make expiration and key length changeable by DAYS and KEYLEN

variables in the certificate Makefile (#1058108)
- change default hash to sha256 (#1062325)
This commit is contained in:
Tomas Mraz 2014-02-06 18:07:59 +01:00
parent 40825564d8
commit abe62302b2
3 changed files with 38 additions and 11 deletions

View File

@ -1,5 +1,8 @@
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8) UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
SERIAL=0 SERIAL=0
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
.PHONY: usage .PHONY: usage
.SUFFIXES: .key .csr .crt .pem .SUFFIXES: .key .csr .crt .pem
@ -21,6 +24,7 @@ usage:
@echo "To create a test certificate for use with Apache, run \"make testcert\"." @echo "To create a test certificate for use with Apache, run \"make testcert\"."
@echo @echo
@echo "To create a test certificate with serial number other than zero, add SERIAL=num" @echo "To create a test certificate with serial number other than zero, add SERIAL=num"
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
@echo @echo
@echo Examples: @echo Examples:
@echo " make server.key" @echo " make server.key"
@ -38,7 +42,7 @@ usage:
umask 77 ; \ umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \ /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
cat $$PEM1 > $@ ; \ cat $$PEM1 > $@ ; \
echo "" >> $@ ; \ echo "" >> $@ ; \
cat $$PEM2 >> $@ ; \ cat $$PEM2 >> $@ ; \
@ -46,7 +50,7 @@ usage:
%.key: %.key:
umask 77 ; \ umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > $@ /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
%.csr: %.key %.csr: %.key
umask 77 ; \ umask 77 ; \
@ -54,7 +58,7 @@ usage:
%.crt: %.key %.crt: %.key
umask 77 ; \ umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL) /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)
TLSROOT=/etc/pki/tls TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key KEY=$(TLSROOT)/private/localhost.key
@ -71,4 +75,4 @@ $(CSR): $(KEY)
$(CRT): $(KEY) $(CRT): $(KEY)
umask 77 ; \ umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL) /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)

View File

@ -1,13 +1,22 @@
diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cnf diff -up openssl-1.0.1e/apps/openssl.cnf.defaults openssl-1.0.1e/apps/openssl.cnf
--- openssl-1.0.0f/apps/openssl.cnf.defaults 2011-12-06 01:01:00.000000000 +0100 --- openssl-1.0.1e/apps/openssl.cnf.defaults 2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.0f/apps/openssl.cnf 2012-01-05 13:16:15.000000000 +0100 +++ openssl-1.0.1e/apps/openssl.cnf 2014-02-06 18:00:00.170929334 +0100
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = default # use public key default MD
+default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
@@ -103,7 +103,8 @@ emailAddress = optional @@ -103,7 +103,8 @@ emailAddress = optional
#################################################################### ####################################################################
[ req ] [ req ]
-default_bits = 1024 -default_bits = 1024
+default_bits = 2048 +default_bits = 2048
+default_md = sha1 +default_md = sha256
default_keyfile = privkey.pem default_keyfile = privkey.pem
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
attributes = req_attributes attributes = req_attributes
@ -25,7 +34,7 @@ diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cn
+#stateOrProvinceName_default = Default Province +#stateOrProvinceName_default = Default Province
localityName = Locality Name (eg, city) localityName = Locality Name (eg, city)
+localityName_default = Default City +localityName_default = Default City
0.organizationName = Organization Name (eg, company) 0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd -0.organizationName_default = Internet Widgits Pty Ltd
@ -42,3 +51,12 @@ diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cn
commonName_max = 64 commonName_max = 64
emailAddress = Email Address emailAddress = Email Address
@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
-digests = md5, sha1 # Acceptable message digests (mandatory)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?

View File

@ -21,7 +21,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.0.1e Version: 1.0.1e
Release: 38%{?dist} Release: 39%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -39,7 +39,7 @@ Source12: ec_curve.c
Source13: ectest.c Source13: ectest.c
# Build changes # Build changes
Patch1: openssl-1.0.1-beta2-rpmbuild.patch Patch1: openssl-1.0.1-beta2-rpmbuild.patch
Patch2: openssl-1.0.0f-defaults.patch Patch2: openssl-1.0.1e-defaults.patch
Patch4: openssl-1.0.0-beta5-enginesdir.patch Patch4: openssl-1.0.0-beta5-enginesdir.patch
Patch5: openssl-0.9.8a-no-rpath.patch Patch5: openssl-0.9.8a-no-rpath.patch
Patch6: openssl-0.9.8b-test-use-localhost.patch Patch6: openssl-0.9.8b-test-use-localhost.patch
@ -474,6 +474,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Thu Feb 6 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-39
- make expiration and key length changeable by DAYS and KEYLEN
variables in the certificate Makefile (#1058108)
- change default hash to sha256 (#1062325)
* Wed Jan 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38 * Wed Jan 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
- make 3des strength to be 128 bits instead of 168 (#1056616) - make 3des strength to be 128 bits instead of 168 (#1056616)