[Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys

2014-04-23 Thread Steffan Karger
Signed-off-by: Steffan Karger 
---
 sample/sample-keys/README|  6 ++--
 sample/sample-keys/ec-ca.crt | 13 +
 sample/sample-keys/ec-ca.key |  6 
 sample/sample-keys/ec-client.crt | 61 
 sample/sample-keys/ec-client.key |  6 
 sample/sample-keys/ec-server.crt | 61 
 sample/sample-keys/ec-server.key |  6 
 7 files changed, 156 insertions(+), 3 deletions(-)
 create mode 100644 sample/sample-keys/ec-ca.crt
 create mode 100644 sample/sample-keys/ec-ca.key
 create mode 100644 sample/sample-keys/ec-client.crt
 create mode 100644 sample/sample-keys/ec-client.key
 create mode 100644 sample/sample-keys/ec-server.crt
 create mode 100644 sample/sample-keys/ec-server.key

diff --git a/sample/sample-keys/README b/sample/sample-keys/README
index 1cd473a..9f4f918 100644
--- a/sample/sample-keys/README
+++ b/sample/sample-keys/README
@@ -1,7 +1,6 @@
-Sample RSA keys.
+Sample RSA and EC keys.

-See the examples section of the man page
-for usage examples.
+See the examples section of the man page for usage examples.

 NOTE: THESE KEYS ARE FOR TESTING PURPOSES ONLY.
   DON'T USE THEM FOR ANY REAL WORK BECAUSE
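Review bot: the new title "Sample RSA and EC keys." tells the reader nothing about which curve the EC material uses or that the EC files are the ec-* ones; the curve is only discoverable by reading ec-client.crt ("ASN1 OID: secp384r1"). Suggest adding a line under the title such as "EC keys use secp384r1 (see the ec-* files)" so anyone reusing the chain for tests knows what curve support their TLS library needs.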
@@ -12,3 +11,4 @@ client.{crt,key} -- sample client key/cert
 server.{crt,key} -- sample server key/cert (nsCertType=server)
 pass.{crt,key}   -- sample client key/cert with password-encrypted key
 password = "password"
+ec-*.{crt,key}   -- sample elliptic curve variants of the above
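Review bot: "sample elliptic curve variants of the above" overstates what is shipped: the diffstat adds ec-ca, ec-client and ec-server only, with no ec-pass.{crt,key} to match pass.{crt,key} and its password-encrypted key. Suggest "ec-{ca,client,server}.{crt,key} -- elliptic curve (secp384r1) variants of ca, client and server" so the README does not promise an encrypted EC key that does not exist.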
diff --git a/sample/sample-keys/ec-ca.crt b/sample/sample-keys/ec-ca.crt
new file mode 100644
index 000..e190801
--- /dev/null
+++ b/sample/sample-keys/ec-ca.crt
@@ -0,0 +1,13 @@
+-BEGIN CERTIFICATE-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+-END CERTIFICATE-
diff --git a/sample/sample-keys/ec-ca.key b/sample/sample-keys/ec-ca.key
new file mode 100644
index 000..51a72e1
--- /dev/null
+++ b/sample/sample-keys/ec-ca.key
@@ -0,0 +1,6 @@
+-BEGIN PRIVATE KEY-
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDASU6X/mh2m2PayviL3
+teoml5soyIUcZfwZpVn6oNtnrLcAbIRsAJbM4xyGVp77G/6hZANiAATZLgBlPuNm
+U8b8JelPXYLMI1LJLIqYm359bJb/DNtG6VUmkYddEellmPZU05QTvaSoZR6yGHpS
+bWjuUcYNICQc4ml5bkW2vKIqHAVz7h2w4ItM0tUVdCwS1jeBjXhSq6I=
+-END PRIVATE KEY-
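Review bot: this hunk commits the CA's private key in unencrypted PKCS#8 form ("BEGIN PRIVATE KEY"), so anyone with the repository can issue certificates that chain to ec-ca.crt. That matches the existing RSA samples and is covered by the README's "TESTING PURPOSES ONLY" warning, but it is also the strongest argument for the generate-on-demand script suggested in review; if the files stay, a comment in the README that ec-ca.key is a public, throwaway CA key would help prevent someone reusing the chain outside tests.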
diff --git a/sample/sample-keys/ec-client.crt b/sample/sample-keys/ec-client.crt
new file mode 100644
index 000..9372800
--- /dev/null
+++ b/sample/sample-keys/ec-client.crt
@@ -0,0 +1,61 @@
+Certificate:
+Data:
+Version: 3 (0x2)
+Serial Number: 2 (0x2)
+Signature Algorithm: ecdsa-with-SHA256
+Issuer: CN=EC-Test CA
+Validity
+Not Before: Jan 18 16:02:37 2014 GMT
+Not After : Jan 16 16:02:37 2024 GMT
+Subject: CN=ec-client
+Subject Public Key Info:
+Public Key Algorithm: id-ecPublicKey
+Public-Key: (384 bit)
+pub: 
+04:40:d9:b9:a2:44:1b:01:39:2c:14:ee:aa:70:6b:
+31:98:28:44:c9:61:bc:b7:0b:b5:53:49:c2:c0:0a:
+43:b0:08:50:cd:80:2f:5d:a4:89:f1:ff:7d:11:78:
+f5:0c:b2:86:e2:59:f8:17:76:1b:22:f2:23:67:e7:
+55:90:ea:ce:0a:aa:da:05:f4:85:19:c9:ed:ae:6d:
+a3:ad:56:7a:f6:33:c6:cf:bb:c7:39:fa:e4:d3:67:
+df:f0:b8:4a:88:57:98
+ASN1 OID: secp384r1
+X509v3 extensions:
+X509v3 Basic Constraints: 
+CA:FALSE
+X509v3 Subject Key Identifier: 
+D8:E2:35:7B:CA:66:71:6B:D8:5B:F5:12:13:82:2D:ED:CD:E5:ED:7F
+X509v3 Authority Key Identifier: 
+
keyid:B4:9A:41:5C:B8:26:7C:48:B5:99:44:00:FF:F0:BA:41:41:C8:06:3C
+DirName:/CN=EC-Test CA
+serial:B1:84:18:1D:A0:E9:C0:17
+
+X509v3 Extended Key Usage: 
+TLS Web Client Authentication
+X509v3 Key Usage: 
+Digital Signature
+Netscape Comment: 
+Easy-RSA Generated Certificate
+Netscape Cert Type: 
+SSL Client
+Signature Algorithm: ecdsa-with-SHA256
+ 30:64:02:30:41:8b:1a:fd:97:a8:bb:7c:d0:eb:1c:a2:ba:c0:
+ ac:2f:6d:80:07:5b:5c:ef:55:59:1a:92:56:66:94:ce:49:6a:
+   
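Review bot: the certificate has a fixed validity window ("Not After : Jan 16 16:02:37 2024 GMT"), so this sample chain, and any test that loads it, starts failing with an expiry error in January 2024 with no change to the code; a generator script would produce fresh validity each time, and if the static files stay the README should record the expiry date. Note also that the hunk header announces +61 lines but the posting is cut off after the first signature bytes, so the PEM block of ec-client.crt is not visible here for review.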

Re: [Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys

2014-04-23 Thread Steffan Karger
Hi,

On 04/23/2014 12:08 PM, Arne Schwabe wrote:
> ACK.

Thanks for reviewing. Yesterday evening I reworked these patches a bit,
however. I want to have three things resolved:
1) PolarSSL 1.3 is already in master, and supports elliptic curve
crypto, so the --show-curves and --ecdh-curve options need to be
implemented for PolarSSL too.
2) Some distros (notably RHEL) ship without EC in OpenSSL, so I needed
to add a number of #ifdefs to deal with that.
3) While I'm at it, improve the error reporting a bit.

I expect to send out reworked patches later this week.

> I don't think that adding sample keys is a good idea. Having a script
> which generates sample dummy keys is probably a much better idea. I am
> acking this on the basis that we do the same stuff for RSA.

I agree. Let's do that in a separate patch set.

-Steffan

Re: [Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys

2014-04-23 Thread Arne Schwabe
On 26.02.14 00:28, Steffan Karger wrote:
> Signed-off-by: Steffan Karger 
> ---
>  sample/sample-keys/README|  6 ++--
>  sample/sample-keys/ec-ca.crt | 13 +
>  sample/sample-keys/ec-ca.key |  6 
>  sample/sample-keys/ec-client.crt | 61 
> 
>  sample/sample-keys/ec-client.key |  6 
>  sample/sample-keys/ec-server.crt | 61 
> 
>  sample/sample-keys/ec-server.key |  6 
>  7 files changed, 156 insertions(+), 3 deletions(-)
>  
ACK.

I don't think that adding sample keys is a good idea. Having a script
which generates sample dummy keys is probably a much better idea. I am
acking this on the basis that we do the same stuff for RSA.


[Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys

2014-02-25 Thread Steffan Karger
Signed-off-by: Steffan Karger 