From 4e6e57cfcdd75b827ff7171927d87e95b5b86ae8 Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Wed, 4 Mar 2020 14:08:31 -0500 Subject: [PATCH] Cleanup cert config files for tests Merge test/P[12]ss.cnf into one config file Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf Remove Netscape cert extensions, add keyUsage comment from some cnf files Reviewed-by: Matthias St. Pierre Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11347) --- apps/openssl-vms.cnf | 53 ----------------- apps/openssl.cnf | 53 ----------------- demos/certs/apps/apps.cnf | 6 -- demos/certs/ca.cnf | 6 -- doc/man7/proxy-certificates.pod | 4 +- test/CAss.cnf | 69 ---------------------- test/P1ss.cnf | 31 ---------- test/P2ss.cnf | 39 ------------- test/Uss.cnf | 36 ------------ test/ca-and-certs.cnf | 90 +++++++++++++++++++++++++++++ test/proxy.cnf | 61 +++++++++++++++++++ test/recipes/25-test_verify_store.t | 31 +++++----- test/recipes/80-test_ca.t | 23 ++++---- test/recipes/80-test_ssl_old.t | 36 +++++------- test/recipes/90-test_store.t | 5 +- 15 files changed, 198 insertions(+), 345 deletions(-) delete mode 100644 test/CAss.cnf delete mode 100644 test/P1ss.cnf delete mode 100644 test/P2ss.cnf delete mode 100644 test/Uss.cnf create mode 100644 test/ca-and-certs.cnf create mode 100644 test/proxy.cnf diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index c7e7abe994..2420e9c9f5 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf 
@@ -171,27 +171,9 @@ unstructuredName = An optional company name basicConstraints=CA:FALSE -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer @@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer # Copy subject details # issuerAltName=issuer:copy -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - # This is required for TSA certificates. # extendedKeyUsage = critical,timeStamping @@ -242,9 +217,6 @@ basicConstraints = critical,CA:true # left out by default. # keyUsage = cRLSign, keyCertSign -# Some might want this also -# nsCertType = sslCA, emailCA - # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details 
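Review bot: After the first hunk on this line the end-entity extension section (the one opening with `basicConstraints=CA:FALSE`, presumably `[ usr_cert ]`; its header is outside the hunk) has neither the nsCertType examples nor an active keyUsage, so a certificate issued from the stock template carries no usage restriction at all; the identical hunks in apps/openssl.cnf have the same effect. Enabling `keyUsage` by default would change the template's output for existing users, so at least make the consequence explicit in the comment that survives, e.g. `# This is typical in keyUsage for a client certificate; without it (and` / `# without nsCertType) the certificate is not restricted to any particular use.` Dropping the uncommented `nsComment = "OpenSSL Generated Certificate"` also changes the extension set of every certificate issued with the default config, which seems worth a CHANGES entry. The second and third hunks on this line only remove commented-out ns* lines.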
@@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always basicConstraints=CA:FALSE -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer @@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer # Copy subject details # issuerAltName=issuer:copy -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - # This really needs to be in place for it to be a proxy certificate. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 52706ae166..4fd5286d2e 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf 
@@ -171,27 +171,9 @@ unstructuredName = An optional company name basicConstraints=CA:FALSE -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer @@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer # Copy subject details # issuerAltName=issuer:copy -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - # This is required for TSA certificates. # extendedKeyUsage = critical,timeStamping @@ -242,9 +217,6 @@ basicConstraints = critical,CA:true # left out by default. # keyUsage = cRLSign, keyCertSign -# Some might want this also -# nsCertType = sslCA, emailCA - # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details 
@@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always basicConstraints=CA:FALSE -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer @@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer # Copy subject details # issuerAltName=issuer:copy -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - # This really needs to be in place for it to be a proxy certificate. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf index bd762b7ddc..07a3d10b55 100644 --- a/demos/certs/apps/apps.cnf +++ b/demos/certs/apps/apps.cnf @@ -35,9 +35,6 @@ commonName = $ENV::CN basicConstraints=critical, CA:FALSE keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - [ ec_cert ] # These extensions are added when 'ca' signs a request for an end entity 
@@ -46,9 +43,6 @@ nsComment = "OpenSSL Generated Certificate" basicConstraints=critical, CA:FALSE keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf index c75a71a6aa..2fbf20490b 100644 --- a/demos/certs/ca.cnf +++ b/demos/certs/ca.cnf @@ -35,9 +35,6 @@ commonName = $ENV::CN basicConstraints=critical, CA:FALSE keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid @@ -47,9 +44,6 @@ authorityKeyIdentifier=keyid basicConstraints=critical, CA:FALSE keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid diff --git a/doc/man7/proxy-certificates.pod b/doc/man7/proxy-certificates.pod index df5ee1b4b5..ca1f491ac5 100644 --- a/doc/man7/proxy-certificates.pod +++ b/doc/man7/proxy-certificates.pod @@ -116,7 +116,7 @@ two commands: openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \ -CA user.crt -CAkey user.key -days 7 \ - -extfile proxy.cnf -extensions v3_proxy1 + -extfile proxy.cnf -extensions proxy You can also create a proxy certificate using another proxy certificate as issuer (note: using a different configuration 
@@ -128,7 +128,7 @@ section for the proxy extensions): openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \ -CA proxy.crt -CAkey proxy.key -days 7 \ - -extfile proxy.cnf -extensions v3_proxy2 + -extfile proxy.cnf -extensions proxy_2 =head2 Using proxy certs in applications diff --git a/test/CAss.cnf b/test/CAss.cnf deleted file mode 100644 index d63f85628b..0000000000 --- a/test/CAss.cnf +++ /dev/null 
@@ -1,69 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = keySS.pem
-distinguished_name = req_distinguished_name
-encrypt_rsa_key = no
-default_md = sha1
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
-countryName_value = AU
-
-organizationName = Organization Name (eg, company)
-organizationName_value = Dodgy Brothers
-
-commonName = Common Name (eg, YOUR name)
-commonName_value = Dodgy CA
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = ./demoCA # Where everything is kept
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-#unique_subject = no # Set to 'no' to allow creation of
- # several certificates with same subject.
-new_certs_dir = $dir/newcerts # default place for new certs.
-
-certificate = $dir/cacert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/private/cakey.pem# The private key
-
-x509_extensions = v3_ca # The extensions to add to the cert
-
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = md5 # which md to use.
-preserve = no # keep passed DN ordering
-
-policy = policy_anything
-
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-
-
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = critical,CA:true,pathlen:1
-keyUsage = cRLSign, keyCertSign
-issuerAltName=issuer:copy
diff --git a/test/P1ss.cnf b/test/P1ss.cnf
deleted file mode 100644
index 69baaaf849..0000000000
--- a/test/P1ss.cnf
+++ /dev/null
@@ -1,31 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = keySS.pem
-distinguished_name = req_distinguished_name
-encrypt_rsa_key = no
-default_md = sha256
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
-countryName_value = AU
-
-organizationName = Organization Name (eg, company)
-organizationName_value = Dodgy Brothers
-
-0.commonName = Common Name (eg, YOUR name)
-0.commonName_value = Brother 1
-
-1.commonName = Common Name (eg, YOUR name)
-1.commonName_value = Brother 2
-
-2.commonName = Common Name (eg, YOUR name)
-2.commonName_value = Proxy 1
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/test/P2ss.cnf b/test/P2ss.cnf
deleted file mode 100644
index 8d4f3c8a68..0000000000
--- a/test/P2ss.cnf
+++ /dev/null
@@ -1,39 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = keySS.pem
-distinguished_name = req_distinguished_name
-encrypt_rsa_key = no
-default_md = sha256
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
-countryName_value = AU
-
-organizationName = Organization Name (eg, company)
-organizationName_value = Dodgy Brothers
-
-0.commonName = Common Name (eg, YOUR name)
-0.commonName_value = Brother 1
-
-1.commonName = Common Name (eg, YOUR name)
-1.commonName_value = Brother 2
-
-2.commonName = Common Name (eg, YOUR name)
-2.commonName_value = Proxy 1
-
-3.commonName = Common Name (eg, YOUR name)
-3.commonName_value = Proxy 2
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,@proxy_ext
-
-[ proxy_ext ]
-language=id-ppl-anyLanguage
-pathlen=0
-policy=text:BC
diff --git a/test/Uss.cnf b/test/Uss.cnf
deleted file mode 100644
index 95ffb67deb..0000000000
--- a/test/Uss.cnf
+++ /dev/null
@@ -1,36 +0,0 @@
-
-CN2 = Brother 2
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = keySS.pem
-distinguished_name = req_distinguished_name
-encrypt_rsa_key = no
-default_md = sha256
-prompt = no
-
-[ req_distinguished_name ]
-countryName = AU
-organizationName = Dodgy Brothers
-0.commonName = Brother 1
-1.commonName = $ENV::CN2
-
-[ v3_ee ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ee_dsa ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature
-
-[ v3_ee_ec ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyAgreement
-
diff --git a/test/ca-and-certs.cnf b/test/ca-and-certs.cnf
new file mode 100644
index 0000000000..598db2b6a0
--- /dev/null
+++ b/test/ca-and-certs.cnf
@@ -0,0 +1,90 @@
+
+CN2 = Brother 2
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha1
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_value = AU
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+commonName = Common Name (eg, YOUR name)
+commonName_value = Dodgy CA
+
+####################################################################
+[ userreq ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = user_dn
+encrypt_rsa_key = no
+default_md = sha256
+prompt = no
+
+[ user_dn ]
+countryName = AU
+organizationName = Dodgy Brothers
+0.commonName = Brother 1
+1.commonName = $ENV::CN2
+
+[ v3_ee ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ee_dsa ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature
+
+[ v3_ee_ec ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyAgreement
+
+####################################################################
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = ./demoCA
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+x509_extensions = v3_ca
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 365
+default_crl_days= 30
+default_md = sha1
+preserve = no
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName = issuer:copy
diff --git a/test/proxy.cnf b/test/proxy.cnf
new file mode 100644
index 0000000000..e6b60542bb
--- /dev/null
+++ b/test/proxy.cnf
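Review bot: Both `[ req ]` and `[ CA_default ]` in the new file set `default_md = sha1` (the latter was md5 in the deleted CAss.cnf, so the merge already changes the CA's signing digest), while the `[ userreq ]` section uses sha256; unless a recipe deliberately depends on SHA-1-signed test certificates, `default_md = sha256` in both sections would keep the test CA consistent with the rest of the file and avoid depending on SHA-1 signature acceptance at stricter verification levels. The bare `CN2 = Brother 2` above the first section is the fallback for `1.commonName = $ENV::CN2` in `[ user_dn ]`, which is not obvious to a reader; a comment such as `# Default for the $ENV::CN2 lookup in [ user_dn ] when CN2 is not set in the environment` would explain it. The section-level comments from the old CAss.cnf (what `[ req ]` versus `[ userreq ]` is for, and that `[ userreq ]` is selected with `-section userreq`) were dropped in the merge and are worth restoring as one line per section.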
@@ -0,0 +1,61 @@
+
+## Config file for proxy certificate testing.
+
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name_p1
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name_p1 ]
+countryName = Country Name (2 letter code)
+countryName_value = AU
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+[ proxy ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+
+####################################################################
+
+[ proxy2_req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name_p2
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name_p2 ]
+countryName = Country Name (2 letter code)
+countryName_value = AU
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+3.commonName = Common Name (eg, YOUR name)
+3.commonName_value = Proxy 2
+
+[ proxy_2 ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+proxyCertInfo = critical,@proxy_ext
+
+[ proxy_ext ]
+language = id-ppl-anyLanguage
+pathlen = 0
+policy = text:BC
diff --git a/test/recipes/25-test_verify_store.t b/test/recipes/25-test_verify_store.t
index c8c57a7b2b..9246f33868 100644
--- a/test/recipes/25-test_verify_store.t
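Review bot: The header comment says only that this is for proxy certificate testing, but the file holds two request/extension pairs whose selection is not explained, and the `proxy` / `proxy_2` section names are now quoted verbatim in doc/man7/proxy-certificates.pod (changed in the same commit), so renaming them later would silently break the documentation. Extend the header with two lines along the lines of `## [ req ] + [ proxy ] build the first proxy cert; [ proxy2_req ] (selected with -section) + [ proxy_2 ] build the one issued by it.` and `## The "proxy" and "proxy_2" section names are referenced from doc/man7/proxy-certificates.pod.` A one-line note on `[ proxy_2 ]` that `pathlen = 0` in `[ proxy_ext ]` is what stops the second proxy from issuing a further one would also help the next reader of 80-test_ssl_old.t.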
+++ b/test/recipes/25-test_verify_store.t @@ -18,34 +18,31 @@ plan tests => 10; my $dummycnf = srctop_file("apps", "openssl.cnf"); +my $cnf=srctop_file("test","ca-and-certs.cnf"); my $CAkey = "keyCA.ss"; my $CAcert="certCA.ss"; my $CAserial="certCA.srl"; my $CAreq="reqCA.ss"; -my $CAconf=srctop_file("test","CAss.cnf"); my $CAreq2="req2CA.ss"; # temp - -my $Uconf=srctop_file("test","Uss.cnf"); my $Ukey="keyU.ss"; my $Ureq="reqU.ss"; my $Ucert="certU.ss"; SKIP: { req( 'make cert request', - qw(-new), - -config => $CAconf, + qw(-new -section userreq), + -config => $cnf, -out => $CAreq, -keyout => $CAkey ); skip 'failure', 8 unless x509( 'convert request into self-signed cert', - qw(-req -CAcreateserial), + qw(-req -CAcreateserial -days 30), + qw(-extensions v3_ca), -in => $CAreq, -out => $CAcert, -signkey => $CAkey, - -days => 30, - -extfile => $CAconf, - -extensions => 'v3_ca' ); + -extfile => $cnf ); skip 'failure', 7 unless x509( 'convert cert into a cert request', @@ -56,13 +53,13 @@ SKIP: { skip 'failure', 6 unless req( 'verify request 1', - qw(-verify -noout), + qw(-verify -noout -section userreq), -config => $dummycnf, -in => $CAreq ); skip 'failure', 5 unless req( 'verify request 2', - qw(-verify -noout), + qw(-verify -noout -section userreq), -config => $dummycnf, -in => $CAreq2 ); 
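Review bot: The 'make cert request' call in the first hunk now passes `-section userreq`, so the self-signed certificate later used as `-CAstore` gets the `[ user_dn ]` subject (Brother 1 / Brother 2) instead of the `[ req ]` "Dodgy CA" subject; 80-test_ssl_old.t builds the same CA request from `[ req ]` without `-section`, and because the user request in the next hunk also uses `userreq`, the issued user certificate here ends up with subject equal to issuer, which the old CAss.cnf/Uss.cnf split did not produce. Unless that is intended, keep the CA request on the default section: `qw(-new),` / `-config => $cnf,`. The two 'verify request' calls in the second hunk also pass `-section userreq` together with `$dummycnf` (apps/openssl.cnf), which has no such section; presumably harmless for `-verify`, but misleading, so consider dropping it there too.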
@@ -73,29 +70,27 @@ SKIP: { skip 'failure', 3 unless req( 'make a user cert request', - qw(-new), - -config => $Uconf, + qw(-new -section userreq), + -config => $cnf, -out => $Ureq, -keyout => $Ukey ); skip 'failure', 2 unless x509( 'sign user cert request', - qw(-req -CAcreateserial), + qw(-req -CAcreateserial -days 30 -extensions v3_ee), -in => $Ureq, -out => $Ucert, -CA => $CAcert, -CAkey => $CAkey, -CAserial => $CAserial, - -days => 30, - -extfile => $Uconf, - -extensions => 'v3_ee' ) + -extfile => $cnf ) && verify( undef, -CAstore => $CAcert, $Ucert ); skip 'failure', 0 unless x509( 'Certificate details', - qw( -subject -issuer -startdate -enddate -noout), + qw(-subject -issuer -startdate -enddate -noout), -in => $Ucert ); } diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t index 3d4dfcd060..bbb0af7577 100644 --- a/test/recipes/80-test_ca.t +++ b/test/recipes/80-test_ca.t 
@@ -18,26 +18,29 @@ use OpenSSL::Test::Utils; setup("test_ca"); $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); -my $std_openssl_cnf = - srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf"); + +my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';; +my $std_openssl_cnf = '"' + . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf") + . '"'; rmtree("demoCA", { safe => 0 }); plan tests => 6; SKIP: { - $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"'; + $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; skip "failed creating CA structure", 4 if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)), 'creating CA structure'); - $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"'; + $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; skip "failed creating new certificate request", 3 if !ok(run(perlapp(["CA.pl","-newreq", - "-extra-req","-outform DER"])), + '-extra-req', '-outform DER -section userreq'])), 'creating certificate request'); - $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config "'.$std_openssl_cnf.'"'; + $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf; skip "failed to sign certificate request", 2 - if !is(yes(cmdstr(perlapp(["CA.pl", "-sign", "-extra-ca"]))), 0, + if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0, 'signing certificate request'); ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])), @@ -46,8 +49,8 @@ plan tests => 6; skip "CT not configured, can't use -precert", 1 if disabled("ct"); - $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"'; - ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)), + $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; + ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)), 'creating new pre-certificate'); } 
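Review bot: `$cnf` is declared with embedded double quotes (`'"' . srctop_file("test","ca-and-certs.cnf") . '"'`), which suits the `OPENSSL_CONFIG` shell string, but the sm2 hunk further down passes the same `$cnf` as a bare argv element to `app(["openssl", "ca", "-config", $cnf, ...])`; whether that still resolves to the file depends on how run() quotes arguments, and a source path containing whitespace would presumably end up with literal quote characters in the argument. Keeping the variable as the plain path and quoting only where the environment string is composed avoids the question: `my $cnf = srctop_file("test", "ca-and-certs.cnf");` with `$ENV{OPENSSL_CONFIG} = '-config "' . $cnf . '"';` (likewise for `$std_openssl_cnf`, whose remaining uses in the file are outside this hunk). The same declaration line also ends with a stray double semicolon `;;`.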
@@ -56,7 +59,7 @@ SKIP: { if disabled("sm2"); is(yes(cmdstr(app(["openssl", "ca", "-config", - srctop_file("test", "CAss.cnf"), + $cnf, "-in", srctop_file("test", "certs", "sm2-csr.pem"), "-out", "sm2-test.crt", "-sigopt", "distid:1234567812345678", diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index e01137d593..b49d895c32 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -44,33 +44,27 @@ my @verifycmd = ("openssl", "verify"); my @genpkeycmd = ("openssl", "genpkey"); my $dummycnf = srctop_file("apps", "openssl.cnf"); +my $cnf=srctop_file("test","ca-and-certs.cnf"); my $CAkey = "keyCA.ss"; my $CAcert="certCA.ss"; my $CAserial="certCA.srl"; my $CAreq="reqCA.ss"; -my $CAconf=srctop_file("test","CAss.cnf"); my $CAreq2="req2CA.ss"; # temp - -my $Uconf=srctop_file("test","Uss.cnf"); my $Ukey="keyU.ss"; my $Ureq="reqU.ss"; my $Ucert="certU.ss"; - my $Dkey="keyD.ss"; my $Dreq="reqD.ss"; my $Dcert="certD.ss"; - my $Ekey="keyE.ss"; my $Ereq="reqE.ss"; my $Ecert="certE.ss"; -my $P1conf=srctop_file("test","P1ss.cnf"); +my $proxycnf=srctop_file("test","proxy.cnf"); my $P1key="keyP1.ss"; my $P1req="reqP1.ss"; my $P1cert="certP1.ss"; my $P1intermediate="tmp_intP1.ss"; - -my $P2conf=srctop_file("test","P2ss.cnf"); my $P2key="keyP2.ss"; my $P2req="reqP2.ss"; my $P2cert="certP2.ss"; @@ -133,7 +127,7 @@ sub testss { SKIP: { skip 'failure', 16 unless - ok(run(app([@reqcmd, "-config", $CAconf, + ok(run(app([@reqcmd, "-config", $cnf, "-out", $CAreq, "-keyout", $CAkey, @req_new])), 'make cert request'); @@ -141,7 +135,7 @@ sub testss { skip 'failure', 15 unless ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30", "-req", "-out", $CAcert, "-signkey", $CAkey, - "-extfile", $CAconf, "-extensions", "v3_ca"], + "-extfile", $cnf, "-extensions", "v3_ca"], stdout => "err.ss")), 'convert request into self-signed cert'); 
@@ -167,7 +161,7 @@ sub testss { 'verify signature'); skip 'failure', 10 unless - ok(run(app([@reqcmd, "-config", $Uconf, + ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq", "-out", $Ureq, "-keyout", $Ukey, @req_new], stdout => "err.ss")), 'make a user cert request'); @@ -176,7 +170,7 @@ sub testss { ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30", "-req", "-out", $Ucert, "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, - "-extfile", $Uconf, "-extensions", "v3_ee"], + "-extfile", $cnf, "-extensions", "v3_ee"], stdout => "err.ss")) && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])), 'sign user cert request'); @@ -202,7 +196,8 @@ sub testss { stdout => "err.ss")), "make a DSA key"); skip 'failure', 3 unless - ok(run(app([@reqcmd, "-new", "-config", $Uconf, + ok(run(app([@reqcmd, "-new", "-config", $cnf, + "-section", "userreq", "-out", $Dreq, "-key", $Dkey], stdout => "err.ss")), "make a DSA user cert request"); @@ -214,7 +209,7 @@ sub testss { "-out", $Dcert, "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, - "-extfile", $Uconf, + "-extfile", $cnf, "-extensions", "v3_ee_dsa"], stdout => "err.ss")), "sign DSA user cert request"); @@ -247,7 +242,8 @@ sub testss { "-out", "ecp.ss"])), "make EC parameters"); skip 'failure', 3 unless - ok(run(app([@reqcmd, "-config", $Uconf, + ok(run(app([@reqcmd, "-config", $cnf, + "-section", "userreq", "-out", $Ereq, "-keyout", $Ekey, "-newkey", "ec:ecp.ss"], stdout => "err.ss")), @@ -260,7 +256,7 @@ sub testss { "-out", $Ecert, "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, - "-extfile", $Uconf, + "-extfile", $cnf, "-extensions", "v3_ee_ec"], stdout => "err.ss")), "sign ECDSA/ECDH user cert request"); @@ -277,7 +273,7 @@ sub testss { }; skip 'failure', 5 unless - ok(run(app([@reqcmd, "-config", $P1conf, + ok(run(app([@reqcmd, "-config", $proxycnf, "-out", $P1req, "-keyout", $P1key, @req_new], stdout => "err.ss")), 'make a proxy cert request'); 
@@ -287,7 +283,7 @@ sub testss { ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30", "-req", "-out", $P1cert, "-CA", $Ucert, "-CAkey", $Ukey, - "-extfile", $P1conf, "-extensions", "v3_proxy"], + "-extfile", $proxycnf, "-extensions", "proxy"], stdout => "err.ss")), 'sign proxy with user cert'); @@ -300,7 +296,7 @@ sub testss { 'Certificate details'); skip 'failure', 2 unless - ok(run(app([@reqcmd, "-config", $P2conf, + ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req", "-out", $P2req, "-keyout", $P2key, @req_new], stdout => "err.ss")), @@ -311,7 +307,7 @@ sub testss { ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30", "-req", "-out", $P2cert, "-CA", $P1cert, "-CAkey", $P1key, - "-extfile", $P2conf, "-extensions", "v3_proxy"], + "-extfile", $proxycnf, "-extensions", "proxy_2"], stdout => "err.ss")), 'sign second proxy cert request with the first proxy cert'); diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t index 3e2e69f439..09d9604e9d 100644 --- a/test/recipes/90-test_store.t +++ b/test/recipes/90-test_store.t @@ -16,6 +16,7 @@ my $test_name = "test_store"; setup($test_name); my $mingw = config('target') =~ m|^mingw|; +my $cnf=srctop_file("test","ca-and-certs.cnf"); my @noexist_files = ( "test/blahdiblah.pem", @@ -295,7 +296,7 @@ sub init { }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files)) # *-cert.pem (intermediary for the .p12 inits) && run(app(["openssl", "req", "-x509", - "-config", data_file("ca.cnf"), "-nodes", + "-config", $cnf, "-nodes", "-out", "cacert.pem", "-keyout", "cakey.pem"])) && runall(sub { my $srckey = shift; @@ -303,7 +304,7 @@ sub init { (my $csr = $dstfile) =~ s|\.pem|.csr|; (run(app(["openssl", "req", "-new", - "-config", data_file("user.cnf"), + "-config", $cnf, "-key", $srckey, "-out", $csr])) && run(app(["openssl", "x509", "-days", "3650",
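Review bot: In the `@@ -295,7` hunk of 90-test_store.t the CA certificate is now produced by `req -x509 -config $cnf` with no `-extensions`, so it is built from ca-and-certs.cnf's `[ req ]` section, which declares no `x509_extensions`; whatever CA extensions data_file("ca.cnf") supplied are not visible here, so if cacert.pem is expected to carry `basicConstraints = critical,CA:true` and the key identifiers, add `"-extensions", "v3_ca",` after `"-config", $cnf,`. The following hunk (its end is outside this view) makes the user CSR from the same default section rather than `-section userreq`, so the CA and the user certificates end up with the same "Dodgy CA" subject. The recipe's ca.cnf and user.cnf data files are no longer referenced by these two calls; if nothing else uses them they should go with this cleanup, otherwise a comment saying why they stay would help.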