From 04243a85c7610db68fc53e858960c1a32fbde36a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Thu, 17 Mar 2022 13:59:46 +0100 Subject: [PATCH] test: improve https_renew_cert.sh script - To avoid unnecessarily large diffs, only generate a new private key if necessary. Otherwise, reuse the existing private key and only issue a new certificate. - Remove an unnecessary conversion step using openssl rsa and the intermediate rsa.pem and csr.pem files. - Extend the certificate validity from 1 year to 10 years. - Show a text representation of the issued certificate upon completion such that the user can verify the validity. - Make the script executable. - Use "#!/usr/bin/env bash" instead of "#!/bin/bash". - Allow the script to be called from any directory. Refs: https://github.com/nodejs/node/pull/42342 Refs: https://github.com/nodejs/node/pull/37990 PR-URL: https://github.com/nodejs/node/pull/42343 Reviewed-By: Richard Lau Reviewed-By: Luigi Pinca Reviewed-By: Antoine du Hamel Reviewed-By: Mestery --- .../keys/selfsigned-no-keycertsign/cert.pem | 20 +++++++++---------- .../https_renew_cert.sh | 17 +++++++++++----- 2 files changed, 22 insertions(+), 15 deletions(-) mode change 100644 => 100755 test/fixtures/keys/selfsigned-no-keycertsign/https_renew_cert.sh diff --git a/test/fixtures/keys/selfsigned-no-keycertsign/cert.pem b/test/fixtures/keys/selfsigned-no-keycertsign/cert.pem index 488d57f38f4610..c2b824ef45e907 100644 --- a/test/fixtures/keys/selfsigned-no-keycertsign/cert.pem +++ b/test/fixtures/keys/selfsigned-no-keycertsign/cert.pem 
@@ -1,7 +1,7 @@ -----BEGIN CERTIFICATE----- -MIIDATCCAemgAwIBAgIUetgkeY+KShrAfmm5LR+QFsKJWlUwDQYJKoZIhvcNAQEL -BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIyMDMxNTEwMjIxMFoXDTIzMDMx -NTEwMjIxMFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF +MIIDATCCAemgAwIBAgIUb32MablwTzVJh3UQXwdun9pBoF0wDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIyMDMxNTE2MzQwOFoXDTMyMDMx +MjE2MzQwOFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEA11wz7hAhdN072sp2aTySdsla65aZT10L1o74JNBZmMye DSq7Lbbvqq8XuLlwogS0ACAQVEjL7GPVMgJwzRytdaSWdzr26dftPCL3m1h8azU/ Bs1nafHWhi3rx8RQnLfyusq0fThR9Xd3xfjDuaqhoa7Nc36XbG98XWkgxpm2R7wR @@ -9,11 +9,11 @@ pLyNT9K2Ixvry9orZicTxv0Zyq+tD3CzSEch5OCApVZNaqEcIDgiN1zE/zqIe83v 9+NYpLo61yPiqqedCqZaKp037uwJCp/RL9g6bh7IFDGZcNFv3k0xjZB4BVm4BZMp SlbI49hncVIJZNB7qWt5ilCzEbwOhgLt6Y3Yh8rgMwIDAQABo0swSTALBgNVHQ8E BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwJQYDVR0RBB4wHIIJMTI3LjAuMC4x -gglsb2NhbGhvc3SHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAACPB26XVV99W575 -p2iE1qHYAK6KCDrLyJTi0epITgzP5mAXv9aoq14qldvz4ryZp7X5R4rVvezPmfwk -NWTgCzFkVbGDozdrcmaXx1sAx1guxJMTpU+DkIw1cahD9UdqI6Dr5rVlGcZvdh9S -w0Q4fU6zSfp5e8wfGUxXaWqNpBzX0Z9VeHo3Rjgt6+V+9xSwEirE+5tzwy5MaMTs -N5nJbJH6YOBVUDsOszPX+2TcWvebMGkViN2qkSu8Kwxge5Ijbwb3tWMFByaaiWUp -XaRH77CoVU39LKj0u/M/GiHJ5FhR//7UqqtOqk2+keGNv61s/iBGKMdjbm7b2pJT -EYIl4lo= +gglsb2NhbGhvc3SHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAEEXVnMzax6vmGPY +TNNK6HJuN8xUUbEKVHKPDTwKbn2ZPQRGNOs4CJ5vVc1h2tU1mfgg20FZzPqZ+y9N +hIFIaESTpX881NXM87aE21Gqo4rS66lubcoEUHWeY1+/LcdD6Gh/Ur0V4CBORZjA +W/H1nASZQKQLMHIkriopbclMQPOsUYM11JxLsTH6hOPCJRM5cl1K1KsHWY2yJ656 +Gw9IX0NBTak0flEAL/JQkFlm2PRFJhWShPBHsC8/AWBcvgJH/0noNnDS5vAtCWa6 +rJO6SoHFJwWK3xCVU2YsC6No2DrAukyqEdN8arifJ/2hEjx1XAfockNsWzrT1mB5 +EpLq2L0= -----END CERTIFICATE----- diff --git a/test/fixtures/keys/selfsigned-no-keycertsign/https_renew_cert.sh b/test/fixtures/keys/selfsigned-no-keycertsign/https_renew_cert.sh old mode 100644 new mode 100755 index 092f27a8867cbb..c40046d83b4727 
--- a/test/fixtures/keys/selfsigned-no-keycertsign/https_renew_cert.sh +++ b/test/fixtures/keys/selfsigned-no-keycertsign/https_renew_cert.sh @@ -1,6 +1,13 @@ -#!/bin/bash -openssl genrsa -out rsa.pem 2048 -openssl rsa -in rsa.pem -out key.pem -openssl req -sha256 -new -key key.pem -out csr.pem -subj "/CN=localhost" -openssl x509 -req -extfile cert.conf -extensions v3_req -days 365 -in csr.pem -signkey key.pem -out cert.pem +#!/usr/bin/env bash +set -euo pipefail +shopt -s inherit_errexit +cd -- "$(dirname -- "${BASH_SOURCE[0]}")" + +if [ ! -f key.pem ]; then + openssl genrsa -out key.pem 2048 +fi + +openssl req -sha256 -new -key key.pem -subj "/CN=localhost" | \ + openssl x509 -req -extfile cert.conf -extensions v3_req -days 3650 -signkey key.pem -out cert.pem +openssl x509 -in cert.pem -noout -text
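Review bot: In the https_renew_cert.sh hunk, `shopt -s inherit_errexit` only exists in bash 4.4 and later, and it runs after `set -euo pipefail`, so on an older bash the script aborts at that line with an "invalid shell option name" error before any certificate is issued. This matters more now that the shebang is `#!/usr/bin/env bash`, which picks up whatever bash is first in PATH (the stock /bin/bash on macOS is 3.2). Either document the minimum bash version in a comment at the top of the script, or make the option best-effort with `shopt -s inherit_errexit 2>/dev/null || true`. The only command substitution in the script is the `$(dirname -- "${BASH_SOURCE[0]}")` argument to `cd`, so the option has little to protect here and dropping it is also reasonable.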
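Review bot: In the first cert.pem hunk the new validity period is only visible as base64, and with `-days 3650` in the script this fixture will expire roughly ten years after it was issued without anything in the tree saying when. Consider recording the expected expiry in a comment in https_renew_cert.sh or in the commit message, for example by pasting the notBefore/notAfter lines from the `openssl x509 -in cert.pem -noout -text` output the script now prints, so that whoever hits the expired fixture can find the renewal script quickly. The unchanged context lines between the two cert.pem hunks are consistent with the key reuse the commit message describes, which is worth stating explicitly since key.pem itself does not appear in the diff.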