make expiration and key length changeable by DAYS and KEYLEN

variables in the certificate Makefile (#1058108)
- change default hash to sha256 (#1062325)

Makefile.certificate

@@ -1,5 +1,8 @@
 UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
 SERIAL=0
+DAYS=365
+KEYLEN=2048
+TYPE=rsa:$(KEYLEN)
 
 .PHONY: usage
 .SUFFIXES: .key .csr .crt .pem
@@ -21,6 +24,7 @@ usage:
 	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
 	@echo
 	@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
+	@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
 	@echo
 	@echo Examples:
 	@echo "  make server.key"
@@ -38,7 +42,7 @@ usage:
 	umask 77 ; \
 	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
-	/usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
+	/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
 	cat $$PEM1 >  $@ ; \
 	echo ""    >> $@ ; \
 	cat $$PEM2 >> $@ ; \
@@ -46,7 +50,7 @@ usage:
 
 %.key:
 	umask 77 ; \
-	/usr/bin/openssl genrsa -aes128 2048 > $@
+	/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
 
 %.csr: %.key
 	umask 77 ; \
@@ -54,7 +58,7 @@ usage:
 
 %.crt: %.key
 	umask 77 ; \
-	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)
+	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)
 
 TLSROOT=/etc/pki/tls
 KEY=$(TLSROOT)/private/localhost.key
@@ -71,4 +75,4 @@ $(CSR): $(KEY)
 
 $(CRT): $(KEY)
 	umask 77 ; \
-	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)
+	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)

openssl-1.0.1e-defaults.patch

@@ -1,13 +1,22 @@
-diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cnf
---- openssl-1.0.0f/apps/openssl.cnf.defaults	2011-12-06 01:01:00.000000000 +0100
-+++ openssl-1.0.0f/apps/openssl.cnf	2012-01-05 13:16:15.000000000 +0100
+diff -up openssl-1.0.1e/apps/openssl.cnf.defaults openssl-1.0.1e/apps/openssl.cnf
+--- openssl-1.0.1e/apps/openssl.cnf.defaults	2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/apps/openssl.cnf	2014-02-06 18:00:00.170929334 +0100
+@@ -72,7 +72,7 @@ cert_opt 	= ca_default		# Certificate fi
+ 
+ default_days	= 365			# how long to certify for
+ default_crl_days= 30			# how long before next CRL
+-default_md	= default		# use public key default MD
++default_md	= sha256		# use SHA-256 by default
+ preserve	= no			# keep passed DN ordering
+ 
+ # A few difference way of specifying how similar the request should look
 @@ -103,7 +103,8 @@ emailAddress		= optional
  
  ####################################################################
  [ req ]
 -default_bits		= 1024
 +default_bits		= 2048
-+default_md		= sha1
++default_md		= sha256
  default_keyfile 	= privkey.pem
  distinguished_name	= req_distinguished_name
  attributes		= req_attributes
@@ -25,7 +34,7 @@ diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cn
 +#stateOrProvinceName_default	= Default Province
  
  localityName			= Locality Name (eg, city)
-+localityName_default	= Default City
++localityName_default		= Default City
  
  0.organizationName		= Organization Name (eg, company)
 -0.organizationName_default	= Internet Widgits Pty Ltd
@@ -42,3 +51,12 @@ diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cn
  commonName_max			= 64
  
  emailAddress			= Email Address
+@@ -339,7 +341,7 @@ signer_key	= $dir/private/tsakey.pem # T
+ default_policy	= tsa_policy1		# Policy if request did not specify it
+ 					# (optional)
+ other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+-digests		= md5, sha1		# Acceptable message digests (mandatory)
++digests		= sha1, sha256, sha384, sha512	# Acceptable message digests (mandatory)
+ accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+ clock_precision_digits  = 0	# number of digits after dot. (optional)
+ ordering		= yes	# Is ordering defined for timestamps?

openssl.spec

@@ -21,7 +21,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 38%{?dist}
+Release: 39%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -39,7 +39,7 @@ Source12: ec_curve.c
 Source13: ectest.c
 # Build changes
 Patch1: openssl-1.0.1-beta2-rpmbuild.patch
-Patch2: openssl-1.0.0f-defaults.patch
+Patch2: openssl-1.0.1e-defaults.patch
 Patch4: openssl-1.0.0-beta5-enginesdir.patch
 Patch5: openssl-0.9.8a-no-rpath.patch
 Patch6: openssl-0.9.8b-test-use-localhost.patch
@@ -474,6 +474,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Thu Feb  6 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-39
+- make expiration and key length changeable by DAYS and KEYLEN
+  variables in the certificate Makefile (#1058108)
+- change default hash to sha256 (#1062325)
+
 * Wed Jan 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
 - make 3des strength to be 128 bits instead of 168 (#1056616)