diff --git a/tests/cfg/pki/build-ca b/tests/cfg/pki/build-ca
new file mode 100755
index 0000000..bce29a6
--- /dev/null
+++ b/tests/cfg/pki/build-ca
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --initca $*
diff --git a/tests/cfg/pki/build-dh b/tests/cfg/pki/build-dh
new file mode 100755
index 0000000..4beb127
--- /dev/null
+++ b/tests/cfg/pki/build-dh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+
+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
+ $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/tests/cfg/pki/build-inter b/tests/cfg/pki/build-inter
new file mode 100755
index 0000000..87bf98d
--- /dev/null
+++ b/tests/cfg/pki/build-inter
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --inter $*
diff --git a/tests/cfg/pki/build-key b/tests/cfg/pki/build-key
new file mode 100755
index 0000000..6c0fed8
--- /dev/null
+++ b/tests/cfg/pki/build-key
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact $*
diff --git a/tests/cfg/pki/build-key-pass b/tests/cfg/pki/build-key-pass
new file mode 100755
index 0000000..8ef8307
--- /dev/null
+++ b/tests/cfg/pki/build-key-pass
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Similar to build-key, but protect the private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pass $*
diff --git a/tests/cfg/pki/build-key-pkcs12 b/tests/cfg/pki/build-key-pkcs12
new file mode 100755
index 0000000..ba90e6a
--- /dev/null
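Review bot: `$*` on the last line re-splits every argument on whitespace and subjects it to globbing, so a common name passed as one argument containing a space reaches pkitool as several arguments, while the quoted `"$EASY_RSA/pkitool"` on the same line shows the author did care about word splitting there. Using `"$@"` keeps argument boundaries intact: `"$EASY_RSA/pkitool" --interact --initca "$@"`, and the same one-token change applies to build-inter, build-key and build-key-pass below and to the remaining wrappers on this page. These scripts read as copies of the easy-rsa 2.x helpers; if that is deliberate, a one-line header comment naming the upstream version would tell the next reader which of these issues are already fixed upstream.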
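Review bot: The guard `[ -d $KEY_DIR ] && [ $KEY_SIZE ]` leaves both expansions unquoted, so with `KEY_DIR` unset but `KEY_SIZE` set it becomes `[ -d ] && [ 2048 ]`, which is true (a lone non-empty string), and the script goes on to write `/dh2048.pem` at the filesystem root instead of printing the hint; a `KEY_DIR` containing a space instead makes `[` fail with a syntax error. Quote and test explicitly: `if [ -n "$KEY_DIR" ] && [ -d "$KEY_DIR" ] && [ -n "$KEY_SIZE" ]; then` and `"$OPENSSL" dhparam -out "$KEY_DIR/dh$KEY_SIZE.pem" "$KEY_SIZE"`. `$OPENSSL` is never checked either, so an unsourced vars file yields a bare "command not found" rather than the message the else branch was written for.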
+++ b/tests/cfg/pki/build-key-pkcs12
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pkcs12 $*
diff --git a/tests/cfg/pki/build-key-server b/tests/cfg/pki/build-key-server
new file mode 100755
index 0000000..fee0194
--- /dev/null
+++ b/tests/cfg/pki/build-key-server
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --server $*
diff --git a/tests/cfg/pki/build-req b/tests/cfg/pki/build-req
new file mode 100755
index 0000000..559d512
--- /dev/null
+++ b/tests/cfg/pki/build-req
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Build a certificate signing request and private key. Use this
+# when your root certificate and key is not available locally.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr $*
diff --git a/tests/cfg/pki/build-req-pass b/tests/cfg/pki/build-req-pass
new file mode 100755
index 0000000..b73ee1b
--- /dev/null
+++ b/tests/cfg/pki/build-req-pass
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Like build-req, but protect your private key
+# with a password.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr --pass $*
diff --git a/tests/cfg/pki/clean-all b/tests/cfg/pki/clean-all
new file mode 100755
index 0000000..b1d0237
--- /dev/null
+++ b/tests/cfg/pki/clean-all
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+
+if [ "$KEY_DIR" ]; then
+ rm -rf "$KEY_DIR"
+ mkdir "$KEY_DIR" && \
+ chmod go-rwx "$KEY_DIR" && \
+ touch "$KEY_DIR/index.txt" && \
+ echo 01 >"$KEY_DIR/serial"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/tests/cfg/pki/inherit-inter b/tests/cfg/pki/inherit-inter
new file mode 100755
index 0000000..1fe3539
--- /dev/null
+++ b/tests/cfg/pki/inherit-inter
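Review bot: `rm -rf "$KEY_DIR"` is guarded only by a non-empty test, so a vars file that sets `KEY_DIR=/` or `KEY_DIR=~`, or a stale `KEY_DIR` still exported from another project's shell, is executed as-is; the header comment warns about this, but the script can refuse the obviously destructive values itself with `case "$KEY_DIR" in /|.|..|"$HOME") echo "refusing to rm -rf $KEY_DIR" >&2; exit 1;; esac` before the `rm`. Separately, `mkdir` followed by `chmod go-rwx` leaves a window in which the directory exists with the umask's permissions; `mkdir -m 0700 "$KEY_DIR" && \` creates it closed in one step and lets the chmod line go. The `rm` result is also unchecked, so a removal that fails partway (a read-only file, a busy mount) still falls through to `mkdir`, which then fails and leaves a half-initialized directory with no index.txt or serial.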
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Build a new PKI which is rooted on an intermediate certificate generated
+# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
+# have independent vars settings, and must use a different KEY_DIR directory
+# from the parent. This tool can be used to generate arbitrary depth
+# certificate chains.
+#
+# To build an intermediate CA, follow the same steps for a regular PKI but
+# replace ./build-key or ./pkitool --initca with this script.
+
+# The EXPORT_CA file will contain the CA certificate chain and should be
+# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
+# will only contain the local intermediate CA -- it's needed by the easy-rsa
+# scripts but not by OpenVPN directly.
+EXPORT_CA="export-ca.crt"
+
+if [ $# -ne 2 ]; then
+ echo "usage: $0 "
+ echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
+ echo "common-name: the common name of the intermediate certificate in the parent PKI"
+ exit 1;
+fi
+
+if [ "$KEY_DIR" ]; then
+ cp "$1/$2.crt" "$KEY_DIR/ca.crt"
+ cp "$1/$2.key" "$KEY_DIR/ca.key"
+
+ if [ -e "$1/$EXPORT_CA" ]; then
+ PARENT_CA="$1/$EXPORT_CA"
+ else
+ PARENT_CA="$1/ca.crt"
+ fi
+ cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
+ cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/tests/cfg/pki/keys/01.pem b/tests/cfg/pki/keys/01.pem
new file mode 100644
index 0000000..8236ff8
--- /dev/null
+++ b/tests/cfg/pki/keys/01.pem
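Review bot: The two `cp` lines copy `$1/$2.crt` and `$1/$2.key` over `$KEY_DIR/ca.crt` and `ca.key` without checking that `$1` and `$KEY_DIR` differ, although the header comment says the new PKI must use a different KEY_DIR from the parent; run with the parent's own KEY_DIR it silently replaces the parent CA's certificate and key with the intermediate's. Both copies are also unchecked, so a mistyped common name prints a cp error and then continues to assemble `export-ca.crt` from whatever was already in the directory. The rewrite below adds the equal-directory refusal (a plain string comparison, so it catches the literal same path rather than `./keys` versus `keys`) and stops on the first failed copy; the rest of the script is unchanged.
```shell
if [ "$KEY_DIR" ]; then
    # The header says the new PKI must use a different KEY_DIR from the
    # parent; enforce it, otherwise the copies below overwrite the parent's
    # ca.crt/ca.key in place.
    if [ "$1" = "$KEY_DIR" ]; then
        echo "error: parent-key-dir must differ from KEY_DIR ($KEY_DIR)" >&2
        exit 1
    fi
    # A missing "$2.crt"/"$2.key" (typo in the common name) must not leave
    # a half-built directory behind.
    cp "$1/$2.crt" "$KEY_DIR/ca.crt" || exit 1
    cp "$1/$2.key" "$KEY_DIR/ca.key" || exit 1
    # … unchanged: PARENT_CA selection, export-ca.crt assembly, else branch …
```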
@@ -0,0 +1,98 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + Validity + Not Before: Aug 26 17:07:32 2016 GMT + Not After : Aug 24 17:07:32 2026 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=-h/name=EasyRSA/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b4:af:eb:bb:05:0d:4d:a8:a1:7b:65:79:1f:a2: + ad:8b:af:d5:2d:75:92:38:e7:0d:79:68:4a:6a:03: + 0a:c6:3a:93:fd:e3:9a:e7:f5:18:8f:07:c7:c9:30: + aa:db:6c:7e:18:84:09:9c:69:32:5b:55:40:a1:1f: + 1d:49:f1:cd:12:ec:aa:55:ad:fd:a0:13:60:d4:ed: + e6:6b:15:19:2a:a4:d5:a0:06:62:1c:36:f0:69:b5: + 13:df:5d:5d:8a:90:2e:42:75:94:00:2f:61:d4:ef: + 08:b7:37:fb:98:4e:b6:b9:4c:3b:cc:f2:05:21:8e: + 1e:1d:8e:a9:dc:d1:e0:f8:2b:31:8b:db:cf:fd:66: + e2:ed:cb:da:b3:3e:e4:92:17:18:c1:31:9f:ae:35: + 3c:c6:01:1e:35:fe:8c:74:6e:14:43:0b:bb:40:15: + 32:3d:10:46:c6:f6:54:d8:26:ac:c2:98:ee:a0:66: + ed:81:69:3f:b8:2d:2b:f3:fa:3f:0d:6d:c4:9f:8c: + 4d:82:f1:01:d6:66:1f:73:49:80:cd:73:bd:22:f1: + 12:51:f1:fe:e6:8f:e0:be:32:99:74:50:3b:dc:8f: + ae:74:a0:58:64:b8:b7:40:b3:d5:f0:a8:19:20:cb: + 7b:86:47:45:96:ae:f4:4a:f3:39:7d:ff:19:8e:50: + 98:63 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + B4:F1:77:6A:ED:D2:67:AB:19:75:00:B5:DE:02:04:8C:F4:7E:4B:87 + X509v3 Authority Key Identifier: + keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73 + DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + serial:F9:2F:C6:8B:0E:F1:EB:9E + + X509v3 Extended Key Usage: + TLS Web Client Authentication + 
X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:-h + Signature Algorithm: sha256WithRSAEncryption + 0b:b4:40:74:21:70:12:4f:e9:b5:30:d0:2c:64:d9:fc:1a:01: + ac:9e:79:cf:a7:92:c7:27:c4:d8:55:e7:3f:ec:f6:11:36:07: + 17:44:53:4c:f4:09:78:93:5b:ec:31:3c:08:d8:15:49:00:b6: + fc:5f:f5:46:d5:4e:d0:7f:a0:c3:9d:6c:43:cf:52:fa:22:cf: + 14:ff:8e:92:68:90:23:22:41:6d:b9:5e:65:c0:81:56:61:63: + e4:73:33:7d:5d:43:49:9d:bb:d9:48:58:d0:65:f9:e9:bf:90: + 15:30:51:dc:e2:27:c4:5b:4d:e7:46:4c:49:05:3a:f7:9b:dc: + f3:70:56:b4:69:24:25:92:33:48:eb:fe:07:95:5c:eb:4d:e6: + 45:a3:27:5e:75:59:62:a4:3e:18:66:30:17:58:15:87:f0:63: + b9:d6:bd:01:e2:a9:a8:de:34:0d:5b:ab:41:8f:7a:f4:5a:c1: + 7c:fa:5c:7d:cf:ab:8a:cb:36:53:12:fc:97:11:c5:b8:d0:a8: + 7d:fc:f2:2f:74:95:c5:c0:62:cc:57:2a:8e:1f:9d:72:90:7e: + 9b:d5:5a:cf:26:ff:3e:3a:cb:80:c7:e7:c6:77:d9:ef:e1:a5: + 42:8f:9e:f7:15:2b:62:9c:8c:6a:35:36:3e:08:71:c6:06:44: + eb:43:4f:02 +-----BEGIN CERTIFICATE----- +MIIFWjCCBEKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv +cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV +BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3 +DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDczMloXDTI2MDgy +NDE3MDczMlowgakxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM +U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15 +T3JnYW5pemF0aW9uYWxVbml0MQswCQYDVQQDEwItaDEQMA4GA1UEKRMHRWFzeVJT +QTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtK/ruwUNTaihe2V5H6Kti6/VLXWSOOcNeWhK +agMKxjqT/eOa5/UYjwfHyTCq22x+GIQJnGkyW1VAoR8dSfHNEuyqVa39oBNg1O3m +axUZKqTVoAZiHDbwabUT311dipAuQnWUAC9h1O8Itzf7mE62uUw7zPIFIY4eHY6p +3NHg+Csxi9vP/Wbi7cvasz7kkhcYwTGfrjU8xgEeNf6MdG4UQwu7QBUyPRBGxvZU +2CaswpjuoGbtgWk/uC0r8/o/DW3En4xNgvEB1mYfc0mAzXO9IvESUfH+5o/gvjKZ +dFA73I+udKBYZLi3QLPV8KgZIMt7hkdFlq70SvM5ff8ZjlCYYwIDAQABo4IBfDCC 
+AXgwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVk +IENlcnRpZmljYXRlMB0GA1UdDgQWBBS08Xdq7dJnqxl1ALXeAgSM9H5LhzCB6wYD +VR0jBIHjMIHggBTjK+R0z5u8bm3mUh0RBPxmHyVKc6GBvKSBuTCBtjELMAkGA1UE +BhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNV +BAoTDEZvcnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQx +GDAWBgNVBAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8G +CSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluggkA+S/Giw7x654wEwYDVR0l +BAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA0GA1UdEQQGMASCAi1oMA0GCSqG +SIb3DQEBCwUAA4IBAQALtEB0IXAST+m1MNAsZNn8GgGsnnnPp5LHJ8TYVec/7PYR +NgcXRFNM9Al4k1vsMTwI2BVJALb8X/VG1U7Qf6DDnWxDz1L6Is8U/46SaJAjIkFt +uV5lwIFWYWPkczN9XUNJnbvZSFjQZfnpv5AVMFHc4ifEW03nRkxJBTr3m9zzcFa0 +aSQlkjNI6/4HlVzrTeZFoydedVlipD4YZjAXWBWH8GO51r0B4qmo3jQNW6tBj3r0 +WsF8+lx9z6uKyzZTEvyXEcW40Kh9/PIvdJXFwGLMVyqOH51ykH6b1VrPJv8+OsuA +x+fGd9nv4aVCj573FStinIxqNTY+CHHGBkTrQ08C +-----END CERTIFICATE----- diff --git a/tests/cfg/pki/keys/02.pem b/tests/cfg/pki/keys/02.pem new file mode 100644 index 0000000..60814a2 --- /dev/null +++ b/tests/cfg/pki/keys/02.pem 
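Review bot: The subject of serial 01 is `CN=-h` with a matching `DNS:-h` SAN, which looks like a `build-key -h` invocation whose `-h` was taken as the common name rather than as a help request; the generating command is not visible here, so this is inferred from the subject alone. If no test references this certificate, dropping it (or regenerating the keys directory) avoids a puzzling entry in the CA's index; if it is deliberate, a short note in the tests' README saying what the `-h` certificate exercises would stop the next reader from deleting it.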
@@ -0,0 +1,99 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + Validity + Not Before: Aug 26 17:08:14 2016 GMT + Not After : Aug 24 17:08:14 2026 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=ts.uts-server.org/name=EasyRSA/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d3:50:7a:93:b7:10:8e:d2:2e:31:30:f6:10:9f: + bc:d6:db:ab:f0:4c:96:46:d2:bf:b2:2a:a0:f6:f7: + 5c:48:83:66:54:75:3e:a3:25:20:89:2d:f7:9a:c5: + 32:12:b1:32:a0:99:27:f4:9c:f0:e8:a2:19:9b:83: + a6:e1:aa:42:0a:f4:0b:81:a2:9c:3e:f2:5a:1c:ad: + 5e:f8:24:12:e9:ec:75:cc:43:7c:6b:16:9a:5f:aa: + 9e:39:b5:9f:2c:3e:b0:3f:cd:31:7f:90:46:a9:60: + 74:d3:e0:18:e8:ee:0e:71:bf:37:bc:fe:2b:94:33: + 61:3d:01:02:ed:f8:b8:66:6a:9f:76:c0:06:c8:06: + 2b:70:5e:87:d2:17:b7:cd:aa:40:1f:ae:af:a4:c7: + 3f:60:bc:be:54:ee:30:4e:fe:8e:2d:32:27:5c:f9: + af:2f:f9:f1:d2:2b:08:b5:6d:89:8b:84:3e:e9:d4: + e8:0b:c4:d7:5f:07:4e:96:5c:a2:4b:63:ef:a8:49: + 55:39:55:34:1d:b5:ce:8e:5d:13:69:8d:52:d5:1e: + 30:f9:ed:73:0b:2b:7d:8c:e1:c0:93:a9:28:20:d7: + f0:ec:04:37:bf:4b:85:0e:e2:3a:e8:54:ad:d9:e3: + 27:8f:c7:43:8e:65:e1:f9:51:f0:c3:96:f2:0e:8d: + 83:79 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + FF:2D:69:50:05:46:A3:95:F4:A3:E0:2E:34:39:EF:9B:BC:E2:F0:86 + X509v3 Authority Key Identifier: + keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73 + DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + serial:F9:2F:C6:8B:0E:F1:EB:9E + + X509v3 Extended Key Usage: + TLS Web Client 
Authentication + X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:ts.uts-server.org + Signature Algorithm: sha256WithRSAEncryption + d2:ff:65:c8:fe:69:7d:fd:99:b9:4e:4c:c3:fe:ff:97:74:59: + a1:89:b6:47:b3:10:79:76:ee:7b:0b:26:7e:db:cd:fd:e1:52: + 4b:94:78:3e:72:ba:8c:58:48:4f:67:ef:05:29:9e:7b:1a:07: + 82:72:27:67:78:ef:43:e1:67:08:73:2c:11:e1:91:f4:4e:73: + 5a:a8:09:61:9f:33:d1:33:c7:43:10:8b:a9:e8:16:63:97:e9: + 81:63:74:f4:5a:b5:fc:88:46:a6:c9:c4:89:23:1d:ac:4a:02: + 3f:29:ae:59:a2:6f:37:a1:27:e1:6e:34:c8:99:35:0b:50:5e: + bc:3d:64:01:7e:5e:4e:ee:79:48:a9:e6:26:bb:2d:f8:18:88: + ea:22:df:8e:7b:71:24:c1:6b:17:26:4c:96:0c:d0:d2:b4:29: + 9a:1d:9a:ae:26:2b:aa:95:a9:9b:15:58:a6:9a:c4:5b:48:64: + ff:e0:e6:fb:53:37:0d:20:83:94:95:4e:5a:b9:3c:62:47:bc: + fb:6d:0a:eb:f2:b1:9c:d7:ee:30:9b:07:9f:1a:27:1f:e0:bb: + 5e:36:4b:06:19:10:89:43:14:98:fc:cd:52:82:48:59:cc:77: + 64:bd:ff:e7:b4:b1:00:ad:7a:94:c6:47:c7:f9:32:25:ad:2c: + 14:e6:1c:df +-----BEGIN CERTIFICATE----- +MIIFeDCCBGCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv +cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV +BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3 +DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDgxNFoXDTI2MDgy +NDE3MDgxNFowgbgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM +U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15 +T3JnYW5pemF0aW9uYWxVbml0MRowGAYDVQQDExF0cy51dHMtc2VydmVyLm9yZzEQ +MA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9t +YWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA01B6k7cQjtIuMTD2 +EJ+81tur8EyWRtK/siqg9vdcSINmVHU+oyUgiS33msUyErEyoJkn9Jzw6KIZm4Om +4apCCvQLgaKcPvJaHK1e+CQS6ex1zEN8axaaX6qeObWfLD6wP80xf5BGqWB00+AY +6O4Ocb83vP4rlDNhPQEC7fi4ZmqfdsAGyAYrcF6H0he3zapAH66vpMc/YLy+VO4w +Tv6OLTInXPmvL/nx0isItW2Ji4Q+6dToC8TXXwdOllyiS2PvqElVOVU0HbXOjl0T +aY1S1R4w+e1zCyt9jOHAk6koINfw7AQ3v0uFDuI66FSt2eMnj8dDjmXh+VHww5by 
+Do2DeQIDAQABo4IBizCCAYcwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFz +eS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT/LWlQBUajlfSj +4C40Oe+bvOLwhjCB6wYDVR0jBIHjMIHggBTjK+R0z5u8bm3mUh0RBPxmHyVKc6GB +vKSBuTCBtjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5G +cmFuY2lzY28xFTATBgNVBAoTDEZvcnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdh +bml6YXRpb25hbFVuaXQxGDAWBgNVBAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UE +KRMHRWFzeVJTQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluggkA ++S/Giw7x654wEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMBwGA1Ud +EQQVMBOCEXRzLnV0cy1zZXJ2ZXIub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQDS/2XI +/ml9/Zm5TkzD/v+XdFmhibZHsxB5du57CyZ+28394VJLlHg+crqMWEhPZ+8FKZ57 +GgeCcidneO9D4WcIcywR4ZH0TnNaqAlhnzPRM8dDEIup6BZjl+mBY3T0WrX8iEam +ycSJIx2sSgI/Ka5Zom83oSfhbjTImTULUF68PWQBfl5O7nlIqeYmuy34GIjqIt+O +e3EkwWsXJkyWDNDStCmaHZquJiuqlambFVimmsRbSGT/4Ob7UzcNIIOUlU5auTxi +R7z7bQrr8rGc1+4wmwefGicf4LteNksGGRCJQxSY/M1SgkhZzHdkvf/ntLEArXqU +xkfH+TIlrSwU5hzf +-----END CERTIFICATE----- diff --git a/tests/cfg/pki/keys/03.pem b/tests/cfg/pki/keys/03.pem new file mode 100644 index 0000000..19d8795 --- /dev/null +++ b/tests/cfg/pki/keys/03.pem 
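Review bot: The certificate for `ts.uts-server.org` carries only `TLS Web Client Authentication` in its extended key usage, i.e. it was issued with the client profile rather than `build-key-server`; if it is meant to terminate TLS for the timestamp endpoint, peers that honour EKU (OpenSSL with `-purpose sslserver`, browsers, most HTTP client libraries) will reject it for lacking `serverAuth`. Whether the test suite uses it as a server or as a client identity is not visible in this hunk; a comment in the test configuration naming its role, or reissuing it with `build-key-server` if it is the server, would settle it.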
@@ -0,0 +1,98 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + Validity + Not Before: Aug 26 17:08:43 2016 GMT + Not After : Aug 24 17:08:43 2026 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=tsa1/name=EasyRSA/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c8:00:8c:27:a0:52:ac:87:1f:e5:b4:1c:2d:be: + af:a0:8b:aa:ea:1b:8d:02:30:41:00:1b:3a:34:dc: + 6f:04:5d:9f:c5:59:6f:a5:fa:d5:1e:3c:0e:22:52: + 10:1e:7e:b2:48:b1:65:cd:0c:be:55:60:0e:98:d2: + 34:8d:e9:9b:50:a2:98:92:6b:6a:09:db:9e:f6:f7: + 80:22:d1:8b:f3:71:6e:bd:53:b3:fb:23:70:4e:01: + 20:73:75:12:20:87:37:d3:ca:e5:0b:ff:ba:5e:bd: + ad:cd:ff:05:e2:91:31:7c:b1:99:34:ef:d2:6f:1e: + 22:fe:77:e9:40:ac:8b:dc:f0:e8:23:04:f6:b7:b3: + 60:34:2c:82:df:3c:3d:ca:14:52:d8:8a:57:1f:40: + 1b:70:a2:ac:65:df:54:87:ba:7d:85:7b:d8:93:bd: + 8e:85:fc:de:9a:0b:6a:88:52:b2:27:1b:0c:16:e0: + 87:ba:7c:c9:94:a3:f7:10:79:88:0e:96:b4:a7:40: + 76:00:58:b1:5a:ab:50:89:55:f6:f8:48:4f:76:66: + e5:1c:fa:bb:7a:59:57:df:33:57:7b:d4:0c:36:7f: + d6:6e:0a:40:a2:06:b7:c0:f2:31:f7:55:11:20:74: + cf:68:b2:b2:96:74:4c:58:a0:3e:ec:ee:8e:df:d1: + 51:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + 6D:48:DA:1F:19:A2:88:71:0F:3D:80:5D:AB:44:5C:F5:06:B5:BB:0B + X509v3 Authority Key Identifier: + keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73 + DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + serial:F9:2F:C6:8B:0E:F1:EB:9E + + X509v3 Extended Key Usage: + TLS Web Client Authentication + 
X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:tsa1 + Signature Algorithm: sha256WithRSAEncryption + a2:b6:e1:66:78:ff:d0:f1:53:58:2f:8a:26:0b:c1:7f:71:f8: + 9a:d1:fa:70:f8:5b:b7:ce:da:79:92:52:0b:5f:d1:ed:c1:86: + eb:bc:29:f7:ed:0f:5b:c4:10:ab:a3:ce:9e:97:c8:a0:c8:5c: + af:bc:f2:58:77:00:59:69:85:2f:a1:16:92:45:b8:a9:3b:8d: + 8c:bd:1a:bb:08:07:79:6d:6a:e9:8b:7c:fb:fb:0e:72:0a:e1: + fa:4c:ca:d5:d6:99:fc:2c:5f:1d:8a:28:38:da:bd:d4:88:36: + a2:a4:1a:e5:f9:77:72:e6:ed:13:62:31:19:79:ec:ad:9e:b5: + d1:92:7a:cf:f8:e0:ad:56:dd:5b:68:c6:64:c5:32:51:83:0e: + 89:17:14:22:29:53:09:bb:49:06:3a:f1:02:8f:de:fc:94:59: + 82:3d:d1:97:d8:70:53:ff:b5:0d:04:6f:2a:3f:30:50:7b:b1: + 61:b3:a3:10:ee:94:dd:de:b8:ac:7c:0d:a4:af:f6:c2:8a:74: + dd:e8:95:db:ee:ab:d5:ef:68:0a:96:7c:46:05:93:12:93:d8: + 84:5a:6d:38:ff:69:40:51:84:29:62:91:62:7b:af:17:18:b7: + bb:59:19:89:89:89:5d:75:54:92:bf:75:2f:7e:e4:fb:eb:a7: + ae:b5:a2:2f +-----BEGIN CERTIFICATE----- +MIIFXjCCBEagAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv +cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV +BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3 +DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDg0M1oXDTI2MDgy +NDE3MDg0M1owgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM +U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15 +T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwR0c2ExMRAwDgYDVQQpEwdFYXN5 +UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIAIwnoFKshx/ltBwtvq+gi6rqG40CMEEA +Gzo03G8EXZ/FWW+l+tUePA4iUhAefrJIsWXNDL5VYA6Y0jSN6ZtQopiSa2oJ2572 +94Ai0YvzcW69U7P7I3BOASBzdRIghzfTyuUL/7peva3N/wXikTF8sZk079JvHiL+ +d+lArIvc8OgjBPa3s2A0LILfPD3KFFLYilcfQBtwoqxl31SHun2Fe9iTvY6F/N6a +C2qIUrInGwwW4Ie6fMmUo/cQeYgOlrSnQHYAWLFaq1CJVfb4SE92ZuUc+rt6WVff +M1d71Aw2f9ZuCkCiBrfA8jH3VREgdM9osrKWdExYoD7s7o7f0VH/AgMBAAGjggF+ 
+MIIBejAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0 +ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFG1I2h8ZoohxDz2AXatEXPUGtbsLMIHr +BgNVHSMEgeMwgeCAFOMr5HTPm7xubeZSHREE/GYfJUpzoYG8pIG5MIG2MQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG +A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p +dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw +HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD5L8aLDvHrnjATBgNV +HSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDwYDVR0RBAgwBoIEdHNhMTAN +BgkqhkiG9w0BAQsFAAOCAQEAorbhZnj/0PFTWC+KJgvBf3H4mtH6cPhbt87aeZJS +C1/R7cGG67wp9+0PW8QQq6POnpfIoMhcr7zyWHcAWWmFL6EWkkW4qTuNjL0auwgH +eW1q6Yt8+/sOcgrh+kzK1daZ/CxfHYooONq91Ig2oqQa5fl3cubtE2IxGXnsrZ61 +0ZJ6z/jgrVbdW2jGZMUyUYMOiRcUIilTCbtJBjrxAo/e/JRZgj3Rl9hwU/+1DQRv +Kj8wUHuxYbOjEO6U3d64rHwNpK/2wop03eiV2+6r1e9oCpZ8RgWTEpPYhFptOP9p +QFGEKWKRYnuvFxi3u1kZiYmJXXVUkr91L37k++unrrWiLw== +-----END CERTIFICATE----- diff --git a/tests/cfg/pki/keys/04.pem b/tests/cfg/pki/keys/04.pem new file mode 100644 index 0000000..6bbeef4 --- /dev/null +++ b/tests/cfg/pki/keys/04.pem 
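Review bot: `tsa1` (and `tsa2` in the next file) is issued with a non-critical `extendedKeyUsage = TLS Web Client Authentication`; if these are meant to act as RFC 3161 time-stamp signing certificates, that profile requires an EKU containing only `id-kp-timeStamping` and marked critical, and OpenSSL's `ts -verify` rejects a signer whose EKU is anything else. If they are instead client identities used to reach the TSA, the current extensions are fine. Their role is not visible from the certificate alone, so a line in the test configuration naming it would avoid the wrong guess later.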
@@ -0,0 +1,98 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4 (0x4) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + Validity + Not Before: Aug 26 17:08:44 2016 GMT + Not After : Aug 24 17:08:44 2026 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=tsa2/name=EasyRSA/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9b:34:5c:6b:ac:10:e9:63:50:cd:f5:f1:9e:80: + a8:be:ed:4f:21:25:7c:54:67:8f:f0:c1:16:57:ad: + 1c:c7:14:90:8c:8d:1f:b4:e4:91:3b:fd:2c:44:a1: + c3:7d:1d:f5:cb:54:c2:45:a4:e3:e9:07:14:60:60: + 63:07:d7:6d:92:2b:99:5a:c3:c1:91:87:92:b5:6d: + 4b:d0:22:cd:62:13:34:9a:d1:c6:8f:e6:f6:df:50: + ba:1a:51:80:b8:2e:c9:dc:03:79:3d:97:a9:89:ce: + 91:68:e4:dc:90:7d:f3:aa:74:2d:48:2b:40:f5:cf: + ba:d5:e8:07:d2:34:74:e0:31:c6:e1:0c:df:89:25: + c9:49:34:f6:0d:e8:1c:05:54:4c:eb:79:7b:04:bb: + e8:1e:f9:c3:dc:f8:d7:6f:d1:c3:77:a5:97:78:45: + 1c:82:5a:52:a5:26:3e:4b:78:9e:6d:f8:75:3e:40: + b9:69:d6:e8:3f:ea:d7:6b:6e:e9:d3:a9:10:a4:92: + 5e:96:e2:d8:f3:7e:2e:35:f2:81:85:b9:6d:9c:14: + 02:38:c3:53:0f:a1:84:ef:c3:62:13:7f:10:0f:e4: + 2e:43:4d:d0:48:06:5b:38:e4:49:e1:35:13:f6:d6: + 83:1e:1c:f4:10:21:29:45:e3:48:47:01:9c:6a:4d: + b6:0b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + 6E:12:12:1A:40:9F:52:2F:48:9C:B5:EE:DC:BF:20:B7:7A:30:02:DC + X509v3 Authority Key Identifier: + keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73 + DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + serial:F9:2F:C6:8B:0E:F1:EB:9E + + X509v3 Extended Key Usage: + TLS Web Client Authentication + 
X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:tsa2 + Signature Algorithm: sha256WithRSAEncryption + 89:6d:03:f4:e6:29:77:ae:b4:82:de:7b:d6:39:56:10:2f:64: + f7:68:58:6e:3b:cf:9f:96:ab:a3:66:b0:53:80:98:88:c2:70: + 3a:7e:de:d6:3f:69:ff:09:56:22:4f:b3:61:c3:43:ed:73:7f: + 9f:29:10:31:31:ba:d6:78:a2:bc:7d:45:2c:5f:5a:8a:77:62: + 3e:d8:38:fb:41:3c:54:8b:67:29:c5:d7:5a:a9:d3:a9:52:53: + 81:eb:0b:55:9e:4e:f3:73:b5:f9:87:0d:a9:59:c4:2a:66:36: + 47:bc:02:78:12:5b:12:7f:f5:c2:1c:a3:be:d0:bc:3e:72:1e: + 96:f2:a4:16:71:d8:0f:af:76:1d:44:bd:1c:ef:e9:6a:09:00: + 79:61:b1:20:83:61:1f:13:00:69:30:c6:ae:3b:31:a3:6c:db: + 67:52:5d:ef:44:14:eb:53:b4:79:39:62:53:a6:d5:ea:96:ee: + 2c:5f:38:9f:04:32:0c:39:24:e7:1c:04:79:ea:27:90:1f:e2: + b3:ed:93:a1:92:5c:c6:fa:d5:58:1f:9e:3a:a5:32:01:ce:b8: + 61:f6:fa:bd:ff:37:1c:3f:30:54:8e:69:13:91:1b:95:6c:43: + c7:23:47:c8:2b:c1:97:00:d4:9b:46:52:ae:b4:dd:da:a6:13: + a5:6b:07:dc +-----BEGIN CERTIFICATE----- +MIIFXjCCBEagAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv +cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV +BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3 +DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDg0NFoXDTI2MDgy +NDE3MDg0NFowgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM +U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15 +T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwR0c2EyMRAwDgYDVQQpEwdFYXN5 +UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbNFxrrBDpY1DN9fGegKi+7U8hJXxUZ4/w +wRZXrRzHFJCMjR+05JE7/SxEocN9HfXLVMJFpOPpBxRgYGMH122SK5law8GRh5K1 +bUvQIs1iEzSa0caP5vbfULoaUYC4LsncA3k9l6mJzpFo5NyQffOqdC1IK0D1z7rV +6AfSNHTgMcbhDN+JJclJNPYN6BwFVEzreXsEu+ge+cPc+Ndv0cN3pZd4RRyCWlKl +Jj5LeJ5t+HU+QLlp1ug/6tdrbunTqRCkkl6W4tjzfi418oGFuW2cFAI4w1MPoYTv +w2ITfxAP5C5DTdBIBls45EnhNRP21oMeHPQQISlF40hHAZxqTbYLAgMBAAGjggF+ 
+MIIBejAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0 +ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFG4SEhpAn1IvSJy17ty/ILd6MALcMIHr +BgNVHSMEgeMwgeCAFOMr5HTPm7xubeZSHREE/GYfJUpzoYG8pIG5MIG2MQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG +A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p +dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw +HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD5L8aLDvHrnjATBgNV +HSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDwYDVR0RBAgwBoIEdHNhMjAN +BgkqhkiG9w0BAQsFAAOCAQEAiW0D9OYpd660gt571jlWEC9k92hYbjvPn5aro2aw +U4CYiMJwOn7e1j9p/wlWIk+zYcND7XN/nykQMTG61niivH1FLF9aindiPtg4+0E8 +VItnKcXXWqnTqVJTgesLVZ5O83O1+YcNqVnEKmY2R7wCeBJbEn/1whyjvtC8PnIe +lvKkFnHYD692HUS9HO/pagkAeWGxIINhHxMAaTDGrjsxo2zbZ1Jd70QU61O0eTli +U6bV6pbuLF84nwQyDDkk5xwEeeonkB/is+2ToZJcxvrVWB+eOqUyAc64Yfb6vf83 +HD8wVI5pE5EblWxDxyNHyCvBlwDUm0ZSrrTd2qYTpWsH3A== +-----END CERTIFICATE----- diff --git a/tests/cfg/pki/keys/05.pem b/tests/cfg/pki/keys/05.pem new file mode 100644 index 0000000..8b33bf7 --- /dev/null +++ b/tests/cfg/pki/keys/05.pem 
@@ -0,0 +1,98 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5 (0x5) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + Validity + Not Before: Aug 26 17:08:56 2016 GMT + Not After : Aug 24 17:08:56 2026 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=clt1/name=EasyRSA/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d5:f2:1c:23:59:41:87:a7:68:06:7d:2f:5f:aa: + 88:16:4a:91:59:11:7f:d9:28:d1:ec:d6:c9:bc:b0: + 6b:90:ee:44:94:44:e7:d4:b9:11:48:f7:f1:ca:9e: + f8:ce:02:44:b2:7b:90:3d:e1:97:42:b1:02:fe:ab: + 1c:2a:89:81:50:81:42:9f:7f:87:41:87:be:b5:bc: + c0:9f:33:81:26:81:86:24:a9:4c:72:6c:7f:e9:a8: + 71:1f:aa:45:4a:38:bd:c8:57:c4:25:8c:47:14:d0: + e0:60:4b:07:ee:bb:52:b9:95:d3:66:24:c4:6b:79: + 36:83:af:6b:b8:01:8f:67:f2:81:7f:3e:fe:c3:4f: + 72:ac:06:65:43:39:0f:fc:5f:71:bc:5c:12:f6:36: + ef:27:61:a0:32:4c:d1:cd:e1:15:e2:64:b5:fd:fd: + 54:d5:63:45:a1:96:9a:38:50:c5:b7:7e:0e:fb:96: + d9:a7:a7:4f:58:58:af:a1:17:50:fa:66:62:43:1e: + 8a:38:6a:7c:54:3f:8d:5a:12:5c:e3:cc:95:55:25: + 9b:ee:bc:33:40:3a:54:cb:39:3e:6c:17:30:79:fa: + 24:ba:1c:5a:54:ff:b0:30:11:d4:aa:92:5a:d7:a6: + 39:16:45:d7:74:fe:40:9c:d4:cd:f4:74:34:95:ef: + 4a:99 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + DC:E2:70:D0:59:39:F5:F5:E0:48:E2:A9:5F:35:D2:98:34:EA:20:FB + X509v3 Authority Key Identifier: + keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73 + DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + serial:F9:2F:C6:8B:0E:F1:EB:9E + + X509v3 Extended Key Usage: + TLS Web Client Authentication + 
X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:clt1 + Signature Algorithm: sha256WithRSAEncryption + ad:80:83:dd:ac:17:9c:da:ca:71:c6:99:13:c7:b5:b7:b4:69: + a9:fa:0f:dd:fa:b6:4f:a2:19:10:3a:ea:7e:37:e1:a8:29:a0: + 45:76:7e:d2:a8:08:17:f6:4a:ad:9e:31:ad:b1:b4:e5:5a:3f: + 4a:e3:2f:e3:fa:37:0e:3d:04:ca:aa:9a:8d:4e:6f:a2:35:ae: + 48:37:9e:a3:cc:83:21:34:34:2f:e2:71:c6:51:a1:5b:46:ad: + d5:10:26:ea:e2:4b:18:df:8e:e2:ab:ac:e3:3b:a2:a7:fb:99: + f2:0e:05:3b:76:38:f0:18:fd:44:93:c1:06:79:1d:d5:c3:a6: + bf:c1:0a:98:d8:81:9a:66:a9:85:42:c0:fe:dd:ff:ef:21:6e: + 00:9f:68:0a:df:97:c8:5e:f3:d6:c1:fb:06:d6:40:3d:14:59: + a7:3a:f5:c9:70:fd:b1:93:88:5f:18:45:5d:58:97:60:6a:aa: + a6:6e:74:de:0e:ba:cc:9b:bf:35:3c:b3:f6:0c:1c:48:7c:5d: + 70:73:db:73:db:28:a9:b8:bc:1a:1e:b8:1c:d5:36:03:f3:22: + 91:d1:e7:8d:eb:36:00:f9:10:b2:16:2b:65:e4:6e:1a:9e:5f: + cd:f0:fd:9f:39:8f:71:35:de:5c:57:a8:1a:d0:fa:25:12:80: + fb:9a:da:bb +-----BEGIN CERTIFICATE----- +MIIFXjCCBEagAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv +cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV +BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3 +DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDg1NloXDTI2MDgy +NDE3MDg1NlowgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM +U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15 +T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwRjbHQxMRAwDgYDVQQpEwdFYXN5 +UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDV8hwjWUGHp2gGfS9fqogWSpFZEX/ZKNHs +1sm8sGuQ7kSUROfUuRFI9/HKnvjOAkSye5A94ZdCsQL+qxwqiYFQgUKff4dBh761 +vMCfM4EmgYYkqUxybH/pqHEfqkVKOL3IV8QljEcU0OBgSwfuu1K5ldNmJMRreTaD +r2u4AY9n8oF/Pv7DT3KsBmVDOQ/8X3G8XBL2Nu8nYaAyTNHN4RXiZLX9/VTVY0Wh +lpo4UMW3fg77ltmnp09YWK+hF1D6ZmJDHoo4anxUP41aElzjzJVVJZvuvDNAOlTL +OT5sFzB5+iS6HFpU/7AwEdSqklrXpjkWRdd0/kCc1M30dDSV70qZAgMBAAGjggF+ 
+MIIBejAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0 +ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNzicNBZOfX14EjiqV810pg06iD7MIHr +BgNVHSMEgeMwgeCAFOMr5HTPm7xubeZSHREE/GYfJUpzoYG8pIG5MIG2MQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG +A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p +dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw +HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD5L8aLDvHrnjATBgNV +HSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDwYDVR0RBAgwBoIEY2x0MTAN +BgkqhkiG9w0BAQsFAAOCAQEArYCD3awXnNrKccaZE8e1t7RpqfoP3fq2T6IZEDrq +fjfhqCmgRXZ+0qgIF/ZKrZ4xrbG05Vo/SuMv4/o3Dj0EyqqajU5vojWuSDeeo8yD +ITQ0L+JxxlGhW0at1RAm6uJLGN+O4qus4zuip/uZ8g4FO3Y48Bj9RJPBBnkd1cOm +v8EKmNiBmmaphULA/t3/7yFuAJ9oCt+XyF7z1sH7BtZAPRRZpzr1yXD9sZOIXxhF +XViXYGqqpm503g66zJu/NTyz9gwcSHxdcHPbc9soqbi8Gh64HNU2A/MikdHnjes2 +APkQshYrZeRuGp5fzfD9nzmPcTXeXFeoGtD6JRKA+5rauw== +-----END CERTIFICATE----- diff --git a/tests/cfg/pki/keys/ca.crt b/tests/cfg/pki/keys/ca.crt new file mode 100644 index 0000000..c482b08 --- /dev/null +++ b/tests/cfg/pki/keys/ca.crt 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFEjCCA/qgAwIBAgIJAPkvxosO8eueMA0GCSqGSIb3DQEBCwUAMIG2MQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG +A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p +dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw +HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wHhcNMTYwODI2MTcwNjMx +WhcNMjYwODI0MTcwNjMxWjCBtjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUw +EwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZvcnQtRnVuc3RvbjEdMBsG +A1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNVBAMTD0ZvcnQtRnVuc3Rv +biBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0 +Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1NZs05qa ++/07CjD+XWYienpCY0MSwQIWfzdMMCYhj9XdLYVS78Qt543nQ+KFdlIUvXKZteMz +0eYhPrRuqO+IJqBY/c35HLbz1RWhPta7UzUY2iFK+b2ja55KJvpoTESXWhrX5dNS +qzkuoYScn8FDADWbT04kcJmJYwcCucZl++as8yNQrNgOeItZbj9xiFpkq8Xy0aQ0 +U0G7+Ip1+Z3TNzP/sZ5Jg5CIuZhs7+pkoFqrEJhSpjAdAXb5ZdioLsqE7sDSyeVa +8RM6a9y3fVAGY45/oZ02i/cAoWz9Oe4702QnhxHwdwEBF3JOHwdDDhrZdF9PmCKB +4cMZ+8gCs8vIewIDAQABo4IBHzCCARswHQYDVR0OBBYEFOMr5HTPm7xubeZSHREE +/GYfJUpzMIHrBgNVHSMEgeMwgeCAFOMr5HTPm7xubeZSHREE/GYfJUpzoYG8pIG5 +MIG2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5j +aXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXph +dGlvbmFsVW5pdDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdF +YXN5UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD5L8aL +DvHrnjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAP8mlnPOO15Xsl +DBAI3/PD7HbgPfQCq/7mOkW+QFFMOZ4HqZcgdVUM/yhkzpEQJBrQgYr4X1I48D8N +bdcG8JEEOXwgj/xu1M+buZIeh0vBQ1j4zNjzYhcho5kiUwW8vVvHyFhugfZUpQZL +WnR8GTP00/XuBNqTuXBnBzT8/MTBec4TDPfG7f0Tyosypvg9R8TYuZmYU8qdpVMA +W4JxpVGmCyUTi/7gQnntpUm7fbCwD166/phJXU5tuMyDdNuejd3mmkM4euHpL07m +CD5kizBstiHWRrb0vOzvZenZg8pCzJjSTJhfA1gPd4z1XUYN5HRWqqcE2UiR88b+ +OChbJBgi +-----END CERTIFICATE----- diff --git a/tests/cfg/pki/keys/ca.key b/tests/cfg/pki/keys/ca.key new file mode 100644 index 0000000..53888de --- /dev/null 
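Review bot: The CA certificate's validity window closes in 2026 — the validity field encoded in the PEM appears to decode to 20160826170631Z/20260824170631Z, matching the `Not After : Aug 24 ... 2026 GMT` printed for the leaf certificates — so every test that chains to this fixture starts failing on that date with no hint why. The same ten-year window anchored at Aug 26 2016 applies to clt1.crt, ts.uts-server.org.crt, tsa1.crt and tsa2.crt. Consider generating the PKI at test-setup time instead of shipping it, or at least document the expiry next to the fixtures with a line such as `# Test PKI generated 2016-08-26; all certificates expire 2026-08-24 — regenerate before then` so the eventual failure is recognisable.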
+++ b/tests/cfg/pki/keys/ca.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDU1mzTmpr7/TsK +MP5dZiJ6ekJjQxLBAhZ/N0wwJiGP1d0thVLvxC3njedD4oV2UhS9cpm14zPR5iE+ +tG6o74gmoFj9zfkctvPVFaE+1rtTNRjaIUr5vaNrnkom+mhMRJdaGtfl01KrOS6h +hJyfwUMANZtPTiRwmYljBwK5xmX75qzzI1Cs2A54i1luP3GIWmSrxfLRpDRTQbv4 +inX5ndM3M/+xnkmDkIi5mGzv6mSgWqsQmFKmMB0Bdvll2KguyoTuwNLJ5VrxEzpr +3Ld9UAZjjn+hnTaL9wChbP057jvTZCeHEfB3AQEXck4fB0MOGtl0X0+YIoHhwxn7 +yAKzy8h7AgMBAAECggEAPoNQaYJifRruqVqki2hBPjoEn8UGkBv94ZWrUgURHH8T +PJiJOJUlanp6b6zryEnpf49WaF74THFMWG+EhSf9lGLKYJmLzoxJ5883kg5d7N2O +lBrtO5cgla5jVzl7QtNupO93dDByeooMETKzEhUgicI1AMER4OSnvqdDfK8yKx8X +ej3/t/7zoH4+WCZuRuJs6yo8KdVckr0Kc7T/9aksr3mk8aq/o4FvBMBMswVki5UF +bw6veVmvvpW+Dy3Z8nmsov1QKi4GgHG0ZorgezwaUp7xVdzWsd1EpVNFWKBJ2s0G +WBn/A3ihTom8BUICqQNSfPVxUUKkR+CzuqeWN6QegQKBgQDym/+vHWuLlAQMNj1J +Cp0ql4DlaGQGCgyJBYObHTk7H03/D3ZyQj1olJ/NCYWY9txXyEVtqvGejKWkhyHR +VS1/K/EB4xkacTC0mXxn8CaN3wM2+ayIZCS1FVLILhvSSNhSThy2FoR5pZ1CVGmC +RooCO3g4B45TazTS8nyXk9qsQQKBgQDglcJ6xBgGeJDW5vOdwtH2lxgEKsou5XsV +tRJ7p7LvrKyi+ZcFCqZi1qIvlRR8fbsd25mFPRZXgxhDDMIFud9sxO1TSEDWslcK +cKYKBU0KCxqScZHmwv/P6IH1y68OW//85JUBYf53k4TesX5GQ+brx4a7+c3d9+EZ +GHA7nca1uwKBgQCFWFLHOB9lPzyeTa2PmOLbhxwUezUG0L0lDr/QINbU9RbUivYq +RNglxBK1CnfApGZlZTEr3togr+NXM+LVgMCZ9lfoFp80lmQTz4y+QBOgxKOqsr4u +1QQL96VhW151TQ6A5mgHeQblKa7uxyCatxSht3gTK6wBk5ocG6V5Vo3JQQKBgEHj +TeIsg4vqdTvHF/PRwz2gCFi4oQZvJtQwglKq2XE9bIyHwwmknTnkFEL3bsIzNOFG +mtyfFl3oRQbuyEFbzbOgdqv3R6Z1Pdn/QIcyFO78YPhTv2U/EkPRx8bv0dTZotlz +yk9Ui45TRij7U7uTkjzcFagyWnZjkbOGGu8yk6ifAoGBAJn8JqkQLryz/eAzM9vw +YIjEXxh4pqvflQtlD5rK+PSxceq7pDObaRyPx38Sv0G+usAPjSUGUiUaVwqhaqVG +pPKqCJtUtBpSHClZzHuUnh91BAE0c5V1zJI9GNCccKy94A1cIP9fApP7aqLn6uaP +rr/mnZBf1ip0YN6dTEtUh5iW +-----END PRIVATE KEY----- diff --git a/tests/cfg/pki/keys/clt1.crt b/tests/cfg/pki/keys/clt1.crt new file mode 100644 index 0000000..8b33bf7 --- /dev/null +++ b/tests/cfg/pki/keys/clt1.crt 
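Review bot: ca.key is the unencrypted private key of the CA that signs every other fixture certificate, committed in clear alongside clt1.key, ts.uts-server.org.key and tsa1.key, and nothing in the commit marks the directory as disposable test material. A short README or header comment in tests/cfg/pki stating that these keys are public, intended only for the test suite and not to be installed into any trust store would prevent the fixture CA from being reused by mistake. If the project runs a secret scanner, an allow-list entry for this directory with that justification keeps the scanner's findings meaningful.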
@@ -0,0 +1,98 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5 (0x5) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + Validity + Not Before: Aug 26 17:08:56 2016 GMT + Not After : Aug 24 17:08:56 2026 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=clt1/name=EasyRSA/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d5:f2:1c:23:59:41:87:a7:68:06:7d:2f:5f:aa: + 88:16:4a:91:59:11:7f:d9:28:d1:ec:d6:c9:bc:b0: + 6b:90:ee:44:94:44:e7:d4:b9:11:48:f7:f1:ca:9e: + f8:ce:02:44:b2:7b:90:3d:e1:97:42:b1:02:fe:ab: + 1c:2a:89:81:50:81:42:9f:7f:87:41:87:be:b5:bc: + c0:9f:33:81:26:81:86:24:a9:4c:72:6c:7f:e9:a8: + 71:1f:aa:45:4a:38:bd:c8:57:c4:25:8c:47:14:d0: + e0:60:4b:07:ee:bb:52:b9:95:d3:66:24:c4:6b:79: + 36:83:af:6b:b8:01:8f:67:f2:81:7f:3e:fe:c3:4f: + 72:ac:06:65:43:39:0f:fc:5f:71:bc:5c:12:f6:36: + ef:27:61:a0:32:4c:d1:cd:e1:15:e2:64:b5:fd:fd: + 54:d5:63:45:a1:96:9a:38:50:c5:b7:7e:0e:fb:96: + d9:a7:a7:4f:58:58:af:a1:17:50:fa:66:62:43:1e: + 8a:38:6a:7c:54:3f:8d:5a:12:5c:e3:cc:95:55:25: + 9b:ee:bc:33:40:3a:54:cb:39:3e:6c:17:30:79:fa: + 24:ba:1c:5a:54:ff:b0:30:11:d4:aa:92:5a:d7:a6: + 39:16:45:d7:74:fe:40:9c:d4:cd:f4:74:34:95:ef: + 4a:99 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + DC:E2:70:D0:59:39:F5:F5:E0:48:E2:A9:5F:35:D2:98:34:EA:20:FB + X509v3 Authority Key Identifier: + keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73 + DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + serial:F9:2F:C6:8B:0E:F1:EB:9E + + X509v3 Extended Key Usage: + TLS Web Client Authentication + 
X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:clt1 + Signature Algorithm: sha256WithRSAEncryption + ad:80:83:dd:ac:17:9c:da:ca:71:c6:99:13:c7:b5:b7:b4:69: + a9:fa:0f:dd:fa:b6:4f:a2:19:10:3a:ea:7e:37:e1:a8:29:a0: + 45:76:7e:d2:a8:08:17:f6:4a:ad:9e:31:ad:b1:b4:e5:5a:3f: + 4a:e3:2f:e3:fa:37:0e:3d:04:ca:aa:9a:8d:4e:6f:a2:35:ae: + 48:37:9e:a3:cc:83:21:34:34:2f:e2:71:c6:51:a1:5b:46:ad: + d5:10:26:ea:e2:4b:18:df:8e:e2:ab:ac:e3:3b:a2:a7:fb:99: + f2:0e:05:3b:76:38:f0:18:fd:44:93:c1:06:79:1d:d5:c3:a6: + bf:c1:0a:98:d8:81:9a:66:a9:85:42:c0:fe:dd:ff:ef:21:6e: + 00:9f:68:0a:df:97:c8:5e:f3:d6:c1:fb:06:d6:40:3d:14:59: + a7:3a:f5:c9:70:fd:b1:93:88:5f:18:45:5d:58:97:60:6a:aa: + a6:6e:74:de:0e:ba:cc:9b:bf:35:3c:b3:f6:0c:1c:48:7c:5d: + 70:73:db:73:db:28:a9:b8:bc:1a:1e:b8:1c:d5:36:03:f3:22: + 91:d1:e7:8d:eb:36:00:f9:10:b2:16:2b:65:e4:6e:1a:9e:5f: + cd:f0:fd:9f:39:8f:71:35:de:5c:57:a8:1a:d0:fa:25:12:80: + fb:9a:da:bb +-----BEGIN CERTIFICATE----- +MIIFXjCCBEagAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv +cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV +BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3 +DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDg1NloXDTI2MDgy +NDE3MDg1NlowgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM +U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15 +T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwRjbHQxMRAwDgYDVQQpEwdFYXN5 +UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDV8hwjWUGHp2gGfS9fqogWSpFZEX/ZKNHs +1sm8sGuQ7kSUROfUuRFI9/HKnvjOAkSye5A94ZdCsQL+qxwqiYFQgUKff4dBh761 +vMCfM4EmgYYkqUxybH/pqHEfqkVKOL3IV8QljEcU0OBgSwfuu1K5ldNmJMRreTaD +r2u4AY9n8oF/Pv7DT3KsBmVDOQ/8X3G8XBL2Nu8nYaAyTNHN4RXiZLX9/VTVY0Wh +lpo4UMW3fg77ltmnp09YWK+hF1D6ZmJDHoo4anxUP41aElzjzJVVJZvuvDNAOlTL +OT5sFzB5+iS6HFpU/7AwEdSqklrXpjkWRdd0/kCc1M30dDSV70qZAgMBAAGjggF+ 
+MIIBejAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0 +ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNzicNBZOfX14EjiqV810pg06iD7MIHr +BgNVHSMEgeMwgeCAFOMr5HTPm7xubeZSHREE/GYfJUpzoYG8pIG5MIG2MQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG +A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p +dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw +HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD5L8aLDvHrnjATBgNV +HSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDwYDVR0RBAgwBoIEY2x0MTAN +BgkqhkiG9w0BAQsFAAOCAQEArYCD3awXnNrKccaZE8e1t7RpqfoP3fq2T6IZEDrq +fjfhqCmgRXZ+0qgIF/ZKrZ4xrbG05Vo/SuMv4/o3Dj0EyqqajU5vojWuSDeeo8yD +ITQ0L+JxxlGhW0at1RAm6uJLGN+O4qus4zuip/uZ8g4FO3Y48Bj9RJPBBnkd1cOm +v8EKmNiBmmaphULA/t3/7yFuAJ9oCt+XyF7z1sH7BtZAPRRZpzr1yXD9sZOIXxhF +XViXYGqqpm503g66zJu/NTyz9gwcSHxdcHPbc9soqbi8Gh64HNU2A/MikdHnjes2 +APkQshYrZeRuGp5fzfD9nzmPcTXeXFeoGtD6JRKA+5rauw== +-----END CERTIFICATE----- diff --git a/tests/cfg/pki/keys/clt1.csr b/tests/cfg/pki/keys/clt1.csr new file mode 100644 index 0000000..661d7c3 --- /dev/null +++ b/tests/cfg/pki/keys/clt1.csr 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC8TCCAdkCAQAwgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UE +BxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsT +FE15T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwRjbHQxMRAwDgYDVQQpEwdF +YXN5UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDV8hwjWUGHp2gGfS9fqogWSpFZEX/Z +KNHs1sm8sGuQ7kSUROfUuRFI9/HKnvjOAkSye5A94ZdCsQL+qxwqiYFQgUKff4dB +h761vMCfM4EmgYYkqUxybH/pqHEfqkVKOL3IV8QljEcU0OBgSwfuu1K5ldNmJMRr +eTaDr2u4AY9n8oF/Pv7DT3KsBmVDOQ/8X3G8XBL2Nu8nYaAyTNHN4RXiZLX9/VTV +Y0Whlpo4UMW3fg77ltmnp09YWK+hF1D6ZmJDHoo4anxUP41aElzjzJVVJZvuvDNA +OlTLOT5sFzB5+iS6HFpU/7AwEdSqklrXpjkWRdd0/kCc1M30dDSV70qZAgMBAAGg +ADANBgkqhkiG9w0BAQsFAAOCAQEAk0u+mwQtAqx5g6BLXTgSwzcHGpxItbOasuIv +8BtQsVoIvbVzUu8v83BjJK2OfusTqgLQvDafAbCPn7LUbKFLW6/tHtsgdCDEuY1R ++1FuFmI16E2OukJc8A/rfkIrYl9uV5VKE3irU5rGF0EMWwfixxu8Vnv9VzTPEoL6 +B8rqAKE6uFm9IKoJPeDb/nv73PhpPbU76qb/aYJ60Hh1jEXAe8THKxU1oH2z2DWx +4kYCncjjfhrwaQZQ9FHH8/gZ1Xjn55+fAz82rPPdZVtJM2PlGUzzLfaDn9En4tU9 +vVt1/5NU4gZeUVuPH0wyjeNDSZmczX610k+Me4eccKspOtIL2A== +-----END CERTIFICATE REQUEST----- diff --git a/tests/cfg/pki/keys/clt1.key b/tests/cfg/pki/keys/clt1.key new file mode 100644 index 0000000..d89d5ce --- /dev/null +++ b/tests/cfg/pki/keys/clt1.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDV8hwjWUGHp2gG +fS9fqogWSpFZEX/ZKNHs1sm8sGuQ7kSUROfUuRFI9/HKnvjOAkSye5A94ZdCsQL+ +qxwqiYFQgUKff4dBh761vMCfM4EmgYYkqUxybH/pqHEfqkVKOL3IV8QljEcU0OBg +Swfuu1K5ldNmJMRreTaDr2u4AY9n8oF/Pv7DT3KsBmVDOQ/8X3G8XBL2Nu8nYaAy +TNHN4RXiZLX9/VTVY0Whlpo4UMW3fg77ltmnp09YWK+hF1D6ZmJDHoo4anxUP41a +ElzjzJVVJZvuvDNAOlTLOT5sFzB5+iS6HFpU/7AwEdSqklrXpjkWRdd0/kCc1M30 +dDSV70qZAgMBAAECggEAdX75pRAnxPBTWPz3P3rQMi3RlTDfHcwlPgTX1iCtcnLo +huUwzMq2i3Rf/f9AdSMZx0vE87co8x9znZkrZtENi8DxbdcD2SFLw1NeFhCbJSKN +ISU5Lr4XoaM4PUOtug1fbN+GgXiAsRXlo/yQ5rNJw1JdPwOCO+Pd5IQ6jFuO/m5X +T2ZpsmSeI0q8f5oe4mjKelyMJhbO4eBZiZg421Q7BkWqc+waeEaFWjppmaaiqA/7 +sva3KSP/GyEyc3a62vsE2f0zqkc9xQo1s4GTgBt4AOWuOe6oDxhaNygU66LeOLUH +yL/qfbzd4c8kdZieeMC2vZU/6fmPfPJ0HsUjllXW4QKBgQDsB8w8ydfYai4c6yHF +ntaDZ32JYbPfWwQ+sI9AhlNfV8aSoO8Vhkn1aPgS+AYq+7SwV3CKJPeClRr88gU6 +/utZ19uPRAckng0ZvdejUe6saMVLCG3FgskONc/a8wBv1JBuq37cQbrd+Fr+A6bU +5BwxoRMch/QMlg42DXBWTLSvPwKBgQDoC/o7gqs1XxYFsh54iYWnIBJUEu0XP15E +XACUf2UKSGEicRhjIDR45oMTFhGdh+43Etzkes/VavwNAqaNzggJPKUJz0SAbDmo +mhKAqAJE5u4e8V4P+3ZUpE20lpC8d4b0fm3JM7UP6IdH91e4lXyangZr875mZRrM +z+d1KgloJwKBgQCkUy17KN9wWUQvd/g0OMiKBbQdwHrVRu2mo4+oUZyb5WVnUkoB +x1OYWvNTaYAJzuHWX5oHY4M6U4rNjcXcc/vwudqvXKJIeQ0P3d7SYslzGSI6gezC +tLI7hXVnrwSf1vKTSixxNgXeYfkfnfU5hHKojsbad0COvq24LhUG0DJ/SwKBgQCg +xcOvPb6fsOzSL3H7M9U9UPRB+gb5B3epx1DDkmyQLkvWkCNEcsjIR3XjYHP+AHMl +B1WynACproFKBl8devWIaNM0M74TeGiOj4loSH+h+5paKANy8VgwFtKb34ISgoIn +nf003TWC+ynXy+CkTDZT7k8mtm9iBIUICLgmLmTsGwKBgFoLwh1kCjIKqmjSnZdS +OzTpAa49xDE0fkGXWCnW2E+KMIBZE/VOPh0MYj2YWThKqt5yEk+tPmxiyxvo5ohH +2GZKOzkcsOpZROaNfX/9edPDsL0VYHv0IDPDcoJyiEGANh0VwIqFUAX6Hmwzno6Q +nw7R4xO7SN9M9fxuexGrU3Ba +-----END PRIVATE KEY----- diff --git a/tests/cfg/pki/keys/index.txt b/tests/cfg/pki/keys/index.txt new file mode 100644 index 0000000..56e0993 --- /dev/null +++ b/tests/cfg/pki/keys/index.txt 
@@ -0,0 +1,5 @@ +V 260824170732Z 01 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=-h/name=EasyRSA/emailAddress=me@myhost.mydomain +V 260824170814Z 02 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=ts.uts-server.org/name=EasyRSA/emailAddress=me@myhost.mydomain +V 260824170843Z 03 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=tsa1/name=EasyRSA/emailAddress=me@myhost.mydomain +V 260824170844Z 04 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=tsa2/name=EasyRSA/emailAddress=me@myhost.mydomain +V 260824170856Z 05 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=clt1/name=EasyRSA/emailAddress=me@myhost.mydomain diff --git a/tests/cfg/pki/keys/index.txt.attr b/tests/cfg/pki/keys/index.txt.attr new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/tests/cfg/pki/keys/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/tests/cfg/pki/keys/index.txt.attr.old b/tests/cfg/pki/keys/index.txt.attr.old new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/tests/cfg/pki/keys/index.txt.attr.old @@ -0,0 +1 @@ +unique_subject = yes diff --git a/tests/cfg/pki/keys/index.txt.old b/tests/cfg/pki/keys/index.txt.old new file mode 100644 index 0000000..ac55022 --- /dev/null +++ b/tests/cfg/pki/keys/index.txt.old 
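Review bot: The first entry in index.txt records a valid (`V`) certificate with serial 01 and `CN=-h`, but no 01 certificate, CSR or key is part of the commit; the name suggests a `-h` argument was taken as the common name when the fixtures were generated. With `unique_subject = yes` the CA database now asserts a certificate that does not exist, which matters if any test later issues or revokes through this CA. The `.old` copies (index.txt.old, index.txt.attr.old, serial.old) are openssl ca scratch state rather than fixtures. Either regenerate the database so it lists only the four certificates actually shipped, or revoke serial 01 so the index stays consistent, and drop the `.old` files.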
@@ -0,0 +1,4 @@ +V 260824170732Z 01 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=-h/name=EasyRSA/emailAddress=me@myhost.mydomain +V 260824170814Z 02 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=ts.uts-server.org/name=EasyRSA/emailAddress=me@myhost.mydomain +V 260824170843Z 03 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=tsa1/name=EasyRSA/emailAddress=me@myhost.mydomain +V 260824170844Z 04 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=tsa2/name=EasyRSA/emailAddress=me@myhost.mydomain diff --git a/tests/cfg/pki/keys/serial b/tests/cfg/pki/keys/serial new file mode 100644 index 0000000..cd672a5 --- /dev/null +++ b/tests/cfg/pki/keys/serial @@ -0,0 +1 @@ +06 diff --git a/tests/cfg/pki/keys/serial.old b/tests/cfg/pki/keys/serial.old new file mode 100644 index 0000000..eeee65e --- /dev/null +++ b/tests/cfg/pki/keys/serial.old @@ -0,0 +1 @@ +05 diff --git a/tests/cfg/pki/keys/ts.uts-server.org.crt b/tests/cfg/pki/keys/ts.uts-server.org.crt new file mode 100644 index 0000000..60814a2 --- /dev/null +++ b/tests/cfg/pki/keys/ts.uts-server.org.crt 
@@ -0,0 +1,99 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + Validity + Not Before: Aug 26 17:08:14 2016 GMT + Not After : Aug 24 17:08:14 2026 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=ts.uts-server.org/name=EasyRSA/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d3:50:7a:93:b7:10:8e:d2:2e:31:30:f6:10:9f: + bc:d6:db:ab:f0:4c:96:46:d2:bf:b2:2a:a0:f6:f7: + 5c:48:83:66:54:75:3e:a3:25:20:89:2d:f7:9a:c5: + 32:12:b1:32:a0:99:27:f4:9c:f0:e8:a2:19:9b:83: + a6:e1:aa:42:0a:f4:0b:81:a2:9c:3e:f2:5a:1c:ad: + 5e:f8:24:12:e9:ec:75:cc:43:7c:6b:16:9a:5f:aa: + 9e:39:b5:9f:2c:3e:b0:3f:cd:31:7f:90:46:a9:60: + 74:d3:e0:18:e8:ee:0e:71:bf:37:bc:fe:2b:94:33: + 61:3d:01:02:ed:f8:b8:66:6a:9f:76:c0:06:c8:06: + 2b:70:5e:87:d2:17:b7:cd:aa:40:1f:ae:af:a4:c7: + 3f:60:bc:be:54:ee:30:4e:fe:8e:2d:32:27:5c:f9: + af:2f:f9:f1:d2:2b:08:b5:6d:89:8b:84:3e:e9:d4: + e8:0b:c4:d7:5f:07:4e:96:5c:a2:4b:63:ef:a8:49: + 55:39:55:34:1d:b5:ce:8e:5d:13:69:8d:52:d5:1e: + 30:f9:ed:73:0b:2b:7d:8c:e1:c0:93:a9:28:20:d7: + f0:ec:04:37:bf:4b:85:0e:e2:3a:e8:54:ad:d9:e3: + 27:8f:c7:43:8e:65:e1:f9:51:f0:c3:96:f2:0e:8d: + 83:79 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + FF:2D:69:50:05:46:A3:95:F4:A3:E0:2E:34:39:EF:9B:BC:E2:F0:86 + X509v3 Authority Key Identifier: + keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73 + DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + serial:F9:2F:C6:8B:0E:F1:EB:9E + + X509v3 Extended Key Usage: + TLS Web Client 
Authentication + X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:ts.uts-server.org + Signature Algorithm: sha256WithRSAEncryption + d2:ff:65:c8:fe:69:7d:fd:99:b9:4e:4c:c3:fe:ff:97:74:59: + a1:89:b6:47:b3:10:79:76:ee:7b:0b:26:7e:db:cd:fd:e1:52: + 4b:94:78:3e:72:ba:8c:58:48:4f:67:ef:05:29:9e:7b:1a:07: + 82:72:27:67:78:ef:43:e1:67:08:73:2c:11:e1:91:f4:4e:73: + 5a:a8:09:61:9f:33:d1:33:c7:43:10:8b:a9:e8:16:63:97:e9: + 81:63:74:f4:5a:b5:fc:88:46:a6:c9:c4:89:23:1d:ac:4a:02: + 3f:29:ae:59:a2:6f:37:a1:27:e1:6e:34:c8:99:35:0b:50:5e: + bc:3d:64:01:7e:5e:4e:ee:79:48:a9:e6:26:bb:2d:f8:18:88: + ea:22:df:8e:7b:71:24:c1:6b:17:26:4c:96:0c:d0:d2:b4:29: + 9a:1d:9a:ae:26:2b:aa:95:a9:9b:15:58:a6:9a:c4:5b:48:64: + ff:e0:e6:fb:53:37:0d:20:83:94:95:4e:5a:b9:3c:62:47:bc: + fb:6d:0a:eb:f2:b1:9c:d7:ee:30:9b:07:9f:1a:27:1f:e0:bb: + 5e:36:4b:06:19:10:89:43:14:98:fc:cd:52:82:48:59:cc:77: + 64:bd:ff:e7:b4:b1:00:ad:7a:94:c6:47:c7:f9:32:25:ad:2c: + 14:e6:1c:df +-----BEGIN CERTIFICATE----- +MIIFeDCCBGCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv +cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV +BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3 +DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDgxNFoXDTI2MDgy +NDE3MDgxNFowgbgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM +U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15 +T3JnYW5pemF0aW9uYWxVbml0MRowGAYDVQQDExF0cy51dHMtc2VydmVyLm9yZzEQ +MA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9t +YWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA01B6k7cQjtIuMTD2 +EJ+81tur8EyWRtK/siqg9vdcSINmVHU+oyUgiS33msUyErEyoJkn9Jzw6KIZm4Om +4apCCvQLgaKcPvJaHK1e+CQS6ex1zEN8axaaX6qeObWfLD6wP80xf5BGqWB00+AY +6O4Ocb83vP4rlDNhPQEC7fi4ZmqfdsAGyAYrcF6H0he3zapAH66vpMc/YLy+VO4w +Tv6OLTInXPmvL/nx0isItW2Ji4Q+6dToC8TXXwdOllyiS2PvqElVOVU0HbXOjl0T +aY1S1R4w+e1zCyt9jOHAk6koINfw7AQ3v0uFDuI66FSt2eMnj8dDjmXh+VHww5by 
+Do2DeQIDAQABo4IBizCCAYcwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFz +eS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT/LWlQBUajlfSj +4C40Oe+bvOLwhjCB6wYDVR0jBIHjMIHggBTjK+R0z5u8bm3mUh0RBPxmHyVKc6GB +vKSBuTCBtjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5G +cmFuY2lzY28xFTATBgNVBAoTDEZvcnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdh +bml6YXRpb25hbFVuaXQxGDAWBgNVBAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UE +KRMHRWFzeVJTQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluggkA ++S/Giw7x654wEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMBwGA1Ud +EQQVMBOCEXRzLnV0cy1zZXJ2ZXIub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQDS/2XI +/ml9/Zm5TkzD/v+XdFmhibZHsxB5du57CyZ+28394VJLlHg+crqMWEhPZ+8FKZ57 +GgeCcidneO9D4WcIcywR4ZH0TnNaqAlhnzPRM8dDEIup6BZjl+mBY3T0WrX8iEam +ycSJIx2sSgI/Ka5Zom83oSfhbjTImTULUF68PWQBfl5O7nlIqeYmuy34GIjqIt+O +e3EkwWsXJkyWDNDStCmaHZquJiuqlambFVimmsRbSGT/4Ob7UzcNIIOUlU5auTxi +R7z7bQrr8rGc1+4wmwefGicf4LteNksGGRCJQxSY/M1SgkhZzHdkvf/ntLEArXqU +xkfH+TIlrSwU5hzf +-----END CERTIFICATE----- diff --git a/tests/cfg/pki/keys/ts.uts-server.org.csr b/tests/cfg/pki/keys/ts.uts-server.org.csr new file mode 100644 index 0000000..7a27d15 --- /dev/null +++ b/tests/cfg/pki/keys/ts.uts-server.org.csr 
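Review bot: ts.uts-server.org.crt carries only the `TLS Web Client Authentication` extended key usage and a `Digital Signature` key usage, yet its name and the `DNS:ts.uts-server.org` SAN read like a TLS server certificate. Clients that enforce extendedKeyUsage (OpenSSL's server purpose check, browsers) reject such a certificate on the listening side, so a test presenting it as a server certificate exercises a configuration real deployments cannot use; if it is meant for the server role, reissue it with the server-auth EKU. If it is deliberately a client certificate, a comment in the test configuration naming its role would remove the ambiguity.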
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC/jCCAeYCAQAwgbgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UE +BxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsT +FE15T3JnYW5pemF0aW9uYWxVbml0MRowGAYDVQQDExF0cy51dHMtc2VydmVyLm9y +ZzEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15 +ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA01B6k7cQjtIu +MTD2EJ+81tur8EyWRtK/siqg9vdcSINmVHU+oyUgiS33msUyErEyoJkn9Jzw6KIZ +m4Om4apCCvQLgaKcPvJaHK1e+CQS6ex1zEN8axaaX6qeObWfLD6wP80xf5BGqWB0 +0+AY6O4Ocb83vP4rlDNhPQEC7fi4ZmqfdsAGyAYrcF6H0he3zapAH66vpMc/YLy+ +VO4wTv6OLTInXPmvL/nx0isItW2Ji4Q+6dToC8TXXwdOllyiS2PvqElVOVU0HbXO +jl0TaY1S1R4w+e1zCyt9jOHAk6koINfw7AQ3v0uFDuI66FSt2eMnj8dDjmXh+VHw +w5byDo2DeQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAL+AN6jZ6QA2yxFk2rWy +4dqrDl+FGsxwIM9FTDD527+PgA0by8bPCLG+f/ep4HdH9CNJhmhArBcRLUs80b7H +fO8tvqDC7IE4Xahpc4sZHL2wJC0dVFsGtSk5wUmW9JnF2p0xy8EVF7aOYAalC1Lo +10y+6JqKZOyJOeLTjhmjpjtYI9qP8ss61Vw7Z8AkDJHelw/Bv2SYQ6uztDm8PvVW +aESnloNlAUmaqVqG+iDZ0ZaSyPy9Haf/O1kygyu7ganS+jXHm3T8LoCNYTCb03IV +zNVSP+N07sNfSGErhmMPi2MO5ahEJaTxfjo31MqvwOl4S45zjjnQoFc2HWEjX1OH +YlE= +-----END CERTIFICATE REQUEST----- diff --git a/tests/cfg/pki/keys/ts.uts-server.org.key b/tests/cfg/pki/keys/ts.uts-server.org.key new file mode 100644 index 0000000..0bb744e --- /dev/null +++ b/tests/cfg/pki/keys/ts.uts-server.org.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDTUHqTtxCO0i4x +MPYQn7zW26vwTJZG0r+yKqD291xIg2ZUdT6jJSCJLfeaxTISsTKgmSf0nPDoohmb +g6bhqkIK9AuBopw+8locrV74JBLp7HXMQ3xrFppfqp45tZ8sPrA/zTF/kEapYHTT +4Bjo7g5xvze8/iuUM2E9AQLt+Lhmap92wAbIBitwXofSF7fNqkAfrq+kxz9gvL5U +7jBO/o4tMidc+a8v+fHSKwi1bYmLhD7p1OgLxNdfB06WXKJLY++oSVU5VTQdtc6O +XRNpjVLVHjD57XMLK32M4cCTqSgg1/DsBDe/S4UO4jroVK3Z4yePx0OOZeH5UfDD +lvIOjYN5AgMBAAECggEBAKa35h3I3v1vghY5ZMn03U4+/kaWhjHWcHum+lwfCOYF +FaUo44Rf9G2GoMWxMzJgL2tZqpZphABmdAGoOu/sHjL6HGHo45EeME5T0ovAGlQI +xV+lFvJ+YMl9mVw6mRyVUQTlZVoZgEZ93W6UbdLIjwjbLqSje8pvRxaUR7Vs+D+E +DBBiAGWu74HKNzQ8GvoEZ/1tjI6/EZUrNY6tIJ7I4XyVoiPWnoXlOp0tmgJZLpRv +sTAmUlPoy/gYSxrMY0Ld/ar+gPscSl4KCiCjdH76BjAoTYCb3QyM1olNDOMSbXoP +tvpb3IFAwxs82yn+clpGXAu9v76jU0Sw8HODO0+HVAECgYEA99W+rbtLL0OPIyEY +6JzeEMf4WoIdwl/lzFFIKmZuEJEjrrFTRktiWuBp1V1BAfrUw3UWj2D0OXo45mQA +WVSO9Ked6yMbd98lELkc/n6GXvrDBfgyXyWwsGh9GJXZ+Apn41Ze1p6n0zEel1Fk +MN0AaleCHPf7Y5ZbVbf23d1nXbkCgYEA2ka3nNdhiHwZEfoB2mtF1Sonn301hdCk +Wgvz+ehRv9Z2tSU+mpROjIZ5Th68UuXIeiPLxXN01Z5cdQjNwNpjBiXFpTHRBdXg +woh9snV/ABTJRYUqPabUVMLb8kRL0D4PZy3CLjH92hvKmSYG+WofYNUU1zrbAx1h +RA2JucWUM8ECgYEAxmbdxBUJJmguQZAwcZ+LAuIjRsmda0r8GyoC3LatbCPU7ffV +U5PrxBadgwqpjR0xkNu+WL/kI9Ndk8sAoILaAq/g8ylixv7jnFSlCnNdvNGAqNm9 +8X+pyD+Nzc3A9hnWex9cwvG2JpLPC5JD4/44Y+l0Jx66qEnpCmFAhvLE2jkCgYAs +dpdUhbNCgDUDKnBSM+PnxkyH+pN6jMPN6/1o/OAaOe+4ervD9U4C5imztiMap+As +sToDIL+9/CJNXNu82z+ssukN+5XeoHDGb9NbFQAn3hQZ60RthpxeH8t6EFt5Mgsl +M3cIvfo+AcdFZy+oguudaAp0xXJzsfpsSG2zwAGugQKBgQCkpLHyZLCD2ciOYg4f +V3NqpxviGAYx1FBSr6S97xA1dD7SnH8Mrv/ldxsK0ScGJVFjrGEFiU19HWoIYE9a +4//CVir2hxQ5Z8Ejp9ugTxbKcUukVoHbIw0PnWMJShQNbaGonn8pFJH7BJUZ0eI+ +UhK6b0mz4qIixnYJBxuczj8WGA== +-----END PRIVATE KEY----- diff --git a/tests/cfg/pki/keys/tsa1.crt b/tests/cfg/pki/keys/tsa1.crt new file mode 100644 index 0000000..19d8795 --- /dev/null +++ b/tests/cfg/pki/keys/tsa1.crt 
@@ -0,0 +1,98 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + Validity + Not Before: Aug 26 17:08:43 2016 GMT + Not After : Aug 24 17:08:43 2026 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=tsa1/name=EasyRSA/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c8:00:8c:27:a0:52:ac:87:1f:e5:b4:1c:2d:be: + af:a0:8b:aa:ea:1b:8d:02:30:41:00:1b:3a:34:dc: + 6f:04:5d:9f:c5:59:6f:a5:fa:d5:1e:3c:0e:22:52: + 10:1e:7e:b2:48:b1:65:cd:0c:be:55:60:0e:98:d2: + 34:8d:e9:9b:50:a2:98:92:6b:6a:09:db:9e:f6:f7: + 80:22:d1:8b:f3:71:6e:bd:53:b3:fb:23:70:4e:01: + 20:73:75:12:20:87:37:d3:ca:e5:0b:ff:ba:5e:bd: + ad:cd:ff:05:e2:91:31:7c:b1:99:34:ef:d2:6f:1e: + 22:fe:77:e9:40:ac:8b:dc:f0:e8:23:04:f6:b7:b3: + 60:34:2c:82:df:3c:3d:ca:14:52:d8:8a:57:1f:40: + 1b:70:a2:ac:65:df:54:87:ba:7d:85:7b:d8:93:bd: + 8e:85:fc:de:9a:0b:6a:88:52:b2:27:1b:0c:16:e0: + 87:ba:7c:c9:94:a3:f7:10:79:88:0e:96:b4:a7:40: + 76:00:58:b1:5a:ab:50:89:55:f6:f8:48:4f:76:66: + e5:1c:fa:bb:7a:59:57:df:33:57:7b:d4:0c:36:7f: + d6:6e:0a:40:a2:06:b7:c0:f2:31:f7:55:11:20:74: + cf:68:b2:b2:96:74:4c:58:a0:3e:ec:ee:8e:df:d1: + 51:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + 6D:48:DA:1F:19:A2:88:71:0F:3D:80:5D:AB:44:5C:F5:06:B5:BB:0B + X509v3 Authority Key Identifier: + keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73 + DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + serial:F9:2F:C6:8B:0E:F1:EB:9E + + X509v3 Extended Key Usage: + TLS Web Client Authentication + 
X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:tsa1 + Signature Algorithm: sha256WithRSAEncryption + a2:b6:e1:66:78:ff:d0:f1:53:58:2f:8a:26:0b:c1:7f:71:f8: + 9a:d1:fa:70:f8:5b:b7:ce:da:79:92:52:0b:5f:d1:ed:c1:86: + eb:bc:29:f7:ed:0f:5b:c4:10:ab:a3:ce:9e:97:c8:a0:c8:5c: + af:bc:f2:58:77:00:59:69:85:2f:a1:16:92:45:b8:a9:3b:8d: + 8c:bd:1a:bb:08:07:79:6d:6a:e9:8b:7c:fb:fb:0e:72:0a:e1: + fa:4c:ca:d5:d6:99:fc:2c:5f:1d:8a:28:38:da:bd:d4:88:36: + a2:a4:1a:e5:f9:77:72:e6:ed:13:62:31:19:79:ec:ad:9e:b5: + d1:92:7a:cf:f8:e0:ad:56:dd:5b:68:c6:64:c5:32:51:83:0e: + 89:17:14:22:29:53:09:bb:49:06:3a:f1:02:8f:de:fc:94:59: + 82:3d:d1:97:d8:70:53:ff:b5:0d:04:6f:2a:3f:30:50:7b:b1: + 61:b3:a3:10:ee:94:dd:de:b8:ac:7c:0d:a4:af:f6:c2:8a:74: + dd:e8:95:db:ee:ab:d5:ef:68:0a:96:7c:46:05:93:12:93:d8: + 84:5a:6d:38:ff:69:40:51:84:29:62:91:62:7b:af:17:18:b7: + bb:59:19:89:89:89:5d:75:54:92:bf:75:2f:7e:e4:fb:eb:a7: + ae:b5:a2:2f +-----BEGIN CERTIFICATE----- +MIIFXjCCBEagAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv +cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV +BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3 +DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDg0M1oXDTI2MDgy +NDE3MDg0M1owgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM +U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15 +T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwR0c2ExMRAwDgYDVQQpEwdFYXN5 +UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIAIwnoFKshx/ltBwtvq+gi6rqG40CMEEA +Gzo03G8EXZ/FWW+l+tUePA4iUhAefrJIsWXNDL5VYA6Y0jSN6ZtQopiSa2oJ2572 +94Ai0YvzcW69U7P7I3BOASBzdRIghzfTyuUL/7peva3N/wXikTF8sZk079JvHiL+ +d+lArIvc8OgjBPa3s2A0LILfPD3KFFLYilcfQBtwoqxl31SHun2Fe9iTvY6F/N6a +C2qIUrInGwwW4Ie6fMmUo/cQeYgOlrSnQHYAWLFaq1CJVfb4SE92ZuUc+rt6WVff +M1d71Aw2f9ZuCkCiBrfA8jH3VREgdM9osrKWdExYoD7s7o7f0VH/AgMBAAGjggF+ 
+MIIBejAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0 +ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFG1I2h8ZoohxDz2AXatEXPUGtbsLMIHr +BgNVHSMEgeMwgeCAFOMr5HTPm7xubeZSHREE/GYfJUpzoYG8pIG5MIG2MQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG +A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p +dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw +HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD5L8aLDvHrnjATBgNV +HSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDwYDVR0RBAgwBoIEdHNhMTAN +BgkqhkiG9w0BAQsFAAOCAQEAorbhZnj/0PFTWC+KJgvBf3H4mtH6cPhbt87aeZJS +C1/R7cGG67wp9+0PW8QQq6POnpfIoMhcr7zyWHcAWWmFL6EWkkW4qTuNjL0auwgH +eW1q6Yt8+/sOcgrh+kzK1daZ/CxfHYooONq91Ig2oqQa5fl3cubtE2IxGXnsrZ61 +0ZJ6z/jgrVbdW2jGZMUyUYMOiRcUIilTCbtJBjrxAo/e/JRZgj3Rl9hwU/+1DQRv +Kj8wUHuxYbOjEO6U3d64rHwNpK/2wop03eiV2+6r1e9oCpZ8RgWTEpPYhFptOP9p +QFGEKWKRYnuvFxi3u1kZiYmJXXVUkr91L37k++unrrWiLw== +-----END CERTIFICATE----- diff --git a/tests/cfg/pki/keys/tsa1.csr b/tests/cfg/pki/keys/tsa1.csr new file mode 100644 index 0000000..2961ddb --- /dev/null +++ b/tests/cfg/pki/keys/tsa1.csr 
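Review bot: tsa1.crt (and tsa2.crt) is issued with the `TLS Web Client Authentication` EKU and no `Time Stamping` EKU, although the names suggest they are meant to be RFC 3161 TSA signing certificates. OpenSSL's TS response signer check (X509_PURPOSE_TIMESTAMP_SIGN) requires the signer's extended key usage to contain timeStamping and rejects a certificate without it, so a TSA configured with these fixtures would fail to sign — unless the tests only exercise that error path, which the page does not show. If they are meant to sign timestamps, regenerate them from an extension section that sets `extendedKeyUsage = critical,timeStamping`.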
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC8TCCAdkCAQAwgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UE +BxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsT +FE15T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwR0c2ExMRAwDgYDVQQpEwdF +YXN5UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIAIwnoFKshx/ltBwtvq+gi6rqG40C +MEEAGzo03G8EXZ/FWW+l+tUePA4iUhAefrJIsWXNDL5VYA6Y0jSN6ZtQopiSa2oJ +257294Ai0YvzcW69U7P7I3BOASBzdRIghzfTyuUL/7peva3N/wXikTF8sZk079Jv +HiL+d+lArIvc8OgjBPa3s2A0LILfPD3KFFLYilcfQBtwoqxl31SHun2Fe9iTvY6F +/N6aC2qIUrInGwwW4Ie6fMmUo/cQeYgOlrSnQHYAWLFaq1CJVfb4SE92ZuUc+rt6 +WVffM1d71Aw2f9ZuCkCiBrfA8jH3VREgdM9osrKWdExYoD7s7o7f0VH/AgMBAAGg +ADANBgkqhkiG9w0BAQsFAAOCAQEAF/TgnEcEdYC0tZ/Dr3j03Y6+HMOXUDjN9yQp +1HPZlXc0cl9k3JDMEbqE3xnLF6xkk2CBfG9YkHZwUk/CcoaRAg2qF3/4SF9WfboX +42a1AcMpsbD2tbDAulndvONPREGOx+b4aUJ8ddWDnkQtx7JEoQ57GldgQ4c/bU6v +QfNAtBnnlNDvo1lOYi2RNInTHR/zui6s+z4we95FJcYkh6qlS6/o+tRYu5E7qxVl +P+66RmmlsMydIrM712O8wZSFRoRoHXqrolG+BdWK5nj2CEuhk4g8plNwcMLx/8FI +FGeKATizb4zAAtRnBH3uf3HOVkOgMdNkKJK447zuqaE/+KeG6Q== +-----END CERTIFICATE REQUEST----- diff --git a/tests/cfg/pki/keys/tsa1.key b/tests/cfg/pki/keys/tsa1.key new file mode 100644 index 0000000..8cce4a7 --- /dev/null +++ b/tests/cfg/pki/keys/tsa1.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDIAIwnoFKshx/l +tBwtvq+gi6rqG40CMEEAGzo03G8EXZ/FWW+l+tUePA4iUhAefrJIsWXNDL5VYA6Y +0jSN6ZtQopiSa2oJ257294Ai0YvzcW69U7P7I3BOASBzdRIghzfTyuUL/7peva3N +/wXikTF8sZk079JvHiL+d+lArIvc8OgjBPa3s2A0LILfPD3KFFLYilcfQBtwoqxl +31SHun2Fe9iTvY6F/N6aC2qIUrInGwwW4Ie6fMmUo/cQeYgOlrSnQHYAWLFaq1CJ +Vfb4SE92ZuUc+rt6WVffM1d71Aw2f9ZuCkCiBrfA8jH3VREgdM9osrKWdExYoD7s +7o7f0VH/AgMBAAECggEAJfRcpKR7K/yUpA3TDydRwwDeVYEW+GRZ4YBJQoDWnJh7 +2oLHelMooI07DW5PWsomYT8xF4GkmSUagAvcJ1Y+wEWq+JZj0C0adLmxWmozyeYr +4sgArtch19vE4cRExWGDybCGWQmVv6b1VdNgtYdiQcyeS3p7j9TDRVFSNZDJFgtX +QJBHNnMjP96EtVNUp3aHP/N1a+3FRqjWwCW41xqKYc2Gg9W5peZdso8/6avTu2uJ +dJB7wcccPiIAnfgX3Xs8yMdXsPVR2ZqSDKfC9dHyEO65xYLs1nDo7a6rS7OSarL+ +dOYt85AmUswdr69X72DIzaVRBxgzbg4ONlVodAIr2QKBgQD9sPTFZRsh+RoU3eWF +B4BwF/CA+KuBoKxxDtTp6ARWHal70Q4BZwg5mEhkJ2yslRwBevZHkO8DDKkB53jc +XAHcr2l9VdJni7ynrmoypvDn04vpsxnoY70klyrqSePKD93SU/Ll3hYvF0Ie1IDr +kj3/0TNPIuxzIzX3zkx2J2YerQKBgQDJ0oH79GAt3dUZTmyPvazMSR5JBUWjK0of +aHxo1jBZf9MDtTLNyDxtqKKjEEcBCWrnHt682m7BYVbuU7MC+z1rQ9pWYLDBq0XG +8aY46aR5AudG09l9VDOwZdNsghglstdDURk1zWKsS10x1JwgJdGzKCMZAxO0RrIM +Pf1znA/k2wKBgGh1OYQh6nclo7id2YjaGueM4+mm+q+IYhi3W7HoaAixc/zYiqTH +MNrOOliK5zN0vjBZ2hiDs/aUeu6eyeQqOlYNICmMcfNS1V5R8cZjeORr9btHlM5c +ayAq4m/P9uxXdiXJjUVbGdVQBVi+dUsKT18LW84k+ik6gVlE57Tq6iCNAoGBALA/ +/zYaXxgPHzefbl1FRq+Mtz8LtJnfhzbQl70yOD0gzRXy2vAtCuC1IXsIDwoPwGUg +Z2JD2+9TY4h0XeOfpy6Srg07GYG4YhJwHDqdh/4KFBGdltTFgPJuqmmbXx0lBqqK +G1sKBz7x/ewzgTjt7ijoR2ZjcoTALGNWi42334V7AoGBAPsRnyG2cmruO9/SpQxd +QOjM0QtIGUKsjssiuRMWytYFD+fCv0Ft+iwnLyxCjBY1Ad6qSwtv50hEoygHnJ5X +DiyTptqErIxpSpp0Up8LPN6sXNawM/C7wcvRBGNafK+ijjS38QiWG3enGo5sAG+Y +n6Dq8vmFQAKsFz8o1JwJGteB +-----END PRIVATE KEY----- diff --git a/tests/cfg/pki/keys/tsa2.crt b/tests/cfg/pki/keys/tsa2.crt new file mode 100644 index 0000000..6bbeef4 --- /dev/null +++ b/tests/cfg/pki/keys/tsa2.crt 
@@ -0,0 +1,98 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4 (0x4) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + Validity + Not Before: Aug 26 17:08:44 2016 GMT + Not After : Aug 24 17:08:44 2026 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=tsa2/name=EasyRSA/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9b:34:5c:6b:ac:10:e9:63:50:cd:f5:f1:9e:80: + a8:be:ed:4f:21:25:7c:54:67:8f:f0:c1:16:57:ad: + 1c:c7:14:90:8c:8d:1f:b4:e4:91:3b:fd:2c:44:a1: + c3:7d:1d:f5:cb:54:c2:45:a4:e3:e9:07:14:60:60: + 63:07:d7:6d:92:2b:99:5a:c3:c1:91:87:92:b5:6d: + 4b:d0:22:cd:62:13:34:9a:d1:c6:8f:e6:f6:df:50: + ba:1a:51:80:b8:2e:c9:dc:03:79:3d:97:a9:89:ce: + 91:68:e4:dc:90:7d:f3:aa:74:2d:48:2b:40:f5:cf: + ba:d5:e8:07:d2:34:74:e0:31:c6:e1:0c:df:89:25: + c9:49:34:f6:0d:e8:1c:05:54:4c:eb:79:7b:04:bb: + e8:1e:f9:c3:dc:f8:d7:6f:d1:c3:77:a5:97:78:45: + 1c:82:5a:52:a5:26:3e:4b:78:9e:6d:f8:75:3e:40: + b9:69:d6:e8:3f:ea:d7:6b:6e:e9:d3:a9:10:a4:92: + 5e:96:e2:d8:f3:7e:2e:35:f2:81:85:b9:6d:9c:14: + 02:38:c3:53:0f:a1:84:ef:c3:62:13:7f:10:0f:e4: + 2e:43:4d:d0:48:06:5b:38:e4:49:e1:35:13:f6:d6: + 83:1e:1c:f4:10:21:29:45:e3:48:47:01:9c:6a:4d: + b6:0b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + 6E:12:12:1A:40:9F:52:2F:48:9C:B5:EE:DC:BF:20:B7:7A:30:02:DC + X509v3 Authority Key Identifier: + keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73 + DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain + serial:F9:2F:C6:8B:0E:F1:EB:9E + + X509v3 Extended Key Usage: + TLS Web Client Authentication + 
X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:tsa2 + Signature Algorithm: sha256WithRSAEncryption + 89:6d:03:f4:e6:29:77:ae:b4:82:de:7b:d6:39:56:10:2f:64: + f7:68:58:6e:3b:cf:9f:96:ab:a3:66:b0:53:80:98:88:c2:70: + 3a:7e:de:d6:3f:69:ff:09:56:22:4f:b3:61:c3:43:ed:73:7f: + 9f:29:10:31:31:ba:d6:78:a2:bc:7d:45:2c:5f:5a:8a:77:62: + 3e:d8:38:fb:41:3c:54:8b:67:29:c5:d7:5a:a9:d3:a9:52:53: + 81:eb:0b:55:9e:4e:f3:73:b5:f9:87:0d:a9:59:c4:2a:66:36: + 47:bc:02:78:12:5b:12:7f:f5:c2:1c:a3:be:d0:bc:3e:72:1e: + 96:f2:a4:16:71:d8:0f:af:76:1d:44:bd:1c:ef:e9:6a:09:00: + 79:61:b1:20:83:61:1f:13:00:69:30:c6:ae:3b:31:a3:6c:db: + 67:52:5d:ef:44:14:eb:53:b4:79:39:62:53:a6:d5:ea:96:ee: + 2c:5f:38:9f:04:32:0c:39:24:e7:1c:04:79:ea:27:90:1f:e2: + b3:ed:93:a1:92:5c:c6:fa:d5:58:1f:9e:3a:a5:32:01:ce:b8: + 61:f6:fa:bd:ff:37:1c:3f:30:54:8e:69:13:91:1b:95:6c:43: + c7:23:47:c8:2b:c1:97:00:d4:9b:46:52:ae:b4:dd:da:a6:13: + a5:6b:07:dc +-----BEGIN CERTIFICATE----- +MIIFXjCCBEagAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx +CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv +cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV +BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3 +DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDg0NFoXDTI2MDgy +NDE3MDg0NFowgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM +U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15 +T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwR0c2EyMRAwDgYDVQQpEwdFYXN5 +UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbNFxrrBDpY1DN9fGegKi+7U8hJXxUZ4/w +wRZXrRzHFJCMjR+05JE7/SxEocN9HfXLVMJFpOPpBxRgYGMH122SK5law8GRh5K1 +bUvQIs1iEzSa0caP5vbfULoaUYC4LsncA3k9l6mJzpFo5NyQffOqdC1IK0D1z7rV +6AfSNHTgMcbhDN+JJclJNPYN6BwFVEzreXsEu+ge+cPc+Ndv0cN3pZd4RRyCWlKl +Jj5LeJ5t+HU+QLlp1ug/6tdrbunTqRCkkl6W4tjzfi418oGFuW2cFAI4w1MPoYTv +w2ITfxAP5C5DTdBIBls45EnhNRP21oMeHPQQISlF40hHAZxqTbYLAgMBAAGjggF+ 
+MIIBejAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0 +ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFG4SEhpAn1IvSJy17ty/ILd6MALcMIHr +BgNVHSMEgeMwgeCAFOMr5HTPm7xubeZSHREE/GYfJUpzoYG8pIG5MIG2MQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG +A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p +dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw +HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD5L8aLDvHrnjATBgNV +HSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDwYDVR0RBAgwBoIEdHNhMjAN +BgkqhkiG9w0BAQsFAAOCAQEAiW0D9OYpd660gt571jlWEC9k92hYbjvPn5aro2aw +U4CYiMJwOn7e1j9p/wlWIk+zYcND7XN/nykQMTG61niivH1FLF9aindiPtg4+0E8 +VItnKcXXWqnTqVJTgesLVZ5O83O1+YcNqVnEKmY2R7wCeBJbEn/1whyjvtC8PnIe +lvKkFnHYD692HUS9HO/pagkAeWGxIINhHxMAaTDGrjsxo2zbZ1Jd70QU61O0eTli +U6bV6pbuLF84nwQyDDkk5xwEeeonkB/is+2ToZJcxvrVWB+eOqUyAc64Yfb6vf83 +HD8wVI5pE5EblWxDxyNHyCvBlwDUm0ZSrrTd2qYTpWsH3A== +-----END CERTIFICATE----- diff --git a/tests/cfg/pki/keys/tsa2.csr b/tests/cfg/pki/keys/tsa2.csr new file mode 100644 index 0000000..1d4e782 --- /dev/null +++ b/tests/cfg/pki/keys/tsa2.csr 
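Review bot: The certificate's `Not After : Aug 24 17:08:44 2026 GMT` means any test that validates this fixture will begin failing on that date without any code change, and tsa1.crt, if it was issued by the same CA under the same `default_days = 3650`, will follow; a comment in the test that loads these fixtures (or a README beside them) should record the expiry date and the regeneration procedure. If `tsa` here stands for time-stamp authority, note also that the only EKU present is a non-critical `TLS Web Client Authentication` alongside `Digital Signature` key usage, which is the `usr_cert` profile from the bundled openssl configs; RFC 3161 verifiers such as `openssl ts -verify` require a critical `timeStamping` EKU, so a time-stamping test would need a dedicated extension section rather than the client defaults. The expiry point stands whatever the fixture is used for.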
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC8TCCAdkCAQAwgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UE +BxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsT +FE15T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwR0c2EyMRAwDgYDVQQpEwdF +YXN5UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbNFxrrBDpY1DN9fGegKi+7U8hJXxU +Z4/wwRZXrRzHFJCMjR+05JE7/SxEocN9HfXLVMJFpOPpBxRgYGMH122SK5law8GR +h5K1bUvQIs1iEzSa0caP5vbfULoaUYC4LsncA3k9l6mJzpFo5NyQffOqdC1IK0D1 +z7rV6AfSNHTgMcbhDN+JJclJNPYN6BwFVEzreXsEu+ge+cPc+Ndv0cN3pZd4RRyC +WlKlJj5LeJ5t+HU+QLlp1ug/6tdrbunTqRCkkl6W4tjzfi418oGFuW2cFAI4w1MP +oYTvw2ITfxAP5C5DTdBIBls45EnhNRP21oMeHPQQISlF40hHAZxqTbYLAgMBAAGg +ADANBgkqhkiG9w0BAQsFAAOCAQEAVXOIPyQqN2P/ZfcdsbklM/X0d1qfFAbkBV3M +MWh5QzrmyrxPnhGnSYBvwX0thN5G8FF5jlHit67G5Le5M5feczdRSXhGlLcao/U+ +T/yr87Yojwagg9HgDGI+S82eLNSbI27x8A3dlaOGB5mPA+ff+WvRlqoC95sSDnEo +0W2cHMJTjwtj0/hDqlboh6iReXvicihdNVHJvfuED9CIOOPSLnW9WiZ+PM3GFvRi +EBZaoK/151mOqjfwIXCMelvozZG9kg8BKT+0+mtoFMHzaJWidPhArZt1hKyMc1FI +7jyUN+9X1d5piXIlN2RhO5CAx6ilhlqh7aZtEjkwnik+q8/P0w== +-----END CERTIFICATE REQUEST----- diff --git a/tests/cfg/pki/keys/tsa2.key b/tests/cfg/pki/keys/tsa2.key new file mode 100644 index 0000000..ca2d276 --- /dev/null +++ b/tests/cfg/pki/keys/tsa2.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCbNFxrrBDpY1DN +9fGegKi+7U8hJXxUZ4/wwRZXrRzHFJCMjR+05JE7/SxEocN9HfXLVMJFpOPpBxRg +YGMH122SK5law8GRh5K1bUvQIs1iEzSa0caP5vbfULoaUYC4LsncA3k9l6mJzpFo +5NyQffOqdC1IK0D1z7rV6AfSNHTgMcbhDN+JJclJNPYN6BwFVEzreXsEu+ge+cPc ++Ndv0cN3pZd4RRyCWlKlJj5LeJ5t+HU+QLlp1ug/6tdrbunTqRCkkl6W4tjzfi41 +8oGFuW2cFAI4w1MPoYTvw2ITfxAP5C5DTdBIBls45EnhNRP21oMeHPQQISlF40hH +AZxqTbYLAgMBAAECggEBAI2WX/XOHAN+Gfo6szjA8LB092oqs1igvZyJ2aMUhxtK +tG+0UseIeMH8PcVCuX9LtK7Q3QYB3fT5A2rEo7NEoW3mnllCGjV0M6+VTMNM7Ibb +NHNEils+/dpN3+kgj0f3TymKdbFtyTmxm8/QcTLT5FWM9L5Qz0swPabkrTXjqvfW +pW3znLJsI/31LzFqicNRzSG3/PTE/RDhPrHnc7Evbz9TYZS8/D3FnvO8QJB8F2Uk +/0WunCYU1IKeyVwZvArTLHIAZgQoEoaQIrkfr7AGBi4/uyGPI5GvrCib3MMdBm6s +HpxQMo68MwSTm7HVLE9l7QQIGv17iGdks3WuyuUc4bECgYEAy53xVse3EBoUxRZ8 +yb1i/fr/aMYcCnPoVSHFJh6bGzxy9DeX5kOo0ksge7OgY8MWdoZWHmN3KzSAxkUF +Cgz9znRHwAP1Ka7VpFShxmgj752yNSqm7nXj9GJs9P3Y9Pwnp8LMQPOoZmWulJWT +HrxoZCpGeC5wQsZ6Ve1xcazr+skCgYEAwyIDSIBygtRjUCyoJhsJR9Vhc7FBLFBY +yqu+ZrP2HV31p99M3IT3zEfNYj97MXpE4ggCXuMsPxiHRhDbthOrO1DEDZiZ/zU7 +c9gzqGjJoa+n77T/88dDpukqm7FbB4pMiUZXj0HOYLmKppTAGO2R01xPgsOrKcU6 +yNTLUYeUwDMCgYBDQ7AAbQWKqjMGUMF0m73iDVLmt9t3kIbF6NwKFb5DpxqKlvr1 +NJDGt87JTrPDgSUgjoxQiadKfJO17AMYKOaHl15Ejook9P7axKKUur50X/IJIkf3 +Krbdes5nuJw9gjdPckirhFKzUQ/1QdxSIQeTX2vcM+seBBdR35jEZs2mEQKBgGZM +kJgT7vSz0BUaNFU121mzflGe3eIThVlLTJifRCoFNmJ56Nu7QgXwprYZPcakqTQu +qr+ALZQukcyjzevYx+5i20WdeS6Yg8Cp2fsyZHLFmi9LHtx43PjGSLYy9twvHwzg +ucq63y1KWGwYk9T9x3Odc3nEhxlw8u6S0Ly/bbaNAoGAJYp4drHJ8uLGufVURrK0 +NQJIdPl7bcRaUdzBt1bmE5IiQOqzsdDkJpN1/ZD8SVkGPni6m+ZpvOprw7gtXs3T +dQ3Ri2dMZ4VJkyACi8z21eErRjr16pi92MhZKVnk1PEsxldEPa6XdJPaBm34O+BE +rzhN9WafVc6yL45gNLnUlRc= +-----END PRIVATE KEY----- diff --git a/tests/cfg/pki/list-crl b/tests/cfg/pki/list-crl new file mode 100755 index 0000000..32c1143 --- /dev/null +++ b/tests/cfg/pki/list-crl 
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# list revoked certificates
+
+CRL="${1:-crl.pem}"
+
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR" && \
+ $OPENSSL crl -text -noout -in "$CRL"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/tests/cfg/pki/openssl-0.9.6.cnf b/tests/cfg/pki/openssl-0.9.6.cnf
new file mode 100644
index 0000000..fb08fea
--- /dev/null
+++ b/tests/cfg/pki/openssl-0.9.6.cnf
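Review bot: `$OPENSSL` is expanded unquoted and unguarded on the line after `cd "$KEY_DIR"`; if the vars file sets KEY_DIR but leaves OPENSSL unset, the script runs `crl -text -noout -in crl.pem` as a bare command and dies with an unrelated "command not found" instead of the hint printed in the else branch. Adding `: "${OPENSSL:?Please source the vars script first}"` before the `if`, or widening the test to `if [ "$KEY_DIR" ] && [ "$OPENSSL" ]; then`, keeps the failure explicit and stays within POSIX sh. It is also worth a comment above `CRL="${1:-crl.pem}"` noting that a relative path given as `$1` is resolved after the `cd`, i.e. relative to `$KEY_DIR` rather than to the caller's working directory.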
@@ -0,0 +1,268 @@ +# For use with easy-rsa version 2.0 + +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha256 # which md to use. 
+preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +default_md = sha256 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! 
+string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Easy-RSA Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +subjectAltName=$ENV::KEY_ALTNAMES + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::KEY_ALTNAMES + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. 
+# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always diff --git a/tests/cfg/pki/openssl-0.9.8.cnf b/tests/cfg/pki/openssl-0.9.8.cnf new file mode 100644 index 0000000..90331a0 --- /dev/null +++ b/tests/cfg/pki/openssl-0.9.8.cnf 
@@ -0,0 +1,293 @@ +# For use with easy-rsa version 2.0 + +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +openssl_conf = openssl_init + +[ openssl_init ] +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids +engines = engine_section + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. 
+# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha256 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +default_md = sha256 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! 
+string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +name = Name +name_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN +name_default = $ENV::KEY_NAME + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Easy-RSA Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +subjectAltName=$ENV::KEY_ALTNAMES + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::KEY_ALTNAMES + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. 
+# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ engine_section ] +# +# If you are using PKCS#11 +# Install engine_pkcs11 of opensc (www.opensc.org) +# And uncomment the following +# verify that dynamic_path points to the correct location +# +#pkcs11 = pkcs11_section + +[ pkcs11_section ] +engine_id = pkcs11 +dynamic_path = /usr/lib/engines/engine_pkcs11.so +MODULE_PATH = $ENV::PKCS11_MODULE_PATH +PIN = $ENV::PKCS11_PIN +init = 0 diff --git a/tests/cfg/pki/openssl-1.0.0.cnf b/tests/cfg/pki/openssl-1.0.0.cnf new file mode 100644 index 0000000..c301e44 --- /dev/null +++ b/tests/cfg/pki/openssl-1.0.0.cnf 
@@ -0,0 +1,288 @@ +# For use with easy-rsa version 2.0 and OpenSSL 1.0.0* + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +openssl_conf = openssl_init + +[ openssl_init ] +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids +engines = engine_section + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. 
+# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha256 # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +default_md = sha256 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation after 2004). +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. 
+string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +name = Name +name_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN +name_default = $ENV::KEY_NAME + + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Easy-RSA Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature + + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +subjectAltName=$ENV::KEY_ALTNAMES + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::KEY_ALTNAMES + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. 
+# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ engine_section ] +# +# If you are using PKCS#11 +# Install engine_pkcs11 of opensc (www.opensc.org) +# And uncomment the following +# verify that dynamic_path points to the correct location +# +#pkcs11 = pkcs11_section + +[ pkcs11_section ] +engine_id = pkcs11 +dynamic_path = /usr/lib/engines/engine_pkcs11.so +MODULE_PATH = $ENV::PKCS11_MODULE_PATH +PIN = $ENV::PKCS11_PIN +init = 0 diff --git a/tests/cfg/pki/pkitool b/tests/cfg/pki/pkitool new file mode 100755 index 0000000..44145ad --- /dev/null +++ b/tests/cfg/pki/pkitool 
@@ -0,0 +1,399 @@
+#!/bin/sh
+
+# OpenVPN -- An application to securely tunnel IP networks
+# over a single TCP/UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+# Copyright (C) 2002-2010 OpenVPN Technologies, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program (see the file COPYING included with this
+# distribution); if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# pkitool is a front-end for the openssl tool.
+
+# Calling scripts can set the certificate organizational
+# unit with the KEY_OU environmental variable.
+
+# Calling scripts can also set the KEY_NAME environmental
+# variable to set the "name" X509 subject field.
+ +PROGNAME=pkitool +VERSION=2.0 +DEBUG=0 + +die() +{ + local m="$1" + + echo "$m" >&2 + exit 1 +} + +need_vars() +{ + cat < root certificate (--ca) + ca.key -> root key, keep secure (not directly used by OpenVPN) + .crt files -> client/server certificates (--cert) + .key files -> private keys, keep secure (--key) + .csr files -> certificate signing request (not directly used by OpenVPN) + dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh) + +Examples: + $PROGNAME --initca -> Build root certificate + $PROGNAME --initca --pass -> Build root certificate with password-protected key + $PROGNAME --server server1 -> Build "server1" certificate/key + $PROGNAME client1 -> Build "client1" certificate/key + $PROGNAME --pass client2 -> Build password-protected "client2" certificate/key + $PROGNAME --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format + $PROGNAME --csr client4 -> Build "client4" CSR to be signed by another CA + $PROGNAME --sign client4 -> Sign "client4" CSR + $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key + Also see ./inherit-inter script. + $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5 + -> Build "client5" certificate/key in PKCS#11 token + +Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys. +Protect client2 key with a password. Build DH parms. 
Generated files in ./keys : + [edit vars with your site-specific info] + source ./vars + ./clean-all + ./build-dh -> takes a long time, consider backgrounding + ./$PROGNAME --initca + ./$PROGNAME --server myserver + ./$PROGNAME client1 + ./$PROGNAME --pass client2 + +Typical usage for adding client cert to existing PKI: + source ./vars + ./$PROGNAME client-new +EOM +} + +# Set tool defaults +[ -n "$OPENSSL" ] || export OPENSSL="openssl" +[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool" +[ -n "$GREP" ] || export GREP="grep" + +# Set defaults +DO_REQ="1" +REQ_EXT="" +DO_CA="1" +CA_EXT="" +DO_P12="0" +DO_P11="0" +DO_ROOT="0" +NODES_REQ="-nodes" +NODES_P12="" +BATCH="-batch" +CA="ca" +# must be set or errors of openssl.cnf +PKCS11_MODULE_PATH="dummy" +PKCS11_PIN="dummy" + +# Process options +while [ $# -gt 0 ]; do + case "$1" in + --keysize ) KEY_SIZE=$2 + shift;; + --server ) REQ_EXT="$REQ_EXT -extensions server" + CA_EXT="$CA_EXT -extensions server" ;; + --batch ) BATCH="-batch" ;; + --interact ) BATCH="" ;; + --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; + --initca ) DO_ROOT="1" ;; + --pass ) NODES_REQ="" ;; + --csr ) DO_CA="0" ;; + --sign ) DO_REQ="0" ;; + --pkcs12 ) DO_P12="1" ;; + --pkcs11 ) DO_P11="1" + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_ID="$4" + PKCS11_LABEL="$5" + shift 4;; + + # standalone + --pkcs11-init) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_LABEL="$4" + if [ -z "$PKCS11_LABEL" ]; then + die "Please specify library name, slot and label" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ + --label "$PKCS11_LABEL" && + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" + exit $?;; + --pkcs11-slots) + PKCS11_MODULE_PATH="$2" + if [ -z "$PKCS11_MODULE_PATH" ]; then + die "Please specify library name" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots + exit 0;; + --pkcs11-objects) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + if [ -z 
"$PKCS11_SLOT" ]; then + die "Please specify library name and slot" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" + exit 0;; + + --help|--usage) + usage + exit ;; + --version) + echo "$PROGNAME $VERSION" + exit ;; + # errors + --* ) die "$PROGNAME: unknown option: $1" ;; + * ) break ;; + esac + shift +done + +if ! [ -z "$BATCH" ]; then + if $OPENSSL version | grep 0.9.6 > /dev/null; then + die "Batch mode is unsupported in openssl<0.9.7" + fi +fi + +if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then + die "PKCS#11 and PKCS#12 cannot be specified together" +fi + +if [ $DO_P11 -eq 1 ]; then + if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then + die "Please edit $KEY_CONFIG and setup PKCS#11 engine" + fi +fi + +# If we are generating pkcs12, only encrypt the final step +if [ $DO_P12 -eq 1 ]; then + NODES_P12="$NODES_REQ" + NODES_REQ="-nodes" +fi + +if [ $DO_P11 -eq 1 ]; then + if [ -z "$PKCS11_LABEL" ]; then + die "PKCS#11 arguments incomplete" + fi +fi + +# If undefined, set default key expiration intervals +if [ -z "$KEY_EXPIRE" ]; then + KEY_EXPIRE=3650 +fi +if [ -z "$CA_EXPIRE" ]; then + CA_EXPIRE=3650 +fi + +# Set organizational unit to empty string if undefined +if [ -z "$KEY_OU" ]; then + KEY_OU="" +fi + +# Set X509 Name string to empty string if undefined +if [ -z "$KEY_NAME" ]; then + KEY_NAME="" +fi + +# Set KEY_CN, FN +if [ $DO_ROOT -eq 1 ]; then + if [ -z "$KEY_CN" ]; then + if [ "$1" ]; then + KEY_CN="$1" + KEY_ALTNAMES="DNS:${KEY_CN}" + elif [ "$KEY_ORG" ]; then + KEY_CN="$KEY_ORG CA" + KEY_ALTNAMES="$KEY_CN" + fi + fi + if [ $BATCH ] && [ "$KEY_CN" ]; then + echo "Using CA Common Name:" "$KEY_CN" + KEY_ALTNAMES="$KEY_CN" + fi + FN="$KEY_CN" +elif [ $BATCH ] && [ "$KEY_CN" ]; then + echo "Using Common Name:" "$KEY_CN" + KEY_ALTNAMES="$KEY_CN" + FN="$KEY_CN" + if [ "$1" ]; then + FN="$1" + fi +else + KEY_CN="$1" + KEY_ALTNAMES="DNS:$1" + shift + while [ "x$1" != "x" ] + do + 
KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1" + shift + done + FN="$KEY_CN" +fi + +export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES + +# Show parameters (debugging) +if [ $DEBUG -eq 1 ]; then + echo DO_REQ $DO_REQ + echo REQ_EXT $REQ_EXT + echo DO_CA $DO_CA + echo CA_EXT $CA_EXT + echo NODES_REQ $NODES_REQ + echo NODES_P12 $NODES_P12 + echo DO_P12 $DO_P12 + echo KEY_CN $KEY_CN + echo KEY_ALTNAMES $KEY_ALTNAMES + echo BATCH $BATCH + echo DO_ROOT $DO_ROOT + echo KEY_EXPIRE $KEY_EXPIRE + echo CA_EXPIRE $CA_EXPIRE + echo KEY_OU $KEY_OU + echo KEY_NAME $KEY_NAME + echo DO_P11 $DO_P11 + echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH + echo PKCS11_SLOT $PKCS11_SLOT + echo PKCS11_ID $PKCS11_ID + echo PKCS11_LABEL $PKCS11_LABEL +fi + +# Make sure ./vars was sourced beforehand +if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then + cd "$KEY_DIR" + + # Make sure $KEY_CONFIG points to the correct version + # of openssl.cnf + if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then + : + else + echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" + echo "version of openssl.cnf: $KEY_CONFIG" + echo "The correct version should have a comment that says: easy-rsa version 2.x"; + exit 1; + fi + + # Build root CA + if [ $DO_ROOT -eq 1 ]; then + $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ + chmod 0600 "$CA.key" + else + # Make sure CA key/cert is available + if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then + if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then + echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" + echo "Try $PROGNAME --initca to build a root certificate/key." 
+ exit 1 + fi + fi + + # Generate key for PKCS#11 token + PKCS11_ARGS= + if [ $DO_P11 -eq 1 ]; then + stty -echo + echo -n "User PIN: " + read -r PKCS11_PIN + stty echo + export PKCS11_PIN + + echo "Generating key pair on PKCS#11 token..." + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ + --login --pin "$PKCS11_PIN" \ + --key-type rsa:1024 \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 + PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" + fi + + # Build cert/key + ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ + ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ + -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ + ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ + -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ + ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ + ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) + + # Load certificate into PKCS#11 token + if [ $DO_P11 -eq 1 ]; then + $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ + --login --pin "$PKCS11_PIN" \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" + [ -e "$FN.crt.der" ]; rm "$FN.crt.der" + fi + + fi + +# Need definitions +else + need_vars +fi diff --git a/tests/cfg/pki/revoke-full b/tests/cfg/pki/revoke-full new file mode 100755 index 0000000..e9c7d02 --- /dev/null +++ b/tests/cfg/pki/revoke-full 
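Review bot: The PKCS#11 branch of pkitool hard-codes `--key-type rsa:1024` when generating the key pair on the token, while the file-based path directly below it uses `-newkey rsa:$KEY_SIZE`, so a smart-card identity gets a 1024-bit key even when vars sets KEY_SIZE=2048; use `--key-type "rsa:$KEY_SIZE"` so both paths honour the same setting. The same branch passes the user PIN as `--pin "$PKCS11_PIN"` on the pkcs11-tool command line (for both keypairgen and write-object), which exposes it to any local user via `ps`; with `--login` and no `--pin`, pkcs11-tool prompts for the PIN itself, so the argument can be dropped (worth confirming against the pkcs11-tool version you target). The PIN prompt also disables terminal echo with `stty -echo` and only restores it on the straight-line path, so an interrupt during `read -r PKCS11_PIN` leaves the terminal with echo off — a `trap 'stty echo' INT TERM` around the read would close that gap.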
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL="crl.pem"
+RT="revoke-test.pem"
+
+if [ $# -ne 1 ]; then
+ echo "usage: revoke-full ";
+ exit 1
+fi
+
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR"
+ rm -f "$RT"
+
+ # set defaults
+ export KEY_CN=""
+ export KEY_OU=""
+ export KEY_NAME=""
+
+ # required due to hack in openssl.cnf that supports Subject Alternative Names
+ export KEY_ALTNAMES=""
+
+ # revoke key and generate a new CRL
+ $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+
+ # generate a new CRL -- try to be compatible with
+ # intermediate PKIs
+ $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+ if [ -e export-ca.crt ]; then
+ cat export-ca.crt "$CRL" >"$RT"
+ else
+ cat ca.crt "$CRL" >"$RT"
+ fi
+
+ # verify the revocation
+ $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/tests/cfg/pki/sign-req b/tests/cfg/pki/sign-req
new file mode 100755
index 0000000..6cae7b4
--- /dev/null
+++ b/tests/cfg/pki/sign-req
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --sign $*
diff --git a/tests/cfg/pki/vars b/tests/cfg/pki/vars
new file mode 100644
index 0000000..e60420c
--- /dev/null
+++ b/tests/cfg/pki/vars
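Review bot: The revocation step `$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"` has its exit status ignored, so a failed revocation (wrong certificate name, mistyped CA key passphrase, unwritable index) is still followed by regenerating a CRL that does not contain the certificate, and the script's own exit status is whatever the final `openssl verify` happened to return. Append `|| exit 1` to the `-revoke` line and to the `-gencrl` line so the CRL is only rebuilt after a successful revocation. Note also that `openssl verify -crl_check` exits non-zero precisely when the revocation worked, so a caller cannot read success from the script's exit status; a comment saying so, or an explicit check that prints "revocation verified" on a non-zero verify result, would make the final step usable from automation.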
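Review bot: sign-req forwards its arguments with an unquoted `$*`, which re-splits every argument on whitespace before it reaches pkitool; pkitool's own usage text shows a quoted label argument (`"client5 id"`), and such an argument would arrive here as two words. Use `"$EASY_RSA/pkitool" --interact --sign "$@"` to pass the arguments through intact. Since the script is a pure wrapper, this one-line change is the whole fix.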
@@ -0,0 +1,80 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid. This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
+export KEY_OU="MyOrganizationalUnit"
+
+# X509 Subject Field
+export KEY_NAME="EasyRSA"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# export KEY_CN="CommonName"
diff --git a/tests/cfg/pki/whichopensslcnf b/tests/cfg/pki/whichopensslcnf
new file mode 100755
index 0000000..4c5f3c7
--- /dev/null
+++ b/tests/cfg/pki/whichopensslcnf
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+cnf="$1/openssl.cnf"
+
+if [ "$OPENSSL" ]; then
+ if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-0.9.6.cnf"
+ elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-0.9.8.cnf"
+ elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-1.0.0.cnf"
+ else
+ cnf="$1/openssl.cnf"
+ fi
+fi
+
+echo $cnf
+
+if [ ! -r $cnf ]; then
+ echo "**************************************************************" >&2
+ echo " No $cnf file could be found" >&2
+ echo " Further invocations will fail" >&2
+ echo "**************************************************************" >&2
+fi
+
+exit 0
diff --git a/tests/cfg/uts-server.cnf b/tests/cfg/uts-server.cnf
new file mode 100644
index 0000000..0a8b990
--- /dev/null
+++ b/tests/cfg/uts-server.cnf
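Review bot: The `KEY_CONFIG` assignment in vars runs `$EASY_RSA/whichopensslcnf $EASY_RSA` inside backticks with both expansions unquoted, and EASY_RSA is set from `pwd` a few lines above, so a checkout whose path contains a space makes the lookup fail and every later `-config "$KEY_CONFIG"` in pkitool points at a file that does not exist; write it as `export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"`. The comment above `KEY_SIZE` still reads `# Increase this to 2048 if you are paranoid` although the value is already 2048, and since this is the only place the key size is documented it should say something like `# RSA key size for the CA and all issued keys; 2048 is the minimum to use today`. `export PKCS11_PIN="dummy"` together with the commented `# export PKCS11_PIN=1234` invites users to keep a real PIN in a sourced shell file; a comment noting that pkitool prompts for the PIN at run time and that the placeholder exists only so openssl.cnf can resolve `$ENV::PKCS11_PIN` would discourage that.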
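Review bot: whichopensslcnf uses `$cnf` unquoted in both `echo $cnf` and `[ ! -r $cnf ]`, and `$cnf` is built from `$1`, which vars derives from `pwd`; a path with whitespace is word-split here, so the readability check tests the wrong file and the value vars captures into KEY_CONFIG is mangled. Quote both: `echo "$cnf"` and `if [ ! -r "$cnf" ]; then`. The script also ends with `exit 0` even after printing the "No $cnf file could be found" banner, so a caller cannot distinguish a usable config from a missing one; exiting non-zero in that branch would surface the problem when vars is sourced rather than at the first pkitool run. The version table only recognises 0.9.6, 0.9.8 and 1.0.x and silently falls back to openssl.cnf for anything newer, which is fine only as long as that fallback file is kept in step with the OpenSSL the tests actually run against.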
@@ -0,0 +1,142 @@
+[ new_oids ]
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+[ main ]
+
+# Comma-separated list of ips:ports to listen on.
+# If the port is SSL, a letter s must be appended.
+listening_ports = 127.0.0.1:2020
+#listening_ports = 80,443s
+
+# Allows clients to reuse TCP connection for subsequent HTTP requests, which improves performance.
+enable_keep_alive = no
+
+# Number of worker threads.
+num_threads = 50
+
+# Switch to given user credentials after startup.
+# Required to run on privileged ports and not be run as root.
+# run_as_user = uts-server
+
+# Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
+# * limit speed for all connections
+# x.x.x.x/mask limit speed for specified subnet
+# The value is a floating-point number of bytes per second, optionally followed by a k or m character
+# meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate
+throttle = *
+#throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0
+
+# Timeout for network read and network write operations, in milliseconds.
+request_timeout_ms = 30000
+
+# Path to the SSL certificate file. (PEM format containing private key and certificate)
+#ssl_certificate = /etc/uts-server/cert.pem
+
+# Enable client's certificate verification by the server.
+#ssl_verify_peer = yes
+
+# Name of a directory containing trusted CA certificates
+#ssl_ca_path = /etc/ssl/ca/
+
+# Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
+#ssl_ca_file = /etc/uts-server/ca.pem
+
+# Sets maximum depth of certificate chain.
+# If client's certificate chain is longer than the depth set here connection is refused.
+#ssl_verify_depth = 9
+
+# Loads default trusted certificates locations set at openssl compile time.
+#ssl_default_verify_paths = yes
+
+# see https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
+#ssl_cipher_list = ALL:!eNULL
+
+# Sets the minimal accepted version of SSL/TLS protocol according to the table:
+# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 0
+# SSL3+TLS1.0+TLS1.1+TLS1.2 1
+# TLS1.0+TLS1.1+TLS1.2 2
+# TLS1.1+TLS1.2 3
+# TLS1.2 4
+
+#ssl_protocol_version = 3
+
+# Enables the use of short lived certificates
+#ssl_short_trust = no
+
+# comma separated list of IP subnets to accept/deny
+# deny all accesses, only allow 192.168/16 subnet
+#access_control_allow_origin = -0.0.0.0/0,+192.168/16
+
+# Enable TCP_NODELAY socket option on client connections.
+tcp_nodelay = 0
+
+# loglevel
+# debug, info, notice, warn, err, emerg, crit
+log_level = info
+
+####################################################################
+[ tsa ]
+
+# The default TSA section.
+default_tsa = tsa_config1
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+
+# TSA root directory
+dir = ./demoCA
+
+# The current serial number
+# (mandatory)
+serial = ./tsaserial
+
+# OpenSSL engine to use for signing
+crypto_device = builtin
+
+# The TSA signing certificat
+# (optional)
+signer_cert = $dir/tsacert.pem
+
+# Certificate chain to include in reply
+# (optional)
+certs = $dir/cacert.pem
+
+# The TSA private key
+# (optional)
+signer_key = $dir/private/tsakey.pem
+
+# Policy if request did not specify it
+# (optional)
+default_policy = tsa_policy1
+
+# Acceptable policies
+# (optional)
+other_policies = tsa_policy2, tsa_policy3
+
+# Acceptable message digests
+# (mandatory)
+digests = md5, sha1
+
+# (optional)
+accuracy = secs:1, millisecs:500, microsecs:100
+
+# Number of digits after dot.
+# (optional)
+clock_precision_digits = 0
+
+# Is ordering defined for timestamps?
+# (optional, default: no)
+ordering = yes
+
+# Must the TSA name be included in the reply?
+## (optional, default: no)
+tsa_name = yes
+
+# Must the ESS cert id chain be included?
+# (optional, default: no)
+ess_cert_id_chain = no
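Review bot: `digests = md5, sha1` in `[ tsa_config1 ]` makes the TSA accept and sign timestamp requests whose message imprint is MD5 or SHA-1, and both have practical collision attacks, so a token issued for one document can be presented for a colliding one; even in a test fixture this should read `digests = sha256, sha384, sha512` unless a test specifically exercises weak-digest rejection, in which case a comment saying so belongs next to the line. The listener is bound to `127.0.0.1:2020` with every `ssl_*` option commented out, so requests and tokens travel in plaintext; that is acceptable for a loopback test server but deserves a one-line note such as `# test-only: plain HTTP on loopback, do not reuse for a deployed TSA`. The `tsa_policy*` OIDs under `[ new_oids ]` are `1.2.3.4.*` placeholders, as the "used by the TSA examples" comment implies, and the comment should say outright that they are not registered OIDs so nobody copies them into a production policy.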