
Add CA tools used for test certificate generation.

These are from openssl.

svn path=/trunk/kdesupport/qca/; revision=690746
Brad Hards 2007-07-22 04:32:00 +00:00
parent 515bbd19e1
commit e1c4a32119
17 changed files with 872 additions and 0 deletions

@ -5,6 +5,10 @@ for qconf/qmake, experimental only) in this directory. You can also
run a single set of tests by doing "make test" in the applicable
subdirectory. See "TestPlan" for more detail.
The "testcerts" directory is not a unit test. It is the tools used
to generate certificates used in unit tests, and is a copy of the
CA.pl script and associated configuration file provided with openssl.
These tests are implemented using the QTestLib test framework provided
with Qt 4.1 and later. If you are having trouble with a test, you can
get more information by running the test applicable directly (e.g. if

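--- a/unittest/testcerts/CA.pl
+++ b/unittest/testcerts/CA.pl
@@ -0,0 +1,189 @@
+#!/usr/bin/perl
+#
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+# some setup stuff to be done before you can use it and this makes
+# things easier between now and when Eric is convinced to fix it :-)
+#
+# CA -newca ... will setup the right stuff
+# CA -newreq[-nodes] ... will generate a certificate request
+# CA -sign ... will sign the generated request and output
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh Added more things ... including CA -signcert which
+# converts a certificate to a request and then signs it.
+# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
+# environment variable so this can be driven from
+# a script.
+# 25-Jul-96 eay Cleaned up filenames some more.
+# 11-Jun-96 eay Fixed a few filename missmatches.
+# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+# 27-Apr-98 snh Translation into perl, fix existing CA bug.
+#
+#
+# Steve Henson
+# shenson@bigfoot.com
+# default openssl.cnf file has setup as per the following
+# demoCA ... where everything is stored
+my $openssl;
+if(defined $ENV{OPENSSL}) {
+$openssl = $ENV{OPENSSL};
+} else {
+$openssl = "openssl";
+$ENV{OPENSSL} = $openssl;
+}
+#$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
+$DAYS="-days 3650"; # 10 years
+$CADAYS="-days 2000"; # ~6 years
+$REQ="$openssl req -config ./openssl.cnf";
+$CA="$openssl ca -config ./openssl.cnf";
+$VERIFY="$openssl verify";
+$X509="$openssl x509";
+$PKCS12="$openssl pkcs12";
+$CATOP="./CA";
+$CAKEY="cakey.pem";
+$CAREQ="careq.pem";
+$CACERT="cacert.pem";
+$DIRMODE = 0777;
+$RET = 0;
+foreach (@ARGV) {
+if ( /^(-\?|-h|-help)$/ ) {
+print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+exit 0;
+} elsif (/^-newcert$/) {
+# create a certificate
+system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
+$RET=$?;
+print "Certificate is in newcert.pem, private key is in newkey.pem\n"
+} elsif (/^-newreq$/) {
+# create a certificate request
+system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
+$RET=$?;
+print "Request is in newreq.pem, private key is in newkey.pem\n";
+} elsif (/^-newreq-nodes$/) {
+# create a certificate request
+system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
+$RET=$?;
+print "Request is in newreq.pem, private key is in newkey.pem\n";
+} elsif (/^-newca$/) {
+# if explicitly asked for or it doesn't exist then setup the
+# directory structure that Eric likes to manage things
+$NEW="1";
+if ( "$NEW" || ! -f "${CATOP}/serial" ) {
+# create the directory hierarchy
+mkdir $CATOP, $DIRMODE;
+mkdir "${CATOP}/certs", $DIRMODE;
+mkdir "${CATOP}/crl", $DIRMODE ;
+mkdir "${CATOP}/newcerts", $DIRMODE;
+mkdir "${CATOP}/private", $DIRMODE;
+open OUT, ">${CATOP}/index.txt";
+close OUT;
+open OUT, ">${CATOP}/crlnumber";
+print OUT "01\n";
+close OUT;
+}
+if ( ! -f "${CATOP}/private/$CAKEY" ) {
+print "CA certificate filename (or enter to create)\n";
+$FILE = <STDIN>;
+chop $FILE;
+# ask user for existing CA certificate
+if ($FILE) {
+cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+$RET=$?;
+} else {
+print "Making CA certificate ...\n";
+system ("$REQ -new -keyout " .
+"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
+system ("$CA -create_serial " .
+"-out ${CATOP}/$CACERT $CADAYS -batch " .
+"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
+"-extensions v3_ca " .
+"-infiles ${CATOP}/$CAREQ ");
+$RET=$?;
+}
+}
+} elsif (/^-pkcs12$/) {
+my $cname = $ARGV[1];
+$cname = "My Certificate" unless defined $cname;
+system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
+"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
+"-export -name \"$cname\"");
+$RET=$?;
+print "PKCS #12 file is in newcert.p12\n";
+exit $RET;
+} elsif (/^-xsign$/) {
+system ("$CA -policy policy_anything -infiles newreq.pem");
+$RET=$?;
+} elsif (/^(-sign|-signreq)$/) {
+system ("$CA -policy policy_anything -out newcert.pem " .
+"-infiles newreq.pem");
+$RET=$?;
+print "Signed certificate is in newcert.pem\n";
+} elsif (/^(-signCA)$/) {
+system ("$CA -policy policy_anything -out newcert.pem " .
+"-extensions v3_ca -infiles newreq.pem");
+$RET=$?;
+print "Signed CA certificate is in newcert.pem\n";
+} elsif (/^-signcert$/) {
+system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
+"-out tmp.pem");
+system ("$CA -policy policy_anything -out newcert.pem " .
+"-infiles tmp.pem");
+$RET = $?;
+print "Signed certificate is in newcert.pem\n";
+} elsif (/^-verify$/) {
+if (shift) {
+foreach $j (@ARGV) {
+system ("$VERIFY -CAfile $CATOP/$CACERT $j");
+$RET=$? if ($? != 0);
+}
+exit $RET;
+} else {
+system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+$RET=$?;
+exit 0;
+}
+} else {
+print STDERR "Unknown arg $_\n";
+print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+exit 1;
+}
+}
+exit $RET;
+sub cp_pem {
+my ($infile, $outfile, $bound) = @_;
+open IN, $infile;
+open OUT, ">$outfile";
+my $flag = 0;
+while (<IN>) {
+$flag = 1 if (/^-----BEGIN.*$bound/) ;
+print OUT $_ if ($flag);
+if (/^-----END.*$bound/) {
+close IN;
+close OUT;
+return;
+}
+}
+}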
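Review bot: cp_pem opens both files with two-argument `open` and never checks the result, and its input name comes straight from the STDIN prompt in the `-newca` branch, so mode characters in the typed name are interpreted by `open` and a failed copy of the CA key passes silently. I would use `open(IN, '<', $infile) or die "cannot read $infile: $!";` and `open(OUT, '>', $outfile) or die "cannot write $outfile: $!";`, and give the `index.txt` and `crlnumber` writes the same three-argument, checked form. The `$RET=$?` after the two cp_pem calls does not reflect their outcome, because cp_pem runs no child process. Separately, `${CATOP}/private` is created with `$DIRMODE = 0777`; `mkdir "${CATOP}/private", 0700;` would keep the CA key directory private regardless of the caller's umask. The commit message describes this file as coming from openssl, so these are probably best carried as a small documented local patch.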

@ -0,0 +1,83 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b6:7b:e8:90:4d:70:7d:7f
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Australian Capital Territory, O=Qca Development and Test, OU=Certificate Generation Section, CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
Validity
Not Before: Jul 22 01:48:15 2007 GMT
Not After : Jan 11 01:48:15 2013 GMT
Subject: C=AU, ST=Australian Capital Territory, O=Qca Development and Test, OU=Certificate Generation Section, CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a1:a2:3e:9e:53:de:98:2c:2f:9e:fa:12:fa:54:
6c:0a:0a:e8:23:f4:25:86:24:da:ed:6f:18:e2:6e:
1e:ae:36:4e:45:63:0d:5b:20:aa:09:70:55:b9:a1:
08:e3:cb:3d:e3:c3:ca:34:c3:c7:90:30:50:51:d6:
30:b3:3f:12:70:99:ae:2d:c8:2e:ea:c6:c6:43:e5:
9f:30:ab:e3:5b:d9:b0:91:92:c2:94:79:79:9b:87:
05:60:01:8c:f1:0e:75:f7:82:d6:f9:e6:fb:45:b8:
4d:53:eb:66:a0:98:93:28:d7:1e:db:43:3d:84:9b:
2b:1f:ee:af:d8:23:b5:a1:cd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
51:3F:F2:14:6E:49:6A:DC:41:B8:15:B5:A0:86:F4:2E:E4:F5:45:F8
X509v3 Authority Key Identifier:
keyid:51:3F:F2:14:6E:49:6A:DC:41:B8:15:B5:A0:86:F4:2E:E4:F5:45:F8
DirName:/C=AU/ST=Australian Capital Territory/O=Qca Development and Test/OU=Certificate Generation Section/CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
serial:B6:7B:E8:90:4D:70:7D:7F
X509v3 Subject Alternative Name:
email:testonly@test.example.com
X509v3 Issuer Alternative Name:
email:testonly@test.example.com
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
Netscape Comment:
This certificate was issued for testing only!
Signature Algorithm: sha1WithRSAEncryption
0f:b6:d9:37:b3:d8:bb:69:1e:ce:1a:35:29:1b:ce:d5:38:3e:
29:13:17:91:5b:1f:9c:59:52:67:d3:05:91:2a:e8:7f:b9:76:
1a:01:f6:9f:07:74:be:e4:37:87:d0:9b:84:c6:81:3f:c4:96:
52:46:80:52:a7:7b:14:fd:f6:4d:23:15:b6:7e:2a:a6:d7:90:
97:4f:22:7c:3e:7d:12:84:28:a4:9a:30:67:77:16:f7:80:0f:
6a:d0:82:fc:f6:91:39:14:d2:a5:de:18:f1:bb:38:f1:98:88:
1c:13:63:e9:a3:d7:b5:b0:70:f2:82:58:bd:ef:3c:02:42:a0:
7e:c9
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@ -0,0 +1,14 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

@ -0,0 +1 @@
01

@ -0,0 +1,3 @@
V 130111014815Z B67BE8904D707D7F unknown /C=AU/ST=Australian Capital Territory/O=Qca Development and Test/OU=Certificate Generation Section/CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
V 120720033029Z B67BE8904D707D80 unknown /C=US/ST=Kalifornia/L=QcaLand/O=Qca Development and Test/OU=Certificate Generation Section/CN=Qca Test Client Certificate/emailAddress=client@test.example.com
V 120720060539Z B67BE8904D707D81 unknown /C=IL/ST=Qca Province/L=TLS City/O=Qca Development and Test/OU=Server Management Section/CN=Qca Server Test certificate/emailAddress=server@test.example.com

@ -0,0 +1 @@
unique_subject = no

@ -0,0 +1 @@
unique_subject = no

@ -0,0 +1,2 @@
V 130111014815Z B67BE8904D707D7F unknown /C=AU/ST=Australian Capital Territory/O=Qca Development and Test/OU=Certificate Generation Section/CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
V 120720033029Z B67BE8904D707D80 unknown /C=US/ST=Kalifornia/L=QcaLand/O=Qca Development and Test/OU=Certificate Generation Section/CN=Qca Test Client Certificate/emailAddress=client@test.example.com

@ -0,0 +1,83 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b6:7b:e8:90:4d:70:7d:7f
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Australian Capital Territory, O=Qca Development and Test, OU=Certificate Generation Section, CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
Validity
Not Before: Jul 22 01:48:15 2007 GMT
Not After : Jan 11 01:48:15 2013 GMT
Subject: C=AU, ST=Australian Capital Territory, O=Qca Development and Test, OU=Certificate Generation Section, CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a1:a2:3e:9e:53:de:98:2c:2f:9e:fa:12:fa:54:
6c:0a:0a:e8:23:f4:25:86:24:da:ed:6f:18:e2:6e:
1e:ae:36:4e:45:63:0d:5b:20:aa:09:70:55:b9:a1:
08:e3:cb:3d:e3:c3:ca:34:c3:c7:90:30:50:51:d6:
30:b3:3f:12:70:99:ae:2d:c8:2e:ea:c6:c6:43:e5:
9f:30:ab:e3:5b:d9:b0:91:92:c2:94:79:79:9b:87:
05:60:01:8c:f1:0e:75:f7:82:d6:f9:e6:fb:45:b8:
4d:53:eb:66:a0:98:93:28:d7:1e:db:43:3d:84:9b:
2b:1f:ee:af:d8:23:b5:a1:cd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
51:3F:F2:14:6E:49:6A:DC:41:B8:15:B5:A0:86:F4:2E:E4:F5:45:F8
X509v3 Authority Key Identifier:
keyid:51:3F:F2:14:6E:49:6A:DC:41:B8:15:B5:A0:86:F4:2E:E4:F5:45:F8
DirName:/C=AU/ST=Australian Capital Territory/O=Qca Development and Test/OU=Certificate Generation Section/CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
serial:B6:7B:E8:90:4D:70:7D:7F
X509v3 Subject Alternative Name:
email:testonly@test.example.com
X509v3 Issuer Alternative Name:
email:testonly@test.example.com
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
Netscape Comment:
This certificate was issued for testing only!
Signature Algorithm: sha1WithRSAEncryption
0f:b6:d9:37:b3:d8:bb:69:1e:ce:1a:35:29:1b:ce:d5:38:3e:
29:13:17:91:5b:1f:9c:59:52:67:d3:05:91:2a:e8:7f:b9:76:
1a:01:f6:9f:07:74:be:e4:37:87:d0:9b:84:c6:81:3f:c4:96:
52:46:80:52:a7:7b:14:fd:f6:4d:23:15:b6:7e:2a:a6:d7:90:
97:4f:22:7c:3e:7d:12:84:28:a4:9a:30:67:77:16:f7:80:0f:
6a:d0:82:fc:f6:91:39:14:d2:a5:de:18:f1:bb:38:f1:98:88:
1c:13:63:e9:a3:d7:b5:b0:70:f2:82:58:bd:ef:3c:02:42:a0:
7e:c9
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@ -0,0 +1,84 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b6:7b:e8:90:4d:70:7d:80
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Australian Capital Territory, O=Qca Development and Test, OU=Certificate Generation Section, CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
Validity
Not Before: Jul 22 03:30:29 2007 GMT
Not After : Jul 20 03:30:29 2012 GMT
Subject: C=US, ST=Kalifornia, L=QcaLand, O=Qca Development and Test, OU=Certificate Generation Section, CN=Qca Test Client Certificate/emailAddress=client@test.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b0:67:99:c9:d4:42:eb:f5:a6:25:7e:99:31:4e:
d7:71:e2:15:95:8b:6a:e9:13:c6:0a:6e:cd:5d:ce:
23:c8:b0:4a:af:d6:d3:ef:3d:09:23:97:6d:ed:49:
0a:2c:e4:9d:a2:50:78:bc:a5:94:79:45:b1:b0:85:
3a:02:1b:5f:f4:be:94:9e:a1:d1:a4:9c:31:02:ed:
62:3f:b3:f1:1a:5b:7d:31:27:ae:7b:f1:67:bd:60:
86:27:34:80:96:53:04:00:4e:d8:f2:b3:bb:6e:62:
ab:51:ee:f9:25:ad:de:3a:4f:e5:1e:d5:42:28:e8:
73:96:4c:1f:06:42:ee:d8:8b
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection
Netscape Comment:
This certificate was issued for testing only!
X509v3 Subject Key Identifier:
B2:7F:D3:11:39:23:BE:1D:C4:6F:53:CE:81:AF:F1:D4:80:01:F6:F6
X509v3 Authority Key Identifier:
keyid:51:3F:F2:14:6E:49:6A:DC:41:B8:15:B5:A0:86:F4:2E:E4:F5:45:F8
DirName:/C=AU/ST=Australian Capital Territory/O=Qca Development and Test/OU=Certificate Generation Section/CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
serial:B6:7B:E8:90:4D:70:7D:7F
X509v3 Subject Alternative Name:
email:client@test.example.com
X509v3 Issuer Alternative Name:
email:testonly@test.example.com
Signature Algorithm: sha1WithRSAEncryption
36:9a:0e:7a:a4:d3:6b:e8:d6:1b:ba:34:89:a6:dc:26:01:28:
71:7d:28:71:22:79:ae:3b:27:2a:d5:6c:d6:99:93:c0:01:45:
5d:78:2a:83:05:a8:eb:41:be:62:37:92:ff:b9:41:3d:37:4c:
25:85:4b:c8:c3:ba:cd:71:06:18:12:a3:7f:2d:17:90:b2:87:
e6:ca:86:fb:dc:d0:ef:1d:d6:b3:86:b3:28:72:45:fa:bb:dd:
32:06:44:b1:ed:35:b6:c4:6b:54:88:49:9d:3a:2e:fa:37:3b:
84:98:de:68:14:ac:2f:37:42:21:f5:b9:27:18:1b:5d:5e:ba:
74:09
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@ -0,0 +1,84 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b6:7b:e8:90:4d:70:7d:81
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Australian Capital Territory, O=Qca Development and Test, OU=Certificate Generation Section, CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
Validity
Not Before: Jul 22 06:05:39 2007 GMT
Not After : Jul 20 06:05:39 2012 GMT
Subject: C=IL, ST=Qca Province, L=TLS City, O=Qca Development and Test, OU=Server Management Section, CN=Qca Server Test certificate/emailAddress=server@test.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c1:59:ff:39:1d:96:af:d8:55:cd:89:a1:19:14:
a0:63:33:2a:1c:09:92:07:ea:8e:64:91:17:19:3a:
ca:6d:a8:2a:81:7d:a6:48:6a:8c:04:d5:dc:9b:b0:
86:44:8c:65:27:9c:a6:63:ec:f0:f6:f2:03:76:4e:
46:72:20:3c:eb:ac:c5:a7:4d:fa:36:84:a7:a1:45:
c2:54:43:b9:5d:88:17:b6:b2:6c:af:ce:9c:e2:2e:
65:e2:82:4c:02:a4:4d:91:58:7d:16:14:dc:29:1c:
1c:bc:c5:89:ac:e0:ea:f7:2d:9a:fe:d8:ca:53:98:
ce:ab:3a:c2:60:ad:91:e9:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Netscape Comment:
This certificate was issued for qca server testing only!
X509v3 Subject Key Identifier:
3C:AA:B3:B7:59:75:DB:2C:95:AF:B4:81:FA:56:40:D8:98:6B:27:CB
X509v3 Authority Key Identifier:
keyid:51:3F:F2:14:6E:49:6A:DC:41:B8:15:B5:A0:86:F4:2E:E4:F5:45:F8
DirName:/C=AU/ST=Australian Capital Territory/O=Qca Development and Test/OU=Certificate Generation Section/CN=Qca Test Root Certificate/emailAddress=testonly@test.example.com
serial:B6:7B:E8:90:4D:70:7D:7F
X509v3 Subject Alternative Name:
email:server@test.example.com
X509v3 Issuer Alternative Name:
email:testonly@test.example.com
Signature Algorithm: sha1WithRSAEncryption
0f:0b:9f:d9:38:62:20:40:a5:ff:0c:7b:d5:21:82:dd:9a:74:
94:81:72:aa:94:fc:1b:e0:53:56:e1:65:67:ed:a5:97:94:87:
fc:ee:37:66:e5:bf:7e:92:1b:b9:a4:e8:96:4a:5e:67:64:de:
f8:43:47:de:50:85:f6:a6:47:df:b4:ff:e3:93:ef:8e:b1:7c:
38:52:e4:e4:90:45:d1:85:db:c2:db:91:81:44:5a:41:a8:9b:
68:f6:dd:4b:c0:88:f0:fb:f0:73:17:9d:c4:9e:2b:1d:ba:6c:
43:bd:38:a3:f7:3f:55:cb:1a:7b:c4:5e:4a:39:fc:a2:86:ed:
d9:ba
-----BEGIN CERTIFICATE-----
MIIFDjCCBHegAwIBAgIJALZ76JBNcH2BMA0GCSqGSIb3DQEBBQUAMIHOMQswCQYD
VQQGEwJBVTElMCMGA1UECBMcQXVzdHJhbGlhbiBDYXBpdGFsIFRlcnJpdG9yeTEh
MB8GA1UEChMYUWNhIERldmVsb3BtZW50IGFuZCBUZXN0MScwJQYDVQQLEx5DZXJ0
aWZpY2F0ZSBHZW5lcmF0aW9uIFNlY3Rpb24xIjAgBgNVBAMTGVFjYSBUZXN0IFJv
b3QgQ2VydGlmaWNhdGUxKDAmBgkqhkiG9w0BCQEWGXRlc3Rvbmx5QHRlc3QuZXhh
bXBsZS5jb20wHhcNMDcwNzIyMDYwNTM5WhcNMTIwNzIwMDYwNTM5WjCBzDELMAkG
A1UEBhMCSUwxFTATBgNVBAgTDFFjYSBQcm92aW5jZTERMA8GA1UEBxMIVExTIENp
dHkxITAfBgNVBAoTGFFjYSBEZXZlbG9wbWVudCBhbmQgVGVzdDEiMCAGA1UECxMZ
U2VydmVyIE1hbmFnZW1lbnQgU2VjdGlvbjEkMCIGA1UEAxMbUWNhIFNlcnZlciBU
ZXN0IGNlcnRpZmljYXRlMSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXJAdGVzdC5leGFt
cGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwVn/OR2Wr9hVzYmh
GRSgYzMqHAmSB+qOZJEXGTrKbagqgX2mSGqMBNXcm7CGRIxlJ5ymY+zw9vIDdk5G
ciA866zFp036NoSnoUXCVEO5XYgXtrJsr86c4i5l4oJMAqRNkVh9FhTcKRwcvMWJ
rODq9y2a/tjKU5jOqzrCYK2R6U8CAwEAAaOCAfIwggHuMBEGCWCGSAGG+EIBAQQE
AwIGQDALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwRwYJYIZIAYb4
QgENBDoWOFRoaXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBmb3IgcWNhIHNlcnZl
ciB0ZXN0aW5nIG9ubHkhMB0GA1UdDgQWBBQ8qrO3WXXbLJWvtIH6VkDYmGsnyzCC
AQMGA1UdIwSB+zCB+IAUUT/yFG5JatxBuBW1oIb0LuT1RfihgdSkgdEwgc4xCzAJ
BgNVBAYTAkFVMSUwIwYDVQQIExxBdXN0cmFsaWFuIENhcGl0YWwgVGVycml0b3J5
MSEwHwYDVQQKExhRY2EgRGV2ZWxvcG1lbnQgYW5kIFRlc3QxJzAlBgNVBAsTHkNl
cnRpZmljYXRlIEdlbmVyYXRpb24gU2VjdGlvbjEiMCAGA1UEAxMZUWNhIFRlc3Qg
Um9vdCBDZXJ0aWZpY2F0ZTEoMCYGCSqGSIb3DQEJARYZdGVzdG9ubHlAdGVzdC5l
eGFtcGxlLmNvbYIJALZ76JBNcH1/MCIGA1UdEQQbMBmBF3NlcnZlckB0ZXN0LmV4
YW1wbGUuY29tMCQGA1UdEgQdMBuBGXRlc3Rvbmx5QHRlc3QuZXhhbXBsZS5jb20w
DQYJKoZIhvcNAQEFBQADgYEADwuf2ThiIECl/wx71SGC3Zp0lIFyqpT8G+BTVuFl
Z+2ll5SH/O43ZuW/fpIbuaTolkpeZ2Te+ENH3lCF9qZH37T/45PvjrF8OFLk5JBF
0YXbwtuRgURaQaibaPbdS8CI8PvwcxedxJ4rHbpsQ704o/c/Vcsae8ReSjn8oobt
2bo=
-----END CERTIFICATE-----

@ -0,0 +1,18 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F17A1709AFCFEA09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-----END RSA PRIVATE KEY-----
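Review bot: This section commits a passphrase-encrypted RSA private key (presumably the CA key, given its position between the issued certificates and the serial file), and the README added in this same commit states the passphrase, so the key has to be treated as public. The root certificate in this commit asserts `CA:TRUE` with SSL, S/MIME and object-signing CA types, so it must never reach a trust store outside the test harness. I would say so in the README, for example `The CA key and its passphrase are public: never add cacert.pem to a system or application trust store.`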

@ -0,0 +1 @@
B67BE8904D707D82

@ -0,0 +1 @@
B67BE8904D707D81

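--- a/unittest/testcerts/README
+++ b/unittest/testcerts/README
@@ -0,0 +1,11 @@
+These are the tools used to generate test certificates
+for unit testing in QCA.
+You need to have openssl installed.
+Do not try to generate certificates blindly. You always need
+to read and understand the openssl.cnf options to make any
+kind of sensible certificate.
+The PEM passphrase is always "start".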

@ -0,0 +1,292 @@
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 1825 # how long to certify for
default_crl_days= 300 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# we use PrintableString+UTF8String mask so if pure ASCII texts are used
# the resulting certificates are compatible with Netscape
string_mask = MASK:0x2002
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Australian Capital Territory
localityName = Locality Name (eg, city)
localityName_default = QcaLand
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Qca Development and Test
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Certificate Generation Section
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = testonly@test.example.com
# SET-ex3 = SET extension number 3
[ req_attributes ]
# not used
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
# basicConstraints=CA:FALSE
# For normal client use this is typical
# nsCertType = client, email
nsCertType = server
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
#extendedKeyUsage = clientAuth, emailProtection
extendedKeyUsage = serverAuth
# This will be displayed in Netscape's comment listbox.
# nsComment = "This certificate was issued for testing only!"
nsComment = "This certificate was issued for qca server testing only!"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical,CA:true
# keyUsage = cRLSign, keyCertSign
keyUsage = cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# Include email address in subject alt name: another PKIX recommendation
subjectAltName=email:copy
# Copy issuer details
issuerAltName=issuer:copy
# Some might want this also
nsCertType = sslCA, emailCA, objCA
nsComment = "This certificate was issued for testing only!"
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
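Review bot: `default_bits = 1024` in `[ req ]` and `default_md = sha1` in both `[ CA_default ]` and `[ req ]` mean every fixture generated from this configuration is a 1024-bit RSA / SHA-1 certificate, which matches the certificates committed alongside it. Validation libraries with stricter default policies may reject such fixtures, so tests built on them can fail for reasons unrelated to the code under test; `default_bits = 2048` and `default_md = sha256` would avoid that whenever the fixtures are regenerated. `[ usr_cert ]` is also hard-wired to the server profile (`nsCertType = server`, `extendedKeyUsage = serverAuth`) with the client values left in comments and `basicConstraints=CA:FALSE` commented out, so issuing the client certificate means editing the file by hand. Separate client and server sections selected with `-extensions` would make each profile reproducible from the committed file.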