adding test configuration for ssl setup

2016-09-11 23:57:25 +02:00 · 2016-09-11 23:57:25 +02:00 · 1e8f0d7248
parent 3080d00e45
commit 1e8f0d7248
2 changed files with 161 additions and 2 deletions
--- a/tests/cfg/pki/create_tsa_certs
+++ b/tests/cfg/pki/create_tsa_certs
@ -28,7 +28,7 @@ create_tsa_cert () {
    export INDEX
    EXT=$2
    TSDNSECT=ts_cert_dn
-    export TSDNSECT   
+    export TSDNSECT

    openssl req -new \
        -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
@ -41,13 +41,34 @@ echo Using extension $EXT
    test $? != 0 && error
 }

+create_cert () {
+
+    INDEX=$1
+    export INDEX
+    TSDNSECT=ts_cert_dn
+    export TSDNSECT
+
+    openssl req -new \
+        -out tsa_req${INDEX}.pem -keyout ssl_key${INDEX}.pem
+    test $? != 0 && error
+    openssl x509 -req \
+        -in tsa_req${INDEX}.pem -out ssl_cert${INDEX}.pem \
+        -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
+        -extensions server_cert
+    test $? != 0 && error
+    cat ssl_key${INDEX}.pem ssl_cert${INDEX}.pem >ssl_keycerts${INDEX}.pem
+}
+
 echo "Creating CA for TSA tests..."
 create_ca

 echo "Creating tsa_cert1.pem TSA server cert..."
 create_tsa_cert 1 tsa_cert

-echo "Creating tsa_cert2.pem non-TSA server cert..."
+echo "Creating tsa_cert2.pem TSA server cert..."
 create_tsa_cert 2 tsa_cert

+echo "Creating ssl_keycerts1.pem for ssl"
+create_cert 1
+
 exit 0
--- a/tests/cfg/uts-server-ssl.cnf
+++ b/tests/cfg/uts-server-ssl.cnf
@ -0,0 +1,138 @@
+[ oids ]
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+[ main ]
+
+# Comma-separated list of ips:ports to listen on.
+# If the port is SSL, a letter s must be appended.
+listening_ports = 127.0.0.1:2020s
+#listening_ports = 80,443s
+
+# Allows clients to reuse TCP connection for subsequent HTTP requests, which improves performance.
+enable_keep_alive = no
+
+# Number of worker threads
+num_threads = 10
+
+# Switch to given user credentials after startup.
+# Required to run on privileged ports and not be run as root.
+#run_as_user = uts-server
+
+# Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
+# *                   limit speed for all connections
+# x.x.x.x/mask        limit speed for specified subnet
+# The value is a floating-point number of bytes per second, optionally followed by a k or m character
+# meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate
+throttle = *=0
+#throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0
+
+# Timeout for network read and network write operations, in milliseconds.
+request_timeout_ms = 30000
+
+# Path to the SSL certificate file. (PEM format containing private key and certificate)
+ssl_certificate = ./pki/ssl_keycerts1.pem
+
+# Enable client's certificate verification by the server.
+ssl_verify_peer = no
+
+# Name of a directory containing trusted CA certificates
+#ssl_ca_path = /etc/ssl/ca/
+
+# Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
+ssl_ca_file = ./pki/tsaca.pem
+
+# Sets maximum depth of certificate chain.
+# If client's certificate chain is longer than the depth set here connection is refused.
+#ssl_verify_depth = 9
+
+# Loads default trusted certificates locations set at openssl compile time.
+#ssl_default_verify_paths = yes
+
+# see https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
+ssl_cipher_list = ALL:!eNULL
+
+# Sets the minimal accepted version of SSL/TLS protocol according to the table:
+# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2  0
+# SSL3+TLS1.0+TLS1.1+TLS1.2       1
+# TLS1.0+TLS1.1+TLS1.2            2
+# TLS1.1+TLS1.2                   3
+# TLS1.2                          4
+
+ssl_protocol_version = 3
+
+# Enables the use of short lived certificates
+#ssl_short_trust = no
+
+# comma separated list of IP subnets to accept/deny
+# deny all accesses, only allow 192.168/16 subnet
+#access_control_allow_origin = -0.0.0.0/0,+192.168/16
+
+# Enable TCP_NODELAY socket option on client connections.
+tcp_nodelay = 0
+
+# loglevel
+# debug, info, notice, warn, err, emerg, crit
+log_level = info
+
+####################################################################
+[ tsa ]
+
+# The default TSA section.
+default_tsa = tsa_config1
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+
+# TSA root directory
+dir		= ./pki
+
+# OpenSSL engine to use for signing
+crypto_device	= builtin
+
+# The TSA signing certificat
+# (optional)
+signer_cert	= $dir/tsa_cert1.pem
+
+# Certificate chain to include in reply
+# (optional)
+certs		= $dir/tsaca.pem
+
+# The TSA private key
+# (optional)
+signer_key	= $dir/tsa_key1.pem
+
+# Policy if request did not specify it
+# (optional)
+default_policy	= tsa_policy1
+
+# Acceptable policies
+# (optional)
+other_policies	= tsa_policy2, tsa_policy3
+
+# Acceptable message digests
+# (mandatory)
+digests		= md5, sha1
+
+# (optional)
+accuracy	= secs:1, millisecs:500, microsecs:100
+
+# Number of digits after dot.
+# (optional)
+clock_precision_digits  = 0
+
+# Is ordering defined for timestamps?
+# (optional, default: no)
+ordering		= yes
+
+# Must the TSA name be included in the reply?
+## (optional, default: no)
+tsa_name		= yes
+
+# Must the ESS cert id chain be included?
+# (optional, default: no)
+ess_cert_id_chain	= no