[PATCH] tests: regenerate x509 test certificates

Anton Shestakov engored at ya.ru
Wed Jul 13 01:56:10 EDT 2016


13.07.2016, 13:28, "Gregory Szorc" <gregory.szorc at gmail.com>:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1468387564 25200
> # Tue Jul 12 22:26:04 2016 -0700
> # Node ID 1f6185a33fd4b88b15e35117fbc6563d8ae1f5ca
> # Parent a4a5217e826490e3e37206133dc35a2b090668fd
> tests: regenerate x509 test certificates
>
> The old x509 test certificates were using cryptographic settings
> that are ancient by today's standards, namely 512 bit RSA keys.
> To put things in perspective, browsers have been dropping support
> for 1024 bit RSA keys.
>
> I think it is important that tests match the realities of the times.
> And 2048 bit RSA keys with SHA-2 hashing are what the world is
> moving to.
>
> This patch replaces all the x509 certificates with new versions using
> modern best practices. In addition, the docs for generating the
> keys have been updated, as the existing docs left out a few steps,
> namely how to generate certs that were not active yet or expired.
>
> diff --git a/tests/sslcerts/README b/tests/sslcerts/README
> --- a/tests/sslcerts/README
> +++ b/tests/sslcerts/README
> @@ -1,26 +1,50 @@
> -Certificates created with:
> - printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
> - openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
> -Can be dumped with:
> - openssl x509 -in pub.pem -text
> -
> - - priv.pem
> - - pub.pem
> - - pub-other.pem
> -
> -pub.pem patched with other notBefore / notAfter:
> +Generate a private key (priv.pem):
>
> - - pub-not-yet.pem
> - - pub-expired.pem
> + $ openssl genrsa -out priv.pem 2048
>
> -Client certificates created with:
> - openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512
> - openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
> - printf '.\n.\n.\n.\n.\n.\nhg-client at localhost\n.\n.\n' | \
> - openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
> - openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
> - -set_serial 01 -out client-cert.pem
> +Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):
>
> - - client-key.pem
> - - client-key-decrypted.pem
> - - client-cert.pem
> + $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
> + openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem
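Review bot: on the new `openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem` line, `-nodes` has no effect: it only disables encryption of a key that `req` itself writes via `-newkey`/`-keyout`, and here the key is read from priv.pem generated in the previous step, so it should be dropped rather than left to suggest the key is protected. The hunk also removes the old `Can be dumped with: openssl x509 -in pub.pem -text` hint together with the list of files; keep a dump command in the new README so anyone touching these fixtures can check the key size and signature algorithm the commit message is asking for.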

Nit: using -subj '/CN=localhost/emailAddress=hg at localhost' is probably more readable than this printf incantation.
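The generation step from the README hunk, reworked with the `-subj` form suggested in the reply, plus a check that the resulting certificate actually has the 2048-bit RSA key and SHA-256 signature the commit message calls for. This is an added example, not code from the patch or from the Mercurial repository; it assumes `openssl` is on PATH and writes the subject e-mail as `hg@localhost` (the archive renders it as "hg at localhost"). A minimal inline config is passed with `-config` so the command does not depend on a system openssl.cnf.

```shell
#!/bin/sh
# Added example (not part of the patch): build a test certificate with
# modern parameters and verify those parameters from the x509 text dump.

# gen_test_cert DIR: write DIR/priv.pem (2048-bit RSA) and DIR/pub.pem
# (self-signed, SHA-256), using -subj instead of a printf pipeline.
gen_test_cert() {
    dir="$1"
    # Minimal req config so the run is independent of a system openssl.cnf
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl genrsa -out "$dir/priv.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$dir/req.cnf" -key "$dir/priv.pem" \
        -sha256 -days 9000 \
        -subj '/CN=localhost/emailAddress=hg@localhost' \
        -out "$dir/pub.pem" 2>/dev/null
}

# cert_key_bits CERT: RSA modulus size in bits, taken from the
# "Public-Key: (N bit)" line of the text dump
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_sig_alg CERT: signature algorithm name, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *\(.*\)$/\1/p' | head -n 1
}

# check_modern_cert CERT: succeed only if the key is at least 2048 bits and
# the signature is SHA-256 with RSA. Fixtures like the old 512-bit, SHA-1
# certificates fail this check.
check_modern_cert() {
    bits=$(cert_key_bits "$1")
    alg=$(cert_sig_alg "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] \
        && [ "$alg" = "sha256WithRSAEncryption" ]
}

# Stand-alone use: ./gen_and_check.sh <output-dir>
if [ "$#" -gt 0 ]; then
    gen_test_cert "$1" || exit 1
    if check_modern_cert "$1/pub.pem"; then
        echo "pub.pem: $(cert_key_bits "$1/pub.pem")-bit RSA, $(cert_sig_alg "$1/pub.pem")"
    else
        echo "pub.pem does not meet the 2048-bit / SHA-256 requirement" >&2
        exit 1
    fi
fi
```

`check_modern_cert` is the piece worth keeping around: run it over every file under `tests/sslcerts/` after a regeneration and it catches a fixture that was accidentally created with the old `rsa:512` defaults before the test suite silently starts depending on it.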


More information about the Mercurial-devel mailing list