Cleanup cert config files for tests

Merge test/P[12]ss.cnf into one config file
Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf
Remove Netscape cert extensions, add keyUsage comment from some cnf files

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)

apps/openssl-vms.cnf

@@ -171,27 +171,9 @@ unstructuredName		= An optional company name
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This is required for TSA certificates.
 # extendedKeyUsage = critical,timeStamping
 
@@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
 # Copy issuer details
@@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This really needs to be in place for it to be a proxy certificate.
 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 

apps/openssl.cnf

@@ -171,27 +171,9 @@ unstructuredName		= An optional company name
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -206,13 +188,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This is required for TSA certificates.
 # extendedKeyUsage = critical,timeStamping
 
@@ -242,9 +217,6 @@ basicConstraints = critical,CA:true
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
 # Copy issuer details
@@ -272,27 +244,9 @@ authorityKeyIdentifier=keyid:always
 
 basicConstraints=CA:FALSE
 
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
@@ -307,13 +261,6 @@ authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 # issuerAltName=issuer:copy
 
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This really needs to be in place for it to be a proxy certificate.
 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 

demos/certs/apps/apps.cnf

@@ -35,9 +35,6 @@ commonName			= $ENV::CN
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 [ ec_cert ]
 
 # These extensions are added when 'ca' signs a request for an end entity
@@ -46,9 +43,6 @@ nsComment			= "OpenSSL Generated Certificate"
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid

demos/certs/ca.cnf

@@ -35,9 +35,6 @@ commonName			= $ENV::CN
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
@@ -47,9 +44,6 @@ authorityKeyIdentifier=keyid
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid

doc/man7/proxy-certificates.pod

@@ -116,7 +116,7 @@ two commands:
 
     openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \
         -CA user.crt -CAkey user.key -days 7 \
-        -extfile proxy.cnf -extensions v3_proxy1
+        -extfile proxy.cnf -extensions proxy
 
 You can also create a proxy certificate using another proxy
 certificate as issuer (note: using a different configuration
@@ -128,7 +128,7 @@ section for the proxy extensions):
 
     openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \
         -CA proxy.crt -CAkey proxy.key -days 7 \
-        -extfile proxy.cnf -extensions v3_proxy2
+        -extfile proxy.cnf -extensions proxy_2
 
 =head2 Using proxy certs in applications
 

test/CAss.cnf

@@ -1,69 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
-distinguished_name	= req_distinguished_name
-encrypt_rsa_key		= no
-default_md		= sha1
-
-[ req_distinguished_name ]
-countryName			= Country Name (2 letter code)
-countryName_default		= AU
-countryName_value		= AU
-
-organizationName		= Organization Name (eg, company)
-organizationName_value		= Dodgy Brothers
-
-commonName			= Common Name (eg, YOUR name)
-commonName_value		= Dodgy CA
-
-####################################################################
-[ ca ]
-default_ca	= CA_default		# The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir		= ./demoCA		# Where everything is kept
-certs		= $dir/certs		# Where the issued certs are kept
-crl_dir		= $dir/crl		# Where the issued crl are kept
-database	= $dir/index.txt	# database index file.
-#unique_subject	= no			# Set to 'no' to allow creation of
-					# several certificates with same subject.
-new_certs_dir	= $dir/newcerts		# default place for new certs.
-
-certificate	= $dir/cacert.pem 	# The CA certificate
-serial		= $dir/serial 		# The current serial number
-crl		= $dir/crl.pem 		# The current CRL
-private_key	= $dir/private/cakey.pem# The private key
-
-x509_extensions	= v3_ca			# The extensions to add to the cert
-
-name_opt 	= ca_default		# Subject Name options
-cert_opt 	= ca_default		# Certificate field options
-
-default_days	= 365			# how long to certify for
-default_crl_days= 30			# how long before next CRL
-default_md	= md5			# which md to use.
-preserve	= no			# keep passed DN ordering
-
-policy		= policy_anything
-
-[ policy_anything ]
-countryName		= optional
-stateOrProvinceName	= optional
-localityName		= optional
-organizationName	= optional
-organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
-
-
-
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = critical,CA:true,pathlen:1
-keyUsage = cRLSign, keyCertSign
-issuerAltName=issuer:copy

test/P1ss.cnf

@@ -1,31 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
-distinguished_name	= req_distinguished_name
-encrypt_rsa_key		= no
-default_md		= sha256
-
-[ req_distinguished_name ]
-countryName			= Country Name (2 letter code)
-countryName_default		= AU
-countryName_value		= AU
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-
-0.commonName			= Common Name (eg, YOUR name)
-0.commonName_value		= Brother 1
-
-1.commonName			= Common Name (eg, YOUR name)
-1.commonName_value		= Brother 2
-
-2.commonName			= Common Name (eg, YOUR name)
-2.commonName_value		= Proxy 1
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB

test/P2ss.cnf

@@ -1,39 +0,0 @@
-
-####################################################################
-[ req ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
-distinguished_name	= req_distinguished_name
-encrypt_rsa_key		= no
-default_md		= sha256
-
-[ req_distinguished_name ]
-countryName			= Country Name (2 letter code)
-countryName_default		= AU
-countryName_value		= AU
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-
-0.commonName			= Common Name (eg, YOUR name)
-0.commonName_value		= Brother 1
-
-1.commonName			= Common Name (eg, YOUR name)
-1.commonName_value		= Brother 2
-
-2.commonName			= Common Name (eg, YOUR name)
-2.commonName_value		= Proxy 1
-
-3.commonName			= Common Name (eg, YOUR name)
-3.commonName_value		= Proxy 2
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,@proxy_ext
-
-[ proxy_ext ]
-language=id-ppl-anyLanguage
-pathlen=0
-policy=text:BC

test/Uss.cnf

@@ -1,36 +0,0 @@
-
-CN2 = Brother 2
-
-####################################################################
-[ req ]
-default_bits		= 2048
-default_keyfile 	= keySS.pem
-distinguished_name	= req_distinguished_name
-encrypt_rsa_key		= no
-default_md		    = sha256
-prompt              = no
-
-[ req_distinguished_name ]
-countryName         = AU
-organizationName    = Dodgy Brothers
-0.commonName        = Brother 1
-1.commonName		= $ENV::CN2
-
-[ v3_ee ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ee_dsa ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature
-
-[ v3_ee_ec ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyAgreement
-

test/ca-and-certs.cnf

@@ -0,0 +1,90 @@
+
+CN2 = Brother 2
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name
+encrypt_rsa_key		= no
+default_md		= sha1
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_value		= AU
+organizationName		= Organization Name (eg, company)
+organizationName_value		= Dodgy Brothers
+commonName			= Common Name (eg, YOUR name)
+commonName_value		= Dodgy CA
+
+####################################################################
+[ userreq ]
+default_bits		= 2048
+default_keyfile 	= keySS.pem
+distinguished_name	= user_dn
+encrypt_rsa_key		= no
+default_md		= sha256
+prompt			= no
+
+[ user_dn ]
+countryName		= AU
+organizationName	= Dodgy Brothers
+0.commonName		= Brother 1
+1.commonName		= $ENV::CN2
+
+[ v3_ee ]
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+basicConstraints 	= CA:false
+keyUsage		= nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ee_dsa ]
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid:always
+basicConstraints	= CA:false
+keyUsage		= nonRepudiation, digitalSignature
+
+[ v3_ee_ec ]
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid:always
+basicConstraints	= CA:false
+keyUsage		= nonRepudiation, digitalSignature, keyAgreement
+
+####################################################################
+[ ca ]
+default_ca	= CA_default
+
+[ CA_default ]
+dir		= ./demoCA
+certs		= $dir/certs
+crl_dir		= $dir/crl
+database	= $dir/index.txt
+new_certs_dir	= $dir/newcerts
+certificate	= $dir/cacert.pem
+serial		= $dir/serial
+crl		= $dir/crl.pem
+private_key	= $dir/private/cakey.pem
+x509_extensions	= v3_ca
+name_opt 	= ca_default
+cert_opt 	= ca_default
+default_days	= 365
+default_crl_days= 30
+default_md	= sha1
+preserve	= no
+policy		= policy_anything
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ v3_ca ]
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid:always,issuer:always
+basicConstraints 	= critical,CA:true,pathlen:1
+keyUsage		= cRLSign, keyCertSign
+issuerAltName		= issuer:copy

test/proxy.cnf

@@ -0,0 +1,61 @@
+
+## Config file for proxy certificate testing.
+
+[ req ]
+default_bits		= 2048
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name_p1
+encrypt_rsa_key		= no
+default_md		= sha256
+
+[ req_distinguished_name_p1 ]
+countryName			= Country Name (2 letter code)
+countryName_value		= AU
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+0.commonName			= Common Name (eg, YOUR name)
+0.commonName_value		= Brother 1
+1.commonName			= Common Name (eg, YOUR name)
+1.commonName_value		= Brother 2
+2.commonName			= Common Name (eg, YOUR name)
+2.commonName_value		= Proxy 1
+
+[ proxy ]
+basicConstraints	= CA:FALSE
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+proxyCertInfo	= critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+
+####################################################################
+
+[ proxy2_req ]
+default_bits		= 2048
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name_p2
+encrypt_rsa_key		= no
+default_md		= sha256
+
+[ req_distinguished_name_p2 ]
+countryName			= Country Name (2 letter code)
+countryName_value		= AU
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+0.commonName			= Common Name (eg, YOUR name)
+0.commonName_value		= Brother 1
+1.commonName			= Common Name (eg, YOUR name)
+1.commonName_value		= Brother 2
+2.commonName			= Common Name (eg, YOUR name)
+2.commonName_value		= Proxy 1
+3.commonName			= Common Name (eg, YOUR name)
+3.commonName_value		= Proxy 2
+
+[ proxy_2 ]
+basicConstraints	= CA:FALSE
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+proxyCertInfo		= critical,@proxy_ext
+
+[ proxy_ext ]
+language	= id-ppl-anyLanguage
+pathlen		= 0
+policy		= text:BC

test/recipes/25-test_verify_store.t

@@ -18,34 +18,31 @@ plan tests => 10;
 
 my $dummycnf = srctop_file("apps", "openssl.cnf");
 
+my $cnf=srctop_file("test","ca-and-certs.cnf");
 my $CAkey = "keyCA.ss";
 my $CAcert="certCA.ss";
 my $CAserial="certCA.srl";
 my $CAreq="reqCA.ss";
-my $CAconf=srctop_file("test","CAss.cnf");
 my $CAreq2="req2CA.ss";	# temp
-
-my $Uconf=srctop_file("test","Uss.cnf");
 my $Ukey="keyU.ss";
 my $Ureq="reqU.ss";
 my $Ucert="certU.ss";
 
 SKIP: {
     req( 'make cert request',
-         qw(-new),
-         -config       => $CAconf,
+         qw(-new -section userreq),
+         -config       => $cnf,
          -out          => $CAreq,
          -keyout       => $CAkey );
 
     skip 'failure', 8 unless
         x509( 'convert request into self-signed cert',
-              qw(-req -CAcreateserial),
+              qw(-req -CAcreateserial -days 30),
+              qw(-extensions v3_ca),
               -in       => $CAreq,
               -out      => $CAcert,
               -signkey  => $CAkey,
-              -days     => 30,
-              -extfile  => $CAconf,
-              -extensions => 'v3_ca' );
+              -extfile  => $cnf );
 
     skip 'failure', 7 unless
         x509( 'convert cert into a cert request',
@@ -56,13 +53,13 @@ SKIP: {
 
     skip 'failure', 6 unless
         req( 'verify request 1',
-             qw(-verify -noout),
+             qw(-verify -noout -section userreq),
              -config    => $dummycnf,
              -in        => $CAreq );
 
     skip 'failure', 5 unless
         req( 'verify request 2',
-             qw(-verify -noout),
+             qw(-verify -noout -section userreq),
              -config    => $dummycnf,
              -in        => $CAreq2 );
 
@@ -73,29 +70,27 @@ SKIP: {
 
     skip 'failure', 3 unless
         req( 'make a user cert request',
-             qw(-new),
-             -config  => $Uconf,
+             qw(-new -section userreq),
+             -config  => $cnf,
              -out     => $Ureq,
              -keyout  => $Ukey );
 
     skip 'failure', 2 unless
         x509( 'sign user cert request',
-              qw(-req -CAcreateserial),
+              qw(-req -CAcreateserial -days 30 -extensions v3_ee),
               -in     => $Ureq,
               -out    => $Ucert,
               -CA     => $CAcert,
               -CAkey  => $CAkey,
               -CAserial => $CAserial,
-              -days   => 30,
-              -extfile => $Uconf,
-              -extensions => 'v3_ee' )
+              -extfile => $cnf )
         && verify( undef,
                    -CAstore => $CAcert,
                    $Ucert );
 
     skip 'failure', 0 unless
         x509( 'Certificate details',
-              qw( -subject -issuer -startdate -enddate -noout),
+              qw(-subject -issuer -startdate -enddate -noout),
               -in     => $Ucert );
 }
 

test/recipes/80-test_ca.t

@@ -18,26 +18,29 @@ use OpenSSL::Test::Utils;
 setup("test_ca");
 
 $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
-my $std_openssl_cnf =
-    srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf");
+
+my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';;
+my $std_openssl_cnf = '"'
+    . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
+    . '"';
 
 rmtree("demoCA", { safe => 0 });
 
 plan tests => 6;
  SKIP: {
-     $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
+     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
      skip "failed creating CA structure", 4
 	 if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
 		'creating CA structure');
 
-     $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
+     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
      skip "failed creating new certificate request", 3
 	 if !ok(run(perlapp(["CA.pl","-newreq",
-                             "-extra-req","-outform DER"])),
+                             '-extra-req', '-outform DER -section userreq'])),
 		'creating certificate request');
-     $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config "'.$std_openssl_cnf.'"';
+     $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
      skip "failed to sign certificate request", 2
-	 if !is(yes(cmdstr(perlapp(["CA.pl", "-sign", "-extra-ca"]))), 0,
+	 if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
 		'signing certificate request');
 
      ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
@@ -46,8 +49,8 @@ plan tests => 6;
      skip "CT not configured, can't use -precert", 1
          if disabled("ct");
 
-     $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
-     ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)),
+     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
+     ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)),
         'creating new pre-certificate');
 }
 
@@ -56,7 +59,7 @@ SKIP: {
 	      if disabled("sm2");
 
     is(yes(cmdstr(app(["openssl", "ca", "-config",
-                       srctop_file("test", "CAss.cnf"),
+                       $cnf,
                        "-in", srctop_file("test", "certs", "sm2-csr.pem"),
                        "-out", "sm2-test.crt",
                        "-sigopt", "distid:1234567812345678",

test/recipes/80-test_ssl_old.t

@@ -44,33 +44,27 @@ my @verifycmd = ("openssl", "verify");
 my @genpkeycmd = ("openssl", "genpkey");
 my $dummycnf = srctop_file("apps", "openssl.cnf");
 
+my $cnf=srctop_file("test","ca-and-certs.cnf");
 my $CAkey = "keyCA.ss";
 my $CAcert="certCA.ss";
 my $CAserial="certCA.srl";
 my $CAreq="reqCA.ss";
-my $CAconf=srctop_file("test","CAss.cnf");
 my $CAreq2="req2CA.ss";	# temp
-
-my $Uconf=srctop_file("test","Uss.cnf");
 my $Ukey="keyU.ss";
 my $Ureq="reqU.ss";
 my $Ucert="certU.ss";
-
 my $Dkey="keyD.ss";
 my $Dreq="reqD.ss";
 my $Dcert="certD.ss";
-
 my $Ekey="keyE.ss";
 my $Ereq="reqE.ss";
 my $Ecert="certE.ss";
 
-my $P1conf=srctop_file("test","P1ss.cnf");
+my $proxycnf=srctop_file("test","proxy.cnf");
 my $P1key="keyP1.ss";
 my $P1req="reqP1.ss";
 my $P1cert="certP1.ss";
 my $P1intermediate="tmp_intP1.ss";
-
-my $P2conf=srctop_file("test","P2ss.cnf");
 my $P2key="keyP2.ss";
 my $P2req="reqP2.ss";
 my $P2cert="certP2.ss";
@@ -133,7 +127,7 @@ sub testss {
 
   SKIP: {
       skip 'failure', 16 unless
-	  ok(run(app([@reqcmd, "-config", $CAconf,
+	  ok(run(app([@reqcmd, "-config", $cnf,
 		      "-out", $CAreq, "-keyout", $CAkey,
 		      @req_new])),
 	     'make cert request');
@@ -141,7 +135,7 @@ sub testss {
       skip 'failure', 15 unless
 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
 		      "-req", "-out", $CAcert, "-signkey", $CAkey,
-		      "-extfile", $CAconf, "-extensions", "v3_ca"],
+		      "-extfile", $cnf, "-extensions", "v3_ca"],
 		     stdout => "err.ss")),
 	     'convert request into self-signed cert');
 
@@ -167,7 +161,7 @@ sub testss {
 	     'verify signature');
 
       skip 'failure', 10 unless
-	  ok(run(app([@reqcmd, "-config", $Uconf,
+	  ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq",
 		      "-out", $Ureq, "-keyout", $Ukey, @req_new],
 		     stdout => "err.ss")),
 	     'make a user cert request');
@@ -176,7 +170,7 @@ sub testss {
 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
 		      "-req", "-out", $Ucert,
 		      "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
-		      "-extfile", $Uconf, "-extensions", "v3_ee"],
+		      "-extfile", $cnf, "-extensions", "v3_ee"],
 		     stdout => "err.ss"))
 	     && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
 	     'sign user cert request');
@@ -202,7 +196,8 @@ sub testss {
                                stdout => "err.ss")),
                        "make a DSA key");
                 skip 'failure', 3 unless
-                    ok(run(app([@reqcmd, "-new", "-config", $Uconf,
+                    ok(run(app([@reqcmd, "-new", "-config", $cnf,
+                                "-section", "userreq",
                                 "-out", $Dreq, "-key", $Dkey],
                                stdout => "err.ss")),
                        "make a DSA user cert request");
@@ -214,7 +209,7 @@ sub testss {
                                 "-out", $Dcert,
                                 "-CA", $CAcert, "-CAkey", $CAkey,
                                 "-CAserial", $CAserial,
-                                "-extfile", $Uconf,
+                                "-extfile", $cnf,
                                 "-extensions", "v3_ee_dsa"],
                                stdout => "err.ss")),
                        "sign DSA user cert request");
@@ -247,7 +242,8 @@ sub testss {
                                 "-out", "ecp.ss"])),
                        "make EC parameters");
                 skip 'failure', 3 unless
-                    ok(run(app([@reqcmd, "-config", $Uconf,
+                    ok(run(app([@reqcmd, "-config", $cnf,
+                                "-section", "userreq",
                                 "-out", $Ereq, "-keyout", $Ekey,
                                 "-newkey", "ec:ecp.ss"],
                                stdout => "err.ss")),
@@ -260,7 +256,7 @@ sub testss {
                                 "-out", $Ecert,
                                 "-CA", $CAcert, "-CAkey", $CAkey,
                                 "-CAserial", $CAserial,
-                                "-extfile", $Uconf,
+                                "-extfile", $cnf,
                                 "-extensions", "v3_ee_ec"],
                                stdout => "err.ss")),
                        "sign ECDSA/ECDH user cert request");
@@ -277,7 +273,7 @@ sub testss {
       };
 
       skip 'failure', 5 unless
-	  ok(run(app([@reqcmd, "-config", $P1conf,
+	  ok(run(app([@reqcmd, "-config", $proxycnf,
 		      "-out", $P1req, "-keyout", $P1key, @req_new],
 		     stdout => "err.ss")),
 	     'make a proxy cert request');
@@ -287,7 +283,7 @@ sub testss {
 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
 		      "-req", "-out", $P1cert,
 		      "-CA", $Ucert, "-CAkey", $Ukey,
-		      "-extfile", $P1conf, "-extensions", "v3_proxy"],
+		      "-extfile", $proxycnf, "-extensions", "proxy"],
 		     stdout => "err.ss")),
 	     'sign proxy with user cert');
 
@@ -300,7 +296,7 @@ sub testss {
 	 'Certificate details');
 
       skip 'failure', 2 unless
-	  ok(run(app([@reqcmd, "-config", $P2conf,
+	  ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req",
 		      "-out", $P2req, "-keyout", $P2key,
 		      @req_new],
 		     stdout => "err.ss")),
@@ -311,7 +307,7 @@ sub testss {
 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
 		      "-req", "-out", $P2cert,
 		      "-CA", $P1cert, "-CAkey", $P1key,
-		      "-extfile", $P2conf, "-extensions", "v3_proxy"],
+		      "-extfile", $proxycnf, "-extensions", "proxy_2"],
 		     stdout => "err.ss")),
 	     'sign second proxy cert request with the first proxy cert');
 

test/recipes/90-test_store.t

@@ -16,6 +16,7 @@ my $test_name = "test_store";
 setup($test_name);
 
 my $mingw = config('target') =~ m|^mingw|;
+my $cnf=srctop_file("test","ca-and-certs.cnf");
 
 my @noexist_files =
     ( "test/blahdiblah.pem",
@@ -295,7 +296,7 @@ sub init {
                       }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
             # *-cert.pem (intermediary for the .p12 inits)
             && run(app(["openssl", "req", "-x509",
-                        "-config", data_file("ca.cnf"), "-nodes",
+                        "-config", $cnf, "-nodes",
                         "-out", "cacert.pem", "-keyout", "cakey.pem"]))
             && runall(sub {
                           my $srckey = shift;
@@ -303,7 +304,7 @@ sub init {
                           (my $csr = $dstfile) =~ s|\.pem|.csr|;
 
                           (run(app(["openssl", "req", "-new",
-                                    "-config", data_file("user.cnf"),
+                                    "-config", $cnf,
                                     "-key", $srckey, "-out", $csr]))
                            &&
                            run(app(["openssl", "x509", "-days", "3650",