diff options
38 files changed, 870 insertions, 67 deletions
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index c81c725ea1..4c5281a718 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -117,13 +117,9 @@ int X509_check_trust(X509 *x, int id, int flags) int idx; /* We get this as a default value */ - if (id == 0) { - int rv; - rv = obj_trust(NID_anyExtendedKeyUsage, x, 0); - if (rv != X509_TRUST_UNTRUSTED) - return rv; - return trust_compat(NULL, x, 0); - } + if (id == X509_TRUST_DEFAULT) + return obj_trust(NID_anyExtendedKeyUsage, x, + flags | X509_TRUST_DO_SS_COMPAT); idx = X509_TRUST_get_by_id(id); if (idx == -1) return default_trust(id, x, flags); @@ -265,20 +261,25 @@ int X509_TRUST_get_trust(X509_TRUST *xp) static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) { - if (x->aux && (x->aux->trust || x->aux->reject)) - return obj_trust(trust->arg1, x, flags); /* - * we don't have any trust settings: for compatibility we return trusted - * if it is self signed + * Declare the chain verified if the desired trust OID is not rejected in + * any auxiliary trust info for this certificate, and the OID is either + * expressly trusted, or else either "anyEKU" is trusted, or the + * certificate is self-signed. */ - return trust_compat(trust, x, flags); + flags |= X509_TRUST_DO_SS_COMPAT | X509_TRUST_OK_ANY_EKU; + return obj_trust(trust->arg1, x, flags); } static int trust_1oid(X509_TRUST *trust, X509 *x, int flags) { - if (x->aux && (x->aux->trust || x->aux->reject)) - return obj_trust(trust->arg1, x, flags); - return X509_TRUST_UNTRUSTED; + /* + * Declare the chain verified only if the desired trust OID is not + * rejected and is expressly trusted. Neither "anyEKU" nor "compat" + * trust in self-signed certificates apply. + */ + flags &= ~(X509_TRUST_DO_SS_COMPAT | X509_TRUST_OK_ANY_EKU); + return obj_trust(trust->arg1, x, flags); } static int trust_compat(X509_TRUST *trust, X509 *x, int flags) @@ -296,23 +297,24 @@ static int obj_trust(int id, X509 *x, int flags) X509_CERT_AUX *ax = x->aux; int i; - if (!ax) - return X509_TRUST_UNTRUSTED; - if (ax->reject) { + if (ax && ax->reject) { for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->reject, i); int nid = OBJ_obj2nid(obj); - if (nid == id || nid == NID_anyExtendedKeyUsage) + if (nid == id || (nid == NID_anyExtendedKeyUsage && + (flags & X509_TRUST_OK_ANY_EKU))) return X509_TRUST_REJECTED; } } - if (ax->trust) { + + if (ax && ax->trust) { for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i); int nid = OBJ_obj2nid(obj); - if (nid == id || nid == NID_anyExtendedKeyUsage) + if (nid == id || (nid == NID_anyExtendedKeyUsage && + (flags & X509_TRUST_OK_ANY_EKU))) return X509_TRUST_TRUSTED; } /* @@ -331,5 +333,12 @@ static int obj_trust(int id, X509 *x, int flags) */ return X509_TRUST_REJECTED; } - return X509_TRUST_UNTRUSTED; + + if ((flags & X509_TRUST_DO_SS_COMPAT) == 0) + return X509_TRUST_UNTRUSTED; + + /* + * Not rejected, and there is no list of accepted uses, try compat. + */ + return trust_compat(NULL, x, flags); } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 14d6a8d74e..1f3b2b9dab 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -369,12 +369,11 @@ static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm) static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, int must_be_ca) { - int pu_ok = X509_check_purpose(x, purpose, must_be_ca > 0); int tr_ok = X509_TRUST_UNTRUSTED; /* * For trusted certificates we want to see whether any auxiliary trust - * settings override the purpose constraints we failed to meet above. + * settings trump the purpose constraints. * * This is complicated by the fact that the trust ordinals in * ctx->param->trust are entirely independent of the purpose ordinals in @@ -388,15 +387,28 @@ static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, * * Therefore, we can only check for trust overrides when the purpose we're * checking is the same as ctx->param->purpose and ctx->param->trust is - * also set, or can be inferred from the purpose. + * also set. */ if (depth >= ctx->num_untrusted && purpose == ctx->param->purpose) tr_ok = X509_check_trust(x, ctx->param->trust, X509_TRUST_NO_SS_COMPAT); - if (tr_ok != X509_TRUST_REJECTED && - (pu_ok == 1 || - (pu_ok != 0 && (ctx->param->flags & X509_V_FLAG_X509_STRICT) == 0))) + switch (tr_ok) { + case X509_TRUST_TRUSTED: return 1; + case X509_TRUST_REJECTED: + break; + default: + switch (X509_check_purpose(x, purpose, must_be_ca > 0)) { + case 1: + return 1; + case 0: + break; + default: + if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) == 0) + return 1; + } + break; + } ctx->error = X509_V_ERR_INVALID_PURPOSE; ctx->error_depth = depth; @@ -493,7 +505,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (ret == 0) { ctx->error_depth = i; ctx->current_cert = x; - if (! ctx->verify_cb(0, ctx)) + if (!ctx->verify_cb(0, ctx)) return 0; } if (purpose > 0) { diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 3a1c5e2f56..06fc99ef30 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -201,7 +201,12 @@ DEFINE_STACK_OF(X509_TRUST) /* trust_flags values */ # define X509_TRUST_DYNAMIC (1U << 0) # define X509_TRUST_DYNAMIC_NAME (1U << 1) +/* No compat trust if self-signed, preempts "DO_SS" */ # define X509_TRUST_NO_SS_COMPAT (1U << 2) +/* Compat trust if no explicit accepted trust EKUs */ +# define X509_TRUST_DO_SS_COMPAT (1U << 3) +/* Accept "anyEKU" as a wildcard trust OID */ +# define X509_TRUST_OK_ANY_EKU (1U << 4) /* check_trust return codes */ diff --git a/test/certs/ca+anyEKU.pem b/test/certs/ca+anyEKU.pem new file mode 100644 index 0000000000..36ed837cf4 --- /dev/null +++ b/test/certs/ca+anyEKU.pem @@ -0,0 +1,18 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk +IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6 +AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi +8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6 +uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR +5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4wCDAGBgRVHSUA +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/ca-anyEKU.pem b/test/certs/ca-anyEKU.pem new file mode 100644 index 0000000000..241d7b4986 --- /dev/null +++ b/test/certs/ca-anyEKU.pem @@ -0,0 +1,18 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk +IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6 +AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi +8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6 +uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR +5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4wCKAGBgRVHSUA +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/ca-clientAuth.pem b/test/certs/ca-clientAuth.pem new file mode 100644 index 0000000000..838c70ee32 --- /dev/null +++ b/test/certs/ca-clientAuth.pem @@ -0,0 +1,18 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk +IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6 +AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi +8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6 +uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR +5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4wDKAKBggrBgEFBQcDAg== +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/cca+anyEKU.pem b/test/certs/cca+anyEKU.pem new file mode 100644 index 0000000000..46ee9fae6d --- /dev/null +++ b/test/certs/cca+anyEKU.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w +P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB +Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw +gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M +dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe +O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab +ap/RSXgwCDAGBgRVHSUA +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/cca+clientAuth.pem b/test/certs/cca+clientAuth.pem new file mode 100644 index 0000000000..0b857eece4 --- /dev/null +++ b/test/certs/cca+clientAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w +P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB +Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw +gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M +dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe +O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab +ap/RSXgwDDAKBggrBgEFBQcDAg== +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/cca+serverAuth.pem b/test/certs/cca+serverAuth.pem new file mode 100644 index 0000000000..38a0bdb835 --- /dev/null +++ b/test/certs/cca+serverAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w +P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB +Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw +gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M +dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe +O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab +ap/RSXgwDDAKBggrBgEFBQcDAQ== +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/cca-anyEKU.pem b/test/certs/cca-anyEKU.pem new file mode 100644 index 0000000000..cb3e70894e --- /dev/null +++ b/test/certs/cca-anyEKU.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w +P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB +Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw +gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M +dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe +O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab +ap/RSXgwCKAGBgRVHSUA +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/cca-cert.pem b/test/certs/cca-cert.pem new file mode 100644 index 0000000000..6bccc4cce4 --- /dev/null +++ b/test/certs/cca-cert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w +P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB +Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw +gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M +dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe +O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab +ap/RSXg= +-----END CERTIFICATE----- diff --git a/test/certs/cca-clientAuth.pem b/test/certs/cca-clientAuth.pem new file mode 100644 index 0000000000..0b857eece4 --- /dev/null +++ b/test/certs/cca-clientAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w +P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB +Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw +gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M +dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe +O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab +ap/RSXgwDDAKBggrBgEFBQcDAg== +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/cca-serverAuth.pem b/test/certs/cca-serverAuth.pem new file mode 100644 index 0000000000..46cbce05ae --- /dev/null +++ b/test/certs/cca-serverAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w +P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB +Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw +gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M +dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe +O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab +ap/RSXgwDKAKBggrBgEFBQcDAQ== +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/croot+anyEKU.pem b/test/certs/croot+anyEKU.pem new file mode 100644 index 0000000000..88ce120df0 --- /dev/null +++ b/test/certs/croot+anyEKU.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAi/mR+SIa +bs1egGRRSAzqu4KkrOG1vGVQNj0XfHn1WeAdmwEAjNi+llErpkMyY08Cjb/3fiQc +6H9CA36utf/Ym84OQOY64m4C1Kikxw8EHudoPNvSWQAFEpCk5gs6rCJEnj9QolL3 +32IvZQ1m+GcrjGg976PccEaM7S362kTj+kcAswmS8iJmDAJ2b+ghHTFrFQS4GAw7 +XOcqQbinx9ntGn135VsJLOXKveYvQSD7sHKCd4RFrFTSEwWmtBL96vRXmTV5wTAr +tpkKKKw5N9CiHnbhNyVrSRiLCzVDTpYQDaBJhb7XOsHi+/HOzmbK6LHe0Lt1nP+k +4PR8O0S5WC0PlzAIMAYGBFUdJQA= +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/croot+clientAuth.pem b/test/certs/croot+clientAuth.pem new file mode 100644 index 0000000000..aa45a06ba1 --- /dev/null +++ b/test/certs/croot+clientAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAi/mR+SIa +bs1egGRRSAzqu4KkrOG1vGVQNj0XfHn1WeAdmwEAjNi+llErpkMyY08Cjb/3fiQc +6H9CA36utf/Ym84OQOY64m4C1Kikxw8EHudoPNvSWQAFEpCk5gs6rCJEnj9QolL3 +32IvZQ1m+GcrjGg976PccEaM7S362kTj+kcAswmS8iJmDAJ2b+ghHTFrFQS4GAw7 +XOcqQbinx9ntGn135VsJLOXKveYvQSD7sHKCd4RFrFTSEwWmtBL96vRXmTV5wTAr +tpkKKKw5N9CiHnbhNyVrSRiLCzVDTpYQDaBJhb7XOsHi+/HOzmbK6LHe0Lt1nP+k +4PR8O0S5WC0PlzAMMAoGCCsGAQUFBwMC +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/croot+serverAuth.pem b/test/certs/croot+serverAuth.pem new file mode 100644 index 0000000000..35647691e2 --- /dev/null +++ b/test/certs/croot+serverAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAi/mR+SIa +bs1egGRRSAzqu4KkrOG1vGVQNj0XfHn1WeAdmwEAjNi+llErpkMyY08Cjb/3fiQc +6H9CA36utf/Ym84OQOY64m4C1Kikxw8EHudoPNvSWQAFEpCk5gs6rCJEnj9QolL3 +32IvZQ1m+GcrjGg976PccEaM7S362kTj+kcAswmS8iJmDAJ2b+ghHTFrFQS4GAw7 +XOcqQbinx9ntGn135VsJLOXKveYvQSD7sHKCd4RFrFTSEwWmtBL96vRXmTV5wTAr +tpkKKKw5N9CiHnbhNyVrSRiLCzVDTpYQDaBJhb7XOsHi+/HOzmbK6LHe0Lt1nP+k +4PR8O0S5WC0PlzAMMAoGCCsGAQUFBwMB +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/croot-anyEKU.pem b/test/certs/croot-anyEKU.pem new file mode 100644 index 0000000000..50fffbfee5 --- /dev/null +++ b/test/certs/croot-anyEKU.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAi/mR+SIa +bs1egGRRSAzqu4KkrOG1vGVQNj0XfHn1WeAdmwEAjNi+llErpkMyY08Cjb/3fiQc +6H9CA36utf/Ym84OQOY64m4C1Kikxw8EHudoPNvSWQAFEpCk5gs6rCJEnj9QolL3 +32IvZQ1m+GcrjGg976PccEaM7S362kTj+kcAswmS8iJmDAJ2b+ghHTFrFQS4GAw7 +XOcqQbinx9ntGn135VsJLOXKveYvQSD7sHKCd4RFrFTSEwWmtBL96vRXmTV5wTAr +tpkKKKw5N9CiHnbhNyVrSRiLCzVDTpYQDaBJhb7XOsHi+/HOzmbK6LHe0Lt1nP+k +4PR8O0S5WC0PlzAIoAYGBFUdJQA= +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/croot-cert.pem b/test/certs/croot-cert.pem new file mode 100644 index 0000000000..f3459f4c90 --- /dev/null +++ b/test/certs/croot-cert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAi/mR+SIa +bs1egGRRSAzqu4KkrOG1vGVQNj0XfHn1WeAdmwEAjNi+llErpkMyY08Cjb/3fiQc +6H9CA36utf/Ym84OQOY64m4C1Kikxw8EHudoPNvSWQAFEpCk5gs6rCJEnj9QolL3 +32IvZQ1m+GcrjGg976PccEaM7S362kTj+kcAswmS8iJmDAJ2b+ghHTFrFQS4GAw7 +XOcqQbinx9ntGn135VsJLOXKveYvQSD7sHKCd4RFrFTSEwWmtBL96vRXmTV5wTAr +tpkKKKw5N9CiHnbhNyVrSRiLCzVDTpYQDaBJhb7XOsHi+/HOzmbK6LHe0Lt1nP+k +4PR8O0S5WC0Plw== +-----END CERTIFICATE----- diff --git a/test/certs/croot-clientAuth.pem b/test/certs/croot-clientAuth.pem new file mode 100644 index 0000000000..78456413e8 --- /dev/null +++ b/test/certs/croot-clientAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAi/mR+SIa +bs1egGRRSAzqu4KkrOG1vGVQNj0XfHn1WeAdmwEAjNi+llErpkMyY08Cjb/3fiQc +6H9CA36utf/Ym84OQOY64m4C1Kikxw8EHudoPNvSWQAFEpCk5gs6rCJEnj9QolL3 +32IvZQ1m+GcrjGg976PccEaM7S362kTj+kcAswmS8iJmDAJ2b+ghHTFrFQS4GAw7 +XOcqQbinx9ntGn135VsJLOXKveYvQSD7sHKCd4RFrFTSEwWmtBL96vRXmTV5wTAr +tpkKKKw5N9CiHnbhNyVrSRiLCzVDTpYQDaBJhb7XOsHi+/HOzmbK6LHe0Lt1nP+k +4PR8O0S5WC0PlzAMoAoGCCsGAQUFBwMC +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/croot-serverAuth.pem b/test/certs/croot-serverAuth.pem new file mode 100644 index 0000000000..7e4ffa7d69 --- /dev/null +++ b/test/certs/croot-serverAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAi/mR+SIa +bs1egGRRSAzqu4KkrOG1vGVQNj0XfHn1WeAdmwEAjNi+llErpkMyY08Cjb/3fiQc +6H9CA36utf/Ym84OQOY64m4C1Kikxw8EHudoPNvSWQAFEpCk5gs6rCJEnj9QolL3 +32IvZQ1m+GcrjGg976PccEaM7S362kTj+kcAswmS8iJmDAJ2b+ghHTFrFQS4GAw7 +XOcqQbinx9ntGn135VsJLOXKveYvQSD7sHKCd4RFrFTSEwWmtBL96vRXmTV5wTAr +tpkKKKw5N9CiHnbhNyVrSRiLCzVDTpYQDaBJhb7XOsHi+/HOzmbK6LHe0Lt1nP+k +4PR8O0S5WC0PlzAMoAoGCCsGAQUFBwMB +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index 5116daaf79..d5870c7d20 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -85,6 +85,10 @@ genroot() { local akid="authorityKeyIdentifier = keyid" exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true") + for eku in "$@" + do + exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") + done csr=$(req "$key" "$cn") || return 1 echo "$csr" | cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}" @@ -100,10 +104,14 @@ genca() { local akid="authorityKeyIdentifier = keyid" exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true") + for eku in "$@" + do + exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") + done csr=$(req "$key" "$cn") || return 1 echo "$csr" | cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ - -set_serial 2 -days "${DAYS}" "$@" + -set_serial 2 -days "${DAYS}" } genee() { diff --git a/test/certs/root-clientAuth.pem b/test/certs/root-clientAuth.pem new file mode 100644 index 0000000000..8d82866a4b --- /dev/null +++ b/test/certs/root-clientAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo1AwTjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEAyRRJx27WYOogPXZpPfAMt8ptapr/ugLWGLlw +bzKySoyLpoV2/YNAvTAGB90iFq6x/ujjrK41/ES0p3v38/Qfuxo24gcZgc/oYLV2 +UqR+uGCx68p2OWLYctBsARtYWOEgPhHFb9aVxcOQKyZHtivDX0wLGX+nqZoHX9IY +mc0sbpRBRMzxRsChbzD5re9kZ5NrgkjA6DJ7jYh2GitOM6oIU3Dd9+pk3bCEkFUg +Ry9qN/k+AyeqH1Qcb5LU+MTmlw8bmyzmMOBZgdegtO4HshcBMO054KSB3WSfBPDO +bEhZ0vm/lw63TGi88yIMtlkmcU2g0RKpeQI96G6QeqHyKF3p8DAMoAoGCCsGAQUF +BwMC +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sca+anyEKU.pem b/test/certs/sca+anyEKU.pem new file mode 100644 index 0000000000..459a4dc5fb --- /dev/null +++ b/test/certs/sca+anyEKU.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R +rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G +knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I +rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl +ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 +SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj +LGCBSw0wCDAGBgRVHSUA +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sca+clientAuth.pem b/test/certs/sca+clientAuth.pem new file mode 100644 index 0000000000..3807805f7f --- /dev/null +++ b/test/certs/sca+clientAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R +rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G +knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I +rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl +ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 +SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj +LGCBSw0wDDAKBggrBgEFBQcDAg== +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sca+serverAuth.pem b/test/certs/sca+serverAuth.pem new file mode 100644 index 0000000000..952d288f66 --- /dev/null +++ b/test/certs/sca+serverAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R +rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G +knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I +rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl +ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 +SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj +LGCBSw0wDDAKBggrBgEFBQcDAQ== +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sca-anyEKU.pem b/test/certs/sca-anyEKU.pem new file mode 100644 index 0000000000..a43c0211d6 --- /dev/null +++ b/test/certs/sca-anyEKU.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R +rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G +knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I +rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl +ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 +SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj +LGCBSw0wCKAGBgRVHSUA +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sca-cert.pem b/test/certs/sca-cert.pem new file mode 100644 index 0000000000..6b800b6303 --- /dev/null +++ b/test/certs/sca-cert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R +rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G +knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I +rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl +ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 +SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj +LGCBSw0= +-----END CERTIFICATE----- diff --git a/test/certs/sca-clientAuth.pem b/test/certs/sca-clientAuth.pem new file mode 100644 index 0000000000..62a98ff345 --- /dev/null +++ b/test/certs/sca-clientAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R +rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G +knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I +rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl +ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 +SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj +LGCBSw0wDKAKBggrBgEFBQcDAg== +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sca-serverAuth.pem b/test/certs/sca-serverAuth.pem new file mode 100644 index 0000000000..062087439b --- /dev/null +++ b/test/certs/sca-serverAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD +VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R +rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G +knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I +rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl +ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 +SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj +LGCBSw0wDKAKBggrBgEFBQcDAQ== +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 795ff4aa0f..7de6a0e769 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -1,8 +1,8 @@ #! /bin/sh # Primary root: root-cert -# root certs variants: CA:false, key2, DN2 -# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU +# root cert variants: CA:false, key2, DN2 +# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU # ./mkcert.sh genroot "Root CA" root-key root-cert ./mkcert.sh genss "Root CA" root-key root-nonca @@ -16,6 +16,8 @@ openssl x509 -in root-cert.pem -trustout \ openssl x509 -in root-cert.pem -trustout \ -addtrust clientAuth -out root+clientAuth.pem openssl x509 -in root-cert.pem -trustout \ + -addreject clientAuth -out root-clientAuth.pem +openssl x509 -in root-cert.pem -trustout \ -addreject anyExtendedKeyUsage -out root-anyEKU.pem openssl x509 -in root-cert.pem -trustout \ -addtrust anyExtendedKeyUsage -out root+anyEKU.pem @@ -26,9 +28,45 @@ openssl x509 -in root-cert2.pem -trustout \ openssl x509 -in root-cert2.pem -trustout \ -addtrust clientAuth -out root2+clientAuth.pem +# primary client-EKU root: croot-cert +# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU +# +./mkcert.sh genroot "Root CA" root-key croot-cert clientAuth +# +openssl x509 -in croot-cert.pem -trustout \ + -addtrust serverAuth -out croot+serverAuth.pem +openssl x509 -in croot-cert.pem -trustout \ + -addreject serverAuth -out croot-serverAuth.pem +openssl x509 -in croot-cert.pem -trustout \ + -addtrust clientAuth -out croot+clientAuth.pem +openssl x509 -in croot-cert.pem -trustout \ + -addreject clientAuth -out croot-clientAuth.pem +openssl x509 -in croot-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out croot-anyEKU.pem +openssl x509 -in croot-cert.pem -trustout \ + -addtrust anyExtendedKeyUsage -out croot+anyEKU.pem + +# primary server-EKU root: sroot-cert +# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU +# +./mkcert.sh genroot "Root CA" root-key sroot-cert serverAuth +# +openssl x509 -in sroot-cert.pem -trustout \ + -addtrust serverAuth -out sroot+serverAuth.pem +openssl x509 -in sroot-cert.pem -trustout \ + -addreject serverAuth -out sroot-serverAuth.pem +openssl x509 -in sroot-cert.pem -trustout \ + -addtrust clientAuth -out sroot+clientAuth.pem +openssl x509 -in sroot-cert.pem -trustout \ + -addreject clientAuth -out sroot-clientAuth.pem +openssl x509 -in sroot-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out sroot-anyEKU.pem +openssl x509 -in sroot-cert.pem -trustout \ + -addtrust anyExtendedKeyUsage -out sroot+anyEKU.pem + # Primary intermediate ca: ca-cert # ca variants: CA:false, key2, DN2, issuer2, expired -# trust variants: +serverAuth, -serverAuth, +clientAuth +# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU # ./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert ./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert @@ -43,6 +81,48 @@ openssl x509 -in ca-cert.pem -trustout \ -addreject serverAuth -out ca-serverAuth.pem openssl x509 -in ca-cert.pem -trustout \ -addtrust clientAuth -out ca+clientAuth.pem +openssl x509 -in ca-cert.pem -trustout \ + -addreject clientAuth -out ca-clientAuth.pem +openssl x509 -in ca-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out ca-anyEKU.pem +openssl x509 -in ca-cert.pem -trustout \ + -addtrust anyExtendedKeyUsage -out ca+anyEKU.pem + +# client intermediate ca: cca-cert +# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth +# +./mkcert.sh genca "CA" ca-key cca-cert root-key root-cert clientAuth +# +openssl x509 -in cca-cert.pem -trustout \ + -addtrust serverAuth -out cca+serverAuth.pem +openssl x509 -in cca-cert.pem -trustout \ + -addreject serverAuth -out cca-serverAuth.pem +openssl x509 -in cca-cert.pem -trustout \ + -addtrust clientAuth -out cca+clientAuth.pem +openssl x509 -in cca-cert.pem -trustout \ + -addtrust clientAuth -out cca-clientAuth.pem +openssl x509 -in cca-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out cca-anyEKU.pem +openssl x509 -in cca-cert.pem -trustout \ + -addtrust anyExtendedKeyUsage -out cca+anyEKU.pem + +# server intermediate ca: sca-cert +# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU +# +./mkcert.sh genca "CA" ca-key sca-cert root-key root-cert serverAuth +# +openssl x509 -in sca-cert.pem -trustout \ + -addtrust serverAuth -out sca+serverAuth.pem +openssl x509 -in sca-cert.pem -trustout \ + -addreject serverAuth -out sca-serverAuth.pem +openssl x509 -in sca-cert.pem -trustout \ + -addtrust clientAuth -out sca+clientAuth.pem +openssl x509 -in sca-cert.pem -trustout \ + -addreject clientAuth -out sca-clientAuth.pem +openssl x509 -in sca-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out sca-anyEKU.pem +openssl x509 -in sca-cert.pem -trustout \ + -addtrust anyExtendedKeyUsage -out sca+anyEKU.pem # Primary leaf cert: ee-cert # ee variants: expired, issuer-key2, issuer-name2 diff --git a/test/certs/sroot+anyEKU.pem b/test/certs/sroot+anyEKU.pem new file mode 100644 index 0000000000..9beefa9b0f --- /dev/null +++ b/test/certs/sroot+anyEKU.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAknUQhKHR +lI3BOPTuD+DMabjdfZ6Sb5ICpIOcvYFnlZV0lkyK3TuOw+iSlUUzHT3MlMos1w2a +mYPb1BpACTpB1vOcRZPaoSZqiOJrKzes+oUZG7R75lz+TK4Y1lQlWObsnUlFUDzr +c3P3mbCALr9RPee+Mqd10E/57jjIF0sb3Cq74l7MEzD/3JWKhxEtTmChG+Q29bzW +foaDqVaePdyk4M+TMQMioGqXYqu/4bzCnZyls1J5FfwBCtPGJ1/3wxLwk+Pavu9w +TSagWsC90QGRYH0EauS1KqlJ6dR6Tyf6G5HHmDPufzHT0ouL5Db6C59XSMWud6RG +E3ODKNXOOP3jsDAIMAYGBFUdJQA= +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sroot+clientAuth.pem b/test/certs/sroot+clientAuth.pem new file mode 100644 index 0000000000..939e3e85e0 --- /dev/null +++ b/test/certs/sroot+clientAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAknUQhKHR +lI3BOPTuD+DMabjdfZ6Sb5ICpIOcvYFnlZV0lkyK3TuOw+iSlUUzHT3MlMos1w2a +mYPb1BpACTpB1vOcRZPaoSZqiOJrKzes+oUZG7R75lz+TK4Y1lQlWObsnUlFUDzr +c3P3mbCALr9RPee+Mqd10E/57jjIF0sb3Cq74l7MEzD/3JWKhxEtTmChG+Q29bzW +foaDqVaePdyk4M+TMQMioGqXYqu/4bzCnZyls1J5FfwBCtPGJ1/3wxLwk+Pavu9w +TSagWsC90QGRYH0EauS1KqlJ6dR6Tyf6G5HHmDPufzHT0ouL5Db6C59XSMWud6RG +E3ODKNXOOP3jsDAMMAoGCCsGAQUFBwMC +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sroot+serverAuth.pem b/test/certs/sroot+serverAuth.pem new file mode 100644 index 0000000000..447d2e3a2e --- /dev/null +++ b/test/certs/sroot+serverAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAknUQhKHR +lI3BOPTuD+DMabjdfZ6Sb5ICpIOcvYFnlZV0lkyK3TuOw+iSlUUzHT3MlMos1w2a +mYPb1BpACTpB1vOcRZPaoSZqiOJrKzes+oUZG7R75lz+TK4Y1lQlWObsnUlFUDzr +c3P3mbCALr9RPee+Mqd10E/57jjIF0sb3Cq74l7MEzD/3JWKhxEtTmChG+Q29bzW +foaDqVaePdyk4M+TMQMioGqXYqu/4bzCnZyls1J5FfwBCtPGJ1/3wxLwk+Pavu9w +TSagWsC90QGRYH0EauS1KqlJ6dR6Tyf6G5HHmDPufzHT0ouL5Db6C59XSMWud6RG +E3ODKNXOOP3jsDAMMAoGCCsGAQUFBwMB +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sroot-anyEKU.pem b/test/certs/sroot-anyEKU.pem new file mode 100644 index 0000000000..7f1766a363 --- /dev/null +++ b/test/certs/sroot-anyEKU.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAknUQhKHR +lI3BOPTuD+DMabjdfZ6Sb5ICpIOcvYFnlZV0lkyK3TuOw+iSlUUzHT3MlMos1w2a +mYPb1BpACTpB1vOcRZPaoSZqiOJrKzes+oUZG7R75lz+TK4Y1lQlWObsnUlFUDzr +c3P3mbCALr9RPee+Mqd10E/57jjIF0sb3Cq74l7MEzD/3JWKhxEtTmChG+Q29bzW +foaDqVaePdyk4M+TMQMioGqXYqu/4bzCnZyls1J5FfwBCtPGJ1/3wxLwk+Pavu9w +TSagWsC90QGRYH0EauS1KqlJ6dR6Tyf6G5HHmDPufzHT0ouL5Db6C59XSMWud6RG +E3ODKNXOOP3jsDAIoAYGBFUdJQA= +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sroot-cert.pem b/test/certs/sroot-cert.pem new file mode 100644 index 0000000000..55508d9941 --- /dev/null +++ b/test/certs/sroot-cert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAknUQhKHR +lI3BOPTuD+DMabjdfZ6Sb5ICpIOcvYFnlZV0lkyK3TuOw+iSlUUzHT3MlMos1w2a +mYPb1BpACTpB1vOcRZPaoSZqiOJrKzes+oUZG7R75lz+TK4Y1lQlWObsnUlFUDzr +c3P3mbCALr9RPee+Mqd10E/57jjIF0sb3Cq74l7MEzD/3JWKhxEtTmChG+Q29bzW +foaDqVaePdyk4M+TMQMioGqXYqu/4bzCnZyls1J5FfwBCtPGJ1/3wxLwk+Pavu9w +TSagWsC90QGRYH0EauS1KqlJ6dR6Tyf6G5HHmDPufzHT0ouL5Db6C59XSMWud6RG +E3ODKNXOOP3jsA== +-----END CERTIFICATE----- diff --git a/test/certs/sroot-clientAuth.pem b/test/certs/sroot-clientAuth.pem new file mode 100644 index 0000000000..e91f1d2d60 --- /dev/null +++ b/test/certs/sroot-clientAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAknUQhKHR +lI3BOPTuD+DMabjdfZ6Sb5ICpIOcvYFnlZV0lkyK3TuOw+iSlUUzHT3MlMos1w2a +mYPb1BpACTpB1vOcRZPaoSZqiOJrKzes+oUZG7R75lz+TK4Y1lQlWObsnUlFUDzr +c3P3mbCALr9RPee+Mqd10E/57jjIF0sb3Cq74l7MEzD/3JWKhxEtTmChG+Q29bzW +foaDqVaePdyk4M+TMQMioGqXYqu/4bzCnZyls1J5FfwBCtPGJ1/3wxLwk+Pavu9w +TSagWsC90QGRYH0EauS1KqlJ6dR6Tyf6G5HHmDPufzHT0ouL5Db6C59XSMWud6RG +E3ODKNXOOP3jsDAMoAoGCCsGAQUFBwMC +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sroot-serverAuth.pem b/test/certs/sroot-serverAuth.pem new file mode 100644 index 0000000000..2fd78ccfb8 --- /dev/null +++ b/test/certs/sroot-serverAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAknUQhKHR +lI3BOPTuD+DMabjdfZ6Sb5ICpIOcvYFnlZV0lkyK3TuOw+iSlUUzHT3MlMos1w2a +mYPb1BpACTpB1vOcRZPaoSZqiOJrKzes+oUZG7R75lz+TK4Y1lQlWObsnUlFUDzr +c3P3mbCALr9RPee+Mqd10E/57jjIF0sb3Cq74l7MEzD/3JWKhxEtTmChG+Q29bzW +foaDqVaePdyk4M+TMQMioGqXYqu/4bzCnZyls1J5FfwBCtPGJ1/3wxLwk+Pavu9w +TSagWsC90QGRYH0EauS1KqlJ6dR6Tyf6G5HHmDPufzHT0ouL5Db6C59XSMWud6RG +E3ODKNXOOP3jsDAMoAoGCCsGAQUFBwMB +-----END TRUSTED CERTIFICATE----- diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 93d993dcdc..ac579ab3fb 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -19,87 +19,171 @@ sub verify { run(app([@args])); } -plan tests => 38; +plan tests => 76; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), - "verify valid chain"); + "accept compat trust"); # Root CA variants ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]), - "Trusted CA certs now subject to CA:true checks"); + "fail trusted non-ca root"); ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]), "fail wrong root key"); ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]), "fail wrong root DN"); + +# Explicit trust/purpose combinations +# +ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]), + "accept server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]), + "fail client purpose"); ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]), - "accept right EKU"); + "accept server trust"); +ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]), + "accept server trust with server purpose"); +ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]), + "accept server trust with client purpose"); +# Wildcard trust ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]), - "accept anyEKU"); + "accept wildcard trust"); +ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust with server purpose"); +ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust with client purpose"); +# Inapplicable mistrust +ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]), + "accept client mistrust"); +ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]), + "accept client mistrust with server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]), + "fail client mistrust with client purpose"); +# Inapplicable trust +ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]), + "fail client trust"); +ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]), + "fail client trust with server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]), + "fail client trust with client purpose"); +# Server mistrust ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]), "fail rejected EKU"); +ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]), + "fail server mistrust with server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]), + "fail server mistrust with client purpose"); +# Wildcard mistrust ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]), - "fail rejected anyEKU"); -ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]), - "fail wrong EKU"); + "fail wildcard mistrust"); +ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]), + "fail wildcard mistrust with server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]), + "fail wildcard mistrust with client purpose"); # Check that trusted-first is on by setting up paths to different roots # depending on whether the intermediate is the trusted or untrusted one. # ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)], [qw(ca-cert)]), - "verify trusted-first path"); + "accept trusted-first path"); ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)], [qw(ca-cert)]), - "verify trusted-first path right EKU"); + "accept trusted-first path with server trust"); ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)], [qw(ca-cert)]), - "fail trusted-first path rejected EKU"); + "fail trusted-first path with server mistrust"); ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)], [qw(ca-cert)]), - "fail trusted-first path wrong EKU"); + "fail trusted-first path with client trust"); # CA variants ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]), - "fail non-CA"); + "fail non-CA intermediate"); ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]), - "fail wrong CA key"); + "fail wrong intermediate CA key"); ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]), - "fail wrong CA DN"); + "fail wrong intermediate CA DN"); ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]), - "fail wrong CA issuer"); + "fail wrong intermediate CA issuer"); ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"), - "fail untrusted partial"); -ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"), - "fail untrusted EKU partial"); + "fail untrusted partial chain"); +ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"), + "accept trusted partial chain"); +ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"), + "accept partial chain with server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"), + "fail partial chain with client purpose"); ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"), - "accept trusted EKU partial"); + "accept server trust partial chain"); +ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"), + "accept server trust client purpose partial chain"); +ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"), + "accept client mistrust partial chain"); +ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"), + "accept wildcard trust partial chain"); +ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"), + "fail untrusted partial issuer with ignored server trust"); ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"), - "fail rejected EKU partial"); + "fail server mistrust partial chain"); ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"), - "fail wrong EKU partial"); + "fail client trust partial chain"); +ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"), + "fail wildcard mistrust partial chain"); # We now test auxiliary trust even for intermediate trusted certs without # -partial_chain. Note that "-trusted_first" is now always on and cannot # be disabled. ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]), - "accept trusted EKU"); + "accept server trust"); +ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust"); +ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]), + "accept server purpose"); +ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]), + "accept server trust and purpose"); +ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust and server purpose"); +ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]), + "accept client mistrust and server purpose"); +ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]), + "accept server trust and client purpose"); +ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust and client purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]), + "fail client purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]), + "fail wildcard mistrust"); ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]), - "fail rejected EKU"); + "fail server mistrust"); ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]), - "fail wrong EKU"); + "fail client trust"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]), + "fail client trust and server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]), + "fail client trust and client purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]), + "fail server mistrust and client purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]), + "fail client mistrust and client purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]), + "fail server mistrust and server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]), + "fail wildcard mistrust and server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]), + "fail wildcard mistrust and client purpose"); # EE variants ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]), - "accept client cert"); + "accept client chain"); ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]), - "fail wrong leaf purpose"); + "fail server leaf purpose"); ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]), - "fail wrong leaf purpose"); + "fail client leaf purpose"); ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), - "fail wrong CA key"); + "fail wrong intermediate CA key"); ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), - "fail wrong CA name"); + "fail wrong intermediate CA DN"); ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]), "fail expired leaf"); ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"), @@ -109,10 +193,10 @@ ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"), ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"), "fail last-resort direct leaf non-match"); ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"), - "accept direct match with trusted EKU"); + "accept direct match with server trust"); ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"), - "reject direct match with rejected EKU"); + "fail direct match with server mistrust"); ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"), - "accept direct match with trusted EKU"); + "accept direct match with client trust"); ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"), - "reject direct match with rejected EKU"); + "reject direct match with client mistrust"); |