Convert encrypted SSL test keys to PKCS#8 format

Started by Peter Eisentraut, over 2 years ago, 3 messages
#1 Peter Eisentraut
peter@eisentraut.org
2 attachment(s)

This is part of the larger project of allowing all test suites to pass
in OpenSSL FIPS mode. We had previously integrated several patches that
avoid or isolate use of MD5 in various forms in the tests. Now to
another issue.

OpenSSL in FIPS mode rejects several encrypted private keys used in the
test suites ssl and ssl_passphrase_callback. The reason for this is
explained in [0]:

Technically you shouldn't use keys created outside FIPS mode in FIPS
mode.

In FIPS mode the "traditional" format is not supported because it used
MD5 for key derivation. The more standard PKCS#8 mode using SHA1 for
key derivation is used instead. You can convert keys using the pkcs8
command outside FIPS mode but again technically you aren't supposed
to...

[0]: https://groups.google.com/g/mailing.openssl.users/c/Sd5E8VY5O2s/m/QYGezoQeo84J

The affected files are

src/test/modules/ssl_passphrase_callback/server.key
src/test/ssl/ssl/client-encrypted-pem.key
src/test/ssl/ssl/server-password.key

A fix is to convert them from their existing PKCS#1 format to the PKCS#8
format, like this:

openssl pkcs8 -topk8 \
    -in src/test/modules/ssl_passphrase_callback/server.key -passin pass:FooBaR1 \
    -out src/test/modules/ssl_passphrase_callback/server.key.new -passout pass:FooBaR1
mv src/test/modules/ssl_passphrase_callback/server.key.new \
    src/test/modules/ssl_passphrase_callback/server.key

etc.

(Fun fact: The above command also doesn't work if your OpenSSL
installation is in FIPS mode because it will refuse to read the old file.)

We should also update the generation rules to generate the newer format,
like this:

-   $(OPENSSL) rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
+   $(OPENSSL) pkey -aes256 -in server.ckey -out server.key -passout pass:$(PASS)

I have attached two patches, one to update the generation rules, and one
where I have converted the existing test files. (I didn't generate them
from scratch, so for example
src/test/modules/ssl_passphrase_callback/server.crt that corresponds to
one of the keys does not need to be updated.)

To check that these new files are backward compatible, I have
successfully tested them on CentOS 7 with the included version 1.0.2k.

It's also interesting that if you generate all private keys from scratch
using the existing rules on a new OpenSSL version (3+), they will be
generated in PKCS#8 format by default. In those OpenSSL versions, the
openssl-rsa command has a -traditional option to get the old format, but
of course old OpenSSL versions don't have that. As OpenSSL 3 gets more
widespread, we might need to rethink these rules anyway to make sure we
get consistent behavior.

Attachments:

0001-Generate-encrypted-SSL-test-keys-in-PKCS-8-format.patch (text/plain; charset=UTF-8)
From 6da8ecf7cb4c5bce6c00ee7d85443ac082d6aaeb Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <peter@eisentraut.org>
Date: Tue, 22 Aug 2023 09:25:34 +0200
Subject: [PATCH 1/2] Generate encrypted SSL test keys in PKCS#8 format

---
 src/test/modules/ssl_passphrase_callback/Makefile    | 2 +-
 src/test/modules/ssl_passphrase_callback/meson.build | 2 +-
 src/test/ssl/sslfiles.mk                             | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/test/modules/ssl_passphrase_callback/Makefile b/src/test/modules/ssl_passphrase_callback/Makefile
index 922f0ee078..40ed38dc70 100644
--- a/src/test/modules/ssl_passphrase_callback/Makefile
+++ b/src/test/modules/ssl_passphrase_callback/Makefile
@@ -33,7 +33,7 @@ PASS = FooBaR1
 ssl-files:
 	$(OPENSSL) req -new -x509 -days 10000 -nodes -out server.crt \
 		-keyout server.ckey -subj "/CN=localhost"
-	$(OPENSSL) rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
+	$(OPENSSL) pkey -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
 	rm server.ckey
 
 ssl-files-clean:
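Review bot: the commit message has no body, so the reason for replacing `rsa` with `pkey` in the `ssl-files` rule (OpenSSL in FIPS mode rejects the traditional `Proc-Type: 4,ENCRYPTED` envelope because its key derivation uses MD5, while `pkey` writes PKCS#8) lives only in the mailing-list thread; put that sentence in the commit message or in a comment above the rule so the next person editing the Makefile does not revert it to `rsa`.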
diff --git a/src/test/modules/ssl_passphrase_callback/meson.build b/src/test/modules/ssl_passphrase_callback/meson.build
index c2a022b4f1..3e35f8cae0 100644
--- a/src/test/modules/ssl_passphrase_callback/meson.build
+++ b/src/test/modules/ssl_passphrase_callback/meson.build
@@ -40,7 +40,7 @@ if openssl.found()
   custom_target('server.key',
     input: [cert[1]],
     output: ['server.key'],
-    command: [openssl, 'rsa', '-aes256', '-in', '@INPUT0@', '-out', '@OUTPUT0@', '-passout', 'pass:@0@'.format(pass)]
+    command: [openssl, 'pkey', '-aes256', '-in', '@INPUT0@', '-out', '@OUTPUT0@', '-passout', 'pass:@0@'.format(pass)]
   )
 endif
 
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index f7ababe42c..569f1731cd 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -109,7 +109,7 @@ ssl/server-rsapss.crt: ssl/server-rsapss.key conf/server-rsapss.config
 
 # Password-protected version of server-cn-only.key
 ssl/server-password.key: ssl/server-cn-only.key
-	$(OPENSSL) rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
+	$(OPENSSL) pkey -aes256 -in $< -out $@ -passout 'pass:secret1'
 
 # Key that uses the RSA-PSS algorithm
 ssl/server-rsapss.key:
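Review bot: the comment above the `ssl/server-password.key` rule still reads only "Password-protected version of server-cn-only.key"; add that the file is deliberately produced in PKCS#8 form via `pkey` because the traditional encrypted format is rejected by OpenSSL in FIPS mode, since sslfiles.mk is the place people look when regenerating these files.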
@@ -122,7 +122,7 @@ ssl/client-der.key: ssl/client.key
 # Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
 # formats to test libpq's support for the sslpassword= option.
 ssl/client-encrypted-pem.key: ssl/client.key
-	$(OPENSSL) rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
+	$(OPENSSL) pkey -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
 # TODO Explicitly choosing -aes128 generates a key unusable to PostgreSQL with
 # OpenSSL 3.0.0, so fall back on the default for now.
 ssl/client-encrypted-der.key: ssl/client.key
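Review bot: the `ssl/client-encrypted-pem.key` rule keeps the explicit `-aes128`, while the TODO directly below records that an explicit `-aes128` produced a key PostgreSQL could not use with OpenSSL 3.0.0 and that the DER rule therefore falls back on the default; now that the output is PKCS#8 rather than the `DEK-Info: AES-128-CBC` envelope, re-test that case and either drop the TODO and make the DER rule explicit too, or have the PEM rule use the default as well so the two rules agree.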
-- 
2.41.0

0002-Convert-encrypted-SSL-test-keys-to-PKCS-8-format.patch (text/plain; charset=UTF-8)
From e50cb5dfdffc5c5be3cae67a7cf2bfd132b92b3d Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <peter@eisentraut.org>
Date: Tue, 22 Aug 2023 09:26:36 +0200
Subject: [PATCH 2/2] Convert encrypted SSL test keys to PKCS#8 format

---
 .../ssl_passphrase_callback/server.key        | 60 +++++++++----------
 src/test/ssl/ssl/client-encrypted-pem.key     | 60 +++++++++----------
 src/test/ssl/ssl/server-password.key          | 60 +++++++++----------
 3 files changed, 90 insertions(+), 90 deletions(-)

diff --git a/src/test/modules/ssl_passphrase_callback/server.key b/src/test/modules/ssl_passphrase_callback/server.key
index 1475007c73..9b41008934 100644
--- a/src/test/modules/ssl_passphrase_callback/server.key
+++ b/src/test/modules/ssl_passphrase_callback/server.key
@@ -1,30 +1,30 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,DB0E7068D4DCE79FFE63C95B8D8F7CEA
-
-Y4uvnlWX/kyulqsmt8aWI55vKFdfJL4wEZItL8ZKlQFuZuxC9w0OworyjTdqO38R
-v9hwnetZBDgK8kEv6U7wR58mTfwHHCGuxYgSiPZtiW7btS4zu16ePdh8oBEzCxjW
-ALrCFt7uvRu5h2AWy/4BgV4gLNVPNB+lJFABtUoiSnUDr7+bcx7UjZ4An6HriGxC
-Kg/N1pKjT/xiKOy+yHtrp1Jih5HYDE4i99jPtMuTROf8Uyz7ibyrdd/E7QNvANQN
-Cmw4I4Xk4hZ68F0iGU0C0wLND3pWbeYPKorpo3PkI4Du+Aqlg15ae5u8CtU3fXGJ
-mq4/qLGAi1sr/45f5P5a3Q8BQpKkCmGopXMaFYOOiaf3YYgD1eVOxLhsCWqUB+O8
-ygcTNRCoKhzY+ULComXp880J3fFk5b92g4Hm1PAO42uDKzhWSnrmCBJ7ynXvnEc+
-JqhiE8Obrp6FBIHvfN26JtHcXTd/bgUMXSh7AXjsotfvPPV0URve9JJG+RnwckeT
-K3AYDOQK/lbqDGliNqHg1WiMSA2oHSqDhUMB0Sm0jh6+jxCQlsmSDvPvJfWRo5wY
-zbZZZARQnFUaHa9CZVdFxbaPGhYU6vAwxDqi42osSJEdf68Gy2KVXcelqpU/2dKk
-aHfTgAWOsajbgt9p+0369TeZb39+zLODdDJnvZYiu1pTASHP5VrJ2xHhu5zOdjXm
-GafYiPwYBM280wkIVQ0HsTX7BViU2R/7W3FqflXgQvBiraVQVwHyaX4bOU1a3rzg
-emHNLTCpRamT0i/D0tkEPgS42bWSVi9ko5Mn9yb+qToBjAOLVUOAOs9Bv3qxawhI
-XFbBDZ7DS59l2yV6eQkrG7DUCLDf4dv4WZeBnhrPe/Jg8HKcsKcJYV3cejZh8sgu
-XHeCU50+jpJDfTZVPW3TjZWmrTqStGwF1UFpj+tTsTcX+OHAY/shFs3bBZulAsMy
-5UWZWzyWHMWr/wbxW7dbhTb1gNmOgpQQz9dunSgcZ8umzSGLa0ZGmnQj9P/kZkQA
-RenuswH5O7CK/MDmf3J6svwyLt/jULmH26MZTcNu7igT6dj3VMSwkoQQaaQdtmzb
-glzN3uqf8qM+CEjV8dxlt8fv6KJV7gvoYfPAz+1pp5DVJBmRo/+b4e/d4QTV9iWS
-ScBYdonc9WXcrjmExX9+Wf/K/IKfLnKLIi2MZ3pwr1n7yY+dMeF6iREYSjFVIpZd
-MH3G9/SxTrqR7X/eHjwdv1UupYYyaDag8wpVn1RMCb0xYqh2/QP1k0pQycckL0WQ
-lieXibEuQhV/heXcqt83G6pGqLImc6YPYU46jdGpPIMyOK+ZSqJTHUWHfRMQTIMz
-varR2M3uhHvwUFzmvjLh/o6I3r0a0Rl1MztpYfjBV6MS4BKYfraWZ0kxCyV+e6tz
-O7vD0P5W2qm6b89Md3nqjUcbOM8AojcfBl3xpQrpSdgJ25YJBoJ9L2I2pIMNCK/x
-yDNEJl7yP87fdHfXZm2VoUXclDUYHyNys9Rtv9NSr+VNkIMcqrCHEgpAxwQQ5NsO
-/vOZe3wjhXXLyRO7Nh5W8jojw3xcb9c9avFUWUvM2BaS4vEYcItUoF4QuHohrCwk
------END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
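Review bot: the commit message does not say how the checked-in file was converted (the thread's `openssl pkcs8 -topk8 ... -passin pass:FooBaR1 -passout pass:FooBaR1` command, which must run on a non-FIPS OpenSSL because a FIPS-mode build refuses to read the old `Proc-Type`/`DEK-Info` form); record the command and the OpenSSL version used, and that `FooBaR1` is the Makefile's `PASS`, so the file can be reproduced. Unlike the old `DEK-Info: AES-256-CBC,...` line, the new `ENCRYPTED PRIVATE KEY` block carries its cipher and KDF parameters inside the ASN.1, so `openssl asn1parse -in src/test/modules/ssl_passphrase_callback/server.key` is the way to check what was actually chosen.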
diff --git a/src/test/ssl/ssl/client-encrypted-pem.key b/src/test/ssl/ssl/client-encrypted-pem.key
index 1e7052a5bb..58fe68ab41 100644
--- a/src/test/ssl/ssl/client-encrypted-pem.key
+++ b/src/test/ssl/ssl/client-encrypted-pem.key
@@ -1,30 +1,30 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,E619306A930B60F360BF805500BA5659
-
-B9aYmIdIoF7hT9tJARMQWE7Ii7g+KDNaF4U0ljBsxgbtMyi9DQrlrFsbUO0Wy6iO
-UY/h57UA1pk7yF+rwkTK0L2t0j/d+HZc3ddsN3cZ040PmX8+8QZJWRUs2ywTLa4O
-JxPm2rUxLSeVa+FY9Nr1Cl6meQ2JS7MA7KBNuriBWNleGGgkbBMaH7zq98aOJmaz
-l02J2wrJ5STP2UI8uEaT/UtAgLInlAljCSg5oe5cj4u9UyUkRN7fj4mexq1r5YNU
-zTu7GrgcAdXrhsAhg9mAJol4frwsQuEiJbVIurAAvCrJk7Gm8xVjKCN1stDOASAY
-aawO1huIdTzjbGXFHBtJ4YuRClXZr5ij6kN+KeQaS+JLjehsAb6762l9wUPP5Bxv
-8c6CCxc+U4ndN0ZQPsx0UrJ/AYO1s12mebuKZvIdNoYdLIqJLfX/HSrzaXw6XA8b
-gAvVOruKGq12v71OrIdahxSzRs7s6GODGynSayFprn3CK+GZJumwQ0EK+fBzrzB1
-8JTp98qwMYfSuDmGl8VbT9k8OZFZbDD4k5wj8fHx5R4zkdgfNqBNAKXPrwm5uRT8
-+0mnYdP3ZnihnZnAoZvGXOE77TcZ/N9fLvwkBpwPmtftbn10HwlwXQgmn1ijMj60
-ZOYo1fvKJMmvCr+NUtyJALIvUdLQmjWx0PoZetIb24KBkTkr2ciU1d1RDEwOfffZ
-jwTfcJU/AXnxPBR6MBT9a+YkaMiOU0JF7vs/x0hG/o8GsXQJB/G7Vzakg0hxQ1WF
-KU0jInXPf2uCiBMEwuWRPHh25wspLjsHgt5pD55vE/M9Q7LFOez/9/RQqmmjDjZH
-sLJtdAjN57aaIhtzbYIYa7K7Eu5v0NrZ5++wP3h82aTy9PIlSmRGY8WiZSDDir0P
-w+PBP7JN/3ifqXURUmSDGbfdArbyuuF79Say6N9ijFeBAZrCgauw3jBs1dhusGJ/
-T6wh8mjdGf8SRm9SQdGuIyK7M657z3P0WRlpHN4beeGpzgGVexqjiyvtwQNH8kps
-3EDNwTe3HJMWf7G2FNjqtM0h3fnaB7d+prfzZIL5Y1Somgfiljp7zG/FfkYEybK6
-8OvW6O8byCSqJzugUa5HCv//iPYFrcALAXtva4KXtfauGhKmWpn3Wa5AW9/034H6
-QW/A8mcKSMKhGixZj5MZKGTMA9cRus3IRTAYnhCd5njJ1N/o67wwTGVuXVu6ExrM
-wY/WjkRrDlRopqo0U3wodHjfZ8/837rINwmcqzXTxasu+ApWUVZFuuQh/q3i8aTv
-BzFVOfLylxpIsoQHBQvNdM/u0HGXbw7wyjs6n+LCjeGwRuxKkoYlKf5cItNLDNvF
-6LYwA44BJ3/XfUSVZRD8PAVp5haUgpesPym1G5QdvYN4rWE6lsAtGSZDatWvaCsI
-S0qTwLFbw9BvclwkvJicvLwAmKiGMDyAwGNCPLnG7nZ48to4dXD93LmgC/mnENbp
-7EgW7fUtMvz0Lt2Xcd26ZTlJdOkT3sdKPSDxhgqsQoI4dQSmB4Fz40HsFvFtTCuF
-FXMFXjSkjiKrdfI+CQ1tJGXKpYAod8PcZ89vN3TjxehwhK6GxS0CiOJ+phh6q22i
------END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
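Review bot: the old envelope here was `DEK-Info: AES-128-CBC`, matching the `-aes128` in the `ssl/client-encrypted-pem.key` rule, but the `openssl pkcs8 -topk8` command quoted in the message passes no `-v2` cipher option and so uses pkcs8's own default; the committed file may therefore be encrypted with a different cipher than a fresh run of the rule would produce. Confirm with `openssl asn1parse -in src/test/ssl/ssl/client-encrypted-pem.key` and, if they differ, regenerate from the rule or convert with `-v2 aes-128-cbc` so the checked-in and generated files agree.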
diff --git a/src/test/ssl/ssl/server-password.key b/src/test/ssl/ssl/server-password.key
index a8e383a949..bbe70789a0 100644
--- a/src/test/ssl/ssl/server-password.key
+++ b/src/test/ssl/ssl/server-password.key
@@ -1,30 +1,30 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,B335CBE53A05F4FC5805FC038BA80BA0
-
-1U4+GwI8FGpcrk+9uzMlQU5UZ9xOJMOZb9xA3IYMw+2BLF7zVbAkYyyiqF2pKUmi
-doOYFOGIXNV1VhVwlw674SMN+PIg72b2F7DDrqEYlicLCU4o7eeGhoiIKzTksRTU
-YV3nYCCDZCEw7V+pFeGCUAc9fc+Y0BGMYIshLVdlTYgVjZScL5kHuD9t8xa6AaTS
-mQp3jInRnHjEJbRSZnFQ9CR1LUtmGE02TOcWzoGshFdwCdtO/lJzBmmMxoL/qV1R
-Cqc0PKSANsbgvTJMriZXYSFjpMYXmxBQXDYNuFfwq67bssAVIpTSvWu9SfcY/JwV
-OqERcb1zPgDmprDvd/L7Vh/cdEWWWewOVoUo89cT7CrLvMINHqE6smM2x1xv91BB
-AOpyoGJliPGAcLDVJINm9zC1ErEjSEcR/VumZKsgSTsBYgyYezTPQYAfe+h820rs
-eC4GMu+zr31U2TVLYcb4j2t19fTgaQBj/LH3OBse9+0quoJhzmDjKelS3O3BaF05
-DM20tJRHANM+1WQ9+aFinXa1ozcGsrLSUa99oFqL4vKgL7jd0+wmCzwxaSp3rHB3
-AFHCdUOayDAdPhnGwathhAZ0AjyEJyWnA47pEpWDr7SytpbiMwOoPcW8/oKid10e
-qBK7uGK1Zc7rtckjK3CrM1VFDbxzwGbF2aKHtFFyrJtUvJwfP0Y1V2DncOsiy5Nx
-gJ3vxfi11gxnhd9VmcoY3JVvTHOsw48xYNFrZXve/X3o9eUDqb9VRs/vV3t5w+xR
-RaUPdz9cdlp2AA4xW/IvIQ7XwuBWPaPVr/g9pUvI9iJ9Z4RdruvjqDAD+ICVx9MM
-8SuN7X3gmg4mF5FEL0ct5ZdP16U8/EYvl7Np7vN3kYqbqucwCJH15R8LckAfbzIH
-yYTXC1iik4GfyN9tTpQtZsZCvV2Uo+Fo3mxP/EzB6tNbfOi3LG/coverSwgZLQsA
-Q6+Kta4PT671xXdaGLT9tEMIai9SiW5acqcdhjYvcaP69J8ZtKpNpP6HTL7IZD8p
-SbMxE9jw+bYXILR3Ie0x98z4Z04Q28/bPbvPTbXK8nv6/YpjKgq4hrRG58psHdbX
-ggS3RNzcJJMDArBka+zvbWL4jfWZhllMyGqc7q/FuoEqC5JlMTUBpru3NTNp6ZgQ
-QXRV1Pc02ff8Dp1H8FP7B7bG3E2D9eTUqR60WvmGnuAqvXgA0+4rEaUKfxELH5qc
-dZgu/yiuMttCha835wMLnOxsOJmHILwrc6/uQWydx3vNEWFx0tbV3FzVBIvqdpME
-LA4iAAz5xqvLgA5ii23Hn18ycZGU7gTERK8RdiALRzPtBW6hPreQjiMTJnBaMhXA
-Xq9opGsNmH/rZgXuk2VZ79bbl9pKN+z9ssRGzbHCVlEckfaxlrYfANwzk8PbOrZJ
-6UW3Gf2PwRRNtiVEabf0upVng7V70KSRzjfC7KBHYwbRIL4nObgTG+vc1SjgNgrx
-Ue/e8h9qiDBmgdH0Uvqfqb19HF+QzmUNoP9TVQFj+4+DuW5zN0D8weF4TuBgyHr6
-Y+Rbmq0WJlIlc8KMwX87nACesmFNSJkI0ftSLDHrLuvXRtB8f7s2cw3hd81i+scE
------END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
-- 
2.41.0
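The conversion step and the FIPS caveat from message #1 above, packaged as an added helper that is not part of the PostgreSQL patches: it classifies PEM keys by their header so the traditional `Proc-Type`/`DEK-Info` form that FIPS mode rejects can be found in a tree before converting it with the thread's `openssl pkcs8 -topk8` command. It assumes a POSIX sh; the sample files it writes are constructed headers, not the real test keys, and `openssl` (on a non-FIPS build) is needed only by `convert_key`.

```shell
#!/bin/sh
# Added helper (not from the PostgreSQL patches): find encrypted PEM keys in the
# "traditional" PKCS#1 form (Proc-Type: 4,ENCRYPTED + DEK-Info header, MD5-based
# key derivation, rejected by OpenSSL in FIPS mode) and convert them to PKCS#8.

classify_key() {                 # prints one label describing the PEM file $1
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted     # the form FIPS mode accepts
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo traditional-encrypted   # rejected in FIPS mode, needs conversion
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-plain
    elif grep -qE -- '-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----' "$1"; then
        echo traditional-plain
    else
        echo unknown
    fi
}

find_fips_rejected() {           # lists *.key files under $1 that need conversion
    find "$1" -name '*.key' -type f | sort | while read -r f; do
        if [ "$(classify_key "$f")" = traditional-encrypted ]; then echo "$f"; fi
    done
}

convert_key() {                  # $1 = key file, $2 = passphrase; same command as
    openssl pkcs8 -topk8 -in "$1" -passin "pass:$2" \
        -out "$1.new" -passout "pass:$2" && mv "$1.new" "$1"   # the thread uses
}                                # must run on a non-FIPS OpenSSL (it reads the old file)

write_samples() {                # constructed sample headers, NOT real key material
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' 'QUJDRA==' \
        '-----END RSA PRIVATE KEY-----' > "$1/old.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'QUJDRA==' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/new.key"
}

# Stand-alone demo on the constructed samples: only old.key is reported.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
find_fips_rejected "$demo_dir"
rm -rf "$demo_dir"
```

Run `convert_key path/to/key PASSPHRASE` on each reported file to apply the same conversion message #1 performed by hand.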

#2 Jacob Champion
jchampion@timescale.com
In reply to: Peter Eisentraut (#1)
Re: Convert encrypted SSL test keys to PKCS#8 format

On Tue, Aug 22, 2023 at 1:07 AM Peter Eisentraut <peter@eisentraut.org> wrote:

> I have attached two patches, one to update the generation rules, and one
> where I have converted the existing test files. (I didn't generate them
> from scratch, so for example
> src/test/modules/ssl_passphrase_callback/server.crt that corresponds to
> one of the keys does not need to be updated.)

Looks good from here. I don't have a FIPS setup right now, but the new
files pass tests on OpenSSL 1.0.2u, 1.1.1v, 3.0.2-0ubuntu1.10, and
LibreSSL 3.8. Tests continue to pass after a full clean and rebuild of
the sslfiles.

> It's also interesting that if you generate all private keys from scratch
> using the existing rules on a new OpenSSL version (3+), they will be
> generated in PKCS#8 format by default. In those OpenSSL versions, the
> openssl-rsa command has a -traditional option to get the old format, but
> of course old OpenSSL versions don't have that. As OpenSSL 3 gets more
> widespread, we might need to rethink these rules anyway to make sure we
> get consistent behavior.

Yeah. Looks like OpenSSL 3 also adds new v3 extensions to the
certificates... For now they look benign, but I assume someone's going
to run into weirdness at some point.

Thanks!
--Jacob

#3 Peter Eisentraut
peter@eisentraut.org
In reply to: Jacob Champion (#2)
Re: Convert encrypted SSL test keys to PKCS#8 format

On 22.08.23 21:02, Jacob Champion wrote:

> On Tue, Aug 22, 2023 at 1:07 AM Peter Eisentraut <peter@eisentraut.org> wrote:
>
>> I have attached two patches, one to update the generation rules, and one
>> where I have converted the existing test files. (I didn't generate them
>> from scratch, so for example
>> src/test/modules/ssl_passphrase_callback/server.crt that corresponds to
>> one of the keys does not need to be updated.)
>
> Looks good from here. I don't have a FIPS setup right now, but the new
> files pass tests on OpenSSL 1.0.2u, 1.1.1v, 3.0.2-0ubuntu1.10, and
> LibreSSL 3.8. Tests continue to pass after a full clean and rebuild of
> the sslfiles.

Committed, thanks.