From: Mat Martineau <mathew.j.martineau at linux.intel.com>
To: ell at lists.01.org
Subject: Re: [PATCH] build: Generate test certs using OpenSSL 3 legacy provider
Date: Wed, 25 May 2022 16:20:43 -0700 [thread overview]
Message-ID: <13d780a4-a97d-15-6519-f4f281a61c71@linux.intel.com> (raw)
In-Reply-To: 20220521001534.1050889-1-mathew.j.martineau@linux.intel.com
On Fri, 20 May 2022, Mat Martineau wrote:
> OpenSSL 3 moved some legacy algorithms to a separate "legacy" provider,
> so they are not available by default. Add the necessary command line
> parameters for use with OpenSSL 3, which distros are switching to. For
> example, Ubuntu 22.04 and Fedora 36 are the first versions of those
> distributions to use OpenSSL 3 or later.
>
> This does break compatibility with older OpenSSL versions and
> configuring the project with "--enable-maintainer-mode". The
> tradeoff is keeping the autoconf/automake checks simpler.
> ---
> Makefile.am | 21 +++++++++++++--------
> 1 file changed, 13 insertions(+), 8 deletions(-)
Marcel, Denis -
Any further thoughts on which approach to openssl3 compatibility you
prefer for ELL - this patch or "build: Check for openssl legacy provider
requirement" with reverse compatibility?
Thanks,
Mat
> diff --git a/Makefile.am b/Makefile.am
> index d8ba99c..b8423c4 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -444,7 +444,8 @@ unit/cert-client-key-pkcs1.pem:
> $(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
>
> unit/cert-client-key-pkcs1-des.pem: unit/cert-client-key-pkcs1.pem
> - $(AM_V_GEN)openssl rsa -in $< -out $@ -des -passout pass:abc
> + $(AM_V_GEN)openssl rsa -in $< -out $@ -des -passout pass:abc \
> + -provider legacy -provider default
>
> unit/cert-client-key-pkcs1-des3.pem: unit/cert-client-key-pkcs1.pem
> $(AM_V_GEN)openssl rsa -in $< -out $@ -des3 -passout pass:abc
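Review bot: consider adding a one-line comment above this rule saying which algorithms need the legacy provider, because the asymmetry with the untouched des3 target directly below is otherwise puzzling: single DES moved to OpenSSL 3's legacy provider while DES-EDE3 stayed in the default provider, so leaving des3 alone is correct. Naming `-provider default` next to `-provider legacy` is also necessary as written, since giving any `-provider` option disables automatic loading of the default provider.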
> @@ -463,15 +464,18 @@ unit/cert-client-key-pkcs8.pem: unit/cert-client-key-pkcs1.pem
>
> unit/cert-client-key-pkcs8-md5-des.pem: unit/cert-client-key-pkcs8.pem
> $(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
> - -topk8 -v1 PBE-MD5-DES -passout pass:abc
> + -topk8 -v1 PBE-MD5-DES -passout pass:abc \
> + -provider legacy -provider default
>
> unit/cert-client-key-pkcs8-sha1-des.pem: unit/cert-client-key-pkcs8.pem
> $(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
> - -topk8 -v1 PBE-SHA1-DES -passout pass:abc
> + -topk8 -v1 PBE-SHA1-DES -passout pass:abc \
> + -provider legacy -provider default
>
> unit/cert-client-key-pkcs8-v2-des.pem: unit/cert-client-key-pkcs8.pem
> $(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
> - -topk8 -v2 des-cbc -v2prf hmacWithSHA1 -passout pass:abc
> + -topk8 -v2 des-cbc -v2prf hmacWithSHA1 -passout pass:abc \
> + -provider legacy -provider default
>
> unit/cert-client-key-pkcs8-v2-des-ede3.pem: unit/cert-client-key-pkcs8.pem
> $(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
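Review bot: the same `-provider legacy -provider default` tail is now repeated verbatim in every affected rule in this hunk; a single Makefile.am variable (e.g. `OPENSSL_LEGACY_PROVIDER = -provider legacy -provider default`) appended to these rules would keep the list of legacy-dependent targets visible in one place and turn the older-OpenSSL incompatibility acknowledged in the commit message into a one-variable change. The selection itself is consistent: PBE-MD5-DES, PBE-SHA1-DES and `-v2 des-cbc` all depend on single DES, while the unchanged v2 des-ede3 target does not.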
> @@ -575,19 +579,20 @@ unit/cert-entity-pkcs12-nomac.p12: unit/cert-entity-int-key.pem unit/cert-entity
> $(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -out $@ -export -passout pass:abc -nomac # defaut ciphers
>
> unit/cert-entity-pkcs12-rc2-sha1.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
> - $(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-128 -macalg sha1
> + $(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-128 -macalg sha1 -provider legacy -provider default
>
> unit/cert-entity-pkcs12-des-sha256.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
> $(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-2DES -macalg sha256
>
> unit/cert-entity-pkcs12-rc4-sha384.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
> - $(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC4-128 -keypbe PBE-SHA1-RC2-40 -macalg sha384
> + $(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC4-128 -keypbe PBE-SHA1-RC2-40 -macalg sha384 -provider legacy -provider default
>
> unit/cert-entity-pkcs12-pkcs5-sha512.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
> - $(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe des-cbc -keypbe des-cbc -macalg sha512
> + $(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe des-cbc -keypbe des-cbc -macalg sha512 -provider legacy -provider default
>
> unit/cert-entity-combined.pem: unit/cert-entity-pkcs12-rc2-sha1.p12
> - $(AM_V_GEN)openssl pkcs12 -in $< -out $@ -passin pass:abc -passout pass:abc
> + $(AM_V_GEN)openssl pkcs12 -in $< -out $@ -passin pass:abc -passout pass:abc \
> + -provider legacy -provider default
>
> unit/key-plaintext.h: unit/plaintext.txt
> $(AM_V_GEN)xxd -i < $< > $@
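Review bot: the `# defaut ciphers` comment in the first context line of this hunk is a typo for `default`; it predates this patch, but since the neighbouring pkcs12 rules are being edited it is worth fixing in the same change or a follow-up. The flag placement matches the earlier hunks: RC2, RC4 and single-DES PBEs are legacy-only in OpenSSL 3, the PBE-SHA1-3DES/PBE-SHA1-2DES target is correctly left unchanged, and cert-entity-combined.pem needs the legacy provider as well because it reads back the RC2-encrypted .p12.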
> --
> 2.36.1
>
>
--
Mat Martineau
Intel
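As an added example (not code from the patch or from the ELL project), this is one way the "reverse compatibility" alternative mentioned above could be expressed: the provider flags are derived from the `openssl version` string and the algorithm name, so OpenSSL 1.1 builds that lack the `-provider` option get no extra flags. The function names and the sample version strings are my own.

```shell
#!/bin/sh
# Hypothetical helper (not ELL code): decide whether an openssl invocation
# needs "-provider legacy -provider default" on this OpenSSL version.

# Return 0 if the given "openssl version" output is OpenSSL 3 or newer.
# LibreSSL or an unrecognised string yields 1 (no provider model there).
openssl_is_v3() {
    # $1 example: "OpenSSL 3.0.2 15 Mar 2022" (constructed sample string)
    major=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\..*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 3 ]
}

# Return 0 if the algorithm name, as written on the openssl command line or
# as a -v1/-certpbe/-keypbe argument, lives in the OpenSSL 3 legacy provider.
needs_legacy_provider() {
    case "$1" in
        # Single DES, RC2 and RC4 (and the PKCS#5 v1.5 PBEs built on them)
        # moved to the legacy provider; DES-EDE3/3DES and 2DES stayed in default.
        -des|des-cbc|PBE-MD5-DES|PBE-SHA1-DES|PBE-SHA1-RC2-*|PBE-SHA1-RC4-*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Print the flags to append to an openssl command for this version/algorithm,
# or nothing when the stock default provider (or OpenSSL 1.1) suffices.
legacy_provider_flags() {
    version="$1"
    alg="$2"
    if openssl_is_v3 "$version" && needs_legacy_provider "$alg"; then
        # Once any -provider is given, the default provider must be named too,
        # otherwise RSA/PKCS#8 handling in the same command would be missing.
        printf '%s' '-provider legacy -provider default'
    else
        :   # nothing to append
    fi
}
```

In a Makefile this would be captured once at configure time (e.g. into a variable appended to the affected rules) rather than re-evaluated per target.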