tests/sslcerts/README
author Manuel Jacob <me@manueljacob.de>
Mon, 29 Jun 2020 15:03:36 +0200
branchstable
changeset 45022 e3b19004087a
parent 29579 43f3c0df2fab
permissions -rw-r--r--
convert: correctly convert paths to UTF-8 for Subversion The previous code using encoding.tolocal() only worked by chance in these situations: * The string is ASCII: The fast path was triggered and the string was returned unmodified. * The local encoding is UTF-8: The source and target encoding is the same. * The string is not valid UTF-8 and the native encoding is ISO-8859-1: If the string doesn’t decode using UTF-8, ISO-8859-1 is tried as a fallback. During `hg convert`, the local encoding is always UTF-8. The irony is that in this case, encoding.tolocal() behaves like what someone would expect the reverse function, encoding.fromlocal(), to do. When the locale encoding is ISO-8859-15, trying to convert a SVN repo `/tmp/a€` failed before like this: file:///tmp/a%C2%A4 does not look like a Subversion repository to libsvn version 1.14.0 The correct URL is `file:///tmp/a%E2%82%AC`. Unlike previously (with the ISO-8859-1 fallback), decoding the path using the locale encoding can fail. In this case, we have to bail out, as Subversion won’t be able to do anything useful with the path.
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
     1
Generate a private key (priv.pem):
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
     2
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
     3
  $ openssl genrsa -out priv.pem 2048
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
     4
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
     5
Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
     6
29579
43f3c0df2fab tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29526
diff changeset
     7
  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
43f3c0df2fab tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29526
diff changeset
     8
    -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
43f3c0df2fab tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29526
diff changeset
     9
  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
43f3c0df2fab tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29526
diff changeset
    10
    -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
diff changeset
    11
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    12
Now generate an expired certificate by turning back the system time:
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    13
29579
43f3c0df2fab tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29526
diff changeset
    14
  $ faketime 2016-01-01T00:00:00Z \
43f3c0df2fab tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29526
diff changeset
    15
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
43f3c0df2fab tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29526
diff changeset
    16
    -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
diff changeset
    17
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    18
Generate a certificate not yet active by advancing the system time:
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    19
29579
43f3c0df2fab tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29526
diff changeset
    20
  $ faketime 2030-01-1T00:00:00Z \
43f3c0df2fab tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29526
diff changeset
    21
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
43f3c0df2fab tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29526
diff changeset
    22
    -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    23
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    24
Generate a passphrase protected client certificate private key:
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    25
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    26
  $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    27
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    28
Create a copy of the private key without a passphrase:
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    29
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    30
  $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
diff changeset
    31
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    32
Create a CSR and sign the key using the server keypair:
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    33
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    34
  $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    35
    openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    36
  $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    37
    -set_serial 01 -out client-cert.pem
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
diff changeset
    38
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    39
When replacing the certificates, references to certificate fingerprints will
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    40
need to be updated in test files.
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    41
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    42
Fingerprints for certs can be obtained by running:
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    43
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    44
  $ openssl x509 -in pub.pem -noout -sha1 -fingerprint
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
    45
  $ openssl x509 -in pub.pem -noout -sha256 -fingerprint