New subject: [PATCH] build: Generate test certs using OpenSSL 3 legacy provider

Friday, 20 May 2022

OpenSSL 3 moved some legacy algorithms to a separate "legacy" provider,
so they are not available by default. Add the necessary command line
parameters for use with OpenSSL 3, which distros are switching to. For
example, Ubuntu 22.04 and Fedora 36 are the first version of those
distributions to use OpenSSL 3 or later.

This does break compatibility with older OpenSSL versions and
configuring the project with "--enable-maintainer-mode". The
tradeoff is keeping the autoconf/automake checks simpler.
---
 Makefile.am | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index d8ba99c..b8423c4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -444,7 +444,8 @@ unit/cert-client-key-pkcs1.pem:
 	$(AM_V_GEN)openssl genrsa -out [email protected] $($(AM_V_P)_redirect_openssl)
 
 unit/cert-client-key-pkcs1-des.pem: unit/cert-client-key-pkcs1.pem
-	$(AM_V_GEN)openssl rsa -in $< -out [email protected] -des -passout pass:abc
+	$(AM_V_GEN)openssl rsa -in $< -out [email protected] -des -passout pass:abc \
+			-provider legacy -provider default
 
 unit/cert-client-key-pkcs1-des3.pem: unit/cert-client-key-pkcs1.pem
 	$(AM_V_GEN)openssl rsa -in $< -out [email protected] -des3 -passout pass:abc
@@ -463,15 +464,18 @@ unit/cert-client-key-pkcs8.pem: unit/cert-client-key-pkcs1.pem
 
 unit/cert-client-key-pkcs8-md5-des.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out [email protected] \
-			-topk8 -v1 PBE-MD5-DES -passout pass:abc
+			-topk8 -v1 PBE-MD5-DES -passout pass:abc \
+			-provider legacy -provider default
 
 unit/cert-client-key-pkcs8-sha1-des.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out [email protected] \
-			-topk8 -v1 PBE-SHA1-DES -passout pass:abc
+			-topk8 -v1 PBE-SHA1-DES -passout pass:abc \
+			-provider legacy -provider default
 
 unit/cert-client-key-pkcs8-v2-des.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out [email protected] \
-			-topk8 -v2 des-cbc -v2prf hmacWithSHA1 -passout pass:abc
+			-topk8 -v2 des-cbc -v2prf hmacWithSHA1 -passout pass:abc \
+			-provider legacy -provider default
 
 unit/cert-client-key-pkcs8-v2-des-ede3.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out [email protected] \
@@ -575,19 +579,20 @@ unit/cert-entity-pkcs12-nomac.p12: unit/cert-entity-int-key.pem
unit/cert-entity
 	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -out [email protected]
-export -passout pass:abc -nomac # defaut ciphers
 
 unit/cert-entity-pkcs12-rc2-sha1.p12: unit/cert-entity-int-key.pem
unit/cert-entity-int.pem unit/cert-chain.pem
-	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem
-certfile $(builddir)/unit/cert-chain.pem -out [email protected] -export -passout pass:abc -certpbe
PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-128 -macalg sha1
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem
-certfile $(builddir)/unit/cert-chain.pem -out [email protected] -export -passout pass:abc -certpbe
PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-128 -macalg sha1 -provider legacy -provider default
 
 unit/cert-entity-pkcs12-des-sha256.p12: unit/cert-entity-int-key.pem
unit/cert-entity-int.pem unit/cert-chain.pem
 	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem
-certfile $(builddir)/unit/cert-chain.pem -out [email protected] -export -passout pass:abc -certpbe
PBE-SHA1-3DES -keypbe PBE-SHA1-2DES -macalg sha256
 
 unit/cert-entity-pkcs12-rc4-sha384.p12: unit/cert-entity-int-key.pem
unit/cert-entity-int.pem unit/cert-chain.pem
-	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem
-certfile $(builddir)/unit/cert-chain.pem -out [email protected] -export -passout pass:abc -certpbe
PBE-SHA1-RC4-128 -keypbe PBE-SHA1-RC2-40 -macalg sha384
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem
-certfile $(builddir)/unit/cert-chain.pem -out [email protected] -export -passout pass:abc -certpbe
PBE-SHA1-RC4-128 -keypbe PBE-SHA1-RC2-40 -macalg sha384 -provider legacy -provider
default
 
 unit/cert-entity-pkcs12-pkcs5-sha512.p12: unit/cert-entity-int-key.pem
unit/cert-entity-int.pem unit/cert-chain.pem
-	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem
-certfile $(builddir)/unit/cert-chain.pem -out [email protected] -export -passout pass:abc -certpbe
des-cbc -keypbe des-cbc -macalg sha512
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem
-certfile $(builddir)/unit/cert-chain.pem -out [email protected] -export -passout pass:abc -certpbe
des-cbc -keypbe des-cbc -macalg sha512 -provider legacy -provider default
 
 unit/cert-entity-combined.pem: unit/cert-entity-pkcs12-rc2-sha1.p12
-	$(AM_V_GEN)openssl pkcs12 -in $< -out [email protected] -passin pass:abc -passout pass:abc
+	$(AM_V_GEN)openssl pkcs12 -in $< -out [email protected] -passin pass:abc -passout pass:abc \
+			 -provider legacy -provider default
 
 unit/key-plaintext.h: unit/plaintext.txt
 	$(AM_V_GEN)xxd -i < $< > [email protected]
-- 
2.36.1

    

2022

2021

2020

2019

2018

2017

2016

2015

2014

[PATCH] build: Generate test certs using OpenSSL 3 legacy provider