[Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys
Signed-off-by: Steffan Karger--- sample/sample-keys/README| 6 ++-- sample/sample-keys/ec-ca.crt | 13 + sample/sample-keys/ec-ca.key | 6 sample/sample-keys/ec-client.crt | 61 sample/sample-keys/ec-client.key | 6 sample/sample-keys/ec-server.crt | 61 sample/sample-keys/ec-server.key | 6 7 files changed, 156 insertions(+), 3 deletions(-) create mode 100644 sample/sample-keys/ec-ca.crt create mode 100644 sample/sample-keys/ec-ca.key create mode 100644 sample/sample-keys/ec-client.crt create mode 100644 sample/sample-keys/ec-client.key create mode 100644 sample/sample-keys/ec-server.crt create mode 100644 sample/sample-keys/ec-server.key diff --git a/sample/sample-keys/README b/sample/sample-keys/README index 1cd473a..9f4f918 100644 --- a/sample/sample-keys/README +++ b/sample/sample-keys/README @@ -1,7 +1,6 @@ -Sample RSA keys. +Sample RSA and EC keys. -See the examples section of the man page -for usage examples. +See the examples section of the man page for usage examples. NOTE: THESE KEYS ARE FOR TESTING PURPOSES ONLY. DON'T USE THEM FOR ANY REAL WORK BECAUSE @@ -12,3 +11,4 @@ client.{crt,key} -- sample client key/cert server.{crt,key} -- sample server key/cert (nsCertType=server) pass.{crt,key} -- sample client key/cert with password-encrypted key password = "password" +ec-*.{crt,key} -- sample elliptic curve variants of the above diff --git a/sample/sample-keys/ec-ca.crt b/sample/sample-keys/ec-ca.crt new file mode 100644 index 000..e190801 --- /dev/null +++ b/sample/sample-keys/ec-ca.crt 
@@ -0,0 +1,13 @@ +-BEGIN CERTIFICATE- +MIIB4jCCAWmgAwIBAgIJALGEGB2g6cAXMAoGCCqGSM49BAMCMBUxEzARBgNVBAMT +CkVDLVRlc3QgQ0EwHhcNMTQwMTE4MTYwMTUzWhcNMjQwMTE2MTYwMTUzWjAVMRMw +EQYDVQQDEwpFQy1UZXN0IENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE2S4AZT7j +ZlPG/CXpT12CzCNSySyKmJt+fWyW/wzbRulVJpGHXRHpZZj2VNOUE72kqGUeshh6 +Um1o7lHGDSAkHOJpeW5FtryiKhwFc+4dsOCLTNLVFXQsEtY3gY14Uquio4GEMIGB +MB0GA1UdDgQWBBS0mkFcuCZ8SLWZRAD/8LpBQcgGPDBFBgNVHSMEPjA8gBS0mkFc +uCZ8SLWZRAD/8LpBQcgGPKEZpBcwFTETMBEGA1UEAxMKRUMtVGVzdCBDQYIJALGE +GB2g6cAXMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA2cA +MGQCMHWlVTi0xNZstR8ZNH+7z0WlyIXyZe23ne3EXkO0thZLdv86kpxFMPW/llB+ +RMRKuQIweN97n7FQy5DTenr91U98KDFJ5Av4mDFRL1mkXiu3W1//4XD8yEYDQTRz +/GARuOLL +-END CERTIFICATE- diff --git a/sample/sample-keys/ec-ca.key b/sample/sample-keys/ec-ca.key new file mode 100644 index 000..51a72e1 --- /dev/null +++ b/sample/sample-keys/ec-ca.key @@ -0,0 +1,6 @@ +-BEGIN PRIVATE KEY- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDASU6X/mh2m2PayviL3 +teoml5soyIUcZfwZpVn6oNtnrLcAbIRsAJbM4xyGVp77G/6hZANiAATZLgBlPuNm +U8b8JelPXYLMI1LJLIqYm359bJb/DNtG6VUmkYddEellmPZU05QTvaSoZR6yGHpS +bWjuUcYNICQc4ml5bkW2vKIqHAVz7h2w4ItM0tUVdCwS1jeBjXhSq6I= +-END PRIVATE KEY- diff --git a/sample/sample-keys/ec-client.crt b/sample/sample-keys/ec-client.crt new file mode 100644 index 000..9372800 --- /dev/null +++ b/sample/sample-keys/ec-client.crt 
@@ -0,0 +1,61 @@ +Certificate: +Data: +Version: 3 (0x2) +Serial Number: 2 (0x2) +Signature Algorithm: ecdsa-with-SHA256 +Issuer: CN=EC-Test CA +Validity +Not Before: Jan 18 16:02:37 2014 GMT +Not After : Jan 16 16:02:37 2024 GMT +Subject: CN=ec-client +Subject Public Key Info: +Public Key Algorithm: id-ecPublicKey +Public-Key: (384 bit) +pub: +04:40:d9:b9:a2:44:1b:01:39:2c:14:ee:aa:70:6b: +31:98:28:44:c9:61:bc:b7:0b:b5:53:49:c2:c0:0a: +43:b0:08:50:cd:80:2f:5d:a4:89:f1:ff:7d:11:78: +f5:0c:b2:86:e2:59:f8:17:76:1b:22:f2:23:67:e7: +55:90:ea:ce:0a:aa:da:05:f4:85:19:c9:ed:ae:6d: +a3:ad:56:7a:f6:33:c6:cf:bb:c7:39:fa:e4:d3:67: +df:f0:b8:4a:88:57:98 +ASN1 OID: secp384r1 +X509v3 extensions: +X509v3 Basic Constraints: +CA:FALSE +X509v3 Subject Key Identifier: +D8:E2:35:7B:CA:66:71:6B:D8:5B:F5:12:13:82:2D:ED:CD:E5:ED:7F +X509v3 Authority Key Identifier: + keyid:B4:9A:41:5C:B8:26:7C:48:B5:99:44:00:FF:F0:BA:41:41:C8:06:3C +DirName:/CN=EC-Test CA +serial:B1:84:18:1D:A0:E9:C0:17 + +X509v3 Extended Key Usage: +TLS Web Client Authentication +X509v3 Key Usage: +Digital Signature +Netscape Comment: +Easy-RSA Generated Certificate +Netscape Cert Type: +SSL Client +Signature Algorithm: ecdsa-with-SHA256 + 30:64:02:30:41:8b:1a:fd:97:a8:bb:7c:d0:eb:1c:a2:ba:c0: + ac:2f:6d:80:07:5b:5c:ef:55:59:1a:92:56:66:94:ce:49:6a: +
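Review bot: In the README hunk, the added line "ec-*.{crt,key} -- sample elliptic curve variants of the above" promises more than the diffstat delivers. Only ec-ca, ec-client and ec-server are created, so there is no EC counterpart to pass.{crt,key}. Listing the three pairs explicitly, in the style of the existing client/server entries, would keep the README accurate.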
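Review bot: The sample/sample-keys/ec-ca.key hunk commits the CA's private key unencrypted ("BEGIN PRIVATE KEY"), and nothing in the file or its name marks it as test-only; the warning exists only in the README NOTE. Since anyone holding this key can issue certificates under CN=EC-Test CA, the README text should say explicitly that the EC CA must never be trusted outside tests, or the chain should be generated at test time instead of being stored in the tree.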
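Review bot: In the ec-client.crt hunk the validity is fixed at "Not After : Jan 16 16:02:37 2024 GMT", so any test that verifies this certificate will start failing on that date and there is no record of how to regenerate it. The "Netscape Comment: Easy-RSA Generated Certificate" line suggests the tooling used; the README should document the exact commands (curve secp384r1, ecdsa-with-SHA256, the extension set shown here) so the chain can be reissued.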
Re: [Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys
Hi,

On 04/23/2014 12:08 PM, Arne Schwabe wrote:
> ACK.

Thanks for reviewing. Yesterday evening I've been reworking these patches a bit however. I want to have three things resolved:

1) PolarSSL 1.3 is already in master, and supports elliptic curve crypto, so the --show-curves and --ecdh-curve options need to be implemented for polarssl too.
2) Some distros (notably, RHEL) ship without EC in openssl, so I needed to add a number of #ifdefs to deal with that.
3) While I'm at it, improve the error reporting a bit.

I expect to send out reworked patches later this week.

> I don't think that adding sample keys is a good idea. Having a script
> which generates sample dummy key is probably a much better idea. I am
> acking this on the basis that we do the same stuff for RSA.

I agree. Let's do that in a separate patch set.

-Steffan
Re: [Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys
On 26.02.14 00:28, Steffan Karger wrote:
> Signed-off-by: Steffan Karger
> ---
> sample/sample-keys/README| 6 ++--
> sample/sample-keys/ec-ca.crt | 13 +
> sample/sample-keys/ec-ca.key | 6
> sample/sample-keys/ec-client.crt | 61
> sample/sample-keys/ec-client.key | 6
> sample/sample-keys/ec-server.crt | 61
> sample/sample-keys/ec-server.key | 6
> 7 files changed, 156 insertions(+), 3 deletions(-)
>

ACK.

I don't think that adding sample keys is a good idea. Having a script which generates sample dummy key is probably a much better idea. I am acking this on the basis that we do the same stuff for RSA.
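A sketch of the generator script suggested in the message above, as an added example that is not part of this thread or of the OpenVPN tree. It needs the openssl command-line tool; the file names, CNs, curve, signature hash and client serial follow the patch, while the function name, the extension sections, the server serial and the default lifetime are assumptions.

```shell
#!/bin/sh
# Added example: build a throwaway EC test chain at test time instead of
# committing keys. Function name and extension sections are assumptions.
gen_ec_sample_keys() {
    out=${1:?usage: gen_ec_sample_keys OUTDIR [DAYS]}
    days=${2:-3650}
    mkdir -p "$out" || return 1
    (
        cd "$out" || exit 1
        umask 077   # test-only keys, but still not world-readable
        cat > ec-ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = overridden by -subj
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
        newkey() {  # PKCS#8 key on secp384r1, the curve shown in ec-client.crt
            openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 \
                -pkeyopt ec_param_enc:named_curve -out "$1"
        }
        newkey ec-ca.key || exit 1
        openssl req -new -x509 -sha256 -config ec-ext.cnf -extensions ca \
            -key ec-ca.key -subj "/CN=EC-Test CA" -days "$days" -out ec-ca.crt || exit 1
        serial=1    # server gets 1 (assumed), client gets 2 (as in the patch)
        for role in server client; do
            newkey "ec-$role.key" || exit 1
            openssl req -new -sha256 -config ec-ext.cnf -key "ec-$role.key" \
                -subj "/CN=ec-$role" -out "ec-$role.csr" || exit 1
            openssl x509 -req -sha256 -in "ec-$role.csr" -CA ec-ca.crt \
                -CAkey ec-ca.key -set_serial "$serial" -days "$days" \
                -extfile ec-ext.cnf -extensions "$role" -out "ec-$role.crt" || exit 1
            rm -f "ec-$role.csr"
            serial=$((serial + 1))
        done
        # Fail unless both leaves chain to the freshly generated CA.
        openssl verify -CAfile ec-ca.crt ec-server.crt ec-client.crt >/dev/null
    )
}
```

Because every run produces a new CA key, nothing generated this way can be confused with a key that has been published in a source tree.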