From: Dr. David von Oheimb
Date: Thu, 25 Aug 2022 15:45:40 +0000 (+0200)
Subject: test/smime-certs/ca.cnf: clean up comments, simplify settings using SKID and AKID...
X-Git-Tag: openssl-3.2.0-alpha1~1698
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a275afc527d05b5187b457bdbcd0e1dcb18839f1;p=thirdparty%2Fopenssl.git

test/smime-certs/ca.cnf: clean up comments, simplify settings using SKID and AKID defaults

Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/19064)
---
diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
index 7d453e89575..9e6f8a917eb 100644
--- a/test/smime-certs/ca.cnf
+++ b/test/smime-certs/ca.cnf
@@ -18,8 +18,8 @@ default_keyfile = privkey.pem
 # Don't prompt for fields: use those in section directly
 prompt = no
 distinguished_name = req_distinguished_name
-x509_extensions = v3_ca # The extensions to add to the self signed cert
-string_mask = utf8only
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+string_mask = utf8only
 # req_extensions = v3_req # The extensions to add to a certificate request
@@ -32,46 +32,39 @@ commonName = $ENV::CN
 [ usr_cert ]
-# These extensions are added when 'ca' signs a request for an end entity
-# certificate
+# These extensions are added when 'ca' signs a request for a normal end-entity
+# certificate with key usage restrictions compatible with RSA keys
-basicConstraints=critical, CA:FALSE
-keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+basicConstraints = CA:FALSE
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
+# Following SKID and AKID settings are meanwhile by default in all certificates.
+# See doc/man5/x509v3_config.pod for details.
-[ dh_cert ]
+# subjectKeyIdentifier = hash
+# authorityKeyIdentifier = keyid, issuer
-# These extensions are added when 'ca' signs a request for an end entity
-# DH certificate
+[ dh_cert ]
-basicConstraints=critical, CA:FALSE
-keyUsage=critical, keyAgreement
+# These extensions are added when 'ca' signs a request for an end-entity
+# DH certificate, for which only key agreement makes sense
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
+basicConstraints = CA:FALSE
+keyUsage = critical, keyAgreement
 [ codesign_cert ]
 # These extensions are added when 'ca' signs a request for a code-signing
-# end-entity certificate
+# end-entity certificate compatible with RSA and ECC keys
-basicConstraints=CA:FALSE
-keyUsage=critical, digitalSignature
-extendedKeyUsage=codeSigning
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature
+extendedKeyUsage = codeSigning
 [ v3_ca ]
+# Extensions for a typical CA as required by RFC 5280 etc.
+# SKID and AKID are by default set according to PKIX recommendation.
-# Extensions for a typical CA
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = critical,CA:true
+basicConstraints = critical, CA:true
 keyUsage = critical, cRLSign, keyCertSign
-
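Review bot: basicConstraints in the usr_cert and dh_cert sections loses `critical` (`-basicConstraints=critical, CA:FALSE` becomes `+basicConstraints = CA:FALSE`), a change the commit message, which speaks only of comment cleanup and SKID/AKID defaults, does not mention. RFC 5280 section 4.2.1.9 demands criticality only for certificates with cA TRUE, and path validation rejects a v3 certificate as an issuer when cA is not asserted regardless of criticality, so the new value is sound, but nothing in the hunk shows it is deliberate; a line above the key such as `# not critical: RFC 5280 requires a critical basicConstraints only in CA certificates` would record that. In the new usr_cert comment, "meanwhile" reads as "in the meantime"; `# The following SKID and AKID settings are now the defaults for all certificates.` says what is meant. The v3_ca comment's claim that AKID is set by default also in the self-signed CA certificate, which the removed line forced with `keyid:always`, cannot be verified from this hunk and is worth confirming against doc/man5/x509v3_config.pod before the smime tests depend on it.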