From 6da8ecf7cb4c5bce6c00ee7d85443ac082d6aaeb Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Tue, 22 Aug 2023 09:25:34 +0200
Subject: [PATCH 1/2] Generate encrypted SSL test keys in PKCS#8 format
---
 src/test/modules/ssl_passphrase_callback/Makefile | 2 +-
 src/test/modules/ssl_passphrase_callback/meson.build | 2 +-
 src/test/ssl/sslfiles.mk | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/test/modules/ssl_passphrase_callback/Makefile b/src/test/modules/ssl_passphrase_callback/Makefile
index 922f0ee078..40ed38dc70 100644
--- a/src/test/modules/ssl_passphrase_callback/Makefile
+++ b/src/test/modules/ssl_passphrase_callback/Makefile
@@ -33,7 +33,7 @@ PASS = FooBaR1
 ssl-files:
 $(OPENSSL) req -new -x509 -days 10000 -nodes -out server.crt \
 -keyout server.ckey -subj "/CN=localhost"
- $(OPENSSL) rsa -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
+ $(OPENSSL) pkey -aes256 -in server.ckey -out server.key -passout pass:$(PASS)
 rm server.ckey
 ssl-files-clean:
diff --git a/src/test/modules/ssl_passphrase_callback/meson.build b/src/test/modules/ssl_passphrase_callback/meson.build
index c2a022b4f1..3e35f8cae0 100644
--- a/src/test/modules/ssl_passphrase_callback/meson.build
+++ b/src/test/modules/ssl_passphrase_callback/meson.build
@@ -40,7 +40,7 @@ if openssl.found()
 custom_target('server.key',
 input: [cert[1]],
 output: ['server.key'],
- command: [openssl, 'rsa', '-aes256', '-in', '@INPUT0@', '-out', '@OUTPUT0@', '-passout', 'pass:@0@'.format(pass)]
+ command: [openssl, 'pkey', '-aes256', '-in', '@INPUT0@', '-out', '@OUTPUT0@', '-passout', 'pass:@0@'.format(pass)]
 )
 endif
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index f7ababe42c..569f1731cd 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
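Review bot: The new `$(OPENSSL) pkey -aes256 ...` line in the ssl-files recipe has no comment saying that the choice of subcommand is what selects the key format, and the same holds for the `'pkey'` argument in the meson.build hunk and for both recipes changed in src/test/ssl/sslfiles.mk. Going by the subject line the goal is PKCS#8 output; `openssl rsa` writes the traditional encrypted PEM form, whose key derivation is MD5-based, which is presumably what the patch moves away from, so a later tidy-up back to `rsa` would quietly undo it. I would add above the rule `# pkey, not rsa: writes the encrypted key as PKCS#8 instead of traditional PEM`.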
@@ -109,7 +109,7 @@ ssl/server-rsapss.crt: ssl/server-rsapss.key conf/server-rsapss.config
 # Password-protected version of server-cn-only.key
 ssl/server-password.key: ssl/server-cn-only.key
- $(OPENSSL) rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
+ $(OPENSSL) pkey -aes256 -in $< -out $@ -passout 'pass:secret1'
 # Key that uses the RSA-PSS algorithm
 ssl/server-rsapss.key:
@@ -122,7 +122,7 @@ ssl/client-der.key: ssl/client.key
 # Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
 # formats to test libpq's support for the sslpassword= option.
 ssl/client-encrypted-pem.key: ssl/client.key
- $(OPENSSL) rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
+ $(OPENSSL) pkey -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
 # TODO Explicitly choosing -aes128 generates a key unusable to PostgreSQL with
 # OpenSSL 3.0.0, so fall back on the default for now.
 ssl/client-encrypted-der.key: ssl/client.key
-- 
2.41.0
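Review bot: Changing the recipe of `ssl/server-password.key` does not make an already generated key out of date, because make compares the target only against `ssl/server-cn-only.key`; the same applies to `ssl/client-encrypted-pem.key` in the next hunk. The diffstat lists no key files, so if the generated keys are kept in the tree they remain in the old format until someone deletes and regenerates them, possibly in patch 2/2, which is not shown here. A sentence in the commit message would make that explicit, for example `Existing ssl/server-password.key and ssl/client-encrypted-pem.key must be removed and regenerated to pick up the new format.`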
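Review bot: The recipe of `ssl/client-encrypted-der.key`, whose rule header is the last context line of the second hunk, lies outside the hunk, and the diffstat accounts for no further change in sslfiles.mk, so it was left as it was. If it still calls `$(OPENSSL) rsa`, the PEM and DER variants of the encrypted client key are now produced by different subcommands, and the TODO about `-aes128` above it no longer says which command the observation was made with. I would either convert that recipe as well or extend the TODO, for instance `# (still generated with "rsa"; re-check -aes128 once this uses "pkey")`.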