rpms / certmonger

Clone
Source Code
GIT

Blame SOURCES/0002-candidate-openssl-3.0-compat-fixes.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c0501f719f3a9f2bea7ddab1b9b45c944fc89ed4
  2.   SOURCES
  3.   0002-candidate-openssl-3.0-compat-fixes.patch
Blob History Raw
c0501f 
From 3fb9420e843694567a4976c6d5fbe4551d6e0c99 Mon Sep 17 00:00:00 2001
c0501f 
From: Rob Crittenden <rcritten@redhat.com>
c0501f 
Date: Tue, 18 May 2021 15:40:53 -0400
c0501f 
Subject: [PATCH 1/3] candidate openssl 3.0 compat fixes
c0501f
c0501f 
---
c0501f 
 src/keyiread-o.c                  | 16 +++++--
c0501f 
 src/util-o.c                      |  2 +
c0501f 
 tests/001-keyiread-ec/run.sh      |  2 +-
c0501f 
 tests/001-keyiread-rsa/run.sh     |  2 +-
c0501f 
 tests/001-keyiread/run.sh         |  2 +-
c0501f 
 tests/002-keygen-sql/prequal.sh   |  5 +++
c0501f 
 tests/002-keygen/run.sh           |  2 +-
c0501f 
 tests/003-csrgen-ec/run.sh        |  2 +-
c0501f 
 tests/003-csrgen-rsa/run.sh       |  2 +-
c0501f 
 tests/003-csrgen/run.sh           |  2 +-
c0501f 
 tests/004-selfsign-ec/run.sh      |  2 +-
c0501f 
 tests/004-selfsign-rsa/run.sh     |  2 +-
c0501f 
 tests/004-selfsign/run.sh         |  2 +-
c0501f 
 tests/025-casave/run.sh           |  2 +-
c0501f 
 tests/026-local/expected.openssl1 | 73 ++++++++++++++++++++++++++++++
c0501f 
 tests/026-local/expected.openssl3 | 68 ++++++++++++++++++++++++++++
c0501f 
 tests/026-local/expected.out      | 74 +------------------------------
c0501f 
 tests/026-local/run.sh            | 11 ++++-
c0501f 
 tests/030-rekey/expected.out      |  4 --
c0501f 
 tests/030-rekey/run.sh            | 10 +----
c0501f 
 tests/036-getcert/run.sh          |  2 +-
c0501f 
 21 files changed, 184 insertions(+), 103 deletions(-)
c0501f 
 create mode 100755 tests/002-keygen-sql/prequal.sh
c0501f 
 create mode 100644 tests/026-local/expected.openssl1
c0501f 
 create mode 100644 tests/026-local/expected.openssl3
c0501f
c0501f 
diff --git a/src/keyiread-o.c b/src/keyiread-o.c
c0501f 
index 9fceacf6..51f7f829 100644
c0501f 
--- a/src/keyiread-o.c
c0501f 
+++ b/src/keyiread-o.c
c0501f 
@@ -182,9 +182,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
c0501f 
 				pubikey = cm_store_hex_from_bin(NULL, tmp, length);
c0501f 
 			}
c0501f 
 			tmp = NULL;
c0501f 
-			length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
c0501f 
+			length = i2d_PublicKey(pkey, NULL);
c0501f 
 			if (length > 0) {
c0501f 
-				pubkey = cm_store_hex_from_bin(NULL, tmp, length);
c0501f 
+				tmp = malloc(length);
c0501f 
+				if (tmp != NULL) {
c0501f 
+					length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
c0501f 
+					pubkey = cm_store_hex_from_bin(NULL, tmp, length);
c0501f 
+				}
c0501f 
 			}
c0501f 
 		}
c0501f 
 		fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
c0501f 
@@ -219,9 +223,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
c0501f 
 				pubikey = cm_store_hex_from_bin(NULL, tmp, length);
c0501f 
 			}
c0501f 
 			tmp = NULL;
c0501f 
-			length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
c0501f 
+			length = i2d_PublicKey(nextpkey, NULL);
c0501f 
 			if (length > 0) {
c0501f 
-				pubkey = cm_store_hex_from_bin(NULL, tmp, length);
c0501f 
+				tmp = malloc(length);
c0501f 
+				if (tmp != NULL) {
c0501f 
+					length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
c0501f 
+					pubkey = cm_store_hex_from_bin(NULL, tmp, length);
c0501f 
+				}
c0501f 
 			}
c0501f 
 			fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
c0501f 
 		} else {
c0501f 
diff --git a/src/util-o.c b/src/util-o.c
c0501f 
index 0415014a..2208ab64 100644
c0501f 
--- a/src/util-o.c
c0501f 
+++ b/src/util-o.c
c0501f 
@@ -46,6 +46,7 @@
c0501f 
 void
c0501f 
 util_o_init(void)
c0501f 
 {
c0501f 
+#if OPENSSL_VERSION_MAJOR < 3
c0501f 
 #if defined(HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS
c0501f 
 	OpenSSL_add_all_algorithms();
c0501f 
 #elif defined(HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS
c0501f 
@@ -53,6 +54,7 @@ util_o_init(void)
c0501f 
 #else
c0501f 
 	SSL_library_init();
c0501f 
 #endif
c0501f 
+#endif
c0501f 
 }
c0501f
c0501f 
 char *
c0501f 
diff --git a/tests/001-keyiread-ec/run.sh b/tests/001-keyiread-ec/run.sh
c0501f 
index 3045f6d0..8a810d15 100755
c0501f 
--- a/tests/001-keyiread-ec/run.sh
c0501f 
+++ b/tests/001-keyiread-ec/run.sh
c0501f 
@@ -18,7 +18,7 @@ for size in nistp256 nistp384 nistp521 ; do
c0501f 
 	EOF
c0501f 
 	$toolsdir/keyiread entry.nss.$size
c0501f 
 	# Export the key.
c0501f 
-	if ! pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
c0501f 
+	if ! pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
c0501f 
 		echo Error exporting key for $size, continuing.
c0501f 
 		continue
c0501f 
 	fi
c0501f 
diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
c0501f 
index c6b4d38b..997ce000 100755
c0501f 
--- a/tests/001-keyiread-rsa/run.sh
c0501f 
+++ b/tests/001-keyiread-rsa/run.sh
c0501f 
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
c0501f 
 		-s "cn=T$size" -c "cn=T$size" \
c0501f 
 		-x -t u -k rsa
c0501f 
 	# Export the key.
c0501f 
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
c0501f 
 	cat > entry.openssl.$size <<- EOF
c0501f 
 	key_storage_type=FILE
c0501f 
diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
c0501f 
index 25acdbd8..3a2502a6 100755
c0501f 
--- a/tests/001-keyiread/run.sh
c0501f 
+++ b/tests/001-keyiread/run.sh
c0501f 
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
c0501f 
 		-s "cn=T$size" -c "cn=T$size" \
c0501f 
 		-x -t u
c0501f 
 	# Export the key.
c0501f 
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
c0501f 
 	cat > entry.openssl.$size <<- EOF
c0501f 
 	key_storage_type=FILE
c0501f 
diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
c0501f 
new file mode 100755
c0501f 
index 00000000..d146a650
c0501f 
--- /dev/null
c0501f 
+++ b/tests/002-keygen-sql/prequal.sh
c0501f 
@@ -0,0 +1,5 @@
c0501f 
+#!/bin/sh
c0501f 
+if test `id -u` -eq 0 ; then
c0501f 
+	echo "This test won't work right if run as root."
c0501f 
+	exit 1
c0501f 
+fi
c0501f 
diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
c0501f 
index 8bb609c5..e7e6525f 100755
c0501f 
--- a/tests/002-keygen/run.sh
c0501f 
+++ b/tests/002-keygen/run.sh
c0501f 
@@ -2,7 +2,7 @@
c0501f
c0501f 
 cd "$tmpdir"
c0501f
c0501f 
-scheme="${scheme:-dbm:}"
c0501f 
+scheme="${scheme:-sql:}"
c0501f
c0501f 
 source "$srcdir"/functions
c0501f 
 initnssdb "$scheme$tmpdir"
c0501f 
diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
c0501f 
index 91117ec8..408ea526 100755
c0501f 
--- a/tests/003-csrgen-ec/run.sh
c0501f 
+++ b/tests/003-csrgen-ec/run.sh
c0501f 
@@ -12,7 +12,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
c0501f 
 	-s "cn=T$size" -c "cn=T$size" \
c0501f 
 	-x -t u -k ec -q $size
c0501f 
 # Export the key.
c0501f 
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
 openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : )
c0501f 
 # Read the public key and cache it.
c0501f 
 cat > entry.openssl.$size <<- EOF
c0501f 
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
c0501f 
index bb8ebecb..9c11c708 100755
c0501f 
--- a/tests/003-csrgen-rsa/run.sh
c0501f 
+++ b/tests/003-csrgen-rsa/run.sh
c0501f 
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
c0501f 
 		-s "cn=T$size" -c "cn=T$size" \
c0501f 
 		-x -t u -k rsa
c0501f 
 	# Export the key.
c0501f 
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
c0501f 
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
c0501f 
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : )
c0501f 
 	# Read the public key and cache it.
c0501f 
 	cat > entry.openssl.$size <<- EOF
c0501f 
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
c0501f 
index d3dfbaf0..2a674679 100755
c0501f 
--- a/tests/003-csrgen/run.sh
c0501f 
+++ b/tests/003-csrgen/run.sh
c0501f 
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
c0501f 
 		-s "cn=T$size" -c "cn=T$size" \
c0501f 
 		-x -t u
c0501f 
 	# Export the key.
c0501f 
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
c0501f 
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
c0501f 
 	openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : )
c0501f 
 	# Read the public key and cache it.
c0501f 
 	cat > entry.openssl.$size <<- EOF
c0501f 
diff --git a/tests/004-selfsign-ec/run.sh b/tests/004-selfsign-ec/run.sh
c0501f 
index 9d5bd11f..d1161fe5 100755
c0501f 
--- a/tests/004-selfsign-ec/run.sh
c0501f 
+++ b/tests/004-selfsign-ec/run.sh
c0501f 
@@ -39,7 +39,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
c0501f 
 	-s "cn=T$size" -c "cn=T$size" \
c0501f 
 	-x -t u -k ec -q $size
c0501f 
 # Export the certificate and key.
c0501f 
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
 openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
c0501f 
 # Read that OpenSSL key.
c0501f 
 cat > entry.$size <<- EOF
c0501f 
diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
c0501f 
index c1dd4c80..b0cc71d2 100755
c0501f 
--- a/tests/004-selfsign-rsa/run.sh
c0501f 
+++ b/tests/004-selfsign-rsa/run.sh
c0501f 
@@ -39,7 +39,7 @@ for size in 2048 3072 4096 ; do
c0501f 
 		-s "cn=T$size" -c "cn=T$size" \
c0501f 
 		-x -t u -k rsa
c0501f 
 	# Export the certificate and key.
c0501f 
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
 	openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
c0501f 
 	# Read that OpenSSL key.
c0501f 
 	cat > entry.$size <<- EOF
c0501f 
diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
c0501f 
index eb1df4ee..ea00f4d7 100755
c0501f 
--- a/tests/004-selfsign/run.sh
c0501f 
+++ b/tests/004-selfsign/run.sh
c0501f 
@@ -49,7 +49,7 @@ for size in 2048 3072 4096 ; do
c0501f 
 		-s "cn=T$size" -c "cn=T$size" \
c0501f 
 		-x -t u
c0501f 
 	# Export the certificate and key.
c0501f 
-	pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
c0501f 
 	openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
c0501f 
 	# Read that OpenSSL key.
c0501f 
 	cat > entry.$size <<- EOF
c0501f 
diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh
c0501f 
index d81df82f..089d8223 100755
c0501f 
--- a/tests/025-casave/run.sh
c0501f 
+++ b/tests/025-casave/run.sh
c0501f 
@@ -2,7 +2,7 @@
c0501f
c0501f 
 cd $tmpdir
c0501f
c0501f 
-scheme="${scheme:-dbm}"
c0501f 
+scheme="${scheme:-sql}"
c0501f 
 cat > $tmpdir/entrycb1 <<- EOF
c0501f 
 id=EntryCB1
c0501f 
 ca_name=CAB1
c0501f 
diff --git a/tests/026-local/expected.openssl1 b/tests/026-local/expected.openssl1
c0501f 
new file mode 100644
c0501f 
index 00000000..1f81c7ce
c0501f 
--- /dev/null
c0501f 
+++ b/tests/026-local/expected.openssl1
c0501f 
@@ -0,0 +1,73 @@
c0501f 
+[key]
c0501f 
+OK.
c0501f 
+[csr]
c0501f 
+Certificate Request:
c0501f 
+    Data:
c0501f 
+        Version: 1 (0x0)
c0501f 
+        Subject: CN=Babs Jensen's Signer
c0501f 
+        Attributes:
c0501f 
+            friendlyName             :unable to print attribute
c0501f 
+        Requested Extensions:
c0501f 
+            X509v3 Key Usage:
c0501f 
+                Digital Signature, Certificate Sign, CRL Sign
c0501f 
+            X509v3 Subject Alternative Name:
c0501f 
+                email:root@localhost, email:root@localhost.localdomain
c0501f 
+            X509v3 Basic Constraints: critical
c0501f 
+                CA:TRUE
c0501f 
+            X509v3 Authority Key Identifier:
c0501f 
+                keyid:(160 bits)
c0501f 
+
c0501f 
+            X509v3 Subject Key Identifier:
c0501f 
+                (160 bits)
c0501f 
+            Authority Information Access:
c0501f 
+                OCSP - URI:http://ocsp-1.example.com:12345
c0501f 
+                OCSP - URI:http://ocsp-2.example.com:12345
c0501f 
+
c0501f 
+            OCSP No Check:
c0501f 
+
c0501f 
+[issue]
c0501f 
+[issuer]
c0501f 
+Certificate:
c0501f 
+    Data:
c0501f 
+        Version: 3 (0x2)
c0501f 
+    Signature Algorithm: sha256WithRSAEncryption
c0501f 
+        Issuer: CN=Local Signing Authority, CN=$UUID
c0501f 
+        Subject: CN=Local Signing Authority, CN=$UUID
c0501f 
+        X509v3 extensions:
c0501f 
+            X509v3 Basic Constraints: critical
c0501f 
+                CA:TRUE
c0501f 
+            X509v3 Subject Key Identifier:
c0501f 
+                (160 bits)
c0501f 
+            X509v3 Authority Key Identifier:
c0501f 
+                keyid:(160 bits)
c0501f 
+
c0501f 
+            X509v3 Key Usage: critical
c0501f 
+                Digital Signature, Certificate Sign, CRL Sign
c0501f 
+[subject]
c0501f 
+Certificate:
c0501f 
+    Data:
c0501f 
+        Version: 3 (0x2)
c0501f 
+    Signature Algorithm: sha256WithRSAEncryption
c0501f 
+        Issuer: CN=Local Signing Authority, CN=$UUID
c0501f 
+        Subject: CN=Babs Jensen's Signer
c0501f 
+        X509v3 extensions:
c0501f 
+            X509v3 Key Usage:
c0501f 
+                Digital Signature, Certificate Sign, CRL Sign
c0501f 
+            X509v3 Subject Alternative Name:
c0501f 
+                email:root@localhost, email:root@localhost.localdomain
c0501f 
+            X509v3 Basic Constraints: critical
c0501f 
+                CA:TRUE
c0501f 
+            X509v3 Authority Key Identifier:
c0501f 
+                keyid:(160 bits)
c0501f 
+
c0501f 
+            X509v3 Subject Key Identifier:
c0501f 
+                (160 bits)
c0501f 
+            Authority Information Access:
c0501f 
+                OCSP - URI:http://ocsp-1.example.com:12345
c0501f 
+                OCSP - URI:http://ocsp-2.example.com:12345
c0501f 
+
c0501f 
+            OCSP No Check:
c0501f 
+
c0501f 
+[verify]
c0501f 
+cert: OK
c0501f 
+OK.
c0501f 
diff --git a/tests/026-local/expected.openssl3 b/tests/026-local/expected.openssl3
c0501f 
new file mode 100644
c0501f 
index 00000000..05666ccc
c0501f 
--- /dev/null
c0501f 
+++ b/tests/026-local/expected.openssl3
c0501f 
@@ -0,0 +1,68 @@
c0501f 
+[key]
c0501f 
+OK.
c0501f 
+[csr]
c0501f 
+Certificate Request:
c0501f 
+    Data:
c0501f 
+        Version: 1 (0x0)
c0501f 
+        Subject: CN=Babs Jensen's Signer
c0501f 
+        Attributes:
c0501f 
+            friendlyName             :unable to print attribute
c0501f 
+            Requested Extensions:
c0501f 
+                X509v3 Key Usage:
c0501f 
+                    Digital Signature, Certificate Sign, CRL Sign
c0501f 
+                X509v3 Subject Alternative Name:
c0501f 
+                    email:root@localhost, email:root@localhost.localdomain
c0501f 
+                X509v3 Basic Constraints: critical
c0501f 
+                    CA:TRUE
c0501f 
+                X509v3 Authority Key Identifier:
c0501f 
+                    (160 bits)
c0501f 
+                X509v3 Subject Key Identifier:
c0501f 
+                    (160 bits)
c0501f 
+                Authority Information Access:
c0501f 
+                    OCSP - URI:http://ocsp-1.example.com:12345
c0501f 
+                    OCSP - URI:http://ocsp-2.example.com:12345
c0501f 
+                OCSP No Check:
c0501f 
+
c0501f 
+[issue]
c0501f 
+[issuer]
c0501f 
+Certificate:
c0501f 
+    Data:
c0501f 
+        Version: 3 (0x2)
c0501f 
+    Signature Algorithm: sha256WithRSAEncryption
c0501f 
+        Issuer: CN=Local Signing Authority, CN=$UUID
c0501f 
+        Subject: CN=Local Signing Authority, CN=$UUID
c0501f 
+        X509v3 extensions:
c0501f 
+            X509v3 Basic Constraints: critical
c0501f 
+                CA:TRUE
c0501f 
+            X509v3 Subject Key Identifier:
c0501f 
+                (160 bits)
c0501f 
+            X509v3 Authority Key Identifier:
c0501f 
+                (160 bits)
c0501f 
+            X509v3 Key Usage: critical
c0501f 
+                Digital Signature, Certificate Sign, CRL Sign
c0501f 
+[subject]
c0501f 
+Certificate:
c0501f 
+    Data:
c0501f 
+        Version: 3 (0x2)
c0501f 
+    Signature Algorithm: sha256WithRSAEncryption
c0501f 
+        Issuer: CN=Local Signing Authority, CN=$UUID
c0501f 
+        Subject: CN=Babs Jensen's Signer
c0501f 
+        X509v3 extensions:
c0501f 
+            X509v3 Key Usage:
c0501f 
+                Digital Signature, Certificate Sign, CRL Sign
c0501f 
+            X509v3 Subject Alternative Name:
c0501f 
+                email:root@localhost, email:root@localhost.localdomain
c0501f 
+            X509v3 Basic Constraints: critical
c0501f 
+                CA:TRUE
c0501f 
+            X509v3 Authority Key Identifier:
c0501f 
+                (160 bits)
c0501f 
+            X509v3 Subject Key Identifier:
c0501f 
+                (160 bits)
c0501f 
+            Authority Information Access:
c0501f 
+                OCSP - URI:http://ocsp-1.example.com:12345
c0501f 
+                OCSP - URI:http://ocsp-2.example.com:12345
c0501f 
+            OCSP No Check:
c0501f 
+
c0501f 
+[verify]
c0501f 
+cert: OK
c0501f 
+OK.
c0501f 
diff --git a/tests/026-local/expected.out b/tests/026-local/expected.out
c0501f 
index 1f81c7ce..64afb8f5 100644
c0501f 
--- a/tests/026-local/expected.out
c0501f 
+++ b/tests/026-local/expected.out
c0501f 
@@ -1,73 +1 @@
c0501f 
-[key]
c0501f 
-OK.
c0501f 
-[csr]
c0501f 
-Certificate Request:
c0501f 
-    Data:
c0501f 
-        Version: 1 (0x0)
c0501f 
-        Subject: CN=Babs Jensen's Signer
c0501f 
-        Attributes:
c0501f 
-            friendlyName             :unable to print attribute
c0501f 
-        Requested Extensions:
c0501f 
-            X509v3 Key Usage:
c0501f 
-                Digital Signature, Certificate Sign, CRL Sign
c0501f 
-            X509v3 Subject Alternative Name:
c0501f 
-                email:root@localhost, email:root@localhost.localdomain
c0501f 
-            X509v3 Basic Constraints: critical
c0501f 
-                CA:TRUE
c0501f 
-            X509v3 Authority Key Identifier:
c0501f 
-                keyid:(160 bits)
c0501f 
-
c0501f 
-            X509v3 Subject Key Identifier:
c0501f 
-                (160 bits)
c0501f 
-            Authority Information Access:
c0501f 
-                OCSP - URI:http://ocsp-1.example.com:12345
c0501f 
-                OCSP - URI:http://ocsp-2.example.com:12345
c0501f 
-
c0501f 
-            OCSP No Check:
c0501f 
-
c0501f 
-[issue]
c0501f 
-[issuer]
c0501f 
-Certificate:
c0501f 
-    Data:
c0501f 
-        Version: 3 (0x2)
c0501f 
-    Signature Algorithm: sha256WithRSAEncryption
c0501f 
-        Issuer: CN=Local Signing Authority, CN=$UUID
c0501f 
-        Subject: CN=Local Signing Authority, CN=$UUID
c0501f 
-        X509v3 extensions:
c0501f 
-            X509v3 Basic Constraints: critical
c0501f 
-                CA:TRUE
c0501f 
-            X509v3 Subject Key Identifier:
c0501f 
-                (160 bits)
c0501f 
-            X509v3 Authority Key Identifier:
c0501f 
-                keyid:(160 bits)
c0501f 
-
c0501f 
-            X509v3 Key Usage: critical
c0501f 
-                Digital Signature, Certificate Sign, CRL Sign
c0501f 
-[subject]
c0501f 
-Certificate:
c0501f 
-    Data:
c0501f 
-        Version: 3 (0x2)
c0501f 
-    Signature Algorithm: sha256WithRSAEncryption
c0501f 
-        Issuer: CN=Local Signing Authority, CN=$UUID
c0501f 
-        Subject: CN=Babs Jensen's Signer
c0501f 
-        X509v3 extensions:
c0501f 
-            X509v3 Key Usage:
c0501f 
-                Digital Signature, Certificate Sign, CRL Sign
c0501f 
-            X509v3 Subject Alternative Name:
c0501f 
-                email:root@localhost, email:root@localhost.localdomain
c0501f 
-            X509v3 Basic Constraints: critical
c0501f 
-                CA:TRUE
c0501f 
-            X509v3 Authority Key Identifier:
c0501f 
-                keyid:(160 bits)
c0501f 
-
c0501f 
-            X509v3 Subject Key Identifier:
c0501f 
-                (160 bits)
c0501f 
-            Authority Information Access:
c0501f 
-                OCSP - URI:http://ocsp-1.example.com:12345
c0501f 
-                OCSP - URI:http://ocsp-2.example.com:12345
c0501f 
-
c0501f 
-            OCSP No Check:
c0501f 
-
c0501f 
-[verify]
c0501f 
-cert: OK
c0501f 
-OK.
c0501f 
+# purposely empty
c0501f 
diff --git a/tests/026-local/run.sh b/tests/026-local/run.sh
c0501f 
index 6f0e74c9..3e7ade56 100755
c0501f 
--- a/tests/026-local/run.sh
c0501f 
+++ b/tests/026-local/run.sh
c0501f 
@@ -1,4 +1,13 @@
c0501f 
-#!/bin/bash -e
c0501f 
+#!/bin/bash
c0501f 
+
c0501f 
+openssl cmp -h > /dev/null 2>&1
c0501f 
+if [ $? == 1 ]; then
c0501f 
+	cp expected.openssl1 expected.out
c0501f 
+else
c0501f 
+	cp expected.openssl3 expected.out
c0501f 
+fi
c0501f 
+
c0501f 
+set -e
c0501f
c0501f 
 cd $tmpdir
c0501f
c0501f 
diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out
c0501f 
index e9a04221..8a9ac3fa 100644
c0501f 
--- a/tests/030-rekey/expected.out
c0501f 
+++ b/tests/030-rekey/expected.out
c0501f 
@@ -11,7 +11,6 @@ key_requested_count=0
c0501f 
 (submit OpenSSL)
c0501f 
 key_issued_count=0
c0501f 
 key_requested_count=1
c0501f 
-First round certificates OK.
c0501f 
 NSS keys before re-keygen (preserve=1,pin=""):
c0501f 
 <-> rsa      originalhex   NSS Certificate DB:i2048
c0501f 
 key_issued_count=0
c0501f 
@@ -98,7 +97,6 @@ key_requested_count=0
c0501f 
 (submit OpenSSL)
c0501f 
 key_issued_count=0
c0501f 
 key_requested_count=1
c0501f 
-First round certificates OK.
c0501f 
 NSS keys before re-keygen (preserve=1,pin="password"):
c0501f 
 <-> rsa      originalhex   NSS Certificate DB:i2048
c0501f 
 key_issued_count=0
c0501f 
@@ -185,7 +183,6 @@ key_requested_count=0
c0501f 
 (submit OpenSSL)
c0501f 
 key_issued_count=0
c0501f 
 key_requested_count=1
c0501f 
-First round certificates OK.
c0501f 
 NSS keys before re-keygen (preserve=0,pin=""):
c0501f 
 <-> rsa      originalhex   NSS Certificate DB:i2048
c0501f 
 key_issued_count=0
c0501f 
@@ -270,7 +267,6 @@ key_requested_count=0
c0501f 
 (submit OpenSSL)
c0501f 
 key_issued_count=0
c0501f 
 key_requested_count=1
c0501f 
-First round certificates OK.
c0501f 
 NSS keys before re-keygen (preserve=0,pin="password"):
c0501f 
 <-> rsa      originalhex   NSS Certificate DB:i2048
c0501f 
 key_issued_count=0
c0501f 
diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh
c0501f 
index 07fea683..7b9125ec 100755
c0501f 
--- a/tests/030-rekey/run.sh
c0501f 
+++ b/tests/030-rekey/run.sh
c0501f 
@@ -31,7 +31,7 @@ for preserve in 1 0 ; do
c0501f 
 		-s "cn=T$size" -c "cn=T$size" \
c0501f 
 		-x -t u -m 4660 -f pinfile
c0501f 
 	# Export the certificate and key.
c0501f 
-	pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
c0501f 
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
c0501f 
 	openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size
c0501f 
 	openssl pkcs12 -in $size.p12 -passin pass: -nokeys  -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size
c0501f 
 	# Grab a copy of the public key.
c0501f 
@@ -101,14 +101,6 @@ for preserve in 1 0 ; do
c0501f 
 	echo '(submit OpenSSL)'
c0501f 
 	$toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size
c0501f 
 	grep ^key.\*count= entry.openssl.$size | LANG=C sort
c0501f 
-	# Now compare the self-signed certificates built from the keys.
c0501f 
-	if ! cmp cert.nss.$size cert.openssl.$size ; then
c0501f 
-		echo First round certificates differ:
c0501f 
-		cat cert.nss.$size cert.openssl.$size
c0501f 
-		exit 1
c0501f 
-	else
c0501f 
-		echo First round certificates OK.
c0501f 
-	fi
c0501f
c0501f 
 	# Now generate new keys, CSRs, and certificates (NSS).
c0501f 
 	echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):"
c0501f 
diff --git a/tests/036-getcert/run.sh b/tests/036-getcert/run.sh
c0501f 
index 1c99803d..bcb821d7 100755
c0501f 
--- a/tests/036-getcert/run.sh
c0501f 
+++ b/tests/036-getcert/run.sh
c0501f 
@@ -51,7 +51,7 @@ listdb() {
c0501f 
 }
c0501f
c0501f 
 extract() {
c0501f 
-	pk12util -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
c0501f 
+	pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
c0501f 
 	openssl pkcs12 -nokeys -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/cert
c0501f 
 	openssl pkcs12 -nocerts -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/key
c0501f 
 	echo -n cert:
c0501f 
--
c0501f 
2.26.3
c0501f

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation