From 4727e568d5cd28cebdb2c5a67299e81ee75f45c3 Mon Sep 17 00:00:00 2001
From: Efim Poberezkin <8711996+efim-poberezkin@users.noreply.github.com>
Date: Mon, 3 Jan 2022 20:59:53 +0400
Subject: [PATCH] fix x509 call to be compatible with openssl version 1.1.1 (#253)
---
 apps/smp-server/Main.hs | 23 +++++++++++------------
 tests/fixtures/README.md | 11 ++++++-----
 tests/fixtures/server.crt | 12 ++++++------
 3 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/apps/smp-server/Main.hs b/apps/smp-server/Main.hs
index bdade5f4a..496b4b45d 100644
--- a/apps/smp-server/Main.hs
+++ b/apps/smp-server/Main.hs
@@ -144,7 +144,7 @@ initializeServer InitOptions {enableStoreLog, signAlgorithm} = do
 -- server certificate (online)
 run $ "openssl genpkey -algorithm " <> show signAlgorithm <> " -out " <> serverKeyFile
 run $ "openssl req -new -config " <> opensslCnfFile <> " -reqexts v3_req -key " <> serverKeyFile <> " -out " <> serverCsrFile
- run $ "openssl x509 -req -days 999999 -copy_extensions copy -in " <> serverCsrFile <> " -CA " <> caCrtFile <> " -CAkey " <> caKeyFile <> " -out " <> serverCrtFile
+ run $ "openssl x509 -req -days 999999 -extfile " <> opensslCnfFile <> " -extensions v3_req -in " <> serverCsrFile <> " -CA " <> caCrtFile <> " -CAkey " <> caKeyFile <> " -CAcreateserial -out " <> serverCrtFile
 where
 run cmd = void $ readCreateProcess (shell cmd) ""
 opensslCnfFile = combine cfgDir "openssl.cnf"
@@ -186,6 +186,16 @@ initializeServer InitOptions {enableStoreLog, signAlgorithm} = do
 \port: 5223\n\
 \websockets: on\n"
+ warnCAPrivateKeyFile =
+ putStrLn $
+ "----------\n\
+ \You should store CA private key securely and delete it from the server.\n\
+ \If server TLS credential is compromised this key can be used to sign a new one, \
+ \keeping the same server identity and established connections.\n\
+ \CA private key location:\n"
+ <> caKeyFile
+ <> "\n----------"
+
 data IniOptions = IniOptions
 { enableStoreLog :: Bool,
 port :: ServiceName,
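Review bot: The new `openssl x509` line records neither why `-copy_extensions copy` went away nor the side effect of `-CAcreateserial`, so add above it `-- OpenSSL 1.1.1 has no -copy_extensions: v3_req is taken from the CA-side openssl.cnf rather than from the CSR; -CAcreateserial creates a .srl serial file next to the CA certificate`. Reading the extensions from the server-held config instead of the request is the safer direction anyway, because the signer and not the CSR then decides what the certificate asserts. Note that `run` still hands the concatenated command to `shell`, so every path spliced into this line (`opensslCnfFile`, `serverCsrFile`, `caCrtFile`, `caKeyFile`, `serverCrtFile`) has to be free of spaces and shell metacharacters; `readCreateProcess (proc "openssl" args) ""` with an argument list would remove that assumption. `initializeServer` and the `where` bindings `caCrtFile`, `caKeyFile` and `serverCrtFile` continue outside the hunk.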
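Review bot: `warnCAPrivateKeyFile` loses its `IO ()` signature in the move from top level into `initializeServer`'s `where` clause; add `warnCAPrivateKeyFile :: IO ()` on the line before it so the binding's type stays explicit (`-Wall` does not cover local bindings, only `-Wmissing-local-signatures` does). The deletion half of the same move is the `@@ -264,16 +274,5 @@` hunk, which needs nothing further. The call site of `warnCAPrivateKeyFile` and the rest of the `where` clause are outside the hunk.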
@@ -264,16 +274,5 @@ printServiceInfo fpStr = do
 version :: String
 version = "SMP server v" <> simplexMQVersion
-warnCAPrivateKeyFile :: IO ()
-warnCAPrivateKeyFile =
- putStrLn $
- "----------\n\
- \You should store CA private key securely and delete it from the server.\n\
- \If server TLS credential is compromised this key can be used to sign a new one, \
- \keeping the same server identity and established connections.\n\
- \CA private key location:\n"
- <> caKeyFile
- <> "\n----------"
-
 loadSavedFingerprint :: IO String
 loadSavedFingerprint = withFile fingerprintFile ReadMode hGetLine
diff --git a/tests/fixtures/README.md b/tests/fixtures/README.md
index 8946cab31..9e12802a6 100644
--- a/tests/fixtures/README.md
+++ b/tests/fixtures/README.md
@@ -9,7 +9,7 @@ openssl req -new -x509 -days 999999 -config openssl.cnf -extensions v3_ca -key c
 # server certificate (online)
 openssl genpkey -algorithm ED448 -out server.key
 openssl req -new -config openssl.cnf -reqexts v3_req -key server.key -out server.csr
-openssl x509 -req -days 999999 -copy_extensions copy -in server.csr -CA ca.crt -CAkey ca.key -out server.crt
+openssl x509 -req -days 999999 -extfile openssl.cnf -extensions v3_req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
 # to pretty-print
 openssl x509 -in ca.crt -text -noout
 openssl req -in server.csr -text -noout
@@ -18,8 +18,9 @@ openssl x509 -in server.crt -text -noout
 To compute fingerprint for tests:
-```sh
-stack ghci --ghci-options src/Simplex/Messaging/Transport.hs
-> fingerprint <- loadFingerprint "tests/fixtures/ca.crt"
-> encodeFingerprint fingerprint
+```haskell
+stack ghci
+> import Data.X509.Validation (Fingerprint (..))
+> Fingerprint fp <- loadFingerprint "tests/fixtures/ca.crt"
+> strEncode fp
 ```
diff --git a/tests/fixtures/server.crt b/tests/fixtures/server.crt
index 2adee7641..2c01c2183 100644
--- a/tests/fixtures/server.crt
+++ b/tests/fixtures/server.crt
@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBpjCCASagAwIBAgIUaZBiYKJjueUsvwoaeK9mh+F2mn0wBQYDK2VxMBQxEjAQ
-BgNVBAMMCWxvY2FsaG9zdDAgFw0yMTEyMjMxNzEzMzNaGA80NzU5MTExOTE3MTMz
-M1owFDESMBAGA1UEAwwJbG9jYWxob3N0MEMwBQYDK2VxAzoA/q7ngl2MOKDeHVgC
+MIIBpjCCASagAwIBAgIUZVFfBPmSQ+hPioDvatGcRuwcKhgwBQYDK2VxMBQxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDAgFw0yMjAxMDMxNjI1MDhaGA80NzU5MTEzMDE2MjUw
+OFowFDESMBAGA1UEAwwJbG9jYWxob3N0MEMwBQYDK2VxAzoA/q7ngl2MOKDeHVgC
 4aNgO4+pOQ7cfHJhgVTKz0W6CCK9Ce39B0N+cRy6/dPzGCSSOYNKyGE0rnWAo28w
 bTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDyDATBgNVHSUEDDAKBggrBgEFBQcDATAd
 BgNVHQ4EFgQUQP8dENbwDxWZNX2QwauT1Ple6aswHwYDVR0jBBgwFoAUxJBTkCx0
-2jIpcUKU4fJYcnce59QwBQYDK2VxA3MATscvAiT11CqXODKwx/0uLan3mKRLfJrP
-gqshoOmIG4HUXoSPZwjgARaCKTwFwMlLmMJt6wd7c8iAnKdfghvDvE+fgSKDe1d4
-tVKQt+RWUzMb5w4WyqivxmKQyIBHNHzkj3Qh54P6JLpfMz29j84/pxIA
+2jIpcUKU4fJYcnce59QwBQYDK2VxA3MAyQKimFiGGPR+vHHo2PVh5hHG9QSJn+34
+b36oGP4ekP/JFA0P3ZS7Kt7mLx2Lm8WmB31Ah1xJu1SA79LpArfum4QLn9GvOIyt
+K4Ox/bUdYRvnWqFF8msQAWetO2tt0ZUar7zI7ac3uHBdKAzLFDw1fjgA
 -----END CERTIFICATE-----