author | Rich Salz <rsalz@akamai.com> | 2020-03-04 14:08:31 -0500 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-06-03 09:56:56 +0200 |
commit | 4e6e57cfcdd75b827ff7171927d87e95b5b86ae8 (patch) | |
tree | 5966ad0b0dee601e0e042a5936422a24d2e79a8b /test/recipes | |
parent | 5c01a133ecafc5ffa4ae55effd32f4f1fb642293 (diff) | |
download | openssl-4e6e57cfcdd75b827ff7171927d87e95b5b86ae8.tar.gz |
Cleanup cert config files for tests
Merge test/P[12]ss.cnf into one config file
Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf
Remove Netscape cert extensions, add keyUsage comment from some cnf files
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
Diffstat (limited to 'test/recipes')
-rw-r--r-- | test/recipes/25-test_verify_store.t | 31 | ||||
-rw-r--r-- | test/recipes/80-test_ca.t | 23 | ||||
-rw-r--r-- | test/recipes/80-test_ssl_old.t | 36 | ||||
-rw-r--r-- | test/recipes/90-test_store.t | 5 |
4 files changed, 45 insertions, 50 deletions
diff --git a/test/recipes/25-test_verify_store.t b/test/recipes/25-test_verify_store.t index c8c57a7b2b..9246f33868 100644 --- a/test/recipes/25-test_verify_store.t +++ b/test/recipes/25-test_verify_store.t @@ -18,34 +18,31 @@ plan tests => 10; my $dummycnf = srctop_file("apps", "openssl.cnf"); +my $cnf=srctop_file("test","ca-and-certs.cnf"); my $CAkey = "keyCA.ss"; my $CAcert="certCA.ss"; my $CAserial="certCA.srl"; my $CAreq="reqCA.ss"; -my $CAconf=srctop_file("test","CAss.cnf"); my $CAreq2="req2CA.ss"; # temp - -my $Uconf=srctop_file("test","Uss.cnf"); my $Ukey="keyU.ss"; my $Ureq="reqU.ss"; my $Ucert="certU.ss"; SKIP: { req( 'make cert request', - qw(-new), - -config => $CAconf, + qw(-new -section userreq), + -config => $cnf, -out => $CAreq, -keyout => $CAkey ); skip 'failure', 8 unless x509( 'convert request into self-signed cert', - qw(-req -CAcreateserial), + qw(-req -CAcreateserial -days 30), + qw(-extensions v3_ca), -in => $CAreq, -out => $CAcert, -signkey => $CAkey, - -days => 30, - -extfile => $CAconf, - -extensions => 'v3_ca' ); + -extfile => $cnf ); skip 'failure', 7 unless x509( 'convert cert into a cert request', @@ -56,13 +53,13 @@ SKIP: { skip 'failure', 6 unless req( 'verify request 1', - qw(-verify -noout), + qw(-verify -noout -section userreq), -config => $dummycnf, -in => $CAreq ); skip 'failure', 5 unless req( 'verify request 2', - qw(-verify -noout), + qw(-verify -noout -section userreq), -config => $dummycnf, -in => $CAreq2 ); 
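Review bot: The CA request in 'make cert request' is now generated with `-section userreq`, the same section the user request uses in the next hunk of this file, whereas the equivalent CA step in 80-test_ssl_old.t passes `-config $cnf` with no `-section`. If `userreq` carries the end-entity DN, the CA and user certificates would share a subject and the `verify -CAstore` step would no longer exercise a distinct issuer name; ca-and-certs.cnf is not part of this diff, so that is inferred. The two `-verify -noout` calls also gain `-section userreq` while still pointing at `$dummycnf` (apps/openssl.cnf), which may not define that section. If the shared section is intended, a comment such as `# CA request deliberately reuses the userreq DN` above the first `req(...)` would make that explicit; otherwise drop `-section userreq` from the CA request and the verify calls.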
@@ -73,29 +70,27 @@ SKIP: { skip 'failure', 3 unless req( 'make a user cert request', - qw(-new), - -config => $Uconf, + qw(-new -section userreq), + -config => $cnf, -out => $Ureq, -keyout => $Ukey ); skip 'failure', 2 unless x509( 'sign user cert request', - qw(-req -CAcreateserial), + qw(-req -CAcreateserial -days 30 -extensions v3_ee), -in => $Ureq, -out => $Ucert, -CA => $CAcert, -CAkey => $CAkey, -CAserial => $CAserial, - -days => 30, - -extfile => $Uconf, - -extensions => 'v3_ee' ) + -extfile => $cnf ) && verify( undef, -CAstore => $CAcert, $Ucert ); skip 'failure', 0 unless x509( 'Certificate details', - qw( -subject -issuer -startdate -enddate -noout), + qw(-subject -issuer -startdate -enddate -noout), -in => $Ucert ); } diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t index 3d4dfcd060..bbb0af7577 100644 --- a/test/recipes/80-test_ca.t +++ b/test/recipes/80-test_ca.t 
@@ -18,26 +18,29 @@ use OpenSSL::Test::Utils; setup("test_ca"); $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); -my $std_openssl_cnf = - srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf"); + +my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';; +my $std_openssl_cnf = '"' + . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf") + . '"'; rmtree("demoCA", { safe => 0 }); plan tests => 6; SKIP: { - $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"'; + $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; skip "failed creating CA structure", 4 if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)), 'creating CA structure'); - $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"'; + $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; skip "failed creating new certificate request", 3 if !ok(run(perlapp(["CA.pl","-newreq", - "-extra-req","-outform DER"])), + '-extra-req', '-outform DER -section userreq'])), 'creating certificate request'); - $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config "'.$std_openssl_cnf.'"'; + $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf; skip "failed to sign certificate request", 2 - if !is(yes(cmdstr(perlapp(["CA.pl", "-sign", "-extra-ca"]))), 0, + if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0, 'signing certificate request'); ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])), @@ -46,8 +49,8 @@ plan tests => 6; skip "CT not configured, can't use -precert", 1 if disabled("ct"); - $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"'; - ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)), + $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; + ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)), 'creating new pre-certificate'); } 
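Review bot: `$cnf` now holds the path wrapped in literal double quotes, which suits the `$ENV{OPENSSL_CONFIG}` strings in this hunk but not the `openssl ca` call in the SM2 hunk (`@@ -56,7 +59,7 @@`), where it is passed as a list element to `app([...])` in place of a previously unquoted `srctop_file(...)`. The quote characters would then become part of the `-config` argument unless app() strips them, which is not visible here. Keeping the variable unquoted and quoting only where the string is spliced into a command line avoids this: `my $cnf = srctop_file("test","ca-and-certs.cnf");` and `$ENV{OPENSSL_CONFIG} = qq(-config "$cnf");`. The declaration also ends with a stray `;;`.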
@@ -56,7 +59,7 @@ SKIP: { if disabled("sm2"); is(yes(cmdstr(app(["openssl", "ca", "-config", - srctop_file("test", "CAss.cnf"), + $cnf, "-in", srctop_file("test", "certs", "sm2-csr.pem"), "-out", "sm2-test.crt", "-sigopt", "distid:1234567812345678", diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index e01137d593..b49d895c32 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -44,33 +44,27 @@ my @verifycmd = ("openssl", "verify"); my @genpkeycmd = ("openssl", "genpkey"); my $dummycnf = srctop_file("apps", "openssl.cnf"); +my $cnf=srctop_file("test","ca-and-certs.cnf"); my $CAkey = "keyCA.ss"; my $CAcert="certCA.ss"; my $CAserial="certCA.srl"; my $CAreq="reqCA.ss"; -my $CAconf=srctop_file("test","CAss.cnf"); my $CAreq2="req2CA.ss"; # temp - -my $Uconf=srctop_file("test","Uss.cnf"); my $Ukey="keyU.ss"; my $Ureq="reqU.ss"; my $Ucert="certU.ss"; - my $Dkey="keyD.ss"; my $Dreq="reqD.ss"; my $Dcert="certD.ss"; - my $Ekey="keyE.ss"; my $Ereq="reqE.ss"; my $Ecert="certE.ss"; -my $P1conf=srctop_file("test","P1ss.cnf"); +my $proxycnf=srctop_file("test","proxy.cnf"); my $P1key="keyP1.ss"; my $P1req="reqP1.ss"; my $P1cert="certP1.ss"; my $P1intermediate="tmp_intP1.ss"; - -my $P2conf=srctop_file("test","P2ss.cnf"); my $P2key="keyP2.ss"; my $P2req="reqP2.ss"; my $P2cert="certP2.ss"; @@ -133,7 +127,7 @@ sub testss { SKIP: { skip 'failure', 16 unless - ok(run(app([@reqcmd, "-config", $CAconf, + ok(run(app([@reqcmd, "-config", $cnf, "-out", $CAreq, "-keyout", $CAkey, @req_new])), 'make cert request'); @@ -141,7 +135,7 @@ sub testss { skip 'failure', 15 unless ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30", "-req", "-out", $CAcert, "-signkey", $CAkey, - "-extfile", $CAconf, "-extensions", "v3_ca"], + "-extfile", $cnf, "-extensions", "v3_ca"], stdout => "err.ss")), 'convert request into self-signed cert'); 
@@ -167,7 +161,7 @@ sub testss { 'verify signature'); skip 'failure', 10 unless - ok(run(app([@reqcmd, "-config", $Uconf, + ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq", "-out", $Ureq, "-keyout", $Ukey, @req_new], stdout => "err.ss")), 'make a user cert request'); @@ -176,7 +170,7 @@ sub testss { ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30", "-req", "-out", $Ucert, "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, - "-extfile", $Uconf, "-extensions", "v3_ee"], + "-extfile", $cnf, "-extensions", "v3_ee"], stdout => "err.ss")) && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])), 'sign user cert request'); @@ -202,7 +196,8 @@ sub testss { stdout => "err.ss")), "make a DSA key"); skip 'failure', 3 unless - ok(run(app([@reqcmd, "-new", "-config", $Uconf, + ok(run(app([@reqcmd, "-new", "-config", $cnf, + "-section", "userreq", "-out", $Dreq, "-key", $Dkey], stdout => "err.ss")), "make a DSA user cert request"); @@ -214,7 +209,7 @@ sub testss { "-out", $Dcert, "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, - "-extfile", $Uconf, + "-extfile", $cnf, "-extensions", "v3_ee_dsa"], stdout => "err.ss")), "sign DSA user cert request"); @@ -247,7 +242,8 @@ sub testss { "-out", "ecp.ss"])), "make EC parameters"); skip 'failure', 3 unless - ok(run(app([@reqcmd, "-config", $Uconf, + ok(run(app([@reqcmd, "-config", $cnf, + "-section", "userreq", "-out", $Ereq, "-keyout", $Ekey, "-newkey", "ec:ecp.ss"], stdout => "err.ss")), @@ -260,7 +256,7 @@ sub testss { "-out", $Ecert, "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, - "-extfile", $Uconf, + "-extfile", $cnf, "-extensions", "v3_ee_ec"], stdout => "err.ss")), "sign ECDSA/ECDH user cert request"); @@ -277,7 +273,7 @@ sub testss { }; skip 'failure', 5 unless - ok(run(app([@reqcmd, "-config", $P1conf, + ok(run(app([@reqcmd, "-config", $proxycnf, "-out", $P1req, "-keyout", $P1key, @req_new], stdout => "err.ss")), 'make a proxy cert request'); 
@@ -287,7 +283,7 @@ sub testss { ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30", "-req", "-out", $P1cert, "-CA", $Ucert, "-CAkey", $Ukey, - "-extfile", $P1conf, "-extensions", "v3_proxy"], + "-extfile", $proxycnf, "-extensions", "proxy"], stdout => "err.ss")), 'sign proxy with user cert'); @@ -300,7 +296,7 @@ sub testss { 'Certificate details'); skip 'failure', 2 unless - ok(run(app([@reqcmd, "-config", $P2conf, + ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req", "-out", $P2req, "-keyout", $P2key, @req_new], stdout => "err.ss")), @@ -311,7 +307,7 @@ sub testss { ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30", "-req", "-out", $P2cert, "-CA", $P1cert, "-CAkey", $P1key, - "-extfile", $P2conf, "-extensions", "v3_proxy"], + "-extfile", $proxycnf, "-extensions", "proxy_2"], stdout => "err.ss")), 'sign second proxy cert request with the first proxy cert'); diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t index 3e2e69f439..09d9604e9d 100644 --- a/test/recipes/90-test_store.t +++ b/test/recipes/90-test_store.t @@ -16,6 +16,7 @@ my $test_name = "test_store"; setup($test_name); my $mingw = config('target') =~ m|^mingw|; +my $cnf=srctop_file("test","ca-and-certs.cnf"); my @noexist_files = ( "test/blahdiblah.pem", @@ -295,7 +296,7 @@ sub init { }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files)) # *-cert.pem (intermediary for the .p12 inits) && run(app(["openssl", "req", "-x509", - "-config", data_file("ca.cnf"), "-nodes", + "-config", $cnf, "-nodes", "-out", "cacert.pem", "-keyout", "cakey.pem"])) && runall(sub { my $srckey = shift; @@ -303,7 +304,7 @@ sub init { (my $csr = $dstfile) =~ s|\.pem|.csr|; (run(app(["openssl", "req", "-new", - "-config", data_file("user.cnf"), + "-config", $cnf, "-key", $srckey, "-out", $csr])) && run(app(["openssl", "x509", "-days", "3650", |
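Review bot: In 90-test_store.t both the self-signed CA step (`req -x509`, hunk `@@ -295,7 +296,7 @@`) and the user CSR step (`req -new`, hunk `@@ -303,7 +304,7 @@`) now read `-config $cnf` with no `-section`, where they previously used the separate `ca.cnf` and `user.cnf` data files. Both requests will therefore take their DN and extension settings from the same default section, so cacert.pem and the user certificates may end up with identical subjects; ca-and-certs.cnf is outside this diff, so that is inferred. The other recipes in this commit select the user DN explicitly, and the CSR step here probably wants the same: `"-config", $cnf, "-section", "userreq",`. Both hunks sit inside `sub init`, whose body continues outside them.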