I've started collecting a certificate torture test suite at http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/Makefile.am
It has RSA, DSA and EC keys in various forms (PKCS#1, PKCS#8, PKCS#12 with varying encryptions), and PKCS#11. I'm vaguely thinking about separating it from OpenConnect and making it available as a generic test suite — and then perhaps trying to set expectations that any application that can use SSL client certs/keys should pass it. Currently, every application you encounter on a Linux system will support a *different* subset of the keys here. It would be nice to have a bit of consistency. Does that seem reasonable? Is there anything I'm missing from the tests above? I know I need to add some non-ASCII password tests, and I need a PKCS#11 test case where the certificate isn't visible until you log in to the token. What else? Should I add PKCS#12 in PEM form for completeness? FWIW I hate all crypto libraries... there isn't *one* which simply has a function that'll do the right thing and load a certificate given a string which identifies it (by filename or PKCS#11 URI). GnuTLS comes closest, I think, but we still have to jump through hoops in the *application* to work out what kind of file we're looking at and ask for it to be loaded. The library *really* ought to make that simple. -- dwmw2
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
