Mercurial > hg

view tests/sslcerts/README @ 50303:0d3690f8ce2a stable

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
cext: fix for PyLong refactoring in CPython 3.12 Compiling Mercurial with Python 3.12 a5 would fail with: mercurial/cext/dirs.c: In function '_addpath': mercurial/cext/dirs.c:19:44: error: 'PyLongObject' {aka 'struct _longobject'} has no member named 'ob_digit' 19 | #define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[0] | ^~ mercurial/cext/dirs.c:97:25: note: in expansion of macro 'PYLONG_VALUE' 97 | PYLONG_VALUE(val) += 1; | ^~~~~~~~~~~~ mercurial/cext/dirs.c:19:44: error: 'PyLongObject' {aka 'struct _longobject'} has no member named 'ob_digit' 19 | #define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[0] | ^~ mercurial/cext/dirs.c:108:17: note: in expansion of macro 'PYLONG_VALUE' 108 | PYLONG_VALUE(val) = 1; | ^~~~~~~~~~~~ mercurial/cext/dirs.c: In function '_delpath': mercurial/cext/dirs.c:19:44: error: 'PyLongObject' {aka 'struct _longobject'} has no member named 'ob_digit' 19 | #define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[0] | ^~ mercurial/cext/dirs.c:145:23: note: in expansion of macro 'PYLONG_VALUE' 145 | if (--PYLONG_VALUE(val) <= 0) { | ^~~~~~~~~~~~ This was caused by https://github.com/python/cpython/commit/c1b1f51cd1632f0b77dacd43092fb44ed5e053a9 .
author Mads Kiilerich <mads@kiilerich.com>
date Tue, 07 Mar 2023 16:25:51 +0100
parents 43f3c0df2fab
children
line wrap: on
line source

Generate a private key (priv.pem):

  $ openssl genrsa -out priv.pem 2048

Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):

  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
    -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
    -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Now generate an expired certificate by turning back the system time:

  $ faketime 2016-01-01T00:00:00Z \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
    -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a certificate not yet active by advancing the system time:

  $ faketime 2030-01-1T00:00:00Z \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
    -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a passphrase protected client certificate private key:

  $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048

Create a copy of the private key without a passphrase:

  $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem

Create a CSR and sign the key using the server keypair:

  $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
    openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
  $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
    -set_serial 01 -out client-cert.pem

When replacing the certificates, references to certificate fingerprints will
need to be updated in test files.

Fingerprints for certs can be obtained by running:

  $ openssl x509 -in pub.pem -noout -sha1 -fingerprint
  $ openssl x509 -in pub.pem -noout -sha256 -fingerprint