From 6e3a0206b330502f33d29b2dc54c11ef19cf5b01 Mon Sep 17 00:00:00 2001 
From: Cyprien DIOT Date: Fri, 4 Sep 2015 16:58:04 +0200 Subject: [PATCH 1/4] attempt to check crls --- include/x509.h | 6 +- index.js | 1 + src/addon.cc | 1 + src/x509.cc | 125 ++++++++- test/test.js | 10 +- test/verify/build-ca | 8 + test/verify/build-dh | 11 + test/verify/build-inter | 7 + test/verify/build-key | 7 + test/verify/build-key-pass | 7 + test/verify/build-key-pkcs12 | 8 + test/verify/build-key-server | 10 + test/verify/build-req | 7 + test/verify/build-req-pass | 7 + test/verify/clean-all | 16 ++ test/verify/inherit-inter | 39 +++ test/verify/keys/01.pem | 99 +++++++ test/verify/keys/02.pem | 99 +++++++ test/verify/keys/ca.crt | 30 +++ test/verify/keys/ca.key | 28 ++ test/verify/keys/crl.pem | 14 + test/verify/keys/index.txt | 2 + test/verify/keys/index.txt.attr | 1 + test/verify/keys/index.txt.attr.old | 1 + test/verify/keys/index.txt.old | 2 + test/verify/keys/mandela.crt | 32 +++ test/verify/keys/mandela.crt~ | 99 +++++++ test/verify/keys/mandela.csr | 18 ++ test/verify/keys/mandela.key | 28 ++ test/verify/keys/revoke-test.pem | 44 +++ test/verify/keys/robert.crt | 99 +++++++ test/verify/keys/robert.csr | 18 ++ test/verify/keys/robert.key | 28 ++ test/verify/keys/serial | 1 + test/verify/keys/serial.old | 1 + test/verify/list-crl | 13 + test/verify/openssl-0.9.6.cnf | 268 ++++++++++++++++++ test/verify/openssl-0.9.8.cnf | 293 ++++++++++++++++++++ test/verify/openssl-1.0.0.cnf | 288 ++++++++++++++++++++ test/verify/pkitool | 404 ++++++++++++++++++++++++++++ test/verify/revoke-full | 43 +++ test/verify/sign-req | 7 + test/verify/vars | 80 ++++++ test/verify/whichopensslcnf | 26 ++ 44 files changed, 2331 insertions(+), 5 deletions(-) create mode 100755 test/verify/build-ca create mode 100755 test/verify/build-dh create mode 100755 test/verify/build-inter create mode 100755 test/verify/build-key create mode 100755 test/verify/build-key-pass create mode 100755 test/verify/build-key-pkcs12 create mode 100755 test/verify/build-key-server create mode 
100755 test/verify/build-req create mode 100755 test/verify/build-req-pass create mode 100755 test/verify/clean-all create mode 100755 test/verify/inherit-inter create mode 100644 test/verify/keys/01.pem create mode 100644 test/verify/keys/02.pem create mode 100644 test/verify/keys/ca.crt create mode 100644 test/verify/keys/ca.key create mode 100644 test/verify/keys/crl.pem create mode 100644 test/verify/keys/index.txt create mode 100644 test/verify/keys/index.txt.attr create mode 100644 test/verify/keys/index.txt.attr.old create mode 100644 test/verify/keys/index.txt.old create mode 100644 test/verify/keys/mandela.crt create mode 100644 test/verify/keys/mandela.crt~ create mode 100644 test/verify/keys/mandela.csr create mode 100644 test/verify/keys/mandela.key create mode 100644 test/verify/keys/revoke-test.pem create mode 100644 test/verify/keys/robert.crt create mode 100644 test/verify/keys/robert.csr create mode 100644 test/verify/keys/robert.key create mode 100644 test/verify/keys/serial create mode 100644 test/verify/keys/serial.old create mode 100755 test/verify/list-crl create mode 100644 test/verify/openssl-0.9.6.cnf create mode 100644 test/verify/openssl-0.9.8.cnf create mode 100644 test/verify/openssl-1.0.0.cnf create mode 100755 test/verify/pkitool create mode 100755 test/verify/revoke-full create mode 100755 test/verify/sign-req create mode 100644 test/verify/vars create mode 100755 test/verify/whichopensslcnf diff --git a/include/x509.h b/include/x509.h index 1afb9e5..155d2ea 100644 --- a/include/x509.h +++ b/include/x509.h 
@@ -29,13 +29,13 @@ using namespace v8;
  void get_issuer(const FunctionCallbackInfo &args);
  char* parse_args(const FunctionCallbackInfo &args);
  void parse_cert(const FunctionCallbackInfo &args);
- void extract_p12(const FunctionCallbackInfo &args);
+ void verifycrl(const FunctionCallbackInfo &args);
 #else
  Handle get_altnames(const Arguments &args);
  Handle get_subject(const Arguments &args);
  Handle get_issuer(const Arguments &args);
  Handle parse_cert(const Arguments &args);
- Handle extract_p12(const Arguments &args);
+ Handle verifycrl(const Arguments &args);
 #endif
 
 Handle try_parse(char *data);
@@ -44,6 +44,6 @@ Handle parse_serial(ASN1_INTEGER *serial);
 Handle parse_name(X509_NAME *subject);
 char* real_name(char *data);
 Handle extract_from_p12(char *data, char* password);
-
+Handle verify_cert(char *inputcert, char *inputcrl);
 #endif
diff --git a/index.js b/index.js
index 740fe64..fb5c388 100644
--- a/index.js
+++ b/index.js
@@ -6,6 +6,7 @@ exports.getAltNames = x509.getAltNames;
 exports.getSubject = x509.getSubject;
 exports.getIssuer = x509.getIssuer;
 exports.extractP12 = x509.extractP12;
+exports.verifycrl = x509.verifycrl;
 
 exports.parseCert = function(path) {
  var ret = x509.parseCert(path);
diff --git a/src/addon.cc b/src/addon.cc
index 6b02fd7..48fc3c0 100644
--- a/src/addon.cc
+++ b/src/addon.cc
@@ -14,6 +14,7 @@ void init(Handle exports) {
  exports->Set(String::NewSymbol("getIssuer"), FunctionTemplate::New(get_issuer)->GetFunction());
  exports->Set(String::NewSymbol("parseCert"), FunctionTemplate::New(parse_cert)->GetFunction());
  exports->Set(String::NewSymbol("extractP12"), FunctionTemplate::New(extract_p12)->GetFunction());
+ exports->Set(String::NewSymbol("verifycrl"), FunctionTemplate::New(verifycrl)->GetFunction());
 }
 
 NODE_MODULE(wopenssl, init)
diff --git a/src/x509.cc b/src/x509.cc
index 7936dce..3819400 100644
--- a/src/x509.cc
+++ b/src/x509.cc
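Review bot: The first x509.h hunk replaces the `extract_p12` prototype with `verifycrl` in both the 0.11.3+ branch and the `#else` branch instead of adding the new one next to it, while `src/addon.cc` in this same patch still registers `FunctionTemplate::New(extract_p12)` and `index.js` still exports `extractP12`, so addon.cc loses the declaration of a function it keeps using. Keep both prototypes in each branch: `void extract_p12(const FunctionCallbackInfo<Value> &args);` followed by `void verifycrl(const FunctionCallbackInfo<Value> &args);`, and the matching `Handle<Value>` pair under `#else`. The second x509.h hunk, which appends `verify_cert`, is fine as it stands.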
@@ -67,6 +67,22 @@ void parse_cert(const FunctionCallbackInfo &args) {
  args.GetReturnValue().Set(exports);
 }
 
+void verifycrl(const FunctionCallbackInfo &args) {
+ if (args.Length() < 2) {
+ ThrowException(Exception::Error(String::New("Must provide a certificate file and a crl.")));
+ return NULL;
+ }
+
+ if (!args[0]->IsString() || !args[1]->IsString()) {
+ ThrowException(Exception::TypeError(String::New("Certificate and crl must be strings.")));
+ return NULL;
+ }
+
+ Local exports(verify_cert(args[0]->ToString(), args[1]->ToString())->ToObject());
+
+ args.GetReturnValue().Set(exports);
+}
+
 #else
 
 /*
@@ -115,6 +131,29 @@ Handle parse_cert(const Arguments &args) {
  String::Utf8Value value(args[0]);
  return scope.Close(try_parse(*value));
 }
 
+
+
+Handle verifycrl(const Arguments &args) {
+ HandleScope scope;
+
+ if (args.Length() < 2) {
+ ThrowException(Exception::Error(String::New("Must provide a certificate and a crl")));
+ return scope.Close(Undefined());
+ }
+
+ if (!args[0]->IsString() || !args[1]->IsString()) {
+ ThrowException(Exception::TypeError(String::New("Certificate and crl must be a strings.")));
+ return scope.Close(Undefined());
+ }
+
+
+ String::Utf8Value cert(args[0]);
+ String::Utf8Value crl(args[1]);
+ return scope.Close(verify_cert(*cert, *crl));
+}
+
+
+
 #endif // NODE_VERSION_AT_LEAST
 
@@ -123,7 +162,6 @@ Handle parse_cert(const Arguments &args) {
  * This is where everything is handled for both -0.11.2 and 0.11.3+.
  */
-
 
 Handle try_parse(char *data) {
  HandleScope scope;
  Handle exports(Object::New());
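Review bot: In the 0.11.3+ `verifycrl`, both `return NULL;` statements return a value from a `void` function, which is ill-formed C++, and `verify_cert(args[0]->ToString(), args[1]->ToString())` passes V8 string handles where `verify_cert(char *, char *)` expects C strings, so this branch cannot compile as written. Make the early exits a bare `return;` and convert the arguments the way the 0.10 branch below does: `String::Utf8Value cert(args[0]); String::Utf8Value crl(args[1]);` then `args.GetReturnValue().Set(verify_cert(*cert, *crl));`, dropping the `->ToObject()` wrapper since `verify_cert` already returns a handle. A one-line comment above the function saying what the two string arguments are (PEM text or a path for the certificate, a path for the CRL) would also help, because the two branches currently give no hint of the accepted forms.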
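Review bot: The 0.10-branch `verifycrl` throws `"Certificate and crl must be a strings."`, a grammatical slip in a user-facing message, and its argument-count message `"Must provide a certificate and a crl"` differs from the `"Must provide a certificate file and a crl."` used for the same condition in the 0.11.3+ branch above. Use one wording for both branches, e.g. `"Certificate and crl must be strings."` and `"Must provide a certificate file and a crl."`. The three blank lines added between the closing `}` and `#endif` are also more than the surrounding file uses between definitions.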
@@ -379,3 +417,88 @@ char* real_name(char *data) {
  return data;
 }
 
+
+
+Handle verify_cert(char *inputcert, char *inputcrl) {
+ HandleScope scope;
+ Handle exports(Object::New());
+ X509_STORE_CTX *ctx;
+ X509_STORE *store;
+ X509 *cert;
+ STACK_OF(X509) *chain = NULL;
+ X509_CRL *crl;
+ char error[128];
+
+ store = X509_STORE_new();
+ ctx = X509_STORE_CTX_new();
+ if (!ctx || !store) {
+ ThrowException(Exception::Error(String::New("Cannot allocate x509 store container")));
+ return scope.Close(Undefined());
+ }
+
+ BIO *bio = BIO_new(BIO_s_mem());
+ int result = BIO_puts(bio, inputcert);
+
+ if (result == -2) {
+ ThrowException(Exception::Error(String::New("BIO doesn't support BIO_puts.")));
+ return scope.Close(exports);
+ }
+ else if (result <= 0) {
+ ThrowException(Exception::Error(String::New("No data was written to BIO.")));
+ return scope.Close(exports);
+ }
+
+ // Try raw read
+ cert = PEM_read_bio_X509(bio, NULL, 0, NULL);
+
+ if (cert == NULL) {
+ // Switch to file BIO
+ bio = BIO_new(BIO_s_file());
+
+ // If raw read fails, try reading the input as a filename.
+ if (!BIO_read_filename(bio, inputcert)) {
+ ThrowException(Exception::Error(String::New("File doesn't exist.")));
+ return scope.Close(exports);
+ }
+
+ // Try reading the bio again with the file in it.
+ cert = PEM_read_bio_X509(bio, NULL, 0, NULL);
+
+ if (cert == NULL) {
+ ThrowException(Exception::Error(String::New("Unable to parse certificate.")));
+ return scope.Close(exports);
+ }
+ }
+ BIO *crlbio = BIO_new(BIO_s_file());
+ BIO_read_filename(crlbio, inputcrl);
+ // bio = BIO_new(BIO_s_mem());
+ // BIO_puts(bio, inputcrl);
+ crl = PEM_read_bio_X509_CRL(crlbio, NULL, NULL, NULL);
+ // crl = d2i_X509_CRL_bio(bio, NULL);
+ if (!crl) {
+ ThrowException(Exception::Error(String::New("Cannot parse PEM CRL")));
+ return scope.Close(exports);
+ }
+
+ X509_STORE_add_cert(store, cert);
+ X509_STORE_CTX_init(ctx, store, cert, NULL);
+ // check returns
+ X509_STORE_add_crl(store, crl);
+ X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+ X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_CTX_set0_param(ctx, param);
+
+ if (X509_verify_cert(ctx) <= 0) {
+ ERR_error_string_n(ERR_get_error(), error, sizeof(error));
+ ThrowException(Exception::Error(String::New(error)));
+ return scope.Close(exports);
+ }
+ X509_VERIFY_PARAM_free(param);
+ BIO_free(bio);
+ BIO_free(crlbio);
+ X509_free(cert);
+ X509_STORE_CTX_free(ctx);
+
+
+ return scope.Close(exports);
+}
diff --git a/test/test.js b/test/test.js
index 63aa756..8b93849 100644
--- a/test/test.js
+++ b/test/test.js
@@ -5,6 +5,9 @@ var x509 = require('../index'),
 // All cert files should read without throwing an error.
 // Simple enough test, no?
 
+
+console.log("=========== [ Certificates parsing ] ==========");
+
 fs.readdirSync(path.join(__dirname, 'certs')).forEach(function (file) {
  console.log("File: %s", file);
  console.log(x509.parseCert(path.join(__dirname, 'certs', file)));
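Review bot: `X509_VERIFY_PARAM_free(param)` on the success path of `verify_cert` frees an object that `X509_STORE_CTX_set0_param(ctx, param)` already handed to the context (the set0 convention transfers ownership), so `X509_STORE_CTX_free(ctx)` a few lines later releases it a second time; drop the explicit free, or use `X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK)` and no separate param at all. The trust store is populated with the certificate under test (`X509_STORE_add_cert(store, cert)`) rather than its issuing CA, so neither the chain nor the CRL signature can be validated against the real issuer, and should OpenSSL ever accept the leaf as its own anchor the check would be self-referential; the CA certificate is what belongs in the store. A failing `X509_verify_cert` reports its reason through `X509_STORE_CTX_get_error(ctx)` (rendered by `X509_verify_cert_error_string`), not the ERR queue, so the `ERR_get_error()` text thrown here is likely to be an empty or unrelated error instead of "certificate revoked", which is the one outcome this function exists to surface. `store` and `crl` are never freed on any path, the memory `bio` is dropped when it is replaced by the file BIO, every early `return` leaks `ctx`, `store` and the BIOs, and the results of `BIO_read_filename(crlbio, inputcrl)`, `X509_STORE_CTX_init` and `X509_STORE_add_crl` go unchecked despite the `// check returns` comment. The sketch below rewrites the verification tail; the earlier error returns need the same cleanup, and `chain` and `error` become unused.
```cpp
  // … unchanged: BIO setup, certificate and CRL parsing …
  // NOTE: the certificate under test is being used as its own trust anchor;
  // the issuing CA certificate is what belongs in the store.
  X509_STORE_add_cert(store, cert);
  if (X509_STORE_add_crl(store, crl) != 1 ||
      X509_STORE_CTX_init(ctx, store, cert, NULL) != 1) {
    ThrowException(Exception::Error(String::New("Cannot initialise CRL verification")));
  } else {
    X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
    if (X509_verify_cert(ctx) <= 0) {
      // X509_verify_cert reports through the context error, not the ERR queue.
      int err = X509_STORE_CTX_get_error(ctx);
      ThrowException(Exception::Error(String::New(X509_verify_cert_error_string(err))));
    }
  }
  // add_cert/add_crl took their own references, so these frees are balanced.
  X509_STORE_CTX_free(ctx);
  X509_STORE_free(store);
  X509_CRL_free(crl);
  X509_free(cert);
  BIO_free(bio);
  BIO_free(crlbio);
  return scope.Close(exports);
```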
@@ -12,5 +15,10 @@ fs.readdirSync(path.join(__dirname, 'certs')).forEach(function (file) {
  console.log();
 });
 
 
+console.log("=========== [ p12 extracting ] ==========");
+
+console.log(x509.parseCert(x509.extractP12("test/p12/cert.p12", "password").certificate));
+
+console.log("=========== [ crl verifying ] ==========");
-console.log(x509.parseCert(x509.extractP12("test/p12/cert.p12", "password").certificate));
\ No newline at end of file
+console.log(x509.verifycrl("test/verify/keys/mandela.crt", "test/verify/keys/crl.pem"));
diff --git a/test/verify/build-ca b/test/verify/build-ca
new file mode 100755
index 0000000..bce29a6
--- /dev/null
+++ b/test/verify/build-ca
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+#
+# Build a root certificate
+#
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --initca $*
diff --git a/test/verify/build-dh b/test/verify/build-dh
new file mode 100755
index 0000000..4beb127
--- /dev/null
+++ b/test/verify/build-dh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+
+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
+ $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/test/verify/build-inter b/test/verify/build-inter
new file mode 100755
index 0000000..87bf98d
--- /dev/null
+++ b/test/verify/build-inter
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --inter $*
diff --git a/test/verify/build-key b/test/verify/build-key
new file mode 100755
index 0000000..6c0fed8
--- /dev/null
+++ b/test/verify/build-key
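Review bot: The new `x509.verifycrl(...)` call only exercises `mandela.crt`, which `test/verify/keys/index.txt` in this same patch lists as valid (`V`), so the CRL check is never shown to reject anything; `robert.crt` is marked revoked (`R`, serial 01) in that index and is presumably the entry in `crl.pem`, and verifying it should be expected to throw. The test also prints the result instead of asserting on it, so an implementation that returns an empty object for every input still passes; `assert.throws(function () { x509.verifycrl("test/verify/keys/robert.crt", "test/verify/keys/crl.pem"); });` with `var assert = require('assert');` would pin the revoked case. The relative paths `test/verify/keys/...` and `test/p12/cert.p12` assume the test is run from the repository root, whereas the certificate loop above builds its paths from `__dirname`; `path.join(__dirname, 'verify', 'keys', 'mandela.crt')` would make both consistent. The diffstat also adds `test/verify/keys/mandela.crt~`, which looks like an editor backup rather than an intended fixture.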
@@ -0,0 +1,7 @@ +#!/bin/sh + +# Make a certificate/private key pair using a locally generated +# root certificate. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact $* diff --git a/test/verify/build-key-pass b/test/verify/build-key-pass new file mode 100755 index 0000000..8ef8307 --- /dev/null +++ b/test/verify/build-key-pass @@ -0,0 +1,7 @@ +#!/bin/sh + +# Similar to build-key, but protect the private key +# with a password. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --pass $* diff --git a/test/verify/build-key-pkcs12 b/test/verify/build-key-pkcs12 new file mode 100755 index 0000000..ba90e6a --- /dev/null +++ b/test/verify/build-key-pkcs12 @@ -0,0 +1,8 @@ +#!/bin/sh + +# Make a certificate/private key pair using a locally generated +# root certificate and convert it to a PKCS #12 file including the +# the CA certificate as well. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --pkcs12 $* diff --git a/test/verify/build-key-server b/test/verify/build-key-server new file mode 100755 index 0000000..fee0194 --- /dev/null +++ b/test/verify/build-key-server @@ -0,0 +1,10 @@ +#!/bin/sh + +# Make a certificate/private key pair using a locally generated +# root certificate. +# +# Explicitly set nsCertType to server using the "server" +# extension in the openssl.cnf file. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --server $* diff --git a/test/verify/build-req b/test/verify/build-req new file mode 100755 index 0000000..559d512 --- /dev/null +++ b/test/verify/build-req @@ -0,0 +1,7 @@ +#!/bin/sh + +# Build a certificate signing request and private key. Use this +# when your root certificate and key is not available locally. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --csr $* diff --git a/test/verify/build-req-pass b/test/verify/build-req-pass new file mode 100755 index 0000000..b73ee1b --- /dev/null +++ b/test/verify/build-req-pass 
@@ -0,0 +1,7 @@ +#!/bin/sh + +# Like build-req, but protect your private key +# with a password. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --csr --pass $* diff --git a/test/verify/clean-all b/test/verify/clean-all new file mode 100755 index 0000000..b1d0237 --- /dev/null +++ b/test/verify/clean-all @@ -0,0 +1,16 @@ +#!/bin/sh + +# Initialize the $KEY_DIR directory. +# Note that this script does a +# rm -rf on $KEY_DIR so be careful! + +if [ "$KEY_DIR" ]; then + rm -rf "$KEY_DIR" + mkdir "$KEY_DIR" && \ + chmod go-rwx "$KEY_DIR" && \ + touch "$KEY_DIR/index.txt" && \ + echo 01 >"$KEY_DIR/serial" +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/test/verify/inherit-inter b/test/verify/inherit-inter new file mode 100755 index 0000000..1fe3539 --- /dev/null +++ b/test/verify/inherit-inter 
@@ -0,0 +1,39 @@ +#!/bin/sh + +# Build a new PKI which is rooted on an intermediate certificate generated +# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should +# have independent vars settings, and must use a different KEY_DIR directory +# from the parent. This tool can be used to generate arbitrary depth +# certificate chains. +# +# To build an intermediate CA, follow the same steps for a regular PKI but +# replace ./build-key or ./pkitool --initca with this script. + +# The EXPORT_CA file will contain the CA certificate chain and should be +# referenced by the OpenVPN "ca" directive in config files. The ca.crt file +# will only contain the local intermediate CA -- it's needed by the easy-rsa +# scripts but not by OpenVPN directly. +EXPORT_CA="export-ca.crt" + +if [ $# -ne 2 ]; then + echo "usage: $0 " + echo "parent-key-dir: the KEY_DIR directory of the parent PKI" + echo "common-name: the common name of the intermediate certificate in the parent PKI" + exit 1; +fi + +if [ "$KEY_DIR" ]; then + cp "$1/$2.crt" "$KEY_DIR/ca.crt" + cp "$1/$2.key" "$KEY_DIR/ca.key" + + if [ -e "$1/$EXPORT_CA" ]; then + PARENT_CA="$1/$EXPORT_CA" + else + PARENT_CA="$1/ca.crt" + fi + cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" + cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/test/verify/keys/01.pem b/test/verify/keys/01.pem new file mode 100644 index 0000000..71d4410 --- /dev/null +++ b/test/verify/keys/01.pem 
@@ -0,0 +1,99 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=ZA, ST=EC, L=Port Elizabeth, O=SouthPort Mansion, OU=PMSIPilot, CN=SouthPort Mansion CA/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + Validity + Not Before: Sep 4 12:21:07 2015 GMT + Not After : Sep 1 12:21:07 2025 GMT + Subject: C=ZA, ST=EC, L=Port Elizabeth, O=SouthPort Mansion, OU=PMSIPilot, CN=robert/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bb:55:44:18:68:2d:cd:55:6b:1a:df:9c:e1:b5: + 4e:b7:38:0a:26:80:69:fe:e4:83:e5:9b:80:fe:a8: + 4c:b2:eb:d2:20:8c:7c:f0:f5:a5:3e:0b:bf:70:75: + bb:04:82:1b:db:6d:dc:75:82:cc:b6:8e:80:37:d1: + 76:4c:42:5e:b6:3d:88:17:07:d0:81:ba:17:f6:b4: + 84:ab:be:0f:b5:6a:cb:25:58:d7:47:6b:e2:fd:0d: + 1a:58:90:46:48:29:ab:a7:02:a6:64:49:ba:ef:16: + 46:c6:93:13:66:57:8b:72:4d:5b:b8:7f:16:1a:4c: + 74:96:80:4c:b4:33:52:95:96:57:dd:fa:ca:b3:60: + 3b:d1:cf:6f:2e:20:0d:f4:66:66:54:e9:83:c6:89: + b8:40:56:a8:bb:17:51:bb:9a:e1:23:60:5e:4b:fb: + 53:76:42:f0:df:99:99:9f:2a:f8:dc:e7:55:e4:14: + 0b:85:1e:a9:cc:37:6d:b6:12:7b:dc:53:73:29:4a: + 03:7b:57:10:b3:db:bf:b0:6e:85:fc:fc:12:06:ce: + 77:37:c4:5d:f5:4f:7e:32:d6:c6:2c:3a:64:73:34: + e3:8d:fe:13:e0:87:5e:02:84:2a:e2:15:9f:f3:32: + 9c:dd:f5:e6:23:df:f5:29:04:4c:4b:5c:99:ec:82: + c6:5d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + 53:C5:A9:66:4D:BC:D4:D9:96:77:11:F6:FA:83:67:6A:8F:32:DA:5E + X509v3 Authority Key Identifier: + keyid:D5:F5:B4:A1:44:5F:BD:83:B5:80:BC:AD:96:3D:FA:FE:32:1C:CA:57 + DirName:/C=ZA/ST=EC/L=Port Elizabeth/O=SouthPort Mansion/OU=PMSIPilot/CN=SouthPort Mansion CA/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + serial:80:21:94:BE:8A:B0:45:3C + + X509v3 Extended Key Usage: + TLS Web Client 
Authentication + X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:robert + Signature Algorithm: sha256WithRSAEncryption + 78:fb:3b:8e:bb:85:43:bb:b2:97:cd:7a:9e:45:ee:6e:20:5c: + b0:73:f8:76:26:af:0c:77:bd:5a:1c:35:88:f9:13:0f:b2:15: + 1b:01:91:aa:7f:2c:c3:a2:b7:e5:12:68:97:6d:57:b8:ba:bb: + 39:c0:ac:a8:3c:b1:94:d3:15:66:2c:2a:25:75:5f:8b:49:67: + 2b:72:f1:81:cc:17:2a:25:8e:33:c9:ef:a5:73:46:29:48:d1: + 1e:cb:1b:66:ec:08:f0:7c:8e:06:2d:b8:b3:5b:9b:5a:d6:c4: + b1:4a:4d:ca:30:60:d4:7c:85:f1:aa:13:10:9c:85:d5:b7:07: + d0:fe:64:99:5c:56:aa:ba:2d:65:66:af:83:f0:13:86:aa:6d: + 1f:9d:7b:ad:f0:ca:60:23:a5:bf:f6:99:84:36:e1:3a:6e:38: + e5:76:dd:65:d0:29:35:82:c8:fa:a5:a3:08:30:74:08:aa:0a: + 67:80:78:f9:48:85:1a:15:e0:f3:18:7f:99:e8:ab:3e:2a:a0: + f6:be:b1:19:5f:74:bf:bb:0f:df:20:0b:dd:36:c0:2f:4d:31: + 71:9d:ad:2f:3e:bb:fc:57:55:5d:6a:62:d5:6b:62:63:6f:33: + 62:30:9a:7f:02:8e:9e:a3:ed:bf:c0:85:8c:d0:3a:22:d5:7b: + 6e:9b:aa:37 +-----BEGIN CERTIFICATE----- +MIIFbzCCBFegAwIBAgIBATANBgkqhkiG9w0BAQsFADCBvDELMAkGA1UEBhMCWkEx +CzAJBgNVBAgTAkVDMRcwFQYDVQQHEw5Qb3J0IEVsaXphYmV0aDEaMBgGA1UEChMR +U291dGhQb3J0IE1hbnNpb24xEjAQBgNVBAsTCVBNU0lQaWxvdDEdMBsGA1UEAxMU +U291dGhQb3J0IE1hbnNpb24gQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG +9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnphMB4XDTE1MDkwNDEyMjEwN1oX +DTI1MDkwMTEyMjEwN1owga4xCzAJBgNVBAYTAlpBMQswCQYDVQQIEwJFQzEXMBUG +A1UEBxMOUG9ydCBFbGl6YWJldGgxGjAYBgNVBAoTEVNvdXRoUG9ydCBNYW5zaW9u +MRIwEAYDVQQLEwlQTVNJUGlsb3QxDzANBgNVBAMTBnJvYmVydDEQMA4GA1UEKRMH +RWFzeVJTQTEmMCQGCSqGSIb3DQEJARYXY3lwcmllbi5kaW90QG5tbXUuYWMuemEw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7VUQYaC3NVWsa35zhtU63 +OAomgGn+5IPlm4D+qEyy69IgjHzw9aU+C79wdbsEghvbbdx1gsy2joA30XZMQl62 +PYgXB9CBuhf2tISrvg+1asslWNdHa+L9DRpYkEZIKaunAqZkSbrvFkbGkxNmV4ty +TVu4fxYaTHSWgEy0M1KVllfd+sqzYDvRz28uIA30ZmZU6YPGibhAVqi7F1G7muEj +YF5L+1N2QvDfmZmfKvjc51XkFAuFHqnMN222EnvcU3MpSgN7VxCz27+wboX8/BIG +znc3xF31T34y1sYsOmRzNOON/hPgh14ChCriFZ/zMpzd9eYj3/UpBExLXJnsgsZd 
+AgMBAAGjggGGMIIBgjAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJT +QSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFFPFqWZNvNTZlncR9vqD +Z2qPMtpeMIHxBgNVHSMEgekwgeaAFNX1tKFEX72DtYC8rZY9+v4yHMpXoYHCpIG/ +MIG8MQswCQYDVQQGEwJaQTELMAkGA1UECBMCRUMxFzAVBgNVBAcTDlBvcnQgRWxp +emFiZXRoMRowGAYDVQQKExFTb3V0aFBvcnQgTWFuc2lvbjESMBAGA1UECxMJUE1T +SVBpbG90MR0wGwYDVQQDExRTb3V0aFBvcnQgTWFuc2lvbiBDQTEQMA4GA1UEKRMH +RWFzeVJTQTEmMCQGCSqGSIb3DQEJARYXY3lwcmllbi5kaW90QG5tbXUuYWMuemGC +CQCAIZS+irBFPDATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEQYD +VR0RBAowCIIGcm9iZXJ0MA0GCSqGSIb3DQEBCwUAA4IBAQB4+zuOu4VDu7KXzXqe +Re5uIFywc/h2Jq8Md71aHDWI+RMPshUbAZGqfyzDorflEmiXbVe4urs5wKyoPLGU +0xVmLColdV+LSWcrcvGBzBcqJY4zye+lc0YpSNEeyxtm7AjwfI4GLbizW5ta1sSx +Sk3KMGDUfIXxqhMQnIXVtwfQ/mSZXFaqui1lZq+D8BOGqm0fnXut8MpgI6W/9pmE +NuE6bjjldt1l0Ck1gsj6paMIMHQIqgpngHj5SIUaFeDzGH+Z6Ks+KqD2vrEZX3S/ +uw/fIAvdNsAvTTFxna0vPrv8V1VdamLVa2JjbzNiMJp/Ao6eo+2/wIWM0Doi1Xtu +m6o3 +-----END CERTIFICATE----- diff --git a/test/verify/keys/02.pem b/test/verify/keys/02.pem new file mode 100644 index 0000000..9866d1d --- /dev/null +++ b/test/verify/keys/02.pem 
@@ -0,0 +1,99 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=ZA, ST=EC, L=Port Elizabeth, O=SouthPort Mansion, OU=PMSIPilot, CN=SouthPort Mansion CA/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + Validity + Not Before: Sep 4 12:21:41 2015 GMT + Not After : Sep 1 12:21:41 2025 GMT + Subject: C=ZA, ST=EC, L=Port Elizabeth, O=SouthPort Mansion, OU=PMSIPilot, CN=mandela/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bd:cd:2a:05:82:4a:2b:9e:4f:72:50:81:03:fe: + df:80:d9:3b:80:34:08:85:13:29:88:82:b9:52:ec: + 70:12:62:6c:0e:0c:01:e5:e6:a4:a5:4b:2c:dc:7e: + d0:8a:de:54:37:fa:4c:06:47:0f:d3:cd:10:dd:ca: + af:b0:03:9b:e0:b3:06:cf:4c:89:6f:7c:3f:79:43: + da:a3:66:4a:58:56:a1:db:df:7d:15:d8:05:10:f7: + c2:19:e0:5d:08:d5:2a:13:98:2b:03:d6:ba:8d:61: + 36:9e:f0:30:b3:bf:6e:3f:96:07:e0:40:c8:78:31: + 52:8f:65:af:d7:d6:bd:5a:c4:cc:1a:54:53:b1:08: + 7d:6f:b1:a8:ab:51:14:0a:c5:b5:18:06:c1:66:44: + 69:40:6d:1a:61:a1:de:59:8d:86:6b:68:6f:65:e9: + 93:77:a9:1b:9a:e3:ea:b5:94:69:17:ab:7c:c4:f8: + 0d:5c:12:d0:51:4c:9d:04:ff:51:0f:83:e3:cb:72: + 6a:13:fd:b9:c2:e5:8c:0f:21:01:4a:a5:69:c1:95: + cd:35:f8:e2:ab:f4:1b:27:51:0a:09:8d:8a:e5:43: + 6f:3e:7c:e5:3f:c1:6e:a8:5b:e7:fd:ad:4c:90:3f: + ed:26:17:19:8d:d1:a2:09:93:af:33:ea:35:ad:a0: + 8a:f1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + 80:90:D6:14:31:4E:7B:1A:31:DC:E9:3D:54:12:4C:ED:13:ED:87:F1 + X509v3 Authority Key Identifier: + keyid:D5:F5:B4:A1:44:5F:BD:83:B5:80:BC:AD:96:3D:FA:FE:32:1C:CA:57 + DirName:/C=ZA/ST=EC/L=Port Elizabeth/O=SouthPort Mansion/OU=PMSIPilot/CN=SouthPort Mansion CA/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + serial:80:21:94:BE:8A:B0:45:3C + + X509v3 Extended Key Usage: + TLS Web Client 
Authentication + X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:mandela + Signature Algorithm: sha256WithRSAEncryption + 56:c3:6c:e2:6b:d2:02:27:ca:0f:78:2f:8a:66:71:31:06:98: + 2b:81:af:9a:6a:19:61:6d:cd:a8:02:0b:75:f1:c4:7f:d0:d0: + 11:18:b3:6c:32:0a:cf:a4:06:30:47:03:7c:3d:72:49:8f:d8: + 80:33:4e:73:2c:18:98:8f:81:a8:76:50:97:78:eb:f5:f2:0e: + 81:ad:0a:49:f1:ad:6e:54:7e:13:d6:02:43:e0:2d:7d:9e:92: + a5:80:b4:0f:8f:be:b9:a8:ee:95:6a:b1:7b:7d:92:dd:e8:3c: + 30:fc:06:67:d7:32:d2:91:31:f9:57:35:20:9c:1e:de:a0:6d: + c6:2d:3f:70:d6:b8:5f:7f:2e:4d:af:ca:3c:31:a2:ad:05:06: + d7:c3:8a:46:a3:38:c8:82:45:57:b1:8d:87:bb:72:a8:c7:61: + 61:4f:d6:90:dd:ff:8d:a8:df:5b:87:05:70:75:21:f2:49:b4: + 6b:af:51:cb:6d:02:70:cd:9c:eb:d8:48:aa:65:7b:a5:85:d2: + b6:7f:f2:e1:06:46:de:4f:54:e2:e0:5c:17:0c:95:e5:7e:af: + 96:18:63:70:f2:85:45:2d:bc:c2:95:ba:80:a0:a8:a8:38:67: + 74:91:99:29:d1:81:f6:45:27:8c:10:6d:96:cf:07:ee:6b:bd: + ba:f1:02:c9 +-----BEGIN CERTIFICATE----- +MIIFcTCCBFmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBvDELMAkGA1UEBhMCWkEx +CzAJBgNVBAgTAkVDMRcwFQYDVQQHEw5Qb3J0IEVsaXphYmV0aDEaMBgGA1UEChMR +U291dGhQb3J0IE1hbnNpb24xEjAQBgNVBAsTCVBNU0lQaWxvdDEdMBsGA1UEAxMU +U291dGhQb3J0IE1hbnNpb24gQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG +9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnphMB4XDTE1MDkwNDEyMjE0MVoX +DTI1MDkwMTEyMjE0MVowga8xCzAJBgNVBAYTAlpBMQswCQYDVQQIEwJFQzEXMBUG +A1UEBxMOUG9ydCBFbGl6YWJldGgxGjAYBgNVBAoTEVNvdXRoUG9ydCBNYW5zaW9u +MRIwEAYDVQQLEwlQTVNJUGlsb3QxEDAOBgNVBAMTB21hbmRlbGExEDAOBgNVBCkT +B0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnph +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc0qBYJKK55PclCBA/7f +gNk7gDQIhRMpiIK5UuxwEmJsDgwB5eakpUss3H7Qit5UN/pMBkcP080Q3cqvsAOb +4LMGz0yJb3w/eUPao2ZKWFah2999FdgFEPfCGeBdCNUqE5grA9a6jWE2nvAws79u +P5YH4EDIeDFSj2Wv19a9WsTMGlRTsQh9b7Goq1EUCsW1GAbBZkRpQG0aYaHeWY2G +a2hvZemTd6kbmuPqtZRpF6t8xPgNXBLQUUydBP9RD4Pjy3JqE/25wuWMDyEBSqVp +wZXNNfjiq/QbJ1EKCY2K5UNvPnzlP8FuqFvn/a1MkD/tJhcZjdGiCZOvM+o1raCK 
+8QIDAQABo4IBhzCCAYMwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1S +U0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSAkNYUMU57GjHc6T1U +EkztE+2H8TCB8QYDVR0jBIHpMIHmgBTV9bShRF+9g7WAvK2WPfr+MhzKV6GBwqSB +vzCBvDELMAkGA1UEBhMCWkExCzAJBgNVBAgTAkVDMRcwFQYDVQQHEw5Qb3J0IEVs +aXphYmV0aDEaMBgGA1UEChMRU291dGhQb3J0IE1hbnNpb24xEjAQBgNVBAsTCVBN +U0lQaWxvdDEdMBsGA1UEAxMUU291dGhQb3J0IE1hbnNpb24gQ0ExEDAOBgNVBCkT +B0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnph +ggkAgCGUvoqwRTwwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMBIG +A1UdEQQLMAmCB21hbmRlbGEwDQYJKoZIhvcNAQELBQADggEBAFbDbOJr0gInyg94 +L4pmcTEGmCuBr5pqGWFtzagCC3XxxH/Q0BEYs2wyCs+kBjBHA3w9ckmP2IAzTnMs +GJiPgah2UJd46/XyDoGtCknxrW5UfhPWAkPgLX2ekqWAtA+Pvrmo7pVqsXt9kt3o +PDD8BmfXMtKRMflXNSCcHt6gbcYtP3DWuF9/Lk2vyjwxoq0FBtfDikajOMiCRVex +jYe7cqjHYWFP1pDd/42o31uHBXB1IfJJtGuvUcttAnDNnOvYSKple6WF0rZ/8uEG +Rt5PVOLgXBcMleV+r5YYY3DyhUUtvMKVuoCgqKg4Z3SRmSnRgfZFJ4wQbZbPB+5r +vbrxAsk= +-----END CERTIFICATE----- diff --git a/test/verify/keys/ca.crt b/test/verify/keys/ca.crt new file mode 100644 index 0000000..5dd7340 --- /dev/null +++ b/test/verify/keys/ca.crt 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFJDCCBAygAwIBAgIJAIAhlL6KsEU8MA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD +VQQGEwJaQTELMAkGA1UECBMCRUMxFzAVBgNVBAcTDlBvcnQgRWxpemFiZXRoMRow +GAYDVQQKExFTb3V0aFBvcnQgTWFuc2lvbjESMBAGA1UECxMJUE1TSVBpbG90MR0w +GwYDVQQDExRTb3V0aFBvcnQgTWFuc2lvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEm +MCQGCSqGSIb3DQEJARYXY3lwcmllbi5kaW90QG5tbXUuYWMuemEwHhcNMTUwOTA0 +MTIyMDM0WhcNMjUwOTAxMTIyMDM0WjCBvDELMAkGA1UEBhMCWkExCzAJBgNVBAgT +AkVDMRcwFQYDVQQHEw5Qb3J0IEVsaXphYmV0aDEaMBgGA1UEChMRU291dGhQb3J0 +IE1hbnNpb24xEjAQBgNVBAsTCVBNU0lQaWxvdDEdMBsGA1UEAxMUU291dGhQb3J0 +IE1hbnNpb24gQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2N5 +cHJpZW4uZGlvdEBubW11LmFjLnphMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAojCFW+2H7IKVQakXTTX4WVlxgnuIXdLinsFo7vDyaFGV6wViXWumYCrR +phj8AF7/Ryw46VtN2759H+zHDnRATmadmg2x6gwyjjAChIV3d8FFWjCydqoiJxPr +vJXMcK614cu+mkZRCadOJCIduMIXVj5SSzCbXfa5I+7lOxeIjoi/196vNwE68GPn +83UGl+gHk4V01lvb+GwDSKuvXNCLCtmqauIbGydlfZJxOaYnfh3n6ucTzhfbYEWH +QvN4Ca3kV+6Y9CZPd+6FtLxBT70P67feS5GUn6CtTvLO/xa/91/dkhmxL3V/poGa +zWQOMWTd87oi/oXrj5S/JwUcvobkcwIDAQABo4IBJTCCASEwHQYDVR0OBBYEFNX1 +tKFEX72DtYC8rZY9+v4yHMpXMIHxBgNVHSMEgekwgeaAFNX1tKFEX72DtYC8rZY9 ++v4yHMpXoYHCpIG/MIG8MQswCQYDVQQGEwJaQTELMAkGA1UECBMCRUMxFzAVBgNV +BAcTDlBvcnQgRWxpemFiZXRoMRowGAYDVQQKExFTb3V0aFBvcnQgTWFuc2lvbjES +MBAGA1UECxMJUE1TSVBpbG90MR0wGwYDVQQDExRTb3V0aFBvcnQgTWFuc2lvbiBD +QTEQMA4GA1UEKRMHRWFzeVJTQTEmMCQGCSqGSIb3DQEJARYXY3lwcmllbi5kaW90 +QG5tbXUuYWMuemGCCQCAIZS+irBFPDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB +CwUAA4IBAQBWvDnjeoY/A/wFYwhr3/mD0MJg6Z+tlmplB9Qym2LjFxP55bi8kN1Q +fVQ5Uplrzc/mVCy0UsBbY3WjIrjgO/iwMd2v6fwjsZtHRH6zMGktm5gSIW9bUigv +vmL2RZumBpZvlQIZ8xfhQEv0zEyXlGX0nkHvYl6/lCJrPXPKXx4wIZDfeCG/ZJ6M +kLL8cxhhWqZTzGVzXi1kNmrA/I/y47ZFBIEUPH7xKocDItjPpXVqsQN85vby/Rqo +NWGCrudwFqYD2Ks6/+tsCsC7Kv8Kbb23QRR+1eDzaIJYxOlvEZ4tEPmJSD7SvFNy +ff6ZLjZ3zOTkkwHxhhRVG8aQYSgBCPsz +-----END CERTIFICATE----- diff --git a/test/verify/keys/ca.key b/test/verify/keys/ca.key new file mode 100644 index 0000000..b2d42a1 
--- /dev/null +++ b/test/verify/keys/ca.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCiMIVb7YfsgpVB +qRdNNfhZWXGCe4hd0uKewWju8PJoUZXrBWJda6ZgKtGmGPwAXv9HLDjpW03bvn0f +7McOdEBOZp2aDbHqDDKOMAKEhXd3wUVaMLJ2qiInE+u8lcxwrrXhy76aRlEJp04k +Ih24whdWPlJLMJtd9rkj7uU7F4iOiL/X3q83ATrwY+fzdQaX6AeThXTWW9v4bANI +q69c0IsK2apq4hsbJ2V9knE5pid+Hefq5xPOF9tgRYdC83gJreRX7pj0Jk937oW0 +vEFPvQ/rt95LkZSfoK1O8s7/Fr/3X92SGbEvdX+mgZrNZA4xZN3zuiL+heuPlL8n +BRy+huRzAgMBAAECggEBAJ8GOBv0gCtztejVZFV+L21b96HagdCMr0q9lKeDdAq4 +w+fWNaYnoM/16+2R3bR3cJFWWM7liSeGVKTywhH4Bf1ZO/oKp4E2SHOFu1I4kvTG +ebt+t90F38q1C5Syw+tQQmGMJeyaOWbftgxTrxSyqbMUFBhJJm0xNkJ3QCd6YZhu +CRskLoiTsm0dCwO9vs1bndFH6XvMiM/oRy3FbPWmts7tIeCSNRqSbsw+zPtJFsR8 +XzAe7Y4qC8weoACjhn+DR1q3qeWnJHa5QH2iDmcrYcj+VtrD+DenwU1NgIZm2bpP +kiOAi8sU9/TVEBVRslp20KozeDZetMPnYGfYBffmDvECgYEAztJxpjRhD4/iuMJ8 +FpkkbzhUtzP09zDybuLbhD4LRqfTym3su9bUqz9WtNuxugsfaLL9vxEkh+kr37vZ +RZW+CFJaxs/qoixT0S2+ip00Awo4JI+ztF26gT6xTDTRKFTaeT1soH5q8QdualMG +kQRfd5zwYRylKvOIEEByJrLolicCgYEAyME7Txe7TdW22PW0TMz2j5yjvv9/oan7 +QKm+sSTDgyrLOmim6emwvC01JDhSfPbfue6G3YCcgA2GLSr+2tFotnomwxXAV3dC +7yS6n7yv8hlsy2DYqT2e1wCOVHUQ2jfBF+wonCej3Oog2cMUuDmlQTyMolSGK0Pi +Z4cLoqluGtUCgYEApMSNHB8wkEhOFGmEmDBLEXwsKYPwDZpmGacLwS/4pcKAfQ3U +AtWkugUM26sGzTOdQzkN5FEQ7GH7vROXhdNFALYzcZ4kzCxKXiR2X1HcJOvYTHBb +dz8QnXTHpPGTC/GF1/7ycm4kXn9QHM6mNZPpRo62BnfesfgwFtpw1pnDqBMCgYBn +Y9z/puE3/NDme+QXiZeR7sIGI9+/iqNzcfhbkut+KhPwSOVtooT65O1xcfBJm3st +bsLWYN44tL5dlL8cQq0DDXXZEuK0KR+3udrDWZHjxWRaec4bmziq0gZ7SK8dM4mm +oGFpyqCBrbKtc+K/3jBVoLFtCMrwjU2Us+AyLcAe4QKBgQCMVk26FcE3Q468y3uR +ic/YrWiU0eRofiIZCXTQcqzKQ+B9alTCM7v5tomQhx2fDXuJYtPb9OngOVvhJLeX +ksW6vzkrORdUMQsWXD2bS1tpDs1UI5WCnz9Y2oCeEcwBGNHH7ALVehuVSl+1HVQg +47CWzJE55Kr84njvk5uwGLs/9w== +-----END PRIVATE KEY----- diff --git a/test/verify/keys/crl.pem b/test/verify/keys/crl.pem new file mode 100644 index 0000000..9a5c532 --- /dev/null +++ b/test/verify/keys/crl.pem 
@@ -0,0 +1,14 @@ +-----BEGIN X509 CRL----- +MIICGjCCAQIwDQYJKoZIhvcNAQELBQAwgbwxCzAJBgNVBAYTAlpBMQswCQYDVQQI +EwJFQzEXMBUGA1UEBxMOUG9ydCBFbGl6YWJldGgxGjAYBgNVBAoTEVNvdXRoUG9y +dCBNYW5zaW9uMRIwEAYDVQQLEwlQTVNJUGlsb3QxHTAbBgNVBAMTFFNvdXRoUG9y +dCBNYW5zaW9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSYwJAYJKoZIhvcNAQkBFhdj +eXByaWVuLmRpb3RAbm1tdS5hYy56YRcNMTUwOTA0MTIyMTUzWhcNMTUxMDA0MTIy +MTUzWjAUMBICAQEXDTE1MDkwNDEyMjE1M1owDQYJKoZIhvcNAQELBQADggEBAJWN +QHAa8u7IBQhKWGqrGOW3lSYI5C3tCTO79O+2TbyGjS2KkTS7+AKZXWXvJSFOL8il +13u+cwx02Jw8wA3BhWnyAYQnwxv5KfCB1PeF827au4/PSBWPpjOGokqzxScyPaDl +8F2yxEtYWvcS6bvO5dDeUwc5QECh5l6MlaPmcqCD663kIcPvSuZ5nvun9CnGoMN7 +fk/gx1MVIr2JA+QIzROuFNGAq2rpU9SOMoYsWVJVP3IdgzHMyApNxewt5xZFGuDI +wbZHidu+t/g8Z8toD84uFnTn1XEt3jo8tc/PJ/dZ8TG7RBAjY7m20rvbfgsrxdrS +P6aeFLvyQmFoSJvA4v4= +-----END X509 CRL----- diff --git a/test/verify/keys/index.txt b/test/verify/keys/index.txt new file mode 100644 index 0000000..b764303 --- /dev/null +++ b/test/verify/keys/index.txt @@ -0,0 +1,2 @@ +R 250901122107Z 150904122153Z 01 unknown /C=ZA/ST=EC/L=Port Elizabeth/O=SouthPort Mansion/OU=PMSIPilot/CN=robert/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za +V 250901122141Z 02 unknown /C=ZA/ST=EC/L=Port Elizabeth/O=SouthPort Mansion/OU=PMSIPilot/CN=mandela/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za diff --git a/test/verify/keys/index.txt.attr b/test/verify/keys/index.txt.attr new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/test/verify/keys/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/test/verify/keys/index.txt.attr.old b/test/verify/keys/index.txt.attr.old new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/test/verify/keys/index.txt.attr.old @@ -0,0 +1 @@ +unique_subject = yes diff --git a/test/verify/keys/index.txt.old b/test/verify/keys/index.txt.old new file mode 100644 index 0000000..7cf7236 --- /dev/null +++ b/test/verify/keys/index.txt.old 
@@ -0,0 +1,2 @@ +V 250901122107Z 01 unknown /C=ZA/ST=EC/L=Port Elizabeth/O=SouthPort Mansion/OU=PMSIPilot/CN=robert/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za +V 250901122141Z 02 unknown /C=ZA/ST=EC/L=Port Elizabeth/O=SouthPort Mansion/OU=PMSIPilot/CN=mandela/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za diff --git a/test/verify/keys/mandela.crt b/test/verify/keys/mandela.crt new file mode 100644 index 0000000..5932418 --- /dev/null +++ b/test/verify/keys/mandela.crt 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFcTCCBFmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBvDELMAkGA1UEBhMCWkEx +CzAJBgNVBAgTAkVDMRcwFQYDVQQHEw5Qb3J0IEVsaXphYmV0aDEaMBgGA1UEChMR +U291dGhQb3J0IE1hbnNpb24xEjAQBgNVBAsTCVBNU0lQaWxvdDEdMBsGA1UEAxMU +U291dGhQb3J0IE1hbnNpb24gQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG +9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnphMB4XDTE1MDkwNDEyMjE0MVoX +DTI1MDkwMTEyMjE0MVowga8xCzAJBgNVBAYTAlpBMQswCQYDVQQIEwJFQzEXMBUG +A1UEBxMOUG9ydCBFbGl6YWJldGgxGjAYBgNVBAoTEVNvdXRoUG9ydCBNYW5zaW9u +MRIwEAYDVQQLEwlQTVNJUGlsb3QxEDAOBgNVBAMTB21hbmRlbGExEDAOBgNVBCkT +B0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnph +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc0qBYJKK55PclCBA/7f +gNk7gDQIhRMpiIK5UuxwEmJsDgwB5eakpUss3H7Qit5UN/pMBkcP080Q3cqvsAOb +4LMGz0yJb3w/eUPao2ZKWFah2999FdgFEPfCGeBdCNUqE5grA9a6jWE2nvAws79u +P5YH4EDIeDFSj2Wv19a9WsTMGlRTsQh9b7Goq1EUCsW1GAbBZkRpQG0aYaHeWY2G +a2hvZemTd6kbmuPqtZRpF6t8xPgNXBLQUUydBP9RD4Pjy3JqE/25wuWMDyEBSqVp +wZXNNfjiq/QbJ1EKCY2K5UNvPnzlP8FuqFvn/a1MkD/tJhcZjdGiCZOvM+o1raCK +8QIDAQABo4IBhzCCAYMwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1S +U0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSAkNYUMU57GjHc6T1U +EkztE+2H8TCB8QYDVR0jBIHpMIHmgBTV9bShRF+9g7WAvK2WPfr+MhzKV6GBwqSB +vzCBvDELMAkGA1UEBhMCWkExCzAJBgNVBAgTAkVDMRcwFQYDVQQHEw5Qb3J0IEVs +aXphYmV0aDEaMBgGA1UEChMRU291dGhQb3J0IE1hbnNpb24xEjAQBgNVBAsTCVBN +U0lQaWxvdDEdMBsGA1UEAxMUU291dGhQb3J0IE1hbnNpb24gQ0ExEDAOBgNVBCkT +B0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnph +ggkAgCGUvoqwRTwwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMBIG +A1UdEQQLMAmCB21hbmRlbGEwDQYJKoZIhvcNAQELBQADggEBAFbDbOJr0gInyg94 +L4pmcTEGmCuBr5pqGWFtzagCC3XxxH/Q0BEYs2wyCs+kBjBHA3w9ckmP2IAzTnMs +GJiPgah2UJd46/XyDoGtCknxrW5UfhPWAkPgLX2ekqWAtA+Pvrmo7pVqsXt9kt3o +PDD8BmfXMtKRMflXNSCcHt6gbcYtP3DWuF9/Lk2vyjwxoq0FBtfDikajOMiCRVex +jYe7cqjHYWFP1pDd/42o31uHBXB1IfJJtGuvUcttAnDNnOvYSKple6WF0rZ/8uEG +Rt5PVOLgXBcMleV+r5YYY3DyhUUtvMKVuoCgqKg4Z3SRmSnRgfZFJ4wQbZbPB+5r +vbrxAsk= +-----END CERTIFICATE----- 
diff --git a/test/verify/keys/mandela.crt~ b/test/verify/keys/mandela.crt~ new file mode 100644 index 0000000..9866d1d --- /dev/null +++ b/test/verify/keys/mandela.crt~ 
@@ -0,0 +1,99 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=ZA, ST=EC, L=Port Elizabeth, O=SouthPort Mansion, OU=PMSIPilot, CN=SouthPort Mansion CA/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + Validity + Not Before: Sep 4 12:21:41 2015 GMT + Not After : Sep 1 12:21:41 2025 GMT + Subject: C=ZA, ST=EC, L=Port Elizabeth, O=SouthPort Mansion, OU=PMSIPilot, CN=mandela/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bd:cd:2a:05:82:4a:2b:9e:4f:72:50:81:03:fe: + df:80:d9:3b:80:34:08:85:13:29:88:82:b9:52:ec: + 70:12:62:6c:0e:0c:01:e5:e6:a4:a5:4b:2c:dc:7e: + d0:8a:de:54:37:fa:4c:06:47:0f:d3:cd:10:dd:ca: + af:b0:03:9b:e0:b3:06:cf:4c:89:6f:7c:3f:79:43: + da:a3:66:4a:58:56:a1:db:df:7d:15:d8:05:10:f7: + c2:19:e0:5d:08:d5:2a:13:98:2b:03:d6:ba:8d:61: + 36:9e:f0:30:b3:bf:6e:3f:96:07:e0:40:c8:78:31: + 52:8f:65:af:d7:d6:bd:5a:c4:cc:1a:54:53:b1:08: + 7d:6f:b1:a8:ab:51:14:0a:c5:b5:18:06:c1:66:44: + 69:40:6d:1a:61:a1:de:59:8d:86:6b:68:6f:65:e9: + 93:77:a9:1b:9a:e3:ea:b5:94:69:17:ab:7c:c4:f8: + 0d:5c:12:d0:51:4c:9d:04:ff:51:0f:83:e3:cb:72: + 6a:13:fd:b9:c2:e5:8c:0f:21:01:4a:a5:69:c1:95: + cd:35:f8:e2:ab:f4:1b:27:51:0a:09:8d:8a:e5:43: + 6f:3e:7c:e5:3f:c1:6e:a8:5b:e7:fd:ad:4c:90:3f: + ed:26:17:19:8d:d1:a2:09:93:af:33:ea:35:ad:a0: + 8a:f1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + 80:90:D6:14:31:4E:7B:1A:31:DC:E9:3D:54:12:4C:ED:13:ED:87:F1 + X509v3 Authority Key Identifier: + keyid:D5:F5:B4:A1:44:5F:BD:83:B5:80:BC:AD:96:3D:FA:FE:32:1C:CA:57 + DirName:/C=ZA/ST=EC/L=Port Elizabeth/O=SouthPort Mansion/OU=PMSIPilot/CN=SouthPort Mansion CA/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + serial:80:21:94:BE:8A:B0:45:3C + + X509v3 Extended Key Usage: + TLS Web Client 
Authentication + X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:mandela + Signature Algorithm: sha256WithRSAEncryption + 56:c3:6c:e2:6b:d2:02:27:ca:0f:78:2f:8a:66:71:31:06:98: + 2b:81:af:9a:6a:19:61:6d:cd:a8:02:0b:75:f1:c4:7f:d0:d0: + 11:18:b3:6c:32:0a:cf:a4:06:30:47:03:7c:3d:72:49:8f:d8: + 80:33:4e:73:2c:18:98:8f:81:a8:76:50:97:78:eb:f5:f2:0e: + 81:ad:0a:49:f1:ad:6e:54:7e:13:d6:02:43:e0:2d:7d:9e:92: + a5:80:b4:0f:8f:be:b9:a8:ee:95:6a:b1:7b:7d:92:dd:e8:3c: + 30:fc:06:67:d7:32:d2:91:31:f9:57:35:20:9c:1e:de:a0:6d: + c6:2d:3f:70:d6:b8:5f:7f:2e:4d:af:ca:3c:31:a2:ad:05:06: + d7:c3:8a:46:a3:38:c8:82:45:57:b1:8d:87:bb:72:a8:c7:61: + 61:4f:d6:90:dd:ff:8d:a8:df:5b:87:05:70:75:21:f2:49:b4: + 6b:af:51:cb:6d:02:70:cd:9c:eb:d8:48:aa:65:7b:a5:85:d2: + b6:7f:f2:e1:06:46:de:4f:54:e2:e0:5c:17:0c:95:e5:7e:af: + 96:18:63:70:f2:85:45:2d:bc:c2:95:ba:80:a0:a8:a8:38:67: + 74:91:99:29:d1:81:f6:45:27:8c:10:6d:96:cf:07:ee:6b:bd: + ba:f1:02:c9 +-----BEGIN CERTIFICATE----- +MIIFcTCCBFmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBvDELMAkGA1UEBhMCWkEx +CzAJBgNVBAgTAkVDMRcwFQYDVQQHEw5Qb3J0IEVsaXphYmV0aDEaMBgGA1UEChMR +U291dGhQb3J0IE1hbnNpb24xEjAQBgNVBAsTCVBNU0lQaWxvdDEdMBsGA1UEAxMU +U291dGhQb3J0IE1hbnNpb24gQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG +9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnphMB4XDTE1MDkwNDEyMjE0MVoX +DTI1MDkwMTEyMjE0MVowga8xCzAJBgNVBAYTAlpBMQswCQYDVQQIEwJFQzEXMBUG +A1UEBxMOUG9ydCBFbGl6YWJldGgxGjAYBgNVBAoTEVNvdXRoUG9ydCBNYW5zaW9u +MRIwEAYDVQQLEwlQTVNJUGlsb3QxEDAOBgNVBAMTB21hbmRlbGExEDAOBgNVBCkT +B0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnph +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc0qBYJKK55PclCBA/7f +gNk7gDQIhRMpiIK5UuxwEmJsDgwB5eakpUss3H7Qit5UN/pMBkcP080Q3cqvsAOb +4LMGz0yJb3w/eUPao2ZKWFah2999FdgFEPfCGeBdCNUqE5grA9a6jWE2nvAws79u +P5YH4EDIeDFSj2Wv19a9WsTMGlRTsQh9b7Goq1EUCsW1GAbBZkRpQG0aYaHeWY2G +a2hvZemTd6kbmuPqtZRpF6t8xPgNXBLQUUydBP9RD4Pjy3JqE/25wuWMDyEBSqVp +wZXNNfjiq/QbJ1EKCY2K5UNvPnzlP8FuqFvn/a1MkD/tJhcZjdGiCZOvM+o1raCK 
+8QIDAQABo4IBhzCCAYMwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1S +U0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSAkNYUMU57GjHc6T1U +EkztE+2H8TCB8QYDVR0jBIHpMIHmgBTV9bShRF+9g7WAvK2WPfr+MhzKV6GBwqSB +vzCBvDELMAkGA1UEBhMCWkExCzAJBgNVBAgTAkVDMRcwFQYDVQQHEw5Qb3J0IEVs +aXphYmV0aDEaMBgGA1UEChMRU291dGhQb3J0IE1hbnNpb24xEjAQBgNVBAsTCVBN +U0lQaWxvdDEdMBsGA1UEAxMUU291dGhQb3J0IE1hbnNpb24gQ0ExEDAOBgNVBCkT +B0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnph +ggkAgCGUvoqwRTwwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMBIG +A1UdEQQLMAmCB21hbmRlbGEwDQYJKoZIhvcNAQELBQADggEBAFbDbOJr0gInyg94 +L4pmcTEGmCuBr5pqGWFtzagCC3XxxH/Q0BEYs2wyCs+kBjBHA3w9ckmP2IAzTnMs +GJiPgah2UJd46/XyDoGtCknxrW5UfhPWAkPgLX2ekqWAtA+Pvrmo7pVqsXt9kt3o +PDD8BmfXMtKRMflXNSCcHt6gbcYtP3DWuF9/Lk2vyjwxoq0FBtfDikajOMiCRVex +jYe7cqjHYWFP1pDd/42o31uHBXB1IfJJtGuvUcttAnDNnOvYSKple6WF0rZ/8uEG +Rt5PVOLgXBcMleV+r5YYY3DyhUUtvMKVuoCgqKg4Z3SRmSnRgfZFJ4wQbZbPB+5r +vbrxAsk= +-----END CERTIFICATE----- diff --git a/test/verify/keys/mandela.csr b/test/verify/keys/mandela.csr new file mode 100644 index 0000000..e33e3b8 --- /dev/null +++ b/test/verify/keys/mandela.csr 
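Review bot: test/verify/keys/mandela.crt~ looks like an editor backup of mandela.crt (the trailing `~`, plus the same DER body as mandela.crt preceded by the `openssl x509 -text` dump that mandela.crt no longer carries) and should be dropped from the commit rather than shipped as a fixture. It duplicates the certificate already added in mandela.crt, so presumably nothing in test/test.js depends on it. Adding `*~` to the repository's .gitignore would keep the next edit of a fixture from picking the backup up again; the index.txt.old, index.txt.attr.old and serial.old files added by this patch are OpenSSL `ca` working copies and could be pruned on the same basis unless the fixture directory is meant to be a live CA database.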
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC9TCCAd0CAQAwga8xCzAJBgNVBAYTAlpBMQswCQYDVQQIEwJFQzEXMBUGA1UE +BxMOUG9ydCBFbGl6YWJldGgxGjAYBgNVBAoTEVNvdXRoUG9ydCBNYW5zaW9uMRIw +EAYDVQQLEwlQTVNJUGlsb3QxEDAOBgNVBAMTB21hbmRlbGExEDAOBgNVBCkTB0Vh +c3lSU0ExJjAkBgkqhkiG9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnphMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc0qBYJKK55PclCBA/7fgNk7 +gDQIhRMpiIK5UuxwEmJsDgwB5eakpUss3H7Qit5UN/pMBkcP080Q3cqvsAOb4LMG +z0yJb3w/eUPao2ZKWFah2999FdgFEPfCGeBdCNUqE5grA9a6jWE2nvAws79uP5YH +4EDIeDFSj2Wv19a9WsTMGlRTsQh9b7Goq1EUCsW1GAbBZkRpQG0aYaHeWY2Ga2hv +ZemTd6kbmuPqtZRpF6t8xPgNXBLQUUydBP9RD4Pjy3JqE/25wuWMDyEBSqVpwZXN +Nfjiq/QbJ1EKCY2K5UNvPnzlP8FuqFvn/a1MkD/tJhcZjdGiCZOvM+o1raCK8QID +AQABoAAwDQYJKoZIhvcNAQELBQADggEBAEg52EIHSN5BfdqGfhpaR9O909zNHsCF +Qqef5QoIRfIwRE+ipS8L2MF3RsmjxQqIiMpjH03RjZKTTbMNh2kVuzJ9vTIDiWYP +T0+dF+eowE5ckdDPLtsJUmoTMklLbWY5SEO60PINc1t1uLU8SPo7CuRzvMrdoHcr +tyaCfxM26JVhCOWBaiRdpu+oXFFTN/cDm+/uQXycfaXw1F6feyXp+vdMX0UfOqo9 +SClF7bWGKUBr5+wHPIxd0lEVwytxpxAGSnHgU3jy3oSPrRDfKhkxzCNRy+HCLVcV +ZnjUn3fr4oUjaIDYkldm8IBPZqffVTFA0Kjp51u8Pse0tqD+yINp7ds= +-----END CERTIFICATE REQUEST----- diff --git a/test/verify/keys/mandela.key b/test/verify/keys/mandela.key new file mode 100644 index 0000000..9524b60 --- /dev/null +++ b/test/verify/keys/mandela.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC9zSoFgkornk9y +UIED/t+A2TuANAiFEymIgrlS7HASYmwODAHl5qSlSyzcftCK3lQ3+kwGRw/TzRDd +yq+wA5vgswbPTIlvfD95Q9qjZkpYVqHb330V2AUQ98IZ4F0I1SoTmCsD1rqNYTae +8DCzv24/lgfgQMh4MVKPZa/X1r1axMwaVFOxCH1vsairURQKxbUYBsFmRGlAbRph +od5ZjYZraG9l6ZN3qRua4+q1lGkXq3zE+A1cEtBRTJ0E/1EPg+PLcmoT/bnC5YwP +IQFKpWnBlc01+OKr9BsnUQoJjYrlQ28+fOU/wW6oW+f9rUyQP+0mFxmN0aIJk68z +6jWtoIrxAgMBAAECggEANTuutn7VaKhtJeW4WbOJYi0LSCjP3usB8hyf98cCo9Vg +8wuhGKb4tLeB7JHQ0bILsuuLmRMjOEdCnMI1Rkus03fCyC9yOIeDkfJbBwswfNhH +a1CiV5cPzLOAiBtqXIjU1UwPfHMkPXTvieJZ9oARXtooeVgSIcvLmRZvHD1JPISL +/gG+xbVpKN3NqaoyuX7MVdD8YepbR+nSdHFXw24XuAqlXMlA31VN8ZIhr6gF5Klb +0zDK6K+TzOFgpPNZ0OMkRVAdPnAxj5bxwjm/IhFIMB+tAcWAir56+Sx6NIkio75P +z5vEublfFJkOl18GMF4rNZtMkiaAR36aBuSSoAno5QKBgQDiFqE2gDpG/hrAtuWX +4xkt71YCDFT12ltmEsZ4Wh2K/jBn3MAx/ZEzrcj1uPSIMi6Uy/wllW6i3OPulTYW +yvzuyUmqUPN+MEumF8LYRI4k8A8y/cZBQCaStp3FcLZOqbOBtV4miVapPq7jHeHm +D71tZB1scSpdJE1xyC4ZxmzjCwKBgQDW6Yif4RioFm9b1p36+30mM5rkf0O1fpgL +C1qGbIwAha8sRTN/MJwdepfMgLPNDeNLNjbb2O9oH+US54/dIbWOV9JHpOGJaoLQ +0nP+UyxkpqGXigrLMzAEidU+32gCKDCZ0aj0wg8eE0EXwPp+whM5jX1biGGK3fbR +iDjSZkvHcwKBgQCLXGGhI6dIjWdWNScO2dhyfR3qA0n3hdJi993I39toCskxrFv4 +NJHlZhECjjCFJ1GZPKe/Tv40e64wKV9+6z6/vemfh2if9wsaZXkgMBniYOsthkpH +fFCKjPBxfMmTcX2JzY8sd+moR1AsBQZy9m7QWC7e4l63rSHjqf3ou2vxAwKBgBtq +9dQ32nZvTkuwKL2BYikCgmtOVSwNd4ZJL4ZgyMe0RnHmbjh20iPspPshHE83y1yo +EP2hQoHNN+NeiXsTtt7vE1OylFd8sC3F+6hhohNBMvJrWQ8te53Im90GkXVc/T5S +gjSfoWAb4r0OEKclSWCZTXnk/1TBFqEKuP0WsepDAoGBALgfhMf1knZmNUV5qtDz +JG83W/1I4WbZvxLBe9V5J4mpzWcPR1qtNjNcZ0fqt11xtvdst+quiKCmjypZmYVl +mUHSLw9gsHpOIPzZCmhqPnki81QvGz2yvii1WLdkWOeo0qSm7IjmBhTIjRLiVTqU +lQv8UQgHZ2cHGPTrEu/sLPPn +-----END PRIVATE KEY----- diff --git a/test/verify/keys/revoke-test.pem b/test/verify/keys/revoke-test.pem new file mode 100644 index 0000000..e727422 --- /dev/null +++ b/test/verify/keys/revoke-test.pem 
@@ -0,0 +1,44 @@ +-----BEGIN CERTIFICATE----- +MIIFJDCCBAygAwIBAgIJAIAhlL6KsEU8MA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD +VQQGEwJaQTELMAkGA1UECBMCRUMxFzAVBgNVBAcTDlBvcnQgRWxpemFiZXRoMRow +GAYDVQQKExFTb3V0aFBvcnQgTWFuc2lvbjESMBAGA1UECxMJUE1TSVBpbG90MR0w +GwYDVQQDExRTb3V0aFBvcnQgTWFuc2lvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEm +MCQGCSqGSIb3DQEJARYXY3lwcmllbi5kaW90QG5tbXUuYWMuemEwHhcNMTUwOTA0 +MTIyMDM0WhcNMjUwOTAxMTIyMDM0WjCBvDELMAkGA1UEBhMCWkExCzAJBgNVBAgT +AkVDMRcwFQYDVQQHEw5Qb3J0IEVsaXphYmV0aDEaMBgGA1UEChMRU291dGhQb3J0 +IE1hbnNpb24xEjAQBgNVBAsTCVBNU0lQaWxvdDEdMBsGA1UEAxMUU291dGhQb3J0 +IE1hbnNpb24gQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2N5 +cHJpZW4uZGlvdEBubW11LmFjLnphMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAojCFW+2H7IKVQakXTTX4WVlxgnuIXdLinsFo7vDyaFGV6wViXWumYCrR +phj8AF7/Ryw46VtN2759H+zHDnRATmadmg2x6gwyjjAChIV3d8FFWjCydqoiJxPr +vJXMcK614cu+mkZRCadOJCIduMIXVj5SSzCbXfa5I+7lOxeIjoi/196vNwE68GPn +83UGl+gHk4V01lvb+GwDSKuvXNCLCtmqauIbGydlfZJxOaYnfh3n6ucTzhfbYEWH +QvN4Ca3kV+6Y9CZPd+6FtLxBT70P67feS5GUn6CtTvLO/xa/91/dkhmxL3V/poGa +zWQOMWTd87oi/oXrj5S/JwUcvobkcwIDAQABo4IBJTCCASEwHQYDVR0OBBYEFNX1 +tKFEX72DtYC8rZY9+v4yHMpXMIHxBgNVHSMEgekwgeaAFNX1tKFEX72DtYC8rZY9 ++v4yHMpXoYHCpIG/MIG8MQswCQYDVQQGEwJaQTELMAkGA1UECBMCRUMxFzAVBgNV +BAcTDlBvcnQgRWxpemFiZXRoMRowGAYDVQQKExFTb3V0aFBvcnQgTWFuc2lvbjES +MBAGA1UECxMJUE1TSVBpbG90MR0wGwYDVQQDExRTb3V0aFBvcnQgTWFuc2lvbiBD +QTEQMA4GA1UEKRMHRWFzeVJTQTEmMCQGCSqGSIb3DQEJARYXY3lwcmllbi5kaW90 +QG5tbXUuYWMuemGCCQCAIZS+irBFPDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB +CwUAA4IBAQBWvDnjeoY/A/wFYwhr3/mD0MJg6Z+tlmplB9Qym2LjFxP55bi8kN1Q +fVQ5Uplrzc/mVCy0UsBbY3WjIrjgO/iwMd2v6fwjsZtHRH6zMGktm5gSIW9bUigv +vmL2RZumBpZvlQIZ8xfhQEv0zEyXlGX0nkHvYl6/lCJrPXPKXx4wIZDfeCG/ZJ6M +kLL8cxhhWqZTzGVzXi1kNmrA/I/y47ZFBIEUPH7xKocDItjPpXVqsQN85vby/Rqo +NWGCrudwFqYD2Ks6/+tsCsC7Kv8Kbb23QRR+1eDzaIJYxOlvEZ4tEPmJSD7SvFNy +ff6ZLjZ3zOTkkwHxhhRVG8aQYSgBCPsz +-----END CERTIFICATE----- +-----BEGIN X509 CRL----- +MIICGjCCAQIwDQYJKoZIhvcNAQELBQAwgbwxCzAJBgNVBAYTAlpBMQswCQYDVQQI 
+EwJFQzEXMBUGA1UEBxMOUG9ydCBFbGl6YWJldGgxGjAYBgNVBAoTEVNvdXRoUG9y +dCBNYW5zaW9uMRIwEAYDVQQLEwlQTVNJUGlsb3QxHTAbBgNVBAMTFFNvdXRoUG9y +dCBNYW5zaW9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSYwJAYJKoZIhvcNAQkBFhdj +eXByaWVuLmRpb3RAbm1tdS5hYy56YRcNMTUwOTA0MTIyMTUzWhcNMTUxMDA0MTIy +MTUzWjAUMBICAQEXDTE1MDkwNDEyMjE1M1owDQYJKoZIhvcNAQELBQADggEBAJWN +QHAa8u7IBQhKWGqrGOW3lSYI5C3tCTO79O+2TbyGjS2KkTS7+AKZXWXvJSFOL8il +13u+cwx02Jw8wA3BhWnyAYQnwxv5KfCB1PeF827au4/PSBWPpjOGokqzxScyPaDl +8F2yxEtYWvcS6bvO5dDeUwc5QECh5l6MlaPmcqCD663kIcPvSuZ5nvun9CnGoMN7 +fk/gx1MVIr2JA+QIzROuFNGAq2rpU9SOMoYsWVJVP3IdgzHMyApNxewt5xZFGuDI +wbZHidu+t/g8Z8toD84uFnTn1XEt3jo8tc/PJ/dZ8TG7RBAjY7m20rvbfgsrxdrS +P6aeFLvyQmFoSJvA4v4= +-----END X509 CRL----- diff --git a/test/verify/keys/robert.crt b/test/verify/keys/robert.crt new file mode 100644 index 0000000..71d4410 --- /dev/null +++ b/test/verify/keys/robert.crt 
@@ -0,0 +1,99 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=ZA, ST=EC, L=Port Elizabeth, O=SouthPort Mansion, OU=PMSIPilot, CN=SouthPort Mansion CA/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + Validity + Not Before: Sep 4 12:21:07 2015 GMT + Not After : Sep 1 12:21:07 2025 GMT + Subject: C=ZA, ST=EC, L=Port Elizabeth, O=SouthPort Mansion, OU=PMSIPilot, CN=robert/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bb:55:44:18:68:2d:cd:55:6b:1a:df:9c:e1:b5: + 4e:b7:38:0a:26:80:69:fe:e4:83:e5:9b:80:fe:a8: + 4c:b2:eb:d2:20:8c:7c:f0:f5:a5:3e:0b:bf:70:75: + bb:04:82:1b:db:6d:dc:75:82:cc:b6:8e:80:37:d1: + 76:4c:42:5e:b6:3d:88:17:07:d0:81:ba:17:f6:b4: + 84:ab:be:0f:b5:6a:cb:25:58:d7:47:6b:e2:fd:0d: + 1a:58:90:46:48:29:ab:a7:02:a6:64:49:ba:ef:16: + 46:c6:93:13:66:57:8b:72:4d:5b:b8:7f:16:1a:4c: + 74:96:80:4c:b4:33:52:95:96:57:dd:fa:ca:b3:60: + 3b:d1:cf:6f:2e:20:0d:f4:66:66:54:e9:83:c6:89: + b8:40:56:a8:bb:17:51:bb:9a:e1:23:60:5e:4b:fb: + 53:76:42:f0:df:99:99:9f:2a:f8:dc:e7:55:e4:14: + 0b:85:1e:a9:cc:37:6d:b6:12:7b:dc:53:73:29:4a: + 03:7b:57:10:b3:db:bf:b0:6e:85:fc:fc:12:06:ce: + 77:37:c4:5d:f5:4f:7e:32:d6:c6:2c:3a:64:73:34: + e3:8d:fe:13:e0:87:5e:02:84:2a:e2:15:9f:f3:32: + 9c:dd:f5:e6:23:df:f5:29:04:4c:4b:5c:99:ec:82: + c6:5d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + Easy-RSA Generated Certificate + X509v3 Subject Key Identifier: + 53:C5:A9:66:4D:BC:D4:D9:96:77:11:F6:FA:83:67:6A:8F:32:DA:5E + X509v3 Authority Key Identifier: + keyid:D5:F5:B4:A1:44:5F:BD:83:B5:80:BC:AD:96:3D:FA:FE:32:1C:CA:57 + DirName:/C=ZA/ST=EC/L=Port Elizabeth/O=SouthPort Mansion/OU=PMSIPilot/CN=SouthPort Mansion CA/name=EasyRSA/emailAddress=cyprien.diot@nmmu.ac.za + serial:80:21:94:BE:8A:B0:45:3C + + X509v3 Extended Key Usage: + TLS Web Client 
Authentication + X509v3 Key Usage: + Digital Signature + X509v3 Subject Alternative Name: + DNS:robert + Signature Algorithm: sha256WithRSAEncryption + 78:fb:3b:8e:bb:85:43:bb:b2:97:cd:7a:9e:45:ee:6e:20:5c: + b0:73:f8:76:26:af:0c:77:bd:5a:1c:35:88:f9:13:0f:b2:15: + 1b:01:91:aa:7f:2c:c3:a2:b7:e5:12:68:97:6d:57:b8:ba:bb: + 39:c0:ac:a8:3c:b1:94:d3:15:66:2c:2a:25:75:5f:8b:49:67: + 2b:72:f1:81:cc:17:2a:25:8e:33:c9:ef:a5:73:46:29:48:d1: + 1e:cb:1b:66:ec:08:f0:7c:8e:06:2d:b8:b3:5b:9b:5a:d6:c4: + b1:4a:4d:ca:30:60:d4:7c:85:f1:aa:13:10:9c:85:d5:b7:07: + d0:fe:64:99:5c:56:aa:ba:2d:65:66:af:83:f0:13:86:aa:6d: + 1f:9d:7b:ad:f0:ca:60:23:a5:bf:f6:99:84:36:e1:3a:6e:38: + e5:76:dd:65:d0:29:35:82:c8:fa:a5:a3:08:30:74:08:aa:0a: + 67:80:78:f9:48:85:1a:15:e0:f3:18:7f:99:e8:ab:3e:2a:a0: + f6:be:b1:19:5f:74:bf:bb:0f:df:20:0b:dd:36:c0:2f:4d:31: + 71:9d:ad:2f:3e:bb:fc:57:55:5d:6a:62:d5:6b:62:63:6f:33: + 62:30:9a:7f:02:8e:9e:a3:ed:bf:c0:85:8c:d0:3a:22:d5:7b: + 6e:9b:aa:37 +-----BEGIN CERTIFICATE----- +MIIFbzCCBFegAwIBAgIBATANBgkqhkiG9w0BAQsFADCBvDELMAkGA1UEBhMCWkEx +CzAJBgNVBAgTAkVDMRcwFQYDVQQHEw5Qb3J0IEVsaXphYmV0aDEaMBgGA1UEChMR +U291dGhQb3J0IE1hbnNpb24xEjAQBgNVBAsTCVBNU0lQaWxvdDEdMBsGA1UEAxMU +U291dGhQb3J0IE1hbnNpb24gQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG +9w0BCQEWF2N5cHJpZW4uZGlvdEBubW11LmFjLnphMB4XDTE1MDkwNDEyMjEwN1oX +DTI1MDkwMTEyMjEwN1owga4xCzAJBgNVBAYTAlpBMQswCQYDVQQIEwJFQzEXMBUG +A1UEBxMOUG9ydCBFbGl6YWJldGgxGjAYBgNVBAoTEVNvdXRoUG9ydCBNYW5zaW9u +MRIwEAYDVQQLEwlQTVNJUGlsb3QxDzANBgNVBAMTBnJvYmVydDEQMA4GA1UEKRMH +RWFzeVJTQTEmMCQGCSqGSIb3DQEJARYXY3lwcmllbi5kaW90QG5tbXUuYWMuemEw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7VUQYaC3NVWsa35zhtU63 +OAomgGn+5IPlm4D+qEyy69IgjHzw9aU+C79wdbsEghvbbdx1gsy2joA30XZMQl62 +PYgXB9CBuhf2tISrvg+1asslWNdHa+L9DRpYkEZIKaunAqZkSbrvFkbGkxNmV4ty +TVu4fxYaTHSWgEy0M1KVllfd+sqzYDvRz28uIA30ZmZU6YPGibhAVqi7F1G7muEj +YF5L+1N2QvDfmZmfKvjc51XkFAuFHqnMN222EnvcU3MpSgN7VxCz27+wboX8/BIG +znc3xF31T34y1sYsOmRzNOON/hPgh14ChCriFZ/zMpzd9eYj3/UpBExLXJnsgsZd 
+AgMBAAGjggGGMIIBgjAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJT +QSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFFPFqWZNvNTZlncR9vqD +Z2qPMtpeMIHxBgNVHSMEgekwgeaAFNX1tKFEX72DtYC8rZY9+v4yHMpXoYHCpIG/ +MIG8MQswCQYDVQQGEwJaQTELMAkGA1UECBMCRUMxFzAVBgNVBAcTDlBvcnQgRWxp +emFiZXRoMRowGAYDVQQKExFTb3V0aFBvcnQgTWFuc2lvbjESMBAGA1UECxMJUE1T +SVBpbG90MR0wGwYDVQQDExRTb3V0aFBvcnQgTWFuc2lvbiBDQTEQMA4GA1UEKRMH +RWFzeVJTQTEmMCQGCSqGSIb3DQEJARYXY3lwcmllbi5kaW90QG5tbXUuYWMuemGC +CQCAIZS+irBFPDATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwEQYD +VR0RBAowCIIGcm9iZXJ0MA0GCSqGSIb3DQEBCwUAA4IBAQB4+zuOu4VDu7KXzXqe +Re5uIFywc/h2Jq8Md71aHDWI+RMPshUbAZGqfyzDorflEmiXbVe4urs5wKyoPLGU +0xVmLColdV+LSWcrcvGBzBcqJY4zye+lc0YpSNEeyxtm7AjwfI4GLbizW5ta1sSx +Sk3KMGDUfIXxqhMQnIXVtwfQ/mSZXFaqui1lZq+D8BOGqm0fnXut8MpgI6W/9pmE +NuE6bjjldt1l0Ck1gsj6paMIMHQIqgpngHj5SIUaFeDzGH+Z6Ks+KqD2vrEZX3S/ +uw/fIAvdNsAvTTFxna0vPrv8V1VdamLVa2JjbzNiMJp/Ao6eo+2/wIWM0Doi1Xtu +m6o3 +-----END CERTIFICATE----- diff --git a/test/verify/keys/robert.csr b/test/verify/keys/robert.csr new file mode 100644 index 0000000..28796f6 --- /dev/null +++ b/test/verify/keys/robert.csr 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC9DCCAdwCAQAwga4xCzAJBgNVBAYTAlpBMQswCQYDVQQIEwJFQzEXMBUGA1UE +BxMOUG9ydCBFbGl6YWJldGgxGjAYBgNVBAoTEVNvdXRoUG9ydCBNYW5zaW9uMRIw +EAYDVQQLEwlQTVNJUGlsb3QxDzANBgNVBAMTBnJvYmVydDEQMA4GA1UEKRMHRWFz +eVJTQTEmMCQGCSqGSIb3DQEJARYXY3lwcmllbi5kaW90QG5tbXUuYWMuemEwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7VUQYaC3NVWsa35zhtU63OAom +gGn+5IPlm4D+qEyy69IgjHzw9aU+C79wdbsEghvbbdx1gsy2joA30XZMQl62PYgX +B9CBuhf2tISrvg+1asslWNdHa+L9DRpYkEZIKaunAqZkSbrvFkbGkxNmV4tyTVu4 +fxYaTHSWgEy0M1KVllfd+sqzYDvRz28uIA30ZmZU6YPGibhAVqi7F1G7muEjYF5L ++1N2QvDfmZmfKvjc51XkFAuFHqnMN222EnvcU3MpSgN7VxCz27+wboX8/BIGznc3 +xF31T34y1sYsOmRzNOON/hPgh14ChCriFZ/zMpzd9eYj3/UpBExLXJnsgsZdAgMB +AAGgADANBgkqhkiG9w0BAQsFAAOCAQEACjfNxn5pKIndd+h/858HNjA1OkO5xeBr +R59W05oUe9IaigkbQZvCUy5/MLwm5KB8Snil76HhtLngHWtqD6Mj0Zxpsl6t81oi +vU6oVnXdGPrTeZOrZt2jZAetWivxx2szHeVVNdITgQOYg5q2akHTfYSYY2cDjBJ1 +1ITw51nClmXs2Rflo6IGTrvBcZy0GYi3hOk9uTUtgP4HiARndt2MK6kwYObm+ROu +Smm7ZMskaKRNRqKpWe+/72C6LHM1y932+y40L/bvvKj1lq28jiW6+gfcxjd6ThmD +uqAHUJPdxyxGdTQVrukk/6XBrWaKBYGha/dHhshgREUl74/0Og95cg== +-----END CERTIFICATE REQUEST----- diff --git a/test/verify/keys/robert.key b/test/verify/keys/robert.key new file mode 100644 index 0000000..0c103a9 --- /dev/null +++ b/test/verify/keys/robert.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC7VUQYaC3NVWsa +35zhtU63OAomgGn+5IPlm4D+qEyy69IgjHzw9aU+C79wdbsEghvbbdx1gsy2joA3 +0XZMQl62PYgXB9CBuhf2tISrvg+1asslWNdHa+L9DRpYkEZIKaunAqZkSbrvFkbG +kxNmV4tyTVu4fxYaTHSWgEy0M1KVllfd+sqzYDvRz28uIA30ZmZU6YPGibhAVqi7 +F1G7muEjYF5L+1N2QvDfmZmfKvjc51XkFAuFHqnMN222EnvcU3MpSgN7VxCz27+w +boX8/BIGznc3xF31T34y1sYsOmRzNOON/hPgh14ChCriFZ/zMpzd9eYj3/UpBExL +XJnsgsZdAgMBAAECggEBAJYU/MY1CKTdzz4rckud7x94pSEtdj4Ao+8bA2CCQ1iA +98qd4ydFFgq8bLZTi+5Tsq+8t4fpr8p+JhkSFh2Iesq0R0h0OUcFaVd8TmItlfY5 +ReF46JhOxf8INVhI1hXQVLYruFTWgQ41IaTLhhpS/uQnN9l676FIKYu95DXmfD5c +YSxp87KuSc4JqLre1Za627kConPsOgi6i7OP583hVZYEjuo08KvMaeVOumgD2Mfz +PUyfMLL9fAyV9UjlU+ukrSG3kl/z3vB+nLPhfKpHTb5vFSagyVCE/3vuXfcHjEtE +19MqLt1GAat8RhPoR3orYcKy1y6YymkjarKuu8flWd0CgYEA8QeGUGoKRZmyk4DC +7WFeZRlaN8cROGeIHioXrL6oG48qY6LKbPNSdBu3XJR46qFu75HEHMmtslIrU4b4 +5wWKgZM6s2YQlAkmNBlINknO7W9A/9vashDtgGg9Jx/wDd4la3rtaXyf+SE3kfvV +/XQ5TBsuFOZmTFrQVmV4J+eZpQMCgYEAxvfyHCcRun/szxhiGmYfp54RMtYix4tv +mpolu1vkhcxAcpmb4RxGlF1zkhNgwjxAFXaSFHgsw82veU9jjUvgoY3YfV3FdM9s +8ds7vgsp8cELvqTAZhH6or4QuJ1IP/R1TZFe6T2yxUfRBixdWbV+tLe9LJlvuj3N +5xNIhHTDmR8CgYEAzUcjVYl6hhyIwqd/XLz4sBIPjEG2oNtMSqR+1Vjrw80CxSj4 +TiJNryWL3QV2lh43ZUI4TGxXyu/AhrsFcXx+oizKadAbfnjsWKLPpazm18FREpgk +glN4c0xUCOZihO0V4ZwoZxcFCCEKOwLJFbvOsMrVTGeN6KnPlkWFODc/3BECgYBz +yGtaWJ3ncnPim6TTCeSXzNLjS1sX1ZtPUy5r1fCor5A9YAgmuiaURcFwGtiujxMX +qlUdlkUueC4JoNokqigAuyNk6MFz1RTntRUR5Ts2VIk6GnNfskywkXv3goc9uEre +pZ6eienTBZSsS/rSrlwaW+W441zx+u8r7bvAYJZGLwKBgQDbAXUog3/3W3q/h1i/ +o27jsz5510sODbCRw8ISlErx33GaWawJVAkm1AfpQM3ZAScbe7eOShoz+VyZ4L8t +fN6GZLSKKlDGtEys9bE1G72ruyapukX9TxvbJxhskjSgNBuhYeBmFvEIKunWA1XW +bT6xxeK1EskFGUuXknBm/d6ULw== +-----END PRIVATE KEY----- diff --git a/test/verify/keys/serial b/test/verify/keys/serial new file mode 100644 index 0000000..75016ea --- /dev/null +++ b/test/verify/keys/serial @@ -0,0 +1 @@ +03 
diff --git a/test/verify/keys/serial.old b/test/verify/keys/serial.old
new file mode 100644
index 0000000..9e22bcb
--- /dev/null
+++ b/test/verify/keys/serial.old
@@ -0,0 +1 @@
+02
diff --git a/test/verify/list-crl b/test/verify/list-crl
new file mode 100755
index 0000000..32c1143
--- /dev/null
+++ b/test/verify/list-crl
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# list revoked certificates
+
+CRL="${1:-crl.pem}"
+
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR" && \
+ $OPENSSL crl -text -noout -in "$CRL"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/test/verify/openssl-0.9.6.cnf b/test/verify/openssl-0.9.6.cnf
new file mode 100644
index 0000000..fb08fea
--- /dev/null
+++ b/test/verify/openssl-0.9.6.cnf
@@ -0,0 +1,268 @@ +# For use with easy-rsa version 2.0 + +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha256 # which md to use. 
+preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +default_md = sha256 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! 
+string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Easy-RSA Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +subjectAltName=$ENV::KEY_ALTNAMES + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::KEY_ALTNAMES + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. 
+# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always diff --git a/test/verify/openssl-0.9.8.cnf b/test/verify/openssl-0.9.8.cnf new file mode 100644 index 0000000..90331a0 --- /dev/null +++ b/test/verify/openssl-0.9.8.cnf 
@@ -0,0 +1,293 @@ +# For use with easy-rsa version 2.0 + +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +openssl_conf = openssl_init + +[ openssl_init ] +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids +engines = engine_section + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. 
+# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha256 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +default_md = sha256 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! 
+string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +name = Name +name_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN +name_default = $ENV::KEY_NAME + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Easy-RSA Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +subjectAltName=$ENV::KEY_ALTNAMES + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::KEY_ALTNAMES + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. 
+# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ engine_section ] +# +# If you are using PKCS#11 +# Install engine_pkcs11 of opensc (www.opensc.org) +# And uncomment the following +# verify that dynamic_path points to the correct location +# +#pkcs11 = pkcs11_section + +[ pkcs11_section ] +engine_id = pkcs11 +dynamic_path = /usr/lib/engines/engine_pkcs11.so +MODULE_PATH = $ENV::PKCS11_MODULE_PATH +PIN = $ENV::PKCS11_PIN +init = 0 diff --git a/test/verify/openssl-1.0.0.cnf b/test/verify/openssl-1.0.0.cnf new file mode 100644 index 0000000..c301e44 --- /dev/null +++ b/test/verify/openssl-1.0.0.cnf 
@@ -0,0 +1,288 @@ +# For use with easy-rsa version 2.0 and OpenSSL 1.0.0* + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +openssl_conf = openssl_init + +[ openssl_init ] +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids +engines = engine_section + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. 
+# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha256 # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +default_md = sha256 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation after 2004). +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. 
+string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +name = Name +name_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN +name_default = $ENV::KEY_NAME + + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Easy-RSA Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature + + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +subjectAltName=$ENV::KEY_ALTNAMES + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment +subjectAltName=$ENV::KEY_ALTNAMES + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. 
+# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + +[ engine_section ] +# +# If you are using PKCS#11 +# Install engine_pkcs11 of opensc (www.opensc.org) +# And uncomment the following +# verify that dynamic_path points to the correct location +# +#pkcs11 = pkcs11_section + +[ pkcs11_section ] +engine_id = pkcs11 +dynamic_path = /usr/lib/engines/engine_pkcs11.so +MODULE_PATH = $ENV::PKCS11_MODULE_PATH +PIN = $ENV::PKCS11_PIN +init = 0 diff --git a/test/verify/pkitool b/test/verify/pkitool new file mode 100755 index 0000000..c92d943 --- /dev/null +++ b/test/verify/pkitool 
@@ -0,0 +1,404 @@ +#!/bin/sh + +# OpenVPN -- An application to securely tunnel IP networks +# over a single TCP/UDP port, with support for SSL/TLS-based +# session authentication and key exchange, +# packet encryption, packet authentication, and +# packet compression. +# +# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program (see the file COPYING included with this +# distribution); if not, write to the Free Software Foundation, Inc., +# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +# pkitool is a front-end for the openssl tool. + +# Calling scripts can set the certificate organizational +# unit with the KEY_OU environmental variable. + +# Calling scripts can also set the KEY_NAME environmental +# variable to set the "name" X509 subject field. 
+ +PROGNAME=pkitool +VERSION=2.0 +DEBUG=0 + +die() +{ + local m="$1" + + echo "$m" >&2 + exit 1 +} + +need_vars() +{ + cat < root certificate (--ca) + ca.key -> root key, keep secure (not directly used by OpenVPN) + .crt files -> client/server certificates (--cert) + .key files -> private keys, keep secure (--key) + .csr files -> certificate signing request (not directly used by OpenVPN) + dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh) + +Examples: + $PROGNAME --initca -> Build root certificate + $PROGNAME --initca --pass -> Build root certificate with password-protected key + $PROGNAME --server server1 -> Build "server1" certificate/key + $PROGNAME client1 -> Build "client1" certificate/key + $PROGNAME --pass client2 -> Build password-protected "client2" certificate/key + $PROGNAME --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format + $PROGNAME --csr client4 -> Build "client4" CSR to be signed by another CA + $PROGNAME --sign client4 -> Sign "client4" CSR + $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key + Also see ./inherit-inter script. + $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5 + -> Build "client5" certificate/key in PKCS#11 token + +Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys. +Protect client2 key with a password. Build DH parms. 
Generated files in ./keys : + [edit vars with your site-specific info] + source ./vars + ./clean-all + ./build-dh -> takes a long time, consider backgrounding + ./$PROGNAME --initca + ./$PROGNAME --server myserver + ./$PROGNAME client1 + ./$PROGNAME --pass client2 + +Typical usage for adding client cert to existing PKI: + source ./vars + ./$PROGNAME client-new +EOM +} + +# Set tool defaults +[ -n "$OPENSSL" ] || export OPENSSL="openssl" +[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool" +[ -n "$GREP" ] || export GREP="grep" + +# Set defaults +DO_REQ="1" +REQ_EXT="" +DO_CA="1" +CA_EXT="" +DO_P12="0" +DO_P11="0" +DO_ROOT="0" +NODES_REQ="-nodes" +NODES_P12="" +BATCH="-batch" +CA="ca" +# must be set or errors of openssl.cnf +PKCS11_MODULE_PATH="dummy" +PKCS11_PIN="dummy" + +# Process options +while [ $# -gt 0 ]; do + case "$1" in + --keysize ) KEY_SIZE=$2 + shift;; + --server ) REQ_EXT="$REQ_EXT -extensions server" + CA_EXT="$CA_EXT -extensions server" ;; + --batch ) BATCH="-batch" ;; + --interact ) BATCH="" ;; + --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; + --initca ) DO_ROOT="1" ;; + --pass ) NODES_REQ="" ;; + --csr ) DO_CA="0" ;; + --sign ) DO_REQ="0" ;; + --pkcs12 ) DO_P12="1" ;; + --pkcs11 ) DO_P11="1" + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_ID="$4" + PKCS11_LABEL="$5" + shift 4;; + + # standalone + --pkcs11-init) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_LABEL="$4" + if [ -z "$PKCS11_LABEL" ]; then + die "Please specify library name, slot and label" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ + --label "$PKCS11_LABEL" && + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" + exit $?;; + --pkcs11-slots) + PKCS11_MODULE_PATH="$2" + if [ -z "$PKCS11_MODULE_PATH" ]; then + die "Please specify library name" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots + exit 0;; + --pkcs11-objects) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + if [ -z 
"$PKCS11_SLOT" ]; then + die "Please specify library name and slot" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" + exit 0;; + + --help|--usage) + usage + exit ;; + --version) + echo "$PROGNAME $VERSION" + exit ;; + # errors + --* ) die "$PROGNAME: unknown option: $1" ;; + * ) break ;; + esac + shift +done + +if ! [ -z "$BATCH" ]; then + if $OPENSSL version | grep 0.9.6 > /dev/null; then + die "Batch mode is unsupported in openssl<0.9.7" + fi +fi + +if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then + die "PKCS#11 and PKCS#12 cannot be specified together" +fi + +if [ $DO_P11 -eq 1 ]; then + if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then + die "Please edit $KEY_CONFIG and setup PKCS#11 engine" + fi +fi + +# If we are generating pkcs12, only encrypt the final step +if [ $DO_P12 -eq 1 ]; then + NODES_P12="$NODES_REQ" + NODES_REQ="-nodes" +fi + +if [ $DO_P11 -eq 1 ]; then + if [ -z "$PKCS11_LABEL" ]; then + die "PKCS#11 arguments incomplete" + fi +fi + +# If undefined, set default key expiration intervals +if [ -z "$KEY_EXPIRE" ]; then + KEY_EXPIRE=3650 +fi +if [ -z "$CA_EXPIRE" ]; then + CA_EXPIRE=3650 +fi + +# Set organizational unit to empty string if undefined +if [ -z "$KEY_OU" ]; then + KEY_OU="" +fi + +# Set X509 Name string to empty string if undefined +if [ -z "$KEY_NAME" ]; then + KEY_NAME="" +fi + +# Set KEY_CN, FN +if [ $DO_ROOT -eq 1 ]; then + if [ -z "$KEY_CN" ]; then + if [ "$1" ]; then + KEY_CN="$1" + KEY_ALTNAMES="DNS:${KEY_CN}" + elif [ "$KEY_ORG" ]; then + KEY_CN="$KEY_ORG CA" + KEY_ALTNAMES="$KEY_CN" + fi + fi + if [ $BATCH ] && [ "$KEY_CN" ]; then + echo "Using CA Common Name:" "$KEY_CN" + KEY_ALTNAMES="$KEY_CN" + fi + FN="$KEY_CN" +elif [ $BATCH ] && [ "$KEY_CN" ]; then + echo "Using Common Name:" "$KEY_CN" + KEY_ALTNAMES="$KEY_CN" + FN="$KEY_CN" + if [ "$1" ]; then + FN="$1" + fi +else + if [ $# -ne 1 ]; then + usage + exit 1 + else + KEY_CN="$1" + KEY_ALTNAMES="DNS:$1" + shift + while [ "x$1" != 
"x" ] + do + KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1" + shift + done + fi + FN="$KEY_CN" +fi + +export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES + +# Show parameters (debugging) +if [ $DEBUG -eq 1 ]; then + echo DO_REQ $DO_REQ + echo REQ_EXT $REQ_EXT + echo DO_CA $DO_CA + echo CA_EXT $CA_EXT + echo NODES_REQ $NODES_REQ + echo NODES_P12 $NODES_P12 + echo DO_P12 $DO_P12 + echo KEY_CN $KEY_CN + echo KEY_ALTNAMES $KEY_ALTNAMES + echo BATCH $BATCH + echo DO_ROOT $DO_ROOT + echo KEY_EXPIRE $KEY_EXPIRE + echo CA_EXPIRE $CA_EXPIRE + echo KEY_OU $KEY_OU + echo KEY_NAME $KEY_NAME + echo DO_P11 $DO_P11 + echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH + echo PKCS11_SLOT $PKCS11_SLOT + echo PKCS11_ID $PKCS11_ID + echo PKCS11_LABEL $PKCS11_LABEL +fi + +# Make sure ./vars was sourced beforehand +if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then + cd "$KEY_DIR" + + # Make sure $KEY_CONFIG points to the correct version + # of openssl.cnf + if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then + : + else + echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" + echo "version of openssl.cnf: $KEY_CONFIG" + echo "The correct version should have a comment that says: easy-rsa version 2.x"; + exit 1; + fi + + # Build root CA + if [ $DO_ROOT -eq 1 ]; then + $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ + chmod 0600 "$CA.key" + else + # Make sure CA key/cert is available + if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then + if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then + echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" + echo "Try $PROGNAME --initca to build a root certificate/key." 
+ exit 1 + fi + fi + + # Generate key for PKCS#11 token + PKCS11_ARGS= + if [ $DO_P11 -eq 1 ]; then + stty -echo + echo -n "User PIN: " + read -r PKCS11_PIN + stty echo + export PKCS11_PIN + + echo "Generating key pair on PKCS#11 token..." + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ + --login --pin "$PKCS11_PIN" \ + --key-type rsa:1024 \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 + PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" + fi + + # Build cert/key + ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ + ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ + -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ + ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ + -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ + ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ + ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) + + # Load certificate into PKCS#11 token + if [ $DO_P11 -eq 1 ]; then + $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ + --login --pin "$PKCS11_PIN" \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" + [ -e "$FN.crt.der" ]; rm "$FN.crt.der" + fi + + fi + +# Need definitions +else + need_vars +fi diff --git a/test/verify/revoke-full b/test/verify/revoke-full new file mode 100755 index 0000000..e9c7d02 --- /dev/null +++ b/test/verify/revoke-full 
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+
+CRL="crl.pem"
+RT="revoke-test.pem"
+
+if [ $# -ne 1 ]; then
+ echo "usage: revoke-full ";
+ exit 1
+fi
+
+if [ "$KEY_DIR" ]; then
+ cd "$KEY_DIR"
+ rm -f "$RT"
+
+ # set defaults
+ export KEY_CN=""
+ export KEY_OU=""
+ export KEY_NAME=""
+
+ # required due to hack in openssl.cnf that supports Subject Alternative Names
+ export KEY_ALTNAMES=""
+
+ # revoke key and generate a new CRL
+ $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+
+ # generate a new CRL -- try to be compatible with
+ # intermediate PKIs
+ $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+ if [ -e export-ca.crt ]; then
+ cat export-ca.crt "$CRL" >"$RT"
+ else
+ cat ca.crt "$CRL" >"$RT"
+ fi
+
+ # verify the revocation
+ $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+else
+ echo 'Please source the vars script first (i.e. "source ./vars")'
+ echo 'Make sure you have edited it to reflect your configuration.'
+fi
diff --git a/test/verify/sign-req b/test/verify/sign-req
new file mode 100755
index 0000000..6cae7b4
--- /dev/null
+++ b/test/verify/sign-req
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --sign $*
diff --git a/test/verify/vars b/test/verify/vars
new file mode 100644
index 0000000..c9dcdef
--- /dev/null
+++ b/test/verify/vars
@@ -0,0 +1,80 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid. This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="ZA"
+export KEY_PROVINCE="EC"
+export KEY_CITY="Port Elizabeth"
+export KEY_ORG="SouthPort Mansion"
+export KEY_EMAIL="cyprien.diot@nmmu.ac.za"
+export KEY_OU="PMSIPilot"
+
+# X509 Subject Field
+export KEY_NAME="EasyRSA"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# export KEY_CN="CommonName"
diff --git a/test/verify/whichopensslcnf b/test/verify/whichopensslcnf
new file mode 100755
index 0000000..4c5f3c7
--- /dev/null
+++ b/test/verify/whichopensslcnf
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+cnf="$1/openssl.cnf"
+
+if [ "$OPENSSL" ]; then
+ if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-0.9.6.cnf"
+ elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-0.9.8.cnf"
+ elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
+ cnf="$1/openssl-1.0.0.cnf"
+ else
+ cnf="$1/openssl.cnf"
+ fi
+fi
+
+echo $cnf
+
+if [ ! -r $cnf ]; then
+ echo "**************************************************************" >&2
+ echo " No $cnf file could be found" >&2
+ echo " Further invocations will fail" >&2
+ echo "**************************************************************" >&2
+fi
+
+exit 0
From 1d48144f1cea3e1339e8c23284a617ed1f75530d Mon Sep 17 00:00:00 2001
From: Cyprien DIOT
Date: Fri, 4 Sep 2015 17:33:40 +0200
Subject: [PATCH 2/4] attempt not to check issuer
---
 src/x509.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/x509.cc b/src/x509.cc
index 3819400..db874e7 100644
--- a/src/x509.cc
+++ b/src/x509.cc
@@ -485,12 +485,12 @@ Handle verify_cert(char *inputcert, char *inputcrl) { // check returns X509_STORE_add_crl(store, crl); X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); - X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); + X509_VERIFY_PARAM_clear_flags(param, X509_V_FLAG_CB_ISSUER_CHECK); + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_IGNORE_CRITICAL); X509_STORE_CTX_set0_param(ctx, param); if (X509_verify_cert(ctx) <= 0) { - ERR_error_string_n(ERR_get_error(), error, sizeof(error)); - ThrowException(Exception::Error(String::New(error))); + ThrowException(Exception::Error(String::New(X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx))))); return scope.Close(exports); } X509_VERIFY_PARAM_free(param); From 8612287f06053cdff18fd5735a7f2d528be62309 Mon Sep 17 00:00:00 2001 From: Cyprien DIOT Date: Mon, 7 Sep 2015 15:53:01 +0200 Subject: [PATCH 3/4] better crl parsing --- src/pkcs12.cc | 1 + src/x509.cc | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pkcs12.cc b/src/pkcs12.cc index 5dc81fa..b49d0ed 100644 --- a/src/pkcs12.cc +++ b/src/pkcs12.cc @@ -73,6 +73,7 @@ Handle extract_from_p12(char *data, char* password) { p12 = d2i_PKCS12_fp(fp, NULL); fclose (fp); if (!p12) { + ERR_print_errors_fp(stderr); ThrowException(Exception::TypeError(String::New("Error reading PKCS#12 file\n"))); return scope.Close(Undefined()); } diff --git a/src/x509.cc b/src/x509.cc index db874e7..4e5f9ce 100644 --- a/src/x509.cc +++ b/src/x509.cc @@ -474,7 +474,6 @@ Handle verify_cert(char *inputcert, char *inputcrl) { // bio = BIO_new(BIO_s_mem()); // BIO_puts(bio, inputcrl); crl = PEM_read_bio_X509_CRL(crlbio, NULL, NULL, NULL); - // crl = d2i_X509_CRL_bio(bio, NULL); if (!crl) { ThrowException(Exception::Error(String::New("Cannot parse PEM CRL"))); return scope.Close(exports); From d341861627d0f5c74b621341aa8c9203683eb63b Mon Sep 17 00:00:00 2001 
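Review bot: `X509_V_FLAG_IGNORE_CRITICAL` in the new `X509_VERIFY_PARAM_set_flags` call tells OpenSSL to accept a certificate whose critical extensions it does not understand, which a relying party is required to reject, so the check is weaker than before for any chain carrying an unknown critical extension; if one fixture needs it, make the flag opt-in from the caller rather than hard-coding it. `X509_VERIFY_PARAM_clear_flags(param, X509_V_FLAG_CB_ISSUER_CHECK)` on a param object that `X509_VERIFY_PARAM_new()` has just returned clears a flag that is not set, so the line does nothing and can be dropped. Because `X509_STORE_CTX_set0_param` hands ownership of `param` to `ctx`, the `X509_VERIFY_PARAM_free(param)` kept after the check appears to free it a second time when `ctx` is cleaned up; that explicit free should go. verify_cert starts and ends outside this hunk.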
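Review bot: `ERR_print_errors_fp(stderr)` writes the OpenSSL error queue to the process's stderr and empties it, so the JavaScript caller still only receives the generic "Error reading PKCS#12 file" text while the useful detail lands in a log the caller may never see. Prefer folding the first queued error into the thrown message, e.g. `char buf[256]; ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));` and appending `buf` to the `String::New` argument. extract_from_p12 starts and ends outside this hunk.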
From: Cyprien DIOT Date: Fri, 18 Sep 2015 17:23:03 +0200 Subject: [PATCH 4/4] verifycrl now verify w/ ca, renammed "verify", do not check crl anymore --- include/x509.h | 6 +-- index.js | 2 +- src/addon.cc | 2 +- src/x509.cc | 105 ++++++++++++++++++++++++++++++++----------------- 4 files changed, 75 insertions(+), 40 deletions(-) diff --git a/include/x509.h b/include/x509.h index 155d2ea..0fce255 100644 --- a/include/x509.h +++ b/include/x509.h @@ -29,13 +29,13 @@ using namespace v8; void get_issuer(const FunctionCallbackInfo &args); char* parse_args(const FunctionCallbackInfo &args); void parse_cert(const FunctionCallbackInfo &args); - void verifycrl(const FunctionCallbackInfo &args); + void verify(const FunctionCallbackInfo &args); #else Handle get_altnames(const Arguments &args); Handle get_subject(const Arguments &args); Handle get_issuer(const Arguments &args); Handle parse_cert(const Arguments &args); - Handle verifycrl(const Arguments &args); + Handle verify(const Arguments &args); #endif Handle try_parse(char *data); @@ -44,6 +44,6 @@ Handle parse_serial(ASN1_INTEGER *serial); Handle parse_name(X509_NAME *subject); char* real_name(char *data); Handle extract_from_p12(char *data, char* password); -Handle verify_cert(char *inputcert, char *inputcrl); +Handle verify_cert(char *inputcert, const Handle& calist); #endif diff --git a/index.js b/index.js index fb5c388..45b5c34 100644 --- a/index.js +++ b/index.js @@ -6,7 +6,7 @@ exports.getAltNames = x509.getAltNames; exports.getSubject = x509.getSubject; exports.getIssuer = x509.getIssuer; exports.extractP12 = x509.extractP12; -exports.verifycrl = x509.verifycrl; +exports.verify = x509.verify; exports.parseCert = function(path) { var ret = x509.parseCert(path); diff --git a/src/addon.cc b/src/addon.cc index 48fc3c0..30a4bae 100644 --- a/src/addon.cc +++ b/src/addon.cc 
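Review bot: The new `verify_cert(char *inputcert, const Handle& calist)` prototype does not say what `calist` is expected to hold, and the header is the only place a caller of the native layer will look. From the x509.cc hunk at line 469 it is a JavaScript value that is consulted only when `calist->IsArray()`, each element being a CA certificate given either as PEM text or as a path to a PEM file, and any other value results in no CA being loaded. A one-line comment above the declaration would capture that, e.g. `// calist: JS array of CA certificates, each PEM text or a file path; a non-array loads no CA`.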
@@ -14,7 +14,7 @@ void init(Handle exports) { exports->Set(String::NewSymbol("getIssuer"), FunctionTemplate::New(get_issuer)->GetFunction()); exports->Set(String::NewSymbol("parseCert"), FunctionTemplate::New(parse_cert)->GetFunction()); exports->Set(String::NewSymbol("extractP12"), FunctionTemplate::New(extract_p12)->GetFunction()); - exports->Set(String::NewSymbol("verifycrl"), FunctionTemplate::New(verifycrl)->GetFunction()); + exports->Set(String::NewSymbol("verify"), FunctionTemplate::New(verify)->GetFunction()); } NODE_MODULE(wopenssl, init) diff --git a/src/x509.cc b/src/x509.cc index 4e5f9ce..93f5a8b 100644 --- a/src/x509.cc +++ b/src/x509.cc @@ -67,19 +67,20 @@ void parse_cert(const FunctionCallbackInfo &args) { args.GetReturnValue().Set(exports); } -void verifycrl(const FunctionCallbackInfo &args) { - if (args.Length() < 2) { - ThrowException(Exception::Error(String::New("Must provide a certificate file and a crl."))); +void verify(const FunctionCallbackInfo &args) { + if (args.Length() < 1) { + ThrowException(Exception::Error(String::New("Must provide a certificate file"))); return NULL; } - if (!args[0]->IsString() || !args[1]->IsString()) { - ThrowException(Exception::TypeError(String::New("Certificate and crl must be strings."))); + if (!args[0]->IsString()) { + ThrowException(Exception::TypeError(String::New("Certificate must be strings."))); return NULL; } - Local exports(verify_cert(args[0]->ToString(), args[1]->ToString())->ToObject()); + Handle array(args[1]->ToObject()); + Local exports(verify_cert(args[0]->ToString())); args.GetReturnValue().Set(exports); } 
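Review bot: The new-API `verify` calls `verify_cert(args[0]->ToString())` with a single argument although the prototype in include/x509.h now takes the CA list as a second parameter, and the `array` handle built on the line above is never used, so this branch does not look like it compiles as written; mirror the old-API branch with `Local exports(verify_cert(args[0]->ToString(), array)->ToObject());`. `args[1]->ToObject()` is also evaluated after a length check that only requires one argument, so a call with just a certificate converts `undefined`, which throws. The message `"Certificate must be strings."` should read `"Certificate must be a string."`.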
@@ -133,23 +134,23 @@ Handle parse_cert(const Arguments &args) { } -Handle verifycrl(const Arguments &args) { +Handle verify(const Arguments &args) { HandleScope scope; - if (args.Length() < 2) { - ThrowException(Exception::Error(String::New("Must provide a certificate and a crl"))); + if (args.Length() < 1) { + ThrowException(Exception::Error(String::New("Must provide a certificate"))); return scope.Close(Undefined()); } - if (!args[0]->IsString() || !args[1]->IsString()) { - ThrowException(Exception::TypeError(String::New("Certificate and crl must be a strings."))); + if (!args[0]->IsString()) { + ThrowException(Exception::TypeError(String::New("Certificate must be a strings."))); return scope.Close(Undefined()); } String::Utf8Value cert(args[0]); - String::Utf8Value crl(args[1]); - return scope.Close(verify_cert(*cert, *crl)); + Handle ca(args[1]->ToObject()); + return scope.Close(verify_cert(*cert, ca)); } @@ -419,14 +420,13 @@ char* real_name(char *data) { } -Handle verify_cert(char *inputcert, char *inputcrl) { +Handle verify_cert(char *inputcert, const Handle& calist) { HandleScope scope; Handle exports(Object::New()); X509_STORE_CTX *ctx; X509_STORE *store; X509 *cert; STACK_OF(X509) *chain = NULL; - X509_CRL *crl; char error[128]; store = X509_STORE_new(); 
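Review bot: `Handle ca(args[1]->ToObject())` runs even when the caller passed only a certificate, since the length check above now requires just one argument; in this V8 API converting `undefined` with `ToObject()` leaves a pending TypeError and an empty handle, which `verify_cert` then dereferences in `calist->IsArray()`. Since `verify_cert` only ever asks the value whether it `IsArray()`, pass it through untouched and guard the count, e.g. `Handle<Value> ca = args.Length() > 1 ? args[1] : Handle<Value>(Undefined());`, or reject a non-array second argument with a TypeError up front. The message `"Certificate must be a strings."` should read `"Certificate must be a string."`.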
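Review bot: `verify_cert` keeps a single `X509 *cert` for the input certificate, but the loop that the hunk at line 469 adds assigns every certificate from `calist` to that same variable, so by the time `X509_STORE_CTX_init(ctx, store, cert, chain)` runs the certificate being verified is the last CA from the list rather than `inputcert`, and the leaf parsed earlier is never freed. Declare a separate `X509 *ca = NULL;` here and use it in the loop, keeping `cert` for the input. The CA certificates would then also belong in the store as trust anchors (`X509_STORE_add_cert(store, ca)`) rather than only in `chain`, which `X509_STORE_CTX_init` treats as untrusted intermediates. `char error[128]` looks unused now that patch 2 replaced `ERR_error_string_n` with `X509_verify_cert_error_string`. verify_cert's body continues outside the hunk.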
@@ -469,32 +469,67 @@ Handle verify_cert(char *inputcert, char *inputcrl) { return scope.Close(exports); } } - BIO *crlbio = BIO_new(BIO_s_file()); - BIO_read_filename(crlbio, inputcrl); - // bio = BIO_new(BIO_s_mem()); - // BIO_puts(bio, inputcrl); - crl = PEM_read_bio_X509_CRL(crlbio, NULL, NULL, NULL); - if (!crl) { - ThrowException(Exception::Error(String::New("Cannot parse PEM CRL"))); - return scope.Close(exports); - } - + BIO_free(bio); + + + + + if (calist->IsArray()) + { + chain = sk_X509_new_null(); + Array *carray = Array::Cast(*calist); + for (int i = 0; i < carray->Length(); i++) + { + String::Utf8Value certstring(carray->Get(i)); + bio = BIO_new(BIO_s_mem()); + result = BIO_puts(bio, *certstring); + + if (result == -2) { + ThrowException(Exception::Error(String::New("BIO doesn't support BIO_puts."))); + return scope.Close(exports); + } + else if (result <= 0) { + ThrowException(Exception::Error(String::New("No data was written to BIO."))); + return scope.Close(exports); + } + + // Try raw read + cert = PEM_read_bio_X509(bio, NULL, 0, NULL); + + if (cert == NULL) { + // Switch to file BIO + bio = BIO_new(BIO_s_file()); + + // If raw read fails, try reading the input as a filename. + if (!BIO_read_filename(bio, *certstring)) { + ThrowException(Exception::Error(String::New("File doesn't exist."))); + return scope.Close(exports); + } + + // Try reading the bio again with the file in it. 
+ cert = PEM_read_bio_X509(bio, NULL, 0, NULL); + + if (cert == NULL) { + ThrowException(Exception::Error(String::New("Unable to parse CA certificate."))); + return scope.Close(exports); + } + } + sk_X509_push(chain, cert); + BIO_free(bio); + + } + } + + X509_STORE_add_cert(store, cert); - X509_STORE_CTX_init(ctx, store, cert, NULL); - // check returns - X509_STORE_add_crl(store, crl); - X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); - X509_VERIFY_PARAM_clear_flags(param, X509_V_FLAG_CB_ISSUER_CHECK); - X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_IGNORE_CRITICAL); - X509_STORE_CTX_set0_param(ctx, param); + X509_STORE_CTX_init(ctx, store, cert, chain); if (X509_verify_cert(ctx) <= 0) { ThrowException(Exception::Error(String::New(X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx))))); return scope.Close(exports); } - X509_VERIFY_PARAM_free(param); - BIO_free(bio); - BIO_free(crlbio); + + X509_free(cert); X509_STORE_CTX_free(ctx);