New commits:
commit b58f735d7d5b998abdc366a548d6832c4c7aeb3d
Merge: db8f7125bc c4a269ff50
Author: Andrew Cagney <cag...@gnu.org>
Date:   Mon Jan 20 16:03:28 2025 -0500

    testing x509: don't use dist_certs.py to generate fake PKI
    
    i.e., not pyca/cryptography and not pyca/openssl
    
    Instead generate them using NSS's certutil, and pk12util and
    OpenSSL's openssl-pkcs12.
    
    Merge commit 'c4a269ff500d31acbeae37135be29bebd44d8a9a'

commit c4a269ff500d31acbeae37135be29bebd44d8a9a
Author: Andrew Cagney <cag...@gnu.org>
Date:   Mon Jan 20 12:23:36 2025 -0500

    testing x509: update tests to work with nss.sh generated fake certs
    
    - NSS's subject is encoded in the reverse order to OpenSSL!
    
      OpenSSL: C=CA, CN=Ontario, ...
      NSS:     .... CN=Ontario, C=CA
    
    - the .p12 files use short common names
    
      for instance, mainca, mainec
    
    - just the certs and keys that are needed are imported
    
      - east no longer has west's private key
      - no longer need to delete CAs

commit 4aaad7803b5b98ca79287450aaec0f4f675de67d
Author: Andrew Cagney <cag...@gnu.org>
Date:   Thu Jan 16 16:03:41 2025 -0500

    testing x509: add nss.sh, generate fake certs using pk12util, certutil, and openssl
    
    ... and drop code in dist_certs.py doing something similar
    
    The script generates two directories:
    
      real/
      fake/
    
    both then contain the subdirectories:
    
      mainca/ (RSA)
      mainec/ (EC)
    
    and these subdirectories then contain a populated NSS database, along
    with key/cert and HOST keys and certs for EAST, WEST, NORTH, ROAD,
    NIC, RISE, SET:
    
      root.p12          root cert+key
      root.cert         root cert only
      HOST.all.p12              HOST's cert+key + cert chain
      HOST.end.p12              HOST's cert+key (i.e., no cert chain) NEW!
      HOST.end.cert             HOST's cert (i.e., no key, no cert chain)
    
    Just note there are some differences:
    
    - the directory and file layout is different to dist_certs.py
    
    - NSS orders the subject OIDs:
         E=user-e...@testing.libreswan.org, ..., ST=Ontario, C=CA
      whereas OpenSSL orders them:
         C=CA, ST=Ontario, ..., E=user-e...@testing.libreswan.org
    
    - the root cert's nickname is mainca and not "Testing ...."

commit 549248a9bae56f3ca590f0d976dd093a85cfce5d
Author: Andrew Cagney <cag...@gnu.org>
Date:   Mon Jan 20 10:12:46 2025 -0500

    testing: dump cert DB content after adding fake certs
    
    to confirm what is expected

_______________________________________________
Swan-commit mailing list -- swan-commit@lists.libreswan.org