Commit 8c22b5f

Bug#31562947: SSL TESTS ARE FAILING BECAUSE OF AN EXPIRED CERTIFICATE
Description: Some of the certificates used for testing CRL support are expired. This caused various tests to fail.

Fix:
- Added new set of certificates
- Updated read-me for CRL generation

RB: 24714
1 parent 84c0cf9 commit 8c22b5f

11 files changed, +445 -380 lines changed


mysql-test/std_data/crl-ca-cert.pem

Lines changed: 64 additions & 63 deletions
@@ -2,79 +2,80 @@ Certificate:
22
Data:
33
Version: 3 (0x2)
44
Serial Number:
5-
27:9a:6f:41:cc:a4:9a:73:13:55:a3:b6:f4:3f:71:d5:8a:a8:91:1d
6-
Signature Algorithm: sha256WithRSAEncryption
7-
Issuer: C=IN, ST=KA, O=Oracle, OU=MySQL, CN=MySQL CRL test ca certificate
5+
bf:07:54:de:af:cf:c4:de
6+
Signature Algorithm: sha256WithRSAEncryption
7+
Issuer: C=IN, ST=Karnataka, L=Bengaluru, O=Oracle, OU=MySQL, CN=MySQL CRL test ca certificate
88
Validity
9-
Not Before: Jul 1 11:58:53 2019 GMT
10-
Not After : Jun 30 11:58:53 2022 GMT
11-
Subject: C=IN, ST=KA, O=Oracle, OU=MySQL, CN=MySQL CRL test ca certificate
9+
Not Before: Jul 1 07:44:35 2020 GMT
10+
Not After : Jun 29 07:44:35 2030 GMT
11+
Subject: C=IN, ST=Karnataka, L=Bengaluru, O=Oracle, OU=MySQL, CN=MySQL CRL test ca certificate
1212
Subject Public Key Info:
1313
Public Key Algorithm: rsaEncryption
14-
RSA Public-Key: (2048 bit)
14+
Public-Key: (2048 bit)
1515
Modulus:
16-
00:c9:09:95:54:a0:91:fd:f9:26:2f:ca:c4:ce:4a:
17-
cc:25:72:44:34:f2:68:7a:4d:91:ab:1a:54:90:50:
18-
fc:14:8a:f2:5b:83:f3:68:c9:0e:bc:0f:dd:11:2f:
19-
25:43:9e:d4:5a:cf:e0:2a:4f:63:d8:1d:de:ef:7d:
20-
6b:14:4f:8f:2e:9a:44:b8:4f:41:b3:88:95:71:e2:
21-
cd:8b:22:96:7c:55:fb:39:1a:6b:18:05:18:2c:95:
22-
15:9f:b0:e3:92:76:c5:c6:e3:3f:56:44:2d:fe:a5:
23-
61:d7:47:db:84:be:08:19:d6:39:f3:4f:dd:6c:d9:
24-
ff:e1:c2:ba:78:2b:87:a8:32:02:e2:a9:e7:8a:14:
25-
bb:c5:7a:a8:33:ff:54:0b:5c:c6:20:cf:2e:e3:ee:
26-
f5:fe:4c:98:26:a5:fc:1a:4a:3f:62:8f:df:a6:31:
27-
d2:a0:f4:c8:04:dd:f5:b8:5e:6b:6c:c3:c4:c7:da:
28-
80:19:2f:40:e1:df:7d:39:a0:9d:c7:fe:59:db:75:
29-
f1:5e:2f:da:07:7f:5f:ac:0b:18:eb:0f:61:a5:17:
30-
b1:9e:cb:d5:56:9a:b4:54:89:93:45:2b:90:7e:ef:
31-
c3:a2:36:d5:7f:64:aa:a2:79:23:74:8c:02:93:5b:
32-
da:dd:10:03:01:9e:84:49:4d:8f:32:75:f1:63:57:
33-
88:19
16+
00:c9:08:13:81:df:5a:aa:45:2a:82:1e:73:4f:d6:
17+
2f:6b:7a:78:41:a7:fb:ea:02:5c:30:15:95:6a:a4:
18+
60:6b:08:4c:7d:46:4f:1a:7c:14:67:c6:19:e0:bf:
19+
c9:12:c3:96:7f:71:12:79:ba:a1:d2:51:1b:fb:f1:
20+
0f:43:9d:22:6d:7f:46:a7:94:0c:51:c2:25:ad:36:
21+
c8:1c:59:45:91:e1:20:4d:5e:31:b1:33:b1:4b:2b:
22+
a0:62:fb:8a:c6:ee:7e:84:77:d2:aa:23:f8:31:74:
23+
d5:94:60:72:88:a7:3a:ec:f3:d8:80:28:36:c1:5a:
24+
7f:58:be:8c:d2:eb:9d:fb:22:de:ec:2c:d3:41:81:
25+
b2:e4:91:e4:da:12:b2:84:0e:8f:f7:b0:1e:36:07:
26+
88:87:8e:1d:63:ad:1b:a5:31:39:d2:02:10:e0:97:
27+
21:3f:7e:e9:f1:a2:e8:c3:aa:ad:e3:bd:05:62:e1:
28+
a2:8d:ed:d5:cd:d7:66:8a:2b:15:dd:e1:91:e2:75:
29+
18:c4:50:62:fb:a1:f9:96:93:af:84:78:f7:69:b6:
30+
7f:82:f7:c8:97:13:10:46:7b:de:a2:a9:c9:71:78:
31+
f1:8e:a1:78:b5:e5:b7:dd:69:4d:8c:1b:ae:34:0e:
32+
5f:94:26:8e:81:b3:23:6e:1f:be:de:e0:e0:41:dc:
33+
71:49
3434
Exponent: 65537 (0x10001)
3535
X509v3 extensions:
3636
X509v3 Subject Key Identifier:
37-
A7:2E:CA:53:05:52:06:12:BD:ED:FF:CF:B8:BA:30:E7:7A:1F:96:46
37+
43:AB:3F:4D:D3:EB:37:3D:3D:2A:FE:BD:4E:C2:8A:DD:C9:E5:B1:B1
3838
X509v3 Authority Key Identifier:
39-
keyid:A7:2E:CA:53:05:52:06:12:BD:ED:FF:CF:B8:BA:30:E7:7A:1F:96:46
39+
keyid:43:AB:3F:4D:D3:EB:37:3D:3D:2A:FE:BD:4E:C2:8A:DD:C9:E5:B1:B1
4040

41-
X509v3 Basic Constraints: critical
41+
X509v3 Basic Constraints:
4242
CA:TRUE
4343
Signature Algorithm: sha256WithRSAEncryption
44-
53:ce:08:79:96:94:22:9b:1f:8e:2f:3c:ad:7b:1f:0e:45:7e:
45-
65:c1:c2:7f:46:f1:73:be:9c:e4:1b:2c:13:bd:bf:05:95:2b:
46-
3c:6e:70:62:b2:14:1e:a6:60:e3:a7:b7:40:22:97:db:74:d1:
47-
fc:47:27:ba:de:89:50:7e:e1:3b:f5:3e:95:aa:01:e8:8a:e6:
48-
f9:49:48:97:d2:91:a0:1f:9d:82:b5:35:16:58:01:d1:82:1d:
49-
b4:dc:68:b9:1b:84:fb:e3:ec:06:a6:55:69:e9:84:69:7d:34:
50-
ba:dd:dd:57:15:1a:9e:d8:f4:c7:44:98:07:35:66:ec:a6:1e:
51-
91:b8:a4:b2:9b:85:52:e8:98:e6:e8:28:8c:d4:1e:8e:45:50:
52-
58:c9:68:fd:b4:4b:4f:b7:58:9f:45:7b:b1:12:ae:7d:70:0d:
53-
4b:42:7e:46:d0:5a:d5:21:9f:f1:99:b6:21:75:34:7b:2a:d8:
54-
45:2e:f9:4d:fa:b4:72:a8:9e:22:e6:66:4b:81:1d:8e:b2:54:
55-
f3:0f:02:17:68:7f:79:ca:df:a7:5d:17:70:50:bf:47:df:5a:
56-
6a:e1:7f:af:ab:ca:54:86:ad:d8:35:c5:b8:f7:9d:72:0e:db:
57-
dc:0c:c3:08:2d:d1:9a:18:5c:c3:c1:64:7a:f3:9a:5a:6d:69:
58-
12:e1:fd:c2
44+
16:b8:f3:2a:4a:f7:82:7b:99:cb:40:20:a1:76:7a:2b:19:c9:
45+
4f:4f:90:b3:e4:7c:6e:42:28:c8:47:4b:37:12:ab:fa:64:ec:
46+
d6:50:f8:2f:bd:61:cd:d6:09:96:d3:84:b1:e6:60:ae:99:ae:
47+
4a:1a:b1:34:a6:ee:b7:3b:1f:6f:cc:94:39:26:e4:9d:d2:02:
48+
d9:75:ce:e7:dd:e9:3a:b2:c4:84:1a:75:0e:64:ce:32:7f:68:
49+
5b:81:b7:5e:18:bd:ac:56:69:1c:1a:a0:a1:61:85:f2:11:78:
50+
50:42:4e:e8:b8:67:8a:50:85:09:75:67:d9:09:e1:2a:61:64:
51+
24:1a:52:79:12:5c:d1:a5:53:5f:70:63:2b:30:fe:4e:e5:c6:
52+
3a:7c:f3:36:3e:7b:ab:6b:57:04:12:53:7e:dd:18:63:bf:25:
53+
ae:b0:14:f8:93:bb:0a:a6:d4:7b:77:60:58:52:ee:9e:76:9c:
54+
63:ef:84:40:fd:5a:be:54:74:d7:b8:4a:85:09:a0:13:0e:75:
55+
75:e6:2c:73:1b:e3:94:ff:ad:73:0b:c6:e3:b0:68:56:ce:ff:
56+
8d:75:f4:9d:14:5c:05:a0:8d:ad:ab:96:aa:4f:58:cb:79:cf:
57+
5b:85:84:e7:4a:66:54:09:fd:da:c2:3a:3b:ee:3c:3c:0a:66:
58+
36:bc:a6:f0
5959
-----BEGIN CERTIFICATE-----
60-
MIIDpzCCAo+gAwIBAgIUJ5pvQcykmnMTVaO29D9x1YqokR0wDQYJKoZIhvcNAQEL
61-
BQAwYzELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAktBMQ8wDQYDVQQKDAZPcmFjbGUx
62-
DjAMBgNVBAsMBU15U1FMMSYwJAYDVQQDDB1NeVNRTCBDUkwgdGVzdCBjYSBjZXJ0
63-
aWZpY2F0ZTAeFw0xOTA3MDExMTU4NTNaFw0yMjA2MzAxMTU4NTNaMGMxCzAJBgNV
64-
BAYTAklOMQswCQYDVQQIDAJLQTEPMA0GA1UECgwGT3JhY2xlMQ4wDAYDVQQLDAVN
65-
eVNRTDEmMCQGA1UEAwwdTXlTUUwgQ1JMIHRlc3QgY2EgY2VydGlmaWNhdGUwggEi
66-
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJCZVUoJH9+SYvysTOSswlckQ0
67-
8mh6TZGrGlSQUPwUivJbg/NoyQ68D90RLyVDntRaz+AqT2PYHd7vfWsUT48umkS4
68-
T0GziJVx4s2LIpZ8Vfs5GmsYBRgslRWfsOOSdsXG4z9WRC3+pWHXR9uEvggZ1jnz
69-
T91s2f/hwrp4K4eoMgLiqeeKFLvFeqgz/1QLXMYgzy7j7vX+TJgmpfwaSj9ij9+m
70-
MdKg9MgE3fW4Xmtsw8TH2oAZL0Dh3305oJ3H/lnbdfFeL9oHf1+sCxjrD2GlF7Ge
71-
y9VWmrRUiZNFK5B+78OiNtV/ZKqieSN0jAKTW9rdEAMBnoRJTY8ydfFjV4gZAgMB
72-
AAGjUzBRMB0GA1UdDgQWBBSnLspTBVIGEr3t/8+4ujDneh+WRjAfBgNVHSMEGDAW
73-
gBSnLspTBVIGEr3t/8+4ujDneh+WRjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
74-
DQEBCwUAA4IBAQBTzgh5lpQimx+OLzytex8ORX5lwcJ/RvFzvpzkGywTvb8FlSs8
75-
bnBishQepmDjp7dAIpfbdNH8Rye63olQfuE79T6VqgHoiub5SUiX0pGgH52CtTUW
76-
WAHRgh203Gi5G4T74+wGplVp6YRpfTS63d1XFRqe2PTHRJgHNWbsph6RuKSym4VS
77-
6Jjm6CiM1B6ORVBYyWj9tEtPt1ifRXuxEq59cA1LQn5G0FrVIZ/xmbYhdTR7KthF
78-
LvlN+rRyqJ4i5mZLgR2OslTzDwIXaH95yt+nXRdwUL9H31pq4X+vq8pUhq3YNcW4
79-
951yDtvcDMMILdGaGFzDwWR685pabWkS4f3C
60+
MIIDzzCCAregAwIBAgIJAL8HVN6vz8TeMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNV
61+
BAYTAklOMRIwEAYDVQQIDAlLYXJuYXRha2ExEjAQBgNVBAcMCUJlbmdhbHVydTEP
62+
MA0GA1UECgwGT3JhY2xlMQ4wDAYDVQQLDAVNeVNRTDEmMCQGA1UEAwwdTXlTUUwg
63+
Q1JMIHRlc3QgY2EgY2VydGlmaWNhdGUwHhcNMjAwNzAxMDc0NDM1WhcNMzAwNjI5
64+
MDc0NDM1WjB+MQswCQYDVQQGEwJJTjESMBAGA1UECAwJS2FybmF0YWthMRIwEAYD
65+
VQQHDAlCZW5nYWx1cnUxDzANBgNVBAoMBk9yYWNsZTEOMAwGA1UECwwFTXlTUUwx
66+
JjAkBgNVBAMMHU15U1FMIENSTCB0ZXN0IGNhIGNlcnRpZmljYXRlMIIBIjANBgkq
67+
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyQgTgd9aqkUqgh5zT9Yva3p4Qaf76gJc
68+
MBWVaqRgawhMfUZPGnwUZ8YZ4L/JEsOWf3ESebqh0lEb+/EPQ50ibX9Gp5QMUcIl
69+
rTbIHFlFkeEgTV4xsTOxSyugYvuKxu5+hHfSqiP4MXTVlGByiKc67PPYgCg2wVp/
70+
WL6M0uud+yLe7CzTQYGy5JHk2hKyhA6P97AeNgeIh44dY60bpTE50gIQ4JchP37p
71+
8aLow6qt470FYuGije3VzddmiisV3eGR4nUYxFBi+6H5lpOvhHj3abZ/gvfIlxMQ
72+
RnveoqnJcXjxjqF4teW33WlNjBuuNA5flCaOgbMjbh++3uDgQdxxSQIDAQABo1Aw
73+
TjAdBgNVHQ4EFgQUQ6s/TdPrNz09Kv69TsKK3cnlsbEwHwYDVR0jBBgwFoAUQ6s/
74+
TdPrNz09Kv69TsKK3cnlsbEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
75+
AQEAFrjzKkr3gnuZy0AgoXZ6KxnJT0+Qs+R8bkIoyEdLNxKr+mTs1lD4L71hzdYJ
76+
ltOEseZgrpmuShqxNKbutzsfb8yUOSbkndIC2XXO593pOrLEhBp1DmTOMn9oW4G3
77+
Xhi9rFZpHBqgoWGF8hF4UEJO6LhnilCFCXVn2QnhKmFkJBpSeRJc0aVTX3BjKzD+
78+
TuXGOnzzNj57q2tXBBJTft0YY78lrrAU+JO7CqbUe3dgWFLunnacY++EQP1avlR0
79+
17hKhQmgEw51deYscxvjlP+tcwvG47BoVs7/jXX0nRRcBaCNrauWqk9Yy3nPW4WE
80+
50pmVAn92sI6O+48PApmNrym8A==
8081
-----END CERTIFICATE-----
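
Review bot: The regenerated CA certificate loses the critical flag on Basic Constraints: the removed line reads "X509v3 Basic Constraints: critical" and the added one "X509v3 Basic Constraints:", with CA:TRUE unchanged below it. RFC 5280 requires CA certificates to mark this extension critical, and strict validators can treat the two forms differently, so if this is only a side effect of generating the CA with a different openssl.cnf, regenerate with "basicConstraints = critical,CA:TRUE" so the fixture stays equivalent to the one it replaces. The new "Not After : Jun 29 07:44:35 2030 GMT" also means the same test failure returns on a known date; a note in the readme or a test that checks fixture expiry would surface it before the suite breaks.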

mysql-test/std_data/crl-certificate-readme.txt

Lines changed: 74 additions & 5 deletions
@@ -1,6 +1,9 @@
11
These are the instructions on how to generate test files for the CRL tests
22
using openSSL.
33

4+
If you have root access on the system
5+
=====================================
6+
47
1. Make sure you have the right validity periods in CA.pl and openssl.cnf
58
2. Create a new certification authority : CA.pl -newca
69
3. Copy demoCA/cacert.pem to crl-ca-cert.pem
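
Review bot: The added heading "If you have root access on the system" does not say what root is needed for, and step 1 directly under it still asks for "the right validity periods" without naming a value. Since the bug being fixed is an expired fixture, state the intended lifetimes here (the new section further down uses -days 3650 for the CA and -days 3600 for the leaf certificates) and add one sentence on why this path needs root, so a reader can choose between the two procedures.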
@@ -21,11 +24,77 @@ using openSSL.
2124
key while copying it :
2225
openssl rsa -in newkey.pem -out crl-client-key-revoked.pem
2326
16. Revoke the crl-client-invalid-cert.pem :
24-
openssl ca -revoke crl-client-key-revoked.pem
27+
openssl ca -revoke crl-client-invalid-cert.pem
2528
17. Generate a CRL file :
2629
openssl ca -gencrl -crldays=3650 -out crl-client-revoked.crl
2730
18. Clean up all the files in the crldir directory
28-
19. Copy the CA certificate into it :
29-
cp crl-ca-cert.pem `openssl x509 -in crl-ca-cert.pem -noout -hash`.0
30-
20. Copy the CRL file into it :
31-
cp crl-client-revoked.crl `openssl crl -in crl-ca-cert.pem -noout -hash`.r0
31+
19. Copy the CRL file into it :
32+
cp crl-client-revoked.crl `openssl crl -in crl-client-revoked.crl -noout -hash`.r0
33+
34+
35+
If you are using your own CA
36+
============================
37+
38+
Prepare directory
39+
-----------------
40+
41+
1. mkdir new_crlcerts && cd new_crlcerts
42+
2. mkdir crldir
43+
3. mkdir private
44+
45+
Generate CA and 3 set of certificates
46+
-------------------------------------
47+
48+
4. Generate CA
49+
openssl genrsa 2048 > crl-ca-key.pem
50+
openssl req -new -x509 -nodes -days 3650 -key crl-ca-key.pem -out crl-ca-cert.pem
51+
52+
5. Generate Server certificate
53+
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout crl-server-key.pem -out crl-server-req.pem
54+
openssl rsa -in crl-server-key.pem -out crl-server-key.pem
55+
openssl x509 -req -in crl-server-req.pem -days 3600 -CA crl-ca-cert.pem -CAkey crl-ca-key.pem -set_serial 01 -out crl-server-cert.pem
56+
57+
6. Generate Client certificate
58+
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout crl-client-key.pem -out crl-client-req.pem
59+
openssl rsa -in crl-client-key.pem -out crl-client-key.pem
60+
openssl x509 -req -in crl-client-req.pem -days 3600 -CA crl-ca-cert.pem -CAkey crl-ca-key.pem -set_serial 02 -out crl-client-cert.pem
61+
62+
7. Generate Client certificate that will be revoked later
63+
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout crl-client-revoked-key.pem -out crl-client-revoked-req.pem
64+
openssl rsa -in crl-client-revoked-key.pem -out crl-client-revoked-key.pem
65+
openssl x509 -req -in crl-client-revoked-req.pem -days 3600 -CA crl-ca-cert.pem -CAkey crl-ca-key.pem -set_serial 03 -out crl-client-revoked-cert.pem
66+
67+
Prepare for certificate revocation
68+
----------------------------------
69+
70+
8. cp crl-ca-cert.pem cacert.pem
71+
9. cp crl-ca-key.pem private/cakey.pem
72+
10. touch index.txt
73+
11. echo 1000 > crlnumber
74+
12. copy global openssl.cnf to current working dirctory
75+
13. Open local copy of openssl.cnf and in [CA_default] section
76+
- Update dir to point to current working directory
77+
- Update certs to point to $dir and not $dir/certs
78+
79+
Revoke a certificate and create crl file
80+
----------------------------------------
81+
82+
14. openssl ca -config openssl.cnf -revoke crl-client-revoked-cert.pem
83+
15. openssl ca -config openssl.cnf -gencrl -crldays 3600 -out crl-client-revoked.crl
84+
16. cp crl-client-revoked.crl `openssl crl -in crl-client-revoked.pem -noout -hash`.r0
85+
86+
Replace existing certs
87+
----------------------
88+
17. Replace following files in <src>/mysql-test/std_data/ with files generated above
89+
crl-ca-cert.pem
90+
crl-client-cert.pem
91+
crl-client-key.pem
92+
crl-client-revoked-cert.pem
93+
crl-client-revoked-key.pem
94+
crl-client-revoked.crl
95+
crl-server-cert.pem
96+
crl-server-key.pem
97+
98+
18. Remove file in <src>/mysql-test/std_data/crldir
99+
19. Copy file generated in step 16 above to <src>/mysql-test/std_data/crldir
100+
20. You may now remove new_crls directory
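
Review bot: Step 16 of the "If you are using your own CA" section hashes a file the procedure never creates: "openssl crl -in crl-client-revoked.pem -noout -hash" should name crl-client-revoked.crl, the file written in step 15, which is the same correction this hunk applies to step 19 of the first section. As written, openssl fails, the backtick substitution is empty, and the CRL is copied to a file named ".r0" that a hashed crldir lookup will not find. Smaller points in the same hunk: step 20 says to remove new_crls while step 1 created new_crlcerts, "dirctory" in step 12 is a typo, and the first section passes "-crldays=3650" where the new one uses "-crldays 3600", so settle on one form and value.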
