[Swan-dev] generating x509 certificates

Matt Rogers mrogers at redhat.com
Wed Feb 4 18:02:53 EET 2015 

On 02/04, Andrew Cagney wrote:
> Matt,
> thanks for the reply,
> 
> On 3 February 2015 at 17:27, Matt Rogers <mrogers at redhat.com> wrote:
> 
> > Hey, sorry for the late reply here. Been away from email/irc for the
> > day. In short the dist_certs.py is the WIP replacement for the
> > shell script, however right now it is only tuned to x509 tests that
> > are not a part of the make check list. IIRC ones that are still in the
> > list are just basic cases and use the east/west certs. So for the full
> > run you will want to still use dist_certs.
> 
> The problem here is that the old dist_certs file is broken - it dies
> trying to sign an invalid cert using "openssl ca".  While it, in
> theory, it might be fixable, I don't see any value in the effort.
> What is being done here is decidedly "off script" so the more powerful
> combination of a programming language like python and direct openssl
> library calls is a far better solution(1).
> 

Yeah, the set -ue in the script points out these problems, but they were
really ignorable since it wasn't affecting the active tests. For now you
can just comment that out and run the script to get the certs you need.

> > I have a _lot_ of changes to the certificate code on the way and part
> > of that will be revised set of x509 tests that can be included in make
> > check, so when we're ready I'll be sure to update it with dist_certs.py
> 
> Cool.  I thought more about the suggestion to add it to swantest and I
> don't like it - this is part of the build system so should be fully
> exposed in the Makefiles.
> 

I think having it a part of make check is best, so a run can always have
a cert set from the latest dist_certs.py changes.

> (1) I speak from experience, I've had to abuse Java's certificate
> library so it would do decidedly off-script stuff involving HTTPS,
> certificates, key stores and trust stores.  Neither openssl, nor
> keytool, were sufficient.

Using pyOpenSSL served to be a lot better for our need than the openssl
commands, of course, and will make it easier to cover more of the
certificate code than before. Plus I like writing python a lot more than
bash :)

Note that dist_certs.py is only intended to create the certificate batch,
and any of the NSS db creation, importing, etc. that is needed for a
individual test is handled by swan-prep with the --x509 option. 

Regards,
Matt

More information about the Swan-dev mailing list