Mercurial Mercurial > hg / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
tests/sslcerts/README
author Matt Harbison <matt_harbison@yahoo.com>
Thu, 26 Sep 2024 18:15:36 -0400
changeset 51923 b455dfddfed0
parent 29579 43f3c0df2fab
permissions -rw-r--r--
interfaces: convert the zope `Attribute` attrs to regular fields At this point, we should have a useful protocol class. The file syntax requires the type to be supplied for any fields that are declared, but we'll leave the complex ones partially unspecified for now, for simplicity. (Also, the things documented as `Callable` are really as future type annotating worked showed- roll with it for now, but they're marked as TODO for fixing later.) All of the fields and all of the attrs will need type annotations, or the type rules say they are considered to be `Any`. That can be done in a separate pass, possibly applying the `dirstate.pyi` file generated from the concrete class. The first cut of this turned the `interfaceutil.Attribute` fields into plain fields, and thus the types on them. PyCharm flagged a few things as having incompatible signatures when the concrete dirstate class subclassed this, when the concrete class has them declared as `@property`. So they've been changed to `@property` here in those cases. The remaining fields that are decorated in the concrete class have comments noting the differences. We'll see if they need to be changed going forward, but leave them for now. We'll be in trouble if the `@util.propertycache` is needed, because we can't import that module here at runtime, due to circular imports.

Generate a private key (priv.pem):

  $ openssl genrsa -out priv.pem 2048

Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):

  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
    -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
    -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Now generate an expired certificate by turning back the system time:

  $ faketime 2016-01-01T00:00:00Z \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
    -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a certificate not yet active by advancing the system time:

  $ faketime 2030-01-1T00:00:00Z \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
    -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a passphrase protected client certificate private key:

  $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048

Create a copy of the private key without a passphrase:

  $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem

Create a CSR and sign the key using the server keypair:

  $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
    openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
  $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
    -set_serial 01 -out client-cert.pem

When replacing the certificates, references to certificate fingerprints will
need to be updated in test files.

Fingerprints for certs can be obtained by running:

  $ openssl x509 -in pub.pem -noout -sha1 -fingerprint
  $ openssl x509 -in pub.pem -noout -sha256 -fingerprint
Mercurial