test/smime-certs/ca.cnf: clean up comments, simplify settings using SKID and AKID...
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 25 Aug 2022 15:45:40 +0000 (17:45 +0200)
committerTomas Mraz <tomas@openssl.org>
Fri, 18 Nov 2022 14:10:02 +0000 (15:10 +0100)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19064)

test/smime-certs/ca.cnf

index 7d453e895758d4e7445102add690f2ebb4baf69f..9e6f8a917ebd4165054202db0ecfa6b4d31f8f1b 100644 (file)
@@ -18,8 +18,8 @@ default_keyfile       = privkey.pem
 # Don't prompt for fields: use those in section directly
 prompt                 = no
 distinguished_name     = req_distinguished_name
-x509_extensions        = v3_ca # The extensions to add to the self signed cert
-string_mask = utf8only
+x509_extensions         = v3_ca # The extensions to add to the self signed cert
+string_mask             = utf8only
 
 # req_extensions = v3_req # The extensions to add to a certificate request
 
@@ -32,46 +32,39 @@ commonName                  = $ENV::CN
 
 [ usr_cert ]
 
-# These extensions are added when 'ca' signs a request for an end entity
-# certificate
+# These extensions are added when 'ca' signs a request for a normal end-entity
+# certificate with key usage restrictions compatible with RSA keys
 
-basicConstraints=critical, CA:FALSE
-keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+basicConstraints = CA:FALSE
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
+# Following SKID and AKID settings are meanwhile by default in all certificates.
+# See doc/man5/x509v3_config.pod for details.
 
-[ dh_cert ]
+# subjectKeyIdentifier   = hash
+# authorityKeyIdentifier = keyid, issuer
 
-# These extensions are added when 'ca' signs a request for an end entity
-# DH certificate
+[ dh_cert ]
 
-basicConstraints=critical, CA:FALSE
-keyUsage=critical, keyAgreement
+# These extensions are added when 'ca' signs a request for an end-entity
+# DH certificate, for which only key agreement makes sense
 
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
+basicConstraints = CA:FALSE
+keyUsage = critical, keyAgreement
 
 [ codesign_cert ]
 
 # These extensions are added when 'ca' signs a request for a code-signing
-# end-entity certificate
+# end-entity certificate compatible with RSA and ECC keys
 
-basicConstraints=CA:FALSE
-keyUsage=critical, digitalSignature
-extendedKeyUsage=codeSigning
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature
+extendedKeyUsage = codeSigning
 
 [ v3_ca ]
 
+# Extensions for a typical CA as required by RFC 5280 etc.
+# SKID and AKID are by default set according to PKIX recommendation.
 
-# Extensions for a typical CA
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = critical,CA:true
+basicConstraints = critical, CA:true
 keyUsage = critical, cRLSign, keyCertSign
-
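Review bot: The comment introduced at the top of [usr_cert], `# Following SKID and AKID settings are meanwhile by default in all certificates.`, states the guarantee more broadly than the referenced documentation seems to support: as far as I can tell from doc/man5/x509v3_config.pod, the implicit subjectKeyIdentifier = hash and authorityKeyIdentifier = keyid, issuer are supplied by the x509, req and ca apps, not by the config parser, so these sections used through the library API would yield certificates without either identifier. Suggest `# SKID and AKID are omitted here because the x509, req and ca apps add them by default (see doc/man5/x509v3_config.pod).` here, and the corresponding wording for the new [v3_ca] comment, which currently only says they are "by default set". The commented-out hint `# authorityKeyIdentifier = keyid, issuer` also differs from the removed explicit `keyid` setting in [usr_cert] and [dh_cert]; if the apps' default matches the hint, the AKID of the generated end-entity test certificates now additionally carries the issuer name and serial, which is worth a sentence in the comment if intended. Independently of that, "meanwhile" reads as "in the meantime" in English; `now` is the intended sense.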