From: Joni Hahkala Date: Wed, 9 Dec 2009 17:39:06 +0000 (+0000) Subject: -less unnecessary cert for other than trusted ca X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=3772e32069210b3630856754148dcc86976e3223;p=glite-security-test-utils.git -less unnecessary cert for other than trusted ca -rfc test certs -all non-fake cas in grid-security/certificates directory -regenrated cas to enable changes --- diff --git a/bin/generate-ca-certificates-for-cvs.sh b/bin/generate-ca-certificates-for-cvs.sh index aebb19e..fa72f8c 100755 --- a/bin/generate-ca-certificates-for-cvs.sh +++ b/bin/generate-ca-certificates-for-cvs.sh @@ -15,9 +15,10 @@ CONFIGDIR=$PWD/$(dirname $0)/../config BASEDIR=$PWD/$(dirname $0)/../test -CONFIGFILES="index.txt serial.txt req_conf.cnf" +CONFIGFILES="index.txt serial.txt" PASSWORD='changeit' CATYPES='trusted fake big expired nokeyusage root subca subsubca' +#CATYPES='trusted fake expired nokeyusage root subca subsubca' BIG_BITS=8192 SMALL_BITS=1024 @@ -34,6 +35,8 @@ function create_ca { cp $CONFIGDIR/$config . done + sed "s/\$ENV::CATYPE/${catype}/" <$CONFIGDIR/req_conf.cnf > req_conf.cnf + if [ "$catype" = "big" ]; then BITS=$BIG_BITS else @@ -83,7 +86,7 @@ EOF function generate_ca_cert { catype=$1 # current CA to generate - export CATYPE=$2 # parent CA if applicable + parenttype=$2 # parent CA if applicable DAYS=$3 # days flag selfsign=$4 # whether to generate self signed CA or hierarchical bits=$5 # number of bits for the CA cert 
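Review bot: The added `#CATYPES='trusted fake expired nokeyusage root subca subsubca'` line is a commented-out copy of the live assignment minus `big`, left with no explanation, so the next reader cannot tell whether it is an intended alternative or a leftover. Either drop it or state why it exists, e.g. `# alternative without 'big': skips the 8192-bit CA to shorten regeneration`, if that is the reason. Dropping `req_conf.cnf` from CONFIGFILES while the copy loop in the next hunk keeps running is consistent with the per-CA sed rewrite there, but a one-line comment on CONFIGFILES saying that req_conf.cnf is now generated per CA would save the reader a lookup.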
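Review bot: The new `sed "s/\$ENV::CATYPE/${catype}/" <$CONFIGDIR/req_conf.cnf > req_conf.cnf` line has no status check, so an unreadable template leaves an empty `req_conf.cnf` behind and the following `openssl` calls run against it, failing later with a much less obvious message. Suggest `sed "s/\$ENV::CATYPE/${catype}/" <"$CONFIGDIR/req_conf.cnf" > req_conf.cnf || { echo req_conf.cnf generation failed!; exit 1; }`, matching the error style used in generate_ca_cert. The value of `catype` is used unescaped in the sed replacement, which is fine for the fixed CATYPES list but would break on a `/` or `&`; a short comment stating that assumption is worthwhile. create_ca starts before this hunk.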
@@ -103,18 +106,29 @@ function generate_ca_cert { echo CA certificate request generation failed! exit 1 fi + echo `pwd` openssl ca -in ${catype}.req -out ${catype}.cert -outdir . \ - -md md5 -config req_conf.cnf -batch -extensions ca_cert_req ${DAYS} + -md md5 -cert $CASROOT/$parenttype-ca/$parenttype.cert -keyfile $CASROOT/$parenttype-ca/$parenttype.priv \ + -config req_conf.cnf -batch -extensions ca_cert_req ${DAYS} if [ $? -ne "0" ]; then echo CA certificate signing failed! exit 1 fi else - openssl req -new -x509 -out ${catype}.cert $DAYS -nodes \ - -keyout ${catype}.priv -config req_conf.cnf -newkey rsa:$bits -extensions ca_cert_req -subj "${dn}" - if [ $? -ne "0" ]; then - echo CA certificate generation failed! - exit 1 + if [ x$catype == "xnokeyusage" ]; then + openssl req -new -x509 -out ${catype}.cert $DAYS -nodes \ + -keyout ${catype}.priv -config req_conf.cnf -newkey rsa:$bits -extensions ca_cert_req_nokeyusage -subj "${dn}" + if [ $? -ne "0" ]; then + echo CA certificate generation failed! + exit 1 + fi + else + openssl req -new -x509 -out ${catype}.cert $DAYS -nodes \ + -keyout ${catype}.priv -config req_conf.cnf -newkey rsa:$bits -extensions ca_cert_req -subj "${dn}" + if [ $? -ne "0" ]; then + echo CA certificate generation failed! + exit 1 + fi fi fi diff --git a/bin/generate-test-certificates.sh b/bin/generate-test-certificates.sh index fe1fa98..24c4d8b 100755 --- a/bin/generate-test-certificates.sh +++ b/bin/generate-test-certificates.sh @@ -30,7 +30,7 @@ function create_cert { dn="/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=$2" - echo "Creating a cert for '$CN' in files named $filebase.(cert|priv)" + echo "Creating a cert for '$2' in files named $filebase.(cert|priv)" echo " with $flags flags and $validity days validity time" if [ -r "$filebase.cert" -o -r "$filebase.priv" ]; then 
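Review bot: The two `openssl req -new -x509 ...` invocations in the new else branch are identical except for the `-extensions` section name, so the error handling is duplicated and any future flag change has to be made twice; choose the section first and call openssl once. The added `echo` of `pwd` above the `openssl ca` call reads as leftover debugging output and should either go or become a labelled message. The re-added signing line still passes `-md md5`; MD5-signed CA certificates are refused by current OpenSSL builds and most TLS stacks, so unless a weak digest is a deliberate property of these fixtures a SHA-2 digest for the hierarchical CAs would keep them usable. The `-cert $CASROOT/$parenttype-ca/$parenttype.cert` path is built from an unquoted `parenttype` that is empty for self-signed calls; that branch is not reached then, but a comment saying so would help. generate_ca_cert starts before this hunk.
```shell
    else
        # the self-signed variants differ only in the extension section
        extensions=ca_cert_req
        if [ "x$catype" = "xnokeyusage" ]; then
            extensions=ca_cert_req_nokeyusage
        fi
        openssl req -new -x509 -out ${catype}.cert $DAYS -nodes \
            -keyout ${catype}.priv -config req_conf.cnf -newkey rsa:$bits -extensions $extensions -subj "${dn}"
        if [ $? -ne "0" ]; then
            echo CA certificate generation failed!
            exit 1
        fi
    fi
```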
@@ -114,19 +114,10 @@ function create_cert { exit 1 fi - # Get the serial number of the certificate that will eventually sign the proxy. - # Put it into a temporary file to be read by the ca command later. - -# SERIAL=$(openssl x509 -in ${filebase}.cert -noout -serial | sed 's/^serial=//') -# echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt - # cat ${CA_DIR}/serial_proxy.txt - - # some minor cleanup -# rm $filebase.req - create_p12 $filebase } +# create_cert_proxy "file base (signer)" "ignored" "added part to filename" "CN part to add" "days" function create_cert_proxy { filebase=$1 @@ -135,6 +126,8 @@ function create_cert_proxy { ending="grid_proxy" + echo "##### creating proxy $1.$3.$ending" + # This really depends on if we make a proxy or a proxy-proxy X509_SIGNING_CERT=${filebase}.cert X509_SIGNING_KEY=${filebase}.priv @@ -144,7 +137,11 @@ function create_cert_proxy { X509_PROX_REQ=${filebase}.${ident}.req X509_PROX_GRID=${filebase}.${ident}.${ending} - dn="`openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //'`/CN=$4" + if [ x$ident == "xproxy_dnerror2" ]; then + dn="`openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //'` dnerror2/CN=$4" + else + dn="`openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //'`/CN=$4" + fi echo "Creating a proxy cert ${X509_PROX_CERT} for '$dn" echo " in files named $filebase.(cert|priv)" @@ -156,11 +153,6 @@ function create_cert_proxy { return fi - - # Have to 'edit' the ca database to remove the entry for the signing certificate. - # maybe no need... make a dummy database, touch and then delete afterwards... -# touch ${CA_DIR}/index_proxy.txt - # instead save the ones for real certs and copy the ones saved before and use them and later switch back cp ${CA_DIR}/index.txt ${CA_DIR}/index_cert_save.txt cp ${CA_DIR}/serial.txt ${CA_DIR}/serial_cert_save.txt 
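Review bot: The new `proxy_dnerror2` branch repeats the backtick `openssl x509 -in ${X509_SIGNING_CERT} -subject -noout | sed 's/^subject= //'` pipeline in both arms, so the fragile parse of the `subject=` prefix now lives twice; read the signer subject once and branch only on the suffix, e.g. `signer_dn=$(openssl x509 -in "${X509_SIGNING_CERT}" -subject -noout | sed 's/^subject= //')` followed by `dn="${signer_dn}/CN=$4"` or `dn="${signer_dn} dnerror2/CN=$4"`. The prefix stripped by sed is whatever the installed OpenSSL prints, which may differ between versions (`subject= ` versus `subject=`), so a comment recording that dependency is warranted. `[ x$ident == "xproxy_dnerror2" ]` can simply be `[ "$ident" = "proxy_dnerror2" ]`; the `x` prefix is only needed when the variable is left unquoted. create_cert_proxy continues outside this hunk.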
@@ -186,7 +178,6 @@ function create_cert_proxy { fi # Sign the cert request with the user cert and key. Set the serial number here! - CMD="openssl ca -verbose -in ${X509_PROX_REQ} \ -cert ${X509_SIGNING_CERT} \ -keyfile ${X509_SIGNING_KEY} \ @@ -195,6 +186,27 @@ function create_cert_proxy { -preserveDN \ -config ${REQ_CONFIG_FILE} -md md5 -days ${validity} -batch \ -passin pass:${PASSWORD} -notext" + + case $ident in + proxy_rfc) + CMD="$CMD -extensions proxy_rfc" + ;; + proxy_rfc_anyp) + CMD="$CMD -extensions proxy_rfc_anypolicy" + ;; + proxy_rfc_indep) + CMD="$CMD -extensions proxy_rfc_independent" + ;; + proxy_rfc_lim) + CMD="$CMD -extensions proxy_rfc_limited" + ;; + proxy_rfc_plen) + CMD="$CMD -extensions proxy_rfc_pathLen1" + ;; + proxy_invKeyusage) + CMD="$CMD -extensions proxy_invalid_usage" + ;; + esac echo $CMD; $CMD if [ $? != 0 ]; then 
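Review bot: The new `case $ident in` block has no `*)` arm, so an ident mistyped at a call site silently produces a proxy with the configuration's default extensions instead of failing, and the fixture then tests something other than what its name says. Since the legacy idents are known, list them explicitly and reject the rest: `proxy|proxy_lim|proxy_exp|proxy_dnerror|proxy_dnerror2) ;;` followed by `*) echo "unknown proxy type: $ident"; exit 1 ;;`. The ident set I am reading is the one visible in create_all further down; any other caller passing more idents needs an arm too. The extensions are appended to the string `CMD` that the context line `echo $CMD; $CMD` executes by word-splitting, which is pre-existing but means none of these values may ever contain whitespace. create_cert_proxy continues outside this hunk.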
@@ -243,23 +255,43 @@ function create_cert_proxy { # copy the normal cert files back cp ${CA_DIR}/index_cert_save.txt ${CA_DIR}/index.txt cp ${CA_DIR}/serial_cert_save.txt ${CA_DIR}/serial.txt - - # Clean up stuff - # rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt - # most of the cleanup should be done in the create_cert_proxy_proxy function - # since some files need to be kept for signing purposes later! } +# create_cert_proxy "file base (signer)" "ignored" "added part to filename" "CN part to add" "days" +# create_cert_proxy_proxy "file base (signer)" "ignored" "added part to filename" "CN part to add" "days" "first proxy type" function create_cert_proxy_proxy { ending="grid_proxy" + echo "############## creating proxy-proxy $1.$6.$3.$ending" + create_cert_proxy $1.$6 "$2" $3 "$4" $5 + # adding in the original certificate to the chain. 03/06/05 + CMD="openssl x509 -in $1.cert >> \"$1.$6.$3.$ending\"" + echo "$CMD"; eval "$CMD" + + if [ $? != 0 ]; then + echo Proxy file generation failed! + exit 1 + fi +} + +# create_cert_proxy "file base (signer)" "ignored" "added part to filename" "CN part to add" "days" +# create_cert_proxy_proxy "file base (signer)" "ignored" "added part to filename" "CN part to add" "days" "first proxy type" +# create_cert_proxy_proxy_proxy "file base (signer)" "ignored" "added part to filename" "CN part to add" "days" "first proxy type" "second proxy type" +function create_cert_proxy_proxy_proxy { + + ending="grid_proxy" + + echo "############################ creating proxy-proxy-proxy $1.$6.$7.$3.$ending" + + create_cert_proxy_proxy $1.$6 "$2" $3 "$4" $5 $7 + # echo Appending $1.cert to "$1.$3.$6.$ending" # adding in the original certificate to the chain. 03/06/05 - CMD="openssl x509 -in $1.cert >> \"$1.$3.$6.$ending\"" + CMD="openssl x509 -in $1.cert >> \"$1.$6.$7.$3.$ending\"" echo "$CMD"; eval "$CMD" if [ $? != 0 ]; then 
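Review bot: The new create_cert_proxy_proxy_proxy builds `CMD="openssl x509 -in $1.cert >> \"$1.$6.$7.$3.$ending\""` and runs it through `eval`, and create_cert_proxy_proxy in the same hunk does the same; the `eval` is not needed for a redirection and re-parses `$1`, which is unquoted inside the string, so a file base containing whitespace or glob characters would be split a second time. A direct call keeps the same output and error behaviour: `openssl x509 -in "$1.cert" >> "$1.$6.$7.$3.$ending" || { echo Proxy file generation failed!; exit 1; }` (and the matching `"$1.$6.$3.$ending"` form in create_cert_proxy_proxy), with a plain `echo` of the command if the trace line is still wanted. The `# adding in the original certificate to the chain. 03/06/05` comment is copied verbatim into the new function; the date adds nothing and the comment should say which certificate is appended (the end-entity cert beneath the two proxies). The positional layout `"$1.$6.$7.$3"` is opaque enough that naming the parameters at the top of each function (`filebase=$1; ident=$3; first=$6; second=$7`) would pay for itself.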
@@ -352,21 +384,7 @@ function create_some { # generating CRL openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE - # make it user friendly - if [ ! -d 'grid-security/certificates' ]; then - mkdir -p 'grid-security/certificates' - fi - hash=$(openssl x509 -hash -noout -in $CA_DIR/${catype}.cert) - cp $CA_DIR/${catype}.cert grid-security/certificates/${hash}.0 - cp $CA_DIR/${catype}.crl grid-security/certificates/${hash}.r0 - # generating a signing_policy file - subject_name=$(openssl x509 -in $CA_DIR/${catype}.cert -subject -noout) - cat <grid-security/certificates/${hash}.signing_policy -# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##') -access_id_CA X509 '${subject_name:9}' -pos_rights globus CA:sign -cond_subjects globus '"$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"' -EOF + add_ca_grid_sec ${catype} cp $CERT_DIR/${catype}_host.cert grid-security/hostcert.pem openssl rsa -passin pass:$PASSWORD -in $CERT_DIR/${catype}_host.priv -out grid-security/hostkey.pem 
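Review bot: `add_ca_grid_sec ${catype}` passes the CA type as an argument, but the function body added in the following hunk never reads `$1` and uses the global `catype` instead, so the argument is decorative and the later call `add_ca_grid_sec $catype` in create_all works only because the global happens to be set. Make the function honour its parameter, e.g. `local ca=$1` at its top with `$CA_DIR/${ca}.cert` and `$CA_DIR/${ca}.crl` below, or drop the argument at both call sites so the dependency on the global is explicit. create_some continues outside this hunk.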
@@ -426,17 +444,30 @@ EOF fi } +# add a ca to the grid-security/certificates directory +function add_ca_grid_sec { -# create all certificates -function create_all { + if [ ! -d 'grid-security/certificates' ]; then + mkdir -p 'grid-security/certificates' + fi + hash=$(openssl x509 -hash -noout -in $CA_DIR/${catype}.cert) + cp $CA_DIR/${catype}.cert grid-security/certificates/${hash}.0 + cp $CA_DIR/${catype}.crl grid-security/certificates/${hash}.r0 + # generating a signing_policy file + subject_name=$(openssl x509 -in $CA_DIR/${catype}.cert -subject -noout) + cat <grid-security/certificates/${hash}.signing_policy +# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##') +access_id_CA X509 '${subject_name:9}' +pos_rights globus CA:sign +cond_subjects globus '"$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"' +EOF - # If we have the trusted CA, then generate a user cert/key pair - # And also a host cert/key pair. - if [ "$catype" == "trusted" ]; then - create_some - rm ${CA_DIR}/serial_proxy.txt; # touch ${CA_DIR}/serial_proxy.txt - fi +} + + +# create all certificates +function create_all { # create valid certs with proxies 
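Review bot: The new add_ca_grid_sec derives the signing-policy subject with `${subject_name:9}`, a fixed character offset that assumes `openssl x509 -subject -noout` prints exactly `subject= ` before the DN; an OpenSSL build with a different prefix makes the policy file silently carry a truncated or mis-prefixed DN, and a signing policy is precisely the file a verifier consults before trusting a CA. Prefer a pattern strip that fails safe, `${subject_name#subject= }`, and keep the `sed -e 's#/CN=.*$##'` namespace derivation consistent with it. The `hash=$(openssl x509 -hash ...)` naming of the `.0`/`.r0` files likewise follows whichever hash algorithm the installed OpenSSL uses for `-hash`, which deserves a comment for anyone regenerating the fixtures on another host. The header comment `# add a ca to the grid-security/certificates directory` should also say that the function writes `<hash>.0`, `<hash>.r0` and `<hash>.signing_policy` under `grid-security/certificates` relative to the current directory.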
@@ -448,8 +479,17 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_dnerror "dnerror proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_dnerror2 "proxy" $PROXY_VALIDITY create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_lim "limited proxy" $PROXY_VALIDITY create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_rfc "rfc proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_rfc_anyp "rfc any policy proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_rfc_lim "limited rfc proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_rfc_indep "rfc independent proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_rfc_plen "rfc path len 1 proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_invKeyusage "proxy" $PROXY_VALIDITY + + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_dnerror "dnerror proxy" $PROXY_VALIDITY proxy create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_lim "limited proxy" $PROXY_VALIDITY proxy 
@@ -466,6 +506,14 @@ function create_all { create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy_exp create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_rfc "rfc proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy_rfc + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_rfc_lim "limited proxy" $PROXY_VALIDITY proxy_rfc + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_rfc "rfc proxy" $PROXY_VALIDITY proxy_rfc_plen + + create_cert_proxy_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_rfc "rfc proxy" $PROXY_VALIDITY proxy_rfc_plen proxy_rfc + + TYPE="clientbaddn" CTYPE="client with bad DN" 
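Review bot: The new proxy-proxy and proxy-proxy-proxy lines combine `proxy_rfc_plen` (the `proxyCertInfo` section with `pathlen:1`) with further proxies beneath it, but nothing states which of these chains are meant to validate and which are meant to be rejected, so a later change to the config sections cannot be checked against intent. A one-line comment per group would fix this, e.g. `# pathlen:1 on the first proxy: one proxy below it is valid, a second below that must be rejected` above the `proxy_rfc_plen` lines, if that is the intended reading. `proxy_rfc_lim` is given the CN `"limited proxy"` here but `"limited rfc proxy"` in the preceding hunk; if the CN matters to the consumer of these fixtures the two should agree. create_all continues outside this hunk.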
@@ -484,224 +532,238 @@ function create_all { create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy - TYPE="clientserial" - CTYPE="client serial" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy - - TYPE="clientemail" - CTYPE="client email" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDIT $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp - - TYPE="clientuid" - CTYPE="client UID" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp - - TYPE="fclient" - CTYPE="flag client" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype 
${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp - - TYPE="bigclient" - CTYPE="bigclient" - TYPE2="client" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS 4096 - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp - - TYPE="verybigclient" - CTYPE="very big client" - TYPE2="client" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS 8192 - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp - - TYPE="server" - CTYPE="server" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp - - TYPE="host" - CTYPE="$HOSTNAME" - TYPE2="server" - - 
create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS - - TYPE="host_rev" - CTYPE="$HOSTNAME" - TYPE2="server" - - create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS - openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE - - - TYPE="host_exp" - CTYPE="$HOSTNAME" - TYPE2="server" - - create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} -1 - - TYPE="host_baddn" - CTYPE="$HOSTNAME" - TYPE2="hostbaddn" - - create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS - - TYPE="altname" - CTYPE="altname" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype\/xxx.foo.bar" ${TYPE} $DAYS - - TYPE="altname" - CTYPE="altname2" - - create_cert $CERT_DIR/${catype}_${TYPE}2 "xxx.foo.bar" ${TYPE} $DAYS - - TYPE="server" - CTYPE="server2" - - create_cert $CERT_DIR/${catype}_${TYPE}2 "xxx.foo.bar" ${TYPE} $DAYS - - TYPE="clientserver" - CTYPE="clientserver" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp - - TYPE="none" - CTYPE="none" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp - + if [ $catype == "trusted" ]; then + + TYPE="clientserial" + CTYPE="client serial" + + create_cert 
$CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy + + TYPE="clientemail" + CTYPE="client email" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDIT $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp + + TYPE="clientuid" + CTYPE="client UID" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp + + TYPE="fclient" + CTYPE="flag client" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" 
proxy_exp "proxy" -1 proxy_exp + + TYPE="bigclient" + CTYPE="bigclient" + TYPE2="client" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS 4096 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp + + TYPE="verybigclient" + CTYPE="very big client" + TYPE2="client" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS 8192 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp + + TYPE="server" + CTYPE="server" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp + + TYPE="host" + CTYPE="$HOSTNAME" + TYPE2="server" + + create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS + + TYPE="host_rev" + CTYPE="$HOSTNAME" + TYPE2="server" + + create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE + + + TYPE="host_exp" + CTYPE="$HOSTNAME" 
+ TYPE2="server" + + create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} -1 + + TYPE="host_baddn" + CTYPE="$HOSTNAME" + TYPE2="hostbaddn" + + create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS + + TYPE="altname" + CTYPE="altname" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype\/xxx.foo.bar" ${TYPE} $DAYS + + TYPE="altname" + CTYPE="altname2" + + create_cert $CERT_DIR/${catype}_${TYPE}2 "xxx.foo.bar" ${TYPE} $DAYS + + TYPE="server" + CTYPE="server2" + + create_cert $CERT_DIR/${catype}_${TYPE}2 "xxx.foo.bar" ${TYPE} $DAYS + + TYPE="clientserver" + CTYPE="clientserver" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp + + TYPE="none" + CTYPE="none" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp + # create certs with valid proxies, but expired user certs - - TYPE="client_exp" - CTYPE="client expired" - TYPE2="client" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - - 
TYPE="fclient_exp" - CTYPE="flag client expired" - TYPE2="fclient" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - - TYPE="server_exp" - CTYPE="flag server expired" - TYPE2="server" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - - TYPE="clientserver_exp" - CTYPE="clientserver expired" - TYPE2="clientserver" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - - TYPE="none_exp" - CTYPE="none expired" - TYPE2="none" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - + + TYPE="client_exp" + CTYPE="client expired" + TYPE2="client" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + + TYPE="fclient_exp" + CTYPE="flag client expired" + TYPE2="fclient" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + 
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + + TYPE="server_exp" + CTYPE="flag server expired" + TYPE2="server" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + + TYPE="clientserver_exp" + CTYPE="clientserver expired" + TYPE2="clientserver" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + + TYPE="none_exp" + CTYPE="none expired" + TYPE2="none" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + # Create revoked certificates with otherwise valid proxies - - TYPE="client_rev" - CTYPE="client revoked" - TYPE2="client" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE - - TYPE="fclient_rev" - CTYPE="flag client revoked" - TYPE2="fclient" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY 
proxy - openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE - - TYPE="server_rev" - CTYPE="server revoked" - TYPE2="server" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE - - TYPE="clientserver_rev" - CTYPE="clientserver revoked" - TYPE2="clientserver" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE - - TYPE="none_rev" - CTYPE="none revoked" - TYPE2="none" - - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy - openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE - - # some extra certificates + + TYPE="client_rev" + CTYPE="client revoked" + TYPE2="client" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE + TYPE="fclient_rev" + CTYPE="flag client revoked" + TYPE2="fclient" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS + 
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE + + TYPE="server_rev" + CTYPE="server revoked" + TYPE2="server" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE + + TYPE="clientserver_rev" + CTYPE="clientserver revoked" + TYPE2="clientserver" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE + + TYPE="none_rev" + CTYPE="none revoked" + TYPE2="none" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE + + fi + # generating CRL openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE + # If we have the trusted CA, then generate a user cert/key pair + # And also a host cert/key pair. 
+ + if [ "$catype" == "trusted" ]; then + create_some + else + # othewise if the ca is not the fake one, add them to the grid-security/certificates directory + if [ "$catype" != "fake" ]; then + add_ca_grid_sec $catype + fi + fi + # now do the clean-up? rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt ${CA_DIR}/serial_cert_save.txt ${CA_DIR}/index_cert_save.txt @@ -803,11 +865,11 @@ for catype in $CATYPES; do echo "+-----------------------" cd $TARGETDIR - export CATYPE=${catype} - export CA_DIR=${catype}-ca - export CERT_DIR=${catype}-certs - export REQ_CONFIG_FILE=$CA_DIR/req_conf.cnf - export PROXY_BITS=1024 + CA_DIR=${catype}-ca + CERT_DIR=${catype}-certs + REQ_CONFIG_FILE=$CA_DIR/req_conf.cnf + PROXY_BITS=1024 + # this is needed for the req_config.cnf to work export CASROOT=./ # putting the CA certificate to the right place @@ -833,16 +895,10 @@ for catype in $CATYPES; do mkdir -p $CERT_DIR - if [ $catype = "bad" ] ; then - #Create a CA with bad certificates (namespaces, signing policies etc.) - create_bad + if [ "$ALL" = "yes" ]; then + create_all else - - if [ "$ALL" = "yes" ]; then - create_all - else - create_some - fi + create_some fi done diff --git a/config/req_conf.cnf b/config/req_conf.cnf index be7a104..fedc6fd 100644 --- a/config/req_conf.cnf +++ b/config/req_conf.cnf @@ -1,5 +1,10 @@ ### req command +oid_section = new_oids + +[ new_oids ] +limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9 + [ req ] default_bits = 1024 distinguished_name = req_distinguished_name @@ -10,7 +15,13 @@ distinguished_name = req_distinguished_name basicConstraints = CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = cRLSign, keyCertSign +keyUsage = critical, cRLSign, keyCertSign + +[ ca_cert_req_nokeyusage ] +basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = critical, cRLSign [ proxy_cert_req ] 
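Review bot: The clientemail proxy-proxy line re-added inside the new `if [ $catype == "trusted" ]` block still reads `... proxy "proxy" $PROXY_VALIDIT $PROXY_VALIDITY proxy`; the misspelled `$PROXY_VALIDIT` is presumably unset and vanishes on expansion, so the call only works by accident and would break under `set -u` — drop the stray word. The guard itself is unquoted while `if [ "$catype" == "trusted" ]` a few lines further down in the same hunk is quoted; use the quoted form in both places. The comment `# othewise if the ca is not the fake one ...` has a typo (`otherwise`). The hunk wraps roughly two hundred lines of existing fixture generation in the conditional without changing them, which is correct but hard to review; moving that body into its own function and leaving `if [ "$catype" = "trusted" ]; then create_trusted_extras; fi` would make the intent visible at a glance. create_all starts before this hunk.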
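Review bot: The hunk stops exporting `CA_DIR`, `CERT_DIR`, `REQ_CONFIG_FILE` and `PROXY_BITS` while keeping `export CASROOT=./` with the comment that req_conf.cnf needs it; if the configuration also references any of the four via `$ENV::` (I cannot see the whole file here) those lookups will now fail at `openssl` time rather than at this assignment. A quick `grep -n 'ENV::' config/req_conf.cnf` before merging settles it, and the comment on the CASROOT line should then state that CASROOT is the only value this script hands to the configuration through the environment. The loop body starts before this hunk.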
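Review bot: The new `limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9` entry carries no comment, and a bare OID in a test configuration is unreadable without one; add `# Globus GSI limited-proxy policy language, referenced by [ proxy_rfc_limited ] below`. Since `oid_section = new_oids` now applies to every command that loads this file, a reader should also be told that the name is only used inside `proxyCertInfo` language fields.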
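Review bot: The new `[ ca_cert_req_nokeyusage ]` section does set a keyUsage (`critical, cRLSign`), only without `keyCertSign`, so its name misdescribes it and nothing records the expected effect; add `# CA without keyCertSign: certificates it issues must fail path validation (negative test)` above it, if that is the intent. The section otherwise duplicates the three lines of `[ ca_cert_req ]`, which is acceptable in a config file but should be noted so both stay in step. Marking keyUsage `critical` in `[ ca_cert_req ]` also changes the regenerated trusted CA, so consumers that did not previously enforce keyUsage may now see different results — worth a line in the commit message.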
@@ -81,3 +92,20 @@ nsComment = "OpenSSL Generated Client Certificate without Flags" [ proxy_none ] keyUsage = critical,digitalSignature,keyEncipherment +[ proxy_invalid_usage ] +keyUsage = critical,keyEncipherment + +[ proxy_rfc_pathLen1 ] +proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:1 + +[ proxy_rfc ] +proxyCertInfo=critical,language:id-ppl-inheritAll + +[ proxy_rfc_anypolicy ] +proxyCertInfo=critical,language:id-ppl-anyLanguage,policy:text:AB + +[ proxy_rfc_independent ] +proxyCertInfo=critical,language:id-ppl-independent,pathlen:1 + +[ proxy_rfc_limited ] +proxyCertInfo=critical,language:limitedProxyOid diff --git a/test/big-ca/big.cert b/test/big-ca/big.cert index 21f751d..dd94855 100644 --- a/test/big-ca/big.cert +++ b/test/big-ca/big.cert 
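Review bot: The five new proxy sections say nothing about what each is for, although several of them are negative or edge-case fixtures. `[ proxy_invalid_usage ]` drops digitalSignature from keyUsage, unlike `[ proxy_none ]` just above it, and the `[ proxy_rfc* ]` sections set only proxyCertInfo with no keyUsage at all — whether the issued proxies end up without a keyUsage extension depends on how the generating script selects these sections, which is not visible from this hunk. A one-line comment per section, e.g. `# negative fixture: keyUsage without digitalSignature, verifiers must reject` on proxy_invalid_usage and `# RFC 3820 proxy, inheritAll policy, pathlen 1` on proxy_rfc_pathLen1, would make the intent clear to whoever reads the test results. The same sections are appended verbatim to the test/big-ca, test/expired-ca and test/fake-ca req_conf.cnf copies, so the comments belong in whichever copy is the hand-maintained source.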
@@ -1,56 +1,56 @@ -----BEGIN CERTIFICATE----- -MIIKATCCBemgAwIBAgIJAJ8B/7ukFzCMMA0GCSqGSIb3DQEBBQUAMFkxCzAJBgNV +MIIKBDCCBeygAwIBAgIJAMAFlm8hDOq7MA0GCSqGSIb3DQEBBQUAMFkxCzAJBgNV BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE -CxMKUmVsYXhhdGlvbjETMBEGA1UEAxMKdGhlIGJpZyBDQTAeFw0wOTExMTgyMDA5 -NTdaFw0zNzA0MDUyMDA5NTdaMFkxCzAJBgNVBAYTAlVHMQ8wDQYDVQQHEwZUcm9w +CxMKUmVsYXhhdGlvbjETMBEGA1UEAxMKdGhlIGJpZyBDQTAeFw0wOTEyMDkxNjI3 +MDhaFw0zNzA0MjYxNjI3MDhaMFkxCzAJBgNVBAYTAlVHMQ8wDQYDVQQHEwZUcm9w aWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UECxMKUmVsYXhhdGlvbjETMBEGA1UE -AxMKdGhlIGJpZyBDQTCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAMMP -gBs+EVHOOA2uzaKfom1nc2JmCSjYTBcJV3PlZtLO+1a3B2Rfp1uJ9YnLZoJHkmiI -du2aUvSndEQ2rD0k9EB9yHCPI8qaq2CWM1uJgPt2olWnVSIHVEdU27D3ADSWTY+6 -VixPcDqNjk8uMjNuNYJGr1azL6z79ig8RAQyHhMzUEdgMBKgSE6HdAGYJNjqm1+S -WliBXi83bKcmB07cBl5rKW0zD2WATlCJh1wkURvrCpsVKBmVcK8itwsl5Jebnwmw -QCN0gXfjnRfTEM4Rp3PQfY9IydgwP72To/Jou8Lm73nGg251XLvvYFFnPX/sjZ3p -RPFZkZoF4nEQc61/ziWtlWc3DvtwbxoLMNqy/jtrfq7+AB/p19vfFZ3+vBfgqjPa -h75MC7gRRaR5ia8tDlaKGvq8O7iKo4d6QBgX2hX4FP4WbPu1hH91OhvUklYTvDc+ -zAQngEtf80WOve38TVTINbimhlxo3xSBEyd0Zdpgq0WKXfpmaHoUpqvyrQLTaASh -yhHqMzh5i+m3JKpovU2G3jO7Iav0uEcRWOKLSZjDaP/TTYimzi71PxkFNu/a/sOr -16VchTOr+SAwgseM9PMZTsFKHwgfeIRPz1kAhWMz6rnQdfBg3Q/wEc3NqsgF1GMt -6ttDFlGMrq7wWo59aE01R/+uR9OiP3N6GxEVw6cY2e2tWRZwJOMJM6M27bfkXG+R -nuctC5fUBOXaFyuUHLars2Yo0Eygu0MOgYz2WPbjIe5WbKYC/sZjcJAmD7lFGo3e -6ChHjxq9XKCLD3+t42Sh2n+c7D5R0F2Q0QEwwbCca6ulZ5bJTGBVP8Dr1BiJRICg -BcmoHhHVg+/zvERAqHU9fk5jvpb5BFQPS3/ReRYH+dFiiqzNhLjfSPuWYKFW70Xg -3QHQBu0IqNdJq1Og8SIcDxJ/kiNbW6GYYb1e5ZDWjszhtsPvKT8n9q8sqN6JzcX2 -2n9e1UAjz0tJn2z1IY3FJIalKmyo+DgvThAE8tPecW3370/LI64Slb1WoEYTwt1j -s2hSXqODMdC4xAJWuIQJIIxNFEtb5PE9ahpV8/Ff7vuka8EG8jLOjifNCrSpkOYf -8EbHgbv+j9JQ68d9MDXdk3YgznXkQnEHVb8lw2NdjheM1GrTHfRz4VlbSChSM4l/ -pZC4CNLB7gItngJC5sSuc+L3hLFqqbiloFQpU6HUKnPFxBjVlaaf7HZcVsBWVehh -/6jPDuutR4Q79QZrcxBUeuhH+X7ofvAvb9QWaqdlCM47/uZdD3PuOk0rN3UamB4G 
-0VypiUpKI4R//69nG8kTCB8qLjjZWxPQvmtPhj+JnNt+9TB0xAhOhIrtfz5EYWmL -cQf0D1r5JUfeeJkFyd8CAwEAAaOByzCByDAMBgNVHRMEBTADAQH/MB0GA1UdDgQW -BBQgseI4jmaCF37DPSVAkJU0EhRpjTCBiwYDVR0jBIGDMIGAgBQgseI4jmaCF37D -PSVAkJU0EhRpjaFdpFswWTELMAkGA1UEBhMCVUcxDzANBgNVBAcTBlRyb3BpYzEP +AxMKdGhlIGJpZyBDQTCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBANkY +oZ/9Bi83Mn6PTnbxo4JgJRCXcfaefgScjIxKk40KhqBozEBOLBwz42GAWJ0rVz2+ +kF9ZGApAqCRmlann/dDEoOYQfSL29XUr+dr9h3GATtzU+9xfa/0BnykZAAcl6MFV +MYy4aJUY5wiOaeaanDAeNuoj+RVYCZAvv23IYlIrjU0QySx8ykdIs+IQ75W6+inA +PKb80Y8lj7TpArbicJoo29JLXCzHRMRBfBhNOAf6IVSWKcabyq9HmYFOwhPd7dLB +6gZLrh0FEBrAju0IMGf8RlgaDJAqpda63DU4xrH+8yZcR/GAxa0Ax92AM04b9Atn +e4xz1cIyrEcDj/EM+E9YPWTyag0dRMJDpC6BNajDWQibScy5D2UA1wL0MjHJYenS +e/Xk0gEMjsLK91Io8rH9LfNoIaASqZ2tN+cO/UuP+vZCE6NoGTLFWKH8oMpnQfk6 +ARgA32uy+MDmW8jWM2vTC9JOBs3oZYtuS66VuC9CSqtG/S/4nbK7O/14Ooi0YaZQ +cztDE9EP4nNKwTWKidTioUXAVJcF1FIzltxHsUClUyII6s3hHeIeRxZN9UBB+lBN +QktjZx3nRmeMDfN7uBWYplX406c5jSPH4ZlDHepTEHddDHyy0mhQwKa/hhE2hZjZ +63AYhc0DyaiJp0PsqLyk0FgBd3HdvNbT8hyjgtqKzinCsb64NREPCDzLcxC9fQUo +Oxe58VnfI8HtnylWL3CTNFEiijotDxbpIFGxXZJHS+GsnvsSd076rGBVCv2GX9W9 +EJ0zZgv/tq+fdTV88Y4CjIexuzTxE6q5DKKUF/BKVyn++jBWamoWoh/RzDbKcsJP +sE/rV7h5FVMaX2KfhdcYEaJ0kg/3RPzGuWryV4e83x7YvBPeMxSWEHW/ydHWc+PI +6a7zACIhT3YnJqPrOrXijr3G1tMG2L9tHVV87xOftVs5fu2O+feXBv5T12xj4fgJ +gEbGkS8AiuiY2c0EGH2dbgrzBAR7ubjlAndMOSWxxD874X7KLFw0n/zck7BME/hH +o+k6ZC7OI1cCywVgaI1bZCPOkyLiHTzKha6nc6KjB0BQnObZatDTcWVg/uS8WyN9 +gRgv+Ga8MRJ58te4GYHlV6kbSuoEfIujWL7VDFi8t3b+U4Uqb4eaPuCdcnEYje1g +8r9gFdUeg50YL1Mk5Roz20K0KKbz5yAyptDaGB8ld3v6zbvCw6qnZA3g7AXoFHNb +Y3HTU+r4USSIxonGIQJPMVa0xtfNOInxix5Hz5UthFeZ25KLzLOHkfTTr271dwcv +Cm1/ExkdUtSmtI5IKQofNJk9x237QLTOGZNBUwg/1ZAYa7T1d4ndmo+OTPXEIRUu +hAwmb1MJjmHavd9I7NMCAwEAAaOBzjCByzAMBgNVHRMEBTADAQH/MB0GA1UdDgQW +BBSyeeMzGfYa1Z+R0JX2b+biUseWujCBiwYDVR0jBIGDMIGAgBSyeeMzGfYa1Z+R +0JX2b+biUseWuqFdpFswWTELMAkGA1UEBhMCVUcxDzANBgNVBAcTBlRyb3BpYzEP MA0GA1UEChMGVXRvcGlhMRMwEQYDVQQLEwpSZWxheGF0aW9uMRMwEQYDVQQDEwp0 
-aGUgYmlnIENBggkAnwH/u6QXMIwwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUA -A4IEAQBi7pMGytwry4CalH6FjQSlGV/gF3HMMzDZ7Byf2m6jGs+8f6R/s0ruATwx -VbER9ro36xCEJmrDVKeW3PSkcyJAFoxribSmgLaWa8E9O4GGTv0IlLDyDRaQs2IY -icskfNCEEq6p9rnkA5MXq7hVsojafc1CShH4Bw5QOPxK/uX09DGcutO78TBdPMja -jDoZi2toOUv6AwAeobbwKdRezRBoQVA97DPpb4ex+/AqZF9/nJsuaO9P87RtvJCA -DRK+K/xYWeo9G+QrqSDxCqL48aDE6WAaaJkf3BzVj8xm+kNjWkpNHAt6Tr6IdUUt -PuWyr329CqwiEDQcYt9y3fvi4LKkJRmKZrRoUWdD1ChWe6JbCWoa1mop6Wff1JU5 -WtY3N1COrqfGc/0xUG4pysSbzlk03UrHyRkCHOSt9AukxvWtU33tGN/TqKBLwntI -y8Nq4ZdSwyni2INV+eIogZMt0CSejLb4dsrBMXCRfWeg0T6tL1B0upGb85vD2fn6 -m9xF1SDx+IjDfieLHjECE09fSi+G2oBebhqfWEArRyW8aaKjwFaPBL7kGMASJ83Y -9HLg/tgNqSc4MI0+3Mnt9bPi83Lr2piIto3axB/GM2XP9gM+nxy1i63JqcfSWhF9 -eFOObROXiMSRKvJx2jhN4lwEB1TvfgtL3szDXuIuob8hsRZHzvlXMDxbZoFuwnLo -kU62uqq5XR86B7TElwEBZkPIFTyNvp051e/hm/6uPuJXSDFAiqiNX/dzKObpEzOh -1Mv+xQUVOuN8dRu/2rBKGp+vuZKEwVayjKF0NEmeygNMFal0GJ1NcZcydxnO8U0g -GeBlUhDbM+eHmTCO4zzbTHydSP6x+eBbdJq9figqqhS4OD7SWPYyHEEeDLfs5Vgr -ulzkexF0JxGcaQwKD1gFFZrUWB4J1dY7YIMPiQ8kaGsl1sGQgD7axnGRt7WPc0Yb -HqaGGvV/ZBh88HkZPzYZqYwtHjVjvOkbCS8QSHvzWZSUKkyH/hKAHRcQ/g1tY/vF -nSJYydt5qKhyxa+A/hbgqDNQpQscWTQ/lRBZakOfkpB8ZGd/EFbtV1tt+sHpToRp -R/feABVYl3fa4jWT5om/I97PrKC2Jm4/qEx8P3LybUwUbw91iBRgVoQt9pU6PvfT -YBnVz2N8diBGj8yZ7wyTxNiO3WjJUldrY4Q2FADUm09fOBw2pcF5gnor54NBKXT2 -7K2B3GoaNa3+Tk0bE5WhS2+hyolmt1qeu/5lGfbIUb5UlAxBYFOLpGuoDFutR86P -MMyFqDMRWpEtqSLa2MA1WRSrS4v8r6wawpy6ZfX0B45TSDt4RemgqKVreVg7Oe13 -tOEKBYEvhpvq0ZQgcaUWPVE7eP3I +aGUgYmlnIENBggkAwAWWbyEM6rswDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEB +BQUAA4IEAQCUNIxuOf4Q2sTdTP6xUWPUnhGGes7LAEacOIw/QsFyEFbgaH0+lB7g +nc1I8gG2/ZuvOBPo73s2oRai2Yn0OMHonJjlF+21iYAHyd0+XjmVbMwOMwJyUyV0 +QRZJt3i0eel4Ti6ml0w5qYoNoRqMh/xgVSFlaXaXl1TaxYDT3ZJNkajCIw2PcRcP +HYdY41GpldLOUsyeqEAP4ktbwcHGjm5ThmFtl3PsDEoJpZ6/bhuy82GIImV9nOzl +WEhry8tJL7l0N4znrjze/Lu4UknqqU9Y/Blj3mR+MYQMt2/dwqeqPsy7vk83uC2C +OR+WUHjWSBn1hBScGUBUHWVMcGn2j5A5+k8LvRgSvrBDJGBzGVHDYtix5g1fDSM8 
+Ocb+7shEsRgwu7FEt8p/E1QiQusO5sOkT9AN4430nZEn23SY9dejyRgsCMv2fgK9 +dY+FQjwubcY5SKvLcTEWwMkgeQkRs3Qot9h6rufPMsxjoI5D985ShpEQeJq5LXDT +yK8hvSUF8IXA61pGtQ6CfmXmdaESq/33y3CD6iDtnifrllkDXu9dZHmpoK0xm/Ng +CJAO/i+OLFARI92X6fMZ70dgOlOsnftunDkFstL9aSUwRItvJLEvgCO5ow9AcVBj +957BbAvyo/T77v+Sps2yWVy/ryGyOWfjiMGna6oL79s/TrMTiwCJq24++rXDteMe +x+dGQwkrXXx5ETIwbQeUhHyNwda9JxZRghEjpyIjfP4J0CO/KzOfHWFsnS35R22L +5a1johlMA/cNHj8Scn5uCQA9QZD2npSDSYDyzB11VC+yWNXuY9d9/y/VsWCEyKKg +IyEeqcMK1a/tOVSnLITxMrCWAdt20XDbLuqMeZTXFLTq5aP4gTZWbrY9bJDzDtaq +7+M/Mt+VPz+C3KGKyd38wx6dP8mb/5sEax9JgZvpnVQTCRFzi2AOGEX75LEQOkYI +Xf2IwkYCeW/o3DhfwqyzxyjboQlabD0GYsB7BrxyGEQ8XxspGb2PNa5Lyvy7WH5L ++8v4++gtDwqkDID/+hO0MDfuqGrCyThFMuKBwqvmo/z5xia2/s8/cUteQXjxQW2S +4to6ooB3Z+Llihgkd5wM0zVm9GnQbHr3oaeqOmd6CfvxVzkAPAfDm2tW1hamme84 +Dw7n0NFromRErcqE9HRZ8l3+BR4tJ96ZBCZNNlfaxAT8nvMXgrwsAUfTSifnSj1+ +XMPxYppbHsx0OYmZY1ApkQuIU3T+VaJBAS5owf136KgUO2v9EuTRslYjMeHvMxWg +UT+fvt1dbre29hVV998ZxOT+d2YvXh80NtN2sOv3MRn6DuHi2vdDo1X6msFEjELu +65zrURNK4nhfrN2nS/rV671gDOVI1mw/ -----END CERTIFICATE----- diff --git a/test/big-ca/big.p12 b/test/big-ca/big.p12 index e554dea..f76732a 100644 Binary files a/test/big-ca/big.p12 and b/test/big-ca/big.p12 differ diff --git a/test/big-ca/big.priv b/test/big-ca/big.priv index c0ff3dd..5804b26 100644 --- a/test/big-ca/big.priv +++ b/test/big-ca/big.priv 
@@ -1,99 +1,99 @@ -----BEGIN RSA PRIVATE KEY----- -MIISJwIBAAKCBAEAww+AGz4RUc44Da7Nop+ibWdzYmYJKNhMFwlXc+Vm0s77VrcH -ZF+nW4n1ictmgkeSaIh27ZpS9Kd0RDasPST0QH3IcI8jypqrYJYzW4mA+3aiVadV -IgdUR1TbsPcANJZNj7pWLE9wOo2OTy4yM241gkavVrMvrPv2KDxEBDIeEzNQR2Aw -EqBITod0AZgk2OqbX5JaWIFeLzdspyYHTtwGXmspbTMPZYBOUImHXCRRG+sKmxUo -GZVwryK3CyXkl5ufCbBAI3SBd+OdF9MQzhGnc9B9j0jJ2DA/vZOj8mi7wubvecaD -bnVcu+9gUWc9f+yNnelE8VmRmgXicRBzrX/OJa2VZzcO+3BvGgsw2rL+O2t+rv4A -H+nX298Vnf68F+CqM9qHvkwLuBFFpHmJry0OVooa+rw7uIqjh3pAGBfaFfgU/hZs -+7WEf3U6G9SSVhO8Nz7MBCeAS1/zRY697fxNVMg1uKaGXGjfFIETJ3Rl2mCrRYpd -+mZoehSmq/KtAtNoBKHKEeozOHmL6bckqmi9TYbeM7shq/S4RxFY4otJmMNo/9NN -iKbOLvU/GQU279r+w6vXpVyFM6v5IDCCx4z08xlOwUofCB94hE/PWQCFYzPqudB1 -8GDdD/ARzc2qyAXUYy3q20MWUYyurvBajn1oTTVH/65H06I/c3obERXDpxjZ7a1Z -FnAk4wkzozbtt+Rcb5Ge5y0Ll9QE5doXK5QctquzZijQTKC7Qw6BjPZY9uMh7lZs -pgL+xmNwkCYPuUUajd7oKEePGr1coIsPf63jZKHaf5zsPlHQXZDRATDBsJxrq6Vn -lslMYFU/wOvUGIlEgKAFyageEdWD7/O8RECodT1+TmO+lvkEVA9Lf9F5Fgf50WKK -rM2EuN9I+5ZgoVbvReDdAdAG7Qio10mrU6DxIhwPEn+SI1tboZhhvV7lkNaOzOG2 -w+8pPyf2ryyo3onNxfbaf17VQCPPS0mfbPUhjcUkhqUqbKj4OC9OEATy095xbffv -T8sjrhKVvVagRhPC3WOzaFJeo4Mx0LjEAla4hAkgjE0US1vk8T1qGlXz8V/u+6Rr -wQbyMs6OJ80KtKmQ5h/wRseBu/6P0lDrx30wNd2TdiDOdeRCcQdVvyXDY12OF4zU -atMd9HPhWVtIKFIziX+lkLgI0sHuAi2eAkLmxK5z4veEsWqpuKWgVClTodQqc8XE -GNWVpp/sdlxWwFZV6GH/qM8O661HhDv1BmtzEFR66Ef5fuh+8C9v1BZqp2UIzjv+ -5l0Pc+46TSs3dRqYHgbRXKmJSkojhH//r2cbyRMIHyouONlbE9C+a0+GP4mc2371 -MHTECE6Eiu1/PkRhaYtxB/QPWvklR954mQXJ3wIDAQABAoIEAERYgweImOL0Abnx -nMW1b2EsFUbN/7mbCBYuRMEsCPomYfSBTwrBZU9yqGDuru1JDKip4Bnir9xfbCKW -kYUfFKIgMIIX9W+BADloh3g0VshFSh3+8ppovQP9XLjF4wGKBIUuwhDmiKlLfiiK -RDa3D/Kkt70GLddLtXVloGNj+Bu8KA3KSy3LkWpKlcAVQhvrICO9kQBf29NpdR2f -+oGMIIMmwy4q7OMgsNARUCdd5jmFAoNSR2mnbgM/g6lZTp48fd4ULnT91nteemWl -o8bAcs7mp4fz9h1U0pCnUZOXVOq2pgQiJV0nrCWBe1sqdGcFSJ2i5XA3dQfltfDt -1cpd9KpJBwdSSGKbg6I5d5W5j9DcGlhQUVTdR7AXm2hvoBIxuxFOKa/oz1ZgXumB -WFfTzqlN3KQsHjTMBv5qPFj0yopWEWzyCJ+te055kbG8qsWURqeIzk1KVe6TIRcn 
-K69ebu4c9I3Nc1ifukJh84cohqOcqYZFNCaPiV31LG0lK6/IyTKOSdI7IFVSaU6r -yCIZbvLiJas0j1jD92mXT3CZY2EuXvT8YbdW0vmrHr+yjww9zHRdGsMrBtUTFchM -lxY6cn1XSbv6L6NV+5FIsZs6zoHy5/TRcPGXzv1Nnb9hp8xMFp3lsdu/xusuAury -9pfkow4idCbHNw2VVOwuRZuX56T9OIfCZkdmLsrHN78liuWoZq02jEWFs8i/ZCQ6 -xTFd52D9yxKVbWJ44kca6rUtEk4uNyvq8a8/rZoZE4P9gzN4tHDRDmP7vqO9Q9G3 -pGuYsyk25I6usdHpUGcP7gfXttIDens+d2uKuVFwJuHmijhrOduQ/8iGsNLg3xKq -SdGoommvzJGUGbe3h9ghYW2XDfRniRl/c+wisUHb/t1yhGRcqowh22KbOucdYkuZ -W96BVm3Bt2O/sQcVPeSxykvhlwoJljED52HgDqUT7grZMVtYDJuI4KF6RgK5ubsT -7zbF7Pe42P95XzUp2mEPW4unU8H3MA6tJ/md7QEfM2ZwlNDcYDhYuFoF6lGOc6Ug -8LMzyfuqeBCuYBHr9TM17oys6IkmY5BrUi5JKIobGMM0apVIzAv1anLxgE4yY6K5 -/NTvI/KKdYSawiH8XcUcMW0nhAWPBFU/VPcoLzYX7DN4iUQaSL3ArPiif3mWQXfH -fQiagCxkOZdIlsVn32asoIlKnWM9/u/7Ww3G8dDDOoWY0vgZ0rmW9GpU6W9hvxS1 -Amx1nkeLX7JWxdJI6teQRJFBckhmc5NS3gOiFUwggwO2FYornwdlAn3z/XcfqCBY -jnkdG7k/hcojyduQ5bY0yxFxGmkMKdsj2IeU16F08ZIIb4DGknjwldXQnkMdmk4c -HSv4SEECggIBAONthGamE/BLTPVCvyDgbFCFrkVBgz4u3xZp/ag1hEzBDNjoN8lp -KGh1eRLobWIx0BbQnor+WL/TIOiRF5DWgqRoNampf3uZAgHuAX8XwS7nbdeX8qf/ -dciPR5Iw+Px+/GeagLUOtl6TizG3oSuw44tEDqh58N20IpnxfAJUnUKn8Ax2q+HO -rMsZAT5Ax3qSyABr8VXh5GbZ+2q9UL/9swEKX/gXz235XqT90Q3Gh3GJtoa9pGBV -6kYaZuQgcQO7CNomQTcaujXf1wjzw/ktu8eIBKuLTvD6yc8OSo19QBj+gHi5G/T1 -9hZvpCGnR2MWiUjJmVA1yOkQkYmT3RP/BOs/+tkYENxw6yMYMEul4rzNstGXhDEA -PsC6EUAmElnKuLLzbMsJNPPgYPnQULIPMs80HQ+oAkGEc+0ldq6bniNGgnSvMQ3o -ziRiVf+xb9aQjpBekb7RZMbdECS+YKmkubzUCs2DaQ+hWaFLOyIqTw1/Pj091VYA -me3ovLn1lqJk4szSA9wD2qz/YPRGQgtiPHnNpRYmllNDsQoayTxYbxOxJOiuVONQ -Ce9sqYsJKH+PSaem68Nen69iR7zDCAokcKnVGxk/4Qx7NHGJyZaewPny8pKgEQ15 -MfOjkUReP3u3tlXtzv9mNrEyuSMDvMPCj9FeL0mI8yFXMeVzme3F5oyhAoICAQDb -kP6pLI/R/F8dkChP0lZdE/tY42RgyVJBfNfV6jLmKw2AFevxkBafNs+eHIcB8uZH -Xx0DQ982pa6V5chv6egiASq9w7uSahZUdFuWMHXMmpyp49PHCugW6zZhnCWL5O6e -FbQf+ZifKFWeIN2gHGbr9sfXucxlX0vnVbBBGXkZlo/JKeKoYD9L3Qbr9SGRIYSQ -gxReeyBDZqynQSqSe21zFCJT9TMYChSOMJafIsDE7+YG6n/4TT5e1E9kBR+G2Klk -k5tVIeTpJdQnnes7PW0AK7aJrMIXyZuMWmjU1d0agy97LmZoPQ+eg9yJ5jSkzoYn 
-1GqtQFw2MFZD8PmeGVBnp6fVUmeQt/ydEWEKUGKUHdVkRSuy2bZaJkJLyzjJL3Bj -QRNEKy4JTNjFwlRnbrLo1wp8ug/xMIV/d6VBdAYaxg7PGVeaJdjQtGcJlUDPPCB0 -FPVldfdk5q5ODcP5CvbNjeAELHw5MeDvgLMhMfVg50wMYDwOoMbelsYowkVtM37y -smvGHIQ0nEOrwbJRgtwIaiPjuwqMRbi4X5SwZCN5CJbTH80oehcgQkJd2NTLiOuW -MzQrF4qeFcFM9rL6HnMiZGPSY7nbMJNsevpiUBOiHeLXbXGfqzubfTJc/A86nJ8r -sIq3k80D/hRCoASIxFYLRdJGFTB84lLVV9jm0fJGfwKCAgAr8mW7UCxaKrLcUeGN -ANDtXmemilpKEdSaCDEz5+OA0W0iHP1qth9Q0CJtPOymJOoI/pckVLHhn3KkfiUH -n+vuyRRVjKNNxutUZCF15ak23xGir4H8ZKjl8Inr/fqfEArGGlz0n7st22TyXoGO -Z8gQiT4r4CRjMwPcq4VDDga1cq44OlZMdBt/w30yAmKJlQOA0Vr5NYVlOooSvjJ0 -ZxnIAbE5x6AVqDJZv5I+DzbtAad7sfmpg/CZS1DGlF5CUkoLnYjMlSWWc4KiADjG -VcgLboU4gNroRg3pLOHLJYDVU5iPu3VjiIPdIgWdWy24QAqXPh2aGkqQftsgsqnt -y0GwE9TtTnEzp75IMcxjUdLWmQkM5zJsJZf6tfnPY4v4Pewi6FcFhOnullUm8NIn -FjjDQVa8R8Ln1ihwkuS0KO4N8voSgigAgBQVg8sKdccetyBVVXDkZqIKq30LHJ6h -KWuayX6s58/NbWhceqUanQJZoVTtkJ1A2SzlhCuz43kQOF57JboJMdV3yIF7snfg -q0L0ZoCYHyy9Oj9jrHlmZ9BPBdQUAlv08Op6kYzRiRuCSrX455B3WDmTMnKaTzWm -gBQlPUDXSDi8qLIhnnaN3G993SxymOuyptC4O8s+YtfxmDZrtGBjieTXqO2NjpNT -YK1Zz9FjbEtPDgJeTFBaWfuLAQKCAgBPG0JlOUTn5wFt6U5c0++BwX1BXUwBAwe7 -yHsK+0IzYzeN+lfzxHIiEuFimeyaayVEeaQ+VOnLCo6IOy2oBKI5/imkDS07ZzV8 -YB/PUM5gVSQ0oXzfrbJI7528NUHh0S2Xj0JCcu7mCOYv/q9azGDYiyUdODfIHjl+ -s4S5L7BN480SMSEUgPjNIGkqAjuByo20c0WXdMz++7Mg332zIP0iBRMJJMKv2pHl -WOQrmZ3SVoyN2VcZ4tqh1+RyqNXfA5ikP/orBfcveQ2i6GakBVGMSjOODswvPdfp -DXnPlO4Aa1tkCiejTryd4+xFUseMyUvUddepbBLNA0VRXTTSHVS2w9TYKsRdg6xj -+qr3yFZ7/vOvGKzR11a3zCj+nc1rzsezOvLyEIyZlTJUrdszGNMkyLVikrbDszOl -5TmJB4BbjRgwzXSeeRxQtW6aKUgcYhFfQV3YnFPx6prKTHNa+vRIwuD/H/fxs2LT -Z48iWpmJvEvN+a4ppwt/jtr+PGA/I9qNHnNuAUAwpExNSZAxhfA4p+UeW3lFaKlQ -5D7x/mI5bTrJ/h8wgixq1vSKU2D3o/EdQH1/ORAcPMJUNF3vd6ELtxev6XZA3pN+ -9h/X4/nu4s2jyC6z1EG5l7XZgocKGvvOBeE0mu+2jIhIKNb5X6OQlCtaTLAXjoNB -klD3eJTNiQKCAgBK7hoDqYRUQP29WKGaJSk91TsPO3zEErB8Z0R9KiX31TC4Ln9U -eh4dYvQvyQi0agtP5/+eQBiOALqRRwbzoA0fI2s7z4KTTGlDwnFZxIiY2ylYgBFV -KPb/lK2UurnwxJQ9j4GLsVOBhD3KXZDEY8Jl+Gr82+azDeMlUSrqXzj4txk/RkZh 
-BNZXlBQHx5ouWUp/f8dB2jqVnsn6r6EqKwiLfFEd6z9IAlWQtENBwGq5kRG0BZ/6 -f00dCh5U1VE+Kx8eKlyXVqscYndLZG3bJbQBYwXKGh4fku8zEiBw+yEE6/LZIIWQ -KYrfIGu3r74pQEG/ZYdxdCasjidrdgZRrbjeo1A6R4uywI7L8bOzLBzu8HWIwGU3 -DTDcBRR9EU/wkKsXUhi0RkDRGfamDfz4DIxGOdHNe6UXSW8MKciOxI4gmO44VkgN -wxadNnt27+puetDXQZdxRXZgBN/LZeu9AzFwclI3WtjiHCeS0Lp+GjpYB8wS2rOk -3zqQnIx0He0rVuVEMAOdvMrtFw2fuU1EomrUuFHjOkq2ulZ4wC/MvXgEo2c6puKb -YameI61Q3PdY9IwWoy1QOt47cjxT8MyZYnWHuOUbeHUFwOqfAyFMRvF1+G0l2gm0 -eWbX7BKTYYLG5NSca3N40zspX4fXjzi7wekoRmFWrEe1jU3KzboL6iRLeg== +MIISKQIBAAKCBAEA2Rihn/0GLzcyfo9OdvGjgmAlEJdx9p5+BJyMjEqTjQqGoGjM +QE4sHDPjYYBYnStXPb6QX1kYCkCoJGaVqef90MSg5hB9Ivb1dSv52v2HcYBO3NT7 +3F9r/QGfKRkAByXowVUxjLholRjnCI5p5pqcMB426iP5FVgJkC+/bchiUiuNTRDJ +LHzKR0iz4hDvlbr6KcA8pvzRjyWPtOkCtuJwmijb0ktcLMdExEF8GE04B/ohVJYp +xpvKr0eZgU7CE93t0sHqBkuuHQUQGsCO7QgwZ/xGWBoMkCql1rrcNTjGsf7zJlxH +8YDFrQDH3YAzThv0C2d7jHPVwjKsRwOP8Qz4T1g9ZPJqDR1EwkOkLoE1qMNZCJtJ +zLkPZQDXAvQyMclh6dJ79eTSAQyOwsr3Uijysf0t82ghoBKpna035w79S4/69kIT +o2gZMsVYofygymdB+ToBGADfa7L4wOZbyNYza9ML0k4Gzehli25LrpW4L0JKq0b9 +L/idsrs7/Xg6iLRhplBzO0MT0Q/ic0rBNYqJ1OKhRcBUlwXUUjOW3EexQKVTIgjq +zeEd4h5HFk31QEH6UE1CS2NnHedGZ4wN83u4FZimVfjTpzmNI8fhmUMd6lMQd10M +fLLSaFDApr+GETaFmNnrcBiFzQPJqImnQ+yovKTQWAF3cd281tPyHKOC2orOKcKx +vrg1EQ8IPMtzEL19BSg7F7nxWd8jwe2fKVYvcJM0USKKOi0PFukgUbFdkkdL4aye ++xJ3TvqsYFUK/YZf1b0QnTNmC/+2r591NXzxjgKMh7G7NPETqrkMopQX8EpXKf76 +MFZqahaiH9HMNspywk+wT+tXuHkVUxpfYp+F1xgRonSSD/dE/Ma5avJXh7zfHti8 +E94zFJYQdb/J0dZz48jprvMAIiFPdicmo+s6teKOvcbW0wbYv20dVXzvE5+1Wzl+ +7Y7595cG/lPXbGPh+AmARsaRLwCK6JjZzQQYfZ1uCvMEBHu5uOUCd0w5JbHEPzvh +fsosXDSf/NyTsEwT+Eej6TpkLs4jVwLLBWBojVtkI86TIuIdPMqFrqdzoqMHQFCc +5tlq0NNxZWD+5LxbI32BGC/4ZrwxEnny17gZgeVXqRtK6gR8i6NYvtUMWLy3dv5T +hSpvh5o+4J1ycRiN7WDyv2AV1R6DnRgvUyTlGjPbQrQopvPnIDKm0NoYHyV3e/rN +u8LDqqdkDeDsBegUc1tjcdNT6vhRJIjGicYhAk8xVrTG1804ifGLHkfPlS2EV5nb +kovMs4eR9NOvbvV3By8KbX8TGR1S1Ka0jkgpCh80mT3HbftAtM4Zk0FTCD/VkBhr +tPV3id2aj45M9cQhFS6EDCZvUwmOYdq930js0wIDAQABAoIEAQC5aHroq2yzuF1s 
+jzGBDgAKIdil4eGXsWaIw7aZPjvj0eCGcNo39UtgzsPcCoQjvtckSXL9q5aHcw7m +/6HEWPiBatzLf7uPuACMEIG0EKCzQ9SWb2OmouwUSWVH8Sz/7dVqADtwJjJTW9A8 +k3xIUTUhNzzJHO3m16hbNxwzQ1cNPFrSPYrCbtVGqgXPBY3If8aVD7P9HaBPs9GW +vQXvcVafolOSt3/CUnEdd5vnGVPIJEyA9Do7f+RLbEfikoPX+craG3il5c6OxDsr +zdaDA2Jr/J2LMrwWCAZYbIATCClR7R52XYun6sVoamlHd+zZQbBcaQWwP2GJGEPf +5l/xi5UqFn9gjlQaXSvTCXfXq8xLFIMegZk2ubo3Fc+Lm0ifEpGH45awu7rK4JGw +NS2iQox7jHHJFt7Y2fd4TW6X7EpRVWcNGAOzo/0ZSkfXGG2uTx+eHXa/rEcjsNcX +z+UFkkKaTMUk2DSheF/5A7qpIP8LhX9F5jvn01nDQnsKj7rV89AN/VlcfH4ZJ4rL +0kVOV8I9SUxYyNi1nmnlxl+KQ8RTJJ7qS1lVeXRPIHKvzuas+WwxVrpOrldrx5Bu +cMOddcUS1KsCc583i0RKEbRPc23CKSy/9HzspsBiDM1r29hBLSJOF5cmxhrHq/t2 +8BElRqIZclzpPF9ppOlZQ+vbn53qy9twP55kpXmE1ablwyz1VnNaWwyMS1zFc/vq +Wpn/CTCzZmqo5pETxpc2aEVPIsSmjakYL2+xqoMxFso9uBFmxe92VjvzlbJtiq8I +I2COqm3Rj3+b8Y5U47e4mQXmcyRc/XSCANM9bo1/l/9YuOwvkGfEm/L5eSLAQxrZ +4LY9lJZa2GWpaulPqwUKVsE1MiUj6NNjU3eXlMyMfz9agL7AW2rsgX3yYHYpzL0V +dS+zg6UHmk1WL6I/b2DzKVUV809I5FjPFEEHoQFDUGYedunEHFsCiFYWVTKbPXyB +6RK62mEd+a9xTwI1MPXyMFK1460+58F4LTv+VbnNfZDF1PjWSYK444j4YrIT616w +gULc+ktrplbDs2Cz8ILJKhFHDIf4qXr8wRmM0lHNcAzQNvAUE7jJgpUxYtvN14gd +4DD5auFzkbmdbapVIJ7Q3bEXKpPRbofcurmSS9CMRr+S0q64iJ1jvAXqrM+YIpT6 +Hs3h9R5wKEkGAJ9bXaan/jhNcla4Q70j6286iMJ2TEQzdGG3BgeQGm3P6xkXhMvQ +BQrII8jNk4ngHDvb10A8hgxhox02paj9EwCUB/SQ/HRtuT9U1cOimsGqT9gj2zHZ +pqSK5WKT4qErnCbaJg2uHn0e9MhrZlldad7xFLhPl1xy50qHpgCL4Xi8r5yr4zhh +fg1R3c/BAoICAQD9MYjbfx4xqoiMKLEkoeTyEBN5s0d63ihomlqBTcHeC6BI2VLf +Rb8Uw/aE0Vd4rRj9VF6fp4tIwklEesO9Rhp+FbyTtHyjDikOOpBKhG+uhkqoac2M +1VUuzthkQzk2Hy+kaGwcKFRbqSH7HAldv1Gu8MMgaiDeio1hfgPoi5Ud988CiQcz +pLRbSjguLdzjZEw3zmrTwxMg3Vp1AKjAHsXYFNWLUTVFCyqxI/sXhgoQkN8RCfPz +8tHD6qKP9LcmDhdnpEG1KJxCvfJo26+Yh92zUZMuk1cvhGoV0zH8fcQ+7ac0L+qn +M8sGIOSpbgSkoa8YNjywiOXJSIDbGTLzJo+jcXlCU6XRSFm24fzoGR2vyTUWZ0wD +rvWrP546PD7insG6i/ulA8ax32vKq01rA/uErHkjXx3NNj0fAzuNRzdZ+p65Llmi +R5veDXbax8zBmjymJu0ohz11Q4CcCMEnJ0aqc5GldE9zBxCqXjbulO+3s6HQoW6V +pOaPC1NAZdFWvmdT+nGc/diQmjRzJ6z8LAvfJuS95h7q/SXHT7aU87hg7wfpRJNH 
+w4k59N63fBq7Z6ty1C34IN0wbRDzIsPuiw+gub8VbA11e26BhVBepP4z+hOHDYVD +HDU9RFaW79TmI071t+GsQe/SwpGa7U1DNq/HnIkidLv0/2/AhhEJpqgzoQKCAgEA +24CqpriNPOfKCUwUxM9F+0EMzVLnBpc57u7ZG5vsy3BXeXXIsoqJ35vE/C9c0Vhp +ZbgNtDzfgvvTw0BeqXVcSxL8VpKCMxXIJbdRZrx4/tNjV/ppYMUlo+Z/xMhiBvgb +G42v4LcFUIKzD1JN/csliwxrcfSjD1cDKmBJ57l8TYCWB3K94MdZRDA8jluwpnRc +HakVemJYfzeWASSnnUzNmxTeTwyTxd1HcUqCf56pkVCJT7vJcaWFzXRjVGV31A/U +abV/265MauMUtdngfHEw01I4bHa2SOgJSJ/dxWlsvLtp7pgCwLJlr6HVc1uDxCBQ +vGHYHdSOFVp65InFNpNgRd6ZWm06LzBJnDHFJa9+EJ/haUZnnm0Ng9w6h+qi3ALF +ai+gmpKgDfK33rV8SxvX04cIZaBoqIkk6FAI5KUGtfCPLUuugmOm3Tq7GBa/pXvR +OUcEdLsF4yBzWzzgUQlgzBahMfBQHUzy3zFjYJ5u/QNhOqh4+RKFt5fbjVoO0vTy +BHXrn1YfKNPs2Bnz5f4c/3gUSHCefgCSJ/d1h4uWFhfSv43BaQPLe9PgAyJCKP6E +eKiFATgmgVcmAoh4er3UY/g3b/n3yAji9v5/aXdkfNpX/dCYmnbhkkO2IjYn7Sy8 +o1yddJXqxn/rcOJnGpLctoMR0rgTaM5/zQXZ5DpoC/MCggIAO1tVfj+60GHuSQ1x +GelqRuVF643//+n9ByjIdu/Ht0p6dRmduAId3bxjGpgJLZ1G8nzJAhzBJnmFu6wc +H09D/rMR1n7FiWRUc6V/FjkeBYguEHVdXtrUcXjEehzYWLvO63gfgCpkPGjWMoxM +FdI4UA7Zb8vxkLpikqx8NhQjDTd/LFT7fzvpnE02Bn1x/00QITUfDi35WgcKoctZ +xFByiUm5FkQffOQ1Sfnpb4ZY7bFI2jG/Iz2Vt5xWJ/FyzlUXX5C+Zr3yhCMLpVF7 +RQL1EojZPF4GXnlodV1hppPFYgtM24swM6qMug8UDDRimkXdSovMhoZReHKq4rJx +o1cy7Vo41zfM89dGUP2B0Neygfdlnq7wvxxRM6hia7yb8XzOZfFTOUg9WI3MM2Md +by0r1dqpO4Wc8vL4OUEEwQYlD88VTsxy7vxiqhf1+SxF8E08Uqdlic7Ktabxi6Lx +xUAL7QHS7zrpNUo+ufIEZsI7wJE4KjTuO97AvmAlUD+OaAuTJbjc0bUhBCVijmyK +vUOGNPZlQa+lJ+nY5XTmlNzeKLtg22rcLELG9PNXEyThD3YqV20uqbDqqeOnyZgo +3s9zBncFOPxv207ohSy/vrBnd7/0vACLcUQ3pvlSY2guPRWh+TD2ku+STZKXl/5x +0oQLiXxFGfLL7Y/EnxnO/Lg5ToECggIAZWjubpQ4/HiCCQWTWtIAHPKSvZGdlpfr +dg33VCAXqG3AnCbkkEgdJqfKvFANa9KS7yG3gxvUj6lUzpJAqb3E5BJjboPFj2By +1an5+6L7q49yCEVyxfiPSUfGo92IHHwn2fT92q3z0JxxqZR239gpAjK8uSsy4nVq +yvstaddyLERKDCrguqafATff4k1OMbj0jed+OsqQ5EWEEgcjQTMokotzocXHx9RR +m2+3FsrwwGga6DF0AgNc6+znrygp0ll141itN4sxVviOqu18H0IUMq17z/CQiuJY +16q0RO5OBGv5pven3esNu7Ti7qbLG6NqaX4y4KVA93CT8l4MNQilo+IRq4tnJEIE +4BrGYIDRl1CmTYLvgGwVoGPwzraCg27sUgCrDH7NX2RRupzSTckRT3LFWF5hu+uQ 
+l5vSYAA2N3xqSZz7hNYRU4g8xAZOiF/J69J5pox5TdPCN9bKM+ZHSEL0OiQyfzb7 +xk4FAbBwyofzNax8J2Z9TLLmBkojKydrYNAyCa06PBydAcILwqhCMW0Cwez17HTL +EZfsPrEoqBBdl44gWyobqpvalNgRBOuBvFTvDf8pGvxuXSE7uElXhNA6nIs6BLrG +USKHLuywCla97E+hEUv3LyIFVYz7qUHP7RFu1Vwl2Ytj9QVEaSyMt+2aIGZW4Ub2 +GHypjB3H0C0CggIBAI7/LJMEBnU7U/KSpgzNsv9hrwfjbONqC8bAUkdxRdWxTXNB +baZeUgz7nFVrT7LSiL+9NKIlNzbXNMPCBoGkYML9Gm/KIzFa2xqV466ceRuK90jW +MkU1w4WFnWZfzhWc/U621eLTMg/mzUKjMcgEvLv5KM1PWzRp/Fs1xeTrsYt6WCUj +TPANfXUvvnz4YluYODhlKEr8BhR91S//i0QtaGqlV0GnemkoXcJN2QF3fvDAh8hI +vPsItXOusQKxSeJUJkgJGnAOx2Br72r12NSjd7+sOsrnwyqsq3kHah7ZhH2cSFaZ +FrbTDASGoXrO3+EGfTHnOWneu2mKVMcSq0amellnxo7kRkFkUI0Rdi4qzPqV4a9j +mdwIM/iOQrYsC3lMePTfUQFJwqB8lNKoRDqjilxU69bMzqCU5iFZncyASiACv+T7 +f3yHXbLQrEXuO2Xowj6ppnohI2vdqI+UDodIh/2E2weunnRJfhtJZTjN4HOH/HxX +ANK1J3CCJSoIx4nCcY4JFchXTgr2hgcuju9C+mK+CTIGNy8BtDxAC6AuW//YD+Pj +hO/j6sXVhU4qootkxGeswWGfsylk8zrOW9qkt2/ZFgQ0ClooyeVNGvTk5wNcLTX0 +LflBnWCq5gO2d8sOehskNSR8u3rEX32pA6ZX5hDJ1mKE3xVbTCw0sPsLd6y/ -----END RSA PRIVATE KEY----- diff --git a/test/big-ca/req_conf.cnf b/test/big-ca/req_conf.cnf index 2262038..9be2294 100644 --- a/test/big-ca/req_conf.cnf +++ b/test/big-ca/req_conf.cnf @@ -1,5 +1,10 @@ ### req command +oid_section = new_oids + +[ new_oids ] +limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9 + [ req ] default_bits = 1024 distinguished_name = req_distinguished_name @@ -10,16 +15,13 @@ distinguished_name = req_distinguished_name basicConstraints = CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = cRLSign, keyCertSign - -#[ serial_cert_req ] -#serialNumber = 12341324 +keyUsage = critical, cRLSign, keyCertSign -#[ email_cert_req ] -#emailAddress = test@home.org - -#[ uid_cert_req ] -#userId = testuserid +[ ca_cert_req_nokeyusage ] +basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = critical, cRLSign [ proxy_cert_req ] 
@@ -31,13 +33,13 @@ keyUsage = cRLSign, keyCertSign default_ca = CA_default [CA_default] -dir = $ENV::CASROOT/$ENV::CATYPE-ca +dir = $ENV::CASROOT/big-ca database = $dir/index.txt serial = $dir/serial.txt default_md = sha1 -certificate = $dir/$ENV::CATYPE.cert -private_key = $dir/$ENV::CATYPE.priv +certificate = $dir/big.cert +private_key = $dir/big.priv policy = policy_any @@ -90,3 +92,20 @@ nsComment = "OpenSSL Generated Client Certificate without Flags" [ proxy_none ] keyUsage = critical,digitalSignature,keyEncipherment +[ proxy_invalid_usage ] +keyUsage = critical,keyEncipherment + +[ proxy_rfc_pathLen1 ] +proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:1 + +[ proxy_rfc ] +proxyCertInfo=critical,language:id-ppl-inheritAll + +[ proxy_rfc_anypolicy ] +proxyCertInfo=critical,language:id-ppl-anyLanguage,policy:text:AB + +[ proxy_rfc_independent ] +proxyCertInfo=critical,language:id-ppl-independent,pathlen:1 + +[ proxy_rfc_limited ] +proxyCertInfo=critical,language:limitedProxyOid diff --git a/test/expired-ca/expired.cert b/test/expired-ca/expired.cert index 45be69b..98c4e16 100644 --- a/test/expired-ca/expired.cert +++ b/test/expired-ca/expired.cert 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDCDCCAnGgAwIBAgIJAJO9tXDLWAPpMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV +MIIDCzCCAnSgAwIBAgIJAOT06wOW29j4MA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE -CxMKUmVsYXhhdGlvbjEXMBUGA1UEAxMOdGhlIGV4cGlyZWQgQ0EwHhcNMDkxMTE4 -MjAwOTU3WhcNMDkxMTE3MjAwOTU3WjBdMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG +CxMKUmVsYXhhdGlvbjEXMBUGA1UEAxMOdGhlIGV4cGlyZWQgQ0EwHhcNMDkxMjA5 +MTYyNzA5WhcNMDkxMjA4MTYyNzA5WjBdMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG VHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xFzAV BgNVBAMTDnRoZSBleHBpcmVkIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB -gQC1CZ0a6cakhd8Ql58VXnzy23ToUOp77bRTmR1M1iwiy8+h4faW+B2Gm4oGJrhD -oYp7cEVpnrlQuWQdYs+sT01GZmdzCfQ4fznc0VTMsGtpavWVOo5cZYUVfz48zu0B -bgB7W08EL88uGMBubaFDLB5Rb/yHkP+5fmis+ugKpdiffQIDAQABo4HPMIHMMAwG -A1UdEwQFMAMBAf8wHQYDVR0OBBYEFBTlEzymeVaSezNLUZA1dHU0E8wcMIGPBgNV -HSMEgYcwgYSAFBTlEzymeVaSezNLUZA1dHU0E8wcoWGkXzBdMQswCQYDVQQGEwJV +gQC9AK5saP9/piHGc0T7yTCh3pf59wKFZ8AWVUciYgGmfk+PtUh3lWabYhK7cB+j +6es3o236GLMfesl/WQAwsXHuR/aCr/NAESYdF7zthGHpxB47wHmG9XihklryOqjf +ixCFV4SQ8RM/SJa6lHCdQvWR/u3XSegiyUlFxSkz5J/vWQIDAQABo4HSMIHPMAwG +A1UdEwQFMAMBAf8wHQYDVR0OBBYEFAbNZ7iK5Ae28C18F4T8XKlvXHSAMIGPBgNV +HSMEgYcwgYSAFAbNZ7iK5Ae28C18F4T8XKlvXHSAoWGkXzBdMQswCQYDVQQGEwJV RzEPMA0GA1UEBxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJl -bGF4YXRpb24xFzAVBgNVBAMTDnRoZSBleHBpcmVkIENBggkAk721cMtYA+kwCwYD -VR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBABnlqhW3QU6WZcLsBMHjRn23ruQ8 -8CKYxN/LAl+7QraMQ1bE8rlqQLzKdnaFHq6R3P6adhnLgnyaAhYt3GozRBwsSJ1d -K0EAmbl0Lk2rdRC+53lHOC++byK1pSZM4KkwVZt33z9WkR4gpb6wyQb527g7vSZK -BLXE+M5wgxtjUXV2 +bGF4YXRpb24xFzAVBgNVBAMTDnRoZSBleHBpcmVkIENBggkA5PTrA5bb2PgwDgYD +VR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAD3osvnJVrhT4YYWC+k5iMBP +91KDTwsO1wIKhM9cFsQRBI8YGjhcRk5ppTXlAoXkbRIoE96nYrSAYmaizn18D1tN +xn0AQ21tUTwxZzKi+scDHoyeC0DFEHJJpDqRwhctazp+gS8bjnKmLHwCyDBoeRb6 +t4+7FZ7HIwpPNQDEqBtu -----END CERTIFICATE----- 
diff --git a/test/expired-ca/expired.p12 b/test/expired-ca/expired.p12
index 7716e8e..71e3739 100644
Binary files a/test/expired-ca/expired.p12 and b/test/expired-ca/expired.p12 differ
diff --git a/test/expired-ca/expired.priv b/test/expired-ca/expired.priv
index 3563372..a3cdbca 100644
--- a/test/expired-ca/expired.priv
+++ b/test/expired-ca/expired.priv
@@ -1,15 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQC1CZ0a6cakhd8Ql58VXnzy23ToUOp77bRTmR1M1iwiy8+h4faW -+B2Gm4oGJrhDoYp7cEVpnrlQuWQdYs+sT01GZmdzCfQ4fznc0VTMsGtpavWVOo5c -ZYUVfz48zu0BbgB7W08EL88uGMBubaFDLB5Rb/yHkP+5fmis+ugKpdiffQIDAQAB -AoGAbYlMkm0iMIeDaQGkUoSiKzsXaD0VMzim4/H/pW7ss30HuxYCYmPrUXeosoIY -+WqzZG6QwRA1Zh9V8OXJa6NryAkFjwIzrBpNKRXNFBnOGtJIRzmQtr97WeNTDv2o -bPFDcdRMLhd3/VPC/8SEziy6TrOmmYM7HDBnpys3QfuZlU0CQQDhIWAJqHEUnTo+ -NRPQQW4b/ECh8rkbSBvQlInrft4zRmScvwv4CpO0Iump0fuXEb7BEFCIKh8F4hsW -39i+peE3AkEAzdx5H7GRoAvohPIKRGsApSXn6Qfj3+aSfDCvdKR5VCXt6xOUR/jX -B4l2fMBNvOEqnoQcX07+MynRtzYvrT0u6wJBAKOhcH5UkaxcAwNH7NjHVdK9a/TJ -yMUNijn2XLBwC+zU0zgim/5zIZwibBdkaisJWM5Wn1H424eZKftcQ9t+Ec0CQCtA -6co4+woPtnlIidO6T9ZjUojp+X0v6xNg/1yYuk1t8sFzybIdnMCep2Cq3yqSfOv1 -giicZljFrqS6I+ZYdqUCQHpcJQdZO4iRcmtJEA5zqVOjtx/l6+BBnd95ZuZ38Ph8 -mWzzAMCUZ2Fw8ZYsJIi3MmnKqEagzH6AnpgW0z/3ntk= +MIICWwIBAAKBgQC9AK5saP9/piHGc0T7yTCh3pf59wKFZ8AWVUciYgGmfk+PtUh3 +lWabYhK7cB+j6es3o236GLMfesl/WQAwsXHuR/aCr/NAESYdF7zthGHpxB47wHmG +9XihklryOqjfixCFV4SQ8RM/SJa6lHCdQvWR/u3XSegiyUlFxSkz5J/vWQIDAQAB +AoGAZlgYG1w//j9Xyr5gfHdVflGquhCnrNWhjnZfLp8jhaSgMJFZzGd6SGmy+wyc +FYZ1eItm4ia92C4FLpBjKfrsVcu28cCAHgBeAQ6BmLk9oRGJMxwjs5QXz8YmVaGl +Rac6R/7oiBSWxL8SabFAq5i/OgVxRoDGLpTj3ymQHgKMggECQQD1jvRBjeMFXBBy +q7HD8L6VuufSZo87nfVZy2DTFZJJq2q4UyD0Ms89obkWmJmT5T86LPMAfNe7vsVQ +3nK1TWjdAkEAxQoVw61lWk2d+5zWroGZaaOyxCC0YVxgSi0HxGjGWwS8BvOFtRge +Kxt+HjOuFxgJVAXTiUUYEreZ+v3Uq+Y6rQJAdpiIV3DTiC8isn9B58RKB76xX+iw +nLZ5XNjg9pGgiXwEmulrLQWtGbMV1Vf2NHuvwcUbx8yD1OUaHyiQdgfg8QJAaj98 +6u32KBKQbNvum1zA58jgnYdxHMreFUFg3dUNmIjeBvWLlNIzelUx1YFSj5tjdE5L ++corJ/Se8EutQSA9ZQJAQnOKQsZ2wHJPUM52gyq+YETtAB1qsexeuhSJWs1v2dOk +tWuapfHTQ9AzrUZTGJ3W3h+uXcR4DXMy1I/urG/l3A== -----END RSA PRIVATE KEY----- diff --git a/test/expired-ca/req_conf.cnf b/test/expired-ca/req_conf.cnf index 2262038..18be02c 100644 --- a/test/expired-ca/req_conf.cnf +++ b/test/expired-ca/req_conf.cnf 
@@ -1,5 +1,10 @@ ### req command +oid_section = new_oids + +[ new_oids ] +limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9 + [ req ] default_bits = 1024 distinguished_name = req_distinguished_name @@ -10,16 +15,13 @@ distinguished_name = req_distinguished_name basicConstraints = CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = cRLSign, keyCertSign - -#[ serial_cert_req ] -#serialNumber = 12341324 +keyUsage = critical, cRLSign, keyCertSign -#[ email_cert_req ] -#emailAddress = test@home.org - -#[ uid_cert_req ] -#userId = testuserid +[ ca_cert_req_nokeyusage ] +basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = critical, cRLSign [ proxy_cert_req ] @@ -31,13 +33,13 @@ keyUsage = cRLSign, keyCertSign default_ca = CA_default [CA_default] -dir = $ENV::CASROOT/$ENV::CATYPE-ca +dir = $ENV::CASROOT/expired-ca database = $dir/index.txt serial = $dir/serial.txt default_md = sha1 -certificate = $dir/$ENV::CATYPE.cert -private_key = $dir/$ENV::CATYPE.priv +certificate = $dir/expired.cert +private_key = $dir/expired.priv policy = policy_any @@ -90,3 +92,20 @@ nsComment = "OpenSSL Generated Client Certificate without Flags" [ proxy_none ] keyUsage = critical,digitalSignature,keyEncipherment +[ proxy_invalid_usage ] +keyUsage = critical,keyEncipherment + +[ proxy_rfc_pathLen1 ] +proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:1 + +[ proxy_rfc ] +proxyCertInfo=critical,language:id-ppl-inheritAll + +[ proxy_rfc_anypolicy ] +proxyCertInfo=critical,language:id-ppl-anyLanguage,policy:text:AB + +[ proxy_rfc_independent ] +proxyCertInfo=critical,language:id-ppl-independent,pathlen:1 + +[ proxy_rfc_limited ] +proxyCertInfo=critical,language:limitedProxyOid diff --git a/test/fake-ca/fake.cert b/test/fake-ca/fake.cert index 7503541..4a0ca5e 100644 --- a/test/fake-ca/fake.cert +++ b/test/fake-ca/fake.cert 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIC/zCCAmigAwIBAgIJAJOODvhASivmMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV +MIIDAjCCAmugAwIBAgIJAO0FFDQThQMjMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE -CxMKUmVsYXhhdGlvbjEUMBIGA1UEAxMLdGhlIGZha2UgQ0EwHhcNMDkxMTE4MjAw -OTMwWhcNMzcwNDA1MjAwOTMwWjBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJv +CxMKUmVsYXhhdGlvbjEUMBIGA1UEAxMLdGhlIGZha2UgQ0EwHhcNMDkxMjA5MTYy +NjEwWhcNMzcwNDI2MTYyNjEwWjBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJv cGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xFDASBgNV -BAMTC3RoZSBmYWtlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzJg2Y -4PEy7IHjJtnAUoHsJTFiwH3upubJ21J1xIwbuwCCvUrBpj/OzEzaPdxU6fzjPXD2 -wVDzE2vqLF6hvxyzUlLKXmuB10lOfly8vkMHO7T/P1pO4vrZIpzo3pGFgx3fw4E4 -ZCdlsbjV/yHjVpO6+pnWdpka+S7rOIKMJfjfMwIDAQABo4HMMIHJMAwGA1UdEwQF -MAMBAf8wHQYDVR0OBBYEFGASma3GAhhYIPGOPve5MAxg7ce2MIGMBgNVHSMEgYQw -gYGAFGASma3GAhhYIPGOPve5MAxg7ce2oV6kXDBaMQswCQYDVQQGEwJVRzEPMA0G +BAMTC3RoZSBmYWtlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcesdY +OZsBJPCJvQicfeyNM4uZT30FhKTO47/SrQiotN9nE36oUVzqQ096RBGrxxGDEYae +xqa8p3gHp9urqAteHb6MhimkASns68UwS9VwBjqkKTz9TV91MgPAgUcYkxuIOff+ +sYUYXDUQSExTWuzb4xlG5+wfrqryYEQkORWD+QIDAQABo4HPMIHMMAwGA1UdEwQF +MAMBAf8wHQYDVR0OBBYEFN07u5oRDwxZe3RIxhCNSOD9rXhuMIGMBgNVHSMEgYQw +gYGAFN07u5oRDwxZe3RIxhCNSOD9rXhuoV6kXDBaMQswCQYDVQQGEwJVRzEPMA0G A1UEBxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRp -b24xFDASBgNVBAMTC3RoZSBmYWtlIENBggkAk44O+EBKK+YwCwYDVR0PBAQDAgEG -MA0GCSqGSIb3DQEBBQUAA4GBABt1ebIzQl2S2vu8nuGgssYpBHdUyTCiZNg6RFBx -GRmxPvd7/F6Ag60/xbz3rKtpQqeDoZg/FtpBHlAbIuOc3+kGDl3UatNV1VVozC6q -gocDvafELWoH0Xqmiv/WRoi7vzqsB7k387QkKCnYeahmQPS75pwE99A0HwhhaM/A -T9ia +b24xFDASBgNVBAMTC3RoZSBmYWtlIENBggkA7QUUNBOFAyMwDgYDVR0PAQH/BAQD +AgEGMA0GCSqGSIb3DQEBBQUAA4GBAG26hxwZ/ov3Qz9q2Cc24SNxgSu8WkjFNJBD +yEcZx0JTRMkHCCuEqYhgOjcMCD5imXydDCCFYG5XWJcdJImZqYSRdyd8KZyXE6xi +gTYZhLuOmNIzekwMee9QhOeYuXbghpDp85ID4gbdVfVh7K6M+/Ro+5qrDQyz58Vi +WiUn4Ezn -----END CERTIFICATE----- 
diff --git a/test/fake-ca/fake.p12 b/test/fake-ca/fake.p12
index f0c2ed2..6e927e8 100644
Binary files a/test/fake-ca/fake.p12 and b/test/fake-ca/fake.p12 differ
diff --git a/test/fake-ca/fake.priv b/test/fake-ca/fake.priv
index 3c8fcfc..876da90 100644
--- a/test/fake-ca/fake.priv
+++ b/test/fake-ca/fake.priv
@@ -1,15 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQCzJg2Y4PEy7IHjJtnAUoHsJTFiwH3upubJ21J1xIwbuwCCvUrB -pj/OzEzaPdxU6fzjPXD2wVDzE2vqLF6hvxyzUlLKXmuB10lOfly8vkMHO7T/P1pO -4vrZIpzo3pGFgx3fw4E4ZCdlsbjV/yHjVpO6+pnWdpka+S7rOIKMJfjfMwIDAQAB -AoGAEw7tS2JCxqQafUvYxnkAkVqzkkngG89tpfPLJfQu45RVTZNNrKQ/DYT2eBE0 -q2PpH1Od/OI79mAOju8BcjueldeO7bWM7ujW3o8zt/k/enq+Y/qcP6tWx8ulm4Ij -ALno9t5Zcp8B1Zq2LV/mqRvC25BbFsX7K6nLKVnnUkobfiECQQDYOaR6Ml5jrnXZ -a/EgAbx0wYnpOFO1ZU1i/wk2ffK6P8vWpuvL5Ad5QF1dBxWo/mtifTzNimuk6BYG -rwJPsU+nAkEA1BpsX3/qGx8ze5XpQEa8hbUVidLhMldNrcskQXd9KSd8YJPDsTcC -HG0DDu+7hhNaWEV2hLVTWeapiMAk4fbFlQJAL6ekpHnta7LLrnunzRIU4va02n3b -lSMahzMGaMghcwMUfd6UIX/EVejlqtcg4voP2MkZWYOkbdfo4tg3fjDqCQJBAKV2 -r5CYw1LBNnJ08m/YPv231MOeJVwWS10HGpOP2a4fRaI54/H9zcHLMRWX45ymwFYY -amsA4bNChINQEfXNgzkCQE0lhV6MD0R9geM32+pCQlImfVIhsLYQJs+D2lsjlvSW -S4nS6t2M8CFVJlOvOpdZL3x7eHuan2dhHHP1sz3jCx4= +MIICXQIBAAKBgQDcesdYOZsBJPCJvQicfeyNM4uZT30FhKTO47/SrQiotN9nE36o +UVzqQ096RBGrxxGDEYaexqa8p3gHp9urqAteHb6MhimkASns68UwS9VwBjqkKTz9 +TV91MgPAgUcYkxuIOff+sYUYXDUQSExTWuzb4xlG5+wfrqryYEQkORWD+QIDAQAB +AoGBAJesy0hxUKYH4IYRCkSGCF7XD/knCs3qA2rkmMj5CpTs4SdK7P4kAvSR27Iz +86glqXFudBr0dC4iU1uI6YD8eNw+VqiYJDSICk01DV/lHfuvu8k8nEgTgZekjgfC +ax+xiQbvtGko4v4Fz0Wutz6foWzevJeHd21JDhvw73a2EnkBAkEA8QDOTRt1KrsB +erC8scTuMrWu4bKSjqOSHtihzE3ZKcQrIMSp9Xmt+tmskhLhOFKkAkyUZ3I5lExi +yJKhw+3FGQJBAOozCBXnLQN3vf3fUMwsyorb4S6jlZlvmxBGQQ01D5Msg3kV75fp +4AnlAiNpA/w01mZxpAcjxhwH5SafMCwdseECQQCVf9h5wISoIyVBxIzpAa55SnbX +jvyW+yTTebK0l74UyJmwVA7SNc8VAx6n5opLdAhFXNfaa+MH+XJ11W//qGlRAkBb +/Xt5jvpBWHFKHMNRz24nKMLEXQDP6eSQeefnViYt+tgRYapgkz6q5Eb4vbERCXgF +eTGilEymiftaNkDnsypBAkBdych3aA7N186aNQ+KPN+nfnWcMyYh9yQm3VzKsT1R +7Nh4rf3yB/Y4AI4E/qfeMr0vbWYoqft+hmE0rPNCskO+ -----END RSA PRIVATE KEY----- diff --git a/test/fake-ca/req_conf.cnf b/test/fake-ca/req_conf.cnf index 2262038..41dcda6 100644 --- a/test/fake-ca/req_conf.cnf +++ b/test/fake-ca/req_conf.cnf 
@@ -1,5 +1,10 @@ ### req command +oid_section = new_oids + +[ new_oids ] +limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9 + [ req ] default_bits = 1024 distinguished_name = req_distinguished_name @@ -10,16 +15,13 @@ distinguished_name = req_distinguished_name basicConstraints = CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = cRLSign, keyCertSign - -#[ serial_cert_req ] -#serialNumber = 12341324 +keyUsage = critical, cRLSign, keyCertSign -#[ email_cert_req ] -#emailAddress = test@home.org - -#[ uid_cert_req ] -#userId = testuserid +[ ca_cert_req_nokeyusage ] +basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = critical, cRLSign [ proxy_cert_req ] @@ -31,13 +33,13 @@ keyUsage = cRLSign, keyCertSign default_ca = CA_default [CA_default] -dir = $ENV::CASROOT/$ENV::CATYPE-ca +dir = $ENV::CASROOT/fake-ca database = $dir/index.txt serial = $dir/serial.txt default_md = sha1 -certificate = $dir/$ENV::CATYPE.cert -private_key = $dir/$ENV::CATYPE.priv +certificate = $dir/fake.cert +private_key = $dir/fake.priv policy = policy_any @@ -90,3 +92,20 @@ nsComment = "OpenSSL Generated Client Certificate without Flags" [ proxy_none ] keyUsage = critical,digitalSignature,keyEncipherment +[ proxy_invalid_usage ] +keyUsage = critical,keyEncipherment + +[ proxy_rfc_pathLen1 ] +proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:1 + +[ proxy_rfc ] +proxyCertInfo=critical,language:id-ppl-inheritAll + +[ proxy_rfc_anypolicy ] +proxyCertInfo=critical,language:id-ppl-anyLanguage,policy:text:AB + +[ proxy_rfc_independent ] +proxyCertInfo=critical,language:id-ppl-independent,pathlen:1 + +[ proxy_rfc_limited ] +proxyCertInfo=critical,language:limitedProxyOid diff --git a/test/nokeyusage-ca/nokeyusage.cert b/test/nokeyusage-ca/nokeyusage.cert index dd98c4a..7469a86 100644 --- a/test/nokeyusage-ca/nokeyusage.cert +++ b/test/nokeyusage-ca/nokeyusage.cert 
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDETCCAnqgAwIBAgIJAJXRhilSGEmtMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNV
+MIIDFDCCAn2gAwIBAgIJAMam5pwcE352MA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNV
 BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE
 CxMKUmVsYXhhdGlvbjEaMBgGA1UEAxMRdGhlIG5va2V5dXNhZ2UgQ0EwHhcNMDkx
-MTE4MjAwOTU3WhcNMzcwNDA1MjAwOTU3WjBgMQswCQYDVQQGEwJVRzEPMA0GA1UE
+MjA5MTYyNzA5WhcNMzcwNDI2MTYyNzA5WjBgMQswCQYDVQQGEwJVRzEPMA0GA1UE
 BxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24x
 GjAYBgNVBAMTEXRoZSBub2tleXVzYWdlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQCoVc7fs7Owtyzi24NxaBoemkPQRv/mDDfhJTzX5cGVcymMWXLqhjHk
-KhuCziQ1pIRFPPUxmlNJneeo95WzrCWHe3HFILDSrjXoIw48aHPcgHmJRTU2U+wE
-fIwvw1nrSsQXS5ftQuMb5PcOCcI6cZiQzZquEy64Kkqovx7CvEKqOQIDAQABo4HS
-MIHPMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFD5yNicj3eNgIHr1/Ou0UciEePrH
-MIGSBgNVHSMEgYowgYeAFD5yNicj3eNgIHr1/Ou0UciEePrHoWSkYjBgMQswCQYD
+ADCBiQKBgQC1sDcjw5TH+LYj2sNRaR5CEo4zecP3nMyGWL1B84HEDBejvNXMZbpk
+FV6aWc/aIsZjM1NVKDBx4OH+JimjX1y1TnURlq0k4S/4/cqPxIX6wY2Om0QF418l
+6yVEcXPFkGvfM22MkNDdukpBxYIUYAlcoEflb0wVNXR0LD0cqaWtkQIDAQABo4HV
+MIHSMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFHtqwoVzbfSCBoAchgVr0Kdlb+QN
+MIGSBgNVHSMEgYowgYeAFHtqwoVzbfSCBoAchgVr0Kdlb+QNoWSkYjBgMQswCQYD
 VQQGEwJVRzEPMA0GA1UEBxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNV
-BAsTClJlbGF4YXRpb24xGjAYBgNVBAMTEXRoZSBub2tleXVzYWdlIENBggkAldGG
-KVIYSa0wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAAZY4vy4uPDsiqdp
-Y7LycXMQ20Dzp9WYOncjrUvw0UgSiF3kgOvjdJSNI+2ISSCvL8qKB5m4v88dhZvV
-N0xr/QhTZidAH/EnarURy4s46ueqW/80PGFszLsUQwMB/lQCKDbXXiJ31GytxZMr
-tLUfi9j+FtxbQRTNBvF93zh2sVwi
+BAsTClJlbGF4YXRpb24xGjAYBgNVBAMTEXRoZSBub2tleXVzYWdlIENBggkAxqbm
+nBwTfnYwDgYDVR0PAQH/BAQDAgECMA0GCSqGSIb3DQEBBQUAA4GBADhep4H9Lnfm
+uoKLUR4Xuyvnv8OvvVtqMO/Gk35nv645jqoFfLMX/hWnMke7vd0oUiMoWo5B9wlN
+CWW2z14rRg75aX08SCT1XE5UAdrBQJIbKzFRGoEKzRyukfMCoX4K3mVdGwH7igoH
+sF8HmwdlUOl0gaagKM1qWkQrcHGNLEeq
 -----END CERTIFICATE-----
diff --git a/test/nokeyusage-ca/nokeyusage.p12 b/test/nokeyusage-ca/nokeyusage.p12
index dcdeb7d..42e628a 100644
Binary files a/test/nokeyusage-ca/nokeyusage.p12 and b/test/nokeyusage-ca/nokeyusage.p12 differ
diff --git a/test/nokeyusage-ca/nokeyusage.priv b/test/nokeyusage-ca/nokeyusage.priv
index 0efdc83..cebee71 100644
--- a/test/nokeyusage-ca/nokeyusage.priv
+++ b/test/nokeyusage-ca/nokeyusage.priv
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQCoVc7fs7Owtyzi24NxaBoemkPQRv/mDDfhJTzX5cGVcymMWXLq
-hjHkKhuCziQ1pIRFPPUxmlNJneeo95WzrCWHe3HFILDSrjXoIw48aHPcgHmJRTU2
-U+wEfIwvw1nrSsQXS5ftQuMb5PcOCcI6cZiQzZquEy64Kkqovx7CvEKqOQIDAQAB
-AoGAfZJFGCr9SD3chf4qN1bo5Rs+qwfLrNhAdvtIP+VsWwflXoT7bGdeoE2o6BLO
-gBWRdfTbE32D086vGSRX0AgClbBjq6F4zV6YyWxU8B5W55AObvkGFVXmbWc3Bqso
-F4EOr3EdXNGYKvguoXIJ+cSrpt72X9SBOS5XGYUdwDTZ2AECQQDWyhMoAy/j/QML
-LvA1IwJilcD7U2FEK/Gs6qD/yUqPit0hj3I4jXVkpXX2s6n1VbB+rmYj8YPaBFzd
-nWSOSEnhAkEAyKIEzmLoP90cMiWcR7jhSSHprdnhpmo4W7xLrxYfZ95cjuzNEdlV
-ex2jzPRHRA5eDauQj0J+rG9PIFi/Op5bWQJAOIjj1epQ1q+n92+ZZkMaw5wrOXvO
-5ES0zhDL48e1ymaAoe7B38TMG3u5uv+7QooVdKKu29McI2x2jRZ6e0DnwQJAcavy
-Ayjgo0ZYMkVC3RPveCrhpaE7irjFw5vUWZe0JXpDgKrDqSg0mTN62aVRN0rYmPAq
-UDCBapsJ/q6pccHEyQJAfHkXV65981psqotNFMO7Xvs/uePIifSkuopiNM9cXVPR
-PghtFTnSLavjBOa94EzT4mTc3X2kjfecVZvMSf0Yow==
+MIICWwIBAAKBgQC1sDcjw5TH+LYj2sNRaR5CEo4zecP3nMyGWL1B84HEDBejvNXM
+ZbpkFV6aWc/aIsZjM1NVKDBx4OH+JimjX1y1TnURlq0k4S/4/cqPxIX6wY2Om0QF
+418l6yVEcXPFkGvfM22MkNDdukpBxYIUYAlcoEflb0wVNXR0LD0cqaWtkQIDAQAB
+AoGAYPvCQzX4alIpr7PrxL4u56gN/g5GfBtX1XLy+4xnPWYTDFUVbvjyaNA7YnsE
+h3U+nt9b4T4FthQLrmVinpGd40ZOzbRXmY7K9QyUmFobGlQNK+TT+wKdF0brajiJ
+bMwk2j65vmNVflmRe4lyq6FV+1oyj+WzkXOKwOpmURZICxECQQDx2xE1IIij4T1Q
+i135ujGsFQhvcSBRNJgtevHTblcoQULEvE1zV1wWg2eIZu1CqwLkrJOMxn8Q1Mv7
+jR/qIULFAkEAwFBayrnx75LdBSxdvsx8HRtiDsIePkf1InLpOAF8CS72W2rRniNE
+mef+hWPiXRK80KkoPpHMgalDEFdFAeV8XQI/VBTU5qNo3ZBwwI+zHB6fJjQpupSZ
+p6GhRi535Al4Q4Zsr/jG9FJqsWj9lW4zDfpmBxn4MfjQNAnG4K0vazYlAkEAnJZQ
+9tRki/92+ylew2ZYgJK1SvMAERIiJQSPpMyApDGa4mCdgTeSOgbOFOp5e/Mvzm6N
+mDS64bBiLMICLEMg+QJANy+y9S7o5eH+svlRYcj9DNdqD41JLsBE3q+60S/cv85W
+eX5Oc3j+c0O/JPO8UxFoYAlDCfVQd2937kiNz19MHg==
 -----END RSA PRIVATE KEY-----
diff --git a/test/nokeyusage-ca/req_conf.cnf b/test/nokeyusage-ca/req_conf.cnf
index 2262038..6a51485 100644
--- a/test/nokeyusage-ca/req_conf.cnf
+++ b/test/nokeyusage-ca/req_conf.cnf
@@ -1,5 +1,10 @@ ### req command +oid_section = new_oids + +[ new_oids ] +limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9 + [ req ] default_bits = 1024 distinguished_name = req_distinguished_name @@ -10,16 +15,13 @@ distinguished_name = req_distinguished_name basicConstraints = CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = cRLSign, keyCertSign - -#[ serial_cert_req ] -#serialNumber = 12341324 +keyUsage = critical, cRLSign, keyCertSign -#[ email_cert_req ] -#emailAddress = test@home.org - -#[ uid_cert_req ] -#userId = testuserid +[ ca_cert_req_nokeyusage ] +basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = critical, cRLSign [ proxy_cert_req ] @@ -31,13 +33,13 @@ keyUsage = cRLSign, keyCertSign default_ca = CA_default [CA_default] -dir = $ENV::CASROOT/$ENV::CATYPE-ca +dir = $ENV::CASROOT/nokeyusage-ca database = $dir/index.txt serial = $dir/serial.txt default_md = sha1 -certificate = $dir/$ENV::CATYPE.cert -private_key = $dir/$ENV::CATYPE.priv +certificate = $dir/nokeyusage.cert +private_key = $dir/nokeyusage.priv policy = policy_any @@ -90,3 +92,20 @@ nsComment = "OpenSSL Generated Client Certificate without Flags" [ proxy_none ] keyUsage = critical,digitalSignature,keyEncipherment +[ proxy_invalid_usage ] +keyUsage = critical,keyEncipherment + +[ proxy_rfc_pathLen1 ] +proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:1 + +[ proxy_rfc ] +proxyCertInfo=critical,language:id-ppl-inheritAll + +[ proxy_rfc_anypolicy ] +proxyCertInfo=critical,language:id-ppl-anyLanguage,policy:text:AB + +[ proxy_rfc_independent ] +proxyCertInfo=critical,language:id-ppl-independent,pathlen:1 + +[ proxy_rfc_limited ] +proxyCertInfo=critical,language:limitedProxyOid diff --git a/test/root-ca/index.txt b/test/root-ca/index.txt index 3d85f6d..e69de29 100644 --- a/test/root-ca/index.txt +++ b/test/root-ca/index.txt 
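Review bot: `[ ca_cert_req_nokeyusage ]` does not produce a CA without keyUsage, which is what its name and the nokeyusage CA type suggest: it emits a critical keyUsage with `cRLSign` only, and the regenerated nokeyusage.cert in this commit decodes to exactly that (keyUsage, critical, CRL Sign alone). Presumably the intent is a CA whose keyUsage lacks keyCertSign so that anything it signs is rejected, in which case a comment above the section should say so, e.g. `# CA whose keyUsage omits keyCertSign (not "no keyUsage"): negative test for issuer checks`. This section, like the new `proxy_*` sections, is copied verbatim into all six per-CA req_conf.cnf files in this commit, which otherwise differ only in the `[CA_default]` paths; if they are produced from a common template the comment belongs there. Making the regular CA's keyUsage `critical` is the right tightening over the previous non-critical extension.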
@@ -1 +0,0 @@ -V 370405200958Z 0176 unknown /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA diff --git a/test/root-ca/req_conf.cnf b/test/root-ca/req_conf.cnf index 2262038..0b0b34e 100644 --- a/test/root-ca/req_conf.cnf +++ b/test/root-ca/req_conf.cnf @@ -1,5 +1,10 @@ ### req command +oid_section = new_oids + +[ new_oids ] +limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9 + [ req ] default_bits = 1024 distinguished_name = req_distinguished_name @@ -10,16 +15,13 @@ distinguished_name = req_distinguished_name basicConstraints = CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = cRLSign, keyCertSign - -#[ serial_cert_req ] -#serialNumber = 12341324 +keyUsage = critical, cRLSign, keyCertSign -#[ email_cert_req ] -#emailAddress = test@home.org - -#[ uid_cert_req ] -#userId = testuserid +[ ca_cert_req_nokeyusage ] +basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = critical, cRLSign [ proxy_cert_req ] @@ -31,13 +33,13 @@ keyUsage = cRLSign, keyCertSign default_ca = CA_default [CA_default] -dir = $ENV::CASROOT/$ENV::CATYPE-ca +dir = $ENV::CASROOT/root-ca database = $dir/index.txt serial = $dir/serial.txt default_md = sha1 -certificate = $dir/$ENV::CATYPE.cert -private_key = $dir/$ENV::CATYPE.priv +certificate = $dir/root.cert +private_key = $dir/root.priv policy = policy_any 
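Review bot: With `dir`, `certificate` and `private_key` now hard-wired to `root-ca`/`root.cert`/`root.priv`, this file only describes the root as a subject, and the bookkeeping changes in the same commit show the issuer side has been lost: `root-ca/index.txt` is emptied on this line (its only record was the subca certificate the root signed), that record reappears in `subca-ca/index.txt`, and `subsubca-ca/index.txt` gains the subsubca certificate, i.e. each CA's database now lists its own certificate rather than the ones it issued. The issuing CA's `database`/`serial` are what `openssl ca -revoke`/`-gencrl` work from, so after this change the root cannot revoke the subca, `root-ca/serial.txt` goes back from 0177 to 0176 further down, and the regenerated subca and subsubca certificates both carry serial 0x0176, consistent with each child being signed against its own database instead of its parent's. If that is deliberate (fixtures that never issue CRLs), a comment next to `database` saying that index.txt/serial.txt no longer track issued certificates would stop someone building a CRL test on them; otherwise the hierarchical signing step should keep using the parent's `[CA_default]` (the parent's own `-config`, or a per-parent section selected with `-name`).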
@@ -90,3 +92,20 @@ nsComment = "OpenSSL Generated Client Certificate without Flags" [ proxy_none ] keyUsage = critical,digitalSignature,keyEncipherment +[ proxy_invalid_usage ] +keyUsage = critical,keyEncipherment + +[ proxy_rfc_pathLen1 ] +proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:1 + +[ proxy_rfc ] +proxyCertInfo=critical,language:id-ppl-inheritAll + +[ proxy_rfc_anypolicy ] +proxyCertInfo=critical,language:id-ppl-anyLanguage,policy:text:AB + +[ proxy_rfc_independent ] +proxyCertInfo=critical,language:id-ppl-independent,pathlen:1 + +[ proxy_rfc_limited ] +proxyCertInfo=critical,language:limitedProxyOid diff --git a/test/root-ca/root.cert b/test/root-ca/root.cert index 56dfa73..a70b8fa 100644 --- a/test/root-ca/root.cert +++ b/test/root-ca/root.cert 
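Review bot: The new `proxy_*` sections are bare extension lists with nothing saying which verifier behaviour each exists to exercise, and two names do not match their contents: `[ proxy_invalid_usage ]` sets `keyUsage = critical,keyEncipherment`, i.e. a proxy whose keyUsage lacks digitalSignature, and `[ proxy_rfc_anypolicy ]` uses `language:id-ppl-anyLanguage` with `policy:text:AB`, which is about the policy language rather than an "any policy" proxy. A one-line comment per section, e.g. `# proxy with keyUsage lacking digitalSignature (presumably expected to be rejected)` and `# anyLanguage policy language with an arbitrary policy body`, would tell whoever reads a failing test what was intended. `limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9` in the `[ new_oids ]` section earlier in this file is likewise an unexplained magic OID and deserves a comment naming where it comes from. This hunk is repeated unchanged in every per-CA req_conf.cnf of the commit, so whatever comment is chosen should be added once at the source they are copied from.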
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIC/zCCAmigAwIBAgIJAOwn+bdeOP7lMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
+MIIDAjCCAmugAwIBAgIJAN70gOiGeHNkMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
 BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE
-CxMKUmVsYXhhdGlvbjEUMBIGA1UEAxMLdGhlIHJvb3QgQ0EwHhcNMDkxMTE4MjAw
-OTU4WhcNMzcwNDA1MjAwOTU4WjBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJv
+CxMKUmVsYXhhdGlvbjEUMBIGA1UEAxMLdGhlIHJvb3QgQ0EwHhcNMDkxMjA5MTYy
+NzA5WhcNMzcwNDI2MTYyNzA5WjBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJv
 cGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xFDASBgNV
-BAMTC3RoZSByb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxw6fX
-Pm7OJc5QC0QaRHIjRXCK2CWVz1GXJ+1Fp9nN2OF3lhIr2JnYKkD3Shg9/6R43LUL
-pBOF8bEdQzC8P3XZTr2HHoS79bI8TVnZ4xtEM+bZO7k6EGQhzd+xjfQ7dGEqk4TS
-36PuyzIXyUJ9CrgpmzrD3r/wZreGNENql4iW6wIDAQABo4HMMIHJMAwGA1UdEwQF
-MAMBAf8wHQYDVR0OBBYEFC3z3nM1NSxp66FO7/5rlG43PPUxMIGMBgNVHSMEgYQw
-gYGAFC3z3nM1NSxp66FO7/5rlG43PPUxoV6kXDBaMQswCQYDVQQGEwJVRzEPMA0G
+BAMTC3RoZSByb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsBAlZ
+L671sIktcVJcoEYdHMqtLlf/RYJt0da0upIWRxXvpS28UDOGkiGXqqXNgayWTrf6
+ecBYAnfXjIDCG42RQiEzcnHQWTyGhVKclGgeXv49B1Fn1hH77wMhQrtyUbMhvSGI
+sRHYv4EH45UOLVtQc4fGa9x7LgP6cJg9i1+DGQIDAQABo4HPMIHMMAwGA1UdEwQF
+MAMBAf8wHQYDVR0OBBYEFL2h6oGN//VQZjdV1+QmQMKpOD7EMIGMBgNVHSMEgYQw
+gYGAFL2h6oGN//VQZjdV1+QmQMKpOD7EoV6kXDBaMQswCQYDVQQGEwJVRzEPMA0G
 A1UEBxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRp
-b24xFDASBgNVBAMTC3RoZSByb290IENBggkA7Cf5t144/uUwCwYDVR0PBAQDAgEG
-MA0GCSqGSIb3DQEBBQUAA4GBACzSdZyhnSj5wArIua8Nc6Tc6XIVp0by/jYz/cOa
-FAZZmY7GaTTL65SDu0QH1NJIRC6G8wWvQeCouK9dgKXA9vQZ3Caf+8LOwyAU4rZe
-2maDgk4CcLYz953CYDxRSwmLPTVkXAJHPD15SS8gXxWcNKIUInoov6cSzjTEfjw9
-1kCX
+b24xFDASBgNVBAMTC3RoZSByb290IENBggkA3vSA6IZ4c2QwDgYDVR0PAQH/BAQD
+AgEGMA0GCSqGSIb3DQEBBQUAA4GBAI0KSvSjFgzWR26b8N9jpU/20Nw6xH6uS2AF
+czdqlJxBJZKzPCOkfPB2oh82CTcebzdDOWOOqa0Sft65s8wTqHeG7JS6BnceiNKL
+w6dj4WBgvgWBgl4euue0wlTQLOd849cvKOlOfFZmtwOjqIV/Bc2+VXPXkLGe66z8
+wMLCxTdo
 -----END CERTIFICATE-----
diff --git a/test/root-ca/root.p12 b/test/root-ca/root.p12
index a9190e8..67ecb02 100644
Binary files a/test/root-ca/root.p12 and b/test/root-ca/root.p12 differ
diff --git a/test/root-ca/root.priv b/test/root-ca/root.priv
index 52c4b21..5489a06 100644
--- a/test/root-ca/root.priv
+++ b/test/root-ca/root.priv
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCxw6fXPm7OJc5QC0QaRHIjRXCK2CWVz1GXJ+1Fp9nN2OF3lhIr
-2JnYKkD3Shg9/6R43LULpBOF8bEdQzC8P3XZTr2HHoS79bI8TVnZ4xtEM+bZO7k6
-EGQhzd+xjfQ7dGEqk4TS36PuyzIXyUJ9CrgpmzrD3r/wZreGNENql4iW6wIDAQAB
-AoGAMdlWFcwSMojzhArEvED5aN6uIqFeWNZcYPD3XpMlRs5M28Yfrl/9NFsVAMOs
-bKZlrubldjA6sVMHgdc3sXJyT1fY7GYGt0Xsgy/pGL1+c5uREiFSXl/nhXgeZrfY
-M/C6Dl0269a6K3OSwk92OVYRUqRZM2nUK4bpODOAnAtGkcECQQDp30uqbx7BAkcj
-Z49Txg5sGfmHHrJgWGzJK9RKSdrE0OH/DTus08h/wMm3fXxPffchLIAHWp94m4uM
-Zi0AfBkbAkEAwpVZP/GoSPGwvDtw4t3YVvz2oNgoxFQtmU5xx4LgRNWVHrAE4sXd
-8opTBnqikAIbOADXEF/A04ViMvR0Kw6mcQJAXFfr04b+uK0Ck8svP5/DUBHNgfmv
-6vTfN2uT7iVNOUtVANUjy/DviOoBe+8TZ3vQWYvtnXm93+xi5HPvrvJRIwJBAK4B
-/ulHAzYQJPt/sIjA2QmZeDgIdhR0Lr7tPqSrLkGAOrVRtVzSk5OlDXA61QsxRwQD
-BFBZQMgnfNSSdRxYIpECQD3aPIAP/tv6mWeSOc6aP7jH0NyEceDEOPnpFitSfJqe
-8m/wecCuED9DgXTSpmJJ0BuFc8oXKRV7OgwhqfIuEwc=
+MIICXQIBAAKBgQDsBAlZL671sIktcVJcoEYdHMqtLlf/RYJt0da0upIWRxXvpS28
+UDOGkiGXqqXNgayWTrf6ecBYAnfXjIDCG42RQiEzcnHQWTyGhVKclGgeXv49B1Fn
+1hH77wMhQrtyUbMhvSGIsRHYv4EH45UOLVtQc4fGa9x7LgP6cJg9i1+DGQIDAQAB
+AoGBAIqwKIonEgm/7iws7jgN2oWa+KJhnEYeI3HDIAbdp6C9ru8+wixpeI24a1MD
+bSDg9Xjx0vy19MgC00dvge4OYNX86ec28N2PmERPNzilqFMj5sGNx2BWArnJT6fV
+odkQ6UIh+USMiAk6xGpo68T+jBt6DyK81sCOL90PCCRQDoKNAkEA/DqnJOG7xU5Z
+glsf226XE+U1UDyK/ePHnIOHIV1D/4x0aIAvFqeyER5+iTILnoWT0YepaDoM+tWY
+9xzjvQ2qPwJBAO+LVLRpYdn2YSGMUxVvLt4RJKr7zQ+SwwC+wi+b3VmS+iCGXwWu
+QX3eFbtRlmv35d9b5xcaA/eoOGMoiozljKcCQFC0y8qnWBe4DDgDxFvINRsumjKE
+TM0UV0ijZVetqhZY8N6HNYoAOp/zq/VmSAV/JF9FE1XATWrtcbaQTeauOq0CQBM3
+8IHQ+qLMG5rfcUME+pOieHinXxpiwfZrV5UOQkIPgrXdUf5YrrR0fvXaY+EhsHWt
+H+tAkRTrkCqUdBk9yX0CQQDh6J7uGU44tvMwxgc9jSqib5DqgflzF3hXJpLhZX8S
+Y9GaWp6pfrZUH0E46f7aorAaTeZ/4GobazC9VLcK5wPK
 -----END RSA PRIVATE KEY-----
diff --git a/test/root-ca/serial.txt b/test/root-ca/serial.txt
index 04db0ac..3dcc795 100644
--- a/test/root-ca/serial.txt
+++ b/test/root-ca/serial.txt
@@ -1 +1 @@
-0177
+0176
diff --git a/test/subca-ca/index.txt b/test/subca-ca/index.txt index 86c98fb..50f9539 100644 --- a/test/subca-ca/index.txt +++ b/test/subca-ca/index.txt @@ -1 +1 @@ -V 370405200958Z 0176 unknown /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA +V 370426162710Z 0176 unknown /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA diff --git a/test/subca-ca/req_conf.cnf b/test/subca-ca/req_conf.cnf index 2262038..ce2b1ab 100644 --- a/test/subca-ca/req_conf.cnf +++ b/test/subca-ca/req_conf.cnf @@ -1,5 +1,10 @@ ### req command +oid_section = new_oids + +[ new_oids ] +limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9 + [ req ] default_bits = 1024 distinguished_name = req_distinguished_name @@ -10,16 +15,13 @@ distinguished_name = req_distinguished_name basicConstraints = CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = cRLSign, keyCertSign - -#[ serial_cert_req ] -#serialNumber = 12341324 +keyUsage = critical, cRLSign, keyCertSign -#[ email_cert_req ] -#emailAddress = test@home.org - -#[ uid_cert_req ] -#userId = testuserid +[ ca_cert_req_nokeyusage ] +basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = critical, cRLSign [ proxy_cert_req ] @@ -31,13 +33,13 @@ keyUsage = cRLSign, keyCertSign default_ca = CA_default [CA_default] -dir = $ENV::CASROOT/$ENV::CATYPE-ca +dir = $ENV::CASROOT/subca-ca database = $dir/index.txt serial = $dir/serial.txt default_md = sha1 -certificate = $dir/$ENV::CATYPE.cert -private_key = $dir/$ENV::CATYPE.priv +certificate = $dir/subca.cert +private_key = $dir/subca.priv policy = policy_any 
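Review bot: `default_md = sha1` in this `[CA_default]` is evidently not what signs the intermediates: the regenerated `subca.cert` and `subsubca.cert` in this same commit show `Signature Algorithm: md5WithRSAEncryption`, while the self-signed roots are sha1WithRSAEncryption, so something outside this file overrides the setting for the `openssl ca` step. MD5 signatures are refused outright by validators that have MD5 disabled, which would make the chain tests fail for a reason unrelated to what they are meant to exercise (path length, keyUsage, proxy handling). Unless MD5 is wanted for a dedicated negative test, the override should go so this line is honoured; either way a comment next to `default_md` stating whether the value is authoritative would save the next reader from trusting it.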
@@ -90,3 +92,20 @@ nsComment = "OpenSSL Generated Client Certificate without Flags" [ proxy_none ] keyUsage = critical,digitalSignature,keyEncipherment +[ proxy_invalid_usage ] +keyUsage = critical,keyEncipherment + +[ proxy_rfc_pathLen1 ] +proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:1 + +[ proxy_rfc ] +proxyCertInfo=critical,language:id-ppl-inheritAll + +[ proxy_rfc_anypolicy ] +proxyCertInfo=critical,language:id-ppl-anyLanguage,policy:text:AB + +[ proxy_rfc_independent ] +proxyCertInfo=critical,language:id-ppl-independent,pathlen:1 + +[ proxy_rfc_limited ] +proxyCertInfo=critical,language:limitedProxyOid diff --git a/test/subca-ca/subca.cert b/test/subca-ca/subca.cert index a5f95fb..aaa165b 100644 --- a/test/subca-ca/subca.cert +++ b/test/subca-ca/subca.cert 
@@ -5,59 +5,59 @@ Certificate: Signature Algorithm: md5WithRSAEncryption Issuer: C=UG, L=Tropic, O=Utopia, OU=Relaxation, CN=the root CA Validity - Not Before: Nov 18 20:09:58 2009 GMT - Not After : Apr 5 20:09:58 2037 GMT + Not Before: Dec 9 16:27:10 2009 GMT + Not After : Apr 26 16:27:10 2037 GMT Subject: C=UG, L=Tropic, O=Utopia, OU=Relaxation, CN=the subca CA Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): - 00:ba:44:79:30:f9:57:b7:5a:8d:86:95:51:1c:5c: - 9d:f8:dd:e1:c7:e9:e3:d6:8e:9a:4d:7c:cc:0b:ef: - e2:85:99:8b:c1:df:7c:b4:41:60:6f:a6:55:0c:51: - cc:ed:d5:46:2a:64:24:a0:3a:d4:d1:ff:ef:44:20: - 07:c0:51:eb:67:ae:af:a7:d7:22:14:36:08:98:76: - 06:85:34:42:9f:30:23:0a:6b:f4:d5:47:38:67:54: - 0a:92:1b:33:5c:37:cb:e7:7c:76:94:45:ad:45:23: - 6c:b1:0c:80:5b:00:bc:4e:83:44:cc:0a:a0:a7:dd: - ef:59:ca:da:02:73:d6:f4:b3 + 00:c6:2d:d0:cd:2c:7d:2d:5e:96:a6:3d:78:62:97: + bd:da:51:33:95:8a:24:0f:8d:fd:14:b1:fa:b3:ac: + eb:f8:e9:f3:31:3b:f7:f3:c1:f6:e0:5a:bf:9b:93: + 22:08:ec:f2:09:55:58:44:bd:c5:bb:07:c0:8c:bc: + 7d:9c:04:66:51:b3:26:d8:d9:37:76:6e:ca:88:ef: + b2:cd:43:cf:e9:3a:61:fc:2e:30:96:90:fa:8b:8b: + ce:7b:3a:64:a5:0f:a1:9d:c2:25:0a:21:ee:ed:be: + ce:d1:ea:0f:6e:20:36:7c:e8:f1:8a:ca:6c:4e:3c: + 41:46:c5:4d:40:aa:09:91:27 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:TRUE X509v3 Subject Key Identifier: - 97:58:6D:62:00:14:32:1C:0E:B1:6F:89:3B:3C:92:A9:95:15:8A:05 + CE:3B:77:9F:05:35:41:E3:6C:26:B9:F7:CF:CA:01:F6:F5:15:89:02 X509v3 Authority Key Identifier: - keyid:2D:F3:DE:73:35:35:2C:69:EB:A1:4E:EF:FE:6B:94:6E:37:3C:F5:31 + keyid:BD:A1:EA:81:8D:FF:F5:50:66:37:55:D7:E4:26:40:C2:A9:38:3E:C4 DirName:/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the root CA - serial:EC:27:F9:B7:5E:38:FE:E5 + serial:DE:F4:80:E8:86:78:73:64 - X509v3 Key Usage: + X509v3 Key Usage: critical Certificate Sign, CRL Sign Signature Algorithm: md5WithRSAEncryption - 
6c:03:5f:54:ba:53:fd:b4:fe:42:f5:96:1f:4d:98:64:11:6b: - 7c:95:8e:e6:91:22:a8:b7:d5:0a:5c:50:6f:16:ea:51:f2:aa: - 18:30:9a:55:1d:af:10:be:38:79:d7:eb:b9:2f:94:14:c4:0b: - 37:21:b8:76:b7:df:96:67:c5:98:56:8c:d6:88:c6:8b:ba:6d: - 06:a4:bb:c1:ad:72:c7:96:ff:85:f5:d5:36:88:ac:10:15:66: - 04:44:04:54:98:be:db:6c:83:78:48:aa:2a:52:9f:85:81:71: - 50:b7:af:22:2a:7c:f8:b8:94:bf:35:0e:6b:57:61:14:22:66: - 7c:6b + 98:0e:78:59:02:57:26:43:33:cc:70:82:69:e1:a9:bf:df:a1: + 9c:3a:4b:f5:c2:eb:f2:7a:97:88:87:7e:4b:c2:5d:2e:61:a5: + a2:5d:73:76:13:e5:d6:0d:07:de:2b:23:e2:11:b5:93:3a:9c: + cc:f2:ed:61:65:15:23:2e:73:2e:90:07:5b:fd:88:49:ba:b3: + 6a:d0:1d:38:e6:82:08:5d:35:eb:fb:da:cf:5e:a5:b3:31:11: + 04:30:18:78:76:c2:da:65:4a:c6:71:47:dd:14:56:2e:77:e3: + e8:31:6b:c7:0b:9a:48:30:90:13:d3:2e:b9:3d:75:54:d3:d8: + 7d:02 -----BEGIN CERTIFICATE----- -MIIC+TCCAmKgAwIBAgICAXYwDQYJKoZIhvcNAQEEBQAwWjELMAkGA1UEBhMCVUcx +MIIC/DCCAmWgAwIBAgICAXYwDQYJKoZIhvcNAQEEBQAwWjELMAkGA1UEBhMCVUcx DzANBgNVBAcTBlRyb3BpYzEPMA0GA1UEChMGVXRvcGlhMRMwEQYDVQQLEwpSZWxh -eGF0aW9uMRQwEgYDVQQDEwt0aGUgcm9vdCBDQTAeFw0wOTExMTgyMDA5NThaFw0z -NzA0MDUyMDA5NThaMFsxCzAJBgNVBAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzAN +eGF0aW9uMRQwEgYDVQQDEwt0aGUgcm9vdCBDQTAeFw0wOTEyMDkxNjI3MTBaFw0z +NzA0MjYxNjI3MTBaMFsxCzAJBgNVBAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzAN BgNVBAoTBlV0b3BpYTETMBEGA1UECxMKUmVsYXhhdGlvbjEVMBMGA1UEAxMMdGhl -IHN1YmNhIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6RHkw+Ve3Wo2G -lVEcXJ343eHH6ePWjppNfMwL7+KFmYvB33y0QWBvplUMUczt1UYqZCSgOtTR/+9E -IAfAUetnrq+n1yIUNgiYdgaFNEKfMCMKa/TVRzhnVAqSGzNcN8vnfHaURa1FI2yx -DIBbALxOg0TMCqCn3e9ZytoCc9b0swIDAQABo4HMMIHJMAwGA1UdEwQFMAMBAf8w -HQYDVR0OBBYEFJdYbWIAFDIcDrFviTs8kqmVFYoFMIGMBgNVHSMEgYQwgYGAFC3z -3nM1NSxp66FO7/5rlG43PPUxoV6kXDBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG +IHN1YmNhIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGLdDNLH0tXpam +PXhil73aUTOViiQPjf0UsfqzrOv46fMxO/fzwfbgWr+bkyII7PIJVVhEvcW7B8CM +vH2cBGZRsybY2Td2bsqI77LNQ8/pOmH8LjCWkPqLi857OmSlD6GdwiUKIe7tvs7R 
+6g9uIDZ86PGKymxOPEFGxU1AqgmRJwIDAQABo4HPMIHMMAwGA1UdEwQFMAMBAf8w +HQYDVR0OBBYEFM47d58FNUHjbCa598/KAfb1FYkCMIGMBgNVHSMEgYQwgYGAFL2h +6oGN//VQZjdV1+QmQMKpOD7EoV6kXDBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG VHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xFDAS -BgNVBAMTC3RoZSByb290IENBggkA7Cf5t144/uUwCwYDVR0PBAQDAgEGMA0GCSqG -SIb3DQEBBAUAA4GBAGwDX1S6U/20/kL1lh9NmGQRa3yVjuaRIqi31QpcUG8W6lHy -qhgwmlUdrxC+OHnX67kvlBTECzchuHa335ZnxZhWjNaIxou6bQaku8GtcseW/4X1 -1TaIrBAVZgREBFSYvttsg3hIqipSn4WBcVC3ryIqfPi4lL81DmtXYRQiZnxr +BgNVBAMTC3RoZSByb290IENBggkA3vSA6IZ4c2QwDgYDVR0PAQH/BAQDAgEGMA0G +CSqGSIb3DQEBBAUAA4GBAJgOeFkCVyZDM8xwgmnhqb/foZw6S/XC6/J6l4iHfkvC +XS5hpaJdc3YT5dYNB94rI+IRtZM6nMzy7WFlFSMucy6QB1v9iEm6s2rQHTjmgghd +Nev72s9epbMxEQQwGHh2wtplSsZxR90UVi534+gxa8cLmkgwkBPTLrk9dVTT2H0C -----END CERTIFICATE----- diff --git a/test/subca-ca/subca.p12 b/test/subca-ca/subca.p12 index c0a9358..1c31c28 100644 Binary files a/test/subca-ca/subca.p12 and b/test/subca-ca/subca.p12 differ diff --git a/test/subca-ca/subca.priv b/test/subca-ca/subca.priv index c449abc..3a707bf 100644 --- a/test/subca-ca/subca.priv +++ b/test/subca-ca/subca.priv 
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQC6RHkw+Ve3Wo2GlVEcXJ343eHH6ePWjppNfMwL7+KFmYvB33y0
-QWBvplUMUczt1UYqZCSgOtTR/+9EIAfAUetnrq+n1yIUNgiYdgaFNEKfMCMKa/TV
-RzhnVAqSGzNcN8vnfHaURa1FI2yxDIBbALxOg0TMCqCn3e9ZytoCc9b0swIDAQAB
-AoGAB3GTEkT0n2wr+bPf4O1GltpvGmkbZMigG/afxN5aRBKFxkKjHiT6sJuKDIr8
-UIjUW/9Sg2C2fonmyucoyCO9735TR7JTeIiEsrTWKI2OR2rMtvLyUV1x7MzfZtw+
-uIolrukbMD0a5RKKnAI1PqLVqgIDp8nSCbG7r8LLRvF3MGkCQQDfx4lSVZ5deHvy
-H33QOqIekglKHesF6tin4J6xHN7l1bi76FpYQuOBmI4EuQfatlej/CbASt5vPFHj
-+QxJXkCHAkEA1RZA9tpzslI3JeIBdMMtWRrBPRW8b1BFL7Y+hNBT/Gk5uG7Q0giE
-4FH7Q95Phi1fMy8OIGskpyj2psC7DdGRdQJAf6nKAZquugxeSYcFs6F/k4kkm4/t
-4HZWG4/deJVL5DrFJQ4tXGTsfaaWfsNAY9narcbQJKuRskvrO+98vu5ySQJAd//X
-R+0P2K1aJzhWj5XWtOZPSoIyIxG2VL8yCAN2OKBdhBLMAGwRwG4KrVbFvA9THHT0
-ZKdR9d0owhGphYeufQJBANnY/Uc437oWe7qd/Kssai0omuGTswxztOZWWr4dAokP
-9A18VsU3gSmFGMK6OCmtJcX6R3pO3FvuVSqtQz+HTLY=
+MIICXAIBAAKBgQDGLdDNLH0tXpamPXhil73aUTOViiQPjf0UsfqzrOv46fMxO/fz
+wfbgWr+bkyII7PIJVVhEvcW7B8CMvH2cBGZRsybY2Td2bsqI77LNQ8/pOmH8LjCW
+kPqLi857OmSlD6GdwiUKIe7tvs7R6g9uIDZ86PGKymxOPEFGxU1AqgmRJwIDAQAB
+AoGARDzmVp9pAsQ9D0S/PQOOxauMHYORYyG68PNPpap3HiBAMsW5XN9+yEW3EDSb
+VYNw27HdUN4fRYUn0c3dWmlRaVkfUAtHx1VhcsTfWRxp+FN4enl1HFvi2ji/5UYd
+e8z2GumVgwthxK1mGS2Q3pRB/VobGrX1r8384r7qCqRVyUECQQDns994mE751SyD
+Aa53ifeh85hbT4kJDN3wjOpQn++JuLu4qWoUHhRFXKD2DL6+TOewD0Y9iAkUAyTN
+yuUpVLBRAkEA2vX9aMqv9qPQqBzwScbJQr+YMND363OKwrvQa2ed94O8oFwl/+vC
+C83TV5eLxUinfFsT0zNMca3eIQVqBPqD9wJBANp4LcPlyMGkkN3N3hV0j3uy1fty
+2QEhkrrYA6+VviSbfNU3WIAzhGWKW3LkvY1tsh+9pzspY3XtKOyp3L3FzqECQGiO
+tL6YoyQ0n4vXncqtGSg9k3AkKW8OkoFg7CqNpTovdyBgQGkP7G50j+ow3LaNdiUE
+3NeqlGNocjz0d+b+tYsCQAhOG1xXly1tBduUJTQ+V5Cs9fKG7nn9QftCe53CocPS
+RHQFd6d4WYZjhxorAduJf5gVXWU2tdyhYqY239dVxhY=
 -----END RSA PRIVATE KEY-----
diff --git a/test/subca-ca/subca.req b/test/subca-ca/subca.req
index 8cfc5b1..1e0646f 100644
--- a/test/subca-ca/subca.req
+++ b/test/subca-ca/subca.req
@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE REQUEST-----
 MIIBmzCCAQQCAQAwWzELMAkGA1UEBhMCVUcxDzANBgNVBAcTBlRyb3BpYzEPMA0G
 A1UEChMGVXRvcGlhMRMwEQYDVQQLEwpSZWxheGF0aW9uMRUwEwYDVQQDEwx0aGUg
-c3ViY2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALpEeTD5V7dajYaV
-URxcnfjd4cfp49aOmk18zAvv4oWZi8HffLRBYG+mVQxRzO3VRipkJKA61NH/70Qg
-B8BR62eur6fXIhQ2CJh2BoU0Qp8wIwpr9NVHOGdUCpIbM1w3y+d8dpRFrUUjbLEM
-gFsAvE6DRMwKoKfd71nK2gJz1vSzAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQCK
-08BejkSBKvmzprupFEkKdaKcu+dDthDDpNGDrGJsYzIM/w4KU8PBQYZ1899YBu02
-TtusdVST6k8Q1uE35qdcd/hHRqRanQM8Vbzfzwoi2iOhUVvERW9/rEfdJ2HeiPzg
-550HXO/kRbMOiATQEqNz5JcXWCS64raA7D9X7Y0jIQ==
+c3ViY2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYt0M0sfS1elqY9
+eGKXvdpRM5WKJA+N/RSx+rOs6/jp8zE79/PB9uBav5uTIgjs8glVWES9xbsHwIy8
+fZwEZlGzJtjZN3Zuyojvss1Dz+k6YfwuMJaQ+ouLzns6ZKUPoZ3CJQoh7u2+ztHq
+D24gNnzo8YrKbE48QUbFTUCqCZEnAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQAr
+HDqquBnfR1ZvErqw3A7u3m1wq+wWzGvc/AU66wX5pA0n8eGGRoB7AX/VIxowgbQk
+415R37S9kUbVc2vW7a4Qr+cAhyiknVOWcakSjf7g5tzg/KYawA1kvvzxLV6dTZhZ
+ACTnvCY3Q2DDcvkOJ+20PbACPRpbWbg9ekZYkHq3VQ==
 -----END CERTIFICATE REQUEST-----
diff --git a/test/subsubca-ca/index.txt b/test/subsubca-ca/index.txt
index e69de29..16acbf6 100644
--- a/test/subsubca-ca/index.txt
+++ b/test/subsubca-ca/index.txt
@@ -0,0 +1 @@
+V 370426162710Z 0176 unknown /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA
diff --git a/test/subsubca-ca/req_conf.cnf b/test/subsubca-ca/req_conf.cnf
index 2262038..40a418e 100644
--- a/test/subsubca-ca/req_conf.cnf
+++ b/test/subsubca-ca/req_conf.cnf
@@ -1,5 +1,10 @@ ### req command +oid_section = new_oids + +[ new_oids ] +limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9 + [ req ] default_bits = 1024 distinguished_name = req_distinguished_name
@@ -10,16 +15,13 @@ distinguished_name = req_distinguished_name basicConstraints = CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = cRLSign, keyCertSign - -#[ serial_cert_req ] -#serialNumber = 12341324 +keyUsage = critical, cRLSign, keyCertSign -#[ email_cert_req ] -#emailAddress = test@home.org - -#[ uid_cert_req ] -#userId = testuserid +[ ca_cert_req_nokeyusage ] +basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = critical, cRLSign [ proxy_cert_req ] @@ -31,13 +33,13 @@ keyUsage = cRLSign, keyCertSign default_ca = CA_default [CA_default] -dir = $ENV::CASROOT/$ENV::CATYPE-ca +dir = $ENV::CASROOT/subsubca-ca database = $dir/index.txt serial = $dir/serial.txt default_md = sha1 -certificate = $dir/$ENV::CATYPE.cert -private_key = $dir/$ENV::CATYPE.priv +certificate = $dir/subsubca.cert +private_key = $dir/subsubca.priv policy = policy_any @@ -90,3 +92,20 @@ nsComment = "OpenSSL Generated Client Certificate without Flags" [ proxy_none ] keyUsage = critical,digitalSignature,keyEncipherment +[ proxy_invalid_usage ] +keyUsage = critical,keyEncipherment + +[ proxy_rfc_pathLen1 ] +proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:1 + +[ proxy_rfc ] +proxyCertInfo=critical,language:id-ppl-inheritAll + +[ proxy_rfc_anypolicy ] +proxyCertInfo=critical,language:id-ppl-anyLanguage,policy:text:AB + +[ proxy_rfc_independent ] +proxyCertInfo=critical,language:id-ppl-independent,pathlen:1 + +[ proxy_rfc_limited ] +proxyCertInfo=critical,language:limitedProxyOid diff --git a/test/subsubca-ca/serial.txt b/test/subsubca-ca/serial.txt index 3dcc795..04db0ac 100644 --- a/test/subsubca-ca/serial.txt +++ b/test/subsubca-ca/serial.txt @@ -1 +1 @@ -0176 +0177 diff --git a/test/subsubca-ca/subsubca.cert b/test/subsubca-ca/subsubca.cert index fc5eca4..648263f 100644 --- a/test/subsubca-ca/subsubca.cert +++ b/test/subsubca-ca/subsubca.cert 
@@ -5,59 +5,59 @@ Certificate: Signature Algorithm: md5WithRSAEncryption Issuer: C=UG, L=Tropic, O=Utopia, OU=Relaxation, CN=the subca CA Validity - Not Before: Nov 18 20:09:58 2009 GMT - Not After : Apr 5 20:09:58 2037 GMT + Not Before: Dec 9 16:27:10 2009 GMT + Not After : Apr 26 16:27:10 2037 GMT Subject: C=UG, L=Tropic, O=Utopia, OU=Relaxation, CN=the subsubca CA Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): - 00:e9:4b:ca:3a:8f:65:d5:44:72:1f:21:9a:16:42: - 61:e7:67:93:38:13:cc:c2:0d:81:dc:ff:fe:8d:c4: - c1:a1:57:c1:43:64:18:bd:a2:22:0b:fd:51:84:12: - a2:b7:86:f2:1c:a0:dd:b2:e9:01:53:43:e2:c7:de: - 44:ea:41:97:85:08:91:b4:f9:b8:f8:1e:da:e9:a2: - 3c:1b:4e:33:8d:1a:05:d8:3a:40:21:f6:9d:2a:84: - c7:f6:10:8c:ea:21:2c:40:cc:a1:c8:6e:1e:76:c3: - 0d:21:ec:8f:fc:76:62:d8:78:ae:e1:11:9d:3c:66: - c3:56:bc:bb:8f:87:d2:2c:4b + 00:bc:29:f6:02:17:f1:46:b2:28:0d:50:1d:f5:b3: + 90:1b:ea:43:ea:cf:58:eb:fe:91:21:64:59:78:d9: + ad:dd:cd:82:5c:1c:17:b6:75:74:fa:42:96:1c:b1: + 1f:a2:76:ab:06:e4:ff:28:65:49:08:ed:b1:92:c6: + 25:7d:ad:dc:2a:23:ab:b1:bf:06:71:27:70:2a:2d: + ed:3c:dc:1b:bb:ea:ba:11:20:9a:d7:9e:9c:62:18: + 27:bb:05:74:b5:50:44:33:72:f5:fb:37:a3:00:44: + 55:67:74:0e:84:ae:5c:72:68:30:01:6c:0f:c9:bc: + a5:c1:94:e4:2a:72:26:ee:e5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:TRUE X509v3 Subject Key Identifier: - 03:4A:F7:6F:2F:37:6B:B7:24:C1:92:6E:FB:54:26:42:C1:84:20:26 + 1B:F6:7F:35:4E:C6:B8:06:BC:67:63:FD:A4:93:D8:9E:1F:D1:C0:44 X509v3 Authority Key Identifier: - keyid:97:58:6D:62:00:14:32:1C:0E:B1:6F:89:3B:3C:92:A9:95:15:8A:05 + keyid:CE:3B:77:9F:05:35:41:E3:6C:26:B9:F7:CF:CA:01:F6:F5:15:89:02 DirName:/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the root CA serial:01:76 - X509v3 Key Usage: + X509v3 Key Usage: critical Certificate Sign, CRL Sign Signature Algorithm: md5WithRSAEncryption - ae:93:74:7c:61:3d:7c:38:c3:95:f8:48:71:33:6f:2b:00:eb: - 
35:bb:5d:f2:0c:09:10:bf:07:48:ef:3f:10:d8:a9:ae:c8:74: - 82:12:18:01:6d:ce:b7:28:9b:6c:b1:b0:74:e5:b6:70:c4:d0: - 47:22:8b:ed:40:d8:79:d9:8a:93:03:94:cf:12:27:b9:06:ce: - e2:e8:a2:42:89:97:e0:12:e7:7f:0c:93:38:6f:56:4c:ca:6b: - 0a:23:df:6c:37:5e:32:1f:13:0f:2b:59:df:f3:e4:8c:80:8f: - c8:4e:01:f2:3a:20:87:be:15:96:ef:cf:94:8d:9a:79:35:bb: - f2:22 + a3:f2:83:56:21:14:83:51:b5:65:0e:9f:58:dc:f3:67:13:a3: + c3:d5:96:35:8e:bb:8a:85:d2:c8:e7:c2:12:63:51:04:3b:c2: + bf:a8:6b:09:91:0b:ed:2d:24:d9:eb:2a:7f:73:ef:13:51:d3: + 30:44:d6:99:46:62:f3:fe:af:9b:71:e5:fb:96:6d:0e:f4:ee: + f2:9a:18:88:4e:2d:7c:7f:7e:73:16:52:82:e8:06:2b:49:60: + 40:0e:be:6b:c8:e4:f1:75:0f:9d:8d:52:f7:ea:c6:e9:70:4e: + 0d:d4:64:73:9e:fa:0c:e9:25:72:e9:40:14:77:aa:6e:e9:55: + 85:34 -----BEGIN CERTIFICATE----- -MIIC9DCCAl2gAwIBAgICAXYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCVUcx +MIIC9zCCAmCgAwIBAgICAXYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCVUcx DzANBgNVBAcTBlRyb3BpYzEPMA0GA1UEChMGVXRvcGlhMRMwEQYDVQQLEwpSZWxh -eGF0aW9uMRUwEwYDVQQDEwx0aGUgc3ViY2EgQ0EwHhcNMDkxMTE4MjAwOTU4WhcN -MzcwNDA1MjAwOTU4WjBeMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJvcGljMQ8w +eGF0aW9uMRUwEwYDVQQDEwx0aGUgc3ViY2EgQ0EwHhcNMDkxMjA5MTYyNzEwWhcN +MzcwNDI2MTYyNzEwWjBeMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJvcGljMQ8w DQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xGDAWBgNVBAMTD3Ro -ZSBzdWJzdWJjYSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6UvKOo9l -1URyHyGaFkJh52eTOBPMwg2B3P/+jcTBoVfBQ2QYvaIiC/1RhBKit4byHKDdsukB -U0Pix95E6kGXhQiRtPm4+B7a6aI8G04zjRoF2DpAIfadKoTH9hCM6iEsQMyhyG4e -dsMNIeyP/HZi2Hiu4RGdPGbDVry7j4fSLEsCAwEAAaOBwzCBwDAMBgNVHRMEBTAD -AQH/MB0GA1UdDgQWBBQDSvdvLzdrtyTBkm77VCZCwYQgJjCBgwYDVR0jBHwweoAU -l1htYgAUMhwOsW+JOzySqZUVigWhXqRcMFoxCzAJBgNVBAYTAlVHMQ8wDQYDVQQH +ZSBzdWJzdWJjYSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvCn2Ahfx +RrIoDVAd9bOQG+pD6s9Y6/6RIWRZeNmt3c2CXBwXtnV0+kKWHLEfonarBuT/KGVJ +CO2xksYlfa3cKiOrsb8GcSdwKi3tPNwbu+q6ESCa156cYhgnuwV0tVBEM3L1+zej +AERVZ3QOhK5ccmgwAWwPybylwZTkKnIm7uUCAwEAAaOBxjCBwzAMBgNVHRMEBTAD 
+AQH/MB0GA1UdDgQWBBQb9n81Tsa4BrxnY/2kk9ieH9HARDCBgwYDVR0jBHwweoAU +zjt3nwU1QeNsJrn3z8oB9vUViQKhXqRcMFoxCzAJBgNVBAYTAlVHMQ8wDQYDVQQH EwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UECxMKUmVsYXhhdGlvbjEU -MBIGA1UEAxMLdGhlIHJvb3QgQ0GCAgF2MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B -AQQFAAOBgQCuk3R8YT18OMOV+EhxM28rAOs1u13yDAkQvwdI7z8Q2KmuyHSCEhgB -bc63KJtssbB05bZwxNBHIovtQNh52YqTA5TPEie5Bs7i6KJCiZfgEud/DJM4b1ZM -ymsKI99sN14yHxMPK1nf8+SMgI/ITgHyOiCHvhWW78+UjZp5NbvyIg== +MBIGA1UEAxMLdGhlIHJvb3QgQ0GCAgF2MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG +9w0BAQQFAAOBgQCj8oNWIRSDUbVlDp9Y3PNnE6PD1ZY1jruKhdLI58ISY1EEO8K/ +qGsJkQvtLSTZ6yp/c+8TUdMwRNaZRmLz/q+bceX7lm0O9O7ymhiITi18f35zFlKC +6AYrSWBADr5ryOTxdQ+djVL36sbpcE4N1GRznvoM6SVy6UAUd6pu6VWFNA== -----END CERTIFICATE----- diff --git a/test/subsubca-ca/subsubca.p12 b/test/subsubca-ca/subsubca.p12 index 5ea8e3f..dc32138 100644 Binary files a/test/subsubca-ca/subsubca.p12 and b/test/subsubca-ca/subsubca.p12 differ diff --git a/test/subsubca-ca/subsubca.priv b/test/subsubca-ca/subsubca.priv index ecc8a89..3076cc1 100644 --- a/test/subsubca-ca/subsubca.priv +++ b/test/subsubca-ca/subsubca.priv 
@@ -1,15 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQDpS8o6j2XVRHIfIZoWQmHnZ5M4E8zCDYHc//6NxMGhV8FDZBi9 -oiIL/VGEEqK3hvIcoN2y6QFTQ+LH3kTqQZeFCJG0+bj4HtrpojwbTjONGgXYOkAh -9p0qhMf2EIzqISxAzKHIbh52ww0h7I/8dmLYeK7hEZ08ZsNWvLuPh9IsSwIDAQAB -AoGAWUWNLvdsaj10xgDfq6DfQeNabFz3P1JX3S+AQtOFnK2t4JHO/dGq4Zeft8BB -z6StxNKxwyJyRWB2yTB+gn1y8tQaTUIgihKKNOLb0gAKH71VNucFAidSYGqWZG6l -IOAHvd8kJDteqAKzsHn8xSB/IPeKg27IiUAep6ozUhaRn+ECQQD0tNWt+M8os1hY -F1OEmaMJeMPte6mQ75TngYMLs0feKERMIVw6mmCp7LioEFRj3IU/TVrzHXCEReKE -095vl2QpAkEA9BAk5AR4jb4kxB+1Wl84PoTUJkNi76/VOMHqqxWKR/2ohUyiBgov -2YMxk0CEmKg99sSS6Cv3fLx1/GGn41V7UwJAGiq8Lr5MaK3E5KaZ57QGGx0u1lZC -65yy746J1NZ2+OqVYw6uLhYUABewJ0iXvZX3Ka277ANZ5MsUTd/aCVTHAQJBANWc -i61GfH0SvvspBYFjdcbCWyxiLmW6b9SNZOb4o17/FFAXEnhW0ip+ORW4klVKa3Ff -+3RZhvMVv+51SowedSECQQDCg5KIpLI/a1MIciiSsamypdGdDU8B/HshrHm1ZUJ1 -b7dc3pffJwtOlQiwzX5Ihwxx4lW0eY+Xo8i2abhpPXun +MIICXQIBAAKBgQC8KfYCF/FGsigNUB31s5Ab6kPqz1jr/pEhZFl42a3dzYJcHBe2 +dXT6QpYcsR+idqsG5P8oZUkI7bGSxiV9rdwqI6uxvwZxJ3AqLe083Bu76roRIJrX +npxiGCe7BXS1UEQzcvX7N6MARFVndA6ErlxyaDABbA/JvKXBlOQqcibu5QIDAQAB +AoGBALH1wa0DNffWAZltv5gk5tPwAaIvzvsMPfjl7tUkk5MmjfdNvoObnTIgDdc/ +EhtWvrR7mnN7L9MY84xMiSLPb1xwS3uAGYDTtMpydOdWZZYwcoZMM36YjXYFgqvl +QW4Kcfi60/gWW7TMp9329M8ibDyAomDfd1e0Vg//g8zjnRg1AkEA3RoZkhT9/8rn +z3Sqg8l4ys6VUuYBylPPSjPLbTKG6oX5PWKyQw3GrJrN/2NpOE21/QPfvmIBsJlC +35oG479s3wJBANnc9VmEERy139BjQse/1lHJ5N83Cy64smE2Bm9TxkbIhvxZWO31 +f5sSU2FFGq36fHJyM6uJ3FX0dtq1sNsSmLsCQDPKJEkyf5iF96yBYFuEOrYOk62a +ULsKzJhN742Bc1bF0O7PCoBoXqwZir0SlRfqJAHDAYq/vDOYgrCLjKeWNDMCQQDV +onew7PF+ztYHWZ6dk39NOoZFYIuFqDW7X6fVuTegJ3k+sTqkNW2JGeJLauEro4ov +C8+hMZGvdAaslygy2ryLAkAJEow6EQXqtve6enOWk6SYeTJ82hKBc2L8cQeUA2jR +fVDfECxJoC3IezBZzhuMkmX0BL7n6GxhyFOmdg2uqJ2h -----END RSA PRIVATE KEY----- diff --git a/test/subsubca-ca/subsubca.req b/test/subsubca-ca/subsubca.req index 9d0bb27..82b5437 100644 --- a/test/subsubca-ca/subsubca.req +++ b/test/subsubca-ca/subsubca.req 
@@ -1,11 +1,11 @@ -----BEGIN CERTIFICATE REQUEST----- MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCVUcxDzANBgNVBAcTBlRyb3BpYzEPMA0G A1UEChMGVXRvcGlhMRMwEQYDVQQLEwpSZWxheGF0aW9uMRgwFgYDVQQDEw90aGUg -c3Vic3ViY2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOlLyjqPZdVE -ch8hmhZCYednkzgTzMINgdz//o3EwaFXwUNkGL2iIgv9UYQSoreG8hyg3bLpAVND -4sfeROpBl4UIkbT5uPge2umiPBtOM40aBdg6QCH2nSqEx/YQjOohLEDMochuHnbD -DSHsj/x2Yth4ruERnTxmw1a8u4+H0ixLAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB -gQB15WCrFk3RykaCyJjnoToQfi72KkPr0ZpK4AjtGiTx1TepFFcXzgyU+1jtbTzv -v8Wo0En5wzi7CzHJnFHfwhPF3fkNf6F6WbF+tC1O9XQ4fzqpvlYIbxS11I6VeLwb -X1Owgu3ns9lhgVtqRjohEYDveoi8NdJVtC/iCKe46IBtkg== +c3Vic3ViY2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwp9gIX8Uay +KA1QHfWzkBvqQ+rPWOv+kSFkWXjZrd3NglwcF7Z1dPpClhyxH6J2qwbk/yhlSQjt +sZLGJX2t3Cojq7G/BnEncCot7TzcG7vquhEgmteenGIYJ7sFdLVQRDNy9fs3owBE +VWd0DoSuXHJoMAFsD8m8pcGU5CpyJu7lAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB +gQBeHdKgFoI8OGM2Xc2j00eBVGYsxfIXjYsagPuyLxG2+WbQjsQfSlehDvJcf5E/ +g/iHI++poo36TcWnLh+YGcEP0taOp2O9wBNXGDWX3KGKdQ5XLpkPiGHG5Zvhkx7a +Y4KTlUw4GnfWYciHbzjK3ZGL//jwgvHJNJ6/Iw5bDpNGfg== -----END CERTIFICATE REQUEST----- diff --git a/test/trusted-ca/req_conf.cnf b/test/trusted-ca/req_conf.cnf index 2262038..187be7c 100644 --- a/test/trusted-ca/req_conf.cnf +++ b/test/trusted-ca/req_conf.cnf @@ -1,5 +1,10 @@ ### req command +oid_section = new_oids + +[ new_oids ] +limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9 + [ req ] default_bits = 1024 distinguished_name = req_distinguished_name 
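Review bot: The new `limitedProxyOid = 1.3.6.1.4.1.3536.1.1.1.9` in `[ new_oids ]` is an opaque constant with no indication of what it denotes or which profile consumes it. Add a comment above it such as `# Globus/GSI "limited proxy" policy-language OID, referenced by [ proxy_rfc_limited ] via language:limitedProxyOid`. The 1.3.6.1.4.1.3536 arc appears to be the Globus enterprise number, so the symbolic name looks plausible, but the exact value should be confirmed against the GSI proxy certificate specification rather than trusted from the name alone, since a wrong OID would make the "limited" test proxies silently indistinguishable from ordinary ones. If this file is produced from a template elsewhere in the tree, the comment belongs in the template rather than in this generated copy.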
@@ -10,16 +15,13 @@ distinguished_name = req_distinguished_name basicConstraints = CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = cRLSign, keyCertSign - -#[ serial_cert_req ] -#serialNumber = 12341324 +keyUsage = critical, cRLSign, keyCertSign -#[ email_cert_req ] -#emailAddress = test@home.org - -#[ uid_cert_req ] -#userId = testuserid +[ ca_cert_req_nokeyusage ] +basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = critical, cRLSign [ proxy_cert_req ] @@ -31,13 +33,13 @@ keyUsage = cRLSign, keyCertSign default_ca = CA_default [CA_default] -dir = $ENV::CASROOT/$ENV::CATYPE-ca +dir = $ENV::CASROOT/trusted-ca database = $dir/index.txt serial = $dir/serial.txt default_md = sha1 -certificate = $dir/$ENV::CATYPE.cert -private_key = $dir/$ENV::CATYPE.priv +certificate = $dir/trusted.cert +private_key = $dir/trusted.priv policy = policy_any @@ -90,3 +92,20 @@ nsComment = "OpenSSL Generated Client Certificate without Flags" [ proxy_none ] keyUsage = critical,digitalSignature,keyEncipherment +[ proxy_invalid_usage ] +keyUsage = critical,keyEncipherment + +[ proxy_rfc_pathLen1 ] +proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:1 + +[ proxy_rfc ] +proxyCertInfo=critical,language:id-ppl-inheritAll + +[ proxy_rfc_anypolicy ] +proxyCertInfo=critical,language:id-ppl-anyLanguage,policy:text:AB + +[ proxy_rfc_independent ] +proxyCertInfo=critical,language:id-ppl-independent,pathlen:1 + +[ proxy_rfc_limited ] +proxyCertInfo=critical,language:limitedProxyOid diff --git a/test/trusted-ca/trusted.cert b/test/trusted-ca/trusted.cert index 184c8a1..eb5fe75 100644 --- a/test/trusted-ca/trusted.cert +++ b/test/trusted-ca/trusted.cert 
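Review bot: The new `[ ca_cert_req_nokeyusage ]` section is named "nokeyusage" but actually sets `keyUsage = critical, cRLSign`, i.e. a CA profile that lacks keyCertSign, and nothing marks it (or the later `[ proxy_invalid_usage ]` with `keyUsage = critical,keyEncipherment`) as a deliberately non-conforming negative fixture, so a reader could reuse one of these profiles by mistake. Add a comment on each, e.g. `# Deliberately broken CA profile: keyUsage omits keyCertSign, so a conforming verifier must reject chains issued under it` and `# Deliberately broken proxy profile: no digitalSignature bit, expected to be rejected`. Also note that `basicConstraints = CA:true` in this new section is non-critical, whereas RFC 5280 §4.2.1.9 requires the extension to be critical in CA certificates; unless the non-critical form is itself under test, `basicConstraints = critical, CA:true` would make the fixture's only defect the missing keyCertSign bit. Since this file under test/trusted-ca appears to be a generated copy of a shared template, any such change should be made to the template and the CAs regenerated.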
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDCDCCAnGgAwIBAgIJANziUWMgmUwRMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV +MIIDCzCCAnSgAwIBAgIJALIbmjlwx6A+MA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE -CxMKUmVsYXhhdGlvbjEXMBUGA1UEAxMOdGhlIHRydXN0ZWQgQ0EwHhcNMDkxMTE4 -MjAwOTMwWhcNMzcwNDA1MjAwOTMwWjBdMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG +CxMKUmVsYXhhdGlvbjEXMBUGA1UEAxMOdGhlIHRydXN0ZWQgQ0EwHhcNMDkxMjA5 +MTYyNjEwWhcNMzcwNDI2MTYyNjEwWjBdMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG VHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xFzAV BgNVBAMTDnRoZSB0cnVzdGVkIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB -gQDTgxhpXPFdUAZ6vdOUeDhNNq7O+CCeYnOv/sMIoauTNxRSlMOIGwIB8d4VlgsK -U/JKNhmV2Bx1jCAB4nBsoY3mIryPWvt86emR+5lWcfJfG9Q2HHMed0oNwUf7i3g9 -DX22x/B69Kq4KR5C24QlZEwloPi97ltg+ILWp5WULD2v+wIDAQABo4HPMIHMMAwG -A1UdEwQFMAMBAf8wHQYDVR0OBBYEFFLVqrGqen8FRIdghQ2W5M5+VLFfMIGPBgNV -HSMEgYcwgYSAFFLVqrGqen8FRIdghQ2W5M5+VLFfoWGkXzBdMQswCQYDVQQGEwJV +gQCX3cRHcag8RiQV4LztIAx7B7i381yF+zf39ZZq84Ycc8ZI+LFBzrRQsjaEPsbi +6f1dbDh1IwLFptttwG+AJBKwjHjPSdbPqtOYshBIjG+phanVTLg9chPEIirYf5ng +idfDOCMw9mNdFcPnrBA7CXDNCoY7hsPSf3U986B2csZfgQIDAQABo4HSMIHPMAwG +A1UdEwQFMAMBAf8wHQYDVR0OBBYEFMQRFAPFkx4YXYvN7xawfJOsXtilMIGPBgNV +HSMEgYcwgYSAFMQRFAPFkx4YXYvN7xawfJOsXtiloWGkXzBdMQswCQYDVQQGEwJV RzEPMA0GA1UEBxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJl -bGF4YXRpb24xFzAVBgNVBAMTDnRoZSB0cnVzdGVkIENBggkA3OJRYyCZTBEwCwYD -VR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAJz6xkG3SctVcVOlRrgdGSpqlE2v -Fw1j8tasKRYrhHWZYQT32oiP34ov6ZFTxZ0lBtgjNfRhI0VxXDvr5tamt819hTUL -F5F8yPoabSvBbpWjeDJa4ma74N4jn3Rmdp8K7i1Xno+Eslbx60QYy+Zk8GlFtEsX -CR53OZzZdYBWFa5W +bGF4YXRpb24xFzAVBgNVBAMTDnRoZSB0cnVzdGVkIENBggkAshuaOXDHoD4wDgYD +VR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBABLlJ29AZEJqgwGp27/paP0f +brMWEmlBQrObohg+K8oflMUVPNotwkChR58hwyNfNCKR+r/8bIJOWI+lFTkh5EQq +Yqz2q5bLhy/Odgkyk5QSNm2YsMpvfWyA1A9ROtpvIXquBXMG6fx0/xYG1/NQkbK/ +BE0sTheSsSSJLTDB7PwE -----END CERTIFICATE----- 
diff --git a/test/trusted-ca/trusted.p12 b/test/trusted-ca/trusted.p12 index a3d9c28..5ea7f66 100644 Binary files a/test/trusted-ca/trusted.p12 and b/test/trusted-ca/trusted.p12 differ diff --git a/test/trusted-ca/trusted.priv b/test/trusted-ca/trusted.priv index e698708..e1e1831 100644 --- a/test/trusted-ca/trusted.priv +++ b/test/trusted-ca/trusted.priv 
@@ -1,15 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQDTgxhpXPFdUAZ6vdOUeDhNNq7O+CCeYnOv/sMIoauTNxRSlMOI -GwIB8d4VlgsKU/JKNhmV2Bx1jCAB4nBsoY3mIryPWvt86emR+5lWcfJfG9Q2HHMe -d0oNwUf7i3g9DX22x/B69Kq4KR5C24QlZEwloPi97ltg+ILWp5WULD2v+wIDAQAB -AoGAI0CnUfBOvjm3Sr/WwtkisSPbEN3kOeG43G1+vjKL8TZt6bGnwUiXFhHk7P4c -CvWg3WOU8heZ7rGTKB1Alap7hsEeVC6kVZHz4PmvjkJbIyBKlFfeUm3UY7kq+eyD -148CGk9gSCtRs/vOHygpJwEvIac6toKE64gCh3xn9NZo/UkCQQD6dr93AX3hh7qb -Ht3ep2TD5nKdiRfNtW5uieXGm2wG4jinKziQHOeURJ8kFjzbmIo58zGLjbeUD42C -eAjkr3D1AkEA2C/wQeYp6lNh7AIx2GAPSTGlKHa1x016j69pVUMXyPQBht7o66WG -lGEC4v22axMFogbj8Ln5Pj84k6IGyGRHLwJAeR4rgJUMFp/YMWM/z4gLRmCOVHgT -Nrrh6DpvDxfhqYKD+vL/q1EO+7gjbQQD8f1V+qgL8XxaphLPT6RUSKI+cQJBAM9I -t78X5xyssnlOaWikQkPV/BveJtFgMqHOeNqtqAKgI06kMQSxA2cF1XS7+8qSxJXk -sW3Bg3/xslerxYEi1TUCQQDYo/EVIhFigU3ONRguQxZ4rHCF5zwl3rdw2wXcIdS0 -4nREE6He1zwNrTlS3bRU+asmD4dtYxuUgSTqvvyArsCe +MIICWwIBAAKBgQCX3cRHcag8RiQV4LztIAx7B7i381yF+zf39ZZq84Ycc8ZI+LFB +zrRQsjaEPsbi6f1dbDh1IwLFptttwG+AJBKwjHjPSdbPqtOYshBIjG+phanVTLg9 +chPEIirYf5ngidfDOCMw9mNdFcPnrBA7CXDNCoY7hsPSf3U986B2csZfgQIDAQAB +AoGAZ6OzkKIzErc3ZyrRI+5MNiYF3JubV+AiyPhz55c7ve0Qs7nsliFvkuacJ9ID +vtW6z+fL+7yh5qtBcnvyW/vCOGb1SZR8TaeK4eYPYn7+f34cMY+EYqVB9jws8Er8 +VByq7rx7Gmwr1ykiGiT04HdeFKw1uhYpqtdKwpNG+5L2g+UCQQDFqlkOxNWdx1Iy +RK9Z1JWBh5BaywBexiBxObA98AA/pYpi6Bd01HSA28R0nQXkKSRJl1Y0Fv8UKl2v +ovsNguIbAkEAxK9JXNYDQX4gVqf/nk/UVaqbpt60ahRRWkDHgCueVW6PipwV3TgA +SkKkS5M1E1aTSw8tPP6XXshK31amN1Q+kwJADRrbJrCEHR7O40hMe98tPlY3it10 +m9P06KzTc3fK/G1EPIR4saU4SCbJ4pVag6L6pepjq7ZumO6qIW/jxySLSwJAXh/Q +iPf2GOqGCVJeduGXKOP7lzDuv/E3OWzUzFaTcCj30op9wB8jrGYWAADTnoyI8pux +t4XS5M4PXrA13TaYtwJAB5jWQUN+Hk8pqMC5R8ft10Z9pUB5WCAEeOqJBRmpbg5m +TYOzpXPGwNglpzaXG7EQp1pC71I3k3gsI0jXjmnwkQ== -----END RSA PRIVATE KEY-----