SSL test fixes

* fix CRL tests to work * regenerate certificates to be at least 2048 bit (fixes buster and rhel8 in buildbot) * update generate-ssl-cert.sh to generate crl files * make all SSL tests to use certificates generated in generate-ssl-cert.sh, remove unused certificates Backport from 10.4 9c60535f8676
author: Sergei Golubchik <serg@mariadb.org> 2019-02-20 15:15:34 +0100
committer: Sergei Golubchik <serg@mariadb.org> 2019-03-01 12:41:05 -0500
commit: 8d47d9ed8852d4fbc1c8708e06eeb180e15587c6 (patch)
tree: e43802b5b8aa2db1100c2d25b85078b97615e7d2 /mysql-test/lib
parent: 20043cf650f84dc7fcd5e2b73d1db0c5ce15e103 (diff)
download: mariadb-git-8d47d9ed8852d4fbc1c8708e06eeb180e15587c6.tar.gz
1 files changed, 28 insertions, 9 deletions
diff --git a/mysql-test/lib/generate-ssl-certs.sh b/mysql-test/lib/generate-ssl-certs.sh
index 8f15ba9d521..0894be3a299 100755
--- a/mysql-test/lib/generate-ssl-certs.sh
+++ b/mysql-test/lib/generate-ssl-certs.sh
@@ -10,30 +10,49 @@ rm -rf demoCA
 mkdir demoCA demoCA/newcerts
 touch demoCA/index.txt
 echo 01 > demoCA/serial
+echo 01 > demoCA/crlnumber
 
 # CA certificate, self-signed
 openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text
 
 # server certificate signing request and private key. Note the very long subject (for MDEV-7859)
-openssl req -newkey rsa:1024 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name'
+openssl req -newkey rsa:2048 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name'
 # convert the key to yassl compatible format
 openssl rsa -in server-key.pem -out server-key.pem
 # sign the server certificate with CA certificate
-openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -infiles demoCA/server-req.pem
+openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -in demoCA/server-req.pem
 
+# server certificate with different validity period (MDEV-7598)
+openssl req -newkey rsa:2048 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
+openssl rsa -in server-new-key.pem -out server-new-key.pem
+openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -in demoCA/server-new-req.pem
+
+# 8K cert
 openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
 openssl rsa -in server8k-key.pem -out server8k-key.pem
-openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -infiles demoCA/server8k-req.pem
-
-openssl req -newkey rsa:1024 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
-openssl rsa -in client-key.pem -out client-key.pem
-openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -infiles demoCA/client-req.pem
+openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -in demoCA/server8k-req.pem
 
 # with SubjectAltName, only for OpenSSL 1.0.2+
 cat > demoCA/sanext.conf <<EOF
 subjectAltName=DNS:localhost
 EOF
-openssl req -newkey rsa:1024 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
-openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -infiles demoCA/serversan-req.pem
+openssl req -newkey rsa:2048 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
+openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -in demoCA/serversan-req.pem
+
+# client cert
+openssl req -newkey rsa:2048 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
+openssl rsa -in client-key.pem -out client-key.pem
+openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -in demoCA/client-req.pem
+
+# generate crls
+openssl ca -revoke server-cert.pem -keyfile cakey.pem -batch -cert cacert.pem
+openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out server-cert.crl
+# we only want to have one certificate per CRL. Un-revoke server-cert.crl
+cp demoCA/index.txt.old demoCA/index.txt
+openssl ca -revoke client-cert.pem -keyfile cakey.pem -batch -cert cacert.pem
+openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out client-cert.crl
+
+rm -fv crldir/*
+cp -v client-cert.crl crldir/`openssl x509 -in client-cert.pem -noout -issuer_hash`.r0
 
 rm -rf demoCA
author	Sergei Golubchik <serg@mariadb.org>	2019-02-20 15:15:34 +0100
committer	Sergei Golubchik <serg@mariadb.org>	2019-03-01 12:41:05 -0500
commit	8d47d9ed8852d4fbc1c8708e06eeb180e15587c6 (patch)
tree	e43802b5b8aa2db1100c2d25b85078b97615e7d2 /mysql-test/lib
parent	20043cf650f84dc7fcd5e2b73d1db0c5ce15e103 (diff)
download	mariadb-git-8d47d9ed8852d4fbc1c8708e06eeb180e15587c6.tar.gz