreq2="req2CA.ss"; # temp
my $Uconf=srctop_file("test","Uss.cnf");
my $Ukey="keyU.ss";
my $Ureq="reqU.ss";
my $Ucert="certU.ss";
SKIP: {
req( 'make cert request',
qw(-new),
-config => $CAconf,
qw(-new -section userreq),
-config => $cnf,
-out => $CAreq,
-keyout => $CAkey );
skip 'failure', 8 unless
x509( 'convert request into self-signed cert',
qw(-req -CAcreateserial),
qw(-req -CAcreateserial -days 30),
qw(-extensions v3_ca),
-in => $CAreq,
-out => $CAcert,
-signkey => $CAkey,
-days => 30,
-extfile => $CAconf,
-extensions => 'v3_ca' );
-extfile => $cnf );
skip 'failure', 7 unless
x509( 'convert cert into a cert request',
@ -56,13 +53,13 @@ SKIP: {
skip 'failure', 6 unless
req( 'verify request 1',
qw(-verify -noout),
qw(-verify -noout -section userreq),
-config => $dummycnf,
-in => $CAreq );
skip 'failure', 5 unless
req( 'verify request 2',
qw(-verify -noout),
qw(-verify -noout -section userreq),
-config => $dummycnf,
-in => $CAreq2 );
@ -73,29 +70,27 @@ SKIP: {
skip 'failure', 3 unless
req( 'make a user cert request',
qw(-new),
-config => $Uconf,
qw(-new -section userreq),
-config => $cnf,
-out => $Ureq,
-keyout => $Ukey );
skip 'failure', 2 unless
x509( 'sign user cert request',
qw(-req -CAcreateserial),
qw(-req -CAcreateserial -days 30 -extensions v3_ee),
-in => $Ureq,
-out => $Ucert,
-CA => $CAcert,
-CAkey => $CAkey,
-CAserial => $CAserial,
-days => 30,
-extfile => $Uconf,
-extensions => 'v3_ee' )
-extfile => $cnf )
&& verify( undef,
-CAstore => $CAcert,
$Ucert );
skip 'failure', 0 unless
x509( 'Certificate details',
qw( -subject -issuer -startdate -enddate -noout),
qw(-subject -issuer -startdate -enddate -noout),
-in => $Ucert );
}

23
test/recipes/80-test_ca.t
View File

@ -18,26 +18,29 @@ use OpenSSL::Test::Utils;
setup("test_ca");
$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
my $std_openssl_cnf =
srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf");
my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';;
my $std_openssl_cnf = '"'
. srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
. '"';
rmtree("demoCA", { safe => 0 });
plan tests => 6;
SKIP: {
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
$ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
skip "failed creating CA structure", 4
if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
'creating CA structure');
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
$ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
skip "failed creating new certificate request", 3
if !ok(run(perlapp(["CA.pl","-newreq",
"-extra-req","-outform DER"])),
'-extra-req', '-outform DER -section userreq'])),
'creating certificate request');
$ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config "'.$std_openssl_cnf.'"';
$ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
skip "failed to sign certificate request", 2
if !is(yes(cmdstr(perlapp(["CA.pl", "-sign", "-extra-ca"]))), 0,
if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
'signing certificate request');
ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
@ -46,8 +49,8 @@ plan tests => 6;
skip "CT not configured, can't use -precert", 1
if disabled("ct");
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)),
$ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)),
'creating new pre-certificate');
}
@ -56,7 +59,7 @@ SKIP: {
if disabled("sm2");
is(yes(cmdstr(app(["openssl", "ca", "-config",
srctop_file("test", "CAss.cnf"),
$cnf,
"-in", srctop_file("test", "certs", "sm2-csr.pem"),
"-out", "sm2-test.crt",
"-sigopt", "distid:1234567812345678",

36
test/recipes/80-test_ssl_old.t
View File

@ -44,33 +44,27 @@ my @verifycmd = ("openssl", "verify");
my @genpkeycmd = ("openssl", "genpkey");
my $dummycnf = srctop_file("apps", "openssl.cnf");
my $cnf=srctop_file("test","ca-and-certs.cnf");
my $CAkey = "keyCA.ss";
my $CAcert="certCA.ss";
my $CAserial="certCA.srl";
my $CAreq="reqCA.ss";
my $CAconf=srctop_file("test","CAss.cnf");
my $CAreq2="req2CA.ss"; # temp
my $Uconf=srctop_file("test","Uss.cnf");
my $Ukey="keyU.ss";
my $Ureq="reqU.ss";
my $Ucert="certU.ss";
my $Dkey="keyD.ss";
my $Dreq="reqD.ss";
my $Dcert="certD.ss";
my $Ekey="keyE.ss";
my $Ereq="reqE.ss";
my $Ecert="certE.ss";
my $P1conf=srctop_file("test","P1ss.cnf");
my $proxycnf=srctop_file("test","proxy.cnf");
my $P1key="keyP1.ss";
my $P1req="reqP1.ss";
my $P1cert="certP1.ss";
my $P1intermediate="tmp_intP1.ss";
my $P2conf=srctop_file("test","P2ss.cnf");
my $P2key="keyP2.ss";
my $P2req="reqP2.ss";
my $P2cert="certP2.ss";
@ -133,7 +127,7 @@ sub testss {
SKIP: {
skip 'failure', 16 unless
ok(run(app([@reqcmd, "-config", $CAconf,
ok(run(app([@reqcmd, "-config", $cnf,
"-out", $CAreq, "-keyout", $CAkey,
@req_new])),
'make cert request');
@ -141,7 +135,7 @@ sub testss {
skip 'failure', 15 unless
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
"-req", "-out", $CAcert, "-signkey", $CAkey,
"-extfile", $CAconf, "-extensions", "v3_ca"],
"-extfile", $cnf, "-extensions", "v3_ca"],
stdout => "err.ss")),
'convert request into self-signed cert');
@ -167,7 +161,7 @@ sub testss {
'verify signature');
skip 'failure', 10 unless
ok(run(app([@reqcmd, "-config", $Uconf,
ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq",
"-out", $Ureq, "-keyout", $Ukey, @req_new],
stdout => "err.ss")),
'make a user cert request');
@ -176,7 +170,7 @@ sub testss {
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
"-req", "-out", $Ucert,
"-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
"-extfile", $Uconf, "-extensions", "v3_ee"],
"-extfile", $cnf, "-extensions", "v3_ee"],
stdout => "err.ss"))
&& run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
'sign user cert request');
@ -202,7 +196,8 @@ sub testss {
stdout => "err.ss")),
"make a DSA key");
skip 'failure', 3 unless
ok(run(app([@reqcmd, "-new", "-config", $Uconf,
ok(run(app([@reqcmd, "-new", "-config", $cnf,
"-section", "userreq",
"-out", $Dreq, "-key", $Dkey],
stdout => "err.ss")),
"make a DSA user cert request");
@ -214,7 +209,7 @@ sub testss {
"-out", $Dcert,
"-CA", $CAcert, "-CAkey", $CAkey,
"-CAserial", $CAserial,
"-extfile", $Uconf,
"-extfile", $cnf,
"-extensions", "v3_ee_dsa"],
stdout => "err.ss")),
"sign DSA user cert request");
@ -247,7 +242,8 @@ sub testss {
"-out", "ecp.ss"])),
"make EC parameters");
skip 'failure', 3 unless
ok(run(app([@reqcmd, "-config", $Uconf,
ok(run(app([@reqcmd, "-config", $cnf,
"-section", "userreq",
"-out", $Ereq, "-keyout", $Ekey,
"-newkey", "ec:ecp.ss"],
stdout => "err.ss")),
@ -260,7 +256,7 @@ sub testss {
"-out", $Ecert,
"-CA", $CAcert, "-CAkey", $CAkey,
"-CAserial", $CAserial,
"-extfile", $Uconf,
"-extfile", $cnf,
"-extensions", "v3_ee_ec"],
stdout => "err.ss")),
"sign ECDSA/ECDH user cert request");
@ -277,7 +273,7 @@ sub testss {
};
skip 'failure', 5 unless
ok(run(app([@reqcmd, "-config", $P1conf,
ok(run(app([@reqcmd, "-config", $proxycnf,
"-out", $P1req, "-keyout", $P1key, @req_new],
stdout => "err.ss")),
'make a proxy cert request');
@ -287,7 +283,7 @@ sub testss {
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
"-req", "-out", $P1cert,
"-CA", $Ucert, "-CAkey", $Ukey,
"-extfile", $P1conf, "-extensions", "v3_proxy"],
"-extfile", $proxycnf, "-extensions", "proxy"],
stdout => "err.ss")),
'sign proxy with user cert');
@ -300,7 +296,7 @@ sub testss {
'Certificate details');
skip 'failure', 2 unless
ok(run(app([@reqcmd, "-config", $P2conf,
ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req",
"-out", $P2req, "-keyout", $P2key,
@req_new],
stdout => "err.ss")),
@ -311,7 +307,7 @@ sub testss {
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
"-req", "-out", $P2cert,
"-CA", $P1cert, "-CAkey", $P1key,
"-extfile", $P2conf, "-extensions", "v3_proxy"],
"-extfile", $proxycnf, "-extensions", "proxy_2"],
stdout => "err.ss")),
'sign second proxy cert request with the first proxy cert');

5
test/recipes/90-test_store.t
View File

@ -16,6 +16,7 @@ my $test_name = "test_store";
setup($test_name);
my $mingw = config('target') =~ m|^mingw|;
my $cnf=srctop_file("test","ca-and-certs.cnf");
my @noexist_files =
( "test/blahdiblah.pem",
@ -295,7 +296,7 @@ sub init {
}, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
# *-cert.pem (intermediary for the .p12 inits)
&& run(app(["openssl", "req", "-x509",
"-config", data_file("ca.cnf"), "-nodes",
"-config", $cnf, "-nodes",
"-out", "cacert.pem", "-keyout", "cakey.pem"]))
&& runall(sub {
my $srckey = shift;
@ -303,7 +304,7 @@ sub init {
(my $csr = $dstfile) =~ s|\.pem|.csr|;
(run(app(["openssl", "req", "-new",
"-config", data_file("user.cnf"),
"-config", $cnf,
"-key", $srckey, "-out", $csr]))
&&
run(app(["openssl", "x509", "-days", "3650",