[PATCH] Apache-Test/lib/Apache/TestSSLCA.pm to always generate PKCS#1 keys with opensssl >= 3

Wed, 18 Oct 2023 06:09:51 -0700 

Before openssl 3.0 the command `openssl genrsa` used to generate
private keys in PKCS#1 format, since openssl >= 3.0 it now generates
them in PKCS#8 format by default (while passing -traditional at the
command line allows to restore the old behaviour).

This is not an issue as long as httpd and TestSSLCA.pm use the same
openssl version (either < 3 or >= 3), but if e.g. httpd is
compiled/linked/-rpath'ed against an openssl < 3 and TestSSLCA.pm uses
the system's openssl >= 3 then mod_proxy won't be able to load the
PKCS#8 keys. It comes from PEM_X509_INFO_read_bio() which ignores them
with openssl < 3, while (AIUI) it is the easiest/recommended way to
load certificates and keys using the openssl API (without yet more
churn in mod_ssl compat code, probably not worth it).

It seems easier for httpd to document/require running with openssl >=
3 or ProxyMachineCertificateFile to take PKCS#1 keys only, hence
possibly make TestSSLCA.pm always generate "traditional" PKCS#1 keys
too (which can be read by all openssl versions, so far :p).

This patch adds -traditional to the `openssl genrsa` calls when
TestSSLCA.pm is running with openssl >= 3.

Maybe it should be configurable but I'm afraid it's above my
perl/Apache-Test foo..

Index: Apache-Test/lib/Apache/TestSSLCA.pm
===================================================================
--- Apache-Test/lib/Apache/TestSSLCA.pm    (revision 1913056)
+++ Apache-Test/lib/Apache/TestSSLCA.pm    (working copy)
@@ -332,6 +332,13 @@ sub new_ca {
     export_cert('ca'); #useful for importing into IE
 }

+#RSA keys are always generated in "traditional" PKCS#1 format
+my $genrsa_traditional = "";
+if (Apache::Test::normalize_vstring($version) >=
+    Apache::Test::normalize_vstring("3.0.0")) {
+    $genrsa_traditional = "-traditional";
+}
+
 sub new_key {
     my $name = shift;

@@ -348,7 +355,7 @@ sub new_key {
         openssl gendsa => "$out dsa-param";
     }
     else {
-        openssl genrsa => "$out 2048";
+        openssl genrsa => "$genrsa_traditional $out 2048";
     }
 }

--


Regards;
Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@perl.apache.org
For additional commands, e-mail: dev-h...@perl.apache.org

Reply via email to