From 2357ac46131ea86ce9c3c89ae67cd4557e527f35 Mon Sep 17 00:00:00 2001 From: Thijs Schreijer Date: Mon, 16 Jul 2018 21:50:35 +0200 Subject: [PATCH] update test certs --- .gitignore | 2 ++ src/copas.lua | 22 ++++++++--------- tests/certs/clientA.pem | 49 ++++++++++++++++++------------------- tests/certs/clientAcert.pem | 22 ++++++++--------- tests/certs/clientAkey.pem | 28 ++++++++++----------- tests/certs/clientAreq.pem | 14 +++++------ tests/certs/rootA.pem | 26 ++++++++++---------- tests/certs/rootAkey.pem | 28 ++++++++++----------- tests/certs/rootAreq.pem | 14 +++++------ tests/certs/serverA.pem | 49 ++++++++++++++++++------------------- tests/certs/serverAcert.pem | 22 ++++++++--------- tests/certs/serverAkey.pem | 28 ++++++++++----------- tests/certs/serverAreq.pem | 14 +++++------ 13 files changed, 159 insertions(+), 159 deletions(-) diff --git a/.gitignore b/.gitignore index e69de29..5ca0973 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +.DS_Store + diff --git a/src/copas.lua b/src/copas.lua index e2d36fc..4452760 100644 --- a/src/copas.lua +++ b/src/copas.lua @@ -42,20 +42,20 @@ local function statusHandler(status, ...) end function socket.protect(func) -return function (...) + return function (...) return statusHandler(pcall(func, ...)) - end + end end function socket.newtry(finalizer) -return function (...) - local status = (...) - if not status then + return function (...) + local status = (...) + if not status then pcall(finalizer, select(2, ...)) - error({ (select(2, ...)) }, 0) + error({ (select(2, ...)) }, 0) + end + return ... end - return ... - end end local copas = {} @@ -764,19 +764,19 @@ end function copas.step(timeout) _sleeping_t:tick(gettime()) - -- Need to wake up the select call it time for the next sleeping event + -- Need to wake up the select call in time for the next sleeping event local nextwait = _sleeping:getnext() if nextwait then timeout = timeout and math.min(nextwait, timeout) or nextwait else if copas.finished() then return false - end + end end local err = _select (timeout) if err then - if err == "timeout" then return false end + if err == "timeout" then return false end return nil, err end diff --git a/tests/certs/clientA.pem b/tests/certs/clientA.pem index 2f09848..bdc18ed 100644 --- a/tests/certs/clientA.pem +++ b/tests/certs/clientA.pem @@ -1,44 +1,43 @@ -----BEGIN CERTIFICATE----- -MIIDNTCCAp6gAwIBAgIJAOIlTl6l0XV8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD +MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDlaFw0xODA2MjIxOTIxMDlaMIGdMQswCQYD +BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD -bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmPCHWAHNKzTWUZk/ -vMpErq3ZwKsbFHaUVj0pzLccTu16S+Y1veN8YxnqQRiimtQzzAVTAqGEOgsibi7f -6uvi4pgs0QSlemGBWdopqOSKYcHl6ZHIl1pDcjyEiGCFmXWAMl6WEIMoIizE5zJC -u9ADTI00QF+SNs+bQMwRy6fi3ysCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB +bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE +BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94 +e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi +aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE -FDd+6wOlZBAyQV4dckc+8+sGc61LMB8GA1UdIwQYMBaAFFG/cjK0+S9u05oKZT1O -gsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBACAx4J2JCBEK8HDde1J/+pxEUktBczFF -ywymGOkpK5YSsqqCalILdXUxPT5XL/gXzAhzhzoFxlErQ7mwg5O9Gj7XCaJOVLxF -yt+RWxv33JsVwV7HJVHKmSZeyhzhhcNfry6QhqU8HY44B3uAt8O91XZ5J5ZytVn0 -J84qpYxH1TKE +FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb +5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq +p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM +Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m +/1l1/fTpSY1i -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDwjCCAyugAwIBAgIJAMB4Jht1jkbcMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD +MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDVaFw0xODA2MjIxOTIxMDVaMIGdMQswCQYD +BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvKqlaBwEf51hkCB3 -WgQ6P/5YpwOXxtQzGo3hE0kWaBgBMEVcAI/AmGU7wc0jOW+VHpq03J/LC810792n -DkxzEPg6VGQgrrd5DgxEEr3J8NPmavX0GUt5LRTCFs8cDwL/J13sSeGufGbXoaPD -MN9C5ZfcviMyK6lOnLGubkevmPkCAwEAAaOCAQYwggECMB0GA1UdDgQWBBRRv3Iy -tPkvbtOaCmU9ToLHORGsUDCB0gYDVR0jBIHKMIHHgBRRv3IytPkvbtOaCmU9ToLH -ORGsUKGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh +BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX +txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu +zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr +8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ +3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae +mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl -ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDAeCYbdY5G3DAMBgNVHRMEBTAD -AQH/MA0GCSqGSIb3DQEBBQUAA4GBADx3k5hsOZkZZP/U3YVh3ieY9AXwhtB8r/vQ -ZZI9MSc3OD/PbgkrXt6u5ZVdsatul/5BN/uqapD7sBktXoWz9B3nCJ0AovwS4rwn -qZ9MB44engpEbZLvkXiUyqk3os2UaeKd3WhV6pUW2H+3V4xcmHbB90zNjnC+AU5b -g34jvD4v +ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD +AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A +RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z +0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA +234dl4Tu -----END CERTIFICATE----- - \ No newline at end of file diff --git a/tests/certs/clientAcert.pem b/tests/certs/clientAcert.pem index 2092dff..10afc38 100644 --- a/tests/certs/clientAcert.pem +++ b/tests/certs/clientAcert.pem @@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDNTCCAp6gAwIBAgIJAOIlTl6l0XV8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD +MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDlaFw0xODA2MjIxOTIxMDlaMIGdMQswCQYD +BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD -bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmPCHWAHNKzTWUZk/ -vMpErq3ZwKsbFHaUVj0pzLccTu16S+Y1veN8YxnqQRiimtQzzAVTAqGEOgsibi7f -6uvi4pgs0QSlemGBWdopqOSKYcHl6ZHIl1pDcjyEiGCFmXWAMl6WEIMoIizE5zJC -u9ADTI00QF+SNs+bQMwRy6fi3ysCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB +bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE +BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94 +e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi +aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE -FDd+6wOlZBAyQV4dckc+8+sGc61LMB8GA1UdIwQYMBaAFFG/cjK0+S9u05oKZT1O -gsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBACAx4J2JCBEK8HDde1J/+pxEUktBczFF -ywymGOkpK5YSsqqCalILdXUxPT5XL/gXzAhzhzoFxlErQ7mwg5O9Gj7XCaJOVLxF -yt+RWxv33JsVwV7HJVHKmSZeyhzhhcNfry6QhqU8HY44B3uAt8O91XZ5J5ZytVn0 -J84qpYxH1TKE +FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb +5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq +p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM +Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m +/1l1/fTpSY1i -----END CERTIFICATE----- diff --git a/tests/certs/clientAkey.pem b/tests/certs/clientAkey.pem index 6768f54..651c8c4 100644 --- a/tests/certs/clientAkey.pem +++ b/tests/certs/clientAkey.pem @@ -1,16 +1,16 @@ -----BEGIN PRIVATE KEY----- -MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAJjwh1gBzSs01lGZ -P7zKRK6t2cCrGxR2lFY9Kcy3HE7tekvmNb3jfGMZ6kEYoprUM8wFUwKhhDoLIm4u -3+rr4uKYLNEEpXphgVnaKajkimHB5emRyJdaQ3I8hIhghZl1gDJelhCDKCIsxOcy -QrvQA0yNNEBfkjbPm0DMEcun4t8rAgMBAAECgYEAiiH0nBBEdpmqWNjJMIKftgVf -fx0LwFe5coqbjkJ0VvU2WAb80xz746YsZc8STjUK82J7rwyimKol1s6Pf2a96/Vm -ibPFNNHXSpLPsMn5AvvnqaQEIB2PXk+loC3MrPXLYQk3VhlqjxAUD6jPoTKp6b1k -IM0o5dZOBf8mRGLASgECQQDLO99CwYq17astx6YDMtgEiTABUv/aBo8kD5SqFnZI -MyUZiEQcRjxbYqDKLvLYCC6+FgVhHti1VgS6kBQK1k7hAkEAwKXMcwsZm9EB+rSw -HJFvj7bd19AND9yUoO8WkuoOgrDFoR72b85htNxOywjGFkbEGJ28kAl7GapiYcsN -ak5riwJANQcuPfDaDJYy8AMD4hnGG4jgKbhKYc0MVFBsbeTmf/g4We0gOHBrFz0o -zxho7M1VxOtiA/FUghwrp7IoSJuagQJBAK/rN2Wer0XweIQ918xeqqdr7+0RWbww -S7EiY1TJU3LYhb/6DERRDDwiKfmSC4FwIcXw1K4bWkQ3qRtwVtHKxr0CQAX9r5hH -cbIpt6gYBV3ggGYo865oqJ3jipYqE12RrEsccjyKaDwSH2f6xCsfi4CdhKh3aqJE -KHaXPqk3+8RQXCM= +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKoJsPS339sm9kPg +xAS+Vj+L24XHgGiqAINMHe8diyFu418sRCbFiCDymBdBXOtjedV87tvwhVxT/TRf +eHuSrrjtoat+OxRMT43AHRRv6MMkbPLVEHuwnGi+ena6UVSFnfDTHQhl8q6/SQEo +YmqmFMtti7lQxTBxQ9b36ypJq2D3AgMBAAECgYB+U+jmR13HAfFgiLLZG1gUqiGU +CJ48JGFxKrHqnrZpRmsioE6Zx5PVdqbMUEFqmGNB2ynSuaU67SNnL67hkB7CCxfT ++IjOs9TwP8QeY8MGJo3B+aLgdgCISiFcmcvahWUHvRUR8rq7WTr5ThTQyo/IPUbu +54ED3PB8HjiEDh0RIQJBAN5BhTIb8ReXaVpSltpaEKwzG8RrWEZ9bB1v4fwd4KHN +oU27cX9WljSv+g+Ojl+f4qIoOOBicKkW6WudxDn+UbkCQQDD2pjZ82BBbzd6xHmR +YsY7AVEEO3euYeqff1SyjCOIyznGPJHH4+/5B6iWrTC6gLbMVuSF9sd9c1LcetBO +fWAvAkEAvzt25H+gOKFBt8KaI7Qc5l1vRdjq8nPWQ5nRwsDeV7n7UUu3w034HctQ +iHQrUmHaeZXMIlzw/LxHCR6NCS0mmQJAVXCRadNAVIteGpKHriL281q5qyz+IvbY +UchMfK+h+NUfWRmnRxpq36q1ozXeoh3woOfvPXnQwSuEJGb3ZKZRRQJBAMYqGioX +EZQNfBJ1kSnW1PoZaR/TCVOi2DJ13FQslQP1BUmVLCvm0Z21YbcKhlFDzBny4nCD +0ksTfouj7w/VR94= -----END PRIVATE KEY----- diff --git a/tests/certs/clientAreq.pem b/tests/certs/clientAreq.pem index bc5e56b..bdd77b3 100644 --- a/tests/certs/clientAreq.pem +++ b/tests/certs/clientAreq.pem @@ -3,11 +3,11 @@ MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy IFNjaWVuY2UxETAPBgNVBAMTCENsaWVudCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN -ADCBiQKBgQCY8IdYAc0rNNZRmT+8ykSurdnAqxsUdpRWPSnMtxxO7XpL5jW943xj -GepBGKKa1DPMBVMCoYQ6CyJuLt/q6+LimCzRBKV6YYFZ2imo5IphweXpkciXWkNy -PISIYIWZdYAyXpYQgygiLMTnMkK70ANMjTRAX5I2z5tAzBHLp+LfKwIDAQABoAAw -DQYJKoZIhvcNAQEFBQADgYEATV1z5nOIQ6HRkUJUG3Bli5mpUJibjn37DgVFBQsR -jI1VsoMywesGR3nUDUqY+TOTiPUG6tUImEb/69EPPN9O7KpiNEzvyWpmyCEBkoxT -hNiGzg9LFNCTA8AqU0bsYGwDQgNa1uRxlXnKx2v20uu7Euj3OOEk+5PR8dLKa/sp -DIc= +ADCBiQKBgQCqCbD0t9/bJvZD4MQEvlY/i9uFx4BoqgCDTB3vHYshbuNfLEQmxYgg +8pgXQVzrY3nVfO7b8IVcU/00X3h7kq647aGrfjsUTE+NwB0Ub+jDJGzy1RB7sJxo +vnp2ulFUhZ3w0x0IZfKuv0kBKGJqphTLbYu5UMUwcUPW9+sqSatg9wIDAQABoAAw +DQYJKoZIhvcNAQEFBQADgYEAJXW12Ov1xFANtbru6GGVKzv42CQ53nruaVEltSmx +0TN1BljnkuVY5vCckv7LXC8ogGF2NCAOFzVBTuUWYeX8lBjV0wuN3qCZbChoDKid +Gvwszyj8xZr0Aof4eDPm6iKoxLQm23fvPvL00jIYqsqUe23gYoxWXFmAclmp4+vr +U4w= -----END CERTIFICATE REQUEST----- diff --git a/tests/certs/rootA.pem b/tests/certs/rootA.pem index cbd837b..dac07a0 100644 --- a/tests/certs/rootA.pem +++ b/tests/certs/rootA.pem @@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDwjCCAyugAwIBAgIJAMB4Jht1jkbcMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD +MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDVaFw0xODA2MjIxOTIxMDVaMIGdMQswCQYD +BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvKqlaBwEf51hkCB3 -WgQ6P/5YpwOXxtQzGo3hE0kWaBgBMEVcAI/AmGU7wc0jOW+VHpq03J/LC810792n -DkxzEPg6VGQgrrd5DgxEEr3J8NPmavX0GUt5LRTCFs8cDwL/J13sSeGufGbXoaPD -MN9C5ZfcviMyK6lOnLGubkevmPkCAwEAAaOCAQYwggECMB0GA1UdDgQWBBRRv3Iy -tPkvbtOaCmU9ToLHORGsUDCB0gYDVR0jBIHKMIHHgBRRv3IytPkvbtOaCmU9ToLH -ORGsUKGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh +BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX +txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu +zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr +8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ +3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae +mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl -ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDAeCYbdY5G3DAMBgNVHRMEBTAD -AQH/MA0GCSqGSIb3DQEBBQUAA4GBADx3k5hsOZkZZP/U3YVh3ieY9AXwhtB8r/vQ -ZZI9MSc3OD/PbgkrXt6u5ZVdsatul/5BN/uqapD7sBktXoWz9B3nCJ0AovwS4rwn -qZ9MB44engpEbZLvkXiUyqk3os2UaeKd3WhV6pUW2H+3V4xcmHbB90zNjnC+AU5b -g34jvD4v +ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD +AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A +RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z +0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA +234dl4Tu -----END CERTIFICATE----- diff --git a/tests/certs/rootAkey.pem b/tests/certs/rootAkey.pem index 6c809b1..987a73e 100644 --- a/tests/certs/rootAkey.pem +++ b/tests/certs/rootAkey.pem @@ -1,16 +1,16 @@ -----BEGIN PRIVATE KEY----- -MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALyqpWgcBH+dYZAg -d1oEOj/+WKcDl8bUMxqN4RNJFmgYATBFXACPwJhlO8HNIzlvlR6atNyfywvNdO/d -pw5McxD4OlRkIK63eQ4MRBK9yfDT5mr19BlLeS0UwhbPHA8C/ydd7Enhrnxm16Gj -wzDfQuWX3L4jMiupTpyxrm5Hr5j5AgMBAAECgYEAqfmD8/vqAZ8k2tilLrBIWoco -D7Ao+bUMJYxVjy51xWp7B6Y1cTwR5DqwT7YlWgWxb1UqROqh4AxGoiQr8bHmp4Jm -mmRFr8upCcglDsHSR4XsYkPJWjhtCkU9gGEDdurxz90INoqOWY/kgPiuBFzMX0rO -+lUBJc+3ge18ybBlelECQQDqgw4/5b6ilqD/w5OH2EQ4ENskUZ5L/ZpXpmJkOAZ+ -rcMDC5X1pDhaaH15pdeCQc+pVaL63Jwt/0UyArFlnU2PAkEAzfQyTla0I2oPLvM+ -Mll7zf2Wr5wAuN1/Vt9KxTsqL8AUh7n13Y4Jk1qNJ2VsC/3tyUhRyb9tYbBIMqf6 -W9/89wJAKZ95N/4fB9yUVtDvrnzEHu9e9eNGpVYtvsDZVdBb1sAgjLnRs/ehyOoi -2ySES6pCoVuBweTGE6PrNCUmN1LkIQJAW473GkqDVMceruGmQd30IxRce/9fds/J -f4ZPCDWQQKAkwF4UhoVRjneQDvaQvRgLMRN8gLMgXnBu+E4jB9sg6wJAbT87IpPn -36kgbB+ARdmyfYwxJswCPggwbotmLPp0JtD3AHn+B5UUMRP676LQZnvElNV7Lv2g -V9rKcnclNnBLzA== +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO7g0Slvtdvb6ulm +V7cUkuvc58dvtDY1qWpq8Pw0SjXY6qgZVvbwbpNhX1b9getJHULitfHY1AmWKcWq +rs6t3UxGG2LlSOaXeSszU+Xms+ZeOgShqI6uJ8PMMqHLnEFWkVxS8jWdvPOC4pJB +K/IRujA7upM/9nxKB4s0VMgQ9FOxAgMBAAECgYEAlboIoEZK4PHpPj5NwI1+waQH +C3Syqj/cXr2FKy/DTBkYjCDF56YwSOSBk872PfnoA2KC1IIp9ZBPwnwHcbh8ufo9 +vZP0rEpjSV5B7d81uoMOt4YaS1UOxv8GQCO3r+5dj/L/CVYsj13W1MaozYVmvTiW +md7Rz+N4JjHWYu60EqECQQD4SHAXsEJfi+cbadV5/+HTmiqoH3cUYnK34BNs4ulo +D+3QGIiaslyde97D+08EbVWWdyWcGwoSft0CJG4Gim09AkEA9k2L4GP6qa1Afn+I +YmkMRtyo/4taCc9QBWuNRfvd1UTarvrA4nLKyBjL9Y7walFv3q/DaLrCyg/Bg/ZQ +aV8PhQJBAJuRh+rP3kbP+ncK0WAoHO/hYWkGji6PoSHlnUZUx7sUgAYr2SxVJgLn +YqWaCeDUQRSOg1pU9vKv2vtEqEwg4GECQE1uRYoOhE/xWnQqLbsaYTSpzCtCKNUq +qnJ5xFj6/Fs+oS0fQaIvClbrjLsu65/Q6EVuphT3maMiXujYd6EYtG0CQHYvVroh +2jzj0VZaoWEIJgMXjV8+UVpP5cQMHltSZtzuQITKmAAEhcqXm26W940sRfMGRgrw +u0M3347nbXdYj8c= -----END PRIVATE KEY----- diff --git a/tests/certs/rootAreq.pem b/tests/certs/rootAreq.pem index 27639cb..8d66597 100644 --- a/tests/certs/rootAreq.pem +++ b/tests/certs/rootAreq.pem @@ -3,11 +3,11 @@ MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEaMBgGA1UEChMR U2FudG8gVG9uaWNvIEx0ZGExJzAlBgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0 ZXIgU2NpZW5jZTEPMA0GA1UEAxMGUm9vdCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN -ADCBiQKBgQC8qqVoHAR/nWGQIHdaBDo//linA5fG1DMajeETSRZoGAEwRVwAj8CY -ZTvBzSM5b5UemrTcn8sLzXTv3acOTHMQ+DpUZCCut3kODEQSvcnw0+Zq9fQZS3kt -FMIWzxwPAv8nXexJ4a58Zteho8Mw30Lll9y+IzIrqU6csa5uR6+Y+QIDAQABoAAw -DQYJKoZIhvcNAQEFBQADgYEAjAS9/dtDcC345uUVpdZHDeF2yrNna6Lb9U2Mgy3S -Cqd8OsBwdOuOLmeR0GG+F/qP2YiRrXHbM522Dqt4xah84axmgpAo+7xl/YLMNTq2 -I2lAgapnCfVOVA99bCloFFuJyXyt4w7A6YxMD9orjVdJdt4AYGb2mNeOB0AeKPRI -ZYQ= +ADCBiQKBgQDu4NEpb7Xb2+rpZle3FJLr3OfHb7Q2NalqavD8NEo12OqoGVb28G6T +YV9W/YHrSR1C4rXx2NQJlinFqq7Ord1MRhti5Ujml3krM1Pl5rPmXjoEoaiOrifD +zDKhy5xBVpFcUvI1nbzzguKSQSvyEbowO7qTP/Z8SgeLNFTIEPRTsQIDAQABoAAw +DQYJKoZIhvcNAQEFBQADgYEA2QCr5Q66xJoE+CTbvhhneLCvpjU+KBIKOAQ28s3f +RfFMXvO4UOXdB+NU06hQDkeYZbACeikw/5Cl+Q2O5Kx57LteW+AWvP9T2Bvh9WnJ +fgjm+GArxuVSb2r9KwAF8Cn6r8O09L0C75hmQTVU+rjBghZ1lsl0dVtdn+ueoVHj +MKo= -----END CERTIFICATE REQUEST----- diff --git a/tests/certs/serverA.pem b/tests/certs/serverA.pem index 6b50c67..02324d0 100644 --- a/tests/certs/serverA.pem +++ b/tests/certs/serverA.pem @@ -1,44 +1,43 @@ -----BEGIN CERTIFICATE----- -MIIDSjCCArOgAwIBAgIJAOIlTl6l0XV7MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD +MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDdaFw0xODA2MjIxOTIxMDdaMIGdMQswCQYD +BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT -ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsKyppd9LbWZZ8bAk -/WtRh5uWUqv14z6IKNloY+niDsfmipME3W4uK762jjSv3woCLBy9LU+i1UbxwnGe -asHb8ZykyvoFZqYllZOoC5m5jiBrI66iiBdkjOw0C4uXxsQ2Kz1NXfIigtTo+NOh -mLoGP45sAiWEEDWoP3kgp2A4d/sCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG +ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv +uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd +Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU +L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg -Q2VydGlmaWNhdGUwHQYDVR0OBBYEFKSuYfhndGCO5opzbDEdo0cac/1aMB8GA1Ud -IwQYMBaAFFG/cjK0+S9u05oKZT1Ogsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBAE/2 -FVob8QI09FDHIYH2VOqT5UfvxuoSxz6okMVbmrDIgiTHdrtBZ1pHQv4+nCXvk/Yl -GUaVsYytIbKnEW6GYkMHaX5AibLqFA9r6bXAPpbuwQjxWVX6dyGVGe1WBTTZWytq -aMIP0TcYboF1e8zKNEl7Od6CnmjFnBGSdkS7RXNP +Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud +IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0 +hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi +oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF +Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDwjCCAyugAwIBAgIJAMB4Jht1jkbcMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD +MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDVaFw0xODA2MjIxOTIxMDVaMIGdMQswCQYD +BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvKqlaBwEf51hkCB3 -WgQ6P/5YpwOXxtQzGo3hE0kWaBgBMEVcAI/AmGU7wc0jOW+VHpq03J/LC810792n -DkxzEPg6VGQgrrd5DgxEEr3J8NPmavX0GUt5LRTCFs8cDwL/J13sSeGufGbXoaPD -MN9C5ZfcviMyK6lOnLGubkevmPkCAwEAAaOCAQYwggECMB0GA1UdDgQWBBRRv3Iy -tPkvbtOaCmU9ToLHORGsUDCB0gYDVR0jBIHKMIHHgBRRv3IytPkvbtOaCmU9ToLH -ORGsUKGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh +BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX +txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu +zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr +8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ +3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae +mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl -ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDAeCYbdY5G3DAMBgNVHRMEBTAD -AQH/MA0GCSqGSIb3DQEBBQUAA4GBADx3k5hsOZkZZP/U3YVh3ieY9AXwhtB8r/vQ -ZZI9MSc3OD/PbgkrXt6u5ZVdsatul/5BN/uqapD7sBktXoWz9B3nCJ0AovwS4rwn -qZ9MB44engpEbZLvkXiUyqk3os2UaeKd3WhV6pUW2H+3V4xcmHbB90zNjnC+AU5b -g34jvD4v +ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD +AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A +RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z +0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA +234dl4Tu -----END CERTIFICATE----- - \ No newline at end of file diff --git a/tests/certs/serverAcert.pem b/tests/certs/serverAcert.pem index 76295a1..72d2c87 100644 --- a/tests/certs/serverAcert.pem +++ b/tests/certs/serverAcert.pem @@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDSjCCArOgAwIBAgIJAOIlTl6l0XV7MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD +MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDdaFw0xODA2MjIxOTIxMDdaMIGdMQswCQYD +BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT -ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsKyppd9LbWZZ8bAk -/WtRh5uWUqv14z6IKNloY+niDsfmipME3W4uK762jjSv3woCLBy9LU+i1UbxwnGe -asHb8ZykyvoFZqYllZOoC5m5jiBrI66iiBdkjOw0C4uXxsQ2Kz1NXfIigtTo+NOh -mLoGP45sAiWEEDWoP3kgp2A4d/sCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG +ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv +uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd +Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU +L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg -Q2VydGlmaWNhdGUwHQYDVR0OBBYEFKSuYfhndGCO5opzbDEdo0cac/1aMB8GA1Ud -IwQYMBaAFFG/cjK0+S9u05oKZT1Ogsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBAE/2 -FVob8QI09FDHIYH2VOqT5UfvxuoSxz6okMVbmrDIgiTHdrtBZ1pHQv4+nCXvk/Yl -GUaVsYytIbKnEW6GYkMHaX5AibLqFA9r6bXAPpbuwQjxWVX6dyGVGe1WBTTZWytq -aMIP0TcYboF1e8zKNEl7Od6CnmjFnBGSdkS7RXNP +Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud +IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0 +hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi +oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF +Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY -----END CERTIFICATE----- diff --git a/tests/certs/serverAkey.pem b/tests/certs/serverAkey.pem index 3fb8745..c9f6b65 100644 --- a/tests/certs/serverAkey.pem +++ b/tests/certs/serverAkey.pem @@ -1,16 +1,16 @@ -----BEGIN PRIVATE KEY----- -MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALCsqaXfS21mWfGw -JP1rUYebllKr9eM+iCjZaGPp4g7H5oqTBN1uLiu+to40r98KAiwcvS1PotVG8cJx -nmrB2/GcpMr6BWamJZWTqAuZuY4gayOuoogXZIzsNAuLl8bENis9TV3yIoLU6PjT -oZi6Bj+ObAIlhBA1qD95IKdgOHf7AgMBAAECgYB0kafpmpgg2ZxU3Dy7vFhx2hVn -/K/jPPoHwdKfwcx2piyVmAVouG7cTBwVXewAhJEEW/3x7I5qnEGdYuv8UmZ0PThb -JMQT5l3Gf8iaA0J0e8munOfXI6bycVfAlLxuFi4yh7JWhN/zzcKwusQFHAPDEWyX -6/tddjvg3BOP/IolyQJBAOrhoBg4DT/aVPe/HPpChw6MuPW8uTojGj51u1LsLM1x -E0g1PCsTwG9VcddZLnUnxPsshYWjIslC6jZ6xly/lwcCQQDAj0MT3m5oewAdpZuL -R6SblIFht+5sKlovRczPtAVp9apeAkFQVDrrDXcHDassUwB2OokPR4MLNkQcBv1I -TQZtAkEAr4uj0JYL6P4v5N30NWKFeC1ai2badQYJNkddkrMrJPxu8de/uV5Qw6Tz -qYRgwXTQtvzmaiOr+wnE7KTEHkue/wJADDtNdH6lnsdpa3iwl7lWUHevfEiVwZMz -JVuWtf7mdSOgzdXw1ixzjajOTcllfSxMlDYFrM3LGjQ5QVqETkpuRQJATlYDDFv1 -vFn6wCK+PT/JLZZoBD74iPskOUJ+raELWctAM6u3rRP9qzacv4gjXJ1IIxSrOlia -Z0EEKCmEu3XOkg== +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKONUIR/2L0EAP8M +77j2sjG0kXqtC4IQr0gBVz33kSzBAaGAPoYhfh6gcikRv0kWNYWZE2NRqzZ910+R +nQ8tCMil6mV7DAD/YCjnt5nlqT3TOYm7Hp0MsI3ySUCQwykS+KEtdiK+b4LuJb0D +lC9/UvT+1tGBIUytAsOT0ZxGbLNlAgMBAAECgYBcMPYoGiDEOxOMsXAXpQfBOPWg +XxbTlDAZuJfC2GA/B/SxYqbb2NlMzkhLmjNnMVuuGSFypMCMENdjhMMxoMMH4HZ8 +XFsecHE9OS2KrkNQJ7OxIa9RRtGwtm8QdVav2YsQQHwoG9qB4Q+vKTyUkofIEH86 +bV2aX7lpY7b2E8jZgQJBANcJO2+GmTOKlV0KFWtvL7x+mULJCkrpLDHEPMyFCyQT +xkzWJ8ZeL0l0r8gbF91ykO2mnjm2X2pHC9XU6lkIDRUCQQDCtVWnvGF+QCwsmAIo +RnTZtSd0jCjQQWCA+ZvqAIRMXtIQ3gL60kuYCnVMIk4XvF2iZltpgxJsPoCysGnW +q8ERAkBHq4EOy8q1/gOITfsToqxDY+KK+tyeWRbsw14MQG+VJ64ZH+uD1xJlpimM +RVNv8GZTfwwPajRlBKbyLxOoduF9AkEAuzBWXuJO4G+ViHHDcTD7Weo9OmEdQ8n2 +m0hdysQgbMOkNS8bskPHBS7Ywg8hANTJOD4rl+65IXOdiyzrM8T/4QJBAMzV6Bkz +uQYRFULqLjQnaS3wOyJtoPZChWBsKaJO8WJSp+zB5Fk75cmFkLdrkKdmf0zxZX9h +sbvrkWGXdyBD9y8= -----END PRIVATE KEY----- diff --git a/tests/certs/serverAreq.pem b/tests/certs/serverAreq.pem index ccf2778..bf93f3f 100644 --- a/tests/certs/serverAreq.pem +++ b/tests/certs/serverAreq.pem @@ -3,11 +3,11 @@ MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy IFNjaWVuY2UxETAPBgNVBAMTCFNlcnZlciBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN -ADCBiQKBgQCwrKml30ttZlnxsCT9a1GHm5ZSq/XjPogo2Whj6eIOx+aKkwTdbi4r -vraONK/fCgIsHL0tT6LVRvHCcZ5qwdvxnKTK+gVmpiWVk6gLmbmOIGsjrqKIF2SM -7DQLi5fGxDYrPU1d8iKC1Oj406GYugY/jmwCJYQQNag/eSCnYDh3+wIDAQABoAAw -DQYJKoZIhvcNAQELBQADgYEACr7TW7m5hDJlD5oz2bsM43RcOSzLJLv3UZiJbklN -pX3NqpSpWIqZRjlbppL+f1VPbIhvxuIGdjCKJ5IhMwiaI5+5bAVbT0m6GSLw47Vu -oidCX+Lhahv8bCQPP87WzXtBnx45igt4YNU9vthj4Ov1MiXN0S9i8JuqS1YCiw5l -Sxg= +ADCBiQKBgQCjjVCEf9i9BAD/DO+49rIxtJF6rQuCEK9IAVc995EswQGhgD6GIX4e +oHIpEb9JFjWFmRNjUas2fddPkZ0PLQjIpeplewwA/2Ao57eZ5ak90zmJux6dDLCN +8klAkMMpEvihLXYivm+C7iW9A5Qvf1L0/tbRgSFMrQLDk9GcRmyzZQIDAQABoAAw +DQYJKoZIhvcNAQELBQADgYEAFGv0sHAVvqDtEbW0afiFeuWwJqBf4lz+xNZt1x2I +qrxDX9iZ/EiIZNXubPZLsOAnYE9+BcfJ0tGC2p9b6+EmmtkwxytIlbaVAtleHTt2 +f0xr27k4YqIIrB63N8seaawOtQebyq76BHBSpoRHnzrfelnrkTqH+yR4Ldee7mJA +9mY= -----END CERTIFICATE REQUEST----- From b84301acb0e7b60e9428b7f626b82d301869cf74 Mon Sep 17 00:00:00 2001 From: Thijs Schreijer Date: Mon, 3 Dec 2018 10:38:48 +0100 Subject: [PATCH] auto-generate test certificates through makefile --- .gitignore | 3 +- Makefile | 39 +++-- src/copas/http.lua | 20 +-- tests/certs/_readme.md | 3 + tests/certs/all.bat | 14 ++ tests/certs/all.sh | 13 ++ tests/certs/clientA.bat | 9 + tests/certs/clientA.cnf | 316 ++++++++++++++++++++++++++++++++++++ tests/certs/clientA.pem | 43 ----- tests/certs/clientA.sh | 12 ++ tests/certs/clientAcert.pem | 20 --- tests/certs/clientAkey.pem | 16 -- tests/certs/clientAreq.pem | 13 -- tests/certs/clientB.bat | 9 + tests/certs/clientB.cnf | 316 ++++++++++++++++++++++++++++++++++++ tests/certs/clientB.sh | 12 ++ tests/certs/rootA.bat | 7 + tests/certs/rootA.cnf | 315 +++++++++++++++++++++++++++++++++++ tests/certs/rootA.pem | 23 --- tests/certs/rootA.sh | 7 + tests/certs/rootAkey.pem | 16 -- tests/certs/rootAreq.pem | 13 -- tests/certs/rootB.bat | 7 + tests/certs/rootB.cnf | 315 +++++++++++++++++++++++++++++++++++ tests/certs/rootB.sh | 7 + tests/certs/serverA.bat | 9 + tests/certs/serverA.cnf | 316 ++++++++++++++++++++++++++++++++++++ tests/certs/serverA.pem | 43 ----- tests/certs/serverA.sh | 12 ++ tests/certs/serverAcert.pem | 20 --- tests/certs/serverAkey.pem | 16 -- tests/certs/serverAreq.pem | 13 -- tests/certs/serverB.bat | 9 + tests/certs/serverB.cnf | 316 ++++++++++++++++++++++++++++++++++++ tests/certs/serverB.sh | 12 ++ 35 files changed, 2076 insertions(+), 258 deletions(-) create mode 100644 tests/certs/_readme.md create mode 100644 tests/certs/all.bat create mode 100755 tests/certs/all.sh create mode 100644 tests/certs/clientA.bat create mode 100644 tests/certs/clientA.cnf delete mode 100644 tests/certs/clientA.pem create mode 100755 tests/certs/clientA.sh delete mode 100644 tests/certs/clientAcert.pem delete mode 100644 tests/certs/clientAkey.pem delete mode 100644 tests/certs/clientAreq.pem create mode 100644 tests/certs/clientB.bat create mode 100644 tests/certs/clientB.cnf create mode 100755 tests/certs/clientB.sh create mode 100644 tests/certs/rootA.bat create mode 100644 tests/certs/rootA.cnf delete mode 100644 tests/certs/rootA.pem create mode 100755 tests/certs/rootA.sh delete mode 100644 tests/certs/rootAkey.pem delete mode 100644 tests/certs/rootAreq.pem create mode 100644 tests/certs/rootB.bat create mode 100644 tests/certs/rootB.cnf create mode 100755 tests/certs/rootB.sh create mode 100644 tests/certs/serverA.bat create mode 100644 tests/certs/serverA.cnf delete mode 100644 tests/certs/serverA.pem create mode 100755 tests/certs/serverA.sh delete mode 100644 tests/certs/serverAcert.pem delete mode 100644 tests/certs/serverAkey.pem delete mode 100644 tests/certs/serverAreq.pem create mode 100644 tests/certs/serverB.bat create mode 100644 tests/certs/serverB.cnf create mode 100755 tests/certs/serverB.sh diff --git a/.gitignore b/.gitignore index 5ca0973..18e0fea 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .DS_Store - +**/*.srl +**/*.pem diff --git a/Makefile b/Makefile index 5b383d3..5580f9f 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # $Id: Makefile,v 1.3 2007/10/29 22:50:16 carregal Exp $ -DESTDIR ?= +DESTDIR ?= # Default prefix PREFIX ?= /usr/local @@ -8,11 +8,14 @@ PREFIX ?= /usr/local # System's lua directory (where Lua libraries are installed) LUA_DIR ?= $(PREFIX)/share/lua/5.1 +DELIM=-e "print(([[=]]):rep(70))" PKGPATH=-e "package.path='src/?.lua;'..package.path" # Lua interpreter LUA=lua +.PHONY: certs + install: mkdir -p $(DESTDIR)$(LUA_DIR)/copas cp src/copas.lua $(DESTDIR)$(LUA_DIR)/copas.lua @@ -21,16 +24,29 @@ install: cp src/copas/http.lua $(DESTDIR)$(LUA_DIR)/copas/http.lua cp src/copas/limit.lua $(DESTDIR)$(LUA_DIR)/copas/limit.lua -test: - $(LUA) $(PKGPATH) tests/largetransfer.lua - $(LUA) $(PKGPATH) tests/request.lua 'http://www.google.com' - $(LUA) $(PKGPATH) tests/request.lua 'https://www.google.nl' - $(LUA) $(PKGPATH) tests/httpredirect.lua - $(LUA) $(PKGPATH) tests/limit.lua - $(LUA) $(PKGPATH) tests/connecttwice.lua - $(LUA) $(PKGPATH) tests/exit.lua - $(LUA) $(PKGPATH) tests/exittest.lua - $(LUA) $(PKGPATH) tests/removeserver.lua +tests/certs/clientA.pem: + cd ./tests/certs && \ + ./rootA.sh && \ + ./rootB.sh && \ + ./serverA.sh && \ + ./serverB.sh && \ + ./clientA.sh && \ + ./clientB.sh && \ + cd ../.. + +certs: tests/certs/clientA.pem + +test: certs + $(LUA) $(DELIM) $(PKGPATH) tests/largetransfer.lua + $(LUA) $(DELIM) $(PKGPATH) tests/request.lua 'http://www.google.com' + $(LUA) $(DELIM) $(PKGPATH) tests/request.lua 'https://www.google.nl' + $(LUA) $(DELIM) $(PKGPATH) tests/httpredirect.lua + $(LUA) $(DELIM) $(PKGPATH) tests/limit.lua + $(LUA) $(DELIM) $(PKGPATH) tests/connecttwice.lua + $(LUA) $(DELIM) $(PKGPATH) tests/exit.lua + $(LUA) $(DELIM) $(PKGPATH) tests/exittest.lua + $(LUA) $(DELIM) $(PKGPATH) tests/removeserver.lua + $(LUA) $(DELIM) coverage: $(RM) luacov.stats.out @@ -39,3 +55,4 @@ coverage: clean: $(RM) luacov.stats.out luacov.report.out + $(RM) tests/certs/*.pem tests/certs/*.srl diff --git a/src/copas/http.lua b/src/copas/http.lua index 8e8dc64..d6508e1 100644 --- a/src/copas/http.lua +++ b/src/copas/http.lua @@ -230,7 +230,7 @@ local function adjustheaders(reqt) } -- if we have authentication information, pass it along if reqt.user and reqt.password then - lower["authorization"] = + lower["authorization"] = "Basic " .. (mime.b64(reqt.user .. ":" .. reqt.password)) end -- override with user headers @@ -254,7 +254,7 @@ local function adjustrequest(reqt) -- explicit components override url for i,v in base.pairs(reqt) do nreqt[i] = v end if nreqt.port == "" then nreqt.port = 80 end - socket.try(nreqt.host and nreqt.host ~= "", + socket.try(nreqt.host and nreqt.host ~= "", "invalid host '" .. base.tostring(nreqt.host) .. "'") -- compute uri if user hasn't overriden nreqt.uri = reqt.uri or adjusturi(nreqt) @@ -292,10 +292,10 @@ local trequest, tredirect source = reqt.source, sink = reqt.sink, headers = reqt.headers, - proxy = reqt.proxy, + proxy = reqt.proxy, nredirects = (reqt.nredirects or 0) + 1, create = reqt.create - } + } -- pass location header back as a hint we redirected headers = headers or {} headers.location = headers.location or location @@ -312,7 +312,7 @@ end h:sendheaders(nreqt.headers) -- if there is a body, send it if nreqt.source then - h:sendbody(nreqt.headers, nreqt.source, nreqt.step) + h:sendbody(nreqt.headers, nreqt.source, nreqt.step) end local code, status = h:receivestatusline() -- if it is an HTTP/0.9 server, simply get the body and we are done @@ -322,13 +322,13 @@ end end local headers -- ignore any 100-continue messages - while code == 100 do + while code == 100 do headers = h:receiveheaders() code, status = h:receivestatusline() end headers = h:receiveheaders() -- at this point we should have a honest reply from the server - -- we can't redirect if we already used the source, so we report the error + -- we can't redirect if we already used the source, so we report the error if shouldredirect(nreqt, code, headers) and not nreqt.source then h:close() return tredirect(reqt, headers.location) @@ -361,7 +361,7 @@ local function tcp(params) if not u.port then u.port = _M.SSLPORT reqt.url = url.build(u) - reqt.port = _M.SSLPORT + reqt.port = _M.SSLPORT end washttps = true return conn @@ -371,7 +371,7 @@ local function tcp(params) try(nil, "Unallowed insecure redirect https to http") end return copas.wrap(socket.tcp()) - end + end end end @@ -395,7 +395,7 @@ _M.parseRequest = function(u, b) end _M.request = socket.protect(function(reqt, body) - if base.type(reqt) == "string" then + if base.type(reqt) == "string" then reqt = _M.parseRequest(reqt, body) local ok, code, headers, status = _M.request(reqt) diff --git a/tests/certs/_readme.md b/tests/certs/_readme.md new file mode 100644 index 0000000..1cd8396 --- /dev/null +++ b/tests/certs/_readme.md @@ -0,0 +1,3 @@ +The certificate generation scripts here are copied from LuaSec + + diff --git a/tests/certs/all.bat b/tests/certs/all.bat new file mode 100644 index 0000000..b1e03ca --- /dev/null +++ b/tests/certs/all.bat @@ -0,0 +1,14 @@ +REM make sure the 'openssl.exe' commandline tool is in your path before starting! +REM set the path below; +set opensslpath=c:\program files (x86)\openssl-win32\bin + + + +setlocal +set path=%opensslpath%;%path% +call roota.bat +call rootb.bat +call servera.bat +call serverb.bat +call clienta.bat +call clientb.bat diff --git a/tests/certs/all.sh b/tests/certs/all.sh new file mode 100755 index 0000000..da6ac96 --- /dev/null +++ b/tests/certs/all.sh @@ -0,0 +1,13 @@ +#!/bin/sh + +CWD=$(PWD) +cd $( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) + +./rootA.sh +./rootB.sh +./serverA.sh +./serverB.sh +./clientA.sh +./clientB.sh + +cd $CWD diff --git a/tests/certs/clientA.bat b/tests/certs/clientA.bat new file mode 100644 index 0000000..112cdef --- /dev/null +++ b/tests/certs/clientA.bat @@ -0,0 +1,9 @@ +rem #!/bin/sh + +openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch + +openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365 + +copy clientAcert.pem + rootA.pem clientA.pem + +openssl x509 -subject -issuer -noout -in clientA.pem diff --git a/tests/certs/clientA.cnf b/tests/certs/clientA.cnf new file mode 100644 index 0000000..0fea787 --- /dev/null +++ b/tests/certs/clientA.cnf @@ -0,0 +1,316 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem # The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = BR +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State +stateOrProvinceName_default = Espirito Santo + +localityName = Locality Name (eg, city) +localityName_default = Santo Antonio do Canaa + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Sao Tonico Ltda + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Department of Computer Science + +commonName = Common Name (eg, YOUR name) +commonName_default = Client A +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/tests/certs/clientA.pem b/tests/certs/clientA.pem deleted file mode 100644 index bdc18ed..0000000 --- a/tests/certs/clientA.pem +++ /dev/null @@ -1,43 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw -JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG -A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD -bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE -BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94 -e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi -aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB -hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE -FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb -5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq -p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM -Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m -/1l1/fTpSY1i ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw -JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw -JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX -txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu -zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr -8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ -3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae -mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh -bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT -YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl -ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD -AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A -RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z -0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA -234dl4Tu ------END CERTIFICATE----- diff --git a/tests/certs/clientA.sh b/tests/certs/clientA.sh new file mode 100755 index 0000000..0350ede --- /dev/null +++ b/tests/certs/clientA.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \ + -nodes -config ./clientA.cnf -days 365 -batch + +openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \ + -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \ + -out clientAcert.pem -days 365 + +cat clientAcert.pem rootA.pem > clientA.pem + +openssl x509 -subject -issuer -noout -in clientA.pem diff --git a/tests/certs/clientAcert.pem b/tests/certs/clientAcert.pem deleted file mode 100644 index 10afc38..0000000 --- a/tests/certs/clientAcert.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw -JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG -A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD -bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE -BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94 -e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi -aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB -hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE -FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb -5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq -p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM -Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m -/1l1/fTpSY1i ------END CERTIFICATE----- diff --git a/tests/certs/clientAkey.pem b/tests/certs/clientAkey.pem deleted file mode 100644 index 651c8c4..0000000 --- a/tests/certs/clientAkey.pem +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKoJsPS339sm9kPg -xAS+Vj+L24XHgGiqAINMHe8diyFu418sRCbFiCDymBdBXOtjedV87tvwhVxT/TRf -eHuSrrjtoat+OxRMT43AHRRv6MMkbPLVEHuwnGi+ena6UVSFnfDTHQhl8q6/SQEo -YmqmFMtti7lQxTBxQ9b36ypJq2D3AgMBAAECgYB+U+jmR13HAfFgiLLZG1gUqiGU -CJ48JGFxKrHqnrZpRmsioE6Zx5PVdqbMUEFqmGNB2ynSuaU67SNnL67hkB7CCxfT -+IjOs9TwP8QeY8MGJo3B+aLgdgCISiFcmcvahWUHvRUR8rq7WTr5ThTQyo/IPUbu -54ED3PB8HjiEDh0RIQJBAN5BhTIb8ReXaVpSltpaEKwzG8RrWEZ9bB1v4fwd4KHN -oU27cX9WljSv+g+Ojl+f4qIoOOBicKkW6WudxDn+UbkCQQDD2pjZ82BBbzd6xHmR -YsY7AVEEO3euYeqff1SyjCOIyznGPJHH4+/5B6iWrTC6gLbMVuSF9sd9c1LcetBO -fWAvAkEAvzt25H+gOKFBt8KaI7Qc5l1vRdjq8nPWQ5nRwsDeV7n7UUu3w034HctQ -iHQrUmHaeZXMIlzw/LxHCR6NCS0mmQJAVXCRadNAVIteGpKHriL281q5qyz+IvbY -UchMfK+h+NUfWRmnRxpq36q1ozXeoh3woOfvPXnQwSuEJGb3ZKZRRQJBAMYqGioX -EZQNfBJ1kSnW1PoZaR/TCVOi2DJ13FQslQP1BUmVLCvm0Z21YbcKhlFDzBny4nCD -0ksTfouj7w/VR94= ------END PRIVATE KEY----- diff --git a/tests/certs/clientAreq.pem b/tests/certs/clientAreq.pem deleted file mode 100644 index bdd77b3..0000000 --- a/tests/certs/clientAreq.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT -YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP -U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy -IFNjaWVuY2UxETAPBgNVBAMTCENsaWVudCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN -ADCBiQKBgQCqCbD0t9/bJvZD4MQEvlY/i9uFx4BoqgCDTB3vHYshbuNfLEQmxYgg -8pgXQVzrY3nVfO7b8IVcU/00X3h7kq647aGrfjsUTE+NwB0Ub+jDJGzy1RB7sJxo -vnp2ulFUhZ3w0x0IZfKuv0kBKGJqphTLbYu5UMUwcUPW9+sqSatg9wIDAQABoAAw -DQYJKoZIhvcNAQEFBQADgYEAJXW12Ov1xFANtbru6GGVKzv42CQ53nruaVEltSmx -0TN1BljnkuVY5vCckv7LXC8ogGF2NCAOFzVBTuUWYeX8lBjV0wuN3qCZbChoDKid -Gvwszyj8xZr0Aof4eDPm6iKoxLQm23fvPvL00jIYqsqUe23gYoxWXFmAclmp4+vr -U4w= ------END CERTIFICATE REQUEST----- diff --git a/tests/certs/clientB.bat b/tests/certs/clientB.bat new file mode 100644 index 0000000..9f341f6 --- /dev/null +++ b/tests/certs/clientB.bat @@ -0,0 +1,9 @@ +rem #!/bin/sh + +openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch + +openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365 + +copy clientBcert.pem + rootB.pem clientB.pem + +openssl x509 -subject -issuer -noout -in clientB.pem diff --git a/tests/certs/clientB.cnf b/tests/certs/clientB.cnf new file mode 100644 index 0000000..7de08de --- /dev/null +++ b/tests/certs/clientB.cnf @@ -0,0 +1,316 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem # The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = BR +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State +stateOrProvinceName_default = Espirito Santo + +localityName = Locality Name (eg, city) +localityName_default = Santo Antonio do Canaa + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Sao Tonico Ltda + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Department of Computer Science + +commonName = Common Name (eg, YOUR name) +commonName_default = Client B +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/tests/certs/clientB.sh b/tests/certs/clientB.sh new file mode 100755 index 0000000..94f8986 --- /dev/null +++ b/tests/certs/clientB.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \ + -nodes -config ./clientB.cnf -days 365 -batch + +openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \ + -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \ + -out clientBcert.pem -days 365 + +cat clientBcert.pem rootB.pem > clientB.pem + +openssl x509 -subject -issuer -noout -in clientB.pem diff --git a/tests/certs/rootA.bat b/tests/certs/rootA.bat new file mode 100644 index 0000000..6449bfa --- /dev/null +++ b/tests/certs/rootA.bat @@ -0,0 +1,7 @@ +REM #!/bin/sh + +openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch + +openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365 + +openssl x509 -subject -issuer -noout -in rootA.pem diff --git a/tests/certs/rootA.cnf b/tests/certs/rootA.cnf new file mode 100644 index 0000000..2dc39c8 --- /dev/null +++ b/tests/certs/rootA.cnf @@ -0,0 +1,315 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem # The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = BR +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Espirito Santo + +localityName = Locality Name (eg, city) +localityName_default = Santo Antonio do Canaa + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Santo Tonico Ltda + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Department of Computer Science + +commonName = Common Name (eg, YOUR name) +commonName_max = 64 +commonName_default = Root A + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/tests/certs/rootA.pem b/tests/certs/rootA.pem deleted file mode 100644 index dac07a0..0000000 --- a/tests/certs/rootA.pem +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw -JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw -JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX -txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu -zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr -8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ -3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae -mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh -bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT -YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl -ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD -AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A -RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z -0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA -234dl4Tu ------END CERTIFICATE----- diff --git a/tests/certs/rootA.sh b/tests/certs/rootA.sh new file mode 100755 index 0000000..7b588bf --- /dev/null +++ b/tests/certs/rootA.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch + +openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365 + +openssl x509 -subject -issuer -noout -in rootA.pem diff --git a/tests/certs/rootAkey.pem b/tests/certs/rootAkey.pem deleted file mode 100644 index 987a73e..0000000 --- a/tests/certs/rootAkey.pem +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO7g0Slvtdvb6ulm -V7cUkuvc58dvtDY1qWpq8Pw0SjXY6qgZVvbwbpNhX1b9getJHULitfHY1AmWKcWq -rs6t3UxGG2LlSOaXeSszU+Xms+ZeOgShqI6uJ8PMMqHLnEFWkVxS8jWdvPOC4pJB -K/IRujA7upM/9nxKB4s0VMgQ9FOxAgMBAAECgYEAlboIoEZK4PHpPj5NwI1+waQH -C3Syqj/cXr2FKy/DTBkYjCDF56YwSOSBk872PfnoA2KC1IIp9ZBPwnwHcbh8ufo9 -vZP0rEpjSV5B7d81uoMOt4YaS1UOxv8GQCO3r+5dj/L/CVYsj13W1MaozYVmvTiW -md7Rz+N4JjHWYu60EqECQQD4SHAXsEJfi+cbadV5/+HTmiqoH3cUYnK34BNs4ulo -D+3QGIiaslyde97D+08EbVWWdyWcGwoSft0CJG4Gim09AkEA9k2L4GP6qa1Afn+I -YmkMRtyo/4taCc9QBWuNRfvd1UTarvrA4nLKyBjL9Y7walFv3q/DaLrCyg/Bg/ZQ -aV8PhQJBAJuRh+rP3kbP+ncK0WAoHO/hYWkGji6PoSHlnUZUx7sUgAYr2SxVJgLn -YqWaCeDUQRSOg1pU9vKv2vtEqEwg4GECQE1uRYoOhE/xWnQqLbsaYTSpzCtCKNUq -qnJ5xFj6/Fs+oS0fQaIvClbrjLsu65/Q6EVuphT3maMiXujYd6EYtG0CQHYvVroh -2jzj0VZaoWEIJgMXjV8+UVpP5cQMHltSZtzuQITKmAAEhcqXm26W940sRfMGRgrw -u0M3347nbXdYj8c= ------END PRIVATE KEY----- diff --git a/tests/certs/rootAreq.pem b/tests/certs/rootAreq.pem deleted file mode 100644 index 8d66597..0000000 --- a/tests/certs/rootAreq.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT -YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEaMBgGA1UEChMR -U2FudG8gVG9uaWNvIEx0ZGExJzAlBgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0 -ZXIgU2NpZW5jZTEPMA0GA1UEAxMGUm9vdCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN -ADCBiQKBgQDu4NEpb7Xb2+rpZle3FJLr3OfHb7Q2NalqavD8NEo12OqoGVb28G6T -YV9W/YHrSR1C4rXx2NQJlinFqq7Ord1MRhti5Ujml3krM1Pl5rPmXjoEoaiOrifD -zDKhy5xBVpFcUvI1nbzzguKSQSvyEbowO7qTP/Z8SgeLNFTIEPRTsQIDAQABoAAw -DQYJKoZIhvcNAQEFBQADgYEA2QCr5Q66xJoE+CTbvhhneLCvpjU+KBIKOAQ28s3f -RfFMXvO4UOXdB+NU06hQDkeYZbACeikw/5Cl+Q2O5Kx57LteW+AWvP9T2Bvh9WnJ -fgjm+GArxuVSb2r9KwAF8Cn6r8O09L0C75hmQTVU+rjBghZ1lsl0dVtdn+ueoVHj -MKo= ------END CERTIFICATE REQUEST----- diff --git a/tests/certs/rootB.bat b/tests/certs/rootB.bat new file mode 100644 index 0000000..99f358a --- /dev/null +++ b/tests/certs/rootB.bat @@ -0,0 +1,7 @@ +rem #!/bin/sh + +openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch + +openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365 + +openssl x509 -subject -issuer -noout -in rootB.pem diff --git a/tests/certs/rootB.cnf b/tests/certs/rootB.cnf new file mode 100644 index 0000000..ee45752 --- /dev/null +++ b/tests/certs/rootB.cnf @@ -0,0 +1,315 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem # The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = BR +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Espirito Santo + +localityName = Locality Name (eg, city) +localityName_default = Santo Antonio do Canaa + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Sao Tonico Ltda + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Department of Computer Science + +commonName = Common Name (eg, YOUR name) +commonName_default = Root B +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/tests/certs/rootB.sh b/tests/certs/rootB.sh new file mode 100755 index 0000000..53969b3 --- /dev/null +++ b/tests/certs/rootB.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch + +openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365 + +openssl x509 -subject -issuer -noout -in rootB.pem diff --git a/tests/certs/serverA.bat b/tests/certs/serverA.bat new file mode 100644 index 0000000..78934d5 --- /dev/null +++ b/tests/certs/serverA.bat @@ -0,0 +1,9 @@ +rem #!/bin/sh + +openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch + +openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365 + +copy serverAcert.pem + rootA.pem serverA.pem + +openssl x509 -subject -issuer -noout -in serverA.pem diff --git a/tests/certs/serverA.cnf b/tests/certs/serverA.cnf new file mode 100644 index 0000000..b9c736f --- /dev/null +++ b/tests/certs/serverA.cnf @@ -0,0 +1,316 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem # The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = BR +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State +stateOrProvinceName_default = Espirito Santo + +localityName = Locality Name (eg, city) +localityName_default = Santo Antonio do Canaa + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Sao Tonico Ltda + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Department of Computer Science + +commonName = Common Name (eg, YOUR name) +commonName_default = Server A +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/tests/certs/serverA.pem b/tests/certs/serverA.pem deleted file mode 100644 index 02324d0..0000000 --- a/tests/certs/serverA.pem +++ /dev/null @@ -1,43 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw -JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG -A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT -ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv -uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd -Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU -L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG -SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg -Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud -IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0 -hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi -oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF -Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw -JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw -JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX -txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu -zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr -8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ -3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae -mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh -bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT -YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl -ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD -AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A -RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z -0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA -234dl4Tu ------END CERTIFICATE----- diff --git a/tests/certs/serverA.sh b/tests/certs/serverA.sh new file mode 100755 index 0000000..7fa04e0 --- /dev/null +++ b/tests/certs/serverA.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \ + -config ./serverA.cnf -nodes -days 365 -batch + +openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \ + -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \ + -out serverAcert.pem -days 365 + +cat serverAcert.pem rootA.pem > serverA.pem + +openssl x509 -subject -issuer -noout -in serverA.pem diff --git a/tests/certs/serverAcert.pem b/tests/certs/serverAcert.pem deleted file mode 100644 index 72d2c87..0000000 --- a/tests/certs/serverAcert.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw -JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT -BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD -VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv -IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG -A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT -ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv -uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd -Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU -L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG -SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg -Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud -IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0 -hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi -oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF -Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY ------END CERTIFICATE----- diff --git a/tests/certs/serverAkey.pem b/tests/certs/serverAkey.pem deleted file mode 100644 index c9f6b65..0000000 --- a/tests/certs/serverAkey.pem +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKONUIR/2L0EAP8M -77j2sjG0kXqtC4IQr0gBVz33kSzBAaGAPoYhfh6gcikRv0kWNYWZE2NRqzZ910+R -nQ8tCMil6mV7DAD/YCjnt5nlqT3TOYm7Hp0MsI3ySUCQwykS+KEtdiK+b4LuJb0D -lC9/UvT+1tGBIUytAsOT0ZxGbLNlAgMBAAECgYBcMPYoGiDEOxOMsXAXpQfBOPWg -XxbTlDAZuJfC2GA/B/SxYqbb2NlMzkhLmjNnMVuuGSFypMCMENdjhMMxoMMH4HZ8 -XFsecHE9OS2KrkNQJ7OxIa9RRtGwtm8QdVav2YsQQHwoG9qB4Q+vKTyUkofIEH86 -bV2aX7lpY7b2E8jZgQJBANcJO2+GmTOKlV0KFWtvL7x+mULJCkrpLDHEPMyFCyQT -xkzWJ8ZeL0l0r8gbF91ykO2mnjm2X2pHC9XU6lkIDRUCQQDCtVWnvGF+QCwsmAIo -RnTZtSd0jCjQQWCA+ZvqAIRMXtIQ3gL60kuYCnVMIk4XvF2iZltpgxJsPoCysGnW -q8ERAkBHq4EOy8q1/gOITfsToqxDY+KK+tyeWRbsw14MQG+VJ64ZH+uD1xJlpimM -RVNv8GZTfwwPajRlBKbyLxOoduF9AkEAuzBWXuJO4G+ViHHDcTD7Weo9OmEdQ8n2 -m0hdysQgbMOkNS8bskPHBS7Ywg8hANTJOD4rl+65IXOdiyzrM8T/4QJBAMzV6Bkz -uQYRFULqLjQnaS3wOyJtoPZChWBsKaJO8WJSp+zB5Fk75cmFkLdrkKdmf0zxZX9h -sbvrkWGXdyBD9y8= ------END PRIVATE KEY----- diff --git a/tests/certs/serverAreq.pem b/tests/certs/serverAreq.pem deleted file mode 100644 index bf93f3f..0000000 --- a/tests/certs/serverAreq.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT -YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP -U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy -IFNjaWVuY2UxETAPBgNVBAMTCFNlcnZlciBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN -ADCBiQKBgQCjjVCEf9i9BAD/DO+49rIxtJF6rQuCEK9IAVc995EswQGhgD6GIX4e -oHIpEb9JFjWFmRNjUas2fddPkZ0PLQjIpeplewwA/2Ao57eZ5ak90zmJux6dDLCN -8klAkMMpEvihLXYivm+C7iW9A5Qvf1L0/tbRgSFMrQLDk9GcRmyzZQIDAQABoAAw -DQYJKoZIhvcNAQELBQADgYEAFGv0sHAVvqDtEbW0afiFeuWwJqBf4lz+xNZt1x2I -qrxDX9iZ/EiIZNXubPZLsOAnYE9+BcfJ0tGC2p9b6+EmmtkwxytIlbaVAtleHTt2 -f0xr27k4YqIIrB63N8seaawOtQebyq76BHBSpoRHnzrfelnrkTqH+yR4Ldee7mJA -9mY= ------END CERTIFICATE REQUEST----- diff --git a/tests/certs/serverB.bat b/tests/certs/serverB.bat new file mode 100644 index 0000000..294be57 --- /dev/null +++ b/tests/certs/serverB.bat @@ -0,0 +1,9 @@ +rem #!/bin/sh + +openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch + +openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365 + +copy serverBcert.pem + rootB.pem serverB.pem + +openssl x509 -subject -issuer -noout -in serverB.pem diff --git a/tests/certs/serverB.cnf b/tests/certs/serverB.cnf new file mode 100644 index 0000000..ec5d031 --- /dev/null +++ b/tests/certs/serverB.cnf @@ -0,0 +1,316 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem # The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = BR +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State +stateOrProvinceName_default = Espirito Santo + +localityName = Locality Name (eg, city) +localityName_default = Santo Antonio do Canaa + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Sao Tonico Ltda + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Department of Computer Science + +commonName = Common Name (eg, YOUR name) +commonName_default = Server B +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/tests/certs/serverB.sh b/tests/certs/serverB.sh new file mode 100755 index 0000000..c75b00a --- /dev/null +++ b/tests/certs/serverB.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \ + -config ./serverB.cnf -nodes -days 365 -batch + +openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \ + -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \ + -out serverBcert.pem -days 365 + +cat serverBcert.pem rootB.pem > serverB.pem + +openssl x509 -subject -issuer -noout -in serverB.pem