Cleanup cert config files for tests
authorRich Salz <rsalz@akamai.com>
Wed, 4 Mar 2020 19:08:31 +0000 (14:08 -0500)
committerTomas Mraz <tmraz@fedoraproject.org>
Wed, 3 Jun 2020 07:56:56 +0000 (09:56 +0200)
Merge test/P[12]ss.cnf into one config file
Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf
Remove Netscape cert extensions, add keyUsage comment from some cnf files

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)

15 files changed:
apps/openssl-vms.cnf
apps/openssl.cnf
demos/certs/apps/apps.cnf
demos/certs/ca.cnf
doc/man7/proxy-certificates.pod
test/CAss.cnf [deleted file]
test/P1ss.cnf [deleted file]
test/P2ss.cnf [deleted file]
test/Uss.cnf [deleted file]
test/ca-and-certs.cnf [new file with mode: 0644]
test/proxy.cnf [new file with mode: 0644]
test/recipes/25-test_verify_store.t
test/recipes/80-test_ca.t
test/recipes/80-test_ssl_old.t
test/recipes/90-test_store.t

index c7e7abe..2420e9c 100644 (file)
@@ -171,27 +171,9 @@ unstructuredName           = An optional company name
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType                   = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment                      = "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This is required for TSA certificates.
 # extendedKeyUsage = critical,timeStamping
 
@@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
 # Copy issuer details
@@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType                   = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment                      = "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This really needs to be in place for it to be a proxy certificate.
 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 
index 52706ae..4fd5286 100644 (file)
@@ -171,27 +171,9 @@ unstructuredName           = An optional company name
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType                   = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment                      = "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This is required for TSA certificates.
 # extendedKeyUsage = critical,timeStamping
 
@@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
 # Copy issuer details
@@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType                   = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment                      = "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This really needs to be in place for it to be a proxy certificate.
 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 
index bd762b7..07a3d10 100644 (file)
@@ -35,9 +35,6 @@ commonName                    = $ENV::CN
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment                      = "OpenSSL Generated Certificate"
-
 [ ec_cert ]
 
 # These extensions are added when 'ca' signs a request for an end entity
@@ -46,9 +43,6 @@ nsComment                     = "OpenSSL Generated Certificate"
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement
 
-# This will be displayed in Netscape's comment listbox.
-nsComment                      = "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
index c75a71a..2fbf204 100644 (file)
@@ -35,9 +35,6 @@ commonName                    = $ENV::CN
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment                      = "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
@@ -47,9 +44,6 @@ authorityKeyIdentifier=keyid
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment                      = "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
index df5ee1b..ca1f491 100644 (file)
@@ -116,7 +116,7 @@ two commands:
 
     openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \
         -CA user.crt -CAkey user.key -days 7 \
-        -extfile proxy.cnf -extensions v3_proxy1
+        -extfile proxy.cnf -extensions proxy
 
 You can also create a proxy certificate using another proxy
 certificate as issuer (note: using a different configuration
@@ -128,7 +128,7 @@ section for the proxy extensions):
 
     openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \
         -CA proxy.crt -CAkey proxy.key -days 7 \
-        -extfile proxy.cnf -extensions v3_proxy2
+        -extfile proxy.cnf -extensions proxy_2
 
 =head2 Using proxy certs in applications
 
diff --git a/test/CAss.cnf b/test/CAss.cnf
deleted file mode 100644 (file)
index d63f856..0000000
+++ /dev/null
@@ -1,69 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits           = 2048
-default_keyfile        = keySS.pem
-distinguished_name     = req_distinguished_name
-encrypt_rsa_key                = no
-default_md             = sha1
-
-[ req_distinguished_name ]
-countryName                    = Country Name (2 letter code)
-countryName_default            = AU
-countryName_value              = AU
-
-organizationName               = Organization Name (eg, company)
-organizationName_value         = Dodgy Brothers
-
-commonName                     = Common Name (eg, YOUR name)
-commonName_value               = Dodgy CA
-
-####################################################################
-[ ca ]
-default_ca     = CA_default            # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir            = ./demoCA              # Where everything is kept
-certs          = $dir/certs            # Where the issued certs are kept
-crl_dir                = $dir/crl              # Where the issued crl are kept
-database       = $dir/index.txt        # database index file.
-#unique_subject        = no                    # Set to 'no' to allow creation of
-                                       # several certificates with same subject.
-new_certs_dir  = $dir/newcerts         # default place for new certs.
-
-certificate    = $dir/cacert.pem       # The CA certificate
-serial         = $dir/serial           # The current serial number
-crl            = $dir/crl.pem          # The current CRL
-private_key    = $dir/private/cakey.pem# The private key
-
-x509_extensions        = v3_ca                 # The extensions to add to the cert
-
-name_opt       = ca_default            # Subject Name options
-cert_opt       = ca_default            # Certificate field options
-
-default_days   = 365                   # how long to certify for
-default_crl_days= 30                   # how long before next CRL
-default_md     = md5                   # which md to use.
-preserve       = no                    # keep passed DN ordering
-
-policy         = policy_anything
-
-[ policy_anything ]
-countryName            = optional
-stateOrProvinceName    = optional
-localityName           = optional
-organizationName       = optional
-organizationalUnitName = optional
-commonName             = supplied
-emailAddress           = optional
-
-
-
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = critical,CA:true,pathlen:1
-keyUsage = cRLSign, keyCertSign
-issuerAltName=issuer:copy
diff --git a/test/P1ss.cnf b/test/P1ss.cnf
deleted file mode 100644 (file)
index 69baaaf..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits           = 2048
-default_keyfile        = keySS.pem
-distinguished_name     = req_distinguished_name
-encrypt_rsa_key                = no
-default_md             = sha256
-
-[ req_distinguished_name ]
-countryName                    = Country Name (2 letter code)
-countryName_default            = AU
-countryName_value              = AU
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-
-0.commonName                   = Common Name (eg, YOUR name)
-0.commonName_value             = Brother 1
-
-1.commonName                   = Common Name (eg, YOUR name)
-1.commonName_value             = Brother 2
-
-2.commonName                   = Common Name (eg, YOUR name)
-2.commonName_value             = Proxy 1
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/test/P2ss.cnf b/test/P2ss.cnf
deleted file mode 100644 (file)
index 8d4f3c8..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits           = 2048
-default_keyfile        = keySS.pem
-distinguished_name     = req_distinguished_name
-encrypt_rsa_key                = no
-default_md             = sha256
-
-[ req_distinguished_name ]
-countryName                    = Country Name (2 letter code)
-countryName_default            = AU
-countryName_value              = AU
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-
-0.commonName                   = Common Name (eg, YOUR name)
-0.commonName_value             = Brother 1
-
-1.commonName                   = Common Name (eg, YOUR name)
-1.commonName_value             = Brother 2
-
-2.commonName                   = Common Name (eg, YOUR name)
-2.commonName_value             = Proxy 1
-
-3.commonName                   = Common Name (eg, YOUR name)
-3.commonName_value             = Proxy 2
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,@proxy_ext
-
-[ proxy_ext ]
-language=id-ppl-anyLanguage
-pathlen=0
-policy=text:BC
diff --git a/test/Uss.cnf b/test/Uss.cnf
deleted file mode 100644 (file)
index 95ffb67..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-
-CN2 = Brother 2
-
-####################################################################
-[ req ]
-default_bits           = 2048
-default_keyfile        = keySS.pem
-distinguished_name     = req_distinguished_name
-encrypt_rsa_key                = no
-default_md                 = sha256
-prompt              = no
-
-[ req_distinguished_name ]
-countryName         = AU
-organizationName    = Dodgy Brothers
-0.commonName        = Brother 1
-1.commonName           = $ENV::CN2
-
-[ v3_ee ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ee_dsa ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature
-
-[ v3_ee_ec ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyAgreement
-
diff --git a/test/ca-and-certs.cnf b/test/ca-and-certs.cnf
new file mode 100644 (file)
index 0000000..598db2b
--- /dev/null
@@ -0,0 +1,90 @@
+
+CN2 = Brother 2
+
+####################################################################
+[ req ]
+default_bits           = 2048
+default_keyfile        = keySS.pem
+distinguished_name     = req_distinguished_name
+encrypt_rsa_key                = no
+default_md             = sha1
+
+[ req_distinguished_name ]
+countryName                    = Country Name (2 letter code)
+countryName_value              = AU
+organizationName               = Organization Name (eg, company)
+organizationName_value         = Dodgy Brothers
+commonName                     = Common Name (eg, YOUR name)
+commonName_value               = Dodgy CA
+
+####################################################################
+[ userreq ]
+default_bits           = 2048
+default_keyfile        = keySS.pem
+distinguished_name     = user_dn
+encrypt_rsa_key                = no
+default_md             = sha256
+prompt                 = no
+
+[ user_dn ]
+countryName            = AU
+organizationName       = Dodgy Brothers
+0.commonName           = Brother 1
+1.commonName           = $ENV::CN2
+
+[ v3_ee ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints       = CA:false
+keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ee_dsa ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always
+basicConstraints       = CA:false
+keyUsage               = nonRepudiation, digitalSignature
+
+[ v3_ee_ec ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always
+basicConstraints       = CA:false
+keyUsage               = nonRepudiation, digitalSignature, keyAgreement
+
+####################################################################
+[ ca ]
+default_ca     = CA_default
+
+[ CA_default ]
+dir            = ./demoCA
+certs          = $dir/certs
+crl_dir                = $dir/crl
+database       = $dir/index.txt
+new_certs_dir  = $dir/newcerts
+certificate    = $dir/cacert.pem
+serial         = $dir/serial
+crl            = $dir/crl.pem
+private_key    = $dir/private/cakey.pem
+x509_extensions        = v3_ca
+name_opt       = ca_default
+cert_opt       = ca_default
+default_days   = 365
+default_crl_days= 30
+default_md     = sha1
+preserve       = no
+policy         = policy_anything
+
+[ policy_anything ]
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+
+[ v3_ca ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints       = critical,CA:true,pathlen:1
+keyUsage               = cRLSign, keyCertSign
+issuerAltName          = issuer:copy
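Review bot: `default_md = sha1` in `[ req ]` and again in `[ CA_default ]` leaves the self-signed CA certificate and everything `openssl ca` signs from this file on SHA-1, while `[ userreq ]` in the same file uses sha256. The deleted CAss.cnf had md5 in `[ CA_default ]`, so this is already a step up, but unless a recipe deliberately needs a SHA-1 signature, `default_md = sha256` in both sections would keep the fixtures uniform and avoid generating test CA chains with a digest that stricter verification settings can reject. If SHA-1 is intentional for one of the recipes, a one-line comment saying which would stop the next cleanup from "fixing" it.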
diff --git a/test/proxy.cnf b/test/proxy.cnf
new file mode 100644 (file)
index 0000000..e6b6054
--- /dev/null
@@ -0,0 +1,61 @@
+
+## Config file for proxy certificate testing.
+
+[ req ]
+default_bits           = 2048
+default_keyfile        = keySS.pem
+distinguished_name     = req_distinguished_name_p1
+encrypt_rsa_key                = no
+default_md             = sha256
+
+[ req_distinguished_name_p1 ]
+countryName                    = Country Name (2 letter code)
+countryName_value              = AU
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+0.commonName                   = Common Name (eg, YOUR name)
+0.commonName_value             = Brother 1
+1.commonName                   = Common Name (eg, YOUR name)
+1.commonName_value             = Brother 2
+2.commonName                   = Common Name (eg, YOUR name)
+2.commonName_value             = Proxy 1
+
+[ proxy ]
+basicConstraints       = CA:FALSE
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer:always
+proxyCertInfo  = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+
+####################################################################
+
+[ proxy2_req ]
+default_bits           = 2048
+default_keyfile        = keySS.pem
+distinguished_name     = req_distinguished_name_p2
+encrypt_rsa_key                = no
+default_md             = sha256
+
+[ req_distinguished_name_p2 ]
+countryName                    = Country Name (2 letter code)
+countryName_value              = AU
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+0.commonName                   = Common Name (eg, YOUR name)
+0.commonName_value             = Brother 1
+1.commonName                   = Common Name (eg, YOUR name)
+1.commonName_value             = Brother 2
+2.commonName                   = Common Name (eg, YOUR name)
+2.commonName_value             = Proxy 1
+3.commonName                   = Common Name (eg, YOUR name)
+3.commonName_value             = Proxy 2
+
+[ proxy_2 ]
+basicConstraints       = CA:FALSE
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer:always
+proxyCertInfo          = critical,@proxy_ext
+
+[ proxy_ext ]
+language       = id-ppl-anyLanguage
+pathlen                = 0
+policy         = text:BC
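Review bot: The file's only comment is the one-line header, and a reader has to reconstruct from the recipes how the six sections pair up. Suggest a comment above `[ req ]`, `# Proxy 1: request settings come from this default section; sign it with -extensions proxy`, and above `[ proxy2_req ]`, `# Proxy 2: select with -section proxy2_req; sign with -extensions proxy_2, whose proxyCertInfo fields live in [ proxy_ext ]`. That mirrors the `-section proxy2_req` / `-extensions proxy_2` usage in 80-test_ssl_old.t and the `-extensions proxy` example in doc/man7/proxy-certificates.pod from this same commit.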
index c8c57a7..9246f33 100644 (file)
@@ -18,34 +18,31 @@ plan tests => 10;
 
 my $dummycnf = srctop_file("apps", "openssl.cnf");
 
+my $cnf=srctop_file("test","ca-and-certs.cnf");
 my $CAkey = "keyCA.ss";
 my $CAcert="certCA.ss";
 my $CAserial="certCA.srl";
 my $CAreq="reqCA.ss";
-my $CAconf=srctop_file("test","CAss.cnf");
 my $CAreq2="req2CA.ss";        # temp
-
-my $Uconf=srctop_file("test","Uss.cnf");
 my $Ukey="keyU.ss";
 my $Ureq="reqU.ss";
 my $Ucert="certU.ss";
 
 SKIP: {
     req( 'make cert request',
-         qw(-new),
-         -config       => $CAconf,
+         qw(-new -section userreq),
+         -config       => $cnf,
          -out          => $CAreq,
          -keyout       => $CAkey );
 
     skip 'failure', 8 unless
         x509( 'convert request into self-signed cert',
-              qw(-req -CAcreateserial),
+              qw(-req -CAcreateserial -days 30),
+              qw(-extensions v3_ca),
               -in       => $CAreq,
               -out      => $CAcert,
               -signkey  => $CAkey,
-              -days     => 30,
-              -extfile  => $CAconf,
-              -extensions => 'v3_ca' );
+              -extfile  => $cnf );
 
     skip 'failure', 7 unless
         x509( 'convert cert into a cert request',
@@ -56,13 +53,13 @@ SKIP: {
 
     skip 'failure', 6 unless
         req( 'verify request 1',
-             qw(-verify -noout),
+             qw(-verify -noout -section userreq),
              -config    => $dummycnf,
              -in        => $CAreq );
 
     skip 'failure', 5 unless
         req( 'verify request 2',
-             qw(-verify -noout),
+             qw(-verify -noout -section userreq),
              -config    => $dummycnf,
              -in        => $CAreq2 );
 
@@ -73,29 +70,27 @@ SKIP: {
 
     skip 'failure', 3 unless
         req( 'make a user cert request',
-             qw(-new),
-             -config  => $Uconf,
+             qw(-new -section userreq),
+             -config  => $cnf,
              -out     => $Ureq,
              -keyout  => $Ukey );
 
     skip 'failure', 2 unless
         x509( 'sign user cert request',
-              qw(-req -CAcreateserial),
+              qw(-req -CAcreateserial -days 30 -extensions v3_ee),
               -in     => $Ureq,
               -out    => $Ucert,
               -CA     => $CAcert,
               -CAkey  => $CAkey,
               -CAserial => $CAserial,
-              -days   => 30,
-              -extfile => $Uconf,
-              -extensions => 'v3_ee' )
+              -extfile => $cnf )
         && verify( undef,
                    -CAstore => $CAcert,
                    $Ucert );
 
     skip 'failure', 0 unless
         x509( 'Certificate details',
-              qw( -subject -issuer -startdate -enddate -noout),
+              qw(-subject -issuer -startdate -enddate -noout),
               -in     => $Ucert );
 }
 
index 3d4dfcd..bbb0af7 100644 (file)
@@ -18,26 +18,29 @@ use OpenSSL::Test::Utils;
 setup("test_ca");
 
 $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
-my $std_openssl_cnf =
-    srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf");
+
+my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';;
+my $std_openssl_cnf = '"'
+    . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
+    . '"';
 
 rmtree("demoCA", { safe => 0 });
 
 plan tests => 6;
  SKIP: {
-     $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
+     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
      skip "failed creating CA structure", 4
         if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
                'creating CA structure');
 
-     $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
+     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
      skip "failed creating new certificate request", 3
         if !ok(run(perlapp(["CA.pl","-newreq",
-                             "-extra-req","-outform DER"])),
+                             '-extra-req', '-outform DER -section userreq'])),
                'creating certificate request');
-     $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config "'.$std_openssl_cnf.'"';
+     $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
      skip "failed to sign certificate request", 2
-        if !is(yes(cmdstr(perlapp(["CA.pl", "-sign", "-extra-ca"]))), 0,
+        if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
                'signing certificate request');
 
      ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
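Review bot: `$cnf` is built with literal double quotes baked into the string (`my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';;`), which suits the `$ENV{OPENSSL_CONFIG}` fragments but is then also passed as a bare argv element to `app(["openssl", "ca", "-config", $cnf, ...])` in the last hunk of this file; that appears to resolve to the right path only because the command is run through a shell that strips the quotes, which is fragile. Keeping the plain path separately, `my $cnf_path = srctop_file("test", "ca-and-certs.cnf");` and `my $cnf = '"' . $cnf_path . '"';`, and handing `$cnf_path` to the `openssl ca` call removes that dependency. The same declaration also ends with a doubled `;;`.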
@@ -46,8 +49,8 @@ plan tests => 6;
      skip "CT not configured, can't use -precert", 1
          if disabled("ct");
 
-     $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
-     ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)),
+     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
+     ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)),
         'creating new pre-certificate');
 }
 
@@ -56,7 +59,7 @@ SKIP: {
              if disabled("sm2");
 
     is(yes(cmdstr(app(["openssl", "ca", "-config",
-                       srctop_file("test", "CAss.cnf"),
+                       $cnf,
                        "-in", srctop_file("test", "certs", "sm2-csr.pem"),
                        "-out", "sm2-test.crt",
                        "-sigopt", "distid:1234567812345678",
index e01137d..b49d895 100644 (file)
@@ -44,33 +44,27 @@ my @verifycmd = ("openssl", "verify");
 my @genpkeycmd = ("openssl", "genpkey");
 my $dummycnf = srctop_file("apps", "openssl.cnf");
 
+my $cnf=srctop_file("test","ca-and-certs.cnf");
 my $CAkey = "keyCA.ss";
 my $CAcert="certCA.ss";
 my $CAserial="certCA.srl";
 my $CAreq="reqCA.ss";
-my $CAconf=srctop_file("test","CAss.cnf");
 my $CAreq2="req2CA.ss";        # temp
-
-my $Uconf=srctop_file("test","Uss.cnf");
 my $Ukey="keyU.ss";
 my $Ureq="reqU.ss";
 my $Ucert="certU.ss";
-
 my $Dkey="keyD.ss";
 my $Dreq="reqD.ss";
 my $Dcert="certD.ss";
-
 my $Ekey="keyE.ss";
 my $Ereq="reqE.ss";
 my $Ecert="certE.ss";
 
-my $P1conf=srctop_file("test","P1ss.cnf");
+my $proxycnf=srctop_file("test","proxy.cnf");
 my $P1key="keyP1.ss";
 my $P1req="reqP1.ss";
 my $P1cert="certP1.ss";
 my $P1intermediate="tmp_intP1.ss";
-
-my $P2conf=srctop_file("test","P2ss.cnf");
 my $P2key="keyP2.ss";
 my $P2req="reqP2.ss";
 my $P2cert="certP2.ss";
@@ -133,7 +127,7 @@ sub testss {
 
   SKIP: {
       skip 'failure', 16 unless
-         ok(run(app([@reqcmd, "-config", $CAconf,
+         ok(run(app([@reqcmd, "-config", $cnf,
                      "-out", $CAreq, "-keyout", $CAkey,
                      @req_new])),
             'make cert request');
@@ -141,7 +135,7 @@ sub testss {
       skip 'failure', 15 unless
          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
                      "-req", "-out", $CAcert, "-signkey", $CAkey,
-                     "-extfile", $CAconf, "-extensions", "v3_ca"],
+                     "-extfile", $cnf, "-extensions", "v3_ca"],
                     stdout => "err.ss")),
             'convert request into self-signed cert');
 
@@ -167,7 +161,7 @@ sub testss {
             'verify signature');
 
       skip 'failure', 10 unless
-         ok(run(app([@reqcmd, "-config", $Uconf,
+         ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq",
                      "-out", $Ureq, "-keyout", $Ukey, @req_new],
                     stdout => "err.ss")),
             'make a user cert request');
@@ -176,7 +170,7 @@ sub testss {
          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
                      "-req", "-out", $Ucert,
                      "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
-                     "-extfile", $Uconf, "-extensions", "v3_ee"],
+                     "-extfile", $cnf, "-extensions", "v3_ee"],
                     stdout => "err.ss"))
             && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
             'sign user cert request');
@@ -202,7 +196,8 @@ sub testss {
                                stdout => "err.ss")),
                        "make a DSA key");
                 skip 'failure', 3 unless
-                    ok(run(app([@reqcmd, "-new", "-config", $Uconf,
+                    ok(run(app([@reqcmd, "-new", "-config", $cnf,
+                                "-section", "userreq",
                                 "-out", $Dreq, "-key", $Dkey],
                                stdout => "err.ss")),
                        "make a DSA user cert request");
@@ -214,7 +209,7 @@ sub testss {
                                 "-out", $Dcert,
                                 "-CA", $CAcert, "-CAkey", $CAkey,
                                 "-CAserial", $CAserial,
-                                "-extfile", $Uconf,
+                                "-extfile", $cnf,
                                 "-extensions", "v3_ee_dsa"],
                                stdout => "err.ss")),
                        "sign DSA user cert request");
@@ -247,7 +242,8 @@ sub testss {
                                 "-out", "ecp.ss"])),
                        "make EC parameters");
                 skip 'failure', 3 unless
-                    ok(run(app([@reqcmd, "-config", $Uconf,
+                    ok(run(app([@reqcmd, "-config", $cnf,
+                                "-section", "userreq",
                                 "-out", $Ereq, "-keyout", $Ekey,
                                 "-newkey", "ec:ecp.ss"],
                                stdout => "err.ss")),
@@ -260,7 +256,7 @@ sub testss {
                                 "-out", $Ecert,
                                 "-CA", $CAcert, "-CAkey", $CAkey,
                                 "-CAserial", $CAserial,
-                                "-extfile", $Uconf,
+                                "-extfile", $cnf,
                                 "-extensions", "v3_ee_ec"],
                                stdout => "err.ss")),
                        "sign ECDSA/ECDH user cert request");
@@ -277,7 +273,7 @@ sub testss {
       };
 
       skip 'failure', 5 unless
-         ok(run(app([@reqcmd, "-config", $P1conf,
+         ok(run(app([@reqcmd, "-config", $proxycnf,
                      "-out", $P1req, "-keyout", $P1key, @req_new],
                     stdout => "err.ss")),
             'make a proxy cert request');
@@ -287,7 +283,7 @@ sub testss {
          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
                      "-req", "-out", $P1cert,
                      "-CA", $Ucert, "-CAkey", $Ukey,
-                     "-extfile", $P1conf, "-extensions", "v3_proxy"],
+                     "-extfile", $proxycnf, "-extensions", "proxy"],
                     stdout => "err.ss")),
             'sign proxy with user cert');
 
@@ -300,7 +296,7 @@ sub testss {
         'Certificate details');
 
       skip 'failure', 2 unless
-         ok(run(app([@reqcmd, "-config", $P2conf,
+         ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req",
                      "-out", $P2req, "-keyout", $P2key,
                      @req_new],
                     stdout => "err.ss")),
@@ -311,7 +307,7 @@ sub testss {
          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
                      "-req", "-out", $P2cert,
                      "-CA", $P1cert, "-CAkey", $P1key,
-                     "-extfile", $P2conf, "-extensions", "v3_proxy"],
+                     "-extfile", $proxycnf, "-extensions", "proxy_2"],
                     stdout => "err.ss")),
             'sign second proxy cert request with the first proxy cert');
 
index 3e2e69f..09d9604 100644 (file)
@@ -16,6 +16,7 @@ my $test_name = "test_store";
 setup($test_name);
 
 my $mingw = config('target') =~ m|^mingw|;
+my $cnf=srctop_file("test","ca-and-certs.cnf");
 
 my @noexist_files =
     ( "test/blahdiblah.pem",
@@ -295,7 +296,7 @@ sub init {
                       }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
             # *-cert.pem (intermediary for the .p12 inits)
             && run(app(["openssl", "req", "-x509",
-                        "-config", data_file("ca.cnf"), "-nodes",
+                        "-config", $cnf, "-nodes",
                         "-out", "cacert.pem", "-keyout", "cakey.pem"]))
             && runall(sub {
                           my $srckey = shift;
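Review bot: The CA certificate is now produced by `openssl req -x509 -config $cnf` with the file's default `[ req ]` section, which on this page sets no `x509_extensions`, so whether cacert.pem carries `basicConstraints` and `keyUsage` depends on whatever `req -x509` supplies on its own; the contents of the replaced `data_file("ca.cnf")` are not on the page, so this may or may not be a change. ca-and-certs.cnf does define `[ v3_ca ]`, and adding `"-extensions", "v3_ca",` to this call would make the CA extensions explicit and match how 25-test_verify_store.t and 80-test_ssl_old.t build their CA certificates from the same file. The `init` sub continues outside the hunk.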
@@ -303,7 +304,7 @@ sub init {
                           (my $csr = $dstfile) =~ s|\.pem|.csr|;
 
                           (run(app(["openssl", "req", "-new",
-                                    "-config", data_file("user.cnf"),
+                                    "-config", $cnf,
                                     "-key", $srckey, "-out", $csr]))
                            &&
                            run(app(["openssl", "x509", "-days", "3650",
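Review bot: The user CSRs are generated with `-config $cnf` and no `-section`, so they take the file's default `[ req ]` section, which on this page carries the CA's distinguished name (`commonName_value = Dodgy CA`); the CA certificate in the previous hunk is built from the same section, so as far as the page shows the end-entity certificates end up with the same subject as their issuer. The other recipes in this commit select the end-entity name with `-section userreq`, and doing the same here, `"-config", $cnf, "-section", "userreq",`, keeps subject and issuer distinct. The enclosing `init` sub and this `runall` callback continue outside the hunk.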