openssl3/contribs10/0004-Override-default-paths-for-the-CA-directory-tree.patch

From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:17:26 +0200
Subject: Override default paths for the CA directory tree

Also add default section to load crypto-policies configuration
for TLS.

It needs to be reverted before running tests.

(was openssl-1.1.1-conf-paths.patch)
---
 apps/CA.pl.in    |  2 +-
 apps/openssl.cnf | 20 ++++++++++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index c0afb96716..d6a5fabd16 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
 my $PKCS12 = "$openssl pkcs12";
 
 # Default values for various configuration settings.
-my $CATOP = "./demoCA";
+my $CATOP = "/etc/pki/CA";
 my $CAKEY = "cakey.pem";
 my $CAREQ = "careq.pem";
 my $CACERT = "cacert.pem";
diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls  2021-07-06 13:41:39.204978272 +0200
+++ openssl-3.0.0-alpha16/apps/openssl.cnf      2021-07-06 13:49:50.362857683 +0200
@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7
 
 [openssl_init]
 providers = provider_sect
+# Load default TLS policy configuration
+ssl_conf = ssl_module
 
 # List of providers to load
 [provider_sect]
@@ -64,6 +66,13 @@ default = default_sect
 [default_sect]
 # activate = 1
 
+[ ssl_module ]
+
+system_default = crypto_policy
+
+[ crypto_policy ]
+
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
 
 ####################################################################
 [ ca ]
@@ -72,7 +81,7 @@ default_ca    = CA_default            # The default c
 ####################################################################
 [ CA_default ]
 
-dir            = ./demoCA              # Where everything is kept
+dir            = /etc/pki/CA           # Where everything is kept
 certs          = $dir/certs            # Where the issued certs are kept
 crl_dir                = $dir/crl              # Where the issued crl are kept
 database       = $dir/index.txt        # database index file.
@@ -304,7 +313,7 @@ default_tsa = tsa_config1   # the default
 [ tsa_config1 ]
 
 # These are used by the TSA reply generation only.
-dir            = ./demoCA              # TSA root directory
+dir            = /etc/pki/CA           # TSA root directory
 serial         = $dir/tsaserial        # The current serial number (mandatory)
 crypto_device  = builtin               # OpenSSL engine to use for signing
 signer_cert    = $dir/tsacert.pem      # The TSA signing certificate
1	jpp	1.1	From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
2			From: Tomas Mraz <tmraz@fedoraproject.org>
3			Date: Thu, 24 Sep 2020 09:17:26 +0200
4			Subject: Override default paths for the CA directory tree
5
6			Also add default section to load crypto-policies configuration
7			for TLS.
8
9			It needs to be reverted before running tests.
10
11			(was openssl-1.1.1-conf-paths.patch)
12			---
13			apps/CA.pl.in \| 2 +-
14			apps/openssl.cnf \| 20 ++++++++++++++++++--
15			2 files changed, 19 insertions(+), 3 deletions(-)
16
17			diff --git a/apps/CA.pl.in b/apps/CA.pl.in
18			index c0afb96716..d6a5fabd16 100644
19			--- a/apps/CA.pl.in
20			+++ b/apps/CA.pl.in
21			@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
22			my $PKCS12 = "$openssl pkcs12";
23
24			# Default values for various configuration settings.
25			-my $CATOP = "./demoCA";
26			+my $CATOP = "/etc/pki/CA";
27			my $CAKEY = "cakey.pem";
28			my $CAREQ = "careq.pem";
29			my $CACERT = "cacert.pem";
30			diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
31			--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
32			+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
33			@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7
34
35			[openssl_init]
36			providers = provider_sect
37			+# Load default TLS policy configuration
38			+ssl_conf = ssl_module
39
40			# List of providers to load
41			[provider_sect]
42			@@ -64,6 +66,13 @@ default = default_sect
43			[default_sect]
44			# activate = 1
45
46			+[ ssl_module ]
47			+
48			+system_default = crypto_policy
49			+
50			+[ crypto_policy ]
51			+
52			+.include = /etc/crypto-policies/back-ends/opensslcnf.config
53
54			####################################################################
55			[ ca ]
56			@@ -72,7 +81,7 @@ default_ca = CA_default # The default c
57			####################################################################
58			[ CA_default ]
59
60			-dir = ./demoCA # Where everything is kept
61			+dir = /etc/pki/CA # Where everything is kept
62			certs = $dir/certs # Where the issued certs are kept
63			crl_dir = $dir/crl # Where the issued crl are kept
64			database = $dir/index.txt # database index file.
65			@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default
66			[ tsa_config1 ]
67
68			# These are used by the TSA reply generation only.
69			-dir = ./demoCA # TSA root directory
70			+dir = /etc/pki/CA # TSA root directory
71			serial = $dir/tsaserial # The current serial number (mandatory)
72			crypto_device = builtin # OpenSSL engine to use for signing
73			signer_cert = $dir/tsacert.pem # The TSA signing certificate