From 3be7eacea976aa68310c786fcc312e5fd279aa3c Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 24 Oct 2018 10:55:39 -0700 Subject: [PATCH] Added client/server certs and keys for P-384-bit signed by P-384 CA. Fix for broken certs/ecc/genecc.sh script. Added simple P-384 cipher suite test. --- certs/client-ecc384-cert.der | Bin 0 -> 754 bytes certs/client-ecc384-cert.pem | 18 ++++++ certs/client-ecc384-key.der | Bin 0 -> 167 bytes certs/client-ecc384-key.pem | 6 ++ certs/crl/gencrls.sh | 18 +++--- certs/crl/include.am | 3 +- certs/crl/wolfssl.cnf | 110 +++++++++++++++++++++++++++++++++++ certs/ecc/genecc.sh | 62 ++++++++++++++++---- certs/ecc/include.am | 4 +- certs/ecc/wolfssl.cnf | 14 ++--- certs/ecc/wolfssl_384.cnf | 110 +++++++++++++++++++++++++++++++++++ certs/server-ecc384-cert.der | Bin 0 -> 918 bytes certs/server-ecc384-cert.pem | 22 +++++++ certs/server-ecc384-key.der | Bin 0 -> 167 bytes certs/server-ecc384-key.pem | 6 ++ tests/test.conf | 14 +++++ 16 files changed, 356 insertions(+), 31 deletions(-) create mode 100644 certs/client-ecc384-cert.der create mode 100644 certs/client-ecc384-cert.pem create mode 100644 certs/client-ecc384-key.der create mode 100644 certs/client-ecc384-key.pem create mode 100644 certs/crl/wolfssl.cnf create mode 100644 certs/ecc/wolfssl_384.cnf create mode 100644 certs/server-ecc384-cert.der create mode 100644 certs/server-ecc384-cert.pem create mode 100644 certs/server-ecc384-key.der create mode 100644 certs/server-ecc384-key.pem 
diff --git a/certs/client-ecc384-cert.der b/certs/client-ecc384-cert.der new file mode 100644 index 0000000000000000000000000000000000000000..9bf89c7f124920c0d9747f44c44531a1de34080d GIT binary patch literal 754 zcmXqLVtQxL#8kY1nTe5!iAjLbfQyYotIgw_EekWVLF05oZUas>=1>+kVW!YvLtz6! z5Ql?@D?G6{BQr0(BtOqkz<>`V$j-waoSIltl9LJ(;o@O0&(BE<4)!q=F%SZ&;pX9X zNi9pw$uG!F%_}jKFc1TYGV}14mzV2-)D{=#=q2ap8p<2UvTUiEDTD_NenD$M>uTLmM;{&63nH%c`f(3{u5tj$S%9F zDNjl8*UtAd5B$=!^I-V-@6a+Y>E%KzvM2b+>|PU_$Cq@jK;gS{`HktvOD<>p>wHsw zT2jB$OSb&ybni5#jHOBIr#7B`tYY@Mb#dbagT`KPT*?ZwFc~ly2(ob|w0SVL{cvJr zWMN@uVqIV$%f=ik%f}+dA|m(cg7l9+OHbS1>H0cd%PDw+)6Xjg@*rtt76}8f29ebd z4y*Y{Tq)XpsikKQ7we=3q2M5JI*{dOWc&{{?*YU-RTeP=5jGBOHbz!fc4j6xiv>BQ zF=sLuq%j#XeBrG)^yl4IcNvkWg?o)y{t9UK8183b*{#0jZ%K>XE8oN~>kHQINP2X2 zcIN8iZ_l1!GGyrdQ?4=n^X$A`)qlPVJH>R02b87mS+}L;n9`RIc}33@%k{2U=XSVl NNiTXT7gYpLyVyrkw}F&wq!Oc}Xu9T9G}$M`rh$*gU?Za|H_Doy%`bKVEV<<6q~S^3#&~ aonEr#Kc{=AF=Z@GT0gb%^kWsX*R23j&`XN| literal 0 HcmV?d00001 diff --git a/certs/client-ecc384-key.pem b/certs/client-ecc384-key.pem new file mode 100644 index 000000000..c12526d3d --- /dev/null +++ b/certs/client-ecc384-key.pem @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB1nVO7/TbLqFdjldpO +TH23WVi/DIOkNaLUNEpfkh3gbrWk1AQ2OgnmrBSgMI8FN5ahZANiAARmxAg9Zqeh +FdRTCiOzrQvOj8j0mB2m2LJuIhH6ue+ZwPopPkgA+f7CpkobpxKoa5BMHLusXW4O +Ys5wIPdDd9iXx3TTaP6J7HfLGS+JSh13+ZdLZgJopWKvlYHL4yQ264U= +-----END PRIVATE KEY----- diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh index 6a0f15c33..7cf4bf6e4 100755 --- a/certs/crl/gencrls.sh +++ b/certs/crl/gencrls.sh 
@@ -17,25 +17,23 @@ setup_files() {
 mkdir demoCA || exit 1
 touch ./demoCA/index.txt || exit 1
 touch ./index.txt || exit 1
- touch ../ecc/index.txt || exit 1
+ touch ../crl/index.txt || exit 1
 touch ./crlnumber || exit 1
- touch ../ecc/crlnumber || exit 1
+ touch ../crl/crlnumber || exit 1
 echo "01" >> crlnumber || exit 1
- echo "01" >> ../ecc/crlnumber || exit 1
+ echo "01" >> ../crl/crlnumber || exit 1
 touch ./blank.index.txt || exit 1
 touch ./demoCA/index.txt.attr || exit 1
- touch ../ecc/index.txt.attr || exit 1
+ touch ../crl/index.txt.attr || exit 1
 }
 cleanup_files() {
 rm blank.index.txt || exit 1
 rm index.* || exit 1
 rm crlnumber* || exit 1
- rm ../ecc/crlnumber* || exit 1
- rm ../ecc/index.* || exit 1
- rm -r demoCA || exit 1
+ rm -rf demoCA || exit 1
 echo "Removed ../wolfssl.cnf, blank.index.txt, index.*, crlnumber*, demoCA/"
- echo " ../ecc/index.txt"
+ echo " ../crl/index.txt"
 echo ""
 exit 0
 }
@@ -171,12 +169,12 @@ mv tmp eccSrvCRL.pem
 # caEccCrl
 echo "Step 21"
-openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
+openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
 check_result $?
 # ca-ecc384-cert
 echo "Step 22"
-openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
+openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
 check_result $?
 exit 0
diff --git a/certs/crl/include.am b/certs/crl/include.am
index 0cdd3a91c..c5d635df8 100644
--- a/certs/crl/include.am
+++ b/certs/crl/include.am
@@ -9,7 +9,8 @@ EXTRA_DIST += \
 certs/crl/eccCliCRL.pem \
 certs/crl/crl2.pem \
 certs/crl/caEccCrl.pem \
- certs/crl/caEcc384Crl.pem
+ certs/crl/caEcc384Crl.pem \
+ certs/crl/wolfssl.cnf
 EXTRA_DIST += \
 certs/crl/crl.revoked
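Review bot: If gencrls.sh runs from certs/crl, as `touch ./demoCA/index.txt`, the `rm index.*`/`rm crlnumber*` in cleanup_files and the `../ca-ecc-key.pem` paths in Step 21 all indicate, then the new `../crl/index.txt` and `../crl/crlnumber` paths name the same files as `./index.txt` and `./crlnumber`, so `echo "01" >> ../crl/crlnumber` appends a second `01` line to the crlnumber file that `echo "01" >> crlnumber` just wrote. The `../` variants only existed because the ecc config used to be shared from `../ecc/`; now that certs/crl has its own wolfssl.cnf the four `../crl/...` lines in setup_files are redundant, and the duplicated append leaves a two-line crlnumber rather than the single value `openssl ca -gencrl` reads. I would delete `touch ../crl/index.txt`, `touch ../crl/crlnumber`, `echo "01" >> ../crl/crlnumber` and `touch ../crl/index.txt.attr`, and change the remaining `echo "01" >> crlnumber` to `echo "01" > crlnumber` so a stale file cannot accumulate numbers across runs. The "Removed ../wolfssl.cnf" text in cleanup_files's echo also no longer describes anything the function removes.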
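Review bot: Step 22 signs the P-384 CA's CRL with the `default_md = sha256` of the new certs/crl/wolfssl.cnf, while the same caEcc384Crl.pem produced by genecc.sh goes through wolfssl_384.cnf (`default_md = sha384`) and the CA certificate itself is issued with `-sha384`, so the two generation paths emit differently-signed CRLs for the same CA. ECDSA P-384 over SHA-256 verifies, but the fixture then depends on which script ran last and is the sort of mismatch a strict signature-algorithm policy trips over. I would pin the digest on the command line: `openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -md sha384 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem`. check_result is defined outside this hunk.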
diff --git a/certs/crl/wolfssl.cnf b/certs/crl/wolfssl.cnf new file mode 100644 index 000000000..78593cb8e --- /dev/null +++ b/certs/crl/wolfssl.cnf 
@@ -0,0 +1,110 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations relevant to where the script is executing
+dir = .
+certs = $dir/../
+new_certs_dir = $dir/../
+database = $dir/../crl/index.txt
+serial = $dir/../crl/serial
+# This should come from the system disregard local pathing
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/../ca-ecc-key.pem
+certificate = $dir/../ca-ecc-cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/../crl/crlnumber
+crl_extensions = crl_ext
+default_crl_days = 1000
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3650
+preserve = no
+policy = policy_loose
+
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = Washington
+localityName = Seattle
+0.organizationName = wolfSSL
+organizationalUnitName = Development
+commonName = www.wolfssl.com
+emailAddress = info@wolfssl.com
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
diff --git a/certs/ecc/genecc.sh b/certs/ecc/genecc.sh
index ef28371ba..2efb033c9 100755
--- a/certs/ecc/genecc.sh
+++ b/certs/ecc/genecc.sh
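Review bot: The new certs/crl/wolfssl.cnf carries no comment saying what it is for, and its contents mislead on that point: `private_key`/`certificate` name the P-256 CA although gencrls.sh also uses this file for the P-384 CA (Step 22) and relies on `-keyfile`/`-cert` to override them, and the `[ usr_cert ]`, `[ server_cert ]` and `[ v3_intermediate_ca ]` sections are never referenced because gencrls.sh only runs `openssl ca -gencrl`. I would open the file with `# OpenSSL config used only by certs/crl/gencrls.sh (run from certs/crl) for 'openssl ca -gencrl'; the CA key/cert below are defaults and each step overrides them with -keyfile/-cert.` and either drop the unused issuance sections or mark them as unused. `RANDFILE = $dir/private/.rand` points at a directory setup_files never creates, so it is noise at best. If anyone does issue leaf certificates from here, note that the `keyEncipherment` bit in `[ usr_cert ]` and `[ server_cert ]` is not permitted for id-ecPublicKey keys (RFC 5480 §3).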
@@ -13,21 +13,17 @@ echo 2000 > ./certs/ecc/crlnumber
 # generate ECC 256-bit CA
 openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
-openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 \
+ -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
 openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER
 openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
 rm ./certs/ca-ecc-key.par
-# generate ECC 384-bit CA
-openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
-openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+# Gen CA CRL
+openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
-openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
-openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
-
-rm ./certs/ca-ecc384-key.par
 # Generate ECC 256-bit server cert
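Review bot: None of the `openssl` steps in this hunk check their exit status and no `set -e` is visible, so if the CA `openssl req` fails the following `openssl x509`/`openssl ec` conversions and the `openssl ca -gencrl` run anyway and the script could leave a mix of old and freshly written fixture files behind; gencrls.sh in this same commit wraps every step in `check_result $?`. I would add `set -e` near the top of genecc.sh (outside this hunk) or append `|| exit 1` to each `openssl` line so a broken regeneration stops at the first failure. The `-sha256 \` line split is cosmetic, so the functional change here is only that the P-256 CA CRL is now generated immediately after the CA is created; a comment such as `# CRL issued right after CA creation is empty; revocations are produced by certs/crl/gencrls.sh` would make that intent clear to the next reader.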
@@ -40,9 +36,53 @@ openssl x509 -in ./certs/server-ecc.pem -outform der -out ./certs/server-ecc.der
 rm ./certs/server-ecc-req.pem
-# Gen CRL
-openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
-openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
+
+
+# generate ECC 384-bit CA
+openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
+openssl req -config ./certs/ecc/wolfssl_384.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 \
+ -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+
+openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
+openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
+
+rm ./certs/ca-ecc384-key.par
+
+# Gen CA CRL
+openssl ca -config ./certs/ecc/wolfssl_384.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
+
+
+
+# Generate ECC 384-bit server cert
+openssl ecparam -out ./certs/server-ecc384-key.par -name secp384r1
+openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/server-ecc384-key.par -keyout ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
+ -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
+ -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl ec -in 
./certs/server-ecc384-key.pem -inform PEM -out ./certs/server-ecc384-key.der -outform DER
+
+# Sign server certificate
+openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions server_cert -days 10950 -notext -md sha384 -in ./certs/server-ecc384-req.pem -out ./certs/server-ecc384-cert.pem
+openssl x509 -in ./certs/server-ecc384-cert.pem -outform der -out ./certs/server-ecc384-cert.der
+
+rm ./certs/server-ecc384-req.pem
+rm ./certs/server-ecc384-key.par
+
+# Generate ECC 384-bit client cert
+openssl ecparam -out ./certs/client-ecc384-key.par -name secp384r1
+openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/client-ecc384-key.par -keyout ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
+ -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
+ -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Clit/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl ec -in ./certs/client-ecc384-key.pem -inform PEM -out ./certs/client-ecc384-key.der -outform DER
+
+# Sign client certificate
+openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions usr_cert -days 10950 -notext -md sha384 -in ./certs/client-ecc384-req.pem -out ./certs/client-ecc384-cert.pem
+openssl x509 -in ./certs/client-ecc384-cert.pem -outform der -out ./certs/client-ecc384-cert.der
+
+rm ./certs/client-ecc384-req.pem
+rm ./certs/client-ecc384-key.par
+
 # Also manually need to:
 # 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
diff --git a/certs/ecc/include.am b/certs/ecc/include.am
index 3c4eddbd4..b9897c1c2 100644
--- a/certs/ecc/include.am
+++ b/certs/ecc/include.am
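Review bot: Each new key is produced by an `openssl req ... -x509 -nodes -newkey ec:... -out ./certs/server-ecc384-req.pem` that writes a self-signed certificate into the `-req.pem` file, which the very next `openssl req -new -key ... -out ./certs/server-ecc384-req.pem` overwrites, so the `-x509` step is only acting as a key generator; the client block repeats the same pattern. The two client `-subj` strings also disagree (`OU=ECC384Cli` on the throwaway line, `OU=ECC384Clit` on the CSR that is actually signed), so the committed client-ecc384-cert presumably carries the typo. Collapsing each pair into one `openssl req -new -nodes -newkey ec:<par> -keyout <key> -out <req>` call removes the dead step and leaves a single place for the subject; the rewritten lines are below and the DER export, `openssl ca` signing and cleanup lines are unchanged. Note also that the `openssl ca` signing lines run without `-batch`, so regenerating the fixtures prompts for confirmation on every certificate, and none of the steps check their exit status.
```shell
# Generate ECC 384-bit server cert
openssl ecparam -out ./certs/server-ecc384-key.par -name secp384r1
openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -nodes -newkey ec:./certs/server-ecc384-key.par -keyout ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
    -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
# … unchanged: server key DER export, signing, cleanup …

# Generate ECC 384-bit client cert
openssl ecparam -out ./certs/client-ecc384-key.par -name secp384r1
openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -nodes -newkey ec:./certs/client-ecc384-key.par -keyout ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
    -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
# … unchanged: client key DER export, signing, cleanup …
```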
@@ -4,5 +4,5 @@ EXTRA_DIST += \
 certs/ecc/genecc.sh \
- certs/ecc/wolfssl.cnf
-
+ certs/ecc/wolfssl.cnf \
+ certs/ecc/wolfssl_384.cnf
diff --git a/certs/ecc/wolfssl.cnf b/certs/ecc/wolfssl.cnf
index 969fdb9a3..a974aeb35 100644
--- a/certs/ecc/wolfssl.cnf
+++ b/certs/ecc/wolfssl.cnf
@@ -5,19 +5,19 @@ default_ca = CA_default
 [ CA_default ]
 # Directory and file locations relevant to where the script is executing
 dir = .
-certs = $dir/../
-new_certs_dir = $dir/../
-database = $dir/../ecc/index.txt
-serial = $dir/../ecc/serial
+certs = $dir/certs
+new_certs_dir = $dir/certs
+database = $dir/certs/ecc/index.txt
+serial = $dir/certs/ecc/serial
 # This should come from the system disregard local pathing
 RANDFILE = $dir/private/.rand
 # The root key and root certificate.
-private_key = $dir/../ca-ecc-key.pem
-certificate = $dir/../ca-ecc-cert.pem
+private_key = $dir/certs/ca-ecc-key.pem
+certificate = $dir/certs/ca-ecc-cert.pem
 # For certificate revocation lists.
-crlnumber = $dir/../ecc/crlnumber
+crlnumber = $dir/certs/ecc/crlnumber
 crl_extensions = crl_ext
 default_crl_days = 1000
diff --git a/certs/ecc/wolfssl_384.cnf b/certs/ecc/wolfssl_384.cnf
new file mode 100644
index 000000000..7cb35f709
--- /dev/null
+++ b/certs/ecc/wolfssl_384.cnf
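Review bot: Rewriting the paths from `$dir/../` to `$dir/certs` changes this config's working-directory contract (with `dir = .` it now only resolves when `openssl` is invoked from the repository root, which is what genecc.sh's `./certs/...` paths assume), but the comment left above it, `# Directory and file locations relevant to where the script is executing`, still does not say which directory that is, so anyone running `openssl ca -config wolfssl.cnf` from certs/ecc gets an unhelpful missing-file failure. I would replace that comment with `# Paths are relative to the repository root: run genecc.sh from the top of the tree as ./certs/ecc/genecc.sh`. It is also worth a line noting that gencrls.sh used to reach this file as `../ecc/wolfssl.cnf` and now has its own certs/crl/wolfssl.cnf with the old `$dir/../` layout, so nobody later "deduplicates" the two back into one. The `[ CA_default ]` section continues past the end of the hunk.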
@@ -0,0 +1,110 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations relevant to where the script is executing
+dir = .
+certs = $dir/certs
+new_certs_dir = $dir/certs
+database = $dir/certs/ecc/index.txt
+serial = $dir/certs/ecc/serial
+# This should come from the system disregard local pathing
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/certs/ca-ecc384-key.pem
+certificate = $dir/certs/ca-ecc384-cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/certs/ecc/crlnumber
+crl_extensions = crl_ext
+default_crl_days = 1000
+
+# SHA-384 is default
+default_md = sha384
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3650
+preserve = no
+policy = policy_loose
+
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-384 is default
+default_md = sha384
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = Washington
+localityName = Seattle
+0.organizationName = wolfSSL
+organizationalUnitName = Development
+commonName = www.wolfssl.com
+emailAddress = info@wolfssl.com
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = serverAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always diff --git a/certs/server-ecc384-cert.der b/certs/server-ecc384-cert.der new file mode 100644 index 0000000000000000000000000000000000000000..ea466cb11e0f7af77e7954d8a3bf142e6f168e4b GIT binary patch literal 918 zcmXqLVxDBs#4NFZnTe5!iAjLLfQyYotIgw_EekWVLF05oZUas>=1>+kVW!YvLtz6! z5Ql?@D?G6{BQr0(BtOqkz<>`V$j-waoSIltl9LJ(;o@O0&(BE<4)!q=F%SZ&;pX9X zNi9pw$uG!F%_}jKFc1TYGV}14mzV2-)D{=#=q2ap8p<2UvTDRjAOPG&(#X0oA>fdI&j+&rAF z&d$abCc#Bzl(@UhK!A-M9KKA9Y^>UiEDTD_NenEn&QJE&;oNO0!XK7$*kQ|kzT|aJ z3%wc6uuT8|@TJAH-SHDQWu4h-8Q)(J`H}Hkls02d2KV_;)%CeEJh)broLnisfamb< z%gP!5SZtC5I;?m4*QA?#w_aKNT>5ZeoRY+w#Z8Q+22G5H;K-B}W??d5Fc4(pOlb39 zZ2RHF$jHLN%*5tkAj`%aD$B6j5KE58?m- literal 0 HcmV?d00001 diff --git a/certs/server-ecc384-cert.pem b/certs/server-ecc384-cert.pem new file mode 100644 index 000000000..ed415bf8e --- /dev/null 
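Review bot: wolfssl_384.cnf points `database`, `serial` and `crlnumber` at the same certs/ecc/index.txt, certs/ecc/serial and certs/ecc/crlnumber that certs/ecc/wolfssl.cnf uses for the P-256 CA, so two distinct CAs share one `openssl ca` state: the P-384 CA's CRL is built from an index that also records the P-256 CA's issued and revoked entries, and the two CAs draw interleaved CRL numbers. For fixtures that is survivable, but it means a revocation entered for one CA appears in the other CA's CRL, which is the one property a CRL test fixture must not have. I would give the P-384 CA its own files, `database = $dir/certs/ecc/index_384.txt`, `serial = $dir/certs/ecc/serial_384` and `crlnumber = $dir/certs/ecc/crlnumber_384`, and create them in genecc.sh alongside the existing `echo 2000 > ./certs/ecc/crlnumber`. Separately, `[ usr_cert ]` and `[ server_cert ]` assert `keyEncipherment`, which RFC 5480 §3 says must not be present for id-ecPublicKey keys, and the committed server-ecc384-cert.pem does carry it (its critical keyUsage BIT STRING is `03 02 03 a8`, i.e. digitalSignature, keyEncipherment, keyAgreement); dropping the bit from both sections and regenerating would be correct, and `[ server_cert ]` would also be the place to add a `subjectAltName = DNS:www.wolfssl.com` since the committed server cert has no SAN at all.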
+++ b/certs/server-ecc384-cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkjCCAxigAwIBAgICEAAwCgYIKoZIzj0EAwMwgZcxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3 +b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz +c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MTAx +OTEzNDA0M1oXDTQ4MTAxMTEzNDA0M1owgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj +MRIwEAYDVQQLDAlFQ0MzODRTcnYxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf +MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTB2MBAGByqGSM49AgEGBSuB +BAAiA2IABOrPk08sCbs5FA9WZMNAtN8OY67lcUsAzASX/+HpOJa7X5Gyasy1OV+P +cFnxAfZaKwFsaAvPVSWvbZhICqh0yakXoAzD+9MjaP4EPGNQiDu5T3xnNPc7qXPn +G8NRXiIY7KOCATUwggExMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMB0G +A1UdDgQWBBSCO/JlL/O0AMa8Bv15QnVLZdHOvDCBzAYDVR0jBIHEMIHBgBSr4MMm +TBjUcrvShIycCgWSgBJTUqGBnaSBmjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx +FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQD8OQSkDqVshzAOBgNV +HQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwMDaAAw +ZQIxAOia1gUcnnky9I/5RZ4A7r19gJvqudLrnujFOsHcaqvmGVe4tg1QSS2TDfzH +t5uKyQIwUAkNmwgdmhfE5ytISptkpxyWq3z8NWWPefjOmUpzBG/gVxX1Wvn+Wc2Z +WeMuU92v +-----END CERTIFICATE----- diff --git a/certs/server-ecc384-key.der b/certs/server-ecc384-key.der new file mode 100644 index 0000000000000000000000000000000000000000..9dde676428a64f2b2dc29fd76ce9600e11be468b GIT binary patch literal 167 zcmXqLT*Ac2$YQYMDccJ+F}u~BKN6e|B&gorRsB!Wlp{2??9rVEjNRE8_s{1y2%W1m zf2}>I`bdUM$pUsZR_#U>2Bn25%t;I^ug*{Q*Wui4DZ(F?a@b+ZeZJ&%PYb;n&ah1X z|L~>7wB7L&H)WmKY8l^O5c!euTa-3qP6qe+P}TLhGd#Ffl$=~CzJTZO@5{;=|5$92 Z13IjC`q!kJe79a%{9O8QV4RY~8vsWENc{i+ literal 0 HcmV?d00001 diff --git a/certs/server-ecc384-key.pem b/certs/server-ecc384-key.pem new file mode 100644 index 000000000..5d3d61d0c --- /dev/null 
+++ b/certs/server-ecc384-key.pem
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCk5QboBhY+q4n4YEPA
+YCXbunv+GTUIVWV24tzgAYtraN/Pb4ASznk36yuce8RoHHShZANiAATqz5NPLAm7
+ORQPVmTDQLTfDmOu5XFLAMwEl//h6TiWu1+RsmrMtTlfj3BZ8QH2WisBbGgLz1Ul
+r22YSAqodMmpF6AMw/vTI2j+BDxjUIg7uU98ZzT3O6lz5xvDUV4iGOw=
+-----END PRIVATE KEY-----
diff --git a/tests/test.conf b/tests/test.conf
index a678f52c4..faad62e6e 100644
--- a/tests/test.conf
+++ b/tests/test.conf
@@ -2364,3 +2364,17 @@
 -v 3
 -l ECDHE-RSA-AES256-GCM-SHA384
 -H useSupCurve
+
+# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 with P-384 Certs and CA
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc384-cert.pem
+-k ./certs/server-ecc384-key.pem
+-A ./certs/ca-ecc384-cert.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 with P-384 Certs and CA
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/client-ecc384-cert.pem
+-k ./certs/client-ecc384-key.pem
+-A ./certs/ca-ecc384-cert.pem
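Review bot: Nothing in the new entries pins the ECDHE group, so the key exchange uses whatever curve the example client and server default to and the P-384 coverage here is limited to the ECDSA signatures and chain verification against ca-ecc384-cert.pem; the comment "with P-384 Certs and CA" is accurate, but the commit message's "P-384 cipher suite test" overstates it. If the example apps accept an option to force the supported group to secp384r1 (the preceding entry's `-H useSupCurve` suggests there is some curve-related knob), I would add a second client/server pair that uses it; otherwise I would make the comment say so explicitly, e.g. `# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, P-384 ECDSA cert/CA (ECDHE group left at default)`. It would also help to state in the comment that `-A ./certs/ca-ecc384-cert.pem` on the server entry makes the server verify the client's P-384 certificate, i.e. that this is a mutual-authentication test, assuming that is what `-A` does in the example server.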