From 550f7878bf509cc825726e6d95506e62857d48c9 Mon Sep 17 00:00:00 2001
From: Rasmus Dahlberg
Date: Mon, 26 Oct 2020 23:48:36 +0100
Subject: tested certificate chain code path further

Added more documentation and quick helper scripts for now. We need to specify which signature schemes we expect/support from submitters.
---
 server/testdata/chain/README.md | 44 +++++++++++++++++++++++++++++++
 server/testdata/chain/rgdd-ecdsa.csr | 8 ++++++
 server/testdata/chain/rgdd-ecdsa.key | 5 ++++
 server/testdata/chain/rgdd-ecdsa.pem | 10 +++++++
 server/testdata/chain/rgdd-root.key | 3 +++
 server/testdata/chain/rgdd-root.pem | 11 ++++++++
 server/testdata/chain/rgdd-root.srl | 1 +
 server/testdata/chain/rgdd-rsa.csr | 27 +++++++++++++++++++
 server/testdata/chain/rgdd-rsa.key | 51 ++++++++++++++++++++++++++++++++++++
 server/testdata/chain/rgdd-rsa.pem | 20 ++++++++++++++
 10 files changed, 180 insertions(+)
 create mode 100644 server/testdata/chain/README.md
 create mode 100644 server/testdata/chain/rgdd-ecdsa.csr
 create mode 100644 server/testdata/chain/rgdd-ecdsa.key
 create mode 100644 server/testdata/chain/rgdd-ecdsa.pem
 create mode 100644 server/testdata/chain/rgdd-root.key
 create mode 100644 server/testdata/chain/rgdd-root.pem
 create mode 100644 server/testdata/chain/rgdd-root.srl
 create mode 100644 server/testdata/chain/rgdd-rsa.csr
 create mode 100644 server/testdata/chain/rgdd-rsa.key
 create mode 100644 server/testdata/chain/rgdd-rsa.pem
(limited to 'server/testdata/chain')

diff --git a/server/testdata/chain/README.md b/server/testdata/chain/README.md
new file mode 100644
index 0000000..fc19735
--- /dev/null
+++ b/server/testdata/chain/README.md
@@ -0,0 +1,44 @@
+# Create new certificate chains
+A more in-depth explanation of the different commands and parameters can be
+found in the man pages, e.g., `man openssl-genpkey` and `man openssl-req`
+
+## Root certificate
+```
+# Generate ed25519 private key
+$ openssl genpkey -algorithm ed25519 -out rgdd-root.key
+
+###
+# Create and self-sign a root certificate
+# -x509 => output a self-signed certificate
+# -new => prompt the user for relevant field values
+# -key => file to read private key from
+# -days => number of days that the certificate is valid
+# -out => where to write the resulting PEM-encoded certificate
+###
+$ openssl req -x509 -new -key rgdd-root.key -days 2048 -out rgdd-root.pem
+
+# View the generated certificate
+$ openssl x509 -in rgdd-root.pem -text -noout
+```
+
+## End-entity certificates
+Let's generate two different end-entity certificates. One that uses ECDSA, and
+another one that uses RSA. Note that `-CAcreateserial` creates a file with the
+next serial number if it does not exist. After a certificate is issued, this
+number is incremented.
+
+### NIST P-256
+```
+$ openssl ecparam -genkey -name prime256v1 -noout -out rgdd-ecdsa.key
+$ openssl req -new -key rgdd-ecdsa.key -out rgdd-ecdsa.csr
+$ openssl x509 -req -in rgdd-ecdsa.csr -CA rgdd-root.pem -CAkey rgdd-root.key -CAcreateserial -out rgdd-ecdsa.pem -days 1024
+$ openssl x509 -in rgdd-ecdsa.pem -text -noout
+```
+
+### RSA
+```
+$ openssl genrsa -out rgdd-rsa.key 4096
+$ openssl req -new -key rgdd-rsa.key -out rgdd-rsa.csr
+$ openssl x509 -req -in rgdd-rsa.csr -CA rgdd-root.pem -CAkey rgdd-root.key -CAcreateserial -out rgdd-rsa.pem -days 1024
+$ openssl x509 -in rgdd-rsa.pem -text -noout
+```
diff --git a/server/testdata/chain/rgdd-ecdsa.csr b/server/testdata/chain/rgdd-ecdsa.csr
new file mode 100644
index 0000000..4594ac7
--- /dev/null
+++ b/server/testdata/chain/rgdd-ecdsa.csr
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH/MIGnAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggq
+hkjOPQMBBwNCAAS0HCnBOAIerw9sIB1juMsgIbOkQ6AoyFeAwHNjkmnM/TmP01/w
+u0MimgeZGepyaTGOi01SVLcCcId5mzATgrZEoAAwCgYIKoZIzj0EAwIDRwAwRAIg
+QZ4OT72aVFTc3W4XQZdVIvtSXStRYp5NA6Ei69lv6BACIHnKSIXhNSmGeHI2Lwuq
+s2uAm0sEP3/j6d1Pzm3ymPp4
+-----END CERTIFICATE REQUEST-----
diff --git a/server/testdata/chain/rgdd-ecdsa.key b/server/testdata/chain/rgdd-ecdsa.key
new file mode 100644
index 0000000..6ac18ca
--- /dev/null
+++ b/server/testdata/chain/rgdd-ecdsa.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPqFWTEd8sZG9Fc/CwfUQCTR/GFZYzbFrkxEufY6f2qVoAoGCCqGSM49
+AwEHoUQDQgAEtBwpwTgCHq8PbCAdY7jLICGzpEOgKMhXgMBzY5JpzP05j9Nf8LtD
+IpoHmRnqcmkxjotNUlS3AnCHeZswE4K2RA==
+-----END EC PRIVATE KEY-----
diff --git a/server/testdata/chain/rgdd-ecdsa.pem b/server/testdata/chain/rgdd-ecdsa.pem
new file mode 100644
index 0000000..f93f0a2
--- /dev/null
+++ b/server/testdata/chain/rgdd-ecdsa.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBdDCCASYCFA1YWDyW1iZyA9IVo6X0edUqQDP2MAUGAytlcDBFMQswCQYDVQQG
+EwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lk
+Z2l0cyBQdHkgTHRkMB4XDTIwMTAyNjIyMzYyMFoXDTIzMDgxNjIyMzYyMFowRTEL
+MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy
+bmV0IFdpZGdpdHMgUHR5IEx0ZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLQc
+KcE4Ah6vD2wgHWO4yyAhs6RDoCjIV4DAc2OSacz9OY/TX/C7QyKaB5kZ6nJpMY6L
+TVJUtwJwh3mbMBOCtkQwBQYDK2VwA0EA3p8koB34InjhzheTH+Mv6d4ScqDZ9GT2
+w6eNKFhd5kcr0vrcJ7J7Jzm6lY1fR3mZzvv4ko0OdW2a6iY7ikTdAA==
+-----END CERTIFICATE-----
diff --git a/server/testdata/chain/rgdd-root.key b/server/testdata/chain/rgdd-root.key
new file mode 100644
index 0000000..74e2928
--- /dev/null
+++ b/server/testdata/chain/rgdd-root.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIHD6JY7yaitYT5aDrIWdZ6MBtRdqpggWyfhqJH3znLR2
+-----END PRIVATE KEY-----
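Review bot: The end-entity certificate in rgdd-ecdsa.pem is an X.509 v1 certificate with no extensions — its TBSCertificate opens directly with the serial number (no explicit version field), so there is no basicConstraints, keyUsage, or subject/authority key identifier — and rgdd-rsa.pem is built the same way, whereas rgdd-root.pem is v3 with SKI, AKI and CA:TRUE. That is what the README's `openssl x509 -req ...` invocation yields without `-extfile`/`-extensions`, so a chain-validation path tested only against these fixtures never exercises whatever extension handling the server performs on a real submitter's leaf. Both leaves are also signed by the Ed25519 root, which bears on the open question in the commit message about which signature schemes to accept. Consider regenerating the leaves with an extension file, e.g. `openssl x509 -req ... -extfile <(printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n')`, and keeping a v1 fixture only if v1 leaves are meant to be accepted.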
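Review bot: rgdd-root.key is the private key of the CA that issues these test chains, committed in the clear, and beyond the `testdata` directory name nothing in the fixture names or README.md marks it as throwaway material. Anyone with the repository can mint leaves that validate against rgdd-root.pem, which is fine for unit tests but means this root must never be loaded as a trust anchor outside the test harness, and secret scanners will flag the file. A one-line note in README.md such as `These keys are test-only fixtures; never configure rgdd-root.pem as a trust anchor outside server tests.` would make the intent explicit.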
diff --git a/server/testdata/chain/rgdd-root.pem b/server/testdata/chain/rgdd-root.pem
new file mode 100644
index 0000000..75f7a8e
--- /dev/null
+++ b/server/testdata/chain/rgdd-root.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBnzCCAVGgAwIBAgIUCjfMeafmxgsMeaQQQuP8vMkjRgwwBQYDK2VwMEUxCzAJ
+BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
+dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjAxMDI2MjIzNTUwWhcNMjYwNjA1MjIzNTUw
+WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
+SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEAbu58egSJq3r5n8pJ
+JVkNGoZsp28dRFC8LDMThg9IWNmjUzBRMB0GA1UdDgQWBBT1tfMTNJANubW44TUZ
+0q24o27lRTAfBgNVHSMEGDAWgBT1tfMTNJANubW44TUZ0q24o27lRTAPBgNVHRMB
+Af8EBTADAQH/MAUGAytlcANBAOfrYoK45bNHSCxtD70LGAWO3AYJnH4M0hkaIOsf
+rb7/ses1xvDTi0AuOcKpnNtRmfDTGT81iHC+U2dqL/h5Gw8=
+-----END CERTIFICATE-----
diff --git a/server/testdata/chain/rgdd-root.srl b/server/testdata/chain/rgdd-root.srl
new file mode 100644
index 0000000..dac138f
--- /dev/null
+++ b/server/testdata/chain/rgdd-root.srl
@@ -0,0 +1 @@
+0D58583C96D6267203D215A3A5F479D52A4033F9
diff --git a/server/testdata/chain/rgdd-rsa.csr b/server/testdata/chain/rgdd-rsa.csr
new file mode 100644
index 0000000..0708212
--- /dev/null
+++ b/server/testdata/chain/rgdd-rsa.csr
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEijCCAnICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAMV0T/QhOMC3YWC02iU/K6f2fBATgSLOIyA+Nbit
+Y1vnzM1Uug00CHDr5Z8CS/tt25+nCJPkqfMUqjImkxdaIlktdFa1aJZIeT1xLjAy
+7Vs4L8b7iDQ2oYmfbYlLKkWFkpEH5inohfT8m7xHMmUPA8r5zW2J6F+Rxl5//U/D
+d0K8JaAEOj/tk9JG+spMsAP/HqUO1wVfon6sNw/vTPbnlHwVQn2+VgRo3yWkUo4w
+34LUJbCVe0pvi5ep2OeuuS3sKmTakvj8Wv0fPGCbbbVjMtFKHbm1kn9uCY3L33py
+RTMQzEKaIXTU743JmDf5LfRTu7monlu+JFIU2oFcKq3V9zredCmZzy4JENrjD1dZ
+yX1yqqeDsLU06zYXIo/dS2wSi4lcSWXpYYnAwUf/BrYbeF5mFTJzSScZP85/OKLX
+AGFbe0IBpqxZcCWOZC+PYOedoH+oyKWANFlmO4A64vwkYEvLIT1mC5obM7f8l8vz
+w3e5yeYPWPpZlTCtGeMQv0Vkrbgqu+sz5qe5JTvrJd04z06kVR948Tm0HvNBARZS
+He81XY9K43qiZ4wSoTCcRnjBL9Zbrbmj/Amp3M2wnLB1QRBsp9H4eKHncC2huzoj
+OCueFPgEGDJu4GMtbDVz4eoWnOF6Xr4lQx0cBE5aXJ/YRLvln6NGjwygXFCCel+u
+XDEjAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAl+puaqQIFvwuGJzrHkEbkIRA
+CnLqv5yCFNNVxCDpPhHCJnqX3Z+9tVYIAKn9kdktZzs7Tj7pvTf1zDoPrEhfu1Xc
+b4CEz7+ToWNJ78G+nZQnGE3PZj2JhT+oX+MySW+QUgs32LNkUsKglZXNXyKAUKOS
+V65EcSS9uA/hNntHkj+NfBX90ANC5NOp0rWxLhc2hSO+XwQpdWYx34za8Bh6w0x3
+tElE+y0QkC6o8q1YbrzEEObUu+rYZk1rROiOrHYsN3VNjMhvMisCUUvwSI9vV3gA
+MRzfHJKMd2YMOFbj62oZ9ZgmiZBSOX035m0GOt2qtm2cBCUvmLb1p0mKxx9sqXql
+Xj4rTT/acS0m6s3r680zxmdd6ADz3485n5bqpK24oGfTBYAk6v+oQApd1iorIp1P
+uRobIHQaUOCMmXfAQuhvC7iws2c8dwd4AVjNZI57xKuBjtdIXnGg3+y5btmp1mg6
+lDzaoG4bMEReCr7UzDCCRzDoKdtx62XxaTj5jHHZ4fgyKsuoNCz2+d570YWseZBf
+rYRlXE/sPX4N1KLG7QOa9rYcJxJNov8BI+ONjZ7+OWdNBN1KIWolmgYWm1HOuiyJ
+nON3KbKS/Rmsr8LUitCido2BDx0jZA0HrBOM3rLs1lj9X0RXeBF12gXFR0tTyP/o
+RLY5kHclMD4h9jybBwM=
+-----END CERTIFICATE REQUEST-----
diff --git a/server/testdata/chain/rgdd-rsa.key b/server/testdata/chain/rgdd-rsa.key
new file mode 100644
index 0000000..f4a8259
--- /dev/null
+++ b/server/testdata/chain/rgdd-rsa.key
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJJwIBAAKCAgEAxXRP9CE4wLdhYLTaJT8rp/Z8EBOBIs4jID41uK1jW+fMzVS6
+DTQIcOvlnwJL+23bn6cIk+Sp8xSqMiaTF1oiWS10VrVolkh5PXEuMDLtWzgvxvuI
+NDahiZ9tiUsqRYWSkQfmKeiF9PybvEcyZQ8DyvnNbYnoX5HGXn/9T8N3QrwloAQ6
+P+2T0kb6ykywA/8epQ7XBV+ifqw3D+9M9ueUfBVCfb5WBGjfJaRSjjDfgtQlsJV7
+Sm+Ll6nY5665LewqZNqS+Pxa/R88YJtttWMy0UodubWSf24JjcvfenJFMxDMQpoh
+dNTvjcmYN/kt9FO7uaieW74kUhTagVwqrdX3Ot50KZnPLgkQ2uMPV1nJfXKqp4Ow
+tTTrNhcij91LbBKLiVxJZelhicDBR/8Gtht4XmYVMnNJJxk/zn84otcAYVt7QgGm
+rFlwJY5kL49g552gf6jIpYA0WWY7gDri/CRgS8shPWYLmhszt/yXy/PDd7nJ5g9Y
++lmVMK0Z4xC/RWStuCq76zPmp7klO+sl3TjPTqRVH3jxObQe80EBFlId7zVdj0rj
+eqJnjBKhMJxGeMEv1lutuaP8CanczbCcsHVBEGyn0fh4oedwLaG7OiM4K54U+AQY
+Mm7gYy1sNXPh6hac4XpeviVDHRwETlpcn9hEu+Wfo0aPDKBcUIJ6X65cMSMCAwEA
+AQKCAgApZyA0wpqR3mHu0z1CviI7T/XnsQ9M6wh2hFTjaogBB3PsQi3ZAuYaN3yo
+gOTJzdlVesLTsAjqzZR6e5gwN1godt2EKPnLOVsixQ64UJVwoTFzed6vhB0PLHzd
+YwN0HHQFMTDT7MvZ+PX23r70bdePwh2PMHGnSHvd6NyG0ye4uJbzHK/SI9DxMKz5
+qmbmD6KvXZM8rzb1dMr+7mCnDRwXgKW2lCiZOBxCWlhtNFZJqo5UnqOBki4lGRpA
+SmTN+k1RZHuY9eFmXhxc7XptpGVNeUsOW8JiMgKS1wL/O+LCuGz8MjF9vACXLIRc
+iEVYjA46+d5qwk3/YBwJL/hLByiVsnXHg3la9jqt+KYtjD0dyxaezq/B3qPUcjv1
+tWW+k0MDhzAcZS82nsc1S9mUBvs22btjp4nLScVTyADofQ4Wszj9Ji84FppD/85M
+hNC07RSUA6WSe+pRgU1Ca2GARgYA7BjTWI02kHfqdM8tnDqgtaBPNiVSOgFI/qPu
+Tj+/MBxkCYF1+f2FaIj3MoCRd2FlKRqhSdShmdh4PowIOjuUplW7XD1Ti0zVzvFH
+9E7KdAVuyiSa4IQ4If+t/Ijwrol6hWJ2FdGnWI1v6bNDCs2USlQi4gFzXP3N1VmZ
+367k4TXOSwk5teWNgmKTOAqXciVzlj0UmeY6LXUkdemKAz52IQKCAQEA/rbXr63O
+/N5qGTz7SWXQQpBID/o/rABbdoo/ib+2mF0cC41GFXJbSItl+H4nJDLCvTv0M6ZF
+cmsAnEtoD6B7UCZkeI9/fAGUphXurdL4Erhex4adsv/TjkxvcK5FzP3Rjy0eCTNs
+kpbZT+8bqTzga0/Ww9xDBCiotnDs+2JuhegZ76dN3vQSMB/MmT2FVaA8LzSOD9cx
+Fo+urKdmXjQiTO2CsL2uZPE8pGRFNjYwTFe9ndShWiWaMpiUsBfS/hS8mgQV2rpx
+HbEfu7v6wXjne6KijToUDekXY4SRK1CyDQSbmSKr72+JnOv7BvaZv/+RKsWSdI26
+IAdcFuUW9qjDGwKCAQEAxnN5m7knBPA6s8MeDxKtS72juL3J4S/yi7kQjXR12+q2
+5XA8yl3EW9w9GgpUnAD7W5u0TVH6ld4Ndgu8Gia2StMzUaTJuYIwmBVkQWWD+4wL
+HfWAAW0N16inMEtfIQ6qoWl1XadZWuNhzyqsk4wM7OqQPIlqCSp0N9gmSsCgeeKQ
+mKUS2pn+5mIGrAoGcTuUqkLWjYqjVteyIu6EzZQNoHKzQgUDx7g8gfblHBeu5qHe
+/+Fr8vf+KP2n/V8/wxCWdhwNCRHQLJPJ/jrrz5J/tj3HBjFwfL0e8h3nZgYpUZCI
+VR26q5Nat2Pt72bHTR9kaT6I9ZI3pOUIe5Ec0CIimQKCAQAD3P4UegxjpXPyggxF
+prer6shNBbylfTPl7l7cVf4M/YyJWFExzhQ4W3TmefNaBzMQ77HafrEa9SiDNlmT
+sxlrs8leUr7aQKPiiP6fwE1m60j0ucP2jQ7GX75o9Ru16judck+8T/1bk9Ij9jpz
+LKsytXlKazLRA1Tbv4a4oVuPyF9sVRtHQGhuNm1B/b7h95YyGRf2gYsLDo7Vq4xP
+7XZ/uDJ9P8M/YLFMxQCPu+6rmcEUfb8cwOk/zzSiHxpiJCpgI6O5N46zppYWoNlC
+yfSo2WShw7m+JEToi4AwKf8pV2KMxgvZi9WIfcPG7UKTuOqYvXplLikehz4MUtkw
+UIr1AoIBAFNpUeHsLsRanLHV/xpixUgii2ApFWN7Hb0wqg5qtucafoltZX/BbbkW
+lvANC4cOupfEmEIvhN3dGVdWk1eCkfhdUSKt2sQIPpiN1TfPjWv7bujGuWjgB4Nv
+teYMqA1i9sElbFlS77HOBNxomWTi5sPly35GW7VCjNq0FVQyJsFUQ2aFa6lKNONs
+rFU/WXnaiyANO9T+Qq1Lt+oKyvMFmbyouUO0i+Q0Qep2ddIa+j6iJvLyMsdLCR79
+jtBmaox4umUmYSxAunkiHTKoXVk/wEI/MRofSaKEcy9c9lfhmxhXYZY1CrL3Gpge
+fnGzh22ZFkFOMY7WSGEcizY0xiGNV3ECggEAYg8/MEFShIjBEiPDFJi4XOXUj9Ew
+m05ZL7SWJdAytt7B1KF4C6I86CjuHqFvwHjJjSWjBbfebheaq8eDH/6ByG5RIEeF
+ySuP44zNsHYjX4Nv2CogHURZzBCc96FlqF0lEpHPsWKDt41ULdpZNO5qCkVInObz
+jdryFUpNcF8DX9SwQvcE/aNnPdZfK7Ga8AFgHfw9F+5FzAj0/IWWxI4rlrrp3deY
+S2L2jxIOhEVrRNLAZn7VZ9WaHS3+OPUEy1as5poecehFXTnGXBS2+//Nh8OmyEGm
+rNHmON5XW51UXSy+7bGFZolhPjicIKCRLBYcwBNf32/Ng9vI5++6XkSAuQ==
+-----END RSA PRIVATE KEY-----
diff --git a/server/testdata/chain/rgdd-rsa.pem b/server/testdata/chain/rgdd-rsa.pem
new file mode 100644
index 0000000..eefb697
--- /dev/null
+++ b/server/testdata/chain/rgdd-rsa.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPzCCAvECFA1YWDyW1iZyA9IVo6X0edUqQDP5MAUGAytlcDBFMQswCQYDVQQG
+EwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lk
+Z2l0cyBQdHkgTHRkMB4XDTIwMTAyNjIyMzc0N1oXDTIzMDgxNjIyMzc0N1owRTEL
+MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy
+bmV0IFdpZGdpdHMgUHR5IEx0ZDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBAMV0T/QhOMC3YWC02iU/K6f2fBATgSLOIyA+NbitY1vnzM1Uug00CHDr5Z8C
+S/tt25+nCJPkqfMUqjImkxdaIlktdFa1aJZIeT1xLjAy7Vs4L8b7iDQ2oYmfbYlL
+KkWFkpEH5inohfT8m7xHMmUPA8r5zW2J6F+Rxl5//U/Dd0K8JaAEOj/tk9JG+spM
+sAP/HqUO1wVfon6sNw/vTPbnlHwVQn2+VgRo3yWkUo4w34LUJbCVe0pvi5ep2Oeu
+uS3sKmTakvj8Wv0fPGCbbbVjMtFKHbm1kn9uCY3L33pyRTMQzEKaIXTU743JmDf5
+LfRTu7monlu+JFIU2oFcKq3V9zredCmZzy4JENrjD1dZyX1yqqeDsLU06zYXIo/d
+S2wSi4lcSWXpYYnAwUf/BrYbeF5mFTJzSScZP85/OKLXAGFbe0IBpqxZcCWOZC+P
+YOedoH+oyKWANFlmO4A64vwkYEvLIT1mC5obM7f8l8vzw3e5yeYPWPpZlTCtGeMQ
+v0Vkrbgqu+sz5qe5JTvrJd04z06kVR948Tm0HvNBARZSHe81XY9K43qiZ4wSoTCc
+RnjBL9Zbrbmj/Amp3M2wnLB1QRBsp9H4eKHncC2huzojOCueFPgEGDJu4GMtbDVz
+4eoWnOF6Xr4lQx0cBE5aXJ/YRLvln6NGjwygXFCCel+uXDEjAgMBAAEwBQYDK2Vw
+A0EAQeks+dakJG9woMoFtsdb/W6SZ6b8gFXjxiYhLw7LkChPvohPEjp7XSfv/OPx
+VVXG3riQWYiwigTXad8ENIx8Cg==
+-----END CERTIFICATE-----
--
cgit v1.2.3