[Swan-dev] generating x509 certificates

Andrew Cagney andrew.cagney at gmail.com
Wed Feb 4 16:53:48 EET 2015


Matt,
thanks for the reply,

On 3 February 2015 at 17:27, Matt Rogers <mrogers at redhat.com> wrote:

> Hey, sorry for the late reply here. Been away from email/irc for the
> day. In short the dist_certs.py is the WIP replacement for the
> shell script, however right now it is only tuned to x509 tests that
> are not a part of the make check list. IIRC ones that are still in the
> list are just basic cases and use the east/west certs. So for the full
> run you will want to still use dist_certs.

The problem here is that the old dist_certs file is broken - it dies
trying to sign an invalid cert using "openssl ca".  While, in
theory, it might be fixable, I don't see any value in the effort.
What is being done here is decidedly "off script" so the more powerful
combination of a programming language like python and direct openssl
library calls is a far better solution(1).

> I have a _lot_ of changes to the certificate code on the way and part
> of that will be a revised set of x509 tests that can be included in make
> check, so when we're ready I'll be sure to update it with dist_certs.py

Cool.  I thought more about the suggestion to add it to swantest and I
don't like it - this is part of the build system so should be fully
exposed in the Makefiles.

Can you check in what you have?  Since I'm going to use dist_certs.py
regardless, I might as well run the current code.

Andrew

(1) I speak from experience, I've had to abuse Java's certificate
library so it would do decidedly off-script stuff involving HTTPS,
certificates, key stores and trust stores.  Neither openssl, nor
keytool, were sufficient.

