annotate tests/sslcerts/README @ 37533:df4985497986
wireproto: implement capabilities for wire protocol v2
The capabilities mechanism for wire protocol version 2 represents a
clean break from version 1.
Instead of effectively exchanging a set of capabilities, we're
exchanging a rich data structure.
This data structure currently contains information about
every available command, including its accepted arguments. It also
contains information about supported compression formats.
Exposing information about supported commands will allow clients
to automatically generate bindings to the server. Clients will be
able to do things like detect when they are attempting to run a
command that isn't known to the server. Exposing the required
permissions to run a command can be used by clients to determine if
they have privileges to call a command before actually calling it.
We could potentially even have clients send credentials
preemptively without waiting for the server to deny the command
request. Lots of potential here.
The data returned by this command will likely evolve heavily. So we
shouldn't bikeshed the implementation just yet.
Differential Revision: https://phab.mercurial-scm.org/D3200
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Mon, 09 Apr 2018 11:52:31 -0700 |
parents | 43f3c0df2fab |
children |
Changesets that last touched lines of this file:

rev | changeset | description | author | parents |
---|---|---|---|---|
29331 | 1e02d9576194 | tests: extract SSL certificates from test-https.t | Yuya Nishihara <yuya@tcha.org> | |
29526 | 9d02bed8477b | tests: regenerate x509 test certificates | Gregory Szorc <gregory.szorc@gmail.com> | 29331 |
29579 | 43f3c0df2fab | tests: update test certificate generation instructions | Gregory Szorc <gregory.szorc@gmail.com> | 29526 |

Generate a private key (priv.pem):

  $ openssl genrsa -out priv.pem 2048

Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):

  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
    -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
    -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Now generate an expired certificate by turning back the system time:

  $ faketime 2016-01-01T00:00:00Z \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
    -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a certificate not yet active by advancing the system time:

  $ faketime 2030-01-01T00:00:00Z \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
    -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a passphrase protected client certificate private key:

  $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048

Create a copy of the private key without a passphrase:

  $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem

Create a CSR and sign the key using the server keypair:

  $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
    openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
  $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
    -set_serial 01 -out client-cert.pem

When replacing the certificates, references to certificate fingerprints will
need to be updated in test files.

Fingerprints for certs can be obtained by running:

  $ openssl x509 -in pub.pem -noout -sha1 -fingerprint
  $ openssl x509 -in pub.pem -noout -sha256 -fingerprint
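
A sanity check for a regenerated fixture set, added here as an example and not part of the Mercurial README or test suite. The function names (`cert_state`, `same_key`, `check`, `has_state`, `audit`) are hypothetical; the file names and the passphrase are the README's. `openssl verify -attime` lets the validity state be judged at any point in time, so the classification can be exercised without faketime.

```sh
#!/bin/sh
# Added example, not part of the Mercurial README. Function names are
# illustrative; the file names and passphrase are the README's.

# cert_state CERT [EPOCH]: print valid, expired, not-yet-valid or error for a
# self-signed certificate, judged now or at EPOCH (seconds since 1970).
cert_state() {
    out=$(openssl verify ${2:+-attime "$2"} -CAfile "$1" "$1" 2>&1) || true
    case $out in
        *"has expired"*)   echo expired ;;
        *"not yet valid"*) echo not-yet-valid ;;
        *": OK"*)          echo valid ;;
        *)                 echo error ;;
    esac
}

# same_key CERT KEY [PASSPHRASE]: succeed when KEY is the private half of the
# public key embedded in CERT.
same_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check LABEL COMMAND...: run COMMAND; report and count a failure.
check() {
    label=$1; shift
    "$@" >/dev/null 2>&1 || { echo "FAIL: $label"; fail=$((fail + 1)); }
}

# has_state WANT CERT: succeed when CERT is in validity state WANT.
has_state() { [ "$(cert_state "$2")" = "$1" ]; }

# audit DIR: test each fixture in DIR against the role the README gives it;
# the exit status is the number of failed checks.
audit() {
    fail=0
    check "pub.pem is valid"            has_state valid "$1/pub.pem"
    check "pub-other.pem is valid"      has_state valid "$1/pub-other.pem"
    check "pub-expired.pem is expired"  has_state expired "$1/pub-expired.pem"
    check "pub-not-yet.pem not active"  has_state not-yet-valid "$1/pub-not-yet.pem"
    check "priv.pem matches pub.pem"    same_key "$1/pub.pem" "$1/priv.pem"
    check "client-key.pem matches cert" same_key "$1/client-cert.pem" "$1/client-key.pem" 1234
    check "decrypted key matches cert"  same_key "$1/client-cert.pem" "$1/client-key-decrypted.pem"
    check "client-cert.pem signed by pub.pem" \
        openssl verify -CAfile "$1/pub.pem" "$1/client-cert.pem"
    return "$fail"
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run it with the fixture directory as its only argument, for example `tests/sslcerts`; each failed expectation is printed as a `FAIL:` line.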