make expiration and key length changeable by DAYS and KEYLEN

variables in the certificate Makefile (#1058108) - change default hash to sha256 (#1062325)
2014-02-06 18:07:59 +01:00 · 2014-02-06 18:07:59 +01:00 · abe62302b2
commit abe62302b2
parent 40825564d8
3 changed files with 38 additions and 11 deletions
--- a/Makefile.certificate
+++ b/Makefile.certificate
@ -1,5 +1,8 @@
 UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
 SERIAL=0
+DAYS=365
+KEYLEN=2048
+TYPE=rsa:$(KEYLEN)

 .PHONY: usage
 .SUFFIXES: .key .csr .crt .pem
@ -21,6 +24,7 @@ usage:
 	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
 	@echo
 	@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
+	@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
 	@echo
 	@echo Examples:
 	@echo "  make server.key"
@ -38,7 +42,7 @@ usage:
 	umask 77 ; \
 	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
-	/usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
+	/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
 	cat $$PEM1 >  $@ ; \
 	echo ""    >> $@ ; \
 	cat $$PEM2 >> $@ ; \
@ -46,7 +50,7 @@ usage:

 %.key:
 	umask 77 ; \
-	/usr/bin/openssl genrsa -aes128 2048 > $@
+	/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@

 %.csr: %.key
 	umask 77 ; \
@ -54,7 +58,7 @@ usage:

 %.crt: %.key
 	umask 77 ; \
-	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)
+	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)

 TLSROOT=/etc/pki/tls
 KEY=$(TLSROOT)/private/localhost.key
@ -71,4 +75,4 @@ $(CSR): $(KEY)

 $(CRT): $(KEY)
 	umask 77 ; \
-	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)
+	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)
--- a/openssl-1.0.1e-defaults.patch
+++ b/openssl-1.0.1e-defaults.patch
@ -1,13 +1,22 @@
-diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cnf
--- openssl-1.0.0f/apps/openssl.cnf.defaults	2011-12-06 01:01:00.000000000 +0100
-+++ openssl-1.0.0f/apps/openssl.cnf	2012-01-05 13:16:15.000000000 +0100
+diff -up openssl-1.0.1e/apps/openssl.cnf.defaults openssl-1.0.1e/apps/openssl.cnf
+--- openssl-1.0.1e/apps/openssl.cnf.defaults	2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/apps/openssl.cnf	2014-02-06 18:00:00.170929334 +0100
+@@ -72,7 +72,7 @@ cert_opt 	= ca_default		# Certificate fi
+ 
+ default_days	= 365			# how long to certify for
+ default_crl_days= 30			# how long before next CRL
+-default_md	= default		# use public key default MD
+default_md	= sha256		# use SHA-256 by default
+ preserve	= no			# keep passed DN ordering
+ 
+ # A few difference way of specifying how similar the request should look
@@ -103,7 +103,8 @@ emailAddress		= optional
 
 ####################################################################
 [ req ]
 -default_bits		= 1024
 +default_bits		= 2048
-+default_md		= sha1
+default_md		= sha256
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
@ -25,7 +34,7 @@ diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cn
 +#stateOrProvinceName_default	= Default Province
 
 localityName			= Locality Name (eg, city)
-+localityName_default	= Default City
+localityName_default		= Default City
 
 0.organizationName		= Organization Name (eg, company)
 -0.organizationName_default	= Internet Widgits Pty Ltd
@ -42,3 +51,12 @@ diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cn
 commonName_max			= 64
 
 emailAddress			= Email Address
+@@ -339,7 +341,7 @@ signer_key	= $dir/private/tsakey.pem # T
+ default_policy	= tsa_policy1		# Policy if request did not specify it
+ 					# (optional)
+ other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests		= sha1, sha256, sha384, sha512	# Acceptable message digests (mandatory)
+ accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+ clock_precision_digits  = 0	# number of digits after dot. (optional)
+ ordering		= yes	# Is ordering defined for timestamps?
--- a/openssl.spec
+++ b/openssl.spec
@ -21,7 +21,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 38%{?dist}
+Release: 39%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -39,7 +39,7 @@ Source12: ec_curve.c
 Source13: ectest.c
 # Build changes
 Patch1: openssl-1.0.1-beta2-rpmbuild.patch
-Patch2: openssl-1.0.0f-defaults.patch
+Patch2: openssl-1.0.1e-defaults.patch
 Patch4: openssl-1.0.0-beta5-enginesdir.patch
 Patch5: openssl-0.9.8a-no-rpath.patch
 Patch6: openssl-0.9.8b-test-use-localhost.patch
@ -474,6 +474,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig

 %changelog
+* Thu Feb  6 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-39
+- make expiration and key length changeable by DAYS and KEYLEN
+  variables in the certificate Makefile (#1058108)
+- change default hash to sha256 (#1062325)
+
 * Wed Jan 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
 - make 3des strength to be 128 bits instead of 168 (#1056616)