authorChristian Heimes <christian@python.org>2018-09-20 12:33:53 +0200
committerMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>2018-09-20 03:33:53 -0700
commit49d65958e13db03b9a4240d8bdaff1a4be69a1d7 (patch)
treea83e9d3c1a629b5fd54e63f41b437ed6de318942 /Lib/test/make_ssl_certs.py
parentb63a16febbd1c943c9dbc5c651326b410aa50698 (diff)
[2.7] bpo-34542: Update test certs and keys (GH-8997) (GH-9397)
Update all test certs and keys to use future proof crypto settings: * 3072 bit RSA keys * SHA-256 signature Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit e6dac0077996b1e1f886f036d6f2606237fa4c85) https://bugs.python.org/issue34542
Diffstat (limited to 'Lib/test/make_ssl_certs.py')
-rw-r--r--Lib/test/make_ssl_certs.py8
1 files changed, 5 insertions, 3 deletions
diff --git a/Lib/test/make_ssl_certs.py b/Lib/test/make_ssl_certs.py
index a1f298de34..ca2c12cada 100644
--- a/Lib/test/make_ssl_certs.py
+++ b/Lib/test/make_ssl_certs.py
@@ -50,7 +50,7 @@ req_template = """
dir = cadir
database = $dir/index.txt
crlnumber = $dir/crl.txt
- default_md = sha1
+ default_md = sha256
default_days = 3600
default_crl_days = 3600
certificate = pycacert.pem
@@ -88,7 +88,9 @@ req_template = """
here = os.path.abspath(os.path.dirname(__file__))
-def make_cert_key(hostname, sign=False, extra_san=''):
+
+def make_cert_key(hostname, sign=False, extra_san='',
+ ext='req_x509_extensions_full', key='rsa:3072'):
print("creating cert for " + hostname)
tempnames = []
for i in range(3):
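Review bot: The new `ext` and `key` parameters on `make_cert_key` do not appear to be used, because the diffstat for this file (5 insertions, 3 deletions) is fully accounted for by the three hunks shown and no line of the function body was changed to read them. If the `openssl req` call further down the body still carries a literal `-newkey` value, the leaf keys generated here will not get the 3072-bit size that the commit message promises and that `make_ca` receives. I would pass `key` as the `-newkey` argument and `ext` as the `-extensions` argument in that argument list, and confirm that `req_template` actually defines a `req_x509_extensions_full` section. The body of `make_cert_key` continues outside the hunk, so this is inferred from the diffstat rather than seen directly.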
@@ -146,7 +148,7 @@ def make_ca():
t.flush()
with tempfile.NamedTemporaryFile() as f:
args = ['req', '-new', '-days', '3650', '-extensions', 'v3_ca', '-nodes',
- '-newkey', 'rsa:2048', '-keyout', 'pycakey.pem',
+ '-newkey', 'rsa:3072', '-keyout', 'pycakey.pem',
'-out', f.name,
'-subj', '/C=XY/L=Castle Anthrax/O=Python Software Foundation CA/CN=our-ca-server']
check_call(['openssl'] + args)
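Review bot: The `'rsa:3072'` literal in the `make_ca` argument list now duplicates the default of the `key` parameter added to `make_cert_key` in the previous hunk, so the CA and leaf key sizes can drift apart at the next bump. A module-level constant used in both places would keep them in step, for example `DEFAULT_KEY = 'rsa:3072'` (name constructed here) referenced as `'-newkey', DEFAULT_KEY,`. A one-line comment next to `-nodes` stating that the CA key is written unencrypted because it is a public test fixture would also help anyone who adapts this script. `make_ca` starts before the hunk and may continue past it.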