From 479b9adb88b9050186c1e9fc94879906f378b14b Mon Sep 17 00:00:00 2001
From: Bernd Edlinger
Date: Wed, 1 Jun 2022 16:37:05 +0200
Subject: [PATCH] Change the SCT issuer key to RSA 2048

This avoids the need to use SECLEVEL=1 in 12-ct.cnf.in.

Reviewed-by: Paul Dale
Reviewed-by: Todd Short
(Merged from https://github.com/openssl/openssl/pull/18450)
---
 test/certs/embeddedSCTs1.pem | 17 ++++++-----
 test/certs/embeddedSCTs1.sct | 10 +++---
 test/certs/embeddedSCTs1_issuer-key.pem | 38 ++++++++++++++++---------
 test/certs/embeddedSCTs1_issuer.pem | 29 +++++++++++--------
 test/ssl-tests/12-ct.cnf | 24 ++++++++--------
 test/ssl-tests/12-ct.cnf.in | 14 +--------
 6 files changed, 70 insertions(+), 62 deletions(-)

diff --git a/test/certs/embeddedSCTs1.pem b/test/certs/embeddedSCTs1.pem
index d2a111fb82..c9c6490716 100644
--- a/test/certs/embeddedSCTs1.pem
+++ b/test/certs/embeddedSCTs1.pem
@@ -1,5 +1,5 @@
 -----BEGIN CERTIFICATE-----
-MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
+MIID+TCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
 MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX
 YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy
 NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3
@@ -12,10 +12,13 @@ wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI -/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB -u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ -BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR -RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1 -IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W -YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw== +/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgVVLvhQAex2omlFnb+MczYTjvUETM +SW6EeAIxPuicWWcCIQCYJYPr1uLeBMcq2RJCtoWgs/F0BsfUFnhJk/lav8NoNDAZ +BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOCAQEATRog +ZfvqRl9hMgYODL8VVRJNgqQqKVLCGME4ksBudWKPO0ulfD+de81WCFEHINBu2sPa +NSs3YHv/5eaw0tJAd4lPGGhGCl/qEIqQxN6wKcenIWu2M4QzsH6V4D7IuR+OUZCC +vNN//NpdIH1KbNGViQCw7o5ClL1+ow0MT+PuzGCI7LkdHTJzyoftzGSHqF/DzDDd +uO4ez6fQR4aj/CvQ6UZAy8ihYc2B+dz6NR/nGdCkIs7eEWISOxCgmH8NAJLgPOaU +Odw3qk4hXEyTiPkMsSjl9QSfQi5s6d9rbEuQ22ow6H092n7Du15AZS4kKlHxDa5s +G8vj2f3xch0fyx+c+w== -----END CERTIFICATE----- diff --git a/test/certs/embeddedSCTs1.sct b/test/certs/embeddedSCTs1.sct index 9e413e3dc7..475d7b8f77 100644 --- a/test/certs/embeddedSCTs1.sct +++ b/test/certs/embeddedSCTs1.sct @@ -5,8 +5,8 @@ Signed Certificate Timestamp: Timestamp : Jan 1 00:00:00.000 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 - 30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A: - D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4: - BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F: - 02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7: - 60:EB:A8:AF:03:5E:C3 + 30:45:02:20:55:52:EF:85:00:1E:C7:6A:26:94:59:DB: + F8:C7:33:61:38:EF:50:44:CC:49:6E:84:78:02:31:3E: + E8:9C:59:67:02:21:00:98:25:83:EB:D6:E2:DE:04:C7: + 2A:D9:12:42:B6:85:A0:B3:F1:74:06:C7:D4:16:78:49: + 93:F9:5A:BF:C3:68:34 
diff --git a/test/certs/embeddedSCTs1_issuer-key.pem b/test/certs/embeddedSCTs1_issuer-key.pem
index 9326e38b1e..0cb59e43cb 100644
--- a/test/certs/embeddedSCTs1_issuer-key.pem
+++ b/test/certs/embeddedSCTs1_issuer-key.pem
@@ -1,15 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7jHbrkVfT0PtLO1FuzsvR -yY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjPKDHM5nugSlojgZ88ujfm -JNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnLsvfP34b7arnRsQIDAQAB -AoGAJLR6xEJp+5IXRFlLn7WTkFvO0ddtxJ7bXhiIkTctyruyfqp7LF9Jv1G2m3PK -QPUtBc73w/GYkfnwIwdfJbOmPHL7XyEGHZYmEXgIgEtw6LXvAv0G5JpUnNwsSBfL -GfSQqI5Z5ytyzlJXkMcTGA2kTgNAYc73h4EnU+pwUnDPdAECQQD2aj+4LtYk1XPq -r3gjgI6MoGvgYJfPmAtZhxxVbhXQKciFUCAcBiwlQdHIdLWE9j65ctmZRWidKifr -4O4nz+TBAkEA3djNW/rTQq5fKZy+mCF1WYnIU/3yhJaptzRqLm7AHqe7+hdrGXJw -+mCtU8T3L/Ms8bH1yFBZhmkp1PbR8gl48QJAQo70YyWThiN5yfxXcQ96cZWrTdIJ -b3NcLXSHPLQdhDqlBQ1dfvRT3ERpC8IqfZ2d162kBPhwh3MpkVcSPQK0gQJAC/dY -xGBYKt2a9nSk9zG+0bCT5Kvq++ngh6hFHfINXNnxUsEWns3EeEzkrIMQTj7QqszN -lBt5aL2dawZRNrv6EQJBAOo4STF9KEwQG0HLC/ryh1FeB0OBA5yIepXze+eJVKei -T0cCECOQJKfWHEzYJYDJhyEFF/sYp9TXwKSDjOifrsU= +MIIEogIBAAKCAQEAwckj9DNhinn9gUivB5TNOW8vsn8Kn5UXms8V3TlYQx9I37mW +kabOB5meZ6221is1oANJkQk9MZv3Jlap/8P3Vt4yAmslclbuT7oOoZdpX8x5yoED +L3PoSNARLj25PvWR7Djtd9O9pTuZcUEbd5guJddw5Pj3HA0Q7a+5tHOSWG63p3pF +ZONyticwBVWfvBkMHbWkA8g6EDvAbKmz26r5FQlfsOw/0U6CP0oJKkhJHSchFYG8 +IsjfkV3LXNbCwV4n9vOCx4cZNUznjaF0uUsOj0kmvP0bprVSEXMIGxitl4Z/vUru +WaR3mN2/Od/TnicxyMohAKqeeG16QK2Z4uXe8wIDAQABAoIBADYYp1/JZCZbDaik +mK/eGzg4ULFcg6Ou5CsEOk9Kbdg3CInj7iN01DkM6kp5FPxOjabApC3HzXxm1KSw +Nr6+fvKSDpXcQVTc7aP2BZWYhgMHOsyMHU6G5cZFxzYIZwkrVnQCJFB6HIveymPy +T++f3OoVbV+OHLWI9DvV/VphlO34ZaWHtDjor4+ycNSkdpH2t1ecmob/zs/5lt+T +5xfQ38qpuWWJiXstd6O4THgTU9u8/E6CIAdS5CiYORoW/EqRMlV8lt10dfG75feF +WvZD+w/DHgFi1izLaSRsHqHHT1hc3h1tFl1c1XDvkTFPgTqbk01VK9IvsPn9QKcc ++Sw7o0ECgYEA8ghy34lSSbGrvk+djU+vwQ7VEPE5+gicp4Dl2E0tEeZyRt3q4Vt5 +QF60D7Q6E6NjzIEVsm7Ic/qo12klOSMJ4NB5r+oMTJ6R+09/9gzyWx9sYb1rzgYh +FtOex6fzYQnqPydb06u/crdL7lbxmYlK09rr/wcqzMx7gmkqMBmtS9MCgYEAzPfv +Uc+wN8ZPzpRbGabenoyTf+v4+f+VfIGMUw9TKQZozsGVypZeAy++l9sAymaty3FH +oob5P8i9dwFHhaaXmWCBZyWxRJbQ+tTYAulQd/FZoaGX8SdENPmcLnTTXnDPXJTT 
+YyDQwpYFl2Qv6n0DPY0HvtR3iG/0VoM9Rt7wzGECgYApYYJqb6sPCH6JokkYsQgm +pOeO5v93nWNTTDl/+un6xoDBVw3ii+Y2ODrm+HR5iRT2ERfpkwFYuwGFGugPVctJ +kbtMdWK28uGYqyYApoQFSmEYcO9uoSOlKHdcQX3eGHjhZVRQ42tvLKGh1WGnU47k +m+h/iPUrYMa5LEvXP3yemwKBgDhWCSxGVlvuIO9ZrXRufg+7+aqWVDd6fT7caJJH +ywaioVn6sU4eaDad/9fDNQNsl2Yse5D7YjSa2yCDdIISmOZqNQcBwChm/4eByuF5 ++UkOSCF5xcZdkYyx8rB+Ib56aTQ8H6HGWjqxe1XyDo130NUxFyjnQvd4NgM1TTlW +e37hAoGAGj8eUtfqyChkIYFqnDZM/cH9a/hISTXItFwMVltY46s+IoxrQK9xG8Ke +K1pGSiKs3m0L/qKLmKGThBdR1DjFw6Y7qajg0JZtzdcnyWRQpOrTC7mxtjSkcQ3e +56h1nvYF3IgtobIOyxoO05oiQHv1fn8hK5PjdBMdeDxkWJT/a2s= -----END RSA PRIVATE KEY----- diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem index 6aa9455f09..ebcd4b4861 100644 --- a/test/certs/embeddedSCTs1_issuer.pem +++ b/test/certs/embeddedSCTs1_issuer.pem 
@@ -1,18 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk +MIID1zCCAr+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w -gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG -0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4 -SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG -acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw -wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw -CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB -MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD -AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq -+uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo -2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c -Doud4XrO +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBySP0M2GKef2BSK8HlM05 +by+yfwqflReazxXdOVhDH0jfuZaRps4HmZ5nrbbWKzWgA0mRCT0xm/cmVqn/w/dW +3jICayVyVu5Pug6hl2lfzHnKgQMvc+hI0BEuPbk+9ZHsOO13072lO5lxQRt3mC4l +13Dk+PccDRDtr7m0c5JYbrenekVk43K2JzAFVZ+8GQwdtaQDyDoQO8BsqbPbqvkV +CV+w7D/RToI/SgkqSEkdJyEVgbwiyN+RXctc1sLBXif284LHhxk1TOeNoXS5Sw6P +SSa8/RumtVIRcwgbGK2Xhn+9Su5ZpHeY3b8539OeJzHIyiEAqp54bXpArZni5d7z +AgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2OawwSS0R8NVMH0GA1Ud +IwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYDVQQGEwJHQjEk +MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX +YWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQAx4nGkweUG9fE1IpAsRSNoW+OzxWmzhLXHWFslPHe8P7OODW+y +t5nUWdAwPej7vGo/y2nF9Y2WbRKwJrAcNFn6rLnrA5nuzH+mOJt5EckajWWU2MqF +9nLfQiNsds85//r3ENQ3wfh6hZojvh98o+5mC5AV8JzORyj5NxzDXp5zdf8dt00s 
+D612d/RTFMPPzVK5vYBOoCusafV5qI/c4DYi02B00xtkUj3lFZc5afGpWIbJIarc +ESlqR3J66UetqbK4bP/nwQlW3PgZCpJXSHVPuwK3V+4ZTSVd5+FbYVp1DXp/qbq8 +P6RD7n+MnBgdEH0AFtgQ28effUXaSWDTXxze -----END CERTIFICATE----- diff --git a/test/ssl-tests/12-ct.cnf b/test/ssl-tests/12-ct.cnf index 369c5d4e8e..2e6e9dea67 100644 --- a/test/ssl-tests/12-ct.cnf +++ b/test/ssl-tests/12-ct.cnf @@ -19,11 +19,11 @@ client = 0-ct-permissive-without-scts-client [0-ct-permissive-without-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [0-ct-permissive-without-scts-client] -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -46,11 +46,11 @@ client = 1-ct-permissive-with-scts-client [1-ct-permissive-with-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem [1-ct-permissive-with-scts-client] -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer @@ -73,11 +73,11 @@ client = 2-ct-strict-without-scts-client [2-ct-strict-without-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [2-ct-strict-without-scts-client] -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -101,11 +101,11 @@ client = 3-ct-strict-with-scts-client [3-ct-strict-with-scts-server] Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem [3-ct-strict-with-scts-client] -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer @@ -130,11 +130,11 @@ resume-client = 4-ct-permissive-resumption-client [4-ct-permissive-resumption-server] Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem [4-ct-permissive-resumption-client] -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer @@ -162,11 +162,11 @@ resume-client = 5-ct-strict-resumption-resume-client [5-ct-strict-resumption-server] Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem [5-ct-strict-resumption-client] -CipherString = DEFAULT@SECLEVEL=1 +CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem VerifyMode = Peer diff --git a/test/ssl-tests/12-ct.cnf.in b/test/ssl-tests/12-ct.cnf.in index 93890b9fce..ddafd3fc4c 100644 --- a/test/ssl-tests/12-ct.cnf.in +++ b/test/ssl-tests/12-ct.cnf.in @@ -1,5 +1,5 @@ # -*- mode: perl; -*- -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -19,10 +19,8 @@ our @tests = ( { name => "ct-permissive-without-scts", server => { - "CipherString" => 'DEFAULT@SECLEVEL=1', }, client => { - "CipherString" => 'DEFAULT@SECLEVEL=1', extra => { "CTValidation" => "Permissive", }, @@ -34,12 +32,10 @@ our @tests = ( { name => "ct-permissive-with-scts", server => { - "CipherString" => 'DEFAULT@SECLEVEL=1', "Certificate" => test_pem("embeddedSCTs1.pem"), "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), }, client => { - "CipherString" => 'DEFAULT@SECLEVEL=1', "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), extra => { "CTValidation" => "Permissive", @@ -52,10 +48,8 @@ our @tests = ( { name => "ct-strict-without-scts", server => { - "CipherString" => 'DEFAULT@SECLEVEL=1', }, client => { - "CipherString" => 'DEFAULT@SECLEVEL=1', extra => { "CTValidation" => "Strict", }, @@ -68,12 +62,10 @@ our @tests = ( { name => "ct-strict-with-scts", server => { - "CipherString" => 'DEFAULT@SECLEVEL=1', "Certificate" => test_pem("embeddedSCTs1.pem"), "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), }, client => { - "CipherString" => 'DEFAULT@SECLEVEL=1', "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), extra => { "CTValidation" => "Strict", @@ -86,12 +78,10 @@ our @tests = ( { name => "ct-permissive-resumption", server => { - "CipherString" => 'DEFAULT@SECLEVEL=1', "Certificate" => test_pem("embeddedSCTs1.pem"), "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), }, client => { - "CipherString" => 'DEFAULT@SECLEVEL=1', "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), extra => { "CTValidation" => "Permissive", @@ -106,12 +96,10 @@ our @tests = ( { name => "ct-strict-resumption", server => { - "CipherString" => 'DEFAULT@SECLEVEL=1', "Certificate" => test_pem("embeddedSCTs1.pem"), "PrivateKey" => test_pem("embeddedSCTs1-key.pem"), }, client => { - "CipherString" => 'DEFAULT@SECLEVEL=1', "VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"), extra => { "CTValidation" => "Strict",