postgresql/src/test/modules/ssl_passphrase_callback/Makefile
Peter Eisentraut 648c72956f Convert encrypted SSL test keys to PKCS#8 format
OpenSSL in FIPS mode rejects several encrypted private keys used in
the test suites ssl and ssl_passphrase_callback.  This is because they
are in a "traditional" OpenSSL format that uses MD5 for key
derivation.  The fix is to convert them to the more standard PKCS#8
format that uses SHA1 for key derivation.

This commit contains the converted keys, with the conversion done like
this:

openssl pkcs8 -topk8 -in src/test/modules/ssl_passphrase_callback/server.key -passin pass:FooBaR1 -out src/test/modules/ssl_passphrase_callback/server.key.new -passout pass:FooBaR1
mv src/test/modules/ssl_passphrase_callback/server.key.new src/test/modules/ssl_passphrase_callback/server.key

etc., as well as updated build rules to generate the keys in the new
format if they need to be regenerated.

Reviewed-by: Jacob Champion <jchampion@timescale.com>
Discussion: https://www.postgresql.org/message-id/flat/64de784b-8833-e055-3bd4-7420e6675351%40eisentraut.org
2023-08-28 07:37:43 +02:00


# ssl_passphrase_callback Makefile
# Export with_ssl into the environment of every command make runs.
# NOTE(review): presumably the TAP test script reads it to decide whether the
# SSL tests can run at all -- confirm against the test script.
export with_ssl
# The module this directory builds, the objects it is linked from, and its
# file description string.
MODULE_big = ssl_passphrase_func
OBJS = ssl_passphrase_func.o $(WIN32RES)
PGFILEDESC = "callback function to provide a passphrase"
# Turn on the TAP test suite for this module.
TAP_TESTS = 1
# USE_PGXS set: build against an installed PostgreSQL located via pg_config.
# USE_PGXS unset: build as part of the PostgreSQL source tree.
ifdef USE_PGXS
# pg_config is resolved through PATH, and the makefile path it prints is
# included right below, so whichever pg_config is found first decides what
# make code gets executed.  Override PG_CONFIG with an absolute path on the
# make command line when PATH is not fully trusted.
PG_CONFIG = pg_config
PGXS := $(shell $(PG_CONFIG) --pgxs)
include $(PGXS)
else
# Location of this directory relative to the top of the tree; the two
# includes pull in the tree-wide build settings and the shared module rules.
subdir = src/test/modules/ssl_passphrase_callback
top_builddir = ../../../..
include $(top_builddir)/src/Makefile.global
include $(top_srcdir)/contrib/contrib-global.mk
endif
# Link against the SSL/crypto libraries, but only those that actually appear
# in LIBS: $(filter) keeps just the words of LIBS matching one of the names.
SHLIB_LINK += $(filter -lssl -lcrypto -lssleay32 -leay32, $(LIBS))
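# Targets to generate or remove the ssl certificate and key
# Normally not needed. Don't run these targets in a vpath build, the results
# won't be in the right place if you do.
#
# The generated files are test fixtures only: the certificate is self-signed
# for CN=localhost with a very long validity (-days 10000), and the key
# passphrase below is public.  Never reuse them outside the test suite.

# needs to agree with what's in the test script
#
# The value is handed to openssl as pass:$(PASS), so it shows up on the
# command line (process list, make's echoed recipe).  That is tolerable only
# because this is a well-known test value; a real key should take its
# passphrase from a source that stays out of argv, such as openssl's file:
# or env: forms.
PASS = FooBaR1

.PHONY: ssl-files ssl-files-clean

# Step 1 writes the certificate plus an UNENCRYPTED key (server.ckey, -nodes).
# Step 2 re-encrypts that key with AES-256 under $(PASS) into server.key.
# If either step fails, the plaintext intermediate is removed before make
# stops, so a failed run does not leave an unencrypted private key lying in
# the source tree.  server.crt and server.key are never deleted here; use
# ssl-files-clean for that.
ssl-files:
	$(OPENSSL) req -new -x509 -days 10000 -nodes -out server.crt \
		-keyout server.ckey -subj "/CN=localhost" \
		|| { rm -f server.ckey; exit 1; }
	$(OPENSSL) pkey -aes256 -in server.ckey -out server.key -passout pass:$(PASS) \
		|| { rm -f server.ckey; exit 1; }
	rm -f server.ckey

# Remove the generated certificate and encrypted key.
ssl-files-clean:
	rm -f server.crt server.key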