From e45d943665e806ff49d06cfbdd566a8e2d57d56d Mon Sep 17 00:00:00 2001
From: Shane Lontis
Date: Wed, 1 Jul 2020 14:37:32 +1000
Subject: [PATCH] Add FIPS related configuration data to the default openssl application configuration file
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/12333)
---
 apps/openssl-vms.cnf | 34 ++++++++++++++++++++++++++++++----
 apps/openssl.cnf | 34 ++++++++++++++++++++++++++++++----
 doc/man5/config.pod | 1 +
 3 files changed, 61 insertions(+), 8 deletions(-)
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index 2420e9c9f5..ca21149efd 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -1,7 +1,9 @@
 #
 # OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
+# See doc/man5/config.pod for more info.
 #
+# This is mostly being used for generation of certificate requests,
+# but may be used for auto loading of providers
 
 # Note that you can include other files from the main configuration
 # file using the .include directive.
@@ -11,9 +13,12 @@
 # defined.
 HOME = .
 
+ # Use this in order to automatically load providers.
+openssl_conf = openssl_init
+
 # Extra OBJECT IDENTIFIER info:
-#oid_file = $ENV::HOME/.oid
-oid_section = new_oids
+# oid_file = $ENV::HOME/.oid
+oid_section = new_oids
 
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
@@ -23,7 +28,6 @@ oid_section = new_oids
 # X.509v3 extensions in its main [= default] section.)
 
 [ new_oids ]
-
 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 # Add a simple OID like this:
 # testoid1=1.2.3.4
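Review bot: In the `@@ -11,9 +13,12 @@` hunk the added comment `+ # Use this in order to automatically load providers.` is indented by one space while every other comment in this file starts in column 0, and the same indented line appears in the matching hunk of apps/openssl.cnf below. As far as I know the CONF parser skips leading whitespace, so it is harmless, but it reads like a slip; I'd write it as `# Use this in order to automatically load providers.` in both files. Since `openssl_conf = openssl_init` now makes every application that reads this default file process the `[openssl_init]` section, which is only added much later in the file by the `@@ -35,6 +39,28 @@` hunk, a second comment line saying where that section lives and that, if I read the commented-out `activate = 1` correctly, no provider is explicitly activated as shipped would spare readers a search.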
@@ -35,6 +39,28 @@ tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 
+# For FIPS
+# Optionally include a file that is generated by the OpenSSL fipsinstall
+# application. This file contains configuration data required by the OpenSSL
+# fips provider. It contains a named section e.g. [fips_sect] which is
+# referenced from the [provider_sect] below.
+# Refer to the OpenSSL security policy for more information.
+# .include fipsmodule.cnf
+
+[openssl_init]
+providers = provider_sect
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+# The fips section name should match the section name inside the
+# included fipsmodule.cnf.
+# fips = fips_sect
+
+[default_sect]
+# activate = 1
+
+
 ####################################################################
 [ ca ]
 default_ca = CA_default # The default ca section
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 4fd5286d2e..3e8c0cbb2c 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -1,7 +1,9 @@
 #
 # OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
+# See doc/man5/config.pod for more info.
 #
+# This is mostly being used for generation of certificate requests,
+# but may be used for auto loading of providers
 
 # Note that you can include other files from the main configuration
 # file using the .include directive.
@@ -11,9 +13,12 @@
 # defined.
 HOME = .
 
+ # Use this in order to automatically load providers.
+openssl_conf = openssl_init
+
 # Extra OBJECT IDENTIFIER info:
-#oid_file = $ENV::HOME/.oid
-oid_section = new_oids
+# oid_file = $ENV::HOME/.oid
+oid_section = new_oids
 
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
@@ -23,7 +28,6 @@ oid_section = new_oids
 # X.509v3 extensions in its main [= default] section.)
 
 [ new_oids ]
-
 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 # Add a simple OID like this:
 # testoid1=1.2.3.4
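Review bot: The example `# .include fipsmodule.cnf` in the `@@ -35,6 +39,28 @@` hunk of apps/openssl-vms.cnf uses a bare relative path, and the identical text is added to apps/openssl.cnf in the hunk of the same shape below. As far as I can tell a relative `.include` is resolved against the process's working directory rather than against the directory holding this file, so a user who uncomments the line as written would have the fipsinstall output (which the comment above it describes as configuration data the fips provider depends on) looked up wherever the application happens to be started; the example should show an absolute or installation-relative location and say why, e.g. `# .include /path/to/fipsmodule.cnf` (placeholder path) preceded by `# Use an absolute path so the file is found regardless of the working directory.`. Separately, the three lines a user has to uncomment to enable FIPS (`.include`, `fips = fips_sect`, `activate = 1`) are spread over three blocks and only the middle one is tied to the included file by a comment. A one-line comment above `[default_sect]` stating what `activate = 1` does, and whether the default provider remains available once the fips provider is activated, would save readers guessing.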
@@ -35,6 +39,28 @@ tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 
+# For FIPS
+# Optionally include a file that is generated by the OpenSSL fipsinstall
+# application. This file contains configuration data required by the OpenSSL
+# fips provider. It contains a named section e.g. [fips_sect] which is
+# referenced from the [provider_sect] below.
+# Refer to the OpenSSL security policy for more information.
+# .include fipsmodule.cnf
+
+[openssl_init]
+providers = provider_sect
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+# The fips section name should match the section name inside the
+# included fipsmodule.cnf.
+# fips = fips_sect
+
+[default_sect]
+# activate = 1
+
+
 ####################################################################
 [ ca ]
 default_ca = CA_default # The default ca section
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 13bd526c49..58948b4b78 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -474,6 +474,7 @@ configuration files using that syntax will have to be modified. =head1 SEE ALSO L, L, L, +L, L, L, L,