From cbf3ef3861dc82525d6d0cc7624586d62f200e0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 23 Sep 2013 12:20:02 +0200 Subject: [PATCH 01/18] RSA and ECDSA key exchanges don't depend on CRL --- include/polarssl/config.h | 22 +++++++++------------- include/polarssl/ssl.h | 6 ------ include/polarssl/x509_crt.h | 6 ++---- library/x509_crt.c | 2 ++ programs/test/ssl_cert_test.c | 6 ++++-- scripts/data_files/config-mini-tls1_1.h | 1 - scripts/data_files/config-suite-b.h | 1 - tests/suites/test_suite_x509parse.function | 2 +- 8 files changed, 18 insertions(+), 28 deletions(-) diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 737e5b489..f2ac41c67 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -286,7 +286,7 @@ * Enable the RSA-PSK based ciphersuite modes in SSL / TLS. * (NOT YET IMPLEMENTED) * Requires: POLARSSL_RSA_C, POLARSSL_PKCS1_V15, - * POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C + * POLARSSL_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are * enabled as well): @@ -307,7 +307,7 @@ * Enable the RSA-only based ciphersuite modes in SSL / TLS. * * Requires: POLARSSL_RSA_C, POLARSSL_PKCS1_V15, - * POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C + * POLARSSL_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are * enabled as well): @@ -333,7 +333,7 @@ * Enable the DHE-RSA based ciphersuite modes in SSL / TLS. * * Requires: POLARSSL_DHM_C, POLARSSL_RSA_C, POLARSSL_PKCS1_V15, - * POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C + * POLARSSL_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are * enabled as well): 
@@ -355,7 +355,7 @@ * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. * * Requires: POLARSSL_ECDH_C, POLARSSL_RSA_C, POLARSSL_PKCS1_V15, - * POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C + * POLARSSL_X509_CRT_PARSE_C * * This enables the following ciphersuites (if other requisites are * enabled as well): @@ -378,7 +378,6 @@ * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. * * Requires: POLARSSL_ECDH_C, POLARSSL_ECDSA_C, POLARSSL_X509_CRT_PARSE_C, - * POLARSSL_X509_CRL_PARSE_C * * This enables the following ciphersuites (if other requisites are * enabled as well): 
@@ -1683,34 +1682,31 @@ #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ ( !defined(POLARSSL_DHM_C) || !defined(POLARSSL_RSA_C) || \ - !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) || \ - !defined(POLARSSL_X509_CRL_PARSE_C) ) + !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) ) #error "POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED defined, but not all prerequisites" #endif #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ ( !defined(POLARSSL_ECDH_C) || !defined(POLARSSL_RSA_C) || \ - !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) || \ - !defined(POLARSSL_X509_CRL_PARSE_C) ) + !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) ) #error "POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites" #endif #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ ( !defined(POLARSSL_ECDH_C) || !defined(POLARSSL_ECDSA_C) || \ - !defined(POLARSSL_X509_CRT_PARSE_C) || \ - !defined(POLARSSL_X509_CRL_PARSE_C) ) + !defined(POLARSSL_X509_CRT_PARSE_C) ) #error "POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites" #endif #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \ ( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) ||\ - !defined(POLARSSL_PKCS1_V15) || !defined(POLARSSL_X509_CRL_PARSE_C) ) + !defined(POLARSSL_PKCS1_V15) ) #error "POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED defined, but not all prerequisites" #endif #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \ ( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) ||\ - !defined(POLARSSL_PKCS1_V15) || !defined(POLARSSL_X509_CRL_PARSE_C) ) + !defined(POLARSSL_PKCS1_V15) ) #error "POLARSSL_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites" #endif diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 98742dc69..93b3170ba 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h 
@@ -58,9 +58,7 @@ #include "x509_crt.h" #endif -#if defined(POLARSSL_X509_CRL_PARSE_C) #include "x509_crl.h" -#endif #if defined(POLARSSL_DHM_C) #include "dhm.h" @@ -659,9 +657,7 @@ struct _ssl_context x509_crt *ca_chain; /*!< own trusted CA chain */ const char *peer_cn; /*!< expected peer CN */ #endif /* POLARSSL_X509_CRT_PARSE_C */ -#if defined(POLARSSL_X509_CRL_PARSE_C) x509_crl *ca_crl; /*!< trusted CA CRLs */ -#endif /* POLARSSL_X509_CRL_PARSE_C */ #if defined(POLARSSL_SSL_SESSION_TICKETS) /* @@ -956,7 +952,6 @@ void ssl_set_ciphersuites_for_version( ssl_context *ssl, int major, int minor ); #if defined(POLARSSL_X509_CRT_PARSE_C) -#if defined(POLARSSL_X509_CRL_PARSE_C) /** * \brief Set the data required to verify peer certificate * @@ -967,7 +962,6 @@ void ssl_set_ciphersuites_for_version( ssl_context *ssl, */ void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain, x509_crl *ca_crl, const char *peer_cn ); -#endif /* POLARSSL_X509_CRL_PARSE_C */ /** * \brief Set own certificate chain and private key diff --git a/include/polarssl/x509_crt.h b/include/polarssl/x509_crt.h index dab1296ca..0c1b9e109 100644 --- a/include/polarssl/x509_crt.h +++ b/include/polarssl/x509_crt.h @@ -31,9 +31,7 @@ #include "x509.h" -#if defined(POLARSSL_X509_CRL_PARSE_C) #include "x509_crl.h" -#endif /** * \addtogroup x509_module @@ -198,7 +196,6 @@ int x509_crt_parse_path( x509_crt *chain, const char *path ); int x509_crt_info( char *buf, size_t size, const char *prefix, const x509_crt *crt ); -#if defined(POLARSSL_X509_CRL_PARSE_C) /** * \brief Verify the certificate signature * @@ -242,8 +239,9 @@ int x509_crt_verify( x509_crt *crt, int (*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy ); +#if defined(POLARSSL_X509_CRL_PARSE_C) /** - * \brief Verify the certificate signature + * \brief Verify the certificate revocation status * * \param crt a certificate to be verified * \param crl the CRL to verify against 
diff --git a/library/x509_crt.c b/library/x509_crt.c index 1173cae4b..e6c840c9b 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1391,6 +1391,8 @@ static int x509_crt_verify_top( #if defined(POLARSSL_X509_CRL_PARSE_C) /* Check trusted CA's CRL for the chain's top crt */ *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl ); +#else + ((void) ca_crl); #endif if( x509_time_expired( &trust_ca->valid_to ) ) diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c index 42f5c5928..57f5f844f 100644 --- a/programs/test/ssl_cert_test.c +++ b/programs/test/ssl_cert_test.c @@ -29,13 +29,14 @@ #include #if !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) || \ - !defined(POLARSSL_FS_IO) + !defined(POLARSSL_FS_IO) || !defined(POLARSSL_X509_CRL_PARSE_C) int main( int argc, char *argv[] ) { ((void) argc); ((void) argv); printf("POLARSSL_RSA_C and/or POLARSSL_X509_CRT_PARSE_C " + "POLARSSL_FS_IO and/or POLARSSL_X509_CRL_PARSE_C " "not defined.\n"); return( 0 ); } @@ -257,4 +258,5 @@ exit: return( ret ); } -#endif /* POLARSSL_RSA_C && POLARSSL_X509_CRT_PARSE_C && POLARSSL_FS_IO */ +#endif /* POLARSSL_RSA_C && POLARSSL_X509_CRT_PARSE_C && POLARSSL_FS_IO && + POLARSSL_X509_CRL_PARSE_C */ diff --git a/scripts/data_files/config-mini-tls1_1.h b/scripts/data_files/config-mini-tls1_1.h index 493069707..60b4c3688 100644 --- a/scripts/data_files/config-mini-tls1_1.h +++ b/scripts/data_files/config-mini-tls1_1.h @@ -34,7 +34,6 @@ #define POLARSSL_SSL_CLI_C #define POLARSSL_SSL_SRV_C #define POLARSSL_SSL_TLS_C -#define POLARSSL_X509_CRL_PARSE_C #define POLARSSL_X509_CRT_PARSE_C #define POLARSSL_X509_USE_C diff --git a/scripts/data_files/config-suite-b.h b/scripts/data_files/config-suite-b.h index 72dd348f8..a1543ee9c 100644 --- a/scripts/data_files/config-suite-b.h +++ b/scripts/data_files/config-suite-b.h 
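Review bot: In the x509_crt.c hunk, the new `#else ((void) ca_crl);` branch in x509_crt_verify_top() means that a caller who passes a non-NULL CRL in a build without POLARSSL_X509_CRL_PARSE_C gets no revocation check and no indication that it was skipped. This commit also makes ssl_set_ca_chain() and x509_crt_verify() available in such builds, so their `ca_crl` documentation should say so, e.g. `\note ca_crl is ignored unless POLARSSL_X509_CRL_PARSE_C is defined; no revocation checking is done in that case`. A stricter alternative is to reject a non-NULL `ca_crl` in that configuration instead of discarding it. The body of x509_crt_verify_top() starts and ends outside the hunk, so other uses of `ca_crl` in the file are not visible here.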
@@ -34,7 +34,6 @@ #define POLARSSL_SSL_CLI_C #define POLARSSL_SSL_SRV_C #define POLARSSL_SSL_TLS_C -#define POLARSSL_X509_CRL_PARSE_C #define POLARSSL_X509_CRT_PARSE_C #define POLARSSL_X509_USE_C diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 02238ba34..2add9e3c9 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -75,7 +75,7 @@ void x509_crl_info( char *crl_file, char *result_str ) } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C */ +/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_CRL_PARSE_C */ void x509_verify( char *crt_file, char *ca_file, char *crl_file, char *cn_name_str, int result, int flags_result, char *verify_callback ) From 834ea8587fc43151d3d629b23ba02a32256b2730 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 23 Sep 2013 14:46:13 +0200 Subject: [PATCH 02/18] Change internal structs for multi-cert support --- include/polarssl/ssl.h | 62 +++++++++++++++++------- library/ssl_cli.c | 14 +++--- library/ssl_srv.c | 16 +++---- library/ssl_tls.c | 105 +++++++++++++++++++++++++++++++---------- 4 files changed, 141 insertions(+), 56 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 93b3170ba..c764961d0 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -56,9 +56,8 @@ #if defined(POLARSSL_X509_CRT_PARSE_C) #include "x509_crt.h" -#endif - #include "x509_crl.h" +#endif #if defined(POLARSSL_DHM_C) #include "dhm.h" @@ -394,6 +393,9 @@ typedef struct _ssl_handshake_params ssl_handshake_params; #if defined(POLARSSL_SSL_SESSION_TICKETS) typedef struct _ssl_ticket_keys ssl_ticket_keys; #endif +#if defined(POLARSSL_X509_CRT_PARSE_C) +typedef struct _ssl_key_cert ssl_key_cert; +#endif /* * This structure is used for storing current session data. 
@@ -543,6 +545,19 @@ struct _ssl_ticket_keys }; #endif /* POLARSSL_SSL_SESSION_TICKETS */ +#if defined(POLARSSL_X509_CRT_PARSE_C) +/* + * List of certificate + private key pairs + */ +struct _ssl_key_cert +{ + x509_crt *cert; /*!< cert */ + pk_context *key; /*!< private key */ + int key_own_alloc; /*!< did we allocate key? */ + ssl_key_cert *next; /*!< next key/cert pair */ +}; +#endif /* POLARSSL_X509_CRT_PARSE_C */ + struct _ssl_context { /* @@ -647,22 +662,18 @@ struct _ssl_context /* * PKI layer */ -#if defined(POLARSSL_PK_C) - pk_context *pk_key; /*!< own private key */ - int pk_key_own_alloc; /*!< did we allocate pk_key? */ -#endif - #if defined(POLARSSL_X509_CRT_PARSE_C) - x509_crt *own_cert; /*!< own X.509 certificate */ - x509_crt *ca_chain; /*!< own trusted CA chain */ - const char *peer_cn; /*!< expected peer CN */ -#endif /* POLARSSL_X509_CRT_PARSE_C */ - x509_crl *ca_crl; /*!< trusted CA CRLs */ + ssl_key_cert *key_cert; /*!< own certificate(s)/key(s) */ + + x509_crt *ca_chain; /*!< own trusted CA chain */ + x509_crl *ca_crl; /*!< trusted CA CRLs */ + const char *peer_cn; /*!< expected peer CN */ +#endif /* POLARSSL_X509_CRT_PARSE_C */ -#if defined(POLARSSL_SSL_SESSION_TICKETS) /* * Support for generating and checking session tickets */ +#if defined(POLARSSL_SSL_SESSION_TICKETS) ssl_ticket_keys *ticket_keys; /*!< keys for ticket encryption */ #endif /* POLARSSL_SSL_SESSION_TICKETS */ 
@@ -966,15 +977,22 @@ void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain, /** * \brief Set own certificate chain and private key * - * Note: own_cert should contain IN order from the bottom - * up your certificate chain. The top certificate (self-signed) + * \note own_cert should contain in order from the bottom up your + * certificate chain. The top certificate (self-signed) * can be omitted. * + * \note This function may be called more than once if you want to + * support multiple certificates (eg, one using RSA and one + * using ECDSA). However, on client, currently only the first + * certificate is used (subsequent calls have no effect). + * * \param ssl SSL context * \param own_cert own public certificate chain * \param pk_key own private key + * + * \return 0 on success or POLARSSL_ERR_SSL_MALLOC_FAILED */ -void ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert, +int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert, pk_context *pk_key ); #if defined(POLARSSL_RSA_C) @@ -1496,6 +1514,18 @@ pk_type_t ssl_pk_alg_from_sig( unsigned char sig ); md_type_t ssl_md_alg_from_hash( unsigned char hash ); +#if defined(POLARSSL_X509_CRT_PARSE_C) +static inline pk_context *ssl_own_key( ssl_context *ssl ) +{ + return( ssl->key_cert == NULL ? NULL : ssl->key_cert->key ); +} + +static inline x509_crt *ssl_own_cert( ssl_context *ssl ) +{ + return( ssl->key_cert == NULL ? NULL : ssl->key_cert->cert ); +} +#endif /* POLARSSL_X509_CRT_PARSE_C */ + #ifdef __cplusplus } #endif diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 7d1a83285..ae8c916c8 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1595,7 +1595,7 @@ static int ssl_parse_certificate_request( ssl_context *ssl ) { #if defined(POLARSSL_RSA_C) if( *p == SSL_CERT_TYPE_RSA_SIGN && - pk_can_do( ssl->pk_key, POLARSSL_PK_RSA ) ) + pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) ) { ssl->handshake->cert_type = SSL_CERT_TYPE_RSA_SIGN; break; 
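Review bot: The new documentation for ssl_set_own_cert() in the `@@ -966,15 +977,22 @@` hunk does not say that each call now adds an entry instead of replacing the previous certificate, nor how long `own_cert` and `pk_key` must stay valid. By the note's own wording, client code that used to call the function again to switch certificates will keep presenting the first one. I would add `\note Each call adds a certificate/key pair; pairs are kept until ssl_free(), and own_cert and pk_key must remain valid until then.` The return type also changes from void to int, so the text should tell callers to check the result.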
@@ -1604,7 +1604,7 @@ static int ssl_parse_certificate_request( ssl_context *ssl ) #endif #if defined(POLARSSL_ECDSA_C) if( *p == SSL_CERT_TYPE_ECDSA_SIGN && - pk_can_do( ssl->pk_key, POLARSSL_PK_ECDSA ) ) + pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) ) { ssl->handshake->cert_type = SSL_CERT_TYPE_ECDSA_SIGN; break; @@ -2005,14 +2005,14 @@ static int ssl_write_certificate_verify( ssl_context *ssl ) return( 0 ); } - if( ssl->client_auth == 0 || ssl->own_cert == NULL ) + if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL ) { SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); ssl->state++; return( 0 ); } - if( ssl->pk_key == NULL ) + if( ssl_own_key( ssl ) == NULL ) { SSL_DEBUG_MSG( 1, ( "got no private key" ) ); return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); @@ -2045,7 +2045,7 @@ static int ssl_write_certificate_verify( ssl_context *ssl ) /* * For ECDSA, default hash is SHA-1 only */ - if( pk_can_do( ssl->pk_key, POLARSSL_PK_ECDSA ) ) + if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) ) { hash_start += 16; hashlen -= 16; @@ -2084,7 +2084,7 @@ static int ssl_write_certificate_verify( ssl_context *ssl ) md_alg = POLARSSL_MD_SHA256; ssl->out_msg[4] = SSL_HASH_SHA256; } - ssl->out_msg[5] = ssl_sig_from_pk( ssl->pk_key ); + ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) ); /* Info from md_alg will be used instead */ hashlen = 0; @@ -2097,7 +2097,7 @@ static int ssl_write_certificate_verify( ssl_context *ssl ) return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); } - if( ( ret = pk_sign( ssl->pk_key, md_alg, hash_start, hashlen, + if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen, ssl->out_msg + 6 + offset, &n, ssl->f_rng, ssl->p_rng ) ) != 0 ) { diff --git a/library/ssl_srv.c b/library/ssl_srv.c index e6ce88c0c..47e3e272c 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
@@ -1306,8 +1306,8 @@ static int ssl_parse_client_hello( ssl_context *ssl ) #if defined(POLARSSL_PK_C) pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); if( pk_alg != POLARSSL_PK_NONE && - ( ssl->pk_key == NULL || - ! pk_can_do( ssl->pk_key, pk_alg ) ) ) + ( ssl_own_key( ssl ) == NULL || + ! pk_can_do( ssl_own_key( ssl ), pk_alg ) ) ) continue; #endif @@ -2065,7 +2065,7 @@ static int ssl_write_server_key_exchange( ssl_context *ssl ) /* * Make the signature */ - if( ssl->pk_key == NULL ) + if( ssl_own_key( ssl ) == NULL ) { SSL_DEBUG_MSG( 1, ( "got no private key" ) ); return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); @@ -2075,13 +2075,13 @@ static int ssl_write_server_key_exchange( ssl_context *ssl ) if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) { *(p++) = ssl->handshake->sig_alg; - *(p++) = ssl_sig_from_pk( ssl->pk_key ); + *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) ); n += 2; } #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ - if( ( ret = pk_sign( ssl->pk_key, md_alg, hash, hashlen, + if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen, p + 2 , &signature_len, ssl->f_rng, ssl->p_rng ) ) != 0 ) { @@ -2221,7 +2221,7 @@ static int ssl_parse_encrypted_pms_secret( ssl_context *ssl ) int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; size_t i, n = 0; - if( ! pk_can_do( ssl->pk_key, POLARSSL_PK_RSA ) ) + if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) ) { SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); @@ -2231,7 +2231,7 @@ static int ssl_parse_encrypted_pms_secret( ssl_context *ssl ) * Decrypt the premaster using own private RSA key */ i = 4; - n = pk_get_len( ssl->pk_key ); + n = pk_get_len( ssl_own_key( ssl ) ); ssl->handshake->pmslen = 48; #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \ 
@@ -2254,7 +2254,7 @@ static int ssl_parse_encrypted_pms_secret( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); } - ret = pk_decrypt( ssl->pk_key, + ret = pk_decrypt( ssl_own_key( ssl ), ssl->in_msg + i, n, ssl->handshake->premaster, &ssl->handshake->pmslen, sizeof(ssl->handshake->premaster), diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a113ec1f2..7f5ea76bd 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2302,7 +2302,7 @@ int ssl_write_certificate( ssl_context *ssl ) * If using SSLv3 and got no cert, send an Alert message * (otherwise an empty Certificate message will be sent). */ - if( ssl->own_cert == NULL && + if( ssl_own_cert( ssl ) == NULL && ssl->minor_ver == SSL_MINOR_VERSION_0 ) { ssl->out_msglen = 2; @@ -2317,14 +2317,14 @@ int ssl_write_certificate( ssl_context *ssl ) } else /* SSL_IS_SERVER */ { - if( ssl->own_cert == NULL ) + if( ssl_own_cert( ssl ) == NULL ) { SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED ); } } - SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert ); + SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) ); /* * 0 . 0 handshake type @@ -2336,7 +2336,7 @@ int ssl_write_certificate( ssl_context *ssl ) * n+3 . ... upper level cert, etc. */ i = 7; - crt = ssl->own_cert; + crt = ssl_own_cert( ssl ); while( crt != NULL ) { 
@@ -3462,6 +3462,30 @@ void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites } #if defined(POLARSSL_X509_CRT_PARSE_C) +/* Add a new (empty) key_cert entry an return a pointer to it */ +static ssl_key_cert *ssl_add_key_cert( ssl_context *ssl ) +{ + ssl_key_cert *key_cert, *last; + + if( ( key_cert = polarssl_malloc( sizeof( ssl_key_cert ) ) ) == NULL ) + return( NULL ); + + memset( key_cert, 0, sizeof( ssl_key_cert ) ); + + /* Append the new key_cert to the (possibly empty) current list */ + if( ssl->key_cert == NULL ) + ssl->key_cert = key_cert; + else + { + last = ssl->key_cert; + while( last->next != NULL ) + last = last->next; + last->next = key_cert; + } + + return key_cert; +} + void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain, x509_crl *ca_crl, const char *peer_cn ) { @@ -3470,11 +3494,18 @@ void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain, ssl->peer_cn = peer_cn; } -void ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert, +int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert, pk_context *pk_key ) { - ssl->own_cert = own_cert; - ssl->pk_key = pk_key; + ssl_key_cert *key_cert = ssl_add_key_cert( ssl ); + + if( key_cert == NULL ) + return( POLARSSL_ERR_SSL_MALLOC_FAILED ); + + key_cert->cert = own_cert; + key_cert->key = pk_key; + + return( 0 ); } #if defined(POLARSSL_RSA_C) 
@@ -3482,23 +3513,26 @@ int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert, rsa_context *rsa_key ) { int ret; + ssl_key_cert *key_cert = ssl_add_key_cert( ssl ); - ssl->own_cert = own_cert; - - if( ( ssl->pk_key = polarssl_malloc( sizeof( pk_context ) ) ) == NULL ) + if( key_cert == NULL ) return( POLARSSL_ERR_SSL_MALLOC_FAILED ); - ssl->pk_key_own_alloc = 1; + if( ( key_cert->key = polarssl_malloc( sizeof( pk_context ) ) ) == NULL ) + return( POLARSSL_ERR_SSL_MALLOC_FAILED ); - pk_init( ssl->pk_key ); + pk_init( key_cert->key ); - ret = pk_init_ctx( ssl->pk_key, pk_info_from_type( POLARSSL_PK_RSA ) ); + ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) ); if( ret != 0 ) return( ret ); - if( ( ret = rsa_copy( ssl->pk_key->pk_ctx, rsa_key ) ) != 0 ) + if( ( ret = rsa_copy( key_cert->key->pk_ctx, rsa_key ) ) != 0 ) return( ret ); + key_cert->cert = own_cert; + key_cert->key_own_alloc = 1; + return( 0 ); } #endif /* POLARSSL_RSA_C */ @@ -3509,17 +3543,25 @@ int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len ) { - ssl->own_cert = own_cert; + int ret; + ssl_key_cert *key_cert = ssl_add_key_cert( ssl ); - if( ( ssl->pk_key = polarssl_malloc( sizeof( pk_context ) ) ) == NULL ) + if( key_cert == NULL ) return( POLARSSL_ERR_SSL_MALLOC_FAILED ); - ssl->pk_key_own_alloc = 1; + if( ( key_cert->key = polarssl_malloc( sizeof( pk_context ) ) ) == NULL ) + return( POLARSSL_ERR_SSL_MALLOC_FAILED ); - pk_init( ssl->pk_key ); + pk_init( key_cert->key ); - return( pk_init_ctx_rsa_alt( ssl->pk_key, rsa_key, - rsa_decrypt, rsa_sign, rsa_key_len ) ); + if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key, + rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 ) + return( ret ); + + key_cert->cert = own_cert; + key_cert->key_own_alloc = 1; + + return( 0 ); } #endif /* POLARSSL_X509_CRT_PARSE_C */ 
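Review bot: In ssl_set_own_cert_rsa(), ssl_add_key_cert() links the new entry into ssl->key_cert before the key is set up, and `key_own_alloc` is set only on the success path. A failure in pk_init_ctx() or rsa_copy() therefore leaves a list entry with a NULL cert and an allocated key that ssl_free() will not release. ssl_set_own_cert_alt() in the next hunk has the same ordering when pk_init_ctx_rsa_alt() fails. Moving `key_cert->key_own_alloc = 1;` to directly after `pk_init( key_cert->key );` closes the leak in both functions. The half-initialised entry still stays in the list after any failure, including a failed key allocation, so it would be cleaner to fill the entry first and link it only once every step has succeeded.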
@@ -4188,13 +4230,26 @@ void ssl_free( ssl_context *ssl ) } #endif -#if defined(POLARSSL_PK_C) - if( ssl->pk_key_own_alloc ) +#if defined(POLARSSL_X509_CRT_PARSE_C) + if( ssl->key_cert != NULL ) { - pk_free( ssl->pk_key ); - polarssl_free( ssl->pk_key ); + ssl_key_cert *cur = ssl->key_cert, *next; + + while( cur != NULL ) + { + next = cur->next; + + if( cur->key_own_alloc ) + { + pk_free( cur->key ); + polarssl_free( cur->key ); + } + polarssl_free( cur ); + + cur = next; + } } -#endif +#endif /* POLARSSL_X509_CRT_PARSE_C */ #if defined(POLARSSL_SSL_HW_RECORD_ACCEL) if( ssl_hw_record_finish != NULL ) From 3ebb2cdb523e6d8708f8ca74d3cdac15e74ae185 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 23 Sep 2013 17:00:18 +0200 Subject: [PATCH 03/18] Add support for multiple server certificates --- include/polarssl/ssl.h | 9 ++- library/ssl_srv.c | 35 ++++++++--- library/ssl_tls.c | 4 ++ programs/ssl/ssl_server2.c | 116 ++++++++++++++++++++++++------------- 4 files changed, 114 insertions(+), 50 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index c764961d0..f357b4624 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -492,6 +492,9 @@ struct _ssl_handshake_params #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) int ec_curve; /*!< Selected elliptic curve */ #endif +#if defined(POLARSSL_X509_CRT_PARSE_C) + ssl_key_cert *key_cert; /*!< Own key/cert in use */ +#endif /* * Checksum contexts 
@@ -1517,12 +1520,14 @@ md_type_t ssl_md_alg_from_hash( unsigned char hash ); #if defined(POLARSSL_X509_CRT_PARSE_C) static inline pk_context *ssl_own_key( ssl_context *ssl ) { - return( ssl->key_cert == NULL ? NULL : ssl->key_cert->key ); + return( ssl->handshake->key_cert == NULL ? NULL + : ssl->handshake->key_cert->key ); } static inline x509_crt *ssl_own_cert( ssl_context *ssl ) { - return( ssl->key_cert == NULL ? NULL : ssl->key_cert->cert ); + return( ssl->handshake->key_cert == NULL ? NULL + : ssl->handshake->key_cert->cert ); } #endif /* POLARSSL_X509_CRT_PARSE_C */ diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 47e3e272c..d1d5ec7fc 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1271,7 +1271,8 @@ static int ssl_parse_client_hello( ssl_context *ssl ) /* * Search for a matching ciphersuite - * (At the end because we need information from the EC-based extensions) + * (At the end because we need information from the EC-based extensions + * and certificate from the SNI callback triggered by the SNI extension.) */ ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; for( i = 0; ciphersuites[i] != 0; i++ ) 
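Review bot: ssl_own_key() and ssl_own_cert() now read `ssl->handshake->key_cert` without checking `ssl->handshake`, so they are only safe while a handshake structure exists. The call sites visible in this series are all handshake steps, but these are inline functions in a public header, so I would document the precondition above them, e.g. `/* Only valid during a handshake: ssl->handshake must not be NULL */`. Whether `ssl->handshake` can be NULL on an initialised context is not visible in this hunk.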
@@ -1301,14 +1302,32 @@ static int ssl_parse_client_hello( ssl_context *ssl ) continue; #endif - /* If ciphersuite requires us to have a private key of a - * certain type, make sure we do */ -#if defined(POLARSSL_PK_C) +#if defined(POLARSSL_X509_CRT_PARSE_C) + /* + * Final check: if ciphersuite requires us to have a + * certificate/key of a particular type: + * - select the appropriate certificate if we have one, or + * - try the next ciphersuite if we don't + * This must be done last since we modify the key_cert list. + */ pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); - if( pk_alg != POLARSSL_PK_NONE && - ( ssl_own_key( ssl ) == NULL || - ! pk_can_do( ssl_own_key( ssl ), pk_alg ) ) ) - continue; + if( pk_alg != POLARSSL_PK_NONE ) + { + ssl_key_cert *good = NULL; + ssl_key_cert *cur = ssl->key_cert; + + while( cur != NULL && good == NULL ) + { + if( pk_can_do( cur->key, pk_alg ) ) + good = cur; + cur = cur->next; + } + + if( good == NULL ) + continue; + else + ssl->handshake->key_cert = good; + } #endif goto have_ciphersuite; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7f5ea76bd..86c2953d4 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3849,6 +3849,10 @@ int ssl_handshake( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); +#if defined(POLARSSL_X509_CRT_PARSE_C) + ssl->handshake->key_cert = ssl->key_cert; +#endif + while( ssl->state != SSL_HANDSHAKE_OVER ) { ret = ssl_handshake_step( ssl ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 69b005a52..e73a0b598 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -56,6 +56,8 @@ #define DFL_CA_PATH "" #define DFL_CRT_FILE "" #define DFL_KEY_FILE "" +#define DFL_CRT_FILE2 "" +#define DFL_KEY_FILE2 "" #define DFL_PSK "" #define DFL_PSK_IDENTITY "Client_identity" #define DFL_FORCE_CIPHER 0 
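Review bot: In the ssl_tls.c hunk, `ssl->handshake->key_cert = ssl->key_cert;` runs on every entry to ssl_handshake(), not once per handshake. If ssl_handshake() can return before SSL_HANDSHAKE_OVER and be called again (the loop's exit paths are outside the hunk), the certificate chosen in ssl_parse_client_hello() is overwritten with the head of the list. The server would then send and sign with a key that may not match the negotiated ciphersuite. Callers that drive ssl_handshake_step() directly never get the default at all. The assignment belongs where the handshake structure is initialised, or should at least be guarded, e.g. `if( ssl->handshake->key_cert == NULL ) ssl->handshake->key_cert = ssl->key_cert;`.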
@@ -91,8 +93,10 @@ struct options int debug_level; /* level of debugging */ const char *ca_file; /* the file with the CA certificate(s) */ const char *ca_path; /* the path with the CA certificate(s) reside */ - const char *crt_file; /* the file with the client certificate */ - const char *key_file; /* the file with the client key */ + const char *crt_file; /* the file with the server certificate */ + const char *key_file; /* the file with the server key */ + const char *crt_file2; /* the file with the 2nd server certificate */ + const char *key_file2; /* the file with the 2nd server key */ const char *psk; /* the pre-shared key */ const char *psk_identity; /* the pre-shared key identity */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ 
@@ -114,6 +118,56 @@ static void my_debug( void *ctx, int level, const char *str ) } } +#if defined(POLARSSL_X509_CRT_PARSE_C) +static int parse_cert_key( x509_crt *crt, const char *crt_file, + pk_context *key, const char *key_file ) +{ + int ret; + +#if defined(POLARSSL_FS_IO) + if( strlen( crt_file ) ) + ret = x509_crt_parse_file( crt, crt_file ); + else +#endif +#if defined(POLARSSL_CERTS_C) + ret = x509_crt_parse( crt, (const unsigned char *) test_srv_crt, + strlen( test_srv_crt ) ); +#else + { + ret = 1; + printf("POLARSSL_CERTS_C not defined."); + } +#endif + if( ret != 0 ) + { + printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); + return( ret ); + } + +#if defined(POLARSSL_FS_IO) + if( strlen( key_file ) ) + ret = pk_parse_keyfile( key, key_file, "" ); + else +#endif +#if defined(POLARSSL_CERTS_C) + ret = pk_parse_key( key, (const unsigned char *) test_srv_key, + strlen( test_srv_key ), NULL, 0 ); +#else + { + ret = 1; + printf("POLARSSL_CERTS_C not defined."); + } +#endif + if( ret != 0 ) + { + printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret ); + return( ret ); + } + + return( 0 ); +} +#endif /* POLARSSL_X509_CRT_PARSE_C */ + #if defined(POLARSSL_X509_CRT_PARSE_C) #if defined(POLARSSL_FS_IO) #define USAGE_IO \ @@ -123,7 +177,10 @@ static void my_debug( void *ctx, int level, const char *str ) " default: \"\" (pre-loaded) (overrides ca_file)\n" \ " crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \ " default: \"\" (pre-loaded)\n" \ - " key_file=%%s default: \"\" (pre-loaded)\n" + " key_file=%%s default: \"\" (pre-loaded)\n" \ + " crt_file2=%%s Your second cert and chain (in bottom to top order, top may be omitted)\n" \ + " default: \"\" (pre-loaded)\n" \ + " key_file2=%%s default: \"\" (pre-loaded)\n" #else #define USAGE_IO \ "\n" \ 
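Review bot: parse_cert_key() falls back to the built-in test certificate and the built-in test key independently, so giving `crt_file` without `key_file` (or the reverse) pairs a user-supplied certificate with the test key, and nothing in the helper detects the mismatch. With the defaults, the second pair is also the same built-in pair as the first, so the multi-certificate path is only exercised when both `crt_file2` and `key_file2` are given. I would reject the mixed case at the top of the helper with `if( ( strlen( crt_file ) == 0 ) != ( strlen( key_file ) == 0 ) ) return( 1 );` plus a printed message.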
@@ -212,6 +269,8 @@ int main( int argc, char *argv[] ) x509_crt cacert; x509_crt srvcert; pk_context pkey; + x509_crt srvcert2; + pk_context pkey2; #endif #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_context cache; @@ -237,6 +296,8 @@ int main( int argc, char *argv[] ) x509_crt_init( &cacert ); x509_crt_init( &srvcert ); pk_init( &pkey ); + x509_crt_init( &srvcert2 ); + pk_init( &pkey2 ); #endif #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_init( &cache ); @@ -270,6 +331,8 @@ int main( int argc, char *argv[] ) opt.ca_path = DFL_CA_PATH; opt.crt_file = DFL_CRT_FILE; opt.key_file = DFL_KEY_FILE; + opt.crt_file2 = DFL_CRT_FILE2; + opt.key_file2 = DFL_KEY_FILE2; opt.psk = DFL_PSK; opt.psk_identity = DFL_PSK_IDENTITY; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; @@ -308,6 +371,10 @@ int main( int argc, char *argv[] ) opt.crt_file = q; else if( strcmp( p, "key_file" ) == 0 ) opt.key_file = q; + else if( strcmp( p, "crt_file2" ) == 0 ) + opt.crt_file2 = q; + else if( strcmp( p, "key_file2" ) == 0 ) + opt.key_file2 = q; else if( strcmp( p, "psk" ) == 0 ) opt.psk = q; else if( strcmp( p, "psk_identity" ) == 0 ) 
@@ -550,45 +617,11 @@ int main( int argc, char *argv[] ) printf( " . Loading the server cert. and key..." ); fflush( stdout ); -#if defined(POLARSSL_FS_IO) - if( strlen( opt.crt_file ) ) - ret = x509_crt_parse_file( &srvcert, opt.crt_file ); - else -#endif -#if defined(POLARSSL_CERTS_C) - ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt, - strlen( test_srv_crt ) ); -#else - { - ret = 1; - printf("POLARSSL_CERTS_C not defined."); - } -#endif - if( ret != 0 ) - { - printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); + if( parse_cert_key( &srvcert, opt.crt_file, &pkey, opt.key_file ) != 0 ) goto exit; - } -#if defined(POLARSSL_FS_IO) - if( strlen( opt.key_file ) ) - ret = pk_parse_keyfile( &pkey, opt.key_file, "" ); - else -#endif -#if defined(POLARSSL_CERTS_C) - ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key, - strlen( test_srv_key ), NULL, 0 ); -#else - { - ret = 1; - printf("POLARSSL_CERTS_C not defined."); - } -#endif - if( ret != 0 ) - { - printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret ); + if( parse_cert_key( &srvcert2, opt.crt_file2, &pkey2, opt.key_file2 ) != 0 ) goto exit; - } printf( " ok\n" ); #endif /* POLARSSL_X509_CRT_PARSE_C */ @@ -647,6 +680,7 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_X509_CRT_PARSE_C) ssl_set_ca_chain( &ssl, &cacert, NULL, NULL ); ssl_set_own_cert( &ssl, &srvcert, &pkey ); + ssl_set_own_cert( &ssl, &srvcert2, &pkey2 ); #endif #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) @@ -875,9 +909,11 @@ exit: net_close( client_fd ); #if defined(POLARSSL_X509_CRT_PARSE_C) - x509_crt_free( &srvcert ); x509_crt_free( &cacert ); + x509_crt_free( &srvcert ); pk_free( &pkey ); + x509_crt_free( &srvcert2 ); + pk_free( &pkey2 ); #endif ssl_free( &ssl ); From f71e587c5e2be1cc9d310e73b73e0c71e742a06a Mon Sep 17 00:00:00 2001 
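Review bot: Both `ssl_set_own_cert()` calls in the `@@ -647,6 +680,7 @@` hunk discard the return value, although the function now returns POLARSSL_ERR_SSL_MALLOC_FAILED when the list entry cannot be allocated. The server would then run with fewer certificates than configured and give no diagnostic. Check each call like the other setup steps, e.g. `if( ( ret = ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) goto exit;`, after printing the error. main() starts and ends outside the hunk.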
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 23 Sep 2013 17:12:43 +0200 Subject: [PATCH 04/18] Fix memory leak in ssl cipher usage --- library/ssl_tls.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 86c2953d4..5ab4a5cbe 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4127,6 +4127,9 @@ void ssl_transform_free( ssl_transform *transform ) inflateEnd( &transform->ctx_inflate ); #endif + cipher_free_ctx( &transform->cipher_ctx_enc ); + cipher_free_ctx( &transform->cipher_ctx_dec ); + md_free_ctx( &transform->md_ctx_enc ); md_free_ctx( &transform->md_ctx_dec ); From f24b4a7316185b80490ae04dc74ae00d43baf1fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 23 Sep 2013 18:14:50 +0200 Subject: [PATCH 05/18] Interface change in ECP info functions ecp_named_curve_from_grp_id() -> ecp_curve_info_from_grp_id() ecp_grp_id_from_named_curve() -> ecp_curve_info_from_tls_id() --- include/polarssl/ecp.h | 21 ++++++++++++--------- library/ecp.c | 41 ++++++++++++++++++++++++----------------- library/ssl_srv.c | 8 ++++---- 3 files changed, 40 insertions(+), 30 deletions(-) diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h index 353dd8bb3..94618e769 100644 --- a/include/polarssl/ecp.h +++ b/include/polarssl/ecp.h @@ -63,6 +63,11 @@ typedef enum POLARSSL_ECP_DP_SECP521R1, /*!< 521-bits NIST curve */ } ecp_group_id; +/** + * Number of supported curves (plus one for NONE) + */ +#define POLARSSL_ECP_DP_MAX 6 + /** * Curve information for use by other modules */ 
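Review bot: `#define POLARSSL_ECP_DP_MAX 6` in the ecp.h hunk is a hand-maintained count that must be updated whenever a curve is added to `ecp_group_id`, and nothing enforces that. If it is used to size arrays indexed by group id (its uses are not in this part of the series), a stale value becomes an out-of-bounds access. Unless the value is needed in preprocessor conditions, making it the last enumerator of `ecp_group_id` would keep it in sync automatically. At minimum the comment should say `must be updated together with ecp_group_id`.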
@@ -365,24 +370,22 @@ int ecp_tls_write_group( const ecp_group *grp, size_t *olen, unsigned char *buf, size_t blen ); /** - * \brief Get a TLS NamedCurve value from an internal group identifier + * \brief Get curve information from an internal group identifier * * \param grp_id A POLARSSL_ECP_DP_XXX value * - * \return The associated TLS NamedCurve value on success, - * 0 on failure. + * \return The associated curve information or NULL */ -uint16_t ecp_named_curve_from_grp_id( ecp_group_id id ); +const ecp_curve_info *ecp_curve_info_from_grp_id( ecp_group_id grp_id ); /** - * \brief Get an internal group identifier from a TLS NamedCurve value + * \brief Get curve information from a TLS NamedCurve value * - * \param curve A value from TLS's enum NamedCurve + * \param grp_id A POLARSSL_ECP_DP_XXX value * - * \return The associated POLARSSL_ECP_DP_XXX identifer on success, - * POLARSSL_ECP_DP_NONE on failure. + * \return The associated curve information or NULL */ -ecp_group_id ecp_grp_id_from_named_curve( uint16_t curve ); +const ecp_curve_info *ecp_curve_info_from_tls_id( uint16_t tls_id ); /** * \brief Import a point from a TLS ECPoint record diff --git a/library/ecp.c b/library/ecp.c index 9ab376317..c8ee3a76f 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -703,7 +703,8 @@ int ecp_use_known_dp( ecp_group *grp, ecp_group_id id ) */ int ecp_tls_read_group( ecp_group *grp, const unsigned char **buf, size_t len ) { - unsigned int named_curve; + uint16_t tls_id; + const ecp_curve_info *curve_info; /* * We expect at least three bytes (see below) 
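Review bot: The Doxygen block for `ecp_curve_info_from_tls_id()` documents `\param grp_id A POLARSSL_ECP_DP_XXX value`, but the function takes `uint16_t tls_id`; the line looks copied from the block above it. It should read `\param tls_id A value from TLS's enum NamedCurve`, which is the wording the removed comment used. Both `\return` lines could also say who owns the returned pointer, presumably an entry in a library-owned table that the caller must not free, since callers now receive a pointer where they used to receive a value.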
@@ -720,10 +721,14 @@ int ecp_tls_read_group( ecp_group *grp, const unsigned char **buf, size_t len ) /* * Next two bytes are the namedcurve value */ - named_curve = *(*buf)++; - named_curve <<= 8; - named_curve |= *(*buf)++; - return ecp_use_known_dp( grp, ecp_grp_id_from_named_curve( named_curve ) ); + tls_id = *(*buf)++; + tls_id <<= 8; + tls_id |= *(*buf)++; + + if( ( curve_info = ecp_curve_info_from_tls_id( tls_id ) ) == NULL ) + return( POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE ); + + return ecp_use_known_dp( grp, curve_info->grp_id ); } /* @@ -732,7 +737,10 @@ int ecp_tls_read_group( ecp_group *grp, const unsigned char **buf, size_t len ) int ecp_tls_write_group( const ecp_group *grp, size_t *olen, unsigned char *buf, size_t blen ) { - unsigned int named_curve; + const ecp_curve_info *curve_info; + + if( ( curve_info = ecp_curve_info_from_grp_id( grp->id ) ) == NULL ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); /* * We are going to write 3 bytes (see below) @@ -749,17 +757,16 @@ int ecp_tls_write_group( const ecp_group *grp, size_t *olen, /* * Next two bytes are the namedcurve value */ - named_curve = ecp_named_curve_from_grp_id( grp->id ); - buf[0] = named_curve >> 8; - buf[1] = named_curve & 0xFF; + buf[0] = curve_info->tls_id >> 8; + buf[1] = curve_info->tls_id & 0xFF; return 0; } /* - * Get the internal identifer from the TLS name + * Get the curve info from the TLS identifier */ -ecp_group_id ecp_grp_id_from_named_curve( uint16_t tls_id ) +const ecp_curve_info *ecp_curve_info_from_tls_id( uint16_t tls_id ) { const ecp_curve_info *curve_info; 
@@ -768,16 +775,16 @@ ecp_group_id ecp_grp_id_from_named_curve( uint16_t tls_id ) curve_info++ ) { if( curve_info->tls_id == tls_id ) - return( curve_info->grp_id ); + return( curve_info ); } - return( POLARSSL_ECP_DP_NONE ); + return( NULL ); } /* - * Get the TLS name for the internal identifer + * Get the curve info for the internal identifer */ -uint16_t ecp_named_curve_from_grp_id( ecp_group_id grp_id ) +const ecp_curve_info *ecp_curve_info_from_grp_id( ecp_group_id grp_id ) { const ecp_curve_info *curve_info; @@ -786,10 +793,10 @@ uint16_t ecp_named_curve_from_grp_id( ecp_group_id grp_id ) curve_info++ ) { if( curve_info->grp_id == grp_id ) - return( curve_info->tls_id ); + return( curve_info ); } - return( 0 ); + return( NULL ); } /* diff --git a/library/ssl_srv.c b/library/ssl_srv.c index d1d5ec7fc..9c90268c1 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -503,7 +503,7 @@ static int ssl_parse_supported_elliptic_curves( ssl_context *ssl, { size_t list_size; const unsigned char *p; - ecp_group_id grp_id; + const ecp_curve_info *curve_info; list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); if( list_size + 2 != len || @@ -516,11 +516,11 @@ static int ssl_parse_supported_elliptic_curves( ssl_context *ssl, p = buf + 2; while( list_size > 0 ) { - grp_id = ecp_grp_id_from_named_curve( ( p[0] << 8 ) | p[1] ); + curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); - if( grp_id != POLARSSL_ECP_DP_NONE ) + if( curve_info != NULL ) { - ssl->handshake->ec_curve = grp_id; + ssl->handshake->ec_curve = curve_info->grp_id; return( 0 ); } From d09453c88c970059a2754d420523f577ab5deda8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 23 Sep 2013 19:11:32 +0200 Subject: [PATCH 06/18] Check our ECDSA cert(s) against supported curves --- include/polarssl/ssl.h | 2 +- library/ssl_srv.c | 105 ++++++++++++++++++++++++++++++----------- library/ssl_tls.c | 4 ++ 3 files changed, 82 insertions(+), 29 deletions(-) 
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index f357b4624..144c85256 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -490,7 +490,7 @@ struct _ssl_handshake_params ecdh_context ecdh_ctx; /*!< ECDH key exchange */ #endif #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) - int ec_curve; /*!< Selected elliptic curve */ + const ecp_curve_info **curves; /*!< Supported elliptic curves */ #endif #if defined(POLARSSL_X509_CRT_PARSE_C) ssl_key_cert *key_cert; /*!< Own key/cert in use */ diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 9c90268c1..df7709bd4 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -501,9 +501,9 @@ static int ssl_parse_supported_elliptic_curves( ssl_context *ssl, const unsigned char *buf, size_t len ) { - size_t list_size; + size_t list_size, our_size; const unsigned char *p; - const ecp_curve_info *curve_info; + const ecp_curve_info *curve_info, **curves; list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); if( list_size + 2 != len || @@ -513,15 +513,27 @@ static int ssl_parse_supported_elliptic_curves( ssl_context *ssl, return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); } + /* Don't allow our peer to make use allocated too much memory, + * and leave room for a final 0 */ + our_size = list_size / 2 + 1; + if( our_size > POLARSSL_ECP_DP_MAX ) + our_size = POLARSSL_ECP_DP_MAX; + + if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL ) + return( POLARSSL_ERR_SSL_MALLOC_FAILED ); + + memset( curves, 0, our_size * sizeof( *curves ) ); + ssl->handshake->curves = curves; + p = buf + 2; - while( list_size > 0 ) + while( list_size > 0 && our_size > 1 ) { curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); if( curve_info != NULL ) { - ssl->handshake->ec_curve = curve_info->grp_id; - return( 0 ); + *curves++ = curve_info; + our_size--; } list_size -= 2; 
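Review bot: `ssl->handshake->curves = curves;` in ssl_parse_supported_elliptic_curves() overwrites whatever an earlier call stored, so if a ClientHello can reach this parser more than once (the extension loop is outside the hunk), every repeat leaks the previous allocation, because ssl_handshake_free() only releases the last one. A guard before the allocation closes that: `if( ssl->handshake->curves != NULL ) return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );`. The cap on `our_size` does bound each single allocation as the comment intends; the comment itself should read `make us allocate too much memory`. The function continues past the end of the hunk.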
@@ -875,6 +887,62 @@ have_ciphersuite_v2: } #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ +#if defined(POLARSSL_X509_CRT_PARSE_C) +#if defined(POLARSSL_ECDSA_C) +static int ssl_key_matches_curves( pk_context *pk, + const ecp_curve_info **curves ) +{ + const ecp_curve_info **crv = curves; + ecp_group_id grp_id = pk_ec( *pk )->grp.id; + + while( *crv != NULL ) + { + if( (*crv)->grp_id == grp_id ) + return( 1 ); + crv++; + } + + return( 0 ); +} +#endif /* POLARSSL_ECDSA_C */ + +/* + * Try picking a certificate for this ciphersuite, + * return 0 on success and -1 on failure. + */ +static int ssl_pick_cert( ssl_context *ssl, + const ssl_ciphersuite_t * ciphersuite_info ) +{ + ssl_key_cert *cur; + pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); + + if( pk_alg == POLARSSL_PK_NONE ) + return( 0 ); + + for( cur = ssl->key_cert; cur != NULL; cur = cur->next ) + { + if( ! pk_can_do( cur->key, pk_alg ) ) + continue; + +#if defined(POLARSSL_ECDSA_C) + if( pk_alg == POLARSSL_PK_ECDSA ) + { + if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) ) + break; + } + else +#endif + break; + } + + if( cur == NULL ) + return( -1 ); + + ssl->handshake->key_cert = cur; + return( 0 ); +} +#endif /* POLARSSL_X509_CRT_PARSE_C */ + static int ssl_parse_client_hello( ssl_context *ssl ) { int ret; @@ -888,9 +956,6 @@ static int ssl_parse_client_hello( ssl_context *ssl ) int handshake_failure = 0; const int *ciphersuites; const ssl_ciphersuite_t *ciphersuite_info; -#if defined(POLARSSL_PK_C) - pk_type_t pk_alg; -#endif SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); @@ -1298,7 +1363,7 @@ static int ssl_parse_client_hello( ssl_context *ssl ) #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) if( ssl_ciphersuite_uses_ec( ciphersuite_info ) && - ssl->handshake->ec_curve == 0 ) + ssl->handshake->curves[0] == NULL ) continue; #endif 
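Review bot: The new test `ssl->handshake->curves[0] == NULL` in the ciphersuite loop of ssl_parse_client_hello() dereferences `curves` itself, which is only assigned when the supported-curves extension is parsed. A ClientHello that offers an EC ciphersuite without that extension would presumably leave the pointer NULL (handshake initialisation is not visible here), and the server would read through a null pointer where the old `ec_curve == 0` test simply skipped the suite. I would test the pointer first: `( ssl->handshake->curves == NULL || ssl->handshake->curves[0] == NULL )`. The `while( *crv != NULL )` walk in ssl_key_matches_curves() above and the `ssl->handshake->curves[0]->grp_id` read in the ssl_write_server_key_exchange() hunk rely on the same guard, so each should carry a comment saying the list is non-NULL and non-empty at that point, or check it. ssl_parse_client_hello() starts and ends outside these hunks.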
@@ -1310,24 +1375,8 @@ static int ssl_parse_client_hello( ssl_context *ssl ) * - try the next ciphersuite if we don't * This must be done last since we modify the key_cert list. */ - pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); - if( pk_alg != POLARSSL_PK_NONE ) - { - ssl_key_cert *good = NULL; - ssl_key_cert *cur = ssl->key_cert; - - while( cur != NULL && good == NULL ) - { - if( pk_can_do( cur->key, pk_alg ) ) - good = cur; - cur = cur->next; - } - - if( good == NULL ) - continue; - else - ssl->handshake->key_cert = good; - } + if( ssl_pick_cert( ssl, ciphersuite_info ) != 0 ) + continue; #endif goto have_ciphersuite; @@ -1928,7 +1977,7 @@ static int ssl_write_server_key_exchange( ssl_context *ssl ) * } ServerECDHParams; */ if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp, - ssl->handshake->ec_curve ) ) != 0 ) + ssl->handshake->curves[0]->grp_id ) ) != 0 ) { SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret ); return( ret ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5ab4a5cbe..cafdcf092 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4145,6 +4145,10 @@ void ssl_handshake_free( ssl_handshake_params *handshake ) ecdh_free( &handshake->ecdh_ctx ); #endif +#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) + polarssl_free( handshake->curves ); +#endif + memset( handshake, 0, sizeof( ssl_handshake_params ) ); } From 705fcca409777ac730952375106c081654ba8901 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 23 Sep 2013 20:04:20 +0200 Subject: [PATCH 07/18] Adapt support for SNI to recent changes --- include/polarssl/ssl.h | 1 + library/ssl_srv.c | 22 +++++++++++++++++++- library/ssl_tls.c | 47 +++++++++++++++++++++++++----------------- 3 files changed, 50 insertions(+), 20 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 144c85256..d6db97807 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h 
@@ -494,6 +494,7 @@ struct _ssl_handshake_params #endif #if defined(POLARSSL_X509_CRT_PARSE_C) ssl_key_cert *key_cert; /*!< Own key/cert in use */ + int free_key_cert; /*!< Shall we free key_cert? */ #endif /* diff --git a/library/ssl_srv.c b/library/ssl_srv.c index df7709bd4..e291c53d1 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -338,6 +338,26 @@ static int ssl_parse_ticket( ssl_context *ssl, #endif /* POLARSSL_SSL_SESSION_TICKETS */ #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) +/* + * Wrapper around f_sni, allowing use of + * ssl_set_own_cert() but making it act on ssl->hanshake->key_cert instead. + */ +static int ssl_sni_wrapper( ssl_context *ssl, + const unsigned char* name, size_t len ) +{ + int ret; + ssl_key_cert *key_cert_ori = ssl->key_cert; + + ssl->key_cert = NULL; + ret = ssl->f_sni( ssl->p_sni, ssl, name, len ); + ssl->handshake->key_cert = ssl->key_cert; + ssl->handshake->free_key_cert = 1; + + ssl->key_cert = key_cert_ori; + + return( ret ); +} + static int ssl_parse_servername_ext( ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -365,7 +385,7 @@ static int ssl_parse_servername_ext( ssl_context *ssl, if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME ) { - ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len ); + ret = ssl_sni_wrapper( ssl, p + 3, hostname_len ); if( ret != 0 ) { ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index cafdcf092..a94751ba2 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
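Review bot: ssl_sni_wrapper() hands the callback's list to `ssl->handshake->key_cert` and sets `free_key_cert = 1`, but ssl_pick_cert() from the previous patch still iterates `ssl->key_cert` and then assigns `ssl->handshake->key_cert = cur`. Unless a later patch in the series changes that, and assuming ciphersuite selection runs after the SNI extension is parsed (the ordering is outside these hunks), the SNI list is never consulted and is leaked, and the `ssl_key_cert_free( handshake->key_cert )` added to ssl_handshake_free() would release nodes of the default list that ssl_free() releases again through `ssl->key_cert`. Keeping the SNI list head in its own handshake field, letting ssl_pick_cert() search that list when it is set, and freeing only that head would avoid both problems. The wrapper also overwrites, without freeing, a list left by an earlier invocation, and its comment should read `ssl->handshake->key_cert` rather than `ssl->hanshake->key_cert`.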
@@ -4136,6 +4136,27 @@ void ssl_transform_free( ssl_transform *transform ) memset( transform, 0, sizeof( ssl_transform ) ); } +#if defined(POLARSSL_X509_CRT_PARSE_C) +static void ssl_key_cert_free( ssl_key_cert *key_cert ) +{ + ssl_key_cert *cur = key_cert, *next; + + while( cur != NULL ) + { + next = cur->next; + + if( cur->key_own_alloc ) + { + pk_free( cur->key ); + polarssl_free( cur->key ); + } + polarssl_free( cur ); + + cur = next; + } +} +#endif /* POLARSSL_X509_CRT_PARSE_C */ + void ssl_handshake_free( ssl_handshake_params *handshake ) { #if defined(POLARSSL_DHM_C) @@ -4149,6 +4170,11 @@ void ssl_handshake_free( ssl_handshake_params *handshake ) polarssl_free( handshake->curves ); #endif +#if defined(POLARSSL_X509_CRT_PARSE_C) + if( handshake->free_key_cert != 0 ) + ssl_key_cert_free( handshake->key_cert ); +#endif + memset( handshake, 0, sizeof( ssl_handshake_params ) ); } @@ -4242,25 +4268,8 @@ void ssl_free( ssl_context *ssl ) #endif #if defined(POLARSSL_X509_CRT_PARSE_C) - if( ssl->key_cert != NULL ) - { - ssl_key_cert *cur = ssl->key_cert, *next; - - while( cur != NULL ) - { - next = cur->next; - - if( cur->key_own_alloc ) - { - pk_free( cur->key ); - polarssl_free( cur->key ); - } - polarssl_free( cur ); - - cur = next; - } - } -#endif /* POLARSSL_X509_CRT_PARSE_C */ + ssl_key_cert_free( ssl->key_cert ); +#endif #if defined(POLARSSL_SSL_HW_RECORD_ACCEL) if( ssl_hw_record_finish != NULL ) From 6a987f4a90e59f748d5b89e82ef1de8fb2c36d93 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 24 Sep 2013 18:38:12 +0200 Subject: [PATCH 08/18] Update EC certs to use NIST-256 and NIST-384 --- tests/data_files/cli2.crt | 14 ++++++ tests/data_files/cli2.key | 5 +++ tests/data_files/crl-ec-sha1.pem | 10 +++++ tests/data_files/crl-ec-sha224.pem | 14 +++--- tests/data_files/crl-ec-sha256.pem | 14 +++--- tests/data_files/crl-ec-sha384.pem | 14 +++--- tests/data_files/crl-ec-sha512.pem | 14 +++--- tests/data_files/crl-ec.pem | 10 ----- tests/data_files/server4.crt | 29 ++++++------ tests/data_files/server4.key | 43 +++++++++++------- tests/data_files/server5-badsign.crt | 23 +++++----- tests/data_files/server5-sha1.crt | 14 ++++++ tests/data_files/server5-sha224.crt | 21 ++++----- tests/data_files/server5-sha256.crt | 13 ------ tests/data_files/server5-sha384.crt | 21 ++++----- tests/data_files/server5-sha512.crt | 21 ++++----- tests/data_files/server5.crt | 23 +++++----- tests/data_files/server5.key | 6 +-- tests/data_files/server6.crt | 23 +++++----- tests/data_files/server6.key | 6 +-- tests/data_files/server7.crt | 29 +++++++----- tests/data_files/server7.key | 6 +-- tests/data_files/server7_int-ca.crt | 64 ++++++++++++++++---------- tests/data_files/server8.crt | 27 ++++++----- tests/data_files/server8.key | 35 +++++++++++---- tests/data_files/server8_int-ca2.crt | 60 ++++++++++++++----------- tests/data_files/test-ca2.crt | 25 ++++++----- tests/data_files/test-ca2.key | 7 +-- tests/data_files/test-ca_cat12.crt | 25 ++++++----- tests/data_files/test-ca_cat21.crt | 25 ++++++----- tests/data_files/test-int-ca.crt | 35 +++++++++------ tests/data_files/test-int-ca.key | 67 +++++++++++++++++++++------- tests/data_files/test-int-ca2.crt | 27 +++++------ tests/data_files/test-int-ca2.key | 7 +-- 34 files changed, 462 insertions(+), 315 deletions(-) create mode 100644 tests/data_files/cli2.crt create mode 100644 tests/data_files/cli2.key create mode 100644 tests/data_files/crl-ec-sha1.pem delete mode 
100644 tests/data_files/crl-ec.pem create mode 100644 tests/data_files/server5-sha1.crt delete mode 100644 tests/data_files/server5-sha256.crt diff --git a/tests/data_files/cli2.crt b/tests/data_files/cli2.crt new file mode 100644 index 000000000..2dfa51632 --- /dev/null +++ b/tests/data_files/cli2.crt @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICLDCCAbKgAwIBAgIBDTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjBBMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHzAdBgNVBAMTFlBvbGFyU1NMIFRlc3QgQ2xpZW50IDIw +WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARX5a6xc9/TrLuTuIH/Eq7u5lOszlVT +9jQOzC7jYyUL35ji81xgNpbA1RgUcOV/n9VLRRjlsGzVXPiWj4dwo+THo4GdMIGa +MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMG4GA1Ud +IwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC +CQDBQ+J+YkPM6DAKBggqhkjOPQQDAgNoADBlAjBKZQ17IIOimbmoD/yN7o89u3BM +lgOsjnhw3fIOoLIWy2WOGsk/LGF++DzvrRzuNiACMQCd8iem1XS4JK7haj8xocpU +LwjQje5PDGHfd3h9tP38Qknu5bJqws0md2KOKHyeV0U= +-----END CERTIFICATE----- diff --git a/tests/data_files/cli2.key b/tests/data_files/cli2.key new file mode 100644 index 000000000..e747d0943 --- /dev/null +++ b/tests/data_files/cli2.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49 +AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW +wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/crl-ec-sha1.pem b/tests/data_files/crl-ec-sha1.pem new file mode 100644 index 000000000..8358640a0 --- /dev/null +++ b/tests/data_files/crl-ec-sha1.pem 
@@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBbzCB9gIBATAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ +b2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQRcNMTMwOTI0MTYz +MTA4WhcNMjMwOTIyMTYzMTA4WjAUMBICAQoXDTEzMDkyNDE2MjgzOFqgcjBwMG4G +A1UdIwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJO +TDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMg +Q0GCCQDBQ+J+YkPM6DAJBgcqhkjOPQQBA2kAMGYCMQDVG95rrSSl4dJgbJ5vR1GW +svEuEsAh35EhF1WrcadMuCeMQVX9cUPupFfQUpHyMfoCMQCKf0yv8pN9BAoi3FVm +56meWPhUekgLKKMAobt2oJJY6feuiFU2YFGs1aF0rV6Bj+U= +-----END X509 CRL----- diff --git a/tests/data_files/crl-ec-sha224.pem b/tests/data_files/crl-ec-sha224.pem index bae7063ca..9131f104f 100644 --- a/tests/data_files/crl-ec-sha224.pem +++ b/tests/data_files/crl-ec-sha224.pem @@ -1,10 +1,10 @@ -----BEGIN X509 CRL----- -MIIBUDCB9wIBATAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI -UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDgwOTA4 -MDYzOFoXDTIzMDgwNzA4MDYzOFowFDASAgECFw0xMzA4MDkwODA0MDNaoHIwcDBu -BgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFCpEAwPjELMAkGA1UEBhMC +MIIBcDCB9wIBATAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI +UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2 +MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu +BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD -IENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwEDSAAwRQIge0CLFC7Ba9urAcQjRg2y -MlaoNZjFTLfgORXoVIr7qB0CIQD875hm+aual5qW62hMfHcb7W3BoU+vV1D42YyE -sd4POA== +IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwEDaAAwZQIwbn+i0dOest0IJGzuqBLA +V5nscZPvHjDV6lWsSwurS4LC/Uv/qWteuMCp3OqQRJHcAjEA6KA0dibovfL1WKFo +C8jUGxlMfHeWDRkqMfcjjgIpky7v50sKtDOfmFJn3HFUbiKp -----END X509 CRL----- diff --git a/tests/data_files/crl-ec-sha256.pem b/tests/data_files/crl-ec-sha256.pem index cc01f39e0..adfd5f893 100644 --- a/tests/data_files/crl-ec-sha256.pem +++ b/tests/data_files/crl-ec-sha256.pem 
@@ -1,10 +1,10 @@ -----BEGIN X509 CRL----- -MIIBTjCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI -UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDgwOTA4 -MDY0NFoXDTIzMDgwNzA4MDY0NFowFDASAgECFw0xMzA4MDkwODA0MDNaoHIwcDBu -BgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFCpEAwPjELMAkGA1UEBhMC +MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI +UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2 +MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu +BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD -IENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwIDRgAwQwIgZ8GDUEO/f6f6+yCdb6jj -/Sw0bkdVRGinNKBda4J87ksCHySC8j+ijdECxWR6O6Isxl9g47WSf+0tRslvqn0k -D9k= +IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln +S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX +g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw== -----END X509 CRL----- diff --git a/tests/data_files/crl-ec-sha384.pem b/tests/data_files/crl-ec-sha384.pem index 9c74f4d2f..b757abb18 100644 --- a/tests/data_files/crl-ec-sha384.pem +++ b/tests/data_files/crl-ec-sha384.pem 
@@ -1,10 +1,10 @@ -----BEGIN X509 CRL----- -MIIBUDCB9wIBATAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI -UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDgwOTA4 -MDY1MloXDTIzMDgwNzA4MDY1MlowFDASAgECFw0xMzA4MDkwODA0MDNaoHIwcDBu -BgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFCpEAwPjELMAkGA1UEBhMC +MIIBcDCB9wIBATAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI +UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2 +MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu +BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD -IENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwMDSAAwRQIhAJpojagrap1H0VYcCkfs -JK0a304u+NLa4fkL4Qe9dXRaAiB7gx0xZL0ePad7/PiFfsJgIhMrGiRHGTXnK121 -DgSMLw== +IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwMDaAAwZQIwateJaD13+Yi4HWBIlOov +8ZDsvnfQfW/R0A1s2ZccAi+byurShuNGiSvsFSh5d/6QAjEA427F8bNk/fdj5YXu +Oo1qEd7WpD2dNUb0draGSIcJGBRGzi5it14UXr9cR4S5eJ6Q -----END X509 CRL----- diff --git a/tests/data_files/crl-ec-sha512.pem b/tests/data_files/crl-ec-sha512.pem index 8d82a8c27..f7c9402a3 100644 --- a/tests/data_files/crl-ec-sha512.pem +++ b/tests/data_files/crl-ec-sha512.pem 
@@ -1,10 +1,10 @@ -----BEGIN X509 CRL----- -MIIBUDCB9wIBATAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI -UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDgwOTA4 -MDcwMVoXDTIzMDgwNzA4MDcwMVowFDASAgECFw0xMzA4MDkwODA0MDNaoHIwcDBu -BgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFCpEAwPjELMAkGA1UEBhMC +MIIBcTCB9wIBATAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI +UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2 +MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu +BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD -IENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwQDSAAwRQIgYkzK1SMOvmwq2qfkxQ/6 -nWz0QaNSVS589vInbPBrFt8CIQDQFZi4S+L7DN/WUl91o1xS6n9aTGoHOzaQS7Ym -fWUstQ== +IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwQDaQAwZgIxAL/VFrDIYUECsS0rVpAy +6zt/CqeAZ1sa/l5LTaG1XW286n2Kibipr6EpkYZNYIQILgIxAI0wb3Py1DHPWpYf +/BFBH7C3KYq+nWTrLeEnhrjU1LzG/CiQ8lnuskya6lw/P3lJ/A== -----END X509 CRL----- diff --git a/tests/data_files/crl-ec.pem b/tests/data_files/crl-ec.pem deleted file mode 100644 index 5388d7e42..000000000 --- a/tests/data_files/crl-ec.pem +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN X509 CRL----- -MIIBTTCB9gIBATAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ -b2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQRcNMTMwODA5MDgw -NjI2WhcNMjMwODA3MDgwNjI2WjAUMBICAQIXDTEzMDgwOTA4MDQwM1qgcjBwMG4G -A1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKkQDA+MQswCQYDVQQGEwJO -TDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMg -Q0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0cAMEQCIDbClXv2qJc1OgDtaxLWogdO -5x51dupuJ8N+Oa2S1aPJAiBJWFhnRZRvqVRMhkJ5NQquR+crofroBOOrrdmlHvC3 -+g== ------END X509 CRL----- diff --git a/tests/data_files/server4.crt b/tests/data_files/server4.crt index ccebbd873..96b1aa772 100644 --- a/tests/data_files/server4.crt +++ b/tests/data_files/server4.crt 
@@ -1,15 +1,18 @@ -----BEGIN CERTIFICATE----- -MIICRDCCAeugAwIBAgIBBDAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x -MzA4MDkwNzU3NTdaFw0yMzA4MDcwNzU3NTdaMDQxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEB -AQUAA4GNADCBiQKBgQCrySYRCWA2hMyRyGXtO58nVCboGjDXfw+T78yfzrQUFMmG -sMsrjnVriz8TboJla9G5l0BO/KVInrs4X5CBJkAy1TZoJy8QJoYwfDFXQ+x2hH9l -23BF0Mom1frAJl/ju9TzIhqGM2zCFcVHH1ACCxstDp9nqEWN1B0YVW02th8pHwID -AQABo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFBfZRL1Q6LhG2+zv4wFMS8Yw -taURMG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKkQDA+MQswCQYD -VQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRl -c3QgRUMgQ0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0gAMEUCICi0VueSFiU2O5MP -LBPbu0Lsm4kCbWJA34HteefA29wWAiEAne8oWL9ILDpqhuB0wEv5PpKMuXLC2A1e -ATV35ATh3EM= +MIIC6jCCAnCgAwIBAgIBCDAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKvXjL5VfYc7D/truqEpYcZcvlUhnuCNDJctYDJL +vgYYj5uxDxLHBXvnEHLgO5K+lps42p+r/dd4oE64ttRoeZZUvr+7eBnW35n0EpPA +Ik9Gwu+vg7GfxmifgIR8hZnOQkt2OjvvpChPCxvUailtB450Izh+mEK/hYFr+7Jl +NnxR1XQlbbyDM7Ect1HwYcuS3MBlBqq048J+0KEkQXICSjKeHFga9eDCq+Jyfqe5 +bt0K30hl1N0164B7aoh08Eomme+aSuAsz+MsJ3m7AO2DUYdrDxlrky1QrvRWWfX0 +d8djTM+uHTo1DviRM6o9+P9DfoFd53/Z0Km03sVLQWvUrhECAwEAAaOBnTCBmjAJ +BgNVHRMEAjAAMB0GA1UdDgQWBBTAlAm1+0L41mhqYWjFiejsRVrGeTBuBgNVHSME +ZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMCTkwxETAP +BgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVDIENBggkA +wUPifmJDzOgwCgYIKoZIzj0EAwIDaAAwZQIxAPWlxnMcjBaxaVieQYSLBqzizS3/ +O8Na6owRGPk0/UK+j5O9NTBHk+uXW/fQblKamQIwUQl4dl6gkRDE4rBR/yGjZZ1Z +3dEpvL2Wimt3keD7AcLpYB2FJ1mVcY1XQUeK1Vfc -----END CERTIFICATE----- 
diff --git a/tests/data_files/server4.key b/tests/data_files/server4.key index ba6cf23c8..9e4daee4a 100644 --- a/tests/data_files/server4.key +++ b/tests/data_files/server4.key 
@@ -1,16 +1,27 @@ ------BEGIN PRIVATE KEY----- -MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKvJJhEJYDaEzJHI -Ze07nydUJugaMNd/D5PvzJ/OtBQUyYawyyuOdWuLPxNugmVr0bmXQE78pUieuzhf -kIEmQDLVNmgnLxAmhjB8MVdD7HaEf2XbcEXQyibV+sAmX+O71PMiGoYzbMIVxUcf -UAILGy0On2eoRY3UHRhVbTa2HykfAgMBAAECgYALAPmFQdp944fPFs0gox8Qv902 -JOdYBnWS/ltXKUBzwNkf3ZdGFPwEhYjmz79ei8eFYeDmrlxQCIrpk4WIIFEgVZZA -DRFZSQDIm6i+KSKWX6dFG/ot6VBzahKX24TUNuPhTrYUb+vkqxifbN/ItXcfcG2Z -HB7AZl2RgRbeJGI/IQJBANJCx2dkCIKsrC21cAuq+fbxtSdzGho4hF1jsDHOjoCh -x53BCivk1tL0kLcmLPbJnH2KvzTV4YrizAoGKFneiokCQQDRJ7pnKabHs9qhF6kl -6m9dxAoGmeZY4RwodcVOqAjHFeMI9eSNLpsxava2RJFQVagCzwuft5lvhqeaxxZ0 -nwxnAkBFcKCCWNsmrPhAMEfM0q6zC6iUWsMoHbo5TY8HI/yUJtnSE8rULEN2cCbL -FeSLrJHuNEBppqlSQQy50sbIx2JhAkEAug8ZZ0RKNUTtrHib5DrUrxkBwjWOEGrQ -3b1GtF4O0OvLd+EmW+Gl9SQuLJ56lnhcaYM91+s/91JWLv4EH+KM6QJADR52KML6 -0IvPiOv8i98U+H5GvYT7pla+F61Y2i/h7M7wpANR8hAwK9IQ2eloeGQ3Fmyedd9l -kHGxNTIgEkw3uQ== ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAq9eMvlV9hzsP+2u6oSlhxly+VSGe4I0Mly1gMku+BhiPm7EP +EscFe+cQcuA7kr6Wmzjan6v913igTri21Gh5llS+v7t4GdbfmfQSk8AiT0bC76+D +sZ/GaJ+AhHyFmc5CS3Y6O++kKE8LG9RqKW0HjnQjOH6YQr+FgWv7smU2fFHVdCVt +vIMzsRy3UfBhy5LcwGUGqrTjwn7QoSRBcgJKMp4cWBr14MKr4nJ+p7lu3QrfSGXU +3TXrgHtqiHTwSiaZ75pK4CzP4ywnebsA7YNRh2sPGWuTLVCu9FZZ9fR3x2NMz64d +OjUO+JEzqj34/0N+gV3nf9nQqbTexUtBa9SuEQIDAQABAoIBAHnxtYvgCPttG1NU +yJTTU/I7IEozWJaLIZMqfShT/Z4/0bEvfb3ag/bAKzkKDNx+6Utvlh1XJQTCMiiL +BhtHpHjc3JwdAgZ8KCMNRB2ba/2L/ouupqrm8hqOjdn2r6xM5Vi9pmegEIMWTJDM +NSX+nC0oF1Jg69X6KViFc5DOKFMhacSEwLJkv/EqCgdWaBoqMlTtTWKdm34xSN2L +P5o9kOgihTBNUUnVBUWJiT7C6bBAFwb1rECpvNOk6h+lvG+fSDZKYdwBrAsKspIy +/aXZD4qaicefGblrHcZv2og/zYkFs4riWNOmglxZyrK/3rFFk0B8mBk1mWQvrK7+ +Jq/R4k0CgYEA0hO29hJjeTBDdOWgzyXr5uppmR1WU7fv/Jy8PLRMvUvmiMQqRDK3 +zwGc6H938wdsubpdTCLPhq0rhDCTqtwIEAuFjZIYJs4yZzfy6klaD3516iIgb+W7 +fe1RkYMBp9wV0x272vzP4Y5p/fzp5xhvN52OkhQsjHRHewfDaUwSFScCgYEA0Wgi +kGVK6OxzoMCgiWx/L+y3yrYuHdWANTIIa5RvZk4UQqEFkGYGVP1rpbB/fAa1Yqev 
+qXkLZqad2dhJCuBVryGt29CHsbnEQ/QuTwlGmyZj1U8NnJBgNCPTdmGTBIm/7w9S +ESZ48bUlcqzsZn1Big/A6JX1e5i9b/1jyozNVgcCgYEAnRZc49iQRZjPeGQVQZEL +u5ph6DrFyMhsTistnv77uzk8Y9y79k8unz6HhFt86GAO7zrqdPo60GxBdBGW+laa +ONVEwr4SDUJ28jQmEwdSru9TYQav1ryk3N9O9U5POKQcNcewJ2qQUAvcOi6bAVGG +KMJKT/WB8m0o3ljJyL03cFUCgYBoHFTq42Fd8oj+SCbIjCej5RXvc6nz7Tzjta9Y +BSFphLIv+ixxAThustv9MYYAXLl7hhEgueyAKaBbOVv/S09uVdlBayi7pLc+bb1E +UEFJS8nguH/08hbSdWlh9tsIK5BAQ6ayniUNTtmCbRTPU8Ds6i4ntL6qp2KvthQS +FPTVqwKBgQC8m2sJapMms0/7EeGpUwMO+WNCHeRyujnriWYL8Kms0lmAn8NrQoA5 +wgbx0nZ/VrXtLPGHy915jxDXOU1Yc2gqEf5Qm/GnByUuml1mUSldiPciSJvKzMqP +LeWnb62HD60t/zwstN20Yzt6mBLocm1PPdPhPweI/EF6pSgvlw5NTw== +-----END RSA PRIVATE KEY----- diff --git a/tests/data_files/server5-badsign.crt b/tests/data_files/server5-badsign.crt index 8e6024353..0c6507233 100644 --- a/tests/data_files/server5-badsign.crt +++ b/tests/data_files/server5-badsign.crt 
@@ -1,13 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIB7TCCAZSgAwIBAgIBAzAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x -MzA4MDkwNzU3NDBaFw0yMzA4MDcwNzU3NDBaMDQxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MEkwEwYHKoZIzj0CAQYI -KoZIzj0DAQEDMgAEy0Lh3ZfhEwBiC8jmJfEg8NGxCDqHEtz+hPgYs37hDz9wTOoY -+CJDtEUcDedgFCpqo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFKItALYotNzi -cfBPd7LwETtkYmdBMG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk -QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv -bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0gAMEUCIE/J -rb3TrYL+z1OsZ2rtCmji7hrPj570X4Qkm1Pb5QEvAiEAiq46sM0+1DSAU0u8FcuL -jbRvSP9W7EJjb9QR3zNYbf4= +MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA +2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB +PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh +clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG +CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S +C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V +fGa5kHvHARBPc8YAIVIqDvHH1A== -----END CERTIFICATE----- diff --git a/tests/data_files/server5-sha1.crt b/tests/data_files/server5-sha1.crt new file mode 100644 index 000000000..73e2d1745 --- /dev/null +++ b/tests/data_files/server5-sha1.crt 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHTCCAaSgAwIBAgIBEjAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x +MzA5MjQxNjIxMjdaFw0yMzA5MjIxNjIxMjdaMDQxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDY +IxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6OBnTCBmjAJBgNVHRMEAjAAMB0G +A1UdDgQWBBRQYaWP1AfZ14IBDOVlf4xjRqcTvjBuBgNVHSMEZzBlgBSdbSAkSQE/ +K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFy +U1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVDIENBggkAwUPifmJDzOgwCQYH +KoZIzj0EAQNoADBlAjEAyjvzRWtxbXvkoYTYSQY9gFBpP7/wTZ2q6FbRiAuZULFt +lc0PMPDfVZChgA6iDH+BAjBdkOb73f2pOwZpMRqrOgqSynbt2uWY87mC5lRlNEoR +WXEv1AzIeBCv+81DN1Iuu4w= +-----END CERTIFICATE----- diff --git a/tests/data_files/server5-sha224.crt b/tests/data_files/server5-sha224.crt index 1bda4fb38..47b11688c 100644 --- a/tests/data_files/server5-sha224.crt +++ b/tests/data_files/server5-sha224.crt 
@@ -1,13 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIB7jCCAZWgAwIBAgIBBjAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8G +MIICIDCCAaWgAwIBAgIBEzAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8G A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTMwODA5MDgwODEyWhcNMjMwODA3MDgwODEyWjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG -CCqGSM49AwEBAzIABMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzq -GPgiQ7RFHA3nYBQqaqOBnTCBmjAJBgNVHRMEAjAAMB0GA1UdDgQWBBSiLQC2KLTc -4nHwT3ey8BE7ZGJnQTBuBgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFC -pEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQ -b2xhcnNzbCBUZXN0IEVDIENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwEDRwAwRAIg -Xm1nvMzdlO+q5tGATM/IPZxuWSZQqFqwqqdlDEe2OCcCIEbPknZFIjopDpOBMSuU -k+VDnNYzQajkdeM9T5XqaX6B +MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA +2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB +PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh +clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG +CCqGSM49BAMBA2kAMGYCMQCj0EyFUzDRmfokWzLVEWN0epR4/sZytfIeozp6BqWH +qaTBdAR2vthIKC7dKuUkg34CMQD6YtB2O9Vso79gbzSen2qh7gK7VvGE+31EVPbR +Ce/oNG/3OfhRSdn3FOvBBg2UErM= -----END CERTIFICATE----- diff --git a/tests/data_files/server5-sha256.crt b/tests/data_files/server5-sha256.crt deleted file mode 100644 index 43ac60aa3..000000000 --- a/tests/data_files/server5-sha256.crt +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIB7zCCAZWgAwIBAgIBBzAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTMwODA5MDgwODE3WhcNMjMwODA3MDgwODE3WjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG -CCqGSM49AwEBAzIABMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzq -GPgiQ7RFHA3nYBQqaqOBnTCBmjAJBgNVHRMEAjAAMB0GA1UdDgQWBBSiLQC2KLTc -4nHwT3ey8BE7ZGJnQTBuBgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFC -pEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQ -b2xhcnNzbCBUZXN0IEVDIENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwIDSAAwRQIh -ALfqO3j3gA18v/MG+s5CJfNGBeeRIttASyiO3FOiZUfeAiBoid6STq5AvS1c9Olm -Vk7wB2zYU9v6sSoR99csMz4TTQ== ------END CERTIFICATE----- diff --git a/tests/data_files/server5-sha384.crt b/tests/data_files/server5-sha384.crt index cb727e7c8..5d6a79b2f 100644 --- a/tests/data_files/server5-sha384.crt +++ b/tests/data_files/server5-sha384.crt 
@@ -1,13 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIB7zCCAZWgAwIBAgIBCDAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8G +MIICHzCCAaWgAwIBAgIBFDAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8G A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTMwODA5MDgwODI1WhcNMjMwODA3MDgwODI1WjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG -CCqGSM49AwEBAzIABMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzq -GPgiQ7RFHA3nYBQqaqOBnTCBmjAJBgNVHRMEAjAAMB0GA1UdDgQWBBSiLQC2KLTc -4nHwT3ey8BE7ZGJnQTBuBgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFC -pEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQ -b2xhcnNzbCBUZXN0IEVDIENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwMDSAAwRQIh -ANRFz89Cp8ohvDHX94h+pftXR34mhGqzzi3xidVj1Sg8AiBOv+ChIGVXGmM3RFvj -kOaH0pCTLJQEpIAj5jlaCw9tDA== +MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA +2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB +PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh +clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG +CCqGSM49BAMDA2gAMGUCMQCnsd/6VB2kLIqMRsWdkJvRaQROyAg78CQExFEY3CMv +9t0kWRXPc4nCMH69RjQVvC4CMB4lk9A7hnX2zQy3bbUhOCOvXcsQdEe8AMgJBviz +5Nob2wThRqsm1wjCF60fyzXWuA== -----END CERTIFICATE----- diff --git a/tests/data_files/server5-sha512.crt b/tests/data_files/server5-sha512.crt index 44f4041fd..16112ac54 100644 --- a/tests/data_files/server5-sha512.crt +++ b/tests/data_files/server5-sha512.crt 
@@ -1,13 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIB7zCCAZWgAwIBAgIBCTAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8G +MIICHzCCAaWgAwIBAgIBFTAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8G A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTMwODA5MDgwODMyWhcNMjMwODA3MDgwODMyWjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG -CCqGSM49AwEBAzIABMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzq -GPgiQ7RFHA3nYBQqaqOBnTCBmjAJBgNVHRMEAjAAMB0GA1UdDgQWBBSiLQC2KLTc -4nHwT3ey8BE7ZGJnQTBuBgNVHSMEZzBlgBS8QO+57pq7NjnhLamiuiy7pr0QcaFC -pEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQ -b2xhcnNzbCBUZXN0IEVDIENBggkArUJ5dp5y9uEwCgYIKoZIzj0EAwQDSAAwRQIh -AN5rRzdwAbgA4scB15w5W9DPJ6w7Q7QiEnV7PV5IAXX4AiBAFnODGe6Lk7C5YYYU -dANkEzunQUZNP1qh24SgeqBUNg== +MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA +2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB +PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh +clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG +CCqGSM49BAMEA2gAMGUCMFPL2OI8arcbRlKAbRb/YfGibo4Mwts8KX3fOuRCbXEn +pDWeb82kBqfXwzPJwamFOwIxAPGzyhWrxn0qEynWV5nzFK02PYBnYFgClISyyudH +HJGHtbEVRc5JA8ALnggaLVpuvg== -----END CERTIFICATE----- diff --git a/tests/data_files/server5.crt b/tests/data_files/server5.crt index b42abf2e1..459742828 100644 --- a/tests/data_files/server5.crt +++ b/tests/data_files/server5.crt 
@@ -1,13 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIB7TCCAZSgAwIBAgIBAzAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x -MzA4MDkwNzU3NDBaFw0yMzA4MDcwNzU3NDBaMDQxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MEkwEwYHKoZIzj0CAQYI -KoZIzj0DAQEDMgAEy0Lh3ZfhEwBiC8jmJfEg8NGxCDqHEtz+hPgYs37hDz9wTOoY -+CJDtEUcDedgFCpqo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFKItALYotNzi -cfBPd7LwETtkYmdBMG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk -QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv -bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0gAMEUCIE/J -rb3TrYL+z1OsZ2rtCmji7hrPj570X4Qkm1Pb5QEvAiEAiq46sM0+1DSAU0u8FcuL -jbRvSP9W7EJjb9QR3zNYbX4= +MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA +2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB +PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh +clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG +CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S +C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V +fGa5kHvHARBPc8YAIVIqDvHH1Q== -----END CERTIFICATE----- diff --git a/tests/data_files/server5.key b/tests/data_files/server5.key index 844bb4498..c8459ee46 100644 --- a/tests/data_files/server5.key +++ b/tests/data_files/server5.key 
@@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MF8CAQEEGO82j8OXBoUhVyauCA8XZ288l595u7BXWqAKBggqhkjOPQMBAaE0AzIA -BMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzqGPgiQ7RFHA3nYBQq -ag== +MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49 +AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/ +6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w== -----END EC PRIVATE KEY----- diff --git a/tests/data_files/server6.crt b/tests/data_files/server6.crt index b5f210f9a..6df671686 100644 --- a/tests/data_files/server6.crt +++ b/tests/data_files/server6.crt 
@@ -1,13 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIB7TCCAZSgAwIBAgIBAjAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x -MzA4MDkwNzU3MjZaFw0yMzA4MDcwNzU3MjZaMDQxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MEkwEwYHKoZIzj0CAQYI -KoZIzj0DAQEDMgAEE2sIbSZOSEinZM3q2MMOy8egM8Y9BAcsuwxO9UpS1B8nT9u1 -1bvjTh5VQAgJAU+Oo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFDYreWnU1s1J -AG49ALPOQliFaJahMG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk -QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv -bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0gAMEUCICDC -Qiv7ypgB4K9x6mf3UvYmdfLHzRkUHyP2FoY/GnFwAiEAr/WVRRw8tPZq3kKaMApQ -OLFV/1jRkCd3i9vpRfdZjsI= +MIICIDCCAaWgAwIBAgIBCjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABIFZMXZJJPoVraugMW4O7TMR+pElVcGwwZwDcj6Yui2kcjeJ +H0M3jR+OOtjwV+gvT8kApPfbcw+yxgSU0UA7OOOjgZ0wgZowCQYDVR0TBAIwADAd +BgNVHQ4EFgQUfmWPPjMDFOXhvmCy4IV/jOdgK3swbgYDVR0jBGcwZYAUnW0gJEkB +PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh +clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG +CCqGSM49BAMCA2kAMGYCMQCsYTyleBFuI4nizuxo/ie5dxJnD0ynwCnRJ+84PZP4 +AQA3HdUz0qNYs4CZ2am9Gz0CMQDr2TNLFA3C3S3pmgXMT0eKzR1Ca1/Nulf0llQZ +Xj09kLboxuemP40IIqhQnpYptMg= -----END CERTIFICATE----- diff --git a/tests/data_files/server6.key b/tests/data_files/server6.key index 9b582dc4b..1311cfa21 100644 --- a/tests/data_files/server6.key +++ b/tests/data_files/server6.key 
@@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MF8CAQEEGD5d3O02N8S/dSjU0RmPK8h2TEH64xPN6qAKBggqhkjOPQMBAaE0AzIA -BBNrCG0mTkhIp2TN6tjDDsvHoDPGPQQHLLsMTvVKUtQfJ0/btdW7404eVUAICQFP -jg== +MHcCAQEEIEQZG5j8IkRLxa9OoZJzD3KkrXqIgi9cHZMVv2s/VcPOoAoGCCqGSM49 +AwEHoUQDQgAEgVkxdkkk+hWtq6Axbg7tMxH6kSVVwbDBnANyPpi6LaRyN4kfQzeN +H4462PBX6C9PyQCk99tzD7LGBJTRQDs44w== -----END EC PRIVATE KEY----- diff --git a/tests/data_files/server7.crt b/tests/data_files/server7.crt index 5040bec9a..ed087ef61 100644 --- a/tests/data_files/server7.crt +++ b/tests/data_files/server7.crt 
@@ -1,14 +1,23 @@ -----BEGIN CERTIFICATE----- -MIICMTCCAZqgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJOTDER +MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt -ZWRpYXRlIENBMB4XDTEzMDgxMDA5Mzc1OVoXDTIzMDgwODA5Mzc1OVowNDELMAkG +ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw -STATBgcqhkjOPQIBBggqhkjOPQMBAQMyAATLQuHdl+ETAGILyOYl8SDw0bEIOocS -3P6E+BizfuEPP3BM6hj4IkO0RRwN52AUKmqjgZUwgZIwCQYDVR0TBAIwADAdBgNV -HQ4EFgQUoi0Atii03OJx8E93svARO2RiZ0EwZgYDVR0jBF8wXYAUSWP5COj9AlpE -9UEpjc+8T9LAHryhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNT -TDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIBDzANBgkqhkiG9w0BAQUF -AAOBgQDXdaDKbre+goT5vJ8GHr3APTsHed40sS/UvbGtjC4XsZ+liUMhAZn85nWd -95FifmASBWG7R8eyU+nOL1yDQNxIcN1nqzX+UNUnXI5P2gNLF+lllr9T9zYmFo4s -Qg4vVTIZIidwJtB60ZwboTx1au0bDPGDF1oniyLPBJdwcY4jsA== +WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m +47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS +MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud +IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC +AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr +FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr +8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj ++gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7 +QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm +yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK +TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e +deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM +0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b +OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj 
+VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp +a8Si6UK5 -----END CERTIFICATE----- diff --git a/tests/data_files/server7.key b/tests/data_files/server7.key index 844bb4498..0088331ea 100644 --- a/tests/data_files/server7.key +++ b/tests/data_files/server7.key @@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MF8CAQEEGO82j8OXBoUhVyauCA8XZ288l595u7BXWqAKBggqhkjOPQMBAaE0AzIA -BMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzqGPgiQ7RFHA3nYBQq -ag== +MHcCAQEEILBDMs7bRVxVg6ovTpf2zB9m+22jY7R3LNKRvCPfa6YJoAoGCCqGSM49 +AwEHoUQDQgAEHG336dql6qGcsnIZqAkcc63eFbvepuOzTwXobRAuOmk3l4A5wXX/ +vs5wAawLX1wUTUM/AESHmAZrJK9tq5So8g== -----END EC PRIVATE KEY----- diff --git a/tests/data_files/server7_int-ca.crt b/tests/data_files/server7_int-ca.crt index 75c9dc612..d3ddc46a8 100644 --- a/tests/data_files/server7_int-ca.crt +++ b/tests/data_files/server7_int-ca.crt 
@@ -1,29 +1,47 @@ -----BEGIN CERTIFICATE----- -MIICMTCCAZqgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJOTDER +MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt -ZWRpYXRlIENBMB4XDTEzMDgxMDA5Mzc1OVoXDTIzMDgwODA5Mzc1OVowNDELMAkG +ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw -STATBgcqhkjOPQIBBggqhkjOPQMBAQMyAATLQuHdl+ETAGILyOYl8SDw0bEIOocS -3P6E+BizfuEPP3BM6hj4IkO0RRwN52AUKmqjgZUwgZIwCQYDVR0TBAIwADAdBgNV -HQ4EFgQUoi0Atii03OJx8E93svARO2RiZ0EwZgYDVR0jBF8wXYAUSWP5COj9AlpE -9UEpjc+8T9LAHryhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNT -TDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIBDzANBgkqhkiG9w0BAQUF -AAOBgQDXdaDKbre+goT5vJ8GHr3APTsHed40sS/UvbGtjC4XsZ+liUMhAZn85nWd -95FifmASBWG7R8eyU+nOL1yDQNxIcN1nqzX+UNUnXI5P2gNLF+lllr9T9zYmFo4s -Qg4vVTIZIidwJtB60ZwboTx1au0bDPGDF1oniyLPBJdwcY4jsA== +WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m +47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS +MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud +IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC +AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr +FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr +8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj ++gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7 +QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm +yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK +TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e +deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM +0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b +OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj 
+VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp +a8Si6UK5 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIICWjCCAgKgAwIBAgIBDzAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x -MzA4MTAwOTA4NTFaFw0yMzA4MTAwOTA4NTFaMEgxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEmMCQGA1UEAxMdUG9sYXJTU0wgVGVzdCBJbnRlcm1lZGlh -dGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN/CgAVAhMzUJ7kFpAjx -7vwq2Vs4qmy6nuwOJ7UNBHXaWKSBUUP9KhExuTGMeNvYZmLiwfrd7p22Cgj1VFwp -V/5FEuEk4C7pXSZxqn2bXTaD1ivOVu9I0yKmA3+95f34V72fiqQ2U/SssGhI0EX4 -pSMEEbX8NOR31MCFut8ACzQ1AgMBAAGjgaAwgZ0wHQYDVR0OBBYEFElj+Qjo/QJa -RPVBKY3PvE/SwB68MG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk -QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv -bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAMBgNVHRMEBTADAQH/MAkGByqG -SM49BAEDRwAwRAIgfIwD+A0rcrrJWKLR1g88ImIx5765D0ZAixZy9Q1j8EgCIFPo -AAs001kkpocmMwGv3Mz8bYCK+0GwSteAoWtZmTz0 +MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq +vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR +wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF +CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g +Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q +AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2 +qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM +uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA +kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P +d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br +Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg 
+updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY +a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7 +NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE +AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w +CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG +i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9 +Af5cNR8KhzegznL6amRObGGKmX1F -----END CERTIFICATE----- diff --git a/tests/data_files/server8.crt b/tests/data_files/server8.crt index 533006087..b435b2deb 100644 --- a/tests/data_files/server8.crt +++ b/tests/data_files/server8.crt 
@@ -1,13 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIB4TCCAZmgAwIBAgIBAzAJBgcqhkjOPQQBMEsxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEpMCcGA1UEAxMgUG9sYXJTU0wgVGVzdCBJbnRlcm1lZGlh -dGUgRUMgQ0EwHhcNMTMwODEwMTA0ODQyWhcNMjMwODEwMTA0ODQyWjA0MQswCQYD -VQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJ -MBMGByqGSM49AgEGCCqGSM49AwEBAzIABH0AoQyUhPABS38y67uEVs4O3RXmKKrB -dUR7/L2QPB8EC2p5fQcsej6EFasvlTdJ/6OBlTCBkjAdBgNVHQ4EFgQU5BdrNrIG -iTrZXkO24GR9h6t93jcwYwYDVR0jBFwwWoAUsdlE7s/zeovBx8go2LphSL+Nu9mh -P6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQ -UG9sYXJTU0wgVGVzdCBDQYIBETAMBgNVHRMEBTADAQH/MAkGByqGSM49BAEDNwAw -NAIYPH5MSjau/MPc+rjSbYt+Q9rlv4idlJ84AhhWuxV7gaFzJzCs7acgX6WbfOAB -SAnWzz4= +MIIC6zCCAnKgAwIBAgIBETAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMB4XDTEzMDkyNDE2MTI1NloXDTIzMDkyMjE2MTI1NlowNDELMAkG +A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbHH8uC82/ztF1EKCiuM59 +quIF4HrYRGOPtb3AsBm5N7gZSg7xXXSAZ0aHBt5bfwYDvcGNXgcV1Fv03OXPPfnB +ESyuarmKvR1nZhfqTr3bFZqCh+TweMOjhYew/Z+pmV/jM+zM6gu1YV7xSX4/oy3q +AQzMQpp2m8TQN9OxFwFhARZZfhwXw1P90XLLTGAV2n3i6q1Q747ii9Rqd1XWcNlr +u/HuOQQ4o73i0eBma+KcR5npKOa2/C7KZ0OE6NWD1p2YawE+gdw8esr585z31igb +J3h8w9DVY6eBNImtJWq98urt+lf85TTGwQ9xLdIIEButREHg/nmgY5OKsV3psO5v +AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU4j/mLfTnuKaM3G0XpxhA +J2F2Dx0wYwYDVR0jBFwwWoAUD4m9Y0Hry14XKP9oMD3BiNCcWDmhP6Q9MDsxCzAJ +BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg +VGVzdCBDQYIBDzAKBggqhkjOPQQDAgNnADBkAjBkP1bGlZvxnYySZjdBq4m8lkyz +2cjfqjYs8COEkRkONaVz7888HvFdGpL98uQeFvECMHCyCrHprkGzvq/L9kUnx9Bh +2IHbCzbbi9moYC1XcOxgfsEKmhtVF/uQdf8+3VtGqA== -----END CERTIFICATE----- diff --git a/tests/data_files/server8.key b/tests/data_files/server8.key index 447925831..aa9941ec1 100644 --- a/tests/data_files/server8.key +++ b/tests/data_files/server8.key 
@@ -1,8 +1,27 @@ ------BEGIN EC PARAMETERS----- -BggqhkjOPQMBAQ== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MF8CAQEEGItTogpE7AOnjvYuTqm+9OabmsX02XKIAqAKBggqhkjOPQMBAaE0AzIA -BH0AoQyUhPABS38y67uEVs4O3RXmKKrBdUR7/L2QPB8EC2p5fQcsej6EFasvlTdJ -/w== ------END EC PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2xx/LgvNv87RdRCgorjOfariBeB62ERjj7W9wLAZuTe4GUoO +8V10gGdGhwbeW38GA73BjV4HFdRb9Nzlzz35wREsrmq5ir0dZ2YX6k692xWagofk +8HjDo4WHsP2fqZlf4zPszOoLtWFe8Ul+P6Mt6gEMzEKadpvE0DfTsRcBYQEWWX4c +F8NT/dFyy0xgFdp94uqtUO+O4ovUandV1nDZa7vx7jkEOKO94tHgZmvinEeZ6Sjm +tvwuymdDhOjVg9admGsBPoHcPHrK+fOc99YoGyd4fMPQ1WOngTSJrSVqvfLq7fpX +/OU0xsEPcS3SCBAbrURB4P55oGOTirFd6bDubwIDAQABAoIBAFvf3xQXrvY2am2D +w1d31l2rQYrlTZ1RT836js41CRQ44OD5xLpATZFpvJDxuFr1MDhxYK8+NgpZORW7 +akEz432pDes0pQgftCyfCngc/E7ZCCijgsOyX5Y5b2QvdLtQrHxAUZK6sJ4lbgIO +pvlYGvB78DnV057YQfZs8j7XPqTFYVNlIx6xCFxwiMTeUGZvSrN8CpKT/5zsSE5d +xX2alaYiWl2oSOI7axrtpMEXAI0A/O/N1mI+n3cs15cfAJa/fMjEMmGz0Pqg5IlS +IwZWpr6BzbdHldO/XlVErKMo4lADUmsr2d+q3vfQmLEAyizp7OmU9vc+DXcK9jH+ +aDd0gcECgYEA7SAVA/banYejN7Ovn84pJ+mguINMwPFZd9eW9op1PgRryGCpdh77 +qV64YIjFhwt1JQQIf5GCPD5Um0Z8mY59a6MU+sJGGB7xwVuCuXbDAKJJF6/58f7/ +MoLzsoQFy50TpA90T0WOvMWDnWSLTYjRr1fFTKNWNcvPoFOnmAydGbUCgYEA7I1X +mCFRSGiu0NdN2j7mwtTudI4m/qyYfUQxpSvvgN2DSHtG56h8Dz1w7CpNlLDHodPP +e8oiXMS/bBBNwWHu9hxhBqdmvj4C+K5Ax0EKYx7CsHWK7BJ8u8Ak8xwaufMiejt5 +ioJhI4pyukBEqJbnuzmuDcuoqxPF1ZTmM/WzrhMCgYBi5V9+cMUKsFhFUf6sUqpd +iBXM/o3TZpVe4x6GIob1X5ioUJA8wH1LTULul/xx7zhjQMRemAxOHdzhictLq97p +NnH4h2/+fWFsuELUIREBQa3kYDOJV0WOBomm6WMVYaSgZwWmTidS2bmjuhxTMP3q ++FtENFcvRpqIjns2cgRPhQKBgQDcjhia5o2z9q7wV57mG3nrNL+0ewoOsHxpZ5jm +SSXBQEf038RHoIczanUMLZEyTvWDhErTP690UZmtNzJYWWiFngY1PwYD4SvCFC6f +2ZvGuVqLTr0dyUr1f3y0E4Mz12dREn0LUO8jRSYdVGjvy+v6XBhWEoqMIB54OqG8 +1p0WcwKBgF4KfzBOi1DarCuxaa6huUdNc8efog5GO1lmNenKlRuPLp5wp3qvWsyH +blfbtJQNE1DhbDGwmzPCGLc3wXx0t0gCrcMkxoRATFMNOSLodG7Mbkj9AoEMx94X +XYfi5vYftbEUmZeZtHZBI3o3up/xtPcuGNlb8BSIIOaQtIYybxKa +-----END RSA PRIVATE KEY----- 
diff --git a/tests/data_files/server8_int-ca2.crt b/tests/data_files/server8_int-ca2.crt
index e43e6b8ca..7a8da717d 100644
--- a/tests/data_files/server8_int-ca2.crt
+++ b/tests/data_files/server8_int-ca2.crt
@@ -1,30 +1,36 @@ -----BEGIN CERTIFICATE----- -MIIB4TCCAZmgAwIBAgIBAzAJBgcqhkjOPQQBMEsxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEpMCcGA1UEAxMgUG9sYXJTU0wgVGVzdCBJbnRlcm1lZGlh -dGUgRUMgQ0EwHhcNMTMwODEwMTA0ODQyWhcNMjMwODEwMTA0ODQyWjA0MQswCQYD -VQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJ -MBMGByqGSM49AgEGCCqGSM49AwEBAzIABH0AoQyUhPABS38y67uEVs4O3RXmKKrB -dUR7/L2QPB8EC2p5fQcsej6EFasvlTdJ/6OBlTCBkjAdBgNVHQ4EFgQU5BdrNrIG -iTrZXkO24GR9h6t93jcwYwYDVR0jBFwwWoAUsdlE7s/zeovBx8go2LphSL+Nu9mh -P6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQ -UG9sYXJTU0wgVGVzdCBDQYIBETAMBgNVHRMEBTADAQH/MAkGByqGSM49BAEDNwAw -NAIYPH5MSjau/MPc+rjSbYt+Q9rlv4idlJ84AhhWuxV7gaFzJzCs7acgX6WbfOAB -SAnWzz4= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIICvDCCAaSgAwIBAgIBETANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTMwODEwMTA0NzM5WhcNMjMwODEwMTA0NzM5WjBLMQswCQYDVQQGEwJOTDERMA8G +MIIC6zCCAnKgAwIBAgIBETAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp -YXRlIEVDIENBMEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEF/Nw4VH9gt/WUMJt -dKRsyselY6ngTpfw1XDtlLMT2XewBCAgIHDQoeQlVIkxsdRGo4GVMIGSMB0GA1Ud -DgQWBBSx2UTuz/N6i8HHyCjYumFIv4272TBjBgNVHSMEXDBagBS0WuSls97SUva5 -1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NM -MRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJ -KoZIhvcNAQEFBQADggEBABKWcjM5s2rqe3Ha3MR8rj5Ki6sXnda6mDFga4sWrkzR -aK8FOzHNtGgZvua7mQ3slvxa1b4rdl0ZiCzs16FxeIPrdilo2EqzKKZNbTNx8hGu -f593cXnjRijU4O4ysqNdPfrmUrJHl+gME6C5eLJsrdlhYXa8zog+eOUn/94EFq6I -QW/7hcaAN8mr1ZPCml+dWNynkYd7TqtqIkukB6pqZU9SkSIX6iNaRZXhSjge/+iB -XkJS7NXqwQZ3ktUhHYrkqSuVkdL61hrkB20T3NaPaYGPj/PcnCfk9nOmTmWlqHhl -FZM816w2/AT6G98zJgU0iAG53ANVO1k+FgbUFjrqRDQ= +YXRlIEVDIENBMB4XDTEzMDkyNDE2MTI1NloXDTIzMDkyMjE2MTI1NlowNDELMAkG +A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw 
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbHH8uC82/ztF1EKCiuM59 +quIF4HrYRGOPtb3AsBm5N7gZSg7xXXSAZ0aHBt5bfwYDvcGNXgcV1Fv03OXPPfnB +ESyuarmKvR1nZhfqTr3bFZqCh+TweMOjhYew/Z+pmV/jM+zM6gu1YV7xSX4/oy3q +AQzMQpp2m8TQN9OxFwFhARZZfhwXw1P90XLLTGAV2n3i6q1Q747ii9Rqd1XWcNlr +u/HuOQQ4o73i0eBma+KcR5npKOa2/C7KZ0OE6NWD1p2YawE+gdw8esr585z31igb +J3h8w9DVY6eBNImtJWq98urt+lf85TTGwQ9xLdIIEButREHg/nmgY5OKsV3psO5v +AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU4j/mLfTnuKaM3G0XpxhA +J2F2Dx0wYwYDVR0jBFwwWoAUD4m9Y0Hry14XKP9oMD3BiNCcWDmhP6Q9MDsxCzAJ +BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg +VGVzdCBDQYIBDzAKBggqhkjOPQQDAgNnADBkAjBkP1bGlZvxnYySZjdBq4m8lkyz +2cjfqjYs8COEkRkONaVz7888HvFdGpL98uQeFvECMHCyCrHprkGzvq/L9kUnx9Bh +2IHbCzbbi9moYC1XcOxgfsEKmhtVF/uQdf8+3VtGqA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl +WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8 +ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW +BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV +D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw +FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6 +yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M +ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf +7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M +CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut +ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw= -----END CERTIFICATE----- diff --git a/tests/data_files/test-ca2.crt b/tests/data_files/test-ca2.crt index bfd3eeff6..d41a420ef 100644 
--- a/tests/data_files/test-ca2.crt +++ b/tests/data_files/test-ca2.crt @@ -1,14 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICEjCCAbmgAwIBAgIJAK1CeXaecvbhMAkGByqGSM49BAEwPjELMAkGA1UEBhMC -TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD -IENBMB4XDTEzMDgwOTA3NDk0NloXDTIzMDgwNzA3NDk0NlowPjELMAkGA1UEBhMC -TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD -IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElrizLPspIX2+kNvC+BOpJnw1 -9tnAi5nsUnt8r6N+KDybdaVUWmLIqZCrjuaGKwOdOZtl/bBp8KOpLZ4UDujV/qOB -oDCBnTAdBgNVHQ4EFgQUvEDvue6auzY54S2porosu6a9EHEwbgYDVR0jBGcwZYAU -vEDvue6auzY54S2porosu6a9EHGhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQK -EwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAK1CeXae -cvbhMAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQNIADBFAiBs5rd9NzQs/wQZVS6D -rjpOpzFteqBkqe6YgKWkG5kDVwIhAKr4Lr4v+MU1G5D5oSZXYxvUPBa4yARcD7QM -espQnlFX +MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT +Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF +QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT +Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF +QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu +ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy +aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g +JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7 +NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE +AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w +CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56 +t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv +uCjn8pwUOkABXK8Mss90fzCfCEOtIA== -----END CERTIFICATE----- diff --git a/tests/data_files/test-ca2.key b/tests/data_files/test-ca2.key index 4f6fa6721..ccbba3c2a 100644 --- a/tests/data_files/test-ca2.key +++ b/tests/data_files/test-ca2.key 
@@ -1,5 +1,6 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIBgsCX6wjouYFLrghn4s8iRrt9krCKiFHZYtzY8J7+p3oAoGCCqGSM49 -AwEHoUQDQgAElrizLPspIX2+kNvC+BOpJnw19tnAi5nsUnt8r6N+KDybdaVUWmLI -qZCrjuaGKwOdOZtl/bBp8KOpLZ4UDujV/g== +MIGkAgEBBDCD2RUOoHHwVxAzozi4hsGmEV1ttAPhKXZF14dvI6tEIOpke4WxdueF +lap01tGkXuqgBwYFK4EEACKhZANiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1Mz +OVjUUrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80Gt +KcO0X3WnR2/VGSlVaZpTOyC0ZhZgMx4= -----END EC PRIVATE KEY----- diff --git a/tests/data_files/test-ca_cat12.crt b/tests/data_files/test-ca_cat12.crt index 18aa919be..5e4bf063d 100644 --- a/tests/data_files/test-ca_cat12.crt +++ b/tests/data_files/test-ca_cat12.crt 
@@ -79,16 +79,17 @@ m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ 7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIICEjCCAbmgAwIBAgIJAK1CeXaecvbhMAkGByqGSM49BAEwPjELMAkGA1UEBhMC -TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD -IENBMB4XDTEzMDgwOTA3NDk0NloXDTIzMDgwNzA3NDk0NlowPjELMAkGA1UEBhMC -TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD -IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElrizLPspIX2+kNvC+BOpJnw1 -9tnAi5nsUnt8r6N+KDybdaVUWmLIqZCrjuaGKwOdOZtl/bBp8KOpLZ4UDujV/qOB -oDCBnTAdBgNVHQ4EFgQUvEDvue6auzY54S2porosu6a9EHEwbgYDVR0jBGcwZYAU -vEDvue6auzY54S2porosu6a9EHGhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQK -EwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAK1CeXae -cvbhMAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQNIADBFAiBs5rd9NzQs/wQZVS6D -rjpOpzFteqBkqe6YgKWkG5kDVwIhAKr4Lr4v+MU1G5D5oSZXYxvUPBa4yARcD7QM -espQnlFX +MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT +Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF +QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT +Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF +QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu +ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy +aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g +JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7 +NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE +AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w +CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56 +t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv +uCjn8pwUOkABXK8Mss90fzCfCEOtIA== -----END CERTIFICATE----- diff --git a/tests/data_files/test-ca_cat21.crt b/tests/data_files/test-ca_cat21.crt index 18a2c0d0d..5630789eb 100644 --- a/tests/data_files/test-ca_cat21.crt +++ b/tests/data_files/test-ca_cat21.crt 
@@ -1,16 +1,17 @@ -----BEGIN CERTIFICATE----- -MIICEjCCAbmgAwIBAgIJAK1CeXaecvbhMAkGByqGSM49BAEwPjELMAkGA1UEBhMC -TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD -IENBMB4XDTEzMDgwOTA3NDk0NloXDTIzMDgwNzA3NDk0NlowPjELMAkGA1UEBhMC -TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD -IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElrizLPspIX2+kNvC+BOpJnw1 -9tnAi5nsUnt8r6N+KDybdaVUWmLIqZCrjuaGKwOdOZtl/bBp8KOpLZ4UDujV/qOB -oDCBnTAdBgNVHQ4EFgQUvEDvue6auzY54S2porosu6a9EHEwbgYDVR0jBGcwZYAU -vEDvue6auzY54S2porosu6a9EHGhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQK -EwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAK1CeXae -cvbhMAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQNIADBFAiBs5rd9NzQs/wQZVS6D -rjpOpzFteqBkqe6YgKWkG5kDVwIhAKr4Lr4v+MU1G5D5oSZXYxvUPBa4yARcD7QM -espQnlFX +MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT +Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF +QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT +Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF +QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu +ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy +aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g +JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7 +NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE +AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w +CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56 +t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv +uCjn8pwUOkABXK8Mss90fzCfCEOtIA== -----END CERTIFICATE----- Certificate: Data: diff --git a/tests/data_files/test-int-ca.crt b/tests/data_files/test-int-ca.crt index 1bb5a9914..cbe99e0a6 100644 --- a/tests/data_files/test-int-ca.crt +++ b/tests/data_files/test-int-ca.crt 
@@ -1,15 +1,24 @@ -----BEGIN CERTIFICATE----- -MIICWjCCAgKgAwIBAgIBDzAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x -MzA4MTAwOTA4NTFaFw0yMzA4MTAwOTA4NTFaMEgxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEmMCQGA1UEAxMdUG9sYXJTU0wgVGVzdCBJbnRlcm1lZGlh -dGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN/CgAVAhMzUJ7kFpAjx -7vwq2Vs4qmy6nuwOJ7UNBHXaWKSBUUP9KhExuTGMeNvYZmLiwfrd7p22Cgj1VFwp -V/5FEuEk4C7pXSZxqn2bXTaD1ivOVu9I0yKmA3+95f34V72fiqQ2U/SssGhI0EX4 -pSMEEbX8NOR31MCFut8ACzQ1AgMBAAGjgaAwgZ0wHQYDVR0OBBYEFElj+Qjo/QJa -RPVBKY3PvE/SwB68MG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk -QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv -bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAMBgNVHRMEBTADAQH/MAkGByqG -SM49BAEDRwAwRAIgfIwD+A0rcrrJWKLR1g88ImIx5765D0ZAixZy9Q1j8EgCIFPo -AAs001kkpocmMwGv3Mz8bYCK+0GwSteAoWtZmTz0 +MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq +vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR +wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF +CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g +Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q +AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2 +qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM +uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA +kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P +d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br +Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg +updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY 
+a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7 +NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE +AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w +CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG +i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9 +Af5cNR8KhzegznL6amRObGGKmX1F -----END CERTIFICATE----- diff --git a/tests/data_files/test-int-ca.key b/tests/data_files/test-int-ca.key index 9d0e234c9..4fd62f3f3 100644 --- a/tests/data_files/test-int-ca.key +++ b/tests/data_files/test-int-ca.key 
@@ -1,16 +1,51 @@ ------BEGIN PRIVATE KEY----- -MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAN/CgAVAhMzUJ7kF -pAjx7vwq2Vs4qmy6nuwOJ7UNBHXaWKSBUUP9KhExuTGMeNvYZmLiwfrd7p22Cgj1 -VFwpV/5FEuEk4C7pXSZxqn2bXTaD1ivOVu9I0yKmA3+95f34V72fiqQ2U/SssGhI -0EX4pSMEEbX8NOR31MCFut8ACzQ1AgMBAAECgYB+yAibcTQNjoO3TN/lhZcgX/Lp -wdCmbJMRMvACoI6PbBjflLoD6NTGC0NgNLRh9FoG226HgunpiDRlYQPceDx3MP5p -1bcUInatOdAMbYoYw+O+y+/w9qDQWiWOskkdaiktFlaZFC9jaI37jr5ChCsH+3v3 -bjnX/8YWYeBZHZEowQJBAPvvhioS4b2RcrkLSUI7pJx3Dlj4m/crlK0v0un1ikNg -ahplDMZoTFhvagUGDKXE4Uqj3Iz9c4QKsZozcwBio4UCQQDjXpyXHscDqo6iXaAz -8McsxXQs1ITs3R9F6SwPbhmF1W7WiMgR5udEHnBkagyFzl2LpwJdFUW3BFHOpPhe -63TxAkEAorlQ9PgBKoo5iV/Kz6bqac1UTQ823e0eOMZ8+nSH+4DYx3ehSr2vIifE -WL5RiPijc6xnFgHWjODDWhAFJaiQaQJBAL1weu++iPqZBLZrY6tjFdBLw/wGJapk -okXRfRBuH33O0saUuH2R8WZkJijD4yMpSe+tet6rdqaCRtbxxK7xZ0ECQFxKE1Zb -nzECNNfhXkswM4X5ieCZAGvh8P0WvmyvPUGkgQIcsQb+exw2FCvsdetqdVHQqzNl -LKLwwuNT9u4/XCo= ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAo1Oc8nr6fMTqvowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7Jep +dFjAVbBtyQRJSiY1ja0tgLQDDKZRwfEI+b4azse460InPHv7C1TN0upXlxuj6m9B +1IlP+sBaM7WBC6dVfPO+jVMIxgkFCaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+ +nqRZjXe/eIcqm5HwjDDhu+gz+o0gVz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xT +xtu6dLunhpmLFj2mm0Vjwa7Ypj5qAjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJ +JFVdjdtgYAcQwzikwF5HoITJzzJ2qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEG +Jo7XKyNEuHPQgB+e0cg1SD1HqlAMuCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY ++/9e2xn8DCrhBKLXQMZFDZqUoLYAkGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSP +T28rLdFr49dwYOtDg9foA8hDIW2Pd6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz +9bqBVNlNOESSqm4kiCJFmslm/6brNp0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TY +YhMbfnfFyo4m707ebcflPbBEN2dgupdQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEA +AQKCAgEAgyuxzuSJrA8SYLptIoP+e7YiUqCOfy1Z9q3paLeUAhRmWilrxK9KuQcb +BOhWXCDXvdMpykXIdS5WVyZYCQtuyEeK8haNIHyKII2ZSB1A/3EJckysWB93hnFZ +gFHzNALOG64+iY34a+Pukc6NmCulGBcjjAWR2KOg9vyRsiRr2m1TkZHFpW9lJMLZ +mdkklRDeWhkgEiPpKv6QzMFfkzL9mregE3VgEjQfeFNaZlS2HWddhB5z4i+yTfIw 
+F1/VXqVg2y8dcP4VrV5PET8NBGPzInkj0lk1NeveE2Cl2DlUq4BMyWvUFkQhAL8B +Zd4GzmL9nimZ6Qb8dVWYC/YTahoIL3+YUCZAGIeczAo6dryheUsj1w3pSErOIY9U +dGSyq9I9XYXqcRNeyfkoNVOZ7ugqk4DvMyv64tt+NIIy9SZGcHuWo3GL0FdKiR5c +Xbn18tD+Wwrka0O1ntvzX1qkwJcpvu5+xNVbobkM4DiluoivOq+29CGANtG2Et7S +m6KCUwSElKsvpI4dNW4nWcbdj8i8gcLiKjqRu9n2BdkvAHaMhVbl9xnp9sveGLcR +iFg6mDsCQuVEH8bGPIMIav/3VUjy1wbMAA54PsqKM0aTA+DHnleXchVAhMm9eHD8 +yrV8eb8/bcCbWvhDDi80kuRIaDSsYTwMWpzjz6MU9v8OuFGZZaECggEBANL44VQ7 +7tok5XeJJgnRV/PGNlHKksctPMj+ye8iSDrRvHVlHHqvZ26MZJPgXwHCO/NVIWv6 +hfCYlfmP/63fZ1WJqDUDxHOgjIbPtOIKTsJi3PbbODVrsycZ3y5OjpbjXKG97cKM +6RX6zbnjtGKPfbUJx+kuAOxmkFLiLJGNlLqzaJafkgWjUAV/nT6Qm2663msfZ/Md +7uDFDNOTbPS74ki5JTjlj8xmxAPcnxjNJ2ijDQ7eiCAm6JozJYy9PYixmuScFF2x +D2N6E9/JWUcYezybUgOLzbwzvJkCRJoBXj09F8cb3m6ZQ04n2peQg/0bn6HUVovF +opZJW9uZTRmFae0CggEBAMYveBnYRXyWqENf8PZ8xlqiOvJBARaIYQOPy1t4LeOv +t4ssvkSJPEG0tP2IT6ptecNN9CVRdPJn7tsgvjgPvqgymLlaw8DheFS3EK4sFd0a +SIwrYcXY8fyAFuGbbcx2JTfmxwLGYXeWG4MDkcYctUhXiObMb0YI2eXlTu4JXqJH +q1myl7pi3gux7JcFjr0ANh9mDOYXzL52WqZObaVUUNn8p/aNWpati9Z9PL2uJNxY +myZbTqWGTpZ8XlZnZYg8bHVJGoc7/seSDEnSreGQtXl6MrnsN9bDU6UhufI0iAiH +fCeELpxjBpvZi2TzYnltX+21f3oUXurXT4eYPJm6YU0CggEBAIrJUSphtvJovU/S +uGRTBEIIzekmk0JWHxu2iU84RT30hb7QwlhvFWLjFrM1MirtBRVBlpf7Gau6JUck +lLVkNw1NXotprA3Iu0lgUIU29LLp6KS4eBSkghmh6nEDGshmT6TTVhrbKebctAOq +qRsBfFfhVFKwgckCe8Uapukls4bSyWX1GVF+KwFC/0WOScIhSno8Ed0cfu38k0CI +RnAFPYpLyhHQ6rUzkZVcyIi/RUKPqOJ0QCaukewG45ffUiCffd8QUlGETjRJtdNN +GN8tWrz3DI/qo3BAtLwPguOxLLaqfv7r9Xradi1vCF0Wo82ZI32JO1n9rMSjA7vF +8LNuUc0CggEAedBPh8Mw4qVPgyoDV93VpXu1s5VU796fkqrdmblCq4Ij1L2JrWKU +0OYboQIZxW1IvEy71fw9X4mWfMWhZZ/31jZTPQqW64UqixeCfyvFvIMdOFqp3Au+ +oS6x4bXBRT0RH00P4ZrB6dkvy9Vz0ktu+aokEYhylJ94HyBU5WaI7kITBi0JqZx/ +Urzn6OOXmn/4xE/becoDJMZmbXYjWs16bKIpMxgrKBY/r3SG0yeorG8h3e+dZYwp +3cFP0tf2xkgteeGXFqw/q7cPKoj+K3jgsmvzpeeVYsHoNcWHH2I+gs+T9k3+wEz1 +kPGkBka6rlwV7Gv0kLrYpIv27CcciHjQuQKCAQActQM3DTC3pzEwwPeYMnSXL9/s +uDqbj3MV6H8fxPIGJWfpDst7nWXhT81uKG6fYmeg5Z6nJXfP0dUF5TpW1zk6VGwn 
+t/ch6U7HYpseZsywdZPVIo/upgkowXSl6mfqyxzGngXuORh4zhRpcn4GTwzHG2Te +xNqMEb/i/IWnvtfvyfhEBewJcMr9Npwrg615pCiZ8y3cjvJf/gl0cGZ5LIuWBQB5 +F16JxF3mm1XCukTXZO90vg3Y1JxeB+YYyF+1aQL+DgvhGZNRrGrBT/QuXQpiMCMf +VM9oZVrI7cYVNnPBEoHVcyP21NQ5AWoFTaSpMJiHZ4FBie0BGO6IkzMcG23r +-----END RSA PRIVATE KEY----- diff --git a/tests/data_files/test-int-ca2.crt b/tests/data_files/test-int-ca2.crt index 8fed9179d..9ce44c231 100644 --- a/tests/data_files/test-int-ca2.crt +++ b/tests/data_files/test-int-ca2.crt 
@@ -1,17 +1,18 @@ -----BEGIN CERTIFICATE----- -MIICvDCCAaSgAwIBAgIBETANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTMwODEwMTA0NzM5WhcNMjMwODEwMTA0NzM5WjBLMQswCQYDVQQGEwJOTDERMA8G +MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp -YXRlIEVDIENBMEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEF/Nw4VH9gt/WUMJt -dKRsyselY6ngTpfw1XDtlLMT2XewBCAgIHDQoeQlVIkxsdRGo4GVMIGSMB0GA1Ud -DgQWBBSx2UTuz/N6i8HHyCjYumFIv4272TBjBgNVHSMEXDBagBS0WuSls97SUva5 -1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NM -MRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJ -KoZIhvcNAQEFBQADggEBABKWcjM5s2rqe3Ha3MR8rj5Ki6sXnda6mDFga4sWrkzR -aK8FOzHNtGgZvua7mQ3slvxa1b4rdl0ZiCzs16FxeIPrdilo2EqzKKZNbTNx8hGu -f593cXnjRijU4O4ysqNdPfrmUrJHl+gME6C5eLJsrdlhYXa8zog+eOUn/94EFq6I -QW/7hcaAN8mr1ZPCml+dWNynkYd7TqtqIkukB6pqZU9SkSIX6iNaRZXhSjge/+iB -XkJS7NXqwQZ3ktUhHYrkqSuVkdL61hrkB20T3NaPaYGPj/PcnCfk9nOmTmWlqHhl -FZM816w2/AT6G98zJgU0iAG53ANVO1k+FgbUFjrqRDQ= +YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl +WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8 +ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW +BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV +D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw +FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6 +yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M +ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf +7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M +CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut +ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw= -----END CERTIFICATE----- 
diff --git a/tests/data_files/test-int-ca2.key b/tests/data_files/test-int-ca2.key index ef3798c27..9df5b7aad 100644 --- a/tests/data_files/test-int-ca2.key +++ b/tests/data_files/test-int-ca2.key @@ -1,5 +1,6 @@ -----BEGIN EC PRIVATE KEY----- -MF8CAQEEGFgy1xMAKfxIVYM/GIkSort30RcWwJOv3aAKBggqhkjOPQMBAaE0AzIA -BBfzcOFR/YLf1lDCbXSkbMrHpWOp4E6X8NVw7ZSzE9l3sAQgICBw0KHkJVSJMbHU -Rg== +MIGkAgEBBDAtxOHUV4be1MdH1frBHzxITCyUSxrVjJN8QTvTVk558ka0a3zhd4Pb +ekWt7wBPXQegBwYFK4EEACKhZANiAATw6KHd9flIt43V2YWdxCVYzD35jqxduWGW +tcHGFfGPB3CkIcQ2f5+hRV2uphVhrtK6/dBV47qcnX0fdA2LFbyKTU/6HGxtqrxu +1rvy8DIeYLgSZdAuDXDujFv1DzapfVg= -----END EC PRIVATE KEY----- From cc648d19dcd827bf717e1e2041ddbd25308e3f5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 24 Sep 2013 18:57:09 +0200 Subject: [PATCH 09/18] Adapt test cases to new certs and file names --- tests/suites/test_suite_x509parse.data | 54 +++++++++++++------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index b853e2674..d9438d3fc 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -44,27 +44,27 @@ x509_cert_info:"data_files/cert_sha512.crt":"cert. version \: 3\nserial number \ X509 Certificate information EC, SHA1 Digest depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C -x509_cert_info:"data_files/server5.crt":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 07\:57\:40\nexpires on \: 2023-08-07 07\:57\:40\nsigned using \: ECDSA with SHA1\nEC key size \: 192 bits\n" +x509_cert_info:"data_files/server5-sha1.crt":"cert. version \: 3\nserial number \: 12\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n" X509 Certificate information EC, SHA224 Digest depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C -x509_cert_info:"data_files/server5-sha224.crt":"cert. version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 08\:08\:12\nexpires on \: 2023-08-07 08\:08\:12\nsigned using \: ECDSA with SHA224\nEC key size \: 192 bits\n" +x509_cert_info:"data_files/server5-sha224.crt":"cert. version \: 3\nserial number \: 13\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n" X509 Certificate information EC, SHA256 Digest depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C -x509_cert_info:"data_files/server5-sha256.crt":"cert. 
version \: 3\nserial number \: 07\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 08\:08\:17\nexpires on \: 2023-08-07 08\:08\:17\nsigned using \: ECDSA with SHA256\nEC key size \: 192 bits\n" +x509_cert_info:"data_files/server5.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n" X509 Certificate information EC, SHA384 Digest depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C -x509_cert_info:"data_files/server5-sha384.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 08\:08\:25\nexpires on \: 2023-08-07 08\:08\:25\nsigned using \: ECDSA with SHA384\nEC key size \: 192 bits\n" +x509_cert_info:"data_files/server5-sha384.crt":"cert. version \: 3\nserial number \: 14\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n" X509 Certificate information EC, SHA512 Digest depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C -x509_cert_info:"data_files/server5-sha512.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 08\:08\:32\nexpires on \: 2023-08-07 08\:08\:32\nsigned using \: ECDSA with SHA512\nEC key size \: 192 bits\n" +x509_cert_info:"data_files/server5-sha512.crt":"cert. 
version \: 3\nserial number \: 15\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n" X509 Certificate information RSA signed by EC depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C -x509_cert_info:"data_files/server4.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 07\:57\:57\nexpires on \: 2023-08-07 07\:57\:57\nsigned using \: ECDSA with SHA1\nRSA key size \: 1024 bits\n" +x509_cert_info:"data_files/server4.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nRSA key size \: 2048 bits\n" X509 Certificate information EC signed by RSA depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C 
@@ -112,23 +112,23 @@ x509_crl_info:"data_files/crl_sha512.pem":"CRL version \: 1\nissuer name \: X509 CRL Information EC, SHA1 Digest depends_on:POLARSSL_PEM_PARSE_C -x509_crl_info:"data_files/crl-ec.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-08-09 08\:06\:26\nnext update \: 2023-08-07 08\:06\:26\nRevoked certificates\:\nserial number\: 02 revocation date\: 2013-08-09 08\:04\:03\nsigned using \: ECDSA with SHA1\n" +x509_crl_info:"data_files/crl-ec-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA1\n" X509 CRL Information EC, SHA224 Digest depends_on:POLARSSL_PEM_PARSE_C -x509_crl_info:"data_files/crl-ec-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-08-09 08\:06\:38\nnext update \: 2023-08-07 08\:06\:38\nRevoked certificates\:\nserial number\: 02 revocation date\: 2013-08-09 08\:04\:03\nsigned using \: ECDSA with SHA224\n" +x509_crl_info:"data_files/crl-ec-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA224\n" X509 CRL Information EC, SHA256 Digest depends_on:POLARSSL_PEM_PARSE_C -x509_crl_info:"data_files/crl-ec-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-08-09 08\:06\:44\nnext update \: 2023-08-07 08\:06\:44\nRevoked certificates\:\nserial number\: 02 revocation date\: 2013-08-09 08\:04\:03\nsigned using \: ECDSA with SHA256\n" +x509_crl_info:"data_files/crl-ec-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, 
CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA256\n" X509 CRL Information EC, SHA384 Digest depends_on:POLARSSL_PEM_PARSE_C -x509_crl_info:"data_files/crl-ec-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-08-09 08\:06\:52\nnext update \: 2023-08-07 08\:06\:52\nRevoked certificates\:\nserial number\: 02 revocation date\: 2013-08-09 08\:04\:03\nsigned using \: ECDSA with SHA384\n" +x509_crl_info:"data_files/crl-ec-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA384\n" X509 CRL Information EC, SHA512 Digest depends_on:POLARSSL_PEM_PARSE_C -x509_crl_info:"data_files/crl-ec-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-08-09 08\:07\:01\nnext update \: 2023-08-07 08\:07\:01\nRevoked certificates\:\nserial number\: 02 revocation date\: 2013-08-09 08\:04\:03\nsigned using \: ECDSA with SHA512\n" +x509_crl_info:"data_files/crl-ec-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA512\n" X509 Get Distinguished Name #1 depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C 
@@ -300,31 +300,31 @@ x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pe X509 Certificate verification #33 (Valid, RSA cert, EC CA) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C:POLARSSL_ECP_C:POLARSSL_SHA1_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_PKCS1_V15 -x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" +x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL" X509 Certificate verification #34 (Valid, EC cert, EC CA) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_SHA1_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" +x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL" X509 Certificate verification #35 (Revoked, EC CA) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_SHA1_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:"NULL" +x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:"NULL" -X509 Certificate verification #36 (Valid, EC CA, SHA224 Digest) +X509 Certificate verification #36 (Valid, EC CA, SHA1 Digest) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_SHA256_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" +x509_verify:"data_files/server5-sha1.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL" -X509 Certificate verification #37 (Valid, EC CA, SHA256 Digest) +X509 Certificate 
verification #37 (Valid, EC CA, SHA224 Digest) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_SHA256_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server5-sha256.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" +x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL" X509 Certificate verification #38 (Valid, EC CA, SHA384 Digest) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_SHA512_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" +x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL" X509 Certificate verification #39 (Valid, EC CA, SHA512 Digest) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_SHA512_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" +x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL" X509 Certificate verification #40 (Valid, depth 0, RSA, CA) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15 @@ -332,7 +332,7 @@ x509_verify:"data_files/test-ca.crt":"data_files/test-ca.crt":"data_files/crl.pe X509 Certificate verification #41 (Valid, depth 0, EC, CA) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C -x509_verify:"data_files/test-ca2.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" +x509_verify:"data_files/test-ca2.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL" X509 Certificate verification #42 (Depth 0, not CA, RSA) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15 
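Review bot: The `depends_on` lines in this hunk were not updated with the certificates. Cases #33 to #35 still require `POLARSSL_SHA1_C`, although the new expected output earlier in this patch reports `server4.crt` and `server5.crt` as "ECDSA with SHA256" and the CRL is now `crl-ec-sha256.pem`, so they should name `POLARSSL_SHA256_C`. Case #36 now loads `server5-sha1.crt` but lists only `POLARSSL_SHA256_C`, so it needs `POLARSSL_SHA1_C` added. `POLARSSL_ECP_DP_SECP192R1_ENABLED` looks stale here and in the `@@ -340` and `@@ -352` hunks, since the leaf certificates now report 256-bit EC keys. If the new CA key is on a curve other than secp256r1, that curve's `POLARSSL_ECP_DP_*_ENABLED` macro should be listed instead.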
@@ -340,11 +340,11 @@ x509_verify:"data_files/server2.crt":"data_files/server2.crt":"data_files/crl.pe X509 Certificate verification #43 (Depth 0, not CA, EC) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C -x509_verify:"data_files/server5.crt":"data_files/server5.crt":"data_files/crl-ec.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" +x509_verify:"data_files/server5.crt":"data_files/server5.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" X509 Certificate verification #44 (Corrupted signature, EC) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED -x509_verify:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" +x509_verify:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" X509 Certificate verification #45 (Corrupted signature, RSA) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15 
@@ -352,19 +352,19 @@ x509_verify:"data_files/server2-badsign.crt":"data_files/test-ca.crt":"data_file X509 Certificate verification #46 (Valid, depth 2, EC-RSA-EC) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED:POLARSSL_PKCS1_V15 -x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" +x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL" X509 Certificate verification #47 (Untrusted, depth 2, EC-RSA-EC) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED:POLARSSL_PKCS1_V15 -x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca.crt":"data_files/crl-ec.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" +x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" X509 Certificate verification #48 (Missing intermediate CA, EC-RSA-EC) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP192R1_ENABLED:POLARSSL_PKCS1_V15 -x509_verify:"data_files/server7.crt":"data_files/test-ca.crt":"data_files/crl-ec.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" +x509_verify:"data_files/server7.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" X509 Certificate verification #49 (Valid, depth 2, RSA-EC-RSA) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP192R1_ENABLED:POLARSSL_PKCS1_V15 -x509_verify:"data_files/server8_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec.pem":"NULL":0:0:"NULL" 
+x509_verify:"data_files/server8_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL" X509 Certificate verification #50 (Valid, multiple CAs) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP192R1_ENABLED:POLARSSL_PKCS1_V15 From 4618459fa1f5b6d187fc75254bd546370bc5b953 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 24 Sep 2013 19:20:57 +0200 Subject: [PATCH 10/18] Update EC certificates in certs.c --- library/certs.c | 91 ++++++++++++++++++++++++++----------------------- 1 file changed, 49 insertions(+), 42 deletions(-) diff --git a/library/certs.c b/library/certs.c index ecfc82942..4c2994240 100644 --- a/library/certs.c +++ b/library/certs.c 
@@ -30,71 +30,78 @@ #if defined(POLARSSL_ECDSA_C) const char test_ca_crt[] = "-----BEGIN CERTIFICATE-----\r\n" -"MIICEjCCAbmgAwIBAgIJAK1CeXaecvbhMAkGByqGSM49BAEwPjELMAkGA1UEBhMC\r\n" -"TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD\r\n" -"IENBMB4XDTEzMDgwOTA3NDk0NloXDTIzMDgwNzA3NDk0NlowPjELMAkGA1UEBhMC\r\n" -"TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD\r\n" -"IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElrizLPspIX2+kNvC+BOpJnw1\r\n" -"9tnAi5nsUnt8r6N+KDybdaVUWmLIqZCrjuaGKwOdOZtl/bBp8KOpLZ4UDujV/qOB\r\n" -"oDCBnTAdBgNVHQ4EFgQUvEDvue6auzY54S2porosu6a9EHEwbgYDVR0jBGcwZYAU\r\n" -"vEDvue6auzY54S2porosu6a9EHGhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQK\r\n" -"EwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAK1CeXae\r\n" -"cvbhMAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQNIADBFAiBs5rd9NzQs/wQZVS6D\r\n" -"rjpOpzFteqBkqe6YgKWkG5kDVwIhAKr4Lr4v+MU1G5D5oSZXYxvUPBa4yARcD7QM\r\n" -"espQnlFX\r\n" +"MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT\r\n" +"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" +"QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT\r\n" +"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" +"QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu\r\n" +"ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy\r\n" +"aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g\r\n" +"JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7\r\n" +"NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE\r\n" +"AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w\r\n" +"CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56\r\n" +"t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv\r\n" +"uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n" "-----END CERTIFICATE-----\r\n"; const char test_ca_key[] = "-----BEGIN EC PRIVATE KEY-----\r\n" "Proc-Type: 4,ENCRYPTED\r\n" -"DEK-Info: 
AES-128-CBC,2A7435F5137D68C6402DB35E5BFD277A\r\n" +"DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n" "\r\n" -"Sw5YgGVvNxXMvnGKYPuUqiDfjXhK/VTQ6dE9+33jwobKJvqR4pIrelw5QbJ5MCi2\r\n" -"dRGEMi4hT+EiS1UZtagqYUQyYZegZB48eoSRySsfW3kqQ4aG99+4iDLCY+JhICs9\r\n" -"aZdJhyUSOy2KRnFN/ZUy/Hvlsy10dw/Cp73TpJZmTz4=\r\n" +"IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG\r\n" +"ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq\r\n" +"UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n" +"a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n" "-----END EC PRIVATE KEY-----\r\n"; const char test_ca_pwd[] = "PolarSSLTest"; const char test_srv_crt[] = "-----BEGIN CERTIFICATE-----\r\n" -"MIIB7TCCAZSgAwIBAgIBAzAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD\r\n" -"VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x\r\n" -"MzA4MDkwNzU3NDBaFw0yMzA4MDcwNzU3NDBaMDQxCzAJBgNVBAYTAk5MMREwDwYD\r\n" -"VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MEkwEwYHKoZIzj0CAQYI\r\n" -"KoZIzj0DAQEDMgAEy0Lh3ZfhEwBiC8jmJfEg8NGxCDqHEtz+hPgYs37hDz9wTOoY\r\n" -"+CJDtEUcDedgFCpqo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFKItALYotNzi\r\n" -"cfBPd7LwETtkYmdBMG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk\r\n" -"QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv\r\n" -"bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0gAMEUCIE/J\r\n" -"rb3TrYL+z1OsZ2rtCmji7hrPj570X4Qkm1Pb5QEvAiEAiq46sM0+1DSAU0u8FcuL\r\n" -"jbRvSP9W7EJjb9QR3zNYbX4=\r\n" +"MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" +"A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" +"MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" +"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n" +"CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n" +"2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n" +"BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n" 
+"PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\n" +"clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n" +"CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\n" +"C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n" +"fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n" "-----END CERTIFICATE-----\r\n"; const char test_srv_key[] = "-----BEGIN EC PRIVATE KEY-----\r\n" -"MF8CAQEEGO82j8OXBoUhVyauCA8XZ288l595u7BXWqAKBggqhkjOPQMBAaE0AzIA\r\n" -"BMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzqGPgiQ7RFHA3nYBQq\r\n" -"ag==\r\n" +"MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n" +"AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n" +"6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n" "-----END EC PRIVATE KEY-----\r\n"; const char test_cli_crt[] = "-----BEGIN CERTIFICATE-----\r\n" -"MIIBUjCB+gIBEjAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ\r\n" -"b2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0xMzA4MjIx\r\n" -"NDQyMTdaFw0yMzA4MjAxNDQyMTdaMD8xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ\r\n" -"b2xhclNTTDEdMBsGA1UEAxMUUG9sYXJTU0wgVGVzdCBDbGllbnQwSTATBgcqhkjO\r\n" -"PQIBBggqhkjOPQMBAQMyAATnnXkhKuPh1tou3B+DV9lyE4IlISuYVm86E776WBm5\r\n" -"+hNTqK0AaV6gqEL/XdLEGVwwCQYHKoZIzj0EAQNIADBFAiEA/xaze0PZk51nJJSR\r\n" -"Z5SmN9VlzqgN2aSmL4JQRPzjDr0CIFOmuwP8WRdPUJvXh7NQgvl4kW3xkcrmfd6a\r\n" -"zJbBMLxH\r\n" +"MIICLDCCAbKgAwIBAgIBDTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" +"A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" +"MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjBBMQswCQYDVQQGEwJOTDERMA8G\r\n" +"A1UEChMIUG9sYXJTU0wxHzAdBgNVBAMTFlBvbGFyU1NMIFRlc3QgQ2xpZW50IDIw\r\n" +"WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARX5a6xc9/TrLuTuIH/Eq7u5lOszlVT\r\n" +"9jQOzC7jYyUL35ji81xgNpbA1RgUcOV/n9VLRRjlsGzVXPiWj4dwo+THo4GdMIGa\r\n" +"MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMG4GA1Ud\r\n" +"IwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJOTDER\r\n" 
+"MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC\r\n" +"CQDBQ+J+YkPM6DAKBggqhkjOPQQDAgNoADBlAjBKZQ17IIOimbmoD/yN7o89u3BM\r\n" +"lgOsjnhw3fIOoLIWy2WOGsk/LGF++DzvrRzuNiACMQCd8iem1XS4JK7haj8xocpU\r\n" +"LwjQje5PDGHfd3h9tP38Qknu5bJqws0md2KOKHyeV0U=\r\n" "-----END CERTIFICATE-----\r\n"; const char test_cli_key[] = "-----BEGIN EC PRIVATE KEY-----\r\n" -"MF8CAQEEGCTQxP5vTfEwCWdeLdPqgGQ4AuxGG3gPA6AKBggqhkjOPQMBAaE0AzIA\r\n" -"BOedeSEq4+HW2i7cH4NX2XITgiUhK5hWbzoTvvpYGbn6E1OorQBpXqCoQv9d0sQZ\r\n" -"XA==\r\n" +"MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n" +"AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n" +"wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n" "-----END EC PRIVATE KEY-----\r\n"; #else /* !POLARSSL_ECDSA_C, so POLARSSL_RSA_C */ @@ -194,7 +201,7 @@ const char test_srv_key[] = "oArQJGgkAdaq0pcTyOIjtTQVMFygdVmCEJmxh/3RutPcTeydqW9fphKDMej32J8e\r\n" "GniGmNGiclbcfNOS8E5TGp445yZb9P1+7AHng16bGg3Ykj5EA4G+HCcCgYEAyHAl\r\n" "//ekk8YjQElm+8izLtFkymIK0aCtEe9C/RIRhFYBeFaotC5dStNhBOncn4ovMAPD\r\n" -"Lx/92YdI9op8ppln3a4B9XpW3k/SS5GrbT5cwOivBHNllZSmu/2qz5WPGcjVCOrB\r\n" +"lX/92yDi9OP8PPLN3a4B9XpW3k/SS5GrbT5cwOivBHNllZSmu/2qz5WPGcjVCOrB\r\n" "LYl3YWr2h3EGKICT03kEoTkiDBvCeOpW7cCGl2cCgYBD5whoXHz1+ptPlI4YVjZt\r\n" "Xh86aU+ajpVPiEyJ84I6xXmO4SZXv8q6LaycR0ZMbcL+zBelMb4Z2nBv7jNrtuR7\r\n" "ZF28cdPv+YVr3esaybZE/73VjXup4SQPH6r3l7qKTVi+y6+FeJ4b2Xn8/MwgnT23\r\n" From 482a2828e42019f273ea09da2bb1bfe3393f0434 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 24 Sep 2013 19:33:17 +0200 Subject: [PATCH 11/18] Offer both EC and RSA in certs.c, RSA first --- include/polarssl/certs.h | 49 ++++++++++++++++++++++++++----- library/certs.c | 63 ++++++++++++++++++++++++++++++---------- 2 files changed, 89 insertions(+), 23 deletions(-) diff --git a/include/polarssl/certs.h b/include/polarssl/certs.h index 5399e326d..ded3ddf06 100644 --- a/include/polarssl/certs.h +++ b/include/polarssl/certs.h 
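Review bot: The new `test_ca_key` is PEM-encrypted with `DEK-Info: DES-EDE3-CBC`, where the old one used `AES-128-CBC`, so loading it presumably now needs DES support compiled in, and the surrounding `#if defined(POLARSSL_ECDSA_C)` guard does not express that. A build with ECDSA and AES but without DES would then fail to decrypt the embedded CA key with `test_ca_pwd`. I would re-encrypt the key with AES-128-CBC as before, or state the requirement in a comment above it, for example `/* encrypted with 3DES: needs POLARSSL_DES_C to load */`. The `#if` block continues past this hunk.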
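Review bot: The single changed line in the RSA `test_srv_key` body differs from the old line only in the case of the letters in its first sixteen characters (`Lx/92YdI9op8ppln` became `lX/92yDi9OP8PPLN`), which looks like an accidental editor case-toggle rather than a new key. The commit is described as an EC certificate update and no other RSA material changes in it, so the altered key would most likely no longer match `test_srv_crt`, or fail to parse. I would restore the old line, `"Lx/92YdI9op8ppln3a4B9XpW3k/SS5GrbT5cwOivBHNllZSmu/2qz5WPGcjVCOrB\r\n"`. The array definition starts and ends outside the hunk.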
@@ -31,14 +31,49 @@ extern "C" { #endif -extern const char test_ca_crt[]; -extern const char test_ca_key[]; -extern const char test_ca_pwd[]; -extern const char test_srv_crt[]; -extern const char test_srv_key[]; -extern const char test_cli_crt[]; -extern const char test_cli_key[]; +/* First set of certificates: RSA, or ECDSA if RSA is not available */ +extern const char *test_ca_crt; +extern const char *test_ca_key; +extern const char *test_ca_pwd; +extern const char *test_srv_crt; +extern const char *test_srv_key; +extern const char *test_cli_crt; +extern const char *test_cli_key; + +/* Second set of certificates: ECDSA is both are available */ +#if defined(POLARSSL_RSA_C) && defined(POLARSSL_RSA_C) +extern const char *test_ca_crt2; +extern const char *test_ca_key2; +extern const char *test_ca_pwd2; +extern const char *test_srv_crt2; +extern const char *test_srv_key2; +extern const char *test_cli_crt2; +extern const char *test_cli_key2; +#endif + +#if defined(POLARSSL_ECDSA_C) +extern const char test_ca_crt_ec[]; +extern const char test_ca_key_ec[]; +extern const char test_ca_pwd_ec[]; +extern const char test_srv_crt_ec[]; +extern const char test_srv_key_ec[]; +extern const char test_cli_crt_ec[]; +extern const char test_cli_key_ec[]; +#endif + +#if defined(POLARSSL_RSA_C) +extern const char test_ca_crt_rsa[]; +extern const char test_ca_key_rsa[]; +extern const char test_ca_pwd_rsa[]; +extern const char test_srv_crt_rsa[]; +extern const char test_srv_key_rsa[]; +extern const char test_cli_crt_rsa[]; +extern const char test_cli_key_rsa[]; +#endif + +#if defined(POLARSSL_DHM_C) extern const char test_dhm_params[]; +#endif #ifdef __cplusplus } diff --git a/library/certs.c b/library/certs.c index 4c2994240..1a853515d 100644 --- a/library/certs.c +++ b/library/certs.c 
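Review bot: The guard for the second certificate set tests the same macro twice, `#if defined(POLARSSL_RSA_C) && defined(POLARSSL_RSA_C)`, so an RSA-only build gets declarations for `test_ca_crt2` through `test_cli_key2` that library/certs.c in this same patch defines only when ECDSA is enabled as well; it should read `#if defined(POLARSSL_RSA_C) && defined(POLARSSL_ECDSA_C)`. The comment above it would read correctly as `/* Second set of certificates: ECDSA if both are available */`. Turning the generic names from arrays into `const char *` also means `sizeof( test_ca_crt )` now yields the pointer size rather than the PEM length. The callers visible in this series use `strlen`, but a one-line remark in this header would warn anyone else.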
@@ -28,7 +28,7 @@ #if defined(POLARSSL_CERTS_C) #if defined(POLARSSL_ECDSA_C) -const char test_ca_crt[] = +const char test_ca_crt_ec[] = "-----BEGIN CERTIFICATE-----\r\n" "MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT\r\n" "Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" @@ -45,7 +45,7 @@ const char test_ca_crt[] = "uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n" "-----END CERTIFICATE-----\r\n"; -const char test_ca_key[] = +const char test_ca_key_ec[] = "-----BEGIN EC PRIVATE KEY-----\r\n" "Proc-Type: 4,ENCRYPTED\r\n" "DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n" @@ -56,9 +56,9 @@ const char test_ca_key[] = "a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n" "-----END EC PRIVATE KEY-----\r\n"; -const char test_ca_pwd[] = "PolarSSLTest"; +const char test_ca_pwd_ec[] = "PolarSSLTest"; -const char test_srv_crt[] = +const char test_srv_crt_ec[] = "-----BEGIN CERTIFICATE-----\r\n" "MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" "A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" @@ -74,14 +74,14 @@ const char test_srv_crt[] = "fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n" "-----END CERTIFICATE-----\r\n"; -const char test_srv_key[] = +const char test_srv_key_ec[] = "-----BEGIN EC PRIVATE KEY-----\r\n" "MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n" "AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n" "6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n" "-----END EC PRIVATE KEY-----\r\n"; -const char test_cli_crt[] = +const char test_cli_crt_ec[] = "-----BEGIN CERTIFICATE-----\r\n" "MIICLDCCAbKgAwIBAgIBDTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" "A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" 
@@ -97,15 +97,16 @@ const char test_cli_crt[] = "LwjQje5PDGHfd3h9tP38Qknu5bJqws0md2KOKHyeV0U=\r\n" "-----END CERTIFICATE-----\r\n"; -const char test_cli_key[] = +const char test_cli_key_ec[] = "-----BEGIN EC PRIVATE KEY-----\r\n" "MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n" "AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n" "wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n" "-----END EC PRIVATE KEY-----\r\n"; +#endif /* POLARSSL_ECDSA_C */ -#else /* !POLARSSL_ECDSA_C, so POLARSSL_RSA_C */ -const char test_ca_crt[] = +#if defined(POLARSSL_RSA_C) +const char test_ca_crt_rsa[] = "-----BEGIN CERTIFICATE-----\r\n" "MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" @@ -128,7 +129,7 @@ const char test_ca_crt[] = "7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" "-----END CERTIFICATE-----\r\n"; -const char test_ca_key[] = +const char test_ca_key_rsa[] = "-----BEGIN RSA PRIVATE KEY-----\r\n" "Proc-Type: 4,ENCRYPTED\r\n" "DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n" @@ -160,9 +161,9 @@ const char test_ca_key[] = "P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n" "-----END RSA PRIVATE KEY-----\r\n"; -const char test_ca_pwd[] = "PolarSSLTest"; +const char test_ca_pwd_rsa[] = "PolarSSLTest"; -const char test_srv_crt[] = +const char test_srv_crt_rsa[] = "-----BEGIN CERTIFICATE-----\r\n" "MIIDPzCCAiegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" @@ -184,7 +185,7 @@ const char test_srv_crt[] = "/WzRyYRBRjAI49mzHX6raleqnw==\r\n" "-----END CERTIFICATE-----\r\n"; -const char test_srv_key[] = +const char test_srv_key_rsa[] = "-----BEGIN RSA PRIVATE KEY-----\r\n" "MIIEogIBAAKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/uOhFkNvuiBZS0/FDUEeW\r\n" "Ellkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFDd185fAkER4KwVzlw7aPs\r\n" 
@@ -213,7 +214,7 @@ const char test_srv_key[] = "mKsIVRBq4IfwiwyMNG2BYZQAwbSDjjPtn/kPBduPzPj7eriByhI=\r\n" "-----END RSA PRIVATE KEY-----\r\n"; -const char test_cli_crt[] = +const char test_cli_crt_rsa[] = "-----BEGIN CERTIFICATE-----\r\n" "MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" @@ -235,7 +236,7 @@ const char test_cli_crt[] = "D+stpAKiQLAWaAusIWKYEyw9MQ==\r\n" "-----END CERTIFICATE-----\r\n"; -const char test_cli_key[] = +const char test_cli_key_rsa[] = "-----BEGIN RSA PRIVATE KEY-----\r\n" "MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n" "B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n" 
@@ -263,13 +264,43 @@ const char test_cli_key[] = "bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n" "8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n" "-----END RSA PRIVATE KEY-----\r\n"; -#endif /* !POLARSSL_ECDSA_C, so POLARSSL_RSA_C */ +#endif /* POLARSSL_RSA_C */ +#if defined(POLARSSL_DHM_C) const char test_dhm_params[] = "-----BEGIN DH PARAMETERS-----\r\n" "MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n" "1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n" "9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n" "-----END DH PARAMETERS-----\r\n"; +#endif + +#if defined(POLARSSL_RSA_C) +const char *test_ca_crt = test_ca_crt_rsa; +const char *test_ca_key = test_ca_key_rsa; +const char *test_ca_pwd = test_ca_pwd_rsa; +const char *test_srv_crt = test_srv_crt_rsa; +const char *test_srv_key = test_srv_key_rsa; +const char *test_cli_crt = test_cli_crt_rsa; +const char *test_cli_key = test_cli_key_rsa; +#else /* ! POLARSSL_RSA_C, so POLARSSL_ECDSA_C */ +const char *test_ca_crt = test_ca_crt_ec; +const char *test_ca_key = test_ca_key_ec; +const char *test_ca_pwd = test_ca_pwd_ec; +const char *test_srv_crt = test_srv_crt_ec; +const char *test_srv_key = test_srv_key_ec; +const char *test_cli_crt = test_cli_crt_ec; +const char *test_cli_key = test_cli_key_ec; +#endif + +#if defined(POLARSSL_RSA_C) && defined(POLARSSL_ECDSA_C) +const char *test_ca_crt2 = test_ca_crt_ec; +const char *test_ca_key2 = test_ca_key_ec; +const char *test_ca_pwd2 = test_ca_pwd_ec; +const char *test_srv_crt2 = test_srv_crt_ec; +const char *test_srv_key2 = test_srv_key_ec; +const char *test_cli_crt2 = test_cli_crt_ec; +const char *test_cli_key2 = test_cli_key_ec; +#endif #endif /* POLARSSL_CERTS_C */ From b095a7bf290c9d78260ed94f8d33f0ce98f78f7e Mon Sep 17 00:00:00 2001 
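Review bot: The aliases added at the end of this hunk are writable pointers: `const char *test_srv_key = test_srv_key_rsa;` protects the characters but not the pointer, so anything linked into the process can repoint the default key or CA at run time. Declaring them `const char * const test_srv_key = test_srv_key_rsa;`, with the matching `extern const char * const` in certs.h, lets them live in read-only data. The `#else /* ! POLARSSL_RSA_C, so POLARSSL_ECDSA_C */` branch relies on an assumption nothing here enforces; `#elif defined(POLARSSL_ECDSA_C)` would state it in code. A short comment that these private keys and the `PolarSSLTest` passphrase are published test material, and that POLARSSL_CERTS_C is meant for test builds, would help whoever enables the module.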
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 24 Sep 2013 21:14:51 +0200 Subject: [PATCH 12/18] Offer both RSA and ECDSA by default in ssl_server2 --- programs/ssl/ssl_server2.c | 131 ++++++++++++++++++++++--------------- 1 file changed, 80 insertions(+), 51 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index e73a0b598..34cd9d6d0 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -118,55 +118,6 @@ static void my_debug( void *ctx, int level, const char *str ) } } -#if defined(POLARSSL_X509_CRT_PARSE_C) -static int parse_cert_key( x509_crt *crt, const char *crt_file, - pk_context *key, const char *key_file ) -{ - int ret; - -#if defined(POLARSSL_FS_IO) - if( strlen( crt_file ) ) - ret = x509_crt_parse_file( crt, crt_file ); - else -#endif -#if defined(POLARSSL_CERTS_C) - ret = x509_crt_parse( crt, (const unsigned char *) test_srv_crt, - strlen( test_srv_crt ) ); -#else - { - ret = 1; - printf("POLARSSL_CERTS_C not defined."); - } -#endif - if( ret != 0 ) - { - printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); - return( ret ); - } - -#if defined(POLARSSL_FS_IO) - if( strlen( key_file ) ) - ret = pk_parse_keyfile( key, key_file, "" ); - else -#endif -#if defined(POLARSSL_CERTS_C) - ret = pk_parse_key( key, (const unsigned char *) test_srv_key, - strlen( test_srv_key ), NULL, 0 ); -#else - { - ret = 1; - printf("POLARSSL_CERTS_C not defined."); - } -#endif - if( ret != 0 ) - { - printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret ); - return( ret ); - } - - return( 0 ); -} -#endif /* POLARSSL_X509_CRT_PARSE_C */ #if defined(POLARSSL_X509_CRT_PARSE_C) #if defined(POLARSSL_FS_IO) 
@@ -617,11 +568,87 @@ int main( int argc, char *argv[] ) printf( " . Loading the server cert. and key..." ); fflush( stdout ); - if( parse_cert_key( &srvcert, opt.crt_file, &pkey, opt.key_file ) != 0 ) +#if defined(POLARSSL_FS_IO) + if( strlen( opt.crt_file ) ) + ret = x509_crt_parse_file( &srvcert, opt.crt_file ); + else +#endif +#if defined(POLARSSL_CERTS_C) + ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt, + strlen( test_srv_crt ) ); +#else + { + ret = 1; + printf("POLARSSL_CERTS_C not defined."); + } +#endif + if( ret != 0 ) + { + printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); goto exit; + } - if( parse_cert_key( &srvcert2, opt.crt_file2, &pkey2, opt.key_file2 ) != 0 ) +#if defined(POLARSSL_FS_IO) + if( strlen( opt.key_file ) ) + ret = pk_parse_keyfile( &pkey, opt.key_file, "" ); + else +#endif +#if defined(POLARSSL_CERTS_C) + ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key, + strlen( test_srv_key ), NULL, 0 ); +#else + { + ret = 1; + printf("POLARSSL_CERTS_C not defined."); + } +#endif + if( ret != 0 ) + { + printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret ); goto exit; + } + +#if defined(POLARSSL_RSA_C) && defined(POLARSSL_ECDSA_C) +#if defined(POLARSSL_FS_IO) + if( strlen( opt.crt_file2 ) ) + ret = x509_crt_parse_file( &srvcert2, opt.crt_file2 ); + else +#endif +#if defined(POLARSSL_CERTS_C) + ret = x509_crt_parse( &srvcert2, (const unsigned char *) test_srv_crt2, + strlen( test_srv_crt2 ) ); +#else + { + ret = 1; + printf("POLARSSL_CERTS_C not defined."); + } +#endif + if( ret != 0 ) + { + printf( " failed\n ! 
x509_crt_parse(2) returned -0x%x\n\n", -ret ); + goto exit; + } + +#if defined(POLARSSL_FS_IO) + if( strlen( opt.key_file2 ) ) + ret = pk_parse_keyfile( &pkey2, opt.key_file2, "" ); + else +#endif +#if defined(POLARSSL_CERTS_C) + ret = pk_parse_key( &pkey2, (const unsigned char *) test_srv_key2, + strlen( test_srv_key2 ), NULL, 0 ); +#else + { + ret = 1; + printf("POLARSSL_CERTS_C not defined."); + } +#endif + if( ret != 0 ) + { + printf( " failed\n ! pk_parse_key(2) returned -0x%x\n\n", -ret ); + goto exit; + } +#endif /* POLARSSL_RSA_C && POLARSSL_ECDSA_C */ printf( " ok\n" ); #endif /* POLARSSL_X509_CRT_PARSE_C */ @@ -680,8 +707,10 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_X509_CRT_PARSE_C) ssl_set_ca_chain( &ssl, &cacert, NULL, NULL ); ssl_set_own_cert( &ssl, &srvcert, &pkey ); +#if defined(POLARSSL_RSA_C) && defined(POLARSSL_ECDSA_C) ssl_set_own_cert( &ssl, &srvcert2, &pkey2 ); #endif +#endif #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) ssl_set_psk( &ssl, psk, psk_len, (const unsigned char *) opt.psk_identity, From 8372454615207dc701b0fa845a43e2793ad40d41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 24 Sep 2013 22:30:56 +0200 Subject: [PATCH 13/18] Rework SNI to fix memory issues --- include/polarssl/ssl.h | 12 ++++++++++-- library/ssl_srv.c | 18 ++++++++++++------ library/ssl_tls.c | 20 +++++++++++++++++--- 3 files changed, 39 insertions(+), 11 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index d6db97807..fb9a40c8b 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h 
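Review bot: In the block that replaces the `parse_cert_key()` calls, the certificate and the key are chosen independently, so with POLARSSL_FS_IO and POLARSSL_CERTS_C both enabled a server started with `crt_file` set and `key_file` empty (or the reverse) pairs the operator's certificate with the built-in `test_srv_key`, whose private half is published in library/certs.c. The same holds for `crt_file2`/`key_file2`. A guard before the first load on `!strlen( opt.crt_file ) != !strlen( opt.key_file )`, printing an error and taking `goto exit`, would reject the half-configured case. The four stanzas are also near copies of the removed helper; keeping it and passing the fallback PEM as an argument would leave one place to fix. main() starts and ends outside this hunk.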
@@ -493,8 +493,16 @@ struct _ssl_handshake_params const ecp_curve_info **curves; /*!< Supported elliptic curves */ #endif #if defined(POLARSSL_X509_CRT_PARSE_C) - ssl_key_cert *key_cert; /*!< Own key/cert in use */ - int free_key_cert; /*!< Shall we free key_cert? */ + /** + * Current key/cert or key/cert list. + * On client: pointer to ssl->key_cert, only the first entry used. + * On server: starts as a pointer to ssl->key_cert, then becomes + * a pointer to the chosen key from this list or the SNI list. + */ + ssl_key_cert *key_cert; +#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) + ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ +#endif #endif /* diff --git a/library/ssl_srv.c b/library/ssl_srv.c index e291c53d1..960906bd1 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -339,8 +339,8 @@ static int ssl_parse_ticket( ssl_context *ssl, #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) /* - * Wrapper around f_sni, allowing use of - * ssl_set_own_cert() but making it act on ssl->hanshake->key_cert instead. + * Wrapper around f_sni, allowing use of ssl_set_own_cert() but + * making it act on ssl->hanshake->sni_key_cert instead. */ static int ssl_sni_wrapper( ssl_context *ssl, const unsigned char* name, size_t len ) @@ -350,8 +350,7 @@ static int ssl_sni_wrapper( ssl_context *ssl, ssl->key_cert = NULL; ret = ssl->f_sni( ssl->p_sni, ssl, name, len ); - ssl->handshake->key_cert = ssl->key_cert; - ssl->handshake->free_key_cert = 1; + ssl->handshake->sni_key_cert = ssl->key_cert; ssl->key_cert = key_cert_ori; 
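Review bot: In ssl_sni_wrapper(), `ssl->handshake->sni_key_cert = ssl->key_cert;` overwrites whatever list an earlier call stored, so if the wrapper can run more than once in a handshake (its caller is outside this hunk), the nodes from the earlier call are no longer reachable when ssl_handshake_free() walks the list. Either release the old list before the callback runs or refuse a second invocation while `sni_key_cert` is non-NULL. The list is also stored when `f_sni` returns an error, which looks intentional so that it still gets freed; a comment saying so would save the next reader the question. In the block comment of the preceding hunk, `ssl->hanshake->sni_key_cert` should be `ssl->handshake->sni_key_cert`.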
@@ -933,13 +932,20 @@ static int ssl_key_matches_curves( pk_context *pk, static int ssl_pick_cert( ssl_context *ssl, const ssl_ciphersuite_t * ciphersuite_info ) { - ssl_key_cert *cur; + ssl_key_cert *cur, *list; pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); +#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) + if( ssl->handshake->sni_key_cert != NULL ) + list = ssl->handshake->sni_key_cert; + else +#endif + list = ssl->handshake->key_cert; + if( pk_alg == POLARSSL_PK_NONE ) return( 0 ); - for( cur = ssl->key_cert; cur != NULL; cur = cur->next ) + for( cur = list; cur != NULL; cur = cur->next ) { if( ! pk_can_do( cur->key, pk_alg ) ) continue; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a94751ba2..388ce8d26 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4170,9 +4170,23 @@ void ssl_handshake_free( ssl_handshake_params *handshake ) polarssl_free( handshake->curves ); #endif -#if defined(POLARSSL_X509_CRT_PARSE_C) - if( handshake->free_key_cert != 0 ) - ssl_key_cert_free( handshake->key_cert ); +#if defined(POLARSSL_X509_CRT_PARSE_C) && \ + defined(POLARSSL_SSL_SERVER_NAME_INDICATION) + /* + * Free only the linked list wrapper, not the keys themselves + * since the belong to the SNI callback + */ + if( handshake->sni_key_cert != NULL ) + { + ssl_key_cert *cur = handshake->sni_key_cert, *next; + + while( cur != NULL ) + { + next = cur->next; + polarssl_free( cur ); + cur = next; + } + } #endif memset( handshake, 0, sizeof( ssl_handshake_params ) ); From ac8474fb1c6230bf15db1a08d9784acf0551c2a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 25 Sep 2013 11:35:15 +0200 Subject: [PATCH 14/18] Changed default cert loading in ssl_server2 --- programs/ssl/ssl_server2.c | 136 ++++++++++++++++++------------------- 1 file changed, 68 insertions(+), 68 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 34cd9d6d0..4b1cec2fa 100644 
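Review bot: The non-SNI search in ssl_pick_cert() now starts at `ssl->handshake->key_cert` instead of `ssl->key_cert`, and the new comment in ssl.h says that field later becomes a pointer to the chosen key; if the function is ever entered after a choice has been stored, the loop begins at the chosen node and never sees the entries before it. Unless something outside this hunk resets the field, `list = ssl->key_cert;` in the fallback branch keeps the full configured list in view. The `else` that straddles `#endif` works but is easy to break; a comment on the dangling `else` would make the two build shapes obvious. The function continues past the end of the hunk.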
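Review bot: The loop in ssl_handshake_free() releases only the list nodes with `polarssl_free( cur )`, which is right for keys the callback owns, but the wrapper lets the callback go through ssl_set_own_cert(), and if any variant of that call allocates a key context on the node's behalf (not visible in this hunk), that allocation is leaked here. Walking the list with the existing `ssl_key_cert_free( handshake->sni_key_cert )`, provided it frees only what the node itself allocated, would cover both cases; otherwise the callback contract in ssl.h should say which setters are allowed. The outer `if( handshake->sni_key_cert != NULL )` repeats the `while` condition and can go. The comment should read `since they belong to the SNI callback`.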
--- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -127,11 +127,13 @@ static void my_debug( void *ctx, int level, const char *str ) " ca_path=%%s The path containing the top-level CA(s) you fully trust\n" \ " default: \"\" (pre-loaded) (overrides ca_file)\n" \ " crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \ - " default: \"\" (pre-loaded)\n" \ - " key_file=%%s default: \"\" (pre-loaded)\n" \ + " default: see note after key_file2\n" \ + " key_file=%%s default: see note after key_file2\n" \ " crt_file2=%%s Your second cert and chain (in bottom to top order, top may be omitted)\n" \ - " default: \"\" (pre-loaded)\n" \ - " key_file2=%%s default: \"\" (pre-loaded)\n" + " default: see note after key_file2\n" \ + " key_file2=%%s default: see note below\n" \ + " note: if neither crt_file/key_file nor crt_file2/key_file2 are used,\n" \ + " preloaded certificate(s) and key(s) are used if available\n" #else #define USAGE_IO \ "\n" \ @@ -222,6 +224,7 @@ int main( int argc, char *argv[] ) pk_context pkey; x509_crt srvcert2; pk_context pkey2; + int key_cert_provided = 0; #endif #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_context cache; 
@@ -570,85 +573,82 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) - ret = x509_crt_parse_file( &srvcert, opt.crt_file ); - else -#endif -#if defined(POLARSSL_CERTS_C) - ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt, - strlen( test_srv_crt ) ); -#else { - ret = 1; - printf("POLARSSL_CERTS_C not defined."); + key_cert_provided = 1; + if( ( ret = x509_crt_parse_file( &srvcert, opt.crt_file ) ) != 0 ) + { + printf( " failed\n ! x509_crt_parse_file returned -0x%x\n\n", + -ret ); + goto exit; + } } -#endif - if( ret != 0 ) - { - printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); - goto exit; - } - -#if defined(POLARSSL_FS_IO) if( strlen( opt.key_file ) ) - ret = pk_parse_keyfile( &pkey, opt.key_file, "" ); - else -#endif -#if defined(POLARSSL_CERTS_C) - ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key, - strlen( test_srv_key ), NULL, 0 ); -#else { - ret = 1; - printf("POLARSSL_CERTS_C not defined."); + key_cert_provided = 1; + if( ( ret = pk_parse_keyfile( &pkey, opt.key_file, "" ) ) != 0 ) + { + printf( " failed\n ! pk_parse_keyfile returned -0x%x\n\n", -ret ); + goto exit; + } } -#endif - if( ret != 0 ) - { - printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret ); - goto exit; - } - -#if defined(POLARSSL_RSA_C) && defined(POLARSSL_ECDSA_C) -#if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file2 ) ) - ret = x509_crt_parse_file( &srvcert2, opt.crt_file2 ); - else -#endif -#if defined(POLARSSL_CERTS_C) - ret = x509_crt_parse( &srvcert2, (const unsigned char *) test_srv_crt2, - strlen( test_srv_crt2 ) ); -#else { - ret = 1; - printf("POLARSSL_CERTS_C not defined."); + key_cert_provided = 1; + if( ( ret = x509_crt_parse_file( &srvcert2, opt.crt_file2 ) ) != 0 ) + { + printf( " failed\n ! x509_crt_parse_file(2) returned -0x%x\n\n", + -ret ); + goto exit; + } } -#endif - if( ret != 0 ) - { - printf( " failed\n ! 
x509_crt_parse(2) returned -0x%x\n\n", -ret ); - goto exit; - } - -#if defined(POLARSSL_FS_IO) if( strlen( opt.key_file2 ) ) - ret = pk_parse_keyfile( &pkey2, opt.key_file2, "" ); - else -#endif -#if defined(POLARSSL_CERTS_C) - ret = pk_parse_key( &pkey2, (const unsigned char *) test_srv_key2, - strlen( test_srv_key2 ), NULL, 0 ); -#else { - ret = 1; - printf("POLARSSL_CERTS_C not defined."); + key_cert_provided = 1; + if( ( ret = pk_parse_keyfile( &pkey2, opt.key_file2, "" ) ) != 0 ) + { + printf( " failed\n ! pk_parse_keyfile(2) returned -0x%x\n\n", + -ret ); + goto exit; + } } #endif - if( ret != 0 ) + if( key_cert_provided == 0 ) { - printf( " failed\n ! pk_parse_key(2) returned -0x%x\n\n", -ret ); +#if !defined(POLARSSL_CERTS_C) + printf( "Not certificated or key provided, and \n" + "POLARSSL_CERTS_C not defined!\n" ); goto exit; - } +#else + if( ( ret = x509_crt_parse( &srvcert, + (const unsigned char *) test_srv_crt, + strlen( test_srv_crt ) ) ) != 0 ) + { + printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); + goto exit; + } + if( ( ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key, + strlen( test_srv_key ), NULL, 0 ) ) != 0 ) + { + printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret ); + goto exit; + } +#if defined(POLARSSL_RSA_C) && defined(POLARSSL_ECDSA_C) + if( ( ret = x509_crt_parse( &srvcert2, + (const unsigned char *) test_srv_crt2, + strlen( test_srv_crt2 ) ) ) != 0 ) + { + printf( " failed\n ! x509_crt_parse2 returned -0x%x\n\n", -ret ); + goto exit; + } + if( ( ret = pk_parse_key( &pkey2, (const unsigned char *) test_srv_key2, + strlen( test_srv_key2 ), NULL, 0 ) ) != 0 ) + { + printf( " failed\n ! pk_parse_key2 returned -0x%x\n\n", -ret ); + goto exit; + } #endif /* POLARSSL_RSA_C && POLARSSL_ECDSA_C */ +#endif /* POLARSSL_CERTS_C */ + } printf( " ok\n" ); #endif /* POLARSSL_X509_CRT_PARSE_C */ From 420edcaf1dc6f9f5a08f4cc9ced5a2203069d19c Mon Sep 17 00:00:00 2001 
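Review bot: `key_cert_provided` is set as soon as any one of the four options is non-empty, so `crt_file` without `key_file`, or a first pair without a second, skips the built-in fallback and leaves the remaining `x509_crt`/`pk_context` objects unparsed; the `ssl_set_own_cert()` calls later in main() (outside this hunk) are then presumably handed empty contexts. Checking that each certificate comes with its key, and registering the second pair only when it was actually loaded, would turn that into a clear start-up error. In the `!defined(POLARSSL_CERTS_C)` branch the message should begin `"No certificate or key provided, and \n"`. That branch also takes `goto exit` without assigning `ret`, so the exit status may not report a failure, depending on the value `ret` holds at that point.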
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 25 Sep 2013 11:52:38 +0200 Subject: [PATCH 15/18] Clean up config-suite-b.h thanks to new certs --- scripts/data_files/config-suite-b.h | 4 ---- tests/suites/test_suite_ecp.data | 2 +- tests/suites/test_suite_x509parse.data | 4 ++-- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/scripts/data_files/config-suite-b.h b/scripts/data_files/config-suite-b.h index a1543ee9c..d140d8f7f 100644 --- a/scripts/data_files/config-suite-b.h +++ b/scripts/data_files/config-suite-b.h @@ -45,9 +45,5 @@ /* For testing with compat.sh */ #define POLARSSL_FS_IO -/* Temporary for current certificates */ -#define POLARSSL_ECP_DP_SECP192R1_ENABLED -#define POLARSSL_SHA1_C - /* marker for activate-config.pl * \} name SECTION: PolarSSL modules */ diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index 8f32bdc57..1b4d14afc 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data @@ -246,6 +246,7 @@ depends_on:POLARSSL_ECP_DP_SECP521R1_ENABLED ecp_tls_write_read_group:POLARSSL_ECP_DP_SECP521R1 ECP check privkey +depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED ecp_check_privkey:POLARSSL_ECP_DP_SECP192R1 ECP gen keypair @@ -281,5 +282,4 @@ depends_on:POLARSSL_ECP_DP_SECP521R1_ENABLED ecp_test_vect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selftest -depends_on:POLARSSL_SELF_TEST ecp_selftest: diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index d9438d3fc..567dcd2d5 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -67,7 +67,7 @@ depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C x509_cert_info:"data_files/server4.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nRSA key size \: 2048 bits\n" X509 Certificate information EC signed by RSA -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP192R1_ENABLED x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\n" X509 certificate v1 with extension @@ -375,7 +375,7 @@ depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_ x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Parse Selftest -depends_on:POLARSSL_MD5_C:POLARSSL_PEM_PARSE_C:POLARSSL_SELF_TEST +depends_on:POLARSSL_MD5_C:POLARSSL_PEM_PARSE_C x509_selftest: X509 Certificate ASN1 (Incorrect first tag) From 641de714b617d5161b6b32539766ea179cde9174 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 25 Sep 2013 13:23:33 +0200 Subject: [PATCH 16/18] Use both RSA and ECDSA CA if available --- include/polarssl/certs.h | 3 ++ library/certs.c | 85 +++++++++++++++++++--------------- programs/ssl/ssl_client1.c | 4 +- programs/ssl/ssl_client2.c | 4 +- programs/ssl/ssl_fork_server.c | 4 +- programs/ssl/ssl_mail_client.c | 4 +- programs/ssl/ssl_server.c | 4 +- programs/ssl/ssl_server2.c | 4 +- programs/test/ssl_test.c | 4 +- 9 files changed, 64 insertions(+), 52 deletions(-) 
diff --git a/include/polarssl/certs.h b/include/polarssl/certs.h index ded3ddf06..5fcd85da0 100644 --- a/include/polarssl/certs.h +++ b/include/polarssl/certs.h @@ -31,6 +31,9 @@ extern "C" { #endif +/* Concatenation of all available CA certificates */ +extern const char test_ca_list[]; + /* First set of certificates: RSA, or ECDSA if RSA is not available */ extern const char *test_ca_crt; extern const char *test_ca_key; diff --git a/library/certs.c b/library/certs.c index 1a853515d..67172dde2 100644 --- a/library/certs.c +++ b/library/certs.c 
@@ -28,22 +28,23 @@ #if defined(POLARSSL_CERTS_C) #if defined(POLARSSL_ECDSA_C) -const char test_ca_crt_ec[] = -"-----BEGIN CERTIFICATE-----\r\n" -"MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT\r\n" -"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" -"QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT\r\n" -"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" -"QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu\r\n" -"ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy\r\n" -"aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g\r\n" -"JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7\r\n" -"NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE\r\n" -"AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w\r\n" -"CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56\r\n" -"t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv\r\n" -"uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n" -"-----END CERTIFICATE-----\r\n"; +#define TEST_CA_CRT_EC \ +"-----BEGIN CERTIFICATE-----\r\n" \ +"MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT\r\n" \ +"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" \ +"QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT\r\n" \ +"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" \ +"QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu\r\n" \ +"ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy\r\n" \ +"aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g\r\n" \ +"JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7\r\n" \ +"NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE\r\n" \ +"AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w\r\n" \ +"CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56\r\n" \ 
+"t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv\r\n" \ +"uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n" \ +"-----END CERTIFICATE-----\r\n" +const char test_ca_crt_ec[] = TEST_CA_CRT_EC; const char test_ca_key_ec[] = "-----BEGIN EC PRIVATE KEY-----\r\n" 
@@ -103,31 +104,34 @@ const char test_cli_key_ec[] = "AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n" "wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n" "-----END EC PRIVATE KEY-----\r\n"; +#else +#define TEST_CA_CRT_EC #endif /* POLARSSL_ECDSA_C */ #if defined(POLARSSL_RSA_C) -const char test_ca_crt_rsa[] = -"-----BEGIN CERTIFICATE-----\r\n" -"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" -"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" -"MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" -"A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" -"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" -"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" -"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" -"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" -"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" -"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" -"gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH\r\n" -"/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV\r\n" -"BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz\r\n" -"dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ\r\n" -"SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H\r\n" -"DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF\r\n" -"pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf\r\n" -"m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n" -"7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" -"-----END CERTIFICATE-----\r\n"; +#define TEST_CA_CRT_RSA \ +"-----BEGIN CERTIFICATE-----\r\n" \ +"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \ +"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \ 
+"MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \ +"A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \ +"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \ +"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \ +"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \ +"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \ +"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \ +"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \ +"gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH\r\n" \ +"/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV\r\n" \ +"BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz\r\n" \ +"dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ\r\n" \ +"SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H\r\n" \ +"DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF\r\n" \ +"pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf\r\n" \ +"m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n" \ +"7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" \ +"-----END CERTIFICATE-----\r\n" +const char test_ca_crt_rsa[] = TEST_CA_CRT_RSA; const char test_ca_key_rsa[] = "-----BEGIN RSA PRIVATE KEY-----\r\n" @@ -264,6 +268,8 @@ const char test_cli_key_rsa[] = "bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n" "8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n" "-----END RSA PRIVATE KEY-----\r\n"; +#else +#define TEST_CA_CRT_RSA #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_DHM_C) 
@@ -275,6 +281,9 @@ const char test_dhm_params[] = "-----END DH PARAMETERS-----\r\n"; #endif +/* Concatenation of all available CA certificates */ +const char test_ca_list[] = TEST_CA_CRT_RSA TEST_CA_CRT_EC; + #if defined(POLARSSL_RSA_C) const char *test_ca_crt = test_ca_crt_rsa; const char *test_ca_key = test_ca_key_rsa; diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 286075a4d..2c6e7c868 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -109,8 +109,8 @@ int main( int argc, char *argv[] ) fflush( stdout ); #if defined(POLARSSL_CERTS_C) - ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, + strlen( test_ca_list ) ); #else ret = 1; printf("POLARSSL_CERTS_C not defined."); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 9684aa89b..f518d39f7 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -576,8 +576,8 @@ int main( int argc, char *argv[] ) else #endif #if defined(POLARSSL_CERTS_C) - ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, + strlen( test_ca_list ) ); #else { ret = 1; diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 1d2791cc2..3d4c7d3b3 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -145,8 +145,8 @@ int main( int argc, char *argv[] ) goto exit; } - ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_list, + strlen( test_ca_list ) ); if( ret != 0 ) { printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index e8a49dbe6..edee85db7 100644 
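Review bot: `test_ca_list` is left without an initializer when neither POLARSSL_RSA_C nor POLARSSL_ECDSA_C is defined. The `#else` branches added in the two earlier certs.c hunks define `TEST_CA_CRT_RSA` and `TEST_CA_CRT_EC` as empty, so the line expands to `const char test_ca_list[] = ;` and does not compile. Appending an empty literal keeps the concatenation valid in every configuration: `const char test_ca_list[] = TEST_CA_CRT_RSA TEST_CA_CRT_EC "";`. Whether that configuration is reachable with POLARSSL_CERTS_C enabled depends on checks outside this page, as does the non-empty definition of `TEST_CA_CRT_EC`.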
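Review bot: Nothing near this call says that `test_ca_list`, which now fills the client's trust store, holds test CAs whose private keys are compiled into the library (`test_ca_key_rsa` is visible in the certs.c hunk above). Example programs get copied, and a copy that keeps these anchors accepts certificates that anyone holding the published key can issue. A comment on the call would make that explicit: `/* test CAs only: their private keys are public, replace with your own CA before deployment */`. The same applies to the `cacert` calls changed in ssl_client2.c, ssl_mail_client.c and ssl_server2.c; main() starts and ends outside the hunk.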
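Review bot: `srvcert` in ssl_fork_server.c looks like the server's own certificate chain rather than a trust store, so parsing `test_ca_list` into it appends every test CA. When both RSA and ECDSA are built in, that includes a CA which did not issue the server certificate. If `srvcert` is later handed to `ssl_set_own_cert` (outside the hunk), the server would send that unrelated CA certificate as part of its chain. Consider parsing the list into a separate `x509_crt` used only for `ssl_set_ca_chain`, and appending just the issuing CA to `srvcert`. The same pattern appears in the ssl_server.c and ssl_test.c hunks of this patch.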
--- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -484,8 +484,8 @@ int main( int argc, char *argv[] ) else #endif #if defined(POLARSSL_CERTS_C) - ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, + strlen( test_ca_list ) ); #else { ret = 1; diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 258ca5b98..2a528cb07 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -125,8 +125,8 @@ int main( int argc, char *argv[] ) goto exit; } - ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_list, + strlen( test_ca_list ) ); if( ret != 0 ) { printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 4b1cec2fa..ba651318f 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -549,8 +549,8 @@ int main( int argc, char *argv[] ) else #endif #if defined(POLARSSL_CERTS_C) - ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, + strlen( test_ca_list ) ); #else { ret = 1; diff --git a/programs/test/ssl_test.c b/programs/test/ssl_test.c index 8cc2d0f7a..97e308f7f 100644 --- a/programs/test/ssl_test.c +++ b/programs/test/ssl_test.c @@ -218,8 +218,8 @@ static int ssl_test( struct options *opt ) goto exit; } - ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_list, + strlen( test_ca_list ) ); if( ret != 0 ) { printf( " ! x509_crt_parse returned %d\n\n", ret ); From cb99bdb27e798f2759e6800a6845e45c598febf2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 25 Sep 2013 13:30:56 +0200 Subject: [PATCH 17/18] Client: if no cert, send empty cert list --- library/ssl_cli.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index ae8c916c8..81d8e8834 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1619,14 +1619,6 @@ static int ssl_parse_certificate_request( ssl_context *ssl ) p++; } - // TODO: shall we abort now or send an empty certificate list later? - - if( ssl->handshake->cert_type == 0 ) - { - SSL_DEBUG_MSG( 1, ( "no known cert_type provided" ) ); - return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); - } - #if defined(POLARSSL_SSL_PROTO_TLS1_2) if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) { From a0fdf8b0a049968521f95303f3e794fd4107c811 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 25 Sep 2013 14:05:49 +0200 Subject: [PATCH 18/18] Simplify the way default certs are used --- include/polarssl/certs.h | 16 +++-------- library/certs.c | 10 ------- programs/ssl/ssl_server2.c | 57 +++++++++++++++++++++++++------------- 3 files changed, 41 insertions(+), 42 deletions(-) diff --git a/include/polarssl/certs.h b/include/polarssl/certs.h index 5fcd85da0..ba7c028af 100644 --- a/include/polarssl/certs.h +++ b/include/polarssl/certs.h @@ -34,7 +34,10 @@ extern "C" { /* Concatenation of all available CA certificates */ extern const char test_ca_list[]; -/* First set of certificates: RSA, or ECDSA if RSA is not available */ +/* + * Convenience for users who just want a certificate: + * RSA by default, or ECDSA if RSA i not available + */ extern const char *test_ca_crt; extern const char *test_ca_key; extern const char *test_ca_pwd; 
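Review bot: The new comment in certs.h has a typo: `RSA i not available` should read `RSA is not available`. Since these pointers are what most callers will pick up, the comment could also state that they refer to test material, for example by adding the line `* (test certificates and keys only, not for production use)`.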
@@ -43,17 +46,6 @@ extern const char *test_srv_key; extern const char *test_cli_crt; extern const char *test_cli_key; -/* Second set of certificates: ECDSA is both are available */ -#if defined(POLARSSL_RSA_C) && defined(POLARSSL_RSA_C) -extern const char *test_ca_crt2; -extern const char *test_ca_key2; -extern const char *test_ca_pwd2; -extern const char *test_srv_crt2; -extern const char *test_srv_key2; -extern const char *test_cli_crt2; -extern const char *test_cli_key2; -#endif - #if defined(POLARSSL_ECDSA_C) extern const char test_ca_crt_ec[]; extern const char test_ca_key_ec[]; diff --git a/library/certs.c b/library/certs.c index 67172dde2..17775b889 100644 --- a/library/certs.c +++ b/library/certs.c @@ -302,14 +302,4 @@ const char *test_cli_crt = test_cli_crt_ec; const char *test_cli_key = test_cli_key_ec; #endif -#if defined(POLARSSL_RSA_C) && defined(POLARSSL_ECDSA_C) -const char *test_ca_crt2 = test_ca_crt_ec; -const char *test_ca_key2 = test_ca_key_ec; -const char *test_ca_pwd2 = test_ca_pwd_ec; -const char *test_srv_crt2 = test_srv_crt_ec; -const char *test_srv_key2 = test_srv_key_ec; -const char *test_cli_crt2 = test_cli_crt_ec; -const char *test_cli_key2 = test_cli_key_ec; -#endif - #endif /* POLARSSL_CERTS_C */ diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index ba651318f..2d81e755e 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -224,7 +224,7 @@ int main( int argc, char *argv[] ) pk_context pkey; x509_crt srvcert2; pk_context pkey2; - int key_cert_provided = 0; + int key_cert_init = 0, key_cert_init2 = 0; #endif #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_context cache; @@ -574,7 +574,7 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) { - key_cert_provided = 1; + key_cert_init++; if( ( ret = x509_crt_parse_file( &srvcert, opt.crt_file ) ) != 0 ) { printf( " failed\n ! x509_crt_parse_file returned -0x%x\n\n", 
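Review bot: `key_cert_init` and `key_cert_init2` in ssl_server2.c are used as counters rather than flags, and the declaration does not say so. Later hunks increment them once per file option, reject the value 1, and assign 2 after loading the built-in pair. A comment on the declaration would spell out the convention: `/* 0: nothing loaded, 1: only cert or only key (error), 2: both */`. main() continues outside the hunk.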
@@ -584,16 +584,22 @@ int main( int argc, char *argv[] ) } if( strlen( opt.key_file ) ) { - key_cert_provided = 1; + key_cert_init++; if( ( ret = pk_parse_keyfile( &pkey, opt.key_file, "" ) ) != 0 ) { printf( " failed\n ! pk_parse_keyfile returned -0x%x\n\n", -ret ); goto exit; } } + if( key_cert_init == 1 ) + { + printf( " failed\n ! crt_file without key_file or vice-versa\n\n" ); + goto exit; + } + if( strlen( opt.crt_file2 ) ) { - key_cert_provided = 1; + key_cert_init2++; if( ( ret = x509_crt_parse_file( &srvcert2, opt.crt_file2 ) ) != 0 ) { printf( " failed\n ! x509_crt_parse_file(2) returned -0x%x\n\n", @@ -603,7 +609,7 @@ int main( int argc, char *argv[] ) } if( strlen( opt.key_file2 ) ) { - key_cert_provided = 1; + key_cert_init2++; if( ( ret = pk_parse_keyfile( &pkey2, opt.key_file2, "" ) ) != 0 ) { printf( " failed\n ! pk_parse_keyfile(2) returned -0x%x\n\n", 
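Review bot: The new `key_cert_init == 1` branch jumps to `exit` without setting `ret`, which at that point still holds the result of the last successful parse. If the exit path derives the process status from `ret` (it is outside the hunk), a certificate supplied without its key would be reported as success. Adding `ret = 1;` before `goto exit;`, as the ssl_client1.c error path shown earlier in this series does, avoids that. The `key_cert_init2 == 1` branch in the next hunk needs the same line.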
@@ -611,42 +617,53 @@ int main( int argc, char *argv[] ) goto exit; } } + if( key_cert_init2 == 1 ) + { + printf( " failed\n ! crt_file2 without key_file2 or vice-versa\n\n" ); + goto exit; + } #endif - if( key_cert_provided == 0 ) + if( key_cert_init == 0 && key_cert_init2 == 0 ) { #if !defined(POLARSSL_CERTS_C) printf( "Not certificated or key provided, and \n" "POLARSSL_CERTS_C not defined!\n" ); goto exit; #else +#if defined(POLARSSL_RSA_C) if( ( ret = x509_crt_parse( &srvcert, - (const unsigned char *) test_srv_crt, - strlen( test_srv_crt ) ) ) != 0 ) + (const unsigned char *) test_srv_crt_rsa, + strlen( test_srv_crt_rsa ) ) ) != 0 ) { printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); goto exit; } - if( ( ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key, - strlen( test_srv_key ), NULL, 0 ) ) != 0 ) + if( ( ret = pk_parse_key( &pkey, + (const unsigned char *) test_srv_key_rsa, + strlen( test_srv_key_rsa ), NULL, 0 ) ) != 0 ) { printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret ); goto exit; } -#if defined(POLARSSL_RSA_C) && defined(POLARSSL_ECDSA_C) + key_cert_init = 2; +#endif /* POLARSSL_RSA_C */ +#if defined(POLARSSL_ECDSA_C) if( ( ret = x509_crt_parse( &srvcert2, - (const unsigned char *) test_srv_crt2, - strlen( test_srv_crt2 ) ) ) != 0 ) + (const unsigned char *) test_srv_crt_ec, + strlen( test_srv_crt_ec ) ) ) != 0 ) { printf( " failed\n ! x509_crt_parse2 returned -0x%x\n\n", -ret ); goto exit; } - if( ( ret = pk_parse_key( &pkey2, (const unsigned char *) test_srv_key2, - strlen( test_srv_key2 ), NULL, 0 ) ) != 0 ) + if( ( ret = pk_parse_key( &pkey2, + (const unsigned char *) test_srv_key_ec, + strlen( test_srv_key_ec ), NULL, 0 ) ) != 0 ) { printf( " failed\n ! pk_parse_key2 returned -0x%x\n\n", -ret ); goto exit; } -#endif /* POLARSSL_RSA_C && POLARSSL_ECDSA_C */ + key_cert_init2 = 2; +#endif /* POLARSSL_ECDSA_C */ #endif /* POLARSSL_CERTS_C */ } 
@@ -706,10 +723,10 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_X509_CRT_PARSE_C) ssl_set_ca_chain( &ssl, &cacert, NULL, NULL ); - ssl_set_own_cert( &ssl, &srvcert, &pkey ); -#if defined(POLARSSL_RSA_C) && defined(POLARSSL_ECDSA_C) - ssl_set_own_cert( &ssl, &srvcert2, &pkey2 ); -#endif + if( key_cert_init ) + ssl_set_own_cert( &ssl, &srvcert, &pkey ); + if( key_cert_init2 ) + ssl_set_own_cert( &ssl, &srvcert2, &pkey2 ); #endif #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
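Review bot: Both `ssl_set_own_cert` calls discard any result. If the function returns a status, for instance because registering an additional key/cert pair can fail (its prototype is not on this page), the server would continue with fewer credentials than configured and the problem would surface only during a handshake. Checking it in the style used elsewhere in this file, `if( ( ret = ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) goto exit;`, would report it at start-up. main() starts and ends outside the hunk.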